Fault Tree Analysis Part 5: Digraph-Based Fault Tree Synthesis Procedure (Multiple Loops)
HEAT EXCHANGER WITH MULTIPLE FEEDBACK LOOPS
[Figure: heat exchanger process diagram. Labels: HOT, COLD, V1 (A.O.), V2 (A.C.), TRC, SET PT., AIR SUPPLY, T, and numbers 1 to 10.]
MULTIPLE FEEDBACK LOOP OPERATOR
IF the Output Variable Is On Two NFBLs of Equal Power and Speed
[Figure: fault tree operator template headed by Output (Value), built from OR, AND and EOR gates. Event labels: Large or Fast Disturbances; Inputs (Value) (Off both NFBLs); Loops Pass Disturbances; Both Loops Inactive; Loop I Causes; Loop II Causes; Loop I Inactive; Loop II Inactive; Loop I Normal; Loop I OK (prob = 1); Loop II OK (prob = 1).]
[Figure: fault tree for the heat exchanger, headed by T4(+1), drawn across pages 1 to 3 with continuation pages A, B and C, using numbered OR, AND and EOR gates. Event labels include: T3(+1); Fire at Hx; T1, T2, T8 and T9 deviations; Loop I cause; Loop II cause; Loop I inactive; Loop II inactive; M2(+1); M9(-1); P5(-1); V1 stuck; V2 stuck; TRC stuck; TRC on manual; TRC reversed; Sensor stuck; Set Point (+1); Air Press. (+1); Air Press. (+10); TRC Fails High; Temp. Sensor Fails Low (+1); No reverse gain.]
[Example] TANK PRESSURIZATION PROBLEM
This process separates a two-phase stream (stream 1) into vapor (stream 2) and liquid (stream 3) using a flash tank. Level in the tank is controlled by a negative feedback loop through a level controller. A pressure sensor monitors the tank pressure, which is relayed back to the control room. Should the operator see a high pressure on the indicator, he is instructed to manually open valve V1, which drains the tank and reduces the pressure. The relief valve is designed to vent the vapor portion of the tank mixture when high tank pressure is encountered.
[Figure: flash tank process diagram. Labels: RV, P, L, LC, V1, A.O., and numbers 1 to 7.]
• TOP EVENT:
• Normal Conditions: Flow in streams 1, 2, and 3. Tank 50% full. Level controller on automatic. Relief valve and V1 closed.
• Equipment Behavior:
  Level Sensor: P5 increases when level increases. The sensor has stuck during operation.
  Level Controller: P4 increases when P5 increases. The controller set point may be changed. The controller may be switched to manual operation.
  Control Valve: Increasing P4 causes the valve to open.
  Valve V1: The valve is manually operated. It may stick.
  Relief Valve: The valve may fail shut. If the relief valve is full of liquid, it will not vent the system fast enough.
[Figure: digraph for the tank pressurization problem, showing Loop I, Loop II and Loop III with signed edge gains. Edge and node labels include: Plug in line 2; RV fails closed; Operator opens wrong valve; V1 stuck; Operator action; L = +10; Pressure sensor inoperative; Operator does not see pressure indicator; Level sensor stuck; Controller on manual; Level set point; L; V1P; RVP.]
[Figure: fault tree for the tank pressurization problem, drawn across pages 1 and 2 with OR and AND gates and a 2 NFBL operator (Loops Pass Disturbance / Loops Cause). Annotation: No Uncontrollable Disturbances! Event labels include: Plug In Line 2; L (0); L (+10); L (-10); Loop I inactive; Loop II inactive; Loop I cause; Loop II cause; Both cause; V1 Stuck; Operator Action (0); Operator Opens Wrong Valve; Pressure Sensor Inoperative; Operator does not See Pressure Indicator; RV Fails Closed; RVP (0); RVP (-10); Isolation valve Closed in error; Level Set Pt. (+10).]