Performance analysis of safety instrumented systems against cascading failures during prolonged demands

Reliability Engineering and System Safety

Cascading failures may occur in many technical systems, where the failure of one component triggers successive events. Safety barriers such as safety instrumented systems (SISs) are installed in many industries to prevent failures and failure propagation. However, the literature has paid little attention to the impact of safety instrumented systems employed to prevent cascading failures. This paper proposes a novel method for analyzing how the performance of safety instrumented systems influences the protection against and mitigation of cascading failures. It considers both SIS reliability and SIS durability in the mitigation of cascading failures. The method uses recursive aggregations based on the reliability block diagram and is verified with Monte Carlo simulations. The application is illustrated with a practical case study, where the proposed method proves beneficial for identifying the criticality of safety instrumented systems with respect to their locations and performance.


Introduction
Cascading failures (CAFs) are multiple failures in which the failure of one component leads to high stress and consequently a high failure probability in other components [1]. CAFs are a concern for many technical systems, such as railway signaling systems, power distribution networks, process systems, industrial communication networks, and internet systems [2,3]. Functional dependencies and interactions commonly exist among components, so a single failure can negatively influence other parts of the same system. As a result, CAFs may cause catastrophes in technical systems without proper prevention and mitigation [4,5].
Awareness of CAFs is not new. In the past decade, much research has aimed at developing models to evaluate the effects of CAFs and the associated preventive measures. These models can be categorized as topological, probabilistic, state-transition, and simulation models. Among topological models, some efforts have been devoted to assessing mitigation measures for CAFs based on complex network theory [6][7][8][9] and graph theory [10][11][12]. Probabilistic models have been applied to quantify the ability of preventive measures against CAFs to limit risk propagation [13][14][15][16]. State-transition models, such as Markov processes, Petri nets, and Bayesian networks, have effectively analyzed CAFs [17][18][19][20][21]. In addition, simulations such as Monte Carlo simulation (MCS) have been used to analyze systems subject to CAFs in many application areas, including power and gas networks, traffic-power systems, and infrastructure systems [22][23][24].
To prevent CAFs, safety instrumented systems (SISs) can be installed as a type of safety barrier. SISs are widely employed to reduce accidents in the process industries and other sectors [25]. An SIS applies electrical/electronic/programmable electronic (E/E/PE) technologies to detect and act upon hazardous situations arising in the assets [26]. The assets can be humans, equipment, or process sections; they are called equipment under control (EUC) in the generic standard IEC 61508 [26]. An SIS generally consists of three main subsystems: sensors (e.g., level transmitters, gas detectors, and push buttons), logic solvers (e.g., programmable logic controllers and industrial computers), and final elements (e.g., shutdown valves and circuit breakers). As illustrated in Fig. 1, the sensors detect possible abnormal situations (e.g., CAFs), the logic solvers activate, and the final elements then act according to the sensor inputs. The event upon which an SIS is activated is considered a demand [1]. A typical example of an SIS employed to prevent CAFs is an automatic fire extinguishing system (AFES). An AFES activates when a fire or gas leakage at a tank is detected. If the SIS fails to extinguish or control the fire within a specific time, the fire can propagate and affect several facilities [27].
SIS performance is of great significance in ensuring the safety of EUC systems [28]. Several indicators can reflect SIS performance, such as specificity, functionality, reliability, response time, capacity, durability, robustness, auditability, and independence [25,29,30]. Among them, reliability is the most crucial for SISs, since it expresses the ability of an SIS to protect EUC systems at a specific time [1].
SIS reliability is related to the ability to respond on demand as expected. For example, when a fire occurs, an AFES is expected to start spraying water. If an SIS works on demand, it is reliable. However, many SIS failures cannot be detected immediately after they occur. Instead, those failures are revealed upon actual demands or periodic proof tests, with noticeable delays. Such failures are called failures on demand (FODs). In applications, a specific measure, the probability of failure on demand (PFD), is widely applied to FODs of SISs [26]. If the proof test intervals are fixed, the average PFD within one interval, PFD_avg, is a commonly used reliability measure [22]. PFD_avg can be obtained by simplified formulas [1], IEC 61508 formulas [26], the PDS method [31], and Markov models [19,32].
In recent years, PFD_avg and SIS reliability have been intensively studied. For example, Cai et al. [28] have proposed a method for evaluating SISs with heterogeneous components based on Bayesian networks. Liu and Rausand have considered different demand modes in SIS reliability analysis [19,33]. Alizadeh and Sriramula [34] have developed an unreliability model for redundant SISs using Markov chains. Meng et al. [35] have modeled SIS reliability measures in AltaRica 3.0. Xie et al. [36] have considered the reliability of redundant SISs in which dependent failures may occur. An analytical approach for simplifying complex Markov models in SIS reliability analysis has been proposed in [37]. In addition, Ding et al. [38] have derived a diverse redundancy method based on system degradation, using a reliability block diagram to evaluate SIS reliability. Yu et al. [39] have proposed a fuzzy reliability assessment for SISs that takes account of common cause failures.
However, little attention has been paid to the impact of SISs employed to protect against CAFs. In addition, the currently defined SIS reliability is insufficient for evaluating the overall performance of an SIS in preventing and mitigating CAFs, because the demands on SISs for preventing or mitigating CAFs may not be instantaneous [3]. As a result, even though an SIS responds to a demand, it may fail afterward. For example, fires can last from a few seconds to several days, and AFESs must operate for a specified period to suppress fires. Such a period is defined as a prolonged demand duration. During this period, SISs are often exposed to high stress and thereby have more chances to fail. It is therefore of interest to examine both whether an SIS is reliable when responding and how it performs after activation. The former is related to SIS reliability, whereas the latter is related to SIS durability. Durability represents how long an SIS can perform its safety instrumented functions and withstand stress. The failures related to durability are called failures during demand (FDDs) in this study. In other words, SISs employed against CAFs may suffer intensive degradation and fail before demands are complete.
Considering both FODs and FDDs, it is thus challenging to evaluate SISs against CAFs with straightforward traditional methods. For example, fault tree analysis is often used for the specific analysis of an accident, and it copes poorly with dependencies such as CAFs [40]. In addition, Markov models have difficulty dealing with large-scale systems in which CAFs occur [37,41]. Furthermore, the formulas listed in IEC 61508 do not consider CAFs [42]. Therefore, a new method to assess the performance of SISs against CAFs is required. This paper proposes a method for analyzing how SIS performance influences the protection against and mitigation of CAFs. The novelty and main contributions of this paper are twofold: 1) developing a new method to model SISs against CAFs and evaluate their effectiveness; 2) revealing the influences of the reliability and durability of SISs on the mitigation of CAFs. The benefits of the proposed method include the following: 1) providing a precise and holistic performance analysis considering SIS reliability and durability; 2) considering time-dependent failures of SISs both while responding and after activation, with no limitation on the failure distributions; 3) offering guidelines for SIS design and deployment to improve the reliability of EUC systems.
The rest of the paper is organized as follows. Section 2 illustrates the models of CAFs and SISs. Section 3 suggests the method for evaluating the impacts of SISs associated with their failures. In Section 4, an illustrative example is provided and is verified by Monte Carlo simulations. A practical case study in the oil and gas industry is presented in Section 5. Finally, in Section 6, we conclude and discuss future works.

Modeling cascading failures
CAFs appear in the literature under many names, such as induced failures, domino failures, propagated failures, and interaction failures [43][44][45]. This paper deals with CAFs between EUC components; the case of CAFs within SISs has been studied in [36]. CAFs are assumed to originate from a fault in an EUC component, triggering successive failures of other parts of the EUC system. For example, when an external leakage of flammable gases from a valve is detected, a failure in a control system can cause a valve misclosure and sudden pressure increases.
In previous research [36,[46][47][48], the cascading probability γ_i ∈ [0, 1] has been introduced as a measure of how easily a failure propagates. This measure is also employed in this paper. Given that EUC_i fails, the probability that the failure cascades to other components is γ_i. The failure propagation is shown as a dotted curved arrow in Fig. 2(a). The cascading probability influences the extent of the damage caused by CAFs. It can be estimated from test data or historical failure records [48]. The probability that there is no CAF is denoted by γ̄_i (γ̄_i = 1 − γ_i).

Modeling SISs against CAFs
Fig. 2(b) illustrates that SIS_ij is installed to prevent failure propagation from EUC_i. This paper focuses on situations in which the demands on SISs are prolonged (e.g., 2 hours or more). An SIS may fail due to failures in any of its three main subsystems (i.e., the sensors, logic solvers, and final elements). The failures can be classified into two groups:
• FOD refers to an event in which an SIS cannot act on a demand (e.g., the inability to activate an AFES). An FOD is always a dangerous undetected failure, as defined in IEC 61508 [26]. It is hidden until a demand or a proof test. An SIS is often considered as-good-as-new after a proof test [1]. If the proof test interval is not changed, PFD_avg is the same over the whole lifetime. PFD_avg is also used to determine whether an SIS satisfies a specified safety integrity level (SIL) [26]. IEC 61508 defines four SILs: SIL 1 (the lowest level) through SIL 4 (the highest level) [26].
• FDD refers to an event in which an SIS fails during a prolonged demand (e.g., an AFES stops operating even though the fire has not been suppressed). Since an FDD is revealed immediately, it is similar to the dangerous detected failures defined in IEC 61508 [26]. The difference is that an FDD is not detectable by continuous monitoring either; it is natural to assume that an FDD is found upon a demand or a test. The time to FDD reflects the capability of an SIS to resist stress during demands. It is reasonable to use known distributions with probability density functions f_SISij(t) for FDD, such as a Weibull distribution.
Fig. 3 depicts the sequence of failure events associated with Fig. 2(b). An initiating event is a hazardous event such as overheating or a short circuit in the EUC system. EUC_i may fail due to the hazardous event, which causes a fire. The fire can propagate to the other components with cascading probability γ_i. An FOD may occur when the demand on SIS_ij arises. SIS_ij may also fail due to an FDD even if it is activated. The failures in SIS_ij, including FOD and FDD, determine the outcome for EUC_j. This paper focuses on the performance of SISs starting from hazardous events, meaning that the moment t = 0 in this context is the occurrence of a hazardous event. In other words, the EUC system is as-good-as-new until t = 0. Under hazardous events, the EUC system is still functioning, but in a degraded mode.
Let t_i denote the time at which EUC_i fails and a fire propagates from EUC_i. A demand on SIS_ij then occurs. The condition of the SIS is unknown when it needs to be activated; it may be working, or it may have failed due to a hidden failure. An FOD may thus be
Let P_ij(t) denote the probability that SIS_ij has failed by time t, considering both FOD and FDD. The probability P_ij(t) can be obtained as:
where T_SIS denotes the operating time of SIS_ij from activation to the failed state. T_SIS is assumed to be less than T_DD, because the demand is prolonged. Accordingly, let P̄_ij(t) denote the probability that SIS_ij is functioning at time t. The probability P̄_ij(t) can be obtained as:
Fig. 2. An EUC system with CAF and SIS.

Performance analysis considering CAFs and SISs
A recursive aggregation method based on reliability block diagrams (RBDs) is proposed in this section. The method builds on previous studies of multi-state systems with failure propagation time [47]. In this paper, the method is applied to EUC systems in which SISs are employed to intervene in CAF propagation. We take EUC system reliability into account in the analysis of SIS performance in the context of CAFs. The term system reliability in the following sections refers to the reliability of EUC systems. EUC systems are constructed as typical series-parallel structures.

Reliability analysis with conditional failures
System reliability can usually be calculated with reliability functions derived from RBDs as long as each component has two states (functioning and failed) [49]. However, when the system is subject to CAFs, the components are not independent. Consequently, the general rules for structure functions cannot be applied. Reliabilities with conditions are therefore introduced to complement the RBD method. Here, three scenarios may arise considering the state of EUC_i and CAFs: 1) EUC_i functions; 2) EUC_i fails, and the failure is not cascaded; 3) EUC_i fails, and the failure is cascaded, as shown in Fig. 5. The conditional reliability of EUC_i, denoted by R̃_i(t), is defined as the probability that EUC_i is functioning at time t given no CAF from EUC_i. "No CAF" covers two scenarios: 1) EUC_i functions; 2) EUC_i fails, and the failure is not cascaded. Hence, the probability of no CAF is the sum of the probabilities of these two scenarios. Accordingly, the probability that a CAF occurs, Pr(CAF occurs), is equal to γ_i (1 − R_i(t)). The conditional reliability R̃_i(t) can be described as:
If the failure in EUC_i can never cascade, the conditional reliability R̃_i(t) is defined to equal the reliability R_i(t).
Consider a system Ω_n with n components EUC_i (i = 1, 2, …, n) organized in a series structure. The conditional system reliability by time t is obtained as:
Similarly, the conditional reliability of a parallel system with n components EUC_i is obtained as:
The conditional system reliability of an arbitrary series-parallel system can be obtained from Eqs. (4) and (5). The procedure is the same as in the traditional RBD method [49], with component reliabilities replaced by the corresponding conditional reliabilities.

Reliability of an EUC system
This section presents the method for analyzing the reliability of an EUC system. The following assumptions are made:
• Two states are considered for EUC_i: functioning or failed.
• The time to failure of EUC_i follows a known distribution with probability density function f_i(t).
• There are no repairs or inspections during demand durations.
First, consider a system Ω_n with n components structured as a series-parallel system, in which only one CAF may occur, from EUC_i to EUC_j. If the CAF occurs and the SIS is functioning, with probability P̄_ij(t), EUC_j is protected from the CAF by the safety function of the SIS; only EUC_i is then in a failed state at time t. Conversely, if the CAF occurs and the SIS fails, with probability P_ij(t), EUC_j is impacted by the CAF, and both EUC_i and EUC_j are in failed states at time t. P̄_ij(t) corresponds to the conditional reliability R̃_{Ω_{n−(i)}}(t) for the case that the SIS is functioning. Similarly, P_ij(t) corresponds to the conditional reliability R̃_{Ω_{n−(i,j)}}(t) for the case that the SIS is in a failed state. Hence, the reliability of the system Ω_n by time t is obtained as follows:
where Ω_{n−(i,j)} and Ω_{n−(i)} are the subsystems made up of the functioning components, and R̃_{Ω_{n−(i)}}(t) and R̃_{Ω_{n−(i,j)}}(t) denote the corresponding conditional reliabilities of Ω_{n−(i)} and Ω_{n−(i,j)}. The failed components are removed when calculating system reliability, meaning that their reliabilities are replaced by zero. R̃_{Ω_{n−(i)}}(t) and R̃_{Ω_{n−(i,j)}}(t) can be obtained from Eqs. (4) and (5).
Second, consider a system Ω_n with multiple CAFs. Subsystem Ω_m (Ω_m ⊆ Ω_n) has m EUC components with CAFs, denoted by CAF_1, CAF_2, CAF_3, …, and CAF_m, with cascading probabilities γ_1, γ_2, γ_3, …, and γ_m. All possible combinations of CAF occurrence are considered. The event θ_1 is the situation with no CAF in subsystem Ω_m (none of CAF_1, CAF_2, …, CAF_m occurs). The event θ_2 is the situation in which a CAF is generated from the first component only (CAF_1 occurs and CAF_2, …, CAF_m do not). The event in which CAFs occur in all m components is denoted by θ_{2^m} (CAF_1 ∩ CAF_2 ∩ … ∩ CAF_m).
The probability θ_ν(t) (ν = 1, 2, …, 2^m) that the CAF event θ_ν occurs by time t is given as follows:
Assume that the CAF event θ_ν is connected to a specific subsystem Ω_ν (Ω_ν ⊆ Ω_m) in which CAFs are triggered from the components. Assume that EUC_h (EUC_h ∈ Ω_ν) is linked to l SISs, denoted by SIS_h1, SIS_h2, SIS_h3, …, and SIS_hl. All possible combinations of the SISs' states (i.e., functioning or failed) are considered as SIS events. The event δ_1 involves no SIS failure, and the event in which all SISs fail is denoted by δ_{2^l}. The probability δ_{h,g}(t) (g = 1, 2, …, 2^l) that EUC_h fails and the SIS event δ_g occurs by time t is given as follows:
where P_h,j(t) is the probability that SIS_hj has failed by time t, while P̄_h,j(t) is the probability that SIS_hj is functioning at time t, EUC_h having failed at time t_h. PFD_avg,hj denotes the steady-state probability of FOD in SIS_hj. SISs are critical safety barriers and are therefore often designed to be highly reliable under normal conditions [50], so PFD(t) is relatively small and varies only slightly. It is unnecessary to determine this probability as a function of time, and an average value is sufficient for FOD [1]. Furthermore, IEC 61508 distinguishes the four SILs in terms of PFD_avg rather than PFD(t) [26]. Therefore, in Eq. (8), we use PFD_avg to approximate PFD(t_i).
Combining all SIS events, the conditional probability for the CAF event θ_ν by time t is obtained as:
where Ω_{n−F} denotes the subsystem of functioning EUC components, and R̃_{Ω_{n−F}}(t) denotes the conditional reliability of the subsystem Ω_{n−F} by time t. Eventually, the system reliability is obtained as:
In short, system reliability can be obtained by applying the following steps:
The following section introduces an example. Then, a practical case is used to demonstrate the method's effectiveness.

An illustrative example
Consider a system Ω_n with three EUC components (the RBD of this system is shown in Fig. 6). Subsystem Ω_m represents a subsystem with m EUC components that may trigger multiple CAFs; here it includes the components EUC_1 and EUC_2. The cascading probabilities are γ_1 and γ_2. SIS_12, SIS_13, SIS_21, and SIS_23 are installed to prevent and mitigate CAF propagation. The probabilities of FODs are PFD_avg,12, PFD_avg,13, PFD_avg,21, and PFD_avg,23.
The reliability of the EUC system is calculated using the following five steps:
Step 1: According to Eq. (3), the conditional reliabilities of EUC_1, EUC_2, and EUC_3 considering CAFs are obtained as:
Step 2: By using Eq. (7), the probabilities of the CAF events are obtained as:
Step 3: By using Eq. (8), the probabilities of the SIS events are obtained as:
Step 4: According to Eqs. (4) and (5), the conditional reliabilities of the subsystems considering CAFs are obtained as:
Step 5: The system reliability R_S(t) is calculated using Eq. (10):
By removing the subsystems whose conditional reliabilities are equal to zero, the system reliability is obtained as:
Note that the calculations regarding θ_4(t) are excluded, since the system is down when EUC_1 and EUC_2 fail simultaneously.

Verifications of the proposed formulas
Monte Carlo simulations (MCSs) were conducted to check the validity of the proposed method and of Eq. (11) in the previous sections. Fig. 7 is a flowchart of the MCSs, constructed in MATLAB, and illustrates the simulation process for the example in Section 4.1. The principles are the same for different examples, but details may be modified according to the algorithm and configuration. The proposed method can be applied to any type of failure distribution. In this case, the times to failure of the EUC components are assumed to follow an exponential distribution, while the time to FDD of the SISs is assumed to follow a Weibull distribution. An exponential random variable, denoted by T_i(λ_i), expresses the time to failure of EUC_i. A variable η is drawn from a uniform [0, 1] distribution; if η is smaller than the cascading probability γ_i, a CAF occurs in the simulation. Similarly, η_1 is another random variable drawn from a uniform [0, 1] distribution, and an FOD occurs when η_1 is smaller than the FOD probability (i.e., the PFD_avg of the SIS). The time T(λ_SIS) denotes the simulated time to FDD of an SIS, which corresponds to the time (μ − t_i) in Fig. 4. The time T_s denotes the simulated time to system failure.
The EUC components and SISs are assumed to be identical. Without loss of generality, γ_1 and γ_2 are set to 0.2 and 0.3, respectively. The other parameters are presented in Table 1. Fig. 8 shows the system reliability profiles over 2 hours. Here, we ran the simulations with 10^6 MC iterations. The system reliability calculated with the proposed method gives the same results as the simulations for all three cases. Thus, the method in this paper is demonstrated to be suitable for evaluating system reliability considering CAFs and SISs.
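A minimal Monte Carlo counterpart of the flowchart described above, written in Python rather than MATLAB, as an added example that is not the paper's simulation code. The system is constructed for illustration and is an assumption, not Table 1: EUC1 and EUC2 in parallel, in series with EUC3; each of EUC1 and EUC2 may cascade to EUC3 through its own SIS. Per iteration it draws the EUC failure times, the cascade decision (η against γ_i), the FOD decision (η_1 against PFD_avg) and the time to FDD, then evaluates the structure function at the observation time. The exponential and Weibull parameters are constructed values.

```python
"""Monte Carlo estimate of EUC system reliability under CAFs and SISs.
Added example on a constructed system; not the paper's MATLAB simulation."""
import math
import random


def weibull_sample(rng, scale, shape):
    """Inverse-CDF sampling: T = scale * (-ln U)^(1/shape); shape = 1 is exponential."""
    return scale * (-math.log(1.0 - rng.random())) ** (1.0 / shape)


def simulate(t_obs, n_iter, gamma, pfd, fdd_scale, fdd_shape,
             euc_scale=(5.0, 5.0, 8.0), seed=1):
    """Estimate R_S(t_obs) for the assumed RBD (EUC1 || EUC2) in series with EUC3.
    EUC1 and EUC2 are the CAF origins (cascading probabilities gamma[0], gamma[1]);
    each may cascade to EUC3 through its own SIS, which fails on demand with
    probability pfd or during the demand after a Weibull(fdd_scale, fdd_shape) time.
    Times are in hours; the EUC times to own failure are exponential (shape 1)."""
    rng = random.Random(seed)
    up = 0
    for _ in range(n_iter):
        t_fail = [weibull_sample(rng, s, 1.0) for s in euc_scale]  # own failures
        t3 = t_fail[2]                            # EUC3 fails at its own time ...
        for i in (0, 1):                          # ... or earlier, through a CAF
            t_i = t_fail[i]
            if t_i > t_obs or rng.random() >= gamma[i]:
                continue                          # origin alive, or failure not cascaded
            if rng.random() < pfd:                # FOD: the SIS never starts
                t3 = min(t3, t_i)
            else:                                 # FDD: the SIS runs for T_SIS, then fails
                t3 = min(t3, t_i + weibull_sample(rng, fdd_scale, fdd_shape))
        euc1_up, euc2_up = t_fail[0] > t_obs, t_fail[1] > t_obs
        if (euc1_up or euc2_up) and t3 > t_obs:   # structure function of the RBD
            up += 1
    return up / n_iter


if __name__ == "__main__":
    # the three SIS states compared in the case study: perfect, FOD only, FOD and FDD
    for name, (pfd, scale) in (("perfect SISs", (0.0, 1e9)), ("FOD only", (1e-3, 1e9)),
                               ("FOD and FDD", (1e-3, 3.0))):
        r = simulate(2.0, 100_000, (0.2, 0.3), pfd, scale, 1.5)
        print(f"{name:13s} R_S(2 h) ~ {r:.4f}")
```

Two limiting cases have closed forms and make useful checks of the simulator: with γ = 0 the components are independent, so R_S(t) = (1 − (1 − e^(−t/5))^2)·e^(−t/8); with γ = 1 and PFD_avg = 1 every origin failure kills EUC3, so the system survives only if all three components do, R_S(t) = e^(−2t/5)·e^(−t/8).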

Case study
This section presents a practical case study in the oil and gas industry to illustrate the deployment of SISs based on the proposed method. An EUC system consists of three separators (EUC_1, EUC_2, and EUC_3), one scrubber (EUC_4), and three compressors (EUC_5, EUC_6, and EUC_7), as shown in Fig. 9. The separators separate the production fluids into oil, gas, and water, and the scrubber is used to wash unwanted pollutants from the gas stream. Finally, the compressors are applied to increase the gas pressure and temperature.
In this case, hazardous events like overheating or short circuits can result in failures of the EUC system. We assume that failures in EUC_2 and EUC_6 can initiate fires. The fires can propagate to the components located in the same facility, as shown in Fig. 9. They cannot cause fires in the remaining components because of separation systems such as firewalls. The time to failure of an EUC component is assumed to follow a Weibull distribution with scale parameter λ_EUC and shape parameter α_EUC.
The cascading probabilities are denoted by γ_2 and γ_6. The parameters used in this case study are presented in Table 2. In general, such parameters can be obtained from historical statistics, vendor data, and equipment certifications. The failure probability of the EUC components and SISs is much higher than in regular operation, because in this case they are assumed to be exposed to high stress in hazardous events.
AFESs are installed to suppress and extinguish fires. For the analysis, each AFES is generalized as SIS_ij. As shown in Fig. 9, SIS_24 and SIS_25 can prevent failure propagation from EUC_2, while SIS_64 and SIS_67 can prevent failure propagation from EUC_6. For all SIS_ij, PFD_avg is set to 10^−3 for FODs, i.e., the maximum allowed value for a SIL 3 function, to meet the SIL 3 requirement. The time to FDD is assumed to follow a Weibull distribution with scale parameter λ_SIS and shape parameter α_SIS. The parameters of the SISs are summarized in Table 3.

System reliability calculation
The reliability of the EUC system can be calculated using Eq. (10). The EUC system is evaluated for the following states of the SISs: (1) perfect SISs, (2) SISs with FOD, and (3) SISs with FOD and FDD. Here, γ_2 and γ_6 are set to 0.5. The calculation results are shown in Fig. 10. Since we focus on situations in which the demands on SISs are prolonged (e.g., 2 hours or more), it is reasonable to observe the reliability over the first two hours as an example. As seen, the reliability profiles of the EUC system with (1) perfect SISs and (2) SISs with FOD are almost the same, meaning that the effects of FOD are relatively low; the reason is that we focus on what happens after a hazardous event, and the probability of FOD is extremely low. The reliability gap between the EUC system with (1) perfect SISs and (3) SISs with FOD and FDD is noticeable and is explained by the effects of FDD. The reliability gaps change when λ_SIS and PFD_avg are set differently. This implies that it is reasonable to pay more attention to the effects of FDD when considering the high stress from CAFs.
Table 1. The parameters of the illustrative example.

Sensitivity analysis
Given that SISs are installed, the reliability of the EUC system is impacted by the strength of the CAFs (i.e., the cascading probability γ) and the capacity of the SISs (i.e., PFD_avg for FOD and the scale parameter λ_SIS for FDD). This section carries out sensitivity analyses to understand the influences of these parameters.

Effects of origins of CAFs
To evaluate the impact of CAFs, we observe the situations in which the cascading probabilities γ_2 and γ_6 are changed, keeping the other parameters constant. For example, cascading probability γ_2 is increased, meaning that the failure is more likely to affect the other components because of geographical location (e.g., being close to the center of an industrial area). The other parameters are taken from Table 2 and Table 3. The result at time t = 2 hours is provided in Fig. 11. The 3D plot indicates that the system reliability is more sensitive to γ_6 than to γ_2, which means that CAFs generated from EUC_6 are more critical to system reliability in this case. In other words, if EUC_6 is physically closer to other parts of the production system, the system is more vulnerable in case of fire.

Mitigating effects of SISs
The mitigating effects of SISs are considered in this section. Now, the cascading probabilities γ_2 and γ_6 are kept constant and set to 0.5, while the values of PFD_avg for FOD and the scale parameter for FDD are changed. We assume that the same values apply to all SISs, since the SISs are identical and perform similar safety functions. The system reliabilities for increasing log10(PFD_avg) at different observation times (t = 0.5, 1, 1.5, 2 hours) are presented in Fig. 12. For clarity, the ranges of SIL 1 to SIL 4 are shown. As seen, when log10(PFD_avg) is changed, the trend of the system reliability is approximately the same in the four subplots. The system reliability remains almost unchanged when the SISs are at SIL 2 or higher. If the SIL of the SISs drops to SIL 1, the system reliability decreases dramatically. In other words, SISs mitigate CAFs almost as well at SIL 2 as at SIL 4. This analysis provides information on how much system reliability improves with increasing SIL. In practice, it is beneficial to determine the proof test intervals of the SISs so that both the SIL safety requirements and the EUC reliability requirements are satisfied.
Fig. 13 illustrates how the system reliability is impacted when the scale parameter λ_SIS varies. For example, at t = 2 hours, the system reliabilities for scale parameters λ_SIS, 1.5λ_SIS, 2λ_SIS, 2.5λ_SIS, and 3λ_SIS are 0.74, 0.70, 0.66, 0.64, and 0.63, respectively. The system reliability does not decrease linearly with higher values of the scale parameter. Thus, it is necessary to analyze how specific SISs mitigate CAFs and to deploy suitable SISs; this is discussed in the following sections.

Criticality analysis of SISs
Fig. 11. System reliability considering γ_2 and γ_6 at t = 2 hours.
Based on the method in Section 3, a criticality analysis is carried out to identify optimal solutions for SISs in protecting against CAFs. We consider three variables related to the optimal solutions: the location, number, and cost of the SISs. Specifically, the risk achievement worth (RAW), denoted by I_RAW(SIS|t), is employed for the criticality analysis. It is defined as the ratio of the system unreliability when an SIS is not present (or is in the failed state) to the system unreliability when the SIS is functioning at time t [49]:
where h(0_SIS, R_S(t)) denotes the system reliability without the SIS, while h(1_SIS, R_S(t)) denotes the system reliability with the SIS. When I_RAW(SIS|t) is large, the state of the SIS has a comparatively significant effect on the system reliability at time t. By combining Eqs. (10) and (12), I_RAW(SIS|t) is obtained in Table 4; the parameters are those in Table 2 and Table 3. The cost of SIS deployment can also be considered in the analysis. We assume that the installation cost is roughly the same for all SISs and equal to a. Then, I_RAW(SIS|t)/a reflects the improvement of system reliability obtained by installing an SIS, relative to its cost. The analysis results are summarized in Table 4. In addition to I_RAW(SIS|t), we can also obtain the system reliability profiles to compare different solutions. For example, we consider two potential solutions: No. 6 (SIS_24 and SIS_25) and No. 11 (SIS_64 and SIS_67). Fig. 14 indicates that both solutions effectively improve system reliability, but solution No. 11 always has a more significant effect in protecting against CAFs than solution No. 6. This implies that SIS_64 and SIS_67 are more critical to the system reliability than SIS_24 and SIS_25. In other words, SIS_64 and SIS_67 protect the 1oo3 subsystem (i.e., EUC_5, EUC_6, and EUC_7) from CAFs more effectively than the others.
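The aggregation of Section 3 (three scenarios per CAF origin, the SIS-state events with P_ij(t) combining FOD and FDD, and RBD aggregation of the components that survive each scenario), the three-component structure of the illustrative example in Section 4.1, and the RAW measure defined above, worked through in code. This is an added Python example, not the authors' implementation, and everything in it is assumed rather than taken from the paper: the RBD ((EUC1 || EUC2) in series with EUC3), the cascade links EUC1 → EUC3 and EUC2 → EUC3 (SIS12 and SIS21 of the example are left out, because this code only lets origins cascade to non-origin targets), the Weibull parameters, the combination P_ij(t) = PFD_avg + (1 − PFD_avg)·F_SIS(t − t_i), and a midpoint rule over the origin's failure time t_i in place of the paper's closed-form equations. The absent SIS in the RAW ratio is modelled by setting its PFD_avg to 1.

```python
"""Recursive RBD aggregation of EUC system reliability under cascading
failures (CAFs) mitigated by SISs, plus the RAW criticality of one SIS.
Added example on a constructed system; it is not the authors' code."""
import math

N_GRID = 200  # midpoint-rule grid for integrating over an origin's failure time t_i


def weibull_cdf(t, scale, shape):
    """F(t) = 1 - exp(-(t/scale)^shape); shape = 1 gives the exponential case."""
    return 0.0 if t <= 0.0 else 1.0 - math.exp(-((t / scale) ** shape))


def weibull_pdf(t, scale, shape):
    """Density belonging to weibull_cdf (shape >= 1 assumed, so finite at 0)."""
    if t <= 0.0:
        return 0.0
    return (shape / scale) * (t / scale) ** (shape - 1.0) * math.exp(-((t / scale) ** shape))


def sis_fail_prob(t, t_i, pfd, scale, shape):
    """P_ij(t): SIS_ij has failed by time t given the demand started at t_i.
    Assumed combination: failure on demand (PFD_avg), or a start followed by a
    failure during demand within t - t_i (Weibull-distributed T_SIS)."""
    return pfd + (1.0 - pfd) * weibull_cdf(t - t_i, scale, shape)


def rbd_reliability(block, surv):
    """Aggregate a nested ('series', ...) / ('parallel', ...) RBD whose leaves
    are component names with independent survival probabilities surv[name]."""
    if isinstance(block, str):
        return surv[block]
    kind, *children = block
    vals = [rbd_reliability(c, surv) for c in children]
    if kind == "series":
        return math.prod(vals)
    return 1.0 - math.prod(1.0 - v for v in vals)


def system_reliability(t, euc, rbd, origins):
    """R_S(t).  euc: name -> (scale, shape) of the time to own failure.
    origins: origin -> (gamma, {target: (PFD_avg, FDD scale, FDD shape)});
    origins cascade only to non-origin targets (one-level CAFs, an assumption).
    Each origin is expanded into the three scenarios of Fig. 5 (functioning,
    failed without CAF, failed with a CAF at t_i, integrated over t_i); the
    components that survive the scenario are then aggregated through the RBD."""
    names = list(origins)

    def recurse(k, scen, weight):
        if weight == 0.0:
            return 0.0
        if k == len(names):  # every origin has a scenario: evaluate the RBD
            surv = {}
            for c, (sc, sh) in euc.items():
                if c in scen:  # origin: its state is fixed by the scenario
                    surv[c] = 1.0 if scen[c] == "up" else 0.0
                    continue
                q = 1.0 - weibull_cdf(t, sc, sh)  # target survives its own failure ...
                for o in names:  # ... and every CAF aimed at it, unless that SIS failed
                    t_o = scen[o]
                    if isinstance(t_o, float) and c in origins[o][1]:
                        q *= 1.0 - sis_fail_prob(t, t_o, *origins[o][1][c])
                surv[c] = q
            return weight * rbd_reliability(rbd, surv)
        o = names[k]
        gamma = origins[o][0]
        sc, sh = euc[o]
        f_t = weibull_cdf(t, sc, sh)
        total = recurse(k + 1, {**scen, o: "up"}, weight * (1.0 - f_t))
        total += recurse(k + 1, {**scen, o: "down"}, weight * (1.0 - gamma) * f_t)
        h = t / N_GRID
        for n in range(N_GRID):  # CAF at t_i: weight gamma * f_o(t_i) dt_i
            t_o = (n + 0.5) * h
            total += recurse(k + 1, {**scen, o: t_o},
                             weight * gamma * weibull_pdf(t_o, sc, sh) * h)
        return total

    return recurse(0, {}, 1.0)


def raw_importance(t, euc, rbd, origins, origin, target):
    """I_RAW(SIS|t) = (1 - R_S with SIS_ij absent/failed) / (1 - R_S with SIS_ij).
    The absent SIS is modelled by PFD_avg = 1 (it never acts)."""
    with_sis = system_reliability(t, euc, rbd, origins)
    gamma, links = origins[origin]
    _, sc, sh = links[target]
    absent = {**origins, origin: (gamma, {**links, target: (1.0, sc, sh)})}
    return (1.0 - system_reliability(t, euc, rbd, absent)) / (1.0 - with_sis)


# Constructed system (assumed values): (EUC1 || EUC2) in series with EUC3;
# EUC1 and EUC2 may cascade to EUC3 through SIS13 and SIS23; times in hours.
EUC = {"EUC1": (5.0, 1.0), "EUC2": (5.0, 1.0), "EUC3": (8.0, 1.0)}
RBD = ("series", ("parallel", "EUC1", "EUC2"), "EUC3")
SIS = (1e-3, 3.0, 1.5)  # PFD_avg at the SIL 3 limit, FDD scale, FDD shape
ORIGINS = {"EUC1": (0.2, {"EUC3": SIS}), "EUC2": (0.3, {"EUC3": SIS})}


def with_sis_params(origins, sis):
    """Same topology, every SIS given the parameter triple sis."""
    return {o: (g, {tg: sis for tg in links}) for o, (g, links) in origins.items()}


if __name__ == "__main__":
    for name, sis in (("perfect SISs", (0.0, 1e9, 1.5)),
                      ("FOD only", (1e-3, 1e9, 1.5)), ("FOD and FDD", SIS)):
        r = system_reliability(2.0, EUC, RBD, with_sis_params(ORIGINS, sis))
        print(f"{name:13s} R_S(2 h) = {r:.4f}")
    print("I_RAW(SIS13 | 2 h) =", round(raw_importance(2.0, EUC, RBD, ORIGINS, "EUC1", "EUC3"), 3))
```

The enumeration is the paper's decomposition in a different bookkeeping: the "up" and "down" branches of an origin together carry the no-CAF probability from which the conditional reliability R̃_i(t) is built, and the integrated branch carries γ_i·f_i(t_i). Two closed-form limits are convenient checks: with every γ_i = 0 the result equals the independent RBD reliability exactly, and with γ = 1 and PFD_avg = 1 a parallel pair (EUC1, EUC3) survives exactly when EUC1 does, so R_S(t) = R_1(t).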

Conclusions and future research
This paper has proposed a novel method to evaluate the performance of SISs employed to protect an EUC system against CAFs. The method considers failures of SISs both when responding and after activation, and thus includes both SIS reliability and durability in the performance analysis. The proposed method can provide designers and operators with information for SIS design and deployment, thereby improving the safety and reliability of the EUC system. This paper applies the proposed method to SISs and EUC systems, but it can also be adopted for other safety barriers in industrial series-parallel systems.
The method has been verified on simple applications, but it handles large systems efficiently as long as the number of CAFs is limited. If that number increases, the number of CAF combinations grows exponentially, and in that case the computational efficiency of the method is expected to need further improvement. Nevertheless, the method is applicable to systems incorporating a moderate number of CAFs in most cases. This paper has focused on SIS reliability and durability, but other indicators, such as response time, capacity, and robustness, can also be important; they are topics for future research. In addition, the assumption of a constant cascading probability is somewhat restrictive; statistical dependency (e.g., a time-dependent cascading probability) could be considered. Another direction of future work is extending the method to more complex systems (e.g., network systems and hierarchical systems) to investigate more interdependent relationships between SISs and CAFs.

Authorship contributions
The specific contributions made by each author (Lin Xie, Mary Ann Lundteigen, Yiliu Liu) are listed below.
Conception and design of study: Lin Xie, Mary Ann Lundteigen, Yiliu Liu; Acquisition analysis and interpretation of data: Lin Xie, Yiliu Liu; Drafting the manuscript: Lin Xie; Revising the manuscript critically: Mary Ann Lundteigen, Yiliu Liu.

Declaration of Competing Interest
All the authors of this paper certify that they have NO affiliations with or involvement in any organization or entity with any financial interest (such as honoraria; educational grants; participation in speakers' bureaus; membership, employment, consultancies, stock ownership, or other equity interest; and expert testimony or patent-licensing arrangements), or non-financial interest (such as personal or professional relationships, affiliations, knowledge or beliefs) in the subject matter or materials discussed in this manuscript.