Risk Analysis Methodologies
BACK to TOP
1.
Qualitative risk analysis methodologies
In the this section, we will deal with the qualitative
methods used in risk analysis namely preliminary risk analysis (PHA), hazard
and operability study (HAZOP), and failure mode and effects analysis
(FMEA / FMECA).
1.1
Preliminary Risk Analysis
Preliminary Risk Analysis Preliminary risk analysis
or hazard analysis is a qualitative technique which involves
a disciplined analysis of the event sequences which could transform a potential
hazard into an accident. In this technique, the possible undesirable
events are identified first and then analysed separately. For each undesirable
events or hazards, possible improvements, or preventive measures are then
formulated.
The result from this methodology provides a basis
for determining which categories of hazard should be looked into more closely
and which analysis methods are most suitable. Such an analysis also proved
valuable in the working environment to which activities lacking safety
measures can be readily identified. With the aid of a frequency / consequence
diagram, the identified hazards can then be ranked according to risk, allowing
measures to be prioritised to prevent accidents.
BACK to TOP
1.2
Hazard and Operability studies (HAZOP)
The HAZOP technique was developed in the early
1970s by Imperial Chemical Industries Ltd. HAZOP can be defined as the application of a formal systematic critical examination
of the process and engineering intentions of new or existing facilities. To assess the hazard potential that arise from deviation in design specifications
and the consequential effects on the facilities as a whole.
This technique is usually performed using a set
of guidewords : NO / NOT, MORE / LESS OF, AS WELL AS, PART OF REVERSE, AND
OTHER THAN. From these guidewords, scenarios that may result in a hazard
or an operational problem iare identified. Consider the possible flow problems
in a process line, the guide word MORE OF will correspond to high flow
rate, while that for LESS THAN, low flow rate. The consequences of the
hazard and measures to reduce the frequency with which the hazard will
occur are then discussed.
This technique had gained wide acceptance in process industries as an effective tool for plant safety and operability
improvements.
BACK to TOP
1.3
Failure Mode and Effects Analysis (FMEA / FMECA)
This method was developed in the 1950s by reliability
engineers to determine problems that could arise from malfunctions of military
system. Failure mode and effects analysis is a procedure by which each potential failure
mode in a system is analysed to determine its effect on the system and
to classify it according to its severity.
When the FMEA is extended by a criticality analysis, the technique
is then called failure mode and effects criticality analysis (FMECA). Failure
mode and effects analysis has gained wide acceptance by the aerospace and
the military industries. In fact, the technique has adapted itself in
other form such as misuse mode and effects analysis.
BACK to TOP
1.4
Discussion and Conclusion
The three techniques outlined above requires
only the employment of "hardware familiar" personnel. However, FMEA tends
to be more labour intensive, as the failure of each individual components in
the system has to be considered. A point to note is that these qualitative
techniques can be used in the design as well as operational stage of a
system.
All the techniques mentioned above have seen
wide usage in the nuclear and chemical processing plants. In
fact, FMEA, one of the most documentedtechniques in use, it has been used by
"Intel" and "National Semiconductor" to improve the reliability of their
products.
For the case of preliminary risk analysis, it has seen application in safety
analysis in both industry and on offshore platforms. HAZOP, on the other hand,
has been widely used in the chemical industries for detailed failure
and effect study on the piping and instrumentation layout.
BACK
to TOP
2
Tree based techniques
In this section, fault-tree
analysis( FTA), event-tree analysis (ETA), cause - consequence analysis (CCA), management oversight risk
tree (MORT) and safety management organisation review technique (SMORT)
will be discussed.
2.1
Fault tree analysis
The concept of fault tree analysis
(FTA) was originated by "Bell Telephone Laboratories"
in 1962 as a technique with which to perform a safety evaluation of the
Minutemen Intercontinental Ballistic Missile Launch Control System.
A fault tree is a logical diagram which shows the relation between system
failure, i.e.. a specific undesirable event in the system, and failures of
the components of the system. It is a technique based on deductive logic.
An undesirable event is first defined and causal relationships of the failures
leading to that event are then identified.
Figure 1 : A fault tree depicting
the event "Fire breaks out".
Fault tree can be used in qualitative or quantitative
risk analysis. The difference in them is that the qualitative fault tree
is looser in structure and does not require use of the same rigorous logic
as the formal fault tree. Figure 1 shows a fault tree with top event
"Fire breaks out". This method is used in a wide range of industries and
there is extensive support in the form of published literature and software
packages, such as CARA.
BACK to TOP
2.2
Event tree analysis
Fault tree analysis - consists of an
analysis of possible causes starting at a system level and working down through
the system, sub-system, equipment and component, identifying all possible
causes. (What faults might we expect? How may they be arrived at?)
Assessment methods which allow quantifying
the probability of an accident and the risk associated with plant operation
based on the graphic description of accident sequences employ the fault tree or
event tree analysis (FTA or ETA) techniques.
Key Point: Fault Tree Analysis is a
logical method of analysing how and why a disaster could occur. It is a great
technique for working out the overall probability of a catastrophic event
occurring, such as a melt-down in a nuclear power plant where the substantial
cost involved is obviously necessary.
These methods are used to carry out a
mathematical analysis of the accident sequences and have been used to determine
the reliability of electronic systems. They are also widely used in the nuclear
industry but may not be suitable for general assessment of major hazard because
it involves substantial effort and cost.
BACK to TOP
2.3
Cause-Consequence Analysis
Cause-consequence
analysis (CCA)
is a blend of fault tree and event tree analysis. This technique combines
cause analysis (described by fault trees) and consequence analysis (described
by event trees), and hence deductive and inductive analysis is used. The
purpose of CCA is to identify chains of events that can result in undesirable
consequences. With the probabilities of the various events in the CCA diagram,
the probabilities of the various consequences can be calculated, thus establishing
the risk level of the system. Figure 2 below shows a typical CCA.
Figure 2 : A typical Cause-Consequence Analysis
This technique was invented by
"RISO" Laboratories
in Denmark to be used in risk analysis of nuclear power stations. However,
it can also be adapted by the other industries in the estimation of the
safety of a protective or other systems.
BACK to TOP
2.4
Management Oversight Risk Tree
Management oversight risk
tree( MORT) was developed
in the early 1970s, for the U.S. Energy Research and Development Administration
as safety analysis method that would be compatible with complex, goal-oriented
management systems. MORT is a diagram which
arranges safety program elements in an orderly and logical manner. Its
analysis is carried out by means of fault tree, where the top event is "Damage, destruction, other costs, lost production or reduced credibility
of the enterprise in the eyes of society". The tree gives an overview
of the causes of the top event from management oversights and omissions
or from assumed risks or both.
The MORT tree has more than 1500 possible basic
events compressed to 100 generic events which have been identified
in the fields of accident prevention, administration and management. A
generic MORT diagram is included at the end of this report. MORT is used
in the analysis or investigation of accidents and events, and evaluation
of safety programs. Its usefulness was revealed in literature [17], “normal
investigations revealed an average of 18 problems (and recommendations).
Complementary investigations with MORT analysis revealed additional 20
contributions per case”
.
BACK to TOP
BACK to TOP
2.5
Safety Management Organization Review Technique
Safety management organization review
technique (SMORT) is a simplified modification of MORT developed in
Scandinavia.
This technique is structured by means of analysis levels with associated
checklists, while MORT is based on a comprehensive tree structure. Owing
to its structured analytical process, SMORT is classified as one of the
tree based methodologies.
The SMORT analysis includes data collection based
on the checklists and their associated questions, in addition to evaluation
of results. The information can be collected from interviews, studies of
documents and investigations. This technique can be used to perform detailed
investigation of accidents and near misses. It also served well as a method
for safety audits and planning of safety measures.
2.6
Discussion and Conclusion
The tree-based methods are mainly used to find
cut-sets leading to the undesired events. In fact, event tree and fault
tree have been widely used to quantify the probabilities of occurrence
of accidents and other undesired events leading to the loss of life or
economic losses in probabilistic risk assessment. However, the usage of
fault tree and event tree are confined to static, logic modelling of accident
scenarios. In giving the same treatment to hardware failures and human
errors in fault tree and event tree analysis, the conditions affecting
human behaviour can not be modelled explicitly. This affects the assessed
level of dependency between events. No doubt, there exists techniques such
as human cognitive reliability to reconcile such deficiencies in
the fault tree analysis, new methodologies that model such responses have
emerged.
BACK
to TOP
3
Methodologies for analysis of dynamic system
In this section, GO method,
digraph / fault graph,
event sequence diagrams, Markov modelling, dynamic event logic analytical
methodology and dynamic event tree analysis method will be discussed.
3.1
GO method
The GO method is a success-oriented system
analysis that uses seventeen operators to aid in model construction.
It was developed by "Kaman Sciences Corporation" during the 1960s for reliability
analysis of electronics for the Department of Defence in U.S
The GO model can be constructed from engineering
drawings by replacing system elements with one or more GO operators. Such
operators are of three basic types : (1) independent, (2) dependent, and
(3) logic. Independent operators are used to model components requiring
no input and the independent operators, require at least one input in order
to have an output. Logic operators, on the other hand, combine the operators
into the success logic of the system being modelled. With the probability
data for each independent and dependent operator, the probability of successful
operation can then be calculated.
The GO method is used in practical application
where the boundary conditions for the system to be modelled are well defined
by a system schematic or other design documents. However, the failure modes
are implicitly modelled, making it unsuitable for detailed analysis of failure
modes beyond the level of component events shown in the system drawing.
Furthermore, it does not treat common cause failures nor provide structural
information (i.e. the minimum cut sets) regarding the system.
BACK to TOP
BACK to TOP
3.2
Digraph/Fault Graph
The fault graph method /
digraph matrix analysis] uses the mathematics and language of graph theory such as “path set”
(a set of models travelled on a path) and “reachability” (the complete set
of all possible paths between any two nodes).
This method is similar to a GO chart but uses
AND and OR gates instead. The connectivity matrix, derived from adjacency
matrix for the system, shows whether a fault node will lead to the top
event. These matrices are then computer analysed to give singletons (single
components that can cause system failure) or doubletons (pairs of components
that can cause system failure). Digraph method allows cycles and
feed back loops which make it attractive for dynamic system. Figure
3 shows a success oriented system digraph of simplified emergency core
cooling system.
Figure 3 : Success oriented system
digraph of simplified emergency core cooling system in a nuclear power plant
(Ralph R. Fullwood & Robert E. Hall)
BACK to TOP
3.3
Markov Modelling
Markov modelling is a classical
modelling technique used for assessing the time-dependent behaviour of many
dynamic systems. In a ‘Markov chain’ processes, transitions between
states are assumed to occur only at discrete points in time. On the other
hand, in a ‘discrete Markov process’, transitions between states are allowed
to occur at any point in time. For process system, the discrete system
states can be defined in terms of ranges of process variables as well as
component status.
This methodology also incorporates time explicitly,
and can be extended to cover situations where problem parameters are time
independent. The state probabilities of the system P(t) in a continuous
Markov system analysis are obtained by the solution of a coupled set of
first order, constant coefficient differential equations :
dP/dt = M.P(t),
where M is the matrix of coefficients whose off-diagonal
elements are the transition rate and whose diagonal elements are such that
the matrix columns sum to zero. An application of Markov modelling to a
hold-up tank problem is discussed in literature, while Pate-Cornell(1993)
used the technique to study the fire propagation for a subsystem on board
a off-shore platform in [14].
BACK to TOP
3.4
Dynamic Event Logic Analytical Methodology
The dynamic event logic analytical
methodology (DYLAM) provides an integrated framework to explicitly treat time, process
variables and system behaviour[13]. A DYLAM will usually comprised of the
following procedures : (a) component modelling, (b) system equation resolution
algorithms, (c) setting of TOP conditions and (d) event sequence generation
and analysis.
DYLAM is useful for the description of dynamic
incident scenarios and for reliability assessment of systems whose mission
is defined in terms of values of process variables to be kept within certain
limits in time[19]. This technique can also be used for identification
of system behaviour and thus, as a design tool for implementing protections
and operator procedures.
It is important to note that system specific
DYLAM simulator must be created to analyse each particular problem. Furthermore,
input data such as probabilities of a component being in certain state
at transient initiation, independency of such probabilities, transition
rates between different states, and conditional probability matrices for
dependencies among states and process variables need to be provided to
run the DYLAM package. An application of DYLAM on a reservoir problem is
given in literature.
BACK to TOP
BACK to TOP
3.5
Dynamic Event Tree Analysis Method
Dynamic event tree analysis
method (DETAM) is an approach that treats time-dependent evolution of plant hardware
states, process variable values, and operator states over the course of
a scenario. In general, a dynamic event tree is an event tree in which
branchings are allowed at different points in time. This approach is defined
by five characteristics set : (a) branching set, (b) set of variables defining
the system state, (c) branching rules, (d) sequence expansion rule and
(e) quantification tools. The branching set refer to the set of variables
that determine the space of possible branches at any node in the tree.
Branching rules, on the other hand, refer to rules used to determine when
a branching should take place (a constant time step). The sequence expansion
rules are used to limit the number of sequences.
This approach can be used to represent a wide
variety of operator behaviours, model the consequences of operator actions
and also served as a framework for the analyst to employ a causal model
for errors of commission. Thus it allows the testing of emergency procedures
and identify where and how changes can be made to improve their effectiveness.
An analysis of the accident sequence for a steam generator tube rupture
is presented in literature.
BACK to TOP
BACK to TOP
3.6
Discussion and Conclusion
The techniques discussed above address the deficiencies
found in fault/event tree methodologies when analysing dynamic scenarios.
However, there are also limitation to their usage. The digraph and GO techniques
model the system behaviour and deal, in limited extend, with changes in
model structure over time. On the other hand, Markov modelling requires
the explicit identification of possible system states and the transitions
between these states. This is a problem as it is difficult to envision
the entire set of possible states prior to scenario development. DYLAM
and DETAM can solve the problem through the use of implicit state-transition
definition. The drawbacks to these implicit techniques are implementation-
oriented. With the large tree-structure generated through the DYLAM
and DETAM approaches, large computer resources are required. The second
problem is that the implicit methodologies may require a considerable amount
of analyst effort in data gathering and model construction.
BACK to TOP
Conclusions
A total of 13 risk analysis techniques were reviewed
in the discussion above. Qualitative methodologies though lacking the ability
to account the dependencies between events, are effective in identifying
potential hazards and failures within the system. The tree-based techniques
addressed this deficiency by taking into consideration the dependencies
between each events. The probabilities of occurrence of the undesired event
can also be quantified with the availability of operational data. However,
no one has yet attempted to quantified the undesired top event in a MORT tree.
Currently, research has been made on
DYLAM and DETAM to study accident scenarios by treating time,
process variables, system behaviour and operators action through an integrated
framework. These techniques address the problem of having less than adequate modelling
of conditions affecting control system actions and operator behaviour
when using the fault/event tree( e.g. behaviour of plant process variables,
previous decisions by the operating crew). However, the drawbacks for
these techniques are the requirement for large computer resources and extensive
data collection. With the development of more efficient algorithm and powerful
computer, such methodologies would be widely applied.
BACK to TOP