an over-engineered solution to be less reliable than the original design because of inadequate testing and maintenance. Furthermore, it is always advisable to take into account the level of training and experience of the personnel who will be operating the plant. Actions that call for elaborate and sophisticated protective systems are often wasted, as well as being inherently hazardous, if operators do not understand how they function.
c) Hazard and Operability Modelling
A crucial step in support of a HazOp analysis is to find a suitable discrete event system (DES) representation for the physical system behaviour, generally described by continuous dynamics. However, systems modelling approaches have to be adapted to the information that is available at certain points in the design stage.
To create a model that is appropriate for PHI, a method must be developed that qualitatively maps the dynamics in state transition systems. This type of model is ideal for HazOp but is often not sufficient for controller verification, especially if thresholds of timeouts have to be considered. Thus, the initial model, derived in the early design phases, must be refined by adding quantitative information so that a timed discrete event system is obtained for controller verification in the detail engineering design phase. As a basis for a concept to check the safety of a process system in different design stages, the physical system’s behaviour is mapped into state transition systems given as a 6-tuple

$TS = (S, S_0, I, O, \varphi, \theta)$ (5.25)

where:

TS = state transition system
S = finite set of states
$S_0$ = set of initial states, where $S_0 \subseteq S$
I = finite input
O = finite output

Furthermore:

$\varphi: S \times I \to 2^S$ denotes the state transition function
$\theta: S \times I \to O$ denotes the state output function
Application of the model (in computerised form) in a HazOp study relates system behaviour, mapped into state transition systems, to the HazOp guidewords of ‘none’, ‘more of’, ‘less of’, ‘reverse’, ‘part of’, ‘more than’, ‘other than’, etc. This type of DES is appropriate to represent the system’s behaviour qualitatively. However, to introduce quantitative information into the TS, time-dependent transitions must be augmented, which will be considered later.
d) Qualitative Modelling for Hazard Identification
In a typical model-based PHI, as it is established in the process industries, a team of experts systematically examines a system’s related process flow diagram (PFD) and currently available piping and instrumentation diagram (PID).

To analyse failures and all conceivable deviations from the desired operation, the HazOp guidewords ‘none’, ‘more of’, ‘less of’, ‘reverse’, ‘part of’, ‘more than’, ‘other than’, etc. are used to qualitatively describe the dynamic behaviour of the system. If an inadequacy or a potential hazard is identified, appropriate countermeasures have to be added. Current topics of research to formalise this procedure are based on fuzzy modelling (Wang et al. 1995) or expert systems (Vaidhyanathan et al. 1996).
In the conceptual engineering phase, further information about the detail of the process, such as secondary reactions, equipment operations, and final mass and energy balances, is still vague. All data are eventually summarised in the PID and supplemented by additional information about the purposes of controllers and safety devices, but no exact specifications and detailed numeric data about the physical functions are yet available. Thus, the interaction between the system’s physical behaviour and the controller actions can be modelled only qualitatively (to the degree of abstraction used in a HazOp study based on the guidewords). However, even a qualitative model must have features to express causality and the temporal order of actions. The procedure of creating a model according to Eq. (5.25) is carried out by the following four steps:
1. For each systems unit of a plant (reactor, pressure vessel, etc.) or item of equipment of a system (tank, pump, etc.), depending on the level of resolution of the process at the particular design phase, the set V of process variables $v \in V$ describing physical behaviour is identified. This set typically comprises process quantities such as temperature, pressure, level, input flow and output flow.
2. Second, a set $Q_j$ of qualitative states is introduced for each process variable $v_j$, e.g. the states ‘critically low’, ‘low’, ‘normal’, ‘high’ and ‘critically high’ for a process variable ‘pressure’. The set of states in Eq. (5.25) follows from $S = Q_1 \times Q_2 \times \cdots \times Q_j$. Usually, the set of initial states $S_0$ corresponds to the system’s normal operation mode.
3. The third step, a crucial one, is to define the interactions of the process variables that are given as transitions between states in S depending on triggering signals. Thus, for each pair of states $\sigma_1, \sigma_2 \in S$, the analyst decides whether a physical effect $i_k \in I$ exists that can cause a transition between the states

$\varphi_{1k2}: (\sigma_1, i_k) \to \sigma_2$
$\varphi_{2k1}: (\sigma_2, i_k) \to \sigma_1$ (5.26)

In this case, the enabling/enforcing effect is included into TS.
4. The modeller has to examine if the triggering input signal $i_k$ has any further effect on the process behaviour. If there is an effect, then an output signal $O_1 \in O$ that specifies this behaviour is introduced as

$\varphi_{1k1}: (\sigma_1, i_k) \to O_1$ (5.27)
An important aspect of creating the DES is that, in accordance with the HazOp study, even unlikely triggering events and their consequences must be modelled.

A discrete model derived like this is not only suitable for PHI but can also be used as a basis for later model refinement in the detail design phase. Relying upon a safe system function defined in the early engineering design phases, one task of the later detail design phase is to design supervisory controllers that ensure the exclusion of dangerous operating modes.

To solve this task, model-based verification is used, which includes the following:

• A DES model of the system, including all possible physical behaviours, is generated.
• The controller specifications are transformed into a DES representation, and the combination of both yields a discrete model of the controlled system.
• The avoidance of dangerous states is verified or falsified by reachability analysis.
e) Quantitative Representation of Uncontrolled Processes
An analysis aiming to check whether a supervisory controller always ensures safe systems operation must satisfy the following questions:

• If a system’s state moves in the direction of a critical situation, does the controller always react with an appropriate countermeasure to avoid this situation?
• Has the threshold of a process variable (or a threshold of time) at which a countermeasure is applied been chosen correctly, to avoid the critical state?
In principle, a transition system obtained from qualitative modelling, such as Eq. (5.25), is sufficient to answer the first question. However, an examination of controller thresholds asks for a model comprising also numerical data for thresholds, and information about the duration for which a discrete state is active. In this case, the DES of Eq. (5.25) is extended to a timed transition system given as a 7-tuple

$TTS = (S, S_0, I, O, \varphi, \theta, \tau)$ (5.28)

where:

TTS = timed transition system
S = finite set of states
$S_0$ = set of initial states, where $S_0 \subseteq S$
I = finite input
O = finite output
$\tau$ = finite set of clocks
$\varphi: S \times I \times \psi(\tau) \to 2^S$ denotes the state-time transition function
$\theta: S \times I \times \psi(\tau) \to O$ denotes the state-time output function

In contrast to the TS of Eq. (5.25), the TTS contains a finite set of clocks $\tau$, and the state transition function $\varphi: S \times I \times \psi(\tau) \to 2^S$ depends on logical propositions $\psi(\tau)$ over the clock variables.
f) Checking Safety by Reachability Analysis
Based on the discrete models generated as described in Eqs. (5.25) and (5.28), a comprehensive investigation of the system’s safety is possible. The concept of reachability analysis (RA) is appropriate for checking safety in different design phases, since it is applicable to models of both degrees of abstraction (i.e. qualitative, Eq. 5.25, and quantitative, Eq. 5.28).

If $S_C$ denotes the set of critical states, a complete search over all possible runs of the DES shows whether a path from an initial state $s \in S_0$ to a critical state contained in $S_C$ exists; in this case, a hazard is identified, and respectively the correspondence of controller implementation and specification is falsified. Obviously, the analysis of the refined model of Eq. (5.28) is more costly because the time constraints $\psi(\tau)$ have to be considered in determining the transitions. Thus, to minimise the computational effort, model refinement should be limited to the necessary.

For preliminary hazards identification (PHI), alternative strategies can be considered. Following the HazOp study method, design failures can be identified by forward simulation of the state transition model of Eq. (5.25). In fact, such a simulation imitates the application of guidewords, since a possible deviation from normal operation can be assumed by generating the corresponding input signal, and the propagation of its effect is investigated as a sequence of transitions in the model. However, such a hazard identification approach relies on the user’s intuition in choosing the right starting scenario, as well as one of several non-deterministic choices during the simulation.

The application of hazard and operability modelling during the conceptual design phase, including preliminary hazards identification (PHI) and reachability analysis (RA) in a specific industrial process engineering example, is considered in detail in Sect. 5.3.1.
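As an added worked example (constructed here, not code from the book), the four-step qualitative modelling procedure of Sect. d) and the reachability analysis of Sect. f) are carried out for one process variable ‘pressure’; the state set, the inputs (named after HazOp guidewords), the countermeasures and both controller specifications are assumptions made for illustration.

```python
"""Added worked example (constructed, not the book's code): four-step qualitative
DES for one process variable, composed with a supervisory controller and checked
by reachability analysis against the set SC of critical states."""
from collections import deque

# Steps 1 and 2: variable 'pressure' with its qualitative state set; inputs are
# constructed deviations named after HazOp guidewords plus two countermeasures.
Q_PRESSURE = ["critically_low", "low", "normal", "high", "critically_high"]
S0 = {"normal"}                              # initial states: normal operation
SC = {"critically_low", "critically_high"}   # critical states

def build_plant():
    """Step 3: phi maps (state, input) to the set of successor states."""
    phi = {}
    def add(s, i, t):
        phi.setdefault((s, i), set()).add(t)
    for lo, hi in zip(Q_PRESSURE, Q_PRESSURE[1:]):
        add(lo, "more_of_feed", hi)     # 'more of' feed: pressure rises a step
        add(hi, "less_of_feed", lo)     # 'less of' feed: pressure falls a step
        add(hi, "vent", lo)             # countermeasure: venting lowers pressure
        add(lo, "close_outlet", hi)     # countermeasure: closing the outlet raises it
    return phi

def compose(phi, controller):
    """Controlled system: where the controller forces a countermeasure only that
    transition is kept (the untimed model assumes the reaction precedes the next
    deviation); in all other states the plant transitions remain."""
    return {(s, i): t for (s, i), t in phi.items() if controller.get(s) in (None, i)}

def reachability(phi, s0, critical):
    """Complete breadth-first search over all runs of the DES; returns a run
    [state, input, state, ...] ending in a critical state, or None."""
    queue = deque((s, [s]) for s in sorted(s0))
    seen = set(s0)
    while queue:
        state, path = queue.popleft()
        if state in critical:
            return path
        for (s, i), targets in phi.items():
            for t in sorted(targets):
                if s == state and t not in seen:
                    seen.add(t)
                    queue.append((t, path + [i, t]))
    return None

# Two constructed controller specifications: EARLY reacts at the 'high'/'low'
# thresholds, LATE only once a critical state has already been reached.
EARLY = {"high": "vent", "low": "close_outlet"}
LATE = {"critically_high": "vent", "critically_low": "close_outlet"}

def verify(controller):
    """A returned hazard path falsifies the specification; None verifies it."""
    return reachability(compose(build_plant(), controller), S0, SC)

if __name__ == "__main__":
    print("uncontrolled:", reachability(build_plant(), S0, SC))
    print("late threshold:", verify(LATE))
    print("early threshold:", verify(EARLY))
```

The late specification is falsified by a two-step run from ‘normal’ into a critical state, while the early one leaves no critical state reachable, which is the threshold question of Sect. e) answered on the qualitative model.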
5.2.3 Theoretical Overview of Safety and Risk Assessment in Preliminary Design
Safety and risk assessment attempts to estimate the expected safety risk and criticality for each individual system or assembly at the upper systems levels of the systems breakdown structure (SBS). Safety and risk assessment ranges from estimations of the safety risk of relatively simple systems with series and parallel assemblies, to estimations of the safety risks of multi-state systems with random failure occurrences.

Safety and risk assessment is considered in the schematic or preliminary design phase of the engineering design process, and includes basic concepts of modelling such as:

i Markov point processes in designing for safety.
ii Fault-tree analysis for safety systems design.
iii Common cause failures in root cause analysis.
5.2.3.1 Markov Point Processes in Designing for Safety
A point process is intended to model a probabilistic situation that places points on a time axis. For safety analysis, these points are termed accident or incident events. To express these points mathematically in an event space $\Omega$, the following notation is used: if A is a set of events in $\Omega$, then $N(A)$ is the number of events in the set A, while if t is a positive real number, then $N(t)$ is the number of events on $(0, t]$. Thus, for example, if

$N(t) = N(0, t]$

then

$N(a, b] = N(b) - N(a)$

and

$N\{a\}$ = the number of events at the point a. (5.29)

A point process has no simultaneous event (i.e. more than one accident and/or incident cannot occur simultaneously on the same equipment at the same time) if each step of $N(t)$ is of unit magnitude (where t is measured in units of time such as seconds, minutes, hours, days, etc.), with complete certainty (i.e. probability = 1) (Thompson 1988).
a) Point Process Parameters
In developing parameters of a point process, let $M(t)$ be the expected value or mean of $N(t)$. Thus

$M(t) = E[N(t)]$

where:

$M(t)$ = a non-decreasing continuous function
E = expected value

Taking derivatives

$\mu(t) = \frac{d}{dt}\big[M(t)\big] = M'(t)$ (5.31)

where:

$\mu(t)$ = instantaneous rate of change of the expected value of the number of events with respect to time t.
The instantaneous rate of change, $\mu(t)$, is termed the event or incident rate of the process. Thus, in modelling a system or its equipment for reliability and/or safety with respect to hazards (or events in a point process) during the schematic or preliminary design phase, the incident rate of the process is, in effect, the failure rate of the system. However, it must be expressly noted that this concept of incident rate differs from the failure rate of the age distribution of equipment. Obviously, equipment ages with use over a period of time, and becomes more prone to failure (i.e. wear-out failure characteristic of the failure hazard curve of Fig. 3.19). This is the hazard rate function, $r(t)$, considered in Sect. 3.2.3 (refer to Eqs. 3.29 to 3.33), and expressed as

$r(t) = \lim_{\Delta t \to 0} P(t \le Z < t + \Delta t) = \lim_{\Delta t \to 0} F(t)$

where

$F(t) = \int_{x=t}^{t+\Delta t}$

The rates $r(t)$ and $\mu(t)$ are quite different, in that the pattern of $r(t)$ follows the wear-out shape of the failure hazard curve (bathtub or U-shaped curve), whereas the pattern of $\mu(t)$ is linear and follows the random failure or useful life shape of the failure hazard curve. Another function of point processes, in addition to the incident rate $\mu(t)$, is the intensity function. If there are no simultaneous events, then the incident rate equals the intensity (Thompson 1988, cited Leadbetter 1970).
The intensity of point process events (accidents or incidents) can be expressed as

$h(t) = \lim_{\Delta t \to 0} P\big(N(t + \Delta t) \ge 1\big)$

where:

$h(t)$ = probability of one more event in the interval $t + \Delta t$.
b) Markov Chains and Critical Risk
Critical risk theory hypothesises that, out of k risks, at least one will be critical with respect to the severity of their consequences. The theory is based on predicting a change in these consequences as a result of removing or adding a risk (Thompson 1988). For example, it attempts to predict a change in the useful life expectancy of a cooling water tank, if an anti-corrosion agent was added to the tank’s contents; or to predict the probability of an increase in random occurrence events (failures) in electric pump motors due to pump seal deterioration as a result of the addition of an anti-corrosion agent to the cooling water circuit.
Critical risk theory assimilates a stochastic process where the transition probabilities from an earlier to a later state depend only on the earlier state, and the times involved. This is typical of Markov chains. Thus, critical risk implies that initially a system or an item of equipment is in an operable state 0 and, after a time period T, the system or equipment undergoes a state change or transition from being operable to being inoperable (i.e. failed) as a result of some consequence due to critical risk C.

For a critical risk C, where $C = 1, 2, 3, \ldots, k$, time and cause of failure are subject to chance. Only transitions from state 0 to one of the different states $0, 1, 2, 3, \ldots, k$ are possible, in which the states $1, 2, 3, \ldots, k$ are considered to be absorbing (once in the system, they are never removed).
Let $P_{ij}(\tau, t)$ be the probability of transition from state i at time $\tau$ to state j at time t. Assume that the intensity functions $h_i(t)$ exist, and satisfy the following expressions

$P_{00}(t, t + \Delta t) = 1 - \sum_{i=1}^{k} h_i(t)\,\Delta t + o(\Delta t)$ (5.36)

$P_{0i}(t, t + \Delta t) = h_i(t)\,\Delta t + o(\Delta t)$ (5.37)

$i = 1, 2, 3, \ldots, k$. This yields the Kolmogorov differential equations (Oksendal 1985):

$\frac{d}{dt} P_{00}(0, t) = -P_{00}(0, t) \cdot h(t)$ (5.38)

$h(t) = \sum_{i=1}^{k} h_i(t)$

$\frac{d}{dt} P_{0i}(0, t) = P_{0i}(0, t) \cdot h(t)$ (5.40)

$i = 1, 2, 3, \ldots, k$
c) Review of Kolmogorov Differential Equations
It is useful at this point to review the Chapman–Kolmogorov equation, which states that

$P_{ij}(s + t) = \sum_{k} P_{ik}(s) \cdot P_{kj}(t)$ (5.41)

or, in matrix terms

$P(s + t) = P(s) \cdot P(t)$

Note that $P(0) = I$, which is the identity matrix. For integer t, it follows that $P(t) = P(1)^t$, but then t need not be an integer. Setting $t = ds$ in the Chapman–Kolmogorov equation gives

$P(s + ds) = P(s) \cdot P(ds)$
$P(s + ds) - P(s) = P(s) \cdot [P(ds) - I]$
$P'(s) = P(s)\, Q$ (5.43)

where:

$Q = P'(0)$ is the matrix (called the Q-matrix or the generator matrix of the chain). This is termed the Kolmogorov forward equation, which is one part of the Kolmogorov differential equations. The Kolmogorov forward equation can be derived as follows:

$P[X(s + ds) = j] = \sum_{k} P[X(s + ds) = j \mid X(s) = k]\, P[X(s) = k]$

$= \sum_{k \ne i} P[X(s) = k] \cdot q_{ki}\, ds + \Big(1 - \sum_{k \ne i} q_{ki}\Big) P[X(s) = j]$

If $q_{kk} = -\sum_{i} q_{ki}$ then:

$\frac{d}{ds} P[X(s) = k] = \sum_{k} P[X(s) = k] \cdot q_{ki}$
The Kolmogorov backward equation (Eq. 5.44) is obtained by inserting $s = dt$ into the previous Chapman–Kolmogorov equation:

To appreciate the difference between the forward and backward equations, there are two different ways of evaluating the linear birth-and-death process (or, in this case, the operable and failed states). It is theoretically possible to solve the Kolmogorov equation, giving the solution:

$P(t) = e^{Qt} = \sum_{n} \frac{t^n Q^n}{n!}$

However, this solution is not very useful because $Q^n$ is difficult to evaluate; a simpler method is the use of matrices, utilising the Q-matrix, or the generator matrix of the chain.
d) The Q-Matrix
The row sums of the Q-matrix are always zero. For example, in the case of a linear birth-and-death process, the rate of transitions from x to x + 1 is the birth rate $x\beta$ and, from x to x − 1, the death rate $x\delta$. Therefore, with all other entries in the Q-matrix being zero:

$q_{x,x-1} = x\delta, \quad q_{x,x+1} = x\beta, \quad q_{x,x} = -(\beta + \delta)\,x$

Thus, the Q-matrix is represented in tabular form as:

Table 5.11 Values of the Q-matrix
The time until the next event, starting in x, has an exponential distribution with rate $\lambda_x = -q_{x,x}$, after which it changes state according to the transition matrix R. For calculating state change probabilities, the expected time to change to a particular state, especially the expected time to the first state change, is $1/\lambda_x$. State change problems such as ‘find $h_x(t)$, the probability that X changes to state 0 before time t, starting from state x’ can be treated in the following manner:

$h_x(t) = \int_{0}^{t} \lambda_x e^{-\lambda_x u} \Big[ \frac{q_{x0}}{\lambda_x} + \sum_{y \ne 0,x} \frac{q_{xy}}{\lambda_x}\, h_y(t - u) \Big] du$

Substituting $v = t - u$:

$h_x(t) = \int_{0}^{t} e^{-\lambda_x v} \Big[ q_{x0} + \sum_{y \ne 0,x} q_{xy}\, h_y(v) \Big] dv \Big/ e^{-\lambda_x u}$

Differentiating, and setting $\lambda_x = -q_{x,x}$, the expressions obtained are easier to solve in specific cases:

$h'(t) = Q\,h(t), \quad h_0(t) = 1, \quad h_x(0) = 0 \text{ for } x \ne 0$
Returning to the Markov chain model, the Kolmogorov differential equations are

$\frac{d}{dt} P_{00}(0, t) = -P_{00}(0, t) \cdot h(t)$ (5.45)

$\frac{d}{dt} P_{0i}(0, t) = P_{00}(0, t) \cdot h(t)$

$i = 1, 2, 3, \ldots, k$

These may be solved to yield the following relationships

$P_{00}(0, t) = \exp\Big[ -\int_{(0,t)} h(x)\, dx \Big]$

$P_{0i}(0, t) = \exp\Big[ -\int_{(0,t)} h_i(x) \cdot P_{00}(0, x)\, dx \Big]$

where the survival function of the useful life expectancy is expressed as

The hazard rate, represented by the intensity function, is expressed as

$h(t) = \sum_{i=1}^{k} h_i(t)$

The expected useful life is expressed as

$\mu = \int_{0}^{\infty}$

The joint probability of the random failure occurrence (useful life expectancy), together with the hazard rate, is expressed as

$P_{0i}(0, z) = \int_{0}^{z} F(x) \cdot h_i(x)\, dx$

The probability of failure resulting from critical risk C is expressed as

$\Pi_i = P_{0i}(0, \infty)$

$P_{0i}(0, \infty) = \int_{0}^{\infty} F(x) \cdot h_i(x)\, dx$
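As an added worked example (constructed here, not the book’s own code) covering the Q-matrix of Sect. d) and the critical-risk chain of Sect. b) with its failure probabilities above: the chain with one operable state 0 and k absorbing failure states is written as a generator matrix, $P(t)$ is evaluated by the series $e^{Qt}$ from Sect. c), and the result is checked against the closed form that holds for constant intensities $h_i$; the intensity values are assumptions.

```python
"""Added worked example (constructed, not the book's code): critical-risk
Markov chain with operable state 0 and k absorbing failure states, built as a
Q-matrix and solved via P(t) = e^{Qt} = sum_n t^n Q^n / n!."""
import math

def critical_risk_q_matrix(h):
    """Generator matrix for constant intensities h = [h_1, ..., h_k].
    Row 0 carries the rates into the absorbing states (as in Eq. 5.37) and
    q_00 = -sum(h) so that the row sums are zero; absorbing rows are all zero."""
    k = len(h)
    q = [[0.0] * (k + 1) for _ in range(k + 1)]
    q[0][0] = -sum(h)
    for i, h_i in enumerate(h, start=1):
        q[0][i] = h_i
    return q

def row_sums(q):
    """Sanity check from Sect. d): every row of a Q-matrix sums to zero."""
    return [sum(row) for row in q]

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][m] * b[m][j] for m in range(n)) for j in range(n)]
            for i in range(n)]

def matrix_exponential(q, t, terms=60):
    """P(t) = e^{Qt} summed term by term; 60 terms suffice for the small |Q| t
    used here (an assumption that the closed-form check confirms)."""
    n = len(q)
    power = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    p = [row[:] for row in power]                  # starts at Q^0 = I = P(0)
    for m in range(1, terms):
        power = matmul(power, q)                   # Q^m
        coeff = t ** m / math.factorial(m)
        for i in range(n):
            for j in range(n):
                p[i][j] += coeff * power[i][j]
    return p

def closed_form(h, t):
    """For constant intensities the differential equations integrate to
    P_00(0,t) = exp(-h t) and P_0i(0,t) = (h_i / h)(1 - exp(-h t)), h = sum h_i."""
    total = sum(h)
    p00 = math.exp(-total * t)
    return p00, [h_i / total * (1.0 - p00) for h_i in h]

def failure_probabilities(h):
    """Pi_i = P_0i(0, infinity): the probability that failure is caused by
    critical risk i; the expected useful life mu is then 1 / sum(h)."""
    total = sum(h)
    return [h_i / total for h_i in h]

if __name__ == "__main__":
    H = [0.10, 0.05, 0.15]                         # constructed intensities per hour
    P = matrix_exponential(critical_risk_q_matrix(H), 2.0)
    print("P(2) row 0:", [round(x, 6) for x in P[0]])
    print("closed form:", closed_form(H, 2.0))
    print("Pi_i:", failure_probabilities(H))
```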