
Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 70 ppsx


674 5 Safety and Risk in Engineering Design

Table 5.22 FMSE for process criticality using residual life

| Component | Failure description | Failure mode | Failure consequences | (1) | (2) | (3) | (4) | (5) | Criticality rating | Cost criticality rating | Maintenance frequency |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Control valve | Fails to open | TLF | Production | 75% | 6 | 4.50 | 0.083 | 0.37 | Low criticality | Medium cost | 6 monthly |
| Control valve | Fails to open | TLF | Production | 75% | 6 | 4.50 | 0.167 | 0.75 | Low criticality | Medium cost | 6 monthly |
| Control valve | Fails to seal/close | TLF | Production | 100% | 6 | 6.00 | 0.167 | 3.0 | Medium criticality | Medium cost | 6 monthly |
| Control valve | Fails to seal/close | TLF | Production | 100% | 6 | 6.00 | 0.5 | 1.5 | HIGH criticality | Medium cost | 6 monthly |
| Instrument loop (press. 1) | Fails to provide accurate pressure indication | TLF | Maint. | 100% | 2 | 2.00 | 0.67 | 1.34 | Medium criticality | Low cost | 6 monthly |
| Instrument loop (press. 2) | Fails to detect low pressure condition | TLF | Maint. | 100% | 2 | 2.00 | 0.67 | 1.34 | Medium criticality | Low cost | 6 monthly |
| Instrument loop (press. 2) | Fails to detect low pressure condition | TLF | Maint. | 100% | 2 | 2.00 | 0.5 | 1.0 | Medium criticality | Low cost | 6 monthly |
| Instrument loop (press. 2) | Fails to provide output signal for alarm | TLF | Maint. | 100% | 2 | 2.00 | 0.5 | 1.0 | Medium criticality | Low cost | 6 monthly |
5.2 Theoretical Overview of Safety and Risk in Engineering Design 675

Condition (likelihood of failure)

| | Condition true | Condition false | |
|---|---|---|---|
| Test positive | True positive | False positive (type I error, P-value) | Positive predicted value |
| Test negative | False negative (type II error) | True negative | Negative predicted value |
| | Sensitivity | Specificity | |
determined. Using decision trees and influence diagrams details all the possible options for a decision model. Decision trees provide a more formal structure in which decisions and chance events are linked from left to right in the order they would occur. Probabilities of the likelihood of failure events are added to each node in the tree. A decision analysis generates a risk profile. The risk profile compares the sensitivity of different decision options. Such sensitivity analysis is best conducted with the aid of specialised application software such as @RISK©, in which the outcome is expressed as a probability distribution, as illustrated in the insert below (Fig. 5.44).
Fig. 5.44 Probability distribution definition with @RISK (Palisade Corp., Newfield, NY)
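The rolled-back decision tree, risk profile and sensitivity comparison described above, as an added Python example that is not from the handbook and does not use @RISK. The two design options, their branch probabilities and consequence costs are constructed sample values; the chance node of each option is rolled back to an expected cost, sampled to give the outcome as an empirical distribution, and perturbed to show the sensitivity of each option to the worst-branch probability.

```python
import random
import statistics

# Decision tree, left to right as in the text: a decision node (which option),
# then one chance node per option whose branches carry the probability of a
# failure event and its consequence cost. All values are constructed.
OPTIONS = {
    "option_A_basic_valve": {
        "capital_cost": 100.0,
        # (probability, consequence cost) per chance branch, worst branch first
        "branches": [(0.10, 800.0), (0.30, 150.0), (0.60, 0.0)],
    },
    "option_B_redundant_valve": {
        "capital_cost": 180.0,
        "branches": [(0.02, 800.0), (0.18, 150.0), (0.80, 0.0)],
    },
}

def expected_cost(option):
    """Roll back the chance node: capital cost plus probability-weighted losses."""
    assert abs(sum(p for p, _ in option["branches"]) - 1.0) < 1e-9
    return option["capital_cost"] + sum(p * c for p, c in option["branches"])

def sample_cost(option, rng):
    """Draw one outcome of the chance node."""
    cumulative, u = 0.0, rng.random()
    for p, cost in option["branches"]:
        cumulative += p
        if u < cumulative:
            return option["capital_cost"] + cost
    return option["capital_cost"] + option["branches"][-1][1]

def risk_profile(option, n=20000, seed=1):
    """Monte Carlo risk profile: the outcome as an empirical distribution,
    summarised by its mean and 5th/95th percentiles."""
    rng = random.Random(seed)
    draws = sorted(sample_cost(option, rng) for _ in range(n))
    return {
        "mean": statistics.fmean(draws),
        "p05": draws[int(0.05 * n)],
        "p95": draws[int(0.95 * n)],
    }

def sensitivity(option, delta=0.05):
    """Change in expected cost when `delta` of probability moves from the
    last ('no failure') branch into the worst branch."""
    (p_worst, c_worst), *middle, (p_ok, c_ok) = option["branches"]
    shifted = dict(option, branches=[(p_worst + delta, c_worst)] + middle
                                    + [(p_ok - delta, c_ok)])
    return expected_cost(shifted) - expected_cost(option)

def compare(options=OPTIONS):
    """Expected cost, risk profile and sensitivity for each decision option."""
    return {
        name: {
            "expected": expected_cost(opt),
            "profile": risk_profile(opt),
            "sensitivity": sensitivity(opt),
        }
        for name, opt in options.items()
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The two options have almost the same expected cost (225 versus 223), which is exactly the situation where the risk profile rather than the rolled-back value should drive the decision: option A puts 10% of the probability mass at a 900 outcome, option B only 2%.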
5.3 Analytic Development of Safety and Risk in Engineering Design
A significant factor in considering analytic development of safety and risk in engineering design is the extent to which probabilistic analysis and deterministic analysis can complement each other in safety and risk prediction, assessment and evaluation of engineered installations at each respective phase of the engineering design process. This requires an understanding of the advantages of each specific approach taken in the analysis of safety, and the basic concepts of potential risk and residual risk (de Gelder 1997).
Concepts of risk The prediction, assessment and evaluation of risk in the conceptual, preliminary/schematic or detail design stages respectively of engineered installations have to distinguish between:
• potential risk, which can lead to accidents or incidents if no protection measures are considered or taken,
• residual risk, which remains after having considered all measures taken to prevent accidents or incidents, and to mitigate their consequences.
The main contributions to residual risk stem from: events that are not considered in the design, such as vessel rupture; an accident/incident progression worse than the assumptions considered in the design basis, such as multiple failures, common mode failures (resulting in complete failure of a safety system) and operator errors; and cumulative occurrence of initiating events that are considered in the design but not accounted for, since cumulative occurrence is not considered to be a design basis event.
As considered previously, the assessment of risk requires two measures: specifically, the frequency of occurrence of potential accidents, and the severity of their consequences. During the analysis of safety, both these measures are considered with the objective that accidents with the most significant consequences should have the lowest frequencies of occurrence. The main objective of safety analysis is to verify that measures taken at the design stage, as well as during construction and operation of the engineered installation, are adequate in achieving the prescribed safety requirements.
The probabilistic safety analysis approach The probabilistic approach enables the prediction or assessment of the major contributors to potential risk, and evaluation of the most significant contributors for further reduction of residual risk. The major steps in a probabilistic safety analysis are as follows:
• Identification of the initiating events and the plant operational states to be considered.
• Analysis of the possible accident scenarios, by means of event trees.
• Reliability analysis, by means of fault trees, of the systems considered in the event trees.
• Collection of probabilistic data (failure probability or unavailability for test and
maintenance, initiating event frequencies).
• Use of analytic techniques such as sneak analysis, genetic algorithms and neural
nets.
• Event sequence quantification, resulting in a frequency for each event.
• Interpretation of results (including sensitivity and importance analyses).
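A worked quantification of the probabilistic steps listed above (fault trees for the credited systems, an event tree over the initiating event, sequence frequencies per end state, and an importance measure for the interpretation step), added here as a Python example that is not taken from the handbook. The systems, basic-event unavailabilities, initiating-event frequency and end-state rules are constructed. It goes one step beyond the list by showing why the common mode failure mentioned earlier matters: a power supply shared by two event-tree headings makes the simple branch-product quantification wrong, and enumerating basic-event states corrects it.

```python
from itertools import product

# Basic-event unavailabilities (constructed sample values): the fraction of
# time each component is unavailable, e.g. failed or out for test/maintenance.
BASIC_EVENTS = {
    "pump_A_fails": 1e-2,
    "pump_B_fails": 1e-2,
    "power_supply_fails": 1e-3,   # shared by both systems: a common mode
    "valve_stuck_closed": 5e-3,
    "alarm_loop_fails": 2e-2,
}

# Fault trees for the systems credited in the event tree (constructed).
# A gate is ("AND", [...]) or ("OR", [...]); a leaf is a basic-event name.
FAULT_TREES = {
    "cooling_system": ("OR", ["power_supply_fails",
                              ("AND", ["pump_A_fails", "pump_B_fails"]),
                              "valve_stuck_closed"]),
    "alarm_system": ("OR", ["power_supply_fails", "alarm_loop_fails"]),
}

INITIATING_EVENT_FREQ = 0.1                      # per year, constructed
HEADINGS = ["cooling_system", "alarm_system"]    # event-tree headings, in order

def unavailability(tree, q=BASIC_EVENTS):
    """Top-event probability of a fault tree, assuming independent basic events."""
    if isinstance(tree, str):
        return q[tree]
    gate, children = tree
    probs = [unavailability(c, q) for c in children]
    if gate == "AND":
        p = 1.0
        for x in probs:
            p *= x
        return p
    p_none = 1.0                  # OR gate: 1 - P(no child fails)
    for x in probs:
        p_none *= 1.0 - x
    return 1.0 - p_none

def fails(tree, state):
    """Boolean evaluation of a fault tree for one assignment of basic events."""
    if isinstance(tree, str):
        return state[tree]
    gate, children = tree
    results = [fails(c, state) for c in children]
    return all(results) if gate == "AND" else any(results)

def end_state(cooling_ok, alarm_ok):
    """Consequence class of an event-tree path (constructed rules)."""
    if cooling_ok:
        return "safe_shutdown"
    return "operator_recovery" if alarm_ok else "uncontrolled_release"

def quantify_naive(freq=INITIATING_EVENT_FREQ, q=BASIC_EVENTS):
    """Sequence frequencies treating each heading's fault tree as independent
    of the others; this double-counts nothing but ignores the shared event."""
    top = {h: unavailability(FAULT_TREES[h], q) for h in HEADINGS}
    result = {}
    for flags in product([True, False], repeat=len(HEADINGS)):
        p = freq
        for h, ok in zip(HEADINGS, flags):
            p *= (1.0 - top[h]) if ok else top[h]
        s = end_state(*flags)
        result[s] = result.get(s, 0.0) + p
    return result

def quantify_exact(freq=INITIATING_EVENT_FREQ, q=BASIC_EVENTS):
    """Enumerate every combination of basic events so the common-mode event
    shared between headings is counted once, not as two independent failures."""
    names = list(q)
    result = {}
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        p = freq
        for n, failed in state.items():
            p *= q[n] if failed else 1.0 - q[n]
        flags = [not fails(FAULT_TREES[h], state) for h in HEADINGS]
        s = end_state(*flags)
        result[s] = result.get(s, 0.0) + p
    return result

def importance(state="uncontrolled_release"):
    """Risk-reduction worth: drop in the end-state frequency when one basic
    event is made perfectly reliable (its unavailability set to 0)."""
    base = quantify_exact()[state]
    return {n: base - quantify_exact(q=dict(BASIC_EVENTS, **{n: 0.0}))[state]
            for n in BASIC_EVENTS}

if __name__ == "__main__":
    print("naive:", quantify_naive())
    print("exact:", quantify_exact())
    print("importance:", importance())
```

With these numbers the naive product gives roughly 1.3e-5 per year for the worst end state while the exact enumeration gives roughly 1.1e-4, an order of magnitude higher, and the importance ranking puts the shared power supply far ahead of any single redundant component. Enumeration is only practical for a handful of basic events; real analyses use minimal cut sets, but the dependency lesson is the same.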
The deterministic safety analysis approach This approach has constituted a basis for the design of most high-risk engineered installations. The deterministic approach is based on regulations and guides established by the appropriate regulatory authority. The major steps in a deterministic safety analysis are the following:

• Identification and categorisation of events considered in the design basis:
At the beginning of the design stage, a list of initiating events to be covered in the design is established and constitutes the so-called design basis events. These are then grouped into categories, based on their estimated frequency of occurrence. This categorisation of the initiating events is basically into classes, depending on the significance of the overall risk posed by the engineered installation. For example, the categorisation of initiating events into classes was established by the US Nuclear Regulatory Commission for high-risk engineered installations such as nuclear power plants (NUREG 75/014 1975; NUREG/CF-1401 1980). The following categorisation is of initiating events into classes:
– Class 1: normal operation,
– Class 2: incidents of moderate frequency,
– Class 3: incidents/accidents of low frequency,
– Class 4: hypothetical accidents.
• Analysis of enveloping scenarios:
For each category, a number of enveloping scenarios are identified in such a way that their analysis covers all events to be considered in that category. Each enveloping scenario is then analysed by using conservative assumptions in the initial conditions of plant, such as:
– power, flows, pressures, temperatures,
– most unfavourable moment in the process cycle,
– instrumentation uncertainties,
– hypotheses concerning the accident/incident progression.
• Evaluation of consequences:
The potential consequences of these enveloping scenarios are analysed using
conservative assumptions, such as:
– the initial activity of a primary circuit is supposed to be equal to the maximum
activity allowed by the technical specifications,
– unfavourable climatic conditions.

• Verification with respect to acceptance criteria:
The results of the analysis of the enveloping scenarios are finally compared with predefined acceptance criteria. These acceptance criteria can be expressed in relation to parameters of the engineered installation, and to the protection of people and the environment. When all analyses show that acceptance criteria are met, the proposed design is accepted in the deterministic safety approach.
Below, various methodologies for the analytic development of safety and risk in the design of engineered installations are considered, incorporating probabilistic analysis in the respective prediction, assessment and evaluation of safety and risk problems at each phase of the engineering design process. The various AI analytic techniques presented, such as evolutionary algorithms, genetic algorithms and neural networks, are basically stochastic search and optimisation heuristics derived from classic evolution theory and implemented in intelligent computer automated methodology in the prediction, assessment and evaluation of engineering design safety and risk.
5.3.1 Analytic Development of Safety and Risk Prediction in Conceptual Design
In this section, the development of a design space is considered in which methods of design preferences and scenarios are integrated with analytic techniques such as evolutionary algorithms, genetic algorithms and/or artificial neural networks to perform multi-objective optimisation in designing for safety. In Sect. 5.4, computer automated methodology is presented in which optimisation algorithms have been developed for knowledge-based expert systems within a blackboard model that is applied in determining the integrity of engineering design. Certain approaches are therefore adopted for the prediction of risk in the conceptual design stage, specifically in:
i. Establishing an analytic basis for developing an intelligent computer automated system;
ii. Evolutionary computing and evolutionary design.
5.3.1.1 Establishing an Analytic Basis for Developing an Intelligent Computer Automated System

The goal is to establish an analytic basis for developing an intelligent computer automated system that will be able to work together with the designer during the different phases of the engineering design process, especially during the conceptual design phase when interaction and designer knowledge are sometimes more important than accuracy.
a) A Computer Automated Design Space
The core of a computer/human design space consists of four parts:
• The designer/design team.
• Fuzzy preference handling (for objective importance specification).
• Dynamic constraints handling (scenarios, etc.).
• Analytic module for multi-objective optimisation.
Furthermore, such a design space must be suited to applied concurrent engineering design in an integrated collaborative design environment in which automated continual design reviews may be conducted throughout the engineering design process by remotely located design groups. Therefore, interaction with the designer (or design team) is very important. The goal is to provide the designer with a multiple criteria decision aid for multiple criteria decision-making during the conceptual phase of the engineering design process.
The methodology is generic and could be easily integrated with other conceptual design problems. Such a computer/human design space is illustrated in Fig. 5.45.
b) Preferences and Fuzzy Rules
The problem of qualitative versus quantitative characterisation of the relative importance of objectives in a multi-objective optimisation framework is usually encountered during the conceptual design phase. At this initial stage of the engineering design process, it is much easier for the designer to give qualitative definition to the objectives (i.e. ‘objective A is much more important than objective B’) than to set a weighted value of objective A to, say, 0.1 or to 0.09. The method of fuzzy preferences and induced preference order is used for information transformation in which predicates are introduced (Fodor et al. 1994).

Table 5.23 shows the relation and intended meaning of some predicates. These predicates, together with the complementary relations of > and ≫, can help build the relationship matrix R necessary for ‘words to numbers’ transformation, and the induced order for the relation R. Integrated preferences in multi-objective optimisation techniques basically include two methods: one that uses weighted sums, and one that uses a modified Pareto method that computes the objective weights.

Fig. 5.45 Schema of a conceptual design space (blocks: Designer (engineer); Optimisation module; Fuzzy rules module; Constraint module)

Table 5.23 Fuzzy and induced preference predicates

| Relation | Intended meaning |
|---|---|
| ≈ | Is equally important |
| < | Is less important |
| ≪ | Is much less important |
| # | Do not know |
| ¬ | Is not important |
| ! | Is important |
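One way to carry the predicates of Table 5.23 into a relationship matrix R, an induced order and a set of numeric weights, added here as a Python example that is not from the handbook and is not the method of Fodor et al. (1994): the pairwise strengths, the ranking by row sum, and the shift-and-normalise step that turns the order into weights summing to one are all simplifying assumptions of this example, as are the three objectives and the statements about them.

```python
# Predicates from Table 5.23 plus the complementary relations > and ≫, mapped
# to signed strengths (assumption of this example); '#' carries no value.
PREDICATES = {"≈": 0, "<": -1, "≪": -2, ">": 1, "≫": 2, "#": None}

def relation_matrix(objectives, statements):
    """Build R from statements (a, predicate, b), e.g. ("B", "≪", "A") for
    'B is much less important than A'. R[a][b] is the strength of a over b
    or None when unknown; the mirror entry is filled by antisymmetry and a
    contradictory second statement about the same pair raises ValueError."""
    R = {a: {b: (0 if a == b else None) for b in objectives} for a in objectives}
    for a, pred, b in statements:
        v = PREDICATES[pred]
        if v is None:
            continue
        if R[a][b] not in (None, v):
            raise ValueError(f"inconsistent preference between {a} and {b}")
        R[a][b], R[b][a] = v, -v
    return R

def unknown_pairs(R):
    """Pairs the designer has not ranked (or marked '#'); these should be
    queried rather than silently treated as equal."""
    names = list(R)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if R[a][b] is None]

def induced_order(R):
    """Induced order: rank objectives by the sum of their pairwise strengths
    (assumption), with unknown pairs contributing nothing."""
    score = {a: sum(v or 0 for v in row.values()) for a, row in R.items()}
    return sorted(R, key=lambda a: (-score[a], a)), score

def words_to_numbers(R):
    """'Words to numbers': shift every score to be positive, then normalise
    so the weights sum to 1 (assumption: linear shift, no Pareto step)."""
    order, score = induced_order(R)
    n = len(R)
    shifted = {a: score[a] + 2 * (n - 1) + 1 for a in R}   # > 0 even for all '≪'
    total = sum(shifted.values())
    return {a: shifted[a] / total for a in order}

def example():
    # Constructed objectives and qualitative statements from the designer.
    objectives = ["A", "B", "C"]
    statements = [("B", "≪", "A"), ("C", "<", "A"), ("C", "#", "B")]
    R = relation_matrix(objectives, statements)
    return R, induced_order(R)[0], words_to_numbers(R), unknown_pairs(R)

if __name__ == "__main__":
    R, order, weights, unknown = example()
    print(order, weights, unknown)
```

The point of keeping `unknown_pairs` separate is that a '#' answer is information about the designer, not about the objectives; the weights are only as good as the pairs that were actually ranked, so the unknown pairs are the ones to ask about before the numbers are fed to a weighted-sum optimiser.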
c) Dynamic Constraints and Scenarios
The other second tier module from Fig. 5.45 handles dynamic constraints and scenarios. Each scenario is a set of additional constraints or objectives that the designer can change, add and/or delete interactively. More formally, a scenario is represented as conjunctions of relations (constraints) in a fairly precise mathematical/modelling language. Each scenario is a function of variables, objectives and possible additional parameters. In an optimisation framework, these scenarios could return a value as a percentage of the relations satisfied for given input values. The concept behind the scenarios is that the designer can specify conditions that are not part of the mathematical model (such as ‘set y5 ∈ [0, 4] or, if not possible, then set y1 + y3 > 100’). This allows the designer to focus on certain regions of the design space. An additional advantage is that scenarios are dynamic and are interpreted ad hoc without any change to the program or model, and can be added, modified or deleted ‘online’.
Integrating scenarios in the design space provides the ability to assign a different level of importance to each scenario, and to calculate the value of a set of scenarios in different ways:
• Using weights or preferences for specifying scenario importance.
• Calculating multiple scenario values.
• Considering only one scenario at a time.
The third approach is adopted in the automated methodology presented in Sect. 5.4, as it enables the use of various imbedded software programs (analytic methods) that can analyse the various scenarios and signal any possibility or impossibility of satisfying the design constraints.
In the application of optimisation algorithms in artificial intelligence-based
(AIB) modelling within a blackboard model, such as presented in Sect. 5.4, there
is no need for specifying, quantitatively or qualitatively, the importance (as in the
first method) or order (as in the second method) of the various scenarios.
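The scenario mechanism described above, as an added Python example that is not from the handbook: a scenario is a conjunction of labelled relations over the design variables, returns the percentage of relations satisfied at a design point, can be edited ‘online’, and is combined in the three ways the text lists. The design variables y1..y5, the bounds, the sample design point and the reading of ‘or, if not possible, then’ as a plain fallback are all constructed assumptions of this example; the one relation reused from the text is ‘set y5 ∈ [0, 4] or, if not possible, then set y1 + y3 > 100’.

```python
import operator

# A relation is a (label, predicate) pair; a predicate takes the design point
# y (a dict of variable values) and returns True when the relation holds.

def in_range(var, lo, hi):
    """Relation 'var in [lo, hi]'."""
    return (f"{var} in [{lo}, {hi}]", lambda y: lo <= y[var] <= hi)

def relation(expr_label, expr, op, rhs):
    """Relation 'expr op rhs' for a comparison operator from the operator module."""
    symbol = {operator.gt: ">", operator.ge: ">=", operator.lt: "<", operator.le: "<="}[op]
    return (f"{expr_label} {symbol} {rhs}", lambda y: op(expr(y), rhs))

def fallback(primary, alternative):
    """'set A or, if not possible, then set B' (assumption: satisfied when A
    holds, or when A does not hold and B does)."""
    return (f"{primary[0]} or, if not possible, {alternative[0]}",
            lambda y: primary[1](y) or alternative[1](y))

class Scenario:
    """A conjunction of relations with an importance the designer can set."""

    def __init__(self, name, relations, importance=1.0):
        self.name, self.relations, self.importance = name, list(relations), importance

    def add(self, rel):                  # scenarios are dynamic: edited 'online'
        self.relations.append(rel)

    def delete(self, label):
        self.relations = [r for r in self.relations if r[0] != label]

    def value(self, y):
        """Percentage of the scenario's relations satisfied at design point y."""
        if not self.relations:
            return 100.0
        satisfied = sum(1 for _, pred in self.relations if pred(y))
        return 100.0 * satisfied / len(self.relations)

    def unsatisfied(self, y):
        return [label for label, pred in self.relations if not pred(y)]

def weighted_value(scenarios, y):
    """First approach in the text: importance-weighted value of the scenario set."""
    total = sum(s.importance for s in scenarios)
    return sum(s.importance * s.value(y) for s in scenarios) / total

def multiple_values(scenarios, y):
    """Second approach: one value per scenario, reported separately."""
    return {s.name: s.value(y) for s in scenarios}

def one_at_a_time(scenario, y):
    """Third approach: a single scenario, signalling whether it can be
    satisfied at y and which relations block it."""
    return scenario.value(y) == 100.0, scenario.unsatisfied(y)

def build_scenarios():
    # Constructed scenarios; the first relation is the text's own example.
    margin = Scenario("safety_margin", [
        fallback(in_range("y5", 0, 4),
                 relation("y1 + y3", lambda y: y["y1"] + y["y3"], operator.gt, 100)),
        relation("y2", lambda y: y["y2"], operator.le, 50),
    ], importance=2.0)
    cost = Scenario("cost", [relation("y4", lambda y: y["y4"], operator.lt, 10)])
    return [margin, cost]

def sample_point():
    """A constructed design point: y5 is outside [0, 4], so the fallback applies."""
    return {"y1": 60, "y2": 40, "y3": 45, "y4": 12, "y5": 7}

if __name__ == "__main__":
    scenarios, y = build_scenarios(), sample_point()
    print(multiple_values(scenarios, y))       # {'safety_margin': 100.0, 'cost': 0.0}
    print(weighted_value(scenarios, y))        # 66.66...
    print(one_at_a_time(scenarios[1], y))      # (False, ['y4 < 10'])
```

The `one_at_a_time` return value is what the blackboard methodology of Sect. 5.4 needs from an embedded analytic method: not a score, but a yes/no on feasibility plus the relations that make the scenario impossible at that point.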
d) The Optimisation Module
Optimisation in the early phases of engineering design represents a rather insignificant part of the overall design problem. The fuzzy nature of initial design concepts, and efficient exploration across the many different variants that the designer needs to assess, are of greater interest. The methods of design preferences and scenarios are integrated with analytic techniques such as evolutionary algorithms, genetic algorithms and/or artificial neural networks to perform multi-objective optimisation in designing for safety.
Evolutionary computing (including evolutionary algorithms, genetic algorithms, and related models such as artificial neural networks) is based on a continuous and probabilistic representation of algorithmic optimisation (e.g. weight matrices) that would likely be able to provide the best scenario for design optimisation, in the sense that it achieves a better design with respect to performance, depending on the design problem (Cvetkovic et al. 1998).
5.3.1.2 Evolutionary Computing and Evolutionary Design
Design optimisation is a fairly common computational approach that attempts to utilise design requirements as an integral part of the design space. Design optimisation views requirements as a fixed set of criteria, and creates an evaluation function (referred to as the fitness function in artificial intelligence literature) against which the design solutions are weighed. However, design is seldom a static activity in time, especially during conceptual design. Requirements as well as design solutions change as the search for the best design progresses. This places a significant demand on the development of a suitable computational environment for interdisciplinary design collaboration in which various techniques for design concept generation as well as the evolution of design requirements and solutions are established, prompting a need for evolutionary techniques for design optimisation (Tang 1997).
The integration of evolutionary computing with artificial intelligence-based (AIB) design methodology allows for the development and integration of the basic building blocks of design (or examples of past or existing designs) that are represented in a design knowledge base. Several general-purpose design knowledge sources (or support systems) are similarly developed to support the design knowledge base. The design knowledge sources (or support systems) are developed to support the following design activities (Tang 1997):
• synthesis of conceptual design solutions from building blocks of design models and design requirements, using inductive learning,
• transferring conceptual design solutions into detailed design models containing spatial, geometric and structural knowledge,
• manipulation and partition of detailed design models into smaller design problem spaces containing suitably constrained design variables and constraints,
• searching for solutions in the partitioned design problem spaces using evolutionary computing techniques,
• exploration of alternative design solutions when considering different design issues,
• documentation and explanation of design results.
Fig. 5.46 Selecting design objects in the design knowledge base
The design knowledge base and design knowledge sources form the core of an integrated design support system. An artificial intelligence-based blackboard system is used to control the design knowledge sources and integrate the knowledge-based design applications. The design knowledge base contains design objects, constraints in terms of intended function and interfaces, as well as detailed information in terms of materials and geometry, etc.
The design knowledge base is developed by a knowledge engineer or by the various design teams. The design objects in the design knowledge base can be selected and synthesised to generate conceptual design solutions, as graphically indicated in Figs. 5.46 and 5.47. At an abstract level, a conceptual design solution identifies the basic components and their topological arrangement to the satisfaction of initial design requirements. At the early stages of the design process, many alternative conceptual design solutions must be analysed, evaluated and selected before confirming a design concept that can progressively evolve in detail for further investigation.
Once a conceptual design solution is selected, it is transformed into a schematic design model using the knowledge stored in advance in the design knowledge base. A schematic design model contains design variables and constraints describing the
Fig. 5.47 Conceptual design solution of the layout of a gas cleaning plant
Fig. 5.48 Schematic design model of the layout of a gas cleaning plant
