Event tree analysis

Piero Baraldi

Politecnico di MilanoDipartimento di Energia

FailureProbabilty

Assessment

AccidentScenarios

Identification

Evaluation ofthe

consequences

Riskevaluation

RISK = {Si, pi, xi}4321

pi/xi A B C D

International StandardsBest PracticesLessons learnt

Expert judgmentsFlow and transport codes

Finite Element MethodsDC/AC power flows, etc.

ALARP = as low as reasonably practicable

FTAETA

Markov Models

Hazard Analysis

Hazop

FMECA

Monte Carlo Simulation

Classical Techniques for PRA: Event Tree Analysis

Event Tree Analysis (ETA)

Objectives1. Identification of possible scenarios

(accident sequences), developing from a givenaccident initiator (possibly identified by a FMECA)

2. Computation of accident sequence probability

Event Tree Analysis (ETA)

• Systematic and quantitative• Inductive (search for consequences)

ETA: procedure steps1. Define an accident initiator event (I):

• a system/component failure• an external, potentially disruptive event (e.g. an earthquake, hurricane,…)

2. Identify “headings” Sk :• safety/protection functions, systems, procedures demanded by I• phenomena potentially influencing the development of an accident sequence

3. Specify failure/success states of Sk

4. Combine the states of all Sk to generate accident sequences

Example 1: Fire protection system

Example 1: Event Tree

The sequences can be further split by adding the smoke detector, the alarm and the emergency door

ETA typologies

• Functional event tree• First stage: safety functions are identified (cooling, venting, …) • Second stage: safety functions are substituted by the actual

safety systems

• System event treeThe accident sequences in a plant are identified with respect to the protection and safety systems/components involved (valves, pumps, pipes, tanks, etc.)

• Phenomenological event treeDescription of the accident phenomenological evolution outside the plant (winds, sea currents, animals/plants, etc.)

ETA: some general comments (1)

1. One event tree for each accident initiator2. Time and logic of Sk interventions are important for the

tree structure (simplifications possible)3. Sk states are, in general, conditional on accident initiator

and previous Sj’s states

ETA: some general comments (2)

4. Conditional probabilities are assigned to Sk states (upon previous identification, e.g. by FTA)

Sequence probability = product of the conditional probabilities of the events in a branch“Failure” probability = sum of the probabilities of the sequences leading to failures

𝑃𝑃 𝐼𝐼𝑆𝑆1𝑆𝑆2 = 𝑃𝑃 𝑆𝑆2 𝑆𝑆1𝐼𝐼 � 𝑃𝑃 𝑆𝑆1𝐼𝐼= 𝑃𝑃 𝑆𝑆2 𝑆𝑆1𝐼𝐼 � 𝑃𝑃 𝑆𝑆1|𝐼𝐼 � 𝑃𝑃(𝐼𝐼)

Example 2: release of flammable gas

IE S1 S2 S3

S4

Exercise 1: Loss Of Coolant Accident (LOCA)

AA

MM

MM

M

M

A High Pressure Injection SystemSRV

RPV

CST

Low Pressure Injection System

Suppression Pool

Depressurize System

RPV = Reactor Pressure VesselCST = Condensate Storage Tank (which temporarily stores water used in the plant)SRV = Safety Relief Valve

ECS = Emergency Cooling System

• A small pipe crack can induce the loss of coolant (SLOCA) from the reactor pressure vessel (RPV). The frequency of this event is 5.0⋅10-4 y-1

• Under the SLOCA condition, the RPV water level drops due to the crack and decay heat. When it drops under a given low level, the high pressure injection system (HPIS) starts to pump water into the core

• In case that the HPIS works properly, the RPV can be depressurized under control and low pressure injection system (LPIS) will take care of long term heat removal to bring the core to safe status

• If HPIS fails (at a probability of 2.0⋅10-3), the water level goes down to another setting level and trigger-starts LPIS. The operator has to open the safety relief valve (SRV) to relieve the RPV pressure in order to keep LPIS pumping the water into the core

• In case either the operator fails to open SRV (at probability of 5.0⋅10-3) or LPIS fails (at probability of 5.0⋅10-4), the core will be damaged (CD)

Exercise 1: Loss Of Coolant Accident (LOCA)

You are required to:• build the event tree for the initiating event «SLOCA» • Compute the probability of core damage due to a «SLOCA»

Exercise 1: Loss Of Coolant Accident (LOCA)

Exercise 1: SolutionSLOCA HPIS SRV LPIS

OK

CD

OK

CD

CD

5.0E-4

5.0E-3

2.0E-3

5.0E-4

5.0E-4

HPIS = High Pressure Injection SystemLPIS = Low Pressure Injection SystemCD = Core Damage

ETA + FTA

Success stateS1

Failure stateF1

I

S2 =

S2 =

• The FT top events must be conditioned on the sequences identified by the ETA up to the intervention of the system of interest

• It may occur that the event of interest is independent of the previous ones in the sequence

Event Tree AnalysisSLOCA HPIS SRV LPIS

OK

CD

OK

CD

CD

5.0E-4

5.0E-3

2.0E-3

5.0E-4

5.0E-4

HPIS Unavailable

LPIS Unavailable

Fail toDepressurize

Fault Tree Analysis – HP, DP

HPIS Unavailable

Suction Valve Fail to open

HPIS Pump Failure

Injection ValveFail to open

PumpFail to start

PumpFail to run

Fault Tree Analysis – HP, DP

SRV mech. failure

Operator Fail to Depress.

Fail toDepressurize

Fault Tree Analysis – LP

LPIS Unavailable

Suction Valve Fail to open

Injection Valve Fail to open

Pump Section Fail

Train A Failure

Suction Valve Fail to open

LPIS Pump Failure

Injection Valve Fail to open

Pump AFail to start

Pump AFail to run

Train B Failure

Suction Valve Fail to open

LPIS Pump Failure

Injection Valve Fail to open

Pump BFail to start

Pump BFail to run

Exercise 2: kick during well drilling

Hazard:Kick

managedpressure drillingsystem

BlowoutPreventer

stack Casing

Exercise 2: System description

To avoid the blowout accident, well safety barriers are designed and put in place to avoid that a kick, that is an unwanted flow of hydrocarbons inside the well, could result into a blowout, that is the spill out of fluids (either oil rig or underground formation mud, or both) from the well to the environment. Three safety barriers are considered for the purpose of limiting the consequences of kick onset (Grayson et al., 2012): (i) a full Managed Pressure Drilling (MPD) influx management system, (ii) a Blowout Preventers stack (BOP) and (iii) casing. A) Following a kick initiating event, if a Constant Bottom Hole Pressure (CBHP) technique is in place (resorting to a full MPD influx management system to continuously control the Bottom Hole Pressure (BHP), maintaining it lower than the formation pressure, reducing the occurrence of gas influxes inside the well) a rapid kick detection, control and circulation out of the well can be made possible, and blowout avoided without demanding the BOP. However, the CBHP system can only be used under specified conditions of influx volume V (i.e., volume threshold Vth equal to 10 bbl) and maximum surface pressure SP (i.e., maximum surface pressure threshold SPth equal to 800 psi) : when the influx exceeds the CBHP operational limits, only the BOP and casing can withstand the developing scenario. B) A BOP is a stack of valves installed at the top of the well that can be closed if the pressure control inside the wellbore is lost. By closing these valves, the safety procedures are initiated for restoring the pressure inside the well at nominal values and controlling the formation. The BOP is composed by three ram preventers and an annular preventer, that are used to shut in the well. C) Casing is a pipe that is assembled and inserted into a drilled section of borehole and is typically held in place with cement. It must withstand the load acting on it when the kick has entered in the well and the BOP has shut-in the well, to avoid an underground blowout and the loss of the wellbore integrity with severe consequences.

Exercise 2

You are required to:• build the event tree for the initiating

event kick

Exercise 2: Solution

Kick