ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

APPENDIX 7 Frequencies and probabilities data for the fault tree

Debray B., Piatyszek E., Cauffet F., Londiche H. Armines, Ecole Nationale Suprieure de Mines de Saint Etienne (France)

-1-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

TABLE OF CONTENTS
1. 2. Introduction.......................................................................................................................... 4 Data sources available .......................................................................................................... 6
2.1 Reliability databases ...........................................................................................................6 2.2 Human reliability data .......................................................................................................16 2.3 Accident databases ..........................................................................................................21 2.4 Other relative distribution of causes...................................................................................28 2.5 Frequency of the critical events.........................................................................................31 2.6 Other absolute frequencies ...............................................................................................32 2.7 Synthesis of the data sources analysis................................................................................41

3. 4. 5. 6.

Some comments inspired by the Assurance Project............................................................. 42 Proposal of a method for evaluating the frequency of the critical event.................................. 45 Conclusion......................................................................................................................... 47 References......................................................................................................................... 49
6.1 ARAMIS Documents.......................................................................................................49 6.2 Other documents..............................................................................................................49

7.

Additional data................................................................................................................... 51
7.1 HSE reference failure frequencies ....................................................................................51 7.2 I-Risk..............................................................................................................................52

-2-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Summary
One of the main step of the ARAMIS methodology for the identification of reference accident scenarios is the calculation of the frequency (per year) of the critical event . It is shown in the main report that the frequency (per year) of the critical event can be estimated in two ways: either by estimating the frequency (probability) of the initiating events in the fault tree, and combining these frequencies (probabilities) with the actions of safety barriers to calculate the critical event frequency, or by choosing a generic frequency for the critical event, issued from published database. This appendix aims to give information to the reader in order to be able to put frequencies in the fault tree part of the bow-tie . Other appendices give information on how to take barriers into consideration in order to calculate the frequency of the critical event. First of all, this document gives an overview of the different data sources available . Chapter 2 gives information and figures about reliability databases, human reliability data, accidents databases and other data. Paragraph 2.7 presents a synthesis of data collected for this report, clearly showing that available data are sparse and scattered in the various levels of the fault tree. Chapter 3 recalls the conclusion of the European project "Assurance", during which it has been shown that the estimation of failure frequencies is a topic in which a great discrepancy exists among experts. Having in mind these limitations, ARAMIS proposes to calculate the frequency of the critical event starting from the frequency (probability) of the initiating events, combining them in a fault tree and taking into account the influence of safety barriers in the calculation. In the previous steps of the analysis (see main report), the generic fault trees have been built for the equipment analysed. Plant specific data should be preferred for the failure frequencies of these trees, if available. If not, chapter 4 and tables in chapter 7 give indications about what kind of figures should be used in what circumstances.

-3-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

1.

Introduction

The aim of this step of the ARAMIS project is to provide the user with the maximum number of elements to evaluate the frequency of the critical events resulting from the fault tree analysis of the plant. Once this frequency is evaluated, it should contribute to the selection of the reference scenarios, the definition of the requirements in terms of safety barriers and safety functions, the assessment of the safety barriers efficiency. The elements that would be needed by the user of the ARAMIS methodology are a method for evaluating the frequency of the critical event and data to apply the method. This document provides an analysis of the available data and their possible use in the framework of the ARAMIS methodology. Along this document different possibilities will be discussed, as they correspond to different trends in the probabilistic approach. For each of them, its applicability within the framework of ARAMIS with the available data will be discussed. Three different approaches have been considered : a. Evaluate specific frequencies from a fault tree and event tree analysis : this corresponds to the most classical approach in the QRA. The frequency of the critical event attempts to take into account all the possible failure of the components and of their barriers. It is used as an input for the downstream evaluation of the consequences and their probabilities (societal risk). b. Provide generic frequencies for the critical events. This approach is used in the Netherlands where the frequency of the critical event is not calculated on the basis of the actual plant configuration but is assumed on the basis of generic figures. In this country, frequencies have been assessed for standard configurations of plants and serve as references in the QRA (Quantitative Risk Assessment). These values implicitly take the presence of safety barriers into account. c. Provide initial data which will serve as reference for the barrier approach. This possibility was discussed in Maastricht (ARAMIS meeting June 2003) as an alternative way to evaluate frequencies (probabilities). It is compatible with the approach developed by INERIS and adapted in the framework of WP3 for the assessment of barrier efficiency. The idea is to decrease an initially high reference frequency (probability) by factors which correspond to the efficiency of the barriers. This initial frequency (probability) would correspond to the frequency of the critical event without any barrier. A first feeling about accident data would be that there are plenty of them and that their use is obvious. Many reference books about risk analysis simply expose the basics of fault tree and event tree analysis and leave aside the problem of finding or producing data to do the quantitative assessment. Some of them however warn the reader with the difficulty of this task.

-4-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

The first part of this report lists and analyses the different categories of data available, which are of four main types : o Reliability databases o Human reliability data o Accident databases o Event frequencies available in the literature The difficulties with the use of these data in the framework of the ARAMIS methodology is discussed. It lays mainly in the fact that the fault trees build in the first ARAMIS work package are not classical fault trees similar to those used for reliability analysis but generic fault trees with a limited number of levels and a large number of minimal cut sets. After a short synthesis of the data source and their applicability, a brief comment is made about the result of the European project ASSURANCE, which brings enlightenment about the relativity of the QRA. This project shows that even with a rather complete description of an industrial site and process, very large deviations can be observed. This is a fortiori true for a generic approach. From these preliminary conclusions, a series of recommendations is given on how the frequencies (probabilities) should be calculated within the framework of the ARAMIS methodology in an actual industrial site. An attempt is then made to provide indicative reference data which can be used as initial references for the barrier approach. To conclude this introduction it seems interesting to quote the following sentence from the HSE risk assessment guide. Base event failure rate data are essential components of risk assessments, but they must be relevant and applicable to site circumstances. Simply taking a number from the literature without consideration of whether it applies to the site in question is unlikely to be acceptable. On the other hand, use of a failure rate that is not consistent with historical or relevant generic industry data must be justified. The origin of all probabilities quoted in a safety report should be given so that, where necessary, Assessors can make a judgement on their appropriateness. (HSE assessment criteria)

-5-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

2.

Data sources available

2.1 Reliability databases

Fault tree analysis is now a well known and used method to evaluate the reliability of equipment and systems. FTA has been recommended as one of the main components of the QRA (Quantitative Risk assessment) analysis. It is designed to provide an evaluation of the overall probability of an accident scenario, knowing the failure rates of the individual components involved in the scenario. In this purpose, reliability databases have been developed by groups of industrial companies. Several of them have been inventoried by the RISO [Akhmetjanov]. The first part of this document makes an extensive use of this inventory. It first analyses the industrial field to which these data apply to eliminate those which are not adapted to the process industry concerned by the SEVESO II directive. The content of the databases is then be discussed to evaluate how it can be used in he context of ARAMIS. The application fields of the databases identified by Risoe are the following : Nuclear industry Military industry Automotive industry Aeronautic industry Process industry Offshore industry Electronic components of technical systems

Among these, the only databases applicable to the process industry are the following : OREDA : Offshore reliability database. [OREDA] GIDEP (only available to companies having a contract with the US government) AIChe/CCPS reliability database

-6-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

The reliability databases provide information about component failures. The main information is the failure rate for different types of failure modes. Usually the failure rate is given as a range with upper, lower and mean value. The distinction is made between failure rates during operation which indicates a number of failure by unit time of functioning and failure on demand, which designates the number of failures per number of solicitation of the component. The components are standard components in the chemical industry. For example the OREDA database contains information about the following components : Machinery o Gas turbines Electric equipment Mechanical equipment o Vessels o Control logic units o Process sensors Sub sea equipment o Well completions o Drilling equipment o Miscellaneous utility systems o Compressors o Pumps o Electric generators o Heat exchangers Control and safety equipment o Fire and gas detectors o Valves o Control systems Other o Electric power systems o

Table 1: list of the components for which data are available in the OREDA Database For each of these components, various sub types are proposed. For examples compressors are divided into : Centrifugal Electric motor driven 100-1000 kW 1000 3000 kW 3000 10000 kW Turbine driven Reciprocating Electric motor driven 1000-3000 kW 3000-10000 k W

-7-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

For each component, various failure modes are proposed with very different failure rates for each. For example, the failure modes envisaged for compressors are given in Table 2. Critical Failed to start High gas flow Other Unknown Degraded Fail while running Low gas flow Other Unknown Incipient External leakage Fail while running Overheated Overhaul Vibration External leakage High gas flow Overheated Overhaul Vibration

Table 2: failure modes for compressors in the OREDA database Detailed are also given in OREDA handbook of the repartition of the failures among the different components constituting the equipment. The following table is an example of an OREDA table.

-8-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Figure 1: example of OREDA data

-9-

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Figure 2: Example of CCPS reliability data Other databases are build by industrial groups. For example the French UIC (union of the chemical industries) has been developing a database for 20 years by collecting incident data from chemical plants of the Rhne-Alpes region.

- 10 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

The following tables are examples of the data that can be obtained from this database.
First step of database development Year of introduction in the database 1988 1988 1988 1988 1988 1988 1988 1988 1988 1988 1988 1988 1988 1988 Second step of database development Year of introduction in the database 1999

EQUIPMENTS

Number of equipment

Number of equipment

Stirrers Analysers Sensors Regulators Compressors Heat exchangers Spinning Dryer Electric motors Pumps Regulation valves Transformers Inverters Reducer multiplier Safety valves Automated systems

2 550 8 14 107 7 470 78 640 129 5 572 1 720 13 374 76 8 1 247 460

1 863

2002

24 944

2002

86

1996

5 276

2002

209

2003 2002

4 691 333

Table 3: components inventoried in the UIC Database

- 11 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Table 4 provides an example of data collected for pumps. Failure rate of different types of pumps with 80% confidence interval (failure/hour).
Number de Number pumps failures Centrifugal Horizontal centrifugal Vertical centrifugal Vacuum Multicell Volumetric Volumetric with piston Volumetric with gears Volumetric with membrane Vacuum extraction Complete set : all pumps 3186 2398 219 373 362 796 246 135 366 175 5276 1390 1113 78 177 98 496 101 56 254 43 2328 of inferior borne 1,25.10-4 1,39.10-4 9,44.10-5 1,11.10-4 6,35.10-5 1,90.10-4 1,40.10-4 1,03.10-4 2,39.10-4 6,53.10-5 1,24.10-4 Middle 1,30.10-4 1,45.10-4 1,10.10-4 1,23.10-4 7,27.10-5 2,02.10-4 1,60.10-4 1,23.10-4 2,59.10-4 8,06.10-5 1,27.10-4 Superior borne 1,34.10-4 1,50.10-4 1,28.10-4 1,36.10-4 8,30.10-5 2,14.10-4 1,83.10-4 1,47.10-4 2,81.10-4 9,88.10-5 1,30.10-4

Table 4: example of failure rates for pumps in the UIC database

A correction factor has been introduced to take the environment, failure mode and conditions of use into account. For each component, the correction factor to be used in an environment e is calculated as follows.

Ce =

e global

where e is the failure rate measured in the environment e and global, the failure rate given by the database. The overall failure rate is then the product of the initial failure rate by the series of correction factors.

- 12 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

The following expression is an example of the calculation of the failure rate for a pump :

k = 1,445.10-4 1,283 0,962 1,146 0,713 1,551 1,249 0,337

Failure rate in the database

Chemical Rotation speed

Etancheity

Material Functioning Start up

Failure mode

k = 0,951.10-4 failure / hour Correction factors function of the environment of the pump with 68% confidence interval.
Number of pumps Product Water Chemical Corrosive Loaded Hot Viscous Rotation speed from 0 to 1100 rev/min from 1100 rev/min from 1800 rev/min > 3500 rev/min Water tightness Braids G.M.S. G.M.D. Immerged pump Magnetic stirring to 1800 398 2613 1785 580 382 127 261 1682 Number of failures 135 823 441 195 154 39 182 664 Inferior borne 0,75 0,84 0,51 0,69 0,84 0,40 1,77 0,63

Middle 1,06 1,28 0,89 1,27 1,14 1,21 2,96 0,85

Superior borne 1,36 1,73 1,26 1,84 1,45 2,02 4,16 1,06

to

3500

2189 7 1084 2150 495 163 40

982 21 406 732 217 50 20

0,68 1,88 1,01 0,72 1,07 0,48 1,18

0,96 11,27 1,05 0,74 1,15 0,57 1,42

1,25 20,66 1,09 0,75 1,22 0,67 1,66

- 13 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Material Cast iron Stainless steel Teflon PVDF Ceramic Graphite Type of functioning Continuous > 5000 h/y 500 < Discontinuous 2006 < 5000 h/y Occasional < 500 h/an Frequency starting of < 1 / week > 1 / week 173 1863 2151 89 1161 742 4,84 0,38 0,83 12,23 0,70 1,25 662 0,95 1,55 993 1942 57 109 10 80 2215 553 716 24 47 24 57 1324 0,61 0,45 0,49 1,09 7,85 0,32 0,53 1,58 0,71 1,49 2,43 17,07 2,02 0,74

July 2004

2,55 0,98 2,48 3,77 26,30 3,73 0,95 2,15

19,61 1,01 1,67

Table 5: examples of correction factors in the UIC database

95 % lower bound Tightness Mechanical part Coupling part 0,146 0,099 0,001

Average 0,338 0,281 0,086

95 % upper bound 0,529 0,463 0,170

Table 6: examples of correction factors according to the failure mode This example shows that failure rates are highly dependent on the environment, on the conditions of use and on the failure mode.

- 14 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

The same approach is presented in the CCPS guidelines [CCPS], inspired by the methods recommended by du Pont in their Process Safety Management Reference Manual.
Adjustment factors Equipment failure rate influences Process medium factors Corrosion Erosion Fouling, plugging Pulsating flow Temperature extremes External environmental factors Vibration Corrosive atmosphere Dirty atmosphere High temperature and/or humidity Location factors Exposed mechanical damage Inaccessible for inspection 1.07 1.07 1.07 1.07 1.42 1.21 1.07 1.07 1.21 1.21 1.07 1.07 1.07 1.14 1.07 1.14 1.07 1.14 1.28 1.14 1.07 1.07 Instruments Valves

Table 7: Generic failure rate data adjustment factors in the Du Ponts Process Safety Management Reference Manual

Using data from reliability databases to assess the frequency of critical events: The use of reliability databases will now be discussed with respect to the objectives defined in the introduction. a. Evaluate specific frequencies from a fault tree and event tree analysis . Even if reliability databases are often used for maintenance purposes, their use for evaluating the specific frequency of critical events is widespread. It would therefore seem obvious that they can be used to assess the frequencies of critical events during an ARAMIS analysis. It is unfortunately not so simple. The fault trees build during WP1A of ARAMIS are generic fault trees. As such they present several characteristics which make them difficult to use with reliability databases : They are limited in depth to five levels (even four, as the first one is the critical event), which has the consequence that the failure of plant components often does not explicitly appear in the tree.

- 15 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

When it does, the precise type of component involved is not given, which makes impossible the selection of a failure rate in the database. In the same way, the failure mode is not given, which again has an enormous importance on the definition of the failure rate. Especially, the distinction is not made between failure in use and failure on demand. The number of components involved is not provided. Depending on the type of components and the failure mode, the number of components can have diverse influence on the overall failure rate. The duplication of one component can be considered as a way to reduce the failure rate by introducing a redundancy if only one component is necessary (and provided that the configuration of the equipment really permits the second component to relieve the first one in case of failure) or it can be considered as an increase of the probability of failure if two components are necessary. The failure rate would be doubled in such a configuration. This is particularly true for pipes, for which the probability of failure is directly linked to the length of the pipe.

For all these reasons it is not possible to use directly the reliability databases with the generic fault trees to calculate the frequency of the critical event. Yet, this would be possible if the fault trees were used as a base for the definition of scenarios and the elaboration of specific and detailed fault trees. In such a case, it would be possible to make the specific components appear with their dread failure mode and environmental information. b. Provide generic frequency for the critical events . The reliability databases do not contain critical events frequencies but rather frequencies of component failure. To calculate a generic frequency for the critical event using reliability database it would be necessary to use the generic fault trees with the reliability data. This has been discussed above, and is not possible. c. Provide initial data which will serve as reference for the barrier approach. Here again, the configuration of the generic fault trees makes difficult using the reliability data to calculate an initial value corresponding to the frequency of the critical event without safety barriers. Yet, assumptions could be made to obtain a rough estimate of the upper bound of the critical event frequencies as will be proposed in the last section of this document.

2.2 Human reliability data

Data tells us that human failures contribute up to 80% of industrial accidents. Even in oil refineries, which are highly capitalised and automated, the figure is 50%. (HSE safety report assessment guidelines) Human error is a root cause for all the direct causes identified at the origin of the critical events. Therefore, an evaluation of the critical event frequency should use an evaluation of human error frequency (probability). The following paragraphs examine the possibility of using human reliability analysis to assess the overall frequency of the critical events.

- 16 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

HR (human reliability) is influenced by many factors among which the design of man-machine interface, the environment, the management, the pace of activity. In fact, human reliability analysis distinguishes different situations in which the human action is required and subject to errors. A parallel can be made with equipment failure for which the failure mode is of extreme importance to determine the failure rate. The following tables provides examples of common human error failure rates (on demand).
Failure event HEP (Human probability) 0.003 0.05 0.001 0.003 0.003 0.01 0.001 0.003 0.006 Plant Specific 0.003 0.001 0.0005 0.0005 0.05 0.005 0.001 0.005 0.1 0.01 0.001 error

Omitting step in procedure Fail to use test or calibration procedure Omission in procedure, with checkoff, <10 items Omission in procedure, with checkoff, >10 items Omission in procedure, without checkoff, <10 items Omission in procedure, without checkoff, >10 items Commission in reading digital meter Commission in reading analogue meter Commission in reading chat recorder Inadvertent operation of manual control Select wrong controls, controls labelled only Select wrong controls, controls in functional grouping Select wrong controls, mimic Turn 2 position, control wrong way Turn 2 position, population stereotype violated Select wrong circuit breaker, densely packed labels Select wrong local valve, similar items clear labels Select wrong local valve, similar items unclear labels Checker fails to find error, routine with procedure Checker fails to find error, routine, special activity Checker fails to find error, routine, safety import

Table 8: Examples of HEP (human error probabilities) [Fragola]

- 17 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Other authors provide data for human error probabilities which are more generic and, therefore, more easy to use in the framework of ARAMIS. However, some though has to be made about the meaning of these data and their use.
Type of Activity Critical Routine Task (tank isolation) Non-Critical Routine Task (misreading temperature data) Non Routine Operations (start up, maintenance) Check List Inspection Walk Around Inspection High Stress Operations; Responding after major accident - first five minutes - after five minutes - after thirty minutes - after several hours 1 0.9 0.1 0.01 Probability of Error per Task 0.001 0.003 0.01 0.1 0.5

Table 9: Human Error Rates (Source: US Atomic Energy Commission Reactor Safety Study, 1975)

- 18 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Type of Activity Simplest Possible Task Overfill Bath Fail to isolate supply (electrical work) Fail to notice major cross roads Routine Simple Task Read checklist or digital display wrongly Set switch (multiposition) wrongly Routine Task with Care Needed Fail to reset valve after some related task Dial 10 digits wrongly Complicated Non-routine Task Fail to recognise incorrect status in roving inspection Fail to notice wrong position on valves 0.1 0.5 0.01 0.06 0.001 0.001 0.00001 0.0001 0.0005

July 2004

Probability of Error per Task

Table 10: Human Error Rates (Source: Smith DJ 1993) Practically, the failure rate depends a lot on the type of activity performed by the operator and on the time available to do it. The following figures illustrates this dependency. The more time is available to the operator to perform a given task the lower is the probability of error.

- 19 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Figure 3: TRCs (time reliability curves) based on Human response Time Regime (Dougherty and Fragola cited in [Fragola])

Figure 4: Human error probability of diagnosis of one abnormal event by control room personnel (after Swain and Guttmann, 1983) reproduced in [Lees]

- 20 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Here again, it seems obvious that the generic nature of the fault trees prevents from using directly the human reliability data to evaluate the frequency of the critical event. Most of the time, the human failure modes are not specified, the number of tasks is not known. The latest is a problem because the human failure rates concern mostly failures on demand. The global failure rate to be applied is therefore the product of the failure rate by the number of tasks. Any way, if human reliability data cannot be used directly in the generic fault trees to evaluate the frequencies of critical events, they can be used as references to produce basic frequencies which will be reduced by the application of prevention barriers.

2.3 Accident databases

The accident databases provide general and detailed information about past accidents in various types of industries and transport activities. These databases are build from the accident declarations by plant operators. The database structure varies from one database to another. Some databases have very detailed fields (MARS), others only provide textual descriptions of accidents (ARIA). The number of accidents accessible also varies a lot as well as the scope and reference territory. For all these reasons, the results obtained by analysing the databases have to be taken cautiously. An extensive analysis of MARS, HADES and MHIDAS has been made by FPMs, JRC and UPC [Delvosalle MOOA]. The aim of the present document is not to reproduce the results obtained by this analysis but rather to discuss their applicability in the objective of producing probability figures which could be used to evaluate the risk in a process plant. The analysis of accident databases provides information about the relative distribution of causes.
30 27.66 26.95 25

20 Frequency (%)

15

14.18

10

8.51 7.09 4.96

4.26 2.84 2.13 0.71 0.71 0.00 0.00 0 . 0 0 0.00

0
Eq uip m en t fa Ins uff ilur icie e M nt a co n a nta ge inm m Op en era ent ts tor pe e cifi rro ca r tion Un kn ow n Co Ov nta er pr inm es en su ts re pe H cif igh C ica T orr tio em osio n p no era n t m tu et re Lo w Te mp era tur e Im pa ct Un E de ros W rpr ion ron es g e Ex su qu ter re ipm na en l loa t/lo din ca g tion

Figure 5: Causes distribution in MARS (141 accidents) [Delvosalle MOOA]

- 21 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

35,00 31,23 30,00 25,00 20,46 16,59 20,00 11,95 15,00 10,00 3,67 2,95 2,91 1,61 5,00 0,00

Figure 6: distribution of causes in MHIDAS [Delvosalle MOOA]

25,00 23,68 20,00 Frequency 15,00 10,00 5,00 0,00

Eq uip m en t fa ilu Op re era tor err or Un de Do fin m ino ed eff Ov ects erp res su M re an ag em en t Ex Co ter r na ro sio la gg n re ss ion

M ec ha nic al Hu failu m re Ex an ter fac na to Vi l ev r ole e Up nt nts re se ac tp I ro mpa tion ce ss ct fa il c Ins ond ure tru itio m ns en Se t fail rvi ure ce fai lur e
19,08 18,42 11,84 9,87 8,55 4,61 3,95

Figure 7 : Repartition of causes in HADES [Delvosalle MOOA] A first analysis of these data shows that, even if they bring some information about the most observed accidents, they remain difficult to exploit to derive failure probabilities.

Differences can be observed between the databases in terms of cause classification, and values of the relative distribution. The types of cause are different from one base to another and are different - 22 -

Frequency

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

from the causes retained in the ARAMIS fault trees. The category equipment failure contains events which could be attributed to other categories of causes if a deeper analysis was made. Table 11 provides a rough analysis of the IChemE Accident database [IchmE]. Among the causes identified in this database, many can be found in the ARAMIS fault trees. Others were not identified. This shows that ARAMIS fault trees should not be considered as exhaustive but rather as a base for an initial risk analysis, which should be completed according to the local context.
number of accidents chemical causes additional chemical present accidental mixing contamination cleaning inadequate solids deposition oxygen enrichment residue channelling in catalyst bed chemical missing lack of stabiliser/inhibitor low level of catalyst chemicals added incorrectly incorrect chemical present incorrect chemical concentration incorrect material of construction unwanted chemical reaction auto ignition decomposition auto decomposition polymerisation runaway reaction spontaneous combustion thermic reaction uncontrolled reaction equipment causes control failure computer failure electrical equipment failure arcing flashover generator failure lack of earthling Short circuit Spark Equipment missing incorrect equipment installed instrumentation failure material of construction failure brittle fracture 38 18 4 2 0 3 3 24 4 36 57 10 38 75 37 8 10 0,71 0,33 0,07 0,04 0,00 0,06 0,06 0,45 0,07 0,67 1,06 0,19 0,71 1,39 0,69 0,15 0,19 %

39

0,73

9 32 8 1 33 50 232 5 37 99 22

0,17 0,59 0,15 0,02 0,61 0,93 4,31 0,09 0,69 1,84 0,41

- 23 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree number of accidents corrosion crack creep embrittlement erosion fracture hydrogen embrittlement metal fatigue rusting Stress stress corrosion cracking weld failure mechanical equipment failure agitation failure bearing failure blower failure bolt failure bolts incorrectly tightened connector failure cooling tower collapse dam failure elbow failure equipment misalignment expansion joint failure flange failure flexible coupling failure floating roof failure gasket failure gauge glass failure hose failure joint failure lining failure pipeline failure pump failure refractory failure seal failure shaft failure tank failure tube failure valve failure vessel failure safety equipment failure alarm failure bursting disk failure bursting disk fails prematurely safety relief valve failure 295 100 12 10 8 61 2 19 9 27 9 86 5 38 1 9 5 1 1 0 4 3 18 5 9 43 9 45 29 4 75 47 3 62 1 28 63 156 9 14 1 9 % 5,48 1,86 0,22 0,19 0,15 1,13 0,04 0,35 0,17 0,50 0,17 1,60 0,09 0,71 0,02 0,17 0,09 0,02 0,02 0,00 0,07 0,06 0,33 0,09 0,17 0,80 0,17 0,84 0,54 0,07 1,39 0,87 0,06 1,15 0,02 0,52 1,17 2,90 0,17 0,26 0,02 0,17

July 2004

- 24 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree number of accidents external causes deliberate acts arson bomb civil war missile sabotage terrorism vandalism excessive vibration fire/explosion lagging fire friction heat hot surface mechanical spark natural disaster avalanche earth movement earth tremor earthquake excavation damage landslide settlement subsidence weather effects cold weather flood fog lightning rain storm damage strong winds hurricane typhoon sunlight thermal expansion hot weather human causes Additional incorrect operation Cigarette Contractor error design fault design or procedure error cleaning procedure incorrect design inadequate faulty instructions %

July 2004

8 3 1 1 76 31 16 55 22 11 155 15 1 2 20 52 3 2 6 54 17 25 140 16

0,15 0,06 0,02 0,02 1,41 0,58 0,30 1,02 0,41 0,20 2,88 0,28 0,02 0,04 0,37 0,97 0,06 0,04 0,11 1,00 0,32 0,46 2,60 0,30

46 0 4 6 3 31 44 14 11 202 12

0,86 0,07 0,11 0,06 0,58 0,82 0,26 0,20 3,76 0,22

- 25 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree number of accidents inadequate guarding maintenance procedure error safety procedure inadequate standards inadequate Document errors drug misuse operation inadequate competency lacking draining of line insufficient identification inadequate inspection inadequate installation inadequate isolation inadequate labelling incorrect maintenance inadequate pipe laying inadequate testing inadequate operation omitted atmosphere not tested operator error operator/crew fatigue shift change management system inadequate Manning levels inadequate modification procedures inadequate permit to work system inadequate training inadequate Process causes Backflow exothermic reaction thermal instability flameout Friction spark frothing incorrect flow rate flow rate too high high loading rate Inadequate venting flow rate too low flow restriction vent blocked no flow incorrect pressure high pressure hydraulic pressure internal explosion 13 28 286 5 5 1 16 7 10 68 35 51 34 59 1 33 8 256 1 5 1 22 29 27 24 5 10 0 1 % 0,24 0,52 5,32 0,09 0,09 0,02 0,30 0,13 0,19 1,26 0,65 0,95 0,63 1,10 0,02 0,61 0,15 4,76 0,02 0,09 0,02 0,41 0,54 0,50 0,45 0,09 0,19 0,00 0,02

July 2004

2 4

0,04 0,07

9 12

0,17 0,22

6 3

0,11 0,06

- 26 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree number of accidents overpressurisation pressure surge pump dead heated water hammer low pressure implosion vacuum incorrect Temperature high temperature overheating thermal degradation low temperature cold brittleness freezing inadequate insulation leak air leaking into system flange leak gasket leak joint leak Offloading Overflow tank overflow Overspeed reverse flow rollover static under filling of vessel water slug unidentified cause utility failure air system failure fuel supply failure hydraulic failure inert gas failure lubrication failure power supply failure steam failure 192 16 3 12 7 23 % 3,57 0,30 0,06 0,22 0,13 0,43

July 2004

188 5 1 11 2 2 47 1 6 20 2 5 20 1 192 1 2 77 10 1 1 2 6 70 3

3,50 0,09 0,02 0,20 0,04 0,04 0,87 0,02 0,11 0,37 0,04 0,09 0,37 0,02 3,57 0,02 0,04 1,43 0,19 0,02 0,02 0,04 0,11 1,30 0,06

Table 11: relative distribution of causes in the IchemE accident database (all types of activities excluding transportation). This relative frequency is only aimed at illustrating the diversity of causes.

- 27 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

2.4 Other relative distribution of causes

Apart from accident databases, different bibliographical sources provide tables with relative repartition of causes. The most interesting are those which cross the immediate cause, such as erosion or corrosion, with the root cause, human error, poor management, In the framework of ARAMIS, the immediate causes could correspond to the direct causes and the root causes correspond to the undesirable events. An interesting complement to this classification was brought by a contract research report by the HSE executive [Bellamy], which proposes a three entry classification of accident causes : direct cause, origin of failure and recovery failure. The following figure exposes the principle of such a classification applied to pipework failures. What is interesting in this approach is that it implicitly states that the recovery failure is part of the global failure scenario. This should be compared with the barrier approach introduced in ARAMIS.

Figure 8: Structure of classification scheme showing direct cause, origin of failure and recovery failure. Bellamy et al, 1989

- 28 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree N of incidents to which cause contributed Defective pipe or equipment 303 (unknown cause) Operator error Overpressure Corrosion Unknown Impact 190 129 92 84 49

July 2004

Total contribution

% contribution % contribution (excluding (overall) (n=921) unknowns) (n=543.5) 31.9 18.2 12.1 9.3 9.1 4.8 4 3.8 3 1.5 1.5 0.8 100 30.9 20.5 15.6 8.1 6.7 6.4 5 2.5 2.5 1.3 100

293.5 167.83 111.83 85.5 84 43.83 36.83 34.83 27.5 14 14 7.33 921

Wrong in-line equipment or 44 location Temperature (high or low) External loading Vibration Other Erosion Total 44 35 16 17 11 1014

Table 12: Breakdown of level 1 direct causes of incidents [Bellamy]

- 29 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree % A. Incident modes Unknown exothermic decomposition Incorrect charging Inadequate cooling Excessive heating Incorrect agitation Inadequate batch control Undesired catalyst Exothermic from impurity B. Incorrect charging Excess of reactant Deficiency of reactant Too fast addition of reactant Modification of reactant Incorrect order of reactant addition C. Inadequate cooling Coolant source/power failure Coolant pump set failure Coolant turned off Automatic control failure Condenser fault D. Excessive heating Initial overheating Heating / cooling changeover fault Undesired heating Automatic control failure Manual control failure E. Incorrect batch control Initial temperature too low Initial temperature too high 11.1 0 15.8 15.8 10.5 10.5 10.5 0 3.8 11.5 11.5 11.5 29.4 26.5 23.5 11.8 5.9 15.1 17.2 13.1 9.6 10.1 9.1 2.5 10.6

July 2004

Too fast addition of reactant relative to the temperature 22.2 Incorrect cycle Excessive holding 16.6 22.2

Table 13: analysis of reactor overpressure [Lees] (Table 11.11)

- 30 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Causes of service failure by corrosion Cavitation Cold wall Cracking, corrosion fatigue Cracking, stress corrosion Crevice Demetallification End grain Erosion-Corrosion Fretting Galvanic General Graphitization High temperature Hot wall Hydrogen blistering Hydrogen embrittlement Hydrogen grooving Intergranular Pitting Weld corrosion % 0.3 0.4 1.5 13.1 0.9 0.6 0.4 3.8 0.3 0.4 15.2 0.1 1.3 0.1 0.1 0.4 0.3 5.6 7.9 2.5 Causes of service failure by mechanical failure Abrasion, erosion or wear Blisters, plating Brinelling Brittle fracture Cracking, heat treatment Cracking, liquid metal pen Cracking, plating Cracking, thermal Cracking, weld Creep or stress rupture Defective material Embrittlement, sigma Embrittlement, strain age Fatigue Galling Impact Leaking through defects Overheating Overload Poor welds Warpage Sub-total 55.2 Sub-Total 5.4 0.1 0.1 1.2 1.9 0.1 0.6 3.1 0.6 1.9 1.6 0.3 0.4 14.8 0.1 0.1 0.4 1.9 5.4 4.4 0.4 44,8

July 2004

Table 14: Causes of service failure in metal equipment and piping in chemical plants (Collins and Monack, 1973) [Lees] (Table 12.26)

These relative distribution tables bring useful information about the most frequent causes, but, again, cannot be used directly to evaluate absolute frequencies. Yet, if the absolute frequency of one event is known, they can be used to derive the order of magnitude of other causes in the same family. This will be used in the last section of the present document to produce the initial data to be used for the barrier approach.

2.5 Frequency of the critical events

Diverse bibliographical sources provide generic frequencies for the critical events. Most of these are issued from countries where QRA serves as a decision support for land use planning. An analysis of these data sources is more deeply presented in appendix 10.

- 31 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

2.6 Other absolute frequencies

Lees and other authors propose a series of data from a large literature review. However, many of these data are relatively old. Most of them are from the seventies. A large proportion is issued from the nuclear industry and can therefore not be applied to the process industry. Many of these data are reliability data concerning different types of equipment used in the process industry. Others are frequencies of events such as pipe leaks or causes such as overfilling. Such data always apply to a particular industrial activity and are the result of a limited data collection process, or, often an expert judgement, which makes difficult their extrapolation to other activities. When secondary failures are considered, the data always apply to plants where the safety standards of the time were applied, which makes difficult their use as reference data in a no barrier context as required by the MIMAH methodology. The following four tables (Table 15 to Table 18) provide useful reliability data, some of which can be used directly in the generic fault trees. Critical event frequencies are shown to allow the reader to compare his own calculations and some published data.

Failure rate (failure/106 h) Electric motor Transformer (<15kV) (132-400 kV) Circuit breakers (general <33kV) (400kV) Pressure vessels (general) (high standard) Pipes Pipe joints Ducts Gaskets Bellows Diaphragm (metal) (rubber) Unions and junctions Hoses (heavily stressed) (Lightly stressed) Ball bearings (heavy duty) (Light duty) Roller bearings Sleeve bearings Shafts (heavily stressed) (lightly stressed) 10 0.6 7 2 10 3 0.3 0.2 0.5 1 0.5 5 5 8 0.4 40 4 20 10 5 5 0.2 0.02

- 32 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Failure rate (failure/106 h) Relief valves : leakage Blockage Hand-operated valves Control valves Ball valves Solenoid valves Rotating seals Sliding seals oring seals Couplings Belt drives Spur gears Helical gears Friction clutches Magnetic clutches Fixed orifice Variable orifices Nozzle and flapper assemblies : blockage Breakage Filters : blockage Leakage Rack-and-pinion assemblies Knife-edge fulcrum : wear Springs (heavily stressed) (lightly stressed) Hair springs Calibration springs : creep Breakage Vibration mounts Mechanical joints Grub screws Pins Pivots Nuts Bolts Boilers (all types) Boiler feed pump Cranes 2 0.5 15 30 0.5 30 7 3 0.2 5 40 10 1 3 6 1 5 6 0.2 1 1 2 10 1 0.2 1 2 0.2 9 0.2 0.5 15 1 0.02 0.02 1.1 1012.5 7.8

July 2004

- 33 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Table 15: Some data on equipment failure rates published by the UKAEA 1972 from nuclear and non nuclear industry [LEES] (Table A14.2)

Equipment Compressor Centrifugal turbine driven Reciprocating, turbine driven Electric motor driven Diesel generator Electricity supply Gaskets Heat exchanger Pipe joint Pumps Centrifugal Boiler Fire Fuel Oil lubrication Vacuum 10 100 100 6 10 20 30 150 500 100 125 110 0.02 1 0.5

Failure rate (failures/106h)

300 4000

1 40

30 500

80

50 30 100

Turbine, steam Valves Ball Butterfly Gate Relief Non return Slam shut Solenoid

80

1 1 1.5 4 2 10 1.5

3.5 20 15 9 5 30 10 30 30

Valve actuator Fail open Spurious close 0.1 5 4 40

Table 16: [Lees] Table A14.4 D.J.Smith 1985

Instrument Control valve Power cylinder Valve positioner Solenoid valve Failure (fault/year) 0.6 0.78 0.44 0.42

- 34 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Failure (fault/year) 0.49 1.41 1.14 1.73 1.01 0.34 2.18

July 2004

Instrument Current/pressure transducer Pressure measurement Flow measurement(fluids) Differential pressure transducer Transmitting variable area flowmeter Indicating variable area flowmeter Magnetic flowmeter Flow measurement (solids) Load cell Belt speed measurement and control Level measurement (liquids) Differential pressure transducer Float type level transducer Capacitance type level transducer Electrical conductivity probes Level measurement (solids) Temperature measurement (excluding pyrometers) Thermocouple Resistance thermometer Mercury-in-steel thermometer Vapour pressure bulb Temperature transducer Radiation pyrometer Optical pyrometer Controller Pressure switch Flow switch Speed switch Monitor switch Flame failure detector Millivolt-current transducer Analyser PH meter Gas-liquid chromatograph O2 analyser CO2 analyser H2 analyser H2O analyser (in gases)

3.75 15.3 1.70 1.71 1.64 0.22 2.36 6.86 0.35 0.52 0.41 0.027 0.37 0.88 2.17 9.70 0.29 0.34 1.12

1.69 1.67 8.49 5.88 30.6 5.65 10.5 0.99 8

- 35 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Failure (fault/year) 1.4 16.7 14.2 10.9 0.77 0.14

July 2004

Instrument Infrared liquid analyser Electrical conductivity meter (for liquids) Electrical conductivity meter (for water in solid) Water hardness meter Impulse lines Controller settings

Table 17: Example of instrument failure rates from three chemical works (1971) [Lees] p13/20 table 13.6 (extract)

Instrument Instrument in contact with process fluid Pressure measurement Level measurement Flow measurement Flame failure device Instrument not in contact with process fluids Valve positioner Solenoid valve Current-pressure transducer controller Pressure switch Control valve Temperature measurement

Failure rate (faults/year) 1.15 0.97 1.55 1.09 1.37 0.31 0.41 0.30 0.54 0.26 0.30 0.57 0.29

Table 18: effect of environment on instrument reliability: instrument in contact with or not in contact with process fluids. [Lees] table 13.7 The following two tables (Table 19 and Table 20) are interesting as they illustrate the importance of the working conditions of the equipment. They concern process pressure vessel failure rates for different types of industries. As can be seen, the frequencies can vary greatly with the type of vessel, the type of process and the type of chemical environment. It is interesting to compare these values with those given for the critical events (appendix 10). Frequencies in Table 19 and Table 20 are several (two or three) orders of magnitude higher, which shows the difficulty of choosing the appropriate data for risk assessment.

- 36 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Number of failures Vessel-years 5535 2220 5950 447 809 1941 15 4 10 181 6 3 2.7 x10-3 1.8x10-3 1.7 x 10-3 405 x 10-3 7.4x10-3 1.5x10-3

July 2004

Vessel

Sample size Vessels

Failure rate (failures/year)

Process pressure vessel Pressure storage vessel Heat exchanger Fired heaters

415 129 446 36

High temperature vessel, 58 except fired heater Low temperature vessel 147

Table 19: Arulanantham and Lees 1981 (olefins plants, data gathered between 1960 and 1981) [Lees] p. 12/97

Vessel

Sample size Vessels Vessel-years 1572 192 540 588

Number of failures

Failure rate (failure/year) 26x10-3 36x10-3 39x10-3 20x10-3

Process pressure vessel

131

15 7 21 12

High temperature vessels, 16 except fired heater Vessel in corrosive duty 45

Vessel subject to stress 49 corrosion

Table 20: same study: toxic plants [Lees] p.12/97

The following series of data concerns pipeworks failure. They perfectly well illustrate this sentence by Lees: [Lees] p.12/98: There is a considerable amount of data available on pipework failures, but the range of values quoted tends to be confusing. They also illustrate the necessity of knowing the precise configuration of the plant, as most of these data are given in number of failures per meter and vary a lot with the diameter of the pipes.

Frequency of guillotine rupture Frequency of lesser failure Frequency of gasket failure Gasket 0.6 mm thick Gaskets 3 mm thick These data include valve leaks.

= 3x10-7failure/m.year = 3 x10-6failure/m.year =3x10-6 failure/year = 5x10-6 failure/year

Table 21: Pape and Nussey for chlorine plant [Lees] p.12/105

- 37 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Purple book data on pipes [CPR] Type of pipe Diameter <=50mm 50<diameter<150mm Diameter>150mm failure frequency 1x10-10m-1h-1=8.8x10-7m-1y-1 3x10-11m-1h-1=2.6x10-7m-1y-1 1x10-11m-1h-1 =8.8x10-8

Table 22: COVO Study catastrophic rupture [CPR] [Hu92] pipe rupture frequency Log(failure rate per meter per year)=-(0.0064x(pipe diameter in mm)+5.56) Diameter <=50mm 50<diameter<150mm Diameter>150mm failure frequency leak=10 x rupture failure frequency failure frequency leak=20 x rupture failure frequency failure frequency leak=30 x rupture failure frequency

Table 23: COVO study for significant leaks [Hu92] leak failure frequency Log(failure rate per meter per year)=-(0.026x(pipe diameter in mm)+5.32)

Pumps Catastrophic failure of pumps : the purple book proposes the following values : Installation (part) Pumps without additional provisions Pumps with a wrought steel containment Canned pumps Catastrophic failure 1x10-4y-1 5x10-5y-1 1x10-5y-1 Table 24: Catastrophic failure of pumps These figures should not be mistaken with the other pumps failure rates corresponding to other failure modes. Leak 5x10-4y1 2.5x10-4y-1 5x10-5y-1

A : Pressure storage sphere (Drysdale and David)

Crack in pipe Gasket failure Flange failure Valve seating failure Draining/sampling valve not properly shut Pipe rupture due to

Frequency/probability (per year) 10-4/y 5x10-5/y 4x10-5/y 3x10-2/y 10-4/y

- 38 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Vehicle impact Vibration Corrosion Repair whilst operating Excess pressure (blockage) Fatigue Creep Sabotage During Filling operation Operator fails to stop filling when correct level is reached 0.1 Operator fails to pump quickly enough when release occurs 10-2 Fixed water spray inoperative because : Water shut off Activation fails Water frozen Pipes completely blocked Low main pressure Sprinkler system damaged Fixed water spray system ineffective because : Pipe partially blocked Low mains pressure Some heads blocked 3x10-4 2x10-3 8x10-4 10-2 2x10-2 5x10-4 10-4 3x10-4 10-5 10-5/y 10-2/y 10-4/y 10-4/y 10-7/y 10-4/y 10-5/y 2x10-3/y

July 2004

B : Pressure storage (Considine, Grint and Holden)

Catastrophic failure of vessel : Complete failure Failure equivalent to 6 in nozzle Fracture of a 6 in. liquid line Pipework Equivalent failure of fittings Release due to overfilling Fracture of 2 in. vapour line Serious leak from equipment or pipeworks (1 kg/s) 6 in. pipework 2 in. pipework Flange Pump seal Release in course of draining or sampling (1.5 kg/s) Release per operation Draining operations 10-4 50/year 6x10-6/m.year 6x10-5/m.year 3x10-4/flange.year 5x10-3/seal.year 3x10-7/m-year 5x10-6/item-year 10-4/vessel-year 3x10-6/m.year 3x10-6/vessel-year 7x10-6/vessel-year

- 39 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Sampling operations Failure to recover during draining Failure to recover during sampling C : Refrigerated atmospheric storage (Considine, Grint and Holden) Catastrophic failure of tank Rollover Overfilling Overfilling with tank failure Overfilling without tank failure Fracture of a 6 in. liquid line Leak from pipework 5x10-6/tank-year 10-5/tank-year 10-4/tank-year 10-5/tank-year 9x10-5/year As section B As section B 100/year 10-1 10-2

July 2004

Table 25: Event Frequency/probability estimates given in two LPG hazard assessments (after Drysdale and David 1979/80; Considine, Grint and Holden, 1982) [Lees] (table 22.16) Table 25 illustrates the necessity of knowing the plant configuration to be able to calculate the frequency of a critical event. In this table several frequencies are given in number of occurrence per year and per equipment (flange.year or seal.year). Depending on the number of equipment, the overall probability can change considerably.

A. Estimates used
Coolant source/power failure Frequency of coolant source/power failure 0.1 failure/year

Probability that failure is sufficiently serious to give 0.1 total loss of power Probability that reactor is in critical condition Frequency of excursion due to this cause Coolant pump set failure Frequency of pump failure (complete failure to pump) Assume one pump operating and one on standby Length of batch cycle Probability of successful pump changeover Probability of failure during batch Probability that the reactor is in critical condition Number of cycles Frequency of excursion due to pump set failure Coolant turned off Frequency of manual isolation valve wrongly directed 0.05/year closed Probability that operator fails to detect lack of cooling 0.01 16h=0.00183 year 0.95 1-exp(-0.1 x 0.00183)(1+0.95x0.1x0.00183)=9x10-6 0.2 250/year 250 x 0.2x9x10-6=2.5 x10-4/year 0.1 failure/year 0.2 0.1 x 0.1 x 0.2=2.10-3/year

- 40 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Probability that reactor is in critical condition Frequency of excursion due to coolant turned off Automatic control failure Frequency of failure of control loop in fail to danger 0.25 failure/year mode Probability that operator fails to detect loss of control Probability that reactor is in critical condition Frequency of excursion due to automatic control failure Inadequate agitation Frequency of agitator failure Frequency of operator failure to start agitator Probability that agitator failure is critical Frequency of excursion due to inadequate agitation 0.5 failure/year 0.5 failure/year 0.01 (0.5+0.5)x0.01=10-2/year 0.01 0.2 0.25x0.01x0.2=5x10-4/year 0.5 0.05x0.01x0.5=2.5x10-4/year

July 2004

Table 26: Analysis of reactor overpressure : frequency of inadequate cooling (Marrs and Lees, 1989) [Lees] (Table 11.13) Table 26 illustrates how different frequencies and probability combine to lead to the final probability of an event (here, a reactor overpressure). These last data show the difficulty of working with the limited generic fault trees, as it clearly appears that the number of combined causes which must be taken into account to assess the probability of the events can be high.

System

Operatin g time

No of failures

Downtime Failure (h) Planned (h) 300 38 48 73 17

Availability % 99.9 99.91 99.78 99.5 99.61

Single computer system with analogue standby Twin computer system with analogue standby Twin computer system with shared critical loops - 1 Twin computer system with shares critical loops -2 Twin computer system with analogue standby

66528 35040 78 888 78 888 13 848

13 8 21 37 6

65 30.5 172 388 54

Table 27: Failure data for some process computer systems in the chemical industry [Lees] (Table A14.18)

2.7 Synthesis of the data sources analysis

Figure 9 illustrates the position of the available data on the fault tree. The red circles represent the position of absolute frequencies in the fault trees. Equipment reliability data mostly apply to specific fault trees that would be further developed from the initial generic fault trees. However, some data can be applied in the generic trees (doted circle) at the DDC (detailed direct causes) or DC level, when an equipment is explicitly involved (pumps or compressors in the overpressure scenarios).

- 41 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

The human reliability data could be applied at the undesirable events level as these correspond mostly to human or organisational deficiencies. In many situations it also possible to apply them directly to the DCs or DDCs when these events correspond already to human error situations.

Equiment reliability data

UE1 UE2

DDC1

Cause relative frequencies

DC1

DDC2 NSC1

DC2 CE

NSC2

DCj DDCi UEn

Frequencies of CE

Human reliability data

Figure 9: Position of the available data on the fault tree. Plain circles correspond to the most logical position of the data. Doted ones are alternative possibilities.

3.

Some comments inspired by the Assurance Project

The ASSURANCE project [Lauridsen] was a benchmark operation aimed at comparing the risk analysis methodologies used by seven European Partners. The assurance project involved the calculation of event frequencies for a same ammonia plant using the methodologies in use in the partner countries. The plant was originally described rather precisely with information about quantities stored and used in the process, the size and configuration of equipment. Yet, large differences were observed in the results of the frequencies of critical events. For some of the scenarios, the values calculated by the partners were varying initially by up to four orders of magnitude (Table 28).

- 42 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Table 28: Frequencies of the top events of the common scenarios used by the partners (events per year) in the ASSURANCE project An analysis was made of the causes of deviation. For this purpose, the scenarios were grouped into three sets: scenarios related to (1) pipelines, (2) loading arms, and (3) tanks. The following possible causes of uncertainty have been considered: (1) scenarios related to pipelines 1. Length of a pipeline to be analysed 2. Utilisation factor (fraction of time when a pipeline is in use) 3. Including piping-related components (flanges, valves and pumps) 4. Failure causes considered: 1. Mechanical 2. Overpressure 3. External impact (2) scenarios related to loading arms 1. Number of transhipments 2. Failure causes considered: 1. Mechanical 2. Overpressure 3. Other (e.g. "excessive movement of the arm, leading to its rupture")

- 43 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

(3) scenarios related to tanks 1. Failure causes considered: 1. Mechanical 2. Overpressure 3. Other (e.g. fires and explosions)

After this analysis, characteristics common for all the partners were defined such as the length of the pipes to be analysed, the utilisation factor or the number of transhipments. Once these precision were incorporated to the initial data, the calculation were performed again. The results were closer, even if the deviation could still reach three orders of magnitude for various top events (Table 29).

Table 29: recalculated frequencies according to the assumptions common to all research teams in the ASSURANCE project This project shows the difficulty of getting significant and reliable values when evaluating frequencies. It also shows the importance of the precise description of the plant, of its components and of its functioning. It is clear that using short generic fault trees with generic data is a major difficulty and that the results which could be obtained this way would probably not have much meaning. Yet, the following section attempts to propose some solution for the calculation of probabilities.

- 44 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

4.

Proposal of a method for evaluating the frequency of the critical event

The method retained by the ARAMIS project is based on the barrier approach. In other words, the scenarios are quantified by applying the barrier failure rates to an initial failure probability. This approach should reduce the stress on the frequency evaluation. Yet, it is necessary to provide some type of initial evaluation of the frequency (probability) to be able to calculate the final critical event frequency. As the preceding considerations have shown it is not easy to derive frequency (probability) values from the data source available. Yet, some type of quantification is desired. The following solutions can be proposed. As was already discussed, the main difficulty resides in the generic character of the fault trees and the appropriateness and validity of the failure data. Generic fault trees do not make a sufficient description of the failure modes and do not allow to take explicitly the number of components, the time of use, the number of demands into account. The failure data do not correspond to the events described in the event tree. They were derived from ancient studies and may not reflect the present state of the art.

To overcome these difficulties the following recommendations can be made. Detailed specific fault trees should always be preferred to generic fault trees as they allow a more precise description of the equipment and the failure modes. These detailed specific fault trees should be build, when possible, by developing the generic fault trees provided by MIMAH. In many plants, reliability analysis have been made and could be used as a reliable source to implement the probability analysis. When possible, plant specific data should be preferred to generic frequencies as the later reflect average behaviour of components which can be fairly different from those observed in the plant concerned by the study. The next section provides some useful data. When these cannot be used, the very coarse generic data given bellow can be adopted for an initial study.

Plant specific data Detailed fault trees Generic fault trees

Generic data

Use plant specific data and Use generic data with detailed detailed fault trees fault trees Use plant specific data with Use generic data with generic generic fault trees fault trees

Table 30: preferred data sources and methods for risk analysis Chapter 7 of the present document proposes some failure rates for different types of components which could be used for the calculation of the failure probabilities provided that the fault trees be developed further sufficiently to make these components appear.

- 45 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

Table 31 and Figure 10 provide even more generic data. Whatever the data used, it is also necessary to apply them to the number of components susceptible to fail.

Item People Mechanical systems Electrical systems

Failure Rates (on demand) 10-2 per operation 10-3 per operation 10-4 per operation

Table 31: Generic Failure Rates

Figure 10: Typical ranges of failure rates for parts, equipment and systems (CCPS guidelines) An attempt was made to introduce data into the generic fault trees (see tables at the end of chapter 7). The data correspond as much as possible to a no barrier situation, even if this criterion is not always easy to warrant. In fact different situations were distinguished : o Component failure : In such a situation, the component failure rate should be applied, if it can be found in the reliability databases. Of course, this failure rate can be increased by local conditions (corrosive environment,). Distinction has to be made between failure in time and failure on demand. In this second situation, the number of component solicitation must be known. In any case, the number of components susceptible to fail and their configuration (series or parallel) should be known and taken into account to calculate the resulting frequency. As it is not possible to reproduce entire databases such as the OREDA - 46 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

handbook, the CCPS guideline ranges given by Figure 10 were used in the fault trees. o Hazardous operation : these are operations which should always result into a hazardous phenomenon, such as manipulating hazardous chemicals. In such situations, the frequency of hazardous event is that of the operations reduced by the provisions taken to reduce the risk. In other words, the frequency without barriers is that of the operations. No data was introduced in the fault trees in this case. The value to be used is the plant specific frequency of operation. o Human error : the general comments about human reliability given above show that it is not recommendable to use single generic data to estimate the human error failure rate. Human reliability depends a lot on the context and the type of operations performed by the operators. But, in a first approximation, conservative values can be used such as 101 /operation (it should be reminded that this value is taken before taking into account the safety barriers, this means that no training or work procedures are considered). The frequency of the dread event (resulting from the error) is given by the product of the probability of human error by the frequency of the considered human operation (opening of a valve, for example). o External hazard : such as earthquake, domino effects or weather conditions. In this case, the local data should be obtained from the competent authorities and used directly. Earthquake and lightening data issued from the HSE safety report assessment guide were introduced in the tree but they should be used very carefully as they correspond to the situation in England. o Continuous degradation leading to failure : these include corrosion, erosion, and other mechanical failure. Whereas many absolute failure data are available for equipment failure, much less are available for these direct causes which appear in accident databases with high relative frequencies. In this case, the very few available data (8x10-7 to 10-4/h for corrosion in the I-Risk project database) were used as reference data and the other figures were derived from this initial data by applying relative distribution figures. However, the meaning of these is not clear, as it seems obvious that the probability of failure by corrosion or erosion must be somehow related with the length or surface of the concerned equipment. No figures could be found linking the different failure modes (corrosion, erosion, fatigue) and the length of pipes, for example.

5.

Conclusion

The objectives of this ARAMIS step was to produce a method and data to calculate the critical event frequencies which would be compatible with the elements of the method already developed, the generic fault trees, and those being developed by other partners, the safety barrier requirements approach. For this purpose, a typology of data sources was made. These can mostly be divided into o Reliability databases concerning mostly equipment failures

- 47 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

o Human reliability data o Accident databases (relative distributions of causes) o Scattered absolute and relative frequencies which can be found in very diverse literature references. These include frequencies of the critical events and some more scarce frequencies of intermediate events (NSC, DC or DDC in the fault trees). The limits of each data type were underlined with respect to the ARAMIS methodology. These limits concern both the data themselves and their applicability to the structure of the generic fault trees. As far as the data are concerned, and excluding, maybe, the reliability databases which are updated regularly, but are not easily accessible, it is difficult to know how accurate and reliable they are. The conditions and time of the initial collection are seldom known, which makes their use as generic data delicate. But it is also the generic nature of the fault trees which makes the assessment of the critical events frequencies difficult. For many events it is necessary to have more information on the plant configuration and operating conditions to calculate their frequency (probability). This is particularly true when on demand failure rates are involved. Yet, it was necessary to provide some guidelines for the assessment of the frequencies (probabilities). This was done by making some recommendations which include the development of specific fault trees on the basis of the generic fault trees provided in the ARAMIS methodology and the use of plant specific data when available. When such data are not available, generic ones must be used. Orders of magnitude of such data were introduced in the fault trees. Most of them are based on a combined use of absolute frequencies, when available and relative distribution of causes. Even if some results were obtained, this part of ARAMIS shows that the lack of reliable data and coupling between the data and the generic fault trees is a major difficulty. This should suggest to the project partners to propose an European data collection program which would result into a truly ARAMIS compatible database.

- 48 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

6.

References

6.1 ARAMIS Documents

[Delvosalle MOOA] C. Delvosalle, C. Fivez, A. Pipart, C. Kirchsteiger, F. Mushtaq, J. Casal Fabrega, Dr. E. Planas, PART 2 OF DELIVERABLE D.1.A. MOOA - MOST OFTEN OBSERVED ACCIDENTS WP 1/A [Delvosalle WP1D] C. Delvosalle, C. Fivez, A. Pipart, Methodology for the Identification of Reference Accident Scenarios, WP1D [Delvosalle WP1C] C. Delvosalle, C. Fivez, A. Pipart, Frequencies and probabilities on the event tree, Characteristics of critical events, WP 1C [Fivez WP1C] C. Fievez, A.Pipart, Intermediate report on the WP1C, ARAMIS

6.2 Other documents

[Akhmetjanov] Farit M. Akhmetjanov, Reliability databases : state of the art and perspectives : Risoe report Risoe R- 1235 EN [Bellamy] L.J. Bellamy, T.A.W. Geyer and J.A. Astley, Evaluation of the human contribution to pipework and in-line equipment failure frequencies, HSE contract research report n15/1989 [Barton] J. Barton, R. Rogers, Chemical reaction hazards, Ichem E, Rugby, 1993,184 p. [CCPS] Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, Center for Chemical Process Safety, American institute of chemical engineers, New-York, 2000 [CPR] Guidelines for quantitative risk assessment, purple book, CPR 18E, Committee for the prevention of disasters, Sdu Uitgevers, Den Haag, 1999 [Fragola] J.R. Fragola Human reliability analysis procedure, ESREL 2001, Safety and reliability, proceedings of the european conference on safety and reliability, ESREL 2001, tutorial notes, ed: Politecnico di Torino, 2001, pp.107-142 [Giovannini] Cration dun ple de comptences sur lvaluation de la scurit des procds chimiques (DRA-005) RAPPORT INTERMEDIAIRE DOPERATION, Guide mthodologique dvaluation des dangers lis la mise en oeuvre de ractions chimiques B. GIOVANNINI Juin 2001, available at www.ineris.fr
[HOURTOLOU] D. HOURTOLOU, Analyse des risques et prvention des accidents majeurs (DRA-007), Rapport final Opration ASSURANCE, ASSessment of the Uncertainties in Risk Analysis of Chemical Establishments, Projet U.E. ENV4-CT97-0627 available on (www.ineris.fr)

- 49 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

[HSE] HID - SAFETY REPORT ASSESSMENT GUIDES : http://www.hse.gov.uk/comah/index.htm, links to Safety Report Assessment Guide : Chlorine Safety Report Assessment Guide : Chemical Warehouses Safety Report Assessment Guide : LPG Safety Report Assessment Guide : HFL Safety Report Assessment Guide : Methane Gas Bullets Safety Report Assessment Guide : Methane Gas Holders Safety Report Assessment Guide : Whiskey Maturation Warehouse [IchmE] The Accident Database Version 4.1, Institution of Chemical Engineers, Rugby, UK [I-RISK] I-RISK Project : ANNEX IV.1, QUANTIFICATION: DATABASE MAY 1999 [Lauridsen] Assessing the uncertainties in the process of risk analysis of chemical establishments: part I, Kurt Lauridsen, Michalis Christou, Aniello Amendola, Frank Markert, Igor Kozine, Monica Fiori available at : http://mahbsrv.jrc.it/antwerp/docs%5CLauridsen.pdf [Lees] Franck P. Lees, Loss prevention in the process industry, London: Butterworths, 1986 [OREDA] Offshore Reliability Data Handbook, 1997, Det Norske Veritas [Piccini] Human Factors In The Design Process Of Advanced Supervisory And Control Systems , Piccini M. and Carpignano A., Politecnico di Torino Dipartimento di Energetica, C.so Duca degli Abruzzi 24, 10129 Torino, Italy, [R2A] http://www.r2a.com.au/publications/4th_Edition/4th_edition.html [RIVM 1] RIVM Report 610066015 Benchmark risk analysis models [RIVM 2] Report 610066014 A method to judge the internal risk of establishments with dangerous substances [Tucci] Human reliability analysis to high-risk industries: the case of process chemical industry for the polyethylene production. Prof. Mario Tucci, Ing. Lorenzo Giagnoni, Ing. Irene Cappelli [Villemeur] Alain Villemeur, Suret de fonctionnement des systmes industriels, fiabilit, facteurs humains, informatisation , Eyrolles, PARIS, 1988, 798 p.

- 50 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

7.

Additional data

7.1 HSE reference failure frequencies

Event High pressurise gas transmission line rupture Lightning strike Severe earthquake capable of rupturing pipework Seal Fire Failure of a ROSOV on demand Failure of an excess flow control valve on demand Failure of an automatic shutoff valve to close Failure of a level sensor (sticking) Split Crown (without ignition) Split crown explosions Rupture of pipe on a pressurised storage system Sudden catastrophic failure of vessels Failure of a flow sensor Export/Import line failure High pressurise gas transmission line rupture Failure rate of small bore gas pipework Frequency of sparking of zone 1 equipment Seal Fire Split Crown (without ignition) Split crown explosions Probability/Frequency 5 x 10-4/km.yr 1 x 10-7/yr 1 x 10-6/yr - 1 x 10-7/yr approx. 2 x 10-4/holder.yr 3 x 10-2/yr 1.3 x 10-2/yr 1 x 10-2/demand 50 per 10-6 hrs Approx. 3 x 10-4/holder.yr < 3 x 10-5/holder.yr 1 x 10-5/yr 3 x 10-6/yr 40 per 10-6 hrs 5 x 10-4/km.yr 5 x 10-4/km.yr 6 x 10-5/m 1 x 10-4/item approx. 2 x 10-4/holder.yr Approx. 3 x 10-4/holder.yr < 3 x 10-5/holder.yr

Table 32: General summary of HSE data from HID - safety report assessment guides : [HSE]

- 51 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree

July 2004

7.2 I-Risk
The failure rates are expressed as number of failures per hour or per demand [I-Risk] Table 33: database developed in the framework of the I-Risk project
EQUIPMENT Good Poor Generic PARAMETER Managem Managem Plant ent ent Comments OREDA data.Does not include: isolation time, waiting time, detection time DEMOKRITOS judgement. Use for I-Risk Technical Model?

Safety valves, remote control valves

Time for repair (Tr) (hr)

1,5

NO

Safety valves, remote control valves Safety valves, remote control valves Safety valves, remote control valves Safety valves, remote control valves

Time for repair (Tr) and Time for 24 maintenance (Tm) (hrs) T (inspection interval)

168

1176

YES

Plant data Plant data DEMOKRITOS Plant data x 0.9 x5 judgement. OREDA, page 492 Expert judgement based on generic data according to SAVE's suggestions SAVE/RIVM judgement based on generic data

YES

Lambda (failure 1,71E-06 rate)

1,25E-05

3,15E-05

YES

Qm1 (error in maintenance)

1,00E-03

0,01

0,1

YES

Safety valves, remote control valves Safety valves fail in open position

Qm2 (error recovery failure 0,05 by independent check) Lambda (failure rate) 8,50E-07

1,00E-01

YES

1,17E-05

3,40E-05

OREDA, p. 492 OREDA page 493

Manual valves

Lambda (failure rate)

2,736E-07 1,9952E-06 5,0416E-06 All caused by seals (x 0.16 of safety valve failure values) 1,00E-03 1,00E-02 0,1 DEMOKRITOS judgement.

YES

Manual valves

Qm1

YES

10

Manual valves

Other parameters Same as Same as Same as = Tr, Tm, T, Qm2 Same as for for safety for safety for safety (not failure rate safety valves valves valves valves or Qm1) Lambda(failure rate) 8,30E-07 2,76E-06 5,59E-06 OREDA page 325

YES

11

Flow instruments

YES

- 52 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Good Poor Generic PARAMETER Managem Managem Plant ent ent

July 2004

EQUIPMENT

Comments OREDA data page 325

Use for I-Risk Technical Model?

12

Flow instruments

Time for repair (Tr) (hr)

0,2

0,6

Does not include: isolation time, waiting time, detection time SAVE/RIVM expert judgement to account for what OREDA leaves out and using Test Case B as benchmark for good. DEMOKRITOS judgement. OREDA page 329 OREDA page 332 OREDA page 338 DEMOKRITOS judgement. OREDA page 115 OREDA data, page 115

NO

13

Flow instruments

Time for repair (Tr) and Time for 24 maintenance (Tm) (hrs)

168

336

YES

14

Instruments where have to take equipment apart for repair

Time for repair (Tr) and Time for 24 maintenance (Tm) (hrs) 2,50E-06 2,50E-07 3,00E-08

168

720

YES

15 16 17

Level instrument l (failure rate) Pressure instrument Temperature instrument Instruments easy maintenance Process pump (666 lb) l (failure rate) l (failure rate)

6,09E-06 1,27E-06 7,73E-06

1,10E-05 2,94E-06 2,97E-05

YES YES YES

18

Qm1

5,00E-04

5,00E-03

5,00E-02

YES

19

l (failure rate)

4,50E-05

1,21E-04

2,28E-04

YES

20

Process pump

Tr Time for repair 2 (hrs)

24

168

Does not include: isolation time, waiting time, detection time DEMOKRITOS judgement. DEMOKRITOS judgement. DEMOKRITOS judgement. OREDA p.65

NO

21

Process pump

Time for repair (Tr) and Time for 24 maintenance (Tm) (hrs) Qo1 Qo2 1,00E-03 5,00E-02

168

720

YES

22 23

Human Error Human Error

1,00E-02 1,00E-01

1,00E-01 1,00E+00

YES YES

22

Compressor fails while running l (failure rate) (reciprocating)

6,40E-05

6,10E-04

1,63E-03

YES

- 53 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Good Poor Generic PARAMETER Managem Managem Plant ent ent 1,56E-04 1,44E-03 3,82E-03

July 2004

EQUIPMENT

Comments

Use for I-Risk Technical Model? YES

23

Compressor fails (critical, l (failure rate) reciprocating) Compressor fails owing to l (failure rate) vibration (reciprocating) Compressor fails, low gas flow (reciprocating) Compressor fails, low gas flow (reciprocating)

OREDA p.65

24

9,00E-08

2,30E-05

8,70E-05

OREDA p.65

YES

25

l (failure rate)

2,00E-06

1,01E-04

3,60E-04

OREDA p.65

YES

26

Tr Time for repair 4

32

98

OREDA p.65

YES

27 28 29 30 31 32 33 34 35 36 37 38

Compressor fails l (failure rate) (centifugal) Compressor (reciprocating)

6,70E-05

3,93E-04 70 47 1,06E-04 6,00E-06 41 6,00E-06 1,27E-04 8,20E-05 1,00E-05 39 1,52E-06

9,41E-04 5462 1749 2,77E-04 1,60E-05 537 2,40E-05 3,07E-04 2,24E-04 2,10E-05 502 5,26E-06

OREDA, p.52 OREDA p.65 OREDA, p.52 OREDA, p.107 OREDA, p.107 OREDA, p.107 OREDA, p.107 OREDA, p.125 OREDA, p.125 OREDA, p.125 OREDA, p.125 OREDA, p.345

YES YES YES YES YES YES YES YES YES YES YES YES

Tr Time for repair 1

Compressor fails Tr Time for repair 0,5 (centrifugal) Ammonia pump l (failure rate) (critical) Ammonia pump l (failure rate) (vibration) 1,21E-05 4,60E-07

Ammonia pump Tr Time for repair 0,5 Ammonia pump, l (failure rate) other modes Oil pump (critical) Oil pump (fail while running) Leak of Oil pump Oil pump Spurious operation of control valve Spurious operation of control valve Control valve fails to open Control valve fails to open l (failure rate) l (failure rate) l (failure rate) 3,00E-08 2,10E-05 8,00E-06 3,00E-06

Tr Time for repair 0,5 l (failure rate) 4,00E-08

39

Tr Time for repair 0,2

1,9

OREDA, p.345

YES

40 41

l (failure rate)

1,10E-07

1,96E-06 14

4,79E-06 58

OREDA, p.345 OREDA, p.345

YES YES

Tr Time for repair 2

- 54 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Good Poor Generic PARAMETER Managem Managem Plant ent ent l (failure rate) 4,00E-07 2,90E-06 18 2,43E-06 7 1,29E-04 3,4 1,44E-04 15 2,10E-05 8,5 7,40E-06 96 4,62E-06 36 2,55E-04 42 4,07E-04 1404 3,10E-05

July 2004

EQUIPMENT Control valve fails to close Control valve fails to close Other process sensors Other process sensors Controller Controller Electric generators Electric generators Fire fighting system Fire fighting system BATTERY CHARGER FAILS RECTIFIER MECH. FAILURE FUSE FAILS OPEN

Comments

Use for I-Risk Technical Model? YES YES YES YES YES YES YES YES YES YES YES

42 43 44 45 46 47 48 49 50 51

OREDA, p.345 OREDA, p.345 OREDA, p.322 OREDA, p.322 OREDA, p.266 OREDA, p.266 OREDA, p.155 OREDA, p.155 OREDA 92, p.441 OREDA 92, p.441 IAEA (BCAFB)

Tr Time for repair 2 l (failure rate) 8,70E-07

Tr Time for repair 2 l (failure rate) 4,10E-05

Tr Time for repair 0,2 l (failure rate) 1,20E-05

Tr Time for repair 0,5 l (failure rate) Tr Time for repair 1,20E-05

52

l (failure rate)

3,00E-07

6,00E-07

4,00E-06 IAEA (EREFE) YES

53

l (failure rate)

3,20E-07

1,30E-06

3,60E-06 IAEA (KTAKB) IAEA (KDCDO) DEMOKRITOS judgement IAEA (TAAAB) IAEA (YSFQB) YES YES YES

54 55

l (failure rate)

6,00E-08 2,00E-10

3,00E-06 1,80E-07

2,00E-05 4,20E-07

SWITCH FAILS l (failure rate) OPEN SHORT CIRCUIT IN BUS l (failure rate)

56

1,00E-09

1,00E-08

1,00E-07

57

TRANSFORME l (failure rate) R FAILS OPEN STRAINER IN COMPRESSOR l (failure rate) BLOCKS LOSS OF OFFSITE POWER EXTERNAL FIRE LOSS OF OFFSITE WATER Fi

3,00E-07

6,00E-07

4,00E-06

YES YES

58

6,00E-07

3,00E-05

3,00E-05 DEMOKRITOS judgement DEMOKRITOS judgement judgement YES

59

1,00E-07

1,40E-06

1,00E-05

60

fi

6,00E-07

6,3E-06

1,00E-05

YES YES

61

fi

1,00E-08

1,0E-07

1,00E-06

- 55 -

ARAMIS D1C APPENDIX 7 Frequencies data for the fault tree Good Poor Generic PARAMETER Managem Managem Plant ent ent fi 1,00E-05 3,7E-04 1,00E-04

July 2004

EQUIPMENT

Comments DEMOKRITOS judgement DEMOKRITOS judgement DEMOKRITOS judgement DEMOKRITOS judgement DEMOKRITOS judgement

Use for I-Risk Technical Model? YES YES

62

LEVEL RISE

63

TEMPERATUR E RISE, fi LOADING TEMPERATUR E RISE, fi UNLOADING LOW LEVEL IN fi TANK HOT AMMONIA ENTERS THE TANK

1,00E-06

6,3E-06

1,00E-05

YES

64

1,00E-06

1,0E-05

1,00E-04

65

1,00E-06

1,0E-05

1,00E-04

YES YES

66

fi

1,00E-06

1,9E-05

1,00E-04

67 68 69 70 71 72 73 74 75

CORROSION IN fi PIPING BATTERY l (failure rate) UNAVAILABLE

1,00E-06 8,00E-07

1,9E-05 2,00E-06

1,00E-04 1,00E-05 7

DEMOKRITOS judgement IAEA (BTWFB) IAEA (BTABN) DEMOKRITOS judgement DEMOKRITOS judgement OREDA, p.119 OREDA, p.119 DEMOKRITOS judgement IAEA (KTAKW) DEMOKRITOS judgement DEMOKRITOS judgement IAEA (QDAFB) ACTUAL DATA FROM INDUSTRY ACTUAL DATA FROM INDUSTRY

YES YES YES YES YES YES NO YES YES YES

BATTERY Tr Time for repair 4 UNAVAILABLE NO SYCHRG NO SYCHRG Water fire fighting pump Water fire fighting pump Water fire fighting pump l (failure rate) 8,00E-07 2,00E-06 5 3,17E-04 18 168 1,00E-06

1,00E-05 7 4,70E-04 60 8760 3,00E-06

Tr Time for repair 4 l (failure rate) 2,00E-04

Tr Time for repair 1 Tr Time for repair 24 3,00E-07

Electric ignition l (failure rate) failure IGNITION FAILURE OF FLARE

76

Tr Time for repair 24

168

8760

77 78

FLARE Tr Time for repair 24 UNAVAILABLE Flare fails to start All comps l (failure rate) 2,00E-07

168 1,00E-06

8760 5,00E-05

YES YES YES

79

fm

1,16E-03

YES

80

All comps

Tm

- 56 -