
Fault Tree Quantification

Quantitative Risk Analysis L09b


Fall 2013

L09b Fault Tree Quantification 1


Example
Water Pumping System



Example
Water Pumping System
• Assume a water system with a single source of water,
T1, and 2 pumps in parallel, only 1 of which is needed
for pumping capacity.
• Valves V1 – V5 are normally open.
• The sensing and control system automatically starts the
pumps when water is needed to meet the design intent.
• AC power for the pumps and the sensing and control
system is from a single source.



Initial Fault Tree for the Water
Pumping System

(figure: initial fault tree, with some branches not developed
to basic events)

S = sensing and control system



Reduced Fault Tree for the Water
Supply System
Simplified from the initial FT; note AC, S.
Identify minimum cut sets: routes to the top event.

1-unit CS:
2-unit CS:



Component Behavior
…recall
• bathtub curve

• For a component with a failure rate (ROCOF, λ) of 0.05 per year,
find the reliability at t = 10 years and the probability of failure at
t = 10 years.



Failure of Tested Protective Systems
example
• Water is drawn from a tank, which has a level control
system to supply water from an external source. A high-level
shut-off system activates if the level is detected higher
than full.
• Also, there is a high-level alarm.
• If the level control system and alarm each randomly fail
once in 10 years, i.e., 10^-1 /yr,
• how often will the tank overflow?



Failure of Tested Protective Systems
probability
• The frequency of failure of the protective system can be converted
to a probability of being in a failed state when called upon to
protect.
– How often is the system tested?
– How does frequency of testing affect the failure probability?
• If the system is tested every T years, the probability of the system
failing within any test period is ? (Assume λ constant.)

Probability of failure at time T:  F(T) = 1 - R(T) = 1 - e^{-λT}

where λ is the failure frequency of the protective system, which is
illustrated in the following figure.



Component Behavior
tested vs untested
• As the time between tests increases, indicated by the broken line, the probability
of protective system failure approaches 1.

F(T) = 1 - e^{-λT}, λ ≈ constant:  cumulative failure probability of an
untested system
F(T) ≈ λT:  cumulative failure probability of a frequently tested system
F(T*)_test = 0:  probability of failure immediately following a test



Component Behavior
tested vs untested
• Expand the probability of failure, F(T) = 1 - e^{-λT}, in powers of λT.
• If λT << 1 (ROCOF is low or T is short), the higher-order terms
are negligible.
• With this condition, the cumulative probability of failure
increases approximately linearly with T as

F(T) ≈ λT



Component Behavior
…after test
• The condition of sufficiently frequent testing is shown in
the previous figure. Each time that the system is tested,
at T = T*, it is either:
– operable, F(T*)_test = 0 (certain event), or
– repaired or replaced and restored to operational condition,
F(T*)_test = 0.
• Therefore the probability of being in a failed state is 0,
or becomes 0 following repair or replacement
(certain event).



Component Behavior
probability of failure on demand
• When a component is tested, either it works or it does not work
satisfactorily (binary case).
• The rate of occurrence of failure (ROCOF) = λ in time
intervals of the useful life region (of the bathtub curve) is
approximated to be constant.
• Assuming POI with P(failure) about the same at any time between
adjacent tests, the average time for an item to be in a failed state,
the dead time, is ~1/2 the time between tests, T.
• The fraction of time the item is in a failed state converts λ to the
probability of failure on demand (PFD)
= average dead time multiplied by λ:  PFD = (1/2) λT
• Alternatively called FDT: Fractional Dead Time


Component Behavior
probability of failure on demand

Equal testing intervals = T



Probability of Failure on Demand

• The PFD is the probability that the protective component is
in a failed state (latent failure) at the time of the system
demand, when it is called upon to perform and protect.
• Demand rate, D, is the frequency of system requirement for a
protective response to avoid mishap. An example is the water
level control system (high level detection, water shut off,
high level alarm) assuming independent operation.
• Failure frequency = D_detect × PFD_alarm × PFD_shutoff
= D_detect × P(alarm | detect) × P(shutoff | detect)



Example 9.2
• A tank has water drawn from it intermittently, and at
varying rates. It is fitted with a level control system
which supplies water from an external supply until the
tank is full again.
• There is also a high-level trip system, which actuates if
the level rises higher than the “full” level, and shuts
down the external water supply to prevent overflow.
– Assume that the high level alarm is tested every 3 months.
– It is found, on consulting records, that it has failed around once
every 10 years.

• Estimate the Hazard Rate….



Example 9.2

• The frequency of failure of the high level alarm is 0.1
per year. Since it is tested every 3 months, that is, every
0.25 years:
• PFD or FDT = 0.5 × λ × T = 0.5 × 0.1 × 0.25 = 0.0125 per year
• The demand rate, that is, the frequency of failure of level
control, is 0.1 per year.
• HR = Demand rate (D) × FDT
= 0.1 × 0.0125 = 0.00125 per year
• This is equivalent to a 1 in 800 chance per year, or
once per 800 years.



Untested Protective System

• It is bad practice to install a protective system and not to
test it.
• An approximate formula for calculating the hazard rate
for a system comprising a demand and an untested
protective system is:

Hazard Rate = D λ / (D + λ)

where D is the demand frequency and λ the failure frequency of the
untested protective system (this is the form applied in Example 9.3).



Example 9.3

• If a level controller fails with a frequency of 0.1 per year,
• and the (untested) high-level alarm is of a type that
typically fails with a frequency of 0.1 per year,
• what is the hazard rate?



Example 9.3, solution

• HR = (0.1 × 0.1)/(0.1 + 0.1)
= 0.01/0.2 = 0.05 per year
• Thus the overflow frequency of once per 10 years is
reduced by a factor of only 2 by using an untested high-level
alarm,
• compared with a factor of 80 if the alarm is tested
quarterly (see example 9.1).



Example 9.4
• An electrical switch room is located where it is just conceivable
that a leak of flammable gas could enter it through its ventilation
system.
• A flammable gas detector is installed in the air intake, to shut
down the ventilation system in the event of flammable gas being
detected.
• It is estimated that:
– the frequency of gas leaks reaching the ventilation air intake is 0.001 per
year;
– the frequency of failure of the gas detector is 0.2 per year.

• It is to be decided whether, in view of the low likelihood of the gas
leak reaching the switch room,
– it is really necessary to test the gas detector at the normal frequency of once
per 3 months, or
– whether it would be reasonable to leave it off the testing schedule
altogether.



Example 9.4

Solve or H/W

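Added example (not from the slides): Python functions applying the formulas above, F(T) = 1 - e^{-λT}, PFD = (1/2)λT, HR = D × PFD for a tested protective system and HR = Dλ/(D + λ) for an untested one, to the Example 9.2 and 9.3 numbers and then to Example 9.4's numbers (D = 0.001/yr, λ = 0.2/yr, T = 0.25 yr) to compare quarterly testing against no testing. The cut-off at λT > 0.1, where the linear approximation is refused, is an assumed engineering threshold, not a value from the slides.

```python
import math

def reliability(lam, t):
    """R(t) = exp(-lambda*t) for a constant ROCOF lambda (useful-life region)."""
    return math.exp(-lam * t)

def failure_prob(lam, t):
    """F(t) = 1 - R(t): cumulative failure probability of an untested item."""
    return 1.0 - reliability(lam, t)

def pfd_tested(lam, test_interval):
    """PFD (fractional dead time) = 0.5*lambda*T for an item tested every T.
    Relies on F(T) ~ lambda*T, so reject inputs where lambda*T is not small
    (the 0.1 cut-off is an assumed engineering threshold, not from the slides)."""
    if lam * test_interval > 0.1:
        raise ValueError("lambda*T not << 1: PFD = 0.5*lambda*T is not valid")
    return 0.5 * lam * test_interval

def hazard_rate_tested(demand_rate, lam, test_interval):
    """HR = D x PFD: one frequency times a probability at the AND gate."""
    return demand_rate * pfd_tested(lam, test_interval)

def hazard_rate_untested(demand_rate, lam):
    """HR = D*lambda/(D + lambda) for a protective system that is never tested."""
    return demand_rate * lam / (demand_rate + lam)

def compare_testing(demand_rate, lam, test_interval):
    """Hazard rate with and without testing, and the factor by which each
    reduces the raw demand frequency D."""
    tested = hazard_rate_tested(demand_rate, lam, test_interval)
    untested = hazard_rate_untested(demand_rate, lam)
    return {"hr_tested": tested, "hr_untested": untested,
            "factor_tested": demand_rate / tested,
            "factor_untested": demand_rate / untested}

if __name__ == "__main__":
    print(reliability(0.05, 10), failure_prob(0.05, 10))   # component with 0.05/yr at 10 yr
    print(compare_testing(0.1, 0.1, 0.25))    # Examples 9.2 (tested) and 9.3 (untested)
    print(compare_testing(0.001, 0.2, 0.25))  # Example 9.4: gas detector, quarterly vs never
```

For Example 9.4 the quarterly-tested detector brings the switch-room hazard rate to 2.5e-5/yr, against about 1e-3/yr if it is left untested, so dropping the test gives away nearly all of the detector's benefit.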


Example 9.5
Heater Coil FT Quantification
FE, flow transducer
FC, flow controller
FS, flow switch
FAL, low flow alarm
SV, solenoid valve
FCV, flow control
TE, T transducer
TC, T controller
TSH, high T switch
GIV, gas isolation valve
MBV, manual bypass valve
TCV, T control valve



Example 9.5
Heater Coil FT Quantification

T = A•{B+C+(D+E)•(F+G+H)}

State the logic of the protective response.

(figure: reduced FT, using the same assumptions as for the initial FT;
basic events A through H as labelled in the expression above, with
D, E on the automatic branch and F, G, H on the manual branch)
Example 9.5
Heater Coil FT Quantification
• Failure rate data for the Hot Oil Heating System are listed.
• Protective components are tested 4 times/yr, so T = ?.
• Pump failure is considered the demand, D, and will be used here
as a frequency.
• Other system components are part of the protective response
system and will be used as probabilities.



Example 9.5, solution
Heater Coil FT Quantification
• Failure Data

PFD (FDT, fractional down time) = 0.5 × λ × T, with T = 0.25 yr:
FE:  0.5 × 0.02 × 0.25 = 0.0025
FS:  0.5 × 0.1 × 0.25 = 0.0125
SV:  0.5 × 0.1 × 0.25 = 0.0125
TCV: 0.5 × 0.05 × 0.25 = 0.00625
FAL: 0.5 × 0.05 × 0.25 = 0.00625



Rules for Quantifying
Frequency on FT
• Where there are two independent events, the probability
that both will occur is:
P(A · B)=P(A)×P(B)
• The probability that one or the other will occur
(i.e., A or B) is:
P(A+B) =P(A)+P(B)−P(A)×P(B)
– As P(A) and P(B) are usually small, the third term above is
usually negligible compared with the sum of the first two terms



Rules for Quantifying
Frequency on FT
• Frequencies are added at an OR gate
(getting a frequency result).
• Probabilities are added at an OR gate
(getting a probability result).
• Frequencies and probabilities cannot be added
(mixed units: meaningless).
• Frequencies cannot be multiplied
(frequency squared units: meaningless).
• One frequency can be multiplied with probabilities at an
AND gate (frequency result).



Example 9.5, solution
Heater Coil FT Quantification
• Calculate
Pr(events)
PFD of protective system
PFD of manual
PFD of auto

(figure: quantified fault tree, Tweeddale, 2003)
Example 9.5, solution
Heater Coil FT Quantification
• Top event frequency: λ = 0.0256/yr
• FE, FS are required by both the automatic and the
manual protective response systems.
• Based on the reduced fault tree, we expect FE, FS to
contribute significantly to overall risk of heater coil burn
out.



Heater Coil Common Cause Failure

• In this analysis, random failures were approximated to
occur independently.
• Dependent or common-cause failures are due to factors
that are common to two or more components, e.g.,
quality of maintenance.
• Due to dependencies and common-cause failures, the
combined failure probabilities leading to system failure
can be much greater than calculated assuming
independence of components.



Heater Coil System Reliability, 1

• First: reduce inherent hazards, and then reduce the
inherent failure probability with higher-reliability
components.
• Reduce demand frequency, D: improve containment and
control (including human factors).
• Lower PFD of protective systems. How?
• Analyze measures to mitigate consequences to personnel
and to the system.



Heater Coil System Reliability, 2

• Lower PFD = (1/2) λT
– Reduce λ: more reliable components; design changes
– Increase testing frequency (cost/risk balance)
– Install redundant systems
• e.g. redundant system
– For PFD = 0.01
– PFD_red = 0.01 × 0.01 = 0.0001
– PFD significantly lowered if independent

The actual PFD reduction is less, since components are not fully
independent: they can be dependent in varying degrees, or subject to
common-cause failures.



Achievable PFD Level
Relative Categories
PFD          Description
0.1 – 0.01   Human error for a wide range of tasks
0.01         Simple system with regular testing & maintenance
0.001        Practical limit unless designed, tested, & maintained by
             High Integrity Protective System specialists
0.0001       Limited to plants, e.g., nuclear, with highest standards
             of design, testing, operation, maintenance, supervision,
             management, and with a healthy safety culture.

(Cost increases as the achievable PFD decreases down the table.)



How to Achieve High Reliability

• Reduce common-cause failures
– Use different types or designs for the 2 protective systems
– Difficult to identify all common-cause forms
– Higher level of diversity in the design
– Plan frequent tests and maintenance
• Costs of high reliability systems can be large, which
emphasizes the high priority on designs to minimize
inherent hazards.



Heater Coil System
Reliability improvement
• Separate the overall system into a control system (automatic)
and a protective system (manual).
– At present, if the control system fails because of FE failure, the
alarm and low-flow protection system (FE, FS, SV) cannot
operate.
– Solutions?
If the low-flow alarm and relay systems are actuated by a low-flow switch
independent of FE, FS, system reliability will be greatly improved.
• Design protective systems to operate more independently
from the control systems.



Cut Set or Path Set:
a Scenario Leading to Top Event
• A cut set (path set) is a combination of component
failures (non-failures) that will lead to failure (success)
of the system.
• Cut set method:
From the control and protection systems, identify the
minimum component and operator failures that will
result in overheating of the heater coils.



Cut Set Method, Frequency

• For each cut set, calculate the
cut set frequency from failure rate information
(pump frequency and PFD values for the other components).
• Only one cut set element can be a frequency, and all
other elements must be probabilities.



Example 9.5, solution
Heater Coil Cut Set Method
• Path-sets?

• Cut-sets?
The combinations of two components are:
PU· FE
PU· FS
The combinations with three components are:
PU, SV, FAL
PU, SV, OP
PU, SV, GIV
PU, TCV, FAL
PU, TCV, OP
PU, TCV, GIV



Example 9.5, solution
Heater Coil Cut Set Method

(figure: cut sets quantified with their PFD values; frequencies in
italics; top event frequency)
Example 9.5, solution
Heater Coil: Main Contributors
Cut sets        Freq/yr    IM %
PU, FS          0.0188     73     } 88% of total
PU, FE          0.0038     15     }
PU, SV, OP      0.0019     7      }
PU, TCV, OP     0.00094    4      } 11% of total
PU, SV, FAL     0.00012    0.5    }
PU, SV, GIV     0.00009    0.4    }
PU, TCV, FAL    0.00006    0.23   } ~1.3% of total
PU, TCV, GIV    0.00005    0.18   }
Top event freq = 0.0256/yr

Cut sets C_i are categorized by their importance IM:

IM_i = P(C_i) / P(TE),   P(C) = ∏_{i ∈ C} P(c_i),   c_i is a component in cut set C
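Added example (not from the slides or from Tweeddale): Python that expands the reduced tree T = PU·(FE + FS + (SV + TCV)·(FAL + OP + GIV)) into its minimal cut sets, applies the quantification rules (cut-set frequencies add at the top OR; each cut set carries exactly one frequency, multiplied by the PFDs of its other elements), and ranks the cut sets by importance IM_i = P(C_i)/P(TE). The PFDs for FE, FS, SV, TCV and FAL are the slide values; the pump failure frequency PU and the PFDs for OP and GIV are assumed placeholders, since the slides do not list them.

```python
from itertools import product
# FE, FS, SV, TCV, FAL: PFDs from the slides (0.5*lambda*T, T = 0.25 yr).
# PU (pump failure, a frequency in /yr), OP and GIV are ASSUMED placeholders.
FREQUENCIES = {"PU": 1.5}
PFD = {"FE": 0.0025, "FS": 0.0125, "SV": 0.0125, "TCV": 0.00625,
       "FAL": 0.00625, "OP": 0.1, "GIV": 0.005}
# Reduced fault tree T = PU*(FE + FS + (SV + TCV)*(FAL + OP + GIV)).
TREE = ("AND", "PU", ("OR", "FE", "FS",
                      ("AND", ("OR", "SV", "TCV"), ("OR", "FAL", "OP", "GIV"))))

def cut_sets(node):
    """Expand a gate into its cut sets (each a frozenset of basic events)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    families = [cut_sets(c) for c in children]
    if gate == "OR":                      # any child failing suffices: union
        return set().union(*families)
    result = {frozenset()}                # AND: one cut set from each child
    for fam in families:
        result = {a | b for a, b in product(result, fam)}
    return result

def minimal_cut_sets(node):
    """Drop any cut set that is a proper superset of another."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}

def cut_set_frequency(cs):
    """Exactly one element may be a frequency; all others must be PFDs."""
    freqs = [c for c in cs if c in FREQUENCIES]
    if len(freqs) != 1:
        raise ValueError(f"cut set {sorted(cs)} needs exactly one frequency")
    rate = FREQUENCIES[freqs[0]]
    for c in cs:
        if c not in FREQUENCIES:
            rate *= PFD[c]
    return rate

def quantify(node):
    """Top-event frequency (cut-set frequencies add, an OR) and {cut set: (freq, IM)}."""
    rates = {cs: cut_set_frequency(cs) for cs in minimal_cut_sets(node)}
    top = sum(rates.values())
    return top, {cs: (r, r / top) for cs, r in rates.items()}

if __name__ == "__main__":
    top, table = quantify(TREE)       # top comes out near the slides' 0.0256/yr
    for cs, (r, im) in sorted(table.items(), key=lambda kv: -kv[1][0]):
        print(sorted(cs), f"{r:.5f}/yr  IM {100 * im:.1f}%")
```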


Example 9.5, solution
Heater Coil: Main Contributors

(figure: cut-set frequencies, 2-element cut sets)


FT quantification

• Quantify frequency of top event.
• Only one component of each cut set can be a frequency.
• Cut sets show main contributors to system unreliability
– PU, FS and PU, FE cut sets contribute ~ 88% of unreliability
• Increase reliability through more independent control
and protection systems.



System Reliability

• Improve reliability:
– evaluate cost effectiveness of higher reliability units and
redundancy.
– Test and maintain within low PFD levels where λt < 1.
• Also, design for independence of automatic and manual
protective systems:
– reduce or eliminate low-number cut sets, especially
1-component.
• Provide more independence between the control system
and the protection system.



Failure Rate Data Sources
• AIChE (1989), “Guidelines for Process Equipment Reliability Data,” Center for
Chemical Process Safety (CCPS)
• IEEE Std 500 (1984), “IEEE Guide to the Collection and Presentation of
Electrical, Electronic, Sensing Component and Mechanical Equipment
Reliability Data for Nuclear Power Generating Stations.”
• MIL-HDBK-217F (2002), Military Handbook – Reliability Prediction of
Electronic Equipment.
• NPRD-2 (1981), “Non-electronic Parts Reliability Data,” Reliability Analysis
Center at the Rome Air Development Center.
• OREDA (1998), Offshore Reliability Data Handbook, SINTEF: Trondheim,
Norway
• Lees, F.P., (2005), Loss Prevention in the Process Industries, 3rd Ed., Sam
Mannan, Butterworth, Oxford, UK

