Journal of Loss Prevention in the Process Industries 43 (2016) 361e371

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

Analysis of the safety barrier function: Accidents caused by the failure

of safety barriers and quantitative evaluation of their performance
Jian Kang, Jixin Zhang*, Jiancun Gao
Department of Safety Engineering, Beijing Institute of Petrochemical Technology, Beijing 102617, China

a r t i c l e i n f o a b s t r a c t

Article history: An evaluation of the safety barrier system currently in place in the modern workplace is required to
Received 24 March 2016 prevent major accidents and present new recommendations regarding safety levels. Safety barriers were
Received in revised form classified and their components were described to evaluate their performance. We established a new
20 June 2016
evaluating method that included three indicators, namely the degree of confidence, the effectiveness and
Accepted 20 June 2016
the economic impact. A calculation method is developed to assess each indicator using fuzzy mathematic
Available online 22 June 2016
theory. We described the progression of an accident considering the failure of safety barriers and used
the observations to devise proper barriers to stop the propagation of unexpected events. The proposed
Keywords:
Safety barrier
method is applied to simulate a catastrophe involving the explosion of an oil storage facility which
Performance evaluation constitutes our case study. The obtained results are practical and applicable and show a high degree of
Accident evolution quality and flexibility.
Failure mechanism © 2016 Elsevier Ltd. All rights reserved.

1. Introduction
Any industrial activity involves unexpected events that are tied
to the behavior of workers, the organization of work and the facility
design. We can locate multiple preventive or protective barriers in
actual work environments (Sunindijo, 2015). These barriers contain
components to protect, mitigate and prevent hazardous sequences
of events. We can build adequate safety barriers by analyzing their
functions and thus reduce risks. Explaining how the safety barrier
system fails and the causes of their failure will help reduce the
potential accidents and their consequences.
A growing attention is given to the performance of existing
safety barriers and their adequacy. It is worth carrying out the
performance evaluation. The evaluation of safety barriers perfor-
mance originated in the former European Project Accidental Risk
Assessment Methodology for Industries System (ARAMIS). The
project involved several existing methodologies such as the Layer
of Protection Analysis (LOPA) and Bow-Tie diagrams. With the
development of theories on systematic safety, the performance
evaluation of safety barriers became a tool to prevent, control and
mitigate accidents. Ramzali et al. (2015) employed the Event Tree
Analysis (ETA), Fault Tree Analysis (FTA) and Reliability Block
* Corresponding author.
E-mail address: zhangjixin0922@163.com (J. Zhang).
Diagram (RBD) methods to build a safety barrier system for offshore
drilling wells. Xue et al. (2013) proposed a new model involving a
barrier to avoid blowout accidents during drilling wells. Their
model employed a three-level well control and primary and sec-
ondary well control barriers depending on the Swiss Cheese Model
(SCM). A physical safety barrier for protecting vehicles from road-
side hazards was designed and tested by Soltani et al. (2013)to
achieve optimum performance. Hayes (2012) developed a proce-
dure, similar to job safety or a work permit, determining how best
to proceed based on safety barrier performance.
The performance evaluation of safety barriers greatly relies on
hazard scenarios, risk propagations, and operation procedures.
Several new lines of research investigate the evolution of accidents.
Valerio et al. (2009) presented a model assessing the domino po-
tential hazard including of the repercussions of applying inherent
and passive protection measures. Based on the relationships be-
tween the internal hazardous factors, Sharif et al. (2002) developed
a model describing the cumulative effect of risk factors which is
expected to prevent accidents through analyzing all hazards at
their early stages. Underwood and Waterson (2014) proposed a
comparative method considering whether SCM can provides a
viable option for analyzing accidents through systematic thinking.
Accidents were simulated involving different types of fracture on a
leg to verify the progression in the severity of the injury. Severe
accident prevention and mitigation measures were developed to
provide strategies and guidelines for the occurrence of similar

http://dx.doi.org/10.1016/j.jlp.2016.06.010
0950-4230/© 2016 Elsevier Ltd. All rights reserved.
362 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371
types of accidents (Hu et al., 2015).
Current industrial practices do not take into account the per-
formance evaluation of safety barriers for preventing major acci-
dents. Qualitative and graphical descriptions are insufficient to
implement practical preventive strategies. Some existing research
identifies all potential fatality sources for a given individual and
determines the contribution of each source in predicting the overall
risk. The primary risk sources for oil, gas and petrochemical
workers are: (1) occupational, e.g. slips, falls and drowning, (2)
transportation, e.g. road traffic and air transport accidents and, (3)
hydrocarbon-related, e.g. loss of containment leading to the release
of toxic material, fires or explosions.
To optimize the performance of safety barriers one can develop
its core competence by studying the evolution mechanism of
interconnected risk factors. The evolution occurs when a primary
unwanted event in an accident is propagated (“temporally”) within
a system and/or (“spatially”) to nearby systems in sequence or
concurrently. The event transforms into or trigger one or more
secondary unwanted events, which in turn trigger further (higher
order) events, and so on. The final consequences are often more
severe than those of the primary event (Cozzani and Reniers, 2013).
Another important action is the establishment of a quantitative
evaluation model. Although qualitative evaluation methods are
simple and easy for application, it is not recommended or high risk
system especially when the risk factors show complex relationships
with each other.
The remainder of the paper is organized as follows. Section 2
presents an introduction to the proposed research. Section 3 cate-
gorizes in more detail the safety barriers. The evolution of accidents
related to the failure of safety barriers and the domino effect are
investigated in Section 4. Section 5 presents a mathematical model
that includes three evaluation indexes followed by a comprehen-
sive evaluation model of the performance of safety barriers
employing fuzzy mathematic theory. Section 7 presents the testing
method illustrated by the explosion of an oil storage facility which
constitutes our case study.
2. Description of the proposed approach
Our approach aims to support industrial and other decision
makers in evaluating the performance of existing safety barriers in
their work environment and in installing necessary safety barriers
to prevent accidents. The classification of safety barriers considers
the industrial risk and the operation safety. We developed a
comprehensive and systematic classification of safety barriers and
their safety performance through a mathematical model setting
evaluation indexes representing the barrier quality. Where quan-
titative data are not available, we use our expert judgment and a
scoring method. We analyzed various stages of an accident through
the failures of safety barriers. We can determine the evolution
mechanism of an accident and explain how a series of unexpected
events can eventually result in a major accident. The evolution of an
accident can take different paths and each possible path can be
blocked by proper barriers.
A schematic structure of the proposed approach is shown in
Fig. 1. The schema is a step by step guide to evaluate and enhance
the safety of existing barriers. Different technological processes,
equipment production and operating environments among typical
industries will necessitate the installation of different safety bar-
riers. Our case study is an oil storage tank farm. However, since the
proposed approach uses the accident evolution and the barrier
system concurrently, the proposed approach is applicable to
various industrial projects.
3. Category of safety barriers
The safety barrier model was introduced by James Reason in
1990 (Hickey and Qi, 2013). However, the concept of “safety barrier”
is not universally accepted (Dianous and Fie vez, 2006). For
example, Sklet (2006) had taken several dimensions and attributes
into consideration to describe the safety barrier performance.
Neogy et al. (1996) divided the safety barriers into three types:
physical barriers, management and process barriers and personnel
barriers, but their description and usefulness lack details. In our
simulated accident scenario involving an oil storage tank farm, we
did classify the safety barriers into three broad categories and
further added subdivisions based on the hazard identification and
risk index presented in Table 1.
3.1. Personnel barriers
The purpose of personnel barriers is to apply human knowledge
and control to prevent improper behaviors in a safety system to
reduce accidents.
3.2. Organizational barriers
Organizational barriers can be installed through a sound man-
agement program. The organizational barriers apply to, but are not
limited to, management institutions, regulatory agencies and fund
guarantee.
3.3. Technological barriers
Technological barriers depend on technological measures to
prevent accidents and mitigate their consequences. Technological
barriers are subdivided into:
✧ Passive barriers: These have the capability of preventing risks
during an entire system life cycle, with no need of human in-
teractions or energy and information sources. Passive barriers
may constitute physical barriers (such as a retention wall) or
permanent barriers (such as corrosion prevention systems) or
intrinsic safety design.
✧ Positive barriers: These barriers must be automated or manu-
ally activated to operate or are mechanical and need to be
activated by hardware/software to function. These included
emergency shutoff valves, automatic interlocking devices and
automatic sprinkler systems.
✧ Detection barriers: The barriers detect and monitor potential
risk events and send information to trigger other barriers.
Detection barriers cannot prevent and protect against accidents.
An example would be a flammable gas detector.
4. Performance evaluation of safety barriers
4.1. Establishing an evaluation index system
The selection and allocation of safety barriers will focus on a
deeper knowledge of dangerous phenomena. We propose three
evaluating indicators that include the degree of confidence, effec-
tiveness and cost.
C Degree of confidence: The concept is provided by the defi-
nition of the safety integrity level found in the IEC61511-
technical content. The concepts are extended to various
types of safety barriers.
C Effectiveness: Effectiveness means whether a safety barrier
prevents accidents. That implies the barrier system will
 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371
Fig. 1. Schematic overview of the proposed approach.
reduce the risk to an expected level. Assessing the effec-
tiveness is conducted by considering the experience of the
barrier suppliers or industrialists and by running on site tests
and recording the results on data sheets.
C Cost: Each barrier should undergo an economic evaluation
since the maximization of profits is one important target of
several companies. The plant manager and evaluation team
must address the financial sustainability of reducing risks to
an acceptable level.
An objective performance evaluation of the safety barrier sys-
tem requires some fundamental assessment. For instance, the Fault
Tree Analysis (FTA) investigates the deep causes of accidents, their
frequency and possible consequences (Shi et al., 2014). The ultimate
objective of the evaluation is to provide strategies for improving the
safety level of barriers and make good use of limited sources.
4.2. Establishing the evaluation model
The evaluation level L is used to represent the performance of
the current safety barrier system. The function is divided into three
variable functions f1 (x), f2 (x) and f3 (x), optimized in a preferred
order by a weighted sum.
The evaluation level L of the evaluation object is defined as
follows:
L ¼ f ðf1 ðxÞ; f2 ðxÞ; f3 ðxÞÞ cði; jÞ2A; ck2Mij
f1 ðxÞ ¼ min lcnij ¼ A1
n2N
f2 ðxÞ ¼ f ðV1 ; V2 ; V3 Þ ¼ B2
P
cos tijk
Ak2Mij
f3 ðxÞ ¼  100% ¼ C3
s
where, A denotes a set of arcs (i, j) representing an unexpected
event propagation from node i to node j. If an unexpected event
happens to node i,2N unexpected propagates along arc (i, j) 2A. Mij
is defined for each arc (i, j) and comprises all the preventive,
363
mitigated and protective measures available for this arc. lcnij pre-
sents the actual level of confidence for each type of safety barrier
function. costkij is the financial expenditure. V1 is the effectiveness
coefficient of the technological measures. V2 is the effectiveness
coefficient of the personnel. V3 is the effectiveness coefficient of the
security management. Therefore, f1(x) presents the actual level of
confidence for each category of the safety barrier function. f2(x)
denotes the effectiveness of the entire safety barrier system. f3(x)
represents the economic evaluation of each barrier.
In particular, the optimized order assumes the final importance
ranking of f1 (x), f2 (x) and f3 (x) can be ranked by a decision maker.
Usually, the order of importance is given as f2 (x), f1 (x), f3 (x). A
solution having a higher value of f2 (x) is always assigned a greater
weight. If the effectiveness is low, the investment will not provide a
sufficient and satisfying safety reward. That is why f2 (x) is
considered the most important index factor. In solutions where all
the each evaluation objects have a same value of f2 (x), the solution
of higher f1 (x) value is preferred. The level of confidence, repre-
senting the actual level of the safety function, is an important in-
dicator of the equipment achieving an allowable safety state and
based on this the actual risk and residual risk can be concluded.
Therefore, f1 (x) is the second most important variable of the entire
safety barrier performance. In solutions with equal values of f2 (x)
and f1 (x), the one presenting the highest value of f3 (x) is selected.
Eq. (4) can restrict the total cost associated with the selected pro-
tective safety barrier system. The responsibility of safety is
(1) incumbent to enterprises but governments usually impose obliga-
tions on companies. In that case, f3 (x) is the least important index.
Eq. (4) be used to balance the demands of financial affordability and
(2) safety standards.
(3)
4.3. Calculation of evaluation indexes
4.3.1. Degree of confidence, A1
(4) The quantitative assessment of the degree of confidence (A1) is
associated with two modes:
➣ A low requirement mode: the required frequency to carry out
safety operations once a year or no more than twice the testing
frequency.
364 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371

Table 1
Proposed classification of safety barrier.

Safety barrier category Prevention Protection

Personnel barrier Professional capacity

Professional quality

Organization barrier (Periodically corrective action) Safety production management institution and personnel

Safety production regulatory framework

Safety production fund guarantee

Safety production safety education and examination

Operation instruction

Safety production daily check

Contingency plan and measure

Daily risk analysis

Daily hidden danger investigation and correction

Accident statistic and analysis

Technology barrier Technically positive barrier Design Plant layout

Safety distance

Technology Emergency rescue capability

Grounding for static electricity

lightning arresters

equipment maintenance

Equipment Explosion-proof electrical products

Control valve and relief valves

Fire-fighting device

Blast wall

fire dike

Caution board Personal protective equipment

Warning sign

Hazard public notification

Technically passive barrier Emergency shutoff valve

Automatic interlocking device

Automatic sprinkler system

Technical detection barrier Flow meter

Liquid level

Detecting instrument for flammable gas

Monitor video

Emergency shutoff valve

Automatic interlocking device

➣ High requirement mode: The required frequency to conduct possibility of system failure. The overall LC is given by the smallest
safety operations more than once a year or more than twice the system LC.
testing frequency.

Most safety barriers installed in petrochemical plants (such as 4.3.2. Effectiveness, B2

emergency shut down and fire detection systems) are associated
with the low requirement mode because the safety function is
normally implemented no more than once a year. The relation
between LC and the probability of failure is presented in Table 2.
Fig. 2 shows a framework for acquiring the LC of each risk event
caused by a safety function failure. It is based on four parameters:
the consequence of the accident, expose frequency, possibility of
risk avoidance and the probability of an unexpected event. The
higher the required level of the safety function, the lower the
The effectiveness indicates whether hazards associated with
chemical substances and technical processes can be controlled. The
effectiveness of safety barriers is their capability to accomplish
specific safety functions using particular technologies in different
environmental and operating conditions. The actual effectiveness
could be smaller than what is required by risk control because of
limits on design, operating conditions, component wear, errors by
the working personnel and deficiencies in organization/
management.
 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371 365

Table 2
Relationship of LC and the failure probability.

LC mode LC Failure probability rang

LC low requirement for operation mode (Average failure rate of safety function) 4 [105, 104)
3 [104, 103)
2 [103, 102)
1 [102, 101)
LC high requirement for operation mode (failure rate for each hour) 4 [109, 108)
3 [108, 107)
2 [107, 106)
1 [106, 105)

Fig. 2. LC identification based on risk graph

The quality of the working personnel and management are the Rs has four main parameters (R1, R2, R3 and R4) representing the
principal effectiveness indexes. It is necessary to use a unified personnel qualification, skill, personnel stability and a load coeffi-
procedure to better experience the safety barrier practices. The cient respectively.
effectiveness is calculated as follows:
Y4
Rs ¼ R
i¼1 i
(6)
(1) Effectiveness coefficient of technological measures, V1

The procedures to obtain the effectiveness coefficient (V1) are 0; the operator without qualified training or exam
R1 ¼
provided in Table 3. The parameters C1, C2 and C3 represent the 1; the operator with certification
safety compensation built on the technology control, material (7)
segregation and fire protection. The suggested data are provided by
DOW chemical fire. They contain statistics related to past accidents
1
and equipment failures. The safety barrier index for the processing R2 ¼ 1    (8)
equipment is given in Table 3 in which the calculated effectiveness k2 t þ1
T2
value V1 is equal to the product of C1, C2 and C3, so that:

where, k2 is the proportionality coefficient. With a person having

Y
3
V1 ¼ Ci
i¼1
(2) Effectiveness coefficient of working personnel, V2
Operators and managers are often exposed to dangerous situa-
tions: therefore the quality evaluation of the working personnel
should use the following criteria: (1) the operators should
concentrate on developing their expertise and, (2) the importance
of managers in maintaining the employee’s motivation and provide
good safety atmosphere. V2 is designed to better understand the
relation between those parameters.
The reliability of a single worker, Rs is devised to compensate for
dangerous operating conditions and to guarantee system stability.
qualified certifications through training, k2 is given a value of 4. t
(5)
represents the time required to fill one post with one worker. T2
indicates the necessary time for one worker to get the required
qualifications to complete his job. Commonly, if a person works
continuously at the same position, then his proficiency for this
position is 95%, and T2 is six months.
The personnel stability R3 is defined as follows:
1
R3 ¼ 1   2  (9)
t
k3 T3 þ1
where, k3 is the proportionality coefficient. Assuming the initial
value of k3 is 4, then the personnel operation stability will be
reduced by 50% and k3 will equal 2, if an accident just occurred. t
gives the time a person worked after the accident. T2 represents the
366 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371

Table 3
Suggested values for calculating V1.

Item Effective coefficient range Value in the case

Technically positive barrier (C1 ) Design Plant layout 0.81e0.99 0.99

Safety distance 0.81e0.99 0.95
Technology Emergency rescue capability 0.81e0.99 0.97
Grounding for static electricity 0.81e0.99 0.99
Lightning arresters 0.91e0.99 0.99
Equipment maintenance 0.91e0.99 0.99
Equipment Explosion-proof electrical products 0.81e0.99 0.99
Control valve and relief valves 0.81e0.99 0.99
Fire-fighting device 0.81e0.99 0.99
Blast wall 0.81e0.99 0.99
Fire dike 0.81e0.99 0.89
Personal protective equipment 0.81e0.99 0.95
Caution board Warning sign 0.81e0.99 0.96
Hazard public notification 0.81e0.99 0.99
C1 ¼ 0.687
Technically passive barrier (C2) Emergency shutoff valve 0.91e0.99 0.95
Automatic interlocking device 0.91e0.99 0.94
Automatic sprinkler system 0.91e0.99 0.95
C2 ¼ 0.850
Technical detection barrier (C3) Flow meter 0.81e0.98 0.91
Liquid level 0.81e0.98 0.85
Detecting instrument for flammable gas 0.81e0.97 0.92
Monitor video 0.81e0.97 0.92
C3 ¼ 0.653

required time to achieve a certain degree of operational stability

after the accident. For example, if the operational stability reaches obtained score of safety management
V3 ¼ (12)
90% within one year after the accident, then T2 equals 6 months. deserved score of safety management
The personnel operation stability will reach 95%in the following
three years after the accident, provided newly added workers do
not cause any new accident. Therefore, R3 equals 1.
The load coefficient of an operator R4 is calculated via Eq. (10), (4) The effectiveness coefficient of the entire safety barrier, B2

Assuming B2 being the effectiveness coefficient of the entire

8  2 safety barrier, B21 becomes the effectiveness factor of the technical
>
<1  k t
4 1 ; t  T4 barrier, B22 is the effectiveness factor of the quality of the personnel
R4 ¼ T4 (10)
>
: and B23 is the effectiveness factor of the management barrier. B2 can
1; t3T4 be expressed in Eq. (13), as:

where, T4 represents a normal work time accomplished by a worker
in a post. Usually, T4 equals 8 h or is determined by the actual
working conditions. t represents the working time from the
beginning to the end of the work period for one worker. K4 is a
proportional coefficient which normally is equal to 4.
A working group occupying one post can be made up of N
people, and considering the relations between these N people is not
serial or parallel, the reliability of the personnel occupying a certain
post is the average of N people based on the next situation.
The reliability of the personnel quality holding a dangerous post
is:
X
N
Rsi
V2 ¼ (11)
N attains the ideal value of 1. This indicates the need to control more
i¼0
(3) Effectiveness coefficient of security management, V3
The evaluation index for the safety management effectiveness
contains 10 parameters (see Table 1, organization barriers). Each
item is given a full mark of 100. The average score for these 10
parameters serves as the estimated final value of the safety man-
agement effectiveness, thus:
B2 ¼ 1  ð1  B21 Þð1  B22 Þð1  B23 Þ (13)
set:
8
< B21 ¼ B2A V1
B ¼ B2B V2 (14)
: 22
B23 ¼ B2C V3
where, B2A, B2B and B2C are the actual protection ratios.
B2A is the implicit risk offset percentage of the unit when all
technical effectiveness factors meet the requirement of V1 ¼ 1. B2B
and B2C have similar connotations as B2A. B2A, B2B and B2C are the
maximum protection barrier ratios. We cannot replace B2A, B2B and
B2C with the values of V1, V2 and V3 for the effectiveness value of the
entire barrier will reach 1 when one of the three types of barriers
than one type of barrier to avoid all accidents. Although the prob-
ability of accident is low, accidents could happen for unexpected
reasons as long as hazards exist.
Introduction of marks:
Let a represent the technological operation, equipment and
storage factors. Let b give the quality factor of the operating staff
and let c represent the safety factor of the management state
(Young and Poon, 2013).
Then, the conditional probabilities can be obtained through
accident statistics:
 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371 367

   
XT1 ¼ XAB þ XAB þ XAB þ XAB
P ajbc ¼ 0:216; PðajbcÞ ¼ 0:522; P a bc ¼ 0:254; PðajbcÞ
XT2 ¼ XAC þ XAC þ XAC þ XAC (17)
¼ 0:982 XT3 ¼ XCB þ XCB þ XCB þ XCB

          X   X
XAB X
P bjac ¼ 0:658; P bjac ¼ 0:792; P bjac ¼ 0:775; P bjac WðabÞ ¼ ; W ab ¼ AB ; W ðabÞ ¼ AB ; W ab ¼ AB
XT1 XT1 XT1 XT1
¼ 0:969
XAC XAC XAC XAC
WðacÞ ¼ ; W ðacÞ ¼ ; W ðacÞ ¼ ; W ðacÞ ¼
XT2 XT2 XT2 XT2
     
P cjba ¼ 0:347; PðcjbaÞ ¼ 0:569; P cjba ¼ 0:379; P ajbc XCB   X X   X
WðcbÞ ¼ ; W cb ¼ CB ; W ðcbÞ ¼ CB ; W cb ¼ CB
XT3 XT3 XT3 XT3
¼ 0:923
(18)
Any factor controlling the occurrence of an accident relies on the We can obtain the B2 values from the above equations. The
degree of control by the other two factors. a, b and c correspond to higher the B2value, the greater the degree of risk control.
the index set A, B and C, respectively, where A, B and C contain
several elements. If factor a is under control, all elements of the A
4.3.3. Economic evaluation, C3
index set reach an ideal value and V1 equals 1. If factor a is not
The cost of safety barriers resides in the construction and
controlled, then V1 equals 0. In real situations,
operation. A maximum operation efficiency achieved at a minimum
0  V1  1; 0  V2  1; 0  V3  1. The evaluation unit being a
expenditure is considered an ideal situation. The estimation index
discourse domain, A, B and C are fuzzy sets. If XA ; XB ; XC represent
evaluating the cost of safety barriers is calculated in Eq. (4).
members of A, B and C, respectively, then
XA ¼ V1 ; XB ¼ V2 ; XC ¼ V3 . If A; B; C forms the complemen-
tary set of A, B and C, respectively, then the membership of the 4.4. A comprehensive evaluation of the safety barrier system
evaluation unit affecting A; B; C is XA ¼ 1  V1 , XB ¼ 1  V2 ,
XC ¼ 1  V3 , respectively. The maximum compensation rate is 4.4.1. Membership function and evaluation matrix
expressed by the weighted sum of the condition probabilities, thus: The three indexes (f1(x), f2(x) and f3(x)) (see section 5.3) repre-
sent the entire safety barrier performance. Since there are multiple

8        
>
>
> B2A ¼ WðbcÞPðajbcÞ þ WðbcÞPðajbcÞ þ W bc P a bc þ W bc P ajbc
<          

B2B ¼ WðacÞP b ac þ WðacÞP b bc þ WðacÞP b ac þ W bc P ajbc (15)
>
>        
>
:
B2C ¼ WðbcÞPðcjbaÞ þ W ab P c ab þ WðabÞPðcjabÞ þ W ba P cjba

levels of uncertainties within the criteria and relations, the core of a

A significance equation set determined by the fuzzy set theory is fuzzy comprehensive evaluation is a fuzzy transform. Let the three
detailed as follows: factors set be U ¼ {f1(x), f2(x), f3(x)} (the element set). The comment
set is L ¼ {L1, L 2, L 3, L 4, L 5}(the evaluation set), where L is cate-
8 gorized into five qualifiers: L 1 ¼ very good performance, L 2 ¼ good
>
> ¼ minðXA ; XB Þ ¼ min ðV1 ; V2 Þ performance, L 3 ¼ medium performance, L 4 ¼ low performance
> XAB
>
>
> X ¼ minðXA ; XB Þ ¼ min ðV1 ; 1  V2 Þ and, L 5 ¼ very low performance.
>
> AB
>
> XAB ¼ minðXA ; XB Þ ¼ minð1  V1 ; V2 Þ
>
>  
The relation between the factor set and the evaluation factor is
>
>
>
> X ¼ min XA ; XB ¼ min ð1  V1 ，1  V2 Þ expressed by the membership function based on the fuzzy relation
>
> AB
>
> matrix R:
>
> XAC ¼ minðX
 A ; XC Þ¼ min ðV1 ; V3 Þ
>
> h i
>
> X ¼ min XA ; XC ¼ minðV1 ; 1  V3 Þ
>
> R ¼ mivj ðxÞ (19)
< AC   nm
XAC ¼ min XA ; XC ¼ min ð1  V1 ; V3 Þ (16)
>
>  
>
> where mivj ðxÞ indicates the membership of factor i on comment vj ,
>
> X ¼ min XA ; XC ¼ minð1  V1 ; 1  V3 Þ
>
> AC (i ¼ 1, 2, … ,n; j ¼ 1, 2, … ,m), n is the number of influence factors
>
> ¼ minðX
>
>
>
XBC  B ; XC 
Þ ¼ minðV2 ; V3 Þ and chosen as 3, and m is the number of evaluation orders and
>
> XBC ¼ min XB ; XC ¼ minðV2 ; 1  V3 Þ
>
> chosen as 5.
>
>  
>
> The evaluation order is divided into five intervals. Table 4 shows
>
> XBC ¼ min XB ; XC ¼ minð1  V2 ; V3 Þ
>
>   the grading criteria of each evaluation index.
>
>
>
: XBC ¼ min XB ; XC ¼ minð1  V2 ; 1  V3 Þ

4.4.2. Determining the weight factor

Where, XAB is the subordination degree of the evaluation unit When a comprehensive evaluation is conducted, an expert as-
available by A∩B. The other variables are being described in similar signs a weight value to each index based on his or her expertise and
fashion. The mid-calculated values connecting the state of solution knowledge. Each expert makes his own assessment of the produced
are provided by the following equations: value and the summary of these values will give the safety
368 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371
Table 4
Grading criterion for each evaluation index.
L1 L2 L3 L4
f1(x): A1 4 3 2 1
f2(x): B2 0.8e1.0 0.6e0.8 0.4e0.6 0.2e0.4
f3(x): C3 0e20% 20%e40% 40%e60% 60%e80%
performance of the barrier system. Different experts hand over
different scores due to the following reasons (Li et al., 2015):
➣ They possess different education and culture backgrounds.
➣ They usually carry unique work experiences which lead to
different evaluations.
➣ Their opinions differ owing to their familiarity with the project
being evaluated.
We weight the value of each expert with a number. For an
important expert, his or her weight may be higher relative to the
others. Fuzzy values can dictate the importance of experts. Having a
T number of experts, their weights are given by ki (i ¼ 1, 2, …, T). To
generate a more intuitive distinction, we normalized the process
such as:
k
wi ¼ PT i i ¼ 1:2; …; T
i¼1 ki
Then an expert weight set can be determined as W ¼ {w1,w2,
…,wT}, where wi indicates the weight of each expert.
4.4.3. Results of the fuzzy evaluation
The final evaluation level of the target unit, is generated by the
formula:
L ¼ f ðf ðx1 Þ; f ðx2 Þ; f ðx3 ÞÞ ¼ f ðA1; B2; C3Þ ¼ W$R
5. The evolution of accidents related to the failure of safety
barriers
5.1. Coupling effect of risk factors
The weight of one snowflake is extremely small. However, a
strong tree branch can be broken by the accumulation of a sub-
stantial mass of snowflakes. We compare the snowflakes to mul-
tiple single risk factors that can lead to a major accident. The last
snowflake to fall can be compared to the event triggering a major
accident. In the industrial workplace, minor mistakes occasionally
occur. But these seemingly insignificant errors can cause an
important accident when the accumulation of risks exceeds the
system tolerance. A serious accident will happen when the last risk
factor (e.g. the last snowflake to fall) develops and triggers directly
the event leading to the ultimate accident.
5.2. The evolution of accidents from safety barrier failures
The safety of oil storage tank farms has drawn attention from
several researchers. Various risk factors stem from the production
of oil-based materials (with a high potential of fire and explosion),
high temperature and pressure toxic technological processes and
the quality of the working personnel such as the education level.
Unexpected events will gradually worsen if the control barriers fail
and finally grow into a serious accident causing significant
personnel injury and property loss. Fig. 3 describes how a major
accident happens in a processing industry in relation to failures of
safety barriers.
L5 As shown in Fig. 3, in practice, there exists more than one known
a
risk factor acting concurrently. The safety barrier detects and
0e0.2 eliminates the risk factors continuously. Since the system is dy-
80%e100% namic and open, unknown risk factors may appear and are grad-
ually converted into known risk factors. The system will be in a
dynamic balance state if the accumulated risk level falls below the
critical risk level. However, if the accumulated risk level grows
beyond the critical risk level an initial event will occur. The last risk
factor commonly triggers the event (inducing factor). If the safety
barrier preventing the trigger event is effective, then the accident is
stopped. Otherwise, the initial event will progress and trigger a
secondary event. Similarly, if the safety barrier preventing the
secondary event is effective, then no major accident will occur.
6. Case study: fire and explosion in an oil storage tank farm
Our case study concerns an oil storage accident in history. Nine
employees suffered injuries during the incident and approximately
4.64 million pounds of oil was loss to fire. We analyzed the incident
in terms of the performance and failure of the safety barriers based
in part on published reports of the accident. A panel of 10 experts,
including plant managers and academic researchers, was formed to
(20) support our case study and analyze the entire accident process.
6.1. The functions of safety barriers
The safety function is defined by combining all barriers during
the risk analysis process. Integrating multiple safety barriers is a
sound strategy to reduce the overall risk level. Table 5 summarizes
the safety functions and safety barriers.
Table 5 reveals a relative abundance of barriers to prevent oil
(21) overflow and limit the extent of combustible steam. These two
unexpected events can be effectively controlled. However, for
others like the prevention of explosion and pool fire, limiting the
range of explosion and mitigating the consequences of the accident,
there is only a single safety barrier which seems wholly inadequate.
A single barrier has a higher possibility of failing than a series of
barriers.
6.2. A comprehensive performance evaluation of safety barriers
6.2.1. Determining the LC of the safety barrier function (A1)
Six major safety barrier functions were identified (see Table 5).
The LC for each safety barrier function can be calculated according
to the method detailed in Section 5.3.1. The “preventing oil over-
flow” serves as an example with C4 grading for the consequences of
the overflow. We assumed the time the target was exposed to a
dangerous environment exceeded 10% of the system run time,
signifying F ¼ F2. The oil overflowing, the operation staff may
discover the anomaly and take timely restrictive measures, there-
fore D ¼ D1. The manipulator failure frequency is estimated at 0.1/a,
indicates P ¼ P1. Fig. 2, presenting the safety barrier function
analysis, suggests a LC value of 2 for this category of safety barrier.
The expert panel determined the other five safety barrier functions.
The results are listed in Table 5.
6.2.2. Calculation of the effectiveness of the safety barrier (B2)
The safety barrier index for the processing equipment is deter-
mined in Table 3, based on statistics of past accidents and equip-
ment failure rate. The calculated value of V1, the effectiveness, is
equal to the product of C1, C2 and C3, thus:
 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371 369

Fig. 3. Logical scheme of major accidents happening in process industry.

Table 5
Identification of safety functions and safety barriers.

Function Safety function of Safety function of Safety function of Safety function of Safety function of LC
“Organization management “Technical detection “Unqualified “Technically positive “Technically passive
failure” failure” personnel” measures failure” measures failure”

Prevent oil overflow B1-1 B2-1 B3-1 Null Null 2

Limit the extensiveness of Null Null B3-2 B4-1 þ B4-2 B3-1 2
combustible steam
Prevent explosion and pool Null Null Null Null B5-1 2
fire
Limit the further Null Null Null B4-3 þ B4-4 Null 3
enlargement of
combustible steam
Limit the enlargement of Null Null Null B4-5 Null 4
explosion range
Mitigate the accident B1-2 Null Null Null Null 4
consequence

Table 6
Identification of safety functions and safety barriers.

P1 P2 P3 P4 P5 P6 P7 P8 P9 P10

R1 1 1 1 1 1 1 1 1 1 1
R2 0.815 0.815 0.625 0.625 0.625 0.625 0.403 0.625 0.815 0.815
R3 1 0.5 0.5 0.3 0.3 0.3 0.5 0.5 0.3 0.5
R4 1 1 1 1 1 1 1 1 1 1
Rsi 0.815 0.4075 0.3125 0.1875 0.1875 0.1875 0.2015 0.3125 0.2445 0.4075
V2 ¼0.322

Note: Pi means person i. In this case, 10 persons are involved.

Table 7
Score for each safety management index.

No. Items Full mark Actual score

1 Safety production management institution and personnel 100 95

2 Safety production regulatory framework 100 98
3 Safety production fund guarantee 100 95
4 Safety production safety education and examination 100 87
5 Operation instruction 100 85
6 Safety production daily check 100 95
7 Contingency plan and measure 100 90
8 Daily risk analysis 100 95
9 Daily hidden danger investigation and correction 100 90
10 Accident statistic and analysis 100 90

They were ten persons at risk. Their qualifications can be ob-

Y
n
tained by R1, R2, R3 and R4 and are listed in Table 6.
V1 ¼ Ci ¼ 0:381
The reliability of the personnel quality for a specific post is:
i¼1
370 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371

6.2.4. Results of the fuzzy evaluation

X
N
Rsi
V2 ¼ ¼ :022
N (1) Membership function and evaluation matrix
i¼0

The score for each safety management index is given in Table 7 The relationship between the factor set and the evaluation
and generates the effectiveness coefficient for the safety manage- factor is expressed by the membership function based on the fuzzy
ment barrier, thus: relation matrix (Kang et al., 2014, 2016). We programmed the
software of calculating the Fuzzy Evaluation Method. In the field
obtained score of safety management 87:7 application, the membership function can be obtained by entering
V3 ¼ ¼ ¼ 0:877
deserved score of safety management 100 the actual score of each evaluation element. The evaluation matrix
Substituting V1 ¼ 0.381, V2 ¼ 0.322, V3 ¼ 0.877 into Eq. (15) to is obtained by Eq. (19),
Eq. (18), we get: 2 3
0 0 1 0 0
B2A ¼ 0:350; B2B ¼ 0:670; B2C ¼ 0:510; B21 ¼ 0:133; B22 R ¼ 40 0:615 0:385 0 05
0 0 0:265 0:735 0
¼ 0:214 and; B23 ¼ 0:447

B2 ¼ 1  ð1  B21 Þð1  B22 Þð1  B23 Þ ¼ 1  0:377 ¼ 0:623

Therefore the effectiveness of the safety management barrier (2) Factors weights
gets the “well” grade (see Table 4).
The weights of the three indexes are obtained by Eq. (7),
following the calculation results of the program, the result of the
6.2.3. Economic evaluation (C3) weight is obtained,
For each arc, several safety barriers were installed to prevent
and protect against fire and explosions. Although there was suffi- W ¼ ½0:391; 0:492; 0:117
cient number of barriers, we must consider the monetary aspect
because of the maximum expenditure permitted by the company,
therefore:
P (3) Comprehensive evaluation
cos tijk
Ak2Mij
C3 ¼  100% ¼ 64:7% The comprehensive evaluation result is:
s

Fig. 4. Incident process analysis based on safety barriers failure.

 J. Kang et al. / Journal of Loss Prevention in the Process Industries 43 (2016) 361e371
2 3
0 0 1 0
L ¼ W  R ¼ ½ 0:391 0:492 0:117   4 0 0:615 0:385
0 0 0:265
The safety level barrier system performance is given by the
largest value of the vector L (0.611), indicating a “middle status”
level. Therefore, it is necessary to improve the safety barrier per-
formance by further risk control. Improvements on safety man-
agement level, employee quality, safety device and daily
maintenance are recommended.
6.3. The evolution of accidents based on the failure of safety barriers
An initial event produces a serious secondary event that has
possible ramifications to the health of the entire system. Fig. 4 il-
lustrates the progression of the oil storage fire and explosion taking
the failure of safety barriers into consideration.
7. Conclusions
A quantitative evaluation model of safety barriers performance
is presented. Assessing the quality of safety barriers within an in-
dustrial plant from different aspects is our primary goal. We also
aim to help decision makers to efficiently manage these barriers.
The results of this study allow the following conclusions to be
drawn.
➣ A comprehensive and systematic categorization of safety bar-
riers installed at an oil storage tank farm is presented based on
their functions and features. This is important to better under-
stand the usage of different types of barriers. Depending on risk
identification and assessment, the safety barrier system is
divided into three types: technological barrier, personnel barrier
and organizational barrier. The evolution of an accident is a
valuable support to the installation of preventive and protective
barriers and to block its propagation through a domino effect.
The model proposed in this paper is used to analyze more
realistic scenarios that may have a significant impact on the
occurrence of accidents. The profile of an accident can guide
decision makers to install the necessary safety barriers.
➣ A quantitative evaluation method for safety barrier systems is
proposed having indexes of effectiveness, level of confidence
and cost, helping deliver quality barriers. A comprehensive
evaluation model for the safety barrier system using these three
indexes is established employing the fuzzy mathematic theory
and a global safety grade can be determined. After calculating
each evaluation index, vulnerabilities in the barrier system can
be detected and incorporated in system optimizations.
➣ The results are encouraging both in terms of their applicability,
quality of solution and flexibility. With an increasing number of
barriers, we can provide an optimal solution in a limited amount
of time and workload at minimal cost through: (a) pairing
different categories of safety barriers to reduce the uncertainty
of analysis, (b) the accident analysis to guide the location of
safety barriers to cut off the path of risk events, (c) the evalua-
tion of the assessment index allowing a better understanding of
safety barrier performance from different aspects and, (d) a
comprehensive grading system to support decision makers in
371
0
0 05 ¼ ½0 0:303 0:611 0:086 0
0:735 0
evaluating entire safety systems. This paper provides a powerful
support tool to decision makers who want to evaluate and
improve the current safety barrier system and also to design
new safety barrier systems according to different requirements.
Acknowledgments
Project supported by Science and Technology Innovation
Foundation from Beijing Institute of Petrochemical Technology
(Grant No. 15031862005/016 and 15031862005/014); Natural Sci-
ence Foundation of Beijing, China (Grant No. 2162016).
References
Cozzani, V., Reniers, G., 2013. 1ehistorical Background and State of the Art on
Domino Effect Assessment. Domino Effects in the Process Industries, pp. 1e10.
Dianous, V.D., Fie vez, C., 2006. Aramis project: a more explicit demonstration of risk
control through the use of bow-tie diagrams and the evaluation of safety barrier
performance. J. Hazard. Mater. 130 (3), 220e233.
Hayes, J., 2012. Use of safety barriers in operational safety decision making. Saf. Sci.
50 (3), 424e432.
Hickey, J., Qi, V.E.H., 2013. Effectiveness of accident models: system theoretic model
vs. the swiss cheese model: a case study of a us coast guard aviation mishap. Int.
J. Risk Assess. Manag. 17 (1), 46e68.
Hu, L., Zhang, Y., Li, L., Su, G.H., Tian, W., Qiu, S., 2015. Investigation of severe ac-
cident scenario of pwr response to loca along with sbo. Prog. Nucl. Energy 83,
159e166.
Kang, J., Zhang, J., Gao, J., 2016. Improving performance evaluation of health, safety
and environment management system by combining fuzzy cognitive maps and
relative degree analysis. Saf. Sci. 87, 92e100.
Kang, J., Liang, W., Zhang, L., et al., 2014. A new risk evaluation method for oil
storage tank zones based on the theory of two types of hazards. J. Loss Prev.
Process Ind. 29 (1), 267e276.
Li, W., Liang, W., Zhang, L., Tang, Q., 2015. Performance assessment system of health,
safety and environment based on experts’ weights and fuzzy comprehensive
evaluation. J. Loss Prev. Process Ind. 35, 95e103.
Neogy, P., Hanson, A.L., Davis, P.R., et al., 1996. Hazard and Barrier Analysis Guidance
Document [M]. US Department of Energy.
Ramzali, N., Lavasani, M.R.M., Ghodousi, J., 2015. Safety barriers analysis of offshore
drilling system by employing fuzzy event tree analysis. Saf. Sci. 78, 49e59.
Sharif, R., Mustapha, S., Ahmadun, F., Shaluf, I.M., Said, A.M., 2002. Technological
man-made disaster precondition phase model for major accidents. Disaster
Prev. Manag. 11 (5), 380e388.
Shi, L., Shuai, J., Xu, K., 2014. Fuzzy fault tree assessment based on improved ahp for
fire and explosion accidents for steel oil storage tanks. J. Hazard. Mater. 278,
529e538.
Sklet, S., 2006. Safety barriers: definition, classification, and performance. J. Loss
Prev. Process Ind. 19 (5), 494e506.
Soltani, M., Moghaddam, T.B., Karim, M.R., Sulong, N.H.R., 2013. Analysis of devel-
oped transition road safety barrier systems. Accid. Anal. Prev. 59C (59C),
240e252.
Sunindijo, R.Y., 2015. Improving safety among small organisations in the con-
struction industry: key barriers and improvement strategies. Proc. Eng. 125,
109e116.
Underwood, P., Waterson, P., 2014. Systems thinking, the swiss cheese model and
accident analysis: a comparative systemic analysis of the grayrigg train
derailment using the atsb, accimap and stamp models. Accid. Anal. Prev. 68 (1),
75e94.
Valerio, C., Alessandro, T., Ernesto, S., 2009. The development of an inherent safety
approach to the prevention of domino accidents. Accid. Anal. Prev. 41 (6),
1216e1227.
Xue, L., Fan, J., Rausand, M., Zhang, L., 2013. A safety barrier-based accident model
for offshore drilling blowouts. J. Loss Prev. Process Ind. 26 (1), 164e171.
Young, R., Poon, S., 2013. Top management supportdalmost always necessary and
sometimes sufficient for success: findings from a fuzzy set analysis. Int. J. Proj.
Manag. 31 (7), 943e957.