Reliability Engineering 16 (1986) 3-38

The Propagation of Faults in Process Plants: 1. Modelling of Fault Propagation

B. E. Kelly and F. P. Lees
Department of Chemical Engineering, Loughborough University of Technology, Loughborough, Leicestershire, Great Britain

(Received: 24 May 1985)

ABSTRACT

A common feature of many of the techniques introduced in recent years for the identification and assessment of hazards in process plants is that they deal with the propagation of faults through the plant. Fault propagation has application not only to design methods such as hazard and operability studies and fault trees but also to computer alarm and trip systems. An interactive, computer-based facility has been developed for the investigation of fault propagation in process plants, including fault tree synthesis and alarm system design. This paper describes the modelling of fault propagation, while fault tree synthesis, the interactive computer facility and an illustrative example are described in further, complementary papers.

INTRODUCTION

The chemical industry has faced severe problems of safety and reliability in recent years. It has responded by developing new methods of hazard identification and assessment. These methods are mainly design techniques such as failure modes and effects analysis, hazard and operability (hazop) studies and event trees, fault trees and cause-consequence diagrams, but include also developments on the operational side such as operator fault diagnosis and computer-based alarm systems. In all these activities the representation of the way in which faults propagate through the plant is a common feature.

Reliability Engineering 0143-8174/86/$03.50 © Elsevier Applied Science Publishers Ltd, England, 1986. Printed in Great Britain


It is the purpose of this paper to describe a systematic method of representing the fault propagation structure of process plants. The method has been developed with computer-aided design in mind and is intended for both design and control applications. Its origins were work on process computer alarm analysis, but its fullest development so far has been for fault tree synthesis. This paper describes the modelling of fault propagation, which is the essence of the method. Further, complementary papers (Parts 2-4) describe the fault tree synthesis,[1] the interactive, computer-based fault propagation facility[2] and the fault tree synthesis of a pump system changeover sequence,[3] respectively.

Fault trees are used mainly to discover the paths to failure in complex systems. In such systems there are usually many basic events which are potential causes of failure and many paths to failure. Complexity is therefore inherent in the problem. It is an important objective of the method described that as far as possible this complexity is handled by developing systematic treatments. These can be made the basis of computer programs which generate models and fault trees automatically from a relatively small amount of data provided by the user and which thus protect the user from much of the complexity. The method described here has been taken to the point where it is capable of generating fault trees for realistic examples of industrial plant, but it is not regarded as fully developed and work is continuing on it.

Some of the earlier work on fault propagation by the authors and their colleagues has already been described. In previous papers accounts have been given of work on alarm analysis[4-12] and on fault tree synthesis[6,8,13-17] as well as on related topics such as fault information,[18] fault propagation,[19] fault tree problems,[20-22] alarm handling and display[23-25] and alarm system design.[26] Several of these papers give reviews of other recent work in this field, including fault modelling, fault tree synthesis and alarm and disturbance analysis, and such review is not therefore repeated here. Other work on fault tree synthesis has been described by Fussell,[27,28] by Powers, Lapp and co-workers,[29-37] by Salem, Apostolakis, Okrent and co-workers[38-42] and by Taylor.[43]

OVERALL APPROACH

The overall approach adopted to the modelling of fault propagation, starting with a plant flow diagram, is to decompose the system into its constituent units and then to represent the system by a plant block diagram and a set of context-independent unit models.

System decomposition

The way in which the plant system is decomposed determines the representation ultimately obtained. Decomposition is therefore a crucial stage, but perhaps a rather neglected one. Decomposition may be done at various levels of detail. At one end of the spectrum a coarse decomposition may be used in which the items are broad functional units such as a complete pump set or complete control loop. At the other end the decomposition used may be a fine one in which the elements are detailed items such as the orifice plate and isolation valves on a flowmeter. The advantage of a finer level of detail is that the models tend to have greater generality and can handle more complex faults. The disadvantage is that they are much more complex, so that modelling is more time-consuming and results are more complicated and difficult to interpret. The method developed is capable of handling decomposition to different levels of detail. It is normally used at an intermediate level in which items are units such as the sensor, controller and control valve in a control loop.

A plant system may be decomposed into a set of units or into a set of structures. The former approach is that almost universally used and the latter receives scant attention. It has been shown, however, by Shafaghi et al.[16] that decomposition into a set of structures is possible and may enhance the transparency of the representation. The present method is based on decomposition into a set of units, but some information on structure is also utilised.

System boundaries

Process plants are generally too large and too complex to analyse as complete systems, whether the analysis be manual or computer-aided. Most plants can conveniently be regarded as a set of modular sections, performing such functions as reaction and separation. It is therefore necessary to be able to handle boundaries between plant sections. In the method this is achieved by using dummy heads to represent inputs to the plant section and dummy tails to represent outputs from the section.


Context-independent models

There is an implicit assumption that the unit models are independent of the context in which they are used. It is not always, however, a straightforward matter to ensure that a particular model is truly context-independent. The problem was discussed by Brown and de Kleer.[44]

Sequences

Many processes of interest involve changes of plant state such as startup and shutdown. The method handles such systems by providing a facility which allows the state of the plant to be changed during the analysis.

UNIT MODELS

A fault propagation model for a unit is a representation of the propagation of input process variable deviations into output variable deviations and also of the initiation and termination of these deviations.

Model format

There are various forms of representation. They include the mini-fault trees used by Fussell,[28] the input-output models/digraphs of Powers and Lapp,[33] the decision tables of Salem et al.[38] and of Berenblut and Whitehouse[45] and the transition tables of Taylor.[43] Each form tends to have advantages and disadvantages in relation to the types of information to be represented, the handling of that information and its storage. The present method is based on mini-fault trees. There are two main reasons for this choice. One is that it is well adapted to the automatic generation of models and of fault trees. The other is that it is more economical of storage. These mini-fault trees may be created manually. It is more attractive, however, to generate them automatically. For this it is convenient to provide initial information on the behaviour of a unit in the following three forms:

(1) Propagation equations.
(2) Event statements.
(3) Decision tables.


The decision table form is perhaps the most flexible and is widely used, but if it is used as the primary model, then by definition it must be created manually and is therefore not well adapted to automatic generation. It is also wasteful of storage. In the method the use of decision tables is generally confined to the representation of complex logical relationships for which the other forms are not suitable.

Fault initiation, propagation and termination

Fault propagation modelling involves the representation of the initiation of a fault at one point, its propagation through the plant and its termination at another point. Generally, fault initiation involves the relation

    Initial fault: Process variable deviation

fault propagation the relation

    Process variable deviation: Process variable deviation

and fault termination the relation

    Process variable deviation: Terminal fault

A fault is therefore initiated in a unit which by definition is unhealthy, propagates through a set of units which are generally healthy (although in some units an additional enabling fault is a condition of further propagation), and terminates in a unit which is thereby rendered unhealthy.

In the method fault propagation is modelled by the use of functional equations which describe how an output variable is affected by the input variables. These functional equations are the core of the unit model. They need, however, to be supplemented by additional information on fault initiation and termination and on logical relationships within the unit.

It is important in understanding the modelling process to bear in mind always that the model sought is one which will permit a fault path to be traced back from a top event to a base event. A model should therefore contain all the potential paths, even though in particular applications or circumstances some of these paths will not be valid. In other words, the model gives information that a particular fault path may exist, not that it necessarily will. This latter information is given by the tree.


Propagation equations

A propagation equation is a functional equation which describes the relation between an output variable of a unit and the input and other output variables of the unit. For example, if z is an output variable and if x and y are the two input variables which affect z such that an increase in z is caused by an increase in x or a decrease in y, the functional equation is

    z = f(x, -y)    (1)

Such a functional equation may be derived in two ways. It may be obtained from a full differential equation such as is suitable for numerical computation by reduction to functional form. Alternatively, it may be obtained from a plain language statement by encoding this statement in functional form.

[Fig. 1. Model diagram for pipe: a single pipe unit with inlet port 1 and outlet port 2.]

The use of propagation equations may be illustrated by the equations for a pipe as shown in Fig. 1. The principal propagation equations for this model are

    Q2OUT = f(G1IN, G2OUT)    (2)
    G1IN = f(Q1IN, Q2OUT)     (3)
    T2OUT = f(T1IN)           (4)
    X2OUT = f(X1IN)           (5)

The basis of eqns (2) and (3) is explained below. The pipe model includes other equations, but the set given is sufficient to illustrate the principle. Thus eqn (4) states that the outlet temperature T2OUT is a function of the inlet temperature T1IN and that an increase or a decrease in T2OUT may be caused by an increase or a decrease in T1IN, respectively.
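As an added illustration (this is not code from the paper or its program), the following Python reads propagation equations written in the functional form of eqns (1) to (5), applies the sign rule to obtain the base events of the minitree for each top deviation, and then traces a flow deviation back through two pipe units joined end to end, using the convention explained under Flow information transmission below (flow Q is defined at the outlet of a unit and pressure gradient G at its inlet). The two-pipe plant, the unit names pipe1 and pipe2, the way a joint is represented and the equation-string syntax are this example's own assumptions.

```python
"""Propagation equations, the sign rule and two-way flow/gradient tracing.

Added example; not code from Kelly and Lees. The two-pipe plant, the unit
and port names and the equation-string syntax are constructed here.
"""
import re

EQN_RE = re.compile(r"^\s*(\w+)\s*=\s*f\((.*)\)\s*$")
OPPOSITE = {"HI": "LO", "LO": "HI"}

# Eqns (2)-(5) of the paper, for a pipe with inlet port 1 and outlet port 2.
PIPE_EQUATIONS = [
    "Q2OUT = f(G1IN, G2OUT)",
    "G1IN = f(Q1IN, Q2OUT)",
    "T2OUT = f(T1IN)",
    "X2OUT = f(X1IN)",
]


def parse_equation(text):
    """'z = f(x, -y)' -> ('z', [('x', 1), ('y', -1)])."""
    m = EQN_RE.match(text)
    if not m:
        raise ValueError(f"not a propagation equation: {text!r}")
    lhs, rhs = m.group(1), m.group(2)
    terms = []
    for tok in rhs.split(","):
        tok = tok.strip()
        sign = -1 if tok.startswith("-") else 1
        terms.append((tok.lstrip("+-").strip(), sign))
    return lhs, terms


def minitrees_from_equation(text):
    """{(lhs, top_dev): [(rhs_var, base_dev), ...]} for top deviations HI and LO.

    Sign rule: a positive RHS variable deviates the same way as the top event,
    a negative one the opposite way. The base events sit under one OR gate.
    """
    lhs, terms = parse_equation(text)
    return {
        (lhs, dev): [(var, dev if sign > 0 else OPPOSITE[dev]) for var, sign in terms]
        for dev in ("HI", "LO")
    }


def unit_minitrees(equations):
    """All minitrees of one unit model, keyed by (variable, deviation)."""
    trees = {}
    for eqn in equations:
        trees.update(minitrees_from_equation(eqn))
    return trees


def joint(upstream, downstream):
    """Node aliases for a joint where upstream port 2 feeds downstream port 1.

    Q, T and X are defined at outlets and G at inlets, so each quantity is
    named once in the unit that produces it and once in the unit receiving it.
    """
    return {
        (downstream, "Q1IN"): (upstream, "Q2OUT"),
        (downstream, "T1IN"): (upstream, "T2OUT"),
        (downstream, "X1IN"): (upstream, "X2OUT"),
        (upstream, "G2OUT"): (downstream, "G1IN"),
    }


def trace_back(units, aliases, top):
    """Trace the event (unit, var, dev) back through the plant.

    Returns (visited, boundaries): every event reached, in visit order, and the
    events with neither a producing equation nor a joint to cross, which are
    the section's dummy heads and tails. The Q <-> G cycle inside a unit is
    cut by the visited list.
    """
    trees = {name: unit_minitrees(eqns) for name, eqns in units.items()}
    visited, boundaries, stack = [], [], [top]
    while stack:
        unit, var, dev = stack.pop()
        if (unit, var, dev) in visited:
            continue
        visited.append((unit, var, dev))
        causes = trees[unit].get((var, dev))
        if causes is not None:
            stack.extend((unit, v, d) for v, d in causes)
        elif (unit, var) in aliases:  # an input here: produced across the joint
            other_unit, other_var = aliases[(unit, var)]
            stack.append((other_unit, other_var, dev))
        else:
            boundaries.append((unit, var, dev))
    return visited, boundaries


# Constructed plant section: two pipes in series, pipe1 feeding pipe2.
PLANT = {"pipe1": PIPE_EQUATIONS, "pipe2": PIPE_EQUATIONS}
JOINTS = joint("pipe1", "pipe2")

if __name__ == "__main__":
    for key, base in minitrees_from_equation("z = f(x, -y)").items():
        print(key, "OR", base)
    visited, boundaries = trace_back(PLANT, JOINTS, ("pipe2", "Q2OUT", "LO"))
    for event in visited:
        print("reached", event)
    print("boundaries", boundaries)
```

Tracing Q2OUT LO at the downstream pipe reaches G1IN LO of that pipe, which is G2OUT LO of the upstream pipe, then Q2OUT LO and G1IN LO of the upstream pipe, and stops at Q1IN of pipe1 (the dummy head) and G2OUT of pipe2 (the dummy tail): the alternation of Q and G that the paper describes, in both directions.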

Flow information transmission

The flow-pressure gradient relations are a crucial feature of the method. An important requirement of fault propagation modelling is that there should be transmission of information in both directions. If a fault occurs, it must be possible to follow its effects through the plant both upstream and downstream. In the method this is achieved by modelling the flow-pressure gradient relations in a particular way. The natural formulation of the flow-pressure drop relation is

    Q2OUT = f(P1IN, -P2OUT)    (6)

and this formulation was used originally. However, certain difficulties arise in using this approach and the alternative approach represented by eqn (2) was adopted. The reason is to avoid confusion over the size of absolute pressure deviations necessary to cause no flow and reverse flow. For example, using the absolute pressure approach, high downstream pressure will cause low flow, higher downstream pressure will cause no flow and still higher downstream pressure will cause reverse flow, whereas using the pressure gradient method the causes of these flow deviations are simply the corresponding pressure gradient deviations, namely low, no and reverse, respectively. Normally the pressure gradients G1IN and G2OUT in eqn (2) are coupled through the flow in the pipe and have the same sign, but this is not universally true, since a leak in the pipe can lead to a positive value of G1IN but a negative value of G2OUT. The formulation used in the method is therefore that given in eqns (2) and (3). A further advantage of this formulation is that Q and G then share the same set of deviations.

The use of this pair of propagation equations amounts effectively to a modelling convention. By a further convention the flow Q is always defined at the outlet of the unit and the pressure gradient G at the inlet. It is this convention which ensures the two-way transmission of information. The transmission of flow deviations through a series of units is therefore represented by a series of alternating deviations of Q and G.

Initial events

The propagation equations describe how a fault propagates but not how it is initiated. It is necessary, therefore, to provide further information on the initial events, or faults, which give rise to variable deviations. All initial events are preceded by a single character identifier. The two main initial events are

    F    Fault
    O    Operator action


Initial event statements

Information on initial events is provided in the form of initial event statements. An initial event statement is used to represent the effect of a fault which initiates a sequence of disturbances and takes the form

    Fault: Variable deviation

Examples of faults F are

    F  LK-LP-EN: Q2OUT LO
    F  EXT-HEAT: T2OUT HI

Another form of the information is

    Fault: Intermediate (dummy) event
    Intermediate event: Variable deviation

There are two main reasons for resorting to the use of intermediate faults. One is the need to be able to incorporate logical relations, particularly AND gates (see below). An intermediate event is the device used to satisfy the convention that a minitree should consist of only one level of development below the minitop event. The other reason is the existence of generic faults which may conveniently be represented as intermediate events. An intermediate event may be a named event such as CL-F-HA or an unnamed, or dummy, event such as A(DUMMY). In either case the name used must be one given in the fault list. An example of an intermediate event I is

    I  CL-F-HA: Q2OUT HI

The intermediate event has causes which are initial events F or variable deviations V:

    F  CV-F-HA: CL-F-HA
    V  S3SIG HI: CL-F-HA

An initial event statement is also used to represent the other main type of initiating event, which is an operator action. An example of an operator action O is

    O  HV-D-SH: Q2OUT NONE

An initial event statement is also used to include the effect of a variable deviation for those cases where this cannot be derived from the propagation equations. An example of a variable deviation V is

    V  Q3IN NONE: T2OUT HI

Finally an initial event statement is used for convenience to represent the normal and impossible states. An example of a state S is

    S  NORMAL: G1IN SOME

The initial and intermediate events used are shown in Table 1.

AND gates

A fault tree is a logic diagram and may in general contain both OR and AND gates. In the method most of the OR gates in the minitrees come directly from the propagation equations. The generation of AND gates is less straightforward, but essentially it is done by means of initial event statements and also, in some cases, of decision tables. The general form of an initial event statement containing an AND gate is

    Fault AND Variable deviation: Variable deviation

There may be any combination of event types in the statement and there may be more than one AND gate. As an example consider flow through a hand valve which is normally closed. The initial event statement for the event Q2OUT SOME is

    F  HV-F-OP AND V G1IN SOME: Q2OUT SOME

TABLE 1
Initial and Intermediate Events

A  Abbreviations

Initial event names are constructed from standard abbreviations. These include:

Equipment, etc.
    CL    control loop
    CNT   controller
    CV    control valve
    HV    hand valve
    RV    relief valve
    SEN   sensor
    SEQ   sequence
    SIG   signal line
    STP   setpoint
    TL    trip loop
    TSW   trip switch
    TV    trip valve

Conditions, etc.
    ABRT  aborts
    AF    after
    AT    at
    BLK   blockage
    CB    complete blockage
    D     directed
    DIS   disarmed
    EN    environment
    F     fails
    FN    functional
    FT    fails to
    HA    giving high aperture
    HI    high
    HP    high pressure
    LA    giving low aperture
    LK    leak
    LO    low
    LP    low pressure
    MAN   on manual
    OF    off
    ON    on
    OP    open
    OR    operational
    PB    partial blockage
    SH    shut
    ST    start
    STK   stuck

B  Initial events (by principal units)

General and pipe
    COMP-BLK  complete blockage
    PART-BLK  partial blockage
    LK-LP-EN  leak to low pressure environment
    LK-HP-EN  leak from high pressure environment
    EXT-COLD  external cold source
    EXT-HEAT  external heat source

Other general
    FLOODING  flooding
    FROTHING  frothing
    INT-LK    internal leak

Dummy events
    A(DUMMY)  B(DUMMY)  C(DUMMY)  D(DUMMY)  E(DUMMY)  F(DUMMY)

Pump
    STARTUP   started up
    SHUTDOWN  shut down
    AIR-LOCK  air locked
    CAVITATN  cavitating
    RACING    racing
    IMPLR-F   impeller failed
    FT-ST-UP  fails to start up

Hand valve (normally open)
    HV-D-SH   hand valve directed shut
    HV-F-SH   hand valve fails shut

Hand valve (normally closed)
    HV-D-OP   hand valve directed open
    HV-F-OP   hand valve fails open

Sensor
    SEN-F-HI  sensor fails HI
    SEN-F-LO  sensor fails LO
    SEN-STK   sensor stuck

Controller
    CNT-F-HI  controller fails HI (i.e. fails giving output HI)
    CNT-F-LO  controller fails LO (i.e. fails giving output LO)
    CNT-STK   controller stuck
    CNT-MAN   controller on manual

Control valve
    CV-F-HA   control valve fails giving too high aperture
    CV-F-LA   control valve fails giving too low aperture
    CV-STK    control valve stuck
    CV-F-OP   control valve fails completely open
    CV-F-SH   control valve fails completely shut

Trip switch
    TSW-F-ON  trip switch fails on
    TSW-F-OF  trip switch fails off
    TSW-STK   trip switch stuck in normal position
    TSW-DIS   trip switch disarmed

Trip valve (normally open)
    TV-F-SH   trip valve fails shut
    TV-FT-SH  trip valve fails to shut

Trip valve (normally closed)
    TV-F-OP   trip valve fails open
    TV-FT-OP  trip valve fails to open

Setpoint
    STP-HI    setpoint high
    STP-LO    setpoint low

Signal line
    SIG-CB    signal line completely blocked
    SIG-PB    signal line partially blocked

Relief valve
    RV-F-OP   relief valve fails open
    RV-FT-OP  relief valve fails to open
    RV-UNDSZ  relief valve undersized

Utilities
    POW-LOSS  loss of electrical power
    IAR-LOSS  loss of instrument air
    STM-LOSS  loss of steam
    PAR-LOSS  loss of process air
    ING-LOSS  loss of inert gas
    NIT-LOSS  loss of nitrogen
    CWT-LOSS  loss of cooling water
    PWT-LOSS  loss of process water

Heat exchanger
    FOULING   fouling
    VAP-BLKT  vapour blanketing

Reactor, fixed bed catalytic
    CAT-DETN  catalyst deterioration
    POOR-MIX  poor mixing

Special
    OTH-CAUS  other causes
    TNGPOINT  turning point (maximum, minimum)
    NORMAL    normal state
    IMPOSS    impossible state

C  Intermediate events

Control loop
    CL-F-HA   control loop fails with valve giving too high aperture
    CL-F-LA   control loop fails with valve giving too low aperture
    CL-F-NA   control loop fails with valve giving no aperture
    CL-STK    control loop stuck

Trip loop
    TL-OR-F   trip loop fails giving operational failure
    TL-FN-F   trip loop fails giving functional failure

Sequence
    SEQ-ABRT  sequence aborts
    SEQ-F-AF  sequence fails after
    SEQ-F-AT  sequence fails at

Other gates

Several other types of gate are used in the method. One is an exclusive OR gate for mutually exclusive events (EX-OR gate). Another gate is an OR gate for a set of events only some of which are mutually exclusive (OR* gate). This latter gate is flagged to inform the user but is otherwise treated as a normal OR gate. A third gate is an AND gate for systems where r out of n items must fail for the system to fail (r/n or AND r gate).

Decision tables

As just described, simple logical relations may be handled in the method using an initial event statement. An alternative approach, which is preferable if the logical relations are more complex, is the use of a decision table. As an example of a decision table the relation

    Z = (A AND B) OR (C AND D)    (7)

may be represented by a form of decision table which gives only the successful outcomes. In this example this is a two-row table:

    A   B   C   D   Output
    T   T   *   *   Z
    *   *   T   T   Z

where T = true and * = don't care. If this relation were handled as a set of initial event statements, the statements would be

    I  A(DUMMY): Z
    I  B(DUMMY): Z
       A AND B: A(DUMMY)
       C AND D: B(DUMMY)

Thus the attempt to handle logical relations using this approach tends to generate dummy events and is rather clumsy. The use of decision tables is aimed at avoiding this. In the method a form of decision table is used in which it is assumed that any event which is omitted is a 'Don't care' event. An example of such a decision table is

    V  Q1IN NONE
    V  Q3IN NONE
    T  Q2OUT NONE

where T denotes minitree top event as described below. The effect event Q2OUT NONE occurs when both variable deviations Q1IN NONE and Q3IN NONE occur, regardless of the other variable deviations. Entries in the decision tables may be any type of event.

Mini-fault trees

A propagation equation gives information on the relation between an output variable of the unit and the input and other output variables of the unit. Such a propagation equation may be converted directly into a mini-fault tree, or minitree. The top event, or output, of the tree is usually a deviation of the variable given on the left-hand side (LHS) of the equation. The base events, or inputs, of the tree are deviations of the variables given on the right-hand side (RHS) of the equation. It should be noted that inputs of the tree may include outputs of the unit. If the sign of the RHS variable, or tree input, is positive, it gives rise to a deviation of the same sign in the LHS variable, or output, while if the sign is negative, it gives rise to a deviation of opposite sign in the LHS variable. For example, if the output deviation is LO, the input deviation in the case of an input of positive sign is LO and in the case of a negative sign HI.

As an example consider the minitree for the event Q2OUT LO in the pipe model. The propagation equation is eqn (2). The signs of the two RHS variables are positive and therefore the input deviations which cause this output deviation must also be LO deviations. The minitree is therefore as shown in Fig. 2.

[Fig. 2. Minitree for event Q2OUT LO (partial information only): top event Q2OUT LO with base events G1IN LO and G2OUT LO.]

A minitree derived from a propagation equation may not be complete. It is often necessary to add to it further information. This information is that given in the initial event statements and decision tables. In the pipe example described earlier there are two initial event statements which need to be added. These are

    F  PART-BLK: Q2OUT LO
    F  LK-LP-EN: Q2OUT LO

The minitree then becomes that shown in Fig. 3. With the addition of this further information the minitree is complete.

[Fig. 3. Minitree for event Q2OUT LO (full information): top event Q2OUT LO with base events G1IN LO, G2OUT LO, PART-BLK and LK-LP-EN.]

Thus it is possible to map from a propagation equation to a minitree, but it is not possible to map from a minitree to a propagation equation if the former contains more information than the latter in the form of initial event statements and/or decision tables.

A minitree derived from a propagation equation will contain an OR gate. An AND gate, however, cannot be generated from a propagation equation but only from an initial event statement or decision table. For example, the minitree shown in Fig. 4 is derived from the initial event statement

    F  HV-F-OP AND V G1IN SOME: Q2OUT SOME
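The following Python, added here and not part of the paper or its program, builds a unit model from initial event statements written in the form used above (a type letter F, O, V, S or I before each cause, AND between causes, a colon before the effect) and from decision-table rows in which an omitted entry means don't care. It produces the one-level tabular minitree that the paper gives immediately below, refuses a top event that would need both an OR and an AND gate without an intermediate event, and enumerates minimal cut sets by expanding intermediate events through their own minitrees, which shows that the dummy-event statements and the two-row table of eqn (7) describe the same logic. The statement strings, the row representation and the cut-set routine are this example's own assumptions; the two base events that eqn (2) supplies for Q2OUT LO are entered directly as V statements rather than derived from the equation.

```python
"""Unit model from initial event statements and decision tables.

Added example; not code from Kelly and Lees. Sample statements and the
(A AND B) OR (C AND D) table follow the paper's text; the tabular-form and
cut-set routines and the input syntax are this example's own.
"""
from itertools import product

EVENT_TYPES = ("F", "O", "V", "S", "I")


def parse_event(tok):
    """'F PART-BLK' -> ('F', 'PART-BLK');  'V G1IN LO' -> ('V', 'G1IN LO')."""
    parts = tok.split()
    if len(parts) < 2 or parts[0] not in EVENT_TYPES:
        raise ValueError(f"malformed event {tok!r}")
    if (parts[0] == "V") != (len(parts) == 3):
        raise ValueError(f"V needs 'VAR DEV', other types one name: {tok!r}")
    return parts[0], " ".join(parts[1:])


def parse_effect(tok):
    """'Q2OUT LO' is a variable deviation (a minitop, T); a single name such as
    CL-F-HA or A(DUMMY) is an intermediate event (I)."""
    parts = tok.split()
    if len(parts) not in (1, 2):
        raise ValueError(f"malformed effect {tok!r}")
    return ("T", " ".join(parts)) if len(parts) == 2 else ("I", parts[0])


def parse_statement(line):
    """'F HV-F-OP AND V G1IN SOME: Q2OUT SOME' -> (effect, [cause, cause])."""
    causes, effect = line.split(":", 1)
    return parse_effect(effect.strip()), [parse_event(c.strip()) for c in causes.split(" AND ")]


class UnitModel:
    """Minitrees of one unit: effect -> list of branches. A branch is the
    conjunction of one statement's causes (or of one decision-table row's
    listed entries); the branches of an effect are OR-ed together."""

    def __init__(self, statements=(), tables=()):
        self.trees = {}
        for line in statements:
            self.add_statement(line)
        for rows in tables:
            self.add_decision_table(rows)

    def add_statement(self, line):
        effect, causes = parse_statement(line)
        self.trees.setdefault(effect, []).append(causes)

    def add_decision_table(self, rows):
        """rows: [(['V Q1IN NONE', 'V Q3IN NONE'], 'Q2OUT NONE'), ...];
        an entry omitted from a row is 'don't care'."""
        for conds, effect in rows:
            self.trees.setdefault(parse_effect(effect), []).append([parse_event(c) for c in conds])

    def tabular(self, top):
        """The paper's one-level tabular minitree: (top event, gate, base events)."""
        branches = self.trees[parse_effect(top)]
        if all(len(b) == 1 for b in branches):
            return top, "OR", [b[0] for b in branches]
        if len(branches) == 1:
            return top, "AND", list(branches[0])
        raise ValueError(f"{top}: mixed AND/OR needs an intermediate (dummy) event")

    def cut_sets(self, top):
        """Minimal cut sets of `top`: sets of base events (F, O, V, S) obtained by
        expanding intermediate (I) events through their own minitrees."""
        def expand(key, path):
            if key in path:
                raise ValueError(f"circular development of {key[1]}")
            sets = []
            for branch in self.trees.get(key, []):
                options = [expand(c, path | {key}) if c[0] == "I" else [frozenset([c])]
                           for c in branch]
                sets.extend(frozenset().union(*combo) for combo in product(*options))
            return sets
        candidates = expand(parse_effect(top), frozenset())
        return {c for c in candidates if not any(o < c for o in candidates)}


# Pipe, minitop Q2OUT LO of Fig. 3 (the two V lines stand in for eqn (2)).
PIPE = UnitModel([
    "V G1IN LO: Q2OUT LO", "V G2OUT LO: Q2OUT LO",
    "F PART-BLK: Q2OUT LO", "F LK-LP-EN: Q2OUT LO",
])
# Normally closed hand valve: flow exists only if it fails open AND a gradient exists.
HAND_VALVE = UnitModel(["F HV-F-OP AND V G1IN SOME: Q2OUT SOME"])
# Control valve in a loop: the intermediate event CL-F-HA and its causes.
CONTROL_VALVE = UnitModel(["I CL-F-HA: Q2OUT HI", "F CV-F-HA: CL-F-HA", "V S3SIG HI: CL-F-HA"])
# Eqn (7), Z = (A AND B) OR (C AND D): with dummy events, and as a two-row table.
WITH_DUMMIES = UnitModel(["I A(DUMMY): Z", "I B(DUMMY): Z",
                          "F A AND F B: A(DUMMY)", "F C AND F D: B(DUMMY)"])
WITH_TABLE = UnitModel(tables=[[(["F A", "F B"], "Z"), (["F C", "F D"], "Z")]])

if __name__ == "__main__":
    print(PIPE.tabular("Q2OUT LO"))
    print(HAND_VALVE.tabular("Q2OUT SOME"))
    print(sorted(map(sorted, CONTROL_VALVE.cut_sets("Q2OUT HI"))))
    print(WITH_DUMMIES.cut_sets("Z") == WITH_TABLE.cut_sets("Z"))
```

Asking the dummy-event model for its tabular minitree of Z gives an OR gate over A(DUMMY) and B(DUMMY), while the table model raises, because its two conjunctive rows cannot be written as a single one-level gate; both give the same two minimal cut sets, {A, B} and {C, D}.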

The top events of the minitrees, or minitop events, for a unit are the complete set of deviations for each variable on the LHS of the propagation equations or on the RHS of the initial event statements and decision tables, together with the intermediate events. Normally each LHS variable has deviations HI and LO, so that there are two minitop events for each such variable, but in addition there are certain other deviations such as SOME and NONE which need to be taken into account and which increase the number of minitop events.

A minitree may be written in tabular form. For example, the minitree shown in Fig. 3 may be written in the following form:

    Base events       Top event       Gate
    V  G1IN LO        T  Q2OUT LO     OR
    V  G2OUT LO
    F  PART-BLK
    F  LK-LP-EN

where T denotes minitop event. By convention the depth of a minitree is limited to one level of base events below the top event. If this single level is insufficient to represent the tree, use is made of intermediate, or dummy, events.

[Fig. 4. Minitree for event Q2OUT SOME: top event Q2OUT SOME with base events HV-F-OP and G1IN SOME under an AND gate.]

A unit model as used in the method consists essentially of a set of minitrees in tabular form as just described. The table also contains, however, a considerable amount of additional information. This information is described below.

Terminal events

So far fault initiation and propagation have been considered but not fault termination. Further information on this aspect has therefore to be provided. The type of fault termination of ultimate interest in fault modelling is an undesired event, often a hazard, such as may be taken as the top event of a fault tree. Information on a terminal event might in principle be provided by a terminal event statement of the form:

    Variable deviation: Terminal fault

Examples of such terminal event statements are

    P2OUT HI: OVRPRES
    T2OUT LO: UNDRTEMP

This approach is not used, however. There are two reasons for using an alternative approach. One is that the inclusion in each unit model of a comprehensive set of terminal events inflates unnecessarily the size of the model. The other is that the relation between the variable deviations and a terminal event is in general a function not simply of the unit but of the plant system. For example, in some systems explosion might require a flammable mixture and an ignition source, while in others it might result from autodecomposition. The approach adopted, therefore, is to model the terminal event using an event model separate from the unit model. This separation of the terminal event model reduces the size of the unit models and keeps them context-independent. Event models are discussed in more detail below.

Model generation

The propagation equations, initial event statements and decision tables, if any, constitute the principal items of information embodied in a unit model. From this information it is possible to generate the minitrees of the unit model automatically.

Variables

The process and other variables used are shown in Table 2. A variable is identified by a single letter, except for composition as described below. For flow Q no distinction is made between volumetric flow and mass flow. Pressure gradient G is used in conjunction with flow Q. The use of this additional variable is necessary in order to obtain two-way fault propagation. Thus variables Q and G are used as a pair. Variables T and X are used for temperature and composition, respectively. X is a single variable, but multicomponent systems can be handled by the use of additional subscripts (see below). Pressure P is used to represent pressure both above and below atmospheric and relief R pressure relief. As with flow, pressure and relief propagate both upstream and downstream. In order to model this feature, pressure and relief are used as a pair, although in a way different from the pair flow Q and pressure gradient G. Level L is used for the liquid level in vessels. Reverse temperature U and reverse composition Y are used to model the propagation of temperature and composition, respectively, when flow is reversed.

Pressure gradient G and relief R are defined at the inlet of a unit, all other variables with two exceptions at the outlet. This convention is necessary in order to obtain two-way fault propagation. The exceptions are reverse temperature U and reverse composition Y, which are defined at the point which is the inlet of the unit under normal flow conditions.


Instrument signal S is used for all instrument signals, including signals from sensors to controllers or trip switches and from controllers to control valves and from trip switches to trip valves. Setpoint W is a setpoint variable which represents the desired value of a control loop or a protective system. Several other variables have been considered as candidates for inclusion in the list of variables but have been rejected. There is no reverse flow variable, this condition being handled by a deviation of the regular flow variable Q. There is no separate variable for flow ratio, which is dealt with by other means. There is no separate variable for vacuum, which is covered by the regular pressure variable P.

Variable subscripts The variable subscripts used are

1,2,3... IN,OUT,UTL,VES,SIG A,B,C... The subscript 1,2,3... refers to the port at which the variable occurs and is the principal subscript. Ports are predominantly inlets and outlets on the unit. There are inflows and outflows of material and inputs and outputs of information. An inflow is not necessarily an input. Thus the variable G, defined at inlets, is an output at inlets and an input at outlets. There are also ports associated with internal variables in units. Such a port exists only if it is shown on the model diagram and is assigned a number on this diagram. It is referred to as a vessel port. A vessel port must be connected either to a sensor or to a d u m m y tail. The variables which are associated with a vessel port are pressure, level, temperature or composition. By convention for units such as tanks and vessels in which there are no closed flow paths the ports are generally numbered in the order inlet, outlet and vessel. For units in which there are closed flow paths such as heat exchangers the ports are generally numbered inlet and outlet on first stream, inlet and outlet on second stream, and so on. For sensors the ports are generally numbered inlet, outlet, signal. The subscript I N , O U T , U T L , V E S or SIG is added to indicate the type of port. IN and O U T are of general and obvious application. U T L is used for utilities, VES on vessel ports and SIG on measurement signals.

These two types of subscript are used with all the variables. In addition, the subscript A,B,C... is used with the variables X and Y to denote component A,B,C... For binary systems these subscripts are superfluous. Typical variables with their subscripts are

P1IN  Q2OUT  X2OUT  XD2OUT  L3VES

Variable deviations

The variable deviations used are shown in Table 3. A deviation is identified by a string of up to four letters. A deviation is applied to a variable and represents a deviation of that variable from some 'normal' value. This normal value is not necessarily a fixed value. For example, if a change is made in the process operating point, the normal values on a number of control loops may change. Deviations HI and LO are the two principal deviations. There are various ways in which a high or low deviation may be defined. The definition adopted is that high or low means sufficiently high or low to cause the top event to occur. Further degrees of high and low are not used. Deviations which overload the control loop are dealt with by the control loop structure model within the program. The deviations HI and LO are applicable to all the variables.

TABLE 2
Variables

Q  flow
G  pressure gradient
T  temperature
X  composition
P  pressure
L  level
R  relief
U  temperature (in reverse flow)
Y  composition (in reverse flow)
S  instrument signal
W  setpoint

TABLE 3
Variable Deviations

HI    high
LO    low
NONE  none
SOME  some
NCHA  no change
SHAC  should activate
REV   reverse
NOP   no pressure
NOR   no relief

TABLE 4
Invalid Combinations of Variables and Variable Deviations^a

      HI  LO  NONE  SOME  NCHA  SHAC  REV  NOP  NOR
Q     Y   Y   Y     Y     N     N     Y    N    N
G     Y   Y   Y     Y     N     N     Y    N    N
T     Y   Y   N     N     N     N     N    N    N
X     Y   Y   N     N     N     N     N    N    N
P     Y   Y   Y     Y^b   N     N     Y^b  N    Y^b
L     Y   Y   Y     N     N     N     N    N    N
R     Y   Y   Y     Y     N     N     Y    Y    N
U     Y   Y   N     N     N     N     N    N    N
Y     Y   Y   N     N     N     N     N    N    N
S     Y   Y   Y     Y     Y     Y     N    N    N
W     Y   Y   N     N     N     N     N    N    N

^a Y = combination valid; N = combination invalid.
^b Not valid in vessels.

Deviations NONE and SOME are used in three main applications, with the flow/pressure gradient, the pressure/relief and the signal variables. For flow Q these deviations are equivalent to the conditions NO FLOW and FLOW EXISTS and for pressure gradient G to the conditions of pressure gradient corresponding to NO FLOW and FLOW EXISTS, respectively. Deviation NONE is also used with level. Deviation REV is applied only to the variables flow Q, pressure gradient G, pressure P and relief R. For flow Q and pressure gradient G the deviation REV is used to model reverse flow. As well as the deviations HI and LO, pressure has deviations NONE, SOME, REV and NOR and relief NONE, SOME, REV and NOP, while instrument signal has the deviations NCHA and SHAC. The treatment of these deviations, however, is beyond the scope of this paper. The invalid combinations of variables and variable deviations are shown in Table 4.

Boundary conditions and not allowed faults

If the models described are used for fault tree synthesis, or related applications, it is necessary to take into account the boundary conditions and not allowed faults. A boundary condition is a variable deviation which is inconsistent with another variable deviation elsewhere in a part of the tree already synthesised. For example, Q LO is a boundary condition of Q HI, since the former is inconsistent with the latter. For boundary conditions it is possible to state general rules for inconsistency of variable deviations. The following sets of variable deviations are mutually inconsistent:

HI, LO, NONE, REV, NOP, NOR, NCHA
SOME, NONE, REV, NOP, NOR, NCHA

The relationship between the deviation SOME and the deviations HI and LO is more complex than can be represented in this form. If HI or LO appears beneath SOME, the state of the plant is more closely defined and the second deviation (HI or LO) is retained in the tree. If, however, SOME appears beneath HI or LO, the state of the plant is not defined more closely: SOME is already implied, given that the state is HI or LO. The SOME deviation is therefore removed from the tree. SHAC is not inconsistent with any of the other deviations, since it represents a logical state (the trip system should activate), rather than a physical state. The invalid combinations of variable deviations are shown in Table 5.

TABLE 5
Invalid Combinations of Variable Deviations for Boundary Conditions^a

       HI  LO  SOME  NONE  NCHA  SHAC  REV  NOP  NOR
HI     N   N   Y     N     N     Y     N    N    N
LO     N   N   Y     N     N     Y     N    N    N
SOME   Y   Y   N     N     N     Y     N    N    N
NONE   N   N   N     N     N     Y     N    N    N
NCHA   N   N   N     N     N     Y     N    N    N
SHAC   Y   Y   Y     Y     Y     N     Y    Y    Y
REV    N   N   N     N     N     Y     N    N    N
NOP    N   N   N     N     N     Y     N    N    N
NOR    N   N   N     N     N     Y     N    N    N

^a Y = combination valid; N = combination invalid.

This information on boundary conditions is part of the unit model. It is not, however, sufficient for the complete treatment of the boundary conditions during fault tree synthesis and needs to be supplemented at that stage by other boundary condition rules.

A not allowed fault is a basic event which is inconsistent with a particular variable deviation. For example, LK-LP-EN is a not allowed fault of Q2OUT HI, since this basic event cannot be a cause of high outlet flow. For not allowed faults use is made of the initial event statements. These show that a basic event may cause certain variable deviations. Other variable deviations which are inconsistent with these variable deviations have as a not allowed fault the basic event in question. Both boundary conditions and not allowed faults are handled automatically in the method and do not require any additional information to be provided.
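The checks of this section, together with the variable notation introduced under 'Variable subscripts', can be made concrete in a short Python module. The following is an added illustration, not code from the paper or its program suite: it parses deviations such as Q2OUT HI into variable, component, port, port type and deviation; applies Table 4 (with footnote b) to decide whether a deviation may be applied to a variable at all; applies Table 5 together with the SOME rule to decide whether a deviation may be added beneath those already on a branch; and derives not allowed faults from initial event statements in the way the text describes, using Table 5 as the inconsistency rule and the two pipe-model event statements quoted later in the paper as input. The function names, and the convention that a basic event stated to cause the target deviation itself is always allowed, are this example's own.

```python
"""Variable-deviation checks from Tables 2 to 5 of Kelly and Lees, Part 1.

Added illustration, not code from the paper or its program suite.  The
notation parsed here ('Q2OUT HI', 'XD2OUT LO', 'S2SIG NONE') and the Y/N
tables are transcribed from the paper; function names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

VARIABLES = set("QGTXPLRUYSW")  # Table 2; X and Y may carry a component letter

# Table 4: which deviations may be applied to which variable (Y = valid).
T4_COLS = ("HI", "LO", "NONE", "SOME", "NCHA", "SHAC", "REV", "NOP", "NOR")
T4_ROWS = {
    "Q": "YYYYNNYNN", "G": "YYYYNNYNN", "T": "YYNNNNNNN", "X": "YYNNNNNNN",
    "P": "YYYYNNYNY", "L": "YYYNNNNNN", "R": "YYYYNNYYN", "U": "YYNNNNNNN",
    "Y": "YYNNNNNNN", "S": "YYYYYYNNN", "W": "YYNNNNNNN",
}
# Footnote b of Table 4: these pressure deviations are not valid in vessels.
NOT_IN_VESSELS = {("P", "SOME"), ("P", "REV"), ("P", "NOR")}

# Table 5: may two deviations of one variable both stand on one branch of the
# tree (Y = consistent)?  Each deviation is marked inconsistent with itself,
# so a repeat of the same deviation further down a branch is pruned as well.
T5_COLS = ("HI", "LO", "SOME", "NONE", "NCHA", "SHAC", "REV", "NOP", "NOR")
T5_ROWS = {
    "HI": "NNYNNYNNN", "LO": "NNYNNYNNN", "SOME": "YYNNNYNNN",
    "NONE": "NNNNNYNNN", "NCHA": "NNNNNYNNN", "SHAC": "YYYYYNYYY",
    "REV": "NNNNNYNNN", "NOP": "NNNNNYNNN", "NOR": "NNNNNYNNN",
}

# variable letter, optional component letter, port number, port type, deviation
_DEV_RE = re.compile(
    r"^(?P<var>[A-Z])(?P<comp>[A-Z])?(?P<port>\d+)"
    r"(?P<ptype>IN|OUT|UTL|VES|SIG)\s+(?P<dev>[A-Z]+)$"
)


@dataclass(frozen=True)
class Deviation:
    variable: str             # Q, G, T, X, P, L, R, U, Y, S or W
    component: Optional[str]  # A, B, C ... on X and Y only
    port: int                 # principal subscript 1, 2, 3 ...
    port_type: str            # IN, OUT, UTL, VES or SIG
    deviation: str            # HI, LO, NONE, ...

    def same_variable(self, other: "Deviation") -> bool:
        """Same variable at the same port; the deviations may differ."""
        return (self.variable, self.component, self.port, self.port_type) == (
            other.variable, other.component, other.port, other.port_type)


def parse_deviation(text: str) -> Deviation:
    """Parse a variable deviation such as 'Q2OUT HI' or 'XD2OUT LO'."""
    m = _DEV_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed variable deviation: {text!r}")
    var, comp, dev = m["var"], m["comp"], m["dev"]
    if var not in VARIABLES:
        raise ValueError(f"unknown variable {var!r} in {text!r}")
    if comp is not None and var not in ("X", "Y"):
        raise ValueError(f"component subscript only on X and Y: {text!r}")
    if dev not in T4_COLS:
        raise ValueError(f"unknown deviation {dev!r} in {text!r}")
    return Deviation(var, comp, int(m["port"]), m["ptype"], dev)


def is_valid_combination(d: Deviation) -> bool:
    """Table 4 with footnote b: may this deviation be applied to this variable?"""
    if T4_ROWS[d.variable][T4_COLS.index(d.deviation)] != "Y":
        return False
    return not (d.port_type == "VES" and (d.variable, d.deviation) in NOT_IN_VESSELS)


def consistent(dev_a: str, dev_b: str) -> bool:
    """Table 5: may deviations dev_a and dev_b of one variable share a branch?"""
    return T5_ROWS[dev_a][T5_COLS.index(dev_b)] == "Y"


def extend_branch(branch: List[str], new: str) -> Optional[List[str]]:
    """Boundary-condition rules for one variable along a branch of the tree.

    `branch` lists the variable's deviations already on the path from the top
    event, outermost first.  Returns the extended branch, or None when `new`
    is a boundary condition of a deviation already present (branch pruned).
    SOME beneath HI or LO adds nothing and is dropped; HI or LO beneath SOME
    narrows the plant state and is kept.
    """
    if any(not consistent(old, new) for old in branch):
        return None
    if new == "SOME" and any(old in ("HI", "LO") for old in branch):
        return list(branch)
    return [*branch, new]


def not_allowed_faults(target: Deviation,
                       event_statements: List[Tuple[str, str]]) -> Set[str]:
    """Basic events that cannot be causes of `target`.

    Each initial event statement is (basic event, variable deviation it causes).
    A basic event whose stated effect on the same variable is inconsistent with
    the target deviation is a not allowed fault of that deviation.
    """
    excluded = set()
    for basic_event, effect_text in event_statements:
        effect = parse_deviation(effect_text)
        if effect.same_variable(target) and effect.deviation != target.deviation \
                and not consistent(effect.deviation, target.deviation):
            excluded.add(basic_event)
    return excluded


# The two initial event statements of the pipe model quoted in the paper.
PIPE_EVENT_STATEMENTS = [("LK-LP-EN", "Q2OUT REV"), ("LK-HP-EN", "G1IN REV")]

if __name__ == "__main__":
    top = parse_deviation("Q2OUT HI")
    print(top, "valid:", is_valid_combination(top))
    print("HI then SOME:", extend_branch(["HI"], "SOME"), " HI then LO:", extend_branch(["HI"], "LO"))
    print("not allowed for Q2OUT HI:", not_allowed_faults(top, PIPE_EVENT_STATEMENTS))
```

Run as a script, the module shows Q LO being pruned beneath Q HI, SOME being dropped beneath HI, and reproduces the paper's example: because the pipe model states that LK-LP-EN causes Q2OUT REV, and REV is inconsistent with HI in Table 5, LK-LP-EN comes out as a not allowed fault of Q2OUT HI.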

EVENT MODELS

There are several aspects of modelling which are conveniently handled by modelling an event rather than a unit and for these an event model is used. There are three types of event which are modelled in this way:

(1) Undesired events.
(2) Physical and phase changes.
(3) Materials failures.

An undesired event is a terminal event. The top event of a fault tree is always such a terminal event. The unit models yield only variable deviations, e.g. T2OUT LO. It is necessary to express the final variable deviation as a terminal event, e.g. UNDRTEMP. As described earlier, this might in principle be done using some form of terminal event statement in the unit models, but in the method it is achieved using an event model. An event model may comprise event statements and decision tables. It is typically a single minitree, although in more complex cases it may comprise several minitrees. An event model for an undesired event may be illustrated by the model for the event UNDRTEMP. In this case the information is provided in the form of an event statement

V   T2OUT LO: UNDRTEMP

This model states that undertemperature occurs when the temperature is low. The second type of event for which an event model is used is a physical or phase change. An example is

V   T2OUT LO: FREEZING

This type of event is conditional on the fluid in the stream concerned having a susceptibility to physical or phase change, in this case freezing. The third type of event is a materials failure. An example is

V   X2OUT HI: CORROSN

where X is the concentration of some corrosive impurity. Again this type of event is conditional on the unit having a susceptibility to materials failure, in this case corrosion. The expressions given are used to model the causes of the three types of event. Undesired events are used solely as the top events of fault trees. Physical and phase change and materials failure events give rise to additional failure paths, over and above those which are implicit in the unit models. A physical or phase change can give rise to a variable deviation and a materials failure to a basic event, for example

FREEZING: Q2OUT NONE

and

CORROSN: LK-LP-EN

This latter type of event therefore provides a means by which an event which is normally treated in a unit model as an irreducible basic event can itself be made the effect of some other cause. Obviously the use of these last two types of event model in this way makes the fault tree considerably more complex. It is an advanced facility which in many applications is likely to be unnecessary, but it does offer a useful means of dealing with certain types of problem. Information on the susceptibilities of the fluid streams to physical and phase changes and of the units to materials failures is entered as part of the configuration information. This approach means that the analyst can specify which events are likely to be important at particular locations in the plant and what the effects of these events are. This last facility is important for some events, such as DILUTION (with water), where the effects are dependent on the process.

OTHER FEATURES

Reverse flow

As indicated above, reverse flow is taken into account in the method. Flow deviations involving reverse flow are treated in the same way as other variable deviations. Like the other deviations applicable to flow Q and pressure gradient G, reverse flow deviations are generated partly from the propagation equations and partly from the event statements. For the pipe model, for example, the propagation equations are eqns (2) and (3) and the event statements are

F   LK-LP-EN: Q2OUT REV
F   LK-HP-EN: G1IN REV

Reverse flow effects include not only flow deviations but also deviations of other variables, namely temperature and composition. These other deviations arising from reverse flow are treated by making them conditional on the existence of reverse flow. This is achieved by the use of an AND gate. This AND gate is not located, however, in the unit models, since in fault tree synthesis this would result in the generation of a series of AND gates, one for each model through which the fault propagates. Instead the AND gate is located in the terminal event statement. For the pipe model the propagation equations for reverse temperature U and reverse composition Y are

U1IN = f(U2OUT)    (8)
Y1IN = f(Y2OUT)    (9)

Multicomponent systems

In the treatment given so far there is an implicit assumption that the system considered is a binary one, but a multicomponent system is readily handled in the method. Even in a multicomponent system it is not necessary to model all the units explicitly as multicomponent ones. A unit need only be modelled explicitly as multicomponent if there is at least one component for which the propagation equation differs from those for the other components. Where this is the case, however, all the multicomponent compositions must be specified explicitly by propagation equations. A multicomponent feature need be used, therefore, only in those models which deal with processes such as mixing and separation. These constitute a relatively small proportion of the total.

Setpoints

Setpoint deviations can in principle be modelled using initial event statements in the controller and trip switch models, but the method adopted is the use of a setpoint unit. This unit has as its output the setpoint faults, namely high or low setpoint. The setpoint unit is also a convenient device for modelling any kind of setting. For example, the set pressure of a pressure relief valve can be represented in this way. This use of the setpoint unit thus allows common cause failures to be taken into account. For example, the set pressures of a group of relief valves might all be incorrect due to a defect in the setting procedure in the workshops.

Operator control and actions

The process operator carries out manual control, adjusts the setpoint of automatic control loops and takes other actions. These activities can be taken into account in the method. An operator may act effectively as a feedback controller, taking in a measurement from a sensor and sending out an adjustment to a hand valve. If such a manual feedback control loop is to be incorporated, a special manual controller model is used. This model is very similar to a normal feedback controller model. Similarly, an operator may act as a protective device, or trip switch. If such a manual trip loop is to be incorporated, a special manual trip switch model is used. This model is very similar to a normal trip switch model. The operator also intervenes on the plant by making other adjustments which do not constitute continuously operating control or trip loops but are less structured actions. The points at which such intervention takes place are usually controller and trip switch setpoints, hand valves and units which can be switched on/off.

Computer control

Computer control can be taken into account in the method. The way in which this is done depends on the computer configuration and functions. For the case of direct digital control or its equivalent where the computer carries out the functions of a controller in a feedback control loop, a computer control loop model is used. The faults are similar to those of a hardware controller.

Utilities

Failure of a unit due to failure of a utility such as electrical power, cooling water or instrument air needs to be taken into account. A particular feature of utility failure is that it is liable to cause faults in a number of units and thus to act as a common cause failure. A utility failure may be handled in the method in two ways. The first, and preferred, approach is to enter in each relevant unit model a susceptibility to the fault which is then represented as an input signal from the utility. In this case the common cause aspect of the utility failure is explicit from the outset and is incorporated in the configuration. An example is failure of instrument air to a controller. A controller model is shown in Fig. 5. In the controller model the initial event statements include the relation

V   S4UTL NONE: S2SIG NONE

and in the utility model the initial event statements include the relation

F   IAR-LOSS: S1UTL NONE

so that the failure IAR-LOSS in the utility is a cause of deviation S2SIG NONE in the controller. The subscripts 1 and 4 here refer to the utility output and the controller input (susceptibility). Alternatively, the fault may be entered directly in each unit model as one of the initial event statements. For the example just given this would require the relation

F   IAR-LOSS: S2SIG NONE

In this case the common cause aspect of the failure is implicit and it requires considerable work to identify the common cause event in the minimum cut sets obtained.

Fig. 5. Model diagram for pneumatic controller (port 1: input from sensor; port 2: output to control valve).

Common cause effects

The comments on common cause failure just made in relation to utilities are of general application. If a potential common cause fault is to be identified explicitly, as for example in a fault tree and its minimum cut sets, the information on that fault needs to be entered in the unit model in the event statements as a susceptibility to an input from the unit which gives rise to the common cause fault rather than as an individual event statement.

STRUCTURAL INFORMATION

In some cases the information given in the flow diagram is sufficient to model the system, but this is unusual. In most cases it is necessary to provide some additional information, of a broadly structural nature.

Dividers and headers

A process plant contains many points at which streams split or join. Each such point is modelled by a divider or header unit, respectively. The situations which arise when such junctions occur are varied. For example, there may be flow in some of the pipes at the junction but not in others. There are therefore a number of divider and header models. Dividers and headers are used in some cases as single units and in others as an explicit divider-header combination. A divider-header combination is used where it is necessary to provide structural information by this means.

Divider-header combinations

One feature on which information is needed is the structure of sets of units, particularly parallel systems. This may be illustrated by the set of two pumps shown in Fig. 6. The flow diagram alone does not indicate whether these pumps are

(1) One 100% pump operating and one 100% pump on standby
(2) Two 100% pumps operating
(3) Two 50% pumps operating

or some other arrangement. It is necessary therefore to have some means of providing this information. In the method this is done by the use of divider and header units in defined combinations. There are models for divider and header units which are used to define particular types of system such as parallel redundant systems and bypass systems. When used in this way the divider-header pairs are declared explicitly as a combination.

Fig. 6. Pump system with various possible structures.

Control loops

Another feature on which structural information is needed is control loops. Control loops are important in fault propagation, because the function of a control loop is to prevent the propagation of normal disturbances. Without modification the method so far described to generate fault trees, or related structures, from the unit models will not always give a correct result for a control loop. It is necessary, therefore, to provide additional information. Another reason for providing this information is to improve the clarity of the fault tree. The role of the control loop in the tree structure is usually brought out clearly in a manually constructed tree, where the pattern perceived by the analyst is imparted to the tree. In fault trees generated automatically by synthesis from unit models using a relatively mechanistic approach this pattern may be missing so that the tree is opaque to the user. In an automatic method, therefore, it is desirable to restore this structure and this requires that information on control loop structure be provided at the start. The same information is also necessary to handle situations where there are control loops other than simple feedback loops such as cascade or feedforward loops. In the method each control loop is identified, the units in the loop are listed and certain additional information is provided. When a fault tree for the control loop is synthesised, the tree is given structure by the use of a special control loop model which has predefined branches for the different modes of loop failure. Some of these modes are associated with intermediate events which are put at the head of the main branches. An example is the intermediate event CL-STK. A more detailed account of control loops is given in Ref. 1.

Protective systems

The main types of protective system which are handled are pressure relief systems and trip loops. A protective system has two basic failure modes. One is functional failure or failure to operate on demand. The other is operational failure or operation in the absence of demand. An important class of protective system is trip systems. Trip systems are another feature on which structural information is needed. Again trip systems are important, because the function of a trip system is to prevent the propagation of abnormal disturbances. As for a control loop, the method needs to be modified in order to obtain a correct result for a trip loop. Additional information has to be provided. Again another reason for doing this is to bring out the role of the trip loop in the tree structure. For trip loops an important distinction is whether the trip valve is normally open or closed. If the valve is normally closed, it is also necessary to provide information on the units through which flow will occur when the valve is open. In the method each trip loop is identified and the units in the loop are listed. When a fault tree for the trip loop is synthesised, the tree is given structure by the use of a special trip loop model, which has predefined branches for the different modes of loop failure. Some of these modes are associated with intermediate events which are put at the head of the main branches. An example is the intermediate event TL-FN-F. A more detailed account of trip loops is given in Ref. 1.

PLANT CONFIGURATION

The flow diagram of a typical process plant, a heat exchanger system for cooling nitric acid, is shown in Fig. 7. The plant is one described by Lapp and Powers (Ref. 36) and has been widely discussed in the literature.

Fig. 7. Heat exchanger system: flow diagram (after Lapp and Powers). [Streams shown: nitric acid and cooling water.]

TABLE 6
Heat Exchanger System: Configuration

Stream no.   Upstream unit   Upstream port   Downstream unit   Downstream port
1            1               1               2                 1
2            2               2               3                 1
3            3               2               4                 1
4            4               2               5                 1
5            5               2               6                 1
6            7               1               8                 1
7            8               2               9                 1
8            9               2               10                1
9            10              2               3                 3
10           3               4               11                1
11           5               3               12                1
12           12              2               10                3
13           13              1               12                3
14           9               3               14                1
15           14              2               2                 3
16           15              1               14                3
17           16              1               12                4
18           16              2               14                4
19           17              1               8                 3

Fig. 8. Heat exchanger system: configuration diagram.

TABLE 7
Heat Exchanger System: Unit Models

Unit no.   Model no.
1          6
2          45
3          28
4          13
5          12
6          7
7          6
8          1
9          10
10         4
11         7
12         18
13         8
14         68
15         8
16         70
17         71

In the method the flow diagram is replaced by a corresponding configuration diagram as shown in Fig. 8. The conversion is straightforward. The only point which needs to be noted is the use of dummy heads and dummy tails for the inputs and outputs across the system boundaries. The configuration information is required in tabular form. The flow diagram is therefore converted to the corresponding table of connections. For the plant shown in Fig. 7 the configuration table is given in Table 6. For each unit a library model must be specified. The unit model table is shown in Table 7. Other configuration information is required again in tabular form on structural features such as divider-header combinations, control loops and protective systems and on events and event models. A fuller account of the configuration data required is given in Ref. 2.
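As an added illustration (not code from the paper or its program suite), the following Python reads Table 6 as a directed graph of streams between units and performs the structural queries the configuration table supports: the units with no incoming stream (the dummy heads and other pure sources), the units with no outgoing stream (the dummy tails), the set of units from which a deviation can propagate to a given unit, a shortest forward route between two units expressed as a list of stream numbers, and the units whose output feeds more than one unit. The last query picks out, among others, unit 16, which feeds port 4 of both units 12 and 14; reading this, by analogy with the controller model of Fig. 5 where port 4 carries the utility susceptibility, as a shared utility input is this example's inference and not something the table states. Function names are this example's own.

```python
"""Heat exchanger system of Table 6 read as a stream graph.

Added illustration, not code from the paper or its program suite.  The 19
streams are transcribed from Table 6 (stream number, upstream unit and port,
downstream unit and port); function names are this example's own.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Optional, Set


class Stream(NamedTuple):
    number: int
    up_unit: int
    up_port: int
    down_unit: int
    down_port: int


# Table 6, one Stream per row.
TABLE6 = [
    Stream(1, 1, 1, 2, 1), Stream(2, 2, 2, 3, 1), Stream(3, 3, 2, 4, 1),
    Stream(4, 4, 2, 5, 1), Stream(5, 5, 2, 6, 1), Stream(6, 7, 1, 8, 1),
    Stream(7, 8, 2, 9, 1), Stream(8, 9, 2, 10, 1), Stream(9, 10, 2, 3, 3),
    Stream(10, 3, 4, 11, 1), Stream(11, 5, 3, 12, 1), Stream(12, 12, 2, 10, 3),
    Stream(13, 13, 1, 12, 3), Stream(14, 9, 3, 14, 1), Stream(15, 14, 2, 2, 3),
    Stream(16, 15, 1, 14, 3), Stream(17, 16, 1, 12, 4), Stream(18, 16, 2, 14, 4),
    Stream(19, 17, 1, 8, 3),
]


def successors(streams: List[Stream]) -> Dict[int, List[Stream]]:
    """Unit -> its outgoing streams, in table order."""
    out: Dict[int, List[Stream]] = defaultdict(list)
    for s in streams:
        out[s.up_unit].append(s)
    return out


def predecessors(streams: List[Stream]) -> Dict[int, List[int]]:
    """Unit -> the units feeding it directly."""
    pre: Dict[int, List[int]] = defaultdict(list)
    for s in streams:
        pre[s.down_unit].append(s.up_unit)
    return pre


def source_units(streams: List[Stream]) -> Set[int]:
    """Units with no incoming stream: dummy heads and other pure sources."""
    return {s.up_unit for s in streams} - {s.down_unit for s in streams}


def sink_units(streams: List[Stream]) -> Set[int]:
    """Units with no outgoing stream: dummy tails."""
    return {s.down_unit for s in streams} - {s.up_unit for s in streams}


def upstream_units(unit: int, streams: List[Stream]) -> Set[int]:
    """All units from which a deviation can propagate to `unit`.

    Streams are followed backwards; `unit` itself appears in the result only
    when it lies on a closed flow path that leads back to it.
    """
    pre = predecessors(streams)
    seen: Set[int] = set()
    queue = deque(pre[unit])
    while queue:
        u = queue.popleft()
        if u not in seen:
            seen.add(u)
            queue.extend(pre[u])
    return seen


def shortest_stream_path(src: int, dst: int, streams: List[Stream]) -> Optional[List[int]]:
    """Stream numbers along a shortest forward path src -> dst, or None if unreachable."""
    succ = successors(streams)
    came_by: Dict[int, Optional[Stream]] = {src: None}  # unit -> stream that reached it
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for s in succ[u]:
            if s.down_unit not in came_by:
                came_by[s.down_unit] = s
                queue.append(s.down_unit)
    if dst not in came_by:
        return None
    path: List[int] = []
    u = dst
    while came_by[u] is not None:
        s = came_by[u]
        path.append(s.number)
        u = s.up_unit
    return path[::-1]


def shared_sources(streams: List[Stream]) -> Dict[int, Set[int]]:
    """Units whose outputs feed two or more distinct units.

    These are the points where one failure (a lost utility, a wrongly set
    setpoint) enters several units at once and can act as a common cause.
    """
    fan: Dict[int, Set[int]] = defaultdict(set)
    for s in streams:
        fan[s.up_unit].add(s.down_unit)
    return {u: d for u, d in fan.items() if len(d) > 1}


if __name__ == "__main__":
    print("sources:", sorted(source_units(TABLE6)), "sinks:", sorted(sink_units(TABLE6)))
    print("upstream of unit 6:", sorted(upstream_units(6, TABLE6)))
    print("16 -> 6 via streams:", shortest_stream_path(16, 6, TABLE6))
    print("fan-out units:", shared_sources(TABLE6))
```

Run as a script, the module reports units 6 and 11 as the only sinks, shows that unit 5 lies on a closed path (it is among its own upstream units, via units 12, 10, 3 and 4), and lists the fan-out units 3, 5, 9 and 16 as the places where a single input reaches more than one unit.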

CONCLUSION

A method has been developed for the representation of the propagation of faults in process plants. It has been encoded as a suite of computer programs which generate a fault propagation structure and carry out fault tree synthesis. The plant system is decomposed into its constituent units and is represented by a configuration diagram and a set of unit models, which are in principle context-independent. Certain additional information is provided on terminal and other events and on system structure. Throughout the work the emphasis has been on making the method easy to use. There are several features which are particularly important in this respect. First, unit models are clearly defined so as to facilitate selection of the correct model. Second, where the user does need to create a new model, the generation of the model is automatic once certain data have been provided. These data are furnished in three well-defined forms, propagation equations, event statements and decision tables, suitable to the different types of information. Third, the generation of the fault tree is also automatic once certain data have been provided. Again these data, which are concerned with system structure, are furnished in well-defined forms. The fault tree synthesis method makes extensive use of specially developed synthesis rules. The method described here is the initial, or Mark 1, version. Work is continuing on development of the method and on its applications.

ACKNOWLEDGEMENTS

The authors wish to acknowledge the work on fault propagation done and reported previously by Dr P. K. Andow and Dr G. A. Martin-Solis and the work on the computer program done by Dr C. P. Murphy, and to thank the Science and Engineering Research Council for supporting this work.

REFERENCES

1. Kelly, B. E. and Lees, F. P. The propagation of faults in process plants: 2. Fault tree synthesis, Reliability Engineering, 16 (1986), pp. 39-62.
2. Kelly, B. E. and Lees, F. P. The propagation of faults in process plants: 3. An interactive, computer-based facility, Reliability Engineering, 16 (1986), pp. 63-86.
3. Kelly, B. E. and Lees, F. P. The propagation of faults in process plants: 4. Fault tree synthesis of a pump system changeover sequence, Reliability Engineering, 16 (1986), pp. 87-108.
4. Andow, P. K. A method for process computer alarm analysis, PhD Thesis, Loughborough University of Technology, 1973.
5. Andow, P. K. and Lees, F. P. A method for process computer alarm analysis, Trans. Instn Chem. Engrs, 53 (1975), p. 195.
6. Martin-Solis, G. A. Fault tree synthesis for real time and design applications on process plant, PhD Thesis, Loughborough University of Technology, 1978.
7. Andow, P. K. and Lees, F. P. Real time analysis of process plant alarms, in Synthesis and Analysis Methods for Safety and Reliability Studies (eds G. E. Apostolakis et al.), Plenum Press, New York, 1980, p. 409.
8. Martin-Solis, G. A., Andow, P. K. and Lees, F. P. Fault tree synthesis for real time and design applications, Trans. Instn Chem. Engrs, 60 (1982), p. 14.
9. Andow, P. K. Real time analysis of process plant alarms using a minicomputer, Comput. Chem. Engng, 4 (1980), p. 143.
10. Lees, F. P. Computer support for diagnostic tasks in the process industries, in Human Detection and Diagnosis of System Failure (eds J. Rasmussen and W. B. Rouse), Plenum Press, New York, 1981, p. 369.
11. Lees, F. P. Process computer alarm and disturbance analysis: review of the state of the art, Comput. Chem. Engng, 7 (1983), p. 669.
12. Lees, F. P. Process computer alarm and disturbance analysis: outline of methods for the systematic synthesis of the fault propagation structure, Comput. Chem. Engng, 8 (1984), p. 91.
13. Martin-Solis, G. A., Andow, P. K. and Lees, F. P. An approach to fault tree synthesis for process plants, in Loss Prevention and Safety Promotion in the Process Industries 2, DECHEMA, Frankfurt, 1977, p. 367.
14. Martin-Solis, G. A., Andow, P. K. and Lees, F. P. Synthesis of fault trees containing multi-state variables, in Loss Prevention and Safety Promotion in the Process Industries 3, Swiss Soc. Chem. Ind., Basel, 1980, p. 559.
15. Shafaghi, A. Plant modelling for system safety analysis, PhD Thesis, Loughborough University of Technology, 1982.
16. Shafaghi, A., Andow, P. K. and Lees, F. P. Fault tree synthesis based on control loop structure, Trans. Instn Chem. Engrs, 62 (1984), p. 101.
17. Shafaghi, A., Lees, F. P. and Andow, P. K. An illustrative example of fault tree synthesis based on control loop structure, Reliability Engineering, 8 (1984), p. 193.
18. Lees, F. P., Andow, P. K. and Murphy, C. P. The propagation of faults in process plants: a review of the basic event/fault information, Reliability Engineering, 1 (1980), p. 149.
19. Andow, P. K., Lees, F. P. and Murphy, C. P. The propagation of faults in process plants: a state of the art review, in Chemical Process Hazards with Special Reference to Plant Design 7, Instn Chem. Engrs, Rugby, 1980, p. 225.
20. Andow, P. K. Fault trees and failure analyses: discrete state representation problems, Trans. Instn Chem. Engrs, 59 (1981), p. 125.
21. Andow, P. K. Difficulties in fault tree synthesis for process plant, IEEE Trans. Reliab., R-29 (1980), p. 2.
22. Galluzzo, M. and Andow, P. K. Failures in control systems, Reliability Engineering, 7 (1984), p. 193.
23. Andow, P. K. and Lees, F. P. Process plant alarm systems: general considerations, in Loss Prevention and Safety Promotion in the Process Industries 1, Elsevier, Amsterdam, 1974, p. 299.
24. Hoenig, G. A computer based alarm handling system for process plant, PhD Thesis, Loughborough University of Technology, 1982.
25. Hoenig, G., Umbers, I. G. and Andow, P. K. Computer based alarm systems, in Trends in On-Line Computer Control Systems, Instn Elec. Engrs, London, p. 88.
26. Plamping, K. and Andow, P. K. The design of process alarm systems, Trans. Inst. Meas. Control, 5 (1983), p. 161.
27. Fussell, J. B. Synthetic fault tree model: a formal methodology for fault tree construction, Aerojet Nucl. Corp., Idaho Falls, Idaho, Rep. ANCR-1098, 1973.
28. Fussell, J. B. A formal methodology for fault tree construction, Nucl. Sci. Engng, 52 (1973), p. 421.
29. Powers, G. J. and Tompkins, F. C. Fault tree synthesis for chemical processes, AIChE J., 20 (1974), p. 376.
30. Powers, G. J. and Tompkins, F. C. A synthesis strategy for fault trees in chemical processing systems, in Loss Prevention 8, Am. Inst. Chem. Engrs, New York, 1974, p. 91.
31. Powers, G. J. and Tompkins, F. C. Computer-aided synthesis of fault trees for complex processing systems, in Generic Techniques in System Reliability Assessment (eds E. J. Henley and J. W. Lynn), Noordhoff, Amsterdam, 1976, p. 307.
32. Powers, G. J. and Lapp, S. A. Computer-aided fault tree synthesis, Chem. Engng Prog., 72(4) (1976), p. 89.
33. Powers, G. J. and Lapp, S. A. Computer-aided synthesis of fault trees, IEEE Trans. Reliab., R-26 (1977), p. 2.
34. Lapp, S. A. and Powers, G. J. Computer-assisted generation and analysis of fault trees, in Loss Prevention and Safety Promotion in the Process Industries 2, DECHEMA, Frankfurt, 1977.
35. Shaeiwitz, J. A., Lapp, S. A. and Powers, G. J. Fault tree analysis of sequential systems, Ind. Engng Chem. Process Des. Dev., 16 (1977), p. 529.
36. Lapp, S. A. and Powers, G. J. Up-date of Lapp-Powers fault tree synthesis algorithm, IEEE Trans. Reliab., R-28 (1979), p. 12.
37. Cummings, D. L., Lapp, S. A. and Powers, G. J. Fault tree synthesis from a directed graph model for a power distribution network, IEEE Trans. Reliab., R-32 (1983), p. 140.
38. Salem, S. L., Apostolakis, G. E. and Okrent, D. On the automatic construction of fault trees, Trans. Am. Nucl. Soc., 22 (1975), p. 475.
39. Salem, S. L., Apostolakis, G. E. and Okrent, D. A computer-oriented approach to fault tree construction, Univ. of Calif., Los Angeles, Rep. UCLA-ENG-7635, 1976.
40. Salem, S. L., Apostolakis, G. E. and Okrent, D. A computer-oriented approach to fault tree construction, Elec. Power Res. Inst., Palo Alto, Calif., Rep. EPRI NP-288, 1976.
41. Apostolakis, G. E., Salem, S. L. and Wu, J. S. CAT: a computer code for the automated construction of fault trees, Elec. Power Res. Inst., Palo Alto, Calif., Rep. EPRI-705, 1978.
42. Salem, S. L. and Apostolakis, G. E. The CAT methodology for fault tree construction, in Synthesis and Analysis Methods for Safety and Reliability Studies (eds G. E. Apostolakis et al.), Plenum Press, New York, 1978, p. 109.
43. Taylor, J. R. An algorithm for fault-tree construction, IEEE Trans. Reliab., R-31 (1982), p. 137.
44. Brown, J. S. and de Kleer, J. Towards a theory of qualitative reasoning about mechanisms and its role in troubleshooting, in Human Detection and Diagnosis of System Failure (eds J. Rasmussen and W. B. Rouse), Plenum Press, New York, 1980, p. 317.
45. Berenblut, B. J. and Whitehouse, H. B. A method for monitoring process plant based on a decision table analysis, The Chemical Engineer, 318 (1977), p. 175.