Fault Tree Diagram

The purpose of a fault tree diagram is to show the logical interrelation of the basic events that taken apart or together may lead to a system or device failure, the top fault, using a combination of "and" and "or" symbols.

From: Nuclear Reactor Kinetics and Control, 1978

Safety and Reliability

JEFFERY LEWINS PhD (Cantab), PhD (MIT), in Nuclear Reactor Kinetics and Control, 1978

FAULT TREE DIAGRAMS

A relationship can sometimes be more usefully represented in the form of event trees and fault trees. The purpose of a fault tree diagram is to show the logical interrelation of the basic events that, taken apart or together, may lead to a system or device failure (the top fault), using a combination of "and" and "or" symbols. That is, a state may arise only if all of its subsidiary states occur ("and", equivalent to a parallel circuit, where every redundant path must fail), or a state may arise if any one of a number of subsidiary states arises ("or", equivalent to a series circuit, where a single failure breaks the path). It is sometimes necessary to distinguish this inclusive "or" from the exclusive "or" (which the author calls the logical "or"), where the latter excludes the case in which both or all of the events occur simultaneously (either/or but not both).

Figure 7.6 illustrates how a fault tree may be used in analysing the possible failure modes of the control motor system, leading to a top fault where no control rod motion is available.

FIG. 7.6. Fault tree diagram for control motor system.

Particular care in interpretation has to be given when the same event occurs in several branches of the tree (common failure modes) if the probability of failure is to be correctly expressed. Of course there will be much qualitative skill in knowing what events should be included as the base events initiating a fault, especially "thinking the unthinkable". For example, are both motors liable to destruction by a single missile initiating from an accident within the reactor plant or from outside? If the wiring of a motor fails, is this a generic fault that would be likely to occur simultaneously in the other motor or has this been separately designed and manufactured? In discussing the probability of a serious primary failure it is appropriate, of course, to consider the consequences and causes as they affect other items of equipment and change the probabilities of what may be called secondary failures.

In the second example, Fig. 7.7, an electrical fuse is represented whose failure may lead to a system failure depending on the failure mode of the fuse and the associated conditions. Note the exclusive "or" (the author's logical "or") in this example: the current cannot be zero and overloaded at the same time, these being the two possible departures from the normal operating range.

FIG. 7.7. Fault tree diagram for a fused system.

URL: https://www.sciencedirect.com/science/article/pii/B9780080216829500142

Subsea Risk and Reliability

Yong Bai, Qiang Bai, in Subsea Engineering Handbook (Second Edition), 2019

10.6.1 Concept

FTA is a systematic and deductive method: a single undesirable event is defined, and all possible causes that could make it occur are determined. The undesired event constitutes the top event of the fault tree diagram and generally represents a complete or catastrophic failure of a product or process. Like an FMECA, an FTA can also be used to identify product safety concerns.

Unlike an FMECA, which is a bottom-up analysis technique, an FTA takes a top-down approach to assessing failure causes and consequences. An FTA can be applied to analyze the combined effect of simultaneous, individually noncritical events on the top event, to evaluate system reliability, to identify potential design defects and safety hazards, to simplify maintenance and troubleshooting, to identify root causes during a root cause failure analysis, to logically eliminate causes for an observed failure, and so on. It can also be used to evaluate potential corrective actions or the impact of design changes [11].

URL: https://www.sciencedirect.com/science/article/pii/B9780128126226000105

Application of Probabilistic Risk Assessment Techniques to Distribution System Considerations

R.A. KRAMER, in Probabilistic Methods Applied to Electric Power Systems, 1987

UNIRAM CALCULATION

The UNIRAM system (Neely, 1985) consists of a series of computer programs for evaluating the reliability of various systems. The analysis proceeds in three basic sequences.

In the first sequence, a model of the system is prepared. This model consists of subsystem diagrams, fault trees, and component-level mean-time-between-failure and mean-time-to-restore data. The second sequence utilizes a pre-processor program to prepare input data. The actual reliability program is executed in the third sequence and system reliability values are calculated.

In the present work, the reliability of the section of the radial feeder circuit under consideration was modeled. The input model was structured as closely as was possible to that used for the WAM and GO2 models.

URL: https://www.sciencedirect.com/science/article/pii/B9780080318745500231

Marine safety

In The Maritime Engineering Reference Book, 2008

(i) Benefits to be gained from FTA

There are several benefits of employing FTA as a safety assessment tool. These include:

1. Fault Tree (FT) construction focuses the attention of the analyst on one particular undesired system failure mode, usually the one identified as most critical with respect to the desired function (Andrews and Moss, 2002).

2. The FT diagram can be used to communicate the results of the analysis to peers, supervisors and subordinates. Together with its numerical performance measures, it is particularly useful in multi-disciplinary teams.

3. Qualitative analysis often reveals the most important system features.

4. Using component failure data, the FT can be quantified.

5. The qualitative and quantitative results together give the decision-maker an objective means of measuring the adequacy of the system design.

An FT describes an accident model, which interprets the relation between malfunction of components and observed symptoms. Thus the FT is useful for understanding logically the mode of occurrence of an accident. Furthermore, given the failure probabilities of the corresponding components, the probability of a top event occurring can be calculated. A typical FTA consists of the following steps:

1. System description.

2. Fault tree construction.

3. Qualitative analysis.

4. Quantitative analysis.

These steps are illustrated in Figure 11.28.

Figure 11.28. FTA method.

URL: https://www.sciencedirect.com/science/article/pii/B9780750689878000111

Fukushima Nuclear Disaster

Ashraf Labib, in Learning from Failures, 2014

9.3.4 The Cooling System Design

9.3.4.1 Power Supply

As explained, cooling systems for nuclear power plants are multi-redundant. Apart from the redundancy of the electrically driven pumps themselves, the power supply is also designed with a great deal of redundancy. At Fukushima, the four interconnected external power lines were supplemented by diesel-powered engine generators interconnected through a network of station bus bars. A schematic of the power grid across the plant is shown in Figure 9.4.

Figure 9.4. Single line diagram of Units 1–4, Fukushima Daiichi, TEPCO Interim Report, December 2011.

Station blackout would entail all power systems (internal and external) failing, or the switchgear failing. A fault tree representation of the station blackout event, for the single line interconnection diagram of Figure 9.4, is shown in Figure 9.5. Note that the grid diagram does not show the DC system, which does appear on the fault tree.

Figure 9.5. Fault tree: station blackout event.

Also note that the three undeveloped events P2, P3 and P4 depend on system redundancy, as is the case with Unit 1, i.e., two diesel-powered AC generators plus a DC power supply system. An RBD (reliability block diagram) of the complete power system arrangement would show that it was a highly reliable system.

The undeveloped event SW, the switching system, was also a highly redundant arrangement as can be seen from the network interconnections as shown in Figure 9.4. The full diagram for the switching system is not shown, but it will suffice to say that there was great deal of redundancy in the design.

9.3.4.2 Pump Redundancy and Diversity

In the event of a common mode failure of the highly redundant power supply system for the electrically driven pumps, the stations were also equipped with steam-turbine-driven pumps, and all these pumps were interconnected with crossovers in such a way that the likelihood of loss of cooling due to pump failure in any of the four units was greatly minimized.

9.3.4.3 Redundant Water Sources

As protection against failure of the stored water needed for cooling, through accidental chemical contamination or drying out, for example, there was also redundancy in the cooling water storage arrangements.

URL: https://www.sciencedirect.com/science/article/pii/B9780124167278000096

Incident Investigation

In Lees' Loss Prevention in the Process Industries (Fourth Edition), 2012

31.5.3.9 Commercial Methods

There are several publicly available commercial root cause investigation methods, three of which are discussed below.

The TapRooT® system is a commercially available process and set of techniques for investigating process safety incidents, analyzing them, and developing corrective actions. It is widely used in the US process industry. The TapRooT® system (process and tools) combines inductive and deductive techniques for systematic investigation of the correctable root causes of problems. TapRooT® goes beyond the simple technique of "asking why" and the standard techniques of cause-and-effect (fishbone) diagrams or fault tree diagrams. Its embedded guidance allows TapRooT® to be used by people in the field to investigate everyday problems, yet it is robust enough for a complex major process safety accident investigation. Tools and techniques are used in all phases of an investigation, from initial planning through the collection of information and root cause analysis to the development of corrective actions and the presentation of the investigation to management or other interested parties. The system is supported by patent-pending TapRooT® software and provides a trendable incident/root cause database and a corrective action management database (TapRooT®, www.taproot.com).

Another commercial incident investigation methodology is the Apollo incident investigation and problem solving techniques method published by Apollo Associated Services Inc. The Apollo approach uses cause-and-effect charting and provides investigators with basic problem solving concepts for reaching root causes. The reference is accompanied by worked examples and a training video. Guidance is provided on personnel performance factors, problems with written procedures and instructions, and general hardware deficiencies.

A third commercial root cause method is the REASON methodology developed by Decision Systems Inc. (REASON, www.rootcause.com). This methodology is designed to provide a standard process that allows all options to be identified, modeled, and analyzed. The approach is presented as a standard operating procedure in a step-by-step format, guiding the investigator to ask the right questions to identify all relevant causes of the event. The REASON root cause analysis is a systematic process and software package for gathering and ordering relevant data, identifying the internal causes that generated or allowed the problem to develop, and providing decision makers with a comparison of the cost-effectiveness of the possible remedies.

The US National Safety Council (1995) published a systematic approach for incident investigation that presents principles of investigation and the role of management leadership. The publication includes a guide for identifying causal factors and corrective actions using a set of workbook charts that lead the investigator to the underlying causes of incidents. Although this methodology is systematic, it may not be sufficiently sophisticated and rigorous for complex process safety events.

URL: https://www.sciencedirect.com/science/article/pii/B9780123971890000318

Reliability and Safety Processes

Dr Eduardo Calixto, in Gas and Oil Reliability Engineering (Second Edition), 2016

6.5.1 Time-Independent FTA

Time-independent FTA is used when the probabilities of the basic events are constant over time. Whatever the probability characteristic, the fault tree is built from the top event down to the combinations of basic events. For top event analysis, FTA is simpler than an RBD (reliability block diagram) in terms of representation, but both give the same result, since the RBD expresses the complementary success logic. A simple example of FTA and RBD is a simple SIF (safety instrumented function) that includes an initiating element (sensor), a logic element, and a final element (valve), as shown in Fig. 6.14A. Fig. 6.14B represents the SIF RBD, the inverse logic of the FTA, and gives the same result. To calculate the probability of SIF failure based on FTA and RBD, respectively, we have:

Figure 6.14. Fault tree and RBD.

1. The probability of SIF failure from the fault tree diagram is:

$P(\text{Sensor}) = 0.1$, $P(\text{Logic Element}) = 0.1$, $P(\text{Valve}) = 0.1$

$P(\text{SIF failure}) = P(\text{Sensor}) \cup P(\text{Logic Element}) \cup P(\text{Valve})$

Evaluating the OR gate two inputs at a time:

$R_1 = P(\text{Sensor}) \cup P(\text{Logic Element}) = (P(\text{Sensor}) + P(\text{Logic Element})) - (P(\text{Sensor}) \times P(\text{Logic Element})) = (0.1 + 0.1) - (0.1 \times 0.1) = 0.2 - 0.01 = 0.19$

$R_1 \cup P(\text{Valve}) = (R_1 + P(\text{Valve})) - (R_1 \times P(\text{Valve})) = (0.19 + 0.1) - (0.19 \times 0.1) = 0.29 - 0.019 = 0.271$

2. The probability of SIF failure from the RBD is:

$P(\text{SIF failure}) = 1 - \text{Reliability}$

$\text{Reliability} = (1 - P(\text{Sensor})) \times (1 - P(\text{Logic Element})) \times (1 - P(\text{Valve})) = (1 - 0.1) \times (1 - 0.1) \times (1 - 0.1) = 0.729$

$P(\text{SIF failure}) = 1 - 0.729 = 0.271$

The SIF example is simple in terms of FTA configuration, but in some cases fault trees are more complex to model and calculate. In the SIF example, other logic gates can also be used, such as k/n (a parallel condition where k is the number of components required to operate and n the total number of components in parallel) and standby, as shown in Fig. 6.15A and B, respectively.

Figure 6.15. Fault tree and RBD: (A) k/n and (B) standby configuration.

To calculate the probability of SIF failure based on FTA and RBD, respectively, we have:

1. The probability of SIF failure from the fault tree, if:

$P(\text{sensor 1}) = 0.1$, $P(\text{sensor 2}) = 0.1$, $P(\text{sensor 3}) = 0.1$, $P(\text{logic element}) = 0.1$, $P(\text{control valve}) = 0.1$, $P(\text{manual bypass valve}) = 0.1$

Thus $P(\text{SIF failure}) = P(VT(2/3)) \cup P(\text{logic element}) \cup P(SB)$

$P(VT(2/3)) = 1 - R(VT(2/3))$

Since the probability of each sensor event is the same, we apply the k-out-of-n reliability equation:

$R_S(k, n, R) = \sum_{r=k}^{n} \binom{n}{r} R^{r} (1 - R)^{n - r}$

where k = number of parallel blocks required; n = number of parallel blocks; and R = block reliability.

$R(VT(2/3)) = \sum_{r=2}^{3} \binom{3}{r} (0.9)^{r} (1 - 0.9)^{3 - r} = \binom{3}{2} (0.9)^{2} (1 - 0.9)^{1} + \binom{3}{3} (0.9)^{3} (1 - 0.9)^{0}$

$= (3 \times 0.81 \times 0.1) + (1 \times 0.729 \times 1) = 0.243 + 0.729 = 0.972$

$P(VT(2/3)) = 1 - R(VT(2/3)) = 1 - 0.972 = 0.028$

$P(SB) = 1 - R(SB)$

$R(SB) = R(\text{control valve}) + (1 - R(\text{control valve})) \times R(\text{manual bypass valve}) = 0.9 + (0.1 \times 0.9) = 0.99$

$P(SB) = 1 - 0.99 = 0.01$

$\text{Res}_1 = P(VT(2/3)) \cup P(\text{logic element}) = P(VT(2/3)) + P(\text{logic element}) - (P(VT(2/3)) \times P(\text{logic element})) = 0.028 + 0.1 - (0.028 \times 0.1) = 0.128 - 0.0028 = 0.1252$

$P(\text{SIF failure}) = P(VT(2/3)) \cup P(\text{logic element}) \cup P(SB) = \text{Res}_1 \cup P(SB) = \text{Res}_1 + P(SB) - (\text{Res}_1 \times P(SB)) = 0.1252 + 0.01 - (0.1252 \times 0.01) = 0.1352 - 0.001252 = 0.133948 = 13.4\%$

2. The probability of SIF failure from the RBD is:

$R(\text{Sensor 1}) = 1 - P(\text{Sensor 1}) = 1 - 0.1 = 0.9$

$R(\text{Sensor 2}) = 1 - P(\text{Sensor 2}) = 1 - 0.1 = 0.9$

$R(\text{Sensor 3}) = 1 - P(\text{Sensor 3}) = 1 - 0.1 = 0.9$

$R(\text{Logic Element}) = 1 - P(\text{Logic Element}) = 1 - 0.1 = 0.9$

$R(\text{Control Valve}) = 1 - P(\text{Control Valve}) = 1 - 0.1 = 0.9$

$R(\text{Manual Bypass Valve}) = 1 - P(\text{Manual Bypass Valve}) = 1 - 0.1 = 0.9$

Thus $P(\text{SIF failure}) = 1 - (R(VT(2/3)) \times R(\text{Logic Element}) \times R(SB)) = 1 - (0.972 \times 0.9 \times 0.99) = 1 - 0.866052 = 0.133948 = 13.4\%$

An important feature of FTA, in addition to calculating the top event probability, is identifying the events or combinations of events that trigger the top event, which are called cut sets. Cut sets are important when assessing an incident, for knowing how close the system is to the top event given the events that have already occurred. In the SIF failure fault tree of Fig. 6.15A there are five minimal cut sets, as shown in Fig. 6.16.

Figure 6.16. Cut set in fault tree.

Failure of sensors 1 and 2 (k/n  =   2/3);

Failure of sensors 1 and 3 (k/n  =   2/3);

Failure of sensors 2 and 3 (k/n  =   2/3);

Failure of logic element;

Failure of control valve and manual bypass valve.
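The two SIF calculations above, together with the common-failure caveat from the Lewins excerpt earlier on this page (the same basic event appearing in several branches of the tree), carried through as an added worked example that is not from either chapter. The tree encoding, the function names and the shared-power-supply tree are this example's own; the two SIF trees and their probabilities are taken from Figs. 6.14 and 6.15A. The top event probability is computed exactly by enumerating every state of the basic events rather than by the per-gate formulas, and the minimal cut sets are found by testing combinations of basic events against the tree:

```python
import math
from itertools import combinations, product

# Tree encoding (this example's own convention, not Calixto's notation):
#   ('basic', name)          basic event with an independent failure probability
#   ('and', [children])      output fails only if every input fails
#   ('or', [children])       output fails if any input fails
#   ('kofn', k, [children])  voting gate: output fails if at least k of the n inputs fail

def children_of(tree):
    return tree[2] if tree[0] == 'kofn' else tree[1]

def basic_events(tree):
    """Distinct basic-event names in the tree, in first-seen order."""
    if tree[0] == 'basic':
        return [tree[1]]
    names = []
    for child in children_of(tree):
        names += [n for n in basic_events(child) if n not in names]
    return names

def occurs(tree, failed):
    """Does the gate's output event occur, given the set of failed basic events?"""
    kind = tree[0]
    if kind == 'basic':
        return tree[1] in failed
    results = [occurs(c, failed) for c in children_of(tree)]
    if kind == 'and':
        return all(results)
    if kind == 'or':
        return any(results)
    if kind == 'kofn':
        return sum(results) >= tree[1]
    raise ValueError(f'unknown gate {kind!r}')

def top_event_probability(tree, prob):
    """Exact P(top event) by enumerating every state of the basic events.
    A basic event used in several branches is one event, so a shared cause
    is counted once. Cost is 2^n states, fine for small trees."""
    names = basic_events(tree)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if occurs(tree, failed):
            weight = 1.0
            for name, s in zip(names, states):
                weight *= prob[name] if s else 1.0 - prob[name]
            total += weight
    return total

def gate_probability(tree, prob):
    """Gate-by-gate formulas as in Calixto's hand calculation: AND multiplies,
    OR uses 1 - prod(1 - p). Exact only when no basic event feeds more than one gate."""
    kind = tree[0]
    if kind == 'basic':
        return prob[tree[1]]
    if kind == 'kofn':
        raise NotImplementedError('use top_event_probability for voting gates')
    ps = [gate_probability(c, prob) for c in tree[1]]
    if kind == 'and':
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)

def minimal_cut_sets(tree):
    """Minimal sets of basic events whose joint failure causes the top event."""
    names = basic_events(tree)
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            candidate = frozenset(combo)
            # a proper superset of a known cut set is a cut set but not a minimal one
            if occurs(tree, candidate) and not any(cs <= candidate for cs in found):
                found.append(candidate)
    return found

# Calixto's Fig. 6.14: sensor OR logic element OR valve, each with P = 0.1
SIF_SERIES = ('or', [('basic', 'sensor'), ('basic', 'logic'), ('basic', 'valve')])
SERIES_P = {'sensor': 0.1, 'logic': 0.1, 'valve': 0.1}

# Calixto's Fig. 6.15A: 2-out-of-3 sensors OR logic element OR (control valve AND bypass valve)
SIF_VOTING = ('or', [
    ('kofn', 2, [('basic', 's1'), ('basic', 's2'), ('basic', 's3')]),
    ('basic', 'logic'),
    ('and', [('basic', 'cv'), ('basic', 'bypass')]),
])
VOTING_P = {n: 0.1 for n in ('s1', 's2', 's3', 'logic', 'cv', 'bypass')}

# Lewins's common-failure caveat (constructed here, not from either chapter): two
# redundant pumps sharing one power supply; 'power' sits under both OR gates.
COMMON_SUPPLY = ('and', [
    ('or', [('basic', 'pump1'), ('basic', 'power')]),
    ('or', [('basic', 'pump2'), ('basic', 'power')]),
])
COMMON_P = {'pump1': 0.1, 'pump2': 0.1, 'power': 0.01}

if __name__ == '__main__':
    print(round(top_event_probability(SIF_SERIES, SERIES_P), 6))   # 0.271
    print(round(top_event_probability(SIF_VOTING, VOTING_P), 6))   # 0.133948
    print([sorted(cs) for cs in minimal_cut_sets(SIF_VOTING)])     # the five cut sets
    # per-gate formulas treat the one 'power' event as two and understate the risk
    print(round(top_event_probability(COMMON_SUPPLY, COMMON_P), 6),
          round(gate_probability(COMMON_SUPPLY, COMMON_P), 6))     # 0.0199 0.011881
```

The gate-by-gate formulas reproduce the hand result (0.271) when every basic event feeds a single gate, but for the shared power supply they return 0.011881 where the exact answer is 0.0199, which is the quantitative form of Lewins's warning about common failure modes. Beyond a few dozen basic events the 2^n enumeration has to give way to minimal-cut-set or binary-decision-diagram methods, but the cut sets it returns are the same ones a tool would report.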

URL: https://www.sciencedirect.com/science/article/pii/B9780128054277000063

Quantification of Oil Spill Risk

D.S. Etkin, ... A.J. Wolford, in Oil Spill Science and Technology (Second Edition), 2017

2.2.4 Fault-Tree Analysis

Fault-tree analysis (FTA) is another frequently applied technique for determining the probability of a spill occurring under various circumstances. FTA for spills involves analyzing the sequences of events that may (or may not) lead up to a system failure (in this case a spill) and assigning probabilities to each event. Fig. 2.6 shows a fault-tree diagram for an analysis of vessel allisions with WTGs (wind turbine generators) at the wind farm.

Figure 2.6. Fault-tree diagram for Vessel-WTG allision analysis [9].

Each event (circle) has a probability associated with it (Table 2.1). The outer portions deal with the probability of an allision (i.e., the impact of a moving object with a stationary object). The green parts relate to the probability of an oil spill resulting from the allision. The logic behind this diagram is that an oil spill would occur from a WTG allision only if a vessel allides with the WTG and there is sufficient force to cause spillage from either the vessel or the WTG. The probability of an allision depends on the vessel being in the vicinity of a WTG (because the WTGs are located close to the shipping lane) and on the vessel failing to avoid the WTG, because of an environmental event or a vessel operation failure. The environmental event and vessel failure branches are each OR gates: each occurs if at least one of its listed sub-events happens. The probabilities of the independent events that must all occur (AND gates) are multiplied together to obtain the probabilities of the sets of circumstances that would lead to a spill. This type of analysis can be applied to a large variety of spill circumstances in which there is some knowledge of the probabilities of occurrence of the relevant sub-events.

Table 2.1. Probability of Occurrence per Vessel Trip Applied to FTA [9]

Fault-tree basic events per vessel trip, in three column groups: WTG vicinity (vessel deviation from course; vessel in route), environmental event (the source heads this group storm, hurricane, earthquake, tsunami), and vessel failure (human error; steering failure; propulsion failure). The extracted rows carry eight values each against these nine headings; the values are reproduced below in the order the source gives them.

Vessel type   WTG vicinity      Environmental event               Vessel failure
A             0.028   1.0       0        0.004731   0.000003      0.00034   0         0
B             0.028   1.0       0        0.000114   0             0.00032   0         0
C             0.028   1.0       0        0.000437   0             0.00032   0         0
D             0.028   1.0       0        0.000038   0             0.00032   0         0
E             0.028   1.0       0        0          0.000017      0.00031   0.00002   0.00003
F             0.042   1.0       0        0          0.000022      0.00047   0.00002   0.00002
G             0.042   1.0       0.0004   0          0.000034      0.00047   0.00002   0.00002
H             0.042   1.0       0.0007   0          0.000020      0.00069   0.00003   0.00003
I             0.042   1.0       0        0.000798   0             0.00044   0.00002   0.00002

A, cruise/dry cargo ships; B, tankers; C, tow/tugboats; D, tank barge; E, ferries; F, commercial fishing vessels; G, charter fishing vessels; H, touring vessels; I, dry cargo barge.

The value of conducting a comprehensive location- or situation-specific spill probability analysis for contingency planning and risk management is that it provides an evaluation of the range of possible spill scenarios and the probabilities that they will occur. This will allow for appropriate measures to be taken to address spills that occur, focusing on preparation for spills with the highest likelihood for first-tier responses, but also allowing for more complex responses for more rare, but potentially more consequential, spills. The next part of the risk analysis involves analyzing impacts of the various spill scenarios to better determine the complete risk (probability   ×   impacts) of each type of spill scenario to focus particular attention on the highest risk (high probability–high impact) spills for prevention measures and for response planning, recognizing that sometimes smaller spills can cause higher impacts than larger ones if they are in an inopportune location.

Each spill risk analysis requires consideration of the best customized approach to analyze the probability of spillage, as well as the distributions of spill volumes and scenarios that might occur. Careful consideration needs to be given to the purpose of the analysis, the degree of risk "tolerance" for the end-user, and the specific ways in which spills might conceivably occur based on the location, potential sources, and time frame.

URL: https://www.sciencedirect.com/science/article/pii/B9780128094136000023

Safety System Engineering for Offshore Oil

Huacan Fang, Menglan Duan, in Offshore Operation Facilities, 2014

7.4.2.1 Optimization of Security Measures

Optimization of security measures is one of the important measures for production safety in oil and gas fields; the fault tree analysis method is usually applied to it, and the steps are as follows.

1. Draw the fault tree

Take a pressure vessel on an offshore FPSO as the example for selecting optimized security measures; the fault tree diagram is drawn first, as shown in Figure 7-36.

2. Write the structure (configuration) function

Let X3 and X4 denote the basic events (regulator failures), and X1, X2, A1 and A2 the intermediate events (explosion at less than operating pressure, safety valve failure, overpressure explosion, and pressure control failure, respectively); then the structure function Φ(X) of the fault tree is:

(7-239) $\Phi(X) = X_1 \cdot A_1 = X_1 (X_2 + A_2) = X_1 (X_2 + X_4 \cdot X_3)$

3. Solve for the minimal cut sets

Using the Boolean algebra method introduced earlier, Equation (7-239) expands to:

(7-240) $\Phi(X) = X_1 \cdot X_2 + X_1 \cdot X_4 \cdot X_3 = X_1 X_2 + X_1 X_3$

In Equation (7-240), the explosion at less than operating pressure, X1, is itself caused by regulator failure, so X1X4X3 is equivalent to X1X1X3, which by idempotence reduces to X1X3. The minimal cut sets obtained are therefore X1X2 and X1X3.

4. Calculate the accident probability

The probabilities of the events X1, X2 and X3 in the original system are shown in Table 7-19, together with three improvement schemes, 1, 2 and 3, and the probabilities of X1, X2 and X3 under each. The top event occurs if either minimal cut set occurs, so its probability is that of the union of the two cut sets; their intersection is X1X2X3, since both contain X1:

(7-241) $g = q_1 q_2 + q_1 q_3 - q_1 q_2 q_3$

where $q_i$ is the probability of basic event $X_i$.

Table 7-19. Calculated Results for Optimization of Security Measures

                                                     Original   Scheme 1   Scheme 2   Scheme 3
Basic event probability           X1                 0.01       0.001      0.01       0.01
                                  X2                 0.02       0.02       0.002      0.02
                                  X3                 0.03       0.03       0.03       0.003
New investment in safety measures Y (10,000 Yuan)    -          0.4        0.2        0.3
Probability of top event g                           0.000494   0.0000494  0.0003194  0.000229
Risk degree R_i = E·g (Yuan)                         24.7       2.47       15.97      11.47
(P_i − P_0)/P_0 × 100 (%)                            0          −90        −35.3      −53.56
ΔR_i = R_0 − R_i (Yuan)                              0          22.23      8.73       13.23
Benefit ΔR_i/Y                                       0          55.575     43.65      44.1

Substituting the respective values into Equation (7-241) gives the probability of the top event in each case, as shown in Table 7-19.

5. Calculate the risk degree R

Let the degree of risk of the original system be R0 and that of improvement scheme i be Ri; then:

(7-242) $R_0 = E \cdot P_0, \qquad R_i = E \cdot P_i$

where P0 and Pi are the top event occurrence probabilities of the original system and of each improvement scheme, and E is the loss per accident, which may include the number of casualties, lost working hours, economic loss, and so on. The Ri in Table 7-19 are calculated with an economic loss of 50,000 Yuan per accident (so R0 = 50,000 × 0.000494 = 24.7 Yuan).

6. Calculate the reduction in R

ΔRi is the reduction in the risk degree R achieved by each improvement scheme, namely:

(7-243) $\Delta R_i = R_0 - R_i$

ΔRi calculated from this equation is also listed in Table 7-19 for easy comparison.

7. Select the optimal scheme

If the safety measure cost Y to be invested in each improvement scheme has been calculated and listed in Table 7-19, then ΔRi/Y is the benefit of each scheme. The optimal scheme is selected by comparing the probability of the top event (the incident), the new investment in safety measures, and the benefit obtained. Improvement scheme 1 is the best solution in Table 7-19: although its investment cost is the highest of the three schemes, its accident probability is the lowest and it yields the highest benefit.
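Steps 3 to 7 carried through in code, as an added example that is not from Fang and Duan's chapter. The top event probability is computed as the probability of the union of the minimal cut sets by inclusion-exclusion, which for the two cut sets X1X2 and X1X3 reduces to Equation (7-241) but also covers any number of cut sets; the schemes are then ranked by benefit ΔRi/Y. The cut sets, probabilities, costs and loss E are those of Equation (7-240) and Table 7-19; the function and variable names are this example's own:

```python
from itertools import combinations

def cut_set_probability(cut_sets, q):
    """P(top event) = P(union of the minimal cut sets), by inclusion-exclusion.
    cut_sets: list of frozensets of basic-event names; q: name -> probability.
    The intersection of several cut sets is the joint failure of the union of
    their events, so cut sets that share an event (X1 here) are counted once."""
    total = 0.0
    for r in range(1, len(cut_sets) + 1):
        sign = 1.0 if r % 2 else -1.0
        for combo in combinations(cut_sets, r):
            events = frozenset().union(*combo)
            p = 1.0
            for e in events:
                p *= q[e]
            total += sign * p
    return total

def rank_schemes(cut_sets, original_q, schemes, cost, loss):
    """Rows (scheme, g, R_i, dR_i, dR_i / Y), best benefit first.
    R_i = E * g (Eq. 7-242), dR_i = R_0 - R_i (Eq. 7-243), benefit = dR_i / Y."""
    r0 = loss * cut_set_probability(cut_sets, original_q)
    rows = []
    for name, q in schemes.items():
        g = cut_set_probability(cut_sets, q)
        r = loss * g
        rows.append((name, g, r, r0 - r, (r0 - r) / cost[name]))
    return sorted(rows, key=lambda row: row[4], reverse=True)

# Minimal cut sets X1X2 and X1X3 from Eq. (7-240)
CUT_SETS = [frozenset({'X1', 'X2'}), frozenset({'X1', 'X3'})]
# Basic-event probabilities from Table 7-19: original system and the three schemes
ORIGINAL_Q = {'X1': 0.01, 'X2': 0.02, 'X3': 0.03}
SCHEMES = {
    '1': {'X1': 0.001, 'X2': 0.02, 'X3': 0.03},
    '2': {'X1': 0.01, 'X2': 0.002, 'X3': 0.03},
    '3': {'X1': 0.01, 'X2': 0.02, 'X3': 0.003},
}
COST_Y = {'1': 0.4, '2': 0.2, '3': 0.3}   # new investment Y, 10,000 Yuan
LOSS_E = 50_000                           # economic loss E per accident, Yuan

if __name__ == '__main__':
    print('original g =', round(cut_set_probability(CUT_SETS, ORIGINAL_Q), 7))   # 0.000494
    for name, g, r, dr, benefit in rank_schemes(CUT_SETS, ORIGINAL_Q, SCHEMES, COST_Y, LOSS_E):
        print(f'scheme {name}: g={g:.7f}  R={r:.2f}  dR={dr:.2f}  dR/Y={benefit:.3f}')
```

The ranking comes out 1, 3, 2, matching Table 7-19. Treating the two cut sets as independent and multiplying their survival probabilities, 1 − (1 − q1q2)(1 − q1q3), would give 0.00049994 instead of 0.000494 for the original system, because it counts X1 twice; the inclusion-exclusion over unions of events is what avoids that.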

URL: https://www.sciencedirect.com/science/article/pii/B978012396977400007X

Reactor safety and security

Raymond L. Murray, Keith E. Holbert, in Nuclear Energy (Seventh Edition), 2015

21.5 Probabilistic risk assessment

The results of an extensive investigation of reactor safety were published in 1975. The document is variously called the Reactor Safety Study, WASH-1400, or the Rasmussen Report, after its principal author. This study (NRC, 1975) involved 60 scientists and cost several million dollars. The technique used was probabilistic risk assessment (PRA), a formal method of analyzing reactor systems. The objective is to find the chance of an undesired event such as core damage, breach of containment, or release of radioactivity and to determine the potential causes. The first step is to investigate all of the possible faults in the equipment or processes. Flow diagrams of fluid systems and circuit diagrams of electrical systems serve as reference. Event trees are logic diagrams relating an initiating event to either successful mitigation or failure. Figure 21.4 shows a simple event tree. Probabilities of success and failure at each branch are applied. The principal logic diagrams are the fault trees, which trace causes and effects mathematically by use of Boolean algebra, a form of set theory. Figure 21.5(A) shows a simple high-pressure injection system to which we can apply the concept for illustration. Failure of both pumps, or of the valve, prevents cooling water from reaching the reactor. In Figure 21.5(B), the fault tree diagram shows two gate types: the AND (∩), which requires two or more events to result in failure, and the OR (∪), which requires only one event. We have attached the symbols A, B, C, F, and T to the various events for use in the mathematical manipulation. Note that F occurs if both A and B occur, expressed in Boolean algebra as an intersection:

(21.3) $F = A \cap B$

Also, T occurs if either C or F occurs, expressed as a union:

(21.4) $T = C \cup F$

Theory (e.g., WASH-1400 Appendix; NRC, 1975) tells us what the probability of T is in terms of C and F, namely,

(21.5) $P(T) = P(C) + P(F) - P(C \cap F)$

Insert the formula for F and note that, because A, B, and C are independent events, the probabilities $P(A \cap B)$ and $P(C \cap A \cap B)$ are simply the products of the separate probabilities. Thus,

(21.6) $P(T) = P(C) + P(A)P(B) - P(A)P(B)P(C)$

Figure 21.4. Simple event tree (after Breeding et al., 1985).

Figure 21.5. Simple example of PRA diagrams (after Vesely et al., 1981).

The virtue of Boolean algebra is seen by comparing this formula with the statement in words: the probability of failure of the high-pressure injection system is the sum of the probability of valve failure and the probability of failure of both pumps, less the probability that the valve and both pumps fail together, which would otherwise be counted twice.

Example 21.3

To illustrate numerically, let the event probabilities P(A) and P(B) be $10^{-3}$ and P(C) be $10^{-4}$. Inserting numbers,

$P(T) = 10^{-4} + (10^{-3})^{2} - (10^{-3})^{2} \times 10^{-4} \approx 1.01 \times 10^{-4}$

This shows that the top event is dominated by the possibility of valve failure. The product of three probabilities can be neglected assuming rare events. The numerical result illustrates two ideas: that fault trees can reveal potential vulnerabilities and that redundancy in safety equipment is beneficial. The figure calculated can be included in the simple event tree of Figure 21.4.

Several good books on fault trees are listed in the Further Reading section at the end of this chapter. Among important topics discussed in those references are: Venn diagrams, used to visualize relationships of intersections and unions; conditional probability, related to sequences of events; the Bayes theorem, a technique for updating failure probability data; and common mode failures, those in which several components can fail from a single cause such as environment, design, and manufacturing.

The ultimate objective of PRA is to estimate risks to people, calculated by use of a principle most simply stated as

(21.7) Risk = Frequency × Consequences

For reactors, frequency means the number of times per year of reactor operation that the incident is expected to occur, and consequences include the number of injuries or fatalities, either immediate or latent, as well as property damage. The technique of PRA is used to determine which changes in equipment or operation are most important for ensuring safety, and it also gives guidance on emergency plans.

Example 21.4

For 2009, the U.S. Census Bureau reports 10.8 million motor vehicle accidents with 35,900 resultant deaths. The number of deaths per accident is

$\text{Consequence} = \frac{\text{Risk}}{\text{Frequency}} = \frac{35{,}900\ \text{deaths/y}}{10.8 \times 10^{6}\ \text{accidents/y}} = 0.00332\ \text{death/accident}$

For a national population of 306.8 million, the individual risk becomes

$\frac{35{,}900\ \text{deaths/y}}{306.8 \times 10^{6}\ \text{individuals}} = 1.17 \times 10^{-4}\ \text{deaths/person-year}$

In recent years, the regulation of nuclear activities including reactor operation and handling of radioisotopes has changed. Currently, regulations are risk-informed and performance-based, in contrast with previous prescriptive approaches. As discussed in an American Nuclear Society position statement (ANS, 2004), "risk-informed" implies use of probability in prioritizing challenges to safety, and "performance-based" makes use of measurable safety parameters. Fuller explanations are found in publications of the NRC (NRC, 1999; Apostolakis et al., 2012).

If an incident occurring at a nuclear plant has the potential of releasing radioactivity to the atmosphere, a chain of reactions to alert or warn the public is set in motion. In the U.S., the NRC and the Federal Emergency Management Agency (FEMA) cooperate in providing requirements and in monitoring tests of readiness. Each nuclear station and the state in which it is located are required to have emergency plans in place and to hold drills periodically, resembling action to be taken in a real accident situation. In such exercises, state and local officials are notified, and an emergency team made up of many organizations makes a coordinated response. Included are radiation protection staff, police and fire departments, highway patrol, public health officers, and medical response personnel. Command posts are set up; weather observations are correlated with radiation conditions to evaluate the possible radiation exposure of the public. Advisories are sent out by radio and television, sirens are sounded, and the public is advised to take shelter in homes or other buildings. In extreme cases, people would be urged to evacuate the affected area.

In case of an actual accident involving reactors or transportation of fuel or waste, members of the public who suffer a loss can be compensated. In 1957 Congress passed the Price–Anderson Act to provide rules about nuclear insurance that were favorable to the development of the nuclear industry. The Act was renewed in 2005 for 20   y. Nuclear plants are required to take out insurance from private companies in the amount of $300 million. In the event of an accident, all reactors would be assessed to bring the total liability to approximately $10 billion. The Act has been criticized as unfairly benefiting the nuclear industry because any excess cost would be borne by government and thus taxpayers.

URL: https://www.sciencedirect.com/science/article/pii/B9780124166547000216