System Safety: M11 Event Tree Analysis V1.3
Matthew Squair
UNSW@Canberra
15 October 2015
1 Matthew Squair M11 Event Tree Analysis V1.3
Except for images whose sources are specifically identified, this copyright work is licensed under a Creative Commons Attribution-Noncommercial, No-derivatives 4.0 International licence.
To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/
1 Introduction
2 Overview
3 Methodology
4 Limitations, advantages and disadvantages
5 Conclusions
6 Further reading
Introduction
Learning outcomes
The student is able to appropriately apply common cause analysis methods as part of a hazard analysis
For a nominated initiating event the student will be able to identify and prepare event sequences that lead to hazards
The student will understand the strengths and weaknesses of the method
Overview
Overview
Although event trees were first described by the physicist Christiaan Huygens in the 17th century, their initial use in safety analysis was the WASH-1400 NRC report on the safety of nuclear power plants [NRC 1975]
The potential hazardous trigger event is known as the initiator.
Event trees are an inductive, forward logic (known cause, unknown result) technique which examines all possible responses to the initiating event
They are portrayed as:
Progressing left (initiator) to right (end states)
Branches of the tree represent success or failure
Think of Blaise Pascal’s parallel worlds
Event tree example 1: Reactor core breach [NRC 1975]
Figure: WASH-1400 Example Event Tree (Executive report Fig 4-3)
Example 2: Fire modelling
Fire modelling is a classic challenge/response analysis problem that ETs are useful for
Key definitions
Branch point (alt. node, vertex). A point at which the success or failure of the system is evaluated and a quantitative probability assigned to each leg. These numbers may be assigned through statistical data, formal analysis via fault tree, or simply reflect our confidence as to which assumption is more likely
End state. End states define the outcomes relative to measures of success or failure for each event sequence
Initiating event. A postulated event that could occur within the system or its environment. The initiating event creates a disturbance in the system that has the potential to lead to a loss event, depending on the degree of successful response of various components within the system
Event tree analysis and the system lifecycle
Methodology
1 Select initiating events
2 Bin the events list (optional)
3 Define safety functions required to mitigate the event
ab initio for a new design
Infer from the existing components/systems for an existing design
4 Organise functions according to their time of intervention
5 Define success/failure states for each function
6 Prune tree to remove legs which are functionally dependent on another function occurring, where it has not occurred
7 Replace functions with system components
8 Prune tree again based on physical/functional dependencies of components
Selecting the Initiating Event
Usually done in three steps
1 Identify candidate events
Review published studies, journals, accident reports etc.
Facility/system accident reports
2 Review of all components for a system
Determine if a failure or set of failures could cause a critical event or mishap
3 Review operating experience for the system
Review plant history to ensure field experience is accounted for
Don't forget external events (flood, fire etc.)
Binning the analysis
One event tree is prepared for each initiating event considered
This limits how many initiating events can be considered
The workaround is to bin like events: we group similar initiating events in bins on the basis of similar end effect or system response (discretizing the distribution)
Investigate one representative initiating event for each bin in detail
Class discussion. What effect could 'binning' have upon modelling uncertainty?
Event trees
A general event tree models all credible outcomes; each path is then traced to eventual success or failure
In practice we simplify to a Bernoulli process
Syntax and semantics
Tree (in the graph theoretic sense)
Bernoulli process - only two out paths from any vertex (node)
Success paths are the upper path, failure down
P_T = P_S + P_F = 1
A fault tree may be attached to the node to estimate PF
Event tree with developed fault trees [NRC 1975]
Event trees
System failure probabilities P_f can be evaluated by quantifying the relevant fault tree associated with each node
1 − P_f then gives the likelihood of passing along the system success branch
'Strong' dependencies, when P(A|B) = 1 or P(A|B) = 0 for the system A event following the system B event, can also be incorporated in this basic approach
Example event tree - Flood control [Clemens 2002]
Example
A compartment contains control equipment & is protected against flooding by the system shown on the following slide. Rising flood waters close float switch S, powering pump P from a UPS. A klaxon K is also sounded, alerting operators to perform manual bailing B if the pump fails. Either pumping or bailing will dewater the compartment. Assume flooding has commenced, and analyse the responses of the dewatering system
Simplifying Assumptions:
Power is available full time
Treat only the four system components S, P, K, and B
Consider operator error as included in the bailing function, B
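The following is an added worked example, not code from the lecture or from Clemens' text. It walks the flood control problem above through the methodology steps (functions ordered by time of intervention, Bernoulli branch points, pruning of legs whose precursor did not occur, success/failure end states, then path sets and cut sets from the resulting sequences). The failure probabilities are constructed placeholders, and the success criterion (dewatered if S and P work, or if S, K and B work) and the precursor relations (P and K need S; B needs K) are my reading of the problem statement, not values taken from the slides.

```python
import itertools
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed failure probabilities for the four components (placeholders for
# this example, not the figures from Clemens' worked example).
P_FAIL = {"S": 0.01, "P": 0.05, "K": 0.02, "B": 0.10}

# Step 4: functions ordered by time of intervention. Steps 6/8: what each
# function needs to have happened before it can act (a failed precursor means
# the leg is pruned rather than branched). Assumed from the problem statement.
ORDER = ["S", "P", "K", "B"]
DEPENDS_ON = {"S": [], "P": ["S"], "K": ["S"], "B": ["K"]}

Outcome = Dict[str, bool]                # function -> True (success) / False (failure)
Sequence = Tuple[Outcome, float, bool]   # (outcomes, probability, dewatered?)


def dewatered(outcome: Outcome) -> bool:
    """Step 5 success criterion: pump path (S and P) or bail path (S and K and B)."""
    return outcome["S"] and (outcome["P"] or (outcome["K"] and outcome["B"]))


def _decided(partial: Outcome, remaining: List[str]) -> Optional[bool]:
    """True/False if every completion of the remaining functions gives the same
    end state (so further branching would be pointless), else None."""
    results: Set[bool] = set()
    for bits in itertools.product([True, False], repeat=len(remaining)):
        results.add(dewatered({**partial, **dict(zip(remaining, bits))}))
    return results.pop() if len(results) == 1 else None


def _walk(partial: Outcome, idx: int, prob: float) -> Iterator[Sequence]:
    remaining = ORDER[idx:]
    decided = _decided(partial, remaining)
    if decided is not None:
        yield dict(partial), prob, decided
        return
    fn = remaining[0]
    if all(partial.get(d, False) for d in DEPENDS_ON[fn]):
        # Bernoulli branch point: success leg (upper) then failure leg (lower)
        yield from _walk({**partial, fn: True}, idx + 1, prob * (1 - P_FAIL[fn]))
        yield from _walk({**partial, fn: False}, idx + 1, prob * P_FAIL[fn])
    else:
        # precursor did not occur: the function cannot act, so no branch is drawn
        yield from _walk({**partial, fn: False}, idx + 1, prob)


def sequences() -> List[Sequence]:
    """All event sequences from the initiator 'flooding commenced' to an end state."""
    return list(_walk({}, 0, 1.0))


def end_state_probabilities() -> Dict[str, float]:
    totals = {"dewatered": 0.0, "flooded": 0.0}
    for _, prob, ok in sequences():
        totals["dewatered" if ok else "flooded"] += prob
    return totals


def _challenged_with(outcome: Outcome, result: bool) -> frozenset:
    # Only count functions that were actually challenged (their precursors succeeded)
    return frozenset(fn for fn, ok in outcome.items()
                     if ok == result and all(outcome.get(d, False) for d in DEPENDS_ON[fn]))


def _minimal(sets: Set[frozenset]) -> Set[frozenset]:
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_path_sets() -> Set[frozenset]:
    """Success sequences -> the components that had to work (the RBD path sets)."""
    return _minimal({_challenged_with(o, True) for o, _, ok in sequences() if ok})


def minimal_cut_sets() -> Set[frozenset]:
    """Failure sequences -> component failures that flood the compartment (fault tree cut sets)."""
    return _minimal({_challenged_with(o, False) for o, _, ok in sequences() if not ok})


if __name__ == "__main__":
    for outcome, prob, ok in sequences():
        legs = " ".join(f"{fn}{'+' if res else '-'}" for fn, res in outcome.items())
        print(f"{legs:<14} P={prob:.6f} -> {'dewatered' if ok else 'FLOODED'}")
    print(end_state_probabilities())
    print("path sets:", [sorted(s) for s in minimal_path_sets()])
    print("cut sets:", [sorted(s) for s in minimal_cut_sets()])
```

With these placeholder numbers the tree has five sequences, two of them successful. The end-state probabilities sum to 1 (a useful sanity check on any pruned tree), the path sets {S, P} and {S, K, B} reproduce the derived RBD, and the cut sets {S}, {P, K} and {P, B} are the ones the fault tree transformation on the later slides arrives at.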
Example event tree - Flood control (Schematic)
Flood control (Functional Event Tree)
Flood control (Equipment Event Tree)
Flood control (Probabilities)
Flood control (Derived RBD)
Flood control (Path sets)
Example event tree - Flood control (Cut sets)
Example event tree - Flood control (Fault Tree)
Event Tree to Fault Tree transformation
As the preceding examples illustrate, it is possible to convert between ET, FT and RBD forms
Figure: Event tree to Fault tree transforms [Clemens 2002]
Dependency in Event Trees
Event tree calculation implicitly assumes independence of branch point events
It does not address common cause effects due to dependencies amongst the branch point events
This is not a problem for 'strong' dependencies, as these can be modelled in directly
It is a problem when we have 'weak' dependencies, i.e. common basic events, such as common cause failures, in more than one of the fault trees which develop the branch points
This is a non-trivial effect, i.e. we can reasonably expect it to occur in practice, and it can significantly affect results
The effect of dependencies can be evaluated via linked fault trees and application of the inclusion/exclusion principle
Dependency in Event Trees (continued)
Large errors can be introduced even for small problems
These inaccuracies will not be consistent across the outcome events, because each leg may contain more (or fewer) coherent elements
Options for handling weak dependencies
Identify the accuracy of your analysis
Fault tree with boundary conditions. If the dependencies are simple, split out the common item as a separate system and revise the event tree to reflect the success/failure of that system as a precursor to both the dependent systems
Fault tree link. Model dependencies using fault trees that follow the logic of the top level event tree. Not taught in this course
Binary Decision Diagrams (BDDs). Use to evaluate the top level event rates for coherent and non-coherent fault trees. Not taught in this course
Question: In our original event tree analysis what other common item(s) were there?
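An added example (not from the lecture) to make the 'weak' dependency point concrete and to show the boundary-condition remedy from the list above. Two branch-point fault trees A and B are constructed so that they share one basic event c (think of a supply both systems draw on); a1, b1 and c and their probabilities are placeholders I have chosen. The same failure sequence is quantified three ways: by the plain event tree arithmetic that treats the branch points as independent, by evaluating the linked fault trees on a common basic-event state (which is what the inclusion/exclusion calculation gives), and by splitting c out as a precursor branch and quantifying the dependent trees with c fixed.

```python
import itertools
from typing import Callable, Dict, Iterator, List, Tuple

State = Dict[str, bool]            # basic event name -> True if it has occurred
Sequence = List[Tuple[str, bool]]  # [(system, True = failure leg / False = success leg), ...]

# Constructed basic-event probabilities (placeholders for this example).
P_BASIC = {"a1": 0.05, "b1": 0.05, "c": 0.01}

# Branch-point fault trees written as top-event functions of the basic events.
# 'c' appears in both trees: a common basic event, i.e. a 'weak' dependency
# between the two branch points that the event tree itself cannot see.
FAULT_TREES: Dict[str, Callable[[State], bool]] = {
    "A": lambda s: s["a1"] or s["c"],
    "B": lambda s: s["b1"] or s["c"],
}


def _states(basic: Dict[str, float]) -> Iterator[Tuple[State, float]]:
    """Every combination of basic-event states with its probability (basic events independent)."""
    names = list(basic)
    for bits in itertools.product([False, True], repeat=len(names)):
        prob = 1.0
        for name, occurred in zip(names, bits):
            prob *= basic[name] if occurred else 1.0 - basic[name]
        yield dict(zip(names, bits)), prob


def _top_event_prob(system: str, fixed: State, free: Dict[str, float]) -> float:
    """P(top event) of one fault tree with some basic events fixed and the rest free."""
    return sum(p for st, p in _states(free) if FAULT_TREES[system]({**st, **fixed}))


def sequence_prob_independent(seq: Sequence) -> float:
    """Plain event-tree arithmetic: quantify each branch point's fault tree on its own
    and multiply the leg probabilities, i.e. assume the branch points are independent."""
    prob = 1.0
    for system, failed in seq:
        pf = _top_event_prob(system, {}, P_BASIC)
        prob *= pf if failed else 1.0 - pf
    return prob


def sequence_prob_linked(seq: Sequence) -> float:
    """Linked fault trees: evaluate every branch-point tree on the same basic-event
    state, so a shared basic event is counted once (the exact, inclusion/exclusion result)."""
    return sum(p for st, p in _states(P_BASIC)
               if all(FAULT_TREES[system](st) == failed for system, failed in seq))


def sequence_prob_conditioned(seq: Sequence, common: str = "c") -> float:
    """'Fault tree with boundary conditions': split the common item out as a precursor
    branch, quantify the dependent trees with it fixed, then recombine the two legs."""
    free = {k: v for k, v in P_BASIC.items() if k != common}
    total = 0.0
    for occurred in (True, False):
        prob = P_BASIC[common] if occurred else 1.0 - P_BASIC[common]
        for system, failed in seq:
            pf = _top_event_prob(system, {common: occurred}, free)
            prob *= pf if failed else 1.0 - pf
        total += prob
    return total


def compare(seq: Sequence) -> Dict[str, float]:
    return {
        "independent": sequence_prob_independent(seq),
        "linked": sequence_prob_linked(seq),
        "conditioned": sequence_prob_conditioned(seq),
    }


if __name__ == "__main__":
    for seq in ([("A", True), ("B", True)], [("A", True), ("B", False)]):
        print(seq, {k: round(v, 6) for k, v in compare(seq).items()})
```

For the 'both systems fail' sequence the independent calculation gives about 0.0035 while the linked trees give about 0.0125, a factor of 3.5 from a single shared basic event at 1% (the 'large errors even for small problems' point). The 'A fails, B succeeds' sequence moves the other way, which is the inconsistency across outcome events noted above. Conditioning on the common item reproduces the linked result exactly, because once c is fixed the remaining basic events really are independent.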
Mission modelling
A lot of systems we're interested in don't exist in a single state; they have a defined set of mission phases, stages or modes
Event trees are useful in modelling these phases:
Mission success represents passing to the next phase/mode
Partial mission capability can also be modelled
Extreme events terminate the mission in that phase
Modelling system missions (ESDs)
Event Sequence Diagrams (ESDs) are an extension to the Event Tree grammar developed to model these phases
Mission success represents passing to the next phase/mode
Partial mission capability can also be modelled (returns to success path)
Extreme events terminate the mission in that phase
ESDs are near equivalent to ETs, and somewhat easier for non-specialists to review
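An added example, not from the lecture or from Fragola's Mars sample return study, of the three ESD semantics just listed: a nominal phase outcome passes to the next phase, a degraded outcome returns to the success path with partial capability, and an extreme event terminates the mission in that phase. The phase names and the per-phase probabilities are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Constructed per-phase outcome probabilities (placeholders, not Fragola's figures).
# Outcomes per phase: nominal (pass to the next phase), degraded (continue with
# partial capability, i.e. return to the success path) and loss (terminate here).
Phase = Tuple[str, Dict[str, float]]
PHASES: List[Phase] = [
    ("launch",  {"nominal": 0.97, "degraded": 0.02,  "loss": 0.01}),
    ("cruise",  {"nominal": 0.98, "degraded": 0.015, "loss": 0.005}),
    ("landing", {"nominal": 0.95, "degraded": 0.03,  "loss": 0.02}),
    ("return",  {"nominal": 0.96, "degraded": 0.02,  "loss": 0.02}),
]


def check_phases(phases: List[Phase] = PHASES) -> bool:
    """Each phase's three outcomes must be exhaustive (sum to 1)."""
    return all(abs(sum(p.values()) - 1.0) < 1e-9 for _, p in phases)


def walk_esd(phases: List[Phase] = PHASES) -> Dict[str, float]:
    """Walk the ESD phase by phase and accumulate the probability of each end state:
    'full success', 'partial success' (at least one degraded phase) or 'lost in <phase>'."""
    if not check_phases(phases):
        raise ValueError("phase outcome probabilities must sum to 1")
    end_states: Dict[str, float] = {}

    def add(key: str, prob: float) -> None:
        end_states[key] = end_states.get(key, 0.0) + prob

    def step(i: int, prob: float, degraded: bool) -> None:
        if i == len(phases):                        # mission complete
            add("partial success" if degraded else "full success", prob)
            return
        name, p = phases[i]
        step(i + 1, prob * p["nominal"], degraded)  # pass to the next phase
        step(i + 1, prob * p["degraded"], True)     # continue with reduced capability
        add(f"lost in {name}", prob * p["loss"])    # extreme event: terminate in this phase

    step(0, 1.0, False)
    return end_states


def mission_survival(phases: List[Phase] = PHASES) -> float:
    """Probability the mission reaches the end of the last phase in any state."""
    return sum(p for k, p in walk_esd(phases).items() if not k.startswith("lost"))


if __name__ == "__main__":
    for state, prob in sorted(walk_esd().items(), key=lambda kv: -kv[1]):
        print(f"{state:<18} {prob:.6f}")
    print("survival:", round(mission_survival(), 6))
```

The end-state table this produces (full success, partial success, and a loss probability attributed to each phase) is the information an ESD conveys to a reviewer: where in the mission the risk sits, not just the overall loss figure. Because degraded outcomes rejoin the success path, the per-phase branching is no longer Bernoulli, which is the main way the ESD grammar departs from the two-leg event tree.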
Example Mission ESD (Mars sample return)
Limitations, advantages and disadvantages
Limitations of the method
Operating pathways must be anticipated
Partial successes/failures are not distinguishable
Difficult to order events if sequence is not obvious
Challenge & response model can skew safety towards a barrier approach
Can contain unseen weak dependencies
Advantages & disadvantages
Event trees have the following advantages:
End events need not be foreseen
Useful if the success criteria are complicated
Multiple failures can be analysed
Allows probabilistic calculations (easier if events are independent)
Potential single-point failures can be identified
System weaknesses can be identified
Good for evaluating the effectiveness of protection systems
Event trees have the following disadvantages:
You can end up with event tree lantana
Dealing with dependency adds complexity to the model
If the system behaviour is steady state the method may not be appropriate
Conclusions
Conclusions
Event trees are a standard safety analysis technique in the analysis of 'defence in depth' type systems, especially when combined with fault trees to become the probabilistic risk assessment technique
Like fault trees they can become very complex, very quickly, so planning and managing the model can be a significant part of the analysis task
Dependencies need to be identified and accounted for as part of the analysis
Further reading
Bibliography
[NRC 1975] Nuclear Regulatory Commission (NRC) (1975), WASH-1400 (NUREG-75/014), Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants.
[Clemens 2002] Clemens, P.L., (2002) Event Tree Analysis, 2nd Ed.
[CPS 1992] Center for Process Safety (CPS), (1992) Guidelines for Hazard Evaluation Procedures, 2nd Ed. with Worked Examples (pp 461), American Institute of Chemical Engineers, 1992.
[Fragola 2001] Fragola, J.R., (2001) Mars Sample Return PRA, Presented at The 2nd NASA PRA Workshop, University of Virginia, Charlottesville, VA, 19-21 June.
[Henley 1981] Henley, E.J., Kumamoto, H., (1981) Reliability Engineering and Risk Assessment (pp 568).
[Lees 1996] Lees, F.P., (1996) Loss Prevention in the Process Industries, (pp 1,316),2nd Ed.