
Probabilistic Risk and Safety Analyses for Process Plants and their Areas of Application

Ulrich Hauptmanns

Innovation and Technical Progress: Benefit Without Risk?

11-13 September 2006, Ljubljana, Slovenia

Deterministic analyses - Probabilistic analyses

- Design of plants has traditionally been deterministic.
- Origin: the way of thinking of classical physics, in which the state of a system at a certain point in time determines its future states.
- This is possible in the macroscopic world but not applicable in quantum physics, which is probabilistic.

Example for the transition from the deterministic to the probabilistic approach

- Flight of a bullet: the point of impact on the ground can be predicted if the direction of flight and the initial speed are known and air resistance is neglected.
- If instead we deal with a fragment from an explosion, the direction of flight and the speed can only be predicted on average, and only if experience from the past is available.
- Direction and speed of flight are then stochastic (random) variables: they take specific values with certain probabilities and are therefore described by probability distributions (derived from experience).
- To build a model, differential equations with stochastic initial and boundary conditions are used.
- Instead of a single point of impact, a probability distribution of impact points is obtained.
- The use of average values alone implies a loss of information (e.g. a maximum flight distance of 40.8 m).

Probabilistic result

Figure: cumulative probability (0 to 1) of the flight range in m (0 to 90 m); marked on the curve are the 5th centile, the median, the expected value and the 95th centile.
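The following Monte Carlo calculation is an added example, not part of the talk: it carries the bullet-versus-fragment example through in code. The deterministic range formula is the textbook one without drag; the distributions of speed and elevation angle and their parameters are constructed assumptions, chosen so that the deterministic calculation with mean inputs lands near 40 m.

```python
"""Monte Carlo version of the bullet-versus-fragment example (added, not from the talk).

Deterministic model, air resistance neglected: range R = v^2 sin(2 theta) / g.
Giving v and theta probability distributions instead of fixed values turns the
single impact point into a distribution of impact points, from which centiles
and the expected value are read off as in the figure. Distributions and their
parameters are constructed assumptions: v ~ N(20 m/s, 2 m/s),
theta ~ N(40 deg, 5 deg) clipped to (0, 90) deg.
"""
import math
import random
import statistics

G = 9.81  # gravitational acceleration, m/s^2


def deterministic_range(v, theta_deg):
    """Flight range of a point mass launched at speed v and elevation theta (no drag)."""
    return v * v * math.sin(2.0 * math.radians(theta_deg)) / G


def sample_ranges(n=20000, v_mean=20.0, v_sd=2.0, th_mean=40.0, th_sd=5.0, seed=1):
    """Draw n (v, theta) pairs from the assumed distributions and map each to a range."""
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    ranges = []
    for _ in range(n):
        v = max(0.0, rng.gauss(v_mean, v_sd))
        theta = min(89.9, max(0.1, rng.gauss(th_mean, th_sd)))
        ranges.append(deterministic_range(v, theta))
    return ranges


def centile(sorted_values, p):
    """p-th centile by the nearest-rank method on an already sorted list."""
    k = math.ceil(p / 100.0 * len(sorted_values)) - 1
    return sorted_values[max(0, min(len(sorted_values) - 1, k))]


def summarize(ranges):
    """The quantities marked in the 'Probabilistic result' figure, plus the
    single value the deterministic calculation with mean inputs would give."""
    s = sorted(ranges)
    return {
        "p5": centile(s, 5),
        "median": centile(s, 50),
        "expected": statistics.fmean(s),
        "p95": centile(s, 95),
        "max": s[-1],
        "deterministic_mean_inputs": deterministic_range(20.0, 40.0),
    }


if __name__ == "__main__":
    for name, value in summarize(sample_ranges()).items():
        print(f"{name:>26}: {value:6.1f} m")
```

The point the figure makes is visible in the output: the expected value sits close to the deterministic result for mean inputs, while the 95th centile and the maximum lie well beyond it. A design that uses only the average throws that tail away.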

Example for the transition from the deterministic to the probabilistic approach (continued)

- If, instead of a bullet, our concern is the fragments after a tank rupture, then additionally the mass, the geometry, the orientation of the flight trajectory and the air resistance are random variables.
- The model then uses stochastic differential equations.

Occurrence of accidents and randomness

- Conclusion: "the behaviour of natural phenomena is governed by chance and does not follow strictly deterministic laws".
- The instant of occurrence of an accident and the associated amount of damage are random variables.
- They can be predicted on average, but not in detail, i.e. not for a concrete case.

Probabilistic modelling

- Probabilistic models are more comprehensive than the conventional deterministic ones.
- However, the models are more complex and require more input data.
- They model phenomena at a higher level; they provide better validated results and hence a firmer basis for decisions.

Quality of analysis

- The quality of an analysis depends on the quality of the models and on that of the corresponding input data.
- A simple model with few but well validated input data may therefore produce more realistic results than a complex model for which sufficiently good input data are not available.

Probabilistic structural mechanics

- So far only continuous variables have been addressed (position, speed etc.), whose evolution is described by stochastic differential equations.
- Considering the stochastic character of, for example, load and strength enables one to predict the probability of failure of structures. This is the basis of the field of probabilistic structural mechanics.

- The structures investigated may, of course, be passive components in process plants, e.g. pipework and tanks.
- Naturally, accident consequences or the design of plants may also be modelled using stochastic equations or stochastic differential equations.

Probabilistic treatment of active components

- Besides passive components, numerous active components, e.g. control valves, form part of a process plant.
- Their lifetimes cannot at present be assessed with the help of differential equations or other physical models. Instead, they are described by a statistical model which furnishes the component failure probability as a function of time.

The component model in probabilistic analyses

- Components are represented by binary variables.
- Their behaviour is characterised by just two states: "functioning" or "failed".
- These are represented by discrete stochastic variables which adopt the two states with a certain probability. That probability depends on the moment in time considered and, for example, on the prevailing maintenance strategy.
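As an added example (not from the talk) of such a component model, the block below computes the time-dependent failure probability of a periodically tested component and shows how the maintenance strategy, here the proof-test interval, enters it. The model (constant failure rate, failures revealed only by the proof test, repair to "as good as new") is the standard one; the failure rate and test intervals are constructed values.

```python
"""Time-dependent unavailability of a periodically tested component (added example).

The component model of the talk is a binary variable, 'functioning' or 'failed',
whose failure probability depends on the time considered and on the maintenance
strategy. The standard statistical model used here: constant failure rate lambda,
failures revealed only by a proof test every T hours, repair returns the component
to 'as good as new'. The numerical values are constructed.
"""
import math


def unavailability_at(t, lam, test_interval):
    """q(t) = 1 - exp(-lambda * tau), tau = time elapsed since the last proof test."""
    tau = t % test_interval
    return 1.0 - math.exp(-lam * tau)


def mean_unavailability(lam, test_interval, steps=10000):
    """Time average of q(t) over one test interval, by mid-point integration."""
    dt = test_interval / steps
    total = sum(unavailability_at((i + 0.5) * dt, lam, test_interval) for i in range(steps))
    return total * dt / test_interval


def mean_unavailability_exact(lam, test_interval):
    """Closed form of the same average: 1 - (1 - exp(-lambda T)) / (lambda T)."""
    x = lam * test_interval
    return 1.0 - (1.0 - math.exp(-x)) / x


def mean_unavailability_approx(lam, test_interval):
    """First-order approximation lambda T / 2, valid while lambda T << 1."""
    return lam * test_interval / 2.0


def compare_strategies(lam, intervals_h):
    """Mean unavailability of the same component under different test intervals."""
    return {T: mean_unavailability_exact(lam, T) for T in intervals_h}


if __name__ == "__main__":
    LAM = 1e-5  # failures per hour (constructed value for a control valve)
    for T, q in compare_strategies(LAM, (720, 2190, 4380, 8760)).items():
        print(f"test every {T:5d} h: mean unavailability {q:.2e} "
              f"(approx. {mean_unavailability_approx(LAM, T):.2e})")
```

The mean unavailability is what a fault tree later consumes as the basic-event probability; halving the test interval roughly halves it, which is exactly the dependence on the maintenance strategy the slide mentions.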

Risk and safety analyses for technical installations

- Accidents in technical installations are rare events.
- Their risk can therefore generally not be obtained from retrospective statistics in order to "predict" the future, as is done, for example, when the expected numbers of future traffic accidents or flu cases are assessed.
- Instead, risk is estimated by decomposition into details.

Schematic of a risk assessment

Figure: schematic of a risk assessment.

Steps in assessing risk

1. Event sequences
2. Characteristics
3. Exposure sequences
4. Damage and risk

First step "Event sequences"

- "Event sequences": generation of conceivable sequences of events, also called scenarios, and assessment of the corresponding expected frequencies of their occurrence.
- Example: release of chlorine following a pipe rupture caused by overpressure, with an expected frequency of 10^-6 yr^-1.
- Starting points: initiating events, which in general are failures of operational components (in the example: component failure caused by overpressure) or human error.

Second step "Characteristics"

- "Characteristics": initial and boundary conditions for assessing the consequences of an event sequence for employees and the public (example: leak size 10 cm^2, height of release 10 m).
- The boundary conditions are stochastic in nature, i.e. at most the probability or expected frequency of occurrence of the aforementioned leak can be indicated.
- As a rule, this probability is not equal to 1, as is assumed in the deterministic approach. Other leak sizes and locations are, of course, possible.

Third step "Exposure sequences"

- "Exposure sequences" describes how the harmful agent (in the above case chlorine) affects the object to be protected, e.g. people.
- Example: dispersion calculation with the objective of determining how many people in the surroundings of the point of release are exposed, for how long, and to which concentrations of chlorine.
- Measures such as staying indoors or evacuation may be accounted for in this context.

Fourth step "Damage and risk"

- "Damage and risk" addresses in the first place the damage, i.e. the effect of the accident (example: x fatalities following chlorine exposure, y cases of grave chlorine-induced acne).
- In order to assess the risk, the amount of damage and its expected frequency of occurrence are combined (example: x · 10^-6 yr^-1 fatalities following the chlorine release, y · 10^-6 yr^-1 cases of grave chlorine-induced acne).

Methods and data requirements

- Risk assessments are complex.
- A large number of different models have to be used; they require a substantial amount of input data, which are often difficult to obtain.
- For the analysis of the systems of the technical installation, which is carried out using fault and event trees, mainly reliability data for technical components and human error probabilities are required.

Accident consequences

- The assessment of accident consequences requires numerous phenomena to be modelled, such as the discharge of fluids (including two-phase and multi-component flow), atmospheric dispersion or heat radiation from fires, with their corresponding input data.
- Additionally, relations are needed which relate the intensity of exposure of people or the environment to probabilities for the occurrence of certain amounts of damage.
- This is often done using so-called probit equations ("probit" = probability unit).
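The block below is an added example, not part of the talk, that carries the four steps listed above (event sequence, characteristics, exposure sequence, damage and risk) through for the chlorine scenario and uses a probit relation for the last step. The Gaussian plume centreline formula and the probit form are standard; the sigma coefficients, the probit constants a, b, n, the source term, the wind speed and the population table are all constructed placeholders and must not be read as chlorine data.

```python
"""The four steps of a risk assessment carried through for one scenario (added example).

The structure follows the four steps of the talk; every model and number below is
a constructed assumption, not data from the talk:
  1. Event sequences: chlorine release after a pipe rupture, expected frequency f.
  2. Characteristics: source term (mass flow Q at ground level) for the leak.
  3. Exposure sequences: ground-level centreline concentration of a continuous
     release from a Gaussian plume, C = Q / (pi u sigma_y sigma_z), with power-law
     sigma_y, sigma_z whose coefficients are placeholders (a real study would take
     them from a validated dispersion scheme); exposed persons from a population table.
  4. Damage and risk: probit relation Y = a + b ln(C^n t), P = Phi(Y - 5); the
     constants a, b, n are hypothetical, not published chlorine values.
"""
import math


def normal_cdf(x):
    """Standard normal distribution function Phi(x)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def plume_concentration(q_mg_s, u_m_s, x_m, sy=(0.22, 0.9), sz=(0.20, 0.85)):
    """Ground-level centreline concentration (mg/m^3) of a continuous ground release.
    sigma_y = sy[0] * x**sy[1], sigma_z = sz[0] * x**sz[1]: placeholder coefficients."""
    sigma_y = sy[0] * x_m ** sy[1]
    sigma_z = sz[0] * x_m ** sz[1]
    return q_mg_s / (math.pi * u_m_s * sigma_y * sigma_z)


def probit_fatality_probability(conc_mg_m3, minutes, a=-10.0, b=1.0, n=2.0):
    """Probability of death from the probit relation; a, b, n are assumptions."""
    if conc_mg_m3 <= 0.0 or minutes <= 0.0:
        return 0.0
    y = a + b * math.log(conc_mg_m3 ** n * minutes)
    return normal_cdf(y - 5.0)


def assess(frequency_per_year, q_mg_s, u_m_s, exposure_min, population):
    """population: list of (distance_m, persons) along the plume centreline.
    Returns expected damage per event and the risk as damage times frequency."""
    by_distance = []
    expected_fatalities = 0.0
    for x, persons in population:
        c = plume_concentration(q_mg_s, u_m_s, x)
        p = probit_fatality_probability(c, exposure_min)
        by_distance.append((x, c, p))
        expected_fatalities += persons * p
    return {
        "expected_fatalities_per_event": expected_fatalities,
        "risk_fatalities_per_year": frequency_per_year * expected_fatalities,
        "by_distance": by_distance,
    }


# Constructed inputs: 1 kg/s chlorine for 10 min, 3 m/s wind, three groups of people.
FREQUENCY = 1e-6          # yr^-1, from step 1
Q_MG_S = 1.0e6            # mg/s, from step 2
WIND_M_S = 3.0
EXPOSURE_MIN = 10.0
POPULATION = [(100.0, 5), (300.0, 50), (1000.0, 500)]

if __name__ == "__main__":
    r = assess(FREQUENCY, Q_MG_S, WIND_M_S, EXPOSURE_MIN, POPULATION)
    for x, c, p in r["by_distance"]:
        print(f"{x:6.0f} m: C = {c:8.1f} mg/m^3, P(death) = {p:.4f}")
    print(f"expected fatalities per event: {r['expected_fatalities_per_event']:.2f}")
    print(f"risk: {r['risk_fatalities_per_year']:.2e} fatalities per year")
```

Note where the stochastic boundary conditions of step 2 enter: a real assessment runs this chain for each leak size, release height and weather class with its own probability and sums the results, rather than for the single leak used here.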

Scope and depth of risk analyses

- The scope and the depth of probabilistic risk analyses (PRA) may vary substantially.
- If only the technical systems of the plant are analysed, we perform a probabilistic safety analysis (PSA) or quantitative safety analysis (QSA), since the damage is not assessed.
- This is the most work-intensive part of a risk analysis.
- The focus then lies on detecting weaknesses in the safety design of a plant in order to identify areas for improvement of plant safety.

Simplified methods of analysis

- Risk-based analysis
- LOPA (layer of protection analysis)
- SQUAFTA (semi-quantitative fault tree analysis)

Risk-based analysis

- Emphasis is placed on accident consequences; the analysis of plant systems is performed in a "lumped" fashion.
- This approach is used, for example, in the Netherlands in the context of licensing process plants.

Layer of protection analysis (LOPA)

- All steps of a risk analysis are performed without much detail ("screening" analysis).
- The underlying idea is event tree analysis.
- Initiating events (e.g. failure of a coolant pump) are described by generic failure rates.
- The same applies to the unavailabilities of the barriers which are to cope with the initiating events (e.g. limiting and trip systems).

- The barriers must be independent of one another.
- In order to assess the risk, the expected frequencies of occurrence of undesired events caused by barrier failure (e.g. release of hazardous materials) are combined with categorised accident consequences.
- LOPA provides an order-of-magnitude estimate of the risk. It is not meant to replace detailed analyses.
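The following is an added example, not from the talk, of the LOPA calculation just described: the initiating event frequency is multiplied by the generic PFDs of the independent layers and the result compared with a tolerable frequency per consequence category. The coolant-pump scenario, the layers, their PFDs and the tolerable frequencies are constructed generic values. A second function, a beta-factor style model that is my assumption and not part of LOPA proper, shows what happens to the estimate when the layers are not in fact independent.

```python
"""LOPA-style screening calculation (added example, not from the talk).

Event-tree idea of LOPA: the expected frequency of the undesired event is the
initiating event frequency times the product of the probabilities of failure on
demand (PFD) of the independent protection layers that have to fail for it to occur.
The result is compared with a tolerable frequency fixed per consequence category.
Initiating event, layers, PFDs and targets are constructed generic values.
The last function shows why the independence assumption matters: a beta-factor
model (an assumption here) for layers sharing a common cause.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float  # probability of failure on demand, generic value


# Constructed tolerable frequencies per consequence category, per year.
TOLERABLE = {"minor": 1e-2, "serious": 1e-4, "catastrophic": 1e-6}


def mitigated_frequency(ie_frequency, layers):
    """Independent layers: the failure branch of the event tree multiplies the PFDs."""
    f = ie_frequency
    for layer in layers:
        if not 0.0 <= layer.pfd <= 1.0:
            raise ValueError(f"PFD out of range for layer {layer.name!r}")
        f *= layer.pfd
    return f


def lopa_gap(ie_frequency, layers, category):
    """Mitigated frequency, ratio to the tolerable frequency, and the PFD an
    additional independent layer would need to close the gap (1.0 if none needed)."""
    f = mitigated_frequency(ie_frequency, layers)
    target = TOLERABLE[category]
    return {"mitigated": f, "target": target, "ratio": f / target,
            "extra_layer_pfd_needed": min(1.0, target / f) if f > 0 else 1.0}


def mitigated_frequency_common_cause(ie_frequency, layers, beta):
    """Beta-factor style model (assumption): a fraction beta of each layer's demand
    failures is shared by all layers, so one shared failure defeats them together.
    Shared part taken as beta times the largest PFD."""
    if not layers:
        return ie_frequency
    independent = 1.0
    for layer in layers:
        independent *= (1.0 - beta) * layer.pfd
    shared = beta * max(layer.pfd for layer in layers)
    return ie_frequency * (independent + shared)


# Constructed scenario: loss of a coolant pump leads to a runaway and a release
# unless the alarm/operator response, the trip system or the relief valve intervenes.
IE_FREQUENCY = 0.1  # coolant pump failures per year (generic)
LAYERS = [
    Layer("high temperature alarm and operator response", 0.1),
    Layer("automatic trip system", 0.1),
    Layer("relief valve", 0.01),
]

if __name__ == "__main__":
    for cat in ("serious", "catastrophic"):
        g = lopa_gap(IE_FREQUENCY, LAYERS, cat)
        print(f"{cat:13s}: {g['mitigated']:.1e}/yr vs target {g['target']:.0e}/yr, "
              f"ratio {g['ratio']:.0f}, extra layer PFD needed {g['extra_layer_pfd_needed']:.2f}")
    f_cc = mitigated_frequency_common_cause(IE_FREQUENCY, LAYERS, beta=0.1)
    print(f"with 10 % common cause between the layers: {f_cc:.1e}/yr")
```

With the constructed numbers the independent calculation gives 10^-5 per year; a 10 % common-cause share between the layers raises it by two orders of magnitude. That is the quantitative content of the caveat in the table of methods at the end of the talk: the multiplication is only valid for barriers that really are independent.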

Semi-quantitative fault tree analysis (SQUAFTA)

- An important obstacle to an extensive use of fault tree analyses for process plants is the dearth of appropriate reliability data.
- The consequence is lengthy and error-prone searches for data.
- The data quality in any case suffers from the fact that data which are not plant-specific cannot reflect important factors such as the type of components, the quality of maintenance etc.

- Therefore generic ranges for reliability data are used.
- These reflect uncertainties which stem, amongst others, from the transfer of data from their plant of origin to another plant.
- Uncertainties are propagated through the evaluation of the fault tree; the result is given in terms of numbers and, additionally, by means of natural-language qualifiers.

- Reliability ranges for typical components of process plants are provided; they are chosen according to the corresponding test intervals by indicating a cardinal number.
- Expected frequencies of occurrence of initiating events and probabilities of human error are treated analogously.

- The advantages of a comprehensive fault tree analysis are obtained at considerably less effort.
- Dependencies are accounted for; neglecting them leads to non-conservative results of the safety analysis.
- The expected frequencies of occurrence may be combined with consequence assessments, for example from LOPA, in order to arrive at an assessment of risk.
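The block below is an added example, not the SQUAFTA method itself, of the idea in the last three slides: basic events carry unavailability ranges instead of point values, the ranges are propagated through a small fault tree by Monte Carlo, and the top event is reported as centiles plus a natural-language qualifier. The tree, the ranges, the log-uniform sampling and the qualifier bands are constructed assumptions; the beta-factor term for the two redundant valves is likewise my assumption, included to show that neglecting the dependency gives a non-conservative result.

```python
"""Fault-tree evaluation with reliability ranges instead of point values (added example).

Each basic event gets a generic range (low, high) for its unavailability instead of
one number. The range is sampled (log-uniformly, an assumption; the talk does not
prescribe the distribution), propagated through the tree by Monte Carlo, and the
top-event result is reported as centiles plus a natural-language qualifier.
Tree, ranges and qualifier bands are constructed:
    TOP = OR(AND(A, B), C)     A, B: two redundant shut-off valves; C: a shared pipe segment.
A beta-factor term (assumption) shows what neglecting the dependency of A and B does.
"""
import math
import random


class Event:
    """Basic event with an unavailability range rather than a point value."""
    def __init__(self, name, low, high):
        self.name, self.low, self.high = name, low, high

    def sample(self, rng):
        return math.exp(rng.uniform(math.log(self.low), math.log(self.high)))


def and_gate(*ps):
    out = 1.0
    for p in ps:
        out *= p
    return out


def or_gate(*ps):
    out = 1.0
    for p in ps:
        out *= 1.0 - p
    return 1.0 - out


def top_event(p, beta=0.0):
    """Top-event unavailability for one set of basic-event values.
    With beta > 0, A and B get a common-cause share beta: the independent part of each
    shrinks to (1-beta)p and a shared failure of beta*max(pA, pB) is added."""
    independent = and_gate((1.0 - beta) * p["A"], (1.0 - beta) * p["B"])
    shared = beta * max(p["A"], p["B"])
    return or_gate(independent, shared, p["C"])


def propagate(events, beta=0.0, n=20000, seed=7):
    """Sample every basic event from its range and evaluate the tree n times."""
    rng = random.Random(seed)
    results = []
    for _ in range(n):
        p = {e.name: e.sample(rng) for e in events}
        results.append(top_event(p, beta))
    results.sort()
    return results


def centile(sorted_values, q):
    k = math.ceil(q / 100.0 * len(sorted_values)) - 1
    return sorted_values[max(0, min(len(sorted_values) - 1, k))]


def qualifier(p):
    """Natural-language band for a probability (constructed bands)."""
    if p < 1e-4:
        return "very unlikely"
    if p < 1e-2:
        return "unlikely"
    if p < 1e-1:
        return "possible"
    return "likely"


def evaluate(events, beta=0.0):
    r = propagate(events, beta)
    median = centile(r, 50)
    return {"p5": centile(r, 5), "median": median, "p95": centile(r, 95),
            "mean": sum(r) / len(r), "qualifier": qualifier(median)}


EVENTS = [Event("A", 1e-3, 1e-2), Event("B", 1e-3, 1e-2), Event("C", 1e-5, 1e-4)]

if __name__ == "__main__":
    for beta in (0.0, 0.1):
        e = evaluate(EVENTS, beta)
        print(f"beta={beta}: 5%={e['p5']:.1e} median={e['median']:.1e} "
              f"95%={e['p95']:.1e} mean={e['mean']:.1e} -> {e['qualifier']}")
```

The spread between the 5th and 95th centile is the part of the result a point-value fault tree would never show; it comes directly from the width of the generic ranges, i.e. from the transfer of data between plants.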

Qualitative and quantitative safety analyses

- Probabilistic safety analyses (PSA) are also called quantitative safety analyses (QSA).
- This does not mean that deterministic safety analyses are merely qualitative. In both cases quantitative investigations are carried out.
- Deterministic analyses are based on deterministic models with fixed (determined) boundary conditions.

- In probabilistic analyses, further-reaching considerations concerning the models and their boundary conditions are made.
- Assumptions in deterministic analyses: all active components of the technical system function with certainty, and the integrity of passive components is assured.
- In probabilistic analyses both statements only hold with a certain probability.

Methods of system analysis

- Probabilistic and deterministic analyses both use the methods of system analysis, which are qualitative (e.g. failure mode and effects analysis or HAZOP).
- Probabilistic analyses mainly use event trees and fault trees.
- The approaches differ in the type of conclusion (e.g. inductive or deductive) and in their degree of detail.

"Qualitative - quantitative"

- All methods are qualitative in the first place.
- Only by assigning probabilities, if the procedure in question allows this, does a method become quantitative.

"Qualitative - quantitative"

Method                              Possibility of quantification
HAZOP                               no
Failure mode and effects analysis   in part and in a global way
Event tree analysis                 yes
Fault tree analysis                 yes

Methods of system analysis

- System-analytical methods enable one to structure existing knowledge and to assess the safety of an installation.
- They raise questions which usually can only be answered by recourse to the technical, physical, chemical and biological foundations of the process in question.
- The answers are contained in the so-called success criteria.

Success criteria

- The qualitative analysis has recourse to results from model calculations or experiments, i.e. to quantitative information.
- Questions such as "will the pipe wall resist a certain thermal and pressure transient?" are raised.
- The answer may be given, for example, on the basis of a dynamic calculation of the time evolution of pressure and temperature and the pertaining fracture-mechanics calculation.
- For further use in the safety assessment it boils down to either "yes" or "no".

Uncertainties

- All engineering calculations are affected by uncertainties.
- The reasons are, on the one hand, the stochastic nature of some of the phenomena involved (aleatory uncertainties) and, on the other, gaps in knowledge (epistemic uncertainties).

The engineer and uncertainties

- The engineer strives to perform calculations which are as reliable as possible.
- Nevertheless, uncertainties cannot be avoided. They are compensated by safety factors.
- They concern the models used as well as their input data.
- Model uncertainties are, at present, only treated in a cursory manner.
- Data uncertainties are usually accounted for, e.g. in probabilistic analyses for nuclear power plants.

Examples of safety factors

Installation              Component        Safety factor
Cable car for materials   Overhead cable   3.0
                          Traction cable   5.0
Pipework                                   1.7

Dealing with uncertainties

- Neglecting uncertainties may lead to faulty bases for decisions on the dimensioning of components and, hence, to components which are too weak.
- Safety factors do not forestall an insufficient design; overdesign is possible as well.
- Uncertainties may be treated more efficiently probabilistically, as is done in PRA and PSA.
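As an added example (not from the talk) of the probabilistic treatment the slide prefers to a bare safety factor, the block below computes the failure probability of a structure from the scatter of load and strength, the load-strength interference of probabilistic structural mechanics introduced earlier. Normal distributions for load and strength are an assumption; the pipework safety factor of 1.7 is taken from the table above, the coefficients of variation are constructed.

```python
"""Failure probability from the scatter of load and strength (added example).

The talk contrasts safety factors with probabilistic treatment of uncertainties.
With load S and strength R taken as independent normal variables (an assumption),
P_f = P(S > R) = Phi(-beta),  beta = (mu_R - mu_S) / sqrt(sigma_R^2 + sigma_S^2).
The same central safety factor mu_R / mu_S (the 1.7 for pipework in the table
above is used) gives very different failure probabilities depending on the
coefficients of variation, which a safety factor on its own does not show.
Numbers are constructed.
"""
import math


def normal_cdf(x):
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def failure_probability(mu_load, cov_load, mu_strength, cov_strength):
    """Returns (P_f, beta) for normal load and strength with given means and
    coefficients of variation (standard deviation / mean)."""
    sd_load = mu_load * cov_load
    sd_strength = mu_strength * cov_strength
    beta = (mu_strength - mu_load) / math.hypot(sd_load, sd_strength)
    return normal_cdf(-beta), beta


def required_mean_strength(mu_load, cov_load, cov_strength, target_pf):
    """Smallest mean strength (hence the smallest central safety factor) that meets
    target_pf, found by bisection; P_f falls monotonically with mu_strength."""
    lo, hi = mu_load, 100.0 * mu_load
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if failure_probability(mu_load, cov_load, mid, cov_strength)[0] > target_pf:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    MU_LOAD, FACTOR = 100.0, 1.7   # pipework safety factor from the table above
    for cov_s, cov_r in ((0.10, 0.05), (0.30, 0.15)):
        pf, b = failure_probability(MU_LOAD, cov_s, MU_LOAD * FACTOR, cov_r)
        print(f"safety factor {FACTOR}, CoV load {cov_s}, CoV strength {cov_r}: "
              f"beta = {b:.2f}, P_f = {pf:.1e}")
    mu_r = required_mean_strength(MU_LOAD, 0.10, 0.05, 1e-6)
    print(f"mean strength for P_f <= 1e-6: {mu_r:.1f} -> implied factor {mu_r / MU_LOAD:.2f}")
```

With small scatter the factor 1.7 is generous (the required strength for a 10^-6 failure probability is noticeably lower, i.e. overdesign); with large scatter the same factor leaves a failure probability of a few per cent (insufficient design). Both cases are hidden by the single number 1.7, which is what "safety reserves are made explicit" means in the next slides.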

- Uncertain quantities are described by probability distributions.
- A distinction between "objective" data and "subjective" probabilities is often made.
- "Subjective" probabilities seem apt for modelling human error, especially when decision processes are involved.

- It makes sense to account explicitly for uncertainties in engineering calculations.
- Apart from the quantifiable uncertainties, unquantifiable uncertainties exist, e.g. forgetting an important accident sequence, different interpretations of the phenomena to be modelled, or even unknown phenomena.

Advantages of accounting for uncertainties

- The information base used becomes broader.
- If the quality of the different input data for treating a problem differs, this fact is propagated through the calculations and reflected in the final result.
- The meaning of safety factors becomes evident; safety reserves are made explicit.
- The credibility of the results is increased.
- Indications are given of areas where models and data should be refined.

Representation of results and their interpretation

- Risks are normally characterised by indicating the frequency of occurrence of an accident and the corresponding amount of damage.
- It is useful to indicate the uncertainty associated with the result.
- A distinction is made between collective (group) risk and individual risk.

Figure: complementary frequency distribution of the expected values for late fatalities in a population of 25 nuclear power plants (DRS-A).

Figure: individual risk of death depending on the distance from the point of release in a process plant; expected value, 5th and 95th percentile; frequency axis 10^-10 to 10^-3 yr^-1, distance axis 0 to 3000 m.

Figure: individual risk (isorisk lines) in the surroundings of a plant.
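The three figures are reproduced in code below as an added example, not from the talk: a list of scenarios is turned into the complementary cumulative frequency distribution F(N) of the collective risk, into the individual risk as a function of distance, and into the radius of an isorisk line. The scenarios are constructed; the exposure step is reduced to a lethal radius with a constant probability of death inside it, a crude stand-in for the dispersion and probit calculation of the third and fourth steps.

```python
"""Collective risk as an F-N curve and individual risk versus distance (added example).

The talk distinguishes collective (group) risk, shown as a complementary cumulative
frequency distribution F(N), from individual risk, shown versus distance or as
isorisk lines. The scenarios below are constructed; the exposure step is reduced
to a lethal radius with a constant probability of death inside it (a crude stand-in
for a dispersion and probit calculation).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float        # expected frequency, per year
    fatalities: int         # N, for the collective risk
    lethal_radius_m: float  # distance within which an exposed person may die
    p_death_inside: float   # probability of death for a person inside that radius


def fn_curve(scenarios):
    """F(N): summed frequency of all scenarios with at least N fatalities, at each
    distinct N that occurs. Plotted log-log this is the F-N curve."""
    ns = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return [(n, sum(s.frequency for s in scenarios if s.fatalities >= n)) for n in ns]


def expected_fatalities_per_year(scenarios):
    """Expected value of the collective risk: sum of frequency x N."""
    return sum(s.frequency * s.fatalities for s in scenarios)


def individual_risk(scenarios, distance_m):
    """Per-year probability of death for a person permanently present at distance_m."""
    return sum(s.frequency * s.p_death_inside
               for s in scenarios if distance_m <= s.lethal_radius_m)


def isorisk_distance(scenarios, level, step=10.0, max_distance=5000.0):
    """Smallest distance (on a grid of `step` m) at which the individual risk no
    longer exceeds `level`: the radius of that isorisk line. None if never reached."""
    d = 0.0
    while d <= max_distance:
        if individual_risk(scenarios, d) <= level:
            return d
        d += step
    return None


SCENARIOS = [
    Scenario("small leak, 10 cm^2", 1e-3, 0, 50.0, 0.1),
    Scenario("pipe rupture, chlorine release", 1e-6, 20, 800.0, 0.5),
    Scenario("tank rupture", 1e-8, 200, 2500.0, 0.9),
]

if __name__ == "__main__":
    for n, f in fn_curve(SCENARIOS):
        print(f"F(N >= {n:3d}) = {f:.2e} /yr")
    print(f"expected fatalities per year: {expected_fatalities_per_year(SCENARIOS):.2e}")
    for d in (0.0, 100.0, 1000.0, 3000.0):
        print(f"individual risk at {d:5.0f} m: {individual_risk(SCENARIOS, d):.2e} /yr")
    print(f"1e-6/yr isorisk line at {isorisk_distance(SCENARIOS, 1e-6)} m")
```

Two points the figures make are visible here: the expected value alone (2.2 · 10^-5 fatalities per year) says nothing about the rare 200-fatality event that the F-N curve shows separately, and the individual risk is a property of a location, so a land-use decision reads off the isorisk radius rather than the collective risk.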

Expected frequency

- A probabilistic safety analysis furnishes the expected frequency of the undesired event, for example the release of a toxic substance.
- The expected frequency is a characteristic measure which is obtained under the assumption that the plant is repaired after the accident and that it is "as good as new" after the repair.

Potential of probabilistic methods for safety assessments

- If the systems of a plant are properly designed, it is assumed that the initiating events which cause design basis accidents are coped with by the plant.
- The related accident sequences correspond to the success paths of the pertinent event trees.
- In that case the systems required to cope with the initiating event work properly. This is basically a deterministic approach.

Extension of the deterministic concept

- The probabilistic analysis provides a quantitative assessment of the probabilities with which the systems installed for coping with the initiating events fulfil their function, and of the probability of coping with the accident.
- Hence, it represents an extension of the deterministic concept, which assumes the correct functioning of all systems required for coping with an accident, i.e. an availability of 1.

- The success paths are supplemented by a number of conceivable event sequences resulting from situations in which one or several safety devices fail.
- They form additional paths of the event tree.
- If the systems are well designed, an accident will evolve with a probability close to 1 along the success paths. The remaining paths are highly improbable.

What does the probabilistic analysis achieve?

- The probabilistic approach complements the deterministic considerations, but cannot replace them.
- It is impossible to provide specific safety systems for each of the multitude of conceivable initiating events.
- The probabilistic analysis reveals to what extent existing safety systems can cope with those initiating events which do not lead to design basis accidents.

- It becomes possible to examine whether the design basis accidents have been chosen properly, i.e. optimally for the design of the safety system, or not.
- The necessity of coping with different accidents may lead to contradictory requirements for the safety system.
- Hence, the probabilistic approach helps to resolve such contradictions, leading to the development of a balanced safety concept.

- In probabilistic analyses the most important uncertainties of the results are quantified.
- Deterministic analyses are also beset by most of these uncertainties but do not normally indicate them.
- Quantitative risk analyses represent a possible addition to the conventional safety assessment procedure. The safety-technological design of a plant may be reconsidered at a more sophisticated level.

- The existing safety concept may be developed further, considering in particular the risk contributions of very rare events with extreme potential for damage.
- Areas for improving the technical systems with the objective of reducing the expected frequencies of accidents are identified, should they exist.
- The impact of modifications is quantified.
- Additionally, important factors of influence on accident consequences are identified. The effectiveness of technical and organisational measures for their reduction can be assessed.

- Risk assessment provides:
  - the structure of accident progression,
  - a quantitative description of damage and an assessment of its expected frequencies of occurrence,
  - those event sequences which decisively contribute to risk,
  - insights into the adequacy of plant design and operational procedures by identifying those parts of the system and those procedures which contribute most to failures.

- Hence, the bases are provided for judging:
  - the safety level of the plant,
  - the safety relevance of new scientific and technological findings or of operational incidents,
  - potentially successful approaches to further improving safety.

Effort and boundary conditions for using probabilistic analyses

- The advantages of risk analyses are counteracted by the considerable effort required for their realisation.
- Therefore, a limitation of the scope of analysis and simplifications of the approach may in some cases be appropriate.
- Potential applications of probabilistic analyses strongly depend on the scope and degree of detail of the investigation.

Types of analysis and areas of application

Detailed risk analysis: investigation of a few representative process plants in order to compare their risk with that of other technical installations.

Risk-based analysis: land-use planning or "screening" analyses (necessary assumptions to be fixed by conventions).

Detailed probabilistic safety analysis: use by the plant operator in order to obtain a comprehensive picture of the safety of the design and operation of his plant. Especially recommendable for plants with a large hazard potential or of novel design. To be applied as well for furthering the state of technology and safety technology.

Semi-quantitative probabilistic safety analysis: the same as "detailed probabilistic safety analysis", yet at reduced effort and with the necessity to accept a certain loss of exactness due to the generic ranges of reliability data used.

Layer of protection analysis: "screening" analyses. Caveat: the assumption of independent safety barriers is often not true in practice.

Conclusions on probabilistic analyses

- They are an excellent tool for the operator to face his responsibilities. He should perform probabilistic analyses "sine ira et studio" for hazardous objects.
- They constitute an additional source of knowledge for the licensing procedure.
- They enable one to treat specific questions such as whether or not to build the north-west landing runway at Frankfurt Airport.
- They should not be used as the basis for granting or denying a licence, because considerable margins of interpretation in modelling and data exist.

Hint

Further information and a bibliography can be found at: www.uni-magdeburg.de/iaut/as