HAZARDS ANALYSES - sfpe-sac.org/process-safety/section3.pdf

SECTION 3: HAZARDS ANALYSES
• Failure Modes and Effects Analysis (types)
• Event Tree and Cause Consequence Analyses
• Barrier and Threat Analysis
• Hazard and Operability Studies
• Fault Tree Analysis

Failure Mode and Effects Analysis

FAILURE MODES AND EFFECTS ANALYSIS
• INDUCTIVE APPROACH
• SUBSYSTEM BY SUBSYSTEM
• COMPONENT BY COMPONENT
• DETAILED AND INTENSIVE

FMEA PROCEDURE
1. Define the scope of the system
2. Gather information
   – drawings, specifications, part lists
3. Partition the system into subsystems
4. Develop a coding (recordkeeping) system that corresponds to the system breakdown
5. Identify resources of value to be protected

Procedure for FMEA
1.0 Define the system of interest
2.0 Define the problems of interest for the analysis
3.0 Choose the type of FMEA approach for the study
4.0 Subdivide the system for analysis
5.0 Identify potential failure modes for elements of the system
6.0 Evaluate potential failure modes capable of producing problems of interest
7.0 Perform quantitative evaluation (if necessary)
8.0 Transition the analysis to another level of resolution (if necessary or otherwise useful)
9.0 Use the results in decision making

Sample Breakdown Coding (figure)

More FMEA PROCESS
1. List components
2. LIST ALL FAILURE MODES
   – e.g. closed, open, partially open, etc.
3. Determine the causes of each failure mode
4. Determine effects of the failure
5. Determine probability of failure occurring

Questions to ask when considering effects
• Will failure of the system render an unacceptable loss?
• Will failure of this subsystem render an unacceptable loss?
• Will failure of this assembly render an unacceptable loss?
• NO means that part of the analysis is complete

More FMEA PROCEDURE
6. DETERMINE RISK
   – Include probability considerations
   – Categorize risk using the matrix
7. Determine controls and countermeasures
8. Make recommendations

Advantages
• Exhaustive method for determining single-point failures and consequences.
• In FMECA, risk assessment of these failures is accomplished
• Further analysis for items identified as high risk in the PHA.
• Finds hazards that were overlooked in the PHA
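The FMEA worksheet steps above (list failure modes, causes and effects, assign a probability, categorize risk with a matrix, then prioritise controls and recommendations) can be carried through in a small script. The following is an added example in Python, not code from the SFPE slides or from the FMEA Info Centre; the relief-valve rows, the qualitative scales and the 5x4 risk matrix are constructed for illustration and are not data or thresholds taken from the slides.

```python
"""FMEA worksheet with risk-matrix categorisation (added example, not from the slides).

Walks the worksheet steps: record each component's failure modes, causes,
effects and probability, categorise risk with a matrix, and rank the rows so
that controls and recommendations go to the worst items first.  Scales,
matrix thresholds and the sample rows are assumed, for illustration only.
"""
from dataclasses import dataclass, field

# Qualitative scales, ordered from least to most severe / likely (assumed).
SEVERITY = ["negligible", "marginal", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]

# Assumed risk matrix: rows = probability, columns = severity (same order as SEVERITY).
RISK_MATRIX = {
    "frequent":   ["medium", "serious", "high", "high"],
    "probable":   ["medium", "serious", "high", "high"],
    "occasional": ["low", "medium", "serious", "high"],
    "remote":     ["low", "medium", "medium", "serious"],
    "improbable": ["low", "low", "medium", "medium"],
}
RANK = {"high": 0, "serious": 1, "medium": 2, "low": 3}   # lower number = worse


@dataclass
class FailureMode:
    component: str
    mode: str            # e.g. "closed", "open", "partially open"
    cause: str
    effect: str
    probability: str     # one of PROBABILITY
    severity: str        # one of SEVERITY
    controls: list = field(default_factory=list)

    def risk(self) -> str:
        """Step 6: categorise risk using the matrix."""
        return risk_category(self.probability, self.severity)


def risk_category(probability: str, severity: str) -> str:
    """Look up the matrix cell; reject values outside the defined scales."""
    if probability not in RISK_MATRIX or severity not in SEVERITY:
        raise ValueError(f"unknown scale value: {probability!r}, {severity!r}")
    return RISK_MATRIX[probability][SEVERITY.index(severity)]


def rank_worksheet(rows):
    """Order rows worst-first so controls/recommendations (steps 7-8) are prioritised."""
    return sorted(rows, key=lambda r: (RANK[r.risk()], r.component, r.mode))


def needs_further_analysis(row, threshold="serious"):
    """Rows at or above the threshold are carried into a more detailed analysis
    (the slides' 'items identified as high risk' in the PHA)."""
    return RANK[row.risk()] <= RANK[threshold]


def sample_worksheet():
    """Constructed rows for a single relief valve (illustration only)."""
    return [
        FailureMode("Relief valve PSV-1", "fails closed", "stem seized by corrosion",
                    "vessel over-pressure on upset", "occasional", "catastrophic",
                    controls=["periodic stroke test", "second relief path"]),
        FailureMode("Relief valve PSV-1", "fails open", "spring fatigue",
                    "continuous loss of product to flare", "probable", "marginal",
                    controls=["flare flow monitoring"]),
        FailureMode("Relief valve PSV-1", "partially open", "seat damage",
                    "minor weeping to flare", "probable", "negligible"),
    ]


if __name__ == "__main__":
    for row in rank_worksheet(sample_worksheet()):
        flag = "FURTHER ANALYSIS" if needs_further_analysis(row) else ""
        print(f"{row.risk():8} {row.component} / {row.mode}: {row.effect} {flag}")
```

The matrix is deliberately a plain lookup table rather than a numeric score so that the thresholds are visible and reviewable in the worksheet itself; the analyst's own matrix replaces the assumed one.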

Disadvantages
• Costly and time consuming
• Multiple element faults are missed
• No check methodology for completeness
• Depends on analyst’s ability and expertise
• Human error and hostile environment are often overlooked.
• Probability is difficult to obtain
• Likely to miss synergistic effects.

Resources
• Appendices
• FMEA Info Centre
  – http://www.fmeainfocentre.com/

7/10/2015

Event Tree
• System design type analysis: determine all possible outcomes from a single initiating event
• Similar to Cause-Consequence Analysis
• Developed during the WASH 1400 study, ~1974 (Nuclear Industry)

Key Definitions
• Initiating Event
  – Failure or undesired event that initiates the start of an (accident) sequence
• Pivotal Event
  – Intermediary events whose failure or success determines the progress to undesired outcomes

Anatomy of an Accident

An accident is a series of interconnected events that leads to an undesirable outcome.

Initiating Event → Intermediate Event #1 → Intermediate Event #2 → Final Event (accident)

This diagram represents a “look back” at an accident that might be developed as part of an incident investigation.

Sample Event Tree: Piping Failure in Flammable Pressurized Liquid System (figure)

Example Event Tree (figure)
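The event tree definitions above (one initiating event, then a chain of pivotal events that each succeed or fail) map directly onto a depth-first enumeration of accident sequences. The following is an added example in Python, not code from the SFPE slides; the initiating event, the three pivotal events, their probabilities and the outcome labels are constructed for illustration, loosely following the slides' piping-failure sample, and are not data from the slides. It goes slightly beyond the slide text by pruning pivotal events that are never challenged on a given branch (fire suppression when no ignition occurred), which is how real event trees avoid 2^n leaves.

```python
"""Event tree enumeration with pruning of unchallenged pivotal events.

Added example, not code from the slides.  Each pivotal event is a safeguard
that either works or fails when challenged; walking every branch from the
initiating event lists all outcomes with their frequencies.  All events,
probabilities and labels below are assumed, for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PivotalEvent:
    name: str
    p_success: float        # probability the safeguard works when challenged

    @property
    def p_failure(self) -> float:
        return 1.0 - self.p_success


@dataclass(frozen=True)
class Sequence:
    branches: tuple         # (pivotal event name, "success" / "failure" / "not challenged")
    frequency: float        # initiating frequency x branch probabilities along the path
    outcome: str


def enumerate_sequences(initiating_frequency, pivotal_events, classify, is_challenged):
    """Depth-first walk of the tree.

    classify(branches) -> outcome label for a finished path.
    is_challenged(event, branches_so_far) -> False skips a pivotal event on
    paths where it is never called upon, so the tree keeps only real branches.
    """
    sequences = []

    def walk(i, prob, branches):
        if i == len(pivotal_events):
            sequences.append(Sequence(tuple(branches), prob, classify(branches)))
            return
        ev = pivotal_events[i]
        if not is_challenged(ev, branches):
            walk(i + 1, prob, branches + [(ev.name, "not challenged")])
            return
        walk(i + 1, prob * ev.p_success, branches + [(ev.name, "success")])
        walk(i + 1, prob * ev.p_failure, branches + [(ev.name, "failure")])

    walk(0, initiating_frequency, [])
    return sequences


def outcome_frequencies(sequences):
    """Sum sequence frequencies per outcome label (several paths may share an outcome)."""
    totals = defaultdict(float)
    for s in sequences:
        totals[s.outcome] += s.frequency
    return dict(totals)


# --- constructed sample tree (assumed values, not from the slides) -----------
ISOLATION = PivotalEvent("Emergency isolation closes", 0.9)
NO_IGNITION = PivotalEvent("Ignition avoided", 0.8)
SUPPRESSION = PivotalEvent("Fire suppression effective", 0.95)
INITIATING_FREQUENCY = 0.01   # assumed piping failures per year


def _classify(branches):
    state = dict(branches)
    size = "small" if state[ISOLATION.name] == "success" else "large"
    if state[NO_IGNITION.name] == "success":
        return f"{size} release, no fire"
    if state[SUPPRESSION.name] == "success":
        return f"{size} fire, controlled"
    return f"{size} fire, uncontrolled"


def _is_challenged(event, branches):
    # Suppression is only called upon if ignition actually occurred.
    if event is SUPPRESSION:
        return dict(branches)[NO_IGNITION.name] == "failure"
    return True


def sample_tree():
    return enumerate_sequences(INITIATING_FREQUENCY,
                               [ISOLATION, NO_IGNITION, SUPPRESSION],
                               _classify, _is_challenged)


if __name__ == "__main__":
    for seq in sample_tree():
        path = " -> ".join(f"{n}: {r}" for n, r in seq.branches)
        print(f"{seq.frequency:.2e}/yr  {seq.outcome:26} {path}")
```

Because each branch point multiplies by either p_success or p_failure, the sequence frequencies always sum back to the initiating-event frequency; checking that sum is a quick way to catch a missed or double-counted branch, which the slides list as a common mistake.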

Advantages
• Structured and rigorous
• Computerized
• Varying levels of detail possible
• Visual model
• Easy to do
• Models complex relationships
• Follows fault paths across system boundaries
• Combines hardware, software and human interaction
• Permits probability assessment
• Commercial software is available

Disadvantages
• Only one initiating event
• Overlooks subtle dependencies
• Bernoulli: partial success or failure not detected
• Requires some training and experience

Common Mistakes
• Improper initiating event
• Not identifying all pivotal events

CAUSE CONSEQUENCE ANALYSIS
• A bottom-up, deductive, system safety analytical technique
• Applies to
  – Physical systems, with or without human operators
  – Decision-making/management systems
• Closely related to event trees (“expanded”)

Complementary to other safety analysis techniques, e.g.
• Fault Tree Analysis
• Failure Modes and Effects Analysis

Cause Consequence Analysis
• Explores time-sequenced system RESPONSES to initiating “CHALLENGES”
• and
• Enables PROBABILITY ASSESSMENTS

Challenges
• Do not have to be abnormal events
• Example “challenges”:
  – Loss of Coolant
  – Normal Operating Command
  – Loss of External Power
  – High Level Alarm
  – High Cost of Resource
  – Loss of Primary Containment
  – Sensor Failure
  – Sensor Activates

“CONSEQUENCE”
• portrays an array of outcomes…
• representing staged increments of success/failure.
• each increment has an associated level of probability, based on permutations available

Symbols* (figure)

FORMAT* (figure)

* P.L. Clemens, “Event Trees”, 2002

Energy Trace and Barrier Analysis

Background
• Energy Flow/Barrier Analysis is based on a useful set of concepts introduced by William Haddon, Jr., M.D.*
• Used initially in highway safety and then nuclear safety.
• Universal concept that applies in performance of other analyses
• May be known under other names such as Energy Flow Analysis or Barrier Analysis

* Haddon, William, Jr., M.D., “Energy Damage and the Ten Countermeasure Strategies.” Human Factors Journal, August 1973

Energy Trace and Barrier Analysis (ETBA) is:
• A useful adjunct tool to the performance of other analyses
• A hazard identification tool
• A tool for evaluating the adequacy of countermeasures and the vulnerability of systems

ETBA is useful when
• Designing systems.
• Writing procedures (e.g., tagout-lockout).
• Planning/judging operational readiness.
• Investigating incidents
• Making decisions about “safe-to-enter” at incident sites.
• Performing analyses

Approach
• Identify all system energy sources

TYPICAL ENERGY SOURCE(S)
• Electrical
• Mechanical
• Chemical
• Radiation
• Pneumatic
• Hydraulic
• Others

For Each Energy Source
• Examine the potential for unwanted energy FLOW
  – From the Source to a “Target”
  – To cause undesirable consequences

Targets can be
• Personnel
• Equipment
• Product
• Productivity
• Environment
• Reputation
• Market share
• ??

BARRIERS ARE INHIBITORS TO FLOW SUCH AS
• Walls
• Guard Rails
• Insulation
• Shielding
• Personal Protective Equipment
• Containment Structures
• Procedures

Energy sources are varied
• Electrical
• Mechanical
• Chemical
• Radiation
• Sonic
• Thermal
• Nuclear
• Pneumatic
• Hydraulic
• Others

NOTE: Not all energy sources are easily recognized as energy sources, such as
• Toxic or asphyxiant gases
• Pathogenic organisms
• Environmental pollutants

Barriers do not have to be physical. Barriers serve as countermeasures to control Probability and/or Severity of harm to a Target.

Barriers can be
• Walls
• Guard rails
• Diking
• Insulation
• Procedures
• Shielding
• ??

There Are Many Kinds of Targets
• Personnel
• Equipment
• Product
• Productivity
• Environment
• Reputation
• Others

The unwanted energy released from a single source may attack a variety of targets.

Barrier Strategies
• Exclude energy
• Limit quantity and/or level of energy
• Prevent release of energy
• Modify rate of release of energy
• Separate energy from target in time and/or space
• Isolate by interposing a material or procedural barrier
• Modify target contact surface or basic structure
• Strengthen (harden) potential target
• Control improper energy input

Be wary of combinations
• Wind and Fire
• Electrical discharge and flammable vapors
• Explosions
  – Thermal
  – Pressure

Countermeasure Hierarchy
1. Design change
2. Engineered Safety Features
3. Safety Devices
4. Warning Devices
5. Procedures and Training

(arrow: Increasing Effectiveness)

Hazard and Operability Studies (HazOp)
• Most Rigorous Process Hazard Analysis Technique
• Gives the most information
• Multidisciplinary
• Based on deviations from normal
• Traditional and Functional Methods
• Uses outside Process Safety
  – Reliability
  – Training
  – Quality

Definitions
• Hazard
  – Any operation that could cause a catastrophic release of toxic, flammable or explosive chemicals or any actions that could result in personnel injury.
• Operability
  – Any operation inside the design envelope that would cause a shutdown that could lead to a violation of environmental, health or safety regulations or negatively impact profitability

The Multidisciplinary Team
• Leaders must act as facilitators
• Technical experts must be free to think
• Don't tie down “employees” with menial tasks
• The scribe needs to understand the terms used

Hazard and Operability Studies (HazOp)
• Create a prospective (before the incident) version of an investigation team
• Visualize (imagine) ways a plant can malfunction
  – What can go wrong, will go wrong
• Determine the possible causes
• Guide the imagination/visualization process
• Systematically examine all portions of the process.

Traditional Hazard and Operability Studies (HazOp) Guide Word Approach
• Guide Word
  – NO (not)
  – More
  – Less
  – As well as
  – Part of
  – Reverse
  – Other than
• Process Condition / Parameter
  – Flow
  – Pressure
  – Temperature
  – Level
  – Composition
  – pH
  – Time

Hazard and Operability Studies (HazOp)

Intention
• This is what the segment or “node” is in the system to accomplish, i.e. the answer to ‘why do we have this ____ in our system?’
• This is critical because the consequence of a deviation is important with respect to how it affects the intention.

Hazard and Operability Studies (HazOp)
• Define the Scope (of the analysis)
• Scope should include consequence level of the analysis
  – ex. multiple injuries
  – single serious injury
  – process upset
  – shut down
  – environmental release

Process
• Select a node
• Define the “intention” for that node
• Select a parameter
• Apply all relevant guide words to that parameter to establish deviations.
• Determine all credible probable causes for those deviations
• Determine all probable consequences (refer to the intention)
• Identify Risks and Safeguards/Countermeasures

Example
Node 1: Feed Storage
Node 1 intention = store process feed stocks

Parameter
• Composition
• Flow
• Pressure
• Level

Guide Word
• No
• More
• Other than
• As well as

MORE + LEVEL = OVERFLOW

Fault Tree Analysis: Logic Tree Process Hazard Analysis

Origins of the Technique
• Developed in 1962 for the use of the US military by Bell Telephone Laboratories
• Adaptation of an electronics circuit design method
• Symbolic analytical technique used in operations research

Fault Tree is --
• A graphic depiction of the pathways within a system that can lead to a foreseeable undesired event.
• Pathways connect contributory events and conditions through use of standard logic symbols
• Quantifiable using numerical probabilities
• ... Only one tool

Best used when…
• Losses could be large
• Numerous potential contributors
• Complex systems/processes are analyzed
• There are identified undesirable events
• An incident has indiscernible causes

Caution: Fault Trees are resource intensive and should be undertaken when the benefits far exceed the costs

Produces
• A graphic display of events and/or conditions that lead to or enable a loss
• Identifies contributors that are critical
• Improves understanding of the system
• Quantitative or qualitative insights into probability of an identified loss event
• Guidance for deploying resources
• Documentation

Fault
• An abnormal, undesirable state of a system or a system element, induced
  – (1) by presence of an improper command or absence of a proper one, or
  – (2) by a failure (see below). All failures cause faults; not all faults are caused by failures.
• A system which has been shut down by safety features has NOT faulted

Failure
• Loss, by a system or system element, of functional integrity to perform as intended.
• Examples
  – Relay will not pass the rated current
  – Pressure vessel ruptures
  – Valve leaks
• Note: a protective device that functions as intended has not failed, e.g. blown fuse, opened relief valve

Basic Assumption for Analysis
• Non-repairable system
• No intentional damage to system
• Markov system
  – Failure rates are constant
  – Future is independent of the past
• Bernoulli
  – Two mutually exclusive states

Event Symbols
• EVENT - a state produced by antecedent events
• TOP EVENT - foreseeable undesired event
• BASIC EVENT – initiating fault/failure not developed further

Connecting Gates

“OR” Gate … produces output if any input exists. Any input, individually, must be (1) necessary and (2) sufficient to cause the output event.

“AND” Gate … produces output if all inputs co-exist. All inputs, collectively, must be (1) necessary and (2) sufficient to cause the output event.

Step 1: Identify the top level undesired event
Step 2: Identify 1st level contributors
Step 3: Link to the TOP with a logic gate
Step 4: Identify 2nd level contributors
Step 5: Link to Level 1 with a logic gate

Conventions and Rules

Conventions and Rules (figure: NO / YES examples)

More Rules
• Be CONSISTENT in naming fault events/conditions. Use the same name for the same thing every time
• Say WHAT failed/faulted and HOW, e.g., “Valve AV49 failed open”

Scope the Analysis
Too General        | Improved
Computer Outage    | Loss of Primary Process Computer exceeding 30 minutes
Exposed conductor  | Human contact with an exposed component w/ voltage above 60 V
Loss of product    | Loss of product containment exceeding 10 gallons

Applying scoping to the “Top Event” enables the analyst to preserve resources in the analysis by confining the effort to relevant considerations. In order to “scope,” describe the level of penalty or the situation in which the event becomes intolerable/undesirable.

EXAMPLE (figure: AND gate)

Fault trees expose common causes

Other symbols (figure)

Relationships for Quantification
• S = Successes
• F = Failures
• Reliability: R = S / (S + F)
• Failure Probability: PF = F / (S + F)
• PF + R = F / (S + F) + S / (S + F) = 1
• Fault Rate (expression not recoverable from the transcript)
• “Bathtub Curve” [1]

1. Clemens, Pat, Fault Tree Analysis, 2002, Sverdrup Engr.

Quantification with an OR
• PF + R = F / (S + F) + S / (S + F) = 1
• Through an OR gate with 2 inputs:
  – R = Ra * Rb
  – PF = 1 – R
  – PF = 1 – (Ra * Rb)
  – PF = 1 – [(1 – Pa)(1 – Pb)]
  – PF = Pa + Pb – Pa Pb
• Rare Event approximation: for Pa, Pb ≤ 0.2, PF = Pa + Pb
• For 3 inputs: (figure)

Quantification with an AND
• Case with 2 inputs: both of two independent elements must fail to produce system failure
  – R = Ra + Rb – Ra * Rb
  – PF = 1 – R
  – PF = 1 – [(1 – Pa) + (1 – Pb) – (1 – Pa)(1 – Pb)]
  – PF = Pa * Pb
• 3 inputs: (figure)

Propagation through AND (figure; gate labels not recoverable from the transcript)

Propagation through OR (figure; gate labels not recoverable from the transcript)

Analyze the Tree
• A CUT SET is any group of fault tree initiators (basic events) which, if all occur, will cause the top event to occur.
• A MINIMAL CUT SET is a smallest group of fault tree initiators which, if all occur, will cause the top event to occur.
• Shortest path to the top event

Cut Sets indicate structural importance. In general, if other factors are equivalent…
• A long Cut Set indicates there is low vulnerability
• A short Cut Set generally indicates there is a higher vulnerability
• Presence of many Cut Sets is an indicator of a high vulnerability…
• and a single cut set signals a potential single point failure

Path Sets
• PATH SET is a group of fault tree initiators which, if none of them occurs, will guarantee that the TOP event cannot occur

Find Path Sets
• TO FIND PATH SETS change all AND gates to OR gates and all OR gates to AND. You have transformed the tree to a success tree.
• Then proceed as for Cut Sets.
• Path Sets will be the result
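The three fault-tree passages above (gate quantification with its rare-event approximation, minimal cut sets, and path sets via the AND/OR-swapped success tree) can be exercised on one small tree. The following is an added example in Python, not code from the SFPE slides or from Clemens; the tank-overflow tree, its event names and probabilities are constructed for illustration and are not data from the slides. It also shows the caveat behind the slides' "fault trees expose common causes": gate-by-gate propagation of the OR/AND formulas is only exact when every gate's inputs are independent, so with a basic event shared by two branches the top-event probability has to come from the minimal cut sets instead.

```python
"""Fault tree quantification, minimal cut sets and path sets (added example).

Gate semantics follow the slides: an OR gate produces its output if any input
exists, an AND gate only if all inputs co-exist.  Basic events are assumed
independent and two-state (the Bernoulli assumption).  The sample tree and its
probabilities are assumed, for illustration only.
"""
from itertools import combinations, product


class Event:
    """Basic event: an initiating fault/failure not developed further."""
    def __init__(self, name, p):
        self.name, self.p = name, p


class Gate:
    def __init__(self, kind, name, inputs):
        assert kind in ("AND", "OR")
        self.kind, self.name, self.inputs = kind, name, list(inputs)


def propagate(node):
    """Gate-by-gate propagation as on the slides: OR gives PF = 1 - prod(1 - Pi)
    (i.e. 1 - Ra*Rb), AND gives PF = prod(Pi).  Exact only if the inputs of
    every gate are independent, which a shared basic event breaks."""
    if isinstance(node, Event):
        return node.p
    ps = [propagate(i) for i in node.inputs]
    out = 1.0
    if node.kind == "AND":
        for p in ps:
            out *= p
        return out
    for p in ps:
        out *= 1.0 - p          # R = Ra * Rb * ...
    return 1.0 - out            # PF = 1 - R


def rare_event_or(ps):
    """Rare-event approximation for an OR gate: PF ~ sum(Pi) when each Pi is small."""
    return sum(ps)


def minimise(sets):
    """Drop any set that has a proper subset in the collection."""
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_cut_sets(node):
    """Smallest groups of basic events which, if all occur, cause the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child)                                        # any input suffices
    else:
        sets = {frozenset().union(*combo) for combo in product(*child)}   # one cut set from each input
    return minimise(sets)


def success_tree(node):
    """Swap AND<->OR to obtain the success tree (the slides' path-set recipe)."""
    if isinstance(node, Event):
        return node
    return Gate("OR" if node.kind == "AND" else "AND", node.name,
                [success_tree(i) for i in node.inputs])


def minimal_path_sets(node):
    """Groups of basic events which, if none occur, guarantee the top cannot occur."""
    return minimal_cut_sets(success_tree(node))


def top_probability(cut_sets, probs):
    """Exact P(top) = P(union of minimal cut sets) by inclusion-exclusion; with
    independent basic events, P(several cut sets all occur) = prod over their union."""
    cuts = list(cut_sets)
    total = 0.0
    for r in range(1, len(cuts) + 1):
        for combo in combinations(cuts, r):
            term = 1.0
            for e in frozenset().union(*combo):
                term *= probs[e]
            total += (-1) ** (r + 1) * term
    return total


def sample_tree():
    """Constructed tank-overflow tree with one common-cause event (assumed values)."""
    switch = Event("Level switch fails", 0.05)
    power = Event("Instrument power lost", 0.01)   # shared by both branches
    operator = Event("Operator misses alarm", 0.10)
    top = Gate("AND", "Tank overflows", [
        Gate("OR", "Automatic trip fails", [switch, power]),
        Gate("OR", "Manual intervention fails", [operator, power]),
    ])
    return top, {e.name: e.p for e in (switch, power, operator)}


if __name__ == "__main__":
    top, probs = sample_tree()
    cuts = minimal_cut_sets(top)
    print("minimal cut sets :", [sorted(c) for c in cuts])    # the 1-element set is a single point failure
    print("minimal path sets:", [sorted(p) for p in minimal_path_sets(top)])
    print(f"gate-by-gate propagation: {propagate(top):.5f}  (underestimates: shared event)")
    print(f"exact from cut sets     : {top_probability(cuts, probs):.5f}")
    approx = rare_event_or([eval('*'.join(str(probs[e]) for e in c)) for c in cuts])
    print(f"rare-event approximation: {approx:.5f}")
```

On the sample tree the one-element cut set is exactly the single point failure the slides warn about, and the exact probability is more than double what naive propagation reports, because both OR gates are driven by the same power-loss event. Inclusion-exclusion is exponential in the number of cut sets, so for large trees the rare-event sum over cut sets is the usual working approximation.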

“Perform an analysis only to reach a decision. Do not perform an analysis if that decision can be reached without it...”

Dr. V.L. Grose, George Washington University