Fault Tree

L09b Fault Tree Quantification
Quantitative Risk Analysis L09b

Fall 2013
Fault Tree Quantification
1
Example
Water Pumping System
2
Example
Water Pumping System
Assume a water system with a single source of water,
T1, and 2 pumps in parallel, only 1 of which is needed
for pumping capacity.
Values V1 V5 are normally open
The sensing and control system automatically start the
pumps when water is needed to meet the design intent.
AC power for the pumps and the sensing and control
system is from a single source.
3
not developed
to base events
Initial Fault Tree for the Water
Pumping System
S = sensing and control system
4
Identify minimum cut sets:
routes to the top event
1-unit CS:
2-unit CS:
Simplified
from initial FT:
note AC, S
Reduced Fault Tree for the Water
Supply System
5
Component Behavior
recall
bathtub curve
For a component with a failure rate (ROCOF, ) of 0.05 per year,
find the reliability at t = 10 years and the probability of failure at t
= 10 years.
7
Failure of Tested Protective Systems
example
Water is drawn from a tank, which has a level control
system to supply water from an external source. A high-
level shut-off system activates if the level is detected
higher than full.
Also, there is a high-level alarm.
If the level control system and alarm each randomly fail
once in 10 years or 10
-1
/yr,
how often will the tank overflow?
8
Failure of Tested Protective Systems
probability
The frequency of failure of the protective system can be converted
to a probability of being in a failed state when called upon to
protect.
How often is the system tested?
How does frequency of testing affect the failure probability?
If the system is tested every T years, the probability of the system
failing within any test period is ? (Assume constant)
Probability of failure at time T
where is the failure frequency of the protective system, which is
illustrated in the following figure.
9

F(T) =1 R(T) =1 e
l T
Component Behavior
tested vs untested
As the time between tests increases, indicated by the broken line, the probability
of protective system failure approaches 1.
10
F(T) =1 e
l T
,l ~ constant
Cumulative failure probability of an
untested system

F(T*)
test
= 0
Pr of failure following test

F(T) ~ l T
Cumulative failure probability of a
frequently tested system
Component Behavior
tested vs untested
Expand probability of failure,
If T << 1 (ROCOF is low or T is short), the higher
order terms are negligible.
With this condition, cumulative probability of failure T
increases ~ linearly with T as
11

F(T) =1 e
l T

F(T) ~ l T
Component Behavior
after test
The condition of sufficiently frequent testing is shown in
the previous figure. Each time that the system is tested,
for T = T*, it is:
Operable, (certain event) or
Repaired or replaced and restored to operational condition,
Therefore the probability of being in a failed state is 0
or becomes 0 following repair or replacement
(certain event).
12

F(T*)
test
= 0

F(T*)
test
= 0
Component Behavior
probability of failure on demand
When a component is tested, either it works or it does not work
satisfactorily (binary case).
The rate of occurrence of failure (ROCOF) = in time time
intervals of the useful life region (of bathtub curve) is
approximated to be constant.
Assuming POI with P(failure) about the same at any time between
adjacent tests, the average time for an item to be in a failed state,
dead time, is ~ 1/2 the time between tests, T.
Fraction of time the item is in a failed state converts to
probability of failure on demand (PFD)
= average dead time multiplied by :
alternatively called FDT: Fractional Dead Time
13

PFD = (1/ 2)l T
Component Behavior
probability of failure on demand
14
T
Equal testing intervals = T
Probability of Failure on Demand
The PFD is the probability that the protective component is
in a failed state (latent failure) at the time of the system
demand, when it is called upon to perform and protect.
Demand rate, D, is the frequency of system requirement for a
protective response to avoid mishap. An example is the water
level control system (high level detection, water shut off,
high level alarm) assuming independent operation.
Failure frequency = D
detect
(PFD
alarm
)(PFD
shutoff
)
= D
detect
P(alarm|detect)P(shutoff|detect)
15
Example 9.2
A tank has water drawn from it intermittently, and at
varying rates. It is fitted with a level control system
which supplies water from an external supply until the
tank is full again.
There is also a high-level trip system, which actuates if
the level rises higher than the full level, and shuts
down the external water supply to prevent overflow.
Assume that the high level alarm is tested every 3 months.
It is found, on consulting records, that it has failed around once
every 10 years.
Estimate the Hazard Rate.
16
Example 9.2
The frequency of failure of the high level alarm is 0.1
per year. since it is tested every 3 months, that is, every
0.25 years.
PFD or FDT=0.5 T =0.50.10.25 =0.0125 per year
The demand rate, that is, the frequency of failure of level
control, is 0.1 per year.
HR= Demand rate (D)FDT
=0.10.0125 =0.00125 per year
This is equivalent to a 1 in 800 chance per year, or
once per 800 years
17
Untested Protective System
It is bad practice to install a protective system and not to
test it.
An approximate formula for calculating the hazard rate
for a system comprising a demand and an untested
protective system is:
18
D
Hazard Rate
D
Example 9.3
If a level controller fails with a frequency of 0.1 per year
and the (untested) high-level alarm is of a type that
typically fails with a frequency of 0.1 per year
what is the hazard rate
19
Example 9.3, solution
HR=(0.1 0.1)/(0.1 +0.1)
=0.01/0.2=0.05 per year
Thus the overflow frequency of once per 10 years is
reduced by a factor of only 2 by using an untested high-
level alarm
compared with a factor of 80 if the alarm is tested
quarterly (see example 9.1)
20
Example 9.4
An electrical switch room is located where it is just conceivable
that a leak of flammable gas could enter it through its ventilation
system.
A flammable gas detector is installed in the air intake, to shut
down the ventilation system in the event of flammable gas being
detected.
It is estimated that:
the frequency of gas leaks reaching the ventilation air intake is 0.001 per
year;
the frequency of failure of the gas detector is 0.2 per year.
It is to be decided whether, in view of the low likelihood of the gas
leak reaching the switch room,
it is really necessary to test the gas detector at the normal frequency of once
per 3 months, or
whether it would be reasonable to leave it off the testing schedule
altogether.
21
Example 9.4
Solve or H/W
22
23
FE, flow transducer
FC, flow controller
FS, flow switch
FAL, low flow alarm
SV, solenoid valve
FCV, flow control
TE, T transducer
TC, T controller
TSH, high T switch
GIV, gas isolation valve
MBV, manual bypass valve
TCV, T control valve
Example 9.5
Heater Coil FT Quantification
A
D E F G H
Manual
Auto
Auto
B C
State the logic of the
reduced FT using the
same assumptions as
for the initial FT:
Example 9.5
24
T = A{B+C+(D+E)(F+G+H)}
protective response
Example 9.5
Failure rate data for the Hot Oil Heating System are listed
Protective components are tested 4 times/yr, so T = ?.
Pump failure is considered the demand, D, and will be used here
as a frequency.
Other system components are part of the protective response
system and will be used as probabilities.
25
Failure Data
FE: 0.5 x 0.02 x 0.25 = 0.0025
FS: 0.5 x 0.1 x 0.25 = 0.0125
SV: 0.5 x 0.1 x 0.25 = 0.0125
TCV: 0.5 x 0.05 x 0.25 = 0.00626
FAL: 0.5 x 0.05 x 0.25 = 0.00625
PFD
(FDT)

{
(fractional down time)
26
Rules for Quantifying
Frequency on FT
Where there are two independent events, the probability
that both will occur is:
P(A B)=P(A)P(B)
The probability that one or the other will occur
(i.e., A or B) is:
P(A+B) =P(A)+P(B)P(A)P(B)
As P(A) and P(B) are usually small, the third term above is
usually negligible compared with the sum of the first two terms
27
Rules for Quantifying
Frequency on FT
Frequencies are added at an OR gate
(getting a frequency result).
Probabilities are added at an OR gate
(getting a probability result).
Frequencies and probabilities cannot be added
(mixed units: meaningless).
Frequencies cannot be multiplied
(frequency squared units: meaningless).
One frequency can be multiplied with probabilities at an
AND gate (frequency result).
28
Calculate
Pr(events)
29
(Tweeddale, 2003)
PFD of protective system
PFD of manual
PFD of auto
Top event frequency: = 0.0256/yr
FE, FS are required by both the automatic and the
manual protective response systems.
Based on the reduced fault tree, we expect FE, FS to
contribute significantly to overall risk of heater coil burn
out.
30
Heater Coil Common Cause Failure
In this analysis, random failures were approximated to
occur independently.
Dependent or common-cause failures are due to factors
that are common to two or more components, e.g.,
quality of maintenance.
Due to dependencies and common-cause failures, the
combined failure probabilities leading to system failure
can be much greater than calculated assuming
independence of components.
31
Heater Coil System Reliability, 1
First: reduce inherent hazards, and then reduce the
inherent failure probability by increased reliability
components
Reduce demand frequency, D: improve containment and
control (including human factors).
Lower PFD of protective systems. How?
Analyze measures to mitigate consequences to personnel
and to the system.
32
Heater Coil System Reliability, 2
Lower PFD = (1/2) T
Reduce : more reliable components; design changes
Increase testing frequency (cost/risk balance)
Install redundant systems
e.g redundant system
For PFD = 0.01
PFD red = 0.01 x 0.01 = 0.0001
PFD significantly lowered if independent
33
Actual PFD reduction is less,
e.g., components are not fully independent in varying degrees, but can be significantly
dependent, or subject to common-cause failures.
Achievable PFD Level
Relative Categories
34
PFD Categories Description
0.1 0.01 Human error for a wide range of tasks
0.01 Simple system with regular testing & maintenance
0.001 Practical limit unless designed, tested, &
maintained by High Integrity Protective System
specialists
0.0001 Limited to plants, e.g., nuclear, with highest
standards of design, testing, operation,
maintenance, supervision, management, and
with a healthy safety culture.
C
o
s
t

i
n
c
r
e
a
s
e
s
How to Achieve High Reliability
Reduce common-cause failures
Use different types or designs for the 2 protective systems
Difficult to identify all common-cause forms
Higher level of diversity in the design
Plan frequent tests and maintenance
Costs of high reliability systems can be large, which
emphasizes the high priority on designs to minimize
inherent hazards.
35
Heater Coil System
Reliability improvement
Separate overall system into a control system (automatic)
and a protective system (manual).
At present, if control system fails because of FE failure, the
alarm and low-flow protection system (FE, FS, SV) cannot
operate.
Solutions?
Design protective systems to operate more independently
from the control systems.
36
If the low-flow alarm and relay systems are actuated by a low-flow switch
independent of FE, FS, system reliability will be greatly improved.
Cut Set or Path Set:
a Scenario Leading to Top Event
A cut set (path set) is a combination of component
failures (non failures) that will lead to failure (success)
of the system.
Cut set Method:
From control and protection systems, identify the
minimum component and operator failures that will
result in overheating of heater coils.
37
Cut Set Method, Frequency
For each cut set, calculate the
Cut Set Frequency from failure rate information
(PUmp frequency and PFD values for other components)
Only one cut set element can be a frequency, and all
other elements must be probabilities.
38
Heater Coil Cut Set Method
Path-sets?
Cut-sets?
39
combinations of two components are:
PU FE
PU FS
The combinations with three components are:
PU, SV, FAL
PU, SV, OP
PU, SV, GIV
PU, TCV, FAL
PU, TCV, OP
PU, TCV, GIV
Heater Coil Cut Set Method
40
Note: frequencies in italics Top event frequency
PFD
Heater Coil: Main Contributors
41
Cut sets Freq/yr IM %
PU, FS 0.0188 73
PU, FE 0.0038 15
PU, SV, OP 0.0019 7
PU, SV, FAL 0.00012 4
PU, TCV, OP 0.00094 0.5
PU, TCV, FAL 0.00006 0.4
PU, TCV, GIV 0.00005 0.23
PU, SV, GIV 0.00009 0.18
Top event freq = 0.0256/yr

}
88% of total

}
11% of total
M
a
g
n
i
t
u
d
e

}
~1.3% of total
IM
i
=
P(C
i
)
P(TE)
, P(C) = P(c
i
i C
), c
i
is component in cut set C
Cut sets C
i
are categorized by their importance IM:
Heater Coil: Main Contributors
2-element
Cut-set Frequencies
FT quantification
Quantify frequency of top event
Only one component of each cut set can be a frequency.
Cut sets show main contributors to system unreliability
PU, FS and PU, FE cut sets contribute ~ 88% of unreliability
Increase reliability through more independent control
and protection systems.
43
System Reliability
Improve reliability:
evaluate cost effectiveness of higher reliability units and
redundancy.
Test and maintain within low PFD levels where t <1.
Also, design for independence of automatic and manual
protective systems:
reduce or eliminate low-number cut sets, especially 1-
component.
provide more independence between the control system
and the protection system.
44
Failure Rate Data Sources
AIChE (1989), Guidelines for Process Equipment Reliability Data, Center for
Chemical Process Safety CCPS)
IEEE Std 500 (1984), IEEE Guide to the Collection and Presentation of
Electrical, Electronic, Sensing Component and Mechanical Equipment
Reliability Data for Nuclear Power Generating Stations.
MIL-HDBK-217F (2002), Military HandbookReliability Prediction of
Electronic Equipment.
NPRD-2 (1981), Non-electronic Parts Reliability Data, Reliability Analysis
Center at the Rome Air Development Center.
OREDA (1998), Offshore Reliability Data Handbook, SINTEF: Trodheim,
Norway
Lees, F.P., (2005), Loss Prevention in the Process Industries, 3rd Ed., Sam
Mannan, Butterworth, Oxford, UK
45

Fault Tree

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fault Tree

Uploaded by

Copyright:

Available Formats

L09b Fault Tree Quantification

Quantitative Risk Analysis L09b

You might also like