
Korean J. Chem. Eng., 26(6), 1429-1440 (2009)
DOI: 10.1007/s11814-009-0253-0
RAPID COMMUNICATION

Development of a new automatic system for fault tree analysis for chemical process industries

Jiyong Kim*,‡, Jinkyung Kim**, Younghee Lee*, and Il Moon*,†

*Department of Chemical Engineering, Yonsei University, 134 Shinchon-dong, Seodaemun-gu, Seoul 120-749, Korea
**School of Chemical & Biomolecular Engineering, Georgia Institute of Technology, 311 Ferst Drive, N.W. Atlanta, GA 30332-0100, USA
(Received 28 January 2009 • accepted 5 April 2009)

Abstract−The main purpose of this study was to develop a computer automated tool for fault tree analysis (FTA) in order to minimize the flaws of manual FTA. The automated FTA system developed in this study consists of two steps: 1) automatic fault tree conversion from a digraph, and 2) calculation of the probability of the occurrence of the top event and finding a minimal cut set of the top event. For the first step, we propose a new algorithm for automatic conversion of a digraph to a fault tree. The new digraph-FT conversion algorithm has eight FT generation rules to transform node information that is based on the node characteristics. Failures and faults are classified into three types to easily synthesize fault trees and analyze fault trees precisely. The automatic FTA system was then applied to the analysis of real chemical processes to illustrate the effectiveness of the system.

Key words: Fault Tree Analysis, Automatic FTA, Digraph, Hazard Assessment, Minimal Cut Set

INTRODUCTION

Risk is defined as a measure of the potential likelihood and magnitude of human injury, environmental damage, or economic loss [1]. An essential goal of risk analysis is the estimation and assessment of risk by gathering and integrating information regarding accident scenarios, frequencies and consequences.

As a powerful tool for a risk assessment, fault tree analysis (FTA) has long been applied for quantitative risk analysis of chemical processes, and much can be gained from the application of FTA in the chemical process industry [1]. FTA is based on constructing a hypothetical tree of base events that branch into numerous sub-events, which propagate the fault and eventually lead to the undesirable top event [2]. FTA has the following merits: i) the results of FTA are reliable due to its inherent statistical analysis; ii) FTA can quantitatively and qualitatively evaluate the safety concerns of a given process; iii) FTA identifies the causal aspects of a system that are relevant to significant failures.

The conventionally applied manual construction of fault trees is dependent on the expertise of the constructor and requires enormous manpower, cost, and time. Additionally, the results achieved from manual construction of fault trees are often unreliable. To mitigate these problems, many researchers have been studying computer-aided FT synthesis for some time. Fussell developed a typical fault tree synthesis methodology using transfer functions and system schematic diagrams [3], while Lapp and Powers proposed their well-known algorithm based on digraphs; a digraph represents an accurate representation of the qualitative relationships between process variables, human errors, and equipment failures [4]. The following are proposed methods for making computer-aided FT synthesis more efficient and concise: the reliability graphs approach of Camarda and Trentadue [5], the decomposition approach of Shafaghi et al. [6], the mini-fault tree model of Kelly and Lees [7], and the knowledge-based approach of Elliott [8]. Based on these approaches, computerized FT synthesis software and automated FTA software have been developed, e.g., the software package PROFAT-II of Khan and Abbasi [2], CARA-Fault Tree of Sysdvest Software [9], and Fault Tree+ of Isograph Software Ltd. [10].

Some of the above studies regarding computer-aided fault tree synthesis only concentrate on individual aspects of analyzing fault trees but not on the entire FTA procedure, including automatic construction of fault trees. Furthermore, some of these products are not suitable for evaluating complex systems, such as real chemical processes. Therefore, in this study, an automatic FTA system is developed from a new digraph-FT conversion algorithm. The new FTA system is able to automatically transform digraph process data to fault trees and evaluate the probability of occurrence of the top event.

AUTOMATIC DIGRAPH-FT CONVERSION ALGORITHM

1. Features of the Digraph-FT Conversion Algorithm
Lapp and Powers proposed a new fault tree synthesis algorithm based on digraphs [4]. Their automatic digraph-FT conversion algorithm is used in this study. By modifying and improving Lapp & Powers' algorithm, it is easier to apply and faster in computation. The new algorithm also gives more reliable results than the original algorithm. The features of the new algorithm in this study are as follows:

† To whom correspondence should be addressed. E-mail: [email protected]
‡ Present address: Department of Chemical & Engineering, University of Wisconsin-Madison, 1415 Engineering Drive, Madison, WI 53705, USA

1-1. Classification with Eight FT Generation Rules
Lapp & Powers' algorithm consists of four FT-generation rules that do not consider node situations, such as deviations (+ or −) and terms of magnitude (0, 1, 10) [4]. In this study, these four FT-generation rules are subdivided into eight types (structure I, II, III-A, III-B, III-C, IV-A, IV-B and IV-C) according to node situations. This classification eliminates unnecessary calculations and iterations and combines several steps into one. Furthermore, it is suitable to apply to large and complex systems, and it minimizes computation time.

1-2. Removal of Inconsistent and Repeated Events
The new automatic digraph-FT conversion algorithm in this study checks the appearance of nodes and their relationship with the previous and following events to avoid logical errors such as a recurrence of the top event in the fault tree and an infinite loop during the construction of fault trees. For example, consistency requires that X0 (+1) not be traced to X0 (−1) nor to X0 (0). Any inconsistent events that are generated in the course of the synthesis must be deleted, and generated events must be checked for consistency.

1-3. Classification of Failures
In Lapp & Powers' algorithm, the system variables (temperature, pressure, flow rate, concentration) and failures are regarded as the same kind of node. If the system is small or simple, it is justifiable to identify failures with the variables. This is because a deviation in one variable or occurrence of a failure causes a deviation in a second variable, and it is irrelevant whether this is caused by a variable or by the occurrence of a failure. For large and complex systems, it is necessary that failures and faults are considered independently of the system variables in order to synthesize fault trees easily and to analyze fault trees precisely. Further, faults and failures are classified into three types based on the digraph representations and the patterns of their propagation in the system. This classification of the failures increases the efficiency of the automatic FT construction algorithm by making failure classification simple.

• Failure type A
Type A(f) refers to failures that can be affected by normal operating variables and external influences. If both x1 and x2 are on the same positive feedback loop (PFBL), the value of x2 can be affected not only by f but also by x1. In the case of a negative feedback loop (NFBL), x2 is always affected only by f. In Fig. 1(a), the operating variable C is affected by variable B and failure f simultaneously.

• Failure type B
Type B(f) refers to failures that cause the relationship between variables to change to zero. In type B failures, the edge between x1 and x2 can be considered nonexistent. For example, if a pressure sensor is stuck, its input/output variables become zero (See Fig. 1(b)).

• Failure type C
Type C(f) refers to a failure that causes an inverse relationship between variables. For example, if an A/O valve is equipped in the A/C valve location, the process works inversely to its correct configuration (See Fig. 1(c)).

2. Digraph-FT Conversion Algorithm Procedure
The new algorithm for automatic digraph-FT conversion used in this study is shown in Fig. 2. The digraph-FT conversion algorithm was developed by using a recursive method with FT-generation rules. For a given digraph, the algorithm investigates the top event chosen at the beginning stage. According to this process, the algorithm also applies each FT-generation rule to compose a fault tree. The recursive technique that was used to create fault trees depends on the given situations and node type. The algorithm then recognizes the digraph's next node that is related to the top event as the new target node and applies the FT-generation rules again. If the node is considered a basic event, the FT composition is completed. The main steps of this algorithm are summarized as follows:

(1) Is X0 a non-basic event?
It is first determined if the given node is a basic event that has no event or gate. If the node is a basic event that has no influence on any other event or gate, it is not necessary to consider it further and the algorithm is stopped.

(2) Is X0 on an NFBL?
In step 6, it is determined if the given node is a component of an NFBL. If there is an external influence that is in control, nodes on NFBLs are not affected because an NFBL has a regulatory action itself. However, if an external influence is out of control, nodes on NFBLs can be affected. Thus, an FT-generation rule considering the features of NFBLs needs to be developed.

(3) Is X0 a terminal node on a negative feed forward loop (NFFL)?
Step 7 determines if the given node is a terminal node of an NFFL. In an NFFL, the start node is different from the terminal node, contrary to NFBLs. The start node on the NFFL is only affected by external influences; however, the terminal node is affected not only by external influences but also by other nodes on the NFFL. Therefore, nodes other than the terminal node on NFFLs follow the same FT-generation rule as nodes that are not on a loop. The terminal node on an NFFL follows an FT-generation rule that considers the effects of external influences and of the other nodes on the NFFL.

(4) Is X0 both a node on an NFBL and the terminal node of an NFFL?
This step checks the combined questions of step 6 and step 7 to determine if the given node is both a node of an NFBL and the terminal node of an NFFL. In this case, because the node is changed by the features of NFBLs and NFFLs, an FT-generation rule that considers the two features simultaneously needs to be developed.

Fig. 1. Configurations of failure (a) Failure type A. (b) Failure type B. (c) Failure type C.

November, 2009

Fig. 2. The new digraph-FT conversion flow chart.

(5) Remove the inconsistent and repeated events
This step plays an important role in the digraph-FT conversion algorithm to prevent a recurrence of the top event in the fault tree. In addition, if an event is repeated on the same level, the event will be eliminated to prevent the algorithm from becoming stuck in an infinite loop.

3. FT Generation Rules
To correctly transform digraph information into a fault tree requires some uniform rules. In this study, the FT-generation rules are classified into four structures depending on the situation of the nodes discussed above. These four rules are embedded with the modified transfer function presented by Fussell [3]. The fault-tree-generation rules in this study are as follows:

Fig. 3. FT generation rules: structure I.

(a) Structure I
When the situation of a node belongs to one of the following three cases, the node forms a fault tree like Fig. 3:
(i) The node is in a PFFL and in a PFBL.
(ii) The node is in an NFFL and it is not a terminal node.
(iii) The node is not in a loop.
Structure I is the arrangement of the deviation in an input node that has an effect on the target node by connecting to an OR gate.

(b) Structure II
When the node is a terminal node of an NFFL, this node forms structure II. Structure II is an FT-generation rule that considers the effect of the start node and also of the non-start nodes. This is shown in Fig. 4.

Fig. 4. FT generation rules: structure II.

(c) Structure III
When the node is in an NFBL, a fault tree is constructed by structure III. Structure III is an FT-generation rule that considers the control ability of the loop by itself and consists of three types of structures: III-A, III-B and III-C (See Fig. 5).

(d) Structure IV
Structure IV is applied when the given node is the terminal node of an NFFL and is also a node in an NFBL. In this case, the FT-generation rule considers the peculiarities of being in an NFBL and an NFFL at the same time. Therefore, the FT-generation rule is a combination of structure I and II as shown in Fig. 6.

NEW AUTOMATIC FTA SYSTEM

The new automatic FTA system in this study includes both construction and analysis of fault trees. Before the fault trees are analyzed, the fault tree produced from the above conversion algorithm must be simplified. Because fault trees drawn directly from a computer algorithm usually have superfluities, some simplification can help to make them more clear and concise. This new automatic FTA system uses the method proposed by Wang et al. [11] for simplification of fault trees. Two kinds of simplification are performed: algebraic simplification and tree simplification. Algebraic simplification basically deals with certain or negligible events. When a certain event (with the probability of 1) is under an OR gate, algebraic simplification is performed to remove the parent gates until an AND

gate is encountered. When a certain event is under an AND gate, the event is directly deleted. If an event with negligible probability is under an AND gate, the removal of the entire parent gate will continue until an OR gate is met. If a negligible event is under an OR gate, the event will be directly deleted.

For qualitative analysis, the automatic FTA system in this study computes the probability of the occurrence of the top event with unavailability, which is the probability that a component is not available (i.e., failed, out for testing, etc.) at time t. Unavailability is calculated from the failure rate and the mean time to repair. Because it can be difficult to obtain this reliability data for chemical processes, users can directly input the value of the unavailability instead of the failure rate and the mean time to repair. The procedures for computing the top event probability are as follows: 1) Input probability data (the failure rate and the mean time to repair) of each basic event. 2) Compute the unavailability for each basic event. 3) Compute the probability of occurrence for each cut set. 4) Compute the probability of the top event.

Fig. 5. FT generation rules: (a) Structure III-A. (b) Structure III-B. (c) Structure III-C.
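The following is an added worked example, not code from the paper or its FTA system: it carries the four-step top event probability procedure above through a small fault tree, after first reducing the tree to its minimal cut sets by the top-down gate expansion that the next section attributes to Fussell's algorithm. The tree, the event names and the failure rate / MTTR values are constructed for illustration and are not the paper's case-study data; unavailability is taken as the steady-state value q = λτ/(1 + λτ), which is an assumption of this example.

```python
"""Added worked example (not the paper's own code): a constructed fault tree
is reduced to its minimal cut sets by top-down gate expansion, then quantified
with the four-step procedure in the text: failure rate and MTTR -> basic-event
unavailability -> cut set probability -> top event probability."""
from itertools import combinations
from math import prod

# Constructed sample tree for a hypothetical "reactor overheats" top event.
# Gate name -> (gate type, inputs); inputs are basic events or other gates.
TREE = {
    "TOP": ("OR", ["COOL_INGRESS", "G1", "G2"]),
    "G1": ("AND", ["TV_STUCK", "G3"]),
    "G3": ("OR", ["TE_STUCK", "TAH_STUCK"]),
    # G2 is a superset of a G1 cut set, so it must drop out as non-minimal.
    "G2": ("AND", ["TV_STUCK", "TE_STUCK", "OP_IGNORE"]),
}

# Constructed reliability data: basic event -> (failure rate per hour, MTTR in hours).
BASIC_EVENTS = {
    "COOL_INGRESS": (1e-6, 100.0),
    "TV_STUCK": (1e-4, 10.0),
    "TE_STUCK": (2e-4, 5.0),
    "TAH_STUCK": (1e-5, 10.0),
    "OP_IGNORE": (1e-3, 1.0),
}


def minimal_cut_sets(tree, top):
    """Top-down expansion in the manner of Fussell's algorithm: an OR gate
    splits a cut set into one alternative per input, an AND gate adds all of
    its inputs to the same cut set. When no gate names remain, every set is a
    cut set; dropping supersets leaves the minimal cut sets."""
    cut_sets = [frozenset([top])]
    while any(e in tree for cs in cut_sets for e in cs):
        expanded = []
        for cs in cut_sets:
            gates = [e for e in cs if e in tree]
            if not gates:
                expanded.append(cs)
                continue
            kind, inputs = tree[gates[0]]
            rest = cs - {gates[0]}
            if kind == "AND":
                expanded.append(rest | frozenset(inputs))
            else:  # OR
                expanded.extend(rest | {i} for i in inputs)
        cut_sets = expanded
    unique = set(cut_sets)
    minimal = [cs for cs in unique if not any(o < cs for o in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def unavailability(failure_rate, mttr):
    """Steady-state unavailability of a repairable component (assumed model):
    q = lambda*tau / (1 + lambda*tau), lambda = failure rate, tau = MTTR."""
    lt = failure_rate * mttr
    return lt / (1.0 + lt)


def cut_set_probability(cut_set, q):
    """Basic events are assumed independent, so a cut set occurs with the
    product of its members' unavailabilities."""
    return prod(q[e] for e in cut_set)


def top_event_probability(cut_sets, q):
    """Probability that at least one minimal cut set occurs. Returns the
    exact inclusion-exclusion value and the rare-event approximation (sum of
    cut set probabilities), which never falls below the exact value."""
    exact = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            joint = frozenset().union(*combo)  # all cut sets in combo occur
            exact += (-1) ** (k + 1) * cut_set_probability(joint, q)
    rare = sum(cut_set_probability(cs, q) for cs in cut_sets)
    return exact, rare


def analyse(tree=TREE, basic_events=BASIC_EVENTS, top="TOP"):
    """Run the pipeline; returns (minimal cut sets, exact P(top), rare-event P(top))."""
    q = {e: unavailability(rate, mttr) for e, (rate, mttr) in basic_events.items()}
    mcs = minimal_cut_sets(tree, top)
    exact, rare = top_event_probability(mcs, q)
    return mcs, exact, rare


if __name__ == "__main__":
    mcs, exact, rare = analyse()
    for i, cs in enumerate(mcs, 1):
        print(f"{i}. {{{', '.join(sorted(cs))}}}")
    print(f"P(top) exact = {exact:.4e}, rare-event approximation = {rare:.4e}")
```

For the constructed data the single-event cut set dominates the top event probability, which is the same kind of conclusion the case studies below draw from their cut set lists.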

Fig. 6. FT generation rules: (a) Structure IV-A. (b) Structure IV-B. (c) Structure IV-C.

As the next step of the automatic FTA system, quantitative analysis is used to determine the minimal cut sets. After a large fault tree has been constructed, it may be difficult to "see" how combinations of events can cause the top event. In this case, it is most instructive to rearrange the fault tree into its minimum cut-set form. Determining the minimum cut-set form of a fault tree is the most accurate way to find a basic event that causes a failure of the top event. Minimal cut sets are sets in which no smaller cut sets are included. For small fault trees, it is often possible to enumerate the minimal cut sets by inspection. However, for larger fault trees, inspection alone may not be feasible. For efficient determination of minimal cut sets, the automatic FTA system in this study uses Fussell's algorithm [3]. With the generated fault trees, users can search not only the minimal cut sets but also the ranking of basic event frequency and the gate list.

The automatic FT conversion algorithm includes the following procedures: 1) user-input node data representing process variables and failure data for building the system digraph according to the P&ID, 2) user-input names of these node and failure data, 3) selection of the top event, 4) identification and classification of loops in the system digraph, 5) classification of fault and failure types, 6) calculation of probability data, 7) automatic conversion of the system digraph into a fault tree, and 8) the minimal user-determined representation of cut sets or the ranking of basic event frequency. These procedures are described schematically in Fig. 7.

Fig. 7. Hazard identification and automation of FTA.

CASE STUDY

1. FTA of a Chlorination Reactor
To verify the results of the new automatic FTA system, we studied a chlorination reactor, which was adapted from Lapp and Powers [4]. Unsaturated hydrocarbons are chlorinated via the process shown in Fig. 8. Gaseous chlorine enters the process and is mixed with an excess of gaseous hydrocarbons before entering an adiabatic tubular thermal reactor. The hydrocarbon vapor then enters the process through a compressor and passes through a steam-heated heat exchanger before entering the mixer. The flow of the steam to the heater is controlled by the temperature of the reactor effluent. If the compressor is shut down, a signal is sent to close the chlorine flow control valve and to open the inerts injection valve. A list of basic events and failure events is given in Table 1.

In this study, the digraph drawn by Lapp and Powers (1989) [5] is used. By analyzing the digraph, it is observed that there are 2 PFFLs, 2 NFFLs and an NFBL.
(1) NFFL 1
P7→P8→M10→Cl2(11)→Cl2(13)
P7→P5→P6→M3→M11→Cl2(13)
(2) NFFL 2
M20→M12→M13→T14
M20→T12→T13→T14

Fig. 8. PFD of the chlorination reactor [4].

Table 1. Basic events and failure events of the chlorination reactor

Symbol      Basic and failure events
Px          Pressure in stream x
Mx          Mass flow rate in stream x
Tx          Temperature in stream x
Cl2 (11)    Conc. of Cl2 in line 11
Cl2 (13)    Conc. of Cl2 in line 13
FCBOCl2     Cl2 flow controller broken
FCBACl2     Cl2 flow controller backward
FSBACl2     Cl2 flow sensor backward
FSBOCl2     flow sensor broken
VRCl2       Cl2 valve reversed
IVS         Inerts valve stuck
IVR         Inerts valve reversed
LIF         Low inerts flowrate
VRSTM       Steam valve reversed
SDCBA       Shutdown controller backward
SDCBO       Shutdown controller broken
CBA         Controller backward
CBO         Controller broken
COM Cl2     Cl2 flow controller on manual
TSBO        High temperature set pt.
COMSTM      Steam controller on manual
CBOSTM      Steam controller broken
CBASTM      Steam controller backward
FSTH        High Cl2 flow set pt.
CSD         Compressor shutdown
EFAR        External fire around reactor
TSTH        High temperature set pt.

(3) PFFL 1
M2→P22→P4→P6→M3
M2→M3
(4) PFFL 2
M20→M12→Cl(13)→T14
M20→T12→T13→T14
(5) NFBL 1
T14→P15→P16→M18→T12→T13→T14

The top event of interest is the high temperature in the reactor (T14 (+10)). T14 (+10) is a terminal node of an NFFL and is also in an NFBL. If T14 (+10) is the top event, a fault tree is constructed with the FT-generation rules of structure IV-B. The fault tree that is automatically generated using the digraph is shown in Fig. 9 without the probabilities of basic events. The fault tree of Fig. 9 consists of 3 AND gates, 40 OR gates, and 2 EOR (exclusive or) gates. On the other hand, the fault tree produced by Lapp and Powers had 7 AND gates, 59 OR gates and 11 EOR gates for the same top event, T14 (+10) [4]. Due to the FT-simplification step used in this study, there are fewer intermediate events (AND gates, OR gates, and EOR gates) than shown by Lapp and Powers. Nevertheless, the minimal cut sets that directly cause a failure of the top event are the same as in their results; this is because the FT simplification step in this study only eliminates unnecessary intermediate events and basic events. The minimal cut sets of the above fault tree are as follows:
1. {Cl2 flow controller on manual (0), Mass flow rate in line 1 (0)}
2. {Cl2 flow controller broken (0), Mass flow rate in line 1 (0)}
3. {Cl2 flow sensor broken (0), Mass flow rate in line 1 (0)}
4. {High Cl2 flow set point (−10)}
5. {Compressor shutdown (−10)}
6. {High temperature set point (−10)}
7. {Steam valve reversed (+1)}
8. {Steam controller backward (−1)}
9. {Pressure in line 7 (−1)}
10. {Pressure in line 15 (−10)}
11. {Mass flow rate in line 1 (−10)}
12. {Mass flow rate in line 21 (−10)}
13. {Temperature in line 17 (+10)}
14. {Temperature in line 21 (+10)}
Based on the results of the minimal cut sets analysis, the top event (T14 (+10)) occurs mainly due to failure of the Cl2 flow controller, failure of the compressor, the wrong set point, and/or deviations of the flow rate and temperature.

Fig. 9. Fault tree for the top event of the chlorination reactor.

2. FTA of the Nitration Unit
To verify this algorithm again, we have studied here the fault tree for the nitration unit of a hexagon industry. The unit was identified for the detailed FTA after all the units were screened by using indices and the nitration unit was found to be potentially most hazardous [2].

2-1. Process Boundary of the Nitration Unit and Precautions
The unit handles nitric acid and hexamine in 8 : 1 molar ratio at an ideal temperature of 108 °C. Any positive deviation in temperature or reactant proportions may cause a runaway reaction. The reactor is cooled while passing a mixture of water and methanol through the cooling coil at a temperature of 58 °C. The coolant flow rate is controlled by a pneumatic valve i to maintain a reaction temperature of around 108 °C. A slow-moving stirrer is used in the reactor to avoid local heating and hot-spot formation. In case of an emergency, the contents of the reactor may be discharged into an emergency tank. The discharge from the reactor is activated by either pulling an electric chain, using an automatic button, or opening a manually operated manhole valve. The simplified process flow diagram of the unit is shown in Fig. 10.

A detailed study of the unit reveals that to control the risk of an explosion in the reactor the following precautions are necessary:
1. The reactant proportions must be controlled; especially, the proportion of HNO3 must not be allowed to fall below eight times that of hexamine.
2. The temperature in the unit must be maintained close to 108 °C.
3. Local heating must be avoided.
4. Proper working of the emergency system must be ensured.

2-2. Scenario and Digraph
To represent the process as a digraph, 15 basic nodes were selected, which are typical components of the nitration process, shown in Table 2.

A detailed study of the process and accident scenario measures yielded 23 failure nodes that have a direct or indirect dependency on the top event; namely, explosion of the nitration reactor. These failure nodes include stirrer motor fail, control valve fail, HNO3 concentration falling below its permissible value, coolant leaks into the reactor, ratio control fails, transmission error, thermostats malfunction, and signal transmission devices fail. A list of failure nodes with their probability of failure is given in Table 3. The probability data has been adapted from Khan & Abbasi [2].

The digraph for the nitration unit is shown in Fig. 11. A solid line is the normal edge between nodes and a dotted line is a failure edge between nodes. Each gain (0, (±1), (±10)) is estimated based on the detailed study of an accident scenario.

Fig. 10. PFD of the nitration unit [2].

2-3. Fault Tree Synthesis and Analysis
The complete fault tree that is automatically generated from the digraph in Fig. 11 is shown in Fig. 12. The probability of the occurrence of the top event (EXtk) is 1.8E-6 and the minimal cut sets of the above fault tree are as follows:
1. {Coolant ingress into the reactor (+10)}
2. {Cooler control valve stuck (0), Temperature alarm stuck (0), Sensing of higher temp. fails (+10)}
3. {Cooler control valve stuck (0), Temperature alarm stuck (0), Temperature sensor stuck (0)}
4. {Cooler control valve stuck (0), Temperature alarm stuck (0), Automatic discharge valve stuck (0)}
5. {Cooler control valve stuck (0), Automatic discharge valve stuck (0), Operator ignores alarm (0)}
6. {Stirrer motor fails (0), Hexamine supply fails (0), Ratio control fails (0)}
7. {Stirrer motor does not start (−1), Not enough HNO3 (−10), Ratio control fails (0)}
8. {Upper composition alarm stuck (0), HV stuck (0), Automatic discharge valve stuck (0)}
9. {Lower composition alarm stuck (0), HV stuck (0), Automatic discharge valve stuck (0)}
10. {Upper composition alarm stuck (0), Ratio control fails (+10)}
11. {Lower composition alarm stuck (0), Ratio control fails (−10)}
Analysis of these minimal cut sets revealed that the top event

Table 2. Basic events and their probabilities of occurrence


Event name Basic events Normal operation condition (gain=+1 or −1) Probability (failure rate/year)
Ptk Pressure of reactor 2-3 atm -
Ntk Flow rate of reactor 260 kgMol/Hr -
Ttk Temperature of reactor 7-10 °C -
M1 Flow rate of hexamine 20 kgMol/Hr -
M2 Flow rate of emergency tank 300 kgMol/Hr -
M3 Flow rate of HNO3 240 kgMol/Hr -
SAH Upper composition alarm On 4.6E-5
SAL Lower composition alarm On 4.6E-5
TE Temperature sensor On 6.7E-4
TY Signal transmission device On 9.8E-4
TIC TV controller On 1.3E-3
TAH Temperature alarm On 5.0E-5
TV Cooler control valve On 1.3E-3
HV Discharge control valve On 9.2E-5
HHV Manual discharge valve On 2.1E-4


Table 3. Failure events and their probabilities of occurrence


Event name Failure events Available gain value Probability (failure rate/year)
A Temperature alarm fails 0 4.0E-5
B Operator ignores sounding of alarm 0 1.0E-5
C Failure of control valve (±10) 8.0E-6
D Failure of temperature sensor 0 3.0E-4
E Sensing of higher temperature fails 0, (+10) 1.0E-5
F Signal transmission device fails (±10) 3.2E-4
G Coolant supply is inadequate 0, (±1) 5.2E-6
H Failure of SAH 0, (+10) 4.0E-5
I Failure of SAL 0, (−10) 4.0E-5
J Alarm fail SAH 0, (+10) 5.0E-6
K Alarm fail SAL 0, (−10) 5.0E-6
L Ratio control fails 0, (±10) 4.0E-4
M Not enough HNO3 available (−1), (−10) 2.0E-4
N Stirrer motor fails 0, (±1) 7.0E-5
O Coolant ingress into the reactor 0, (±10) 1.5E-6
P Stirrer motor does not start on demand 0, (±1) 3.0E-4
Q Hexamine supply fails 0, (±1) 5.5E-5
R HV gets stuck 0 4.5E-5
S Operator fails to activate manual discharge 0 2.5E-4
T Manually discharge valve gets stuck 0 2.1E-4
U Operator fails to activate automatic discharge 0 1.2E-4
V Automatic discharge valve gets stuck 0 3.0E-4
W Operator ignores sounding of alarm SAH or SAL 0, (±10) 1.0E-5

Fig. 11. Digraph for nitration unit (—: normal edge, ---: failure edge).

(EXtk) occurs mainly due to the failure of control valves and composition alarms. Therefore, the probability of the occurrence of a nitration unit explosion is reduced by safety supervision or by installing additional control valves and composition alarms.

Fig. 12. Fault tree for explosion of the nitration unit.

CONCLUSION

An automatic FTA system based on a new digraph-FT conversion algorithm is proposed in this paper. For simplicity in programming and for application to large and complex systems in a group, this new algorithm includes eight FT-generation rules, which are an improvement of the computer-aided methodology for fault tree synthesis of Lapp and Powers. Additionally, steps are included that remove inconsistent and repeated events. By classifying the failures and applying the fault tree simplification procedure, the fault trees created by the new automatic FTA system are expected to be correct and concise. This new automatic FTA system mitigates the flaws of manual FTA and determines the minimal cut sets and the probability of occurrence of the top event with less time and cost than manual FTA. This system overcomes technical problems with little information, as is the case for a PFD or P&ID, and executes FTA in a simple manner. Because it composes and analyzes the fault trees with constant rules, this system also avoids objectivity problems associated with the FTA results, which can result from users' logical problems or subjective experiences. Two case studies, FTA of a chlorination reactor and a nitration unit, proved that this automatic FTA system is suitable for application to large and complex systems and is easy to use.

ACKNOWLEDGMENTS

This work was supported by the Ministry of Education (MOE) of Korea by its BK21 Program.

REFERENCES

1. CCPS, Guideline for chemical process quantitative risk analysis, 1st edition. New York: Center for Chemical Process Safety, AIChE (1989).
2. F. I. Khan and S. A. Abbasi, J. Hazard. Mater., 75, 1 (2000).
3. J. B. Fussell, Nucl. Sci. Eng., 52, 421 (1973).
4. S. A. Lapp and G. J. Powers, IEEE T. Reliab., R26, 2 (1977).
5. P. Camarda and A. Trentadue, IEEE T. Reliab., R27, 215 (1978).
6. A. Shafaghi, F. P. Lees and P. K. Andow, Reliab. Eng. Sys. Safe., 8, 193 (1984).
7. B. E. Kelly and F. P. Lees, Reliab. Eng. Sys. Safe., 16, 39 (1986).
8. M. S. Elliott, IEEE T. Reliab., R43, 112 (1994).
9. CARA-Fault Tree light edition 4.1 SR1, Sysdvest software (1999) (www.sysdvest.com).
10. FaultTree+ Ver. 11.0 Demo, Isograph Software Ltd. (2008) (http://www.isograph-software.com).
11. Y. Wang, T. Teague, H. West and S. Mannan, J. Loss Prevent. Proc., 15, 265 (2002).
