
(a) Explain the methodology of HAZOP.

HAZOP is a team based assessment which involves the use of a multidisciplinary team of specialists. A team leader is selected to guide the team and ensure that each discipline can make its contribution. A typical team would include a safety specialist, engineering specialists and operational staff; other specialists could be utilised depending on the operation under assessment, for example building and services engineers. HAZOP guide words are key supporting elements in the execution of a HAZOP analysis: the identification of deviations from the design intent is achieved by a questioning process using predetermined guide words. The role of the guide word is to stimulate imaginative thinking, to focus the study and elicit ideas and discussion. In addition to guide words, other key terms used in HAZOP are study nodes, intention, deviations, causes and consequences:

Study nodes: the locations on the plant or services at which the process parameters are investigated for deviation from the design intent.
Intention: describes how the plant is designed to operate.
Deviation: the departures from the intention.
Cause: the reasons why deviations may occur.
Consequences: the results of the deviations.

Example - HAZOP guide words, meanings and applications:

Guide word | Meaning | Parameter | Deviation
No | Negation of the design intent | Flow | No flow
Less | Quantitative decrease | Temperature | Low temperature
Reverse | Logical opposite of the intent | Open | Close

The HAZOP analysis process is executed in four phases as illustrated below:

An example to illustrate the process could be the delivery of liquid propane to a fixed tank currently fitted with a pressure relief valve and a liquid level gauge. Table 3 indicates how HAZOP could be applied to this simple situation.

HAZOP is a powerful assessment tool detecting deviations through a methodical approach using specialists guided and aided by a formal system. Although formal, the approach encourages free thinking amongst the team members and the freedom to develop new guide words means that the approach can be used in all situations. The approach requires a team to be gathered and will fail if specialists with the appropriate skills and expertise are not available.

(b) Explain the methodology of FTA (Fault Tree Analysis)

The fault tree is a logic diagram based on the principle of multi-causality, which traces all branches of events which could contribute to an accident or failure. It uses sets of symbols, labels and identifiers, as shown below.

Logic symbol | Graphic representation | Description
OR gate | (symbol not reproduced here) | The output event occurs if at least one of the input events occurs.
AND gate | (symbol not reproduced here) | The output event occurs if all input events occur.
BASIC EVENT | (symbol not reproduced here) | A basic initiating fault (or failure event). It requires no further development into more basic faults or failures.
INTERMEDIATE EVENT | (symbol not reproduced here) | An event that is normally expected to occur resulting from the combination of more basic faults acting through logic gates.
UNDEVELOPED EVENT | (symbol not reproduced here) | An event not examined further because information is unavailable or because its consequence is insignificant.

The steps of a fault tree analysis: there are nine steps involved in implementing a fault tree analysis.

1. Identify the top event or incident
2. Decide on the level of resolution
3. Define the analysis boundary conditions
4. Define the system's physical boundaries
5. Define the system's initial conditions
6. Construct the fault tree
7. Determine the minimal fault tree
8. Rank the elements
9. Quantify the fault tree

A fault tree diagram is drawn from the top down. The starting point is the undesired event of interest (called the top event because it is placed at the top of the diagram). The immediate contributory fault conditions leading to that event are then logically worked out and drawn. Each of these may in turn be caused by other faults, and so on. In principle this could go on indefinitely, but in practice the development stops naturally once it reaches primary (basic) failures. The trickiest part of the whole exercise is working out the sequence of failure dependencies in the first place. Let's consider a simple example to illustrate the point.

The above figure shows a simple fault tree for a fire. For the fire to occur there needs to be fuel, oxygen and an ignition source. Notice that an AND gate is used here to connect them, because all three need to be present at the same time to allow the top event. The example shows that, in this scenario, there happen to be three possible sources of fuel and three possible sources of ignition. An OR situation applies in each case, because only one of these needs to be present. The example also shows a single source of oxygen (e.g. the atmosphere). In order to prevent the loss taking place, the diagram is examined for AND gates: the loss can be prevented if just one of the inputs to an AND gate is prevented.

As a pure illustration, the above simple fault tree diagram will be quantified to show the calculation steps.

Essentially:

- Add the probabilities which sit below an OR gate
- Multiply the probabilities which sit below an AND gate

So, in this example, combining probabilities upwards to the next level gives:

Probability of FUEL being present = 0.1 + 0.02 + 0.09 = 0.21
Probability of OXYGEN being present = 1
Probability of IGNITION being present = 0.2 + 0.05 + 0.1 = 0.35

Now showing the tree diagram with the calculation:

Now calculating the probability of the top event. These faults are below an AND gate, so we multiply the probabilities, giving 0.21 x 1 x 0.35 = 0.0735. The top of the fully quantified fault tree then looks like this:
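The quantification above and step 7 (determining the minimal fault tree) can both be worked through in code. The block below is an added example, not part of the original text: it builds the fire fault tree with the probabilities quoted above (the event names such as "fuel source 1" are assumed labels, since the text does not name the individual sources), combines probabilities upwards with the text's rule (add under OR, multiply under AND), and also lists the minimal cut sets, i.e. the smallest combinations of basic events that cause the top event. The `exact_or` option is an addition beyond the text: adding probabilities under an OR gate is the rare-event approximation, which overstates the result (and can exceed 1) when inputs are not small, so the exact form 1 - prod(1 - p) is shown alongside it.

```python
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Basic:
    """A basic (leaf) event with its probability of being present."""
    name: str
    prob: float


@dataclass
class Gate:
    """An AND or OR gate combining child events."""
    name: str
    kind: str                                   # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Basic, Gate]


def evaluate(node: Node, exact_or: bool = False) -> float:
    """Combine probabilities upwards through the tree.

    exact_or=False follows the rule in the text: add under OR, multiply under
    AND. Adding is the rare-event approximation; exact_or=True uses
    1 - prod(1 - p) for OR gates instead.
    """
    if isinstance(node, Basic):
        return node.prob
    probs = [evaluate(child, exact_or) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":
        if not exact_or:
            return sum(probs)
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal combinations of basic events that cause the top event (step 7).

    Each cut set is a frozenset of basic-event names; any candidate that
    contains another cut set is dropped because it is not minimal.
    """
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [s for sets in child_sets for s in sets]
    else:  # AND: every combination of one cut set from each input
        candidates = [frozenset()]
        for sets in child_sets:
            candidates = [a | b for a in candidates for b in sets]
    minimal: List[frozenset] = []
    for s in sorted(set(candidates), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


def fire_tree() -> Gate:
    """The fire example from the text; source names are assumed labels."""
    fuel = Gate("fuel", "OR", [Basic("fuel source 1", 0.1),
                               Basic("fuel source 2", 0.02),
                               Basic("fuel source 3", 0.09)])
    oxygen = Basic("oxygen (atmosphere)", 1.0)
    ignition = Gate("ignition", "OR", [Basic("ignition source 1", 0.2),
                                       Basic("ignition source 2", 0.05),
                                       Basic("ignition source 3", 0.1)])
    return Gate("fire", "AND", [fuel, oxygen, ignition])


if __name__ == "__main__":
    tree = fire_tree()
    for child in tree.inputs:
        print(f"{child.name}: {evaluate(child):.4f}")
    print(f"top event (text's rule): {evaluate(tree):.4f}")
    print(f"top event (exact OR):    {evaluate(tree, exact_or=True):.4f}")
    cut_sets = minimal_cut_sets(tree)
    print(f"{len(cut_sets)} minimal cut sets, e.g. {sorted(cut_sets[0])}")
```

Running it reproduces the figures above (fuel 0.21, ignition 0.35, top event 0.0735) and lists nine minimal cut sets of three events each, one fuel source, oxygen and one ignition source. Every cut set contains the oxygen event, which is the code's way of showing what the text says about examining AND gates: preventing any single input of the top AND gate defeats every cut set at once.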

(c) Explain the methodology of ETA (Event Tree Analysis)

Figure 1 shows an overview of the basic ETA process and summarizes the important relationships involved in it. The ETA process involves utilizing detailed design information to develop event tree diagrams (ETDs) for specific initiating events (IEs). In order to develop the ETD, the analyst must first have established the accident scenarios, IEs and pivotal events of interest. Once the ETD is constructed, failure frequency data can be applied to the failure events in the diagram. Usually the failure frequency data is derived from an FTA of the failure event. Since 1 = probability of success + probability of failure, the probability of success can be derived from the probability of failure calculation. The probability for a particular outcome is computed by multiplying the event probabilities along the path.

Table 1 lists and describes the basic steps of the ETA process, which involves performing a detailed analysis of all the design safety features involved in a chain of events that can result from the initiating event to the final outcome.

Figure 2 shows the event tree concept. The ETA is based on binary logic in which an event either has or has not happened, or a component has or has not failed. It is valuable in analyzing the consequences arising from a failure or undesired event. An ET begins with an IE, such as a component failure, an increase in temperature/pressure, or a release of a hazardous substance that can lead to an accident. The consequences of the event are followed through a series of possible paths. Each path is assigned a probability of occurrence, and the probability of the various possible outcomes can be calculated. The ETA begins with the identified IE listed at the left side of the diagram in Figure 2. All safety design methods or countermeasures are then listed at the top of the diagram as contributing events. Each safety design method is evaluated for the contributing event: (a) operates successfully and (b) fails to operate. The resulting diagram combines all of the various success/failure event combinations and fans out to the right in a sideways tree structure. Each success/failure event can be assigned a probability of occurrence, and the final outcome probability is the product of the event probabilities along a particular path. Note that the final outcomes can range from safe to catastrophic, depending upon the chain of events.

An example of ET structure with quantitative calculations is displayed in Figure 3. The ET model logically combines all of the system design safety countermeasure methods intended to prevent the IE from resulting in an incident/accident/failure/damage. A side effect of the analysis is that many different outcomes can be discovered and evaluated. The following diagram shows a quantified event tree for the action following a fire on a conveyor system.

The only outcome resulting in control of the event is where the sensor, valve and water spray all operate (the example is a little contrived but serves to demonstrate the principles). Notice how the frequencies of the outcomes are calculated. Notice also that the sum of all the outcome frequencies adds up to 2 in this case, i.e. the frequency of the initiating event (the conveyor belt fire). The event tree could be used to check that there were adequate fire detection, warning and extinguishing systems.
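The conveyor-fire event tree can be quantified in a few lines of code. The block below is an added example and not part of the original text; the initiating-event frequency of 2 is the value the text gives, but the success probabilities for the sensor, valve and water spray are constructed values chosen for illustration, since the text does not reproduce them. It fans the initiating event out through each pivotal event, multiplies the frequency along each path, and checks the property noted above: the outcome frequencies always sum back to the initiating-event frequency.

```python
from typing import Dict, List, Tuple

# Constructed example data (not values from the text): the conveyor fire with
# three sequential countermeasures and made-up probabilities of each working.
CONVEYOR_FIRE_FREQUENCY = 2.0           # initiating-event frequency, as in the text
PIVOTAL_EVENTS: List[Tuple[str, float]] = [
    ("fire sensor detects fire", 0.90),  # constructed success probability
    ("deluge valve opens", 0.80),        # constructed success probability
    ("water spray operates", 0.95),      # constructed success probability
]

Path = Tuple[Tuple[str, str], ...]       # ((event, "success"|"failure"), ...)


def enumerate_paths(ie_frequency: float,
                    events: List[Tuple[str, float]],
                    stop_on_failure: bool = True) -> List[Tuple[Path, float]]:
    """Fan the initiating event out through each pivotal event.

    Each event succeeds with probability p and fails with 1 - p (the text's
    1 = P(success) + P(failure)); a path's frequency is the initiating
    frequency multiplied along the path. With stop_on_failure=True a failure
    terminates the path, because in this example each countermeasure depends
    on the previous one (no valve actuation without detection). With False
    every success/failure combination is enumerated, as in the general
    sideways tree of Figure 2.
    """
    paths: List[Tuple[Path, float]] = []

    def walk(index: int, freq: float, history: list) -> None:
        if index == len(events):
            paths.append((tuple(history), freq))
            return
        name, p_success = events[index]
        walk(index + 1, freq * p_success, history + [(name, "success")])
        failed = history + [(name, "failure")]
        fail_freq = freq * (1.0 - p_success)
        if stop_on_failure:
            paths.append((tuple(failed), fail_freq))
        else:
            walk(index + 1, fail_freq, failed)

    walk(0, ie_frequency, [])
    return paths


def outcome(path: Path) -> str:
    """Only the all-success path controls the fire, as in the text."""
    controlled = all(result == "success" for _, result in path)
    return "fire controlled" if controlled else "fire not controlled"


def outcome_frequencies(ie_frequency: float,
                        events: List[Tuple[str, float]],
                        stop_on_failure: bool = True) -> Dict[str, float]:
    """Total frequency of each outcome; the totals sum to ie_frequency."""
    totals: Dict[str, float] = {}
    for path, freq in enumerate_paths(ie_frequency, events, stop_on_failure):
        totals[outcome(path)] = totals.get(outcome(path), 0.0) + freq
    return totals


if __name__ == "__main__":
    for path, freq in enumerate_paths(CONVEYOR_FIRE_FREQUENCY, PIVOTAL_EVENTS):
        steps = " -> ".join(f"{name}: {result}" for name, result in path)
        print(f"{freq:.3f}  {steps}  => {outcome(path)}")
    totals = outcome_frequencies(CONVEYOR_FIRE_FREQUENCY, PIVOTAL_EVENTS)
    print(totals, "sum =", round(sum(totals.values()), 6))
```

With the constructed probabilities the controlled outcome has frequency 2 x 0.9 x 0.8 x 0.95 = 1.368 and the three failure branches carry 0.2, 0.36 and 0.072, which sum with it to 2.0, the initiating-event frequency. Setting `stop_on_failure=False` produces all eight combinations instead of four; the controlled frequency is unchanged and the total still sums to 2, which is a useful sanity check on any quantified event tree.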

(d) Explain the methodology of FMEA (Failure Mode and Effect Analysis)

The basic steps for performing a Failure Mode and Effects Analysis (FMEA) include:

1. Assemble the team.
2. Establish the ground rules.
3. Gather and review relevant information.
4. Identify the item(s) or process(es) to be analyzed.
5. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for each item or process to be analyzed.
6. Evaluate the risk associated with the issues identified by the analysis.
7. Prioritize and assign corrective actions.
8. Perform corrective actions and re-evaluate risk.
9. Distribute, review and update the analysis as appropriate.

A typical failure modes and effects analysis incorporates some method to evaluate the risk associated with the potential problems identified through the analysis. In the FMEA context, the method is through Risk Priority Numbers. To use the Risk Priority Number (RPN) method to assess risk, the analysis team must:

1. Rate the severity of each effect of failure.
2. Rate the likelihood of occurrence for each cause of failure.
3. Rate the likelihood of prior detection for each cause of failure (i.e. the likelihood of detecting the problem before it reaches the end user or customer).
4. Calculate the RPN by obtaining the product of the three ratings: RPN = Severity x Occurrence x Detection

Rating | Description | Low number | High number
Severity | Severity ranking encompasses what is important to the industry, company or customers (e.g., safety standards, environment, legal, production continuity, scrap, loss of business, damaged reputation) | Low impact | High impact
Occurrence | Rank the probability of a failure occurring during the expected lifetime of the product or service | Not likely to occur | Inevitable
Detection | Rank the probability of the problem being detected and acted upon before it has happened | Very likely to be detected | Not likely to be detected

The RPN can then be used to compare issues within the analysis and to prioritize problems for corrective action. The sample shown in Figure 1 can be used as an example when learning how the FMEA works. The team in this case is analyzing the tire component of a car.

Figure 1: FMEA for Car Tire (one worksheet row, shown field by field)

Function or Process Step (what is the function, step or item being analyzed?): Tire function: support weight of car, traction, comfort
Potential Failure Mode (briefly outline what has gone wrong): Flat tire
Potential Impact (what is the impact on the key output variables or internal requirements?): Stops car journey, driver and passengers stranded
SEV (how severe is the effect to the customer?): 10
Potential Causes (what causes the key input to go wrong?): Puncture
OCC (how frequently is this likely to occur?): 2
Detection Mode (what are the existing controls that either prevent the failure from occurring or detect it should it occur?): Tire checks before journey. While driving, steering pulls to one side, excess noise
DET (how easy is it to detect?): 3
RPN (risk priority number): 60
Recommended Actions (what are the actions for reducing the occurrence of the cause or improving the detection?): Carry spare tire and appropriate tools to change tire
Responsibility (who is responsible for the recommended action?): Car owner
Target Date (what is the target date for the recommended action?): From immediate effect
Action Taken (what were the actions implemented?): Spare tire and appropriate tools permanently carried in trunk
SEV / OCC / DET / RPN after action (now recalculate the RPN to see if the action has reduced the risk): 4 / 2 / 3 / 24

In the FMEA in Figure 1, for example, a flat tire severely affects the customer driving the car (rating of 10), but has a low level of occurrence (2) and can be detected fairly easily (3). Therefore, the RPN for this failure mode is 10 x 2 x 3 = 60.

The Failure Modes and Effects Analysis (FMEA) procedure is a tool that has been adapted in many different ways for many different purposes. It can contribute to improved designs for products and processes, resulting in higher reliability, better quality, increased safety, enhanced customer satisfaction and reduced costs. The tool can also be used to establish and optimize maintenance plans for repairable systems and/or contribute to control plans and other quality assurance procedures. It provides a knowledge base of failure mode and corrective action information that can be used as a resource in future troubleshooting efforts and as a training tool for new engineers. In addition, an FMEA is often required to comply with safety and quality requirements, such as ISO 9001, QS 9000, ISO/TS 16949, Six Sigma, FDA Good Manufacturing Practices (GMPs), Process Safety Management Act (PSM), etc.
