L10 Event Tree

Quantitative Risk Analysis L09bFall 2013

Event Trees

1

L10 Event Tree

Event Tree Method

• from cause to effect approach• if successful operation of a system depends on an

approximately chronological, but discrete, operation of its units or subsystems– units should work in a defined sequence for operational success

examples?

2

L10 Event Tree

Event Tree Method

3

Breaksmisbehavior

Driver maintainscontrol

Driver losescontrol

No accident

Accident

L10 Event Tree

Event Tree Method

• Event tree analysis (ETA) is an inductive procedure (compared to the deductive FTA) to diagram events that can progress from an initiation event and result in outcome events, which can include losses.

• Sequential events diagrammed in an event tree (ET) include hazard guards or mitigation barriers (success or fail) to reduce the probability of event occurrences and outcome losses.

• In addition to event identification, probabilities of intermediate events and outcomes are calculated from the initiating event frequency and other information.

• An ET like a FT is both qualitative and quantitative in representing the system.

4

L10 Event Tree

Event Tree Features

• A horizontal structure beginning with the FT initiating event on the left with events from left to right in time sequence or based on outcome severity. Note the bowtie structure of a joined FT and ET.

• Barrier events shown on top of event tree include component operation (success/fail) subsystem operation, software response, or human actions.

• Success of a barrier results in an upward branch, , and failure results in a downward branch, . (Or, the directions can be opposite.)

• A Boolean expression corresponds to the sequence logic of each scenario with outcome.

5

L10 Event Tree

Event Tree Construction

• Identify initiation event; estimate frequency. Note that a separate ET is developed for each identified initiation event from a FT top event joined to an ET initial event to form a Bow Tie, .

• Identify barriers to reduce the probability of event progression, and estimate probabilities of success.

• Develop events in time and effect sequence.• Estimate the frequency of the initiating event and the

probabilities of each event tree branch from a base event data or from a fault tree.

• Calculate probabilities/frequencies for scenario outcomes; Estimate consequences.

6

L10 Event Tree

ExampleNuclear Reactor Protection System (NRPS)

• Event heading: protective barriers– Reduce probability of loss outcomes– Mitigate consequences of loss outcomes

• Each branch point: success or failure (total probability = 1)

• System barriers– RP (reactor protection): shutdown– ECA, ECB: emergency coolant, short term (post shutdown

radioactive decay)– LHR: emergency coolant, long term

7

L10 Event Tree 8

ExampleNuclear Reactor Protection System (NRPS)

coolantreactor

shut downpipe break

A

BC

D

E

coolant coolant

L10 Event Tree

ET Event Probabilities

• How can the event probabilities in the ET be obtained?– Base events for which data are available, or– Top events of fault trees

9

L10 Event Tree

for the NPRS FT for each ET Event

10

A

a

B

∪

∩b

c d

C

∪

e d

D

∪

∩c

e h

Write logic expressions for top event occurrences:

List the cut sets of base events for each fault tree:

Identify the base events for which data are available.

L10 Event Tree

for the NPRS Evaluation

11

Logic for A, B, C, D assumingindependenceand REA:

A = aB = b + c·dC = e + dD = c + e·h

Scenario 5 logic:

A, initiating event; B, shutdown; C, cooling, D, cooling

A B C D

Boolean expression and reduction:

L10 Event Tree

for the NPRS Evaluation

12

Boolean expression and reduction:

repeat the calculations

A B C D

State ET minimum event sets of Scenario 5:

L10 Event Tree

for the NPRS Evaluation

13

Probability of Scenario 5 from logic expression:

Pr(A B C D)

Event sets of Scenario 5:

(a,b,c,e,h), (a,b,c,d ,e), (a,b,d,e,h)

L10 Event Tree

for the NPRS Evaluation

14

Assumption made for OR terms?

Reduce probability expression to calculate Pr using failure probabilities of the base events, a, b, c, d, e, h.

L10 Event Tree

Pumping System (PS1)Flowchart

15

Distinct events: AC, S, and PS to be placed on an ET in order of consequence severity, which is ?

AC: power sourceS: sensing & controlPS: pumping system

L10 Event Tree

Pumping System (PS1)Event Tree for

16

AC failure causes failure of S and PS: place 1st in heading.S failure causes PS failure: place 2nd.PS failure: place 3rd in sequence.

Each event is subject to FTA unless…?

L10 Event Tree

Pumping System (PS1)Fault Trees

17

• Develop an event tree considering only AC and pump failures. Use “sink is low” as the initiating event.

• Component D, “replicated event,” plays 2 different roles, e.g., signal to turn on ac power and start the pump.

• Assume A, B, C, D, F events are independent.

Cut sets?

L10 Event Tree

Pumping System (PS1)Event Tree 2

18

1st

Outcomes

L10 Event Tree

Pumping System (PS1)Event Tree 2

19

Logic for Outcome 2:

ac = A + B + C·D

What assumptions?

Recall cut sets for ac: (A), (B), (C, D)

Cut sets for P: (D,F)

P = D·F (if independent)

Express ET events in terms of base components

L10 Event Tree

Pumping System (PS1)Event Tree 2

20

in terms of base events

L10 Event Tree

Pumping System (PS1)Event Tree 2

The failure Outcome 3 is represented by

= I(A + B + C•D)which includes the initiating event I (low sink level AND ac failure).

21

L10 Event Tree

Pumping System (PS1)Frequency

The frequency of each scenario and the frequency of system failure are calculated from the initial event frequency and from failure probabilities of the base components

f(system failure) =System failure frequency in terms of base events:

22

(obtained through Boolean reduction)

Scenario 3 Scenario 2

Scenario 3 Scenario 2

L10 Event Tree

Pumping System (PS1)Frequency

• Recall from the general Boolean expression for 3 events linked by OR,

A B C = A + B + C – AB – AC – BC + ABC

• Need base event data to calculate the pumping system failure frequency =

23

• High probabilities: joint function general expression

• Low probabilities: REA approximation

Scenario 2Scenario 3

Event sets: (I,A), (I,B), (I,C,D), (I,A,B,C,D,F)(IA +IB, + ICD)

L10 Event Tree

Pumping System (PS1)Frequency

24

Assume 2 s.d. in these data:

Note frequency time unit.

L10 Event Tree

Pumping System (PS1)Failure Frequency

• The system failure frequency =

= 0.2136/month ~ 0.21/month (2 significant digits)

25

Total frequency of system failure:

Ave. time to system failure = 1/(0.21/month) = 4.8 months

Scenario 3

Scenario 2

L10 Event Tree

ETA Summary, Strengths

• Represent ET event sequences following an initiating (upset) event and additional events each modeled in a FT (using base event data)

• Analyze hazard barriers and activation sequences designed to respond to system demand and reduce Pr or mitigate outcomes.

• Evaluate the need for improved procedures and more effective and more nearly independent barriers to contain hazards

26

L10 Event Tree

ETA Summary, Limitations

• Only one initiating event is incorporated in an event tree (also a strength). An ET must be developed for each identified initiation event.

• Binary states (success/fail) of events.• Acts of omission are not included.• Not a systematic method to identify system dependencies

but is an initial method to identify and analyze outcomes of events following I (an initiation event).

27

L10 Event Tree

HOT OIL HEATING SYSTEM

Hot Oil Heating SystemEvent Tree and Bow Tie Application

28

L10 Event Tree

Hot Oil Heating System

29

Initiating event

L10 Event Tree

ET: Consequence Probabilities

• Consequences of heating coil rupture depends on hazards, initiation events, scenarios following initiation events.

• Use an event tree (ET) to estimate probabilities and severities of scenario outcomes for each initiation event.

• For a top event frequency of heater coils overheating and rupturing = 0.0212/yr, similar outcomes are grouped together, as shown below.

30

L10 Event Tree

Heating Coil Overheating Outcome Frequencies and Severities

31

Ex application: If the probability of fatal burns to operator is estimated to be 5 %, the operator fatal accident frequency is (0.00034/yr)x(0.05) = 1.7x10-5/yr.

/Severity

(Tweeddale, 2003)

L10 Event Tree

EVENT PROPAGATION AND PRECURSOR EVENTS

Event Propagation and Precursor Events

32

L10 Event Tree

References

• Kaplan, S., “On the Inclusion of Precursor and Near Miss Events in QRA: A Bayesian Point of View and a Space Shuttle Example,” Reliability Engineering and System Safety, 27, 103–115, 1990 (Kaplan, 1990)

• Corcoran, W.R., “Defining and Analyzing Precursors,” in J.R. Phimister, et al, ed., Accident Precursor Analysis and Management, National Academy of Engineering, The National Academy Press, 2004 (Corcoran, 2004)

• Dillon, R.L. and C.H. Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning,” Management Science, 54(8), 2008, pp. 1425–1440 (Dillon, 2008)

33

L10 Event Tree

Events Preceding Upsets

• Do upsets occur through preceding events, e.g., can preceding events influence the occurrence of adverse events?

• Do random failures occur spontaneously by themselves without precursors?

• If not and if there are precursors to adverse events, why not consider actions to reduce the likelihood of their occurrence?

34

L10 Event Tree

Precursors

• Root Cause Analysis and Corrective Action after Identification of a Precursor Event to Prevent a Consequential Event

35

Near miss

L10 Event Tree

Scenarios from an Initiating Failure

• Each path through the tree is a scenario that progresses from an initiating event, such as , to an end state.

36

c

c

L10 Event Tree

Scenario Branch Point Model

kj fk

j j

37

j

Frequency of scenarios through branch point j

fkj

k 1

N

1Split fraction fkj

kj

j

A branch point j emerges with a frequency , which can branch to 2 or more outgoing branches each with a fraction of incoming scenarios that continue along that branch, . So the outgoing frequency of the kth branch is .

fkj

f1j

f2j

fNj

k 1

k 2

k

k N

j

fkj

kj

L10 Event Tree

Scenario Frequency

• The frequency of a particular scenario through the tree is the product of the initiating event frequency for that scenario and the product of all split fractions along the particular scenario path.

• Split fractions can be in terms of parameters such as ROCOF, λi , (unconditional) failure rates of system components or of humans.

38

L10 Event Tree

Simplest Scenario with Precursor Event

m (1 f)c

39

h fc

cIniatiating Event

Near Miss

Hit

f

1 – f

Split fraction f = hc

A precursor event emerges with an initiating event of frequency , which can branch to a hit (failure) with probability f (split fraction) or to a near miss with probability 1–f.

c

L10 Event Tree

Near Misses as Near Failures to Inspire Actions to Lower Risk

• Note that the effect of observed near misses is to show an unidentified failure scenario, and that the total risk level is higher than originally estimated.

• Therefore, the near-miss acts more like a failure than a success, as shown in the previous figures.

• Instead of taking action to make adjustments, personnel often conclude^ that because a system upset did not occur it is not likely to occur, and therefore they interpret the near miss as more of a success and accept a higher risk or they are inured to the risk as shown by Dillon and Tinsley.

40

L10 Event Tree

Incident Precursors

• Precursors include procedure infractions and compromises based on obsolete ‘rules of thumb’ or other inappropriate heuristics.

• The difference in occurrence rates among levels of adverse severities of major upsets, near misses, compromises, and infractions can be categorized in levels ~ a factor of 10 apart.

• Causes of events at all levels is ~ same.• Therefore, root cause analysis of precursors and

responses to precursors can and do reduce incident rates and incident severities.

41

L10 Event Tree

Event Occurrence Pyramid

42

L10 Event Tree

Case Study

• from Guidelines – Fault Tree p315 (check ECRA our example)– Event Tree…. p327

43