The document provides an overview of fault tree analysis (FTA). FTA is a logic diagram approach used to analyze system failures by beginning with a potential upset event and diagramming how it can result from lower level events or failures. It describes constructing a fault tree by defining the top event and identifying necessary and sufficient lower level events, conditions, and units to cause it. The connections are made via logic gates like AND and OR. The purpose of FTA is to help analyze potential system and component failures. It requires understanding the system to identify cause-and-effect relationships represented in the fault tree.
Fault Tree
L09 Fault Tree Analysis
Quantitative Risk Analysis L09
Fall 2013

Logic Diagram Analysis
Risk assessment includes frequency or probability estimates of scenario outcome events. Values of Pr(system failure | c1, c2, ...) usually are not known and must be estimated from simpler or base events: Pr(unit failure | c1, c2, ...).
Quantification of outcome events is based on primary or base events or components for which occurrence data (specific, generic, expert opinion) exist.
Logic diagrams link base and intermediate events and units that occur in event sequences or scenarios for quantification of outcome events.

Fault Tree Analysis
Fault tree analysis (FTA) is a logic diagram approach to analyze system failures. A fault tree (FT) begins with a potential upset (top event) and diagrams, through deduction, how the top event can result from lower level events or failures.
An event tree (ET) diagrams events that are initiated by, and result through induction from, a FT top event.
A FT top event is connected to lower level events through logic gates such as OR (union operation, ∪) and AND (intersection operation, ∩).
FT and ET events are analyzed and quantified on a fail/success (binary) basis.

FTA Purpose
FTA requires an understanding of the system and potential failures, aided by a system block diagram or functional diagram and a system hazard analysis of potential failure causes.
FTA can help to analyze system design, component and system operation, human actions, and effects of the external environment on the system.
Cause and effect relationships leading to the top event are identified, analyzed, and represented in the FT.

FTA Requirements
- Identify the physical boundaries of the system to be included in the FTA
- System conditions at start of top event
- External conditions at start of top event
- Decide on the depth and resolution of the deductive analysis from top event to lower level events
- FTA team tasks

FTA Construction
Define the top event, for example:
- What: fire
- Where: in the process oxidation reactor
- When: during normal operation
Identify necessary and sufficient events, conditions, and units to cause the top event.
Connect events and conditions via logic gates such as AND and OR.
Continue with underlying events to an appropriate event level, called primary or base events, to include components or human actions.
Connection to base events:
- Simple, independent events
- Events for which sufficient data exist (such as failure data) to explain and quantify the top event of the FT

AND-Gate
Independent basic events E1 and E2 at time t. The TOP event failure probability, Q_T, at time t is
    Q_T = P(E1 ∩ E2) = P(E1 | E2) P(E2) = P(E1) P(E2)
With a single AND-gate and n independent basic events occurring at time t,
[Figure: AND gate with independent inputs E1, E2 feeding TOP]

OR-Gate
Independent basic events E1 and E2 at time t. The TOP event probability at time t is
    Q_T = P(E1 ∪ E2) = P(E1) + P(E2) − P(E1 ∩ E2) = Q1 + Q2 − Q1 Q2
With a single OR-gate and n independent basic events occurring at time t,
[Figure: OR gate with independent inputs E1, E2 feeding TOP]

Combining OR with AND Gates with Logic
[Figure only]

Analysis of Logic Trees
Logical (qualitative) evaluation: find cut sets (for failure) or path sets (for success) by Boolean manipulations, or use logical information to rearrange the tree for easy computation.
Probabilistic (quantitative) evaluation: use estimates of probabilities or frequencies for event occurrences.

Fault Trees Identification
Fault trees help to identify how a system can fail through one or more component failures or human failures.
FTs help to analyze the causes of failures in complex systems from a sequence of failure/success events.
Minimum cut sets determined from a reduced FT show the scenarios of minimum failures that lead to the failure indicated by the top event occurrence, T.

FTA Main Symbols
- Basic event: a basic initiating fault (component failure)
- Intermediate or top event: occurs as a result of events at a lower level acting through logic gates
- AND gate: output occurs if all input events occur
- OR gate: output occurs if at least one input event occurs

Flashlight
[Figure: flashlight circuit with switch, bulb, and two batteries (+/−); event: no light]

Fault Tree for a Flashlight
[Figure: top event "No light" above an OR gate with basic events Battery, Switch, Bulb]

Symbols
[Figure only]

Hot Oil Heating System
[Figure: process diagram]
Tags: FE, flow transducer; FC, flow controller; FS, flow switch; FAL, low flow alarm; SV, solenoid valve; FCV, flow control valve; TE, temperature transducer; TC, temperature controller; TSH, high temperature switch; GIV, gas isolation valve; MBV, manual bypass valve; TCV, temperature control valve.

Hot Oil Heating System scope
Supply hot oil plus solvent to bitumen (asphalt solution) tanks.
Flow through the heater must be maintained or the heater coils may overheat, rupture, and cause a fire.
The flow control valve, FCV, opens progressively if flow to the heater drops (e.g., flow to a bitumen tank is reduced) and returns oil back to the pump.
Manual bypass valve, MBV, for FCV maintenance.

Hot Oil Heating System HAZID
What are the hazards of this oil heating system?

Hot Oil Heating System FTA for Heater Coil Burn Out
For heater coil burn out as an upset event, identify initial triggering events or system demands, each to be analyzed separately.
Events or demands:
- No or low oil flow demands: pump failure; flow control system failure; oil leak (large); pipeline blockage; valve closed
- Excess gas flow (e.g. at a time of low oil flow): fuel gas control

Heater Coil Burn Out Frequency
Each of these demands should be analyzed separately. The frequency of coil burn out is based on the frequencies from each of the demands: pump failure OR flow control system failure OR oil leak OR pipeline blockage OR valve closed OR
Can pump failure by itself cause the top event?

Pump Failure Demand Fault Tree, 1
The heater coils burn out if both the pump fails AND the protective response fails.
The protective response fails if both the automatic response fails AND the manual response fails.
Causes of automatic response failure: either FE fails OR FS fails OR SV fails OR TCV fails.
Causes of manual response failure: either FE fails OR FS fails OR FAL fails OR the operator fails OR GIV fails.
For this system, construct a fault tree based on your knowledge of the system operation.

Pump Failure Demand Fault Tree, 1: Initial FT and Logic Based on Understanding of System
Represent the mishap or top event by T. Events leading to T are represented by letters for system components.
    T = A [(B ∪ C ∪ D ∪ E) (B ∪ C ∪ F ∪ G ∪ H)]
           automatic response   manual response
State the logic expression in words.

Pump Failure Demand Fault Tree, 1: Boolean Algebra Logic
    T = A [(B + C + D + E) (B + C + F + G + H)]
           automatic          manual
Which makes what assumptions?

Pump Failure Demand Fault Tree, 1: comments
The over-temperature protection system (TSH, SV) does not operate if the pump stops, because there is no flow to the TSH sensor (auto response system failure).
But the oil in the heater can overheat and cause heater coil burn out if the pump stops, and FS fails, or FAL fails, or the operator, OP, fails to cut off fuel to the heater.

Pump Failure Demand Fault Tree, 1
[Figure: initial fault tree]

Pump Failure Demand Fault Tree, 1: comments
From the initial fault tree construction, there are two components, FE and FS, that appear in more than one branch of the tree. As discussed, the initial fault tree is based on our understanding of how the system works. An initial fault tree should therefore be reduced to avoid repetitions, which can lead to over counting of failures and an inaccurate top event frequency or probability calculation.
From the initial FT, prepare a reduced fault tree.

FT Reduction with Boolean Algebra
To simplify, the logic expression is expanded and reduced:
    T = A (B + C + D + E) (B + C + F + G + H)
      = A (BB + BC + BF + BG + BH + CB + CC + CF + CG + CH + DB + DC + DF + DG + DH + EB + EC + EF + EG + EH)

FT Reduction with Boolean Algebra: Boolean Identities (Idempotent, Absorption)
    A ∩ A = A          A AND A = A
    A ∪ A = A          A OR A = A
    A ∪ (A ∩ B) = A    A OR (A AND B) = A

FT Reduction with Approximations: Boolean Identities (Idempotent, Absorption)
Fill in the spaces to quantify, and identify the approximation used (RE, rare event; or SI, independent).
    Exact                Approximate
    A ∩ A = A            A · A = A
    A ∪ A = A            A + A = A
    A ∪ (A ∩ B) = A      A + (A · B) = A

Fault Tree Reduction
    T = A (BB + BC + BF + BG + BH + CB + CC + CF + CG + CH + DB + DC + DF + DG + DH + EB + EC + EF + EG + EH)
Based on the previous assumptions and identities, simplify the equality:
    T = A (B + C + DF + DG + DH + EF + EG + EH)
Factor and categorize this logic expression of T to highlight system functions:
    T = A {B + C + (D + E)(F + G + H)}
            auto auto  auto   manual
State the logic expression in words.

Pump Failure Demand Fault Tree after reduction, 2
[Figure: reduced fault tree with basic events A, B, C, D, E, F, G, H grouped as Auto, Auto, Manual]
State the logic of the reduced FT using the same assumptions as for the initial FT:
    T = A {B + C + (D + E)(F + G + H)}
          protective response
The heater coils will burn out if both the pump fails AND the protective response fails.
The protective response fails if either FE fails OR FS fails OR a combination of failures occurs.
A combination of failures leading to failure of the protective response occurs if there is (a failure of either SV OR TCV) AND (a failure of either FAL OR the operator OR GIV).
What are the minimum failures that result in T?

Fault Tree Success Paths
A FT success path is a component or group of components that prevents the FT top event from occurring. A FT can exhibit one or more success paths.
Success paths form a success tree, ST, which is the complement of a FT with all events and operations changed to their logical complements (fail/success, ∩/∪).

Success Trees
Show how a system can perform without failure based on the performance of components and human actions.
Facilitate understanding of minimum success requirements, with minimal path sets leading to system performance, for system designers, operators, and managers.

FT Cut Sets
A fault tree cut set is an event or set of basic failure events, the simultaneous occurrence of which causes the top event to occur. Each cut set inactivates or cuts all success paths.
A minimum cut set is a set that cannot be reduced in size (number of components). Minimum cut sets are determined directly from the reduced fault tree.
A minimal cut set fails (cuts all success paths) when all components of the cut set fail simultaneously or co-fail within a short time period.

Cut Sets, Path Sets
    Success path    Components
    1               PU
    2               FE, FS, SV, TCV
    3               FE, FS, FAL, OP, GIV
Single component to inactivate all paths?
Two-component combinations: minimal cut sets with 2 components that by co-failure cut all success paths. How many are there?
Three-component cut sets: how many?
Four-component cut sets: how many?

FT, Cut Sets, and ST, Path Sets
[Figure: small fault tree (input/output) with cut sets and its success tree with path sets]
Cut sets: (A), (B, C)
Logic: $\overline{A + BC} = \bar{A}(\bar{B} + \bar{C}) = \bar{A}\bar{B} + \bar{A}\bar{C}$   [independent, REA]
Path sets: (A, B), (A, C)

Cut Set Evaluation
[Figure: cut set s of basic events E1, E2, ..., Er into an AND gate: cut set fails]
A minimal cut set fails if (and only if) all the basic events in the set simultaneously fail. The probability that cut set s, with r independent events, fails at time t is

TOP Event Probability
[Figure: TOP above an OR gate with inputs CS1, CS2, ..., CSk]
The TOP event occurs if at least one of the k minimal cut sets (SI) fails. The upper bound approximation of the TOP event probability is given for independent events (Rausand, 2004).
REA approximation of failure scenarios: cut sets are not mutually exclusive!

Top Event Assessment
How can events and paths leading to the top event, i.e., cut sets, be assessed with regard to their quantitative contribution to the top event frequency or probability? This risk source quantification is needed to identify the cost-effective direction of resources to lower risk and manage risk within acceptable ranges.
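As an added example (not part of the lecture slides), the Python below carries out the Boolean reduction mechanically on the pump-failure demand tree, returning its minimal cut sets, and then quantifies the TOP event from them with the standard product, upper-bound and rare-event formulas (Rausand, 2004). The letter-to-component mapping A=PU, B=FE, C=FS, D=SV, E=TCV, F=FAL, G=OP, H=GIV is inferred from the slide text, and any basic-event probabilities passed in are constructed values.

```python
from itertools import product
from math import prod

# Fault tree as nested tuples ("AND", ...) / ("OR", ...) with basic events as strings.
# Letters are those of the lecture's pump-failure demand tree; the mapping is
# inferred from the slide text: A=PU, B=FE, C=FS, D=SV, E=TCV, F=FAL, G=OP, H=GIV.
INITIAL_TREE = ("AND", "A",
                ("OR", "B", "C", "D", "E"),       # automatic response fails
                ("OR", "B", "C", "F", "G", "H"))  # manual response fails
REDUCED_TREE = ("AND", "A", ("OR", "B", "C",
                ("AND", ("OR", "D", "E"), ("OR", "F", "G", "H"))))


def minimal_cut_sets(node):
    """OR: union of the children's cut sets.  AND: merge one cut set per child
    in every combination.  Then absorption (A + A*B = A) drops supersets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = set().union(*child_sets)
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return {s for s in sets if not any(other < s for other in sets)}


def gate_probability(node, q):
    """Gate-by-gate quantification with the slides' independent-event formulas
    (AND: product; OR: 1 - product of (1 - q)).  Exact only when no basic
    event feeds more than one branch, which is why the tree is reduced first."""
    if isinstance(node, str):
        return q[node]
    gate, *children = node
    ps = [gate_probability(c, q) for c in children]
    if gate == "AND":
        return prod(ps)
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")


def top_event_probability(cut_sets, q):
    """Q_s = product over the cut set (it fails only if all its events fail).
    Returns (upper bound 1 - prod(1 - Q_s), rare-event approximation sum Q_s)."""
    qs = [prod(q[e] for e in s) for s in cut_sets]
    return 1.0 - prod(1.0 - v for v in qs), sum(qs)
```

Quantifying the initial (unreduced) tree gate by gate gives a different, and therefore wrong, number from the reduced tree because FE and FS feed two branches, the repetition the slides warn about; the reduced tree and the cut-set formulas agree.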