Hazards Analyses (sfpe-sac.org/process-safety/section3.pdf)
Posted 06-Feb-2018
HAZARDS ANALYSES
∗ Failure Modes and Effects Analysis (types)
∗ Event Tree and Cause Consequence Analyses
∗ Barrier and Threat Analysis
∗ Hazard and Operability Studies
∗ Fault Tree Analysis
SECTION 3
Failure Mode and Effects Analysis
FAILURE MODES AND EFFECTS ANALYSIS
• INDUCTIVE APPROACH
• SUBSYSTEM BY SUBSYSTEM
• COMPONENT BY COMPONENT
• DETAILED AND INTENSIVE
FMEA PROCEDURE
1. Define the scope of the system
2. Gather information
   • drawings, specifications, part lists
3. Partition the system into subsystems
4. Develop a coding (recordkeeping) system that corresponds to the system breakdown
5. Identify resources of value to be protected
Procedure for FMEA
1.0 Define the system of interest
2.0 Define the problems of interest for the analysis
3.0 Choose the type of FMEA approach for the study
4.0 Subdivide the system for analysis
5.0 Identify potential failure modes for elements of the system
6.0 Evaluate potential failure modes capable of producing problems of interest
7.0 Perform quantitative evaluation (if necessary)
8.0 Transition the analysis to another level of resolution (if necessary or otherwise useful)
9.0 Use the results in decision making
Sample Breakdown Coding
More FMEA PROCESS
1. List components
2. LIST ALL FAILURE MODES
   • e.g. closed, open, partially open, etc.
3. Determine the causes of each failure mode
4. Determine effects of the failure
5. Determine probability of failure occurring
Questions to ask when considering effects
• Will failure of the system render an unacceptable loss?
• Will failure of this subsystem render an unacceptable loss?
• Will failure of this assembly render an unacceptable loss?
• NO means that part of the analysis is complete
More FMEA PROCEDURE
6. DETERMINE RISK
   • Include probability considerations
   • Categorize risk using the matrix
7. Determine controls and countermeasures
8. Make recommendations
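The FMEA worksheet described in the steps above, carried through in code as an added example (not from the page or from the SFPE material). It keeps one row per component failure mode with its breakdown code, causes, effect, the highest level of the system breakdown the loss reaches, a probability and severity category, and recorded controls; the risk matrix, its scales and the sample rows for a feed-tank subsystem are all assumptions constructed for this example.

```python
"""FMEA worksheet rows with risk-matrix categorization (added example)."""
from dataclasses import dataclass, field

# Probability and severity scales are an assumption for this example (the page only says
# "categorize risk using the matrix"); the product of the two indices selects a matrix cell.
PROBABILITY = {"frequent": 5, "probable": 4, "occasional": 3, "remote": 2, "improbable": 1}
SEVERITY = {"catastrophic": 4, "critical": 3, "marginal": 2, "negligible": 1}


def risk_score(probability, severity):
    return PROBABILITY[probability] * SEVERITY[severity]


def risk_category(probability, severity):
    """Matrix cell -> category; the thresholds are this example's assumption."""
    score = risk_score(probability, severity)
    if score >= 12:
        return "high"
    if score >= 6:
        return "serious"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class FailureMode:
    code: str                    # breakdown code: subsystem.assembly.component
    component: str
    mode: str                    # e.g. closed, open, partially open
    causes: list
    effect: str
    highest_level_affected: str  # component / assembly / subsystem / system
    probability: str
    severity: str
    controls: list = field(default_factory=list)

    @property
    def category(self):
        return risk_category(self.probability, self.severity)


# Constructed rows for a hypothetical feed-tank subsystem (not from the page).
WORKSHEET = [
    FailureMode("2.1.1", "feed valve FV-1", "fails open",
                ["actuator spring fracture", "spurious open command"],
                "tank overfills", "system", "remote", "catastrophic"),
    FailureMode("2.1.1", "feed valve FV-1", "fails closed", ["stem seizure"],
                "feed starved, process upset", "subsystem", "occasional", "marginal",
                ["low-flow alarm"]),
    FailureMode("2.1.1", "feed valve FV-1", "partially open", ["debris in seat"],
                "reduced flow", "assembly", "probable", "negligible"),
    FailureMode("2.1.2", "level transmitter LT-1", "reads low", ["impulse line plugged"],
                "overfill not detected", "system", "remote", "critical",
                ["independent high-level switch"]),
]


def ranked(worksheet):
    """Rows ordered by risk, highest first (stable, so ties keep worksheet order)."""
    return sorted(worksheet, key=lambda fm: risk_score(fm.probability, fm.severity), reverse=True)


def single_point_failures(worksheet):
    """Single failures whose effect reaches the system level with serious or high risk."""
    return [fm for fm in worksheet
            if fm.highest_level_affected == "system" and fm.category in ("high", "serious")]


def needing_countermeasures(worksheet):
    """Serious/high rows with no control recorded: candidates for step 7 recommendations."""
    return [fm for fm in worksheet if fm.category in ("high", "serious") and not fm.controls]


if __name__ == "__main__":
    for fm in ranked(WORKSHEET):
        print(f"{fm.code} {fm.component:24} {fm.mode:15} {fm.category:8} {fm.effect}")
    print("single-point failures:", [fm.mode for fm in single_point_failures(WORKSHEET)])
    print("need countermeasures:", [fm.mode for fm in needing_countermeasures(WORKSHEET)])
```

The "NO means that part of the analysis is complete" rule from the previous slide is what `highest_level_affected` records: a row whose effect stops at the assembly level is not a candidate system-level single-point failure, whatever its local severity.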
Advantages
• Exhaustive method for determining single-point failures and consequences.
• In FMECA, risk assessment of these failures is accomplished
• Further analysis for items identified as high risk in the PHA.
• Finds hazards that were overlooked in the PHA
Disadvantages
• Costly and time consuming
• Multiple element faults are missed
• No check methodology for completeness
• Depends on analyst’s ability and expertise
• Human error and hostile environment are often overlooked.
• Probability is difficult to obtain
• Likely to miss synergistic effects.
Resources
• Appendices
• FMEA Info Centre – http://www.fmeainfocentre.com/
7/10/2015
1
Event Tree
• System design type analysis: determine all possible outcomes from a single initiating event
• Similar to Cause-Consequence Analysis
• Developed during the WASH 1400 study ~1974 (Nuclear Industry)
Key Definitions
• Initiating Event: failure or undesired event that initiates the start of an (accident) sequence
• Pivotal Event: intermediary events whose failure or success determine the progress to undesired outcomes
Anatomy of an Accident
An accident is a series of interconnected events that leads to an undesirable outcome.
Initiating Event → Intermediate Event #1 → Intermediate Event #2 → Final Event (accident)
This diagram represents a “look back” at an accident that might be developed as part of an incident investigation.
Sample Event Tree: Piping Failure in Flammable Pressurized Liquid System
Example Event Tree
Advantages
• Structured and rigorous
• Computerized
• Varying levels of detail possible
• Visual model
• Easy to do
• Models complex relationships
• Follows fault paths across system boundaries
• Combines hardware, software and human interaction
• Permits probability assessment
• Commercial software is available
Disadvantages
• Only one initiating event
• Overlooks subtle dependencies
• Bernoulli: partial success or failure not detected
• Requires some training and experience
Common Mistakes
• Improper initiating event
• Not identifying all pivotal events
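The event tree mechanics described above (one initiating event, a Bernoulli success/failure split at each pivotal event, outcome probabilities from the product along each branch), as an added example that is not part of the original slides. The pivotal events, their success probabilities and the initiating-event frequency for the piping-failure scenario are constructed values, not data from the page; the code also checks that the enumerated branches account for the whole initiating-event frequency, which catches a tree whose branches were not all followed to an outcome.

```python
"""Event tree enumeration and outcome frequencies (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PivotalEvent:
    name: str
    p_success: float  # probability the response succeeds, given the sequence reaches it


def walk(pivotal, terminal, path=(), p=1.0):
    """Yield (path, outcome, probability) for every branch of the tree.

    `terminal(path)` returns an outcome label once the sequence is decided, or None to
    keep branching on the next pivotal event. Each pivotal event is a two-state
    (Bernoulli) split, the assumption the slides list as a limitation.
    """
    label = terminal(path)
    if label is not None:
        yield path, label, p
        return
    if len(path) == len(pivotal):
        raise ValueError(f"branch {path} ran out of pivotal events without an outcome")
    event = pivotal[len(path)]
    yield from walk(pivotal, terminal, path + (True,), p * event.p_success)
    yield from walk(pivotal, terminal, path + (False,), p * (1 - event.p_success))


def outcome_frequencies(initiating_frequency, pivotal, terminal):
    """Sum branch probabilities per outcome, scaled by the initiating-event frequency."""
    totals = {}
    for _, label, p in walk(pivotal, terminal):
        totals[label] = totals.get(label, 0.0) + initiating_frequency * p
    return totals


def completeness_check(outcomes, initiating_frequency):
    """All branches together must account for the whole initiating-event frequency."""
    return abs(sum(outcomes.values()) - initiating_frequency) < 1e-12


# Constructed scenario (all numbers invented): piping failure in a flammable pressurized
# liquid system, the case the slides name. Initiating-event frequency 1e-3 per year.
INITIATING_FREQUENCY = 1e-3
PIVOTAL = (
    PivotalEvent("leak isolated by emergency shutdown", 0.95),
    PivotalEvent("no ignition source reaches the vapour", 0.90),
    PivotalEvent("fixed fire suppression controls the fire", 0.80),
)


def piping_failure_outcome(path):
    """Decide when a branch is resolved; None means branch on the next pivotal event."""
    if path == (True,):
        return "isolated: minor release"
    if path == (False, True):
        return "unignited vapour cloud disperses"
    if path == (False, False, True):
        return "contained pool fire"
    if path == (False, False, False):
        return "escalating fire"
    return None


def piping_failure_tree():
    return outcome_frequencies(INITIATING_FREQUENCY, PIVOTAL, piping_failure_outcome)


if __name__ == "__main__":
    outcomes = piping_failure_tree()
    for label, f in sorted(outcomes.items(), key=lambda kv: -kv[1]):
        print(f"{f:.2e} /yr  {label}")
    print("complete:", completeness_check(outcomes, INITIATING_FREQUENCY))
```

Because a successful isolation ends the sequence, later pivotal events are never evaluated on that branch; that pruning is what distinguishes an event tree from a flat enumeration of every combination of successes and failures.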
CAUSE CONSEQUENCE ANALYSIS
• A bottom-up, deductive, system safety analytical technique
• Applies to
  • Physical systems, with or without human operators
  • Decision-making/management systems
• Closely related to event trees (“expanded”)
Complementary to other safety analysis techniques, e.g.
• Fault Tree Analysis
• Failure Modes and Effects Analysis
Cause Consequence Analysis
• Explores time-sequenced system RESPONSES to initiating “CHALLENGES”
• and
• Enables PROBABILITY ASSESSMENTS
Challenges
• Do not have to be abnormal events
• Example “challenges”:
  • Loss of Coolant
  • Loss of External Power
  • High Cost of Resource
  • Sensor Failure
  • Normal Operating Command
  • High Level Alarm
  • Loss of Primary Containment
  • Sensor Activates
“CONSEQUENCE”
• portrays an array of outcomes…
• representing staged increments of success/failure.
• each increment has an associated level of probability, based on permutations available
Symbols* (figure)
Format* (figure)
*P.L. Clemens, “Event Trees,” 2002
Energy Trace and Barrier Analysis
Background
• Energy Flow/Barrier Analysis is based on a useful set of concepts introduced by William Haddon, Jr., M.D.*
• Used initially in highway safety and then nuclear safety.
• Universal concept that applies in performance of other analyses
• May be known under other names such as Energy Flow Analysis or Barrier Analysis
*Haddon, William, Jr., M.D., “Energy Damage and the Ten Countermeasure Strategies.” Human Factors Journal, August 1973
Energy Trace and Barrier Analysis (ETBA) is:
• A useful adjunct tool to the performance of other analyses
• A hazard identification tool
• A tool for evaluating the adequacy of countermeasures and the vulnerability of systems
ETBA is useful when
• Designing systems.
• Writing procedures (e.g., tagout-lockout).
• Planning/judging operational readiness.
• Investigating incidents
• Making decisions about “safe-to-enter” at incident sites.
• Performing analyses
Approach
• Identify all system energy sources
TYPICAL ENERGY SOURCE(S)
• Electrical
• Mechanical
• Chemical
• Radiation
• Pneumatic
• Hydraulic
• Others
For Each Energy Source
• Examine the potential for unwanted energy FLOW
  • From the source to a “target”
  • To cause undesirable consequences
Targets can be
• Personnel
• Equipment
• Product
• Productivity
• Environment
• Reputation
• Market share
• ??
BARRIERS ARE INHIBITORS TO FLOW SUCH AS
• Walls
• Guard rails
• Insulation
• Shielding
• Personal protective equipment
• Containment structures
• Procedures
Energy sources are varied
• Electrical
• Mechanical
• Chemical
• Radiation
• Sonic
• Thermal
• Nuclear
• Pneumatic
• Hydraulic
• Others
NOTE: Not all energy sources are easily recognized as energy sources, such as
• Toxic or asphyxiant gases
• Pathogenic organisms
• Environmental pollutants
Barriers do not have to be physical.
Barriers serve as countermeasures to control probability and/or severity of harm to a target.
Barriers can be
• Walls
• Guard rails
• Diking
• Insulation
• Procedures
• Shielding
• ??
There Are Many Kinds of Targets
• Personnel
• Equipment
• Product
• Productivity
• Environment
• Reputation
• Others
The unwanted energy released from a single source may attack a variety of targets.
Barrier Strategies
• Exclude energy
• Limit quantity and/or level of energy
• Prevent release of energy
• Modify rate of release of energy
• Separate energy from target in time and/or space
• Isolate by interposing a material or procedural barrier
• Modify target contact surface or basic structure
• Strengthen (harden) potential target
• Control improper energy input
Be wary of combinations
• Wind and fire
• Electrical discharge and flammable vapors
• Explosions
  • Thermal
  • Pressure
Countermeasure Hierarchy (effectiveness increases from 5 toward 1)
1. Design change
2. Engineered Safety Features
3. Safety Devices
4. Warning Devices
5. Procedures and Training
Hazard and Operability Studies (HazOp)
• Most rigorous process hazard analysis technique
• Gives the most information
• Multidisciplinary
• Based on deviations from normal
• Traditional and Functional Methods
• Uses outside Process Safety
  • Reliability
  • Training
  • Quality
Definitions
• Hazard: any operation that could cause a catastrophic release of toxic, flammable or explosive chemicals or any actions that could result in personnel injury.
• Operability: any operation inside the design envelope that would cause a shutdown that could lead to a violation of environmental, health or safety regulations or negatively impact profitability
The Multidisciplinary Team
• Leaders must act as facilitators
• Technical experts must be free to think
• Don't tie down “employees” with menial tasks
• The scribe needs to understand the terms used
Hazard and Operability Studies (HazOp)
• Create a prospective (before the incident) version of an investigation team
• Visualize (imagine) ways a plant can malfunction
  • What can go wrong, will go wrong
• Determine the possible causes
• Guide the imagination/visualization process
• Systematically examine all portions of the process.
Traditional Hazard and Operability Studies (HazOp) Guide Word Approach
• Guide Words: NO (not), More, Less, As well as, Part of, Reverse, Other than
• Process Condition / Parameter: Flow, Pressure, Temperature, Level, Composition, pH, Time
Hazard and Operability Studies (HazOp)
Intention
• This is what the segment or “node” is in the system to accomplish, i.e. the answer to ‘why do we have this ____ in our system?’
• This is critical because the consequence of a deviation is important with respect to how it affects the intention.
Hazard and Operability Studies (HazOp)
• Define the scope (of the analysis)
• Scope should include the consequence level of the analysis, e.g. multiple injuries, single serious injury, process upset, shut down, environmental release
Process
• Select a node
• Define the “intention” for that node
• Select a parameter
• Apply all relevant guide words to that parameter to establish deviations.
• Determine all credible probable causes for those deviations
• Determine all probable consequences (refer to the intention)
• Identify risks and safeguards/countermeasures
Example
Parameters: Composition, Flow, Pressure, Level
Guide Words: No, More, Other than, As well as
Node 1: Feed Storage
Node 1 intention = store process feed stocks
MORE + LEVEL = OVERFLOW
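The node / parameter / guide-word procedure above, applied systematically in code as an added example (not from the slides). Every guide word is applied to every parameter of the node, the team then fills in causes, consequences and safeguards per deviation, and two helpers report which deviations have not been reviewed yet and which have a consequence but no safeguard. Which guide words are physically meaningful for which parameter is a team judgement; the table used here is an assumption for the example, as are the causes and safeguards recorded for the page's "MORE + LEVEL = OVERFLOW" deviation.

```python
"""HazOp deviation enumeration and worksheet gap checks (added example)."""
from dataclasses import dataclass, field

GUIDE_WORDS = ("NO", "MORE", "LESS", "AS WELL AS", "PART OF", "REVERSE", "OTHER THAN")
PARAMETERS = ("flow", "pressure", "temperature", "level", "composition", "pH", "time")

# Which guide word makes sense for which parameter is an assumption made for this
# example (e.g. a flow can reverse, a temperature cannot); a real team would set this.
APPLICABLE = {
    "NO": {"flow", "level", "composition"},
    "MORE": set(PARAMETERS),
    "LESS": set(PARAMETERS),
    "AS WELL AS": {"flow", "composition"},
    "PART OF": {"composition"},
    "REVERSE": {"flow"},
    "OTHER THAN": {"composition", "time"},
}


@dataclass
class Node:
    name: str
    intention: str
    parameters: tuple


@dataclass
class Deviation:
    node: str
    guide_word: str
    parameter: str
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)
    safeguards: list = field(default_factory=list)

    @property
    def label(self):
        return f"{self.guide_word} + {self.parameter.upper()}"


def deviations(node):
    """Apply all relevant guide words to each parameter of the node."""
    return [Deviation(node.name, gw, p)
            for p in node.parameters for gw in GUIDE_WORDS if p in APPLICABLE[gw]]


def record(devs, guide_word, parameter, causes, consequences, safeguards=()):
    """Fill in the team's findings for one deviation; unknown deviations are an error."""
    for d in devs:
        if d.guide_word == guide_word and d.parameter == parameter:
            d.causes.extend(causes)
            d.consequences.extend(consequences)
            d.safeguards.extend(safeguards)
            return d
    raise KeyError(f"{guide_word} + {parameter} is not a deviation of this node")


def unreviewed(devs):
    """Deviations the team has not yet assigned causes to."""
    return [d.label for d in devs if not d.causes]


def unsafeguarded(devs):
    """Deviations with a recorded consequence but no safeguard: countermeasure candidates."""
    return [d.label for d in devs if d.consequences and not d.safeguards]


# Node from the page's example; the recorded causes/safeguards are constructed.
FEED_STORAGE = Node("Node 1 Feed Storage", "store process feed stocks",
                    ("composition", "flow", "pressure", "level"))


def feed_storage_worksheet():
    devs = deviations(FEED_STORAGE)
    record(devs, "MORE", "level",
           causes=["feed valve fails open", "level control loop fails high"],
           consequences=["OVERFLOW: loss of containment, contradicts intention to store feed"],
           safeguards=["independent high-level switch trips feed pump"])
    return devs


if __name__ == "__main__":
    ws = feed_storage_worksheet()
    print(f"{len(ws)} deviations for {FEED_STORAGE.name}")
    print("unreviewed:", unreviewed(ws))
    print("no safeguard:", unsafeguarded(ws))
```

Keeping the enumeration separate from the team's findings is the point: the list of deviations is generated mechanically so nothing is skipped, while causes, consequences and safeguards are judgements that are recorded against it, and the two gap reports show exactly what the session still has to cover.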
Fault Tree Analysis
Logic Tree Process Hazard Analysis
Origins of the Technique
• Developed in 1962 for the use of the US military by Bell Telephone Laboratories
• Adaptation of an electronics circuit design method
• Symbolic analytical technique used in operations research
Fault Tree is --
• A graphic depiction of the pathways within a system that can lead to a foreseeable undesired event.
• Pathways connect contributory events and conditions through use of standard logic symbols
• Quantifiable using numerical probabilities
• Only one tool
Best used when…
• Losses could be large
• Numerous potential contributors
• Complex systems/processes are analyzed
• There are identified undesirable events
• An incident has indiscernible causes
Caution: Fault Trees are resource intensive and should be undertaken when the benefits far exceed the costs
Produces
• A graphic display of events and/or conditions that lead to or enable a loss
• Identifies contributors that are critical
• Improves understanding of the system
• Quantitative or qualitative insights into probability of an identified loss event
• Guidance for deploying resources
• Documentation
Fault
• An abnormal, undesirable state of a system or a system element induced
  • (1) by presence of an improper command or absence of a proper one, or
  • (2) by a failure (see below). All failures cause faults; not all faults are caused by failures.
• A system which has been shut down by safety features has NOT faulted
Failure
• Loss, by a system or system element, of functional integrity to perform as intended.
• Examples
  • Relay will not pass the rated current
  • Pressure vessel ruptures
  • Valve leaks
• Note: a protective device that functions as intended has not failed, e.g. blown fuse, opened relief valve
Basic Assumptions for Analysis
• Non-repairable system
• No intentional damage to system
• Markov system
  • Failure rates are constant
  • Future is independent of the past
• Bernoulli
  • Two mutually exclusive states
Event Symbols
• EVENT - a state produced by antecedent events
• TOP EVENT - foreseeable undesired event
• BASIC EVENT - initiating fault/failure not developed further
Connecting Gates
“OR” Gate … produces output if any input exists. Any input, individually, must be (1) necessary and (2) sufficient to cause the output event
“AND” Gate … produces output if all inputs co-exist. All inputs, collectively, must be (1) necessary and (2) sufficient to cause the output event
Step 1: Identify the top level undesired event
Step 2: Identify 1st level contributors
Step 3: Link to the TOP with a logic gate
Step 4: Identify 2nd level contributors
Step 5: Link to Level 1 with a logic gate
Conventions and Rules (figure: examples marked NO and YES)
More Rules
• Be CONSISTENT in naming fault events/conditions. Use the same name for the same thing every time
• Say WHAT failed/faulted and HOW, e.g., “Valve AV49 failed open”
Scope the Analysis
Too General         Improved
Computer outage     Loss of primary process computer exceeding 30 minutes
Exposed conductor   Human contact with an exposed component with voltage above 60 V
Loss of product     Loss of product containment exceeding 10 gallons
Applying scoping to the “Top Event” enables the analyst to preserve resources in the analysis by confining the effort to relevant considerations. In order to “scope,” describe the level of penalty or the situation in which the event becomes intolerable/undesirable.
EXAMPLE (figure: fault tree with an AND gate)
Fault trees expose common causes
Other symbols
Relationships for Quantification
• S = Successes
• F = Failures
• Reliability … R = P(S)
• Failure Probability … PF = P(F)
• PF + R = P(F) + P(S) = 1
• λ = … = Fault Rate
“Bathtub Curve”1
1. Clemens, Pat, Fault Tree Analysis, 2002, Sverdrup Engr.
Quantification with an OR
• PF + R = P(F) + P(S) = 1
• Through an OR gate with 2 inputs:
  • PF = 1 - R
  • R = Ra * Rb
  • PF = 1 - (Ra * Rb)
  • PF = 1 - [(1 - Pa)(1 - Pb)]
  • PF = Pa + Pb - Pa Pb
• Rare event approximation, for Pa, Pb ≤ 0.2: PF = Pa + Pb
For 3 inputs:
Quantification with an AND
• Case with 2 inputs
• Both of two independent elements must fail to produce system failure
  • R = Ra + Rb - Ra * Rb
  • PF = 1 - R
  • PF = 1 - [(1 - Pa) + (1 - Pb) - (1 - Pa)(1 - Pb)]
  • PF = Pa * Pb
3 Inputs
Propagation through AND (figure)
Propagation through OR (figure)
Analyze the Tree
• A CUT SET is any group of fault tree initiators (basic events) which, if all occur, will cause the top event to occur.
• A MINIMAL CUT SET is a smallest group of fault tree initiators which, if all occur, will cause the top event to occur.
  • Shortest path to the top event
Cut Sets indicate structural importance
In general, if other factors are equivalent…
• A long cut set indicates there is low vulnerability
• A short cut set generally indicates there is a higher vulnerability
• Presence of many cut sets is an indicator of a high vulnerability…
• and a single-event cut set signals a potential single point failure
Path Sets
• A PATH SET is a group of fault tree initiators which, if none of them occurs, will guarantee that the TOP event cannot occur
Find Path Sets
• TO FIND PATH SETS change all AND gates to OR gates and all OR gates to AND. You have transformed the tree to a success tree.
• Then proceed as for Cut Sets.
• Path Sets will be the result
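One implementation of the fault tree material on the preceding slides (OR and AND gate quantification, the rare-event approximation, minimal cut sets, and path sets obtained by swapping AND/OR to form the success tree and then proceeding as for cut sets), as an added example that is not from the slides or from Clemens. It generalises the two-input gate formulas to any number of inputs. The tree, event names and probabilities are constructed for the example; a basic event (loss of instrument power) is deliberately entered under both branches so the code can show how a repeated event produces a one-element cut set, and why gate-by-gate propagation, which assumes independent inputs, understates the top-event probability in that case while the cut-set bound does not.

```python
"""Fault tree quantification, minimal cut sets and path sets (added example)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # probability the basic fault/failure occurs over the mission time


@dataclass(frozen=True)
class Gate:
    kind: str     # "AND" or "OR"
    name: str
    inputs: tuple  # of Basic or Gate


def gate_probability(node, rare_event=False):
    """Propagate probabilities gate by gate using the slide formulas.

    Assumes the inputs of every gate are independent; a basic event that appears
    under more than one gate violates that and makes this estimate unreliable.
    """
    if isinstance(node, Basic):
        return node.p
    ps = [gate_probability(i, rare_event) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)                     # PF = Pa * Pb * ...
    if rare_event:
        return sum(ps)                      # PF ~ Pa + Pb + ...  (inputs <= 0.2)
    return 1 - prod(1 - p for p in ps)      # PF = 1 - (1 - Pa)(1 - Pb)...


def minimize(sets):
    """Keep only sets that contain no other set of the collection (minimal sets)."""
    sets = set(sets)
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Minimal cut sets: OR unions the children's sets, AND combines one set from each child."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        return minimize(set().union(*child_sets))
    combos = {frozenset()}
    for sets in child_sets:
        combos = {a | b for a in combos for b in sets}
    return minimize(combos)


def dual(node):
    """Success tree: swap every AND for OR and vice versa; event names are kept."""
    if isinstance(node, Basic):
        return node
    return Gate("OR" if node.kind == "AND" else "AND", node.name,
                tuple(dual(i) for i in node.inputs))


def path_sets(node):
    """Minimal path sets are the minimal cut sets of the success (dual) tree."""
    return cut_sets(dual(node))


def cut_set_bound(node, probs):
    """Rare-event upper bound on P(TOP): sum over minimal cut sets of the member products."""
    return sum(prod(probs[n] for n in cs) for cs in cut_sets(node))


def single_point_failures(node):
    return {next(iter(cs)) for cs in cut_sets(node) if len(cs) == 1}


# Constructed tree (not from the page): an overfill release needs the feed to keep
# coming AND the high-level protection to fail; instrument power feeds both branches.
E1 = Basic("FV-1 fails open", 1e-3)
E2 = Basic("Level controller fails", 2e-3)
E3 = Basic("Instrument power lost", 5e-4)
E4 = Basic("High-level switch fails", 1e-3)
G1 = Gate("OR", "Feed not stopped", (E1, E2, E3))
G2 = Gate("OR", "High-level protection fails", (E4, E3))
TOP = Gate("AND", "Tank overfill release", (G1, G2))
PROBS = {e.name: e.p for e in (E1, E2, E3, E4)}

if __name__ == "__main__":
    print("minimal cut sets:", [sorted(cs) for cs in cut_sets(TOP)])
    print("single points:", single_point_failures(TOP))
    print("path sets:", [sorted(ps) for ps in path_sets(TOP)])
    print(f"gate-by-gate P(TOP) = {gate_probability(TOP):.3e} (independence assumed)")
    print(f"cut-set bound  P(TOP) = {cut_set_bound(TOP, PROBS):.3e}")
```

The single-event cut set is the common cause the slides say fault trees expose: the two "independent" layers share the instrument power supply, so the cut-set bound is roughly a hundred times the gate-by-gate figure. Path sets give the complementary view: the two events a defender must keep from occurring to guarantee the top event cannot happen.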
“Perform an analysis only to reach a decision. Do not perform an analysis if that decision can be reached without it...”
Dr. V.L. Grose, George Washington University