Critical Risks Method (CRM): A New Safety Allocation Approach for a Critical Infrastructure

In the current research, a safety allocation technique named the Critical Risks Method (CRM) has been developed. Starting from a literature review, we analyzed the shortcomings of conventional methods. The outcomes show the two primary criticalities of the most important safety allocation approaches: (1) they are developed for series configurations, but not for parallel ones; (2) they ordinarily give only qualitative outputs, not quantitative ones. Moreover, when the conventional methods are applied, an increase in the safety of the units to meet the safety target leads to an increase in their production costs. The proposed strategy overcomes the shortcomings of traditional techniques with a safety approach applicable to series–parallel systems, giving quantitative outputs in terms of failures per year. The CRM considers six factors that ensure its applicability to a great variety of critical infrastructures. In addition, the CRM is described by a simple analytic definition. The CRM was applied to a critical infrastructure (a Liquid Nitrogen Cooling Installation) in a nuclear plant designed with series–parallel units. By comparing the CRM outputs with databank safety values, the proposed method was validated.


Introduction
Safety Instrumented Systems (SISs) are units designed to ensure the safety of people and the environment. The international standard IEC 61508 [1] gives a safety approach to evaluate safety targets. This standard is conventional and subjective. Sector-specific standards are developed from IEC 61508; for example, IEC 61511 [2] for business analysis and IEC 62061 [3] for hardware frameworks. The standard gives a hazard analysis to evaluate the safety requirements of units. Starting from the safety target of the whole system, it is necessary to evaluate the safety value of the units. This approach is called safety allocation in IEC 61508. IEC 61508 and IEC 61511 recommend two methods for this purpose: the Risk Graph method and Layers of Protection Analysis (LOPA). The Risk Graph method has been broadly discussed [4,5]. Many studies point out some shortcomings of the technique, in particular due to the subjective nature of the risk graph and risk matrix [6,7]. Baybutt (2007) recommends an improved hazard diagram technique to overcome these shortcomings. The LOPA technique was presented by the Center for Chemical Process Safety (CCPS) (1993) for industrial processes [8]. This methodology can be combined with a Hazard and Operability study (HAZOP). Numerous techniques have been developed [9,10]. All approaches give qualitative outputs [11,12]. The European Space Agency (ESA) has created a quantitative approach: the Sphynx Method [13]. The ESA's approach has been structured to allocate safety targets to aerospace systems. The examined techniques share a shortcoming in their scientific formulations: they are developed for units with series configurations, but not for series-parallel configurations. Furthermore, only the Sphynx Method provides quantitative results.
In order to overcome these criticalities, a new safety allocation approach has been proposed and validated: the Critical Risks Method (CRM). The new technique was applied to a toroidal machine, which is important in completing research on plasma material and controlled atomic fusion. A nuclear plant was structured using series-parallel configurations in order to ensure safety. This paper is organized as follows: Section 2 introduces the Nuclear System, Section 3 analyzes the state of the art of safety allocation techniques, Section 4 describes the framework of the CRM, and, finally, Section 5 presents a case study. Section 6 summarizes the conclusions of the research and the future developments.

Nuclear System
Nuclear fusion [14] is a strongly energetic reaction: Two "light" particles (with low nuclear number), for example, hydrogen or its isotopes, deuterium and tritium, are fused to deliver heavier atoms, like helium.
The nuclei of hydrogen (H), deuterium (D), and tritium (T) contain one proton and different numbers of neutrons: one for the nucleus of deuterium, two for tritium. In each of the three cases, the atom, electrically neutral, has an electron orbiting the nucleus, compensating the single proton charge. Typically, a nucleus of deuterium and one of tritium are combined to produce a nucleus of helium (alpha particle) and a neutron (Figure 1). At the end of the reaction, the total mass is lower than that of the interacting elements. The difference, called the mass defect, is transformed into energy according to Einstein's well-known law: In order to obtain energy production through controlled nuclear reactions, it is necessary to heat the deuterium–tritium plasma to extremely high temperatures (around 10^8 °C), keeping the hot plasma confined in a magnetic field that forces the particles to follow spiral trajectories. In magnetic confinement, the hot plasma is enclosed inside a vacuum chamber. In the present research, we analyzed a toroidal machine (Figure 2) [15].
In order to cool the vacuum chamber and coils, a closed circuit of liquid nitrogen was designed with the following units (Figure 3):
- Three buffer tanks of liquid nitrogen with a total capacity of 90,000 L and a pressure of 2.5 bar;
- Two cryogenic pumps lubricated by the same liquid nitrogen;
- Two evaporators;
- Tanks, valves, and common accessories.
The cryostat is the main unit of the system. In order to cool the main components, the nitrogen pipes arrive at the cryostat.
The toroidal machine is housed inside the cryostat, where the pressure is kept higher than outside (20 mm H2O) in order to prevent the entry of atmosphere (working temperature of −190 °C) [16].

Literature Review: State of the Art of Safety Allocation Methods
In the present section, the conventional methodologies of safety allocation are analyzed. Let S*(t) (events/time) be the safety target of a series system. Let Si*(t) (events/time) be the safety allocation for unit i [17,18]: The allocation is an iterative procedure to define wi%. It begins in the design phase, when little information about the units is available. In this stage, it is preferable to consider the units in series. The initial step of the safety allocation process is to allocate the safety target to all units. IEC 61508 does not give any conventional techniques to allocate safety targets.
IEC 61508 recommends some methodologies for this purpose:
- The "As Low As Reasonably Practicable" method (ALARP);
- The Risk Graph method;
- Layers of Protection Analysis (LOPA);
- Hazardous event severity matrix.
Another method, not suggested by IEC 61508, is the Sphynx Method. This approach was developed by the ESA.

ALARP Method
The ALARP method is described by the risk triangle: (a) unacceptable risk (red) at the top, (b) tolerable risk in the middle (yellow), and (c) acceptable risk (green) at the bottom (Figure 4). The risk level decreases from high to low through mitigations or measures. Safety allocated above the red level is intolerable and risk reduction is necessary. Between the red level and the green level, the risk is tolerable only if it is ALARP, which means that all reasonably practicable risk reduction measures have been identified and implemented. The reduction of safety cost (money, time, or effort) is greater than the reduction of the safety target. In other words, ALARP is simply a balance between risk reduction and the cost of achieving it. Risk management has to demonstrate that a risk is ALARP. In order to implement risk reduction measures, it is important to determine the correct approach to assess whether it is ALARP or not. According to the ALARP method, the appropriate techniques can be: (a) engineering judgement, (b) qualitative risk assessment, or (c) semi-quantitative risk assessment.
There are some clear strengths with this approach:
- It is easy to understand and apply.
However, there are numerous weaknesses and limitations:
- It is a qualitative methodology;
- It is very difficult to define an objective wi for every unit.
The qualitative methodologies do not allow an accurate evaluation of safety values. They express only a judgment influenced by the experts. Quantitative methods, on the other hand, permit an estimate of the safety value expressed as faults per year.

The Risk Graph Method
The Risk Graph technique allows the evaluation of the safety target according to the hazard factors of the units. The technique is useful for the safety allocation of mechanical equipment (IEC 62061, 2005, Annex A) or industrial systems (IEC 61511, 2003, Part 3), and should be used in the chemical process (Salis, 2011). The approach is useful for qualitative and quantitative risk assessment. A wide variety of factors that define the nature of the units are used. According to IEC 61508, the requirements for the preceding parameters have to enable a meaningful ranking of the hazard, and additionally have to include the key elements for hazard evaluation. The standard offers a simplified process and an established scheme, introduced in Figure 5. This standard instance uses four factors to define the units (IEC 61508, 2010, Annex E, Section 5).
Safety requirements range from not required through the Safety Integrity Levels (SILs) 1–4. Safety, environmental, and economic impacts are pursued by the Risk Graph method. The safety percentile weight is: There are also some clear strengths with this approach:
- It can be conducted both qualitatively and quantitatively;
- It is easy to understand and apply.
However, there is a great limitation:
- It is only suitable for series configurations.

LOPA Method
The LOPA method is a semi-quantitative risk assessment technique introduced by the Center for Chemical Process Safety in 1993 (CCPS, 1993). The motivation behind LOPA is to decide if there are adequate safety levels against explicit accident situations (CCPS, 2001). A safety layer in LOPA is equivalent to a safety unit. In addition, CCPS (2001) introduced the idea of independent safety layers. The necessities for an independent protection layer (IPL) are referred to in IEC 61511 (2003, Part 3).
The LOPA method generally follows a HAZOP analysis. A LOPA event tree (Figure 6) can represent the different accident scenarios for a critical system. In this example, the specific initiating event can result in one of four end events.

According to this method, the safety percentile weight is: There are some clear strengths with this approach:
- It can be conducted both qualitatively and quantitatively;
- It is incorporated into the HAZOP analysis.
However, there are also weaknesses and limitations:
- It is only suitable for low-demand systems;
- It is only suitable for series configurations.

Hazardous Event Severity Matrix
Starting from Failure Mode and Effect Analysis (FMEA), the Risk Priority Number (RPN) has been used in recent studies to consider the failure effect in reliability. Let unit i have Nj failure modes with severity ranking Sij, occurrence rating Oij, and detection ranking Dij. The three factors are evaluated on an ordinal scale from 1 to 10. The RPN of failure mode j in unit i is given by the following equation: The lack of objectivity and the difficulty of comparing risk effects are the shortcomings of this approach [19]. It is a semi-quantitative method. The O and S values are determined on a quantitative and semantic scale defined by various international standards, such as IEC 60812 (2006) [20] and ISO 31010 (2010) [21].
The safety percentile weight is: There are some clear strengths with this approach [22]:
- It can be conducted both qualitatively and quantitatively;
- It is very simple.
However, there is a main limitation:
- It is only suitable for series configurations.

Sphynx Method
The Sphynx approach was structured to allocate safety targets to the ESA's aerospace prototypes [23]. The Sphynx method is based on "Allocation Factors" AFi for unit i. The formulation is the following: where De = environmental risks; Dt = technological risks; F = number of catastrophic/critical/marginal/minor functions of the system; C = complexity index. The complexity index value ranges between 0 and 1, and is obtained by normalizing the Complexity Factor (Cf) (Table 1): The safety percentile weight is: There are some clear strengths with this approach:
- It is a quantitative methodology;
- It is suitable for complex systems where high safety standards are required.
However, there are some weaknesses and limitations:
- The sum of the number of functions with the technological risks has no scientific basis;
- It is only suitable for series configurations.
The review of the literature techniques points out that there are significant difficulties in conducting an objective safety allocation. All of the suggested methods have their strengths and weaknesses, which have been illustrated in this section.
The Risk Graph method has a few significant criticalities. Baybutt (2014) suggested that the approach has a narrow application area.
The LOPA methodology is easier to understand and is integrated with HAZOP. The technique takes into consideration various parameters, e.g., safety, failures, environmental impact, multiple units, etc. The biggest issue with the LOPA model is that it cannot be used on SIL 3 or SIL 4 systems.
The hazardous event severity matrix approach is probably sufficient to achieve a tolerable risk, but it is questioned if this method will survive, as it leads to overly conservative safety requirements.
The Sphynx approach shows some limitations. In particular, the technique was developed for an aerospace environment. In this situation, environmental hazards are more important than technological ones (De is considered integrally, whereas Dt is considered partially).
A more flexible formulation could consider that:
- Environmental and technological hazards should have the same importance;
- It is necessary to evaluate the real influence of each hazard on the considered unit.
The analysis of the Sphynx method points out a shortcoming concerning the F factor, since the sum of F with Dt is not established on a scientific basis.
Starting from the above considerations, we propose a new safety allocation technique in order to solve the limitations of conventional approaches.
The above analysis has suggested some guidelines for developing the new method. We have applied the most suitable approaches for the nuclear system. In particular, we applied the RPN and Sphynx methods because:
- Thermonuclear systems are in the production phase, so many factors are known (system criticality, technology, mission time, etc.);
- Thermonuclear systems have a complexity similar to that of aerospace systems;
- In thermonuclear systems, detection is an important parameter for safety allocation.

Critical Risks Method
The correct environmental condition for the toroidal system is the mission of the cooling unit, in order to confine the plasma in magnetic fields. Applying a Safety Block Diagram (SBD), the whole system was decomposed into functional units in series configuration (Table 2). Then, Top Events were developed through a Preliminary Hazard Analysis (PHA) (Table 3). According to expert judgment, a safety target was evaluated in terms of faults per year (Table 4). Starting from a Functional FMECA (F-FMECA) analysis, it was possible to estimate the allocation indexes for the RPN (Table 5) and Sphynx (Table 6) methods, only in series configuration. The results show how the safety target influenced the allocated values [24] during the working and maintenance phases [25]. The analysis of the RPN results shows that (1) there are high values of allocated safety (series configuration), and (2) the standard deviation is high: there is a big difference between the safety values.
The analysis of the Sphynx results shows that (1) there are high values of allocated safety (series configuration), (2) there are some low values, and (3) the standard deviation is low.
There is no reference to a potential "buffer effect" (parallel configuration); in fact, in the Safety Block Diagram (SBD), there are only series configurations [26]. Table 7 summarizes these comparisons.
The proposed allocation approach, named the "Critical Risks Method", was developed for the toroidal machine [27], but it can also be useful for any critical infrastructure (series and parallel configuration).
The first stage was the examination of critical units according to expert judgment. In order to restrain the analysis to a low number of components, a critical unit ranking was developed [28]. The CRM is structured in the following steps:
Step 1: Definition of the system and units;
Step 2: Construction of a Safety Block Diagram (SBD);
Step 3: Preliminary Hazard Analysis (PHA) of the Top Events;
Step 4: F-FMECA analysis to point out the catastrophic/critical/marginal/minor functions of unit i;
Step 5: Calculation of the factors A1, A2, A3, A4, A5, and A6 for every unit, where:
Criticality Factor (A1): It allows the evaluation of the consequences on a Top Event caused by a total or partial unit failure. The factor assigns higher safety to less critical systems. The index can vary between 0 (n = ∞) for a low criticality of the unit and 1 (n = 1) for a highly critical one. The A1 factor is evaluated through the following equation: where "n" is the number of "buffer elements" (parallel configuration) that can oppose the realization of a risk. The factor permits the assignment of a low safety value to a parallel configuration (n > 1).
Environmental Risk Factor (A2): It allows the evaluation of the stress level caused by environmental factors on a single unit. The factor assigns higher safety to the most stressed unit.
where the fi value ranges between 1 and 100:
- f = 1 means a small influence of environmental conditions on unit i;
- f = 100 means a great influence of environmental conditions on unit i.
It could be difficult to estimate the f value in the pre-design phase. However, a simple evaluation will be possible in developed critical infrastructures, thanks to professional judgment and comparison with similar structures.
Technological Risk Factor (A3): It allows the evaluation of the stress level caused by technological factors on a single unit. The factor assigns higher safety to the most technologically advanced unit.
where the gi value ranges between 1 and 100:
- g = 1 means a small influence of technological conditions on unit i;
- g = 100 means a great influence of technological conditions on unit i.
It could be difficult to estimate the g value in the pre-design phase. However, a simple evaluation will be possible in developed critical infrastructures, thanks to professional judgment and comparison with similar structures. This represents the technological level of a single unit.
Functionality Factor (A4): The factor evaluates the functionality of the units in terms of structure, assembly, and interactions. It permits one to discriminate the complexity of the system units, linked to the number of functions.
Event factor K is: where the K numerator is the number of functions that may cause a catastrophic/critical/marginal/minor event.
In addition, functionality factor H is: where the H denominator is the ratio between the number of unit functions and the number of system functions. The H factor discriminates the complexity of the system units, linked to the number of functions. The functionality factors assign a high safety target to critical units (high H factor, low K factor), as opposed to the Sphynx method, which assigns a low safety target to a unit with many critical functions.
Complexity Factor (A5): See the Sphynx method (Equation (7)).
Step 6: Calculation of the Allocated Factor of unit i: Calculation of the Allocated Safety Weight of unit i: where wi is the global weight of the i-th unit. After the evaluation of wi, it is possible to allocate the safety target using Equation (2):
Step 7: Analysis of results.
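As an added worked example (not code from the paper, whose Equations (2), (7) and (10)–(17) are not reproduced on this page), the following Python script makes the allocation mechanics of the Hazardous Event Severity Matrix section and of Step 5 above concrete. It computes RPN = S × O × D for each failure mode on the 1–10 ordinal scale of IEC 60812, scores a unit by the sum of its failure-mode RPNs (an assumption; the paper's unit-level aggregation is not shown here), normalizes the scores into weights wi that sum to 1, and splits a system safety target S* (events/year) in proportion to those weights. To show the "buffer effect" of the criticality factor A1, it assumes the simplest function with the endpoints stated above, A1 = 1/n (A1 = 1 for n = 1, A1 → 0 as n → ∞); the unit names, ratings, buffer counts and the 0.02 events/year target are constructed sample data.

```python
"""Added worked example (not the paper's code): RPN-based series allocation
and the effect of a per-unit criticality (buffer) factor on the allocation."""
from dataclasses import dataclass
from typing import Dict, NamedTuple, Sequence, Tuple


@dataclass(frozen=True)
class FailureMode:
    """One FMEA failure mode with ordinal S, O, D ratings on the 1..10 scale."""
    name: str
    severity: int
    occurrence: int
    detection: int

    def rpn(self) -> int:
        """Risk Priority Number RPN = S x O x D; rejects ratings off the scale."""
        for value in (self.severity, self.occurrence, self.detection):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: ratings must be 1..10, got {value}")
        return self.severity * self.occurrence * self.detection


@dataclass(frozen=True)
class Unit:
    """A functional unit of the Safety Block Diagram."""
    name: str
    modes: Tuple[FailureMode, ...]
    buffers: int = 1  # n: parallel "buffer elements" able to oppose the risk; 1 = no redundancy

    def rpn(self) -> int:
        # Assumption: the unit score is the sum of its failure-mode RPNs
        # (the paper's unit-level aggregation is not reproduced on this page).
        return sum(mode.rpn() for mode in self.modes)


def criticality_factor(n: int) -> float:
    """Assumed form A1 = 1/n: A1 = 1 for n = 1 and A1 -> 0 as n -> infinity."""
    if n < 1:
        raise ValueError("n counts buffer elements and must be >= 1")
    return 1.0 / n


class Allocation(NamedTuple):
    weight: float            # w_i: share of the system target; the weights sum to 1
    events_per_year: float   # allocated S_i* = w_i * S* (assumed proportional split)


def allocate(units: Sequence[Unit], system_target: float,
             use_buffers: bool = False) -> Dict[str, Allocation]:
    """Score each unit (RPN, optionally multiplied by A1) and split the system
    safety target S* (events/year) in proportion to the normalized scores."""
    if system_target <= 0:
        raise ValueError("the system target must be a positive events/year figure")
    scores = {}
    for unit in units:
        factor = criticality_factor(unit.buffers) if use_buffers else 1.0
        scores[unit.name] = unit.rpn() * factor
    total = sum(scores.values())
    if total == 0:
        raise ValueError("all unit scores are zero; nothing to allocate")
    return {name: Allocation(score / total, score / total * system_target)
            for name, score in scores.items()}


# Constructed sample input: three hypothetical units of a cooling circuit.
SAMPLE_UNITS = (
    Unit("valve_A", (FailureMode("sticks closed", 8, 4, 5),
                     FailureMode("leaks", 6, 3, 4))),                 # RPN 160 + 72 = 232, no redundancy
    Unit("pump_B", (FailureMode("no flow", 7, 5, 4),), buffers=2),    # RPN 140, one standby pump
    Unit("tank_C", (FailureMode("level loss", 5, 2, 3),), buffers=3),  # RPN 30, two further tanks
)
SYSTEM_TARGET = 0.02  # constructed: 0.02 events/year for the whole system


if __name__ == "__main__":
    for label, flag in (("series only", False), ("with buffer factor A1", True)):
        print(label)
        for name, alloc in allocate(SAMPLE_UNITS, SYSTEM_TARGET, flag).items():
            print(f"  {name:8s} w={alloc.weight:.3f}  S_i*={alloc.events_per_year:.5f} events/year")
```

Running the script prints both allocations: with A1 applied, the redundant pump and tank units lose share of the failure budget and the single, non-redundant valve gains it, while the weights still sum to 1 and the allocated values still sum to S*. Whether a larger share is read as a more or a less stringent requirement for a unit depends on how the paper's Equation (2) applies the weight, which this page does not show; the script only demonstrates the proportional split and the direction of the buffer effect.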

Application of the CRM
The proposed approach was applied to the thermonuclear system described in Section 2. According to Preliminary Hazard Analysis (PHA) (Table 3), the proposed approach was applied for each Top Event.
Step 2: In reality, the Safety Block Diagram of the cooling system is a series-parallel configuration, and not all of the units shown in Table 2 are related to every Top Event. The SBD for each of the three Top Events was modified starting from the functional and FMECA tables. The CRM permits the evaluation of the subgroups of units influencing the Top Events together with their "buffer units" (parallel configuration). Figure 7 shows the safety block diagram for the second Top Event (low pressure in the cryostat) [29].

The SBD shows that a constant pressure value depends on the cycle of pressurization, but also on the presence of liquid nitrogen in the collection tank. Some nitrogen present in the tank evaporates, contributing to maintaining a fixed level of pressure in the cryostat [30]: Step 3: Analyzed in Section 4.

Step 4: Functional analysis (Table 8) and FMECA analysis (Table 9) were implemented to point out the catastrophic/critical/marginal/minor functions of Units 9, 4, 15, 10, and 7.

Table 8. Functional analysis (Functions | Mode | Note | Linked Units).
Control valve opening VC4 according to the pressure of the cryostat during the PLC cycle. | The opening is partial. Nominal pressure of c.a. 20 mm. | Incorrect functioning of the valve and its equipment (pressure sensors) could increase the pressure in the cryostat. | Unit 11
Control valve opening VC1 according to the cooling gradient of the magnets. | The opening is partial. | If the valve is opened excessively, a considerable amount of nitrogen is discharged into the cryostat and into the reservoir. | Unit 11
Setting the pressure of the CP1 pump by VC2. | The opening is partial. | Nothing | Nothing
Setting the pressure in the copper cooling circuit using VC3. | The opening is partial. Nominal pressure of 1.5 bar. | After the shot, the fluid heats up, increasing its volume. The valve prevents an excessive pressure increase due to the fluid mass input. | Unit 2

Table 9. FMECA Analysis of Unit 9.
Step 5: According to Equations (7) and (10)–(13), the allocation indexes were evaluated (Table 10).
Step 6: According to Equations (16) and (17), the safety allocation weights were evaluated. Then, according to Equation (2), the safety allocations were evaluated for the single units (Table 11) for Top Event 1 (Catastrophic):
Step 7: The CRM's outputs show two problems related to Units 7 and 9 (level regulation valve and pressure regulation valve). In order to reduce the risk of the above units, the new approach suggests filling the collection tank through Unit 7. The result is an increase in the pressurization of the cryostat. A similar critical state is highlighted in the pressurization cycle. In fact, a failure of Unit 9 could close the access of the gaseous nitrogen to the cryostat. In the same cycle, Unit 10 is less important. The reason is that Unit 10 works in less stressful operating conditions because its number of opening and closing cycles is reduced.

Unit 9-Pressure-Regulation Valves
In order to verify the CRM, safety targets were compared to the allocated safety values [31]. Subsequently, the results obtained were compared, in terms of Mean Absolute Deviation (MAD) and negative technological errors (Table 12), with the results obtained in Section 4 (Tables 6 and 7). In particular, the negative technological error is defined according to Equation (18).
If $S(t)_{\text{allocated}} < S(t)_{\text{databanks}}$, we obtain a negative technological error. The $\varepsilon_{\text{technological}}$ values highlight the criticalities of the allocation technique, particularly the sum $\sum(-\varepsilon_{\text{technological}})$.
The MAD for the CRM is the minimum ($\text{MAD}_{\text{CRM}} = 5.16 \times 10^{-4}$) in relation to the MAD for RPN and the MAD for Sphynx.
The results obtained with the CRM can be summarized as follows:
- Reduction of $S(t)_{\text{allocated}}$ for Units 4, 15 and 10 (parallel configuration); the average reduction is 28.61%. This means a good alignment with respect to the databank and substantial savings through the choice of less-performing units;
- Reduction of MAD of about 32.93%;
- Reduction of $(-\varepsilon_{\text{technological}})$ of about 38.69%.
The results highlight that the CRM assigns smaller allocated values to the components compared to the databanks (except Unit 15). These values ensure a "safety" condition for the nuclear units.
It is possible to notice that:
- The allocated safety values are comparable to the supplied safety ones;
- The units' performance and hierarchy are respected (Figure 8).
However, the shortcomings of the CRM are:
- Factors $A_2$ and $A_3$ are quali-quantitative values;
- Factor $A_5$ is a qualitative value and is difficult to evaluate without expert judgement.
These limitations lead to some allocated values greater than those of the databanks (e.g., Unit 15). In this case, the units' performance and hierarchy are not respected. Future research aims to define a quantitative approach for factors $A_2$, $A_3$, and $A_5$.
By comparing the results, the proposed methodology yields results that are closer to those of the databanks, respecting and highlighting the hierarchies of performance among units. The reason is simple: the new approach has been structured for series and parallel systems, not only for series ones. This allows important economic savings, since the system's units require less restrictive allocation values.
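The verification step above (comparing allocated safety values with databank values through MAD, the negative technological errors, and the units' hierarchy) as an added example; this is not the paper's own code. Because Equation (18) is not reproduced here, the error is assumed to be the signed difference S(t)_allocated - S(t)_databanks, and the unit values below are constructed, not the paper's Table 12 data.

```python
from typing import Dict, List

# Constructed sample values in failures/year (NOT the paper's Table 12 data).
DATABANK: Dict[str, float] = {"Unit 4": 8.0e-3, "Unit 7": 5.0e-3, "Unit 9": 6.0e-3,
                              "Unit 10": 4.0e-3, "Unit 15": 3.0e-3}
ALLOCATED: Dict[str, Dict[str, float]] = {
    # A series-only method over-allocates safety (every unit well below databank).
    "Series-only": {"Unit 4": 5.0e-3, "Unit 7": 3.2e-3, "Unit 9": 4.1e-3,
                    "Unit 10": 2.5e-3, "Unit 15": 2.0e-3},
    # A series-parallel method stays closer, but Unit 15 ends above the databank.
    "CRM": {"Unit 4": 7.0e-3, "Unit 7": 4.2e-3, "Unit 9": 5.1e-3,
            "Unit 10": 3.4e-3, "Unit 15": 3.3e-3},
}


def technological_errors(allocated: Dict[str, float], databank: Dict[str, float]) -> Dict[str, float]:
    """Assumed form of Equation (18): eps = S(t)_allocated - S(t)_databanks (negative = safer)."""
    return {u: allocated[u] - databank[u] for u in databank}


def rank(values: Dict[str, float]) -> List[str]:
    """Units ordered from highest to lowest S(t); used for the hierarchy check."""
    return sorted(values, key=values.__getitem__, reverse=True)


def verify(allocated: Dict[str, float], databank: Dict[str, float]) -> Dict[str, object]:
    """Table-12-style metrics for one allocation method."""
    errs = technological_errors(allocated, databank)
    return {
        "MAD": sum(abs(e) for e in errs.values()) / len(errs),
        # Sum(-eps) over the negative technological errors only.
        "sum_neg_eps": sum(-e for e in errs.values() if e < 0),
        # Units whose allocated value exceeds the databank (the Unit 15 case).
        "over_allocated": sorted(u for u, e in errs.items() if e > 0),
        # Hierarchy respected when the allocation keeps the databank ranking.
        "hierarchy_respected": rank(allocated) == rank(databank),
    }


def reduction_pct(old: float, new: float) -> float:
    """Percentage reduction of a metric from the reference method to the new one."""
    return (old - new) / old * 100.0


if __name__ == "__main__":
    results = {m: verify(a, DATABANK) for m, a in ALLOCATED.items()}
    for method, r in results.items():
        print(f"{method:12s} MAD={r['MAD']:.2e}  sum(-eps)={r['sum_neg_eps']:.2e}  "
              f"over={r['over_allocated']}  hierarchy={r['hierarchy_respected']}")
    print(f"MAD reduction: {reduction_pct(results['Series-only']['MAD'], results['CRM']['MAD']):.2f}%")
```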

Conclusions
In this research, we analyzed a safety allocation issue in a critical infrastructure with many series-parallel units. The conventional safety allocation approaches were developed for critical infrastructures with series configurations, but not for series and parallel ones. Their output is an increase of the safety allocated to the subsystems in series in order to ensure the safety target. In reality, designing and manufacturing a subsystem with an extremely high safety rate would consume a considerable amount of economic resources. The aim of the present paper was to overcome the limitations of the techniques from the literature. The proposed technique was applied in a nuclear infrastructure. By comparing the CRM results with those of conventional methods in terms of MAD and $\varepsilon_{\text{technological}}$, we validated the CRM. The comparison pointed out that the CRM provides outputs more similar to those obtained with real data. The new approach points out safety values that are closer to the databanks and permits a more economical unit design.
The main advantages of the CRM are highlighted below:
- The CRM solves the fundamental problem (parallel configurations) by using new indexes ($A_1$, $A_2$, $A_3$, $A_4$, $A_5$, and $A_6$);
- The CRM results allow the efficient allocation of safety values, meeting customer needs, controlling reasonable support costs, and decreasing manufacturing and maintenance costs [31];
- The comparison with the literature is described as follows:
  - The MAD of the CRM is smaller than the MAD of the literature methods and is equal to $5.16 \times 10^{-4}$ (failures/year);
  - The $(-\varepsilon_{\text{technological}})$ of the CRM is smaller than that of the literature methods and is equal to $-2.42 \times 10^{-3}$ (failures/year).