
L10 Event Tree

Quantitative Risk Analysis L09b


Fall 2013
Event Trees
Event Tree Method
from cause to effect approach
if successful operation of a system depends on an
approximately chronological, but discrete, operation of
its units or subsystems
units should work in a defined sequence for operational success
examples?
Event Tree Method
[Figure: event tree. Initiating event: brakes misbehavior. Driver maintains control: no accident. Driver loses control: accident.]
Event Tree Method
Event tree analysis (ETA) is an inductive procedure
(compared to the deductive FTA) to diagram events that can
progress from an initiation event and result in outcome
events, which can include losses.
Sequential events diagrammed in an event tree (ET) include
hazard guards or mitigation barriers (success or fail) to
reduce the probability of event occurrences and outcome
losses.
In addition to event identification, probabilities of
intermediate events and outcomes are calculated from the
initiating event frequency and other information.
An ET, like an FT, is both qualitative and quantitative in
representing the system.
Event Tree Features
A horizontal structure beginning with the FT initiating
event on the left with events from left to right in time
sequence or based on outcome severity.
Note the bowtie structure of a joined FT and ET.
Barrier events shown on top of event tree include
component operation (success/fail) subsystem operation,
software response, or human actions.
Success of a barrier results in an upward branch, , and
failure results in a downward branch, .
(Or, the directions can be opposite.)
A Boolean expression corresponds to the sequence logic
of each scenario with outcome.
Event Tree Construction
Identify initiation event; estimate frequency.
Note that a separate ET is developed for each identified
initiation event from a FT top event joined to an ET
initial event to form a Bow Tie, .
Identify barriers to reduce the probability of event
progression, and estimate probabilities of success.
Develop events in time and effect sequence.
Estimate the frequency of the initiating event and the
probabilities of each event tree branch from base event
data or from a fault tree.
Calculate probabilities/frequencies for scenario
outcomes; Estimate consequences.
Example
Nuclear Reactor Protection System (NRPS)
Event heading: protective barriers
Reduce probability of loss outcomes
Mitigate consequences of loss outcomes
Each branch point:
success or failure (total probability = 1)
System barriers
RP (reactor protection): shutdown
ECA, ECB: emergency coolant, short term (post shutdown
radioactive decay)
LHR: emergency coolant, long term
Example
Nuclear Reactor Protection System (NRPS)
[Figure: NRPS event tree. Surviving labels: pipe break, reactor shut down, coolant (three times); events A, B, C, D, E.]
ET Event Probabilities
How can the event probabilities in the ET be obtained?
Base events for which data are available, or
Top events of fault trees
FT for each ET Event for the NRPS
[Figure: fault trees for ET events A, B, C, D. Base events shown: A: a; B: b, c, d; C: e, d; D: c, e, h.]
Write logic expressions for top event occurrences:
List the cut sets of base events for each fault tree:
Identify the base events for which data are available.
Evaluation for the NRPS
Logic for A, B, C, D assuming independence and REA:
A = a
B = b + cd
C = e + d
D = c + eh
Scenario 5 logic:
A, initiating event; B, shutdown; C, cooling, D, cooling
ABCD
Boolean expression and reduction:
Evaluation for the NRPS
Boolean expression and reduction:
repeat the calculations
ABCD
State ET minimum event sets of Scenario 5:
Evaluation for the NRPS
Probability of Scenario 5 from logic expression:
Pr(ABCD)
Event sets of Scenario 5:
(a,b,c,e,h), (a,b,c,d,e), (a,b,d,e,h)
Evaluation for the NRPS
Assumption made for OR terms?
Reduce probability expression to calculate Pr using
failure probabilities of the base events, a, b, c, d, e, h.
Pumping System (PS1)
Flowchart
Distinct events: AC, S, and PS to be placed on an
ET in order of consequence severity, which is ?
AC: power source
S: sensing & control
PS: pumping system
Event Tree for Pumping System (PS1)
AC failure causes failure of S and PS: place 1st in heading.
S failure causes PS failure: place 2nd.
PS failure: place 3rd in sequence.
Each event is subject to FTA unless?
Pumping System (PS1)
Fault Trees
Develop an event tree considering only AC and pump failures. Use
"sink is low" as the initiating event.
Component D, replicated event, plays 2 different roles, e.g.,
signal to turn on ac power and start the pump.
Assume A, B, C, D, F events are independent.
Cut sets?
Pumping System (PS1)
Event Tree 2
[Figure: Event Tree 2 for PS1. Surviving labels: 1st, Outcomes.]
Logic for Outcome 2:
ac = A + B + CD
What assumptions?
Recall cut sets for ac: (A), (B), (C, D)
Cut sets for P: (D,F)
P = DF
(if independent)
Express ET events in terms of base components
Pumping System (PS1)
Event Tree 2 in terms of base events
Pumping System (PS1)
Event Tree 2
The failure Outcome 3 is represented by
= I(A + B + CD)
which includes the initiating event I
(low sink level AND ac failure).
Pumping System (PS1)
Frequency
The frequency of each scenario and the frequency of
system failure are calculated from the initial event
frequency and from failure probabilities of the base
components
f(system failure) =
System failure frequency in terms of base events
(obtained through Boolean reduction):
[Equation terms labelled Scenario 3 and Scenario 2; expressions not recovered.]
Pumping System (PS1)
Frequency
Recall from the general Boolean expression for 3 events
linked by OR,
$A \cup B \cup C = A + B + C - AB - AC - BC + ABC$
Need base event data to calculate the pumping system
failure frequency =
High probabilities: joint function general expression
Low probabilities: REA approximation
Scenario 2 Scenario 3
Event sets:
(I,A), (I,B), (I,C,D), (I,A,B,C,D,F)
(IA + IB + ICD)
Pumping System (PS1)
Frequency
Assume 2 s.d. in these data:
Note frequency time unit.
Pumping System (PS1)
Failure Frequency
The system failure frequency =
= 0.2136/month ~ 0.21/month (2 significant digits)
Total frequency of system failure:
Ave. time to system failure = 1/(0.21/month) = 4.8 months
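An added example (not from the original slides) that evaluates Event Tree 2 for PS1 from the page's logic ac = A + B + CD and P = DF, exactly and under the REA. The base-event probabilities and the initiating-event frequency are constructed sample values, since the slide's data table did not survive, so the result does not reproduce 0.2136/month.

```python
from itertools import product

# Constructed inputs: the slide's data table did not survive, so these are sample values.
P_FAIL = {"A": 0.05, "B": 0.02, "C": 0.10, "D": 0.03, "F": 0.08}  # per-demand failure probabilities
F_INIT = 2.0  # initiating event I ("sink is low"), demands per month (assumed)

def ac_fails(s):
    """ac = A + B + CD (cut sets (A), (B), (C, D) from the page)."""
    return s["A"] or s["B"] or (s["C"] and s["D"])

def pump_fails(s):
    """P = DF (cut set (D, F) from the page)."""
    return s["D"] and s["F"]

def outcome_probabilities(p_fail):
    """Exact Pr of each ET outcome, enumerating every base-event state.

    Enumeration keeps the replicated event D consistent across both
    headings, which multiplying Pr(ac ok) * Pr(P) would not.
    """
    names = sorted(p_fail)
    pr = {1: 0.0, 2: 0.0, 3: 0.0}
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        weight = 1.0
        for name in names:
            weight *= p_fail[name] if state[name] else 1.0 - p_fail[name]
        if ac_fails(state):
            pr[3] += weight          # Outcome 3: ac failure
        elif pump_fails(state):
            pr[2] += weight          # Outcome 2: ac available, pump fails
        else:
            pr[1] += weight          # Outcome 1: pumping succeeds
    return pr

def rea_outcomes(p):
    """Rare event approximation: sum cut-set products, drop success terms."""
    return {2: p["D"] * p["F"], 3: p["A"] + p["B"] + p["C"] * p["D"]}

def system_failure_frequency(p_fail, f_init):
    """f(system failure) = f_I * [Pr(Outcome 2) + Pr(Outcome 3)]."""
    pr = outcome_probabilities(p_fail)
    return f_init * (pr[2] + pr[3])

if __name__ == "__main__":
    exact, rea = outcome_probabilities(P_FAIL), rea_outcomes(P_FAIL)
    for k in (2, 3):
        print(f"Outcome {k}: exact {exact[k]:.6f}  REA {rea[k]:.6f}")
    print(f"f(system failure) = {system_failure_frequency(P_FAIL, F_INIT):.4f}/month")
```

Multiplying Pr(ac available) by Pr(DF) would overstate Outcome 2, because D appears under both headings; the enumeration yields (1-a)(1-b)(1-c)df instead.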
ETA Summary, Strengths
Represent ET event sequences following an initiating
(upset) event and additional events each modeled in a FT
(using base event data)
Analyze hazard barriers and activation sequences
designed to respond to system demand and reduce Pr or
mitigate outcomes.
Evaluate the need for improved procedures and more
effective and more nearly independent barriers to contain
hazards
ETA Summary, Limitations
Only one initiating event is incorporated in an event tree
(also a strength). An ET must be developed for each
identified initiation event.
Binary states (success/fail) of events.
Acts of omission are not included.
Not a systematic method to identify system dependencies
but is an initial method to identify and analyze outcomes
of events following I (an initiation event).
HOT OIL HEATING SYSTEM
Hot Oil Heating System
Event Tree and Bow Tie Application
Hot Oil Heating System
[Figure: hot oil heating system diagram. Surviving label: Initiating event.]
ET: Consequence Probabilities
Consequences of heating coil rupture depend on
hazards, initiation events, scenarios following initiation
events.
Use an event tree (ET) to estimate probabilities and
severities of scenario outcomes for each initiation event.
For a top event frequency of heater coils overheating and
rupturing = 0.0212/yr, similar outcomes are grouped
together, as shown below.
Heating Coil Overheating Outcome
Frequencies and Severities
Ex application: If the probability of fatal burns to operator is
estimated to be 5 %, the operator fatal accident frequency is
(0.00034/yr) x (0.05) = $1.7 \times 10^{-5}$/yr.
[Table: outcome frequencies and severities. Surviving column label: Severity.]
(Tweeddale, 2003)
EVENT PROPAGATION
AND PRECURSOR EVENTS
Event Propagation and Precursor Events
References
Kaplan, S., "On the Inclusion of Precursor and Near Miss Events in QRA: A
Bayesian Point of View and a Space Shuttle Example," Reliability Engineering
and System Safety, 27, 103-115, 1990 (Kaplan, 1990)
Corcoran, W.R., "Defining and Analyzing Precursors," in J.R. Phimister, et
al, ed., Accident Precursor Analysis and Management, National Academy of
Engineering, The National Academy Press, 2004 (Corcoran, 2004)
Dillon, R.L. and C.H. Tinsley, "How Near-Misses Influence Decision Making
Under Risk: A Missed Opportunity for Learning," Management Science, 54(8),
2008, pp. 1425-1440 (Dillon, 2008)
Events Preceding Upsets
Do upsets occur through preceding events, e.g., can
preceding events influence the occurrence of adverse
events?
Do random failures occur spontaneously by themselves
without precursors?
If not and if there are precursors to adverse events, why
not consider actions to reduce the likelihood of their
occurrence?
Precursors
Root Cause Analysis and Corrective Action after
Identification of a Precursor Event to Prevent a
Consequential Event
[Figure: surviving label: Near miss.]
Scenarios from an Initiating Failure
Each path through the tree is a scenario that progresses
from an initiating event, such as $\phi_c$, to an end state.
Scenario Branch Point Model
$\phi_k^j = f_k^j \, \phi_j$
Frequency of scenarios through branch point j: $\phi_j$
$\sum_{k=1}^{N} f_k^j = 1$
Split fraction $f_k^j = \phi_k^j / \phi_j$
A branch point j emerges with a frequency $\phi_j$, which can
branch to 2 or more outgoing branches each with a fraction of
incoming scenarios that continue along that branch, $f_k^j$. So
the outgoing frequency of the k-th branch is $\phi_k^j$.
[Figure: branch point j with incoming frequency $\phi_j$ and outgoing branches k = 1, k = 2, ..., k, ..., k = N with split fractions $f_1^j$, $f_2^j$, ..., $f_k^j$, ..., $f_N^j$.]
Scenario Frequency
The frequency of a particular scenario through the tree is
the product of the initiating event frequency for that
scenario and the product of all split fractions along the
particular scenario path.
Split fractions can be in terms of parameters such as
ROCOF,
i
, (unconditional) failure rates of system
components or of humans.
Simplest Scenario with Precursor Event
$\phi_m = (1 - f) \, \phi_c$
$\phi_h = f \, \phi_c$
Split fraction $f = \phi_h / \phi_c$
[Figure: Initiating Event with frequency $\phi_c$ branching to Hit (fraction $f$) and Near Miss (fraction $1 - f$).]
A precursor event emerges with an initiating
event of frequency $\phi_c$, which can branch to a hit
(failure) with probability f (split fraction) or to a
near miss with probability 1 - f.
Near Misses as Near Failures to
Inspire Actions to Lower Risk
Note that the effect of observed near misses is to show
an unidentified failure scenario, and that the total risk
level is higher than originally estimated.
Therefore, the near-miss acts more like a failure than a
success, as shown in the previous figures.
Instead of taking action to make adjustments, personnel
often conclude that because a system upset did not
occur it is not likely to occur, and therefore they interpret
the near miss as more of a success and accept a higher
risk or they are inured to the risk as shown by Dillon and
Tinsley.
Incident Precursors
Precursors include procedure infractions and
compromises based on obsolete rules of thumb or
other inappropriate heuristics.
The difference in occurrence rates among levels of
adverse severities of major upsets, near misses,
compromises, and infractions can be categorized in
levels ~ a factor of 10 apart.
Causes of events at all levels are ~ the same.
Therefore, root cause analysis of precursors and
responses to precursors can and do reduce incident rates
and incident severities.
(Corcoran, 2004)
Event Occurrence Pyramid
Case Study
from Guidelines
Fault Tree p315 (check ECRA our example)
Event Tree. p327