Fault Tree Analysis for Fatality Prevention
Dr. Steven A. Lapp, President - Design Sciences, Inc.
Slides: 23

Organization
• Technology
• Current Uses
• Better Uses

Systems Safety Costs and Benefits
Goal: Control of Technical Safety and Reliability Undesirable Events
• What Can Happen?
• What Will We Accept?

What Can Happen?
• Safety: Explosions, Fires, Toxic Releases
• Reliability: Loss of Product, Poor Quality

What Will We Accept?
• Safety: Fatalities and Injuries, Equipment Loss, Business Interruption
  (acceptance set by you, OSHA, EPA, DOT, HSE, etc.)
• Reliability: Downtime, $/day

What Can Happen? What If?, FMEA, HAZOP
• Power Fails Low
• Power Fails High
• Instrument Air Fails Low
• Relief Valve Fails Shut
• Relief Valve Fails Open
• No or Slow Operator Response to Low Level Alarm
• Pipe Leaks Out

Fault Tree Analysis Basic Principles
• Assume Undesirable Event Has Occurred (Top Event)
• Work Problem Backwards - Retrosynthetic
• Active Search for Failures
• Detailed Failure Development
  – Hardware (Specific Devices)
  – Human (Specific Actions)

Fatality at the XYZ Process (fault tree)
  OR
    Fatality Due to External Fire
    Fatality Due to Internal Explosion
      OR
        Fatality at Feed Preheater
        Fatality at Reactor
        Fatality at Refining Column
    Fatality Due to Toxic Release
One of the three unit branches is expanded further on the slide (which unit is not legible):
  OR
    Fatality During the Run Period
    Fatality During the Start-Up Period
      AND
        People Present (Internal Explosion During Start-Up)
        Probability of Fatality (Internal Explosion)
        Internal Explosion During Start-Up
    Fatality During the Shutdown Period

Fault Tree Analysis Common Uses
• Safety Integrity Level (SIL) Verification for a Safety Instrumented Function (SIF)
  – SIL: Related to Probability of Failure on Demand for Stand-By Systems
  – SIF: System which senses a particular hazard and then takes actions to move the process to a safe state

High Pressure Interlock System (diagram; components shown: PT (pressure transmitter), AI (analog input), PLC, DO (digital output), valves XV-1 and XV-2)

High Pressure Interlock Fails to Halt Flow  Q = 0.0099
  OR
    Pressure Sensor Failure  Q = 0.008
    Analog Input Failure  Q = 0.0005
    Digital Output Failure  Q = 0.0003
    PLC Failure  Q = 0.0001
    Valves Fail to Halt Flow  Q = 0.001
      AND
        Valve XV-1 Fails to Halt Flow  Q = 0.032
          OR
            Valve XV-1 Stuck Open  Q = 0.002
            Valve XV-1 Leaks Across  Q = 0.03
        Valve XV-2 Fails to Halt Flow  Q = 0.032
          OR
            Valve XV-2 Stuck Open  Q = 0.002
            Valve XV-2 Leaks Across  Q = 0.03

Fatality at the XYZ Process (fault tree from the earlier slide, shown again)

Fault Tree Analysis Basic Principles
• Assume What You Care About Has Occurred (Top Event)
• Work Problem Backwards - Retrosynthetic
• Active Search for Failures
• Detailed Failure Development
  – Hardware (Specific Devices)
  – Human (Specific Actions)

Fault Tree Analysis (Quantitative)
"Decisions made with uncertain numbers are superior to those made with no numbers at all."
• Compute Top Event Rate or Unavailability
• Determine Acceptability
• Identify Critical Failure Modes
  – Relative Importance
  – Minimal Cut Sets
• Case Studies
  – Best Changes
  – Justification for No Changes
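Added example (not part of the deck): a small evaluator that rebuilds the High Pressure Interlock tree from the earlier slide and carries out the quantitative steps this slide lists. It computes the top-event unavailability two ways, with the rare-event approximation the slide's arithmetic uses (an OR gate sums its inputs) and with the exact 1 - prod(1 - Q) form, then enumerates the minimal cut sets, ranks them by probability, and scores each basic event's relative importance. The tree shape, gate names and Q values are transcribed from the slide; the evaluator, the choice of Fussell-Vesely as the importance measure, and the event-name strings are this example's own.

```python
# Added example. Tree, gate names and Q values are from the slide;
# the evaluator and the Fussell-Vesely importance measure are this example's choice.
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event with unavailability Q (probability of failure on demand)."""
    name: str
    q: float


@dataclass
class Gate:
    """OR/AND gate over basic events or sub-gates."""
    kind: str        # "OR" or "AND"
    name: str
    children: list   # Event or Gate instances


Node = Union[Event, Gate]


def unavailability(node: Node, rare_event: bool = True) -> float:
    """Top-event Q. rare_event=True reproduces the slide's arithmetic
    (OR gate = sum of inputs); False uses the exact 1 - prod(1 - Q)."""
    if isinstance(node, Event):
        return node.q
    qs = [unavailability(c, rare_event) for c in node.children]
    if node.kind == "AND":                # all inputs must fail (assumed independent)
        p = 1.0
        for q in qs:
            p *= q
        return p
    if node.kind == "OR":
        if rare_event:
            return sum(qs)
        p = 1.0
        for q in qs:
            p *= 1.0 - q
        return 1.0 - p
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> list:
    """Minimal combinations of basic events that fail the top event.
    OR = union of child cut sets; AND = cross product; then drop supersets."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    else:
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = []
    for cs in sorted(set(combined), key=len):   # shortest first
        if not any(m <= cs for m in minimal):   # keep only non-supersets
            minimal.append(cs)
    return minimal


def basic_events(node: Node) -> dict:
    """name -> Q for every leaf under node."""
    if isinstance(node, Event):
        return {node.name: node.q}
    out = {}
    for c in node.children:
        out.update(basic_events(c))
    return out


def ranked_cut_sets(node: Node) -> list:
    """(cut set, probability) pairs, most probable first: the 'Top Minimal Cut Sets' listing."""
    q = basic_events(node)
    rows = []
    for cs in minimal_cut_sets(node):
        p = 1.0
        for e in cs:
            p *= q[e]
        rows.append((cs, p))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def fussell_vesely(node: Node) -> dict:
    """Relative importance: share of total cut-set probability involving each basic event."""
    rows = ranked_cut_sets(node)
    total = sum(p for _, p in rows)
    return {name: sum(p for cs, p in rows if name in cs) / total
            for name in basic_events(node)}


def interlock_tree() -> Gate:
    """The slide's High Pressure Interlock tree with its printed Q values."""
    xv1 = Gate("OR", "Valve XV-1 Fails to Halt Flow",
               [Event("XV-1 Stuck Open", 0.002), Event("XV-1 Leaks Across", 0.03)])
    xv2 = Gate("OR", "Valve XV-2 Fails to Halt Flow",
               [Event("XV-2 Stuck Open", 0.002), Event("XV-2 Leaks Across", 0.03)])
    valves = Gate("AND", "Valves Fail to Halt Flow", [xv1, xv2])
    return Gate("OR", "High Pressure Interlock Fails to Halt Flow", [
        Event("Pressure Sensor Failure", 0.008),
        Event("Analog Input Failure", 0.0005),
        Event("Digital Output Failure", 0.0003),
        Event("PLC Failure", 0.0001),
        valves,
    ])


if __name__ == "__main__":
    t = interlock_tree()
    print(f"Q(top) rare-event = {unavailability(t):.5f}, exact = {unavailability(t, False):.5f}")
    for cs, p in ranked_cut_sets(t):
        print(f"{p:.6f}  {' AND '.join(sorted(cs))}")
    for name, fv in sorted(fussell_vesely(t).items(), key=lambda kv: -kv[1]):
        print(f"FV {fv:.3f}  {name}")
```

Running it reproduces the slide's 0.0099 for the top event (0.009924 with the sum approximation, 0.00990 exactly; the approximation is slightly conservative for an OR of small Qs). The cut-set listing shows why the redundant valve pair barely matters: the largest single contributor is the pressure sensor at Q = 0.008, which alone carries about 80% of the top-event probability, and the only valve cut set that registers is both valves leaking across (0.0009). A second sensor, or a better one, changes the answer; a third valve does not.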

Example Fault Tree for a Petrochemical Process (First Page)

Top Minimal Cut Sets

Results and Recommendations

Fault Tree Analysis (Timing)
• Design
• Construction/Start-Up
• Operating
  – Worst/Most Likely Cases
  – Active/Passive Levels of Protection
  – Calibration with Plant Data
  – Management of Change

Follow-Up Studies
• Human Factors
• Maintenance Intervals
• Offsite (F/N) Vulnerability
• Integrated Process Safety (IPS)

Data Requirements
• Current Piping and Instrumentation Diagrams
• Process flowsheets showing mass and energy balances
• Equipment descriptions including pressure and temperature ratings and materials of construction
  – The basis for sizing the relief valves and rupture disks should be stated
• Process layout
• Plant layout

Data Requirements (continued)
• Process description
• Operating instructions for start-up, shutdown, and normal operations
• Interlock system description
• Relay drawings (or equivalent PLC drawings) for the interlock system
• General physical, reactivity, and toxicity properties for the species in the process
• Reports of any prior accidents

Data Requirements (continued)
• Testing Intervals for Equipment and Instrumentation
• Loop Sheets (if available)
• Location of People Around the Process

Conclusions
• Do the Fault Tree for What You Care About
  – Fatality
  – Unavailability
  – Quality
  – Environmental Release
• Larger Fault Tree than SIL analysis
  – Consistency Challenge
• Quantitative Analysis
• Central Risk Map
  – Explicit Cause and Effect Scenario Development
  – Best Changes/No Changes
  – Case Studies: Process Changes, Human Factors, Maintenance Intervals, etc.