Upload
others
View
14
Download
0
Embed Size (px)
Citation preview
Event tree analysis
Piero Baraldi
Politecnico di MilanoDipartimento di Energia
FailureProbabilty
Assessment
AccidentScenarios
Identification
Evaluation ofthe
consequences
Riskevaluation
RISK = {Si, pi, xi}4321
pi/xi A B C D
International StandardsBest PracticesLessons learnt
Expert judgmentsFlow and transport codes
Finite Element MethodsDC/AC power flows, etc.
ALARP = as low as reasonably practicable
FTAETA
Markov Models
Hazard Analysis
Hazop
FMECA
Monte Carlo Simulation
Classical Techniques for PRA: Event Tree Analysis
Event Tree Analysis (ETA)
Objectives1. Identification of possible scenarios
(accident sequences), developing from a givenaccident initiator (possibly identified by a FMECA)
2. Computation of accident sequence probability
Event Tree Analysis (ETA)
• Systematic and quantitative• Inductive (search for consequences)
ETA: procedure steps1. Define an accident initiator event (I):
• a system/component failure• an external, potentially disruptive event (e.g. an earthquake, hurricane,…)
2. Identify “headings” Sk :• safety/protection functions, systems, procedures demanded by I• phenomena potentially influencing the development of an accident sequence
3. Specify failure/success states of Sk
4. Combine the states of all Sk to generate accident sequences
Example 1: Fire protection system
Example 1: Event Tree
The sequences can be further split by adding the smoke detector, the alarm and the emergency door
ETA typologies
• Functional event tree• First stage: safety functions are identified (cooling, venting, …) • Second stage: safety functions are substituted by the actual
safety systems
• System event treeThe accident sequences in a plant are identified with respect to the protection and safety systems/components involved (valves, pumps, pipes, tanks, etc.)
• Phenomenological event treeDescription of the accident phenomenological evolution outside the plant (winds, sea currents, animals/plants, etc.)
ETA: some general comments (1)
1. One event tree for each accident initiator2. Time and logic of Sk interventions are important for the
tree structure (simplifications possible)3. Sk states are, in general, conditional on accident initiator
and previous Sj’s states
ETA: some general comments (2)
4. Conditional probabilities are assigned to Sk states (upon previous identification, e.g. by FTA)
Sequence probability = product of the conditional probabilities of the events in a branch“Failure” probability = sum of the probabilities of the sequences leading to failures
𝑃𝑃 𝐼𝐼𝑆𝑆1𝑆𝑆2 = 𝑃𝑃 𝑆𝑆2 𝑆𝑆1𝐼𝐼 � 𝑃𝑃 𝑆𝑆1𝐼𝐼= 𝑃𝑃 𝑆𝑆2 𝑆𝑆1𝐼𝐼 � 𝑃𝑃 𝑆𝑆1|𝐼𝐼 � 𝑃𝑃(𝐼𝐼)
Example 2: release of flammable gas
IE S1 S2 S3
S4
Exercise 1: Loss Of Coolant Accident (LOCA)
AA
MM
MM
M
M
A High Pressure Injection SystemSRV
RPV
CST
Low Pressure Injection System
Suppression Pool
Depressurize System
RPV = Reactor Pressure VesselCST = Condensate Storage Tank (which temporarily stores water used in the plant)SRV = Safety Relief Valve
ECS = Emergency Cooling System
• A small pipe crack can induce the loss of coolant (SLOCA) from the reactor pressure vessel (RPV). The frequency of this event is 5.0⋅10-4 y-1
• Under the SLOCA condition, the RPV water level drops due to the crack and decay heat. When it drops under a given low level, the high pressure injection system (HPIS) starts to pump water into the core
• In case that the HPIS works properly, the RPV can be depressurized under control and low pressure injection system (LPIS) will take care of long term heat removal to bring the core to safe status
• If HPIS fails (at a probability of 2.0⋅10-3), the water level goes down to another setting level and trigger-starts LPIS. The operator has to open the safety relief valve (SRV) to relieve the RPV pressure in order to keep LPIS pumping the water into the core
• In case either the operator fails to open SRV (at probability of 5.0⋅10-3) or LPIS fails (at probability of 5.0⋅10-4), the core will be damaged (CD)
Exercise 1: Loss Of Coolant Accident (LOCA)
You are required to:• build the event tree for the initiating event «SLOCA» • Compute the probability of core damage due to a «SLOCA»
Exercise 1: Loss Of Coolant Accident (LOCA)
Exercise 1: SolutionSLOCA HPIS SRV LPIS
OK
CD
OK
CD
CD
5.0E-4
5.0E-3
2.0E-3
5.0E-4
5.0E-4
HPIS = High Pressure Injection SystemLPIS = Low Pressure Injection SystemCD = Core Damage
ETA + FTA
Success stateS1
Failure stateF1
I
S2 =
S2 =
• The FT top events must be conditioned on the sequences identified by the ETA up to the intervention of the system of interest
• It may occur that the event of interest is independent of the previous ones in the sequence
Event Tree AnalysisSLOCA HPIS SRV LPIS
OK
CD
OK
CD
CD
5.0E-4
5.0E-3
2.0E-3
5.0E-4
5.0E-4
HPIS Unavailable
LPIS Unavailable
Fail toDepressurize
Fault Tree Analysis – HP, DP
HPIS Unavailable
Suction Valve Fail to open
HPIS Pump Failure
Injection ValveFail to open
PumpFail to start
PumpFail to run
Fault Tree Analysis – HP, DP
SRV mech. failure
Operator Fail to Depress.
Fail toDepressurize
Fault Tree Analysis – LP
LPIS Unavailable
Suction Valve Fail to open
Injection Valve Fail to open
Pump Section Fail
Train A Failure
Suction Valve Fail to open
LPIS Pump Failure
Injection Valve Fail to open
Pump AFail to start
Pump AFail to run
Train B Failure
Suction Valve Fail to open
LPIS Pump Failure
Injection Valve Fail to open
Pump BFail to start
Pump BFail to run
Exercise 2: kick during well drilling
Hazard:Kick
managedpressure drillingsystem
BlowoutPreventer
stack Casing
Exercise 2: System description
To avoid the blowout accident, well safety barriers are designed and put in place to avoid that a kick, that is an unwanted flow of hydrocarbons inside the well, could result into a blowout, that is the spill out of fluids (either oil rig or underground formation mud, or both) from the well to the environment. Three safety barriers are considered for the purpose of limiting the consequences of kick onset (Grayson et al., 2012): (i) a full Managed Pressure Drilling (MPD) influx management system, (ii) a Blowout Preventers stack (BOP) and (iii) casing. A) Following a kick initiating event, if a Constant Bottom Hole Pressure (CBHP) technique is in place (resorting to a full MPD influx management system to continuously control the Bottom Hole Pressure (BHP), maintaining it lower than the formation pressure, reducing the occurrence of gas influxes inside the well) a rapid kick detection, control and circulation out of the well can be made possible, and blowout avoided without demanding the BOP. However, the CBHP system can only be used under specified conditions of influx volume V (i.e., volume threshold Vth equal to 10 bbl) and maximum surface pressure SP (i.e., maximum surface pressure threshold SPth equal to 800 psi) : when the influx exceeds the CBHP operational limits, only the BOP and casing can withstand the developing scenario. B) A BOP is a stack of valves installed at the top of the well that can be closed if the pressure control inside the wellbore is lost. By closing these valves, the safety procedures are initiated for restoring the pressure inside the well at nominal values and controlling the formation. The BOP is composed by three ram preventers and an annular preventer, that are used to shut in the well. C) Casing is a pipe that is assembled and inserted into a drilled section of borehole and is typically held in place with cement. It must withstand the load acting on it when the kick has entered in the well and the BOP has shut-in the well, to avoid an underground blowout and the loss of the wellbore integrity with severe consequences.
Exercise 2
You are required to:• build the event tree for the initiating
event kick
Exercise 2: Solution
Kick