EVENT TREE ANALYSIS

Event tree analysis evaluates potential accident

outcomes that might result following an equipment
failure or process upset known as an initiating event.
It is a forward-thinking process, i.e. the analyst
begins with an initiating event and develops the
following sequences of events that describes
potential accidents, accounting for both the successes
and failures of the safety functions as the accident
progresses.

Guidelines
1. Identify an initiating event of interest.
2. Identify the safety functions designed to
deal with the initiating event.
3. Construct the event tree.
4. Describe the resulting accident event
sequences.

Step 1 Identify the initiating event

system or equipment failure
human error
process upset
[Example]
Loss of Cooling Water
to an Oxidation Reactor

Step 2 Identify the Safety Functions

Designed to Deal with the Initiating
Event
Safety system that automatically respond to
the initiating event.
Alarms that alert the operator when the
initiating event occurs and operator actions
designed to be performed in response to
alarms or required by procedures.
Barriers or Containment methods that are
intended to limit the effects of the initiating
event.

Example
Oxidation reactor high temp. Alarm alerts
operator at temp T1.
Operator reestablish cooling water flow to
the oxidation reactor.
Automatic shutdown system stops reaction
at temp. T2. T2 > T1
These safety functions are listed in the order
in which they are intended to occur.

Step 3: Construct the Event Tree

a. Enter the initiating event and safety functions.

SAFETY
FUNCTION

Oxidation reactor
high temperature
alarm alerts operator
at temperature T1

Operator
reestablishes
cooling water flow
to oxidation reactor

Automatic
shutdown system
stops reaction at
temperature T2

INITIATING EVENT:
Loss of cooling water
to oxidation reactor

FIRST STEP IN CONSTRUCTING EVENT TREE

Step 3: Construct the Event Tree

b. Evaluate the safety functions.

SAFETY
FUNCTION

Oxidation reactor
high temperature
alarm alerts operator
at temperature T1

Operator
reestablishes
cooling water flow
to oxidation reactor

Automatic
shutdown system
stops reaction at
temperature T2

INITIATING EVENT:
Loss of cooling water
to oxidation reactor

Success

Failure

REPRESENTATION OF THE FIRST SAFETY FUNCTION

Step 3: Construct the Event Tree

b) Evaluate the safety functions.

SAFETY
FUNCTION

Oxidation reactor
high temperature
alarm alerts operator
at temperature T1

Operator
reestablishes
cooling water flow
to oxidation reactor

Automatic
shutdown system
stops reaction at
temperature T2

INITIATING EVENT:
Loss of cooling water
to oxidation reactor

Success

Failure

If the safety function does not affect the course of the

accident, the accident path proceeds with no branch pt to
the next safety function.

REPRESENTATION OF THE SECOND SAFETY FUNCTION

Step 3: b. Evaluate safety functions.

SAFETY
FUNCTION

Oxidation reactor
high temperature
alarm alerts operator
at temperature T1

Operator
reestablishes
cooling water flow
to oxidation reactor

Automatic
shutdown system
stops reaction at
temperature T2

INITIATING EVENT:
Loss of cooling water
to oxidation reactor

Success

Completed !
Failure

COMPLETED EVENT TREE

Step 4: Describe the Accident Sequence

Oxidation reactor
Operator
high temperature
reestablishes
SAFETY
FUNCTION alarm alerts operator cooling water flow
at temperature T1
to oxidation reactor

Automatic
shutdown system
stops reaction at
temperature T2

A Safe condition,
return to normal
operation
AC Safe condition,
process shutdown
INITIATING EVENT:
ACD Unsafe condition,
runaway reaction,
operator aware of
problem
AB
Unstable condition,
process shutdown

Loss of cooling water

to oxidation reactor
A

ABD Unsafe condition,

runaway reaction,
operator unaware
of problem

Success

Failure

ACCIDENT SEQUENCES

Cooling Coils

Reactor Feed

Cooling Water Out

Cooling
Water In

Reactor
TIC
Temperature
Controller

Alarm
at
T > TA

TIA
Thermocouple
High Temperature Alarm

Figure 11-8 Reactor with high

temperature alarm and temperature
controller.

High Temp
Safety Function: Alarm Alerts
Operator

Identifier:
Failures/Demand:

Operator
Notices
High Temp

Operator
Re-starts
Cooling

Operator
Shuts Down
Reactor

0.01

0.25

0.25

0.1

0.99
0.2475
A
1
Initiating Event:
Loss of Cooling
1 Occurrence/yr.

0.0075
0.001875
0.01
0.0025
0.000625

Shutdown = 0.2227 + 0.001688 + 0.005625 = 0.2250 occurrences/yr.

A
0.7425
AD
0.2227
ADE
0.02475
AB
0.005625
ABD
0.001688
ABDE
0.0001875
ABC
0.001875
ABCD
0.0005625
ABCDE
0.0000625

Runaway = 0.02475 + 0.0001875 + 0.0000625 = 0.02500 occurrences/yr.

Figure 11-9 Event tree for a loss of coolant accident for the reactor of Figure 11-8.

Result

Continue Operation
Shut Down
Runaway
Continue Operation
Shut Down
Runaway
Continue Operation

Shut Down
Runaway

Safety Function
0.01 Failures/Demand

Initiating
Event

Success of Safety Function

(1-0.01)*0.5 = 0.495 Occurrence/yr.

0.5 Occurrences/yr.
Failure of Safety Function
0.01*0.5 = 0.005 Occurrence/yr.

Figure 11-10 The computational sequence across a safety function in an

event tree.

High Temp
Safety Function: Alarm Alerts
Operator

Identifier:
Failures/Demand:

B
0.01

Operator
Notices
High Temp

Operator
Re-starts
Cooling

Operator
Shuts Down

C
0.25

D
0.25

E
0.01

0.99
0.2475

A
1

Initiating Event:
Loss of Cooling
1 Occurrence/yr.

0.00750
0.001875

0.01

0.0025
0.000625

Operator
Shuts Down
Reactor

Result

F
0.1

A
0.7425
AD
0.2450
ADE
0.002228
ADEF
0.002475
0.0002475
AB
0.005625
ABD
0.001856
ABDE
0.00001688
ABDEF
0.00001875 0.000001875
ABC
0.001875
ABCD
0.0006187
ABCDE
0.00000563
ABCDEF
0.00000675 0.000000625

Continue Operation
Shut Down

Shut Down
Runaway
Continue Operation
Shut Down
Shut Down
Runaway
Continue Operation
Shut Down
Shut Down
Runaway

Shutdown = 0.2450 + 0.001856 + 0.00001688 + 0.0006187 = 0.2475 occurrences/yr.

Runaway = 0.0002475 + 0.000001875 + 0.000000625 = 0.0002500 occurrences/yr.
Figure 11-11 Event tree for the reactor of Figure 11-8. This includes a high temperature shutdown system.