Risk, Reliability and Societal Safety Aven & Vinnem (eds) 2007 Taylor & Francis Group, London, ISBN 978-0-415-44786-7 Safety-barrier diagrams N.J. Duijm Systems Analysis Department, Ris National Laboratory, Technical University of Denmark, Roskilde, Denmark ABSTRACT: Safety-barrier diagrams and the related so-called bow-tie diagrams have become popular methods in risk analysis. This paper describes the syntax and principles for constructing consistent and valid safety-barrier diagrams. The relation with other methods such as fault trees and Bayesian networks are discussed. A simple method for quantification of safety-barrier diagrams is proposed, including situations where safety barriers depend on shared common elements. It is concluded that safety-barrier diagrams provide a useful framework for an electronic data structure that integrates information from risk analysis with operational safety management. 1 INTRODUCTION Since the 1980-s, safety-barrier diagrams have been used in Denmark as a tool for risk analysis in the pro- cess industry. Safety-barrier diagrams became popular because it appeared that these diagrams were helpful in communication with non-experts by showing visually what actions had been taken to prevent and mitigate accidents. Therefore it became a tool that is appre- ciated and promoted by the competent authorities in Denmark. Over the last five years, the concept of safety barri- ers has gained interest internationally in the framework of the so called bowtie which is essentially a bar- rier diagram with a Critical Event. While a lot of literature exists concerning other (and comparable) risk-analysis tools like fault trees (FT), event trees (ET) andBayesianNetworks (BN), little or nothinghas been published concerning the principles of constructing safety-barrier diagrams. This paper describes the principles for safety- barrier diagrams in order to draw consistent and valid diagrams. The relation with other graphical presenta- tions (FT, ET and BBN) and the layer of protection analysis (LOPA) is described, and the advantages and disadvantages as compared to these presenta- tions discussed. One clear advantage of safety-barrier diagrams is the focus on the safeguards that are delib- erately inserted in the system to prevent or mitigate accidents, so safety-barrier diagrams show directly the issues that are the primary concern of safety management. 2 SYNTAX OF SAFETY-BARRIER DIAGRAMS 2.1 Definition of safety barriers The notion of safety barriers has recently been dis- cussedbySklet (Sklet, 2006). Previouslythe definition of safety barriers has been linked to the safety func- tion (Harms-Ringdahl, 2000; Harms-Ringdahl, 2003; IEC, 2003) or barrier function (Hollnagel, 2004). Sklet defines the barrier function as: A barrier function is a function planned to prevent, control, or mitigate undesired events or accidents, and the corresponding definition of safety barriers is proposed as: Safety barriers are physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents. In his discussion, Sklet emphasizes that the safety barrier should be directly related to the event sequence or accident scenario, and that it should not include the risk influencing factors that affect the barrier per- formance. This is an important observation if safety- barrier diagrams are to be used as comprehensive documentation of possible event or accident scenarios, and it is in line with the concept used in the ARAMIS and BORA projects about the relation between safety barriers and organizational factors including safety management (Aven et al., 2006; Duijm & Goossens, 2006). Therefore, the definition of safety barriers and 9 Aven CH002.tex 17/5/2007 9: 19 Page 10 barrier functionshouldbe slightlymore restrictive, and avoid the vagueness of the term non-physical. As the notion of an abstract barrier function explic- itly recognizes the possibility of implementing these functions by different alternative solutions, it is the preferred basis for a definition, so: A barrier function is a function planned to prevent, control, or mitigate the propagation of a condition or event into an undesired condition or event; A safety barrier is a series of elements that imple- ment a barrier function, each element consisting of a technical system or human action. Some safety barriers implement the safety function by the mere presence of their elements (e.g. a tank pit or a firewall), these are called passive safety barriers. Other safety barriers perform an action in response to a certain state or condition, these are called active barriers. Active barriers always include a sequence of detection diagnosis action (in LOPA (Center for Chemical Process Safety, 2001) called DDD: detect diagnose deflect). A more correct term for these barriers would be activated barriers, as e.g. a venti- lation system or active corrosion protection doesnt include this DDD sequence, but work continuously, and, thereby, should be considered a passive barrier. For a discussion of different barrier types, see (de Dianous & Fievez, 2006; Duijm and Goossens, 2006; Guldenmund et al., 2006). 2.2 The syntax and definition of barrier diagrams A barrier diagram is a graphical presentation of the evolution of unwanted events (initiating events or conditions) through different system states depending on the functioning of the safety barriers intended to prevent this evolution. A barrier diagram represents possible (accident) scenarios. It is a graph within the framework of mathematical graph theory. A barrier diagram is a directed graph by nature of the evolution (normally in time), and the subsequent fact that one cannot move backwards through the diagram. In principle one could imagine barrier diagrams that are cyclic, i.e. diagrams that contain closed loops. This would mean that the actions of some barriers could lead to conditions that appear earlier in the scenario. However, this paper is restricted to acyclic diagrams. The advantage of directed, acyclic graphs is that they allow for a mathematical evaluation of the likelihood of the states in the diagram, given the ini- tial states and initiating events and the likelihoods of the functioning of the barriers. The exclusion of cyclic barrier diagrams is not a severe restriction in prac- tice. One may notice that also event trees, fault trees, cause-consequence diagrams and Bayesian networks, to which the barrier diagrams are closely related, are directed, acyclic graphs. Using the terminology of graph theory, the barri- ers are the nodes or vertices of the graph. The edges between the nodes correspond to conditions or states of the system: on the left-hand side of a barrier, such a condition is the condition or event that triggers the barrier to function (demand state or condition) while normally the condition on the right-hand side is the condition when the barrier has failed (condition on failure). Alternatively other states on the right- hand side can be defined, corresponding to different responses of the barrier, but usually only two barrier outcomes are considered, viz. success or failure. E.g. for a pressure relief valve, the successful deployment leads to a release of material, which is not a normal condition and therefore may be included in the barrier diagram giving rise to an alternative scenario (i.e. an alternative path through the barrier diagram). We use the graphical notation for barriers with two states on the right-hand side as in Figure 1. Logically, the barrier represents an AND gate, i.e. the condition on failure occurs when the demand con- dition occurs and the barrier fails. This is shown in Figure 2. Note that in this presentation one cannot show the condition on success without introducing a new input condition (barrier works) and a new logical gate. One of the main advantages of barrier diagrams is their relative simplicity as compared to Figure 1. Convention for picturing a barrier with condition on success displayed. Figure 2. Abarrier logical representation by means of AND gates. 10 Aven CH002.tex 17/5/2007 9: 19 Page 11 fault trees and event trees, which makes them useful for communication with non-experts. A barrier diagram can be displayed as in Figure 3. The diagram reads from left (a scenario starting with initiating events) to right (a scenario ending with a consequence). 2.3 Properties and restrictions of safety-barrier diagrams In order to design meaningful and logically consistent safety-barrier diagrams, we discuss some restrictions and properties of barrier diagrams. Barriers may not be bypassed. The condition after the barrier is different from the condition before the barrier (if not physical, then at least logical: on the left- hand side of the barrier, we have no knowledge on the success of the barrier, while on the right-hand side, we know whether the barrier has been effective or not, so the probabilities of the states are different on the two sides). This means that shortcuts parallel to barriers are not possible as in the barrier diagram in Figure 4 (barrier B2). This is of course straightforward: if the shortcut would exist, the barrier B2 is irrelevant. This means that the edges on all sides of each barrier are unique. It also means that in these graphs the edges contain information, i.e. they represent clearly defined conditions or events. Converging and diverging graphs. It is useful to dis- tinguish between converging or diverging graphs (or parts of graphs). Converging graphs are graphs where a node is linked to only one node on the right-hand side (i.e. in the direction of the edges direction), so in Figure 3. Basic example of a barrier diagram. Figure 4. Invalid barrier diagram. Figure 3 the barriers B1, B2 and B3 form a converg- ing graph. In a converging diagram the edges that link several left-hand side barriers to the right-hand side barrier represent an OR gate, i.e. the demand condi- tion for barrier B3 in Figure 3 above appears when the condition on failure of barrier B2 or the condition on failure of barrier B1 appears (alternative scenarios). Converging diagrams can effectively represent fault- tree-like paths to a critical event with several initiating events (see below). Diverging graphs are those where a node has more than one right-hand side node or edge, such as formed by barrier B3 in Figure 3, but also barrier B1 in Fig- ure 5 (B1 is linked to both B2 and B3 on the right-hand side). In a diverging diagram the edges that link one left-hand side barrier to several right-hand side bar- riers, represent parallel pathways, i.e. the probability of each of the pathways through the right hand side barriers is equal to the probability of the originating condition following the left-hand side barrier. So barri- ers B2 and B3 in Figure 5 are both demanded on failure of barrier B1. This does not express mutually exclusive paths as in an event tree, where the sum of the con- ditional probabilities over the diverging paths would be 1. Event-tree like diverging behavior can only be included in a barrier diagram by means of barriers that have more than one right-hand side states or condi- tions, as illustrated by barrier B3 in Figure 3. (It should be noted that event trees can easily be described with diverging Bayesian networks, where the distribution over parallel nodes is provided by a priori conditional probabilities, see below). Diverging behavior as illustrated by barriers B2 and B3 in Figure 5 is relevant if a hazardous situation has more than one consequence. E.g. spillage of a liquid can lead to both evaporation and a hazardous cloud and to pollution of the ground for both events bar- riers can be put in place. In this case it is unlikely that the pathways at some later point will join again. Another possibility is that several barriers simultane- ously act against the escalation of an event, e.g. when a flammable cloud appears, ignition can be minimized by both the installation of explosion-save equipment Figure 5. Example of a diverging barrier diagram. 11 Aven CH002.tex 17/5/2007 9: 19 Page 12 Figure 6. Two parallel barriers between two events. (passive barrier) and prohibiting smoking and open fire (behavioral barrier based on passive warning). In that case the condition on failure of both barriers is identical (ignition of the cloud), see Figure 6. A barrier diagram can be divided into a set of connected barrier diagrams. A safety-barrier diagram can be split into several diagrams. A barrier diagram contains edges to the external environment. These correspond to initiating events or initial conditions at the left-hand side and consequences at the right-hand side. But a consequence from one diagram can be an initiating event for another diagram and vice versa. There are no formal rules how to start or stop a bar- rier diagram; one is free to split a diagram in as many diagrams as possible, where the minimumsize of a dia- gramconsists of a single barrier and its corresponding demand condition and condition on failure or success. But if diagrams share conditions or events, i.e. the dia- grams are connected; it should be possible to generate one single diagram, which again should be directional and acyclic. Barriers and conditions are unique. Each barrier responds to a well defined demand condition and leads to well defined conditions on success or failure (or other possible outcomes of the barrier if one allows for this). This means that the same barrier cannot be part of parallel paths through the barrier diagram unless these paths are fullyidentical. Together withthe acyclic requirement this implies that each barrier and each condition in the diagram is unique. In a set of con- nected diagrams (as described above) each barrier is unique, while conditions can be used more than once only as consequence and initiating event. Note that elements that make up the barrier need not to be unique, i.e. unique barriers can have common power supply or actions in several barriers are per- formed by the same operator. These common elements need of course to be accounted for when quantifying the probability of scenarios. 2.4 Logical gates As depicted in Figure 2, a barrier is to be considered as an AND gate: The condition on failure occurs if the Figure 7. Variation of barrier diagram from Figure 3 with AND gate. Figure 8. Barrier diagram with an explicit OR gate. demand condition occurs and the barrier fails. But if two or more different necessary conditions depend on left-hand side initial events and barriers, it is impos- sible to construct a collective barrier diagram without the concept of a separate AND-gate. In Figure 7 the demand condition for barrier B3 is only fulfilled if the condition on failure for both barrier B1 and B2 are fulfilled (which automatically requires that both initial conditions 1 and 2 occurred) Barrier diagrams can be constructed without the need of an OR-Gate. A condition can be the outcome of more than one barrier, thus this condition repre- sents the joint OR condition for the continuation of the scenario. The demand condition for barrier 3 in Figure 3 is the joint result (OR result) of the outcomes of barriers 1 and 2. However, there may be situations where one prefers to show explicitly that a condition can be a result of more than one event or situation. This will especially be the case where several initiat- ing events create the same hazardous condition (e.g. loss of power or mechanical failure or loss of coolant leads to temperature rise in a reactor). For this rea- son OR-gates can be included in a similar way as an AND-gate, see Figure 8. 3 SAFETY-BARRIER DIAGRAMS AND OTHER REPRESENTATIONS A barrier diagram doesnt include other information than can be presented by either fault trees or event trees. As stated above, a barrier can be represented 12 Aven CH002.tex 17/5/2007 9: 19 Page 13 by an AND gate to represent the relation between the demand conditions and the condition on failure, respectively as an event-tree branch to show the alter- native possibilities of the condition on failure and the condition on success. The combination of fault trees and event trees in a single diagram has been introduced as a cause-consequence diagram in the early seventies (Lees, 2001; Nielsen, 1971; Nielsen, 1974; Taylor, 1973). The cause-consequence diagram combines one or more fault trees (cause diagrams) leading to a critical event, followed by a consequence diagram which combines elements from event trees (binary branches) with fault-tree type logic (gates). The cause- consequence diagram syntax as developed by Nielsen and Taylor is quite extensive, in (Nielsen, 1974) are described some 25 different symbols to be used in cause-consequence diagrams. It is interesting to note, that cause-consequence diagrams allow for a time- delay symbol, which makes it possible to show and consider some dynamic aspects in safety analysis, such as time available for intervention, an aspect that is included explicitly in neither fault trees, event trees nor safety-barrier diagrams. The safety-barrier diagramas such does not provide extra information than a cause-consequence diagram, but the representation is simpler, which makes it easier to identify the elements in a socio-technical system that perform deliberate safety functions. Late research activities (ARAMIS, WORM) pro- mote the use of the so-called bowtie (Aneziris et al., 2006; Delvosalle et al., 2006; Salvi & Debray, 2006). The bowtie should consist of a fault tree on the left- hand side, leading to a critical event, followed by an event tree to show the possible outcomes or con- sequences of the critical event, c.f. the description of cause-consequence diagrams, see Figure 9. These bowties are often displayed with barriers to prevent (on the left-hand side) the critical event or mitigate (on the right-hand side) the consequences, see (de Dianous and Fievez, 2006; Salvi and Debray, 2006). We can therefore state that a bowtie is a special case of a safety- barrier diagram, where all paths (scenarios) through the diagramstarting fromone or more initiating events converge to at least one shared event before the dia- gram diverges to one or more consequences. One of the shared events is the critical event of the bowtie. 3.1 Condition graph In stead of using the barriers as nodes, one can also use the conditions as nodes, and the barriers as the edges between conditions. In this form, the graph becomes a Bayesian network (BN), (Jensen, 1996) where the conditional probability tables of the nodes contain the information regarding the failure or success rates of Figure 9. Example of a bowtie diagram. Figure 10. Condition graph or Bayesian Network that corresponds to the barrier diagram of Figure 3. the barriers, see Figure 10. These graphs are some- what less restrictive than barrier diagrams, e.g. there are no restrictions on the number of branches as com- pared to barrier diagrams, where a barrier normally only has two possible output states. Also the edges can represent natural events, not necessarily deliberate (i.e. subject to safety management) barriers such as ambient temperature or wind direction. But the disad- vantage of the BN is that the logical relations (AND, OR) cannot be visualized in the graph they are hid- den in the conditional probability tables that link the conditions in the BN - while the barriers are degraded to connecting arrows. 3.2 Layer of protection analysis The layer of protection analysis (LOPA) has been intro- duced as a means to rationalize the decision making in safety management related to protection layers (which can be considered to be synonymous to the con- cept of safety barriers in this paper) (Center for Chem- ical Process Safety, 2001). Both LOPA and safety- barrier diagrams aim at making explicit what specific measures are present or should be installed to ensure safe operation. Many of the considerations in LOPA especially with regards to the need of independency between safety systems using the concept of Indepen- dent Protection Layers (IPL) are equally applicable when drafting and developing safety-barrier diagrams. 13 Aven CH002.tex 17/5/2007 9: 19 Page 14 Figure 11. Fault tree with two root causes involving operator action. However, there may be two notable differences, mainly related to the (restrictions of) the use of written forms in LOPA. Firstly, the graphical presentation of the safety-barrier diagramis expected to be better suited in the communication with non-experts. Secondly, LOPA is restricted to one-to-one relations between a sin- gle initiating event (though an Enabling condition and Conditional Modifiers are allowed) and a single consequence. Safety-barriers diagrams allow includ- ing alternative initiating events and different resulting consequences for the same analysis. 4 QUANTIFICATION OF SAFETY-BARRIER DIAGRAMS Safety-barrier diagrams can be used to evaluate the likelihood of the consequences depicted on the dia- gram(or for that matter, the likelihood of any condition in the diagram) given the expected frequency or probability of initiating events or conditions and the probabilities of failure on demand (PDF) of the safety barriers. Safety-barrier diagrams can be quantified using the same methods as used for fault trees, such as the minimum cut sets or Monte Carlo simulation. As all conditions and barriers in the diagramare unique, min- imum cut sets can be easily derived from the topology of the diagram, where parallel paths represent alter- native scenarios (OR condition) while the conditions and barriers in a single string are necessary (AND condition). But in many cases the propagation of likelihood through the diagram is straightforward in diagrams that do not exhibit diverging-converging paths as exemplified in Figure 6. In those cases it is not nec- essary to derive minimum cut sets (unless the barriers have common dependencies, see below). When quantifying barrier diagrams one should real- ize the difference between events where likelihood is expressed as the expected frequency (unit: time 1 ) and conditions where likelihood is expressed as a (condi- tional) probability (dimensionless). In this paper we only consider events. In that case the following rule can be applied to propagate the expected frequency through the diagram: Here f c is the expected frequency of an event that occurs on failure of one out of k, or success of one out of m preceding barriers, while the demand condi- tions of these barriers have an expected frequency of f i or f j , respectively. The same expression can be used for propagation through an OR gate, with PFD=1 and m=0. An AND gate can only have one event as input, the other inputs need to be conditions. The resulting output fre- quency is the product of the one event input frequency and the probabilities of the other inputs. 4.1 Dependency between barriers In many systems, some safety barriers depend on common elements to fulfill the safety function. The common elements can be physical infrastructures, such as power supply or the control system. There are also situations, where an operator has to react on dif- ferent signals and alarms. If the same operator has to performthese tasks, the operator is a common element 14 Aven CH002.tex 17/5/2007 9: 19 Page 15 Figure 12. Safety diagram equivalent to the fault tree in Figure 11 with dependent operator actions. in the different alarm-based barriers. As an example, Figure 11 shows part of a fault tree discussed by Lees (Lees, 2001). In this fault tree there are two root causes operator fails to intervene (level rise as indicated by level meter) and operator fails to intervene High Alarm. This fault tree can be pictured as a barrier diagram as in Figure 12. The barriers Level Intervention and HighAlarm Intervention can be described with a block diagram where the functioning of the instrumentation (level meter or alarm) and the action from the operator are in series. The barrier fails if either the instrumentation fails or if the operator fails, so the PFDof the total bar- rier is the sum of the PFD of the instrumentation and the PFD of the operator. In general, if P 1 is the PFD of the whole barrier B 1 , which involves a common ele- ment E with a PFD P E , then the remaining elements of the barrier B 1 in series with E have a PFD: If in a barrier diagram consisting of a single path as in Figure 11 a barrier B 1 (e.g. Level Intervention) at some later point is followed by a barrier B 2 (e.g. High Alarm Intervention), and both barriers have element E (i.e. control room operator action) in common, then the demand condition of barrier B 2 only occurs if B 1 has failed. So instead of the a priori PFDP 2 one should use the conditional probability P 2 to propagate the expected frequencythrough the diagram. Using Bayes rule one can derive: This formula can be extended for n barriers that depend on E, by replacing P 2,R with P n,R and the probability of E conditional on failure of B 1 by: It is straightforward to extend this rule to multiple common elements, while it is also possible to derive similar rules for barriers where some of the barrier ele- ments are in parallel (n-out-of-m systems). But these rules can only be applied if the barrier diagrams are not converging up to the condition of interest (diver- gence is allowed if each path is evaluated separately). If common elements appear in more than one converg- ing path, the above mentioned methods developed for fault tree evaluation need to be used. When barriers share common elements throughout the converging branches, minimum cut sets can no longer be derived directly from the diagrams topology. 5 DISCUSSION In this paper, safety-barrier diagrams have been pre- sented as a comprehensive method for analyzing risk. Syntax, restrictions and requirements are discussed. Rules to quantify the likelihood of the outcomes of accident scenarios from safety-barrier diagrams have been proposed. It is obvious that nowadays safety-barrier diagrams will be developed as electronic data structures, where the graphical presentation and the quantification are only two of the expressions of all the available data. It is mentioned in this paper that safety-barrier diagrams are simpler and use fewer symbols than fault trees or cause-consequence diagrams. This simplification could lead to loss of information, but an underlying data structure that captures and stores the invisible information, will resolve this apparent loss. We suggest that the syntax of barrier diagrams with objects describing safety barriers linked to conditions or events is a useful architecture for a data structure that can be used for both risk analysis and safety man- agement. Such a data structure can link additional information to the safety barriers, such as management factors and actions that influence barrier performance (Aven et al., 2006; Duijm and Goossens, 2006), oper- ational information such as procedures, maintenance records and incident reports. REFERENCES Aneziris, O.N., Papazoglou, I.A., Mud, M.L., Baksteen, H., Post, J., Ale, B.J.M., Hale, A., Bellamy, L.J., Bloemhof, A. & Oh, J.I.H. 2006. Towards risk assessment for crane activities. In Guedes Soares, C. and Zio, E. (eds.), Safety andReliabilityfor ManagingRisk, Proceedings of ESREL 2006: 733740, London: Taylor & Francis Group. Aven, T., Sklet, S. & Vinnem, J.E. 2006. Barrier and operational risk analysis of hydrocarbon releases (BORA- Release): Part I. Method description. Journal of Haz- ardous Materials 137(2): 681691. Center for Chemical Process Safety 2001. Layers of protec- tion analysis simplified process risk assessment. New York: American Institute of Chemical Engineers. de Dianous, V. & Fievez, C. 2006. ARAMIS project: A more explicit demonstration of risk control through the use 15 Aven CH002.tex 17/5/2007 9: 19 Page 16 of bow-tie diagrams and the evaluation of safety bar- rier performance. Journal of Hazardous Materials 130(3): 220233. Delvosalle, C., Fievez, C., Pipart, A. & Debray, B. 2006. ARAMIS project: A comprehensive methodology for the identification of reference accident scenarios in pro- cess industries. Journal of Hazardous Materials 130(3): 200219. Duijm, N.J. & Goossens, L. 2006. Quantifying the influence of safety management on the reliability of safety barriers. Journal of Hazardous Materials 130(3): 284292. Guldenmund, F., Hale, A., Goossens, L., Betten, J. & Duijm, N.J. 2006. The development of an audit technique to assess the quality of safety barrier management. Journal of Hazardous Materials 130(3): 234241. Harms-Ringdahl, L. 2000. Assessment of safety functions at an industrial workplace A case study. In Cottam, M. P., Harvey, D. W., and Pape, R. P. (eds.), Foresight and Precaution, ESREL 2000: 13731378, Edinburgh: Balkema. Harms-Ringdahl, L. 2003. Assessing safety functionsresults from a case study at an industrial workplace. Safety Science 41(8): 701720. Hollnagel, E 2004. Barriers andAccident Prevention. Hamp- shire, UK: Ashgate. IEC 2003. International Standard IEC 61511-1, Functional Safety Safety instrumented systems for the process industry sector Part 1: Framework, definitions, system, hardware and software requirements. Geneva, Switzer- land: IEC. Jensen, F V 1996. An introduction to Bayesian Networks. London: UCL Press. Lees, F. P. 2001. Chapter 9: Hazard Assessment. Loss pre- vention in the process industries Edition 2. Oxford: Butterworth Heinemann. Nielsen, D.S. 1971. The Cause/Consequence Diagram Method as a Basis for Qiantitative Accident Analysis. Ris-M-1374. Roskilde: Danish Atomic Energy Commi- sion, Ris. Nielsen, D.S. 1974. Use of Cause-Consequence Charts in Practical Systems Analysis. Ris-M-1743.: 124. Roskilde: Danish Atomic Energy Commission, Ris. Salvi, O. & Debray, B. 2006. A global view on ARAMIS, a risk assessment methodology for industries in the frame- work of the SEVESO II directive. Journal of Hazardous Materials 130(3): 187199. Sklet, S. 2006. Safety barriers: Definition, classification, and performance. Journal of Loss Prevention in the Process Industries 19(5): 494506. Taylor, J.R. 1973. A formalisation of failure mode analysis of control systems. Ris-M-1654. Roskilde: Danish Atomic Energy Commission, Ris. 16