
Chapter 11.

RISK ASSESSMENT

Introduction
Risk assessment has two parts:
1. Incident identification: how the accident occurs (analysis of probability).
2. Consequence analysis: expected damage (loss of life, damage, days of outage).

This chapter discusses:
1. A review of probability mathematics.
2. How the failure probabilities of individual components contribute to the failure of the entire process.
3. Two probabilistic methods: event trees and fault trees.

Probability Theory
Failure in a process occurs as a result of the interaction of the individual components, and the overall probability depends on the nature of this interaction. The average failure rate is expressed as faults per unit time: on average the component fails after a certain period of time. The probability that the component will NOT fail during the time interval (0, t), the reliability R(t), is given by the Poisson distribution

As t increases, R(t) goes to 0, and a higher failure rate means a lower R(t). The complement of the reliability is called the failure probability and is given by

Failure density function: the derivative of the failure probability.

The failure density function is used to determine the probability P of at least one failure in the time period t0 to t1.

MTBF: the time interval between two failures of a component is called the mean time between failures (MTBF) and is given by

Many components exhibit a bathtub-shaped failure rate curve.

Interaction between process units, parallel: process failure requires the simultaneous failure of a number of components in parallel. The failure probabilities for the individual components must be multiplied (parallel probability), where n is the total number of components and Pi is the failure probability of each component.

Total reliability for parallel units

Ri is the reliability of an individual process component.

Parallel interaction is represented by the logical AND gate function.

Interaction between process units, series: failure of any single component in a series of components will result in failure of the process. This is represented by the logical OR function. The overall process reliability is found by multiplying the reliabilities of the individual components.

The overall failure probability

Interaction between process units, series: for a system composed of two components A and B

The product term compensates for counting the overlapping cases twice.

If the failure probabilities are small, the product term can be neglected. For this special case

Revealed and Unrevealed Failure


Revealed failure: failures that are immediately obvious, e.g. a flat tire on a car.

τ_o + τ_r = MTBF

The time that the component is operational is called the period of operation and is denoted by τ_o. After a failure occurs, a period of time, called the period of inactivity or downtime (τ_r), is required to repair the component.

For revealed failures, the period of inactivity or downtime for a particular component is computed by averaging the inactive periods over a number of failures

where n is the number of times the failure or inactivity occurred and τ_r is the period of repair for a particular failure. Similarly, the time before failure, or period of operation, is given by the average of the operating periods. So,

Availability: the probability that the component is found functioning.

Unavailability: the probability that the component or process is found not functioning.

For revealed failures,

Unrevealed Failure
For unrevealed failures, if τ_u is the average period of unavailability during the inspection interval and τ_i is the inspection interval, then

The average period of unavailability is computed from the failure probability

For unrevealed failures

Probability of coincidence
The dangerous process episode occurs when a process upset occurs and the emergency system is unavailable. This requires a coincidence of events. Assume that a dangerous process episode occurs P_d times in the time interval T_i. The frequency of this episode is given by

For an emergency system with unavailability U, a dangerous situation will occur when the process episode occurs and the emergency system is unavailable. This is every P_d U episodes.

The mean time between coincidences (MTBC) is the reciprocal of the average frequency of dangerous coincidences:
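As an added example, not part of the chapter, the following Python puts the relations of this section into functions: exponential reliability and MTBF for a constant failure rate mu, AND/OR combination of failure probabilities, availability for revealed and unrevealed failures, and the MTBC. The unrevealed-failure relation U = mu*tau_i/2 is the standard small-mu*tau_i approximation and is assumed here; all numeric inputs are constructed.

```python
import math

# Added example (not from the chapter). Exponential (Poisson-process) failure model:
# mu is the average failure rate in faults per unit time, t the elapsed time.

def reliability(mu, t):
    """R(t): probability that the component has NOT failed in (0, t)."""
    return math.exp(-mu * t)

def failure_probability(mu, t):
    """P(t): the complement of the reliability."""
    return 1.0 - reliability(mu, t)

def mtbf(mu):
    """Mean time between failures for a constant failure rate."""
    return 1.0 / mu

def parallel_failure_probability(probs):
    """AND gate: every component must fail, so the failure probabilities multiply."""
    return math.prod(probs)

def series_failure_probability(probs):
    """OR gate: any single failure fails the process, so the reliabilities multiply."""
    return 1.0 - math.prod(1.0 - p for p in probs)

def revealed_availability(tau_o, tau_r):
    """Revealed failure: (A, U) from the period of operation and the repair period."""
    mtbf_ = tau_o + tau_r
    return tau_o / mtbf_, tau_r / mtbf_

def unrevealed_unavailability(mu, tau_i):
    """Unrevealed failure: U ~ mu*tau_i/2 when mu*tau_i is small (assumed approximation)."""
    return mu * tau_i / 2.0

def mtbc(p_d, t_i, unavailability):
    """Mean time between coincidences of a process upset and an unavailable emergency system."""
    lambda_d = p_d / t_i                   # frequency of dangerous process episodes
    lambda_dc = lambda_d * unavailability  # frequency of dangerous coincidences
    return 1.0 / lambda_dc

if __name__ == "__main__":
    # Constructed inputs: two components with 0.1 and 0.2 failure probability per demand.
    print("parallel (AND):", parallel_failure_probability([0.1, 0.2]))
    print("series (OR):", series_failure_probability([0.1, 0.2]))
    print("MTBC (yr):", mtbc(1, 1.0, unrevealed_unavailability(0.01, 1.0)))
```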

EVENT TREE ANALYSIS


Event tree analysis evaluates potential accident outcomes that might result following an equipment failure or process upset known as an initiating event. It is a forward-thinking process, i.e. the analyst begins with an initiating event and develops the subsequent sequences of events that describe potential accidents, accounting for both the successes and failures of the safety functions as the accident progresses.

Guidelines
1. Identify an initiating event of interest.
2. Identify the safety functions designed to deal with the initiating event.
3. Construct the event tree.
4. Describe the resulting accident event sequences.

Construction of the Event Tree


1. Enter the initiating event on the left hand side.
2. List the functional responses chronologically.
3. Decide whether or not the success or failure of the function can or does affect the course of the event.
4. If the answer is yes, the event tree is branched to distinguish between success and failure of the function; success always branches upward, failure downward.
5. If the system function has no effect, the tree does not branch but proceeds to the next system function (to the right).

Step 1 Identify the initiating event


system or equipment failure; human error; process upset. Example: loss of cooling water to an oxidation reactor.

Step 2 Identify the Safety Functions Designed to Deal with the Initiating Event
1. Safety systems that automatically respond to the initiating event.
2. Alarms that alert the operator when the initiating event occurs, and operator actions designed to be performed in response to alarms or required by procedures.
3. Barriers or containment methods that are intended to limit the effects of the initiating event.

Example
1. Oxidation reactor high temperature alarm alerts the operator at temperature T1.
2. Operator reestablishes cooling water flow to the oxidation reactor.
3. Automatic shutdown system stops the reaction at temperature T2 (T2 > T1).
These safety functions are listed in the order in which they are intended to occur.

Step 3: Construct the event tree. a. Enter the initiating event and the safety functions.
Initiating event: loss of cooling water to oxidation reactor.
Safety functions, left to right: oxidation reactor high temperature alarm alerts operator at temperature T1; operator reestablishes cooling water flow to oxidation reactor; automatic shutdown system stops reaction at temperature T2.

FIRST STEP IN CONSTRUCTING EVENT TREE

Step 3: Construct the event tree. b. Evaluate the safety functions.
The first safety function (high temperature alarm alerts operator at temperature T1) is evaluated against the initiating event (loss of cooling water to oxidation reactor): success branches upward, failure downward.

REPRESENTATION OF THE FIRST SAFETY FUNCTION

Step 3: Construct the event tree. b. Evaluate the safety functions (continued).
The second safety function (operator reestablishes cooling water flow to oxidation reactor) is evaluated on each existing branch, again with success upward and failure downward. If the safety function does not affect the course of the accident, the accident path proceeds with no branch point to the next safety function.

REPRESENTATION OF THE SECOND SAFETY FUNCTION

Step 3: b. Evaluate the safety functions (continued).
The third safety function (automatic shutdown system stops reaction at temperature T2) is evaluated on each branch, which completes the tree.

COMPLETED EVENT TREE

Step 4: Describe the accident sequences.
A is the initiating event: loss of cooling water to oxidation reactor. The failure identifiers of the safety functions are B, oxidation reactor high temperature alarm alerts operator at temperature T1; C, operator reestablishes cooling water flow to oxidation reactor; D, automatic shutdown system stops reaction at temperature T2. Success branches upward, failure downward.
Accident sequences:
A    Safe condition, return to normal operation
AC   Safe condition, process shutdown
ACD  Unsafe condition, runaway reaction, operator aware of problem
AB   Unstable condition, process shutdown
ABD  Unsafe condition, runaway reaction, operator unaware of problem

ACCIDENT SEQUENCES

Example Event Tree

Figure 11-8 Reactor with high temperature alarm and temperature controller. (Diagram labels: reactor feed, cooling coils, cooling water in, cooling water out, temperature controller TIC, thermocouple, high temperature alarm TIA, alarm at T > TA.)

Figure 11-9 Event tree for a loss of coolant accident for the reactor of Figure 11-8.
Initiating event A: loss of cooling, 1 occurrence/yr.
Safety functions (identifier, failures/demand):
B  High temperature alarm alerts operator  0.01
C  Operator notices high temperature  0.25
D  Operator restarts cooling  0.25
E  Operator shuts down reactor  0.1
Branch frequencies (occurrences/yr) after each branch point: 0.99 and 0.01 after B; 0.0075 and 0.0025 after C; 0.2475, 0.001875 and 0.000625 after D.
Accident sequences (occurrences/yr):
A      0.7425     Continue operation
AD     0.2227     Shut down
ADE    0.02475    Runaway
AB     0.005625   Continue operation
ABD    0.001688   Shut down
ABDE   0.0001875  Runaway
ABC    0.001875   Continue operation
ABCD   0.0005625  Shut down
ABCDE  0.0000625  Runaway
Shutdown = 0.2227 + 0.001688 + 0.005625 = 0.2250 occurrences/yr. Runaway = 0.02475 + 0.0001875 + 0.0000625 = 0.02500 occurrences/yr.
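As an added example, not from the chapter, the following Python reproduces the Figure 11-9 computation: it walks the safety functions in demand order, splits the frequency at each branch point (success keeps 1 - p, failure keeps p) and sums the terminal branches by outcome. The "applies" predicates, which say on which paths a function is demanded, are my reading of the figure, and the check that all branches sum back to the initiating frequency is the consistency test a practitioner runs on any event tree.

```python
# Added example (not from the chapter): event tree evaluator for Figure 11-9.
# Each safety function: (identifier, failures/demand, predicate: is it demanded on this path?).
# C (operator notices high temp) is only demanded when the alarm B failed; E (operator shuts
# down) is only demanded when cooling was not restored, i.e. D failed.
FIG_11_9 = [
    ("B", 0.01, lambda path: True),          # high temperature alarm alerts operator
    ("C", 0.25, lambda path: "B" in path),   # operator notices high temperature
    ("D", 0.25, lambda path: True),          # operator restarts cooling
    ("E", 0.10, lambda path: "D" in path),   # operator shuts down reactor
]

def fig_11_9_outcome(path):
    """Outcome of a terminal branch from the identifiers of the failed functions."""
    if "E" in path:
        return "Runaway"
    if "D" in path:
        return "Shut Down"
    return "Continue Operation"

def walk_event_tree(freq, safety_functions, outcome, path="A", index=0, results=None):
    """Return [(path, occurrences/yr, outcome)] for every terminal branch of the tree."""
    if results is None:
        results = []
    if index == len(safety_functions):
        results.append((path, freq, outcome(path)))
        return results
    ident, p_fail, applies = safety_functions[index]
    if not applies(path):  # no branch point: proceed to the next safety function
        return walk_event_tree(freq, safety_functions, outcome, path, index + 1, results)
    # Success branches upward with (1 - p_fail), failure downward with p_fail.
    walk_event_tree(freq * (1 - p_fail), safety_functions, outcome, path, index + 1, results)
    walk_event_tree(freq * p_fail, safety_functions, outcome, path + ident, index + 1, results)
    return results

def path_frequencies(initiating_freq=1.0, safety_functions=FIG_11_9, outcome=fig_11_9_outcome):
    return {p: f for p, f, _ in walk_event_tree(initiating_freq, safety_functions, outcome)}

def outcome_frequencies(initiating_freq=1.0, safety_functions=FIG_11_9, outcome=fig_11_9_outcome):
    """Sum branch frequencies per outcome; they must add back to the initiating frequency."""
    totals = {}
    for _, f, o in walk_event_tree(initiating_freq, safety_functions, outcome):
        totals[o] = totals.get(o, 0.0) + f
    assert abs(sum(totals.values()) - initiating_freq) < 1e-9, "branches must sum to the initiating frequency"
    return totals

if __name__ == "__main__":
    for p, f, o in walk_event_tree(1.0, FIG_11_9, fig_11_9_outcome):
        print(f"{p:6s} {f:.7f}  {o}")
    print(outcome_frequencies())
```

The tree of Figure 11-11 is obtained by inserting the high temperature shutdown function (0.01 failures/demand, demanded when D has failed) before E and making E demanded only when that shutdown has also failed.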

Figure 11-10 The computational sequence across a safety function in an event tree.
Initiating event: 0.5 occurrences/yr. Safety function: 0.01 failures/demand.
Success of safety function: (1 - 0.01) * 0.5 = 0.495 occurrences/yr.
Failure of safety function: 0.01 * 0.5 = 0.005 occurrences/yr.

Figure 11-11 Event tree for the reactor of Figure 11-8. This includes a high temperature shutdown system.
Initiating event A: loss of cooling, 1 occurrence/yr.
Safety functions (identifier, failures/demand):
B  High temperature alarm alerts operator  0.01
C  Operator notices high temperature  0.25
D  Operator restarts cooling  0.25
E  High temperature shuts down  0.01
F  Operator shuts down reactor  0.1
Branch frequencies (occurrences/yr) after each branch point: 0.99 and 0.01 after B; 0.00750 and 0.0025 after C; 0.2475, 0.001875 and 0.000625 after D.
Accident sequences (occurrences/yr):
A       0.7425       Continue operation
AD      0.2450       Shut down
ADE     0.002228     Shut down
ADEF    0.0002475    Runaway
AB      0.005625     Continue operation
ABD     0.001856     Shut down
ABDE    0.00001688   Shut down
ABDEF   0.000001875  Runaway
ABC     0.001875     Continue operation
ABCD    0.0006187    Shut down
ABCDE   0.00000563   Shut down
ABCDEF  0.000000625  Runaway
Shutdown = 0.2450 + 0.001856 + 0.00001688 + 0.0006187 = 0.2475 occurrences/yr. Runaway = 0.0002475 + 0.000001875 + 0.000000625 = 0.0002500 occurrences/yr.

What is Fault Tree Analysis?


Fault Tree Analysis (FTA) is one of several deductive logic model techniques and one of the most common hazard identification tools. The deduction begins with a stated top-level hazardous or undesired event. It uses logic diagrams and Boolean algebra to identify single events and combinations of events that could cause the top event. Probability of occurrence values are assigned to the lowest events in the tree in order to obtain the probability of occurrence of the top event.

Fault tree main symbols.
Commonly used symbols: OR gate, AND gate, an event / fault, basic event.
Occasionally used symbols: incomplete event, an external event, inhibit gate.

FTA Symbols Explained
Basic event: a lowermost event that cannot be further developed, e.g. relay failure, switch failure.
An event / fault: this can be an intermediate event or a top event. They result from a logical combination of lower level events, e.g. both transmitters fail, runaway reaction.
OR gate: any one of the bottom events results in occurrence of the top event, e.g. either one of the root valves is closed, or the process signal to the transmitter fails.
AND gate: for the top event to occur, all the bottom events must occur, e.g. fuel, oxygen and an ignition source all have to be present for a fire.
Incomplete event: an event which has scope for further development but is not developed, usually because of insufficient data, e.g. software malfunction, human error.
External event: an event external to the system which can cause failure, e.g. fire.
Inhibit gate: the top event occurs only if the bottom event occurs and the inhibit condition is true, e.g. false trip of a unit when the maintenance override is not ON.

Procedure for Fault Tree Analysis
1. Define the TOP event.
2. Define the overall structure.
3. Explore each branch in successive levels of detail.
4. Perform corrections if required and make decisions.
5. Solve the fault tree.

Define the TOP event: use the PHA, P&ID, process description etc. to define the top event. If it is too broad, an overly large FTA will result, e.g. fire in process. If it is too narrow, the exercise will be costly, e.g. leak in the valve. The boundary for the top event definition can be a system, sub-system, unit, equipment or a function. Some good examples are: overpressure in vessel V1, motor fails to start, reactor high temperature safety function fails.



Explore each branch in successive levels of detail: continue the top-down process until the root cause for each branch is identified and/or until further decomposition is considered unnecessary, so that each branch ends with a basic event or an undeveloped event. Consider common cause failures and systematic failures in the process of decomposition. A good guide for when to stop decomposing is to go no further than the physical or functional bounds set by the top event.


Solve the fault tree: assign probabilities of failure to the lowest level event in each branch of the tree. From these data the intermediate event frequencies and the top event frequency can be determined using Boolean algebra and minimal cut set methods.

Minimal cut set theory: the fault tree consists of many levels of basic and intermediate events linked together by AND and OR gates. Some basic events may appear in different places of the fault tree. The minimal cut set analysis provides a new fault tree, logically equivalent to the original, with an OR gate beneath the top event whose inputs are the minimal cut sets. Each minimal cut set is an AND gate with a set of basic event inputs necessary and sufficient to cause the top event.
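As an added example, not from the chapter, the following Python derives the minimal cut sets of a small constructed fault tree in which one basic event (a shared thermocouple) feeds two OR gates, then compares the top-event probability obtained from the cut sets with a naive gate-by-gate evaluation that wrongly treats the gate inputs as independent. The event names, tree and probabilities are assumptions made for the illustration.

```python
from itertools import product

# Constructed fault tree (assumption, not from the chapter). Top event: the high temperature
# safety function fails, which needs both the alarm path and the shutdown path to fail.
# Both paths depend on the same thermocouple "TC", so TC is a repeated basic event.
PROBS = {"TC": 0.02, "ALARM": 0.01, "SDV": 0.05}   # failure probability per demand
TREE = ("AND", [("OR", ["TC", "ALARM"]),            # alarm path fails
                ("OR", ["TC", "SDV"])])             # shutdown path fails

def cut_sets(node):
    """Expand the gates into the set of all cut sets (each a frozenset of basic events)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                       # any single input causes the gate output
        return set().union(*child_sets)
    if gate == "AND":                      # one cut set from every input, combined
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate}")

def minimal_cut_sets(node):
    """Drop every cut set that contains another cut set as a proper subset."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}

def top_probability(node, probs):
    """OR of the minimal cut sets (rare-event sum), each cut set an AND (product)."""
    total = 0.0
    for cs in minimal_cut_sets(node):
        term = 1.0
        for event in cs:
            term *= probs[event]
        total += term
    return total

def gate_by_gate(node, probs):
    """Naive evaluation assuming independent gate inputs: wrong when a basic event repeats."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    values = [gate_by_gate(c, probs) for c in children]
    if gate == "AND":
        result = 1.0
        for v in values:
            result *= v
        return result
    survive = 1.0
    for v in values:
        survive *= 1.0 - v
    return 1.0 - survive
```

For this tree the minimal cut sets are {TC} and {ALARM, SDV}, so the shared thermocouple alone defeats the safety function; the gate-by-gate figure is roughly ten times too low because it treats the two OR gates as if they failed independently.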


Advantages of FTA
1. Deals well with parallel, redundant or alternative fault paths.
2. Searches for possible causes of an end effect which may not have been foreseen.
3. The cut sets derived in FTA can give enormous insight into the various ways the top event occurs.
4. A very useful tool for focused analysis where analysis is required for one or two major outcomes.

Disadvantages of FTA
1. Requires a separate fault tree for each top event, which makes it difficult to analyze complex systems.
2. Fault trees developed by different individuals are usually different in structure, producing different cut set elements and results.
3. The same event may appear in different parts of the tree, leading to some initial confusion.
