You are on page 1of 9

available recently.

The table covers the three steps specific to FTA (Steps 3-5 Figure
3.3). Roberts et al. (1981) and Bari et al. (1985) provide a more extensive list of FTA
computer codes suitable for mainframe application.
Computer codes are available that will draw trees, given the input logic. Fault trees
can also be drawn using readily available personal computer graphics packages.
3.2.2. Event Tree Analysis
3.2.2.1. BACKGROUND
Purpose. An event tree is a graphical logic model that identifies and quantifies possible
outcomes following an initiating event. The event tree provides systematic coverage of
the time sequence of event propagation, either through a series of protective system
actions, normal plant functions, and operator interventions (a preincident application),
or where loss of containment has occurred, through the range of consequences possible
(a postincident application). Consequences can be direct (e.g., fires, explosions) or
indirect (e.g., domino incidents on adjacent plants.)
Technology. Event tree structure is the same as that used in decision tree analysis
(Brown et al., 1974). Each event following the initiating event is conditional on the
occurrence of its precursor event. Outcomes of each precursor event are most often
binary (SUCCESS or FAILURE, YES or NO), but can also include multiple outcomes (e.g., 100%, 20%, or 0% closure of a control valve).
Applications. Event trees have found widespread applications in risk analyses for both
the nuclear and chemical industries. Two distinct applications can be identified. The
preincident application examines the systems in place that would prevent incident-precursors from developing into incidents. The event tree analysis of such a
system is often sufficient for the purposes of estimating the safety of the system. The
postincident application is used to identify incident outcomes. The event tree analysis
can be sufficient for this application. Studies such as the Reactor Safety Study (Rasmussen, 1975), have used preincident event trees to demonstrate the effectiveness of successive levels of protective systems. Some CPI risk assessments (Health and Safety
Executive, 1981; World Bank, 1985) use postincident event trees. Protective systems
are also investigated this way. Arendt (1986a) demonstrates the use of event trees to
investigate hazards from a heater start-up sequence. Human reliability analysis uses
event tree techniques (see Section 3.3.2).
3.2.2.2. DESCRIPTION
Description of Technique. Preincident event trees can be used to evaluate the effectiveness of a multielement protective system. A postincident event tree can be used to
identify and evaluate quantitatively the various incident outcomes (e.g., flash fire,
UVCE, BLEVE dispersal) that might arise from a single release of hazardous material
(Figure 2.1). Figure 3.8 (from EFCE, 1985) demonstrates these two uses in a chemical
plant context. A preincident example is loss of coolant in an exothermic reactor subject
to runaway. A postincident example is release of a flammable material at a point (X)
and incident outcomes at a downwind location (T). In fact, the two uses are comple-

Note the difference in meaning of the term initiating event between the applications of fault tree and event tree analysis. By computing the frequency of the top event of a fault tree. the corresponding branching or initiating event frequency can also be estimated. the top event of a fault tree may be the initiating event of an event tree. Examples of preincident and postincident event trees.PRE-ACClDENT EVENTTREE COOLANTFLOW ALARM WORKING B REACTORTEMP. A . Good descriptions of preincident event trees are given in HEP Guidelines (AIChE/CCPS. Fault trees are often used to model the branching from a node of an event tree. 1983). ALARM WORKING C REACTORDUMP VALVE WORKING D SEQUENCE DESCRIPTION 1 SAFE SHUTDOWN 2 RUNAWAY REACTION 3 SAFE SHUTDOWN REACTOR COOLANT FAILURE A 4 RUNAWAY REACTION 5 SAFE SHUTDOWN 6 RUNAWAY REACTION 7 RUNAWAY REACTION 8 RUNAWAY REACTION POST-ACCIDENT EVENT TREE IGNITION ATX B WIND TOY C IGNITION ATY D EXPLOSION ONIGNITION E SEQUENCE DESCRIPTION 1 EXPLOSION AT X 2 FIRE AT X FLAMMABLE RELEASE ATX A 3 EXPLOSION AT Y 4 FIRE AT Y 5 DISPERSES 6 DISPERSES FIGURE 3. mentary: the postincident event tree can be appended to those branches of the preincident event tree that result in FAILURE of the safety system. From EFCE (1985).8. 1985) and the PRA Procedures Guide (NUREG. Also.

and like fault tree analysis. but an event tree will have only one initiating event that leads to many possible outcomes.9).9. The construction of an event tree is sequential. Logic diagram for event tree analysis. and the temporal sequences of occurrence of all relevant safety functions or events are entered. STEP1 Identify the initiating event STEP 2 Identify safety function/hazard and determine outcomes STEP 3 Construct event tree to all important outcomes STEP 4 Classify the outcomes in categories of similar consequence STEPS Estimate probability of each branch in the event tree STEP 6 Quantify the outcomes STEP 7 Test the outcomes FIGURE 3. . The construction begins with the initiating event.fault tree may have many initiating events that lead to the single top event. is top-down (left-right in the usual event tree convention). Each branch of the event tree represents a separate outcome (event sequence). The sequence is shown in the logic diagram (Figure 3.

an internal explosion. Identify the Initiating Event. Hazard promoting factors are more varied and include • ignitions or no ignition of release • explosion or flash fire • liquid spill contained in dike or not • daytime or nighttime • meteorological conditions. such as multiple ignition sources. may appear more than once in the event tree depending on what is happening in time. The listing of the safe recovery and incident conditions is an important output of this analysis. It is most often used in postincident analysis. This failure event will have been identified by one of the methods discussed in Chapter 1 and in more detail in HEP Guidelines (AIChE/CCPS. The event tree graphically displays the chronological progression of an incident. that can interrupt the sequence from an initiating event to a hazardous outcome. These headings must be in chronological order of impact on the system. etc.g. is a failure event corresponding to a release of hazardous material. toxic releases or internal explosions). For a postincident analysis. Thus. The frequency of this incident is estimated from the historical record (Section 3. from a dispersing cloud to a flash fire or to a VCE). two or more alternatives are analyzed (Step 2) until a final outcome is obtained for each node. or barrier. most of which can be characterized as having outcomes of either success or failure on demand.g. Some branches may be more fully developed than others. At each heading or node. 1985). It will be simplest for incidents that have few possible outcomes (e. The analyst must be careful to list all those headings that could materially affect the outcome of the initiating event. Some examples are • automatic safety systems • alarms to alert operators • barriers or containment to limit the effect of an accident. Releases that are both flammable and toxic may have many possible outcomes. Most of the above branches are binary choices. A safety function is a device. a vessel rupture. A hazard promoting factor may change the final outcome (e. The initiating event might correspond to a pipe leak.1) or by FTA (Section 3f2. In a preincident analysis. atmospheric stabilities. Identify Safety Function/Hazard Promoting Factor and Determine Outcomes. action. in many CPQRAs. and wind directions. headings. the final results might .. The initiating event.Step 1. Only nodes that materially affect the outcome should be shown explicitly in the event tree. Step 2. A heading is used to label a safety function or hazard promoting factor.1). Safety functions can be of many types. Starting with the initiating event. The event tree is used to trace the initiating event through its various hazardous consequences. Construct the Event Tree. the final sequence might correspond to successful termination of some initiating event or a specific failure mode. the event tree is constructed (conventionally) left to right. Step 3.. Meteorological conditions may be represented by ranges of wind speeds.

Where outcomes are of significance. many analysts label each heading with a letter identifier.6).5). Quantify the Outcomes.2). over the appropriate branch of the event tree. Many outcomes developed through different branches of the event tree will be similar (e.0 for each heading. the probabilities associated with each branch must sum to 1. chemical data (Section 5.. due to poor data) or incorrect (e. Branches leading to lesser consequences can be left undeveloped. Test the Outcomes. flash fire. Step 6. As with fault trees.1).g. only outcomes relevant to that outcome (offsite fatalities) need be developed. it is often adequate to stop at the incident itself (e.2). The source of conditional probability data may be the historical record (Section 5. This is true for either binary or multiple outcomes from a node. especially for complex safety systems encountered in preincident analyses. Starting with the initiating event. As a check. safe dispersal). explosion. poor event tree analysis can lead to results that are inaccurate (e. environmental data (Section 5.. important branches have been omitted). The final event tree outcomes can be classified according to type of consequence model that must be employed to complete the analysis.4). It is usual to have SUCCESS or YES branch upward and FAILURE or NO branch downward. wind direction or atmospheric stability) on possible consequences (Figure 1.4) will consider individual influencing factors (e. The objective in constructing the event tree is to identify important possible outcomes that have a bearing on the CPQRA. the sum of all the outcome frequencies must sum to the initiating event frequency. or partial success or failure. . Thus. Classify the Outcomes.g. The subsequent risk analysis calculation (Section 4.g. an explosion may arise from more than one sequence of events). Step 4. An important step in the analysis is to test the results with common sense and against the historical record..6). large drifting toxic vapor cloud). It may be necessary to use fault tree techniques to determine some probabilities. The event headings should be indicated at the top of the page. Every final event sequence can then be specified with a unique letter combination (Figure 3..g.3). equipment reliability data (Section 5. Step 5. if an estimate of the risk of offsite fatalities is the goal of the analysis. Step 7. This is best done by an independent reviewer.g.correspond to the type of incident outcome (e..g.7). A bar over the letter indicates that the designated event did not occur. and use of expert opinion (Section 5. Estimate the Probability of Each Branch in the Event Tree. BLEVE. human reliability data (Section 5. The above calculation assumes no dependency among event. Each heading in the event tree (other than the initiating event) corresponds to a conditional probability of some outcome if the preceding event has occurred. UVCE. Either of these conditions complicates the numerical treatment beyond the scope of this book. Thus. plant and process data (Section 5.. The frequency of each outcome may be determined by multiplying the initiating event frequency with the conditional probabilities along each path leading to that outcome.

The frequency of an outcome is defined as the product of the initiating event frequency and all succeeding conditional event probabilities leading to that outcome.2. However. In practice. The qualitative output shows the number of outcomes that result in success versus failure of the protective system in a preincident application. The data relevant to the event tree are given in Table 3. Simplified Approaches. The qualitative output from a postincident analysis is the number of more hazardous outcomes versus less hazardous ones. Using Table 3.2.3)].2. or experience. or in the sequence of physical events that lead to hazardous consequences (e. Their theoretical foundation is based on logic theory. or VCE frequencies) are employed directly in CPQEA risk calculations.5. Analysts require a complete understanding of the system under consideration and of the mechanisms that lead to all the hazardous outcomes. This event may be identified using other CPQRA techniques such as HAZOP. an event tree is developed to predict possible outcomes from the leakage of LPG.. and fragments (Section 2. The starting point in event tree analysis is the specification of the initiating event. As discussed earlier. experience. The quantitative output is the frequency of each event outcome.5. these may be based on reliability data. or produce a flash fire. control actions. This may be in the form of a time sequence of instructions. or from fault tree modeling. the spreading characteristics of a dense vapor cloud). If the leak does not immediately ignite. The output of event tree modeling can be either qualitative or quantitative. the historical record. An engineering analysis of the problem indicates that the potential consequences include BLEVE of the tank if the leak is ignited (either immediately or by flashback). Event trees are pictorial representations of logic models or truth tables. SAMPLE PROBLEM The sample problem is a postincident analysis of a large leakage of pressurized flammable material from an isolated LPG storage tank.g. The level to use for a particular task can be selected based on the importance of the event or the amount of information available. For example. The quantitative evaluation of the event tree requires conditional probabilities at every node.Theoretical Foundation. it can drift toward a populated area with several ignition sources and explode (VCE). some events are terminated at entry points to specific consequence models. Other downwind areas have a lower probability of ignition. It highlights failure routes for which no protective system can intervene (single-point failures). Output. This event tree is not exhaustive. The event tree technique is a relatively simple approach. 3. Further discussions are given in Henley and Kumamoto (1981) and Lees (1980). Input Requirements and Availability. these outcomes would be investigated separately in the BLEVE consequence model calculation. three outcomes are possible from BLEVEs [thermal impact.3. it can be used in various levels of detail. the historical record. flash fire. . These outputs (which might specify BLEVE. physical overpressure. Not every outcome is developed to completion.

6. These problems arise if the same basic event appears in the fault trees that are used to establish the probabilities of branching at the various event tree nodes. Every node of an event tree doubles the number of outcomes (binary logic) and increases the complexity of classification and combination of frequency. The total frequency of all outcomes is a check to ensure that this equals the initiating event frequency of 1 X 10""4 per year (i. 3. The event tree assumes all events to be independent. Jet flame strikes the LPG tank * These data are for illustrative purposes only. Delayed ignition near populated area 0. From a practical standpoint this limits the number of headings that can be reasonably handled to 7 or 8..e.15 Wind rose data D. From this. Postincident event trees highlight the range of outcomes that are possible from a given incident. Omission of outcomes can lead to serious .5. An important strength of the event tree is that it portrays the event outcomes in a systematic. especially indicating outcomes that lead directly to failures with no intervening protective measures. Preincident event trees highlight the value and potential weaknesses of protective systems.0 X 10"6 per year). logical. Wind blowing toward populated area 0.10. with any outcome conditional only on the preceding outcome branch.1 Expert opinion C. 100. including domino incidents. If multiple fault trees are used to establish the frequencies of various nodes or decision points. common cause failures or mutually exclusive events can arise that invalidate event tree logic.2. Sample Event Tree Input Data Frequency or probability* (x KFVyr. Immediate ignition at tank 0. Large leakage of pressurized LPG Source of data" -O Fault tree analysis B. The event tree for the LPG leak initiating event is given in Figure 3. VCE rather than flash fire F.5 Historical data 0.9 Expert opinion 0.2 Tank layout geometry E.2.TABLE 3. These outcomes and their predicted frequencies are given in Table 3. Identification and Treatment of Possible Errors. an electrical power failure basic event may appear in several fault trees that support an event tree. Failure by the risk analyst to recognize and deal with the commonality of the electrical power failure basic event will result in serious errors.4.) Event l A. a total of six outcomes are predicted. self-documenting form that is easily audited by others. The logical and arithmetic computations are simple and the format is usually compact. thereby ensuring that important potential consequences are not overlooked. DISCUSSION Strengths and Weaknesses. For example.

1 x lO^/year Flashfireand BLEVE ABCDEF 1.6x10"*/year TOTAL 1 x 1(T4 /year .10. Frequency BLEVE ABF axlO^/year Local Thermal hazard ABF SxlO^/year VCE ABODE 6.9 x lO^/year Flash fire ABCDEF 27.5x10^/year Safe dispersal ABCD 7.9 x lO^/year Safe dispersal ABCD LAxlO^/year VCE ABCDE 39.1) FIGURE 3.Large LPG Leakage A Immediate ignition B Wind to Populated area C Delayed ignition O UVCE or Rash Fire E Ignited jet points at LPG tank F Outcome No (0. Event tree outcomes for sample problem.2x10~*/year Flash fire ABCDEF 4.5x10-6/year Flash fire and BLEVE ABCDEF 6.

g. some factors that influence the quality of the analysis were deferred.3) we discuss common-cause failure analysis (3.6 x ID"6 = 9. Except for unusually complicated problems.0 x 1(T6 = 8. Independent review of final event trees is the best method to identify such faults (Step 7. 5150 El Camino Real. and are especially helpful in the analysis of sequential systems or in human error problems. Lowe and Garrick. Because protective system designs tend to be very complex (Section 6. Figure 3. Science Applications International Corp. 3. Los Altos.5 x 10^= 40. Errors can arise in the conditional probability data leading to major errors in the predicted final outcome frequencies. Resources Needed.5 x ICT6 8. Event trees are a straightforward technique to use. In this section (3.1 x 1(T6 + 34.2). domino effect on nearby equipment). the calculations are easy.0 x ICT6 1.O. Provided the assumptions of no dependency and total success and failure are met. human reliability analysis (3.5 x HT 6 = 32.9 x 1(T* + 27. Sample Event Tree Outcomes and Frequencies Outcome Sequences leading to outcome Frequency (per year) 2.4 x 10"6 Flash fire and BLEVE ABCDEF +ABCDEF 1..1).2 x IQ-6 + 6. by using frequency and probability data.9 x HT 6 = 8. Pickard. Box 355. CA 94022 RISKMAN. Newport Beach.3. Utility. event trees tend not to require significant resources. and external Next page .3.0 x IQ-6 BLEVE ABF Flash Fire ABCDEF + ABCDEF 4. ETA II.0 x IQ-* = 2. They are a graphical form of a logic table and are easier to understand by nonspecialists than fault trees.4 x IQ-* + 7. For ease of presentation in that section. postincident analyses tend to be easier to apply than preincident analyses.6. The analyst should document sources of data employed to allow for subsequent checking.9)..TABLE 3.2) discusses the analysis of fault trees and event trees. They are useful for both preincident and postincident analyses. CA SUPER. Westinghouse Risk Management.1 x 10^ UVCE ABCDE + ABCDE Local thermal hazard ABF Safe dispersal ABCD +ABCD 6. Complementary Plant-Modeling Techniques The previous section (3. Computer Codes Available.3. Pittsburgh. PA 15230.0 x 1(T6 Total all outcomes = 100 x IQ-6 error (e. P.2).