`International Journal of Quality, Statistics, and ReliabilityVolume 2008 (2008), Article ID 263895, 12 pagesdoi:10.1155/2008/263895`
Research Article

Fuzzy Risk Graph Model for Determining Safety Integrity Level

1LARPI Laboratory, Safety Department, Institute of Health and Occupational Safety, University of Batna, Road Med El-Hadi Boukhlouf, Batna 05000, Algeria
2LSPIE Laboratory, Electrical Engineering Department, Faculty of Engineering, University of Batna, Road Med El-Hadi Boukhlouf, Batna 05000, Algeria

Received 15 August 2007; Revised 15 November 2007; Accepted 14 January 2008

Copyright © 2008 R. Nait-Said et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

The risk graph is one of the most popular methods used to determine the safety integrity level for safety instrumented functions. However, conventional risk graph as described in the IEC 61508 standard is subjective and suffers from an interpretation problem of risk parameters. Thus, it can lead to inconsistent outcomes that may result in conservative SIL's. To overcome this difficulty, a modified risk graph using fuzzy rule-based system is proposed. This novel version of risk graph uses fuzzy scales to assess risk parameters, and calibration may be made by varying risk parameter values. Furthermore, the outcomes which are numerical values of risk reduction factor (the inverse of the probability of failure on demand) can be compared directly with those given by quantitative and semiquantitative methods such as fault tree analysis (FTA), quantitative risk assessment (QRA), and layers of protection analysis (LOPA).

1. Introduction

The purpose of a safety analysis is to ensure that the risks that could be a potential source of harm, damage of property and degradation of the environment, are sufficiently minimized by addressing all the relevant safety lifecycle stages including the design, implementation, operation, and maintenance through to decommissioning. Reducing residual risk to an acceptable level is usually achieved by using a combination of safety protective systems, including safety instrumented systems, SIS (e.g., emergency shutdown systems and fire and gas systems), other technology safety-related systems (e.g., relief valves, bursting discs, firewalls, drain system), and external risk reduction facilities (e.g., work organization, procedures, separation). The SIS often represents an integral part of a safety management system to reduce the risk of major accident hazards [1]. It is made up of one or more safety instrumented functions (SIF) to sense abnormal situations and automatically return the process to a safe state. This is usually achieved by performing a partial or complete shutdown of the process, to prevent a hazardous event or mitigate its consequences. If the initial risk without SIS is high, the availability and integrity requirements for SIF's must be high.

Requirements for SIF's are addressed in the international standard IEC 61508 [2] and the process industry sector-specific version IEC 61511 [3] which are widely accepted as the basis for specification, design, and operation of SIS's. Each SIF is specified in terms of the action to be achieved and the required probability of failure on demand (PFD). The latter defines the required safety integrity level (SIL) for the SIF. The IEC standards provide a framework for establishing SIL's although they do not specify the SIL's required for specific applications. They propose various methods for determining the PFD or the amount of risk reduction needed.

The risk graph described in Part 5 of the IEC 61508 is one of the most popular methods that enables the SIL of a SIF to be determined from a knowledge on the risk factors related to the process. In particular, it has been extensively applied when determining SIL requirements for local safety functions such as process shutdown systems [4, 5]. The principles of the risk graph method have been adopted in the UKOOA guidelines for process control and safety systems on offshore installations and other documents published by offshore operators [6, 7].

An important issue faced by risk analysts is how to deal with uncertainties that arise in each phase of the risk assessment process. In particular, one should identify how to deal with the state of incomplete/no knowledge related to process safety functions. An underlying assumption is that uncertainty increases risk, but this is a conservative approach requiring that, in the absence of meaningful data or the opportunity to assimilate all available data, risk should be overestimated rather than underestimated. Therefore, higher ratings are assigned to risk parameters, reflecting the assumption of unfavorable conditions, in order to compensate the uncertainty. Although this approach results in a conservative outcome leading to a design of sufficient safety integrity, it leads also to higher installation and maintenance costs. Alternatively, more efforts are certainly needed to obtain a consistent and less conservative outcome using more refined SIL determination methods [4, 8, 9].

Fuzzy rule-based systems and fuzzy arithmetic [1012] have emerged over the last years as a very appropriate tool in dealing with uncertainty in reliability and safety analysis [1318]. In this paper, an approach of fuzzy rule-based risk graph is proposed in order to add more power features to the conventional calibrated risk graph method. In this perspective, the safety integrity assessment based on fuzzy logic allows the analyst to evaluate the SIL of SIF's in a natural way by using the notion of a linguistic variable for depicting information which is qualitative, imprecise, and/or uncertain. The methodology we have used is the application of the fuzzy inference system with fuzzifier and defuzzifier on a calibrated risk graph. The outcomes of the fuzzy risk graph are numerical values of risk reduction factor (RRF = 1/PFD) which are computed from a defuzzification of fuzzy SIL's.

2. Conventional Risk Graph Method

Safety-related systems are conceived to implement the safety functions necessary to achieve or maintain a safe state for the process in terms of specified risk reduction related to hazardous events. A safety function is thus expressed in terms of the action to be taken and the required probability to satisfactorily perform this action. This probability as a quantitative target defines the safety integrity. Four discrete safety integrity levels, namely, SIL1, SIL2, SIL3, and SIL4, are defined in the IEC 61508, and quantitative targets to which they relate are based on whether the safety-related system is operating in low-demand mode (e.g., shutdown system) or continuously (e.g., motor care brakes). In the first case, the appropriate measure of safety function performance is the probability of failure on demand (PFD), or its inverse, risk reduction factor (RRF). For functions which operate continuously, it is the probability of a dangerous failure per hour which is of concern. Table 1 shows the definition of the four SIL's for low-demand mode. As shown, the higher the SIL is, the more available the safety related system will be, so the more stringent becomes the implementation of safety function.

Table 1: Definition of SIL's for low-demand mode from IEC 61508-1.

For determining the SIL, IEC standards have provided various methods that have been applied with differing degrees of success [4]. These methods range from using pure quantitative risk assessments to more qualitative methods, as follows:

(i)quantitative methods such as fault tree analysis (FTA) and layer of protection analysis (LOPA),(ii)semiqualitative methods such as safety layer matrix and calibrated risk graph. The latter is described by some practitioners as a semiquantitative method,(iii)qualitative methods like risk graph and hazardous event severity matrix. Qualitative and semiqualitative methods are generally less costly than the quantitative ones. They are technologically less demanding to develop, relatively intuitive to plant operators without requiring detailed risk assessment training, and do not make extensive use of historical failure-related data as a base of estimating failure probabilities.

The risk graph as a qualitative method can be described as a decision tree in which four risk parameters, considered to be sufficiently generic to deal with a wide range of applications, must be combined to arrive at the required SIL. These parameters are as follows: consequence (), frequency and exposure time (), possibility of avoiding hazard (), and probability of the unwanted occurrence (). Figure 1 gives an example of a risk graph implementation [2]. An explanation of this risk graph is the following.

Figure 1: Example of risk graph from IEC 61508-5.

(i)Use of the risk parameters C, F, and P leads to one of six outputs . Each one of these outputs is mapped onto one of three scales (, , and ). Each point on these scales gives an indication of the necessary safety integrity that has to be met by the E/E/PE safety-related system. The numbers 1, 2, 3, and 4 represent the four SIL's. The point a indicates the case of a system without special safety requirements, which corresponds to a probability of failure less than that indicated for SIL1. The point b refers to situations when for specific consequences, a single safety-related system is not sufficient to give the necessary risk reduction.(ii)The mapping onto , , or allows the contribution of other risk reduction measures to be made. Scale provides the minimum risk reduction contributed by other measures (i.e., the highest probability of the unwanted occurrence), scale is a medium contribution, and scale is the maximum contribution. Thus, the output of the risk graph as a measure of the required risk reduction for the E/E/PE safety-related system, together with the risk reductions achieved by other technology safety related systems and external risk reduction facilities which are taken into account by the scales, gives the overall risk reduction for the specific situation.

3. Shortcomings and Alternatives

Although the risk graph method is relatively easy to be implemented and allows a fast assessment of SIL's, it is less precise. Indeed, the interpretation of linguistic terms such as rare, possible, and death of several persons, can differ between evaluators since they could be the result of a subjective decision or can differ from one industry sector to another [4, 6, 19].

There is therefore the need to calibrate the graph and to give guidance on the meanings of linguistic terms using orders of magnitude via numerical scales so that the resulting SIL rating will bring down the residual risk to the acceptable level. Otherwise, the risk reduction will be principally subjective with substantial limitations for safety-related decision making [20]. In this sense, the IEC 61511 Part 3 provides a semiqualitative method which is the calibrated risk graph. Although not specifically and absolutely fixed by the standard, the risk graph is usually calibrated such that each decision differs from another by a factor of ten (). Figure 2 and Table 2, respectively, show an example of a risk graph as used in the UKOOA guidelines and quantitative definitions of risk parameters [6, 7, 21].

Table 2: Example of qualitative and quantitative definitions of parameters.
Figure 2: Risk graph with qualitative description of parameters.

Against a tolerable target risk, managing the inherent uncertainty in the range of the risk parameters of a risk graph is problematic [7, 21, 22]. Although crisp intervals as means of characterizing uncertainty are an acceptable part of the usual calibrated risk graphs, the sufficient robustness in the SIL value may not be reached against the ambiguity of the information upon which the assessors base their judgment.

This type of knowledge elicitation presents two major disadvantages: first, it is in discordance with the gradual transition from one interval to another, well known in real world applications. Indeed, a measurement that falls into a close neighborhood of each precisely defined border between two adjacent intervals is taken as an evidential support for only one of them, in spite of the inevitable uncertainty involved in the computing of the SIL, that is, the safety integrity will be more or less one with of course different requirements. Second, it fails to reflect the fact that in most human reasoning and concept formation, the decomposition of whole into parts is fuzzy rather than crisp [2325]. In fact, there is an incompatibility between the uncertainty characterizing human perception and the crispness of the response mode. Thus, we need a representation of numbers, which is tolerant of imprecision and partial truths. Linguistic terms, defined on numerical universes and supported by fuzzy sets, provide a rather natural tool for numeric/symbolic interfaces and would be a very adequate alternative when available information is imprecise and/or uncertain.

Furthermore, compared to C and W parameters, F and P have only two ranges each and so the calibration will be dominated by the two first. As an alternative solution, Blackmore [22] developed for an offshore project an alternative graph format by introducing four categories for F against reducing those of C to two only (injury or death). As reported, the proposed approach has resulted in improved effectiveness in the SIL determination. For a best calibration, Dean [7] suggested also the introduction of additional consequence and frequency bands in some cases. Recently, Baybutt [8] has developed an improved risk graph with the following four parameters: initiating cause frequency, enabling events/conditions, safeguards failure probability, and consequences of the hazardous event. He introduces more than two levels for the first and the last two parameters to overcome both conservative and optimistic choices that respectively may result in an overestimation and underestimation of the SIL.

Another alternative proposed by Ormos and Ajtonyi [26] concerns the use of a fuzzy rule-based system in determining the SIL value by applying hazardous event severity matrix and conditional catastrophe theory. By application to three subsystems of steam production, the results of this approach compared with those provided by the quantitative method (as described by the IEC 61508) are very encouraging. For two subsystems the same result is obtained, SIL3 and SIL2, and for the third the result is SIL1 by fuzzy approach against SIL2 by the quantitative method. This difference is interpreted by the fact that severity parameter qualitatively estimated as low is not taken into consideration by the quantitative method. In the same way, Simon et al. [27] propose a fuzzy rule-based approach of the risk graph as well as a subjective evaluation of risk parameters by aggregation of expert judgments. Allocation of required SIL is determined by considering the risk graph as a fuzzy decision tree. Both risk parameters and SIL are represented by fuzzy partitions with linguistic descriptors, defined on ordinal measurement scales. The proposed approach is applied to equipment issued from the literature: a vessel containing a volatile flammable liquid. A SIF is considered to protect against a gas release greater than the admissible rate which is 10−4 per year. Each risk parameter is assessed by aggregating expert judgments given as possibility distributions, and fuzzy inference system provides after difuzzification the SIL value which is SIL2. Referring to these works, we attempt in this paper to develop a more flexible calibrated risk graph using fuzzy logic system, with two main differences compared to the above approaches. First, calibration problem is taken into consideration, and so, scales supporting fuzzy partitions of the SIL and parameters C, F, P, and W are numeric rather ordinal with the orders of magnitude given by Tables 1 and 2. Second, fuzzy intervals defined on the RRF universe particularly allow a SIL value to be between two successive classes with differing membership degrees. In practice, when the availability data for a SIF indicates a requirement just between two SIL classes, generally the stricter SIL requirement is chosen [5]. This conservative solution involves a more substantial increment of effort and competence with the major difference occurring when moving from SIL2 to SIL3 [6]. The fuzzy integrity levels may be an alternative to resolve this kind of problems. For example, a value of RRF (1/PFD) as an outcome of the fuzzy risk graph model may belong simultaneously to two fuzzy sets SIL2 and SIL3 but with a little higher membership degree to the latter (e.g., equal to 0.7). It would be reasonable to say that we are in presence of rather SIL3 requirements which clearly involve less cost and time than conventional SIL3, according to the proportion given by the membership degree. For example, 70% of the cost and time devoted to the conventional SIL3.

4. Fuzzy Inference System Methodology

Fuzzy logic-based method is a powerful tool for modeling the behavior of systems which are too complex or too ill-defined to admit of conventional quantitative techniques or when the available information from the systems is qualitative, imprecise, and/or uncertain. In contrast to classical logical systems, fuzzy logic aims at modeling the imprecise modes of reasoning that play an essential role in the human ability to give judgments or to make decisions in an environment of uncertainty and imprecision. Thus, unlike quantitative approaches that require accurate equations to model real-world behaviors, fuzzy logic can accommodate the ambiguities of real-world human with the concept of fuzzy sets and fuzzy inference techniques and consequently, possess a natural capability to express and deal with judgment and measurement uncertainties.

Fuzzy inference systems have found numerous applications in fields such as automatic control, data classification, decision analysis, expert systems, reliability engineering, and system safety. Among these systems, the fuzzy logic controller proposed by Mamdani and Assilian [28] is the most encountered in fuzzy rule-based problems. It was the first implementation dedicated to the control of a steam engine by synthesizing a set of fuzzy rules provided by experienced human operators. Based on a simple technique using the max-min inference, Mamdani’s method has been successfully applied in many fields ranging from processes control to medical diagnosis. Specific details for each step of this method are explained briefly below [29].

Let us consider a rule base constituted of n fuzzy IF-THEN rules with multiple inputs and single output (MISO). Each rule is therefore of the form

where the 's, , and are linguistic variables defined on the universes and , respectively. The fuzzy sets are elements of a linguistic partition of (universe of variable ). For a crisp input vector , the output value is determined by the following three-step method.

4.1. Fuzzification

It is the process of converting an input data into its symbolic representation, that is, a fuzzy set using the fuzzy partition of , by computing the membership degree of to each Then, a matching degree is computed for each rule .

4.2. Fuzzy Inference

The process for obtaining the fuzzy output using the max-min inference method consists of the following substeps.

(i)Finding the firing level of each rule: the truth value for the premise of each rule is computed and applied to the conclusion part of this rule. It is computed as follows: If a rule’s premise has nonzero degree of truth, that is, when the input matches partially the premise of the rule, then the rule is fired.(ii)Inferencing: in the inference step, the output of each rule is computed using a conjunction operator, the min. Then, is given by(iii)Aggregation: for obtaining the overall system output, all the individual rule outputs are combined using the union operator. Then, with membership function

4.3. Defuzzification

It produces a representative value of Y in . Among defuzzification methods, the center of gravity is the most commonly used, and it is given by

5. Fuzzy Safety Integrity Assessment

The overall procedure for making a fuzzy safety integrity assessment is shown in Figure 3. The analysis uses fuzzy partitions to describe both risk parameters and SIL's. The membership functions are determined by a fuzzification, that is, a fuzzy information granulation according to Zadeh [25], of data of a typical calibrated risk graph. Thus, crisp intervals are replaced by fuzzy intervals with trapezoidal membership functions. The basic idea of this transformation is to consider the boundaries of an ordinary interval as a mean value of a fuzzy number under the form of upper and lower expectations [30]. Details concerning the different steps of the proposed fuzzy model are presented bellow.

Figure 3: Overall procedure of fuzzy safety integrity assessment.
5.1. Selection of Input Variables

Referring to the IEC standards, the fuzzy rule-based system associated with conventional risk graph considers the four risk parameters C, F, P, and W as input variables, and considers the SIL as the unique output variable. The parameters C, F, P, and W allow a meaningful graduation of the risks to be made, and contain the key risk assessment factors. Obviously, other factors or conditions could be considered but with reduced number because two major disadvantages may emerge. First, the higher the number of parameters is, the more additional SIL's should be necessarily added but certainly without corresponding requirements. Second, further input variables do not allow the fuzzy system to be at a reasonable size and may complicate the test of the model.

5.2. Development of the Fuzzy Scales

Fuzzy logic uses the concept of linguistic variable to describe the premise and conclusion of a fuzzy rule [11, 12]. This concept provides a tool of approximate characterization of situations which are too complex or too ill-defined for the application of conventional quantitative techniques. A linguistic variable differs from a numerical variable in that its values are not numbers but words in a natural language. The fuzzy sets, with their boundaries not sharply defined, play the role of values of the linguistic variable and may be viewed as summaries of various subclasses of elements in a universe of discourse. In the present step, the fuzzy sets for the description of the parameters C, F, P, and W and the SIL are derived from corresponding crisp partitions, referring to an experienced model, the calibrated risk graph presented in Figure 2. Transforming an ordinary interval to a fuzzy interval may be considered as the converse problem of determining the mean value of a fuzzy interval. However, consistently with the well-known definition of expectation in probability theory, Dubois and Prade [30] have suggested a relevant definition of the mean value of a fuzzy interval as follows: “the mean value of a fuzzy interval Q is a closed interval bounded by the expectations calculated from its upper and lower distribution functions,” that is,

where

and are the lower and upper distribution functions of , respectively, and belongs to the set of probability measures, , which are defined on the support of Q. Let Q be a fuzzy interval with a trapezoidal membership function , and let and be the support and core of Q, respectively, that is, and . Let and be called the left and right spreads, respectively. Under the condition for , it follows that

The calculation of is as follows (see Figure 4):

Figure 4: Upper and lower mean values of .

Thus,

These results are in concordance with the fact that the width of the mean value is a linear function of the spreads and [30]. In our case, given and (resp., and ) of an unknown fuzzy interval Q, (resp., ) will be determined using (10) (resp., (11)). and as mean values are given by the boundaries of crisp intervals. The calculation of and is as follows. First, one computes the mean value, m, of the interval . Next, the core boundaries, and , are computed using the mean value of the subdivisions and , respectively. Both for m, , and , one uses either arithmetic mean or geometric mean according to whether or not the universe scale is linear. Figure 5 illustrates the transformation of an ordinary interval into a fuzzy one on a linear scale. For instance, and are determined as follows:

Figure 5: Transformation of a crisp interval into a fuzzy one.

Extreme fuzzy sets within a linguistic partition are derived from the transformation by assuming infinite spreads, that is, taking , for and , for (el is for extreme left and er for extreme right). Furthermore, transforming an irregular crisp partition into a fuzzy partition may involve linguistic labels with meaningless values (incompatibility problem). In this case, the slope of the increasing or decreasing part of these fuzzy sets needs to be reasonably modified. Table 3 shows numerical results of the different transformations based on data of Tables 1 and 2. The transformation concerning the parameter consequence is illustrated by Figures 6(a), 6(b), 6(c), 6(d). The fuzzy partitions of risk parameters and SIL, which are derived from the fuzzy intervals , are given by Figures 7(a), 7(b), 7(c), 7(d) and 8. A more detailed description of these partitions is presented in the following:

Table 3: Transformation of crisp intervals into Fuzzy intervals.
Figure 6: Transformation of crisp intervals into fuzzy ones: case of the parameter consequence: (a) minor, (b) moderate, (c) critical, and (d) catastrophic.
Figure 7: Membership functions generated for risk parameters (a) consequence, (b) exposure, (c) avoidance, (d) demand rate.
Figure 8: Membership functions generated for SIL.

(i)consequence: four fuzzy sets, namely, minor, moderate, critical, and catastrophic, were defined on the input space of this variable (Figure 7(a)). The values varying from 10−9 to 10 are represented on a logarithmic scale. To the linguistic value minor defined in risk graph as no deaths is assigned the crisp interval [10−9, 10−7] which suitably represents an unlikely event. This interval is transformed into a fuzzy one with the omission of the negative part. The interval is selected to be the mean value of the fuzzy set catastrophic with the possibility to change its upper bound according to the hazardous situation. The increasing part of catastrophic is adjusted by taking the upper bound of the core of the fuzzy set critical as its beginning point. This adjustment has double purpose. First, it removes the negative part of the fuzzy interval associated with the term catastrophic, which is meaningless from a point of view of number of fatalities. Second, it avoids the overlapping between more than two fuzzy sets, which involves many meaningless values for the class catastrophic. For instance, the degree of membership of the zero value in the nonadjusted fuzzy interval is 0.27.(ii)Frequency and exposure time: two fuzzy sets, namely, rare and frequent, were defined on a linear scale ranging from 0% to 100% (Figure 7(b)). The boundaries of their cores are derived from arithmetic means of crisp interval subdivisions. As in the previous risk parameter, the negative part of the first set rare is removed, and the upper bound of its core has served as a lower bound of the support of the second set frequent. The membership function of the latter is obviously right open.(iii)Possibility of avoiding hazard: as in the previous input parameter, two fuzzy sets named, not likely and possible, respectively, were defined on the universe (Figure 7(c)). For the first set not likely, the negative part is removed and the upper bound of its support takes the lower bound value of the core of the set possible. The values of the latter are limited to 100 with a right open membership function.(iv)Probability of the unwanted occurrence: three fuzzy sets, namely, very low, low, and relatively high, were defined on a probability space ranging from 10−5 pa to 1 pa (Figure 7(d)). As for the first risk parameter, the probability values are represented on a logarithmic scale. The choice of 10−5 pa (or 1.14 × 10−9 ph) as a lower bound of the interval [10−5, 0.03] refers to an unlikely event. Only the first and the last fuzzy sets were adjusted by removing the negative part and the values greater then one, respectively. The intermediate fuzzy set low is remaining unchanged.(v)Safety integrity level (SIL): the SIL as a unique output variable is defined on a RRF scale. The universe of discourse of the latter consists of the interval [1, 106] with a regular crisp partition, that is, there is a factor of ten between two successive subintervals. Seven fuzzy sets were defined on the output space (Figure 8): four sets are associated with the four SIL's, with the same labels as levels themselves, namely, SIL1, SIL2, SIL3, and SIL4, and the two sets named NSSR and NR refer to the cases no special safety requirements and single SRS not recommended, respectively. Except the delimitation of the set NR, no adjustment is made for all these labels.

5.2.1. Derivation of the Fuzzy Rules

A number of fuzzy IF-THEN rules are extracted following the risk graph logic and using the linguistic descriptors associated with risk parameters and SIL. In this case, the rule base can be understood as a translation of the risk graph which is mainly based on the knowledge and experience of analysts regarding the process nature and required risk reduction. Both the number of rules and input variables involved in premise parts depend on the risk graph implementation, that is, the decomposition level of risk graph. In the premise and conclusion parts of rules, the linguistic value meaning of input and output variables are described by the fuzzy sets defined in step 2. The general form of the derived fuzzy rules is

where the risk parameters C, F, P, and W stand for input variables; and are their linguistic values, respectively. The SIL is an output variable with as its linguistic value. The fuzzy vector and the fuzzy set are elements of the universes (RP for risk parameters) and , respectively. According to the risk graph reduction, the premise part of the above rule may be reduced to two or three input variables. Referring to the calibrated risk graph of Figure 2, two examples of fuzzy rules are the following:

5.2.2. Fuzzy Rule Base Application

As explained in Section 4, fuzzy inference system methodology, when the fuzzy inference system is to be applied to a set of input parameter values, the information flows through the fuzzification-inference-defuzzification process in order to generate the output value. Given any combination of input values which cover the specific context of risk parameters, the fuzzy rule-based risk graph will compute the RRF value that the SIF must achieve within the specific context. The fuzzifier maps crisp input vector in to fuzzy sets in , and the defuzzifier maps fuzzy sets in . If one or more risk parameters are not considered for a given rule, they will not have any effect on the matching degree .

6. Conclusion

Although conventional risk graphs are relatively simple to be implemented, they can lead to inconsistent results and possibly conservatism that may result in SIL overestimation. Indeed, the use of qualitative definitions for risk parameters is highly subjective and their meaning can be misunderstood. On the other hand, numerical interpretation of risk parameters and SIL's by means of crisp intervals violates gradual transition between intervals which is more realistic.

The proposed fuzzy risk graph model is a fuzzy rule based-risk graph. Its main advantages may include the following.

(i)It preserves the four parameters used in the standard risk graph and can be adapted easily to improved risk graphs.(ii)Fuzzy scales with fuzzy linguistic values are used to assess risk parameters, and calibration of the model may be made by varying risk parameters values.(iii)The outcomes of the model which are numerical values of RRF (1/PFD) can be compared directly with those given by more refined methods like FTA, QRA, and LOPA.

Nomenclature
 IEC: International electrotechnical commission SIS: Safety instrumented system SIF: Safety instrumented function PFD: Probability of failure on demand RRF: Risk reduction factor SIL: Safety integrity level FTA: Fault tree analysis QRA: Quantitative risk assessment LOPA: Layers of protection analysis C: Consequence F: Frequency and exposure time P: Possibility of avoiding hazard W: Probability of the unwanted occurrence Q: Fuzzy interval : Membership function describing Q S(Q): Support of Q C(Q): Core of Q, where , : Left and right spreads of Q, respectively E(Q): Mean value of Q, where : Lower and upper distribution functions : Fuzzy rule derived from risk graph Fuzzy sets describing C and F : Fuzzy sets describing P and W : Fuzzy set describing SIL : Risk parameter universe, where : SIL universe : Crisp input vector in , where

References

1. C. R. Timms, “IEC 61511-an aid to COMAH and safety case regulations compliance,” Measurement & Control, vol. 37, part 4, pp. 115–122, 2004.
2. Functional safety of electrical/electronic/programmable electronic safety related systems, 1998, IEC 61508 Standard, Parts 1–6, 1st edition.
3. Functional safety-Safety instrumented systems for the process industry sector- IEC 61511 Standard, 2003, Parts 1–3, 1st edition.
4. D. Kirkwood and Tibbs B., “Developments in SIL determination,” Computing & Control Engineering, vol. 16, no. 3, pp. 21–27, 2005.
5. S. Hauge, P. Hokstad, and T. Onshus, “The introduction of IEC 61511 in Norwegian offshore industry,” in Proceedings of the European Safety & Reliability International Conference (ESREL '01), pp. 483–490, Torino, Italy, September 2001.
6. D. J. Smith and K. J. L. Simpson, Functional Safety: A Straightforward Guide to Applying IEC 61508 and Related Standards, Elsevier Butterworth-Heinemann, Oxford, UK, 2nd edition, 2004.
7. S. Dean, “IEC 61508-Assessing the hazard and risk,” Sauf Consulting, April 1999, http://www.sauf.co.uk.
8. P. Baybutt, “An improved risk graph approach for determination of safety integrity levels (SILs),” Process Safety Progress, vol. 26, no. 1, pp. 66–76, 2007.
9. W. K. Muhlbauer, Pipeline Risk Management Manual: Ideas, Techniques and Resources, Elsevier, Amsterdam, The Netherlands, 2004.
10. L. A. Zadeh, “Outline of a new approach to the analysis of complex systems and decision processes,” IEEE Transactions on Systems, Man and Cybernetics, vol. 3, pp. 28–44, 1973.
11. L. A. Zadeh, “The concept of a linguistic variable and its application to approximate reasoning—I,” Information Sciences, vol. 8, no. 3, pp. 199–249, 1975.
12. L. A. Zadeh, “The concept of a linguistic variable and its application to approximate reasoning—II,” Information Sciences, vol. 8, no. 4, pp. 301–357, 1975.
13. J. B. Bowles and C. E. Pelaez, “Fuzzy logic prioritization of failures in a system failure mode, effects and criticality analysis,” Reliability Engineering & System Safety, vol. 50, no. 2, pp. 203–213, 1995.
14. K. Xu, L. C. Tang, M. Xie, S. L. Ho, and M. L. Zhu, “Fuzzy assessment of FMEA for engine systems,” Reliability Engineering & System Safety, vol. 75, no. 1, pp. 17–29, 2002.
15. A. Pillay and J. Wang, “Modified failure mode and effects analysis using approximate reasoning,” Reliability Engineering & System Safety, vol. 79, no. 1, pp. 69–85, 2003.
16. A. C. F. Guimarães and C. M. F. Lapa, “Hazard and operability study using approximate reasoning in light-water reactors passive systems,” Nuclear Engineering and Design, vol. 236, no. 12, pp. 1256–1263, 2006.
17. A. C. F. Guimarães and C. M. F. Lapa, “Fuzzy inference to risk assessment on nuclear engineering systems,” Applied Soft Computing, vol. 7, no. 1, pp. 17–28, 2007.
18. A. S. Markowski, M. S. Mannan, and A. Bigoszewska, “Fuzzy logic for process safety analysis,” in Proceedings of the International Symposium of Process Safety Center, College Station, Tex, USA, October 2007.
19. F. Redmill, “IEC 61508 - principles and use in the management of safety,” Computing & Control Engineering, vol. 9, no. 5, pp. 205–213, 1998.
20. K. T. Kosmowski, “Functional safety concept for hazardous systems and new challenges,” Journal of Loss Prevention in the Process Industries, vol. 19, no. 2-3, pp. 298–305, 2006.
21. W. G. Gulland, “Methods of determining safety integrity level (SIL) requirements-Pros and Con,” in Proceedings of the 12th Annual Safety-Critical Systems Symposium, pp. 105–122, Birmingham, UK, February 2004.
22. L. Blackmore, “IEC 61508-Practical experience in increasing the effectiveness of SIL assessments,” 2000, ISA EXPO.
23. D. W. Massaro, “Broadening the domain of the fuzzy logical model of perception,” in Cognition: Conceptual and Methodological Issues, H. L. Pick, Jr., P. van den Broek, and D. C. Knill, Eds., pp. 51–84, American Psychological Association, Washington, DC, USA, 1992.
24. S. A. Sandri, D. Dubois, and H. W. Kalfsbeek, “Elicitation, assessment, and pooling of expert judgments using possibility theory,” IEEE Transactions on Fuzzy Systems, vol. 3, no. 3, pp. 313–335, 1995.
25. L. A. Zadeh, “Toward a theory of fuzzy information granulation and its centrality in human reasoning and fuzzy logic,” Fuzzy Sets and Systems, vol. 90, no. 2, pp. 111–127, 1997.
26. L. Ormos and I. Ajtonyi, “Soft computing method for determining the safety of technological system by 1EC 61508,” in Proceedings of the 1st Romanian-Hungarian Joint Sympsiom on Applied Computational Inelligence (SACI '04), Timisoara, Romania, May 2004.
27. C. Simon, M. Sallak, and J.-F. Aubry, “SIL allocation of SIS by aggregation of experts' opinions,” in Proceedings of the Safety and Reliability Conference (ESREL '07), Stavanger, Norway, June 2007.
28. E. H. Mamdani and S. Assilian, “An experiment in linguistic synthesis with a fuzzy logic controller,” International Journal of Man-Machine Studies, vol. 7, no. 1, pp. 1–13, 1975.
29. D. Dubois, H. Prade, and L. Ughetto, “Fuzzy logic, control engineering and artificial intelligence,” in Fuzzy Algorithms for Control, H. B. Verbruggen, H. J. Zimmerman, and R. Babuska, Eds., pp. 17–57, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1999.
30. D. Dubois and H. Prade, “The mean value of a fuzzy number,” Fuzzy Sets and Systems, vol. 24, no. 3, pp. 279–300, 1987.