Nicoleta Maynard, 2009

WEEK 8 PLAN:
- Quantitative estimation of fault trees: the rules
- Reliability assessment of protective systems
- Analysis of systems with common failures
- Human errors in fault tree analysis
- Uncertainties
- Quantitative estimation of event trees
- Your example on fault/event tree
- In-class work
BOOKS & JOURNALS
- Skelton, Bob. Process Safety Analysis: An Introduction, chapter 7
- Cameron, I. and Raman, R. Process Systems Risk Management, chapter 8
- Lees' Loss Prevention in the Process Industries: Hazard Identification, Assessment and Control, edited by Sam Mannan (free electronic resource at Curtin's library)
RESOURCES used for discussions/debate

FAULT TREE AND EVENT TREE STRUCTURES
[Figure: the fault tree traces from the top event back to basic events e1 to e6; the event tree traces from a starting event forward to consequences C1 to C5.]
FAULT TREE GATE SYMBOLS (Source: Ian Cameron)
Symbol | Name | Causal relation
AND gate | AND | Output occurs only if all inputs occur simultaneously
OR gate | OR | Output occurs if any input event occurs

FAULT TREE EVENT SYMBOLS
- Top event
- Basic event: not requiring further development
- House event: assumed to exist as a boundary condition
- Basic event used to represent a demand

FAULT TREE BASIC STRUCTURES (INDEPENDENT EVENTS)
OR gate, T = BE1 OR BE2:
  Probability (-):        $P(T) \approx P(BE_1) + P(BE_2)$  (rare-event approximation; the exact value is $1 - (1 - P(BE_1))(1 - P(BE_2))$, which the sum slightly overestimates)
  Frequency (time^-1):    $f(T) = f(BE_1) + f(BE_2)$
AND gate, T = BE1 AND BE2:
  Probability (-):        $P(T) = P(BE_1) \cdot P(BE_2)$
  Frequency (time^-1):    $f(T) = f(BE_1) \cdot P(BE_2)$

QUANTITATIVE EVALUATION OF FAULT TREES
What do we need? Failure rate data (Cameron, section 8.7) and the gate rules:
OR gate rules:
- can add the input frequencies
- can add the input probabilities
- cannot add an input frequency and an input probability
AND gate rules:
- can multiply the input probabilities
- can multiply a frequency by a probability
- cannot multiply two input frequencies

FAULT TREE PROTECTIVE SYSTEM STRUCTURES
The common scenario involves two major issues: the demand rate on the protective system, and the performance of the protective system.
Generic tree: Hazard occurs (T) = Demand on system AND Protective system fails.
Example tree: Stranded on highway (T) = Tyre blowout (BE1) AND Repair not possible (G1), where G1 = No spare tyre (BE2) OR No jack (BE3) OR No spanner (BE4). The blowout is the demand (a frequency); the repair failing is the protection failing (a probability).

RELIABILITY ASSESSMENT OF PROTECTIVE SYSTEMS
Fractional dead time (FDT): the fraction of the total time that the protective device is in a failed state.
Two types of protective system failure:
- Revealed failure: detected before the demand
- Unrevealed failure: not known about before the demand
HR = D . FDT, where HR = hazard/incident rate, D = demand rate (incidents/time), FDT = fractional dead time.
Probability of failure on demand: for unrevealed failures this is the FDT.

THE FRACTIONAL DEAD TIME (FDT) (Source: Ian Cameron, Ch. 8 / Skelton, Ch. 7)
Function of: the mean failure rate of the component ($\lambda$) and the proof test interval ($T_p$).
$$\mathrm{FDT} = 1 - \frac{1}{\lambda T_p}\left(1 - e^{-\lambda T_p}\right)$$
$$\mathrm{FDT} \approx 0.5\,\lambda T_p \quad \text{for } \lambda T_p \ll 1$$
Assumptions: failures occur randomly at any time during a proof-test interval, so on average a failure occurs halfway through the interval (over a large number of test intervals).

THE FRACTIONAL DEAD TIME (contd.)
Beyond the $0.5\,\lambda T_p$ term, the FDT should take into account:
- the duration $t$ of the test itself (the protective system may be disarmed while it is tested)
- the human error probability $c$ of leaving the protective system disarmed after a test
$$\mathrm{FDT} = 0.5\,\lambda T_p + \frac{t}{T_p} + c$$
If $t \ll T_p$, then $t/T_p \approx 0$.

FDT EXAMPLE
The failure rate of an emergency shutdown valve is 0.05 p.a. The proof test interval is once every 6 months. During each test the system is disarmed for 1 h. The general human error probability for omitting to re-arm the trip is 0.003 per operation.
$\lambda$ = 0.05 p.a.
$T_p$ = 0.5 year
$t$ = 1 h = 1/8760 year
$c$ = 0.003
FDT = 0.5 $\lambda T_p$ + $t/T_p$ + $c$ = 0.0125 + 0.000228 + 0.003 = 0.0157
(The test term is the disarmed time as a fraction of the interval: 1 h in 4380 h = 2.28E-4.)
If $T_p$ = 1/12 year (monthly): FDT = 0.00208 + 0.00137 + 0.003 = 0.0065
(1 h in 730 h = 1.37E-3.) Testing more often reduces the $0.5\,\lambda T_p$ term but increases the test-downtime term, and the re-arm error $c$ does not shrink at all; at monthly testing those two terms already dominate the FDT.

ANALYSIS OF SYSTEMS WITH COMMON FAILURES
Assuming that the various inputs to a gate are independent is often wrong. It is essential to identify and treat common cause issues.
Example: a component contributing to a demand is also used in the protection system (a control valve doubling as the trip valve).

CHLORINE/ETHYLENE REACTOR P&ID (Source: Ian Cameron, Ch. 8)
[P&ID figure not reproduced.]

CHLORINE REACTOR EXAMPLE
Demand events:
- Cl2 control valve sticks open (A): 0.2 p.a.
- Cl2 control system (including sensor) malfunction (B): 0.1 p.a.
- C2H4 control valve sticks closed (C): 0.2 p.a.
- C2H4 control system (including sensor) malfunction (D): 0.1 p.a.
Protection system failures:
- Cl2/C2H4 ratio high trip fails (E): FDT 0.005
- Cl2 valve fails to close on demand: this is the same control valve as demand event A, so it is a common-cause failure of the protection, not an independent basic event
Top event: release of Cl2 to atmosphere.

CHLORINE REACTOR EXAMPLE: FAULT TREE AFTER REDUCTION
Because A both creates the demand and defeats the trip, the tree reduces to
T = A + (B + C + D) . E
  = 0.2/yr + (0.1 + 0.2 + 0.1)/yr x 0.005
  = 0.2/yr + 0.4/yr x 0.005 = 0.2 + 0.002 = 0.202 p.a.
Note the units: the demands are frequencies, E is a probability, so the AND gate yields a frequency and the OR gate adds two frequencies.

CHLORINE REACTOR EXAMPLE: SHUTDOWN VALVE FOR CHLORINE FEED INCLUDED
With an independent shutdown valve (F), the trip no longer depends on the control valve, and every demand must defeat both E and F:
T = (A + B + C + D) . (E + F) = 0.6/yr x (E + F) = 0.009 p.a.
A 22-fold reduction. (The slide gives only the result; it implies E + F = 0.015, i.e. an FDT of 0.010 for the shutdown valve.)

FAULT TREE: PUMPING APPLICATION [1]
Logic function for the tree:
T = BE1 + (BE2 + BE3) . (BE4 + BE5)
No flow (T) = Valve C fails (BE1) OR Pumps fail (G1)
G1 = Pump A fails (G2) AND Pump B fails (G3)
G2 = Power supply PS1 fails (BE2) OR Mechanical failure, pump A (BE3)
G3 = Power supply PS2 fails (BE4) OR Mechanical failure, pump B (BE5)
Probabilities: BE1 = 0.1, BE2 = 0.1, BE3 = 0.15, BE4 = 0.1, BE5 = 0.15
T = 0.1 + 0.25 x 0.25 = 0.1625

FAULT TREE: REVISED PUMPING APPLICATION (shared power supply)
Logic function:
T = BE1 + BE2 + BE3 . BE5 = 0.1 + 0.1 + 0.15 x 0.15 = 0.2225 (approx. 0.222)
No flow (T) = Valve C fails (BE1) OR Power fails (BE2, the shared supply) OR Pumps fail (G1)
G1 = Pump A fails (BE3) AND Pump B fails (BE5)
The shared power supply is a common cause: it moves from inside each pump's OR gate to a direct input of the top OR gate, raising the top-event probability from 0.1625 to 0.2225 even though no component became less reliable.

FAULT TREES: COMMON CAUSE FAILURES (Edwards et al. 1979)
System faults
  Design
    Not all parameters recognized: inadequate instrumentation, inadequate control systems, etc.
    Execution: common operating and control components, inadequate components, etc.
  Construction
    Component manufacture: inadequate quality control, standards, inspection, etc.
    Installation and start-up: inadequate quality control, standards, inspection, etc.
Operating faults
  Operating procedures
    Maintenance and testing: inadequate testing, inadequate repair, inadequate calibration, spare parts, etc.
    Operation: operator instructions, communications, inadequate supervision, etc.
  Ambience
    Extreme values during operation not recognized: vibrations, pressure, temperature, corrosion, etc.
    Incidental events: fire, flooding, explosion, etc.

CAPTURING HUMAN FACTORS IN FTA
Errors captured as:
- Skill-based: routine tasks
- Rule-based: procedural errors in work systems
- Knowledge-based: higher-level decision making
Human reliability analysis (HRA). Human error rate prediction:
- THERP: Technique for Human Error Rate Prediction (handbook)
- HEART: Human Error Assessment and Reduction Technique (database)
Performance shaping factors (PSFs): training, communication and procedures, instrumentation feedback/design, preparedness, stress, etc.

GENERAL ESTIMATES OF HUMAN ERROR
Estimated error probability | Activity
0.001       | Pressing the wrong button. The error is not decision based, but one of inattentiveness or loss of concentration.
0.003-0.01  | General human error of commission or omission, with no reminder provided for error recovery, e.g. misreading a label and therefore selecting the wrong switch; forgetting to re-arm a trip after function testing.
1.0         | Conditional probability of error in a second task, given an error in the first task, when two coupled tasks are carried out by the same person.
0.1         | Failure to check plant condition after shift handover, in the absence of a written handover procedure or a checklist.
0.5         | Failing to detect abnormal conditions during plant walk-through surveillance, in the absence of a specific checklist.
0.2-0.3     | General error rate given very high stress levels where dangerous activities are occurring rapidly.

FAILURE TO DIAGNOSE ABNORMAL EVENT
[Figure: probability of incorrect response (log scale, 0.01 to 1) against elapsed time after the event (0 to 200 minutes).]

FAULT TREES: UNCERTAINTIES AND PROBLEMS
- Inadequate definition of the system boundary
- Failure to include all significant failure modes (e.g. human)
- Inconsistent units used
- No consideration of common mode failures
- Inappropriate failure data (e.g. generic vs. specific)
- Lack of statistically significant data, or none at all
- Wrong choice of logic

EVENT TREES: BASICS
1. Define the initiating event
2. Define the relevant secondary events (in chronological sequence; both technical and human)
3. Trace the failure paths
4. Classify the outcomes
5. Estimate the conditional probability of each branch
6. Quantify the outcomes
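Before turning to event-tree quantification, the fault-tree material above can be pulled together in code. The following is an added example, not code from Cameron, Skelton or the lecture: a small fault-tree evaluator that tags every quantity as a probability or a frequency and enforces the OR/AND gate rules (so the "inconsistent units" problem on the uncertainties list is caught mechanically), a helper for the fractional dead time formula with and without the 0.5 lambda Tp approximation, and the two common-cause cases worked on the slides (the pumping application with and without a shared power supply, and the chlorine reactor with the control valve doubling as the trip valve). The class and function names are this example's own; the FDT of 0.010 for the added chlorine shutdown valve is an assumption implied by the slide's 0.009 p.a. result, not a figure the slide states.

```python
"""Fault-tree evaluation with the slides' gate rules and an FDT helper.

Added example; not code from Cameron, Skelton or the lecture. Every quantity
carries a unit tag so the evaluator can reject the two combinations the gate
rules forbid: adding a frequency to a probability (OR gate) and multiplying
two frequencies (AND gate). Names and helper APIs are this example's own.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Q:
    """A quantity with a unit: 'p' = probability (dimensionless), 'f' = frequency (per year)."""

    value: float
    unit: str

    def __post_init__(self) -> None:
        if self.unit not in ("p", "f"):
            raise ValueError(f"unit must be 'p' or 'f', got {self.unit!r}")
        if self.unit == "p" and not 0.0 <= self.value <= 1.0:
            raise ValueError(f"probability out of range: {self.value}")


def OR(*inputs: Q) -> Q:
    """OR gate: inputs must share a unit; output is their sum.

    For probabilities this is the rare-event approximation used on the slides
    (the exact value is 1 - prod(1 - p_i)); for frequencies the sum is exact.
    """
    units = {q.unit for q in inputs}
    if len(units) != 1:
        raise ValueError("OR gate: cannot add a frequency and a probability")
    return Q(sum(q.value for q in inputs), units.pop())


def AND(*inputs: Q) -> Q:
    """AND gate: product of the inputs; at most one input may be a frequency."""
    n_freq = sum(1 for q in inputs if q.unit == "f")
    if n_freq > 1:
        raise ValueError("AND gate: cannot multiply two frequencies")
    return Q(math.prod(q.value for q in inputs), "f" if n_freq == 1 else "p")


def violates_rules(gate, *inputs: Q) -> bool:
    """True if the gate rejects this combination of units."""
    try:
        gate(*inputs)
    except ValueError:
        return True
    return False


def fdt(lam: float, tp: float, t_test: float = 0.0, c: float = 0.0, exact: bool = False) -> float:
    """Fractional dead time of a proof-tested protective device.

    lam: failure rate (per year); tp: proof-test interval (years);
    t_test: time disarmed per test (years); c: probability of leaving it disarmed.
    exact=False uses the slides' 0.5*lam*tp approximation (valid for lam*tp << 1).
    """
    base = 1.0 - (1.0 - math.exp(-lam * tp)) / (lam * tp) if exact else 0.5 * lam * tp
    return base + t_test / tp + c


# --- Pumping application: No flow = Valve C fails OR (Pump A fails AND Pump B fails)
VALVE_C, POWER, MECH = Q(0.1, "p"), Q(0.1, "p"), Q(0.15, "p")


def pumping_independent_supplies() -> float:
    """Each pump has its own supply, so a supply failure sits inside that pump's OR gate."""
    pump_a = OR(POWER, MECH)  # PS1 fails OR mechanical failure, pump A
    pump_b = OR(POWER, MECH)  # PS2 fails OR mechanical failure, pump B
    return OR(VALVE_C, AND(pump_a, pump_b)).value  # 0.1 + 0.25*0.25


def pumping_shared_supply() -> float:
    """One shared supply is a common cause: it moves out of the AND gate up to the top OR."""
    return OR(VALVE_C, POWER, AND(MECH, MECH)).value  # 0.1 + 0.1 + 0.15*0.15


# --- Chlorine reactor: demands are frequencies, trip failures are FDTs (probabilities)
A, B, C, D = Q(0.2, "f"), Q(0.1, "f"), Q(0.2, "f"), Q(0.1, "f")
E = Q(0.005, "p")  # Cl2/C2H4 ratio-high trip FDT (from the slide)
F = Q(0.010, "p")  # ASSUMED FDT of the added shutdown valve; implied by the slide's 0.009 p.a.


def chlorine_release(separate_shutdown_valve: bool) -> float:
    """Frequency (per year) of a Cl2 release to atmosphere."""
    if not separate_shutdown_valve:
        # The Cl2 control valve (A) both creates the demand and is the trip's final
        # element, so A bypasses the trip entirely: T = A + (B + C + D) * E
        return OR(A, AND(OR(B, C, D), E)).value
    # Independent shutdown valve F: every demand now needs both E and F to fail.
    return AND(OR(A, B, C, D), OR(E, F)).value


if __name__ == "__main__":
    print(f"pumping, independent supplies: P(no flow) = {pumping_independent_supplies():.4f}")
    print(f"pumping, shared supply:        P(no flow) = {pumping_shared_supply():.4f}")
    print(f"Cl2 release, control valve as trip valve: {chlorine_release(False):.3f} /yr")
    print(f"Cl2 release, separate shutdown valve:     {chlorine_release(True):.3f} /yr")
    print(f"ESD valve FDT, 6-monthly test, 1 h disarmed, c=0.003: {fdt(0.05, 0.5, 1 / 8760, 0.003):.4f}")
    print(f"ESD valve FDT, exact vs 0.5*lam*Tp: {fdt(0.05, 0.5, exact=True):.5f} vs {fdt(0.05, 0.5):.5f}")
    print("AND of two frequencies rejected:", violates_rules(AND, A, B))
```

The unit tag is the point of the design: in a spreadsheet, 0.2/yr + 0.005 silently evaluates to 0.205, whereas here OR(A, E) raises, and AND(A, B) raises instead of returning a meaningless 0.02/yr^2. Common-cause treatment is done by restructuring the tree, exactly as on the slides, not by adjusting numbers: the shared supply is pulled out of the AND gate, and the shared control valve is placed directly under the top OR gate.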
EVENT TREES: QUANTITATIVE EVALUATION
- Provide frequency/probability data for each outcome
- Evaluate the principal consequences ($/y) at the particular frequency

EVENT TREES: SOLVENT PUMP EXAMPLE
Initiating event: pump overheats, frequency f0 = 0.1 p.a.
Secondary events, in chronological sequence (each branch: Yes with probability Pi, No with probability 1 - Pi):
1. Failure + fire (P1 = 0.05)
2. Not extinguished (P2 = 0.1)
3. Major pipe failure (P3 = 0.2)
4. Explosion (P4 = 0.2)
Outcomes (a No at any stage ends the path):
C1 Explosion:             P(C1) = f0 . P1 . P2 . P3 . P4      = 0.1 x 0.05 x 0.1 x 0.2 x 0.2 = 0.00002 p.a.
C2 Fire damage and loss:  P(C2) = f0 . P1 . P2 . P3 . (1-P4)  = 0.00008 p.a.
C3 Fire damage:           P(C3) = f0 . P1 . P2 . (1-P3)       = 0.0004 p.a.
C4 Short-term fire:       P(C4) = f0 . P1 . (1-P2)            = 0.0045 p.a.
C5 Overheats only:        P(C5) = f0 . (1-P1)                 = 0.095 p.a.
The slides write these as P(Ci), but since f0 is a frequency each outcome is a frequency (events per year), not a probability. Check: the five outcome frequencies sum to f0 = 0.1 p.a., because the branches at every node are exhaustive.

HUMAN FACTORS IN EVENT TREES
- Human response outcomes after an initiating event
- Techniques to analyse these actions: HRA, THERP and HCR
- Performance shaping factors (PSFs) address stress levels
- Base performance data available from NUREG (USA) studies
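The solvent pump event tree above, as an added example that is not part of the lecture or of Cameron's text: a small event-tree evaluator that represents the tree as nested Yes/No branches, walks every path multiplying the initiating frequency by the branch probabilities, reports the Yes/No sequence that leads to each outcome, and checks that the outcome frequencies sum back to f0. The node classes and the outcome labels are this example's own names for the slide's C1 to C5; the numbers are the slide's.

```python
"""Event-tree quantification for the solvent pump example.

Added example; not code from Cameron or the lecture. The tree is a nest of
Branch nodes (a secondary event with its 'yes' probability) ending in Outcome
leaves. evaluate() walks every path, multiplying the initiating frequency by
the conditional branch probabilities, and sums paths that reach the same
outcome. Class names and outcome labels are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Outcome:
    name: str


@dataclass(frozen=True)
class Branch:
    event: str      # secondary event, e.g. "Not extinguished"
    p_yes: float    # conditional probability that the event happens
    yes: "Node"
    no: "Node"

    def __post_init__(self) -> None:
        if not 0.0 <= self.p_yes <= 1.0:
            raise ValueError(f"{self.event}: probability {self.p_yes} out of range")


Node = Union[Outcome, Branch]


def evaluate(f0: float, root: Node) -> dict[str, float]:
    """Return the frequency (same unit as f0) of each outcome in the tree."""
    freq: dict[str, float] = {}

    def walk(node: Node, f: float) -> None:
        if isinstance(node, Outcome):
            freq[node.name] = freq.get(node.name, 0.0) + f
            return
        walk(node.yes, f * node.p_yes)
        walk(node.no, f * (1.0 - node.p_yes))

    walk(root, f0)
    return freq


def paths(root: Node) -> dict[str, str]:
    """Yes/No sequence leading to each outcome (the route column of the tree)."""
    out: dict[str, str] = {}

    def walk(node: Node, trail: list[str]) -> None:
        if isinstance(node, Outcome):
            out[node.name] = " -> ".join(trail)
            return
        walk(node.yes, trail + [f"{node.event}: yes"])
        walk(node.no, trail + [f"{node.event}: no"])

    walk(root, [])
    return out


def conserved(f0: float, freq: dict[str, float], tol: float = 1e-12) -> bool:
    """Outcome frequencies must sum to f0: no path lost, none double counted."""
    return abs(sum(freq.values()) - f0) < tol


# Solvent pump example from the slides: f0 = 0.1 /yr, P1..P4 = 0.05, 0.1, 0.2, 0.2.
# A "no" at any stage terminates the sequence in a less severe outcome.
F0 = 0.1
SOLVENT_PUMP = Branch("Failure + fire", 0.05,
    yes=Branch("Not extinguished", 0.1,
        yes=Branch("Major pipe failure", 0.2,
            yes=Branch("Explosion", 0.2,
                yes=Outcome("C1 Explosion"),
                no=Outcome("C2 Fire damage and loss")),
            no=Outcome("C3 Fire damage")),
        no=Outcome("C4 Short-term fire")),
    no=Outcome("C5 Overheats only"))


def solvent_pump_frequencies() -> dict[str, float]:
    """Outcome frequencies (per year) for the solvent pump tree."""
    return evaluate(F0, SOLVENT_PUMP)


if __name__ == "__main__":
    freq = solvent_pump_frequencies()
    route = paths(SOLVENT_PUMP)
    for name in sorted(freq):
        print(f"{name:26s} {freq[name]:.6f} /yr   {route[name]}")
    print("outcome frequencies sum to f0:", conserved(F0, freq))
```

The conservation check is the one a reviewer applies first: if the outcome frequencies do not add back to the initiating frequency, a branch has been mis-specified or a path dropped. The same evaluator handles trees where a secondary event has more than one surviving continuation (both children are Branch nodes), which the ladder-shaped solvent pump tree does not need.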