Probability and frequency calculations related to protection layers revisited

Fares Innal a,*, Pierre-Joseph Cacheux b, Stéphane Collas b, Yves Dutuit c, Cyrille Folleau d, Jean-Pierre Signoret e, Philippe Thomas d

a Batna University, IHSI-LRPI, Avenue Chahid M. Boukhlouf, 05000 Batna, Algeria
b TOTAL EP, CSTJF, Avenue Larribau, 64000 Pau, France
c TOTAL Associate Professors, 38, rue du Prieuré, 33170 Gradignan, France
d SATODEV, 25 rue Marcel Issartier, 33700 Mérignac, France
e TOTAL Technology Specialist, 2 route de Garlin, 64160 Sedzère, France
Article info

Article history: Received 11 August 2013; Received in revised form 3 June 2014; Accepted 7 July 2014; Available online 15 July 2014

Keywords: Independent and dependent protection layers; Safety instrumented systems; Failure frequency; Fault tree; Markov model
Abstract

This article casts a new glance over some methods dedicated to the calculation of the likelihood (probability or frequency) of failure of systems and, in particular, of safety-related systems working alone or in association with other protection layers. It consists first in examining with a critical eye the relevance of the aforementioned methods, which are still often used in spite of their restrictive limitations, and second in proposing an alternative approach for each of them. The correctness of the examined methods is tested by applying them to very simple systems modeled by fault trees, with the intent of showing why these methods are debatable and how they can be replaced by other, more appropriate ones. The particular case of several protection layers having to react to the demand resulting from the global failure of their associated control system is considered. That case leads to revisiting the common assumption of independence between the above protection layers and the control system, by taking into account the order of their respective failures from a qualitative and quantitative point of view.

© 2014 Elsevier Ltd. All rights reserved.
1. Introduction

Risk management approaches are aimed primarily at reducing the current risk, generated by a given application, to an acceptable or tolerable level and at maintaining that level over time. This reduction is often achieved by interposing several layers (or barriers) of protection between the hazard source, which can be the monitored process, and the potential targets (people, plant and environment). The typology of these layers covers a wide variety and is increasingly supplemented by extra layers known as safety instrumented systems (SISs). These safety-related systems have sparked off, and continue to cause, a growing interest from industrial users, contractors and academics as well. This general interest is shown by the abundant literature dealing with this topic and by the second edition of the IEC 61508 (2010) and IEC 61511 (2012) standards devoted to functional safety. The first one is already published, whilst the second one is still in the draft stage. The protection-layer-based technique carried out to reduce risk is well known and has been looked at in detail in (Center for Chemical Process Safety (CCPS), 2001) and in annexes B and F of the first edition of the IEC 61511-3 standard (IEC 61511, 2003), respectively entitled "Semi-quantitative method" and "Layer Of Protection Analysis (LOPA)". This protection technique has been abundantly presented, commented on and implemented, and the formula given in this standard to calculate the so-called mitigated event likelihood, also known as hazardous-event rate (HER) or hazard event frequency (HEF) (Misumi & Sato, 1999), has been applied by many authors (see, for instance, Babu, 2007; Delvosalle, Fiévez, Pipart, Londiche, & Debray, 2004; Dowell, 1998; Dowell & Hendershot, 2002; Gowland, 2005; Marszal, 2000). But, since that time, the use of this formula and of several other calculation methods in the same domain seems debatable (Innal, 2008; Innal, Dutuit, Rauzy, & Signoret, 2010) and therefore deserves to be further analyzed. This is the object of the present paper, which is organized as follows. Section 2 is devoted to the critical analysis of two fault tree-based methods sometimes used to calculate the failure probability or the failure frequency of systems. These methods are applied to an elementary fault tree model in order to focus more easily on their intrinsic limitations, by comparing the results they give with those provided by a correct method. On the basis of a
basic process control system (BPCS) associated with a pair of safety

* Corresponding author. Tel.: +213 669290488.
E-mail address: innal.fares@hotmail.fr (F. Innal).
Journal of Loss Prevention in the Process Industries 31 (2014) 56–69
Journal homepage: www.elsevier.com/locate/jlp
http://dx.doi.org/10.1016/j.jlp.2014.07.001
ISSN 0950-4230