Article info
Article history: Received 11 March 2013; Received in revised form 9 July 2013; Accepted 9 July 2013

Abstract
The paper proposes an imprecise Fault Tree Analysis in order to characterize systems affected by a lack of reliability data. Unlike other research works, the paper introduces a classification of basic events into two categories, namely Initiators and Enablers. Actually, in real industrial systems some events refer to component failures or process parameter deviations from normal operating conditions (Initiators), whereas others refer to the functioning of safety barriers to be activated on demand (Enablers). As a consequence, the output parameter of interest is not the classical probability of occurrence of the top event, but its Rate of OCcurrence (ROCOF) over a stated period of time. In order to characterize the basic events, interval-valued information supplied by experts is properly aggregated and propagated to the top. To this purpose, the Dempster-Shafer Theory of evidence is proposed as a more appropriate mathematical framework than the classical probabilistic one. The proposed methodology, applied to a real industrial scenario, can be considered a helpful tool to support risk managers working in industrial plants.
2013 Elsevier Ltd. All rights reserved.
Keywords: Rate of Occurrence of Failure; Fault Tree Analysis; Initiator Events; Enabler Events; Dempster-Shafer Theory
1. Introduction
Risk Analysis (RA) is defined as the process of systematic use of available information in order to identify hazards and to estimate the risk (IEC 60300-3-9, 1999). It consists of four basic steps, namely hazard analysis, consequence analysis, likelihood assessment and risk estimation (AIChE, 2000). Each step makes use of different qualitative and quantitative techniques, which collectively guide toward estimating the risk and ensuring the system safety.

With regard to the likelihood assessment, Fault Tree Analysis (FTA) is the most popular and recommended technique. It makes possible the identification and analysis of the conditions and factors that lead to the occurrence of a defined undesired event (i.e. the top event) significantly affecting the system performance (IEC 61025, 2006). After identifying all the possible dangerous top events, the risk analyst needs to identify all the possible causes (i.e. basic events) whose combination can generate the undesired event. Commonly, researchers do not distinguish among different types of basic events and are mainly interested in the characterization of the top event in terms of its probability of occurrence. These two aspects constitute the core of the present paper. Actually, in high-risk plants the role played by the identified basic events is quite different: some of them are inherent to the process control, others refer to the functioning of safety barriers. Furthermore, it seems more realistic and appropriate to characterize the undesired event in terms of its rate of occurrence over a stated period of time rather than its probability of occurrence. Therefore, the paper proposes an imprecise FTA in which two kinds of basic events are considered and whose output parameter is the top event rate of occurrence. In particular, basic events are classified into Initiators and Enablers. The former refer to component failures or process parameter deviations with respect to the standard conditions, whereas the latter represent the failure of the safety barriers. Therefore, the top event arises as a consequence of the occurrence of some initiator together with the failure of all the safety barriers. For the two aforementioned categories of basic events, two different imprecise input parameters are suggested, namely the Rate of OCcurrence Of Failure (ROCOF) for initiators, and the average Probability of Failure on Demand (PFD) or the classical steady-state unavailability (Q) for enablers.

In the context of the present paper, FTA is called imprecise because the input parameters are realistically assumed to be unlikely to be exactly known, i.e. assessed by single values. Actually, the uncertainty on their true value leads to an interval-valued characterization of them and to the use of a more suitable mathematical framework than the classical probabilistic one. Helton, Johnson,
G. Curcurù et al. / Journal of Loss Prevention in the Process Industries 26 (2013) 1285-1292
Abbreviations
RA: Risk Analysis
FTA: Fault Tree Analysis
ROCOF: Rate of OCcurrence of Failure
PFD: Probability of Failure on Demand
DST: Dempster-Shafer Theory
FOD: Frame Of Discernment
bpa: Basic Probability Assignment
Bel: Belief
Pl: Plausibility
ENF: Expected Number of Failures
NHPP: Non-Homogeneous Poisson Process
HPP: Homogeneous Poisson Process
LE: Level Element
LIC: Level Indicator and Controller
LCV: Level Control Valve
SIF: Safety Instrumented Function
SIS: Safety Instrumented System
Thus, for a high-conflict case (i.e. a higher value of the parameter K), the Yager combination rule gives more stable and robust results than the Dempster one.
$$m(p_i): P(U) \to [0, 1] \qquad (1)$$

$$m(\emptyset) = 0 \qquad (2)$$

$$\sum_{p_i \subseteq P(U)} m(p_i) = 1 \qquad (3)$$
With reference to Eq. (2), it means that in the evidence theory no possibility is given for an uncertain parameter to be located outside the FOD.
Definition 2. The Belief is defined as the sum of all the bpas of the proper subsets p_k of the element of interest p_i, namely:

$$\mathrm{Bel}(p_i) = \sum_{p_k \subseteq p_i} m(p_k) \qquad (4)$$

$$\mathrm{Pl}(p_i) = \sum_{p_k \cap p_i \neq \emptyset} m(p_k) \qquad (5)$$

The Plausibility can be considered as the upper bound of the set p_i.
In order to aggregate evidence coming from different and independent sources of information, the DST offers several combination rules. Among them, the first rule defined within the framework of the evidence theory is the Dempster one. Assuming the independence of two generic sources of information, the combination of the corresponding bpas on p_i can be obtained as follows:
$$(m_1 \oplus m_2)(p_i) = \begin{cases} \dfrac{\displaystyle\sum_{p_a \cap p_b = p_i} m_1(p_a)\, m_2(p_b)}{1 - K} & \text{for } p_i \neq \emptyset \\[2ex] 0 & \text{for } p_i = \emptyset \end{cases} \qquad (6)$$

$$K = \sum_{p_a \cap p_b = \emptyset} m_1(p_a)\, m_2(p_b) \qquad (7)$$

$$u(t) = \frac{d\,\mathrm{ENF}(t)}{dt} = \lim_{\Delta t \to 0} \frac{E[N(t + \Delta t) - N(t)]}{\Delta t} \qquad (8)$$

$$u(t) \approx \frac{E[N(t + \Delta t) - N(t)]}{\Delta t} \qquad (9)$$
From Eq. (9), u(t) can be interpreted as the ratio between the mean number of failures in the interval Δt and the interval itself. Considering the previous assumption on Δt, the probability of the number of failures being greater than one can be approximately set to 0. Therefore, N(t + Δt) - N(t) can only be 0 or 1, and E[N(t + Δt) - N(t)] can be interpreted as the probability of occurrence of a failure event in the interval Δt. Then, the following equation holds:

$$u(t)\,\Delta t = \Pr(t < T \le t + \Delta t) \qquad (10)$$
where m_1 and m_2 are the bpas expressed by the two sources with respect to the events p_a and p_b respectively. The factor (1 - K) in Eq. (6) is a normalization factor that ensures axiom (3) is respected. The parameter K represents the amount of conflicting evidence between the two sources and it is calculated as in Eq. (7).
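Added example (not the paper's own code): Dempster's rule of Eqs. (6)-(7) applied to interval-valued expert opinions, with the Yager variant mentioned above for high-conflict cases as an option. Inputs are the two experts' intervals for BE4 and BE1 from Table 3; it is assumed that the mass not assigned to the expert's interval sits on the whole frame, [0, 1] for a PFD and [0, ∞) for a ROCOF.

```python
INF = float("inf")

def intersect(a, b):
    """Intersection of two closed intervals, or None when it is empty."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def combine(m1, m2, frame, rule="dempster"):
    """Combine two bpas whose focal elements are intervals (lo, hi, mass).
    Dempster, Eqs. (6)-(7): conflicting products are dropped and the rest is
    divided by (1 - K). Yager: the conflicting mass K is moved to the frame
    instead, with no renormalisation. Returns (bpa as dict, K)."""
    combined, k = {}, 0.0
    for lo1, hi1, w1 in m1:
        for lo2, hi2, w2 in m2:
            cut = intersect((lo1, hi1), (lo2, hi2))
            if cut is None:
                k += w1 * w2                      # Eq. (7): conflicting mass
            else:
                combined[cut] = combined.get(cut, 0.0) + w1 * w2
    if rule == "yager":
        combined[frame] = combined.get(frame, 0.0) + k
        return combined, k
    if k >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {f: w / (1.0 - k) for f, w in combined.items()}, k

def expert_bpa(lo, hi, belief, frame):
    """One expert's opinion: mass `belief` on [lo, hi], the rest on the frame."""
    return [(lo, hi, belief), (frame[0], frame[1], 1.0 - belief)]

# Constructed inputs taken from Table 3: BE4 is a PFD (frame [0, 1]) with
# disjoint expert intervals, BE1 a ROCOF (frame [0, inf)) with nested ones.
PFD_FRAME, ROCOF_FRAME = (0.0, 1.0), (0.0, INF)
BE4 = (expert_bpa(0.20, 0.30, 0.9, PFD_FRAME), expert_bpa(0.35, 0.40, 0.9, PFD_FRAME))
BE1 = (expert_bpa(0.030, 0.035, 0.9, ROCOF_FRAME), expert_bpa(0.030, 0.040, 0.9, ROCOF_FRAME))

if __name__ == "__main__":
    for name, (e1, e2), frame in (("BE4", BE4, PFD_FRAME), ("BE1", BE1, ROCOF_FRAME)):
        for rule in ("dempster", "yager"):
            agg, k = combine(e1, e2, frame, rule)
            print(f"{name} {rule}: K = {k:.2f}")
            for (lo, hi), mass in sorted(agg.items()):
                print(f"  [{lo:.3g}, {hi:.3g}]  m = {mass:.4f}")
```

For BE4 the two intervals are disjoint, so K = 0.81 and Dempster renormalises the remaining 0.19 of mass, which reproduces the 4.737E-01 / 5.263E-02 entries of Table 5, whereas Yager leaves 0.82 on the frame.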
In a quantitative FTA, different reliability parameters can characterize the top event. Actually, for non-repairable systems, the system unreliability is the parameter of interest. Instead, for repairable systems, risk analysts can focus on the estimation of the Expected Number of Failures over a time horizon (Rausand & Høyland, 2004).

Let us consider a time interval [0, t]. N(t) represents the number of failures over this time interval. If s and t are two different time instants with s < t, the difference [N(t) - N(s)] indicates the number of failures occurring in the interval [s, t].

By indicating with ENF(t) the Expected Number of Failures at t, i.e. E[N(t)] = ENF(t), the unconditional intensity of failure u(t) is defined by Eq. (8).
(11)
(12)
(13)
$$A = (A \cap F) \cup (A \cap \bar{F}) \qquad (14)$$
$$A = A \cap F \qquad (15)$$
Therefore, from Eq. (15) it follows that Eq. (12) can be written as follows:

$$\lambda(t)\,\Delta t = \frac{\Pr(A \cap F)}{\Pr(F)} = \frac{\Pr(A)}{\Pr(F)} = \frac{u(t)\,\Delta t}{A(t)} \qquad (16)$$

where A(t) is the component availability at time t. With reference to a non-repairable component, it is functioning at time t on condition that it did not fail during the interval [0, t]. As a consequence, the availability A(t) in Eq. (16) turns into the component reliability R(t) and the unconditional intensity of failure reduces to f(t) (i.e. the probability density function of the variable T). Equation (16) allows formulating the following relation between λ(t) and u(t):

$$u(t) = \lambda(t)\,A(t) \qquad (17)$$

$$u = \lambda\,A \qquad (18)$$

[Figure (example fault tree): labels recovered from the figure are TOP1 'EXPLOSION', 'FIRE STARTS', 'PROTECTION SYSTEM UNAVAILABLE', 'EVENT1' and 'EVENT2'.]
[Figure (methodology flowchart): Information acquisition (u and PFD/Q); Judgments aggregation; Propagation to the Top Event; Calculation of Belief and Plausibility.]
(19)
$$Q_{C_k}(t) = \prod_{i=1}^{n} Q_i(t) \qquad (20)$$

$$u_{C_k}(t) = \sum_{j=1}^{n} u_j(t) \prod_{\substack{i=1 \\ i \neq j}}^{n} Q_i(t) \qquad (21)$$

$$u_{top}(t) = \sum_{k=1}^{m} u_{C_k}(t) \prod_{\substack{z=1 \\ z \neq k}}^{m} \left[1 - Q_{C_z}(t)\right] \qquad (22)$$
In the context of high-risk process plants, the terms Q_{C_z}(t) in Eq. (22) are negligible because the Q_i(t) are very small. In any case, this approximation is widely used by risk analysts because it implies an overestimation of the parameter u_top(t), i.e. a conservative result. Therefore, Eq. (22) turns into the following one:
$$u_{top}(t) \approx \sum_{k=1}^{m} u_{C_k}(t) \qquad (23)$$
$$u_{cut} = u_A\,Q_B\,Q_C\,Q_D + u_B\,Q_A\,Q_C\,Q_D + u_C\,Q_A\,Q_B\,Q_D + u_D\,Q_A\,Q_B\,Q_C \qquad (24)$$
(25)
Therefore, once all the u_cut have been calculated taking into account the admitted sequences, Eq. (23) can be applied to determine u_top.

In this particular context, Eqs. (20)-(23) previously introduced involve the interval-valued parameters arising from the aggregation phase. The computation of such equations is based on the ordinary arithmetic operations among intervals. Considering that in general different aggregated intervals can be associated with each basic event, one needs to consider all their possible combinations leading to the top. Then, for each combination z, an interval value of u_top (i.e. I_{u_top,z}) is computed together with the related bpa. The latter is calculated by means of the Cartesian product of masses
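Added example (not the paper's own code): the Cartesian-product propagation described above, run on the case-study data of this paper. It takes the aggregated intervals of Tables 4 and 5 and the minimal cut-sets of Table 2, evaluates Eq. (23) with interval arithmetic for every combination z, and computes Bel and Pl of [0, u_th] as in Eqs. (26)-(27). Two assumptions: the unassigned mass sits on the whole frame ([0, ∞) for a ROCOF, [0, 1] for a PFD/Q), and the only admitted sequence for a cut-set is the initiator occurring while both enablers are already failed, so u_cut = u_I · Q_E1 · Q_E2.

```python
from itertools import product
INF = float("inf")
# Aggregated opinions (LB, UB, mass) copied from Tables 4 and 5; the residual
# mass is assumed to sit on the whole frame: [0, inf) for a ROCOF, [0, 1] for a PFD/Q.
AGG = {
    "BE1": [(0.030, 0.035, 0.90), (0.030, 0.040, 0.09), (0.0, INF, 0.01)],
    "BE2": [(0.100, 0.150, 0.90), (0.100, 0.200, 0.09), (0.0, INF, 0.01)],
    "BE3": [(0.150, 0.200, 0.90), (0.100, 0.200, 0.09), (0.0, INF, 0.01)],
    "BE4": [(0.20, 0.30, 0.4737), (0.35, 0.40, 0.4737), (0.0, 1.0, 0.05263)],
    "BE5": [(2.0e-3, 2.5e-3, 0.81), (1.0e-3, 2.5e-3, 0.09),
            (2.0e-3, 3.0e-3, 0.09), (0.0, 1.0, 0.01)],
    "BE6": [(1.5e-3, 2.0e-3, 0.81), (1.5e-3, 2.5e-3, 0.09),
            (1.0e-3, 2.0e-3, 0.09), (0.0, 1.0, 0.01)],
}
# Minimal cut-sets of Table 2, written as (initiator, enabler, enabler).
MCS = [("BE1", "BE4", "BE6"), ("BE1", "BE5", "BE6"), ("BE2", "BE4", "BE6"),
       ("BE2", "BE5", "BE6"), ("BE3", "BE4", "BE6"), ("BE3", "BE5", "BE6")]

def u_top_interval(iv):
    """Eq. (23) in interval arithmetic: u_top = sum over cut-sets of
    u_I * Q_E1 * Q_E2 (assumed admitted sequence: initiator last). All
    factors are non-negative, so each bound is the product of bounds."""
    lo = sum(iv[i][0] * iv[a][0] * iv[b][0] for i, a, b in MCS)
    hi = sum(iv[i][1] * iv[a][1] * iv[b][1] for i, a, b in MCS)
    return lo, hi

def propagate():
    """Cartesian product of the aggregated opinions: one u_top interval per
    combination z, carrying the product of the chosen masses as its bpa."""
    names, focal = list(AGG), []
    for combo in product(*(AGG[n] for n in names)):
        iv = {n: (c[0], c[1]) for n, c in zip(names, combo)}
        mass = 1.0
        for c in combo:
            mass *= c[2]
        focal.append((*u_top_interval(iv), mass))
    return focal

def bel_pl(focal, u_th):
    """Eqs. (26)-(27) for the set [0, u_th]: Bel sums the intervals contained
    in it (UB <= u_th), Pl those that intersect it (LB <= u_th)."""
    bel = sum(m for lo, hi, m in focal if hi <= u_th)
    pl = sum(m for lo, hi, m in focal if lo <= u_th)
    return bel, pl

if __name__ == "__main__":
    focal = propagate()
    for u_th in (1e-4, 1e-3, 5e-3):
        print(f"u_th = {u_th:.0e} /year: Bel = {bel_pl(focal, u_th)[0]:.4f}, Pl = {bel_pl(focal, u_th)[1]:.4f}")
```

Any combination that draws the frame for an initiator has an unbounded upper end and therefore never counts towards Bel, which is why Bel stays below Pl even for generous thresholds.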
[Fig. 3 (case study process diagram): labels recovered from the figure are Gas Inlet, Gas Outlet, Fluid Outlet, vessel V, compressor K, LE 1125, LIC 1125, LCV 1125, LAH 1158, High level SIF 1130, PSV, RD and 'To flare'.]
Table 1
List of acronyms.

Acronym  Component
V        Vessel
K        Compressor
M        Compressor engine
LE       Level element
LIC      Level indicator and controller
LCV      Level control valve
SIF      High level safety instrumented function
LAH      Level alarm high
PSV      Pressure safety valve
RD       Rupture disc
[Fig. 4 (fault tree of the top event TOP1 'Liquid to the compressor K'): labels recovered from the figure are GATE1 'Process control system fails', GATE2 'Process safety system fails', GATE3 'Operator fails', the basic events BE1 to BE6 marked I (initiator) or E (enabler), and the basic-event descriptions 'LE 1125 fails: no signal to the LIC 1125', 'Alarm LAH 1158 fails' and 'Operator does not operate on alarm'.]
$$\mathrm{Bel}([0, u_{th}]) = \sum_{I_{u_{top},z} \subseteq [0, u_{th}]} m(I_{u_{top},z}) \qquad (26)$$

$$\mathrm{Pl}([0, u_{th}]) = \sum_{I_{u_{top},z} \cap [0, u_{th}] \neq \emptyset} m(I_{u_{top},z}) \qquad (27)$$

Table 2
Minimal cut-sets.

MCS  Basic events
1    BE1, BE4, BE6
2    BE1, BE5, BE6
3    BE2, BE4, BE6
4    BE2, BE5, BE6
5    BE3, BE4, BE6
6    BE3, BE5, BE6

Table 3
Basic events input data.

Basic event  Type  Expert    Lower bound (LB)  Upper bound (UB)  Belief mass
BE1          I     Expert 1  3.00E-02          3.50E-02          0.90
BE1          I     Expert 2  3.00E-02          4.00E-02          0.90
BE2          I     Expert 1  1.00E-01          1.50E-01          0.90
BE2          I     Expert 2  1.00E-01          2.00E-01          0.90
BE3          I     Expert 1  1.50E-01          2.00E-01          0.90
BE3          I     Expert 2  1.00E-01          2.00E-01          0.90
BE4          E     Expert 1  2.00E-01          3.00E-01          0.90
BE4          E     Expert 2  3.50E-01          4.00E-01          0.90
BE5          E     Expert 1  1.00E-03          2.50E-03          0.90
BE5          E     Expert 2  2.00E-03          3.00E-03          0.90
BE6          E     Expert 1  1.50E-03          2.50E-03          0.90
BE6          E     Expert 2  1.00E-03          2.00E-03          0.90

6. Case study

The methodology described above has been applied to calculate the ROCOF of the top event "Liquid to the compressor" referring to a
period of time of one year. The case study process diagram is reported in Fig. 3; the acronyms used in that diagram are summarized in Table 1. The gas to be compressed is separated from the liquid in the vessel V. Then, the separated gas is led to the compressor K. The process is controlled by a process control system implemented by means of the loop 1125. The latter comprises three components, namely the level sensor (LE), the level indicator and controller (LIC), and the level control valve (LCV). If such a loop fails (initiator event), then an independent process safety system should function (enabler event) to prevent the top event. In particular, the process safety system consists of the following two protection layers:

1. the operator, who is asked to intervene when the high level alarm is activated (LAH 1158);
2. the high level Safety Instrumented Function (SIF) (IEC 61508, 1999; IEC 61511, 2003) that stops the compressor engine.

Such a SIF is supposed to be performed by a Safety Instrumented System (SIS) that is not illustrated in Fig. 3.

The top event fault tree is reported in Fig. 4, where BE1, BE2 and BE3 are the initiators (I) while BE4, BE5 and BE6 are the enablers (E). By applying the minimal cut-set method, the minimal cut-sets (MCS) listed in Table 2 are found.

It is supposed that two experts supply the interval-valued input data for the parameters u and PFD or Q with a belief mass, suggested by the analyst, here fixed to 0.9. The input data are here simulated so that they match those reported in databases of similar industrial contexts, and are summarized in Table 3. Table 4

Table 4
Aggregated opinions of initiator events.

Basic event  Aggregated opinion  LB         UB         m
BE1          AO1                 3.000E-02  3.500E-02  9.000E-01
BE1          AO2                 3.000E-02  4.000E-02  9.000E-02
BE1          AO3                 0.000E00   ∞          1.000E-02
BE2          AO1                 1.000E-01  1.500E-01  9.000E-01
BE2          AO2                 1.000E-01  2.000E-01  9.000E-02
BE2          AO3                 0.000E00   ∞          1.000E-02
BE3          AO1                 1.500E-01  2.000E-01  9.000E-01
BE3          AO2                 1.000E-01  2.000E-01  9.000E-02
BE3          AO3                 0.000E00   ∞          1.000E-02

Table 5
Aggregated opinions of enabler events.

Basic event  Aggregated opinion  LB       UB       m
BE4          AO1                 2.0E-01  3.0E-01  4.737E-01
BE4          AO2                 3.5E-01  4.0E-01  4.737E-01
BE4          AO3                 0.0E00   1.0E00   5.263E-02
BE5          AO1                 2.0E-03  2.5E-03  8.1E-01
BE5          AO2                 1.0E-03  2.5E-03  9.0E-02
BE5          AO3                 2.0E-03  3.0E-03  9.0E-02
BE5          AO4                 0.0E00   1.0E00   1.0E-02
BE6          AO1                 1.5E-03  2.0E-03  8.1E-01
BE6          AO2                 1.5E-03  2.5E-03  9.0E-02
BE6          AO3                 1.0E-03  2.0E-03  9.0E-02
BE6          AO4                 0.0E00   1.0E00   1.0E-02