

Title:
METHOD AND SYSTEM FOR CONTINUOUS ESTIMATION AND REPRESENTATION OF RISK
Document Type and Number:
WIPO Patent Application WO/2021/064144
Kind Code:
A1
Abstract:
Method and system for continuous estimation and representation of risk, more particularly a method and system for determining a risk indicator, in an industrial environment or another environment where risks are involved in performing the activity, and the dynamic development thereof over time. The system according to a preferred embodiment of the present invention comprises a distributed field infrastructure for gathering information and a central infrastructure for processing and assessing risk. The system and method according to a preferred embodiment of the present invention use the information gathered from a plurality of detectors set up to measure the various activities. These detectors include, for example, sensors and apparatuses (industrial hardware, field buses) for capturing and monitoring production plants, dedicated control systems present in the individual machines and plants, and have the function of capturing real-time measurements of various process parameters, operating parameters and plant/machine state parameters.

Inventors:
CARRUBBA GUGLIELMO (IT)
Application Number:
PCT/EP2020/077599
Publication Date:
April 08, 2021
Filing Date:
October 01, 2020
Assignee:
SAPIO PRODUZIONE IDROGENO OSSIGENO S R L (IT)
International Classes:
G06Q10/06; G06Q10/00
Foreign References:
EP1918869A1 (2008-05-07)
US20110252479A1 (2011-10-13)
US20190235483A1 (2019-08-01)
Other References:
BARALDI, P.; MANGILI, F.; ZIO, E.: "A prognostics approach to nuclear component degradation modeling based on Gaussian Process Regression", PROGRESS IN NUCLEAR ENERGY, vol. 78, 2015, pages 141-154, XP029106467, DOI: 10.1016/j.pnucene.2014.08.006
WELZ, Z.; COBLE, J.; UPADHYAYA, B.; HINES, W.: "Maintenance-based prognostics of nuclear plant equipment for long-term operation", NUCLEAR ENGINEERING AND TECHNOLOGY, vol. 49, no. 5, 2017, pages 914-919
COBLE, J.; RAMUHALLI, P.; BOND, L.; HINES, J.W.; UPADHYAYA, B.: "A review of prognostics and health management applications in nuclear power plants", INTERNATIONAL JOURNAL OF PROGNOSTICS AND HEALTH MANAGEMENT, vol. 6, 2015, pages 1-22
DAIGLE, M.; ROYCHOUDHURY, I.; SPIRKOVSKA, L.; GOEBEL, K.; SANKARARAMAN, S.; OSSENFORT, J.; KULKARNI, C.: "Real-time prediction of safety margins in the national airspace", 17TH AIAA AVIATION TECHNOLOGY, INTEGRATION, AND OPERATIONS CONFERENCE, 2017
SPIRKOVSKA, L.; DAIGLE, M.; BALABAN, E.; SANKARARAMAN, S.; KULKARNI, C.; POLL, S.; GOEBEL, K.: "Predicting real-time safety of the national airspace system", AIAA INFOTECH @ AEROSPACE CONFERENCE, 2016
COBLE, J.B.; RAMUHALLI, P.; BOND, L.J.; HINES, J.W.; UPADHYAYA, B.R.: "Prognostics and Health Management in Nuclear Power Plants: A Review of Technologies and Applications", PNNL-21515, U.S. DEPARTMENT OF ENERGY
ALDEMIR, T.: "A survey of dynamic methodologies for probabilistic safety assessment of nuclear power plants", ANNALS OF NUCLEAR ENERGY, vol. 52, 2013, pages 113-124
KIM, H.; LEE, S.-H.; PARK, J.-S.; KIM, H.; CHANG, Y.-S.; HEO, G.: "Reliability data update using condition monitoring and prognostics in probabilistic safety assessment", NUCLEAR ENGINEERING AND TECHNOLOGY, vol. 47, no. 2, 2015, pages 204-211
PLANAS, E.; ARNALDOS, J.; SILVETTI, B.; VALLEE, AGNES; CASAL, J.: "A Risk Severity Index for industrial plants and sites", JOURNAL OF HAZARDOUS MATERIALS, vol. 130, 2006, pages 242-250, XP025022803, DOI: 10.1016/j.jhazmat.2005.07.015
JIANG, H.; LIN, P.; FAN, Q.; QIANG, M.: "Real-Time Safety Risk Assessment Based on a Real-Time Location System for Hydropower Construction Sites", THE SCIENTIFIC WORLD JOURNAL, vol. 2014, 2014, XP055648378, DOI: 10.1155/2014/235970
LIANG, Q.; HE, Y.: "The Risk Assessment System of Chemical Industry Park based on Analytic Hierarchy Process", CET CHEMICAL ENGINEERING TRANSACTIONS, vol. 62, 2017
LOFSTRAND, M.; BACKE, B.; KYOSTI, P.; LINDSTROM, J.: "A model for predicting and monitoring industrial system availability", INT. J. PRODUCT DEVELOPMENT, vol. 16, no. 2, 2012
KUDRYAVTSEV, S.S.; YEMELIN, P.V.; YEMELINA, N.K.: "The Development of a Risk Management System in the Field of Industrial Safety in the Republic of Kazakhstan", SAFETY AND HEALTH AT WORK, vol. 9, 2018, pages 30-41
GISBERT, J.R.; PALAU, C.; URIARTE, M.; PRIETO, G.; PALAZON, J.A.; ESTEVE, M.; LOPEZ, O.; CORREAS, J.; LUCAS-ESTAN, M.C.; GIMENEZ, P.: "Integrated system for control and monitoring industrial wireless networks for labor risk prevention", JOURNAL OF NETWORK AND COMPUTER APPLICATIONS, 2014, pages 233-252
Attorney, Agent or Firm:
MURGITROYD & COMPANY (GB)
Claims:
CLAIMS

1. Method for the quantification and representation of a value indicative of a risk in an operating environment, using a distributed system comprising a plurality of detectors 103, each of the plurality of detectors 103 being set up to measure at least one operational parameter and transmit at predetermined time intervals to a server 101 the value of the at least one measured operational parameter, each of the at least one operational parameter having a direct or indirect relationship with at least one other operational parameter, the method comprising the steps of: maintaining in a database 105 accessible by the server 101 a list of operational parameters, each of the operational parameters being associated with: one of the plurality of sensors; a threshold value indicative of an acceptable risk value AR; a value PW indicative of the weight of the associated operational parameter and of the relationships of the operational parameter with the other operational parameters having a relationship with such parameter; processing by way of the server 101 the values of the parameters received from the plurality of sensors 103 and determining for each parameter an estimate of a value RR indicative of the residual risk, the value RR for each parameter being a function of the difference between the value measured and the acceptable risk value, weighted with the associated value PW; determining by way of the server 101 a value GRR indicative of the global residual risk associated with the operating environment, the determination of the value GRR being calculated by means of a probabilistic function of the plurality of estimated values RR, the probabilistic function comprising Artificial Intelligence tools; representing and communicating by way of the server the determined value GRR; in response to the determined value GRR exceeding a predetermined threshold, performing a predetermined corrective action procedure.

2. Method according to claim 1, wherein the probabilistic function comprises a function based on neural networks.

3. Method according to one of the preceding claims, wherein the probabilistic function comprises a function based on an acyclic graph.

4. Method according to claim 3, wherein the probabilistic function comprises a function based on Bayesian networks.

5. Method according to one of the preceding claims, wherein the corrective action comprises the emission of an acoustic and/or visual signal.

6. Method for the quantification and representation of a value indicative of a risk in an industrial site or other work environment comprising N operating environments, the method comprising the steps of:

- for each of the N operating environments, calculating a value GRRi (where 0<i<N) according to the method of any preceding claim;

- determining the maximum value GRRmax, being the maximum value of all GRRi values;

- assigning the value GRRmax to the value indicative of the total risk of the industrial site;

- representing and communicating by way of the server the determined value GRRmax;

- responsive to the determined value GRRmax exceeding a predetermined threshold, performing a predetermined corrective action procedure.

7. A computer program for the quantification and representation of a value indicative of the risk in an operating environment, according to one of the preceding claims, when the program is executed on a data processing system.

8. A distributed system comprising one or more components suitable for implementing a method for the quantification and representation of a value indicative of the risk in an operating environment, according to one of claims 1 to 5.

9. A distributed system comprising one or more components suitable for implementing a method for the quantification and representation of a value indicative of the risk in an industrial site, according to claim 6.

Description:
METHOD AND SYSTEM FOR CONTINUOUS ESTIMATION AND REPRESENTATION OF RISK

TECHNICAL FIELD

The present invention relates to a method and system for continuous estimation and representation of risk, more particularly to a method and system for determining a risk indicator, in an industrial environment or another environment where risks are involved in performing the activity, and the dynamic development thereof in real time.

TECHNICAL BACKGROUND

Prevention and reduction (or even better, where possible, elimination) of risk, for example in an industrial environment, is taking on ever increasing importance, and is drawing attention, efforts and investment proportionate to what is at stake. Industry 4.0, or the fourth industrial revolution, is characterised by a broad, deep process of digitising and interconnecting production processes and products. This can have a major impact on occupational health, safety and environment (OHSE) by making it possible to monitor the risk of failure of components and thus providing the opportunity to prevent malfunctions.

Traditionally, safety in production process was predominantly implemented using digital logic, in which the higher thresholds (e.g. FSHH, TSHH, FYHH, LSLL, PSLL, etc.) were used to activate block logics, while the lower thresholds (e.g. FSH, TSH, LSL, etc.) were used to activate preventative actions, which were nearly always maintenance-related. In this case, the innovation involves inserting a safety control by using simple or complex analogue variables (PressureSIC, TemperatureSIC, CalculationsSIC). This changes the method and the approach to safety, which starts to be managed as soon as there is a deviation from normal operating conditions; this makes human activity safer, since it eliminates the state of anxiety that occurs upon verifying a real and objective state of alarm or shutdown. Furthermore, human error is by definition reduced, since the ameliorative actions taken because of a deviation in the process are derived from a deeper, more detailed analysis as a result of the innovation. ALL OF THIS, HOWEVER, should ALREADY OCCUR DURING OPERATIONS.

The literature discusses some experiments on possible applications of monitoring in safety-critical contexts; see, for example, for the nuclear industry, Baraldi, P., Mangili, F., Zio, E. (2015), "A prognostics approach to nuclear component degradation modeling based on Gaussian Process Regression", Progress in Nuclear Energy, Vol. 78, pp. 141-154, Welz, Z., Coble, J., Upadhyaya, B., Hines, W. (2017) "Maintenance-based prognostics of nuclear plant equipment for long-term operation", Nuclear Engineering and Technology, Vol. 49(5), pp. 914-919, or Coble, J., Ramuhalli, P., Bond, L., Hines, J.W., Upadhyaya, B. (2015) "A review of prognostics and health management applications in nuclear power plants", International Journal of Prognostics and Health Management, Vol. 6 (SP3), pp. 1-22, and, for the aeronautical industry, Daigle, M., Roychoudhury, I., Spirkovska, L., Goebel, K., Sankararaman, S., Ossenfort, J., Kulkarni, C. (2017) "Real-time prediction of safety margins in the national airspace", 17th AIAA Aviation Technology, Integration, and Operations Conference, or Roychoudhury, I., Spirkovska, L., Daigle, M., Balaban, E., Sankararaman, S., Kulkarni, C., Poll, S., Goebel, K. (2016) "Predicting real-time safety of the national airspace system", AIAA Infotech @ Aerospace Conference. However, a structured modelling approach which analyses the safety benefits of monitoring in detail is yet to be developed, as can be seen from the fact that safety standards still require many advancements in order to make the technology mature enough to be implemented in safety-critical systems (see Coble, J.B., Ramuhalli, P., Bond, L.J., Hines, J.W., Upadhyaya, B.R., "Prognostics and Health Management in Nuclear Power Plants: A Review of Technologies and Applications", U.S. Department of Energy, PNNL-21515, Washington D.C.), even if studies have already been proposed.

For example, Aldemir, T. (2013), "A survey of dynamic methodologies for probabilistic safety assessment of nuclear power plants", Annals of Nuclear Energy, Vol. 52, pp. 113-124, and Kim, H., Lee, S.-H., Park, J.-S., Kim, H., Chang, Y.-S., Heo, G. (2015) "Reliability data update using condition monitoring and prognostics in probabilistic safety assessment", Nuclear Engineering and Technology, Vol. 47 (2), pp. 204-211, propose incorporating the predictions on malfunction time into probabilistic, dynamic risk assessment models, so as to integrate the dynamic predictions and their uncertainties with the actions carried out by the operators and by the automatic control systems.

The document Planas, E., Arnaldos, J., Silvetti, B., Vallée, Agnès, Casal, J. (2006), "A Risk Severity Index for industrial plants and sites", Journal of Hazardous Materials 130 (2006) pp. 242-250, considers the possibility of assessing plant risk indices in relation to the severity of the accident scenarios, so as to be able to obtain a "risk map" for the various accidents that may affect the plant. Jiang, H., Lin, P., Fan, Q., Qiang, M. (2014), "Real-Time Safety Risk Assessment Based on a Real-Time Location System for Hydropower Construction Sites", The Scientific World Journal, Volume 2014, analyses the importance of having an online (real-time) risk assessment available, which takes into account both the importance of the processes and the human factor. The document Liang, Q., He, Y. (2017), "The Risk Assessment System of Chemical Industry Park based on Analytic Hierarchy Process", CET Chemical Engineering Transactions, Vol. 62, 2017, relating to the chemical industry, underlines the importance of adopting a holistic approach to risk assessment, assigning the correct weight to each source of risk.

Löfstrand, M., Backe, B., Kyösti, P., Lindström, J. (2012), "A model for predicting and monitoring industrial system availability", Int. J. Product Development, Vol. 16, No. 2, 2012, proposes a model for predicting functional availability which makes use of system/sensors integration. The subjects of risk monitoring and the maintenance and optimisation thereof are also dealt with. Kudryavtsev, S.S., Yemelin, P.V., Yemelina, N.K. (2018), "The Development of a Risk Management System in the Field of Industrial Safety in the Republic of Kazakhstan", Safety and Health at Work 9 (2018), pp. 30-41, develops a model for processing the available monitoring information and data and analysing, assessing and controlling the plant risk. By exploiting this risk monitoring, the appropriate measures can be implemented to prevent workplace accidents, fatalities and injuries for effective safety management in industrial plants. Finally, the work set out in Gisbert, J.R., Palau, C., Uriarte, M., Prieto, G., Palazón, J.A., Esteve, M., López, O., Correas, J., Lucas-Estañ, M.C., Giménez, P., Moyano, A., Collantes, L., Gonzálvez, J., Molina, B., Lázaro, O., González, A. (2014), "Integrated system for control and monitoring industrial wireless networks for labor risk prevention", Journal of Network and Computer Applications (2014), pp. 233-252, concentrates on the impact of a system for monitoring and controlling the health and safety risks for workers within a plant.

As can be seen from the above examples, the literature discusses some experiments on the possible applications of monitoring in safety-critical contexts (for example, nuclear and aeronautical industry); there are already workplaces which have taken into consideration, in various manners and with various outlooks, the estimation of risk indices for complex monitored systems. What is missing is a structured modelling approach which analyses the safety benefits of monitoring in detail. This can be seen from the fact that safety standards still require many advancements in order to make the technology mature enough to be implemented in safety-critical systems, even if studies have already been proposed.

In practice, in industry, the current systems are usually limited to measuring safety by way of injuries, accidents, near misses, safety signalling, and other consolidated procedures which actually do nothing more than continue to populate the database with events which have occurred. In essence, security thus far has looked to the PAST.

However, there is a need to reverse this rather unsatisfactory tendency, in favour of FUTURE expectations for safety.

The object of the present invention is to provide a technology which overcomes, at least in part, the drawbacks of the currently available systems.

SUMMARY OF THE INVENTION

This result has been reached, in accordance with the present invention, by providing a method for the quantification and representation of a value indicative of a risk in an operating environment, using a distributed system comprising a plurality of detectors, each of the plurality of detectors being adapted to monitor and measure at least one operational parameter and transmit, e.g. at a predetermined time interval (other arrangements are possible, for example when an event occurs), to a server the value of the at least one measured operational parameter, each of the at least one operational parameter having a direct or indirect relationship with at least another one of the operational parameters, the method comprising the steps of: maintaining in a database accessible by the server a list of operational parameters, each of the operational parameters being associated with: one of the plurality of sensors; a threshold value indicative of an acceptable risk value (AR) and a value (PW) indicative of the weight of the associated operational parameter and of the relationship of the operational parameter with the other operational parameters with a direct or indirect relationship; processing by way of the server the values of the parameters received from the plurality of sensors and determining for each parameter an estimate of a value (RR) indicative of the residual risk, the value RR for each parameter being a function of the difference between the value measured and the acceptable risk value, weighted with the associated value PW; determining by way of the server a value GRR indicative of the global residual risk associated with the operating environment, the determination of the value GRR being calculated by means of a probabilistic function of the plurality of estimated values RR, the probabilistic function comprising Artificial Intelligence (AI) tools; representing and communicating by way of the server the determined value GRR; in response to the determined value GRR exceeding a predetermined threshold, performing a predetermined corrective action procedure.

In a preferred embodiment, the probabilistic function comprises a function based on neural networks. The probabilistic function may further be based on an acyclic graph, such as a function based on Bayesian networks. The aforementioned corrective action may comprise the emission of an acoustic and/or visual signal.

The present invention also provides a computer program, a software application or a program product which implements the aforementioned method when executed on a computer, a telephone or some device provided with data processing capabilities.

A distributed system which implements the aforementioned method is further provided.

According to the present invention we also provide a method for the quantification and representation of a value indicative of a risk in an industrial site (or any other work environment) comprising N operating environments, the method comprising the steps of: for each of the N operating environments, calculating a value GRRi (where 0<i<N) according to the above method; determining the value of GRRmax being the maximum value of all GRRi values; assigning the value GRRmax to the value indicative of the total risk of the industrial site; representing and communicating by way of the server the determined value GRRmax; in response to the determined value GRRmax exceeding a predetermined threshold, performing a predetermined corrective action procedure. The present invention also provides a computer program, a software application or a program product which implements the aforementioned method for the quantification and representation of a value indicative of a risk in an industrial site, when executed on a computer, a telephone or some device provided with data processing capabilities.

A distributed system which implements such method is also provided.

As a result of the present invention, it is possible to provide a system which combines all the relevant aspects for individual and global assessment of risk, which is not currently possible with the available instruments, particularly for the industrial context in question.

The global residual risk indicator is the resultant of all the individual residual risks, both sensor-equipped and otherwise, appropriately weighted.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other advantages, objects and features of the present invention will be better appreciated by any technical expert in the field from the following description and the accompanying drawings, relating to example embodiments of an exemplary nature but which are not intended as limiting, in which:

Fig. 1 shows the general architecture of a system according to a preferred embodiment of the present invention;

Fig. 2 schematically shows a generic computer used in the system according to a preferred embodiment of the present invention;

Fig. 3 schematically shows a method of calculating the global residual risk indicator GRR;

Fig. 4 shows the residual risk control as a control loop;

Fig. 5 shows a scheme with the extraction of the monitorable risk events from the relevant risk documents;

Fig. 6 shows an example of extracting the analogue and Boolean variables linked to the monitorable risk events;

Fig. 7 shows a regression line used in an example embodiment of the method according to the present invention;

Fig. 8 shows an example of a deviation from acceptable risk;

Fig. 9 shows an example of a Boolean variable used in an example embodiment of the method according to the present invention;

Fig. 10 is a graphical representation of an application of the method according to an embodiment of the present invention;

Fig. 11 schematically shows the steps of a method according to a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

The present description refers to “risk”, meaning the probability that a certain event capable of causing harm to persons occurs. The notion of risk implies the existence of a source of danger and of possibilities for this source to translate into harm. There are no limits on the representation of risk, so long as this risk is already known and can be represented in some way.

According to the method and system of the present invention, the goal of keeping the variable of safety under control is achieved by risk analysis, by means of which the residual risk for each accident event is estimated. The residual risk is actually defined as the risk predicted to remain once the required countermeasures have been taken. As defined by the laws in force, accident events which are considered “acceptable” have a residual risk below the admitted threshold. The residual risk is continuously subject to a reduction process both by way of continuous monitoring of the process variables and by way of an activity of searching for technologies which make it possible to increase the available information. The idea is therefore to start from the ACCEPTABLE risk and monitor it in real time to avoid it increasing or, even worse, going out of control until, without our knowledge, it becomes UNACCEPTABLE.

The system according to a preferred embodiment of the present invention comprises a distributed field infrastructure for gathering information and a central infrastructure for processing and assessing risk. The field infrastructure is managed by a server 101 which controls and is connected to a plurality of detectors 103 set up to measure the various activities: these detectors 103 include, for example, sensors and apparatuses (industrial hardware, field buses) for capturing and monitoring production plants, dedicated control systems present in the individual machines and plants (for example CNC, PLC, DCS, SCADA, etc.), and have the function of capturing real-time measurements of various process parameters, operating parameters and plant/machine state parameters. The collected data are supplied to the server 101 via appropriate communication systems, which may comprise, purely by way of example, local networks, LAN, WAN, Internet, fixed or mobile telephone networks. The server 101, after a first validation process (for example for identifying temporary or continuous malfunctions of the sensors, including using random techniques), processes the captured measurements and stores and archives them in appropriate databases 105. The databases 105 may comprise for example data structures which can manage even massive architectures and thus process in accordance with configurable parameters, which can be defined on the basis of the end goals. Further, a dedicated function makes it possible, using captured measurements which have been verified and validated, to determine new "virtual sensor" or "soft sensing" measurements which make it possible to complete the framework of information relating to the production process in question and to increase the reliability of the "risk indicator" datum.
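The paragraph above names the goals of the server's first validation pass (spotting temporary and continuous sensor malfunctions) and of the "virtual sensor" step, but not the checks themselves. The following is an added example, not code from the patent or from the applicant: it assumes that a sensor is in continuous fault when it is stale, stuck, or always outside its physical range; that an isolated spike or out-of-range sample is a temporary fault for which the window median is substituted; and that a soft sensor (here a steam-to-carbon ratio from two flow readings) is computed only from readings that passed validation, so that a faulty field input produces a gap rather than a fabricated value downstream. Tag names, ranges and samples are constructed.

```python
"""Added example (not the patent's code): field-data validation on the server
and a soft sensor gated on validated inputs. All tags and samples constructed."""
from dataclasses import dataclass
from statistics import median


@dataclass
class SensorSpec:
    sensor_id: str
    lo: float          # physical range of plausible readings
    hi: float
    interval_s: float  # expected reporting period
    stuck_n: int = 5   # identical consecutive samples => stuck sensor (assumed)


def validate_sensor(spec: SensorSpec, samples: list, now: float):
    """samples: [(timestamp, value), ...] in time order.
    Returns (status, value_to_use_or_None, reason)."""
    if not samples or now - samples[-1][0] > 3 * spec.interval_s:
        return "continuous_fault", None, "stale: no sample within 3 intervals"
    values = [v for _, v in samples]
    in_range = [v for v in values if spec.lo <= v <= spec.hi]
    if not in_range:
        return "continuous_fault", None, "every sample outside physical range"
    recent = values[-spec.stuck_n:]
    if len(recent) == spec.stuck_n and len(set(recent)) == 1:
        return "continuous_fault", None, f"stuck at {recent[0]}"
    med = median(in_range)
    last = values[-1]
    spike = abs(last - med) > 0.25 * (spec.hi - spec.lo)   # assumed spike band
    if spike or not (spec.lo <= last <= spec.hi):
        return "temporary_fault", med, "isolated spike or out-of-range sample; median substituted"
    return "valid", last, ""


def validated_values(specs: dict, history: dict, now: float) -> dict:
    """Run every configured sensor through validation; returns id -> (status, value)."""
    return {sid: validate_sensor(spec, history.get(sid, []), now)[:2]
            for sid, spec in specs.items()}


def soft_sensor_steam_carbon(values: dict, steam_id="FT-101", gas_id="FT-102"):
    """Virtual sensor: steam flow / natural-gas flow, only when both inputs passed
    validation (None otherwise, so the risk logic sees a gap, not a made-up number)."""
    steam = values.get(steam_id, ("missing", None))[1]
    gas = values.get(gas_id, ("missing", None))[1]
    if steam is None or gas is None or gas <= 0:
        return None
    return steam / gas


def series(start: float, step: float, values):
    """Build a timestamped series from a list of values (test data helper)."""
    return [(start + i * step, v) for i, v in enumerate(values)]


# Constructed field data: reporting period 10 s, evaluated at t = 1000 s.
NOW = 1000.0
SPECS = {
    "TT-201": SensorSpec("TT-201", 0.0, 1200.0, 10.0),  # reformer outlet temperature
    "PT-301": SensorSpec("PT-301", 0.0, 50.0, 10.0),    # discharge pressure
    "FT-101": SensorSpec("FT-101", 0.0, 500.0, 10.0),   # steam flow
    "FT-102": SensorSpec("FT-102", 0.0, 200.0, 10.0),   # natural-gas flow
    "LT-401": SensorSpec("LT-401", 0.0, 100.0, 10.0),   # tank level
}
HISTORY = {
    "TT-201": series(950, 10, [870, 872, 871, 873, 872, 871]),        # healthy
    "PT-301": series(950, 10, [30.1, 30.2, 30.1, 30.3, 30.2, 45.9]),  # single spike
    "FT-101": series(950, 10, [300, 300, 300, 300, 300, 300]),        # stuck
    "FT-102": series(950, 10, [98, 100, 101, 99, 100, 100]),          # healthy
    "LT-401": series(950, 10, [-5, -5, -5, -5, -5, -5]),              # out of range
}

if __name__ == "__main__":
    vals = validated_values(SPECS, HISTORY, NOW)
    for sid, (status, value) in vals.items():
        print(f"{sid}: {status} -> {value}")
    print("steam/carbon soft sensor:", soft_sensor_steam_carbon(vals))
```

Because the stuck steam-flow sensor FT-101 is rejected, the soft sensor returns None even though FT-102 is healthy; the risk estimate that consumes it should treat that as missing information rather than as a zero reading.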

The central infrastructure comprises, within or under the control of the server 101 (as shown in the drawings), a module for processing and assessing risk 107 and a module for signalling and communicating the risk factor 109. In the module for processing and assessing risk 107, instruments are integrated for analysing and processing the data gathered from the capture system described above, which are integrated together with information from other computing instruments and apparatuses (for example management instruments for asset management, for planning and allocating resources, for managing internal/external logistics, etc.). The output produced by the system for capturing the field data (field infrastructure) is used by higher-level, advanced instruments and algorithms for a. identifying alarms; b. supporting operators in first-response assessment for effective and efficient management of anomalies; c. supporting operators in performing more complex analyses for identifying the most probable causes of the encountered anomaly.

In the central infrastructure, there are also algorithms which use the information, data and feedback gathered from the field to supply and update an expert system which interprets the available information and data to produce a real and potential risk indicator and thus to allow the organisation to understand the phenomenon and to activate the relevant decisions, even in normal operational conditions.

The processing performed by the module for processing and assessing risk 107 supplies the results to the module for signalling and communicating the risk factor 109, which proceeds to communicate them in the appropriate manner to the instruments and persons which need to receive the risk signalling, within and/or beyond the monitored site and the industry which owns the structures for which the residual risk is to be estimated.

Fig. 2 shows a generic computer used in the system according to the preferred embodiment of the present invention. This generic description includes any device provided with processing capabilities, albeit with various levels of sophistication and functionality (e.g. computers, mobile terminals, servers, network routers, proxy servers).

The computer 250 is composed of various units which are connected in parallel with a system bus 253. In detail, one or more microprocessors 256 control the operations of the computer; a RAM 259 is used directly as a working memory of the microprocessors 256, while a ROM 262 contains the basic code for the activities for initially loading up the system (bootstrap). Various peripheral units are connected to a local bus 265 by means of appropriate interfaces. In particular, these peripheral units may comprise mass storage in the form of a hard disk 271 and a reader for CD ROMs and/or optical disks (e.g. DVDs or Blu-rays) 274, or else any other peripheral or storage device external to the computer.

Further, the computer 250 may comprise input devices 277 (e.g. keyboard, mouse, TrackPoint, USB ports) and output devices 280 (e.g. screen, printer, USB ports). A network card (Network Interface Card) 283 is used for connecting the computer 250 to a network. A bridge unit 286 forms the interface between the system bus 253 and the local bus 265. Each microprocessor 256 and the bridge unit 286 may operate as a "master agent" and request exclusive access to the system bus 253 for transmitting information.

An arbiter 289 manages requests for access to the system bus 253, preventing conflicts between the requesters. Similar considerations apply to systems which are slightly different or based on different network configurations. Other components beyond those described may be present in specific cases and for particular implementations (e.g. PDAs, mobile telephones, etc.).

One important element of the method and system according to a preferred embodiment of the present invention is an algorithm which makes it possible to monitor the residual risk continuously with a reliability level no lower than the reliability level of the activity which causes the risks (e.g. SMR hydrogen production plant, reliability level 98%). Residual risk monitoring is performed by monitoring the plurality of variables in normal conditions (i.e. acceptable conditions) and through a precise estimate of the value of each such variable and of its trend in the future; this estimate is obtained by applying a mathematical model and Artificial Intelligence (AI) tools. Continuous monitoring is possible, but takes place by reducing unmeasurable risks, and so this activity presupposes the adoption of sensors or in any case of electrical instrument devices which make it possible to detect the value directly or indirectly linked to the risk. With this basic presupposition, virtually all risks can be introduced into the control logic, and the inclusion thereof in the model depends solely on the possibility of measuring them.

It is necessary to start from an initial risk assessment, as established for example in Legislative Decree 81/2008 and subsequent amendments and additions. In the present discussion, the following steps are assumed for assessing the initial risk:

1. Identification of the sources of danger, the risks and the vulnerable workplaces;

2. Calculation of the initial risk (IR), carried out in various ways depending on the classification into unmeasurable risks and measurable risks;

3. Standardisation of the risk indices onto a single scale (e.g. 1 to 16);

4. Individuation and programming of the necessary hardware interventions for reducing the risk at the source, for example in accordance with the priorities indicated by the general principles of Legislative Decree 81/08, Art. 15;

5. Individuation and determination of the software interventions for reducing the risk, specifically for each assessed risk and for each homogeneous group (organisational interventions, procedural interventions, training, information, use of collective and individual protective devices, which do not actually alter the place of work, the equipment or the process);

6. Calculation of the residual risk (RR). Residual risk means the risk remaining after the corrective actions, and is the parameter indicated as ACCEPTABLE in terms of the probability P that the potential level of harm G is reached under the conditions of use and/or of exposure to a particular factor. The risk is a function of the probability that harm occurs and of the seriousness or scale of the possible harm. The acceptable risk level is determined from: legal requirements; technical standards; prior art in the field / state of the art; established practices in the field / activity under analysis; company policy.

In any case, regardless of how the initial risk (IR) is assessed and the residual risk (RR) calculated, the goal should be to reduce the risk to the point of not causing harm; in other words, the residual risk is a function of harm which tends to zero, $RR = f(G \to 0)$, in line with the spirit of “continuous improvement”.

Once the risks for the health and safety of the persons and the environment and the actions taken to reduce them to make them acceptable have been individuated, there is a need to monitor the acceptability level of the individual risk using variables. An indicator (RESIDUAL RISK INDICATOR (RRI)) is used to do this for each individual risk so as then to arrive at a single INDICATOR (I) representing the resultant of all the risks individuated in the analysed process. This indicator I is obtained by way of a weighted functional relationship of all the risks which, on each variation thereof, will in turn cause the overall residual risk indicator (ORRI) to vary as a function of the individual weighting weight. The weighting weight between the various risks is determined from the analysis of the process in question, and is thus fundamentally the role and the knowledge of the expert in the process. Fig. 3 shows a model for determining the global residual risk.

The RESIDUAL RISK indicator (RRI) is an analogue variable and, like all variables, may have one or more SETPOINTS, each of which may activate actions suitable for reporting the residual risk at the nominal values (acceptability of the risk) or activate emergency actions such as shutdown of the process and/or preventative evacuation of persons.

Fig. 4 shows a flow chart of the activity for residual risk control, using a conventional control loop, as described for example in GISI “Measurement and control instrumentation in industrial applications”, A. Brunelli, volume III-1, control of instruments and systems.

Each activity presents risks both for the person and for the surrounding environment; therefore, all risks can be grouped within the following contexts:

a) Production: phase in which the PROCESS is active and requires continuous control/monitoring by the control system and the persons. In this case, the risks are those directly linked to performing the process.

b) Maintenance: phase in which activities are performed by persons and equipment which allow the PROCESS to maintain performance in terms both of yield and of safety in accordance with the pre-set targets. In this case, the risks are those directly linked to the maintenance activity.

c) Workplace organisation: together with the human resources directly involved in various roles in the phases set out in points “a” and “b” above. In this case, the risks are exclusively linked to human behaviour, or to the erroneous operations carried out by staff both in performing the process and in the maintenance activity.

The measurement of the risks can be represented in various ways, for example using a Boolean variable or a real variable. In the former case, the change in state determines the passage from the normal state to the risk state; in the latter case, the risk state is brought about by the deviation in the real variable with respect to the reference function thereof. Said reference function is the behaviour of the variable over time within the admissible range thereof.

The model used in the method and system according to a preferred embodiment of the present invention introduces two other types of variables which may make a significant contribution to the global plant risk:

Non-sensor-equipped barriers, the reliability of which depends on factors which can be tracked (for example the timing of the maintenance activities) or which can be estimated qualitatively by plant experts (for example the result of the maintenance inspections);

Behavioural barriers, the introduction of which into the model can lead to consideration of human reliability, the influence of which on the global plant risk is fundamental and should be taken into consideration. The behavioural barriers are those of added individual value, since they belong to the individual; therefore, the thought of inserting sensors anywhere to remove the individual’s barriers would be a major error.

For these two complex types of variables, suitable analyses are set up, which should in some way quantify a risk value, which can be indicated as an Updating Likelihood Factor, which will be updated over time in view of new available information.

APPLICATION GUIDELINES FOR AN EXAMPLE EMBODIMENT OF THE SYSTEM ACCORDING TO THE PRESENT INVENTION

In a preferred embodiment of the present invention, the various steps to be carried out for monitoring the residual risk of a productive process first involve a series of preliminary activities for the correct configuration of the calculation instruments and subsequently the activity of calculation in real time which makes it possible to update the risk indicator continuously. The steps described herein represent an example embodiment, but may be subject to adjustments and alterations depending on preferences and other conditions, as will be appreciated by technical experts in the field. Further, depending on specific requirements and alterations to the legal requirements, other steps may be added.

Preliminary activities

The preliminary activities include for example:

STEP 1: Analysis of monitorable risk events

A risk event is considered monitorable if there is the possibility of measuring the residual risk thereof. This activity has to be performed while analysing all the legally required documents which already deal with various aspects of the question of risk, including:

HAZOP (HAZard and OPerability analysis), risk analysis, safety report, environmental analysis, monitoring system, Integrated Environmental Authorisation system monitoring, safety and environment management system, accident prevention plan, Risk Assessment Document (RAD) and other tools.

Fig. 5 schematically shows the step of extracting the monitorable risk events from the risk-related documents, according to a preferred embodiment of the method and system according to the present invention.

STEP 2: Extraction of the analogue and Boolean variables linked to the monitorable risk events

The analogue and Boolean variables which have a direct or indirect relationship with the monitorable risk events are taken into consideration (an indirect relationship referring to those variables which are linked to those in a direct relationship).

Fig. 6 schematically shows the step of extracting the analogue and Boolean variables linked to the monitorable risk events, according to a preferred embodiment of the method and system according to the present invention.

Once the list of Boolean variables is generated, there is a need to differentiate those linked to sensor-equipped (or sensor-equippable) components from those which are not sensor-equipped.

STEP 3: Checking of the RELIABILITY level of the PROCESS

The goal of this activity is to gain awareness of the reliability level of the process in terms both of the measurement instruments and of the automation. Both contexts can actually be affected by false positives: for the sensors, these are linked to incorrect measurement of the analogue variables; for automation, meanwhile, they are linked to the signalling of alarms in the absence of real anomalous conditions (there are also false negatives or absences of alarm signalling in the presence of real anomalous conditions).

The sensors should be provided with malfunction signalling, and if the variable to be monitored is a critical variable for RISK purposes it is preferable to apply voting logic. This technique is known to experts in the field, and involves installing more sensors (2 or 3) for the same variable. In this way, on the one hand false positives are avoided, and on the other hand measurement accuracy is increased. Where possible, it is safe to recommend capturing the diagnostic information supplied by the sensor itself (for example using a HART protocol or other out-of-range diagnostic systems) so as to have a greater degree of accuracy for the real functioning of the instrument. In addition to the instrument redundancy, the problem of false positives for sensors can actually be eliminated by way of the machine learning algorithms used for reconstructing variables which are subject to monitoring of deviations (these are none other than models which use the variables related by physical laws). The recognition of the false positive occurs when, for the deviation in the measured analogue variable, there is no corresponding deviation in the variables related thereto. In the absence of diagnostic information supplied by the sensor itself, this method is a very good alternative tool for advance recognition of the incipient malfunction of the sensor. As regards automation, meanwhile, redundancy of the alarms linked to the risk is provided within the intelligent monitoring system. In the presence of a false alarm, IP will signal the anomaly without incrementing the risk value of the event with which the false alarm is associated. At the same time, in the presence of false negatives (absence of alarm signalling in the presence of real anomalous conditions), the intelligent monitoring system will signal the alarm while causing automatic incrementation of the risk value of the event with which the alarm which it should have triggered was associated. In both cases, the intelligent monitoring system will generate a query resulting from the false alarm (whether positive or negative). The intelligent monitoring system thus becomes the controller of the accuracy of the measurements and signalling of the control system.

STEP 4: Individuation of the risks arising from maintenance activity

To individuate the risks arising from maintenance activity, there is a need to carry out careful risk analysis of the maintenance management system itself. This system, if implemented using an IT platform, can actually transmit all the information inherent to the intrinsic features of the assets (age, useful lifetime, technology, level of use, etc.) and to the maintenance activity (schedule, timing, maintenance report account, etc.), in addition to all the essential authorisation steps for the maintenance activity, such as the work permit. This information does not come from sensors, but is updated periodically by the appropriate staff at maintenance interventions. Within the intelligent monitoring system, said information can automatically activate alarms at the RISK system at the moment when they are no longer compliant. These alarms are usually Boolean variables, and there is therefore a need to associate them correctly with the risk events identified in step 1.

STEP 5: Individuation of the risks arising from human behaviour

This preliminary step relates to the individual and his behaviour. The risks from human error are still numerous, and relate to all levels of the organisation, from the operator to the top manager. Clear, honest assessment of the organisation using standardised techniques and methodologies is therefore advisable. At the same time, using the instrumentation which is gradually coming onto the market, it is possible to start providing more and more effective and helpful support for the individual. In time, this combination of factors will also improve the cultural process as regards safety and the environment.

The events linked to human behaviour are Boolean variables, since they attest to an intervention being performed, and there is therefore a need to associate them correctly with the risk events identified in step 1.

Manners of calculation

The real-time calculation activities performed within the intelligent monitoring system make it possible to update the risk indicator at any moment in time.

The calculation model for the global risk indicator was presented previously in Fig. 3. As was addressed previously, the weighting weight between the various risks is determined from the analysis of the process in question, and the role and the knowledge of the expert in the process are thus fundamental.

Meanwhile, as regards the calculation of the residual risk indicator of each risk event, in a preferred embodiment of the present invention, a probabilistic model is used which represents a set of stochastic variables along with the dependencies thereof using a directed acyclic graph. Experts in the field will appreciate that other models may be used, so long as they correctly represent the link between the variables. The acyclic graph makes it possible (for example using Bayesian networks or other networks) to generate consequential events between directly linked variables, thus avoiding the possibility of cyclical events which would poorly represent the development of the risk event. The entry nodes to the advanced probabilistic model identify the base events, and require calculation of the probability at each moment in time. This probability depends directly on the state of the variable associated with the node in question. In the model described herein, two possible states/conditions are distinguished:

Normal condition: the risk remains constant since the process is under control

Risk condition: the risk tends to increase as a result of the presence of an anomaly

So as to be able to distinguish whether the variable in question is in a normal condition or a risk condition, it is necessary to introduce the concept of a residue.

The residue e at time t represents the difference between the current value y(t) and the reconstructed (or “expected”) value y*(t) of the analogue variable in question: $e(t) = y^*(t) - y(t)$

The process of reconstructing said variable takes place using suitable, properly trained machine learning algorithms (for the training phase of the models, it is necessary to identify time windows in the historical data relating to normal operativity). The reconstructed variable is thus a function of the variables $(x_1, x_2, \ldots, x_N)$ linked thereto by physical laws (the weights $\beta_i$ are the result of the training phase): $y^*(t) = \beta_0 + \beta_1 x_1(t) + \beta_2 x_2(t) + \ldots + \beta_N x_N(t)$, and is independent of the form it may take (straight line, sinusoid, etc.).

By way of example, let us consider having 5 values of a single independent variable x available, identified by the points $(P_1, P_2, P_3, P_4, P_5)$. The reconstructed variable is represented by the regression line $y^*(t) = \beta_1 + \beta_2 x(t)$, from which the values of the points $(Q_1, Q_2, Q_3, Q_4, Q_5)$ are derived.

The residues $(e_1, e_2, e_3, e_4, e_5)$ are represented by the differences between the points P and the points Q, as is shown in Fig. 7.

As a result, the value of the residue is used to discriminate between the two conditions, normal and risk:

Normal condition: the residue remains within the admissible range thereof

Risk condition: the residue leaves the admissible range thereof

So long as the normal condition persists, the probabilities of all the input nodes to the advanced model take the nominal values which are drawn from literature or estimated using particular algorithms.

In this context, the following algorithms are used:

MAVT (multi-attribute variable theory): used for correcting the nominal failure rate on the basis of information indicated in preliminary step 4

CREAM (cognitive reliability and error analysis method): used for correcting the probability of failure of a human behaviour on the basis of information indicated in preliminary step 5.

When the risk condition occurs, the probability of the input nodes to the advanced probabilistic model is recalculated on the basis of the nature of the variable in question:

Analogue variables

The residue is directly used for calculating the deviation in the analogue variable (variable D), which mathematically represents the angle between the projection of said variable and the horizontal axis:

$D(t) = \tan^{-1}\left[\frac{e(t)}{\Delta t}\right]$

Fig. 8 shows a graphical representation of the deviation of a process variable from nominal operating conditions.

In this case, the probability is a variable number from the nominal value $Pr_{NOM}$ to the unit value, and the updating thereof is inversely related to the value of the residual time $t_R$ in which the variable will reach a predefined threshold (pre-alarm threshold, alarm threshold or other threshold): $Pr(t) \propto 1/t_R(t)$, where $t_R(t) = |threshold - y(t)| / D(t)$.

The probability is thus directly proportional to the deviation, $Pr(t) \propto f(D(t))$, and so the greater the deviation (angle), the shorter the residual time and the more rapidly the probability will rise to the unit value.

The various deviations in the analogue variables involved in a single risk event will be associated with different nodes, since they require different weighting in relation to said event.

For example: if, in a furnace operating at high temperature and low pressure, there is the risk of an explosion during a “normal operation” phase, it is assumed that deviation of the pressure variable will have a greater risk than deviation of the temperature variable.

Boolean variables

In this case, the probability can take only two values (as is shown in Fig. 9):

Nominal value ($Pr = Pr_{NOM}$): when the normal condition obtains

Unit value ($Pr = 1$): when a risk condition obtains

The increase in the probability to the unit value immediately causes a step increase in the risk indicator, naturally depending on the importance of the node associated with the Boolean variable in question.

The Boolean variables are of various natures, for example:

Variables from automation (alarms, block logic, etc.)

Calculated variables linked to maintenance activities

Calculated variables linked to human interventions
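The residue, deviation and probability update described above, as an added Python illustration that is not the patent's own code: it fits the regression line of the Fig. 7 example to a constructed five-point training window, computes the residues, and applies D(t), t_R and the probability rule to a live sample for both an analogue and a Boolean node. The admissible band, the reference time at which Pr reaches the unit value, and the use of |D| in t_R are assumptions.

```python
"""Residue, deviation and probability update for one analogue variable,
following the formulas e(t) = y*(t) - y(t), D(t) = atan(e(t)/dt),
t_R = |threshold - y(t)| / D(t) and Pr ~ 1/t_R.  Added illustration; the
admissible band and the normalisation of Pr onto [Pr_NOM, 1] are assumed."""
import math

# Constructed training window from "normal operativity": five points
# P1..P5 of one independent variable x and the monitored variable y.
TRAIN_X = [1.0, 2.0, 3.0, 4.0, 5.0]
TRAIN_Y = [2.1, 3.8, 6.2, 7.8, 10.1]


def fit_line(xs, ys):
    """Training phase: ordinary least squares for y* = b1 + b2 * x."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b2 = sxy / sxx
    b1 = mean_y - b2 * mean_x
    return b1, b2


def reconstruct(x, b1, b2):
    """Reconstructed ('expected') value y*(t) = b1 + b2 * x(t)."""
    return b1 + b2 * x


def residues(xs, ys, b1, b2):
    """e_i = y*_i - y_i for the training points (Q_i minus P_i)."""
    return [reconstruct(x, b1, b2) - y for x, y in zip(xs, ys)]


def deviation(e, dt):
    """D(t) = atan(e(t) / dt): angle between the projection of the
    variable and the horizontal axis, in radians."""
    return math.atan(e / dt)


def residual_time(y, threshold, d):
    """t_R(t) = |threshold - y(t)| / D(t).  |D| is used (assumption) so
    that t_R is positive whichever direction the variable drifts."""
    if d == 0.0:
        return math.inf
    return abs(threshold - y) / abs(d)


def node_probability(e, y, dt, threshold, admissible, pr_nom, t_ref=1.0):
    """Probability of the base event for an analogue variable.

    Normal condition (|e| within the admissible band): Pr stays at Pr_NOM.
    Risk condition: Pr rises with 1/t_R, clamped to [Pr_NOM, 1].  t_ref is
    an assumed scale: the residual time at which Pr reaches the unit value.
    """
    if abs(e) <= admissible:
        return pr_nom
    t_r = residual_time(y, threshold, deviation(e, dt))
    if t_r == 0.0:          # the variable is already at the threshold
        return 1.0
    return min(1.0, max(pr_nom, t_ref / t_r))


def boolean_node_probability(in_risk_state, pr_nom):
    """Boolean variable (alarm, maintenance or behavioural event): only two
    values, Pr_NOM in the normal state and 1 in the risk state."""
    return 1.0 if in_risk_state else pr_nom


if __name__ == "__main__":
    b1, b2 = fit_line(TRAIN_X, TRAIN_Y)
    print("regression line:", b1, b2)
    print("training residues:", residues(TRAIN_X, TRAIN_Y, b1, b2))
    # Live sample: x = 6 gives y* = 12; the measured 13 drifts towards an
    # alarm threshold of 15 with a 1 s sampling interval.
    e = reconstruct(6.0, b1, b2) - 13.0
    print("Pr:", node_probability(e, 13.0, 1.0, 15.0, 0.5, 0.01))
```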

Fig. 10 shows a possible embodiment of the above-described methodology, demonstrating the combination of some parameters combined using Boolean operators to obtain a final global residual risk value.

Fig. 11 shows the steps of a method for the quantification and representation of a value indicative of the risk in an operating environment according to a preferred embodiment of the present invention. The method is implemented using a distributed system comprising a plurality of detectors 103, each set up to measure at least one operational parameter and transmit at predetermined time intervals to a server 101 the value of the measured operational parameter. As is illustrated in step 1101, the method provides maintaining in a database 105 accessible by the server 101 a list of operational parameters, each of the operational parameters being associated with one of the plurality of sensors and with a threshold value indicative of an acceptable risk value (AR) and with a constant indicative of the weight of the associated parameter (PW). The sensors continuously detect the values of the associated parameters (step 1103) and transmit them at regular (or very similar) time intervals to the server (step 1105). The details of how this detection and this transmission take place and the transmission times and frequencies of the data between the sensors and the server may change depending on specific requirements; the trigger for detection and/or transmission could be, in specific circumstances, event-driven instead of time-driven.
In step 1107, the server 101, by means of the processing and risk assessment module 107, processes the values of the parameters received from the plurality of sensors 103 and determines for each parameter an estimate of a value (RR) indicative of the residual risk, the value RR for each parameter being a function of the difference between the value measured and the acceptable risk value, weighted with the associated constant PW; the server 101 thus determines (step 1109) a value GRR indicative of the global residual risk associated with the operating environment, the determination of the value GRR being calculated by means of a probabilistic function of the plurality of estimated values RR. The server, by means of the module 109 for signalling and communicating the risk factor, provides that the determined value GRR is represented and communicated (step 1113). The representation and communication of the value GRR may take on a wide range of forms and manners: purely by way of example, it may provide a graphical representation, potentially with the aid of conventional green, amber and red colours for risk classification (low, medium, high); it may be accompanied by acoustic and/or visual signals if one or more predetermined values are reached; it may be communicated using communications networks (e.g. telephone, Internet, fixed or mobile company network). When a predetermined threshold value is reached or exceeded (verified in step 1111), a predetermined corrective action procedure can be activated and performed (step 1115). The time, manner and performance times of said corrective action may depend on the circumstances of the operating environment and on the existing rules and policies. In the graphic of Fig. 11, the representation step 1113 is performed as an alternative to the step of performing the corrective procedure, but a different order may perfectly well be provided (e.g. first the representation step 1113, then the verification 1111). 
In each case, the control returns to step 1103 for continuous repetition of the detection 1103, transmission 1105, processing 1107 and determination 1109 activities.

In practice, however, the particulars of implementation may vary in an equivalent manner, provided that the individual constructional elements described and illustrated and the nature of the indicated materials are adhered to, without thereby departing from the adopted solution idea and thus while remaining within the limits of the teaching provided by the present patent. A technical expert in the field may make many alterations to the above-described solution so as to meet local or specific requirements. In particular, it should be clear that, although implementation details referring to one or more preferred embodiments have been provided, omissions, substitutions or variations in any specific features or in any steps of the described method may be applied in accordance with planning or implementation requirements.

By way of example, the hardware structures may take on various appearances or include various modules; the term “computer” includes any device (e.g. telephones, PDAs, machines and sensors of any type) provided with processing capability for executing software programs or parts thereof. The programs may be structured in various ways or be implemented in any form. In the same way, the memories may take on multiple forms of embodiment or be replaced with equivalent entities (not necessarily consisting of physical media). The programs may take on any form suitable for performing the relevant functions, and may be written in any programming language or presented in the form of software, firmware or microcode, both in object code and in source code. Said programs may be stored on any type of medium so long as it is computer-readable; by way of example, the media may be: hard disks, removable disks (e.g. CD-ROMs, DVDs or Blu-ray discs), tapes, cartridges, wireless connections, networks, telecommunications waves; the media may for example be electronic, magnetic, optical, electromagnetic, mechanical, using infrared or semiconductors. In every case, the solution according to the present invention lends itself to implementation using software, hardware (including integrated into chips or semiconductor materials) or a combination of hardware and software.

The principle of monitoring the residual risk is applicable in any field in which there are risks to the health and safety of persons and the environment, so long as the process that causes said risks is monitorable. As an example of extensibility, in the near future the risks linked to cybersecurity will gradually be taken into consideration.


According to a possible implementation of the present invention, the method described above could be applied to more complex environments, such as industrial sites, logistic centres, agricultural sites or any other working environment having a plurality of operating environments, possibly independent and not related to each other. Each operating environment can be monitored and the risk quantified with the method described above: the total risk indicator will be assumed to be equal to the highest of the risks calculated for the single operating environments. For example, in an industrial site or other work environment comprising N operating environments, the method would comprise the steps of: for each of the N operating environments, calculating a value GRRi (where 0<i<N) according to the method of any preceding claims; determining the maximum value GRRmax, being the maximum of all the GRRi values; assigning the value GRRmax to the value indicative of the total risk of the industrial site. The total risk indicator obtained can then be represented and communicated as discussed above. Also, when the determined value GRRmax exceeds a predetermined threshold, a corrective action procedure can be invoked and executed.
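Steps 1107 to 1111 and the site-level GRRmax extension, as an added Python illustration that is not part of the patent: the RR form (relative excess of the measurement over AR, scaled by PW) and the noisy-OR combination for GRR are assumed choices, since the document only requires RR to depend on the weighted difference from AR and GRR to be a probabilistic function of the RR values; the furnace parameters and readings are constructed.

```python
"""Server-side risk assessment (steps 1107-1111) and the multi-environment
extension.  Added illustration: the RR and GRR functions are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ParameterSpec:
    """One row of the database list of operational parameters (step 1101)."""
    name: str
    acceptable: float  # AR: value of the parameter deemed an acceptable risk
    weight: float      # PW: weight of the parameter, assumed in [0, 1]


def residual_risk(measured, spec):
    """RR for one parameter (step 1107).  Assumed form: relative excess of the
    measurement over AR, scaled by PW and clamped to [0, 1]; a measurement at
    or below AR carries no residual risk."""
    if spec.acceptable <= 0.0:
        raise ValueError(f"{spec.name}: AR must be positive")
    excess = max(0.0, (measured - spec.acceptable) / spec.acceptable)
    return min(1.0, spec.weight * excess)


def global_residual_risk(rr_values):
    """GRR from the per-parameter RR values (step 1109).  Assumed probabilistic
    combination (noisy-OR): each RR is read as the probability that the
    parameter alone leads to harm, so GRR = 1 - prod(1 - RR_i); a single RR
    of 1 forces GRR to 1."""
    survive = 1.0
    for rr in rr_values:
        survive *= 1.0 - rr
    return 1.0 - survive


def assess_environment(readings, specs):
    """GRR of one operating environment from its latest readings.  A parameter
    without a reading is reported instead of being silently treated as safe."""
    missing = [s.name for s in specs if s.name not in readings]
    if missing:
        raise KeyError(f"no reading for parameters: {missing}")
    return global_residual_risk(residual_risk(readings[s.name], s) for s in specs)


def site_total_risk(environment_grr):
    """GRRmax: the total risk of a site with N operating environments is the
    highest GRR_i among them."""
    if not environment_grr:
        raise ValueError("a site needs at least one operating environment")
    return max(environment_grr.values())


def needs_corrective_action(grr, threshold):
    """Step 1111: the corrective procedure (step 1115) is activated when the
    predetermined threshold is reached or exceeded."""
    return grr >= threshold


# Constructed example: a furnace environment (temperature and pressure, as in
# the document's "normal operation" example) and a quieter second environment
# sharing the same parameter list.
FURNACE_SPECS = [
    ParameterSpec("temperature_C", acceptable=800.0, weight=0.3),
    ParameterSpec("pressure_bar", acceptable=2.0, weight=0.8),
]


def site_example():
    """Returns (GRR per environment, site GRRmax, corrective action needed)."""
    env_grr = {
        "furnace": assess_environment(
            {"temperature_C": 880.0, "pressure_bar": 2.5}, FURNACE_SPECS),
        "storage": assess_environment(
            {"temperature_C": 790.0, "pressure_bar": 2.0}, FURNACE_SPECS),
    }
    total = site_total_risk(env_grr)
    return env_grr, total, needs_corrective_action(total, 0.2)


if __name__ == "__main__":
    print(site_example())
```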