Safety and Hazard Analysis

(CHE 1007)

Dr. A. Babu Ponnusami
Associate Professor
SCHEME

MODULE-5
LECTURE-4
Fault Tree Analysis
Review of Probability Theory
• Equipment failures or faults in a process occur as a result of a complex interaction of the individual components.
• The overall probability of a failure in a process depends highly on the nature of this interaction.
• Data are collected on the failure rate of a particular hardware component.
• With adequate data it can be shown that, on average, the component fails after a certain period of time.
• This is called the average failure rate and is represented by μ with units of faults/time.
• The probability that the component will not fail during the time interval (0, t) is given by a Poisson distribution:

where R is the reliability

• The complement of the reliability is called the failure probability (or sometimes the unreliability), P, and it is given by:

• The time interval between two failures of the component is called the mean time between failures (MTBF) and is given by the first moment of the failure density function:

• For the simultaneous failure of a number of components in parallel, the overall probability is obtained by multiplying the individual probabilities (AND gate).
• For series components the overall process reliability is found by multiplying the reliabilities for the individual components (OR gate):
Example 1
• The water flow to a chemical reactor cooling coil is controlled by the system shown in Figure. The flow is measured by a differential pressure (DP) device, the controller decides on an appropriate control strategy, and the control valve manipulates the flow of coolant. Determine the overall failure rate, the unreliability, the reliability, and the MTBF for this system. Assume a 1-yr period of operation.
(Failure rates of the control valve, controller and DP cell are 0.6, 0.29 and 1.41 faults/yr respectively)

• Ans: Work Sheet
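A worked implementation of the relations above, applied to Example 1, as an added example (my code, not the lecture's worksheet). It uses the constant-failure-rate form R = exp(-μt), P = 1 - R and MTBF = 1/μ, and treats the three series devices as an OR gate and parallel devices as an AND gate, as the slides do.

```python
import math

def reliability(mu, t):
    """Probability the component does NOT fail in (0, t): R = exp(-mu*t)
    (constant failure rate mu in faults/time, i.e. the Poisson model)."""
    return math.exp(-mu * t)

def failure_probability(mu, t):
    """Unreliability P = 1 - R."""
    return 1.0 - reliability(mu, t)

def mtbf(mu):
    """Mean time between failures = 1/mu (first moment of the failure density)."""
    return 1.0 / mu

def series_system(rates, t):
    """Series components (OR gate): the system survives only if every component
    survives, so R_sys is the product of the R_i. With constant rates that is
    exp(-sum(mu_i) * t), so the overall failure rate is the sum of the rates."""
    rates = list(rates)
    mu_sys = sum(rates)
    r_sys = math.prod(reliability(mu, t) for mu in rates)
    return {"failure_rate": mu_sys, "reliability": r_sys,
            "unreliability": 1.0 - r_sys, "mtbf": mtbf(mu_sys)}

def parallel_system(rates, t):
    """Parallel (redundant) components (AND gate): the system fails only if all
    components fail, so P_sys is the product of the P_i."""
    p_sys = math.prod(failure_probability(mu, t) for mu in rates)
    return {"unreliability": p_sys, "reliability": 1.0 - p_sys}

# Example 1 data from the slides: control valve, controller and DP cell in
# series, evaluated over a 1-yr period.
EXAMPLE1_RATES = {"control valve": 0.60, "controller": 0.29, "DP cell": 1.41}

def example_1():
    return series_system(EXAMPLE1_RATES.values(), t=1.0)

if __name__ == "__main__":
    for name, value in example_1().items():
        print(f"{name}: {value:.4f}")
```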


Fault Tree Analysis
General Description
• Fault tree analysis was developed in 1962 for the U.S. Air Force by Bell Telephone Laboratories for use with the Minuteman system… was later adopted and extensively applied by the Boeing Company… is one of many symbolic logic analytical techniques found in the operations research discipline.
• Fault Tree Analysis (FTA) is a deductive reasoning technique that focuses on one particular accident event.
• The fault tree itself is a graphic model that displays the various combinations of equipment faults and failures that can result in the accident event.
• The solution of the fault tree is a list of the sets of equipment failures and human/operator errors that are sufficient to result in the accident event of interest.
Purpose: Identify combinations of equipment failures
and human errors that can result in an accident event.
When to Use:
a. Design: FTA can be used in the design phase of
the plant to uncover hidden failure modes that
result from combinations of equipment failures.
b. Operation: FTA including operator and procedure
characteristics can be used to study an operating
plant to identify potential combinations of failures
for specific accidents.
Type of Results: A listing of sets of equipment and/or
operator failures that can result in a specific accident.
These sets can be qualitatively ranked by importance.

Nature of Results: Qualitative, with quantitative potential. The fault tree can be evaluated quantitatively when probabilistic data are available.
Data Requirements:
a. A complete understanding of how the plant/system functions.
b. Knowledge of the plant/system equipment failure modes and their effects on the plant/system.
Staffing Requirements
• One analyst should be responsible for a single fault tree, with frequent consultation with the engineers, operators, and other personnel who have experience with the systems/equipment that are included in the analysis.
• A team approach is desirable if multiple fault trees are needed, with each team member concentrating on one individual fault tree. Interactions between team members and other experienced personnel are necessary for completeness in the analysis process.
Time and Cost Requirements: Time and cost requirements for FTA are highly dependent on the complexity of the systems involved. Modeling a small process unit could require a day or less with an experienced team. Large problems, with many potential accident events and complex systems, could require several weeks even with an experienced analysis team.
[Figure: reactor P&ID with a high temperature emergency interlock (TIS) driving a shut-off valve, a bursting disc, and a flow controller (FRC) with flow control valve on the feed of material A; material B is the second feed.]

[Figure: fault tree for REACTOR EXPLOSION, 3.6 × 10^-4 F/yr, with the values shown on the tree:
– RUNAWAY REACTION, 1.8 × 10^-2 F/yr
  – FLOW CONTROL LOOP FAILS, 0.3 F/yr
    – FLOW CONTROLLER FAILS, 0.2 F/yr
    – VALVE STICKS OPEN, 0.1 F/yr
  – TEMPERATURE INTERLOCK FAILS, 0.06 probability of failure on demand
    – THERMOCOUPLE & RELAY FAIL, 0.05 probability of failure on demand
    – VALVE FAILS TO CLOSE, 0.01 probability of failure on demand
– BURSTING DISC FAILS, 0.02 probability of failure on demand]
Table 2.1 Gate Symbols (gate symbol, gate name, causal relation)
1 AND gate: Output event occurs if all input events occur simultaneously.
2 OR gate: Output event occurs if any one of the input events occurs.
3 Inhibit gate: Input produces output when the conditional event occurs.
4 Priority AND gate: Output event occurs if all input events occur in the order from left to right.
5 Exclusive OR gate: Output event occurs if one, but not both, of the input events occurs.
6 m out of n gate (voting or sample gate), n inputs: Output event occurs if m out of n input events occur.


Table 2.2 Event Symbols (event symbol, meaning of symbol)
1 Circle: Basic event with sufficient data
2 Diamond: Undeveloped event
3 Rectangle: Event represented by a gate
4 Oval: Conditional event used with inhibit gate
5 House: House event, either occurring or not occurring
6 Triangles: Transfer symbol


COMPONENT FAILURE CHARACTERISTICS
Primary Faults and Failures
Primary faults and failures are equipment malfunctions that occur in the
environment for which the equipment was intended. These faults or
failures are the responsibility of the equipment that failed and cannot be
attributed to some external force or condition.
Secondary Faults and Failures
Secondary faults and failures are equipment malfunctions that occur in
an environment for which the equipment was not intended. These faults
or failures can be attributed to some external force or condition.
Command Faults and Failures
Command faults and failures are equipment malfunctions in which the
component operates properly but at the wrong time or in the wrong
place. These faults or failures can be attributed to the source of the
incorrect command.
Fault tree examples

Example from original 1961 Bell Labs study

Part of an actual TCAS fault tree (MITRE, 1983)

© Copyright 2014 John Thomas
Fault Tree cut-sets
• Cut-set: combination of basic events (leaf nodes) sufficient to cause the top-level event
– Ex: (A and B and C)

• Minimum cut-set: a cut-set that does not contain another cut-set
– Ex: (A and B)
– Ex: (A and C)



FTA uses an accident model

Fault Tree:

Accident model: Chain-of-failure-events model:
Relay spring fails → causes → Relay contacts fail closed → causes → Excessive current provided
Fault Tree Exercise
• Hazard: Toxic chemical released
• Design:
Tank includes a relief valve opened by an operator to protect against over-pressurization. A secondary valve is installed as backup in case the primary valve fails. The operator must know if the primary valve does not open so the backup valve can be activated.
Operator console contains both a primary valve position indicator and a primary valve open indicator light.
Draw a fault tree for this hazard and system design.
Fault Tree Exercise
Example of an actual incident
• System Design: Same
• Events: The open position indicator light and open indicator light both illuminated. However, the primary valve was NOT open, and the system exploded.
• Causal Factors: Post-accident examination discovered the indicator light circuit was wired to indicate presence of power at the valve, but it did not indicate valve position. Thus, the indicator showed only that the activation button had been pushed, not that the valve had opened. An extensive quantitative safety analysis of this design had assumed a low probability of simultaneous failure for the two relief valves, but ignored the possibility of design error in the electrical wiring; the probability of design error was not quantifiable. No safety evaluation of the electrical wiring was made; instead, confidence was established on the basis of the low probability of coincident failure of the two relief valves.
Finding Cut Sets
1. Ignore all tree elements except the initiators (“leaves/basics”).
2. Starting immediately below the TOP event, assign a unique letter to each gate, and assign a unique number to each initiator.
3. Proceeding stepwise from the TOP event downward, construct a matrix using the letters and numbers. The letter representing the TOP event gate becomes the initial matrix entry. As the construction progresses:
– Replace the letter for each AND gate by the letter(s)/number(s) for all gates/initiators which are its inputs. Display these horizontally, in matrix rows.
– Replace the letter for each OR gate by the letter(s)/number(s) for all gates/initiators which are its inputs. Display these vertically, in matrix columns. Each newly formed OR gate replacement row must also contain all other entries found in the original parent row.
4. A final matrix results, displaying only numbers representing initiators. Each row of this matrix is a Boolean Indicated Cut Set. By inspection, eliminate any row that contains all elements found in a lesser row. Also eliminate redundant elements within rows and rows that duplicate other rows. The rows that remain are Minimal Cut Sets.
Example 2
• Compute the MTBF, failure rate, reliability, and probability of failure of the top event of the system shown in Figure. Also show the minimal cut sets.

• Ans: Work sheet


A Cut Set Example
• PROCEDURE:
– Assign letters to gates. (TOP gate is “A.”) Do not repeat letters.
– Assign numbers to basic initiators. If a basic initiator appears more than once, represent it by the same number at each appearance.
– Construct a matrix, starting with the TOP “A” gate.
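The matrix procedure of "Finding Cut Sets" and "A Cut Set Example" above, implemented as an added example (my code, not the lecture's worksheet) and applied to the reactor-explosion fault tree from the earlier figure; the leaf labels are my own abbreviations, and the AND/OR gate types are inferred from the figure's arithmetic (values add at the two lower gates and multiply at the two upper ones). It also quantifies the tree the way the figure does, which goes a little beyond the cut-set procedure itself.

```python
from math import prod

# Gates of the reactor-explosion fault tree from the slide. Anything not listed
# as a gate is an initiator (basic event). Gate types are my inference.
REACTOR_TREE = {
    "TOP":       ("AND", ["RUNAWAY", "DISC"]),       # reactor explosion
    "RUNAWAY":   ("AND", ["FLOWLOOP", "INTERLOCK"]), # runaway reaction
    "FLOWLOOP":  ("OR",  ["FC", "VS"]),   # flow controller fails / valve sticks open
    "INTERLOCK": ("OR",  ["TC", "VC"]),   # thermocouple & relay fail / valve fails to close
}
# Initiator values read off the slide: F/yr for the flow loop, probability of
# failure on demand for the interlock components and the bursting disc.
REACTOR_DATA = {"FC": 0.2, "VS": 0.1, "TC": 0.05, "VC": 0.01, "DISC": 0.02}

def cut_sets(tree, top="TOP"):
    """Matrix method: start with the TOP gate; expand an AND gate horizontally
    (all inputs into the same row) and an OR gate vertically (one new row per
    input, each keeping every other entry of the parent row)."""
    rows = [[top]]
    while any(x in tree for row in rows for x in row):
        expanded = []
        for row in rows:
            gate = next((x for x in row if x in tree), None)
            if gate is None:
                expanded.append(row)
                continue
            kind, inputs = tree[gate]
            rest = [x for x in row if x != gate]
            if kind == "AND":
                expanded.append(rest + inputs)
            else:
                expanded.extend(rest + [inp] for inp in inputs)
        rows = expanded
    return [frozenset(r) for r in rows]  # frozenset drops redundant entries within a row

def minimal_cut_sets(tree, top="TOP"):
    """Step 4: drop duplicate rows and any row containing all elements of a lesser row."""
    sets = set(cut_sets(tree, top))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))

def evaluate(tree, data, node="TOP"):
    """Quantify the tree as the slide does: AND gates multiply their inputs,
    OR gates add them (an approximation that holds when the values are small)."""
    if node not in tree:
        return data[node]
    kind, inputs = tree[node]
    values = [evaluate(tree, data, i) for i in inputs]
    return prod(values) if kind == "AND" else sum(values)
```

Running `minimal_cut_sets(REACTOR_TREE)` yields four three-element cut sets, each containing the bursting disc plus one flow-loop failure and one interlock failure, and `evaluate(REACTOR_TREE, REACTOR_DATA)` reproduces the figure's 3.6 × 10^-4 F/yr.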
FTA Strengths
• Captures combinations of failures
• More efficient than FMEA
– Analyzes only failures relevant to top-level event
• Provides graphical format to help in understanding the system and the analysis
• Analyst has to think about the system in great detail during tree construction
• Finding minimum cut sets provides insight into weak points of complex systems
FTA Limitations
• Independence between events is often assumed
• Common-cause failures not always obvious
• Difficult to capture non-discrete events
– E.g. rate-dependent events, continuous variable changes
• Doesn’t easily capture systemic factors
FTA Limitations (cont)
• Difficult to capture delays and other temporal factors
• Transitions between states or operational phases not represented
• Can be labor intensive
– In some cases, over 2,500 pages of fault trees
• Can become very complex very quickly, can be difficult to review
