
System Safety M11 Event Tree Analysis V1.3

Matthew Squair

UNSW@Canberra

15 October 2015

1 Matthew Squair M11 Event Tree Analysis V1.3


Except for images whose sources are specifically identified, this copyright work is licensed under a Creative Commons Attribution-Noncommercial, No-derivatives 4.0 International licence.

To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/


1 Introduction

2 Overview

3 Methodology

4 Limitations, advantages and disadvantages

5 Conclusions

6 Further reading


Introduction

Learning outcomes

The student is able to appropriately apply common cause analysis methods as part of a hazard analysis

For a nominated initiating event the student will be able to identify and prepare event sequences that lead to hazards

The student will understand the strengths and weaknesses of the method


Overview

Although first described by the physicist Christiaan Huygens in the 17th century, the first use of event trees in safety analysis was the WASH-1400 NRC report on the safety of nuclear power plants [NRC 1975]

The potential hazardous trigger event is known as the initiator.

Event trees are an inductive, forward logic (known cause, unknown result) technique which examines all possible responses to the initiating event

They are portrayed as:

Progressing left (initiator) to right (end states)

Branches of the tree represent success or failure

Think of Blaise Pascal’s parallel worlds


Event tree example 1: Reactor core breach [NRC 1975]

Figure: WASH-1400 Example Event Tree (Executive report Fig 4-3)


Example 2: Fire modelling

Fire modelling is a classic challenge/response analysis problem that ETs are useful for


Key definitions

Branch point (alt. node, vertex). A point at which the success or failure of the system is evaluated and a quantitative probability assigned to each leg. These numbers may be assigned from statistical data, from formal analysis via a fault tree, or may simply reflect our confidence as to which assumption is more likely

End state. End states define the outcomes relative to measures of success or failure for each event sequence

Initiating event. A postulated event that could occur within the system or its environment. The initiating event creates a disturbance in the system that has the potential to lead to a loss event, depending on the degree of successful response of the various components within the system


Event tree analysis and the system lifecycle


Methodology

1 Select initiating events

2 Bin the events list (optional)

3 Define safety functions required to mitigate the event

    ab initio for a new design

    infer from the existing components/systems for an existing design

4 Organise functions according to their time of intervention

5 Define success/failure states for each function

6 Prune the tree to remove legs which are functionally dependent on another function occurring, where it has not occurred

7 Replace functions with system components

8 Prune the tree again based on physical/functional dependencies of components


Selecting the Initiating Event

Usually done in three steps:

1 Identify candidate events

    Review published studies, journals, accident reports etc.

    Facility/system accident reports

2 Review all components of the system

    Determine if a failure or set of failures could cause a critical event or mishap

3 Review operating experience for the system

    Review plant history to ensure field experience is accounted for

Don't forget external events (flood, fire etc.)


Binning the analysis

One event tree is prepared for each initiating event considered

This limits how many initiating events can be considered

The workaround is to bin like events: group similar initiating events in bins on the basis of similar end effect or system response (discretising the distribution)

Investigate one representative initiating event for each bin in detail

Class discussion. What effect could ‘binning’ have upon modelling uncertainty?


Event trees

A general event tree models all credible outcomes; each path is then traced to eventual success or failure

In practice we simplify to a Bernoulli process

Syntax and semantics

Tree (in the graph theoretic sense)

Bernoulli process - only two out-paths from any vertex (node)

Success paths are the upper path, failure down

P_T = P_S + P_F = 1

A fault tree may be attached to the node to estimate P_F


Event tree with developed fault trees [NRC 1975]


Event trees

System failure probabilities P_f can be evaluated by quantifying the relevant fault tree associated with each node

1 − P_f then gives the likelihood of passing along the system success branch

‘Strong’ dependencies, where P(A|B) = 1 or P(A|B) = 0 for the system A event following the system B event, can also be incorporated in this basic approach


Example event tree - Flood control [Clemens 2002]

Example

A compartment contains control equipment and is protected against flooding by the system shown on the following slide. Rising flood waters close float switch S, powering pump P from a UPS. A klaxon K is also sounded, alerting operators to perform manual bailing B if the pump fails. Either pumping or bailing will dewater the compartment. Assume flooding has commenced, and analyse the responses of the dewatering system.

Simplifying Assumptions:

Power is available full time

Treat only the four system components S, P, K, and B

Consider operator error as included in the bailing function, B
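A worked evaluation of the flood-control tree described above, as an added example that is not Clemens's or the slides' own material: the failure probabilities are constructed (the slides give none), and the pruning rules assume that S powers both P and K (so S failing removes both legs), that P succeeding ends the sequence, and that K failing precludes bailing.

```python
"""Event tree for the flood-control example (functions S, P, K, B).

Added example, not from the slides. Failure probabilities are CONSTRUCTED.
Pruning rules assumed from the system description: S failing leaves P and K
unpowered; P succeeding dewaters the compartment; K failing precludes bailing.
"""
from math import prod

P_FAIL = {"S": 0.01, "P": 0.05, "K": 0.02, "B": 0.10}  # constructed values
SUCCESS, FAILURE = "DEWATERED", "FLOOD"

def next_node(state):
    """Next function challenged, or the end state once pruning (step 6) applies."""
    if "S" not in state:
        return "S"
    if not state["S"]:
        return FAILURE                  # switch failed: pump and klaxon never powered
    if "P" not in state:
        return "P"
    if state["P"]:
        return SUCCESS                  # pump ran: alarm and bailing legs are moot
    if "K" not in state:
        return "K"
    if not state["K"]:
        return FAILURE                  # no alarm, so bailing is never attempted
    if "B" not in state:
        return "B"
    return SUCCESS if state["B"] else FAILURE

def sequences(state=None):
    """Walk the tree from initiator (left) to end states (right); each node is a
    Bernoulli branch taken with 1 - P_f (success, upper leg) or P_f (failure)."""
    state = {} if state is None else state
    node = next_node(state)
    if node in (SUCCESS, FAILURE):
        prob = prod((1 - P_FAIL[f]) if ok else P_FAIL[f] for f, ok in state.items())
        return [(dict(state), node, prob)]
    return [seq for ok in (True, False) for seq in sequences({**state, node: ok})]

def end_state_probabilities():
    """Sum the sequence probabilities into the two end states (must total 1)."""
    totals = {SUCCESS: 0.0, FAILURE: 0.0}
    for _, end, prob in sequences():
        totals[end] += prob
    return totals

def cut_sets():
    """Component failures along each FLOOD leg: the tree's cut sets."""
    return {frozenset(f for f, ok in st.items() if not ok)
            for st, end, _ in sequences() if end == FAILURE}

def path_sets():
    """Component successes along each DEWATERED leg: the tree's path sets."""
    return {frozenset(f for f, ok in st.items() if ok)
            for st, end, _ in sequences() if end == SUCCESS}

if __name__ == "__main__":
    for st, end, prob in sequences():
        legs = " ".join(f + ("+" if ok else "-") for f, ok in st.items())
        print(f"{legs:<12} -> {end:<9} {prob:.6f}")
    print(end_state_probabilities(), cut_sets(), path_sets())
```

With these values the pruned tree has five sequences; the cut sets {S}, {P, K} and {P, B} and path sets {S, P} and {S, K, B} are the ones read off the equipment tree on the following slides.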


Example event tree - Flood control (Schematic)


Flood control (Functional Event Tree)


Flood control (Equipment Event Tree)


Flood control (Probabilities)


Flood control (Derived RBD)


Flood control (Path sets)


Example event tree - Flood control (Cut sets)


Example event tree - Flood control (Fault Tree)


Event Tree to Fault Tree transformation

As the preceding examples illustrate, it is possible to convert between ET, FT and RBD forms

Figure: Event tree to Fault tree transforms [Clemens 2002]


Dependency in Event Trees

Event tree calculation implicitly assumes independence of branch point events

It does not address common cause effects due to dependencies amongst the branch point events

Not a problem for ‘strong’ dependencies, as these can be modelled in directly

It is a problem when we have ‘weak’ dependencies, i.e. common basic events, such as common cause failures, in more than one of the fault trees which develop the branch points

This is a non-trivial effect: we can reasonably expect it to occur in practice, and it can significantly affect results

The effect of dependencies can be evaluated via linked fault trees and application of the inclusion/exclusion principle


Dependency in Event Trees (continued)

Large errors can be introduced even for small problems

These inaccuracies will not be consistent across the outcome events because each leg may contain more (or less) coherent elements
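To show the size and inconsistency of this error on a small problem, an added example that is not from the slides: two safety functions A and B whose fault trees are OR gates over basic events a, b and a shared common-cause event c (all names and probabilities are constructed), evaluated exactly via inclusion/exclusion and under the independence assumption.

```python
"""Weak dependency between branch points: exact vs independence assumption.

Added example, not from the slides. Two safety functions A and B each fail if
any one of their cut sets occurs; cut set {c} is common to both, so the two
fault trees share a basic event (a 'weak' dependency). Values are CONSTRUCTED.
"""
from itertools import combinations, product
from math import prod

P_BASIC = {"a": 0.05, "b": 0.05, "c": 0.01}        # constructed values
TREE_A = [frozenset("a"), frozenset("c")]          # A fails if a OR c
TREE_B = [frozenset("b"), frozenset("c")]          # B fails if b OR c

def union_probability(cut_sets, p):
    """Exact P(some cut set occurs) by inclusion/exclusion over independent
    basic events: sum over non-empty subsets of cut sets, alternating sign."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            events = frozenset().union(*combo)      # all basics in this subset
            total += (-1) ** (k + 1) * prod(p[e] for e in events)
    return total

def joint_failure_exact(trees, p):
    """P(every function in the sequence fails), honouring shared basic events:
    a cut set of the joint event is one cut set from each tree, unioned."""
    joint = [frozenset().union(*combo) for combo in product(*trees)]
    return union_probability(joint, p)

def joint_failure_independent(trees, p):
    """What the basic event-tree calculation does: multiply the branch P_f."""
    return prod(union_probability(t, p) for t in trees)

def compare_sequences(tree_a, tree_b, p):
    """Exact vs independent probability for two legs of the tree:
    (A fails, B fails) and (A fails, B succeeds)."""
    pa = union_probability(tree_a, p)
    both_exact = joint_failure_exact([tree_a, tree_b], p)
    both_indep = joint_failure_independent([tree_a, tree_b], p)
    return {
        "A-fail,B-fail": (both_exact, both_indep),
        "A-fail,B-ok": (pa - both_exact, pa - both_indep),
    }

if __name__ == "__main__":
    for leg, (exact, indep) in compare_sequences(TREE_A, TREE_B, P_BASIC).items():
        print(f"{leg:<14} exact={exact:.6f} independent={indep:.6f} "
              f"ratio={indep / exact:.2f}")
```

With these values the independence assumption understates the both-fail leg by a factor of about 3.5 while overstating the A-fail/B-succeeds leg, which is the leg-to-leg inconsistency described above.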


Options for handling weak dependencies

Identify the accuracy of your analysis

Fault tree with boundary conditions. If dependencies are simple, split out the common item as a separate system and revise the event tree to reflect the success/failure of that system as a precursor to both the dependent systems

Fault tree link. Model dependencies using fault trees that follow the logic of the top level event tree. (Not taught in this course.)

Binary Decision Diagrams (BDDs). Use to evaluate the top level event rates for coherent and non-coherent fault trees. (Not taught in this course.)

Question: In our original event tree analysis what other common item(s) were there?


Mission modelling

Many of the systems we're interested in don't exist in a single state; they have a defined set of mission phases, stages or modes

Event trees are useful in modelling these phases:

Mission success represents passing to the next phase/mode

Partial mission capability can also be modelled

Extreme events terminate the mission in that phase


Modelling system missions (ESDs)

Event Sequence Diagrams (ESDs) are an extension to the Event Tree grammar developed to model these phases

Mission success represents passing to the next phase/mode

Partial mission capability can also be modelled (returns to the success path)

Extreme events terminate the mission in that phase

ESDs are near-equivalent to ETs, and somewhat easier for non-specialists to review


Example Mission ESD (Mars sample return)


Limitations, advantages and disadvantages

Limitations of the method

Operating pathways must be anticipated

Partial successes/failures are not distinguishable

Difficult to order events if sequence is not obvious

Challenge & response model can skew safety towards a barrier approach

Can contain unseen weak dependencies


Advantages & disadvantages

Event trees have the following advantages:

End events need not be foreseen

Useful if the success criteria are complicated

Multiple failures can be analysed

Allows probabilistic calculations (easier if events are independent)

Potential single-point failures can be identified

System weaknesses can be identified

Good for evaluating the effectiveness of protection systems

Event trees have the following disadvantages:

You can end up with ‘event tree lantana’ (an overgrown, tangled tree)

Dealing with dependency adds complexity to the model

If the system behaviour is steady state the method may not be appropriate


Conclusions

Event trees are a standard safety analysis technique in the analysis of ‘defence in depth’ type systems, especially when combined with fault trees to form the probabilistic risk assessment technique

Like fault trees they can become very complex very quickly, so planning and managing the model can be a significant part of the analysis task

Dependencies need to be identified and accounted for as part of the analysis


Bibliography

[NRC 1975] Nuclear Regulatory Commission (NRC) (1975), WASH-1400 (NUREG-75/014), Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants.

[Clemens 2002] Clemens, P.L. (2002), Event Tree Analysis, 2nd Ed.

[CPS 1992] Center for Process Safety (CPS) (1992), Guidelines for Hazard Evaluation Procedures, 2nd Ed. with Worked Examples (pp 461), American Institute of Chemical Engineers.

[Fragola 2001] Fragola, J.R. (2001), Mars Sample Return PRA, presented at the 2nd NASA PRA Workshop, University of Virginia, Charlottesville, VA, 19-21 June.

[Henley 1981] Henley, E.J., Kumamoto, H. (1981), Reliability Engineering and Risk Assessment (pp 568).

[Lees 1996] Lees, F.P. (1996), Loss Prevention in the Process Industries (pp 1,316), 2nd Ed.
