
Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 59 pdf


… structural dependencies. For each sequence of the event tree, the fault trees of the composing events are linked in one large fault tree that follows the logic depicted in the event tree, and the fault tree is then solved with the usual techniques to compute the probability of occurrence of that sequence.

Figure 5.12 shows the previous example of an initiating event that requires two systems, S1 and S2, to intervene, where both systems are explicit on the event tree without care to their dependence. The hazardous event (accident and/or incident) sequences in Fig 5.12 may now be calculated using Bayes' theorem of conditional probability:

$$
\begin{aligned}
(I)(S_1)(S_2) &= P(S_2 \mid S_1 I)\, P(S_1 \mid I)\, P(I) \\
(I)(S_1)(F_2) &= P(F_2 \mid S_1 I)\, P(S_1 \mid I)\, P(I) \\
(I)(F_1)(S_2) &= P(S_2 \mid F_1 I)\, P(F_1 \mid I)\, P(I) \\
(I)(F_1)(F_2) &= P(F_2 \mid F_1 I)\, P(F_1 \mid I)\, P(I)
\end{aligned}
\qquad (5.4)
$$

If the probability of the sequence (I)(S1)(S2) is to be evaluated, a fault tree is developed with the top event occurring when the initiating event I, and the failure of both systems S1 and S2, occur. In place of the events S1 and S2, the corresponding system fault trees can be substituted, thus obtaining a large fault tree that can be logically simplified (accounting for the existing dependencies) and evaluated so as to give the probability of the top event, i.e. the probability of the sequence of interest. With this method, the dependencies are properly treated even if the analysis had, a priori, no information that the dependency existed. This is particularly useful in evaluating systems for safety critical consequences during the engineering design stage when information concerning the dependencies of hazardous events is still vague. Conversely, the resulting fault tree for an accident sequence may be rather large, necessitating more time for safety analysis during the design stage.

[Fig 5.12 Event tree with fault-tree linking: initiating event E1; System 1 success state S1 or failed state F1; System 2 success S2 or failure F2; resulting sequences (I)(S1)(S2), (I)(S1)(F2), (I)(F1)(S2) and (I)(F1)(F2)]

5.2 Theoretical Overview of Safety and Risk in Engineering Design 565

In summary, all the significant dependencies of hazardous events among systems are explicitly represented in the event trees with boundary conditions. The fault trees for the individual events are then simple and independent. However, great care must be taken in identifying all the existing dependencies. In the fault-tree link approach, dependencies of hazardous events are included in the fault trees for the various systems and, thus, the fault trees are not independent. The accident sequence in the linked fault tree is rather large and complex, but all dependencies are treated automatically.

In Fig 5.13, a simplified version of a functional event tree is illustrated for the case of a pipe rupture in the primary cooling circuit of a nuclear reactor. It is evident from these simplified event trees that, for realistic systems, event tree analysis and, thus, safety analysis in engineering design can become quite complicated.

5.2.1.4 Cause-Consequence Analysis for Safety in Engineering Design

The cause-consequence analysis (CCA) method or, alternatively, the cause-consequence diagram (CCD) method is a tool for system safety and risk analysis. As with the fault-tree analysis method, the cause-consequence diagram documents the failure logic of the system. In addition to this, the cause-consequence diagram produces the exact failure probability in an efficient calculation procedure. The cause-consequence diagram technique, as applied to static systems, has been shown to yield the same result as those produced by the solution of the equivalent fault tree and binary decision diagram. On this basis, general rules have been devised for the construction of a cause-consequence diagram, given a static system. The use of the method in this manner has significant implications in terms of efficiency of conducting safety analysis, and can be shown to have benefits for determining safety in engineering design.

Safety analysis of industrial systems is carried out to reduce the risk of adverse events such as injury or death, as well as to aid in the protection of systems and facilities, by reducing the frequency or consequences of accidents and/or incidents. Since the early 1960s, various mathematical models have been used to perform reliability analysis in order to predict the likelihood that a system will function under a given demand. Each analysis model had different features that made it more appropriate to specific types of systems, and the most efficient analysis was to utilise the simplest technique. The most commonly employed technique to assess the probability of failure of industrial systems is fault-tree analysis (FTA).

For systems containing independent failure events, it has been shown that the FTA technique produces a logical description of the failure process and yields, among other results, the system's unreliability. It has been highlighted, however, that this technique has limitations even when it is applied to systems containing independent failure events, in that the structural extent of backward analysis for this tree-based deductive method quickly becomes multi-branched for complex systems, and in itself becomes complex. Qualitatively, if the fault tree is complex, then finding the minimal cut sets can be time-intensive. In addition, the top event probability, found via the inclusion-exclusion formula, may also be computationally time-consuming if the system contains a moderate number of minimal cut sets.

[Fig 5.13 Function event tree for loss of coolant accident in nuclear reactor (NUREG 75/014 1975)]

In the past, this problem was solved by using a simple approximation for the probability of occurrence of the top event. These approximations, however, can be inaccurate if the likelihood of component failure is large. The problem of inaccuracies due to approximation techniques has been alleviated by the development of the binary decision diagram (BDD) approach. BDDs are based on Bryant's trees (Bryant 1986) to obtain the exact top event probability efficiently by expressing the system failure modes as disjoint paths. The calculation of the top event probability is achieved by summing the probabilities of these disjoint paths. This analysis procedure makes the BDD technique more efficient than the traditional FTA technique. The BDDs, however, cannot be constructed from the system description, and are developed from the fault-tree representation of the system. During the conversion process, the BDD loses all the causality information that is represented in the fault-tree structure. In addition to this, an inefficient ordering of the basic events can result in an excessively large diagram that can prove difficult to analyse, reducing the efficiency of the method.
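As an added illustration of the two points made above (the inclusion-exclusion calculation over minimal cut sets, and the inaccuracy of the simple first-term approximation when component failure probabilities are large), the following Python computes the top event probability of a small fault tree three ways. This is not code from the handbook; the cut sets, component names and q values are constructed for the example, and basic events are assumed independent.

```python
# Added example, not from the handbook: exact top-event probability by
# inclusion-exclusion over minimal cut sets, the usual first-term (rare-event)
# approximation, and a brute-force truth-table check.  Component names and
# failure probabilities are constructed for illustration; basic events are
# assumed to be independent.
from itertools import combinations, product
from typing import Dict, FrozenSet, Iterable, List


def cut_set_probability(events: Iterable[str], q: Dict[str, float]) -> float:
    """Probability that every basic event in `events` occurs (independence)."""
    p = 1.0
    for e in events:
        p *= q[e]
    return p


def top_event_exact(min_cut_sets: List[FrozenSet[str]], q: Dict[str, float]) -> float:
    """Inclusion-exclusion: P(C1 or C2 or ...) summed over all 2^n - 1
    combinations of cut sets, with the sign alternating by combination size.
    The number of terms grows exponentially, which is the cost the text refers to."""
    total = 0.0
    for k in range(1, len(min_cut_sets) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(min_cut_sets, k):
            union = frozenset().union(*combo)  # all events of the k cut sets together
            total += sign * cut_set_probability(union, q)
    return total


def top_event_rare_event_approx(min_cut_sets: List[FrozenSet[str]], q: Dict[str, float]) -> float:
    """Keep only the first-order terms: the sum of the cut-set probabilities.
    This upper bound is accurate only when every q is small."""
    return sum(cut_set_probability(cs, q) for cs in min_cut_sets)


def top_event_by_enumeration(min_cut_sets: List[FrozenSet[str]], q: Dict[str, float]) -> float:
    """Reference value: enumerate every component state vector and add up the
    probability of those in which at least one minimal cut set is fully failed."""
    comps = sorted(q)
    total = 0.0
    for states in product([False, True], repeat=len(comps)):  # True = failed
        failed = {c for c, s in zip(comps, states) if s}
        if any(cs <= failed for cs in min_cut_sets):
            working = [c for c in comps if c not in failed]
            total += cut_set_probability(failed, q) * cut_set_probability(
                working, {c: 1.0 - q[c] for c in comps})
    return total


# Constructed system: TOP = (A and B) or C, i.e. minimal cut sets {A, B} and {C}
MIN_CUT_SETS = [frozenset({"A", "B"}), frozenset({"C"})]
Q_SMALL = {"A": 0.01, "B": 0.02, "C": 0.005}   # low failure likelihood
Q_LARGE = {"A": 0.5, "B": 0.5, "C": 0.5}       # high failure likelihood


def approximation_error(q: Dict[str, float]) -> float:
    """Relative error of the rare-event approximation for the constructed tree."""
    exact = top_event_exact(MIN_CUT_SETS, q)
    return (top_event_rare_event_approx(MIN_CUT_SETS, q) - exact) / exact


if __name__ == "__main__":
    for label, q in (("small q", Q_SMALL), ("large q", Q_LARGE)):
        print(label, "exact =", top_event_exact(MIN_CUT_SETS, q),
              "approx =", top_event_rare_event_approx(MIN_CUT_SETS, q),
              "rel. error = %.2f%%" % (100 * approximation_error(q)))
```

With the small q values the approximation is within a few hundredths of a percent of the exact value; with q = 0.5 for every component it overstates the top event probability by 20 %, which is the effect the text warns about.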

A technique has been developed that represents all system outcomes, given an initial event, on a diagram that contains a full textual description of the system's behaviour, and produces an exact quantification of system failure probability. This technique is based on the cause-consequence diagram (CCD) method developed at RISO Laboratories in Denmark in the 1970s to aid in reliability analysis of nuclear power plant (Villemeur 1991).

The cause-consequence diagram method involves the identification of the potential modes of failure of individual components and then relates the causes to the ultimate consequences for the system. The consequences evaluated include those that represent system failure as well as those that represent other system behaviour.

As all consequence sequences are investigated, the method can assist in identifying system outcomes that may not have been envisaged during the earlier design phases. Cause-consequence analysis (CCA) is most frequently applied to systems where the system state changes with time (Nielsen et al 1975). Application of cause-consequence analysis to a static system, and development of rules for the construction of a cause-consequence diagram representing a static system, have been used in a high-integrity protection system (HIPS) to prevent the passage of a high-pressure surge in downstream vessels in a process engineering design (Ridley et al 1996).

The Cause-Consequence Diagram Method

Cause-consequence diagramming is a technique that embodies both causal and consequence analysis. The technique provides a diagrammatic notation for expressing the potential consequences of an event (normally, a hazard) and the factors that influence the outcome. The basic notation is introduced in the context of the example in Fig 5.14. In this diagram, the hazard is 'ignition'. The final outcomes (or so-called significant consequences) are shown in octagons and vary from 'no fire', 'minor fire', to 'major fire'. The main factors that influence the outcomes are shown in 'condition vertices' (i.e. YES or NO branching), specifically 'alarm on' and 'sprinkler on'. The diagram shows that a major fire will occur as a result of the ignition hazard only if both the sprinkler and alarm system fail. If the frequency with which the hazard will occur can be estimated, and the probability that the sprinkler and alarm systems will fail on demand (and, importantly, to what degree these failures are correlated), then the frequency with which the hazard will give rise to this incident can be estimated. This is an essential step on the way to estimating the risk arising from the hazard.

[Fig 5.14 Example cause-consequence diagram: hazard 'Ignition'; condition vertices 'Sprinkler on' and 'Alarm on' with YES/NO branches; outcomes 'No fire', 'Minor fire', 'Major fire']
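The following Python is an added example, not code from the handbook, serving two passages: it implements the chained conditional probabilities of Eq. (5.4) for the four sequences of Fig 5.12, and then applies them to the ignition diagram of Fig 5.14 to turn a hazard frequency plus failure-on-demand probabilities into outcome frequencies, with and without correlation between the sprinkler and alarm failures. All numeric values are constructed, and the mapping of the 'sprinkler on'/'alarm on' branches to 'no fire' and 'minor fire' is an assumed reading of the figure (only the 'major fire' case is stated in the text).

```python
# Added example, not from the handbook: the four sequence probabilities of
# Eq. (5.4) from chained conditional probabilities, applied to the ignition
# cause-consequence diagram of Fig 5.14.  All numbers are constructed, and the
# mapping of branches to outcomes is an assumed reading of the figure.
from typing import Dict


def sequence_probabilities(p_i: float, p_s1_given_i: float,
                           p_s2_given_s1_i: float, p_s2_given_f1_i: float) -> Dict[str, float]:
    """Probabilities of the four sequences of Fig 5.12 per Eq. (5.4).

    Inputs are P(I), P(S1|I), P(S2|S1 I) and P(S2|F1 I); failure terms are the
    complements, e.g. P(F1|I) = 1 - P(S1|I).  A dependence between the two
    systems shows up as P(S2|S1 I) != P(S2|F1 I); with independence the two
    conditionals are equal and the chain collapses to a plain product.
    """
    p_f1_given_i = 1.0 - p_s1_given_i
    return {
        "(I)(S1)(S2)": p_s2_given_s1_i * p_s1_given_i * p_i,
        "(I)(S1)(F2)": (1.0 - p_s2_given_s1_i) * p_s1_given_i * p_i,
        "(I)(F1)(S2)": p_s2_given_f1_i * p_f1_given_i * p_i,
        "(I)(F1)(F2)": (1.0 - p_s2_given_f1_i) * p_f1_given_i * p_i,
    }


def ignition_outcome_frequencies(ignition_rate: float,
                                 p_sprinkler_fails: float,
                                 p_alarm_fails_given_sprinkler_ok: float,
                                 p_alarm_fails_given_sprinkler_fails: float) -> Dict[str, float]:
    """Frequency (same unit as ignition_rate) of each outcome of Fig 5.14.

    System 1 is the sprinkler, system 2 the alarm.  Assumed outcome mapping:
    sprinkler on -> no fire; sprinkler fails but alarm on -> minor fire;
    both fail -> major fire (the text states this last case explicitly).
    Conditioning on ignition (P(I) = 1) and scaling by its rate turns the
    sequence probabilities into outcome frequencies.
    """
    seq = sequence_probabilities(1.0, 1.0 - p_sprinkler_fails,
                                 1.0 - p_alarm_fails_given_sprinkler_ok,
                                 1.0 - p_alarm_fails_given_sprinkler_fails)
    return {
        "no fire": ignition_rate * (seq["(I)(S1)(S2)"] + seq["(I)(S1)(F2)"]),
        "minor fire": ignition_rate * seq["(I)(F1)(S2)"],
        "major fire": ignition_rate * seq["(I)(F1)(F2)"],
    }


# Constructed inputs: 0.1 ignitions per year, sprinkler fails on demand 5 %,
# alarm fails on demand 2 % when its failure is unrelated to the sprinkler.
IGNITION_RATE = 0.1
Q_SPRINKLER = 0.05
Q_ALARM = 0.02
# Constructed correlated case: a shared cause (say a common power supply)
# raises the alarm's failure probability to 50 % once the sprinkler has failed.
Q_ALARM_GIVEN_SPRINKLER_FAILED = 0.5


def major_fire_frequency(correlated: bool) -> float:
    """Major-fire frequency under the independent or the correlated assumption."""
    p_alarm_given_fail = Q_ALARM_GIVEN_SPRINKLER_FAILED if correlated else Q_ALARM
    return ignition_outcome_frequencies(IGNITION_RATE, Q_SPRINKLER, Q_ALARM,
                                        p_alarm_given_fail)["major fire"]


if __name__ == "__main__":
    print("independent :", major_fire_frequency(False))   # 0.1 * 0.05 * 0.02
    print("correlated  :", major_fire_frequency(True))    # 0.1 * 0.05 * 0.5
```

With these constructed numbers the correlated case gives a major-fire frequency 25 times that of the independent case, which is why the text insists on knowing to what degree the two failures are correlated before the incident frequency is estimated.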

Symbols Used for a Cause-Consequence Diagram

There are basically six types of symbols used for constructing a cause-consequence diagram. These symbols include the decision box, fault-tree arrow, initiator triangle, time delay box, OR gate, and consequence box, as illustrated in Table 5.4.

The cause-consequence diagram is thus developed from an initiating event, i.e. an event that starts a particular operational sequence, or an event that activates certain safety systems. The cause-consequence diagram is comprised of two conventional safety analysis techniques, the fault-tree analysis (FTA) method and the event tree analysis (ETA) method.

The event tree analysis method is used to identify the various paths that the system could take, following the initiating event, depending on whether certain sub-systems/components function correctly or not.

The fault-tree analysis method is used to describe the failure causes of the sub-systems considered in the event tree part of the diagram. This relationship is shown in Fig 5.15.

Table 5.4 Cause-consequence diagram symbols and functions

Decision box (YES/NO branches, e.g. 'Sprinkler on'): represents the functionality of a component/system. The NO box represents failure to perform correctly, the probability of which is obtained via a fault tree or single component failure probability q_i.

Fault tree arrow (Ft1): represents the number of the fault tree structure which corresponds to the decision box.

Initiator triangle (λ = ...): represents the initiating event for a sequence, where λ indicates the rate of occurrence.

Time delay box (t = x hrs): indicates that the time starts from the time at which the delay symbol is entered and continues up to the end of the time interval in the delay symbol.

OR gate symbol: used to simplify the cause-consequence diagram when more than one decision box enters the same decision box or consequence box.

Consequence box: represents the outcome event due to a particular sequence of events.

[Fig 5.15 Structure of the cause-consequence diagram: an initiating event feeds the consequence part (identification of sequence depending on accident or incident limiting systems, by event tree analysis) and the causal part (cause of accident or incident limiting systems, by fault tree analysis)]

Rules for construction and quantification. The cause-consequence diagram technique has been applied to a static safety system and found to yield results similar to those produced by a conventional fault tree (Ridley et al 1996). On the basis of this study, general rules have been devised for the correct construction of the cause-consequence diagram, as given below. The use of the cause-consequence method in this manner has significant implications in terms of efficiency of reliability analysis, and can be shown to have computational benefits for analysing static safety systems.

Step 1 Component failure event ordering. If the order of failure is irrelevant, which is typically the case in a static system, then the CCD can be initiated by considering any of the components in the system. The analysis of the CCD should yield identical results regardless of the component or variable ordering; however, the actual diagrams may vary in size. The first step of CCD construction is therefore deciding on the order in which component failure events are to be taken. To ensure a logical development of the causes of the system failure mode (i.e. initiating event), the ordering should follow the temporal action of the system, or the system's activation for the function required.

Step 2 Cause-consequence diagram construction. The second stage involves the actual construction of the CCD. Starting from the initiating component, the functionality of each component or sub-system is investigated and the consequences of these sequences determined. If the decision box is governed by a sub-system, then the probability of failure will be obtained via a fault-tree diagram.

Step 3 Reduction. If any decision boxes are deemed irrelevant (for example, the boxes attached to the NO and YES branches are identical, and their outcomes and consequences are the same), then these should be removed and the diagram reduced to a minimal form. Removal of these boxes will in no way affect the end result. This is illustrated in Fig 5.16, where failure (F) can occur due to either of the two paths that terminate in the same failure function consequence, affecting either the NO or YES branches of component A. On one path, the component (A) works, on the other it fails, proving that the state of component (A) represented by the decision box is irrelevant. When a redundant decision box is identified, reduction is achieved by removing the box and replacing it with the next decision/consequence box. When no further redundancies exist, the cause-consequence diagram is deemed minimal.

[Fig 5.16 Redundant decision box]

Step 4 System failure quantification. The probability of each consequence for a static system is determined by summing the probability of each set of events that lead to this particular outcome. Each sequence probability is obtained by simply multiplying the probabilities of the component events represented by the branch. This is possible because each sequence of events is mutually exclusive, and the probability of a component failure event is assumed independent.

Three-component systems. The cause-consequence diagram approach for static systems can be demonstrated by a very simple system example. The approach shows that it has potential advantages in comparison to a conventional fault-tree analysis for larger systems. The system example contains three components A, B and C, and system failure is caused by either A and B failing together, or C failing alone. The system failure causes are illustrated as a fault-tree structure in Fig 5.17.

The cause-consequence diagram can be constructed according to the following steps:

Step 1 Component failure event ordering. The ordering chosen is that of A, B and C.

Step 2 Cause-consequence diagram construction. The CCD is constructed by inspecting the failures of the components in that order (refer to Fig 5.18).

Step 3 Reduction. Boxes 3 and 4 are both irrelevant and are therefore removed. This process reduces the CCD, the final form being illustrated in Fig 5.19 and, as no further redundancies exist, the diagram is minimal.

Step 4 System failure quantification. The probability of system failure is equal to the sum of the probability of the three sequence paths that lead to the consequence 'F'. Therefore, since the paths are mutually exclusive:

$$
\begin{aligned}
\text{Probability of failure} &= P(\text{path 1}) + P(\text{path 2}) + P(\text{path 4}) \\
&= q_A \cdot q_B + q_A \cdot (1 - q_B) \cdot q_C + (1 - q_A) \cdot q_C \\
&= q_A \cdot q_B + q_A \cdot q_C - q_A \cdot q_B \cdot q_C + q_C - q_A \cdot q_C \\
&= q_A \cdot q_B + q_C - q_A \cdot q_B \cdot q_C
\end{aligned}
$$

The fault-tree quantification calculates the top event probability to be identical to that obtained by the cause-consequence diagram approach. By studying the reduced form of the CCD, it can be noted that it is equivalent to the binary decision diagram (BDD) for the fault tree in Fig 5.17 with the variable ordering A < B < C, as illustrated in Fig 5.20. The top event probability can also be obtained directly from the BDD by multiplying the probabilities down the paths that lead to the terminal 1 node.

[Fig 5.17 Example fault tree indicating system failure causes: TOP event fed by Function A and Function B together, or by C]

[Fig 5.18 Cause-consequence diagram for a three-component system]

[Fig 5.19 Reduced cause-consequence diagram]

[Fig 5.20 BDD with variable ordering A < B < C]
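The following Python is an added example, not code from the handbook, that serves both the four construction rules (Steps 1 to 4 above) and the three-component worked example: it expands the components in a chosen order into a decision tree (Steps 1 and 2), removes every decision box whose YES and NO branches are identical (Step 3), and sums the mutually exclusive failure paths (Step 4). It then checks that the result equals the closed form q_A q_B + q_C - q_A q_B q_C and, going one step beyond the text, that the ordering C, A, B gives the same probability from a smaller diagram, as Step 1 states. The numeric q values are constructed; the class and function names are the example's own.

```python
# Added example, not from the handbook: Steps 1 to 4 of the cause-consequence
# diagram procedure for a static system, applied to the three-component
# example (system fails if A and B fail together, or C fails alone).  The
# failure probabilities q_A, q_B, q_C used at the end are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple, Union


@dataclass(frozen=True)
class Consequence:
    label: str  # "F" = system failure, "W" = system working


@dataclass(frozen=True)
class DecisionBox:
    component: str
    yes: "Node"  # branch taken when the component functions
    no: "Node"   # branch taken when the component fails, probability q_i


Node = Union[Consequence, DecisionBox]
SystemFails = Callable[[FrozenSet[str]], bool]  # given the set of failed components


def three_component_fails(failed: FrozenSet[str]) -> bool:
    """Fault tree of Fig 5.17: TOP = (A AND B) OR C."""
    return ("A" in failed and "B" in failed) or "C" in failed


def build_ccd(order: Sequence[str], system_fails: SystemFails,
              failed: FrozenSet[str] = frozenset()) -> Node:
    """Steps 1-2: expand the components in the chosen order into a full
    decision tree; each leaf is the consequence of that combination of states."""
    if not order:
        return Consequence("F" if system_fails(failed) else "W")
    comp, rest = order[0], order[1:]
    return DecisionBox(comp,
                       yes=build_ccd(rest, system_fails, failed),
                       no=build_ccd(rest, system_fails, failed | {comp}))


def reduce_ccd(node: Node) -> Node:
    """Step 3: remove every decision box whose YES and NO branches are
    identical, working bottom-up so that newly exposed redundancies are also
    removed; the result is the minimal diagram."""
    if isinstance(node, Consequence):
        return node
    yes, no = reduce_ccd(node.yes), reduce_ccd(node.no)
    if yes == no:          # frozen dataclasses compare structurally
        return yes         # the box is irrelevant: replace it by its successor
    return DecisionBox(node.component, yes, no)


def count_boxes(node: Node) -> int:
    """Number of decision boxes in the diagram (a measure of its size)."""
    if isinstance(node, Consequence):
        return 0
    return 1 + count_boxes(node.yes) + count_boxes(node.no)


def failure_paths(node: Node, q: Dict[str, float],
                  prefix: Tuple[str, ...] = ()) -> List[Tuple[Tuple[str, ...], float]]:
    """Every path ending in consequence F with its probability, the product of
    the branch probabilities (component failures assumed independent)."""
    if isinstance(node, Consequence):
        return [(prefix, 1.0)] if node.label == "F" else []
    paths: List[Tuple[Tuple[str, ...], float]] = []
    for path, p in failure_paths(node.yes, q, prefix + (node.component + " works",)):
        paths.append((path, p * (1.0 - q[node.component])))
    for path, p in failure_paths(node.no, q, prefix + (node.component + " fails",)):
        paths.append((path, p * q[node.component]))
    return paths


def system_failure_probability(node: Node, q: Dict[str, float]) -> float:
    """Step 4: the paths are mutually exclusive, so their probabilities add."""
    return sum(p for _, p in failure_paths(node, q))


def analyse(order: Sequence[str], q: Dict[str, float]) -> Tuple[int, int, int, float]:
    """Return (boxes before reduction, boxes after, number of failure paths,
    system failure probability) for the three-component system."""
    full = build_ccd(order, three_component_fails)
    minimal = reduce_ccd(full)
    return (count_boxes(full), count_boxes(minimal),
            len(failure_paths(minimal, q)), system_failure_probability(minimal, q))


Q = {"A": 0.1, "B": 0.2, "C": 0.3}  # constructed component failure probabilities

if __name__ == "__main__":
    for order in (("A", "B", "C"), ("C", "A", "B")):
        print(order, analyse(order, Q))
    # Closed form from the text: qA*qB + qC - qA*qB*qC
    print("closed form", Q["A"] * Q["B"] + Q["C"] - Q["A"] * Q["B"] * Q["C"])
```

With the ordering A, B, C the full tree has seven decision boxes, the reduced diagram four, and three paths lead to F, matching the three sequence paths summed in Step 4; with the ordering C, A, B the reduced diagram has only three boxes and two failure paths, yet the same probability, which is the ordering-dependence of diagram size that Step 1 describes.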
