Add to collection(s) Add to saved
  1. Science
  2. Biology
  3. Biochemistry
  4. Genetics

Chapter 3 System Analysis Event Tree Analysis

advertisement 
Chapter 3
System Analysis
Event Tree Analysis
Marvin Rausand
Department of Production and Quality Engineering
Norwegian University of Science and Technology
marvin.rausand@ntnu.no
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 1 / 28
Introduction
Consequence
spectrum
Barriers
What is ...?
Example
Applications
Construction
Example:
Separator
Introduction
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 2 / 28
Consequence spectrum
Introduction
Consequence
spectrum
Barriers
What is ...?
Example
Applications
Construction
Example:
Separator
An accidental event is defined as the first significant deviation
from a normal situation that may lead to unwanted consequences
(e.g., gas leak, falling object, start of fire)
An accidental event may lead to many different consequences.
The potential consequences may be illustrated by a consequence
spectrum
Quantitative
analysis
Conclusions
C1
Accidental
event
C2
C3
Ck
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 3 / 28
Barriers
Introduction
Consequence
spectrum
Barriers
What is ...?
Example
Applications
Construction
Example:
Separator
Most well designed systems have one or more barriers that are
implemented to stop or reduce the consequences of potential
accidental events. The probability that an accidental event will
lead to unwanted consequences will therefore depend on whether
these barriers are functioning or not.
The consequences may also depend on additional events and
factors. Examples include:
Quantitative
analysis
Conclusions
Whether a gas release is ignited or not
❑ Whether or not there are people present when the accidental
event occurs
❑ The wind direction when the accidental event occurs
❑
Barriers are also called safety functions or protection layers, and
may be technical and/or administrative (organizational). We will,
however, use the term barrier in the rest of this presentation.
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 4 / 28
What is event tree analysis?
Introduction
Consequence
spectrum
Barriers
What is ...?
Example
Applications
Construction
Example:
Separator
Quantitative
analysis
Conclusions
An event tree analysis (ETA) is an inductive procedure that
shows all possible outcomes resulting from an accidental
(initiating) event, taking into account whether installed safety
barriers are functioning or not, and additional events and factors.
By studying all relevant accidental events (that have been
identified by a preliminary hazard analysis, a HAZOP, or some
other technique), the ETA can be used to identify all potential
accident scenarios and sequences in a complex system.
Design and procedural weaknesses can be identified, and
probabilities of the various outcomes from an accidental event
can be determined.
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 5 / 28
Example
Introduction
Consequence
spectrum
Barriers
What is ...?
Example
Applications
Initiating
event
Start of fire
Sprinkler
Fire alarm is
system does
not activated
not function
True
Construction
True
0.001
Example:
Separator
0.01
False
Quantitative
analysis
True
0.999
Conclusions
0.80
True
Explosion
10 -2 per year
False
0.001
0.99
False
0.999
False
0.20
Outcomes
Frequency
(per year)
Uncontrolled
fire with no
alarm
8.0 .10-8
Uncontrolled
fire with alarm
7.9 .10-6
Controlled fire
with no alarm
8.0 .10-5
Controlled fire
with alarm
7.9 .10-3
No fire
2.0 .10-3
– Adapted from IEC 60300-3-9
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 6 / 28
Applications
Introduction
Consequence
spectrum
Barriers
What is ...?
Example
Applications
Risk analysis of technological systems
❑ Identification of improvements in protection systems and
other safety functions
❑
Construction
Example:
Separator
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 7 / 28
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Event tree construction
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 8 / 28
Main Steps
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Quantitative
analysis
Conclusions
1. Identify (and define) a relevant accidental (initial) event that
may give rise to unwanted consequences
2. Identify the barriers that are designed to deal with the
accidental event
3. Construct the event tree
4. Describe the (potential) resulting accident sequences
5. Determine the frequency of the accidental event and the
(conditional) probabilities of the branches in the event tree
6. Calculate the probabilities/frequencies for the identified
consequences (outcomes)
7. Compile and present the results from the analysis
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 9 / 28
Accidental event
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Quantitative
analysis
Conclusions
When defining an accident event, we should answer the following
questions:
What type of event is it? (e.g., leak, fire)
❑ Where does the event take place? (e.g., in the control room)
❑ When does the event occur? (e.g., during normal operation,
during maintenance)
❑
In practical applications there are sometimes discussions about
what should be considered an accidental event (e.g., should we
start with a gas leak, the resulting fire or an explosion).
Whenever feasible, we should always start with the first
significant deviation that may lead to unwanted consequences.
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 10 / 28
Accidental event
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Quantitative
analysis
Conclusions
An accidental event may be caused by:
System or equipment failure
❑ Human error
❑ Process upset
❑
The accidental event is normally “anticipated”. The system
designers have put in barriers that are designed to respond to the
event by terminating the accident sequence or by mitigating the
consequences of the accident.
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 11 / 28
Accidental event
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
For each accidental event we should identify:
The potential accident progression(s)
❑ System dependencies
❑ Conditional system responses
❑
Example:
Separator
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 12 / 28
Barriers
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Quantitative
analysis
Conclusions
The barriers that are relevant for a specific accidental event
should be listed in the sequence they will be activated.
Examples include:
❑
❑
❑
❑
❑
Automatic detection systems (e.g., fire detection)
Automatic safety systems (e.g., fire extinguishing)
Alarms warning personnel/operators
Procedures and operator actions
Mitigating barriers
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 13 / 28
Additional events/factors
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Additional events and/or factors should be listed together with
the barriers, as far as possible in the sequence when they may
take place.
Some examples of additional events/factors were given on a
previous slide.
Example:
Separator
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 14 / 28
Event sequence
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Quantitative
analysis
Conclusions
Each barrier should be described by a (negative) statement, e.g.,
“Barrier X does not function” (This means that barrier X is not
able to performs its required function(s) when the specified
accidental event occurs in the specified context).
Additional events and factors should also be described by (worst
case) statements, e.g., gas is ignited, wind blows toward dwelling
area.
B1
Accidental
event
Additional
event I occurs
B2
B3
B4
B5
Barrier I does Barrier II does Barrier III does Additional
Outcome /
not function
not function
not function event II occurs consequence
True
By this way the most severe consequences will come first
False
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 15 / 28
Outcome alternatives
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
In most applications only two alternatives (“true” and “false”) are
considered. It is, however, possible to have three or more
alternatives, as shown in the example below:
Wind toward
residental area
Example:
Separator
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
Gas release
Wind toward
factory
Wind toward
empty area
System Reliability Theory (2nd ed), Wiley, 2004 – 16 / 28
End outcomes
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
Quantitative
analysis
Conclusions
In practice, many event trees are ended before the “final”
consequences are reached
❑ Including these “final” consequences may give very large event
trees that are impractical for visualization
❑ This is solved by establishing a consequence distribution for
each end event and the probability of each consequence is
determined for each end event
❑ In effect, this is an extension of the event tree, but it gives a
more elegant and simpler presentation and also eases the
summary of the end results
❑
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 17 / 28
Results in decision making
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Example:
Separator
The results from the event tree analysis may be used to:
Judge the acceptability of the system
❑ Identify improvement opportunities
❑ Make recommendations for improvements
❑ Justify allocation of resources for improvements
❑
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 18 / 28
End events
Introduction
Construction
Main Steps
Accidental event
Barriers
Event sequence
Outcome
alternatives
End outcomes
Outcome
descr.
Loss of lives
Frequency
0
1-2 3-5
620
Material damage
>
20
N
L
M
H
Environmental
damage
N
L
M
H
Example:
Separator
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 19 / 28
Introduction
Construction
Example:
Separator
Offshore separator
Event tree
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
Example: Separator
System Reliability Theory (2nd ed), Wiley, 2004 – 20 / 28
Offshore separator
Introduction
To flare
Construction
PSV1
Example:
Separator
Offshore separator
Event tree
PSV2
RD
Quantitative
analysis
Gas outlet
Pressure
switches
Conclusions
LU
Separator
Gas, oil, and
water inlet
PSD1
PSD2
Fluid outlet
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 21 / 28
Activation Pressures
Introduction
Construction
Pressure in
separator
Example:
Separator
Offshore separator
Event tree
RD to be opened
PSVs to be opened
PSDs to be closed
Quantitative
analysis
Conclusions
Marvin Rausand, October 7, 2005
Time
System Reliability Theory (2nd ed), Wiley, 2004 – 22 / 28
Event tree
Introduction
Construction
Example:
Separator
Offshore separator
Event tree
Initiating
event
1
2
3
PSDs do not
close flow into
separator
PSVs do not
relieve
pressure
Rupture disc
does not open
Quantitative
analysis
True
Rupture or
explosion of
separator
False
Gas flowing out
of rupture disc
False
Gas relieved
to flare
True
Conclusions
True
Gas outlet
blocked
False
Marvin Rausand, October 7, 2005
Outcomes
Controlled
shutdown,
no gas "lost"
System Reliability Theory (2nd ed), Wiley, 2004 – 23 / 28
Introduction
Construction
Example:
Separator
Quantitative
analysis
Example
Frequencies of
outcomes
Conclusions
Marvin Rausand, October 7, 2005
Quantitative analysis
System Reliability Theory (2nd ed), Wiley, 2004 – 24 / 28
Example
Consider the generic example:
Introduction
Example:
Separator
B2
B1
Construction
Accidental
event
Additional
event I occurs
Quantitative
analysis
Example
Frequencies of
outcomes
B3
B4
Barrier I does Barrier II does
Additional
not function
not function event II occurs
True
True
False
True
Conclusions
True
False
True
True
False
False
True
False
False
Marvin Rausand, October 7, 2005
Outcome 1
Outcome 2
Outcome 3
Outcome 4
True
False
Outcome /
consequence
Outcome 5
Outcome 6
Outcome 7
Outcome 8
Outcome 9
System Reliability Theory (2nd ed), Wiley, 2004 – 25 / 28
Frequencies of outcomes
Introduction
Construction
Example:
Separator
Quantitative
analysis
Example
Frequencies of
outcomes
Conclusions
Let λ denote the frequency of the accidental (initiating) event.
Let Pr(Bi ) denote the probability of event B(i).
When we know that the accidental even has occurred, the
probability of “Outcome 1” is:
Pr(Outcome 1 | Accidental event) = Pr(B1 ∩ B2 ∩ B3 ∩ B4 )
= Pr(B1 ) · Pr(B2 | B1 ) · Pr(B3 | B1 ∩ B2 ) · Pr(B4 | B1 ∩ B2 ∩ B3 )
Note that all the probabilities are conditional given the result of the
process until “barrier” i is reached.
The frequency of “Outcome 1” is:
λ · Pr(B1 ∩ B2 ∩ B3 ∩ B4 )
The frequencies of the other outcomes are determined in a similar way.
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 26 / 28
Introduction
Construction
Example:
Separator
Quantitative
analysis
Conclusions
Pros and cons
Marvin Rausand, October 7, 2005
Conclusions
System Reliability Theory (2nd ed), Wiley, 2004 – 27 / 28
Pros and cons
Introduction
Positive
Construction
Example:
Separator
Quantitative
analysis
Conclusions
Pros and cons
Visualize event chains following an accidental event
❑ Visualize barriers and secuence of activation
❑ Good basis for evaluating the need for new / improved
procedures and safety functions
❑
Negative
❑
❑
❑
❑
❑
No standard for the graphical representation of the event tree
Only one initiating event can be studied in each analysis
Easy to overlook subtle system dependencies
Not well suited for handling common cause failures in the
quantitative analyses
The event tree does not show acts of omission
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 28 / 28
Related documents
Quality Control Checks on Reservoir Fluid Samples
Quality Control Checks on Reservoir Fluid Samples
Abstract The basic reasons we care about information systems security are...
Abstract The basic reasons we care about information systems security are...
Oil/Water Separator Maintenance SOP
Oil/Water Separator Maintenance SOP
Download
advertisement