[IEEE 2009 Annual Reliability and Maintainability Symposium (RAMS) - Fort Worth, TX, USA (2009.01.26-2009.01.29)] 2009 Annual Reliability and Maintainability Symposium

1-4244-2509-9/09/$20.00 ©2009 IEEE

Reliability Centered Preliminary Hazard Analysis

Nuo Zhao, PhD Candidate, System Engineering, BUAA of China
Tingdi Zhao, PhD, System Engineering, BUAA of China
Jin Tian, PhD, System Engineering, BUAA of China

Key Words: fuzzy set theory, hazard occurrence degree, preliminary hazard analysis, reliability, safety

SUMMARY & CONCLUSIONS

Preliminary Hazard Analysis (PHA) is a safety analysis method applied in the preliminary system design phase [1]. Its purpose is to identify hazards and assess the associated risks in order to support the subsequent safety design. Traditional PHA, however, has several shortcomings. First, the reliability information of the system is always useful for system safety but is rarely used in traditional PHA. Second, the qualitative risk assessment used in traditional PHA, specifically the risk matrix, easily leads to subjective assessments. Generally speaking, the effect of traditional PHA is limited. This paper modifies traditional PHA into RCPHA (Reliability Centered Preliminary Hazard Analysis) with two distinct advancements: (1) a reliability centered hazard analysis with the new concept of hazard occurrence degree, which uses the reliability data adequately to analyze the probability of hazard occurrence; (2) a multi-level, multi-factor integrated assessment of hazard severity based on fuzzy set theory, which achieves a quantitative assessment of system risk. Finally, RCPHA is validated by the analysis of a helm control system.

1 INTRODUCTION

The Preliminary Hazard Analysis (PHA) technique is a safety analysis method conducted in the preliminary design stage, as well as in other stages of a project, for identifying hazards. By estimating and collating each hazard's probability and severity, designers can evaluate the level of risk and propose measures for eliminating or mitigating these hazards.

One of the tools in common use in the risk assessment of traditional PHA is the risk matrix. The risk matrix grades the two factors that determine risk, probability and severity, into discrete levels and measures the risk by the product of the two level values. This combination of hazard probability and severity is a qualitative risk measure. The result assists the decision maker in deciding whether to accept a hazard and in ordering the priority of the identified hazards. The implementation of system modifications also has to take these risk measures into account. However, there are two problems with the implementation of a risk matrix. The first is that assigning a level to a hazard probability basically depends on the subjective judgement of the analyst; a quantitative measure is hard to obtain because there is usually not enough data available. The second is that there are no clear boundaries between the levels of hazard severity, so different analysts may assign different severity levels to the same hazard. Both problems may finally lead to a risk assessment that misleads the designer. Consequently, a quantitative risk assessment method is required to solve them.

Safety design is strongly related to reliability design, especially in the design of complex systems. As reliability engineering matures, it becomes possible to conduct hazard analysis using reliability data in the early stages of the system life cycle. At present there are few methods that use reliability data efficiently in PHA, although doing so would benefit multidisciplinary integrated design engineering.

Therefore, this paper presents a method for quantitative risk assessment in PHA that uses the available reliability data. The method, named Reliability Centered Preliminary Hazard Analysis (RCPHA), deals with hazards rooted in equipment failures, which can be analyzed in the reliability engineering activities. The quantitative risk assessment activities in RCPHA are: (1) reliability centered evaluation of the hazard occurrence probability; (2) integrated fuzzy evaluation of the hazard severity; (3) quantitative measurement of the risk.

2 THE METHOD OF RCPHA

RCPHA is a method based on the energy-release concept of accident causation theory, fuzzy theory and reliability data, which evaluates with quantitative measures the risk rooted in equipment failures. The object of RCPHA is a particular hazard event chain; one kind of hazard may be led to by different event chains. In the system design phase, evaluating a particular hazard event chain helps designers analyze the causal factors of the hazard and the process of its occurrence, which is the basis of safety design.

There are two estimating models for the quantitative measure of risk, as illustrated in Figure 1:

(1) The first model is the reliability centered evaluation model of the hazard occurrence probability. This model evaluates the probability of a hazard event chain using reliability data, which include the data from FMECA and the results of design reliability predictions. A parameter h is presented as the final measure of the probability of the chain.

(2) The other model is the integrated fuzzy evaluation model of the hazard severity. This model abandons the simple grading of risk into levels used in traditional PHA. It classifies the categories of hazard effect and breaks these categories down into several subcategories that can be evaluated more easily; evaluation criteria for the categories are also provided. Finally, the parameter k represents the hazard severity estimated by the integrated fuzzy evaluation method.

Figure 1: The composition of the RCPHA method

2.1 Reliability Centered Evaluation Model of Hazard Occurrence Probability

• The Process of Hazard Occurrence

According to the energy-release concept of accident causation theory, there are always different kinds of energy that can be released accidentally and trigger a hazard. These kinds of energy, as well as hazardous materials, are generally designated as the first category of hazard resource. The failure modes of the equipment that restrains or utilizes the first category of hazard resource are generally designated as the second category of hazard resource [2,3].

Focused on the design of equipment, a typical process of hazard occurrence is presented in Figure 2. The first category of hazard resource provides useful power in normal situations and carries out the designed functions. However, because of the second category of hazard resource, that is, random failures or failures in a hazardous environment, the equipment related to the first category of hazard resource loses its function. The accumulation, dissipation or release of the first category of hazard resource then triggers a hazard occurrence.

• Hazard Occurrence Degree h

The hazard occurrence degree is a parameter measuring the probability of the hazard event chain. It is not the failure probability of a single piece of equipment but a measure of the likelihood of all factors related to a certain hazard.

When identifying hazards rooted in equipment failure, all the information on the equipment related to the first category of hazard resource can be identified. This information includes the failure modes, the frequency ratio of each failure mode and the failure rates of the equipment. FMECA and reliability prediction are therefore the basis of RCPHA.

This paper presents the concept of hazard occurrence degree, represented by the parameter $h_i$. This measure, which is mainly based on the equipment failure rate, evaluates the probability of a hazard as modified by the failure mode frequency ratio and other factors. The composition of $h_i$ is illustrated in Figure 2. The parameters in Figure 2 are defined as follows.

(1) $e_i$: in the evaluation of the $i$th hazard, $e_i$ is the time frequency of the hazardous environment that acts as a causal factor, that is, the fraction of time during which the equipment is in the hazardous environment. If the occurrence of hazard $i$ does not depend on a hazardous environment, $e_i$ equals 1. Defining $T$ as the time of use and $T_e$ as the time exposed to the hazardous environment, $e_i = T_e / T$.

(2) $\lambda_{ij}$: the failure rate of the $j$th equipment related to hazard $i$.

(3) $\alpha_{ijk}$: the frequency ratio of the $k$th failure mode of the $j$th equipment for hazard $i$.

Figure 2: The process of hazard occurrence


The equation of the hazard occurrence degree is

$$h_i = e_i \prod_{j=1}^{n} \sum_{k=1}^{m} \lambda_{ij}\,\alpha_{ijk} \qquad (j = 1, 2, \ldots, n;\ k = 1, 2, \ldots, m). \quad (1)$$

2.2 Integrated Fuzzy Evaluation Model of the Hazard Severity

People's willingness to accept risk varies widely with the category of mission and the social background. Moreover, differences among analysts and their views in various situations may bring different results when evaluating the hazard severity. The RCPHA method analyzes the hazard effect hierarchically using an integrated fuzzy evaluation method and measures the hazard severity with a quantitative parameter.

The integrated fuzzy evaluation method is an effective tool for estimating projects and phenomena that are influenced by many kinds of factors [4-6]. The integrated fuzzy evaluation in RCPHA has the following aspects.

• Designing the Comment Set U

The comment set U represents the evaluation of the influence rooted in a hazard. There are generally four degrees of influence: Catastrophic, Critical, Marginal and Negligible. The comment set in this paper is therefore

U = {u1 = Catastrophic, u2 = Critical, u3 = Marginal, u4 = Negligible}

• Designing the Factor Set V

The factor set V is the collection of the hierarchical, multiple factors that need to be taken into account in the hazard severity evaluation. The evaluation can be accurate only when the information on the factors is detailed, so the factors are decomposed hierarchically into the First Grade Factor Set, the Second Grade Factor Set, and so on. In RCPHA the First Grade Factor Set is defined as:

V = {v1 = casualties, v2 = economic loss, v3 = task failure, v4 = environment damage}

Assuming there are $n$ factors in the First Grade Factor Set and $m$ comments in the comment set, the $s$th first-grade factor can be decomposed into a Second Grade Factor Set, in order to achieve a more accurate evaluation:

$$v_s = \{v_{s1}, v_{s2}, v_{s3}, \ldots\}, \qquad s = 1, 2, \ldots, n$$

• Determining the Factor Evaluating Vector $R_s$ and the Matrix $R$

The vector $R_s$ denotes the membership degrees of a single factor of the factor set to the elements of the comment set. If the $s$th factor evaluating vector is $R_s = \{r_{s1}, r_{s2}, r_{s3}, r_{s4}, \ldots, r_{sm}\}$, then $r_{st}$ is the membership degree of the $s$th factor to the $t$th comment.

The matrix $R$ denotes the membership degrees of the whole factor set to the comment set [7]. With hierarchical factors, the evaluating vectors of the second-grade factors under $v_j$ are stacked into the matrix $R_j$, and the integrated membership degree matrix is $R = (b_{jt})_{n \times m}$, whose rows are $B_{ij} = A_{ij} * R_j$. The parameters $A$ and $b$ are introduced below.

• Determining the Fuzzy Vector $A_i$ of the $i$th Hazard and Evaluating the Hazard Severity

The fuzzy vector $A_i$ holds the weights of the first-grade factors contained in the $i$th hazard, and $A_{ij}$ the weights of the second-grade factors under factor $v_j$. Let $B_{ij}$ be the result vector of the $i$th hazard for factor $v_j$, evaluated from $A_{ij}$ and the factor evaluating matrix $R_j$, and $B_i$ the total result vector of the evaluation of the $i$th hazard. Then

$$B_{ij} = A_{ij} * R_j = (b_{j1}, b_{j2}, \ldots, b_{jm}), \qquad j = 1, 2, \ldots, n. \quad (2)$$

The final result vector of the fuzzy evaluation of the $i$th hazard severity is

$$B_i = A_i * R = A_i * \begin{bmatrix} B_{i1} \\ B_{i2} \\ \vdots \\ B_{in} \end{bmatrix} = A_i * (b_{jt})_{n \times m}. \quad (3)$$

Depending on the type of the "A*R" composition, the integrated fuzzy evaluation has different meanings. Typical composition types include the "Dominant Factor Extruding Type", the "Dominant Factor Determining Type" and the "Average Weighted Factor Type". In RCPHA all factors in the factor set contribute to the hazard effect and the dominant factor is prominent; therefore the "Dominant Factor Extruding Type" is chosen for RCPHA. Note that the worked results in Section 3 (for example $B_{51} = A_{51} * R_1$) are obtained with the weighted-sum composition $b_t = \sum_s a_s r_{st}$.

The result vector $B$ of the integrated evaluation gives the membership degrees of a certain hazard to the comments. To quantify the hazard severity, RCPHA assigns the four comments grades between 0 and 1, a higher grade denoting a more critical hazard effect. Combined with the comment set U above, the grade vector is defined as $y_u = (y_1 = 1, y_2 = 0.8, y_3 = 0.6, y_4 = 0.4)$.

Let the hazard severity degree be $k_i$. Then

$$k_i = y_u B_i^{T} = (1, 0.8, 0.6, 0.4)\, B_i^{T}. \quad (4)$$
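The two-level evaluation of equations (2) to (4), carried through in code as an added example that is not part of the paper. The factor matrices, weight vectors and expected results are those of hazard No.5 in Section 3.3 of the paper. The weighted-sum composition reproduces the paper's numbers and is the default; the two max-based operators, the mapping of operator to composition-type name, the weight-sum check and the optional normalization are assumptions of this example, included to show how the choice of "A*R" type changes the result.

```python
"""Two-level integrated fuzzy evaluation of hazard severity (RCPHA, Section 2.2).

Added example, not the paper's own code. Data: hazard No.5 of Section 3.3.
"""
from __future__ import annotations
from typing import Sequence

Vector = Sequence[float]
Matrix = Sequence[Sequence[float]]

# Comment set U and its grade vector y_u (Section 2.2)
COMMENTS = ("Catastrophic", "Critical", "Marginal", "Negligible")
GRADES = (1.0, 0.8, 0.6, 0.4)

# Factor evaluating matrices R_1..R_4 of Section 3.3: one row per second-grade
# factor, one column per comment (membership degrees).
R1 = ((0, 0, 0.2, 0.8), (0, 0.1, 0.7, 0.2), (0.3, 0.7, 0, 0), (0.9, 0.1, 0, 0))
R2 = ((0, 0, 0, 1), (0.1, 0.4, 0.5, 0), (0.3, 0.7, 0, 0))
R3 = ((0, 0.2, 0.5, 0.3), (0.1, 0.4, 0.5, 0), (0.5, 0.5, 0, 0))
R4 = ((0, 0, 0, 1), (0, 0.4, 0.5, 0.1), (0.5, 0.5, 0, 0))

# Fuzzy (weight) vectors of hazard No.5: A_5 over the first-grade factors,
# A_51..A_54 over the second-grade factors of v_1..v_4.
A5 = (0.4, 0.3, 0.3, 0)
A5_SECOND = ((0.4, 0.55, 0.05, 0), (0.1, 0.8, 0.1), (0.15, 0.5, 0.35), (1, 0, 0))


def compose(a: Vector, r: Matrix, op: str = "weighted") -> list[float]:
    """Fuzzy composition B = A * R for the three 'A*R' types named in the paper.

    weighted : M(.,+)  b_t = sum_s a_s * r_st     (average weighted factor type;
                                                   reproduces the paper's numbers)
    prod_max : M(.,v)  b_t = max_s a_s * r_st     (dominant factor extruding type)
    min_max  : M(^,v)  b_t = max_s min(a_s, r_st) (dominant factor determining type)
    The operator-to-name mapping is the usual one in fuzzy evaluation and is an
    assumption of this example; the paper does not spell the formulas out.
    """
    if len(a) != len(r):
        raise ValueError("weight vector and factor matrix have different lengths")
    if abs(sum(a) - 1.0) > 1e-9:  # assumption: weights are normalized, as in the paper's data
        raise ValueError(f"weights must sum to 1, got {sum(a)}")
    cols = range(len(r[0]))
    if op == "weighted":
        return [sum(a_s * row[t] for a_s, row in zip(a, r)) for t in cols]
    if op == "prod_max":
        return [max(a_s * row[t] for a_s, row in zip(a, r)) for t in cols]
    if op == "min_max":
        return [max(min(a_s, row[t]) for a_s, row in zip(a, r)) for t in cols]
    raise ValueError(f"unknown composition type {op!r}")


def evaluate_hazard(first_weights: Vector, second_weights: Sequence[Vector],
                    factor_matrices: Sequence[Matrix], op: str = "weighted",
                    normalize: bool = False) -> tuple[list[float], float]:
    """Equations (2)-(4): B_ij = A_ij * R_j, B_i = A_i * [B_i1; ...; B_in],
    k_i = y_u . B_i^T.  Returns (B_i, k_i).

    normalize=True rescales B_i to sum to 1 before grading, which the max-based
    operators need for k_i to stay comparable (assumption of this example).
    """
    if not len(first_weights) == len(second_weights) == len(factor_matrices):
        raise ValueError("one weight vector and one matrix per first-grade factor")
    second_level = [compose(a, r, op) for a, r in zip(second_weights, factor_matrices)]
    b = compose(first_weights, second_level, op)
    if normalize:
        total = sum(b)
        b = [x / total for x in b] if total else b
    k = sum(y * bt for y, bt in zip(GRADES, b))
    return b, k


def severity_of_hazard_5(op: str = "weighted", normalize: bool = False):
    """Hazard No.5 of the paper: returns (B_5, k_5)."""
    return evaluate_hazard(A5, A5_SECOND, (R1, R2, R3, R4), op, normalize)


if __name__ == "__main__":
    for op in ("weighted", "prod_max", "min_max"):
        b, k = severity_of_hazard_5(op, normalize=(op != "weighted"))
        print(f"{op:9s} B5={[round(x, 4) for x in b]} k5={k:.4f}")
```

With the default weighted-sum composition the block returns B_5 = (0.1065, 0.2745, 0.4035, 0.2155) and k_5 = 0.6544, the values of equations (7) and (8). Running the max-based operators on the same data gives a different B_5, which is the practical reason to state the composition type explicitly whenever k_i values from different analyses are compared.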

2.3 Quantitative Calculation of Risk Measure

By definition the hazard severity degree $k_i$ lies between 0 and 1. The hazard occurrence degree $h_i$ given by formula (1) is far smaller than $k_i$, and its order of magnitude usually varies over several powers of 10. It is therefore necessary to transform $h_i$ into a value in the range 0 to 1 before assessing the risk together with the severity degree.

The quantitative measure of risk assessment is defined as $w_i$, computed as

$$w_i = k_i \cdot (-\log_{10} h_i)^{-1}. \quad (5)$$

The quantitative risk measure is the final result of the RCPHA method. It ranks the hazards by priority and helps to establish the recommended preventive measures for eliminating or mitigating them. Decisions on risk acceptance can be made by comparing or limiting the value of $w_i$.
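Equations (1) and (5) carried through on the Table 2 data of Section 3, as an added example that is not the paper's code. It takes the failure rates, failure mode ratios and environment frequencies of Table 2 together with the severity degrees $k_i$ from the same table, computes $h_i$ and $w_i$ for all nine hazard chains and ranks them. The dataclass layout, the helper names and the input checks are assumptions of this example. Section 3.2 uses $e_5 = 0.3$ while Table 2 prints $e_5 = 0.7$; the $h_5 = 0.35 \times 10^{-13}$ given on the page follows from 0.3, so that value is used here.

```python
"""Hazard occurrence degree (eq. 1), risk measure (eq. 5) and priority order.

Added example, not the paper's own code. Input data: Table 2 of the paper.
"""
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass
class Equipment:
    name: str
    failure_rate: float      # lambda_ij (failures per hour)
    mode_ratios: dict        # alpha_ijk: failure mode -> frequency ratio


@dataclass
class HazardChain:
    no: int
    hazard: str
    env_frequency: float     # e_i = T_e / T (1.0 when no hazardous environment)
    equipment: tuple         # Equipment objects in the event chain
    severity: float          # k_i from the fuzzy evaluation (Section 2.2)


def env_frequency(exposed_time: float, total_time: float) -> float:
    """e_i = T_e / T, with range checks (assumption of this example)."""
    if total_time <= 0 or not 0.0 <= exposed_time <= total_time:
        raise ValueError("need T > 0 and 0 <= T_e <= T")
    return exposed_time / total_time


def occurrence_degree(chain: HazardChain) -> float:
    """h_i = e_i * prod_j sum_k lambda_ij * alpha_ijk   (eq. 1)."""
    if not chain.equipment:
        raise ValueError("a hazard chain needs at least one piece of equipment")
    h = chain.env_frequency
    for eq in chain.equipment:
        ratios = list(eq.mode_ratios.values())
        # the ratios of the modes that feed one chain cannot exceed 1 in total
        if eq.failure_rate < 0 or any(a < 0 for a in ratios) or sum(ratios) > 1 + 1e-9:
            raise ValueError(f"bad failure data for {eq.name}")
        h *= eq.failure_rate * sum(ratios)   # sum_k lambda_ij * alpha_ijk
    return h


def risk_measure(k: float, h: float) -> float:
    """w_i = k_i * (-log10 h_i)^-1   (eq. 5).

    -log10(h) is positive only for h < 1, and w stays below k (hence below 1)
    only for h < 0.1; for the 1e-8..1e-14 values of Table 2 that always holds.
    """
    if not 0.0 < h < 1.0:
        raise ValueError("h must lie in (0, 1)")
    if not 0.0 <= k <= 1.0:
        raise ValueError("k must lie in [0, 1]")
    return k / (-math.log10(h))


def _chain(no, hazard, e, k, *equipment):
    return HazardChain(no, hazard, e, tuple(Equipment(*eq) for eq in equipment), k)


# Table 2 of the paper (barge helm control system); e_5 = 0.3 as in Section 3.2.
TABLE2 = (
    _chain(1, "tip-and-run injury", 0.95, 0.57,
           ("operating system", 50e-7, {"short circuit": 0.5}),
           ("fuse", 9e-9, {"not melt down": 0.35})),
    _chain(2, "helm lock by hydraulic valve failure", 1.0, 0.70,
           ("hydraulic valve", 35e-9, {"no action": 0.3})),
    _chain(3, "helm excursion by hydraulic valve failure", 1.0, 0.65,
           ("hydraulic valve", 35e-9, {"shut insufficiency": 0.6})),
    _chain(4, "helm excursion by pipe leakage", 1.0, 0.65,
           ("pipe", 10e-8, {"leakage": 0.6})),
    _chain(5, "hydraulic circuit losing voltage", 0.3, 0.65,
           ("fixing device", 75e-8, {"looseness": 0.8, "falling off": 0.1}),
           ("pipe", 5e-7, {"rived": 0.35})),
    _chain(6, "barge out of control", 0.005, 0.77,
           ("rudderpost", 5e-8, {"rupture": 0.05})),
    _chain(7, "feedback signal distortion", 1.0, 0.69,
           ("gear wheel", 13e-9, {"seriously frayed": 0.1})),
    _chain(8, "feedback signal distortion", 1.0, 0.69,
           ("gear rack", 20e-9, {"seriously frayed": 0.15})),
    _chain(9, "no feedback signal", 1.0, 0.62,
           ("gear axes", 25e-9, {"rupture": 0.5})),
)


def rank_hazards(chains=TABLE2):
    """Return (no, h_i, k_i, w_i) for every chain, highest risk measure first."""
    rows = []
    for c in chains:
        h = occurrence_degree(c)
        rows.append((c.no, h, c.severity, risk_measure(c.severity, h)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for no, h, k, w in rank_hazards():
        print(f"No.{no}  h={h:.3e}  k={k:.2f}  w={w:.3f}")
```

The ranking it returns (No.4, 2, 3, 8, 9, 7, 6, 5, 1) agrees with the $w_i$ column of Table 2 and with the statement in Section 3.4 that pipe leakage (No.4) carries the highest risk measure. The logarithm in equation (5) compresses the occurrence degree strongly: hazards No.1 and No.5 differ in $h_i$ by a factor of about five but in $w_i$ by less than 0.01, so when $w_i$ is used as an acceptance threshold the severity degree $k_i$ dominates the result.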

3 RCPHA VALIDATION WITH ANALYSIS OF HELM CONTROLLING SYSTEM OF BARGE

3.1 Hazard Analysis of Helm Controlling System


To carry out PHA on the barge helm control system, a hazard resource comparison table is established and used to look for the first category of hazard resource in the system. The result is shown in Table 1.

Category     | Hazard Resource
Electricity  | Power of operating system
Pressure     | Hydraulic pressure in hydraulic circuit
Vibration    | Vibration of hydraulic valve
             | Vibration of rectrices
Stress       | Feedback machine: tribological stress of gear wheel
             | Feedback machine: tribological stress of gear rack
             | Feedback machine: tangent stress of gear axes

Table 1: Hazard resource analysis table

The analysis of the first category of hazard resource then uses the reliability data of the equipment related to each hazard event chain. The results are entered in the RCPHA table, Table 2.

3.2 Quantitative Evaluation of The Hazard Occurrence Probability In Helm Controlling System

This paper analyzes hazard No.5, described in Table 2 as "Hydraulic Circuit losing voltage due to hydraulic valve vibration". The event chain of this hazard includes the hydraulic valve fixing device and the hydraulic pipeline. The hazardous environment of hazard No.5 is the vibration generated when the hydraulic valve is opening or closing. The equipment failure modes in this situation are shown in Table 2.

The time frequency of the hazardous environment: $e_5 = 0.3$;
Failure rate of the hydraulic valve fixing device: $\lambda_{51} = 75 \times 10^{-8}$;
Frequency ratio of the fixing device failure mode "loosening": $\alpha_{511} = 0.8$;
Frequency ratio of the fixing device failure mode "abscission": $\alpha_{512} = 0.1$;
Failure rate of the hydraulic pipeline: $\lambda_{52} = 5 \times 10^{-7}$;
Frequency ratio of the hydraulic pipeline failure mode "fracture": $\alpha_{521} = 0.35$.

From the data above, the hazard occurrence degree is

$$h_5 = e_5 \prod_{j=1}^{n} \sum_{k=1}^{m} \lambda_{5j}\,\alpha_{5jk} = 0.35 \times 10^{-13}. \quad (6)$$

The hazard occurrence degrees of the event chains due to the other hazard resources are shown in Table 2.

3.3 Quantitative Hazard Severity Evaluation of Helm Controlling System

Focusing on the characteristics of the helm control system, the factors of hazard effect are divided into two grades. The First Grade Factor Set is

V = {v1 = casualties, v2 = economic loss, v3 = task failure, v4 = environment damage};

The Second Grade Factor Sets derived from the First Grade Factor Set are

v1 = {v11 = no casualty, v12 = injuries, v13 = one person dead, v14 = multiple deaths};

v2 = {v21 = no economic loss, v22 = loss of less than a million dollars, v23 = loss of more than a million dollars};

v3 = {v31 = no mission effect, v32 = mission blocked, v33 = mission failure};

v4 = {v41 = no environment effect, v42 = less severe environment damage, v43 = severe environment damage}.

To obtain the evaluating vector of each factor, membership degrees to all comments are designed for each factor. For example, the membership degrees of the factor "v11 = no casualty" are 0 to "u1 = Catastrophic", 0 to "u2 = Critical", 0.2 to "u3 = Marginal" and 0.8 to "u4 = Negligible", so the evaluating vector of v11 is $r_{11} = (0, 0, 0.2, 0.8)$. The other evaluating vectors of the factors are

$$R_1 = \begin{pmatrix} r_{11} \\ r_{12} \\ r_{13} \\ r_{14} \end{pmatrix} = \begin{pmatrix} 0 & 0 & 0.2 & 0.8 \\ 0 & 0.1 & 0.7 & 0.2 \\ 0.3 & 0.7 & 0 & 0 \\ 0.9 & 0.1 & 0 & 0 \end{pmatrix}, \qquad R_2 = \begin{pmatrix} r_{21} \\ r_{22} \\ r_{23} \end{pmatrix} = \begin{pmatrix} 0 & 0 & 0 & 1 \\ 0.1 & 0.4 & 0.5 & 0 \\ 0.3 & 0.7 & 0 & 0 \end{pmatrix},$$

$$R_3 = \begin{pmatrix} r_{31} \\ r_{32} \\ r_{33} \end{pmatrix} = \begin{pmatrix} 0 & 0.2 & 0.5 & 0.3 \\ 0.1 & 0.4 & 0.5 & 0 \\ 0.5 & 0.5 & 0 & 0 \end{pmatrix}, \qquad R_4 = \begin{pmatrix} r_{41} \\ r_{42} \\ r_{43} \end{pmatrix} = \begin{pmatrix} 0 & 0 & 0 & 1 \\ 0 & 0.4 & 0.5 & 0.1 \\ 0.5 & 0.5 & 0 & 0 \end{pmatrix}.$$

The membership degrees to the factor set differ from hazard to hazard. In this paper the severity of hazard No.5 ("Hydraulic Circuit losing voltage due to hydraulic valve vibration" in Table 2) is analyzed as the example. Its hierarchical membership degree vectors to the factor sets are:

$A_5 = (0.4, 0.3, 0.3, 0)$, $A_{51} = (0.4, 0.55, 0.05, 0)$, $A_{52} = (0.1, 0.8, 0.1)$, $A_{53} = (0.15, 0.5, 0.35)$, $A_{54} = (1, 0, 0)$.

For the Second Grade Factor Sets the result vectors of the evaluation are:

$B_{51} = A_{51} * R_1 = (0.015, 0.09, 0.465, 0.43)$;
$B_{52} = A_{52} * R_2 = (0.11, 0.39, 0.4, 0.1)$;
$B_{53} = A_{53} * R_3 = (0.225, 0.405, 0.325, 0.045)$;
$B_{54} = A_{54} * R_4 = (0, 0, 0, 1)$.

The integrated fuzzy severity evaluation of hazard No.5 is:

$$B_5 = A_5 * R = (0.4, 0.3, 0.3, 0) * \begin{bmatrix} B_{51} \\ B_{52} \\ B_{53} \\ B_{54} \end{bmatrix} = (0.1065, 0.2745, 0.4035, 0.2155). \quad (7)$$

The hazard severity degree of hazard No.5 is $k_5$:

$$k_5 = (1, 0.8, 0.6, 0.4)\,(0.1065, 0.2745, 0.4035, 0.2155)^{T} = 0.65. \quad (8)$$

The other hazard severity degrees, calculated by the same steps, are shown in Table 2.


No. | Hazard resource | Hazardous environment | Equipment (failure rate) | Failure mode (α_ijk) | Hazard | h_i | k_i | w_i
1 | Power of operating system | Watery, e_1 = 0.95 | operating system (50×10^-7); fuse (9×10^-9) | short circuit (0.5); not melt down (0.35) | tip-and-run injury | 0.75×10^-14 | 0.57 | 0.040
2 | Hydraulic pressure in hydraulic circuit | No hazardous environment (NHE), e_2 = 1 | hydraulic valve (35×10^-9) | no action (0.3) | helm lock by hydraulic valve failure | 1.05×10^-8 | 0.7 | 0.088
3 | Hydraulic pressure in hydraulic circuit | NHE, e_3 = 1 | hydraulic valve (35×10^-9) | shut insufficiency (0.6) | helm excursion by hydraulic valve failure | 2.1×10^-8 | 0.65 | 0.085
4 | Hydraulic pressure in hydraulic circuit | NHE, e_4 = 1 | pipe (10×10^-8) | leakage (0.6) | helm excursion by pipe leakage | 6.0×10^-8 | 0.65 | 0.09
5 | Vibration of hydraulic valve | Vibration, e_5 = 0.7 | fixing device (75×10^-8); pipe (5×10^-7) | looseness (0.8) + falling off (0.1); rived (0.35) | hydraulic circuit losing voltage | 0.35×10^-13 | 0.65 | 0.048
6 | Vibration of rectrices | Swerve, e_6 = 0.005 | rudderpost (5×10^-8) | rupture (0.05) | barge out of control | 1.25×10^-11 | 0.77 | 0.071
7 | Tribological stress of gear wheel | NHE, e_7 = 1 | gear wheel (13×10^-9) | seriously frayed (0.1) | feedback signal distortion | 1.3×10^-9 | 0.69 | 0.078
8 | Tribological stress of gear rack | NHE, e_8 = 1 | gear rack (20×10^-9) | seriously frayed (0.15) | feedback signal distortion | 3×10^-9 | 0.69 | 0.081
9 | Tangent stress of gear axes | NHE, e_9 = 1 | gear axes (25×10^-9) | rupture (0.5) | no feedback signal | 1.25×10^-8 | 0.62 | 0.078

Table 2: The RCPHA table of the barge helm control system

3.4 Quantitative Risk Evaluation of Helm Controlling System

From the results for hazard No.5 ("Hydraulic Circuit losing voltage due to hydraulic valve vibration") obtained in Sections 3.2 and 3.3, the risk measure of hazard No.5 is:

$$w_5 = k_5 \cdot (-\log_{10} h_5)^{-1} = 0.048. \quad (9)$$

The quantitative risk measures of the other hazards are shown in Table 2. The quantitative risk measure of each hazard is obtained by the preliminary risk analysis of the barge helm control system. Ordering the risk measures, the hazard due to pipe leakage, hazard No.4 in Table 2, is found to be the most hazardous.

The risk evaluation in the traditional PHA method was carried out with the risk matrix; the result is shown in Figure 3, where the numbers in the cells are the hazard serial numbers. It is very hard to rank hazards that fall in the same cell of the traditional risk matrix. Moreover, the classification of hazards near the boundary between the acceptable and unacceptable areas is easily affected by the analyst's point of view, so that an unacceptable hazard may drop into the acceptable area, as happens with hazards No.2, No.3, No.7, No.8 and No.9 in Figure 3.

Figure 3: Risk matrix in traditional PHA

The result of the RCPHA analysis of the barge helm control system is a quantitative risk measure for each hazard, so the risk of different hazards can be distinguished clearly. The distribution of all hazards in the severity degree vs. occurrence degree plane is shown in Figure 4, and the histogram of the ranked risk measures in Figure 5.

Figure 4: Distribution of hazards by severity degree and occurrence degree

Figure 5: Histogram of the ranked risk measures

4 COMMENTARY

Starting from the risk evaluation problems of traditional PHA, this paper presents the RCPHA method, which provides a quantitative risk assessment. The method was validated on the helm control system of a barge. The results show that the quantitative risk measure of RCPHA is more helpful for risk ranking than the qualitative risk evaluation of traditional PHA, and can assist designers in system safety design.

REFERENCES

1. C. A. Ericson II, Hazard Analysis Techniques for System Safety, John Wiley & Sons, Inc.

2. R. Elvik, "Laws of accident causation", Accident Analysis and Prevention 38 (2006), pp. 742-747.

3. J. J. Sammarco, P.E., "Addressing the Safety of Programmable Electronic Mining Systems: Lessons Learned", National Institute for Occupational Safety and Health, PA 15236.

4. J. Bezdek and J. Harris, "Fuzzy Partitions and Relations: An Axiomatic Basis for Clustering", Fuzzy Sets and Systems 1, 1978, pp. 112-127.

5. T. Y. Lin, "Measure Theory on Granular Fuzzy Sets", 0-7803-5211-4/99, IEEE.

6. T. Y. Lin, "Granular Fuzzy Sets", 6th European Congress on Intelligent Techniques & Soft Computing, September 7-10, 1998, pp. 94-98.

7. T. Y. Lin, "Sets with Partial Memberships: A Rough Sets View of Fuzzy Sets", 1998 World Congress of Computational Intelligence, May 4-9, 1998.

BIOGRAPHIES

Nuo Zhao, PhD Candidate, Department of System Engineering, Beijing University of Aeronautics and Astronautics, 37 Xueyuan Street, Beijing 100191, China

e-mail: [email protected]

Nuo Zhao is a PhD candidate in system engineering. His main research interests are system safety and reliability system engineering. He has worked as a consultant in reliability techniques for 3 years.

Tingdi Zhao, Professor, Beijing University of Aeronautics and Astronautics

e-mail: ztd@buaa.edu.cn

Professor Tingdi Zhao holds a PhD in system engineering. His main research interests are reliability system engineering and safety system engineering.

Jin Tian, PhD, Department of System Engineering, Beijing University of Aeronautics and Astronautics

e-mail: [email protected]

Jin Tian earned her doctoral degree in Physics at Beijing University of Aeronautics and Astronautics.