chapter 11 risk assessment
TRANSCRIPT
-
7/30/2019 Chapter 11 Risk Assessment
1/46
Chapter 11. RISK ASSESSMENT
-
Introduction
Risk Assessment has two parts:
Incident Identification: how the accident occurs (analysis of probability)
Consequence Analysis: expected damage (loss of life, damage, days of outage)
This chapter discusses
1. Review of probability mathematics
2. How the failure probabilities of individual components contribute to the failure of the entire process
3. Two probabilistic methods:
   Event tree
   Fault tree
-
Probability Theory
Failure in a process occurs as a result of the interaction of the individual components.
The overall probability depends on the nature of this interaction.
The average failure rate is expressed as faults/time: on average the component fails after a certain period of time.
The probability that the component will NOT fail during the time interval (0,t) is the reliability R(t), given by the Poisson distribution.
As t increases, R(t) goes to 0, and a higher failure rate means a smaller R(t).
The complement of the reliability is called the failure probability and is given by
-
Probability Theory
Failure density function: the derivative of the failure probability.
The failure density function is used to determine the probability P of at least one failure in the time period t0 to t1.
-
Probability Theory
MTBF: the time interval between two failures of the component is called the mean time between failures (MTBF) and is given by
Many components exhibit a bathtub-shaped failure rate curve.
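A worked example of these definitions, added here and not part of the slides (whose equations did not survive extraction). It assumes the constant-failure-rate form of the Poisson model, R(t) = exp(-mu*t), where mu is the average failure rate in faults/time, and derives the failure probability, the failure density and the MTBF from it, computing the integrals numerically so that each quantity is obtained the way the slides define it. The names mu, t0 and t1 follow the slides; the numeric values are constructed.

```python
import math

# Added example (not from the slides). mu = average failure rate in faults/time.
# Assumption: constant failure rate, so the Poisson model gives R(t) = exp(-mu*t).

def reliability(mu: float, t: float) -> float:
    """R(t): probability the component has NOT failed during (0, t).
    R -> 0 as t grows, and a larger mu gives a smaller R(t) at any fixed t."""
    return math.exp(-mu * t)

def failure_probability(mu: float, t: float) -> float:
    """P(t) = 1 - R(t): the complement of the reliability."""
    return 1.0 - reliability(mu, t)

def failure_density(mu: float, t: float) -> float:
    """f(t) = dP/dt = mu * exp(-mu*t)."""
    return mu * math.exp(-mu * t)

def integrate(fn, a: float, b: float, steps: int = 10_000) -> float:
    """Composite trapezoid rule, so the quantities below are computed from f(t)
    exactly as the slides define them (as integrals), not from a closed form."""
    h = (b - a) / steps
    total = 0.5 * (fn(a) + fn(b))
    for k in range(1, steps):
        total += fn(a + k * h)
    return total * h

def prob_at_least_one_failure(mu: float, t0: float, t1: float) -> float:
    """Probability of at least one failure in [t0, t1] = integral of f(t) over the window.
    It must equal P(t1) - P(t0); the usage below checks that."""
    return integrate(lambda t: failure_density(mu, t), t0, t1)

def mtbf(mu: float) -> float:
    """MTBF = integral_0^inf t*f(t) dt. The integrand is negligible beyond 50/mu
    (about 50*exp(-50)), so the upper limit is truncated there. For the constant-rate
    model the closed form is 1/mu, which the numeric value reproduces."""
    t_max = 50.0 / mu
    return integrate(lambda t: t * failure_density(mu, t), 0.0, t_max, steps=100_000)

if __name__ == "__main__":
    mu = 0.1  # constructed value: 0.1 faults per year
    print(f"R(10 yr)          = {reliability(mu, 10):.4f}")
    print(f"P(10 yr)          = {failure_probability(mu, 10):.4f}")
    print(f"P(failure 2..10y) = {prob_at_least_one_failure(mu, 2, 10):.4f}"
          f"  (P(10)-P(2) = {failure_probability(mu, 10) - failure_probability(mu, 2):.4f})")
    print(f"MTBF              = {mtbf(mu):.3f} yr   (1/mu = {1 / mu})")
```

Doubling mu at a fixed t always lowers R(t), and the numeric MTBF agrees with 1/mu to the accuracy of the trapezoid rule, which is the check a reader can make before trusting the failure-rate data that goes into the event and fault trees later in the chapter.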
-
Probability Theory
Interaction between Process Units
Parallel: process failure requires the simultaneous failure of a number of components in parallel. The failure probabilities of the individual components must be multiplied (parallel probability):
n is the total number of components and Pi is the failure probability of each component.
Total reliability for parallel units:
Ri is the reliability of an individual process component.
A parallel arrangement is represented by the logical AND gate function.
-
Probability Theory
Interaction between Process Units
Series: failure of any single component in the series of components will result in failure of the process. Represented by the logical OR function.
The overall process reliability is found by multiplying the reliabilities of the individual components.
The overall failure probability
-
Probability Theory
Interaction between Process Units
Series: for a system composed of 2 components A and B
If the failure probabilities are small, then the product term can be neglected. For this special case
(the product term compensates for counting the overlapping cases twice)
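The parallel (AND) and series (OR) rules of the last three slides, as an added example that is not code from the slides. Components are assumed independent, Pi is the failure probability of component i and Ri = 1 - Pi its reliability. The inclusion-exclusion form makes the "overlapping cases" visible: for two components it is PA + PB - PA*PB, and the sum-only approximation is shown both where it is good (small Pi) and where it breaks down.

```python
import math
from itertools import combinations

# Added example (not from the slides). p is a list of component failure probabilities P_i;
# components are assumed independent.

def parallel_failure_probability(p):
    """AND gate: the process fails only if ALL parallel components fail -> product of P_i."""
    return math.prod(p)

def parallel_reliability(p):
    """Parallel units: R = 1 - prod(P_i), equivalently 1 - prod(1 - R_i)."""
    return 1.0 - parallel_failure_probability(p)

def series_reliability(p):
    """Series units: every component must survive -> product of the R_i = (1 - P_i)."""
    return math.prod(1.0 - pi for pi in p)

def series_failure_probability(p):
    """OR gate: the process fails if ANY component fails -> 1 - prod(1 - P_i)."""
    return 1.0 - series_reliability(p)

def series_inclusion_exclusion(p):
    """The same quantity written out as the inclusion-exclusion expansion: single terms,
    minus pairwise products (the overlaps that would otherwise be counted twice),
    plus triple products, and so on. For two components: P_A + P_B - P_A*P_B."""
    total = 0.0
    for k in range(1, len(p) + 1):
        for combo in combinations(p, k):
            total += (-1) ** (k + 1) * math.prod(combo)
    return total

def series_small_probability_approx(p):
    """Special case from the slide: drop every product term, P ~ sum(P_i).
    Good when all P_i are small; it always overestimates and exceeds 1 when they are not."""
    return sum(p)

def compare(p):
    """Return (exact OR-gate failure probability, sum approximation, approximation error)."""
    exact = series_failure_probability(p)
    approx = series_small_probability_approx(p)
    return exact, approx, approx - exact

if __name__ == "__main__":
    print("AND gate, P = [0.1, 0.2]: fails with", parallel_failure_probability([0.1, 0.2]))
    print("OR  gate, P = [0.1, 0.2]: fails with", series_failure_probability([0.1, 0.2]))
    for p in ([0.01, 0.02], [0.5, 0.5]):   # constructed values
        exact, approx, err = compare(p)
        print(f"OR gate, P = {p}: exact {exact:.4f}, sum approximation {approx:.4f}, error {err:.4f}")
```

With P = [0.01, 0.02] the approximation is off by 0.0002; with P = [0.5, 0.5] it reports a failure probability of 1.0 against an exact 0.75, which is the point at which the product term can no longer be neglected.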
-
Revealed and Unrevealed Failure
Revealed Failure: failures that are immediately obvious, e.g. a flat tire on a car.
period of operation (0) + downtime (r) = MTBF
The time that the component is operational is called the period of operation and is denoted by 0. After a failure occurs, a period of time, called the period of inactivity or downtime (r), is required to repair the component.
-
Revealed Failure
Revealed Failure: for revealed failures the period of inactivity or downtime for a particular component is computed by averaging the inactive periods over a number of failures:
where n is the number of times the failure or inactivity occurred and r is the period of repair for a particular failure.
Similarly, the time before failure, or period of operation, is given by
So,
-
Revealed Failure
Availability: the probability that the component is found functioning.
Unavailability: the probability that the component or process is found not functioning.
For revealed failures,
-
Unrevealed Failure
For unrevealed failures, if u is the average period of unavailability during the inspection interval and i is the inspection interval, then
The average period of unavailability is computed from the failure probability:
For unrevealed failures,
-
Probability of coincidence
A dangerous process episode occurs when a process upset occurs and the emergency system is unavailable. This requires the coincidence of two events.
Assume that a dangerous process episode occurs pd times in the time interval Ti. The frequency of this episode is given by
For an emergency system with unavailability U, a dangerous situation will occur when the process episode occurs and the emergency system is unavailable. This happens for pdU of the episodes.
-
Probability of coincidence
The mean time between coincidences (MTBC) is the reciprocal of
the average frequency of dangerous coincidences:
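The revealed-failure, unrevealed-failure and coincidence slides carried through in one added example (not code from the slides, whose equations were lost in extraction). The notation is chosen here: tau0 for the period of operation, taur for the downtime, taui for the inspection interval and tauu for the average period of unavailability. The unrevealed-failure formula is the one that follows from the failure probability P(t) = 1 - exp(-mu*t) of the earlier slides: the expected time a failed component sits undetected before the next inspection is the integral of P(t) over the inspection interval, which for small mu*taui reduces to U = mu*taui/2. All numeric inputs are constructed.

```python
import math

# Added example (not from the slides). tau0 = period of operation, taur = downtime,
# taui = inspection interval, tauu = average period of unavailability (all chosen here).

def average_period(periods):
    """Average of n observed periods (used for both the downtime r and the
    operating period): sum of the individual periods divided by n."""
    return sum(periods) / len(periods)

def revealed_mtbf(tau0, taur):
    """For revealed failures, period of operation + downtime = MTBF."""
    return tau0 + taur

def revealed_unavailability(tau0, taur):
    """U = taur / (tau0 + taur): the fraction of each failure-repair cycle spent down."""
    return taur / (tau0 + taur)

def revealed_availability(tau0, taur):
    """A = tau0 / (tau0 + taur) = 1 - U."""
    return tau0 / (tau0 + taur)

def unrevealed_unavailability(mu, taui):
    """Unrevealed failure with constant failure rate mu, found only at inspections every taui.
    tauu = integral_0^taui P(t) dt with P(t) = 1 - exp(-mu*t): the expected time spent
    failed before the next inspection. So tauu = taui - (1 - exp(-mu*taui))/mu and U = tauu/taui."""
    tauu = taui - (1.0 - math.exp(-mu * taui)) / mu
    return tauu / taui

def unrevealed_unavailability_approx(mu, taui):
    """For small mu*taui: tauu ~ mu*taui^2/2, so U ~ mu*taui/2 (slightly above the exact value)."""
    return 0.5 * mu * taui

def episode_frequency(pd, Ti):
    """lambda_d = pd / Ti: dangerous process upsets per unit time."""
    return pd / Ti

def coincidence_frequency(pd, Ti, U):
    """Frequency of (upset AND emergency system unavailable): lambda_d * U."""
    return episode_frequency(pd, Ti) * U

def mtbc(pd, Ti, U):
    """Mean time between coincidences: the reciprocal of the coincidence frequency."""
    return 1.0 / coincidence_frequency(pd, Ti, U)

if __name__ == "__main__":
    # constructed data: five repair periods and five operating periods, in hours
    taur = average_period([4.0, 6.0, 5.0, 4.5, 5.5])            # 5.0 h
    tau0 = average_period([90.0, 110.0, 100.0, 95.0, 105.0])    # 100.0 h
    print("revealed:   MTBF =", revealed_mtbf(tau0, taur), "h,  U =", round(revealed_unavailability(tau0, taur), 4))
    # unrevealed: an emergency system with mu = 0.1 faults/yr, inspected once a year
    print("unrevealed: U exact =", round(unrevealed_unavailability(0.1, 1.0), 5),
          " approx =", unrevealed_unavailability_approx(0.1, 1.0))
    # coincidence: 2 dangerous upsets per year against that emergency system
    U = unrevealed_unavailability_approx(0.1, 1.0)
    print("coincidence frequency =", coincidence_frequency(2, 1.0, U), "/yr,  MTBC =", mtbc(2, 1.0, U), "yr")
```

Halving the inspection interval halves the unrevealed unavailability and so doubles the MTBC, which is the lever the chapter's coincidence formula gives the designer.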
-
EVENT TREE ANALYSIS
Event tree analysis evaluates potential accident outcomes that might result following an equipment failure or process upset known as an initiating event. It is a forward-thinking process, i.e. the analyst begins with an initiating event and develops the following sequences of events that describe potential accidents, accounting for both the successes and failures of the safety functions as the accident progresses.
-
Guidelines
1. Identify an initiating event of interest.
2. Identify the safety functions designed to deal with the initiating event.
3. Construct the event tree.
4. Describe the resulting accident event sequences.
-
Construction of the Event Tree
Enter the initiating event on the left hand side.
List the functional responses chronologically.
Decide whether or not the success or failure of the function can or does affect the course of the accident.
If the answer is yes, the event tree is branched to distinguish between success and failure of the function; success always branches upward, failure downward. If the system function has no effect, the tree does not branch, but proceeds to the next system function (to the right).
-
Step 1: Identify the initiating event
   system or equipment failure
   human error
   process upset
[Example] Loss of cooling water to an oxidation reactor
-
Step 2: Identify the Safety Functions Designed to Deal with the Initiating Event
Safety systems that automatically respond to the initiating event.
initiating event occurs and operator actions designed to be performed in response to alarms or required by procedures.
Barriers or containment methods that are intended to limit the effects of the initiating event.
-
Example
The oxidation reactor high temperature alarm alerts the operator at temperature T1.
The operator reestablishes cooling water flow to the oxidation reactor.
The automatic shutdown system stops the reaction at temperature T2, where T2 > T1.
These safety functions are listed in the order in which they are intended to occur.
-
Step 3: Construct the Event Tree
a. Enter the initiating event and safety functions.
[Figure: first step in constructing the event tree]
INITIATING EVENT: Loss of cooling water to oxidation reactor
SAFETY FUNCTIONS (left to right, in the order they are intended to occur):
   Oxidation reactor high temperature alarm alerts operator at temperature T1
   Operator reestablishes cooling water flow to oxidation reactor
   Automatic shutdown system stops reaction at temperature T2
-
Step 3: Construct the Event Tree
b. Evaluate the safety functions.
[Figure: representation of the first safety function; the path branches into Success (upward) and Failure (downward)]
-
Step 3: Construct the Event Tree
b. Evaluate the safety functions.
[Figure: representation of the second safety function, again with Success and Failure branches]
If the safety function does not affect the course of the accident, the accident path proceeds with no branch point to the next safety function.
-
Step 3: b. Evaluate safety functions.
[Figure: completed event tree, with Success and Failure branches for each safety function that affects the course of the accident]
Completed!
-
Step 4: Describe the Accident Sequence
[Figure: accident sequences of the completed event tree. Initiating event A: loss of cooling water to oxidation reactor. Safety functions B (high temperature alarm alerts operator at temperature T1), C (operator reestablishes cooling water flow to oxidation reactor), D (automatic shutdown system stops reaction at temperature T2). A letter in a sequence marks the failure of that safety function.]
ACCIDENT SEQUENCES
   Sequence   Outcome
   A          Safe condition, return to normal operation
   AC         Safe condition, process shutdown
   ACD        Unsafe condition, runaway reaction, operator aware of problem
   AB         Unstable condition, process shutdown
   ABD        Unsafe condition, runaway reaction, operator unaware of problem
-
Example Event Tree
-
Figure 11-8 Reactor with high temperature alarm and temperature controller.
[Figure labels: reactor with cooling coils; reactor feed; cooling water in / cooling water out; thermocouple; TIA = high temperature alarm (alarm at T > TA); TIC = temperature controller]
-
Figure 11-9 Event tree for a loss of coolant accident for the reactor of Figure 11-8.
Initiating Event A: Loss of Cooling, 1 Occurrence/yr.
Safety Function (Identifier, Failures/Demand):
   B   High Temp Alarm Alerts Operator    0.01
   C   Operator Notices High Temp         0.25
   D   Operator Re-starts Cooling         0.25
   E   Operator Shuts Down Reactor        0.1
Accident sequences (a letter marks the failure of that safety function; frequencies in occurrences/yr):
   Sequence   Frequency    Result
   A          0.7425       Continue Operation
   AD         0.2227       Shut Down
   ADE        0.02475      Runaway
   AB         0.005625     Continue Operation
   ABD        0.001688     Shut Down
   ABDE       0.0001875    Runaway
   ABC        0.001875     Continue Operation
   ABCD       0.0005625    Shut Down
   ABCDE      0.0000625    Runaway
Branch-point frequencies shown in the figure: 0.99 (after B succeeds), 0.2475 (AD), 0.01 (AB), 0.0075 (AB after C succeeds), 0.0025 (ABC), 0.001875 (ABD), 0.000625 (ABCD).
Shutdown = 0.2227 + 0.001688 + 0.005625 = 0.2250 occurrences/yr.
Runaway = 0.02475 + 0.0001875 + 0.0000625 = 0.02500 occurrences/yr.
-
Figure 11-10 The computational sequence across a safety function in an event tree.
Initiating Event: 0.5 occurrences/yr.
Safety Function: 0.01 failures/demand.
Success of safety function: (1 - 0.01) * 0.5 = 0.495 occurrence/yr.
Failure of safety function: 0.01 * 0.5 = 0.005 occurrence/yr.
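The branching rule from the "Construction of the Event Tree" slide and the computational sequence of Figure 11-10, implemented as an added example; this is not code from the slides or from the textbook they follow. It assumes two conventions visible in the figures: a sequence is named by the initiating event's letter followed by the letters of the safety functions that failed, and a safety function that does not affect the course of the accident is skipped with no branch point. The Figure 11-9 tree is encoded with the page's failures/demand values; the skip rule is applied to function C, since the operator only has to notice the high temperature unaided when the alarm B has failed. The evaluator reproduces the figure's nine sequences and its totals of 0.2250 shutdowns/yr and 0.02500 runaways/yr.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example (not from the slides). Conventions assumed here: a letter in a sequence
# name marks the FAILURE of that safety function; a function that has no effect is skipped.

@dataclass
class SafetyFunction:
    letter: str
    name: str
    failures_per_demand: float                       # P that the function fails when demanded
    # Does this function affect the course of the accident, given which earlier ones failed?
    relevant: Callable[[frozenset], bool] = lambda failed: True
    on_success: Optional[str] = None                 # terminal outcome if success ends the sequence
    on_failure: Optional[str] = None                 # terminal outcome if failure ends the sequence

def across_safety_function(freq: float, p_fail: float) -> Tuple[float, float]:
    """Figure 11-10: split a branch frequency into (success, failure) = (freq*(1-P), freq*P)."""
    return freq * (1.0 - p_fail), freq * p_fail

def evaluate_event_tree(initiating_letter: str, initiating_freq: float,
                        functions: List[SafetyFunction]):
    """Walk the tree left to right; return [(sequence, frequency, outcome)] for every end branch."""
    leaves = []

    def walk(i, freq, failed, seq):
        if i == len(functions):                      # no terminal label given: report as-is
            leaves.append((seq, freq, "end of tree"))
            return
        f = functions[i]
        if not f.relevant(failed):                   # no effect: no branch point, move right
            walk(i + 1, freq, failed, seq)
            return
        s_freq, f_freq = across_safety_function(freq, f.failures_per_demand)
        if f.on_success is not None:                 # success branch (drawn upward)
            leaves.append((seq, s_freq, f.on_success))
        else:
            walk(i + 1, s_freq, failed, seq)
        if f.on_failure is not None:                 # failure branch (drawn downward)
            leaves.append((seq + f.letter, f_freq, f.on_failure))
        else:
            walk(i + 1, f_freq, failed | {f.letter}, seq + f.letter)

    walk(0, initiating_freq, frozenset(), initiating_letter)
    return leaves

def outcome_totals(leaves):
    """Sum the end-branch frequencies per result, as in the Shutdown/Runaway lines of the figure."""
    totals = defaultdict(float)
    for _, freq, outcome in leaves:
        totals[outcome] += freq
    return dict(totals)

# Figure 11-9: loss of cooling at 1 occurrence/yr, four safety functions with the page's values.
FIG_11_9 = [
    SafetyFunction("B", "High temp alarm alerts operator", 0.01),
    # Only matters when the alarm failed; otherwise the operator has already been alerted.
    SafetyFunction("C", "Operator notices high temp", 0.25, relevant=lambda failed: "B" in failed),
    SafetyFunction("D", "Operator re-starts cooling", 0.25, on_success="Continue Operation"),
    SafetyFunction("E", "Operator shuts down reactor", 0.1, on_success="Shut Down", on_failure="Runaway"),
]

def figure_11_9():
    leaves = evaluate_event_tree("A", 1.0, FIG_11_9)
    return leaves, outcome_totals(leaves)

if __name__ == "__main__":
    leaves, totals = figure_11_9()
    for seq, freq, outcome in leaves:
        print(f"{seq:<7}{freq:<12.7g}{outcome}")
    for outcome, freq in totals.items():
        print(f"{outcome}: {freq:.5f} occurrences/yr")
```

Adding the high temperature shutdown system of Figure 11-11 is a matter of inserting one more SafetyFunction between D and E; the evaluator then carries the extra branch level through without any change to the walk.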
-
Figure 11-11 Event tree for the reactor of Figure 11-8. This includes a high temperature shutdown system.
Initiating Event A: Loss of Cooling, 1 Occurrence/yr.
Safety Function (Identifier, Failures/Demand):
   B   High Temp Alarm Alerts Operator    0.01
   C   Operator Notices High Temp         0.25
   D   Operator Re-starts Cooling         0.25
   E   High Temp Shuts Down               0.01
   F   Operator Shuts Down Reactor        0.1
Accident sequences (a letter marks the failure of that safety function; frequencies in occurrences/yr):
   Sequence   Frequency      Result
   A          0.7425         Continue Operation
   AD         0.2450         Shut Down
   ADE        0.002228       Shut Down
   ADEF       0.0002475      Runaway
   AB         0.005625       Continue Operation
   ABD        0.001856       Shut Down
   ABDE       0.00001688     Shut Down
   ABDEF      0.000001875    Runaway
   ABC        0.001875       Continue Operation
   ABCD       0.0006187      Shut Down
   ABCDE      0.00000563     Shut Down
   ABCDEF     0.000000625    Runaway
Branch-point frequencies shown in the figure: 0.99, 0.2475, 0.002475, 0.01, 0.00750, 0.0025, 0.001875, 0.00001875, 0.000625, 0.00000675.
Shutdown = 0.2450 + 0.001856 + 0.00001688 + 0.0006187 = 0.2475 occurrences/yr.
Runaway = 0.0002475 + 0.000001875 + 0.000000625 = 0.0002500 occurrences/yr.
-
What is Fault Tree Analysis? Fault Tree Analysis (FTA) is one of several deductive logic model techniques, and one of the most common hazard identification tools.
The deduction begins with a stated top-level hazardous/undesired event.
It uses logic diagrams and Boolean algebra to identify single events and combinations of events that could cause the top event.
Probability of occurrence values are assigned to the lowest events in the tree in order to obtain the probability of occurrence of the top event.
-
Fault tree main symbols
Commonly used symbols: OR gate, An Event / Fault, Basic Event
Occasionally used symbols: Incomplete event, Inhibit gate
-
FTA Symbols Explained
Basic Event: a lowest-level event that cannot be further developed.
E.g. relay failure, switch failure, etc.
An Event / Fault: this can be an intermediate event or a top event. It is the result of a logical combination of lower-level events.
E.g. both transmitters fail, runaway reaction.
OR Gate: any one of the bottom events results in the occurrence of the top event.
E.g. either one of the root valves is closed, or the process signal to the transmitter fails.
AND Gate: for the top event to occur, all the bottom events must occur.
E.g. fuel, oxygen and an ignition source all have to be present for a fire.
-
FTA Symbols Explained
Incomplete Event: an event which has scope for further development but is not developed, usually because of insufficient data.
E.g. software malfunction, human error, etc.
External Event: an event external to the system.
E.g. fire.
Inhibit Gate: the top event occurs only if the bottom event occurs and the inhibit condition is true.
E.g. false trip of a unit on maintenance when the maintenance override is not ON.
-
Procedure
Procedure for Fault Tree Analysis:
1. Define the TOP event.
2. Define the overall structure.
3. Explore each branch in successive levels of detail.
4. Solve the fault tree.
5. Perform corrections if required and make decisions.
-
Procedure
Define the Top Event: use the PHA, P&ID, process description etc. to define the top event.
If it is too broad, an overly large FTA will result. E.g. fire in process.
If it is too narrow, the exercise will be costly. E.g. leak in the valve.
The boundaries for the top event definition can be a system, sub-system, unit, equipment or a function.
Some good examples are: overpressure in vessel V1, motor fails to start, reactor high temperature safety function fails, etc.
-
Procedure
Explore each branch in successive levels of detail:
Continue the top-down process until the root cause for each branch is identified and/or until further decomposition is considered unnecessary.
So each branch will end with a basic event or an undeveloped event.
Consider common cause failures and systematic failures in the process of decomposition.
A good guide to stop decomposing is to go no further than the physical or functional bounds set by the top event.
-
Procedure
Solve the Fault Tree:
Assign probabilities of failure to the lowest-level event in each branch of the tree.
From this data the intermediate event frequency and the top-level event frequency can be determined using Boolean algebra and minimal cut set methods.
-
Procedure
Minimal Cut Set theory:
The fault tree consists of many levels of basic and intermediate events linked together by AND and OR gates.
Some basic events may appear in different places of the fault tree.
The minimal cut set analysis provides a new fault tree, logically equivalent to the original, with an OR gate beneath the top event, whose inputs (bottom) are the minimal cut sets.
Each minimal cut set is an AND gate with a set of basic event inputs necessary and sufficient to cause the top event.
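The "solve the fault tree" and minimal cut set slides worked through on a small tree, as an added example that is not code from the slides. The tree, the basic-event names (CW, TS, ALH, OP, SDL) and their probabilities are all constructed here for the slides' example top event "reactor high temperature safety function fails". The tree deliberately has one basic event, the temperature sensor TS, under two different gates, which is the common-cause situation the "explore each branch" slide says to look for: evaluating gate by gate as if the branches were independent misses it, while the cut set calculation counts the shared sensor once per cut set and gives the right answer.

```python
import math
from itertools import combinations, product

# Added example (not from the slides). A fault tree is written as nested tuples:
# a basic event is a string; a gate is ("AND", child, ...) or ("OR", child, ...).

def cut_sets(node):
    """All cut sets of a subtree: frozensets of basic events that together cause the node's event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                                  # any one child's cut set is enough
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                                 # one cut set from EVERY child, merged
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Drop every cut set that contains another one; what remains is necessary and sufficient.
    Sorted by size, so the most direct routes to the top event come first."""
    sets = set(cut_sets(node))
    minimal = [cs for cs in sets if not any(other < cs for other in sets)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))

def gate_by_gate_probability(node, p):
    """Naive solution: AND -> product, OR -> 1 - prod(1 - P).
    Only correct when no basic event appears more than once in the tree."""
    if isinstance(node, str):
        return p[node]
    gate, *children = node
    probs = [gate_by_gate_probability(c, p) for c in children]
    return math.prod(probs) if gate == "AND" else 1.0 - math.prod(1.0 - q for q in probs)

def top_event_probability(mcs, p):
    """P(top) = P(union of the minimal cut sets), by inclusion-exclusion over independent
    basic events. A repeated event is counted once per union, so this is exact even when
    the same event sits in several cut sets."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            total += (-1) ** (k + 1) * math.prod(p[e] for e in events)
    return total

def rare_event_approximation(mcs, p):
    """Sum of the cut set probabilities: the small-probability shortcut from the series slide."""
    return sum(math.prod(p[e] for e in cs) for cs in mcs)

# Constructed tree. Top event: reactor high temperature safety function fails.
TOP = ("AND",
       "CW",                                 # loss of cooling water (the process upset)
       ("OR", "TS", "ALH", "OP"),            # operator does not restore cooling: temperature
                                             #   sensor fails, OR alarm horn fails, OR operator ignores alarm
       ("OR", "TS", "SDL"))                  # automatic shutdown fails: the SAME sensor fails,
                                             #   OR the shutdown logic fails
P = {"CW": 0.1, "TS": 0.01, "ALH": 0.01, "OP": 0.25, "SDL": 0.01}   # constructed values

def analyse(tree=TOP, p=P):
    """Return (minimal cut sets, exact P(top), naive gate-by-gate P(top), rare-event sum)."""
    mcs = minimal_cut_sets(tree)
    return mcs, top_event_probability(mcs, p), gate_by_gate_probability(tree, p), rare_event_approximation(mcs, p)

if __name__ == "__main__":
    mcs, exact, naive, rare = analyse()
    for cs in mcs:
        print("minimal cut set:", sorted(cs), " P =", math.prod(P[e] for e in cs))
    print(f"P(top) exact via cut sets = {exact:.6g}")
    print(f"P(top) rare-event sum     = {rare:.6g}")
    print(f"P(top) naive gate-by-gate = {naive:.6g}   (treats the shared sensor TS as two independent events)")
```

The smallest cut set, {CW, TS}, is the single-sensor common cause: it alone contributes 0.001 to the top event, and the naive gate-by-gate value of about 0.00053 is less than half the exact 0.00125 because it multiplies the sensor's failure probability with itself.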
-
Advantages of FTA
Plus points of FTA:
Deals well with parallel, redundant or alternative fault paths.
Searches for possible causes of an end effect which may not have been foreseen.
The cut sets derived in FTA can give enormous insight into the various ways the top event occurs.
Very useful tool for focused analysis where analysis is required for one or two major outcomes.
-
Disadvantages of FTA
Minus points of FTA:
Requires a separate fault tree for each top event, which makes it difficult to analyze complex systems.
Fault trees developed by different individuals are usually different in structure, producing different cut set elements and results.
The same event may appear in different parts of the tree, leading to some initial confusion.
-