Uncertainties handling in safety system performance assessment by using fuzzy Bayesian networks

Abstract

This paper proposes a method to analyse the uncertainty problem in assessing of the safety systems performance. The method is based on Bayesian networks and integrates several parameters like the factor of Common Cause Failure. The imperfect knowledge concerns the CCF factors involved in the safety system. The point-valued CCF factors are replaced by triangular fuzzy numbers, allowing experts to express their uncertainty about the CCF values. The proposed method shows how the uncertainties of CCF factors propagate through the Bayesian networks and how this induces an uncertainty to the values of the safety system performance. The proposed method ensures the relevance of the results. This is validated by a comparison with the results of probabilistic analysis of a Monte Carlo sampling, where we consider triangular probability distribution of common cause failures factors.

Keywords

Safety systems probability of failure on demand Bayesian networks common cause failure uncertainty fuzzy numbers

1 Introduction

It is obvious that today we try to adopt a modern approach to enhance the integrity in terms of security while improving the availability of processes. Reduce the occurrence of dangerous events is the main concern in order to avoid damage to the environment or human health. Safety instrumented systems (SIS) continuously monitor the status of safety devices and diagnose the health of the entire safety loop, which greatly reduces the risk (explosion, fire, etc.) A SIS is a system composed of combination of logic solvers, sensors, and final elements for taking the supervised process to a safe state when predetermined conditions are transgressed.

The safety requirements, the IEC 61508 standard [1] introduces a probabilistic approach for the quantitative assessment of the safety systems performance. This probabilistic approach allows computing a particular concept named average probability of failure on demand (PFD_avg). The qualification of this probability value is determined by using the referred Safety Integrity Levels (SIL). Thus, the PFD_avg is in fact the unavailability of the SIS that affects its ability to react to hazards; i.e. the safety unavailability [2]. The IEC 61508 standard [1, 3] establishes four classification levels according to the PFD_avg value (for low demand operating systems). The definition of safety levels is given in Table 1.

Table 1
SIL for low demand mode [1]

SIL PFD_avg

4 ≥ 10^-5 to <10^-4

3 ≥ 10^-4 to <10^-3

2 ≥ 10^-3 to <10^-2

1 ≥ 10^-2 to <10^-1

SIL	PFD_avg
4	≥ 10^-5 to <10^-4
3	≥ 10^-4 to <10^-3
2	≥ 10^-3 to <10^-2
1	≥ 10^-2 to <10^-1

The definition of SIL levels can be seen in Table 1. IEC 61508 [1] to estimate the PFD_avg due to random hardware failures. The calculations involving a large number of parameters: architecture, component failure rates, test interval, and also the CCF factors [4]. A CCF is a multiple failure affecting several or all of the redundant components, potentially leading to failure of the safety function. Thus, CCFs can result in the SIS failing to function when there is a process demand. Consequently, CCFs must be identified during the design process and the potential impact on the SIS functionality must be understood [5].

Computing the PFD_avg can be determined by quantitative assessment methods like Markov chains [6], fault trees [7] or Petri nets. Markov chains have often been employed and remain the reference methods for the researchers in the field of dependability. However, complex systems become difficult to model by Markov chains because they induce a combinatory explosion of the states and the computation becomes intensive. The use of the fault tree method [7] assumes the independence of elementary probabilities of failures and boolean variables. The Fault trees are also difficult to implement on large systems and particularly if the studied system presents redundant failures. Petri Net is a method interesting used to evaluate the safety system performance. They provide a powerful modelling formalism but, unfortunately, the performance analysis is associated with Monte Carlo simulation that usually requires a great number of simulation runs in order to get accurate results.

This work focus on Bayesian networks [8, 9], which provides solutions to the problems mentioned above by concentrating on the modelling in a compact structure built from the states of component. It is possible to represent the functional propagation of failures to introduce the factors of common causes [4, 8]. The stochastic dependencies between events can also be simply modeled. Moreover, it is possible to use the Bayesian Networks method to show the failure effect and to analyze the probable state of some components of system in order to use to carry out maintenance actions (for example a diagnostic approach) [10]. The Bayesian Networks are thus general-purpose method making it possible to assess on the unavailability of a safety system whatever its complexity.

When safety systems are in low demand mode, feedback data is weak and handled probabilities may seem weakly credible, referring to the uncertainty principle (what is precise is more uncertain). The uncertainty problem on failure rates or repair rates comes also when working with new components [6]. In this case, experts or designers provide uncertain estimates of the characteristic rates of components. In this context, the CCF factor is often poorly determined. We are thus in the presence of missing data or of imprecision between the basic parameters of the safety system. The incompleteness and the imprecision point out a problem of uncertainty [10].

The problem of imperfect knowledge about the probability values is known and handled in various ways. Interval valued probability is a simple and attractive representation of imprecision [11]. The problem of uncertainty is considered by other authors using the probability theory [12], Fuzzy numbers [10, 13], possibility distributions [14] or belief function theory.

The fuzzy logic theory brings an interesting solution to the problem of uncertainty [12]. The fuzzy probabilities are a suitable means to model the imprecision and uncertainty [4, 6]. It naturally reflects the linguistic formulation of the information given by an expert like is around or is approximately. To model unavailability in the epistemic context of uncertainty, the combination of the fuzzy logic theory and the Bayesian Networks offers a very interesting tool [10]. In this article, we show how this combination is carried out in the goal of assessment safety system performance.

For this purpose, directed acyclic graphs based on the Bayesian Networks [9, 10] are used. We allot a particular attention to the uncertain value of the Common Cause Failures (CCF) factor expressed as fuzzy numbers. We make no particular assumption on the probability values, but our lack of knowledge is expressed by fuzzy numbers. Section 2 is devoted to a brief presentation of adopted methodology in computing the PFD_avg including CCF factors. The third section focuses on fuzzy Bayesian Networks and how to determine the SIL considering fuzzy values of CCF factors. The last section deals an application example of safety system defined in the literature that illustrates the proposed approach.

2 Methodology

The PFD_avg assessment must be obtained by quantitative methods. This assessment is connected with the computation of the safety function unavailability on demand [15]. In this context, bayesian networks are probably the most relevant model to represent different states that can take a safety system and its characteristic parameters can take.

2.1 Bayesian networks analysis

Bayesian Networks are directed acyclic graphs used to analyse uncertain knowledge in reliability assessment [10]. A Bayesian Network defined by a set of nodes and a set of directed arcs [8]. The nodes represent the system variables and the arcs symbolize the dependencies or the cause-effect relationships among the variables. A probability is associated to each state of the node. This probability is defined, a priori for a root node and computed by inference for the others [10]. The determination is based on the probabilities of parents states and the Conditional Probability Table (CPT) [8, 9]. For example, two nodes X and Y with each of them two states (s₀ and s₁) from the bayesian Networks in Fig. 1. Prior probabilities are represented in Table 2. The probabilities of the states assigned to Y are computed using a CPT. The CPT of Y is determined by the conditional probabilities P (Y/X) over each Y state knowing its parents states X. This CPT is defined as a Table 3. To determine $P (Y = s_{0}^{Y})$ , Equation 1 is used:

$\begin{matrix} P (Y = s_{0}^{Y}) & = & P (Y = s_{0}^{Y} / X = s_{0}^{X}) . P (X = s_{0}^{X}) \\ + P (Y = s_{0}^{Y} / X = s_{1}^{X}) . P (X = s_{1}^{X}) \end{matrix}$ (1)

Fig.1

Basic example of a Bayesian network.

Table 2

Prior probability of node X

X	$s_{0}^{X}$	P(X= $s_{0}^{X}$ )
	$s_{1}^{X}$	P(X= $s_{1}^{X}$ )

Table 3

CPT of node Y

X		$s_{0}^{X}$	$s_{1}^{X}$
Y	$s_{0}^{Y}$	P(Y= $s_{0}^{Y}$ /X= $s_{0}^{X}$ )	P(Y= $s_{0}^{Y}$ /X= $s_{1}^{X}$
	$s_{1}^{Y}$	P(Y= $s_{1}^{Y}$ /X= $s_{0}^{X}$ )	P(Y= $s_{1}^{Y}$ /X= $s_{1}^{X}$ )

The added value of a Bayesian Networks is linked to the computation of the probabilities assigned to a node state, knowing the state of one or several components. If any state of components nodes are defined, then the computation is only based on prior probabilities. The CPT contains the conditional probabilities (Table 3) which explain the failure propagation process the functional structure of a system. Then, it is possible to assess the system unavailability from the basic parameters of its components.

2.2 Assumptions

In order to compute the PFD_avg of safety system is based on the following assumptions:

The system components are independent, i.e. all random variables which describe the component failure behaviour are independent or alternatively, their dependence is precisely known.

The probability distributions of failure of the system components are considered as exponential distributions.

The failure rates are assumed to be constant and independent of time.

The system is coherent.

The CCF can be modeled by the standardβ-factor model [2, 6].

2.3 Bayesian networks to model unavailability

In order to model the unavailability of systems by Bayesian networks, we transpose the approach suggested by Bobbio [8], i.e, use Bayesian Networks in the same way as Fault Trees even if Bayesian Networks are able to do more. Therefore, we adopt the following convention: the component C is supposed to have binary states, for instance: {0} or (C = 0) the component is available (functioning), and {1} or (C = 1) the component is unavailable due to failure. In the usual hypothesis those component failures are exponentially distributed [8], the probability of occurrence of the primary event (C = 1) is represented by the following equation:

$\begin{matrix} P (C = 1, t) & = & 1 - e^{λ_{C} . t} \\ P (C = 0, t) & = & e^{λ_{C} . t} \end{matrix}$ (2) where λ_C is the failure rate of component C.

2.4 CCF factor in Bayesian networks

The CCFs can be directly introduced into the PFD_avg evaluation. The computing parameters are evaluated using feedback data. Given the difficulty of obtaining such data, parametric models have been developed. Several models have been considered in the literature as the model of factor β [16], the PDS method [17], the model of multiple Greek letters (MLG) [18] or the model of factor α [19]. In this work, we preferred the model of factor β due to its reasonable complexity that makes it one of the most popular models. Moreover, the β factor model is recommended by IEC 61508 [20]. According to β factor model, the total failure rate of a component λ_i is the sum of independent failures (λ^I) and CCFs (λ^CCF). $λ_{i} = λ_{i}^{I} + λ_{i}^{CCF} = (1 - β) . λ_{i} + β . λ_{i}$ (3) where β is defined as the failure probability due to a common cause given the occurrence of a failure [6, 21]. The expression of β is given as follows: $β = \frac{λ_{i}^{CCF}}{λ_{i}^{CCF} + λ_{i}^{I}} = \frac{λ_{i}^{CCF}}{λ^{i}} .$ (4)

To account for of the CCFs, a typical formalization is used, which consists to add a virtual component in series with the redundant components. In Fault Tree method, CCF are represented by adding an OR gate, directly connected to the principal event, in which one input is the system failure, and the other input is that of the CCF. In the Bayesian Networks mechanism, such additional constructs are not necessary, since the probabilistic dependence due to CCF is included in the CPT. The Reliability Block Diagram of parallel system submitted to a CCF and the corresponding Bayesian Networks, as shown in Fig. 2. In Fig. 2, components A and B of a parallel system are identical, placed in redundancy with the same failure rate. In Fig. 2, components A and B of a parallel system are identical, placed in redundancy with the same failure rate. The independent failure probability P^I (t) is based on the system structure with the independent failure rates of components λ^I. The P^CCF (t) is defined according to a 1oo1 (i.e. one-out-of-one) architecture with the CCF factor λ^CCF and whatever is the considered layer architecture. Parent nodes A and B are assigned prior probabilities (coincident with the probability values assigned to the corresponding basic nodes in the Bayesian Networks), and child node S is assigned its CPT. The prior probability of components nodes A and and B to be in state 1, at time t is defined by the following equation:

$\begin{matrix} P (A = 1, t) = P (B = 1, t) & = & 1 - e^{- λ^{I} . t} \\ = & 1 - e^{- (1 - β) . λ . t} . \end{matrix}$ (5)

Fig.2

The equivalent Bayesian network of parallel system with CCF.

The failure probability of the system due to common causes, P^CCF, when one or both components are available, is given as follows: $P^{CCF} (t) = 1 - e^{- λ^{CCF} . t} = 1 - e^{- β . λ . t}$ (6)

In the Bayesian Networks formalism, the probabilistic dependence due to P^CCF is included in the CPT. Table 4 shows a parallel system with CCF and the corresponding CPT. The CPT P (S = 1/A, B), contains the conditional probabilities (Table 4), in the case where the component node S is unavailable, i.e. in state 1. This CPT is determined by using the probability of node S of being in state 1 knowing the state of components A and B. Table 4 explain the failure propagation mechanism through the functional architecture of the system. Then, to compute the unavailability of the function S, as shown on Fig. 2, when events on a component are considered statistically independent, the Equation 7 is used:

$\begin{matrix} P (S = 1, t) & = & P^{CCF} . P (A = 0) . P (B = 0) \\ + P^{CCF} . P (A = 1) . P (B = 0) \\ + P^{CCF} . P (A = 0) . P (B = 1) \\ + P (A = 1) . P (B = 1) \\ P (S = 1, t) & = & P^{CCF} . P (A = 0)^{2} + 2 . P^{CCF} \\ . P (A = 1) . P (A = 0) + P (A = 1)^{2} \\ P (S = 1, t) & = & P^{CCF} - P^{CCF} . P (A = 1)^{2} \\ + P (A = 1)^{2} \end{matrix}$ (7)

Table 4

CPT of parallel system with CCF

P(S=1/A,B)
	A=0	A=1
B=0	P ^CCF	P ^CCF
B=1	P ^CCF	1

Thanks to Equations 5, 6 and 7, we can determine the PFD of the SIS. The point PFD(t_i) can be assessed for the length of the mission time. The sum of the point values are then divided over the total number of assessments n to obtain the PFD_avg. ${PFD}_{avg} ≃ \frac{\sum_{i = 0}^{T} PFD (t_{i})}{n}$ (8)

The PFD_avg which is the main reference to qualify the SIS performance.

2.5 Fuzzy numbers

A fuzzy sub-set $\tilde{A}$ on a universe of discourse Ω is characterized by a membership function $μ_{\tilde{A}}$ which associates each element x of Ω to a real number in [0, 1]:

$μ_{\tilde{A}} : Ω \to [0, 1]$ (9)

A fuzzy number is a subset satisfying the following conditions [22]:

$μ_{\tilde{A}} (x)$ is piecewise continuous.

$μ_{\tilde{A}} (x)$ is convex.

$μ_{\tilde{A}} (x)$ is normal (a value x₀ exists such as $μ_{\tilde{A}} (x_{0}) = 1$ ).

L - R fuzzy numbers are a particular class of fuzzy numbers because they are defined by two functions: left (L) and right (R). If we consider three parameters m, a, b strictly positives and two functions L and R defined on [0, 1]. A fuzzy number $\tilde{M}$ is L - R if its membership function $μ_{\tilde{M}}$ is defined by: $μ_{\tilde{M}} (x) = {\begin{matrix} R [(x - m) / b] & if x > m \\ L [(m - x) / a] & if x \leq m \end{matrix}$ (10)

Let’s write L - R fuzzy number as $\tilde{M} = < m, a, b >_{LR}$ . m is its modal value with $μ_{\tilde{M}} (m) = 1$ i.e. the most waited value. a is the length of the support on the left of m, also called the left spread parameter and b is the right spread parameter, on the real axis or on [0, 1] for the probability case. The interest of L - R fuzzy numbers is to be able to represent singular values, intervals, fuzzy numbers or fuzzy intervals. We can characterise a triangular fuzzy number by a set of nested intervals at different level cuts α. Indeed, if we consider a fuzzy number $\tilde{A}$ with the membership function $μ_{\tilde{A}} (x)$ , we obtain several nested intervals by using the α-cut method [4]. Thus, a convex interval is created by the α-cut with a confidence index (1 - α). Each interval of level α is bounded by its left bound $A_{L}^{(α)}$ and right bound $A_{R}^{(α)}$ . Thus, a fuzzy number can be represented by all its nested α-cuts as follows: $\tilde{A} \to [A^{(α)}] = [A_{L}^{(α)}, A_{R}^{(α)}], 0 \leq α \leq 1$ (11)

Moreover, fuzzy numbers respect the property of monotonic inclusion which specifies that at a given level of knowledge the less precise a proposal is the more certain it is. Thus, we can write the monotony of inclusion for fuzzy numbers is as follows: $A^{(α_{1})} \subseteq A^{(α_{2})} \Rightarrow (1 - α_{1}) \leq (1 - α_{2})$ (12)

Fig.3

α-cuts of a triangular fuzzy number.

3 Fuzzy performance assessment

The bayesian network method is used to represent the conditional dependencies between variables, integrating uncertainty on the characteristic parameters of components modeled by fuzzy numbers in the assessment of the safety system performance.

3.1 Fuzzy probabilities

A fuzzy probability is a fuzzy set defined in the space of probabilities. It represents a fuzzy number between 0 and 1 which is assigned to the occurrence probability of an event. Taking into account the uncertainty with fuzzy probabilities can be resolved by the extension principle of Zadeh [22]. Let’s consider Y = f (P₁, P₂, …, P_n) a deterministic function that associates a numerical output variable y to n numerical input variables P_i combined by classical algebraic operators (eg: +, - , × , ÷). When using intervals to model uncertainty, repetition of the same variable in an expression means taking account several times this variable uncertainty on the final result. The interval calculus is sub-distributive, so the calculation result is much more uncertain than it could be [23]. Buckley wrote in [24] that if f is a monotonic function then the calculus of the output interval Y can be conducted by appropriately choosing the bounds of inputs P_i [4, 24]. Let’s consider Y = f (P₁, P₂, …, P_n), where each P_i varies in the interval $[P_{iL}^{(α)}, P_{iR}^{(α)}]$ . If the following conditions are verified:

f is locally monotonic according to each variable P_i. We verify it by computing the sign of $\frac{\partial f}{\partial P_{i}}$ and verifying it is independent of P_i.

∀j ∈ E₁, f is monotonically increasing according to P_j.

∀j ∈ E₂, f is monotonically decreasing according to P_j.

where E₁ and E₂ are two disjoint sets which are not necessarily a partition of 1, …, n. If we transpose to α-cuts then for

Y^{(α)} = [Y_{L}^{(α)}, Y_{R}^{(α)}]

Y_{L}^{(α)} = \min {\begin{matrix} f (w) | \forall j \in E_{1}, w_{j} = P_{jL}^{(α)} \\ f (w) | \forall j \in E_{2}, w_{j} = P_{jR}^{(α)} \end{matrix}

(13)

Y_{R}^{(α)} = \max {\begin{matrix} f (w) | \forall j \in E_{1}, w_{j} = P_{jR}^{(α)} \\ f (w) | \forall j \in E_{2}, w_{j} = P_{jL}^{(α)} \end{matrix}

(14)

So, the choice of input interval bounds are done according to the sign of partial derivative $\frac{\partial f}{\partial P_{i}}$ of Y according to P_i in order to provide the thinnest output interval that encloses all real values [24]. As f is monotonic, the monotonic inclusion property holds for Y the output of f [13].

3.2 Fuzzy Bayesian networks

Fuzzy Bayesian Networks offer an efficient tool to conduct performance analysis under uncertainty. For the implementation of the fuzzy performance analysis to determine the safety integrity level, a fuzzy assessment approach is proposed using Fuzzy Bayesian Networks. In the proposed approach, the following five steps are adopted.

Step (1) Failures identification: Carry out preliminary risk analysis for identify expected potential hazards. Bayesian networks are used to model the system failures. Identify the CCFs of components. Determine all specific nodes.

Step (2) Bayesian Networks model construction: Identify potential failure scenarios of the target risk. A descending dysfunctional analysis can lead to a compact model of safety system failure logic. Build of the Bayesian network connecting all specific nodes and develop the CPT including the CCF factor, β.

Step (3) Fuzzy probability assessment: According to the expert knowledge estimate probability of root nodes from the CCF factor β. Transform the linguistic expressions into fuzzy numbers. Determine the conditional fuzzy probability tables. Then calculate the compute the fuzzy PFD_avg based up on the fuzzy approach.

Step (4) Determining safety Level: Take advantage of the fuzzy calculation in Bayesian Network, and carry out risk analysis. Starting from fuzzy PFD_avg, assess safety integrity level according to Table 1. Rank and discuss the results.

Step (5) Decision making: Discuss risk level associated to the uncertainty induced by the lack of knowledge of the CCF factor β on the SIS qualification. The decision maker has the responsibility to accept or reject the potential risk.

The method proposed, consists in associating the fuzzy numbers of input variables and in combining them by using the concept of α-cuts which brings back to an interval calculation problem. In this section we suppose that knowledge of the characteristic parameters values such as the CCF factor β is imperfect. We model the imprecision of these parameters by triangular fuzzy numbers as previously defined. Each fuzzy parameter can be described by the set of its α-cuts as indicated in Equation (11). The corresponding fuzzy CCF factor $\tilde{β}$ is defined by the set of its α-cuts. [β^(α)] is the interval bounded by two values $[β_{L}^{(α)}, β_{R}^{(α)}]$ .

Parameters $\tilde{β}$ integrate directly the characteristic CPT of the studied system. Then, we are dealing with fuzzy Bayesian Networks to compute the upper and lower probabilities of safety system performance. For example in Fig. 2, we compute the upper and lower bounds of ${\tilde{P}}^{(ccf)} (t)$ from the fuzzy CCF factors $\tilde{β}$ by (15), considering the α-cut method (cf. Equations (13) and (14)). ${\tilde{P}}^{CCF} (t) = 1 - e^{- \tilde{β} . λ . t} = 1 - e^{- [β^{(α)}] . λ . t}$ (15)

Given ∂P^CCF/∂β > 0, then:

$\begin{matrix} {\tilde{P}}^{CCF} & \Rightarrow & [P^{CCF, (α)}] = [P_{L}^{CCF, (α)}, P_{R}^{CCF, (α)}] \\ \Rightarrow & {\begin{matrix} P_{L}^{CCF, (α)} = 1 - e^{- β_{L}^{(α)} . λ . t} \\ P_{R}^{CCF, (α)} = 1 - e^{- β_{R}^{(α)} . λ . t} \end{matrix} \end{matrix}$ (16)

Similarly we compute the upper and lower bounds of the fuzzy prior probability of nodes A $\tilde{P} (A = 1, t)$ , for each α-cuts. Given ∂ (P (A = 1, t))/∂β < 0, the $\tilde{P} (A = 1, t)$ is computed using Equation (17).

$\begin{matrix} \tilde{P} (A = 1, t) \\ \Rightarrow [P_{L}^{(α)} (A = 1, t), P_{R}^{(α)} (A = 1, t)] \\ \Rightarrow {\begin{matrix} P_{L}^{(α)} (A = 1, t) = (1 - e^{- (1 - β_{R}^{(α)}) . λ . t}) \\ P_{R}^{(α)} (A = 1, t) = (1 - e^{- (1 - β_{L}^{(α)}) . λ . t}) \end{matrix} \end{matrix}$ (17)

Then, we are dealing with fuzzy Bayesian Networks which require the use of Equations (16) and (17), to compute the upper and lower of system unavailability $\tilde{P} (S = 1)$ , for each α-cuts, by the following equations:

$\begin{matrix} \tilde{P} (S = 1, t) \Rightarrow [P_{L}^{(α)} (S = 1, t), P_{R}^{(α)} (S = 1, t)] \\ {\begin{matrix} P_{L}^{(α)} (S = 1, t) = P_{L}^{(α) CCF} - P_{L}^{(α) CCF} . P_{L}^{(α)} (A = 1, t)^{2} + P_{L}^{(α)} (A = 1, t)^{2} \\ P_{R}^{(α)} (S = 1, t) = P_{R}^{(α) CCF} - P_{R}^{(α) CCF} . P_{R}^{(α)} (A = 1, t)^{2} + P_{R}^{(α)} (A = 1, t)^{2} \end{matrix} \end{matrix}$ (18)

The PFD_avg is computed when the safety function is in low demand mode. It is equal to the average unavailability computed over the mission duration T_i or possibly on the test interval [0, T_i], if all the components are simultaneously tested. As fuzzy numbers are involved in this approach, PFD_avg is now computed by 19:

$\begin{matrix} P \tilde{F} D_{avg} & \Rightarrow & [{PFD}_{avg}^{(α)}] = [{PFD}_{avg, L}^{(α)}, {PFD}_{avg, R}^{(α)}] \\ \Rightarrow & {\begin{matrix} {PFD}_{avg, L}^{(α)} ≃ \frac{\sum_{i = 0}^{T} {PFD}_{L}^{(α)} (t_{i})}{n} \\ {PFD}_{avg, R}^{(α)} ≃ \frac{\sum_{i = 0}^{T} {PFD}_{R}^{(α)} (t_{i})}{n} \end{matrix} \end{matrix}$ (19)

This analysis made on one layer of a SIS can be extended to all layers i.e. to the complete Bayesian Networks for a studied SIS by using Equations (13), (14), (16), (17) and (18).

4 Application: Study of a safety system

The safety system given in Fig. 4 is a practicable case relating to the process industry, has been defined in the literature [7]. It will be used to illustrate of the proposed approach. This SIS is dedicated to the protection of the downstream portion of an offshore production system against overpressure due to its upstream (oil well W₁). Three pressure sensors PT_i are responsible for detecting the pressure increase over a specified threshold. These three sensors send information to a logic solver (LS) which implements a 2oo3 logic. If at least two of the three signals received from the sensors confirm the presence of an overpressure in the pipeline, the logic unit controls the opening of solenoid valves SV₁ and SV₂, which results in shutting off hydraulic supply that kept open valves SDV₁ and SDV₂. Then, SDV₁ and SDV₂ are closed and reduce the risk of overpressure in the downstream circuit. The undesired event is the inhibition of the SIS, which is characterized by the non-closure of the two relief valves SDV₁, SDV₂. The studied SIS is composed of:

The sensor layer structured in 2oo3 architecture, made up of three pressure sensors PT_i.

The logic unit layer (Logic Solver) in 1oo1 architecture.

The actuator layer structured in 1oo2 architecture, made up of valves SV_i and SDV_i.

Fig.4

Studied SIS.

The reliability block diagram of the SIS is given in Fig. 5. The equivalent Bayesian network concerning the studied SIS is shown in Fig. 6. The independent failures and the CCF of components are clearly identified as basic events. The logic solver has no CCF because there is only one element. But, the final element layer is divided in 2 parts because 2 preactuators (SV₁, SV₂) control the power actuators (SDV₁, SDV₂). Then, there is one CCF for each sub-layer. So, three CCF are characterized. The characteristic parameters of the SIS components are given in Table 5. As mentioned in the introduction, SIS are periodically tested. So, to compute $P \tilde{F} D_{avg}$ , an interval test time T_i is associated to the test frequency of the SIS.

Fig.5

SIS reliability block-diagram.

Fig.6

SIS Bayesian networks.

Table 5

Numerical data

SIS Components	λ (h^-1)	β (%)	T_i (h)
E₁, E₂, E₃: PT	7.40E^-7	<5, 3, 8 > _LR	T₁ = 730
E₄: Logic Sover	4.60E^-7	-	T₂ = 2190
E₅, E₇: SV	3.10E^-6	<10, 8, 13 > _LR	T₃ = 1460
E₆, E₈: SDV	2.80E^-6	<10, 8, 13 > _LR	T₃ = 1460

4.1 Epistemic approach

Using the fuzzy Bayesian Networks method proposed in this paper, associated to α-cuts the SIS PFD is computed according to the characteristic parameters of components modeled by fuzzy numbers. The intrinsic failures rate of components λ_i are considered consistent and precise according to manufacturers data. The CCF factor β of each subset of components are described by a triplet of parameters <m_i, a_i, b_i> estimated and given by an expert as triangular fuzzy numbers. Considering only the imprecision on β_i, we can measure the influence on the safety systems performance. To compute the fuzzy performance PFD_avg, a test interval time T_i is associated to the test frequency of the safety system. In this study, different test intervals are used for each subsystem. Moreover, we assume that each subsystem is functionally tested independently from each other. The SIS $P \tilde{F} D_{avg}$ is computed by the combination of the failure probability of all subsystems providing together the safety function. Figure 7 shows the fuzzy SIS unavailability $P \tilde{F} D$ and, its average value $P \tilde{F} D_{avg}$ . For the sake of clarity, only the support and the kernel of the resulting fuzzy number are shown. The safety system $P \tilde{F} D$ is bounded by upper and lower values according to the interval defined by the α-cut of level 0. The monotonic inclusion property of the availability function of the system warrant that intervals of the α-cut of level greater than 0 are strictly included in the support (α = 0) of $\tilde{PFD}$ given in Fig. 7. Figure 8 shows the triangular fuzzy number representing the uncertainty on the SIS PFD_avg induced by the uncertain CCF factors. The support of fuzzy $P \tilde{F} D_{avg}$ varies from 0.875 × 10^-3 to 1.107 × 10^-3 for (α = 0) which corresponds to a confidence degree of 100%. In this case, the SIL of the studied SIS varies from a SIL 3 level (PFD_avg ∈ [10^-4, 10^-3]) to SIL 2 level (PFD_avg ∈ [10^-3, 10^-2]) according to Table 1. As shown, the uncertainty of the CCF factors lead to a possible change in the SIS level of SIL. The uncertainty of the CCF factors leads to a possible change in the SIS level of SIL whereas an uncertain but precise value would have provided only one level of SIL 3 that corresponds to [ ${PFD}_{avg}^{(α = 1)}$ ]. Thus, the uncertainty on PFD_avg induces an uncertainty on the SIS performance classification. If we seek a classification of SIL without uncertainty, it is necessary to change either the set of components or the structure of the SIS (redundancy level) or increase our knowledge about the characteristic parameters or modify the test strategy. The decision maker has the responsibility to accept or reject the potential risk associated to the uncertainty induced by the lack of knowledge of the CCF factor β on the SIS qualification. There is a compromise between cost and risk that the decision maker must arbitrate. In some dependability studies of systems, engineers usually represent their ignorance about the values that a parameter can take by a subjective probability distribution.

Fig.7

$P \tilde{F} D$ and $P \tilde{F} D_{avg}$ of the SIS.

Fig.8

SIS Fuzzy P $\tilde{F}$ D_avg.

Contrary to the previous fuzzy approach, the probabilistic analysis is a stochastic approach which considers the subjective information from the expert through a probability distribution and thus in an aleatory way.

4.2 Aleatory approach

When dealing with imperfect knowledge in the probability framework, dependability studies of systems considers probability distributions. By considering the value of β within a range and because no more information is known, the insufficient principle of Laplace (everything which is equiplausible is equiprobable) leads us to consider triangular probability distribution to represent our ignorance about the CCF factors.

The triangular probability distribution (cf. Fig. 9) is often used as a subjective description in the case where we dispose estimates of the minimum a_i; maximum b_i and the most likely value m_i (same parameters <m_i, a_i, b_i> than the fuzzy number $\tilde{β_{i}}$ ). The triangular probability distribution defined by Equation 20. The considered value for the distribution are shown in Table 5. $β_{i} \to Δ (a_{i}, m_{i}, b_{i})$ (20)

Fig.9

Triangular probability distribution.

Thanks to a Monte Carlo sampling, we can determine the distribution of PFD_avg modeled by the Bayesian Networks given on Fig. 6. For this experiment, the Monte Carlo sampling consists in randomly choosing 2000 triplets of values for β_i according to 9distribution. The distribution of the PFD_avg for each input distribution are represented in Fig. 10. These distributions are fairly near a normal distribution but, we are interested in the range of values for sake of comparison. From these distributions, we can compute the lower and upper bounds of PFD_avg: PFD_avg ∈ [0.885 × 10^-3, 1.091 × 10^-3] which are independent of the type of input distribution. The probabilistic approach is considered to demonstrate the exactness of the fuzzy approach. By comparing the results of the two approaches, some elements are interesting. First, the support of P $\tilde{F}$ D_avg is [0.875 × 10^-3, 1.107 × 10^-3] and contains the upper and lower bounds of the probability distribution obtained by the Monte Carlo samplings. The PFD_avg bounds obtained by the probabilistic approach are approximate values. The fuzzy approach proposed gives directly the exact values of the PFD_avg bounds. However, to obtain the same results with the probabilistic method, the number of samples should increase towards infinity. Second, the computed bounds by fuzzy approach are determined in a shorter computing time than the Monte Carlo sampling approach.

Fig.10

Histogram of Monte-Carlo simulation results.

5 Conclusion

In this paper, the powerful representation and the exactness of Bayesian Networks in studies of safety systems performance is shown. In some context like incomplete or badly known information, we can use uncensored data with the fuzzy sets theory to consider the epistemic uncertainty. The proposed approach shows how concepts of the fuzzy sets theory can be implemented in Bayesian Networks to treat this kind of uncertainty and to extract the most of information from the available data. The Bayesian Networks are a powerful tool to manage uncertainty in artificial intelligence and approximate reasoning.

The complex nature of CCF makes their quantification more difficult and more uncertain. The paper allows the analysis of the influence of imperfect knowledge of several factors to the imprecision of the SIS performance. It clearly shows that CCFs are influencing the results. So, the analysis simultaneously provides an assessment and a sensitivity analysis at the same time. The obtained fuzzy value of the PFD_avg shows that the uncertainty due to imperfect knowledge could involve variations concerning the level of the SIL of the SIS. The fuzzy approach applied in Bayesian Networks leads to exact results and guarantees the efficient computation of the smallest final interval of the failure probability of the SIS.

For the sake of comparison and verification, a probabilistic approach has been considered which demonstrates the preciseness of the present approach by obtaining the same results but with shorter computing time and little effort. Nevertheless, the bounds obtained by the Monte Carlo sampling are approximations whereas the presented approach gives the accurate values. The proposed method of Bayesian Networks offers many benefits to the decision maker in terms of performance assessment. This approach can be used for this simple case and all the results will be applicable for more complex safety systems.

References

IEC61508, Functional safety of Electrical/Electronic/Programmable Electronic Safety related systems. part 1-7, (2010).

Torres-Echeverria

, Martorell

and Thompson

, Multiobjective optimization of design and testing of safety instrumented systems with moon voting architectures using a genetic algorithm, Reliability Engineering & System Safety 106 (2012), 45–60.

IEC61511, Functional safety safety instrumented systems for the process industry sector, (2000).

Mechri

, Simon

and BenOthman

, Uncertainty analysis of common cause failure in safety instrumented systems, Proceedings of the Institution of Mechanical Engineers Part O Journal of Risk and Reliability 225(4) (2012), 450–460.

Hokstad

, Rausand

Common cause failure modeling: Status and trends, Misra

K.B.

(Ed.), Handbook of performability Engineering, Springer London, Ch. 39, 2008, pp. 621–640.

Mechri

, Simon

, Bicking

and Othman

K.B.

, Fuzzy multiphase markov chains to handle uncertainties in safety systems performance assessment, Journal of Loss Prevention in the Process Industries 26(4) (2013), 594–604.

Dutuit

, Innal

, Rauzy

and Signoret

J.-P.

, Probabilistic assessments in relationship with safety integrity levels by using fault trees, Reliability Engineering & System Safety 93(12) (2008), 1867–1876, 17th European Safety and Reliability Conference.

Bobbio

, Portinale

, Minichino

and Ciancamerla

, Improving the analysis of dependable systems by mapping fault trees into bayesian networks, Reliability Engineering and System Safety 71(3) (2001), 249–260.

Loutchkina

, Jain

L.C.

, Nguyen

and Nesterov

, The systems integration technical risk assessment fusing of bayesian belief networks and parametric models, Journal of Intelligent and Fuzzy Systems 24(2) (2013), 281–296.

10.

Simon

and Weber

, Imprecise reliability by evidential networks, Proceedings of the Institution of Mechanical Engineers Part O Journal of Risk and Reliability 223(2) (2009), 119–131.

11.

Kozine

and Utkin

, Interval valued finite markov chains, Reliable Computing 8 (2002), 97–113.

12.

Chutia

, Mahanta

and Datta

, Uncertainty modelling of atmospheric dispersion model using fuzzy set and imprecise probability, Journal of Intelligent and Fuzzy Systems 25(3) (2013), 737–746.

13.

Mechri

and BenOthman

, Probabilistic fuzzy approach for the imprecise evaluation of safety instrumented systems, International Review on Modelling and Simulations 3(3) (2011), 388–400.

14.

Dubois

, Possibility theory and statistical reasoning, Computational Statistics and Data Analysis 51(1) (2006), 47–69. the Fuzzy Approach to Statistical Analysis.

15.

Mechri

, Simon

and BenOthman

, Switching markov chains for a holistic modeling of sis unavailability, Reliability Engineering and System Safety 133 (2015), 212–222.

16.

Fleming

, A reliability model for common mode failures in redundant systems, GA-A-13284.

17.

Hauge

, Hokstad

, Langseth

and Oien

, Reliability Prediction Method for Safety Instrumented Systems, SINTEF, 2006.

18.

Barros

, Grall

and Vasseur

, Estimation of common cause failure parameters with periodic tests, Nuclear Engineering and Design 239(4) (2009), 761–768.

19.

Vaurio

J.K.

, Consistent mapping of common cause failure rates and alpha factors, Reliability Engineering & System Safety 92(5) (2007), 628–645. recent Advances in Theory & Applications of Stochastic Point Process Models in Reliability Engineering.

20.

Rausand

and Hoyland

, System Reliability Theory; Models, Statistical Methods and Applications, 2nd Edition, New York, Wiley 2004.

21.

Lundteigen

M.A.

and Rausand

, Common cause failures in safety instrumented systems on oil and gas installations: Implementing defense measures through function testing, Journal of Loss Prevention in the Process Industries 20(3) (2007), 218–229.

22.

Zadeh

, Fuzzy sets, Information and control, 1965.

23.

Moore

, Interval Analysis, Vol. 16, Prentice-Hall, New York, 1966.

24.

Buckley

, Fuzzy Probabilities, Vol. 115, Springer, 2005.

Uncertainties handling in safety system performance assessment by using fuzzy Bayesian networks

Abstract

Keywords

1 Introduction

Table 1 SIL for low demand mode [1] SIL PFD avg 4 ≥ 10-5 to <10-4 3 ≥ 10-4 to <10-3 2 ≥ 10-3 to <10-2 1 ≥ 10-2 to <10-1

2.1 Bayesian networks analysis

2.3 Bayesian networks to model unavailability

3.1 Fuzzy probabilities

References

Table 1
SIL for low demand mode [1]

SIL PFD_avg

4 ≥ 10^-5 to <10^-4

3 ≥ 10^-4 to <10^-3

2 ≥ 10^-3 to <10^-2

1 ≥ 10^-2 to <10^-1