Probabilistic Risk Assessment (PRA)


Context: Multiple Barriers

Figure (not reproduced): a hazard is separated from its unwanted consequences by a series of barriers ("No Hazard" on one side, "Hazard" on the other).*

Example 1: Nuclear Power Plant

Example 2: Well Drilling (Oil & Gas Industry)

  Hazard: kick
  Unwanted consequence: blowout
  Barriers between them: kick detection system; managed pressure drilling system; blowout preventer stack; casing

*http://www.rpsgroup.com/Energy/Services/Advisory/Downstream/pdf/RPS-Final-Hazard-White-Paper_Nov2010_combined.aspx

The «swiss cheese» model

Figure (not reproduced): an initiating event passes through the holes of successive barriers and ends in an accident. Loss of barrier integrity increases the risk level; initiating events may give rise to accidents (Khakzad et al., 2013).

Example: Well Drilling (Oil & Gas Industry)

  Initiating event: kick
  Barriers, in order: kick detection system (flow-meter, pit volume) → managed pressure drilling (MPD) → blowout preventer (BOP) → casing
  Accident: blowout with catastrophic consequences

  Safety Barrier          Failure Probability
  Kick detection system   8.32E-01
  MPD System              8.14E-02
  BOP                     7E-04
  Casing                  2E-04

  (Abimbola et al., 2015)
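The table above gives one failure probability per barrier; what the Swiss cheese picture adds is that the kick has to get through all of them. The following Python is an added example, not code from the slides or from Abimbola et al. (2015): it walks the event tree for the initiating event "kick" through the four barriers in the order listed, computing the probability of each end state, and then shows how the blowout probability moves when one barrier loses its integrity. It assumes the barriers fail independently of one another (no common-cause failures) and act in the listed order; both are my assumptions for illustration.

```python
"""Event tree for the initiating event "kick" through the four safety barriers
of the well-drilling example.

Added example, not from the slides or Abimbola et al. (2015). Assumes the
barriers are challenged in the listed order and fail independently, so the
probability of any end state is the product of the barrier outcomes on its
branch.
"""
from math import prod

# Failure probabilities as listed in the slide table (Abimbola et al., 2015),
# in the order the barriers are challenged after a kick.
BARRIERS = [
    ("Kick detection system", 8.32e-01),
    ("MPD system", 8.14e-02),
    ("BOP", 7e-04),
    ("Casing", 2e-04),
]


def event_tree(barriers):
    """Return {end state: probability} for one kick.

    The kick is contained by the first barrier that holds; if every barrier
    fails the end state is a blowout. A branch's probability is the product of
    the failure probabilities of the barriers already passed, times the success
    probability of the barrier that holds.
    """
    end_states = {}
    passed = 1.0  # probability that every barrier so far has failed
    for name, p_fail in barriers:
        end_states[f"contained by {name}"] = passed * (1.0 - p_fail)
        passed *= p_fail
    end_states["blowout"] = passed
    return end_states


def blowout_probability(barriers):
    """P(blowout | kick): product of all barrier failure probabilities."""
    return prod(p for _, p in barriers)


def with_degraded_barrier(barriers, name, new_p_fail):
    """Copy of the barrier list with one failure probability replaced, modelling
    loss of barrier integrity (e.g. an untested or bypassed barrier)."""
    if name not in {n for n, _ in barriers}:
        raise KeyError(name)
    return [(n, new_p_fail if n == name else p) for n, p in barriers]


def risk_increase_factor(barriers, name, new_p_fail):
    """Factor by which P(blowout | kick) grows when one barrier degrades.

    In the independent-product model this is new_p_fail / old_p_fail, so the
    barrier with the smallest failure probability is the one whose loss hurts
    most: the casing here, not the kick detection system.
    """
    degraded = with_degraded_barrier(barriers, name, new_p_fail)
    return blowout_probability(degraded) / blowout_probability(barriers)


if __name__ == "__main__":
    tree = event_tree(BARRIERS)
    for state, p in tree.items():
        print(f"{state:<36} {p:.3e}")
    print(f"sum over end states: {sum(tree.values()):.6f}")
    for name, _ in BARRIERS:
        factor = risk_increase_factor(BARRIERS, name, 1.0)
        print(f"{name} lost entirely -> P(blowout) x {factor:.4g}")
```

The end-state probabilities sum to one, which is the check to run on any hand-built event tree. The last loop is the practical lesson of the barrier picture: a barrier that fails rarely contributes most to keeping the product small, so its integrity (testing, maintenance) deserves the most attention.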

Accident examples

Nuclear industry: Chernobyl, Fukushima → direct casualties + long-term effects that are difficult to quantify

Oil and Gas: large fatality accidents on average every 2 to 3 years over the last 30 years* (offshore and onshore)
  2001 - P36, sinking of semi-submersible, 11 fatalities
  2005 - Bombay High, ship collision with platform and riser fire, 22 fatalities
  2007 - Usumacinta, jack-up collision with platform, 22 fatalities
  2003 - Chongqing, sour gas blowout, 243 fatalities
  2004 - Skikda, explosion on LNG plant, 27 fatalities
  2005 - Texas City, explosion on refinery isomerisation unit, 15 fatalities
  2009 - Nigeria, pipeline explosion, 100 fatalities
  2009 - Jaipur, explosion in gasoline storage area, 12 fatalities
  2010 - Congo, gasoline road tanker overturned, 230 fatalities
  2010 - BP Gulf of Mexico explosion and oil spill

*http://www.rpsgroup.com/Energy/Services/Advisory/Downstream/pdf/RPS-Final-Hazard-White-Paper_Nov2010_combined.aspx

PRA: Why?

• Need to demonstrate the acceptability of the unavoidable level of RISK introduced by nuclear power plants, energy production plants, the oil and gas industry, …

• Need to identify suitable risk MITIGATION strategies to reduce the consequences on human safety, the environment and economics

Definition of risk

1. What undesired conditions may occur? (Accident) Scenarios, S

2. With what probability do they occur? Probability, p

3. What damage do they cause? Consequences, x

RISK = {Si, pi, xi}

Probabilistic Risk Analysis

The analysis answers the three questions in turn and then judges the result (diagram not reproduced; the tools listed beside each step on the slide are given here):

1. Accident scenarios identification: Hazard Analysis, HAZOP, FMECA
2. Failure probability assessment: FTA, ETA, Markov Models, Monte Carlo Simulation
3. Evaluation of the consequences: flow and transport codes, Finite Element Methods, DC/AC power flows, etc.
4. Risk evaluation

Inputs feeding all steps: International Standards, Best Practices, Lessons learnt, Expert judgments

RISK = {Si, pi, xi}

Risk evaluation

Once RISK = {Si, pi, xi} has been assembled (scenarios identified with Hazard Analysis, HAZOP, FMEA; probabilities from FTA, ETA, Markov Models, Monte Carlo Simulation; consequences from flow and transport codes, Finite Element Methods, DC/AC power flows, etc.; all informed by international standards, best practices, lessons learnt and expert judgments), each scenario is placed in a risk picture and judged.

Risk matrix: probability classes pi (rows 1 to 4) against consequence classes xi (columns A to D). Each cell of the matrix belongs to one of three regions:

• The level of risk is not acceptable and risk control measures are required to move the risk figure into the tolerable or acceptable regions

• The level of risk can be tolerable only once a structured review of risk-reduction measures has been carried out (ALARP = as low as reasonably practicable)

• The level of risk is broadly acceptable and generic control measures are required, aimed at avoiding deterioration

Farmer's curve: in the plane of probability of occurrence p versus consequence x (logarithmic axes), a limit line separates the unacceptable region above it from the acceptable region below it. A line of slope dp/dx = -1 on that plot holds p·x constant (an iso-risk line); the steeper slope dp/dx = -1.5 tolerates fewer high-consequence scenarios, i.e. it expresses risk aversion. (https://risk-net.org/node/118)

More on Risk Description…
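The risk matrix and Farmer's curve are two ways of deciding the same question for each triplet (Si, pi, xi). The following Python is an added example, not from the slides: it classifies a small set of constructed scenarios into the 4×4 matrix and tests each against Farmer-type limit lines of slope -1 and -1.5. The class boundaries, the region assigned to each matrix cell and the constant fixing where the limit line sits are all assumptions chosen for illustration; the slides give none of these values.

```python
"""Risk evaluation of scenarios {S_i, p_i, x_i} against a 4x4 risk matrix and
against Farmer-type limit lines.

Added example, not from the slides. The probability/consequence class
boundaries, the matrix cell regions and the limit-line constant are assumed
values for illustration.
"""
from enum import Enum
from math import inf


class Region(Enum):
    UNACCEPTABLE = "not acceptable: risk control measures required"
    ALARP = "tolerable only after a structured review of risk-reduction measures"
    ACCEPTABLE = "broadly acceptable: generic control measures against deterioration"


# Assumed class boundaries. Probability in events per year (p <= bound),
# consequence in fatalities (x < bound).
PROBABILITY_CLASSES = [(1e-4, 1), (1e-2, 2), (1e-1, 3), (inf, 4)]
CONSEQUENCE_CLASSES = [(1, "A"), (10, "B"), (100, "C"), (inf, "D")]

# Assumed matrix: row = probability class (4 = most likely), column = A..D.
# A = broadly acceptable, T = tolerable (ALARP), U = unacceptable.
RISK_MATRIX = {4: "ATUU", 3: "ATTU", 2: "AATU", 1: "AAAT"}
_REGION_OF = {"A": Region.ACCEPTABLE, "T": Region.ALARP, "U": Region.UNACCEPTABLE}


def probability_class(p):
    for bound, label in PROBABILITY_CLASSES:
        if p <= bound:
            return label
    raise ValueError("probability must be a finite non-negative number")


def consequence_class(x):
    for bound, label in CONSEQUENCE_CLASSES:
        if x < bound:
            return label
    raise ValueError("consequence must be a finite number")


def matrix_region(p, x):
    row = RISK_MATRIX[probability_class(p)]
    col = "ABCD".index(consequence_class(x))
    return _REGION_OF[row[col]]


def farmer_acceptable(p, x, slope=1.5, p_at_unit_consequence=1e-3):
    """Limit line p_lim(x) = c * x**(-slope), a straight line of slope -slope
    on log-log axes. slope=1 keeps p*x constant (iso-risk); slope=1.5 is
    stricter for large x (risk aversion). The constant c is an assumption."""
    if x <= 0:  # no consequence: nothing to limit
        return True
    return p <= p_at_unit_consequence * x ** (-slope)


def evaluate(scenarios):
    """scenarios: iterable of (name, p, x). One result dict per scenario."""
    return [
        {
            "scenario": name,
            "p_class": probability_class(p),
            "x_class": consequence_class(x),
            "matrix": matrix_region(p, x),
            "farmer_slope_1": farmer_acceptable(p, x, slope=1.0),
            "farmer_slope_1_5": farmer_acceptable(p, x, slope=1.5),
        }
        for name, p, x in scenarios
    ]


# Constructed scenarios (name, p in events/year, x in fatalities)
SCENARIOS = [
    ("S1 relief valve jammed closed, vessel rupture", 1e-5, 2),
    ("S2 uncontained gas release", 2e-5, 25),
    ("S3 blowout", 0.5, 150),
    ("S4 spurious shutdown, no injuries", 0.9, 0),
    ("S5 gas valve jammed open, overpressure", 0.05, 5),
]

if __name__ == "__main__":
    for r in evaluate(SCENARIOS):
        print(f"{r['scenario']:<46} class {r['p_class']}{r['x_class']}  "
              f"matrix={r['matrix'].name:<12} "
              f"farmer(-1)={r['farmer_slope_1']}  farmer(-1.5)={r['farmer_slope_1_5']}")
```

Scenario S2 is the one to look at: the matrix and the slope -1 line both accept it, the slope -1.5 line rejects it. That is exactly the effect of the steeper Farmer line, which demands a lower probability for a 25-fatality event than an iso-risk criterion would, and it is why the choice of slope has to be agreed before scenarios are judged.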

Risk analysis and mitigation in practice

Tools: Hazard Analysis, HAZOP, FMEA, FTA, ETA, Markov Models, Petri Nets; flow and transport codes, Finite Element Methods, DC/AC power flows, etc.; International Standards, Best Practices, Lessons learnt, Expert judgments.

Difficulties met at each step of the analysis:

• Accident scenarios identification: unknown unknowns

• Failure probability assessment: stochastically dependent components, effects of covariates, dynamic behaviors, complex relationships, etc.

• Evaluation of the consequences: complex phenomena, etc.

Risk mitigation

The risk evaluation feeds back into the system through two routes:

• Re-design: redundancies, reliable components

• Maintenance: diagnostics, prognostics, degradation models

RISK = {Si, pi, xi}

A technique for hazard identification: Failure Mode, Effects and Criticality Analysis (FMECA)

Piero Baraldi

FMECA

• Qualitative
• Inductive

AIM: identification of those component failure modes which could fail the system and/or become accident initiators

FMECA is usually carried out by a team of members with diverse skills (multidisciplinary). If performed as a timely, iterative activity, it is an effective tool in the decision-making process.

FMECA LOOP: Design → FMECA → Criticalities → Revise Design → (back to Design)

FMEA: Procedure steps

1. Decompose the system in functionally independent subsystems (EXAMPLE: car → motor subsystem, electric subsystem)

2. Define the mission phases (e.g., start-up, shut-down, maintenance, etc.) and their expected durations

3. For every mission phase, define each of the independent units in terms of:
   • required functions and outputs
   • internal and interface functions
   • expected equipment utilization and performance
   • internal and external restraints

4. Construct block diagrams (highlight the relationships between the items)

5. Compile the FMECA table

FMECA TABLE

Header: SUBSYSTEM: ...   OPERATION MODE: ...

Columns and their content:

  Component: description
  Functions: functions of the component in the operation mode indicated
  Failure mode: failure modes relevant for the operational mode indicated
  Effects on the item / on the subsystem: effects on the functionality of the item (or of the subsystem)
  Effects on other items: effects of the failure mode on adjacent components and the surrounding environment
  Effects on plant: effects on the functionality and availability of the entire plant
  Probability*: probability of failure occurrence (sometimes qualitative)
  Severity+: worst potential consequences (qualitative)
  Criticality: criticality rank of the failure mode on the basis of its effects and probability (qualitative estimation of risk)
  Detection methods: methods of detection of the occurrence of the failure event
  Protections and mitigation: protections and measures to avoid the failure occurrence
  Remarks: remarks and suggestions on the need to consider the failure mode as accident initiator

Example row:

  Component: PROCESS SHUTDOWN VALVE
  Function: shut down the process (designed with a closing time of 10 s)
  Failure modes: • close too slowly (> 14 s)  • close too fast (< 6 s)

Failure mode: the manner by which a failure is observed. Generally, it describes the observable effect of the mechanism through which the failure occurs (e.g., short-circuit, open-circuit, fracture, excessive wear).

* Probability classes:

• Very unlikely: once per 1000 years or seldom
• Remote: once per 100 years
• Occasional: once per 10 years
• Probable: once per year
• Frequent: once per month or more often

+ Severity classes:

• Safe = no relevant effects
• Marginal = partially degraded system but no damage to humans
• Critical = system damage and damage also to humans. If no protective actions are undertaken the accident could lead to loss of the system and serious consequences on the humans
• Catastrophic = loss of the system and serious consequences on humans

Detection methods distinguish two kinds of failure:

• Evident failure (detected instantaneously), e.g. spurious stop of a running pump
• Hidden failure (can be detected only during testing of the item), e.g. fail to start of a standby pump

Exercise: Domestic Hot Water (system diagram not reproduced)

Example Boiler System: FMECA

Columns: Component | Failure mode | Detection methods | Effect on whole system | Compensating provision and remarks | Criticality class | Failure frequency

Pressure relief valve (V04)
  Failure mode: jammed open
  Detection methods: observe at pressure relief valve
  Effect on whole system: ↑ operation of TS controller; gas flow due to hot water loss
  Compensating provision and remarks: shut off water supply, reseal or replace relief valve
  Criticality class: Safe
  Failure frequency: Likely

Pressure relief valve (V04)
  Failure mode: jammed closed
  Detection methods: manual testing
  Effect on whole system: no consequences. If combined with other component failure: rupture of container or pipes
  Compensating provision and remarks: periodic inspection; replacement
  Criticality class: Critical
  Failure frequency: Rare

Gas valve (V03)
  Failure mode: jammed open
  Detection methods: water at faucet too hot; pressure relief valve open (observation)
  Effect on whole system: burner continues to operate, pressure relief valve opens
  Compensating provision and remarks: open hot water faucet to relieve pressure. Shut off gas supply. Pressure relief valve compensates. (IE1)
  Criticality class: Critical
  Failure frequency: Likely

Gas valve (V03)
  Failure mode: jammed closed
  Detection methods: observe at output (water temperature too low)
  Effect on whole system: burner ceases to operate
  Compensating provision and remarks: replacement
  Criticality class: Safe
  Failure frequency: Negligible

Temperature measuring and comparing device (Tsc01)
  Failure mode: fail to react to temperature rise above preset level
  Detection methods: observe at output (water at faucet too hot); pressure relief valve opens
  Effect on whole system: controller, gas valve, burner continue to function "on". Pressure relief valve opens
  Compensating provision and remarks: pressure relief valve compensates. Open hot water faucet to relieve pressure. Shut off gas supply. (IE2)
  Criticality class: Critical
  Failure frequency: Negligible

Temperature measuring and comparing device (Tsc01)
  Failure mode: fail to react to temperature drop below preset level
  Detection methods: observe at output (water at faucet too cold)
  Effect on whole system: controller, gas valve, burner continue to function "off"
  Compensating provision and remarks: replacement
  Criticality class: Safe
  Failure frequency: Negligible
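Step 5 of the procedure, the FMECA table, is where the column definitions, the probability and severity classes, the evident/hidden distinction and the boiler rows above all come together. The following Python is an added example, not code from the slides: it encodes the six boiler rows as records, ranks each failure mode qualitatively, and pulls out the hidden failures, the accident initiators to carry into event-tree analysis, and the rows whose effect only appears in combination with another failure (which a single-failure FMEA cannot evaluate). The criticality matrix, the ordering of the boiler table's frequency labels (Negligible < Rare < Likely, standing in for the slide's very unlikely … frequent classes) and the keyword rule for hidden failures are my assumptions.

```python
"""FMECA table for the domestic hot-water boiler example with a qualitative
criticality ranking.

Added example, not from the slides. The rows reproduce the boiler entries on
the slides; the criticality matrix, the frequency ordering and the keyword
rule for hidden failures are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY = ("Safe", "Marginal", "Critical", "Catastrophic")   # slide classes, increasing
FREQUENCY = ("Negligible", "Rare", "Likely")                  # boiler-table labels, increasing (assumed order)

# Assumed qualitative criticality matrix: row = severity, columns = FREQUENCY order.
CRITICALITY = {
    "Safe":         "LLL",
    "Marginal":     "LLM",
    "Critical":     "MMH",
    "Catastrophic": "MHH",
}
RANK_NAME = {"L": "Low", "M": "Medium", "H": "High"}


@dataclass(frozen=True)
class Row:
    component: str
    failure_mode: str
    detection: str
    effect_on_system: str
    provisions: str
    severity: str
    frequency: str
    initiating_event: Optional[str] = None  # IE tag given on the slide, if any

    def criticality(self) -> str:
        if self.severity not in SEVERITY or self.frequency not in FREQUENCY:
            raise ValueError(f"unknown class in {self.component} / {self.failure_mode}")
        return RANK_NAME[CRITICALITY[self.severity][FREQUENCY.index(self.frequency)]]

    def is_hidden(self) -> bool:
        """Hidden failure: revealed only by testing or inspection of the item,
        not instantaneously at an output (keyword rule, an assumption)."""
        return any(w in self.detection.lower() for w in ("testing", "inspection"))

    def needs_multiple_failure_analysis(self) -> bool:
        """FMEA considers single failures only; a row whose effect appears only
        together with another failure is a candidate for FTA/ETA."""
        return "combined with" in self.effect_on_system.lower()


# Boiler rows as given on the slides (effects and provisions abbreviated to the text shown there)
BOILER = [
    Row("Pressure relief valve (V04)", "Jammed open", "Observe at pressure relief valve",
        "Increased operation of TS controller; gas flow due to hot water loss",
        "Shut off water supply, reseal or replace relief valve", "Safe", "Likely"),
    Row("Pressure relief valve (V04)", "Jammed closed", "Manual testing",
        "No consequences. If combined with other component failure: rupture of container or pipes",
        "Periodic inspection; replacement", "Critical", "Rare"),
    Row("Gas valve (V03)", "Jammed open",
        "Water at faucet too hot; pressure relief valve open (observation)",
        "Burner continues to operate, pressure relief valve opens",
        "Open hot water faucet to relieve pressure. Shut off gas supply. Pressure relief valve compensates.",
        "Critical", "Likely", "IE1"),
    Row("Gas valve (V03)", "Jammed closed", "Observe at output (water temperature too low)",
        "Burner ceases to operate", "Replacement", "Safe", "Negligible"),
    Row("Temperature measuring and comparing device (Tsc01)",
        "Fail to react to temperature rise above preset level",
        "Observe at output (water at faucet too hot); pressure relief valve opens",
        "Controller, gas valve, burner continue to function 'on'. Pressure relief valve opens",
        "Pressure relief valve compensates. Open hot water faucet to relieve pressure. Shut off gas supply.",
        "Critical", "Negligible", "IE2"),
    Row("Temperature measuring and comparing device (Tsc01)",
        "Fail to react to temperature drop below preset level",
        "Observe at output (water at faucet too cold)",
        "Controller, gas valve, burner continue to function 'off'.",
        "Replacement", "Safe", "Negligible"),
]


def ranked(table):
    """Rows from highest to lowest criticality (stable within a rank)."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(table, key=lambda r: order[r.criticality()])


def accident_initiators(table):
    """Failure modes to carry into event-tree analysis: those tagged as initiating
    events on the slide, plus any ranked High."""
    return [r for r in table if r.initiating_event or r.criticality() == "High"]


def hidden_failures(table):
    return [r for r in table if r.is_hidden()]


def summary(table):
    """(component, failure mode, criticality) for each row, highest criticality first."""
    return [(r.component, r.failure_mode, r.criticality()) for r in ranked(table)]


if __name__ == "__main__":
    for component, mode, crit in summary(BOILER):
        print(f"{crit:<7} {component}: {mode}")
    print("hidden:", [r.failure_mode for r in hidden_failures(BOILER)])
    print("initiators:", [r.initiating_event or r.failure_mode for r in accident_initiators(BOILER)])
```

Two things the ranking makes visible that the prose table does not: the relief valve jammed closed is the only hidden failure (it is found by manual testing, not at an output), which is why its provision is periodic inspection rather than an operator response; and it is also the only row whose damaging effect needs a second failure, so its criticality here is a placeholder until a fault tree evaluates the combination.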

FMEA: comments

1. Only single failures are considered, except for standby and protection components

2. No common cause failures

3. At the system design phase, the analysis is carried out on functions rather than components

4. Simple and systematic (computer tools available)

5. Subjective (relies on the analyst's expertise)

Where to study?

Red Book:
• Chapter 2
• Chapter 3: Sections 3 and 3.3