CHE 421 RISK MANAGEMENT

ESTIMATING THE LIKELIHOOD OF INCIDENTS (PART B)


Nicoleta Maynard 2009
WEEK 8 PLAN:
Quantitative estimation of fault trees
The rules
Reliability assessment of protective systems
Analysis of systems with common failures
Human errors in fault tree analysis
Uncertainties
Quantitative estimation of event trees
Your example on fault/event tree
In-class work

RESOURCES used for discussions/debate
Books & Journals
Skelton, Bob, Process Safety Analysis: an introduction, chapter 7
Cameron I and Raman R., Process Systems Risk Management, chapter 8
Lees' Loss Prevention in the Process Industries: hazard identification, assessment and control, edited by Sam Mannan, free electronic resource at Curtin's library

FAULT TREE AND EVENT TREE STRUCTURES
[Figure: a fault tree traces from the Top event down to basic events e1 to e6; an event tree traces from the Starting event forward to consequences C1 to C5.]
Ian Cameron
FAULT TREE GATE SYMBOLS
Symbol    Name   Causal relation
[symbol]  AND    Output occurs if all inputs occur simultaneously
[symbol]  OR     Output occurs if any input event occurs
Ian Cameron
FAULT TREE EVENT SYMBOLS
Symbol    Meaning
[symbol]  Top event
[symbol]  Basic event, not requiring further development
[symbol]  House event, assumed to exist as a boundary condition. Basic event used to represent a demand
Ian Cameron
FAULT TREE BASIC STRUCTURES (INDEPENDENT EVENTS)
OR gate: T = BE1 OR BE2
  Probability (-):       P(T) = P(BE1) + P(BE2)
  Frequency (time^-1):   f(T) = f(BE1) + f(BE2)
AND gate: T = BE1 AND BE2
  Probability (-):       P(T) = P(BE1).P(BE2)
  Frequency (time^-1):   f(T) = f(BE1).P(BE2)
Ian Cameron
QUANTITATIVE EVALUATION OF FAULT TREES
What do we need?
  Failure rate data: section 8.7 (Cameron)
  Follow the rules:
OR gate rules:
  can add the input frequencies
  can add the input probabilities
  cannot add an input frequency and a probability
AND gate rules:
  can multiply the input probabilities
  can multiply a frequency and a probability
  cannot multiply the input frequencies
FAULT TREE PROTECTIVE SYSTEM STRUCTURES
Common scenario involves two major issues:
  demand rate on protective system
  performance of protective system
Example Tree:
  T: Stranded on Highway = Tyre blowout (BE1) AND Repair not possible (G1)
  G1: Repair not possible = No spare tyre (BE2) OR No jack (BE3) OR No spanner (BE4)
Generic Tree:
  T: Hazard occurs = Demand on system AND Protective system fails
Ian Cameron
RELIABILITY ASSESSMENT OF PROTECTIVE SYSTEMS
Fractional dead time (FDT): the fraction of the total time that the protective device is in the failed state
2 types of protective system failure:
  Revealed failure: detected before the demand
  Unrevealed failure: not known about before the demand
HR = D.FDT
  HR = hazard/incident rate
  D = demand rate (incidents/time)
  FDT = fractional dead time
Probability of failure on demand:
Ian Cameron (Ch.8) / Skelton (Ch.7)
THE FRACTIONAL DEAD TIME (FDT)
Function of:
  Mean failure rate of the component (λ)
  Proof test interval (Tp)

FDT = 1 - (1/(λ Tp)) (1 - exp(-λ Tp))

FDT = 0.5 λ Tp    for λ Tp << 1

Assumed failures occur randomly at any time during a proof test interval
On average a failure occurs halfway through the test interval (large no. of test intervals)
Ian Cameron (Ch.8) / Skelton (Ch.7)
THE FRACTIONAL DEAD TIME (contd.)
FDT should take into account:
  λ Tp / 2
  - duration of the test (the protective system might be disarmed)
  - human error of leaving the protective system disarmed after each test

FDT = 0.5 λ Tp + t/Tp + c

if t << Tp, then t/Tp ~ 0
Ian Cameron (Ch.8) / Skelton (Ch.7)
FDT EXAMPLE
The failure rate of an emergency shutdown valve is 0.05 p.a.
The proof test interval is 1 in 6 months. During each test, the system is disarmed for 1 h.
The general human error probability for omission to re-arm the trip is 0.003 per operation

λ = 0.05 p.a.
Tp = 0.5 year
t = 1/8760 year
c = 0.003

FDT = 0.5 λ Tp + t/Tp + c = 0.0125 + 0.000114 + 0.003 = 0.0156

if Tp = 1/12 year (monthly):
FDT = 0.0021 + 1.14E-4 + 0.003 = 0.0052
Ian Cameron (Ch.8) / Skelton (Ch.7)
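Worked calculation for the example above, added here and not part of the original slides. It evaluates the exact expression FDT = 1 - (1/(λ Tp))(1 - exp(-λ Tp)), the linearised 0.5 λ Tp and the full form 0.5 λ Tp + t/Tp + c with the slide's values (λ = 0.05 p.a., Tp = 0.5 or 1/12 year, t = 1 h, c = 0.003), and also HR = D.FDT. Evaluated literally, the disarmed-time term t/Tp is 1/(8760 x 0.5) = 2.3E-4 for six-monthly testing and 12/8760 = 1.4E-3 for monthly testing, so the function returns 0.0157 and 0.0065 where the slide's arithmetic, which enters the one-hour disarm as 1/8760 in both cases, shows 0.0156 and 0.0052. The monthly case makes the trade-off visible: testing more often shrinks the unrevealed-failure term but grows the fraction of time spent disarmed.

```python
import math

# Constructed from the worked example on the slide: emergency shutdown valve,
# failure rate 0.05 p.a., proof test every 6 months, disarmed 1 h per test,
# human error probability 0.003 per re-arm operation.
LAMBDA = 0.05          # mean failure rate, per year
T_P_SIX_MONTHLY = 0.5  # proof test interval, years
T_P_MONTHLY = 1 / 12   # proof test interval, years
T_TEST = 1 / 8760      # duration of one test (1 h), years
C_HUMAN = 0.003        # probability of leaving the trip disarmed after a test


def fdt_exact(lam: float, t_p: float) -> float:
    """Exact FDT for failures that are revealed only at a proof test:
    FDT = 1 - (1/(lam*t_p)) * (1 - exp(-lam*t_p))."""
    x = lam * t_p
    return 1.0 - (1.0 - math.exp(-x)) / x


def fdt_approx(lam: float, t_p: float) -> float:
    """Linearised form 0.5*lam*t_p, valid when lam*t_p << 1."""
    return 0.5 * lam * t_p


def fdt_total(lam: float, t_p: float, t_test: float, c: float) -> dict:
    """Full expression on the slide: 0.5*lam*t_p + t_test/t_p + c.
    Returns the three contributing terms and their sum under key 'fdt'."""
    terms = {
        "unrevealed": fdt_approx(lam, t_p),
        "disarmed_for_test": t_test / t_p,
        "human_error": c,
    }
    terms["fdt"] = sum(terms.values())
    return terms


def hazard_rate(demand_rate: float, fdt: float) -> float:
    """HR = D * FDT: incidents per unit time for a demand rate D on the protective system."""
    return demand_rate * fdt


if __name__ == "__main__":
    for label, t_p in (("six-monthly", T_P_SIX_MONTHLY), ("monthly", T_P_MONTHLY)):
        r = fdt_total(LAMBDA, t_p, T_TEST, C_HUMAN)
        print(f"{label:12s} exact {fdt_exact(LAMBDA, t_p):.5f} "
              f"approx {r['unrevealed']:.5f} disarmed {r['disarmed_for_test']:.5f} "
              f"human {r['human_error']:.4f} -> FDT {r['fdt']:.4f}")
    # Demand rate of 0.4 p.a. on a trip with FDT 0.005, as in the chlorine reactor slide
    print("HR =", hazard_rate(0.4, 0.005), "p.a.")
```

The exact and linearised forms agree to within a few percent here (0.0124 against 0.0125) because λ Tp = 0.025 is small; the linearisation should be rechecked whenever λ Tp approaches 0.1.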
ANALYSIS OF SYSTEMS WITH
COMMON FAILURES
Assuming that the various inputs to the gate are independent is wrong!!!
Essential to identify and treat common cause
issues
Example: a component contributing to a demand is
also used as protection system (control valve as trip
valve)
Ian Cameron (Ch.8) / Skelton (Ch.7)
CHLORINE/ETHYLENE REACTOR P&ID
Ian Cameron (Ch.8)
CHLORINE REACTOR EXAMPLE
Demand events:
  Cl2 control valve sticks open (A)  0.2 p.a.
  Cl2 control system (including sensor) malfunction (B)  0.1 p.a.
  C2H4 control valve sticks closed (C)  0.2 p.a.
  C2H4 control system (including sensor) malfunction (D)  0.1 p.a.

Protection system failures:
  Cl2/C2H4 ratio high trip failure (E)  0.005 (FDT)
  Cl2 valve fails to close on demand (A)

Top event: release of Cl2 to atmosphere
Ian Cameron (Ch.8)
CHLORINE REACTOR EXAMPLE: FAULT TREE AFTER REDUCTION
T = A + (B + C + D).E
  B + C + D = 0.1/yr + 0.2/yr + 0.1/yr = 0.4/yr
  (B + C + D).E = 0.4/yr x 0.005 = 0.002/yr
  A = 0.2/yr
  T = 0.2/yr + 0.002/yr = 0.202/yr
T = 0.202 p.a.
Ian Cameron (Ch.8)
CHLORINE REACTOR EXAMPLE
Shutdown valve for chlorine feed included:
T = (A + B + C + D).(E + F) = 0.009, a 22-fold reduction!!!
Ian Cameron (Ch.8)
FAULT TREE PUMPING APPLICATION [1]
Process: No flow (top event T)
Fault Tree:
  T: No flow = Valve C fails (BE1) OR Pumps fail (G1)
  G1: Pumps fail = Pump A fails (G2) AND Pump B fails (G3)
  G2: Pump A fails = Power supply PS1 fails (BE2) OR Mechanical failure Pump A (BE3)
  G3: Pump B fails = PS2 fails (BE4) OR Mechanical failure Pump B (BE5)
Basic event probabilities: BE1 = 0.1, BE2 = 0.1, BE3 = 0.15, BE4 = 0.1, BE5 = 0.15
Logic function for the tree:
  T = BE1 + (BE2 + BE3).(BE4 + BE5)
  T = 0.1 + 0.25 x 0.25 = 0.1625
Ian Cameron
FAULT TREE REVISED PUMPING APPLICATION
Process: No flow (top event T), shared power supply
Fault Tree:
  T: No flow = Valve C fails (BE1) OR Power fails (BE2) OR Pumps fail (G1)
  G1: Pumps fail = Pump A fails (BE3) AND Pump B fails (BE5)
Logic function:
  T = BE1 + BE2 + BE3.BE5 = 0.222
Ian Cameron
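The gate rules, the chlorine reactor reduction and the two pumping trees above can all be checked with a small typed evaluator. This is an added example, not code from the slides or from Cameron's text; the event names, values and tree logic are the slides', while the Prob/Freq types, the OR/AND helpers and the function names are assumptions of this example. Keeping frequencies and probabilities as distinct types makes the evaluator reject a mixed OR or a frequency-times-frequency AND instead of silently producing a number with no meaningful unit. Probabilities under an OR gate are summed as on the slides (rare-event approximation), not combined as 1 - (1-p1)(1-p2).

```python
from dataclasses import dataclass
from typing import Union

# Minimal typed fault-tree evaluator. Two quantity kinds are kept apart so the
# OR/AND gate rules from the slides are enforced rather than remembered:
#   OR : add frequencies, or add probabilities, never one of each
#   AND: multiply probabilities, or one frequency by probabilities,
#        never two frequencies
# Probabilities under OR are simply summed, as on the slides (rare-event
# approximation), not combined as 1 - (1-p1)(1-p2).


@dataclass(frozen=True)
class Prob:
    value: float  # dimensionless, e.g. a fractional dead time


@dataclass(frozen=True)
class Freq:
    value: float  # events per unit time, e.g. per year


Quantity = Union[Prob, Freq]


def OR(*inputs: Quantity) -> Quantity:
    kinds = {type(q) for q in inputs}
    if len(kinds) != 1:
        raise TypeError("OR gate: cannot add a frequency and a probability")
    kind = kinds.pop()
    return kind(sum(q.value for q in inputs))


def AND(*inputs: Quantity) -> Quantity:
    freqs = [q for q in inputs if isinstance(q, Freq)]
    if len(freqs) > 1:
        raise TypeError("AND gate: cannot multiply two frequencies")
    product = 1.0
    for q in inputs:
        product *= q.value
    return Freq(product) if freqs else Prob(product)


def chlorine_reactor_top_event() -> Freq:
    """T = A + (B + C + D).E, the reduced chlorine reactor tree (values from the slide)."""
    A = Freq(0.2)    # Cl2 control valve sticks open, p.a.
    B = Freq(0.1)    # Cl2 control system malfunction, p.a.
    C = Freq(0.2)    # C2H4 control valve sticks closed, p.a.
    D = Freq(0.1)    # C2H4 control system malfunction, p.a.
    E = Prob(0.005)  # Cl2/C2H4 ratio high trip failure, FDT
    # A is listed both as a demand and as a protection failure (same valve),
    # so after Boolean reduction it enters the top event directly.
    return OR(A, AND(OR(B, C, D), E))


def pumping_top_event(shared_power: bool) -> Prob:
    """Pumping application: independent supplies PS1/PS2 versus one shared supply.
    Basic event probabilities are those printed on the slides."""
    BE1 = Prob(0.1)   # Valve C fails
    BE3 = Prob(0.15)  # Mechanical failure pump A
    BE5 = Prob(0.15)  # Mechanical failure pump B
    if shared_power:
        BE2 = Prob(0.1)  # the one shared power supply fails (common cause)
        return OR(BE1, BE2, AND(BE3, BE5))
    BE2 = Prob(0.1)   # PS1 fails
    BE4 = Prob(0.1)   # PS2 fails
    return OR(BE1, AND(OR(BE2, BE3), OR(BE4, BE5)))


def mixed_or_is_rejected() -> bool:
    """The rule the slides state in words: a frequency cannot be OR'd with a probability."""
    try:
        OR(Freq(0.2), Prob(0.005))
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("Chlorine reactor T =", chlorine_reactor_top_event().value, "p.a.")
    print("Pumping, independent supplies P(T) =", pumping_top_event(False).value)
    print("Pumping, shared supply        P(T) =", pumping_top_event(True).value)
    print("OR(freq, prob) rejected:", mixed_or_is_rejected())
```

Moving the power supply from two basic events inside the AND gate to one basic event OR'd at the top raises P(T) from 0.1625 to 0.2225, which is the common-cause effect the revised tree illustrates; a tool that accepted the first tree without asking whether PS1 and PS2 are really independent would report the optimistic figure.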
FAULT TREES COMMON CAUSE FAILURES
Common Cause Failures (Edwards et al. 1979)
- System Faults
  - Design
    - Not all parameters recognized: inadequate instrumentation, inadequate control systems, etc.
    - Execution: common operating and control components, inadequate components, etc.
  - Construction
    - Component manufacture: inadequate quality control, standards, inspection, etc.
    - Installation and start-up: inadequate quality control, standards, inspection, etc.
- Operating Faults
  - Operating Procedures
    - Maintenance and testing: inadequate testing, inadequate repair, inadequate calibration, spare parts, etc.
    - Operation: operator instructions, communications, inadequate supervision, etc.
  - Ambience
    - Extreme values during operation not recognized: vibrations, pressure, temperature, corrosion, etc.
    - Incidental events: fire, flooding, explosion, etc.
Ian Cameron
CAPTURING HUMAN FACTORS IN FTA
Errors captured as:
Skill-based: routine tasks
Rule-based: procedural errors in work systems
Knowledge-based: higher level decision making
Human reliability analysis (HRA)
Human error rate prediction:
THERP: Technique for human error rate
prediction (handbook)
HEART: Human error assessment and
reduction technique (database)
Performance shaping factors (PSFs): training, communication and procedures, instrumentation feedback/design, preparedness, stress, etc.
Ian Cameron
GENERAL ESTIMATES OF HUMAN ERROR
Estimated error probability   Activity
0.001         Pressing the wrong button. Error is not decision based, but one of inattentiveness or loss of concentration.
0.003 - 0.01  General human error of commission, errors of omission, with no provision for reminder for error recovery, e.g. misreading label and therefore selecting wrong switch, forgetting to re-arm trip after function testing.
1.0           Conditional probability of error in a 2nd task, given an error in the 1st task, when two coupled tasks are carried out by the same person.
0.1           Failure to check plant condition after shift handover, in the absence of a written handover procedure or a checklist.
0.5           Failing to detect abnormal conditions during plant walk-through surveillance, in the absence of a specific checklist.
0.2 - 0.3     General error rate given very high stress levels where dangerous activities are occurring rapidly.
Ian Cameron
FAILURE TO DIAGNOSE ABNORMAL EVENT
[Figure: probability of incorrect response (log scale, 0.01 to 1) versus elapsed time after the event, 0 to 200 minutes]
Ian Cameron
FAULT TREES UNCERTAINTIES AND
PROBLEMS
Inadequate definition of system boundary
Failure to include all significant failure modes (e.g.
human)
Inconsistent units used
No consideration of common mode failures
Inappropriate failure data (e.g. generic vs. specific)
Lack of statistically significant data or none at all
Wrong choice of logic
Ian Cameron
EVENT TREES BASICS
Define initiating event
Define relevant secondary events (chronological
sequence both technical and human)
Trace failure paths
Classify outcomes
Estimate conditional probability of branches
Quantify outcomes

Ian Cameron
EVENT TREES QUANTITATIVE
EVALUATION
Provide frequency/probability data for each
outcome
Evaluate principal consequences ($/y) at
particular frequency
Ian Cameron
EVENT TREES SOLVENT PUMP EXAMPLE
Initiating event: Pump overheats, frequency f_o
Secondary events (chronological order; each has a Yes branch of probability P_i and a No branch of probability 1 - P_i):
  Failure + Fire (P1)
  Not extinguished (P2)
  Major pipe failure (P3)
  Explosion (P4)
Outcomes:
  C1 Explosion              Yes, Yes, Yes, Yes
  C2 Fire damage and loss   Yes, Yes, Yes, No
  C3 Fire damage            Yes, Yes, No
  C4 Short term fire        Yes, No
  C5 Overheats              No
P(C1) = f_o P1.P2.P3.P4
P(C5) = f_o (1 - P1)
Ian Cameron
EVENT TREES SOLVENT PUMP EXAMPLE (QUANTIFIED)
Initiating event: Pump overheats, f_o = 0.1
Secondary events:
  Failure + Fire: P1 = 0.05
  Not extinguished: P2 = 0.1
  Major pipe failure: P3 = 0.2
  Explosion: P4 = 0.2
Outcomes:
  C1 Explosion
  C2 Fire damage and loss
  C3 Fire damage
  C4 Short term fire
  C5 Overheats
P(C1) = f_o P1.P2.P3.P4 = 0.00002
P(C2) = f_o P1.P2.P3.(1 - P4)
P(C5) = f_o (1 - P1)
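The event-tree procedure (initiating event, chronological secondary events, failure paths, outcome quantification) applied to the solvent pump tree above, as an added example rather than code from the slides. The values f_o, P1 to P4 and the outcome labels are the slide's; the evaluation function, the Branch type and the Y/N path notation are assumptions of this example. It also applies the check a practitioner runs on any completed event tree: the outcome frequencies must sum back to f_o, otherwise a branch has been dropped or double-counted. Although the slide writes P(C1), the outcome quantities are frequencies (per year) because f_o is a frequency.

```python
from dataclasses import dataclass

# Constructed from the solvent pump event tree on the slides: initiating event
# frequency f_o and four chronological secondary events, each with a
# probability of taking the "Yes" branch.
F_O = 0.1  # pump overheats, per year

SECONDARY_EVENTS = [  # (name, probability of "Yes")
    ("Failure + fire", 0.05),     # P1
    ("Not extinguished", 0.1),    # P2
    ("Major pipe failure", 0.2),  # P3
    ("Explosion", 0.2),           # P4
]

# Outcome reached when the path first takes a "No" branch at level i,
# or survives all four "Yes" branches (level 4). Labels are the slide's.
OUTCOMES = {
    4: "C1 Explosion",
    3: "C2 Fire damage and loss",
    2: "C3 Fire damage",
    1: "C4 Short term fire",
    0: "C5 Overheats",
}


@dataclass
class Branch:
    outcome: str
    path: str         # e.g. "YYYN": Yes on P1..P3, No on P4
    frequency: float  # per year


def evaluate_event_tree(f_o: float, events) -> list:
    """Walk the chain of secondary events. At each level the path either
    terminates on 'No' (frequency so far times 1 - P_i) or continues down
    'Yes' (multiply by P_i). Returns one Branch per outcome."""
    branches = []
    running = f_o
    path = ""
    for i, (_, p) in enumerate(events):
        branches.append(Branch(OUTCOMES[i], path + "N", running * (1.0 - p)))
        running *= p
        path += "Y"
    branches.append(Branch(OUTCOMES[len(events)], path, running))
    return branches


def outcome_frequency(label_prefix: str) -> float:
    """Frequency of the outcome whose label starts with label_prefix, e.g. 'C1'."""
    for b in evaluate_event_tree(F_O, SECONDARY_EVENTS):
        if b.outcome.startswith(label_prefix):
            return b.frequency
    raise KeyError(label_prefix)


def total_frequency() -> float:
    """Conservation check: the outcome frequencies must sum back to f_o."""
    return sum(b.frequency for b in evaluate_event_tree(F_O, SECONDARY_EVENTS))


if __name__ == "__main__":
    for b in evaluate_event_tree(F_O, SECONDARY_EVENTS):
        print(f"{b.path:5s} {b.outcome:26s} {b.frequency:.6f} /yr")
    print(f"sum = {total_frequency():.6f} /yr (should equal f_o = {F_O})")
```

With the slide's numbers the explosion outcome C1 comes out at 0.00002 per year, matching the slide, and the five outcomes sum to 0.1 per year, which is the initiating frequency.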
HUMAN FACTORS IN EVENT TREES
Human response outcomes after an initiating event
Techniques to analyze these actions: HRA, THERP and HCR
Performance shaping factors (PSFs) address stress levels
Base performance data available from NUREG (USA) studies
Ian Cameron
