Predicting major accidents in the process industry based on the barrier status at scenario level A practical approach

OCI Nitrogen wants to gain knowledge of (leading) indicators regarding the process safety performance of their ammonia production process. This paper answers the question whether indicators can be derived from the barrier system status to provide information about the development and likelihood of the major accident pro- cesses in the ammonia production process. The accident processes are visualized as scenarios in bowties. This research focuses on the status of the pre- ventive barriers on the left-hand side of the bowtie. Both the quality – expressed in reliability/availability and effectiveness – and the activation of the barrier system give an indication of the development of the accident scenarios and the likelihood of the central event. This likelihood is calculated as a loss of risk reduction compared to the original design. The calculation results in an indicator called “ preventive barrier indicator ” , which should initiate further action. Based on an example, it is demonstrated which actions should be taken and what their urgency is.


Introduction
In 2015, several major process-related incidents occurred at a number of site users of Chemelot, a chemical industrial park in Geleen, The Netherlands (OVV, 2018). The increase in the frequency and severity of the incidents made the Chemelot Board decide to have an external investigation conducted (Crisislab, 2016). This study concludes, among other things, that due to an increase of attention paid to personal safety, process safety has been neglected. Apparently, the focus on occupational safety is so high that the potential hazards of the plant or chemical process do not receive the attention they deserve. In other words, there is insufficient anticipation of "early warnings" from the process.
OCI Nitrogen, one of Chemelot's larger site users, has faced several serious process safety incidents, including at its two ammonia plants. In some occurrences, the relevant ammonia production process had to be shut down immediately to prevent worse from happening. As the possible accident scenarios were insufficiently monitored, there was no awareness of their likelihood, nor whether they had already developed. It is therefore not surprising that any occurring incidents always came unexpectedly and without warning.
OCI Nitrogen management has started its own investigation in measuring and monitoring process safety. The investigation aims to take timely and targeted measures and thereby prevent major process safety incidents in the future. OCI Nitrogen wants to identify which indicators provide information about the major accident scenarios of its ammonia production processes. Two front-end loading sub-studies have previously been published. Schmitz et al., 's 2018 sub-study focused on the 'ranking' of the most dangerous process parts of the ammonia production process. The other sub-study identified the main static installation parts of the ammonia production process, which are related to mechanical failure mechanisms (Schmitz et al., 2019a;b;2020). This paper describes the third part of the research: it contains the results concerning (preventive barrier) indicators, which aim to recognize and stop the development of scenarios at an early stage. The research question associated with this sub-research is: Can indicators be derivedbased on the status of the barrier systemthat provide information on the development and likelihood of major accident processes in the ammonia production process?
The associated sub-questions to be investigated are: 1) What is a barrier system? 2) How can the status of a barrier system be determined? 3) What is an indicator? 4) What are criteria for indicators? 5) What is the relationship between indicators and accident processes?
Accident processes that originate from working conditions are excluded in this sub-study. This paper is exclusively concerned with potential incidents related to process safety and, in addition, only those that are major or catastrophic.
This article starts with definitions of indicators from the literature, followed by the barrier concept from the bowtie metaphor. Here quality aspects of barriers, barrier systems and their status are discussed, which are used to develop the preventive barrier indicator concept. This concept is applied to one of the major hazard scenarios of an essential equipment of the ammonia production, the loss of cooling of the post reformer.

Indicators
Process safety indicators have been the focus of many studies, but little empirical research has been published on it, as observed by Swuste et al. (2016). In contrast, many (petro) chemical companies measure their process safety performance and HSE (2006), CCPS (2011), Cefic (2011Cefic ( , 2016, OGP (2011) and ANSI/API (2010) have set up guidelines to monitor process safety based on indicators. A distinction is often made between 'leading' and 'lagging' indicators. Where the former are proxies to hazards, barriers, scenarios and management factors, the latter provide information on the central, loss of containment or loss of control event and its consequences. The scientific literature questions this distinction (Swuste et al., 2016).
Leading indicators should provide information before an incident occurs and indicate the extent to which one deviates from an ideal situation. They can be considered as an early warning (Dokas et al., 2013;Knegtering and Pasman, 2013;Øien et al., 2011a, b;Vinnem, 2010). (Leading) indicators should monitor the level of safety, decide where and which action is necessary, and motivate operators to actually take the necessary action (Hale, 2009). In a guideline of the HSE (2006), leading indicators are a form of active monitoring aimed at a few critical parts of the risk management system. They should encourage the most important actions or activities to be carried out as intended.
This paper emphasizes the leading indicators and focuses on the barriers on the left-hand side of the bowtie. They should be defined to provide insight into the quality of the barriers and the development of scenarios (Swuste et al., 2016). To measure the safety level, the barrier quality and the scenarios must be actively monitored. This means that monitoring must be done continuously and at "real time".

Barriers
The bowtie model forms the basis of this sub-study. The bowtie is a suitable model to visually map the course of accident scenarios (from cause to effect) and enables to include preventive and mitigating barriers (Schmitz et al., 2019a(Schmitz et al., , 2019b. In the central event, a dangerous substance and/or energy is released in an uncontrolled manner and a state of uncontrollable hazard arises. Preventive barriers, as shown in Fig. 1 on the left-hand side of the bowtie, should stop the accident processes at an early stage and avoid the central event from happening. A barrier is anything that prevents causes from developing into consequences, including preventing the cause itself (Bellamy et al., 2007). If barriers are broken or not present, a scenario can develop into a central event, or the central event can develop into unwanted consequences.
Barriers can be classified in different ways: Sklet (2006) distinguishes between physical and non-physical, while Hollnagel (2008) classifies them according to function or purpose and Vinnem (2010) opts for technical and operational barrier elements. Barriers are usually made up of three elements: a sensor, a decision maker and a final element or action taker, referred to by Guldenmund, Hale, Goossens, Betten and Duijm as detect, diagnose and act as main barrier tasks (Guldenmund et al., 2006). A barrier only works if all three elements are functioning. In this sense, a barrier can be regarded as a 3-out of-3 system.
A barrier system is the set of existing barriers that must prevent causes from developing into consequences. The barrier system in this paper is limited to the existing preventive barriers (on the left-hand side of the bowtie), which should prevent causes from developing into the central event of the accident process. To achieve this, the (preventive) barrier system must be in place and be of good quality. Different parameters indicate something about the quality of barriers. According to Sklet (2006), Vinnem (2010) and Badredine et al. (2014), the quality of barriers is determined by: • Effectiveness (functionality, capacity): the ability of a barrier to perform its necessary function correctly; • Reliability: the likelihood that a barrier will be able to perform its necessary function, given the aforementioned conditions, for a specified period of time; • Availability: the chance that a barrier will function at any point in time; • Costs: the costs of keeping the barrier functional, reliable and available; • Robustness: the ability to continue to function in the event of (extreme) environmental influences, such as an incident; • Response time: the time from activation of the barrier to the execution of the intended function; • "Trigger": the event or condition that activates the barrier. The above parameters characterize the quality of a barrier. They are "qualifiers", requirements that a high-quality barrier must meet. The quality of barriers might decrease because of use, wear, pollution, degradation, damage or defects. In order to measure the likelihood that a scenario will develop into a central event, it is necessary to monitor the decline in quality of the barriers. This monitoring can be done by selecting relevant parameters capable of mapping the lowering in barrier quality. This means that these parameters must be sensitive to change, something that several authors emphasize as an important criterion (Hale, 2009;Vinnem, 2010;Sinelnikov et al., 2015). The quality parameters, effectiveness, reliability and availability are the only ones that vary sufficiently over time and can present the possible deterioration in quality of a barrier. In line with Sklet's (2006) approach, this paper considers reliability and availability under one heading. Where effectiveness is a barrier's ability to perform its necessary function correctly, reliability/availability means the likelihood that a barrier will function at any point in time. Sklet outlines the difference using an emergency shutdown (ESD) system as an example. Internal leakage of an ESD valve reduces effectiveness while not affecting reliability/availability. A barrier must be both reliable/available and effective to stop the development of an accident scenario.
Reliability/availability and effectiveness have been selected in this paper to monitor the quality of a barrier or barrier system. This is in line with the views of Landucci, Argenti, Tugnoli and Cozzani, who also assess the performance of barriers based on availability and effectiveness (Landucci et al., 2015). By monitoring these parameters, an image of the quality status of a barrier or barrier system can be given, which can be translated into a likelihood of an accident scenario as explained in section 2.
Preventive and corrective maintenance, inspection and test programs, and management and administrative aspects influence the reliability/availability and effectiveness of technical barrier systems (Vinnem et al., 2006). Within the (petro) chemical industry it is required to maintain, inspect and test barriers according to a predefined schedule. Not (properly) or not timely executing such a program can affect both the reliability/availability and the effectiveness of a barrier. This paper assumes that the maintenance, inspection and testing of a barrier is of good quality and that the barrier is reliable/available and effective after maintenance. In addition, testing should meet the specific conditions of the plant as much as possible. Lees (in Mannan, 2005) indicates that a barrier may have been approved in a workshop but may not function properly in the actual installation.
Besides the influence of maintenance, inspection and testing, there are additional aspects that can affect reliability/availability and effectiveness. A barrier may be not reliable/available and/or not effective for various reasons: due to a defect or by a (deliberate) inactivation. A defective barrier will not function when there is a demand and/or will not perform the intended function correctly and is therefore by definition not reliable/available and/or not effective. SIL (safety integrity level) qualified instrumental barriers contain a degree of self-diagnosis in their design as some of the defects are automatically detected and reported. Type B instruments are preferably used in SIL-qualified safety loops for their high diagnostic coverage as they are based on (programmable) electronic technology. Because of these diagnostics, errors can be detected that would otherwise remain latent (Houtermans, 2014). Mechanical safety barriers, on the other hand, usually do not have such degree of self-diagnostics. A defective mechanical safety device is only noticed at its next inspection or test or when an incident occurs which the mechanical safety device should have prevented.
A barrier that has been deliberately inactivated is not reliable/ available. This is done, for example, for performing maintenance, an inspection or a test. For instrumental safeguards, this is often indicated by the term "overriding". "Overriding" can be done in different ways, but in all cases an overridden barrier no longer performs its function.
In summary, the parameters reliability/availability and effectiveness provide a picture of the quality of a barrier. The following has been assumed: • Maintenance, inspection and testing of a barrier is of good quality; • A barrier that is put into operation after maintenance, inspection and testing is reliable/available and effective; • Delayed maintenance, inspection and testing affects reliability/ availability and effectiveness to some extent; • A barrier that is overridden or defective is not reliable/available and/or not effective and therefore no longer able to stop the development of an accident scenario.
To increase readability, the barrier qualification 'reliable/available and/or effective' is replaced by 'trustworthy' from here. This also counts for 'not reliable/available and/or not effective' and 'possibly not reliable/available and/or not effective', which is replaced by 'not trustworthy' and 'possibly not trustworthy', respectively. A barrier is trustworthy when it is maintained, inspected and/or tested as scheduled, and not trustworthy when it is inactivated or defective. In the area in between there may be reasons to assume that the barrier is possibly not trustworthy due to lagging or lacking maintenance, inspection and/ or testing, or otherwise.

Preventive barrier indicator
Based on the above quality parameters reliability/availability and effectiveness, a barrier can be (1) trustworthy, (2) possibly not trustworthy or (3) not trustworthy. The barrier status in this case indicates that (1) the barrier is working as designed, (2) may not be working or (3) is not working at all. In this way, the barrier status provides information about the likelihood that the scenario can develop into a central event.
In addition to trustworthy, possibly not trustworthy, and not trustworthy, a barrier can also be 'actived' or 'not activated'. In this paper it is assumed that an activated barrier not only acts at a demand (reliable/ available), but also performs the predefined function within the required response time (effective). If an available/reliable barrier is activated, but proves to be ineffective, the scenario will develop further. In the event of an activated barrier, which is not only available/reliable, but also effective, the development of the accident scenario has stopped, but attention is required because the scenario has been initiated. Table 1 shows the possible (preventive) barrier statuses and links them to symbols. These symbols are used as abbreviations in this paper.
Trustworthy barriers will, when a scenario is initiated, be activated and stop the scenario before the central event occurs. The scenario has developed up to the activated barrier(s) and no further. Based on the activated barrier(s), the position can be determined in which the scenario is currently located. The position in the scenario indicates the remaining barriers that protect against the central event. The status of the remaining barriersbased on their quality parameters reliability/ availability and effectivenesscan provide information about the likelihood that the scenario could have developed into the central event.

Relative risk reduction
In section 1.2 it was concluded that improper or not timely implementation of the maintenance, inspection and test program can adversely affect the trustworthiness of a barrier or barrier system. Assuming that the maintenance, inspection and test program is performed to a high standard, this raises two questions: What is not timely, and to what extent is the trustworthiness adversely affected? IEC (2016) has expressed the unavailability of a barrier as a function of time: U(t) = 1 -e − λt , where λ is the barrier failure frequency and t is any moment in time. In this paper, U(t) is assumed to be the opposite of trustworthiness, meaning reliability/availability and effectiveness. U(t) is a dimensionless number between 0 and 1, sometimes shown as a percentage between 0 and 100. The formula shows that U(t) increases as time progresses. If a barrier is never maintained, inspected and tested, and the time t runs to infinity, U(t) will go to 1. In other words, the barrier will fail with 100% certainty when it is needed (not reliable/available) and/or the barrier will not (correctly) perform its necessary function (not effective). Therefore, to ensure the trustworthiness of a barrier, a barrier should be checked at regular intervals, that is maintained, inspected and tested. The time interval with which the maintenance, inspection and test are to be performed, can be calculated as indicated in the formula in order to achieve the trustworthiness required according to the design.
The risk reduction RR that can be achieved with the barrier is the reciprocal value of U(t): (1 -e − λt ) − 1 . As the risk reduction is mostly given as a 10-, 100-or 1000-fold reduction, this paper uses the Briggs logarithm, the mathematical function that has the exponent as a result. The risk reduction expressed in logarithm is abbreviated as RRL, where the RRL is equal to 10 log(1 -e − λt ) − 1 .
If the maintenance, inspection and test are done at the (required) time interval T, the maximum U(t) of the barrier is in accordance with the design and is equal to 1 -e − λT . The minimum risk reduction RR of the barrier equals (1 -e − λT ) − 1 and the minimum RRL 10 log(1 -e − λT ) − 1 . The barrier can be qualified as trustworthy. If a barrier is checked later than the required period T, the RR will decrease and may not meet the RR required for the barrier. Table 2 shows the effect of postponement of maintenance, inspection and testing on the risk reduction RR and the risk reduction expressed in logarithm RRL. Three different values of U(t) (0.1, 0.01 and 0.001) are included in Table 2 for various time intervals. Table 2 shows that if, for example, the check is postponed by half a period to 1.5 T, U(t) increases by a factor of 1.5 to resp. 0.15, 0.015 and 0.0015 and the RR decreases by 33%.
For this paper, it is assumed that a barrier may not be trustworthy if the RR has decreased by 50% or more from the required design value. Table 2 shows that this is the case if a barrier has not been checked (maintained, inspected and tested) for more than a doubled period of T, that is from 2 T upwards.
The status of the barrier system can be used to determine the likelihood of the central event against which the barriers should prevent. The status of the barrier system is therefore suitable to derive an indicator. The indicator, referred to as "preventive barrier indicator", shows the likelihood of the central event. It has been developed based on the RRL of the barrier system as a ratio to the designed or required value. The preventive barrier indicator is the quotient of the current RRL and the required RRL. This is also called relative risk reduction expressed in a logarithm: RRRL. RRRL(t) = [RRL(t)/RRL required ] x 100%. Table 3 shows the outcome of the preventive barrier indicator representing the likelihood of the central event in four colors: green (very unlikely), yellow (not unlikely), orange (likely) and red (very likely). As the color shifts from green to red, the likelihood of the central event increases. The boundaries are evenly distributed in this paper and are set at 0%, 25%, 50%, 75% and 100%. For each of these classifications, management must determine how to respond and by whom. This is beyond the scope of this paper.
The preventive barrier indicator, RRRL, can be determined not only from the trustworthiness of the barrier system, but also from its activation. If the barrier system has been activated, it is possible to determine how many barriers still protect against the central event. The calculation of the RRRL can be applied in the same way here: RRRL(t) = [RRL(t)/RRL required ] x 100%, where RRL(t) is the risk reduction expressed in Briggs logarithm of the (remaining) barrier system to the central event. The RRRL shows the current risk reduction compared to what it should be according to design and has thus become a (relative) measure for the loss of quality of the barrier system. The preventive barrier indicator shows: • The quality or trustworthiness of the (preventive) barrier system taken from its quality parameters, and; • The development of the (left-hand side of the) accident scenario through the activated barrier(s).
Three scenarios have been worked out below with a barrier system of a total RRL of resp. 1, 2 and 3. The barrier system is always located on the left-hand side of the bowtie and consists of preventive barriers. In the first example as shown in Fig. 2, a scenario is protected by a barrier system with an RRL of 1. Table 4 shows the preventive barrier indicator related to the barrier status. With a possibly not trustworthy barrier, the RR has decreased from 10 to 5. The RRL is 0.70, resulting in an RRRL of 70%, as a result of which the preventive barrier indicator turns yellow. If the barrier is not trustworthy, the preventive barrier indicator turns red because the RRRL has reduced to 0%. If the barrier is trustworthy and activated and the scenario does not develop any further, the RRL equals 1 and the RRRL equals 100%. After all, the barrier worked on demand and has proven to be effective. The preventive barrier indicator turns green. Since the scenario has been initiated, it seems evident that targeted action should Table 1 Possible barrier statuses and associated symbols.

Table 2
The influence of the time interval on U(t), RR and RRL. be taken. This is visualized by placing two exclamation marks in the green field to indicate that the scenario is developing, and that attention is required.
In Fig. 3, a scenario is protected by a barrier system comprising two independent barriers with an RRL of 1 each. The RRL of the barrier system is the sum of each of the RRLs (RRL = RRL1 + RRL2 = 1 + 1 = 2). Table 5 shows what the preventive barrier indicator is in relation to the status of the barriers. If one of the barriers is possibly not trustworthy, the RRL has been reduced from 2 to 1.70 (RRL = 0.70 + 1). The RRRL is equal to 85% ((1.70/2) x 100%). In this case, the preventive barrier indicator is green. If both barriers are possibly not trustworthy, the RRL has been reduced to 1.40 (RRL = 0.70 + 0.70) and the preventive barrier indicator turns yellow (RRRL = (1.40/2) x 100% = 70%). If one of the barriers is not trustworthy, the RRL is reduced from 2 to 1 (RRL = 0 + 1) and the RRRL is 50% ((1/2) x 100%). The preventive barrier indicator turns orange. If both barriers are not trustworthy, the preventive barrier indicator turns red. Table 5 also shows how the preventive barrier indicator colors when barrier 1 and barrier 2 are being activated and function properly. When activating barrier 1, the RRL is at least 1 (RRL = 1 + RRL2). The preventive barrier indicator changes depending on the status of the second barrier. When activating barrier 2, the RRL of the barrier system is equal to 1. Barrier 2 can only be activated if the first barrier is not trustworthy as the scenario developed up to the second barrier. The RRRL has been reduced to 50% ((1/2) x 100%) and the preventive barrier indicator turns orange.
The third example is elaborated in Fig. 4 and shows a scenario with a barrier system consisting of two barriers: one with an RRL of 1 and one with an RRL of 2. This example represents for instance a high-pressure scenario, which is equipped with a SIL 1 qualified, instrumental safeguard and a (mechanical) safety valve. Table 6 shows the RRL, the RRRL and the preventive barrier indicator related to the status of the two barriers. The same reasoning can be followed as in the second example with the two identical barriers. However, the two barriers differ in designed RRLs, which results in different RRRLs and preventive barrier indicator colors.

M-out of-n barrier systems
M-out of-n barrier systems are widely used in the process industry. Due to the multiple implementation, they have a high trustworthiness and are ideally suited for use in case of high-risk scenarios. An m-out of-n barrier system consists of n serial, identical barriers where the sensors share the same set value and where the same final elements are controlled. An m-out of-n barrier system is activated when at least m barriers are activated. The most common designs are the 1-out of-2, 1out of-3, 2-out of-3, and 2-out of-4 system.
M-out-of-n barrier systems require special attention since their status may be difficult to determine. When m equals 1, the m-out of-n or 1-out of-n system can be drawn in the bowtie as n serial barriers from which the status can be readily established. As these barriers have the same setting, there are only limited combinations when they are activated, meaning that a barrier is either trustworthy and activated or not trustworthy. But when m doesn't equal 1, it gets more complicated to establish the barrier system's status. To overcome this, some basic rules have been drawn up below based on the status of their single barriers: Table 3 The color of the preventive barrier indicator related to the RRRL.

Table 4
Preventive barrier indicator of a barrier system consisting of one barrier with an RRL of 1. Fig. 3. A scenario protected by two independent barriers with an RRL of 1 each.
• An m-out of-n barrier system is activated if at least m barriers are activated, because that is the prerequisite for activating the m-out ofn barrier system; • An m-out of-n barrier system which is not trustworthy has at least as many not trustworthy barriers that the system cannot be activated. An m-out-n barrier system is not trustworthy if at least (n-m + 1) barriers are not trustworthy. One not trustworthy barrier can be substituted by two possibly not trustworthy barriers; • If there is a demand on an m-out of-n barrier system which is possibly not trustworthy, at least one of the barriers needed to activate the barrier system, should have the status of possibly not trustworthy, meaning that at least one of the barriers has not been timely maintained, tested or inspected. An m-out of-n barrier system is possibly not trustworthy if at least (n-m + 1) barriers are possibly not trustworthy. Each pair of possibly not trustworthy barriers can be substituted by one barrier which is not trustworthy. Table 7 shows when a 2-out of-3 and a 2-out of-4 system are possibly not trustworthy, not trustworthy or trustworthy and activated based on the status of the individual barriers.

Dormant controls
A dormant control, also called passive control, is a device that only starts to control from a certain process value onwards. A dormant control can be regarded as an instrumental safeguard, like a pressure blowoff control that opens when the pressure of the process increases and Table 5 Preventive barrier indicator of a barrier system consisting of two barriers with an RRL of 1 each.

Fig. 4.
A scenario protected by two independent barriers with an RRL of 1 resp. 2.

Table 6
Preventive barrier indicator of a barrier system consisting of two barriers with an RRL of 1 resp. 2. exceeds a safe value. The control valve will be opened to a position to regain the desired process value. A dormant control is aimed at stopping the development of the scenario and can be considered a barrier. In Table 8, a symbol is linked to the status of a dormant control in a similar way as is done in Table 1.

Over-safeguarded scenarios
In occasional cases scenarios may be "over-safeguarded", meaning they are provided with a better barrier system than required by a risk assessment. If all barriers are included, the installed RR will be larger than the required RR. Depending on the status of the barrier system, the RRRL may be larger than 100%. Table 3, which shows the color of the preventive barrier indicator in relation to the RRRL, remains valid in such a case.

SIL a qualified SIFs
In the process industry instrumental safeguards are used which do not have a SIL qualification as described in IEC 61511 (IEC, 2016). Four SIL levels are specified in this European standard, with SIL 4 as the highest and SIL 1 as the lowest level. However, "SIL a" qualified SIFs (Safety Instrumented Function) are often also part of a barrier system, but do not meet a SIL level as defined by IEC 61511. According to this standard, SIL a qualified SIFs are not subject to any special safety requirements. In this paper it is assumed that a SIF with a SIL a qualification has an RRL of (minimum) 0.5. This means, for example, that two independent serial SIL a SIFs have a total RRL of 1 and can be equated to one SIL 1 SIF. A SIL a SIF which is possibly not trustworthy has an RRL equal to 0.2.

The ammonia process
The ammonia process uses natural gas as a raw material to which steam and air are supplied. The process consists of two main parts: the cracking process and the synthesis. In the cracking process, the incoming natural gas is stripped of sulfur and then largely converted to CO, CO 2 and hydrogen (H 2 ) using steam, a catalyst and a temperature of 825 • C and a pressure of 35 bar. The H 2 formed is ultimately necessary to make ammonia. Air is added to the post reformer, supplying nitrogen (N 2 ) into the process, which is necessary to make ammonia in the synthesis part. The oxygen from the air reacts with an amount of H 2 which increases the temperature even more. Due to the elevated temperature of approximately 1000 • C, the methane still present in the gas is cracked. To remove the CO 2 generated in the cracking process, the process gas is passed through a (physical) CO 2 scrubber. The last residues of CO and CO 2 are converted into methane (CH4) using a catalyst and H 2 .
In the synthesis process, the process gas mainly consists of the H 2 and N 2 , in the ratio of 3:1. The reaction to ammonia takes place in the presence of a catalyst at approx. 200 bar and 515 • C (Haber-Bosch process). In the last part of the process the ammonia formed is cooled, separated from the unreacted and inert gases and reduced in pressure, followed by refrigeration to liquify the ammonia.

Failure of the water jacket of the post reformer (R1)
Post reformer R1 is part of the cracking process and is located downstream the reformer where most of the natural gas is cracked. In Table 7 Worked examples of a 2-out of-3 and 2-out of-4 barrier system.

Table 8
Dormant control indicator. the post reformer the uncracked natural gas from the reformer is cracked under very high temperatures, up to 1000 • C. This temperature is reached by supplying air, which burns some of the hydrogen from the process gas. The air is supplied by the process air compressor with a pressure of approx. 38 bar, slightly higher than the pressure in the post reformer.
The post reformer is equipped with a water jacket that protects the inner wall against too high temperature. The water jacket has some open connections on top, meaning that the water is at boiling temperature. As the water jacket is slowly losing its contents, water has to be supplied continuously. If there's not enough water in the jacket, the wall's temperature becomes too high, and the wall will weaken and collapse under the prevailing process pressure of approx. 37 bar. This will result in an escape of process gas, followed by a jet fire or explosion. The water in the water jacket comes from the feed water pumps P1A and P1B, one of which always runs, and one is on stand-by mode. As a pump failure is seen as the most likely cause for failure of the water supply, this case will focus on the pumps' failure only. If the running pump fails, the other pump will start automatically. If both pumps fail, a motor alarm (MA P1) is activated, after which the operator can try and start one of the feed water pumps, start one of the condensate pumps or draw in canal water to feed the water jacket.
A low water supply to the water jacket is also detected by a low flow alarm (FAL1) that gives the operator enough time to act and to ensure sufficient water supply to the water jacket. This action is identical to that of the alarm MA P1: manual start of the feed water or condensate pumps or the intake of canal water. If the level of the water jacket becomes too low, two (low-level) alarms (LAL) installed on the water jacket will be activated. Although these two identical alarms can be considered as a 1out of-2 system, they count in the calculation as if they were two separate alarms. In case the low-level alarms have been activated, the operator has some but limited time to identify and recover from the cause. Ultimately it can be decided to shut down the plant. All the operator actions are relatively simple and can be conducted out without much time pressure.
All four alarms have an RRL of 0.5. According to specification, the scenario is protected by a barrier system with a total RRL of 2. Fig. 5 shows the post reformer with its alarms. Fig. 6 shows the barriers in a bowtie designed to prevent the post reformer from having a too high wall temperature. Table 9 shows the preventive barrier indicator of the scenario "too high wall temperature R1" depending on the status of the (preventive) barrier system consisting of four alarms.
The screenshots below show a detailed process safety dashboard. Fig. 7 shows the ammonia production unit with the two ammonia production installations and their related units. In ammonia plant 3 one of the indicators is colored yellow. This can be investigated by zooming in to the reformer and CO shift unit, see Fig. 8. Fig. 8 shows that the post reformer (R3102, called R1 in the example) is colored yellow. For further analysis, Fig. 9 shows that two of the post reformer scenarios are colored yellow and that two barriers have an abnormal status: FIAL1110 (in the example FAL1) is possibly not trustworthy and LAL1107 (in the example LAL1) is not trustworthy. Apparently, the inactivation of one of the low level alarms (LAL1107) also influences another scenario indicator (erosion of refractory).
Installing such a process safety dashboard can provide the control room with real-time information about the status of the barrier system, but it also enables management to view the status quo of their production unit at a high level.

Discussion
This sub-study shows that it is possible to give a qualitative estimate of the likelihood of the central event based on the preventive barrier status. However, the presented model has a few limitations: • Barriers usually consist of 3 elements: a sensor, a decision maker, and a final element. All three must be monitored to determine the status of the (preventive) barrier. In particular, the final element does not always have self-diagnosis, so it cannot be foreseen whether this barrier element is overridden or defective. • If a barrier consists of an alarm, a (safety-critical) instruction and an operator intervention, a similar problem occurs. The trustworthiness of the operator is difficult to measure. Has the operator seen the alarm and understood the problem? Does he/she know how to act? Is he/she not too busy with other tasks?
Mechanical safeguards such as safety valves or check valves are rarely maintained, inspected and tested, for example once every 4, 6 or even 12 years. These barriers also do not provide feedback if they are defective. This means that the barrier status of mechanical safeguards will not change for a long time. Despite this limitation, it makes sense to include mechanical safeguards in the assessment of the preventive barrier indicator of the scenarios in which they apply. If there is a suspicion of malfunction during operation, which cannot be immediately verified or resolved, and for which corrective maintenance is planned, the barrier status could be set manually to possibly not trustworthy or not trustworthy.
Proper and timely maintenance, inspection and testing may not always guarantee the trustworthiness of barriers. Clearly, maintenance should be performed according to the manufacturer's guidelines and by competent personnel, but that does not mean a 100% safe barrier system. It is recommended to set up a registration system for safety critical equipment that records the findings of its maintenance, inspection and testing. The records should then be regularly checked so to establish whether the maintenance, inspection and testing regime should be adjusted. So will a higher frequency contribute to better trustworthiness. IEC 61511 (IEC, 2016) provides guidance on calculating the trustworthiness based on its frequency.
Another aspect is that an inspection and/or test must show whether the barrier is not only reliable/available but also effective, meaning capable of achieving the designed target within a specified time. After all, a barrier can be subject to wear or degradation and this should be reflected in the test procedure. Do valves close completely? Does the instrumental safeguard activate at the right process value? Is the fireresistant coating not too much degraded? And is the anti-slip floor not worn too far? In other words, is the barrier still sound? When a barrier is returned to service after maintenance, inspection and testing it requires special attention. In case there are doubts about its trustworthiness, the barrier status should be classified as 'possibly not trustworthy'.
Four SIL levels are specified in IEC 61511, with SIL 4 being the highest and SIL 1 being the lowest. In addition, the standard specifies that the RR of a SIL 1 barrier is between 10 and 100, excluding 10 and including 100 (and for a SIL 2 barrier between 100 and 1000, excluding 100 and including 1000, etc.). In this paper it is assumed that the RR of a SIL 1 barrier is also between 10 and 100 but including 10 and excluding 100. In the calculations an RR of 10 is applied for a SIL 1 barrier, an RR of 100 for SIL 2 and for SIL 3 an RR of 1000. This conservative approach is in line with CCPS (2015), which for a SIL 1, SIL 2 and SIL 3 barrier proposes an RR of respectively 10, 100 and 1000.
The calculation of the preventive barrier indicator does not consider simultaneous testing, the mean time to repair (MTTR) and the mean repair time (MRT), common cause errors and other factors that allow the different (serial) SIFs in a barrier system to interact. As a result, the final RR may be slightly lower than calculated. However, this paper provides an indication of the likelihood of the scenario which should be seen as a relative change rather than an absolute value.
In m-out of-n systems, the numerical value of m and n is based on the number of sensors and not on the number of decision makers and final elements. The number of sensors may differ from the number of decision-makers and final elements. To determine the status of the barrier system, all barrier elements must be considered.
When applying the IEC 61511 risk graph or a risk matrix from LOPA (layer of protection analysis), the mitigation or risk reduction is given as a 10-, 100-or 1000-fold reduction. The development of a preventive barrier indicator based on the Briggs logarithm with base 10 is a logical consequence. In this way the RRLs of the various barriers can easily be summed. If Table 3 was not drawn up from the RRL but from the RR, not only would the distribution be disproportionately more spread, but the preventive barrier indicator could not become 0%. The RRR (Relative Risk Reduction) of an inactive barrier system will be a low number close to 0% but never 0% (RRR(t) = [RR(t)/RR required ] x 100% = [1/RR required ] x 100%). On the other hand, using the Briggs logarithm the RRRL will always be 0% when all barriers are inactive, no matter the size of the barrier system.
Several choices have been made in this paper that influence the sensitivity of the preventive barrier indicator. First, a barrier is possibly not trustworthy at halving the RR. Table 2 shows, however, that another change in the RR can be opted to label a barrier as possibly not trustworthy. Second, the limits of the preventive barrier indicator in Table 3 are also freely selectable and offer the option of having the preventive barrier indicator colored earlier or later. Both choices are up to each company to determine and are partly dictated by their policy. The choices made in this paper are based on scenarios of the ammonia plants where the author works.
Finally, it should be emphasized that a scenario only develops when it has started. The chance of a central event does not only depend on the barrier status, but also on the chance that the 'initiating event' occurs. This paper focuses on the barrier system but could be extended with indicators on the initiating events, such as (active) controls. This would provide a solution for barrier systems that consist of few barriers only.

Conclusions
The main question of this paper is whetherbased on the status of the barrier systemindicators can be derived that provide information about the development and likelihood of the major accident processes in the ammonia production process. To answer this question, various subquestions have been investigated. A barrier system is defined as a set of existing barriers that must prevent causes from developing into consequences. The barrier system's status can be derived from the parameters reliability/availability and effectiveness. Both parameters are sensitive to change, which is considered an important indicator criterion. An indicatorcalled preventive barrier indicatorhas been developed from these parameters. From the example the preventive barrier indicator has proven to monitor the level of safety, and enable the operators to decide where and which action is necessary. The preventive barrier indicator shows the development and likelihood of the scenario, which is not an absolute value, but rather an indication of the change in the status quo that should initiate further action.
Many incidents did not happen because a process value was extremely out of range, but rather because of a rare combination of deviating values (Ale, 2009). That is perhaps one of the reasons that the number of major process safety incidents in the process industry is low. It is better to look at the more frequent "precursor" incidents to measure safety (Hopkins, 2009). The concept elaborated in this paper seems to comply with this: every technical change of the barrier system is used to determine the development and likelihood of the scenario. If the quality parameters of the barriers are incorporated in an automated system, the preventive barrier indicator can be calculated and displayed in real time. This is different for technical changes which are not automatically notified as they will have to be entered manually. A future validation, performed through retrospective research based on several (near) incidents, will have to show to what extent the preventive barrier indicator provides timely insight into the likelihood and development of the accident scenarios.
This sub-study focuses on the barrier system, but indicators can be developed at multiple levels. For example, Sonnemans et al. (2010) look at the smaller signals, meaning common precursors and latent conditions. The latent conditions allow the presence of precursors to persist and undermine the effectiveness of the barrier system. Hassan and Khan (2012) provide different levels from which indicators can be derived, and Bellamy et al. (2007) distinguish between primary barriers and supporting barriers. At various levels, indicators can provide information about accident scenarios. Scenarios are influenced via barriers and management factors (the management delivery system) as the most important vectors. Further research is needed to design indicators at Fig. 6. Scenario 'too high wall temperature R1' by failure of the water jacket cooling.

Table 9
Preventive barrier indicator of the scenario 'too high wall temperature R1'.
other levels that can provide information on major accident processes, starting with the management delivery system as the first higher aggregation level.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.