Chapter 11 Risk Assessment


  • 7/30/2019 Chapter 11 Risk Assessment

    1/46

Chapter 11. RISK ASSESSMENT


Introduction

Risk assessment has two parts:

Incident identification: how the accident occurs (analysis of probability)

Consequence analysis: expected damage (loss of life, damage, days of outage)

This chapter discusses

1. A review of probability mathematics

2. How the failure probabilities of individual components contribute to the failure of the entire process

3. Two probabilistic methods:

Event tree

Fault tree


Probability Theory

Failure in a process occurs as a result of the interaction of the individual components; the overall probability depends on the nature of this interaction.

The average failure rate is expressed as faults/time: on average the component fails after a certain period of time.

The probability that the component will NOT fail during the time interval (0, t) is the reliability $R(t)$, given by the Poisson distribution.

As $t \to \infty$, $R(t)$ goes to 0, and a higher failure rate means a lower $R(t)$. The complement of the reliability is called the failure probability and is given by

$P(t) = 1 - R(t)$


Probability Theory

Failure density function: the derivative of the failure probability $P(t)$ with respect to time.

The failure density function is used to determine the probability $P$ of at least one failure in the time period $t_0$ to $t_1$: integrate the failure density over that interval.


Probability Theory

MTBF: the time interval between two failures of the component is called the mean time between failures (MTBF) and is given by the reciprocal of the average failure rate.

Many components exhibit a bathtub failure rate: a high failure rate early in life (infant mortality), a low and roughly constant rate during most of the service life, and a rising rate as the component wears out. The constant-rate middle region is where the Poisson model above applies.


Probability Theory

Interaction between process units

Parallel: process failure requires the simultaneous failure of a number of components in parallel. The failure probabilities of the individual components must be multiplied (parallel probability):

$P = \prod_{i=1}^{n} P_i$

where $n$ is the total number of components and $P_i$ is the failure probability of each component.

Total reliability for parallel units:

$R = 1 - \prod_{i=1}^{n} (1 - R_i)$

where $R_i$ is the reliability of an individual process component.

Parallel is represented by the logical AND gate function.


Probability Theory

Interaction between process units

Series: failure of any single component in the series of components will result in failure of the process. Represented by the logical OR function.

The overall process reliability is found by multiplying the reliabilities of the individual components:

$R = \prod_{i=1}^{n} R_i$

The overall failure probability is

$P = 1 - R = 1 - \prod_{i=1}^{n} (1 - P_i)$


Probability Theory

Interaction between process units

Series: for a system composed of two components A and B,

$P = 1 - (1 - P_A)(1 - P_B) = P_A + P_B - P_A P_B$

If the failure probabilities are small, the product term can be neglected. For this special case

$P \approx P_A + P_B$

The product term $P_A P_B$ compensates for counting the overlapping cases (both A and B failed) twice.
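The formulas on slides 3 to 8 (reliability, failure probability and density, MTBF, and the series/parallel combination rules) carried through in code. This is an added example, not code from the slides. It assumes the constant-failure-rate exponential model behind the Poisson statement, $R(t) = e^{-\mu t}$, and names the failure rate $\mu$ (a symbol that did not survive on the page); the numerical values are constructed.

```python
"""Reliability arithmetic for a constant failure rate, and series/parallel
combination of components.  Added example, not the slides' code.

Assumed model: R(t) = exp(-mu * t), mu = average failure rate (faults/time);
this is the Poisson/exponential result the slides refer to.  The sample
values in the demo are constructed.
"""
import math
from typing import Callable, Sequence


def reliability(mu: float, t: float) -> float:
    """R(t): probability that the component does NOT fail in (0, t)."""
    return math.exp(-mu * t)


def failure_probability(mu: float, t: float) -> float:
    """P(t) = 1 - R(t): the complement of the reliability."""
    return 1.0 - reliability(mu, t)


def failure_density(mu: float, t: float) -> float:
    """f(t) = dP/dt = mu * exp(-mu * t)."""
    return mu * math.exp(-mu * t)


def midpoint_integral(func: Callable[[float], float], a: float, b: float,
                      steps: int = 10_000) -> float:
    """Midpoint-rule quadrature; accurate enough for smooth exponentials."""
    h = (b - a) / steps
    return h * sum(func(a + (k + 0.5) * h) for k in range(steps))


def prob_at_least_one_failure(mu: float, t0: float, t1: float) -> float:
    """Integrate the failure density over [t0, t1]; equals P(t1) - P(t0)."""
    return midpoint_integral(lambda t: failure_density(mu, t), t0, t1)


def mtbf(mu: float) -> float:
    """Mean time between failures = 1/mu (= integral of R(t) over 0..infinity)."""
    return 1.0 / mu


def mtbf_numeric(mu: float, t_max: float = 100.0) -> float:
    """MTBF recovered by integrating R(t); t_max must be much larger than 1/mu."""
    return midpoint_integral(lambda t: reliability(mu, t), 0.0, t_max, steps=100_000)


# Parallel units (logical AND): the process fails only if ALL components fail.
def parallel_failure_probability(ps: Sequence[float]) -> float:
    return math.prod(ps)


def parallel_reliability(rs: Sequence[float]) -> float:
    return 1.0 - math.prod(1.0 - r for r in rs)


# Series units (logical OR): the process fails if ANY component fails.
def series_reliability(rs: Sequence[float]) -> float:
    return math.prod(rs)


def series_failure_probability(ps: Sequence[float]) -> float:
    return 1.0 - math.prod(1.0 - p for p in ps)


def two_in_series(p_a: float, p_b: float, neglect_product: bool = False) -> float:
    """Exact: P_A + P_B - P_A*P_B.  Small-probability approximation: P_A + P_B."""
    return p_a + p_b if neglect_product else p_a + p_b - p_a * p_b


if __name__ == "__main__":
    mu = 0.5   # constructed: 0.5 faults/yr, i.e. an MTBF of 2 yr
    print(f"R(2 yr) = {reliability(mu, 2):.4f}, P(2 yr) = {failure_probability(mu, 2):.4f}")
    print(f"P(at least one failure in yr 1..2) = {prob_at_least_one_failure(mu, 1, 2):.4f}")
    print(f"MTBF = {mtbf(mu):.3f} yr (numeric check {mtbf_numeric(mu):.3f})")
    # Two components with mission failure probabilities 0.1 and 0.2 (constructed)
    print(f"series (OR) failure   = {series_failure_probability([0.1, 0.2]):.3f}")
    print(f"parallel (AND) failure = {parallel_failure_probability([0.1, 0.2]):.3f}")
    print(f"two in series: exact {two_in_series(0.1, 0.2):.3f}, "
          f"approx {two_in_series(0.1, 0.2, neglect_product=True):.3f}")
```

The series approximation overstates the failure probability by exactly the product term, so it is conservative; for the 0.1 and 0.2 pair the error is 0.02, but for components with per-demand failure probabilities around 0.01 it is negligible, which is why the event-tree arithmetic later in the chapter can add sequence frequencies directly.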


Revealed and Unrevealed Failure

Revealed failure: a failure that is immediately obvious, e.g. a flat tire on a car.

$\tau_0 + \tau_r = \text{MTBF}$

The time that the component is operational is called the period of operation and is denoted by $\tau_0$. After a failure occurs, a period of time called the period of inactivity or downtime ($\tau_r$) is required to repair the component.


Revealed Failure

For revealed failures the period of inactivity or downtime for a particular component is computed by averaging the inactive periods over a number of failures:

$\tau_r = \frac{1}{n}\sum_{i=1}^{n} \tau_{r,i}$

where $n$ is the number of times the failure or inactivity occurred and $\tau_{r,i}$ is the period of repair for a particular failure.

Similarly, the time before failure or period of operation is given by

$\tau_0 = \frac{1}{n}\sum_{i=1}^{n} \tau_{0,i}$

So the mean time between failures is $\text{MTBF} = \tau_0 + \tau_r$.


Revealed Failure

Availability: the probability that the component is found functioning.

Unavailability: the probability that the component or process is found not functioning.

For revealed failures,

$A = \frac{\tau_0}{\tau_0 + \tau_r}, \qquad U = \frac{\tau_r}{\tau_0 + \tau_r}, \qquad A + U = 1$


Unrevealed Failure

For unrevealed failures, if $\tau_u$ is the average period of unavailability during the inspection interval and $\tau_i$ is the inspection interval, then

$U = \frac{\tau_u}{\tau_i}$

The average period of unavailability is computed from the failure probability $P(t)$, integrated over the inspection interval:

$\tau_u = \int_0^{\tau_i} P(t)\,dt$

For unrevealed failures with a small failure rate, $U$ therefore grows in proportion to the inspection interval: halving $\tau_i$ (proof-testing twice as often) halves the unavailability.


Probability of coincidence

A dangerous process episode occurs when a process upset occurs and the emergency system is unavailable. This requires a coincidence of events.

Assume that a dangerous process episode occurs $P_d$ times in the interval $T_i$. The frequency of this episode is given by

$\frac{P_d}{T_i}$

For an emergency system with unavailability $U$, a dangerous situation will occur when the process episode occurs and the emergency system is unavailable. This happens $P_d U$ times per interval, so the average frequency of dangerous coincidences is

$\frac{P_d U}{T_i}$


Probability of coincidence

The mean time between coincidences (MTBC) is the reciprocal of the average frequency of dangerous coincidences:

$\text{MTBC} = \frac{T_i}{P_d U}$
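The revealed-failure averages, the unrevealed-failure integral and the MTBC of slides 9 to 14, worked through in code. This is an added example, not the slides' code. The symbols follow the slides ($\tau_0$, $\tau_r$, $\tau_u$, $\tau_i$, $U$, $P_d$, $T_i$); the failure rate $\mu$ and the exponential failure probability $P(t) = 1 - e^{-\mu t}$ used to evaluate the integral are the standard textbook assumptions, and the maintenance records in the demo are constructed.

```python
"""Availability for revealed and unrevealed failures, and the mean time between
coincidences (MTBC).  Added example, not the slides' code.

Assumptions: constant failure rate mu with P(t) = 1 - exp(-mu t); the
operation/repair records and the protection-system figures are constructed.
"""
import math
from typing import Dict, Sequence


def revealed_failure_stats(operation_hours: Sequence[float],
                           repair_hours: Sequence[float]) -> Dict[str, float]:
    """Revealed failure: each fault is noticed at once and repaired.
    tau_0 and tau_r are averages over the n observed failures."""
    if not operation_hours or len(operation_hours) != len(repair_hours):
        raise ValueError("need one operation period per repair period")
    n = len(repair_hours)
    tau_0 = sum(operation_hours) / n
    tau_r = sum(repair_hours) / n
    mtbf = tau_0 + tau_r
    return {
        "tau_0": tau_0,
        "tau_r": tau_r,
        "MTBF": mtbf,
        "mu": 1.0 / mtbf,                 # average failure rate, faults/hour
        "A": tau_0 / (tau_0 + tau_r),     # availability
        "U": tau_r / (tau_0 + tau_r),     # unavailability
    }


def unrevealed_unavailability(mu: float, tau_i: float) -> Dict[str, float]:
    """Unrevealed failure: the fault is found only at the next inspection.
    tau_u = integral_0^tau_i P(t) dt with P(t) = 1 - exp(-mu t), and U = tau_u/tau_i.
    Closed form: tau_u = tau_i - (1 - exp(-mu tau_i))/mu; for mu*tau_i << 1 this
    reduces to tau_u ~ mu*tau_i^2/2, i.e. U ~ mu*tau_i/2."""
    tau_u = tau_i - (1.0 - math.exp(-mu * tau_i)) / mu
    return {
        "tau_u": tau_u,
        "U_exact": tau_u / tau_i,
        "U_approx": 0.5 * mu * tau_i,
    }


def coincidence(p_d: float, t_i: float, u: float) -> Dict[str, float]:
    """p_d dangerous episodes per interval t_i; emergency system unavailability u.
    A dangerous coincidence is an episode that finds the protection unavailable."""
    episode_freq = p_d / t_i              # dangerous episodes per unit time
    coincidence_freq = episode_freq * u   # the fraction u of them are unprotected
    return {
        "episode_freq": episode_freq,
        "coincidence_freq": coincidence_freq,
        "MTBC": 1.0 / coincidence_freq,   # = t_i / (p_d * u)
    }


if __name__ == "__main__":
    # Constructed maintenance log for a revealed-failure component (a pump):
    # three failures, each followed by a repair.
    ops = [900.0, 1100.0, 1000.0]   # hours run before each failure
    reps = [8.0, 12.0, 10.0]        # hours down for each repair
    rev = revealed_failure_stats(ops, reps)
    print(f"pump: MTBF={rev['MTBF']:.0f} h, A={rev['A']:.4f}, U={rev['U']:.4f}")

    # Constructed unrevealed-failure protection: a relief valve with
    # mu = 0.1 faults/yr, proof-tested once a year (tau_i = 1 yr).
    unr = unrevealed_unavailability(mu=0.1, tau_i=1.0)
    print(f"valve: U exact={unr['U_exact']:.4f}, approx mu*tau_i/2={unr['U_approx']:.4f}")
    half = unrevealed_unavailability(mu=0.1, tau_i=0.5)
    print(f"valve tested twice a year: U={half['U_exact']:.4f}")

    # Two dangerous upsets per year; protection unavailable 5% of the time.
    co = coincidence(p_d=2.0, t_i=1.0, u=unr["U_approx"])
    print(f"coincidences/yr={co['coincidence_freq']:.3f}, MTBC={co['MTBC']:.1f} yr")
```

The exact unrevealed $U$ is always slightly below the $\mu\tau_i/2$ approximation because $P(t)$ flattens as $t$ grows; the approximation is conservative and is the one normally used in the coincidence calculation.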


EVENT TREE ANALYSIS

Event tree analysis evaluates the potential accident outcomes that might result following an equipment failure or process upset known as an initiating event. It is a forward-thinking (inductive) process: the analyst begins with an initiating event and develops the following sequences of events that describe potential accidents, accounting for both the successes and failures of the safety functions as the accident progresses.


    Guidelines

    1. Identify an initiating event of interest.

    2. Identify the safety functions designed to

    deal with the initiating event.

    3. Construct the event tree.

    4. Describe the resulting accident event

    sequences.


Construction of the Event Tree

Enter the initiating event on the left-hand side.

List the functional responses chronologically.

Decide whether or not the success or failure of the function can or does affect the course of the accident.

If the answer is yes, the event tree is branched to distinguish between success and failure of the function; success always branches upward, failure downward. If the system function has no effect, the tree does not branch but proceeds to the next system function (to the right).


Step 1: Identify the initiating event

system or equipment failure

human error

process upset

[Example]

Loss of cooling water to an oxidation reactor


Step 2: Identify the Safety Functions Designed to Deal with the Initiating Event

Safety systems that automatically respond to the initiating event.

Alarms that alert the operator when the initiating event occurs, and operator actions designed to be performed in response to alarms or required by procedures.

Barriers or containment methods that are intended to limit the effects of the initiating event.


Example

The oxidation reactor high-temperature alarm alerts the operator at temperature T1.

The operator reestablishes cooling water flow to the oxidation reactor.

The automatic shutdown system stops the reaction at temperature T2, where T2 > T1.

These safety functions are listed in the order in which they are intended to occur.


Step 3: Construct the Event Tree

a. Enter the initiating event and safety functions.

[Figure: first step in constructing the event tree. Initiating event on the left: loss of cooling water to oxidation reactor. Safety function columns, left to right: oxidation reactor high temperature alarm alerts operator at temperature T1; operator reestablishes cooling water flow to oxidation reactor; automatic shutdown system stops reaction at temperature T2.]


Step 3: Construct the Event Tree

b. Evaluate the safety functions.

[Figure: representation of the first safety function. Same initiating event and columns as above; the path from the initiating event branches at the first safety function (high temperature alarm alerts operator at T1) into success (upward) and failure (downward).]


Step 3: Construct the Event Tree

b) Evaluate the safety functions (continued).

[Figure: representation of the second safety function. Each branch from the first function branches again at the second (operator reestablishes cooling water flow to oxidation reactor) into success (upward) and failure (downward); the third column (automatic shutdown system stops reaction at T2) is still unevaluated.]

If the safety function does not affect the course of the accident, the accident path proceeds with no branch point to the next safety function.


Step 3: b. Evaluate safety functions (completed).

[Figure: completed event tree. Initiating event: loss of cooling water to oxidation reactor. The path branches at each of the three safety functions (high temperature alarm alerts operator at T1; operator reestablishes cooling water flow; automatic shutdown system stops reaction at T2), success upward and failure downward, except where a function cannot affect the path.]


Step 4: Describe the Accident Sequences

[Figure: the completed event tree with its accident sequences labelled. Initiating event A: loss of cooling water to oxidation reactor. Safety functions: B, high temperature alarm alerts operator at temperature T1; C, operator reestablishes cooling water flow to oxidation reactor; D, automatic shutdown system stops reaction at temperature T2. Success branches upward, failure downward.]

Accident sequences (each letter after A names a safety function that failed):

A      Safe condition, return to normal operation
AC     Safe condition, process shutdown
ACD    Unsafe condition, runaway reaction, operator aware of problem
AB     Unstable condition, process shutdown
ABD    Unsafe condition, runaway reaction, operator unaware of problem


    Example Event Tree


Figure 11-8 Reactor with high temperature alarm and temperature controller.

[Figure: reactor feed enters the reactor; cooling water flows in through cooling coils and out. A thermocouple feeds both the high temperature alarm (TIA), which alarms at T > TA, and the temperature controller (TIC).]


Figure 11-9 Event tree for a loss of coolant accident for the reactor of Figure 11-8.

Initiating event A: loss of cooling, 1 occurrence/yr.

Safety function                    Identifier   Failures/demand
High temp alarm alerts operator    B            0.01
Operator notices high temp         C            0.25
Operator re-starts cooling         D            0.25
Operator shuts down reactor        E            0.1

C is branched only if the alarm B failed (otherwise the operator is already alerted); E is branched only if cooling was not restored (D failed).

Sequence   Occurrences/yr   Result
A          0.7425           Continue operation
AD         0.2227           Shut down
ADE        0.02475          Runaway
AB         0.005625         Continue operation
ABD        0.001688         Shut down
ABDE       0.0001875        Runaway
ABC        0.001875         Continue operation
ABCD       0.0005625        Shut down
ABCDE      0.0000625        Runaway

Branch frequencies shown on the tree (occurrences/yr): 0.99 and 0.01 after B; 0.2475 after D fails with B successful; 0.0075 and 0.0025 after C; 0.001875 and 0.000625 after D fails on the AB and ABC paths.

Continue operation = 0.7425 + 0.005625 + 0.001875 = 0.7500 occurrences/yr.

Shutdown = 0.2227 + 0.001688 + 0.0005625 = 0.2250 occurrences/yr.

Runaway = 0.02475 + 0.0001875 + 0.0000625 = 0.02500 occurrences/yr.


Figure 11-10 The computational sequence across a safety function in an event tree.

Initiating event: 0.5 occurrences/yr. Safety function: 0.01 failures/demand.

Success of safety function (upper branch): (1 - 0.01) * 0.5 = 0.495 occurrences/yr

Failure of safety function (lower branch): 0.01 * 0.5 = 0.005 occurrences/yr


Figure 11-11 Event tree for the reactor of Figure 11-8. This includes a high temperature shutdown system.

Initiating event A: loss of cooling, 1 occurrence/yr.

Safety function                    Identifier   Failures/demand
High temp alarm alerts operator    B            0.01
Operator notices high temp         C            0.25
Operator re-starts cooling         D            0.25
High temp shuts down reactor       E            0.01
Operator shuts down reactor        F            0.1

As in Figure 11-9, C is branched only if B failed; E is branched only if D failed, and F only if E also failed.

Sequence   Occurrences/yr   Result
A          0.7425           Continue operation
AD         0.2450           Shut down
ADE        0.002228         Shut down
ADEF       0.0002475        Runaway
AB         0.005625         Continue operation
ABD        0.001856         Shut down
ABDE       0.00001688       Shut down
ABDEF      0.000001875      Runaway
ABC        0.001875         Continue operation
ABCD       0.0006187        Shut down
ABCDE      0.00000563       Shut down
ABCDEF     0.000000625      Runaway

Branch frequencies shown on the tree (occurrences/yr): 0.99 and 0.01 after B; 0.2475 after D fails with B successful and 0.002475 after E then fails; 0.0075 and 0.0025 after C; 0.001875 and 0.000625 after D fails on the AB and ABC paths; 0.00001875 and 0.00000625 after E then fails on those paths.

Shutdown = 0.2450 + 0.002228 + 0.001856 + 0.00001688 + 0.0006187 + 0.00000563 = 0.2497 occurrences/yr.

Runaway = 0.0002475 + 0.000001875 + 0.000000625 = 0.0002500 occurrences/yr.

Adding the automatic high temperature shutdown reduces the runaway frequency from 0.025 to 0.00025 occurrences/yr, a factor of 100, while the continue-operation frequency (0.75/yr) is unchanged: the extra protection converts runaways into shutdowns.
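The quantification of Figures 11-9 and 11-11 as a small program: every path through the tree is walked, success branches are multiplied by (1 - failures/demand) and failure branches by failures/demand as in Figure 11-10, and the sequence frequencies are summed by result. This is an added example, not the textbook's code. The initiating-event frequency and the failures/demand values are those printed in the figures; the rule for which functions are skipped on a path (C only after B fails, the shutdown functions only after D fails, F only after E fails) is read off the figures.

```python
"""Quantifying the loss-of-cooling event trees of Figures 11-9 and 11-11.
Added example, not the textbook's code.  Frequencies and failures/demand are
the figures' values; the branching rules are read off the figures.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Failed = FrozenSet[str]


@dataclass(frozen=True)
class SafetyFunction:
    letter: str
    description: str
    pfd: float                                               # failures per demand
    applies: Callable[[Failed], bool] = lambda failed: True  # branch only if relevant


def quantify(init_freq: float, functions: List[SafetyFunction],
             outcome: Callable[[Failed], str]) -> Dict[str, Tuple[float, str]]:
    """Walk every path; key = 'A' + letters of the functions that failed."""
    sequences: Dict[str, Tuple[float, str]] = {}

    def walk(i: int, freq: float, failed: Failed) -> None:
        if i == len(functions):
            label = "A" + "".join(f.letter for f in functions if f.letter in failed)
            sequences[label] = (freq, outcome(failed))
            return
        fn = functions[i]
        if not fn.applies(failed):      # no effect on this path: no branch, move right
            walk(i + 1, freq, failed)
            return
        walk(i + 1, freq * (1.0 - fn.pfd), failed)                   # success, upward
        walk(i + 1, freq * fn.pfd, failed | frozenset({fn.letter}))  # failure, downward

    walk(0, init_freq, frozenset())
    return sequences


def totals(sequences: Dict[str, Tuple[float, str]]) -> Dict[str, float]:
    """Occurrences/yr of each result, summed over all sequences."""
    out: Dict[str, float] = {}
    for freq, result in sequences.values():
        out[result] = out.get(result, 0.0) + freq
    return out


def reactor_outcome(failed: Failed, shutdown_letters: List[str]) -> str:
    if "D" not in failed:
        return "Continue Operation"       # cooling restored
    if all(s in failed for s in shutdown_letters):
        return "Runaway"                  # nothing stopped the reaction
    return "Shut Down"


def figure_11_9() -> Dict[str, Tuple[float, str]]:
    fns = [
        SafetyFunction("B", "High temp alarm alerts operator", 0.01),
        SafetyFunction("C", "Operator notices high temp", 0.25, lambda f: "B" in f),
        SafetyFunction("D", "Operator re-starts cooling", 0.25),
        SafetyFunction("E", "Operator shuts down reactor", 0.10, lambda f: "D" in f),
    ]
    return quantify(1.0, fns, lambda f: reactor_outcome(f, ["E"]))


def figure_11_11() -> Dict[str, Tuple[float, str]]:
    fns = [
        SafetyFunction("B", "High temp alarm alerts operator", 0.01),
        SafetyFunction("C", "Operator notices high temp", 0.25, lambda f: "B" in f),
        SafetyFunction("D", "Operator re-starts cooling", 0.25),
        SafetyFunction("E", "High temp shuts down reactor", 0.01, lambda f: "D" in f),
        SafetyFunction("F", "Operator shuts down reactor", 0.10, lambda f: "E" in f),
    ]
    return quantify(1.0, fns, lambda f: reactor_outcome(f, ["E", "F"]))


if __name__ == "__main__":
    for name, seqs in (("Figure 11-9", figure_11_9()), ("Figure 11-11", figure_11_11())):
        print(name)
        for label, (freq, result) in seqs.items():
            print(f"  {label:<7} {freq:<12.7g} {result}")
        print("  totals:", {k: round(v, 6) for k, v in totals(seqs).items()})
```

Because each sequence label records exactly which functions failed, the labels match the figures (A, AD, ADE, ... ABCDEF) and the per-result totals reproduce the sums printed under them; the three totals always add up to the initiating-event frequency, which is a quick consistency check on any hand-drawn tree.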


What is Fault Tree Analysis?

Fault Tree Analysis (FTA) is one of several deductive logic model techniques, and one of the most common hazard identification tools.

The deduction begins with a stated top-level hazardous/undesired event.

It uses logic diagrams and Boolean algebra to identify single events and combinations of events that could cause the top event.

Probability of occurrence values are assigned to the lowest events in the tree in order to obtain the probability of occurrence of the top event.


Fault tree main symbols

Commonly used symbols: OR gate, AND gate, an event / fault, basic event.

Occasionally used symbols: incomplete (undeveloped) event, external event, inhibit gate.


FTA Symbols Explained

Basic Event: a lowest-level event that cannot be developed further. E.g. relay failure, switch failure.

An Event / Fault: can be an intermediate event or the top event. It is the result of a logical combination of lower-level events. E.g. both transmitters fail, runaway reaction.

OR Gate: any one of the bottom events results in occurrence of the top event. E.g. either one of the root valves is closed, or the process signal to the transmitter fails.

AND Gate: for the top event to occur, all of the bottom events must occur. E.g. fuel, oxygen and an ignition source all have to be present for a fire.


FTA Symbols Explained

Incomplete (undeveloped) Event: an event which has scope for further development but is not developed, usually because of insufficient data. E.g. software malfunction, human error.

External Event: an event external to the system. E.g. fire.

Inhibit Gate: the top event occurs only if the bottom event occurs and the inhibit condition is true. E.g. a false trip of a unit under maintenance occurs only if the maintenance override is not ON.


Procedure

Procedure for Fault Tree Analysis:

1. Define the TOP event.

2. Define the overall structure.

3. Explore each branch in successive levels of detail.

4. Solve the fault tree.

5. Perform corrections if required and make decisions.


Procedure

Define the Top Event: use the PHA, P&IDs, process description etc. to define the top event.

If it is too broad, an overly large FTA will result. E.g. "Fire in process".

If it is too narrow, the exercise will be costly for the insight gained. E.g. "Leak in the valve".

The boundary for the top event definition can be a system, sub-system, unit, item of equipment or a function.

Some good examples are: overpressure in vessel V1, motor fails to start, reactor high temperature safety function fails.




Procedure

Explore each branch in successive levels of detail:

Continue the top-down process until the root cause for each branch is identified and/or until further decomposition is considered unnecessary.

So each branch will end with a basic event or an undeveloped event.

Consider common cause failures and systematic failures in the process of decomposition: a single basic event (a shared sensor, a shared power supply) that appears under several branches defeats apparent redundancy.

A good guide to stop decomposing is to go no further than the physical or functional bounds set by the top event.



Procedure

Solve the Fault Tree:

Assign probabilities of failure to the lowest-level event in each branch of the tree.

From these data the intermediate event frequency and the top-level event frequency can be determined using Boolean algebra and minimal cut set methods.


Procedure

Minimal Cut Set theory:

The fault tree consists of many levels of basic and intermediate events linked together by AND and OR gates.

Some basic events may appear in different places of the fault tree.

The minimal cut set analysis provides a new fault tree, logically equivalent to the original, with an OR gate beneath the top event whose inputs (bottom) are the minimal cut sets.

Each minimal cut set is an AND gate with a set of basic event inputs necessary and sufficient to cause the top event.
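The "solve the fault tree" and minimal cut set steps above, carried out on a small tree. This is an added example, not the slides' code. The tree, its basic events (TC, AL, OP, SV) and their probabilities are constructed; the top event, "reactor high temperature safety function fails", is one of the top events the slides suggest. The thermocouple TC is deliberately shared by the alarm path and the automatic shutdown path, so it appears twice in the tree, which is exactly the common-cause situation where minimal cut sets are needed and gate-by-gate arithmetic goes wrong.

```python
"""Minimal cut sets and top-event probability for a small fault tree.
Added example, not the slides' code.  Tree and probabilities are constructed.

Top event (AND): the safety function fails only if BOTH the alarm/operator
path and the automatic shutdown path fail.  The thermocouple TC feeds both,
so the single basic event {TC} is itself a cut set.
"""
import math
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Union


@dataclass(frozen=True)
class Basic:
    name: str


@dataclass(frozen=True)
class Gate:
    kind: str          # "AND" or "OR"
    name: str
    inputs: tuple      # of Basic | Gate


Node = Union[Basic, Gate]


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All cut sets: OR = union of the children's sets, AND = every combination."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        return set().union(*child_sets)
    if node.kind == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Drop every cut set that contains another one (absorption: A + AB = A)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}


def basic_events(node: Node) -> Set[str]:
    if isinstance(node, Basic):
        return {node.name}
    return set().union(*(basic_events(c) for c in node.inputs))


def exact_top_probability(node: Node, p: Dict[str, float]) -> float:
    """Enumerate every state of the (independent) basic events; the top event
    occurs iff some minimal cut set is fully failed.  Exact even with repeats."""
    names = sorted(basic_events(node))
    mcs = minimal_cut_sets(node)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        failed = {n for n, f in zip(names, state) if f}
        if any(cs <= failed for cs in mcs):
            total += math.prod(p[n] if f else 1.0 - p[n] for n, f in zip(names, state))
    return total


def rare_event_approximation(node: Node, p: Dict[str, float]) -> float:
    """Sum over minimal cut sets of the product of their event probabilities.
    An upper bound; close to exact when every cut-set probability is small."""
    return sum(math.prod(p[n] for n in cs) for cs in minimal_cut_sets(node))


def naive_gate_probability(node: Node, p: Dict[str, float]) -> float:
    """Gate-by-gate arithmetic that treats every gate input as independent.
    Wrong whenever a basic event is shared between branches."""
    if isinstance(node, Basic):
        return p[node.name]
    qs = [naive_gate_probability(c, p) for c in node.inputs]
    if node.kind == "AND":
        return math.prod(qs)
    return 1.0 - math.prod(1.0 - q for q in qs)


# Constructed tree and per-demand failure probabilities.
TC, AL, OP, SV = Basic("TC"), Basic("AL"), Basic("OP"), Basic("SV")
TOP = Gate("AND", "High-temp safety function fails", (
    Gate("OR", "Alarm/operator path fails", (TC, AL, OP)),   # thermocouple, alarm, operator
    Gate("OR", "Automatic shutdown fails", (TC, SV)),        # thermocouple, shutdown valve
))
PROBS = {"TC": 0.01, "AL": 0.01, "OP": 0.25, "SV": 0.02}


if __name__ == "__main__":
    print("minimal cut sets:", sorted(sorted(cs) for cs in minimal_cut_sets(TOP)))
    print(f"exact       P(top) = {exact_top_probability(TOP, PROBS):.6f}")
    print(f"rare-event  P(top) = {rare_event_approximation(TOP, PROBS):.6f}")
    print(f"naive gates P(top) = {naive_gate_probability(TOP, PROBS):.6f}  (double-counts TC)")
```

The minimal cut sets come out as {TC}, {AL, SV} and {OP, SV}: the shared thermocouple is a single-point failure that the AND gate at the top visually hides. The exact top-event probability (0.0151) is close to the rare-event sum over cut sets (0.0152), while multiplying the two OR-gate results as if they were independent gives 0.0079, roughly half the true value, because TC failing on the left branch and TC failing on the right branch are the same event, not two. That is the practical reason the slides insist on reducing the tree to minimal cut sets before putting numbers on it.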



Advantages of FTA

Plus points of FTA:

Deals well with parallel, redundant or alternative fault paths.

Searches for possible causes of an end effect which may not have been foreseen.

The cut sets derived in FTA can give enormous insight into the various ways the top event occurs.

A very useful tool for focused analysis where analysis is required for one or two major outcomes.


Disadvantages of FTA

Minus points of FTA:

Requires a separate fault tree for each top event, which makes it difficult to analyze complex systems.

Fault trees developed by different individuals are usually different in structure, producing different cut set elements and results.

The same event may appear in different parts of the tree, leading to some initial confusion.
