Fault Tree Analysis

Part 1: Introduction

失誤樹分析沿革(1) 在 1961~1962 年間，由 Bell Telephone Lab. 的 H. A. Watson

開始發展。為空軍義勇兵飛彈的控制系統的一項研究計畫。

(2) 第一篇發表之論文： 1963 年在由 U. Of Washington 與波音公司聯合主辦之 safety Symposium 上發表。

(3) 於 70 年代初期開始被廣泛地應用。

(4) 於 1972 年“ Reactor Safety Study” ， WASH-1400 計畫中，首次為核工界所應用。

(5) 亦被用於分析大型化工廠之安全分析及液化天然氣 (LNG)工廠之安全分析。

(6) 大部分之 PRA 計畫均採用 Fault Tree Analysis ( 與 Event Tree Analysis 配合使用 ) 。

General Description

•Fault Tree Analysis (FTA) is a deductive reasoning technique that focuses on one particular accident event.

•The fault tree itself is a graphic model that displays the various combinations of equipment faults and failures that can result in the accident event.

•The solution of the fault tree is a list of the sets of equipment failures and human/operator errors that are sufficient to result in the accident event of interest.

•The strength of FTA as a qualitative tool is its ability to break down an accident into basic equipment failures and human errors. This allows the safety analyst to focus preventive measures on these basic causes to reduce the probability of an accident.

Purpose: Identify combinations of equipment failures and human errors that can result in an accident event.

When to Use:

a. Design: FTA can be used in the design phase of the plant to uncover hidden failure modes that result from combinations of equipment failures. b. Operation: FTA including operator and procedure characteristics can be used to study an operating plant to identify potential combinations of failures for specific accidents.

Type of Results: A listing of sets of equipment and/or operator failures that can result in a specific accident. These sets can be qualitatively ranked by importance.

Nature of Results: Qualitative, with quantitative potential. The fault tree can be evaluated quantitatively when probabilistic data are available.

Data Requirements:

a. A complete understanding of how the plant/system functions. b. Knowledge of the plant/system equipment failure modes and their effects on the plant/system.

Staffing Requirements

• One analyst should be responsible for a single fault tree, with frequent consultation with the engineers, operators, and other personal who have experience with the systems/equipment that are included in the analysis.

• A team approach is desirable if multiple fault trees are needed, with each team member concentrating on one individual fault tree. Interactions between team members and other experienced personnel are necessary for completeness in the analysis process.

Time and Cost Requirements: Time and cost requirements for FTA are highly dependent on the complexity of the systems involved. Modeling a small process unit could require a day or less with an experienced team. Large problems, with many potential accident events and complex systems, could require several weeks even with an experienced analysis team.

FRC

TIS)

MATERIAL A

FLOW CONTROLVALVE

MATERIAL B

FLOWCONTROLLER

EMERGENCYSHUT-OFFVALVE

HIGH TEMP INTERLOCK

BURSTING DISC

圖 1 批式反應系統

REACTOR EXPLOSION

RUNAWAYREACTION

BURSTINGDISC FAILS

FLOW CONTROLLOOP FAILS

TEMPERATUREINTERLOCK FAILS

FLOWCONTROLLER

FAILS

THERMO -COUPLE &

RELAY FAIL

VALVESTICKSOPEN

VALVE FAILSTO CLOSE

圖 2 批式反應器爆炸失誤樹分析

3.6 10-4 F/YR

1.8 10-2 F/YR

0.3 F/YR

0.2 F/YR 0.1 F/YR

0.02 Probability of failure on demand

0.05 Probability of failure on demand

0.01 Probability of failure on demand

0.06

Gate Symbol Gate Name Causal Relation

1

2

3

AND gate

OR gate

Inhibit gate

Output event occurs if all input events occursimultaneously.

Output event occurs if any one of the input eventsoccurs.

Input produces output when conditional event occurs.

Table 2.1 Gate Symbols

Gate Symbol Gate Name Causal Relation

4

5

6

PriorityAND gate

ExclusiveOR gate

mOut ofn gate

(voting orsample gate)

Output event occurs if all input events occur in theorder from left to right.

Output event occurs if one,but not both, of the input events occurs.

Output event occurs if m out of n input events occur.

Table 2.1 Gate Symbols（續）

m

n inputs

Event Symbol Meaning of Symbols

1

2

3

Basic event with sufficient data

Undeveloped event

Event represented by a gate

Table 2.2 Event Symbols

Circle

Diamond

Rectangle

Event Symbol Meaning of Symbols

4

5

6

Conditional event used with inhibit gate

House event. Either occurring or not occurring

Transfer symbol

Table 2.2 Event Symbols

Oval

House

Triangles

Classification of Failures

• Sudden versus gradual failures• Hidden versus evident failures• According to effects (critical, degraded or

incipient)• According to severity (catastrophic, critical,

marginal or negligible)• Primary failure, secondary failure and

command fault

Component Failure Characteristics

• Primary failure: component within design envelope (natural aging)

• Secondary failure: excessive stresses (neighboring components, environment, plant personnel)

• Command fault: inadvertent control signals or noises (neighboring components, environment, plant personnel)

COMPONENT FAILURE CHARACTERISTICS

Primary Faults and Failures

Primary faults and failures are equipment malfunctions that occur in the environment for which the equipment was intended. These faults or failures are the responsibility of the equipment that failed and cannot be attributed to some

external force or condition. • 本身毛病 • 沒有超出負荷 • 需修理

Secondary Faults and Failures

Secondary faults and Failures are equipment malfunctions that occur in an environment for which the equipment was not intended. These faults or failures can be attributed to some external force or condition.

• 非本身毛病 • 超出設計負荷 • 需修理

COMPONENT FAILURE CHARACTERISTICS

Command Faults and Failures

Command faults and failures are equipment malfunctions in which the componentoperates properly but at the wrong time or in the wrong place. These faults orfailures can be attributed to the source of the incorrect command.

• 非本身毛病 • 沒有超出設計負荷 • 不需修理

when the exact failure mode for a primary or secondary failure is identified, and failure data are obtained, primary and secondary failure events are the same as basic failures and are shown as circles in a fault tree.

[ EXAMPLE ]

1) Primary

2) Secondary

3)Command

• Tank rupture due to metal fatigue

• Fuse is opened by excessive current

• Earth quake cracks storage tanks

• Pressure vessel rupture because some faults external to the vessel

causes the internal pressure to exceed the design limits.

• Power is applied inadvertently to relay coil.

• Noisy input to safety monitor randomly generate spurious shutdown

signals.

Boolean Algebra

• AND: all the inputs are required to cause the output.

A

AND

B C

A

AND

C B

=

Boolean Algebra

• Inclusive OR: any input or combination of inputs will cause the output.

A

OR

B C

A

OR

C B

=

Boolean Algebra

A

EOR

B CExclusive OR: B or C but not both cause the the output A.

Boolean Algebra

EOR OR= =

A

B

A

B

A

B

Boolean Algebra

A

AND

B AND

A

AND

B D

=

C D

C

Boolean Algebra

A

OR

B OR

A

OR

B D

=

C D

C

Boolean Algebra

A

EOR

B EOR

A

“EOR”

B D

=

C D

C

ODD COMBINATIONS

Boolean Algebra

A

AND

B OR

A

OR

AND AND

=

C DB C B D

Boolean Algebra

A

OR

B L

A

OR=

(very low probability)

B

Boolean Algebra

A

AND

B L

A

AND

C L

=

(very low probability)

(very low probability)

(very low probability)

Boolean Algebra

A

OR

B AND

A

OR=

C L

B

(very low probability)

Boolean Algebra

A

AND

B H

A

=

(very high probability)

B

Boolean Algebra

A

OR

B H

A

OR

C H

=

(very high probability)

(very high probability)

(very high probability)

Boolean Algebra

A

AND

B OR

A

=

C H

B

(very high probability)