Stochastic Fuzzy-LOPA Approach for Risk Assessment

of Chemical Processes
Ennio R. Piceno-Díaz1, Héctor Puebla1
1
Departamento de Energía, Universidad Autónoma Metropolitana-Azcapotzalco, Ciudad de

México, México

*magl@azc.uam.mx

July 30, 2020

Abstract

1. Introduction

1.1.- Risk Assessment.

Nowadays is becoming more and more important to assess the uncertainty associated with
information thus identifying our level of knowledge and/or ignorance within an specific process.
Risk analysis of industrial hazardous processes should be performed using a systems framework that
accounts for uncertainties in modeling, behavior, prediction models, interaction among
components of a system, and impacts on the system and its surrounding environment. (Ayyub, Bilal
M. 2003).

Formally, risk can be defined as the potential of losses from an exposure to a hazard or as a result
of a risk scenario. Risks could result in significant budget overruns, delivery delays, failures, financial
losses, environmental damages, and even injury and loss of life (Ayyub, Bilal M. 2003).

In this paper, risk is presented as an expected value of loss or an average loss and it is evaluated as
the product of likelihood of occurrence and the impact severity of occurrence of an event.

1.2.-Classsical LOPA

A method widely used by the chemical processing industry to analyze controls is known as layers of
protection analysis or LOPA. LOPA is a semi-quantitative risk assessment method that includes both
frequency and consequence expressed in an order of magnitude approximation. LOPA was
introduced to comply with Functional Safety Standards in the process industry (IEC, 61511) that are
relevant in determining safety integrity level (SIL) for safety instrumented systems (SIS) (Markowsky,
2012).

The primary purpose of LOPA is determining the effectiveness of existing controls called
independent protection layers (IPLs) or in other words determining if there are sufficient layers of
protection against an specific scenario (a unique pair of cause-consequence) identified by means of
PHA (process Hazard analysis) qualitative methods such as What IF or HAZOP (hazard and operability
analysis), (CCPS, 2020; Popov et al., 2022)

An IPL is a device, system, or action that is capable of preventing a scenario from proceeding to the
undesired consequence without being adversely affected by the initiating event or the action of any
other protection layer associated with the scenario. The three criteria that an IPL must meet are:
Independence, Effectiveness and Auditability (CCPS, 2020).

IPLs include safety instrumented systems (SISs) which are safety interlock systems, safety shutdown
and emergency shutdown systems. Each SIS includes safety instrumented functions (SIFs) such as a
relieving pressure, controlling temperature, shutting down system, etc. Active barriers must have
separate elements of (DDA) ‘detect decide act’, for instance, ‘detect’ a change in condition or what
is going wrong, ‘decide’ what action is required to rectify the change and ‘act’ to stop the threat
from progressing further. Administrative-type measures such as inspections, training, standard
operating procedures (SOPs), and PPE are not IPLs and are not taken credit for them in LOPA (CCPS,
2020; Popov et al., 2022).

Compared with Quantitative Risk Analysis (QRA), LOPA provides a simplified, flexible and effective
but less precise method to assess the effectiveness of protection layers and safeguards

Amongst the advantages of LOPA over other risk assessment methods, is its effectiveness and
flexibility in evaluating safeguards. Moreover, there may be more possible applications of LOPA for
other safety management purposes including: design hazard review, management of change,
machine risk assessment and incident investigation (Markowsky, 2012). Other LOPA’s benefits are:
providing clearly structured tabulation and justification for the chosen integrity level, clarifying the
requirements for the design, operation and maintenance of safety systems and hightlighting the
required shutdown integrity at an early stage in a Project. On the downside, LOPA limitations are
that the quantification of the integrity of the independent protection layers/shutdown systems
must be justified by a full and careful assessment and that it could only be applied to a single cause-
consequence pair at a time (Crawley, 2020).

The major steps of a LOPA study include (Crowl Daniel, Louvar Joseph, 2011; CCPS, 2020):

1.- Identifying a single risk scenario consisting of a single cause-consequence pair.

2.- Identifying the initiating event (IE) for the scenario and estimating the initiating event frequency.
The initiating event must lead to the consequence given failure of all the safeguards.

3.- Identifying the independent protection layers (IPLs) available for this particular consequence and
estimating the probability of failure on demand (PFD) for each IPL. All IPLs are safeguards but not all
safeguards are IPLs.

4.- Combining the initiating event frequency with the probabilities of failure on demand for the
independent protection layers to estimate a mitigated event frequency (MEF) for this initiating
event.
5.- Evaluate the risk to make a decision concerning the scenario. The MEF is compared with the
tolerable frequency criterion. If the MEF is greater than the tolerable event frequency then actions
are required so additional ILP or a SIS are added to the system design.

The MEF of a consequence of a specific scenario is computed using Equation (1):

𝐽

𝑀𝐸𝐹𝑖𝐶 = 𝑓𝑖𝐼 (∏ 𝑃𝐹𝐷𝑖𝑗 ) (1)

𝑗=1

Where: 𝑓𝑖𝐶 is the mitigated consequence frequency for a specific consequence C for an initiating
event i, 𝑓𝑖𝐼 is the initiating event frequency for the initiating event i, and 𝑃𝐹𝐷𝑖𝑗 is the probability of
failure of the jth IPL that protects against the specific consequence and the specific initiating event
i.

In some cases companies may be interested in calculating not only the frequency of a release but
also the frequency of the other outcomes of it. To calculate the frequency of such outcomes,
Equation (1) is modified by multiplying the frequency of the release scenario by the appropriate
probabilities for the outcome of interest. These may include: the probability of ignition (k=1), the
probability that personnel are in the affected area (k=2), the probability that injury occurs or fatality
(k=3), etc (… k=K) as expressed in Equation (2).
𝐽 𝐾

𝑀𝐸𝐹𝑖𝐶,𝐴𝐷𝑂 = 𝐼
𝑓𝑖 (∏ 𝑃𝐹𝐷𝑖𝑗 ) (∏ 𝑃𝑖𝑘 ) (2)
𝑗=1 𝑘=1

Where, 𝑃𝑖𝑘 is the k probability of the additional final outcome (ADO) for the event i.

In order to ease the process of decision making, one useful LOPA result is the Risk Reduction Factor
(RRF) for each risk scenario, which is computed using Equation (3).
𝑀𝐸𝐹𝑖
𝑅𝑅𝐹𝑖 = (3)
𝑇𝐸𝐹𝑖
If RRF < 1 the independent protection layers (IPLs) provide adequate risk reduction. If RRF > 1
additional risk reduction controls are required.

2.- Uncertainty in LOPA, Review of the State of the Art

LOPA is a semiquantitative simplified model that is focused on an specific risk scenario at a time
(one pair of cause-consequence), in traditional LOPA both initiating event frequency and
independent protection layers PFD’s are obtained from databases, for instance: Center for Chemical
Process Safety (CCPS), (CCPS, 1989) and the Offshore Reliability Data Handbook (OREDA), (OREDA,
2002). Failure data coming from these data sources and/or historical data are not accurate enough
since they represent wide intervals and only single points are picked, therefore when used in a LOPA
study the frequency outcome tends to be overestimated and so does the risk. This may lead to
excessive installation and maintenance costs.
A better way to handle or limit uncertainty and obtain more accurate data is if enough appropriate
specific data are collected in order to assemble a relevant database, but this could be time and
money impractical. This is why customized companies data bases may also introduce uncertainties
such as samples size, data quality, measuring, environmental and operating conditions

A study carried out by the Health and Safety Executive of the UK (HSE), (HSE, 2009) motivated by
the Buncefield incident, identified several issues from a sample of 7 LOPA studies applied to fuel
storage tanks in the oil and gas industry. Amongst the important findings are that the quality of data
and data sources used varied widely and even some of the data used were found to be unappropiate
and or contained a high degree of uncertainty. Therefore, HSE recommends as a good practice to
include in any LOPA study a sensitivity or uncertainty analysis to demonstrate the robustness of any
conclusions.

It is evident that taking uncertainty into account in LOPA studies has become paramount, to deal
with this matter, there have been several approaches mainly divided into three categories: those
where fuzzy logic is applied (Fuzzy: Khalil et al., 2012; Markowski and Mannan, 2009; Ouazraoui et
al., 2016; Salaheldine et al., 2020), probabilistic approaches such as Bayesian networks or cloud
models (Pasman and Rogers, 2013; Yan et al., 2017; Yun et al., 2009) and hybrid between fuzzy and
probabilistic models (Hong, et al., 2016; Ouazraoui et al., 2013; Ouazraoui et al., 2015; Zarei et al.,
2018).

Markowski et al. (Markowski et al., 2009) explored the application of fuzzy logic to a bow-tie model,
the input variables are treated as exact values and all the variables are replaced by fuzzy numbers
in the process of fuzzification and subsequently using fuzzy arithmetic, fuzzy probability of the top
event for fault tree, and fuzzy outcome probabilities for event tree are calculated by means of
defuzzification methods for each outcome event. Although the resulting final event probabilities are
more reallistic than the traditional single point estimations, the success of this method depends on
the quality of the PFD values, so uncertainty in this regard is not considered at all. Markowski and
Mannan (Markowski and Mannan, 2009) developed a fuzzy LOPA (fLOPA) approach for risk
assessment of transportation of flammable substances in pipelines in which fuzzy risk matrix
approach (Markowski and Mannan, 2008) was used for risk assessment and the resulting risk index
calculated by fLOPA helps with dealing with the uncertaintes related to the traditional LOPA and it
is more accurate. Khalil et al. (Khalil et al., 2012) developed a cascaded fuzzy-LOPA model for SIL
assessment with an application in the natural gas industry. The model consists of two blocks,where
the first is a fuzzy model to obtain scenario severity, the second fuzzy loop has two inputs: the
severity from the first loop and the scenario frequency. The output from the second loop is the SIL
rating for any additional safeguards. Not only does the fuzzy approach yield more precise outcomes
but it is easy and practical to implement. Ouazraoui et al. (Ouazraoui et al., 2016) presented an
approach to calculate criticality or a risk index using a fuzzy inference system that substitutes the
conventional criticality matrix. In this way the calculated risk index is more precise than conventional
criticality matrix index and facilitates the decision making process of reducing risk.

Salaheldine et al. (Salaheldine et al., 2020) applied the HAZOP technique to the direct reduction iron
industry followed by LOPA, fuzzy logic was used to estimate the severity and determine the SIL rating
which was compared with the one obtained by a traditional LOPA study. In this approach the
tolerable event frequency was obtained as an output of a fuzzy inference system and was
represented as a severity category linguistic variable, the inputs to this system were the economic
loss and number of fatalities. Although the tolerable event frequency for calculating the risk
reduction factor was calculated by fuzzy logic, the mitigated event frequency wasn’t, so the SIL
selection didn’t considered all the associated uncertainties.

Yun et al. (Yun et al., 2009), proposed the Bayesian -LOPA methodology. In this approach Bayesian
estimation updates generic failure data with plant specific data to compensate for the uncertainty
of the insufficient data. The results showed that the Bayesian–LOPA method produces valid and
well-updated risk values improving the risk assessment in LNG importation terminals. Pasman and
Rogers (Pasman and Rogers, 2013) applied Bayesian belief networks to LOPA, offering great
potential in scenario generation/description and analyzing risks taking account of uncertainty. In
this approach, distributions were developed based on data and expert knowledge to represent the
probabilities of failure of demand, the final risk results are in the form of probability distributions.

Yan et al. (Yan et al., 2017) proposed an improved layer of protection analysis called the cloud model
LOPA. In this approach, expert judgements in the form of scores of four severity indices are
converted into cloud descriptors for each event. The frequency of each event is processed along
with the cloud model severity (CMS) yielding the cloud model risk (CMR). The explicit values
obtained from the cloud descriptors make the assessment results more precise and the risk
reduction process too, due to the randomness and fuzziness of the cloud model.

Regarding the hybrid probabilistic-fuzzy approaches, uncertainty encountered in LOPA is considered

in the framework of possibility theory by Ouazraoui et al. (Ouazraoui et al., 2013; Ouazraoui et al.,
2015). The proposed framework used fuzzy quantities to represent the data provided from reliability
databases and expert judgments in LOPA. The fuzzy frequency is calculated by extended
multiplication using -cuts method and the necessary risk reduction is achieved by solving a
possibilistic decision making problem under necessity constraint. One drawback of this approach is
that it is not clear what optimal value of  confidence level satisfies an ALARP demonstration. A
fuzzy logic and probabilistic hybrid approach was developed by Hong et al. (Hong et al., 2016) in
which fuzzy logic inference system based on the available data and expert judgment is used to
calculate a parameter variance modifier that enables quantifying the uncertainty of frequency of an
initiating event and the probabilities of failure on demand (PFD) of the IPLs. The corrected
distributions are then convoluted applying Monte Carlo method. The advantages of this approach
include the application of more accurate failure rates and therefore the calculation of a more real,
less conservative scenario frequency than classical LOPA. Zarei et al. (Zarei et al., 2018) applied a
fuzzy bayesian network (FBN) methodology to a critically analysis of root events. Unlike the
conventional Bayesian network (BN) approach in which crisps probabilities are utilized in assessing
uncertainty, the FBN methodology uses expert elicitation and fuzzy theory to determine
probabilities along with the same conventional BN reasoning and inference algorithms to update
probabilities and for predictive analysis. The FBN provided a more efficient way to deal with
uncertainty with more detailed, transparent and realistic results than the simple BN approach.

Additionally, methods to quantify uncertainty in LOPA studies were proposed by Freeman (Freeman,
2012, 2013). The first method to quantify uncertainty was developed using the variance contribution
method previously applied by Freeman. One difficulty encountered in this framework is the
computation of partial derivatives so, Freeman (Freeman, 2013) explored the use of approximations
to compute the uncertainty information and developed a simplified method to evaluate the
uncertainty in the basic LOPA equation by estimating its mean and variance and then calculating the
uncertainty range in the resulting scenario frequency. Both Freeman methods to estimate
uncertainty were validated using Monte Carlo simulation and the advantage of the latter is its
simplicity and direct approach.

Through fuzzy logic applied to LOPA method, it has been proved that a more precise assessment can
be made, nevertheless the obtained final outcome is a crisp value. Although uncertainty is reduced
by the application of fuzzy logic, an even more precise result could be obtained when probabilistic
methods are mixed with fuzzy inference systems. The final results from the hybrid frameworks are
distributions that allow to make better decisions regarding risk reduction and ALARP
demonstrations.

This paper presents a LOPA fuzzy probabilistic framework intended for risk assessment, it is based
on a fuzzy matrix model that is used in a Monte Carlo simulation. Consequences are calculated as a
fuzzy number by means of a severity fuzzy inference system and the frequency is calculated by
classical LOPA. Consequence variables, iniating event frequency and protection layer PFD’s are
represented as probability distributions. In this study, fuzzy logic and stochastic approach are mixed
to provide robustness and to account for uncertanties in both consequences and LOPA input
parameters.

3.- Methodology

3.1 Fuzzy Logic

Fuzzy Sets theory (Zadeh, 1973) was developed to deal with imprecise, ambiguous or missing
information, necessary to solve many problems. A typical case where fuzzy sets theory can be
applied is LOPA because classical LOPA method uses rough estimates of probability to compute a
value of risk that is often too conservative or overestimated.

Unlike traditional sets theory that an element belongs to a set or not, in fuzzy sets theory an element
can belong to a set in some degree which is called membership function () and it takes values
between 0 and 1. Moreover, fuzzy sets are very useful describing linguistic variables and qualitative
data and their membership functions can be represented by mathematical functions, i.e triangular,
trapezoidal, Gaussian, Bell, lognormal, etc.

Fuzzy modelling requires converting the input variables in three steps before a crisp output
information can be obtained: fuzzification, fuzzy inference system (FIS) and defuzzification. The
fuzzy modelling method used in this research is based on linguistic modelling of the input and output
variables. The linguistic variables are represented by fuzzy sets (fuzzification) and IF-THEN rules. The
Mamdami procedure (FIS) which is based on IF-THEN rules is selected to determine the membership
functions resulting effect on the variable of concern as a fuzzy set. Consequently, the fuzzy outcome
of the FIS is converted into a crisp value by means of a defuzzification method, in this paper centroid
method was adopted. The structure of a fuzzy logic system and the transformation steps, are shown
in Fig. 1.
 Fig 1 Fuzzy logic system structure

3.2 Risk Matrix

An important and powerful tool for ranking the risks and performing qualitatively risk assessment
in process hazard analysis (PHA) is Risk Matrix. The logic behind a risk matrix model is the
relationship of the output Risk Category with two independent input categories: the frequency and
the severity. The categorization of the frequency and severity depends on the type of activity or
processes involved. A widely accepted risk matrix standard is the MIL-STD-882E, in which frequency
is categorized into six categories and severity into four categories. In this paper, a modified risk
matrix based on MIL-STD-882E standard is used with the intention of serving as a basis for the fuzzy
risk inference system design. An increased severity of consequence resolution with respect to MIL-
STD-882E was included in the modified matrix allowing for a better fit for a wide spectrum of
industrial applications (Alp, E., 2006), so five severity categories are included instead of four. The
5x6 risk matrix used for designing the fuzzy risk inference system is shown in Fig. 2. In this work, the
risk categories of the risk matrix are the same used by Markowski and Mannan, 2009 (Markowski
and Mannan, 2009): A: acceptable, no further action is required; TA: tolerable acceptable, further
action is based on ALARP principle; TNA: tolerable–unacceptable, additional safety measures are
required; and NA: non-acceptable, must change immediately.

Severity
Frequency Negligible Low Marginal Critical Catastrophic
I II III IV V
Frequent G T TNA NA NA NA

Probable F T TNA TNA NA NA

Occasional E T T TNA TNA NA

Remote D A T T TNA TNA

Improbable C A T T T TNA
Imposible B A A A T T

Fig 2 Risk assessment matrix (frequency categories: B: impossible, C: improbable, D: remote, E: occasional, F: probable, G: frequent;
severity categories: I: negligible, II: low, III: marginal, IV: critical, V: catastrophic; risk categories: A: acceptable, TA: tolerable–acceptable,
TNA: tolerable–unacceptable, NA: unacceptable)
3.3 Proposed Framework

The present work applies the Fuzzy LOPA model developed by Markowski and Mannan (Markowski
and Mannan, 2009) and Zuniga (Zuniga, 2008) combined with a Monte Carlo algorithm, in order to
determine a robust risk index distribution that could facilitate the risk reduction and decision making
processes and also could facilitate SIL selection.

The arquitecture of the stochastic fLOPA approach is depicted in Fig. 3. The framework consist of
two fuzzy model blocks, the severity fuzzy inference system (S-FIS) and the risk fuzzy inference
system (R-FIS), the former calculates the severity of the consequence for the scenario and works in
parallel with the LOPA event tree model, the latter uses the event frequency from the LOPA method
and the fuzzy severity crisp value from S-FIS as inputs in order to calculate a crisp risk index.

The inputs to the LOPA event tree model are represented by probability distributions for the
initiating event frequency and probability of failure in demand of the independent protection layers.
Since the lognormal probability distribution truncates the random variable range, allowing for only
the use of positive values, its probability density function (PDF) is skewed to the right compared to
the normal distrbution. This make the lognormal distribution more suitable for use in modeling
failures at the beginning of the equipment lifecycle and those that typically occur in chemical
processes (Chakrabarty, A., Mannan, S., Cahin, T., 2016). This is the reason why in this research the
lognormal distribution was used to represent the initiating event frequency and the PFD’s of the
independent protection layers. The normal PDF of lognormal distribution is given by Equation (4).
1 1
𝑓(𝑡|𝑚, 𝑣) = 𝑒𝑥𝑝 [− (ln 𝑡 − 𝜇)] (4)
𝑡𝜎√2𝜋 2𝜎 2
The mean and the variance of the Lognormal distribution are given by Equations (5)-(6).

𝜎2
𝑚 = 𝐸(𝑙𝑛𝑡) = exp (𝜇 + ) (5)
2

𝑣 = 𝑉𝑎𝑟(𝑙𝑛𝑡) = [exp(𝜎 2 ) − 1]exp(2𝜇 + 𝜎 2 ) (6)

Where, the parameter  and  are respectively the mean and standard deviation of the variable’s
natural logarithm, and m and v are the mean and variance of the lognormal distribution respectively.
In this paper, m and v were obtained from generic databases and expert experience. The
convolution or multiplication of frequency of failure rate distributions was achieved by a Monte
Carlo algorithm in which 10000 realizations were generated. The mitigated event frequency of each
IE frequency and PFD convolution was directly fed as an input variable to the risk fuzzy inference
system and defining the membership function accordingly, in this way the problem of dealing with
agreggation of frequency and PFD fuzzy numbers is avoided.

In the other hand, the inputs to the severity fuzzy inference system (S-FIS) are represented by
distributions for the number of injuries, extent of medical treatment and fatalities. To represent
these variables a discrete uniform distribution was used, so uniformly distributed random integers
were generated in each realization. Discrete uniform distribution for injuries, fatalities and extent
of medical treatment were selected because it is a symmetric probability distribution wherein a
finite number of values are equally likely to be observed so every one of the n values has equal
probability of 1/n. This is also advantageous because uncertainty is introduced in all of severity fuzzy
system inputs and the robustness of the proposed probabilistic framework can be tested. The
discrete uniform distribution itself is inherently non-parametric, its values are generally represented
by all integers in an Interval [a,b] so that a and b are the main parameters of the distribution. The
cumulative distribution function of the discrete uniform distribution and the probablity mass
function are expressed by Equations (7)-(8).
⌊𝑘⌋ − 𝑎 + 1
𝐹(𝑘; 𝑎, 𝑏) = 𝑓𝑜𝑟 𝑎𝑛𝑦 𝑘 ∈ [𝑎, 𝑏] (7)
𝑏−𝑎+1
1
𝑃𝑀𝐹 = ; 𝑤ℎ𝑒𝑟𝑒: 𝑛 = 𝑏 − 𝑎 + 1 (8)
𝑛
As for the frequency event tree, 10000 realizations were generated for the injuries, fatalities and
EMT distributions and were fed to the S-FIS, where they were convoluted to obtain a crisp severity
value, hence also 10000 severity index realizations were obtained.

Finally, the results of the severity index and the mitigated event frequency were fed to and
combined with the R-FIS in order to generate the crisp risk outcome that is presented as a probability
distribution.

Fig 3 Structure of Stochastic Fuzzy-LOPA Approach

Regarding the distribution’s convolution, Monte Carlo method was used, therefore random
numbers were generated for each distribution, so for every realization of all the input variables for
both the LOPA model and the severity fuzzy model, a crisp risk index value was calculated.

3.4 Severity Fuzzy Inference System (S-FIS)

The severity fuzzy inference system is designed based on the IIAR’s OSHA compliance matrix and
Zuniga (Zuniga, 2008) because the case study of this paper is related to an ammonia refrigeration
process. Therefore based on the above, the severity index (S-FIS output) is a function of fatalities
(life threatening injuries, LFT), injuries and the extension of medical treatment whose variables are
the inputs to the S-FIS. One of the advantages of the S-FIS is its ability to handle the uncertanties
related with the severity consequences modelling of loss of containment events. In this paper, both
fatalities and injuries represent the expert opinion about the presence of personnel in the plant
section of concern. The extent of medical treatment is an integer value (from 1 to 3) that represents
the expert opinion about the medical attention for the people injured after the undesirable event.

Table. 1. gives the details of the fuzzy sets, numbers and linguistic variables along with their linguistic
terms and universe of discourse that are part of the design of the S-FIS. And Fig. 4. presents the
fuzzy sets and its membership function for each variable used in the S-FIS design. The IF-THEN rules
to estimate S-FIS output which is the severity are presented in Table. 2. as a matrix. As depicted in
Table. 2. and Fig. 4., IIAR considers that more than one fatality leads to a catastrophic scenario,
whereas one fatality represents a critical or high risk scenario

Fig 4 Severity Fuzzy Inference System (S-FIS) Membership functions for inputs and output

IF [(# of injuries) is X and (Extension of Medical Treatment) is Y] THEN (Severity) is Z

Severity Rules Extension of Medical Treatment (EMT)

# of Injuries First Aid Physician Care Advanced
High Marginal Critical Catastrophic
Intermediate Marginal Critical Critical
Moderate Low Marginal Critical
Low Negligible Low Marginal

IF (LTF) is X THEN (Severity) is Y

LTF Severity
One Critical
Critical Catastrophic

Table. 2. If-then rules for severity of S-FIS

 FIS Linguistic Linguistic Term Universe of
Description Description Range
Type Variables (Fuzzy Set) Discourse
S-FIS Injuries Low One injury that may require only
0 ≤ 𝐼𝑛𝑗 < 2 𝐼𝑛𝑗 ∈ (0,20)
(input) first aid treatment
Moderate Two ot three injuries that
0 ≤ 𝐼𝑛𝑗 < 4
require first aids
Intermediate Five injuries requiring either first
2 ≤ 𝐼𝑛𝑗 < 7
aid and or/ physician care
High More than eight injuries that
may require advanced medical 𝐼𝑛𝑗 > 5
treatment

S-FIS Extension First Aid Medical attention administered

(input) of Medical immediately at the location the 𝐸𝑀𝑇 = 1 𝐸𝑀𝑇 ∈ (1,3)
Treatment injury occurs by plant personnel
Physician Care Healthcare that has to be
𝐸𝑀𝑇 = 2
administered by a doctor.
Advanced Healthcare that has to be
administered by a medical 𝐸𝑀𝑇 = 3
specialty doctor in a hospital

S-FIS Fatalities LTF—One One fatality occurs 𝐿𝑇𝐹 = 1 𝐿𝑇𝐹 ∈ (0,20)

(input) (Life LTF—CRI Two or more fatalities occur
Threatening 𝐿𝑇𝐹 > 1
Injuries)

S-FIS Severity Negligible (I) No losses 1<𝑆≤2 𝑋𝑆 ∈ (1,5)

(output) Low (II) Restricted to local vicinity,
R-FIS potencial injuries requiring no 1<𝑆≤3
(input) more than first aid
Marginal (III) Moderate injuries requiring
2<𝑆≤4
physician care
Critical (IV) One fatality and multiple injuries
3<𝑆≤5
with permanente disability
Catastrophic (V) Multiple fatalities 4<𝑆≤5

R-FIS Frequency Frequent (G) Happens several times per year 10−1 ≤ 𝐹 < 101 𝑋𝐹 ∈ (10−12 , 101 )
(output)
Probable (F) Will occur several times in the
life of an item 10−2 ≤ 𝐹 < 100
Occasional (E) Likely to occur sometime in the
life of an item 10−4 ≤ 𝐹 < 10−1
Remote (D) Unlikely, but possible to occur in
the life of an item 10−5 ≤ 𝐹 < 10−3

Improbable (C) Not expected to occur during the

lifetime o fan item 10−7 ≤ 𝐹 < 10−4
Impossible (B) Incapable of occurrence 𝐹 < 10−6

R-FIS Risk Acceptable (A) No action required 0≤𝑅≤2 𝑋𝑅 ∈ (1,5)

(output) Category Tolerable (T) Action based on ALARP principle 1≤𝑅≤3
Tolerable- Indication for improvements in
Unacceptable (TNA) medium notice 2≤𝑅≤4

Unacceptable (NA) Must be reduced immediately 3≤𝑅≤5

Table. 1. Fuzzy sets for severity fuzzy inference system (S-FIS) and risk fuzzy inference system (R-FIS).

3.5 Risk Fuzzy Inference System (R-FIS)

When designing a fuzzy risk matrix an important management task is the proper selection of the risk
matrix and this task is included in safety and major accident prevention policies (Alp, E., 2006;
Markowski and Mannan, 2008). For this research the fuzzy logic matrix is based on the work of
Zuniga (Zuniga, 2008) and the IIAR’s OSHA risk matrix because the case study selected is about a
node of an ammonia loop refrigeration process. Input variables to the risk fuzzy inference system
(R-FIS) are the mitigated frequency of the scenario and the crisp severity that is S-FIS output. The
output of the R-FIS is a final crisp risk value.

The scenario´s severity membership function is the same as used in the S-FIS. The membership
functions of the iniating event frequency and for the risk outcome are presented in Fig. 5. The
definitions of the linguistic terms that are asociated with the R-FiS variables are presented in Table.
1. The set of rules for the R-FIS are shown in the form of matrix in Fig. 2. while the surfaces for both
S-FIS and R-FIS after evaluation of all the rules are presented in Fig. 6.

Fig 5 Risk
Fuzzy Inference System (R-FIS) Membership functions for inputs and output

Fig. 5. Fuzzy Severity and Risk Surfaces

3.6. Case Study

The case study selected in order to exemplify the utility of the present fuzzy LOPA stochastic
algorithm is an industrial ammonia two-stage refrigeration system (Zuniga, 2008). For this study only
the node comprising the high pressure receiver of the system is considered, because it is one of the
most critical units in the system that contains a large ammount of ammonia under high pressure. So
charging of ammonia for starting up and making up are considered in the analysis of this node. As
presented in Fig. 6. the node consist of the ammonia receiver HPR-100 and thermosiphon tank TSV-
100. The complete system has several two stage refrigeration loops and the refrigerant receiver has
as design intent receiving the liquid ammonia from the evaporative condensers and feed the liquid
refrigerant to a heat exchanger called intercooler. The receiver has a capacity of 31000 L and
operates at 9 Bar and +35°C. The thermosiphon tank functions as a regulator for the liquid ammonia
feed to the receiver and also feeds the compressor lubrication system. The scenario used in this
research was chosen from a HAZOP study of a complete ammonia refrigeration system of an
icecream manufacturing plant.

Fig. 5. Simplified Node for Ammonia Refrigeration System High Pressure Receiver

4.- Results and Discussion

Only one cause-consequence pair is used as an example to illustrate the application of the proposed
stochastic fuzzy LOPA framework. The selected scenario from the HAZOP is intended to analyze the
rapid charging of ammonia into the high pressure receiver due to human error in setting up the tank
truck pump, resulting in a release of a toxic cloud into the plant through a relief valve, affecting the
personnel, community and environment. So, for this scenario the identified initiating event is the
operator human error in adjusting the truck pump pressure, as shown in Table 3 the frequency of
the initiating event is a typical value taken from CCPS of 1x10-2 / opportunity, and if two charging or
making up operations are performed per year then the initiating frequency is 2x10-2 /year. In the
initial risk assessment, the identified IPLs to consider are only the pressure safety valves PSV-01 A/B,
PSV-02 A/B that are installed on the top of the receiver and thermosiphon vessel. Since these valves
are installed above a three way change over valve, only one pressure safety valve is active for
protecting the high pressure receiver, this is because the purpose of the change-over valves is to
eliminate possible downtimes due to maintenance activities. Therefore, credit is not taken from the
other pressure safety valves and the PFD of a single PSV is considered for this IPL. The most accepted
value of PSV PFD in the industry and literature is 1x10-2, this mean value as seen in Table 3, is
considered for the LOPA calculations in the traditional LOPA based on Equation (1) giving a
frequency of the mitigated consequence of 2x10-4 /year as shown in Table 4. The risk tolerance
criteria considered in the case study is 1x10-5 /yr that is a value according to the company’s risk
tolerance criteria included in the HAZOP. For the base case of the traditional LOPA, since the
mitigated event frequency (MEF) is 2x10-4 /yr then the MEF is greater than the risk tolerance criteria,
moreover the calculated risk reduction factor (RRF) is 20 as shown in Table 4. Therefore, additional
protection layers should be added to achieve the required risk reduction and perform an ALARP
demonstration.

For the required risk reduction, a need for a high pressure and/or high level safety instrumented
function (SIF) as a IPL to trip the feed pump and close an inlet valve (to be installed) to prevent the
overpressure accident, is identified. The proposed SIF is considered to have a PFD of 2x10-2 and is
expected to lower the frequency of the consequence to an ALARP, tolerable level. The calculated
MEF after adding the proposed overpressure SIF is shown in Table 4 along with its corresponding
RRF. According to Table 4, now with the additional SIF a tolerable level of risk is reached of 4x10-6
/yr with a acceptable RRF of 0.4.
Initiating Event Frequency IPL PFD
Receiver PSV Overpressure, Overfill SIS
Human Error in Setting Truck Pump
(Initial Risk Scenario) (Added for ALARP Demonstration)
1x10-2 / opportunity

(2 opportunities/ yr) 1x10-2 2x10-2

2x10-2 /yr

Table. 3.Frequency and probability of failure on demand (PFD) data.

As shown in the arquitecture of the proposed Stochastic Fuzzy-LOPA Approach in Fig. 3. the required
inputs are the probability distributions for the initiating event, IPL PFD’s, number of injuries, extent
of medical treatment and number of fatalities.

The lognormal distributions for the initiating event and each IPL are considered based on generic
databases, CCPS data and expert experience. The uniform distribution is considered for the number
of injuries, extent of medical treatment and number fatalities. The input data for all the distributions
used in the case study are shown in Table 5.
 Stochastic LOPA
Traditional LOPA
LOPA Initial Risk Reduced Risk
Result
Initial Risk Reduced Risk Mean 95 Percentile Mean 95 Percentile

MEF 2x10-4 4x10-6 1.95x10-4 7.74x10-4 3.91x10-6 1.21x10-5

RRF 20 0.4 19.57 77.4 0.39 1.21

Table. 4. MEF and RRF of Traditional LOPA and Stochastic LOPA

Distribution Type Initial Risk Sc. Reduced Risk Sc. ALARP

Initiating Event (IE) Log Normal f(0.02, 0.001) f(0.02, 0.001)

IPL PFD f(m,v) f(0.01, 0.0005) f(0.02, 0.005)
Injuries F(3,12) F(2,4)
Uniform
Extent of Medical Treatment F(2,3) F(1,2)
F(a,b)
Fatalities F(1,6) F(0,2)

Table 5. Probability Distributions of Frequency, IPL PFD’s, Injuries, Extent of Medical Treatment and Fatalities

10000 random numbers were generated for the distributions of the IE, IPL PFD’s and the severity
input variables, shown in Table 5, in order to apply the Monte Carlo Method to the traditional LOPA
framework of Equation (1) and at the same time in parallel to the severity fuzzy inference system
(S-FIS). The result from each convolution of the LOPA framework and the crisp output of the S-FIS
are fed as inputs to the Risk Fuzzy Inference System (R-FIS) whose output is the crisp fuzzy risk index.
Regarding the distribution convolution based on the multiplication of the frequency of initiating
event and the failure rates of each IPL, all the resulting values are presented in histograms as shown
in Fig. 6. for both initial and reduced risk scenarios and also for the RRF. One can make safety
decisions only based on MEF and RRF results and as stated by Hong, et al., (2016) if the difference
between the mean and the 95 percentile values is greater than one order of magnitude, additional
IPLs can be applied to reduce the failure frequency of the specific scenario. The values of the mean
and 95 percentile for both scenarios are shown in Table 4.

Fig. 6. MEF and RRF in Histograms for Initial Risk and Reduced Risk Scenarios
The fuzzy risk index values obtained from the proposed stochastic fuzzy LOPA are shown in Fig 7 as
a cumulative probability graph and as a histogram for both scenarios discussed in this case study.
Regarding the cumulative probability curves for both scenarios, the differences between the 50%
and 90% probability values is little, so this section of the curves does not vary much, so the safety
decisions regarding whether a risk index value is tolerable or acceptable or not is easier than the
fuzzy LOPA and the traditional LOPA. Table 6 shows the indexes of the traditional risk matrix of Fig
2 and the fuzzy matrix of Fig 5 comparing them with the mean and the 95 percentile values of the
fuzzy risk index. As shown in Table 6, the mean risk index and the 95percentile values obtained from
the proposed stochastic fuzzy LOPA approach are more accurate than the fuzzy LOPA approach that
tends to be more conservative and in some cases overestimated. One of the advantages of the
stochastic fuzzy LOPA approach is that it takes into account the uncertainties in the severity
variables that the simple fuzzy LOPA approach can’t, so risk assessment could be more precise and
less conservative.

Fig. 7. Cummulative Probability or Fuzzy Risk Index and Fuzzy Risk Index Histogram

Stochastic Fuzzy
Risk Scenario TRA Matrix Fuzzy Matrix
Mean 95 Percentile

4 (NA if frequency is Occasional

Initial Risk 3.25 (NA-0.11, 0.89 TNA) 2.90 3.32
3 (TNA if frequency is Remote)

2 (T if frequency is Improbable)
Reduced Risk, ALARP 2.04 (TNA-0.02, 0.98 T) 1.92 2.21
2 (T if frequency is Impossible)

Table. 6.Traditional LOPA, Fuzzy LOPA and Stochastic Fuzzy LOPA Results
5.-Conclusions

The uncertainty in the input data used in LOPA studies is an issue that has been treated either with
fuzzy approaches or probabilistic approaches or even with hybrid models. Monte Carlo method is a
merely probabilistic approach that is very useful in quantifying risk and considering uncertainties
associated with input variables of processes. Fuzzy LOPA approaches have proven to be useful too
when handlying uncertainties specially when applied to risk assessment based on risk matrices. This
paper applies a Monte Carlo algorithm to the fuzzy risk matrix models in order to obtain a crisp risk
index distribution. This stochastic fuzzy LOPA approach not only considers uncertainties in the LOPA
frequencies and PFDs but also in the severity variables such as number or injuries or fatalities. That
is for any given parameter for which uncertainty exists the uncertainty must be described via a
probability distribution. The comparison between the results of the proposed approach with the
fuzzy and traditional LOPA, show that the stochastic fuzzy LOPA approach provides a risk index mean
and 90 percentile that is lower and more accurate than the traditional and fuzzy LOPA. This is due
to the conservative selection of the input variables and of course because no uncertainties are
considered. Other advantage of the proposed framework is that it is not only a Monte Carlo
simulation of the traditional LOPA equation, because the output distribution is entirely fed to a fuzzy
inference system which itself also contributes to process the uncertainties for the risk index. The
results obtained in this research show that it is a useful tool when large uncertainties are present in
LOPA scenarios, giving more confidence to the analyst when making safety decisions regarding the
installation of additional safety instrumented functions and thus avoiding posible discrepancies.
References.

1. ANSI, 2003. Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
ISA. American National Standards Institute, 61511 Standard.

2. Ayyub, B.M. Risk Analysis in Engineering and Economics. Chapman & Hall/CRC, 2003.

A. Salaheldine Darwish et al., Applying LOPA and fuzzy logic to identify SIL requirement
for safety critical functions in a direct reduction iron industry, Alexandria Eng. J.
(2020), https://doi.org/10.1016/j.aej.2020.06.003

3. CCPS, 1989. Guidelines for Process Equipment Reliability Data with Data Tables. Center for
Chemical Process Safety/AIChE.

4. CCPS, 2020. Center for Chemical Process Safety. Layer of Protection Analysis: Simplified
Process Risk Assessment. Wiley.

5. Chakrabarty, A., Mannan, S., Cahin, T., Multiscale Modeling for Process Safety Applications,
Butterworth-Heinemann, Elsevier, 2016.

6. Crawley, F., A Guide to Hazard Identification Methods. 2nd Edition. Elsevier, 2020.

7. Crowl, D.A., Louvar, J.F., Chemical Process Safety, fundamentals with applications. 2nd
Edition. Prentice Hall International Series, 2011.

8. Freeman, R., 2012. Quantifying LOPA uncertainty. Process Saf. Prog. 31 (3), 240-247.

9. Freeman, R., 2013. Simplified uncertainty analysis of layer of protection analysis results.
Process Saf. Prog. 32 (4), 351-360.

10. Hong, Y. Z., Pasman, H. J., Sachdeva, S., and Markowski, A. S., 2016. A fuzzy logic and
probabilistic hybrid approach to quantify the uncertainty in layer of protection analysis. J.
loss Prev. process industries. 43, 10-17. DOI: 10.1016/j.jlp.2016.04.006.

11. International Institute of Ammonia Refrigeration (IIAR) . Process Safety Management

Guidelines for Ammonia Refrigeration, IIAR, Arlington, VA, 1998.

12. Khalil, M., Abdou, M.A., Mansour, M.S., Farag, H.A., Ossman, M.E., 2012. A cascaded fuzzy-
LOPA risk assessment model applied in natural gas industry. J. loss Prev. process industries
25 (6), 877-882.

13. Markowski, A.S.M. and Mannan, S. 2008, “Fuzzy risk matrix”, J. Hazard. Mater. 159 (1), 152-
157. http://dx.doi.org/10.1016/j.jhazmat.2008.03.055.

14. Markowski, A.S., Mannan, M.S., 2009. Fuzzy logic for piping risk assessment (pfLOPA). J. loss
Prev. process industries 22 (6), 921-927.
15. Markowski, A.S., Mannan, M.S., Bigoszewska, A., 2009. Fuzzy logic for process safety
analysis. J. loss Prev. process industries 22 (6), 695-702.

16. Nait-Said, R., Zidani, F., Ouzraoui, N. 2009. Modified risk graph method using fuzzy rule-
based approach. J. Hazard. Mater. 164, 651-658.

17. Ouazraoui, N., Nait-Said, R., Bourareche, M., Sellami, I., 2013. Layers of protection analysis
in the framework of possibility theory. J. Hazard. Mater. 262, 168-178.

18. Ouazraoui, N., Bourareche, M., Nait-Said, R., 2015. Proceedings of the 2015 International
Conference on Industrial Engineering and Operations management Dubai, United Arab
Emirates (UAE), March 3 – 5, 2015

19. Ouazraoui, N., Achouri, N., Nait-Said, R., 2016. An alternative approach to criticality analysis
of industrial risks. Proceedings - International Conference on Industrial Engineering and
Operations Management, Kuala Lumpur, Malaysia, March 8-10, 2016.

20. OREDA, 2002. Offshore Reliablity Data Handbook.

21. Pasman, H., Rogers, W., 2013. Bayesian networks make LOPA more effective, QRA more
transparent and flexible, and thus safety more definable! J. loss Prev. process industries 26
(3), 434-442.

22. Popov, G., Lyon, B.K., Hollcroft, B.D., Risk Assessment, A Practical Guide to Assessing
Operational Risks, 2nd Edition, Wiley, 2022.

23. US Department of Defense, System Safety Program Requirements, DC US Depart-ment of

Defense, MIL-STD-882E.

24. Yan, F., Xu, K., Cui, Z., Yao, X., An improved layer of protection analysis based on a cloud
model: Methodology and case study, Journal of Loss Prevention in the Process Industries
(2017), doi: 10.1016/j.jlp.2017.04.006.

25. Yun, G., Rogers, W., Mannan, S. Risk assessment of LNG importation terminals using the
Bayesian–LOPA methodology, 2009. J. loss Prev. process industries 22, 91-96.

26. Zadeh, L.A., 1965. Fuzzy sets. Inf. control 8 (3), 338e353.

27. Zarei, E., Khakzad, N., Cozzani, V., Reniers, G., 2019. Safety analysis of process systems using
Fuzzy Bayesian Network (FBN), Journal of Loss Prevention in the Process Industries 57, 7-
16.

28. Zuniga, G. (2008). Layer of protection analysis applied to ammonia refrigeration systems,
Texas A&M University, M. S. Thesis, College Station, TX.