Risk Analysis, Vol. 31, No. 1, 2011 DOI: 10.1111/j.1539-6924.2010.01475.x
Fault and Event Tree Analyses for Process Systems Risk Analysis: Uncertainty Handling Formulations
Refaul Ferdous,1 Faisal Khan,1,∗ Rehan Sadiq,2 Paul Amyotte,3 and Brian Veitch1
Quantitative risk analysis (QRA) is a systematic approach for evaluating likelihood, conse- quences, and risk of adverse events. QRA based on event (ETA) and fault tree analyses (FTA) employs two basic assumptions. The first assumption is related to likelihood values of input events, and the second assumption is regarding interdependence among the events (for ETA) or basic events (for FTA). Traditionally, FTA and ETA both use crisp probabilities; however, to deal with uncertainties, the probability distributions of input event likelihoods are assumed. These probability distributions are often hard to come by and even if avail- able, they are subject to incompleteness (partial ignorance) and imprecision. Furthermore, both FTA and ETA assume that events (or basic events) are independent. In practice, these two assumptions are often unrealistic. This article focuses on handling uncertainty in a QRA framework of a process system. Fuzzy set theory and evidence theory are used to describe the uncertainties in the input event likelihoods. A method based on a dependency coeffi- cient is used to express interdependencies of events (or basic events) in ETA and FTA. To demonstrate the approach, two case studies are discussed.
KEY WORDS: Event tree analysis (ETA); fault tree analysis (FTA); interdependence; likelihoods; quantitative risk analysis (QRA); uncertainty
SYMBOLS Cd Dependency coefficient N Number of samples m(pi)/m(ci) Belief mass Pi Probability of events (i = 1, 2, ..., n) m − 1ton numbers of experts’ knowl- 1 n P˜ Fuzzy probability edge i λ Frequency n Number of events/basic events i P˜ α TFN with a α-cut Subscript (L) Minimum (left) value of a TFN P “OR” gate operation Subscript (m) Most likely value of a TFN OR P “AND” gate operation Subscript (U) Maximum (right) value of a TFN AND μ Membership function α Membership function at a specific
1 level Faculty of Engineering and Applied Science, Memorial Univer- sity, St. John’s, NL, Canada. Frame of discernment (FOD) 2Okanagan School of Engineering, University of British Null set Columbia, Kelowna, BC, Canada. ∩ Symbol for intersection 3 Department of Process Engineering and Applied Science, Dal- ⊆ Symbol for subsets housie University, Halifax, NS, Canada. ∗Address correspondence to Faisal Khan, Faculty of Engineering Bel,Pl Belief, plausibility & Applied Science, Memorial University, St. John’s, NL, Canada bpa Basic probability assignment A1B 3X5; tel: 709 737 8939; fax: 709 737 4042; fi[email protected].
86 0272-4332/11/0100-0086$22.00/1 C 2010 Society for Risk Analysis Fault and Event Tree Analyses for Process Systems Risk Analysis 87
ABBREVIATIONS place of the term “accident” in the analyses of fault trees and event trees for QRA.(2) ETA is a technique E Events used to describe the consequences of an event (initi- HHigh ating event) and estimate the likelihoods (frequency) I Independent of possible outcomes of the event. FTA represents P Perfectly dependent basic causes of occurrence of an unwanted event and LLow estimates the likelihood (probability) as well as the BE Basic events contribution of different causes leading to the un- MH Moderately high wanted event. In FTA, the basic causes are termed ML Moderately low basic events, and the unwanted event is called the top RH Rather high − event.(3 6) Kumamoto and Henley(7) provide a de- S Strong tailed description of fault tree development and anal- VH Very high ysis for a process system. VL Very low In the event tree, the unwanted event is named as VS Very strong an initiating event, and the follow-up consequences VW Very weak are termed as events or safety barriers.(8) The ETA DS Dempster & Shafer represents the dichotomous conditions (e.g., success/ W Weak failure, true/false, or yes/no) of the initiating event T, F True/false probability until the subsequent events lead to the final out- ETA Event tree analysis − come events.(8 10) AIChE(8) and Lees(11) provide a FTA Fault tree analysis detailed procedure for constructing and analyzing PDF Probability density function the ETA for a process system. MCS Monte Carlo simulation Event and fault trees help to conduct the QRA TFN Triangular fuzzy number for process systems based on two major assump- tions.(2) First, the likelihood of events or basic events 1. INTRODUCTION is assumed to be exact and precisely known, which Process systems in chemical engineering are in- is not very often true due to inherent uncertainties famous for fugitive emissions, toxic releases, fire and in data collection and defining the relationships of explosions, and operation disruptions. These inci- events or basic events.(10,12) Moreover, because of dents have considerable potential to cause an acci- variant failure modes, design faults, and poor under- dent and incur environmental and property damage, standing of failure mechanisms, as well as the vague- economic loss, sickness, injury, or death of work- ness of system phenomena, it is often difficult to pre- ers in the vicinity. Quantitative risk analysis (QRA) dict the acquired probability of basic events/events is a systematic approach that integrates quantita- precisely.(13) Second, the interdependencies of events tive information about an incident and provides de- or basic events in an event tree or fault tree are tailed analysis that helps to minimize the likelihood assumed to be independent, which is often an inaccu- of occurrence and reduces its adverse consequences. rate assumption.(14) These two assumptions indeed QRA for process systems is a difficult task as the misrepresent the actual process system behaviors failures of components and the consequences of an and impart two different types of the uncertainty, incident are randomly varied from process to pro- namely, data uncertainty and dependency uncertainty, cess. Furthermore, for a process system compris- while performing the QRA using FTA and ETA. ing thousands of components and steps, it is dif- In an attempt to circumvent the data uncertainty in ficult to acquire the quantitative information for risk analysis, a number of research works(1,10,13,15−23) all components.(1) Finally, the interdependencies of have been developed to facilitate the accommoda- various components are not known and are gener- tion of expert judgment/knowledge in quantification ally assumed to be independent for the purpose of of the likelihood of the basic events/events for QRA. simplicity. Sadiq et al.,(12) Ferson et al.,(14) and Li(24) proposed Event tree analysis (ETA) and fault tree analysis methods to describe the dependency uncertainty (FTA) are two distinct methods for QRA that de- among the basic events/events. velop a logical relationship among the events leading Fuzzy-based and evidence-theory-based formu- to an accident and estimate the risk associated with lations have been proposed and developed to ad- the accident. The term “event” is frequently used in dress data and dependency uncertainties in FTA and 88 Ferdous et al.
ETA. The interdependencies among the events (or ministic and probabilistic approaches in QRA for the basic events) are described by incorporating a de- process system. The event and fault trees for these pendency coefficient into the fuzzy- and evidence- two examples were earlier studied, respectively, in theory-based formulations for FTA/ETA. Expert Lees(11) and Skelton.(26) The deterministic approach judgment/knowledge can be used to quantify the provides a quick analysis if the probabilities are unknown or partially known likelihood and depen- known accurately.(10) Based on assigned probabili- dency coefficient of the events (or basic events). ties (Fig. 1 and Table II), the frequency of outcome events for “liquefied petroleum gas (LPG) release event tree” and the probability of top event for “run- 2. FTA AND ETA IN PROCESS SYSTEMS away reaction fault tree” are calculated as crisp val- The traditional fault and event trees can be an- ues (Table III). In the probabilistic approach, trian- alyzed either deterministically or probabilistically. gular PDFs are assumed to perform MCS (N = 5,000 The deterministic approach uses the crisp probability iterations) and the PDFs for the outcome events’ fre- of events (or basic events) and determines the prob- quency and the top event probability are determined ability of the top event and the frequency of outcome based on this assumption. The 90% confidence inter- events in the fault and event trees, respectively. The vals for the outcome events of the “LPG event tree” probabilistic approach treats the crisp probability as and top event of “runaway reaction fault tree” are a random variable and describes uncertainty using summarized in Table IV and Fig. 3, respectively. probability density functions (PDF).(10,20,23) Tradi- tionally, the probabilistic approach uses Monte Carlo 3. UNCERTAINTY IN FTA AND ETA simulation (MCS) to address the random uncertainty in the inputs (i.e., probability of basic events or FTA and ETA require probability data of events events) and propagate the uncertainty for the out- (or basic events) as inputs to conduct a compre- puts.(25) The PDFs for the inputs can be derived hensive QRA for a process system. Since most of from historical information, but are often rare, espe- the time the crisp data as well as PDFs are rarely cially when the process system comprises thousands available for all events and basic events, experts’ of components.(18) judgment/knowledge are often employed as an al- With an assumption that the events (or basic ternative to the objective data.(13) Two types of un- events) are independent, deterministic and proba- certainties, namely, aleatory and epistemic uncertain- bilistic approaches use the equations in Table I to ties, are usually addressed while using the expert’s (10,27,28) analyze the fault and event trees. Pi denotes the knowledge in QRA. Aleatory uncertainty is a probability of ith (i = 1, 2, 3, ..., n) events (or natural variation, randomness, or heterogeneity of a basic events), POR and PAND, respectively, denote physical system. It can be well described using prob- the “OR” and “AND” gate operations, and λi de- abilistic methods if enough experimental data are notes the frequency for the initiating event and the available to support the analysis.(29) Epistemic un- outcome events. certainty means ambiguity and vagueness, ignorance, Two examples—an event tree for “LPG release” knowledge deficiency, or imprecision in system (Fig. 1) and a fault tree for “runaway reaction” behaviors. (Fig. 2)—are considered to illustrate the use of deter- In QRA, it is important to characterize, repre- sent, and propagate the uncertainty accurately in or- der to get a reliable analysis. However, when the Table I. Equations Used in Traditional Fault Tree Analyses and input PDFs are “reasonably known,” MCS can be Event Tree Analyses used to estimate and propagate the uncertainties, QRA Method Equation especially two dimensional MCS, which can effec- tively deal with both aleatory and epistemic uncertain- n ties (not discussed here).(30) If knowledge is limited ETA λi = λ × Pi i=1 for definition of the PDFs, probabilistic approaches n might not be the best choice to handle the uncer- = − − FTA POR 1 (1 Pi ) tainty in QRA.(31) In addition, the independence as- i=1 n sumption of events (or basic events) might be conve- = PAND Pi nient to simplify the FTA or ETA; however, it is not i=1 always true for all cases.(14) This assumption in fact is Fault and Event Tree Analyses for Process Systems Risk Analysis 89
Large LPG Ignition Explosion Wind to DAP Delayed explosion Outcomes release (IE) (E1) (E2) (E3) at DAP (E4)
P2=0.1 Vapor cloud P5 A (Independent of wind direction) P1=0.9
P6 B Fireball Fig. 1. Event tree for LPG release. λ=0.68×10-4 (1-P2)=0.9 Events/Yr P4=0.9 Vapor cloud P7 C (Dependent on
P3=0.4 wind direction)
LPG vapor P8 D (1-P4)=0.1 (From DAP source) (1-P1)=0.1
LPG vapor P9 E (1-P3)=0.6 (From release point)
Runaway reaction (N-4)
G1
Cooling failure Protective system (N-3) inoperative (N-2)
G Fig. 2. Fault tree for runaway reaction in 2 G3 a reactor.
BE1 BE2 BE3 Trips fail (N-1) BE6
G4
BE4 BE5
Table II. Basic Events Causing the Runaway Reaction adding other kind of uncertainty, that is, the depen- dency uncertainty, during the analyses. Vesely et al.(3) Probability of show several cases of FTA where the independent Symbol Basic-Event Basic Event assumptions of basic events are not valid.
BE1 Pump fails 0.2 Fuzzy set and evidence theories have recently . BE2 Line block 0 01 been used in many engineering applications where . BE3 No cooling water 0 1 expert knowledge is employed as an alternative to BE Low coolant flow 0.01 4 crisp data or PDFs.(12,23,28,29,32) Fuzzy set theory BE5 High temp 0.01 BE6 Dump valve fails 0.001 is used to address the subjectivity in expert judg- ment, whereas the evidence theory is more promptly 90 Ferdous et al.
Table III. Deterministic Results for Fault Tree Analyses and Event Tree Analyses
LPG release event tree Frequency of outcome events (Events/Yr) A B C D E 6.1E-06 5.5E-05 2.4E-06 2.7E-07 4.1E-06
Runaway reaction fault tree Probability of top event PTop = 3.16E-04
Table IV. Frequency Determination of Outcome Events Using In this article, the probabilities of events (or basic Monte Carlo Simulation events) and their dependency coefficients are treated 90% Confidence Interval as fuzzy numbers or basic probability assignments (bpas), which are derived through expert knowl- Outcome Lower Bound Upper Bound Median edge. Fuzzy set and evidence theories along with de- Events (5th Percentile) (95th Percentile) (50th Percentile) pendency coefficients, are used to explore the data A 1.958E-06 1.024E-05 6.100E-06 and dependency uncertainty in ETA/FTA. The fuzzy B 4.935E-05 6.090E-05 5.512E-05 numbers in fuzzy set theory describe linguistic and C 7.353E-07 4.151E-06 2.443E-06 subjective uncertainty while bpas in evidence theory D 3.057E-10 5.467E-07 2.736E-07 are used to handle ignorance, incompleteness, and in- E 1.300E-06 6.850E-06 4.080E-06 consistency in expert knowledge. A generic frame- work is shown in Fig. 4 illustrating the use of fuzzy set theory and evidence theory to handle two differ- ent kinds of uncertainties in FTA and ETA. The fol- employed in handling the uncertainty that arises due lowing sections describe the fuzzy set theory and the to ignorance, conflict, and incomplete information. evidence theory with respect to handling uncertain- In addition, to describe the dependency uncertainty ties. among the basic events in FTA, Ferson et al.(14) de- scribed the Frank copula and Frechet’s limit. For known dependency, the Pearson correlation in the 4. FUZZY SET THEORY Frank copula describes the full range of depen- dencies; that is, from perfect dependence to oppo- Zadeh(33) introduced fuzzy sets, which have re- site dependence.(12) Li(24) proposed a dependency cently been applied where probability theory alone factor-based fuzzy approach to address the depen- was found insufficient to represent all types of un- dencies in performing risk analysis. Li(24) uses fuzzy certainties. Fuzzy set theory is flexible in describing numbers to define the dependency factor among linguistic terms as fuzzy sets, hedges, predicates, and basic events. quantifiers.(34) Fuzzy set theory is an extension of
1.0 0.95 Mean 0.0001366 0.8 StDev 0.00005728 N 5000
0.6
0.5 Fig. 3. 90% confidence interval for top
Probability 0.4 event probability.
0.2
0.05 0.0
0.0000 0.0000424 0.0001 0.0001306 0.00020.0002309 0.0003 Top event probability Fault and Event Tree Analyses for Process Systems Risk Analysis 91
Identification Initiating event, precursor events for event tree and the top event, basic events for the fault tree
Fault tree development Event tree development Develop failure logic Develop the consequence of initiating event Use “AND” and “OR” gates Use Success/Failure or True/False condition Proceed down to basic events Propagate the event’s consequence to the outcome events
Uncertainty analysis in FTA or ETA Uncertainty categorization to clarify the events’ or basic events’ probability
Uncertainty handling in Quantitative Analysis FTA and ETA Subjective knowledge Incomplete expert knowledge • Linguistic uncertainty • Incomplete information • Subjective uncertainty • Expert’s ignorance & conflicts
Fuzzy-based approach Evidential-based approach • Defining the occurrence probability and the • Define the frame of discernment interdependencies of event/ basic events with • Assign bpas to define the occurrence probability fuzzy number and interdependencies of events/ basic events • Determining the fuzzy numbers of the • Knowledge aggregation to clarify the occurrence and outcome events and the top event interdependencies of events/ basic events • Defuzzifying the outcome events’ frequency • Belief and bet estimate fo r the outcome events and and the top event’s probability the top event
Quantitative evaluation Estimates the likelihood of the output parameters for FTA and ETA (i.e., outcome events and top-event)
Fig. 4. Framework for fault tree analyses and event tree analyses under uncertainty. traditional set theory, which represents imprecise convex). Generally, triangular or trapezoidal fuzzy values as fuzzy numbers and characterizes the un- numbers (TFN or ZFN) are used for representing lin- certainty using a continuous membership function guistic variables.(18,21,35,36) In this study, we used tri- (μ). angular fuzzy numbers (TFN) in which the fuzzy in- tervals are derived using α-cuts. Fig. 5 shows a TFN in which fuzzy intervals are estimated using Equation 4.1. Fundamentals (1). The values pL, pm, and pR below represent the minimum, most likely, and maximum values, respec- Fuzzy numbers are used to describe the vague- tively, in an interval P˜ α: ness and subjectivity in expert judgment through a relationship between the uncertain quantity p (e.g., P˜ α = [pL + α(pm − pL), pR − α(pR − pm)]. (1) event or basic event probability) and a member- ship function μ that may range between 0 and 1. Fuzzy set theory uses the fuzzy arithmetic opera- Any shape of a fuzzy number is possible, but the tions based on α-cut formulation to manipulate fuzzy selected shape should be justified by available in- numbers.(24,37,38) Traditional fuzzy arithmetic oper- formation (but it should be normal, bounded, and ations assume that the events (or basic events) are 92 Ferdous et al.
1 4.2.1. Definition of Input Probability and Dependency Coefficient Using TFN 0.8 Experts are more comfortable using linguistic ex- μ 0.6 P α-cut level pression rather than numerical judgment when they 0.4 are asked to define an uncertain quantity like the 0.2 probability of occurrence of events (or basic events) and dependency coefficients.(28) In order to capture 0 these linguistic expressions, eight linguistic grades 01p p p 0.55 0.35 L m R are defined in the proposed approach (Fig. 6). They TFN of events probability include: Very Highly (VH), Very Low (VL), Moder- ately High (MH), Moderately Low (ML), Low (L), Fig. 5. Triangular fuzzy numberto represent the probability of events (or basic events). Moderate (M), High (H), and Rather High (RH). These grades can be used to assign the probability of events (or basic events) for ETA (or FTA). As mentioned earlier, the traditional methods of independent and use equations in Table V for FTA − , , FTA and ETA assume that the events in an event and ETA.(15 21 23 37) tree and the basic events in a fault tree are indepen- dent. However, in practice, the interdependencies 4.2. Fuzzy-Based Approach for FTA/ETA among the events (or basic events) could be ranged from perfectly dependent to oppositely dependent.A In the proposed fuzzy-based approach, the prob- scalar quantity ∈ [+1, −1] may describe the depen- ability of events (or basic events) can be defined dency between two events, where the scalar quantity linguistically and described using TFN. The interde- +1 refers to perfect dependence and −1 refers to op- pendence of events (or basic events) is defined lin- posite dependence.(14) More specifically, the positive early using a dependency coefficient (Cd) that can dependence belongs to an interval [0, +1], whereas also be described using a TFN. Fuzzy probability the negative dependence belongs to an interval [−1, and dependency coefficients are used to determine 0]. However, various levels of dependency are pos- the probability of top event and the frequency of sible in between the events (or basic events). This outcome events in fuzzy terms. The fuzzy-based ap- work explores only the positive dependence of events proach comprises the following three steps: (or basic events) at each node in FTA (or ETA). Six linguistic grades are used in this study to describe (1) Definition of input probability and depen- the different levels of interdependencies among the dency coefficient using TFN. events and basic events, which include: Perfectly De- (2) Determination of likelihood of outcome pendent (P), Very Strong (VS), Strong (S), Weak events (ETA) and top event (FTA) as a TFN. (W), Very Weak (VW), and Independent (I). The left (3) Defuzzification. bound (CdL) and the right bound (CdR) in Table VI
Method Operation α-Cut Formulation