An Integrated Approach to Safety Instrumented System Lifecycle Management: Risk Evaluation and Optimization in the Petrochemical Industry Using Genetic Algorithms

The proposed methodology for the evaluation and optimization of SIS comprises five key steps, as illustrated in Figure 1.

1.png

Figure 1. Proposed methodology for SIS lifecycle management

These steps are designed to provide a comprehensive and systematic approach to address the critical aspects of risk analysis, SIL allocation, SIS realization, validation, and optimization. The five main steps of our methodology for SIS evaluation and optimization are explained below:

Step 1: Risk analysis

The risk analysis stage is essential for locating possible risks and assessing their effects. Several well-known risk analysis techniques have been used in this phase, including Fault Tree Analysis (FTA), Hazard and Operability (HAZOP), Failure Modes, Effects, and Criticality Analysis (FMECA), and Preliminary Hazard Analysis (PHA) [18, 19]. Studies on HAZOP are widely utilized techniques, especially in the petrochemical industry [20]. The study is carried out by a multidisciplinary team that divides the plant into streams (which represent particular products or utility materials) and nodes (which represent strategic equipment and sections). To find possible departures from the design intent, the team uses a set of guidelines (like no, more, and less) along with process parameters (like temperature, flow, and pressure). The team looks into the causes, effects, and current safeguards for each deviation that is found; it then looks for any gaps and suggests adding new safeguards as needed. Potential accident scenarios and their effects, such as fires, explosions, or toxic releases, are identified through the HAZOP study process [21]. To support the risk analysis process, modeling and calculation programs like PHAST and ALOHA can be used in addition to the HAZOP study [22, 23]. PHAST (Process Hazard Analysis Software Tool) is selected to quantitatively model the consequences of hazardous scenarios. PHAST, developed by DNV, is a comprehensive software tool widely used in the industry to simulate the progression of accidental releases, such as gas leaks, fires, explosions, and toxic dispersions [24]. It provides critical outputs, including safety distances, thermal radiation contours, overpressure levels, and toxic exposure zones. While HAZOP identifies potential deviations, their causes, and qualitative consequences, PHAST completes the HAZOP analysis by simulating the physical progression of identified scenarios, such as vapor cloud dispersion or pool fires [25]. This integration allows for a more detailed understanding of the potential impacts, supporting the prioritization of risks and the design of effective mitigation measures. The consequence analysis using the PHAST Software involves the following steps:

Scenario selection: Hazardous events identified in the previous phases are selected for consequence modeling.

Input data preparation: Process parameters, environmental conditions, and chemical properties are entered into the software.

Simulation and analysis: PHAST generates consequence reports including impact zones and thermal radiation levels.

Step 2: SIL allocation

The allocation of a Safety Integrity Level (SIL) is a critical step in the design of SIS, ensuring that the system provides a quantitative measure of the effectiveness of safety functions in controlling risk to an acceptable level. The SIL provides a statistical measure of the reliability of SIS when faced with a process demand. According to IEC 61508, there are four distinct SIL categories, ranging from SIL 1 (lowest) to SIL 4 (highest). Each of these levels is associated with a specific range of values for both the average probability of failure on demand (PFDAvg) and the probability of a dangerous failure per hour (PFH). These Relationship is illustrated in Table 1. The two common methods used for SIL allocation are Risk Graph and LOPA.

Risk Graph is a qualitative technique used to assign SILs based on predefined criteria related to consequences severity, exposure frequency, hazard avoidance probability, and demand rate on safety functions [26, 27]. While the Risk Graph method is simpler and easier to apply, it lacks precision compared to LOPA as it relies on subjective judgments rather than exact probabilities and frequencies [28]. This qualitative nature can lead to inconsistencies in SIL determination, particularly in complex industrial processes where numerical data is more readily available [29]. The method's reliance on subjective assessments may introduce uncertainties in SIL assignments, highlighting the importance of considering more quantitative approaches like LOPA in certain contexts.

Table 1. Safety integrity level (SIL) according to PFDavg and PFH [1]

LOPA is a semi-quantitative method that enables determining the minimum SIL necessary to lower the risk levels of SISs to acceptable levels [30, 31]. This method bases its calculation on the number of independent protection levels required to control the risk in each hazardous situation. The LOPA technique begins with information gathered during hazard identification, typically through a HAZOP study. It addresses each identified hazard by documenting both the initiating causes and the protective measures that prevent or mitigate the hazard. The fundamental approach of LOPA is to calculate the frequency of a hazardous event (impact event) by quantifying the initiating causes, frequencies, and probability of failure on demand for each protective layer [32, 33]. The Intermediate event frequency can be formulated as follows:

$f^c=f^{I E} * \prod_i P F D_{{avg }}^i$          (1)

$f^c$: occurrence frequency of consequence C

$f^{I E}$: initiating event frequency

$P F D_{ {avg }}^i:$: Average probability of failure on demand of the barrier i.

The required risk reduction allocated to the SIS safety function is obtained by comparing with the maximum allowable average probability of failure  that the SIS could have, such that the necessary risk reduction is achieved. Reading this quantity in Table 1 makes it possible to define the corresponding SIL.

$P F D_{ {avg }}^{S I S} \leq \frac{f_t}{f^{I E} * \prod_i P F D_{ {avg }}^i}$          (2)

Comparing the frequency of the feared event to the safety objective (tolerable frequency) yields the assigned risk reduction for the SIS safety function. The inequality's right-hand side quantity represents the SIS's maximum allowable average failure probability that would achieve the required risk reduction. Consulting Table 1 with this quantity enables the determination of the corresponding SIL.

Step 3: SIS realization

After assigning the necessary SIL, the SIS must demonstrate performance that meets the corresponding criteria. Several methodologies have been used to calculate the Probability of Failure on Demand (PFDavg) and determine the Achieved SIL, such as Markov models [3], Petri nets [3], and FTA [3]. However, these techniques may have limitations when integrated into optimization frameworks due to their computational complexity and difficulty in handling large search spaces efficiently. For these computations, we employ the generalized analytical equations established by Innal et al. [34]. The computed result should not exceed the threshold value set during the required SIL stage. This quantitative assessment necessitates the evaluation of multiple factors: the system's architecture (including the number of components used and their voting logic), failure rates, diagnostic coverage, intervals between periodic tests, time required for repairs, and common cause failures.

Step 4: SIS validation

In this step, a comparison between the determined required and Achieved SILs is made. The SIS is considered to meet its requirements if the Achieved SIL is equal to or greater than the required SIL. This indicates that the SIS can provide the necessary risk reduction assigned to it, thus fulfilling the security objective. It is crucial to record the comparison results, including the methodologies used to calculate the actual SIL, data origins, assumptions, and any conducted verification tests. This documentation acts as proof of adherence to relevant safety standards, such as IEC 61508 and IEC 61511. However, if the Achieved SIL is lower than the required SIL, the SIS must be enhanced to ensure the actual SIL meets or surpasses the required level.

Step 5: SIS optimization

If the realized SIS does not meet the required Safety Integrity Level (SIL), the methodology advances into the optimization phase. In this step, the SIS architecture is iteratively modified and enhanced until the required SIL is achieved. The optimization process explores various architectural configurations by considering parameters such as the number of elements used and their voting logic, failure rates, diagnostic coverage, periodic test intervals, repair time, and common cause failures. This iterative process continues until a solution is identified that meets the SIL requirements.

In this step, the GA was selected as the most suitable optimization method due to its efficiency in handling complex, non-linear problems, particularly those involving single-objective functions like minimizing the Probability of Failure on Demand (PFDavg) [34]. The optimization of PFDavg involves exploring a vast search space defined by various decision variables, including the number of components in each subsystem (sensors, logic solvers, and final elements), their voting logic configurations (e.g., KooN), and proof-test intervals [35]. This non-linear problem is characterized by interactions among these variables, which influence the PFDavg in complex ways. The use of GAs in SIS optimization facilitates the discovery of architectural configurations that satisfy the required SIL while optimizing other critical parameters. Readers can consult research by Sohail [36], Gen [37], and Katoch at al. [38] for a thorough examination of GAs and their uses.

In what follows, the study approach will be applied to the reflux drum 30-V-2 described in the previous section.

4.1 Risk analysis

The first step involves thorough risk analysis to identify the potential risks associated with the industrial process under consideration. The HAZOP method is applied in this step concerning the deviation "High Level inside 30-V-2" which is given in Table 3.

The corresponding frequency table is presented in Tables 4 and 5, respectively. The risk matrix is a tool to classify and visualize risk by defining categories of consequences and occurrence frequency.

A risk matrix is a tool used to classify and visualize risks by combining qualitative assessments of consequence severity and occurrence frequency shown in Tables 4 and 5, respectively. These categories are then applied to the risk matrix in Table 6, which determines the overall risk level. For the analyzed risk (overpressure), the severity is classified as "Catastrophic S4." According to the RA1K risk acceptance criteria, the risk is tolerable only if its frequency falls within the "Very Low P2" category. From Table 6, the corresponding maximum tolerable frequency for this risk level is:

FT = 1E-5/year.

Table 3. Application of the HAZOP method for "High Level" deviation

Table 4. RA1K Severity scale [39]

Table 5. RA1K occurrence frequency scale [39]

Table 6. Risk acceptance matrix for RA1K [39]

3.png

Figure 3. Predicted downwind distance vs. leak dispersion for different overpressure categories

4.png

Figure 4. Maximum blast wave radii for various overpressure thresholds

To estimate the severity level, we use the PHAST Software to simulate threat zones. Figure 3 shows the distance downwind (in meters) against the distance traveled (in meters) for three different overpressure categories (Category 1.5/F, Category 1.5/D, and Category 5/D), while Figure 4 shows the maximum radii of the blast waves for the same three overpressure categories mentioned above.

The simulation results for the Reflux Drum V-2 equipment under the "Leak" scenario are summarized in Table 7. It lists the overpressure levels (in bar) and the corresponding maximum distances (in meters) and diameters (in meters) for each overpressure category and weather condition (Category 1.5/F, Category 1.5/D, and Category 5/D). The consequence analysis of the De-ethanizer Reflux Drum V-2 leak scenario, conducted using PHAST software, reveals potentially severe outcomes. The model predicts irreversible effects extending up to 849 meters and lethal effects up to 423 meters from the source, with impact zones varying significantly based on atmospheric conditions.

Table 7. Overpressure levels and the corresponding maximum distances and diameters of the leak scenario in V-2

These findings underscore the critical necessity for a robust safety instrumented system and comprehensive emergency response protocols.

4.2 Allocation of the required SIL for SIS

The next step is to assign a suitable SIL to the SIS based on the risks that have been identified in the first step. The LOPA method is used for this allocation. It calculates the required SIL by assessing the risk reduction offered by different independent protection layers (IPLs).

The chosen impact event is Lighters C1/C2 release to the atmosphere from V-2 De-ethanizer Reflux Drum (Leak) due to failure of Basic Process Control Systems of level and flow level, which leads to a VCE if it is not mitigated. According to the severity levels in Table 4, the tolerable frequency corresponding to a hazardous event with severity 4 is set to 1E-5/year. The initiating cause of the undesired event is the pumps P-52A/B failing to suck and reflux the accumulated liquid inside V-2, which has a frequency value of 1E-1/year. The probabilities of failure on demand (PFDavg) of IPL that intervene to prevent the development of this impact event (Leak) are shown in Table 8 [40]. The obtained results during the application of the LOPA method are summarized in Table 9.

According to the LOPA analysis results, the required SIL for our SIS is SIL 2 with a minimum PFD_Avg of 5E-3.

Table 8. IPLs and their PFDs [40]

Table 9. LOPA related to the impact event lighters C1/C2 released to the atmosphere

4.3 Realization of the SIS (real SIL)

To calculate the Achieved SIL, we employ the analytical formula for calculating the PFDavg as developed by Cheraghi and Taghipour [14] and Touahar et al. [15] which are detailed in the study of Zhao et al. [7] (see Eq. (3)).

$\begin{gathered}P F D_{K O O N}=A_N^{N-K+1} * \lambda_{D i n d}^{N-K+1} * \prod_{i=1}^{N-k+1} M D T_{100 i} +\lambda_{D U}^{c c f}\left(\frac{T_1}{2}+M R T\right)+\lambda_{D D}^{c c f} * M T T R\end{gathered}$          (3)

where:

$M D T_{100 i}=\frac{\lambda_{D D}}{\lambda_D} * M T T R+\frac{\lambda_{D U}}{\lambda_D} *\left(\frac{T_1}{i+1}+M R T\right)$          (4)

$A_N^{N-K+1}=\frac{N!}{(K-1)!}$          (5)

$\left\{\begin{array}{c}\lambda_{\mathrm{DD}}=\lambda_{\mathrm{D}} * \mathrm{DC} \\ \lambda_{\mathrm{DU}}=\lambda_{\mathrm{D}} *(1-\mathrm{DC})\end{array}\right.$          (6)

The PFD_KOON formula takes into account the dangerous failure rates (λ_D), mean time to repair (MTTR), and diagnostic coverage (DC) for each SIS component, including sensor LT 1153, logic solver LS 1165, and final element UV 1165. The λ_D parameter is further broken down into λ_DD (the detected dangerous failure rate) and λ_DU (the undetected dangerous failure rate), enabling a comprehensive assessment of the system's reliability performance (see Eq. (4)). The different reliability data used are shown in Table 10 [41].

Table 10. Reliability data of the SIS [41]

Table 11. PFDavg of the SIS using Eq. (3) and FTA

5.png

Figure 5. PFDavg and SIL graph of the SIS

Table 11 presents the calculated PFDavg values for the various subsystems and the overall SIS. A comparison with FTA results is provided to validate those obtained by Eq (3). Some slight differences are also present for the subsystems, which look insignificant for the whole SIS. Finally, the PFDavg of the SIS and the associated SIL graph are modeled using the Tree module of the GRIF software (Graphical interface for reliability forecasting) as shown in Figure 5.

4.4 Validation of SIS

In this step, we compare the Achieved SIL with the required SIL target determined by the LOPA method. The Achieved SILis quantified by calculating the PFDavg using the analytical formulas, while the required SIL corresponds to the minimum acceptable PFDavg value identified during the LOPA analysis. In our case study, the obtained PFDavg value for the current SIS design is 2.1E-2, corresponding to a Achieved SIL of 1. However, the LOPA results indicate that the minimum required PFDavg should be at least 5E-3, aligning with a target SIL 2. Since the Achieved SIL1 does not meet or exceed the required SIL 2, the risk associated with the current SIS design is unacceptable.

To address this issue and reduce the risk to an acceptable level, the SIS architecture needs to be optimized to achieve an Achieved SIL that meets or exceeds the required SIL target. Our proposed solution is to employ a Genetic Algorithm (GA) optimization technique to search for an optimal SIS architecture that minimizes the PFDavg while considering other performance metrics and constraints. The GA will explore various combinations of SIS component configurations, redundancy levels, and diagnostic coverage to identify architectures that can satisfy the required SIL while optimizing factors such as reliability, availability, and lifecycle costs.

4.5 Optimization of SIS design using GA

The objective of this optimization step is to minimize the average Probability of Failure on Demand (PFDavg) for our SIS, subject to the following constraints:

•PFDavg must be less than or equal to 5E-3 to ensure compliance with SIL 2 requirements.

•The total acquisition cost must not exceed 32,000 units.

•The total proof-test cost  must not exceed 18,000 units.

These constraints are evaluated over a mission time (MT) of 20 years, ensuring that both safety and cost performance are optimized within the specified cost limits.

The fitness function used to evaluate potential solutions is defined by Eq. (3), which calculates the PFDavg using the KooN voting formula. The decision variables include the number of elements in each subsystem (N), the number of elements required for operation (K), the acquisition and proof-test costs (C_P and C_T), and the proof-test intervals (T). To achieve this, we set up a GA optimization problem in MATLAB, where the objective function calculates the PFDavg using the KooN formula for each subsystem, and the constraint function checks if the PFDavg satisfies the given limit.

Table 12. Encoding of the SIS solutions: SIS chromosomes

To find an optimal solution using the GA, it is necessary to represent potential solutions as coded expressions called chromosomes. In our SIS configuration, a chromosome consists of 12 genes (as shown in Table 12). These genes correspond to the decision variables of the optimization problem. After establishing the encoding, an initial population (generation) of potential solutions (individuals, each defined by a chromosome) is randomly created across the solution space. The decision variables are constrained within predetermined limits. The encoding for each subsystem includes the number of components and their operational specifications as follows:

N1, N2, and N3 represent the total number of components in the sensor, logic solver, and final element subsystems, respectively.

•K1, K2, and K3 represent the minimum number of components required to remain operational in each subsystem.

•T_S, T_LS, and T_FE represent the proof-test intervals for each subsystem.

• $C_P^S, C_P^{L S}, C_P^{F E}$ represent the acquisition costs for the sensor, logic solver, and final element subsystems.

• $C_T^S, C_T^{L S}, C_T^{F E}$ represent the proof-test costs for the sensor, logic solver, and final element subsystems.

The GA progressively enhances the makeup of the population across subsequent generations. As the generations advance, the population's adaptability, as measured by the objective function (fitness function), should typically show improvement. The creation of a new population from its predecessor occurs in two phases: selection and reproduction. The used data in the SIS optimization is presented in Table 13. It is noteworthy that the SIS operates in a low-demand mode.

•The positions of the GA take variable values between the lower bound: LB: [1 1 1 1 1 1 1 1 1 1 1], and the upper bound:  UB: [3 3 3 4 1 1 3 3 4 4 3 4].

•The used parameters are population size (150), Maximum Number of Iterations (200), and the maximum size of the archive (100).

Table 13. SIS optimization data

To solve the SIS optimization problem using GA, we use the Optimization Toolbox" of the MATLAB environment. Our strategy involves minimizing the PFDavg (the considered objective). Therefore, the objective problem with constraints takes the form:

$\left\{\begin{array}{c}\mathrm{Y}=\mathrm{F}(\mathrm{X})=(\mathrm{PFDavg}(\mathrm{X})) \\ \mathrm{PFDavg} \leq 5 \mathrm{E}-3 \\ C_P^{S I S} \leq C_P^{\max } ; C_T^{S I S} \leq C_T^{\max } \\ \mathrm{K} 1 \leq \mathrm{N} 1 ; \mathrm{K} 2 \leq \mathrm{N} 2 ; \mathrm{K} 3 \leq \mathrm{N} 3\end{array}\right.$          (7)

The achievement of the objective related to safety integrity requires the study of four (04) design choices and therefore represents an optimization problem that can be summarized as follows:

1. How many elements in each subsystem (S, LS, FE) are required: N_S ∈ {1, ..., N_Smax}, N_LS ∈ {1, ..., N_LSmax}, N_FE ∈ {1, ..., N_FEmax}?

2. How many elements within each subsystem whose operation is required, the following conditions must be met: K_S ≤ N_S, K_LS ≤ N_LS, K_FE ≤ N_FE?

3. What is the proof-test interval (T) for each subsystem?

4. What are the acquisition and proof-test costs for the SIS components, considering the given mission time (MT = 20 years): $C_P^{S I S} \leq C_P^{\max } ; C_T^{S I S} \leq C_T^{\max }$?

6.png

Figure 6. Best fitness value PFDavg through generations

The evolution of the best value of the objective function through generations is given in Figure 6. We note that it reaches a stationary value from the second generation. The GA explored various combinations of subsystem architectures and proof-test intervals, converging on an optimal solution within the first few generations. The resulting optimized SIS architecture consists of:

Sensors (LT 1153): 1oo3 configuration tested every 8760 hours (each year).

Logic solver (LS 1165): 1oo1 configuration tested every 13140 hours (18 months).

Final element (UV 1165): 1oo3 configuration tested every 2190 hours (each 03 months).  

The corresponding values for PFDavg, $C_P^{S I S}$ and $C_T^{S I S}$ are respectively: 6.10537E-4 (SIL 3), 21500 u, and 5600 u. This new design achieved a significantly improved PFDavg of 6.10537E-4, which meets the required SIL 2 performance.

The optimization of our SIS architecture achieved a significant reduction in PFDavg, from an initial value of 2.1E-2 to 6.10537E-4. This reduction represents a significant improvement in the safety integrity, positioning the SIS below the required PFDavg of 5E-3, thereby achieving compliance with SIL 2, which mitigates the risk of hazardous events, and ensures a safer operational environment for the De-ethanizer reflux drum V-2. In addition to enhancing safety, the optimized design also delivers substantial cost efficiency. The total acquisition cost was reduced to 21500 units, whereas the total proof-test cost was minimized to 5600 units. ensuring that the SIS delivers superior safety performance without exceeding budgetary constraints.

Annual testing of the sensors ensures early detection of potential failures, while the more frequent testing of the final element addresses its higher likelihood of failure. This strategic balance between testing intervals and component criticality maximizes system availability, minimizes downtime, and reduces maintenance costs over the system's lifecycle.

The performance of the GA in this optimization task underscores its robustness and effectiveness in solving complex, multi-variable, and constrained optimization problems. The rapid convergence to a stable solution, coupled with the consistent improvement in the objective function, highlights the algorithm’s capability to navigate intricate solution spaces efficiently. Sensitivity analysis further validated the robustness of the solution, demonstrating minimal deviations in the optimal PFDavg across different GA parameter settings, such as population size, mutation rate, and crossover rate. This stability indicates that the optimized solution is not only effective but also resilient to variations in optimization parameters.

After optimizing the architecture of both the level transmitter and the isolated valve from 1001 to 1003, we will use the Fault Tree to illustrate the new design of our SIS as shown in Figure 7.

7.png

Figure 7. Fault Tree related to the proposed architecture of the SIS