
Event Trees

Material taken from Crowl and Louvar, Chemical Process Safety Principles, 2nd edition, Prentice Hall, Upper Saddle River, NJ, 2002
Influence of Preventative Maintenance on Unavailability
From Chemical Process Safety, Third Edition, by Daniel A. Crowl and Joseph F. Louvar (ISBN: 0131382268)

Figure 12-3 Computations for various types of component linkages.

Copyright 2011 Pearson Education, Inc. All rights reserved.


Start with the Initiating Event and work towards the Consequence

Steps:
1. Identify initiating event
2. Identify safety functions
3. Construct event tree
4. Describe resulting sequences

Reactor example: Assign Failure Rates

Alarm works 99/100 times: U = 0.01
Operator notices excursion without alarm 3/4 times: U = 0.25
Operator restarts cooling 3/4 times: U = 0.25
Operator shuts down system 9/10 times: U = 0.1
Assume 1 loss of cooling per year.

Unavailability (U) is the probability that the component or process is found not functioning.
Computational Sequence

Consider a safety function with 0.01 failures/demand.

Initiating event: 0.5 occurrences/year
Success of safety function: 0.5 - 0.005 = 0.495 occurrences/year
Failure of safety function: 0.5 * 0.01 = 0.005 occurrences/year

[Event tree diagram: each safety function branches into Success and Fail]
Resulting Accident Event Sequences

Shut down successfully: 0.225 times/year
Continue operation: 0.75 times/year
Runaway reaction: 0.025 times/year (every 40 years)
This is considered unacceptable.
My Solution

Shutdown: 0.2244
  Alarm alerts operator: 0.2227
  Operator notices without alarm: 0.001688
Runaway: 0.0274 (1/36 years)
  Alarm alerts operator: 0.02475
  Operator notices without alarm: 0.0001875
  Operator fails to notice: 0.0025
Continue operation: 0.7482

[Revised reactor event tree diagram; branch values shown: 0.002475 and 0.000025]
Revised Accident Event Sequences

Shut down successfully: 0.2475 times/year
Continue operation: 0.75225 times/year
Runaway reaction: 0.00025 times/year (every 4,000 years)
This is a big improvement.
My Solution

Shutdown: 0.2516
  Alarm alerts operator / manual: 0.2450
  Operator notices without alarm / manual: 0.001856
  Automatic shutdown: 0.004772
Runaway: 0.000274 (1/3,644 years)
  Alarm alerts operator: 0.0002475
  Operator notices without alarm: 0.000001875
  Operator fails to notice: 0.000025
Continue operation: 0.7481
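As an added worked example (not code from the slides or from Crowl and Louvar), the following Python evaluates the loss-of-cooling event tree with the unavailabilities given above: 1 loss of cooling per year, alarm U = 0.01, operator notices without alarm U = 0.25, operator restarts cooling U = 0.25, operator shuts down U = 0.1. It reproduces the sequence totals of the original tree (shutdown 0.2244, runaway 0.0274, continue 0.7481) and, with an automatic shutdown of PFD 0.01 added, the revised totals (shutdown 0.2516, runaway 0.000274). The placement of the automatic shutdown as the last barrier on every path that would otherwise end in a runaway is an assumption; the slides give the totals but not the tree layout, so the sub-branch split differs from the slide while the totals match. The evaluator itself is generic: any tree of safety functions with failure-on-demand probabilities can be walked the same way.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Added example (not from the slides or the textbook): a small event-tree
# evaluator for the loss-of-cooling reactor scenario on this page.
# Each safety function has an unavailability U (probability it fails on
# demand); the success branch is followed with probability 1-U and the
# failure branch with probability U until an outcome label is reached.

Outcome = str


@dataclass
class SafetyFunction:
    name: str
    unavailability: float
    success: Union["SafetyFunction", Outcome]
    failure: Union["SafetyFunction", Outcome]


def evaluate(root: Union[SafetyFunction, Outcome], initiating_frequency: float
             ) -> Tuple[Dict[str, float], List[Tuple[str, str, float]]]:
    """Return (outcome -> frequency per year, list of (path, outcome, frequency))."""
    outcomes: Dict[str, float] = {}
    paths: List[Tuple[str, str, float]] = []

    def walk(node, freq, trail):
        if isinstance(node, str):              # leaf: an accident event sequence
            outcomes[node] = outcomes.get(node, 0.0) + freq
            paths.append((" > ".join(trail), node, freq))
            return
        u = node.unavailability
        walk(node.success, freq * (1.0 - u), trail + [f"{node.name} ok"])
        walk(node.failure, freq * u, trail + [f"{node.name} FAILS"])

    walk(root, initiating_frequency, [])
    return outcomes, paths


def build_reactor_tree(auto_shutdown_pfd=None) -> SafetyFunction:
    """Tree from the slides: alarm (U=0.01), operator notices without alarm
    (U=0.25), operator restarts cooling (U=0.25), operator shuts down (U=0.1).
    If auto_shutdown_pfd is given, an automatic high-temperature shutdown is
    placed as the last barrier on every path that would otherwise end in a
    runaway (assumed placement; the slides do not fix it)."""
    def runaway_barrier():
        if auto_shutdown_pfd is None:
            return "runaway"
        return SafetyFunction("automatic shutdown", auto_shutdown_pfd, "shutdown", "runaway")

    def manual_shutdown():
        return SafetyFunction("operator shuts down", 0.1, "shutdown", runaway_barrier())

    def restart_cooling():
        return SafetyFunction("operator restarts cooling", 0.25, "continue", manual_shutdown())

    return SafetyFunction(
        "alarm", 0.01,
        restart_cooling(),
        SafetyFunction("operator notices without alarm", 0.25, restart_cooling(), runaway_barrier()),
    )


def years_between(frequency_per_year: float) -> float:
    """Mean interval between occurrences of an outcome."""
    return 1.0 / frequency_per_year


if __name__ == "__main__":
    for label, pfd in (("original tree", None), ("with automatic shutdown, PFD 0.01", 0.01)):
        outcomes, paths = evaluate(build_reactor_tree(pfd), initiating_frequency=1.0)
        print(f"== {label} ==")
        for trail, outcome, freq in paths:
            print(f"  {freq:.9f}/yr  {outcome:9s} via {trail}")
        for outcome, freq in sorted(outcomes.items()):
            print(f"  {outcome:9s} {freq:.6f}/yr")
        print(f"  runaway once every {years_between(outcomes['runaway']):,.0f} years")
```

Running the block prints every path with its frequency, which is the "describe resulting sequences" step done by hand on the slide; the sum of all outcome frequencies must equal the initiating-event frequency, a quick check that no branch has been dropped or double counted.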
Event and Fault Trees

Event tree: start with the initiating event and work towards consequences.
Fault tree: start with the consequence and work towards initiating events.
QRA: Quantitative Risk Analysis

1. Define potential event sequences and incidents
2. Evaluate incident consequences (e.g., using source, dispersion, fire/explosion models)
3. Estimate event frequencies (using event and fault trees)
4. Estimate event impacts on people, environment, property
5. Estimate risk

[Risk plot: Consequence versus Frequency, with Acceptable and Not Acceptable regions]
LOPA: Layer of Protection Analysis
Visualizing LOPA: Swiss Cheese Model

Courtesy BP, 2010


Major Steps for LOPA
1. Identify single consequence
2. Identify accident scenario and cause (single cause-consequence pair)
3. Identify initiating event and estimate initiating event frequency
4. Identify available Independent Protection Layers (IPL) and estimate Probability of Failure on Demand (PFD) for each
5. Estimate mitigated consequence frequency
6. Plot consequence as a function of frequency to estimate risk
7. Evaluate acceptability of risk
Different Approaches

Semi-quantitative without reference to human harm
Qualitative with reference to human harm
Semi-quantitative with reference to human harm
Frequency

1. Determine frequency of initiating event
2. Adjust to account for demand (how often the unit is used) and the preventative maintenance schedule
3. Adjust to account for the Probability of Failure on Demand (PFD) of the Independent Protection Layers (IPL)
Classification of IPL (Independent Protection Layer)

1. IPL is effective in preventing the consequence:
   a. Detect or sense the initiating event
   b. Decide to take action or not
   c. Deflect or eliminate the consequence
2. IPL is independent of the initiating event and other IPLs
3. IPL is auditable (capable of validation)

Probability of Failure on Demand

Safety Instrumented Functions (emergency shutdown systems)

Safety Integrity Levels (SILs)
SIL1 (PFD = 10^-1 to 10^-2): single sensor, logic solver, final control element. Requires periodic proof testing.
SIL2 (PFD = 10^-2 to 10^-3): fully redundant sensor, logic solver, final control element. Requires periodic proof testing.
SIL3 (PFD = 10^-3 to 10^-4): fully redundant sensor, logic solver, final control element. Requires careful design and frequent validation steps to achieve low PFD.
Application

For scenario $i$ with initiating-event frequency $f_i^I$ and independent protection layers $j$ with probabilities of failure on demand $\mathrm{PFD}_{i,j}$, the mitigated consequence frequency is

$$ f_i^C = f_i^I \prod_j \mathrm{PFD}_{i,j} $$

If multiple scenarios lead to the same consequence:

$$ f^C = \sum_i f_i^C $$
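As an added example (not code from the slides), the following Python carries the two LOPA formulas through for a constructed pair of scenarios: the mitigated frequency of each scenario as the initiating-event frequency times the product of its IPL PFDs, and the consequence frequency as the sum over scenarios. It also folds in the Frequency steps above: a demand adjustment, modelled here simply as a multiplying fraction (an assumed form; the slides only say to adjust for how often the unit is used), a check that IPL names are distinct as a minimal proxy for the independence requirement in the IPL classification, and a lookup of the SIL band a required PFD falls into, using the bands listed on the page with the lower bound inclusive and the upper bound exclusive (an assumed convention). The scenario names, IPLs and PFD values are constructed for illustration; the 1 loss of cooling per year is the page's own figure.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not from the slides): LOPA frequency arithmetic
#   f_i^C = f_i^I * prod_j PFD_{i,j}      (one scenario)
#   f^C   = sum_i f_i^C                   (all scenarios sharing a consequence)
# plus a SIL band lookup from the PFD ranges listed on the page.


@dataclass
class IPL:
    name: str
    pfd: float                      # probability of failure on demand, 0 < pfd < 1


@dataclass
class Scenario:
    name: str
    initiating_frequency: float     # f_i^I, events per year
    ipls: List[IPL] = field(default_factory=list)
    demand_fraction: float = 1.0    # assumed form of the "adjust for demand" step:
                                    # fraction of time the hazardous condition can arise


def mitigated_frequency(scenario: Scenario) -> float:
    """f_i^C = f_i^I * demand_fraction * prod_j PFD_{i,j}.

    The product form is only valid for independent layers; duplicate IPL
    names are rejected as the simplest guard against counting one layer twice."""
    names = [ipl.name for ipl in scenario.ipls]
    if len(set(names)) != len(names):
        raise ValueError(f"{scenario.name}: IPLs must be independent (duplicate name)")
    for ipl in scenario.ipls:
        if not 0.0 < ipl.pfd < 1.0:
            raise ValueError(f"{ipl.name}: PFD must lie strictly between 0 and 1")
    f = scenario.initiating_frequency * scenario.demand_fraction
    for ipl in scenario.ipls:
        f *= ipl.pfd
    return f


def consequence_frequency(scenarios: List[Scenario]) -> float:
    """f^C = sum_i f_i^C over scenarios that lead to the same consequence."""
    return sum(mitigated_frequency(s) for s in scenarios)


def required_additional_pfd(scenario: Scenario, target_frequency: float) -> Optional[float]:
    """PFD one more IPL would need so that f_i^C <= target; None if already met."""
    current = mitigated_frequency(scenario)
    if current <= target_frequency:
        return None
    return target_frequency / current


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band from the page's table. Lower bound inclusive, upper bound
    exclusive is an assumed convention; outside SIL1-SIL3 returns None."""
    if 1e-2 <= pfd < 1e-1:
        return 1
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-4 <= pfd < 1e-3:
        return 3
    return None


if __name__ == "__main__":
    # Constructed scenarios sharing one consequence (runaway reaction).
    loss_of_cooling = Scenario("loss of cooling", 1.0,
                               [IPL("alarm + operator response", 0.1),
                                IPL("SIL2 high-temperature trip", 0.005)])
    feed_overcharge = Scenario("feed overcharge", 0.5,
                               [IPL("alarm + operator response", 0.1),
                                IPL("independent relief", 0.01)],
                               demand_fraction=1.0)
    for s in (loss_of_cooling, feed_overcharge):
        print(f"{s.name}: f_i^C = {mitigated_frequency(s):.2e}/yr")
    print(f"total f^C = {consequence_frequency([loss_of_cooling, feed_overcharge]):.2e}/yr")

    # What would a further layer need to achieve a (constructed) target of 2e-4/yr
    # for a scenario protected only by the alarm + operator layer?
    alarm_only = Scenario("loss of cooling, alarm only", 1.0,
                          [IPL("alarm + operator response", 0.1)])
    need = required_additional_pfd(alarm_only, 2e-4)
    print(f"additional IPL needs PFD <= {need:.1e}, i.e. SIL{sil_for_pfd(need)}")
```

The `required_additional_pfd` step is the part of the procedure that turns the frequency arithmetic into a design decision: it says how much more risk reduction a new layer must provide, and the SIL lookup then says what class of safety instrumented function that implies.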
Typical LOPA

2-5% of significant issues identified in Process Hazard Analysis
Major consequences, Category 4 or 5 and/or accidents with fatalities
Guided by historical precedent and by startups and shutdowns
70% of accidents are associated with startups and shutdowns
Benefits of LOPA

Focuses attention on major issues
Eliminates unnecessary safeguards
Establishes valid safeguards to improve Process Hazard Analysis
Requires fewer resources and is faster than Fault Tree Analysis or Quantitative Risk Analysis
Provides a basis for managing layers of protection
Concerns with LOPA

Does not account for the influence of decisions on the effectiveness of IPLs:
  Worker fatigue
  Reduced preventative maintenance
  Failure to replace non-functional safeguards
May give a false sense of security
Topics Covered and Not Covered
