Reliability Engineering 16 (1986) 39-62
The Propagation of Faults in Process Plants: 2. Fault Tree Synthesis
B. E. Kelly and F. P. Lees
Department of Chemical Engineering, Loughborough University of Technology, Loughborough, Leicestershire, Great Britain
(Received: 24 May 1985)
ABSTRACT
A computer-based method and an interactive computer facility have been developed for the investigation of fault propagation in process plants, including fault tree synthesis and alarm system design. The modelling of fault propagation is described in a companion paper. This paper describes fault tree synthesis, while the interactive facility is described in a further, complementary paper.
INTRODUCTION
A facility has been developed for the investigation of fault propagation in process plants. In an accompanying paper [1] (Part 1) a description is given of the method of modelling fault propagation. In the present paper the method of synthesising the fault tree is described. The description is illustrative rather than comprehensive. The synthesis of a fault tree for a process plant is complex and is governed by a large number of rules, models and heuristics. It is not possible to describe all of these and this account is therefore confined to an indication of some of the principal problems and an outline of the approach taken to their solution. In the suite of programs developed fault tree generation is carried out by the program FLTGEN. This paper is therefore essentially a description of the main principles on which this program is based. Full details of the symbols and abbreviations used are given in Ref. 1.
Reliability Engineering 0143-8174/86/$03.50 © Elsevier Applied Science Publishers Ltd, England, 1986. Printed in Great Britain
Further, complementary papers [2, 3] (Parts 3 and 4, respectively) describe an interactive, computer-based fault propagation facility and the fault tree synthesis of a pump system changeover sequence.
OVERVIEW OF TREE SYNTHESIS
Minitrees
A minitree consists of a single output which is related by a specified logic to one or more inputs. The output event is the minitree top, or minitop, event and is a transmissive or intermediate event. The input events may be basic, diamond, transmissive or intermediate events. A basic event is a fault, usually mechanical. A diamond event is a process variable deviation which is not developed further. The reason for there being no further development of such an event is either that the event crosses the system boundary or that it is a looped event, as explained below. A transmissive event is a process variable deviation within the system boundary. An intermediate event is a form of dummy event and is used as a device to limit each minitree to a single level of events below the minitop event. The input and output events are connected by a logic gate, which in the vast majority of cases is an OR or an AND gate.
Top event
A fault tree is a logic tree for a particular event. The first step in fault tree synthesis is therefore selection of the event for which the fault tree is to be constructed. The top event must be one of the undesired events given in the event library. A typical example is the event UNDRTEMP.
Initial synthesis
The fault tree is then constructed from the top event down by developing the individual branches using the appropriate minitrees. The top event of the fault tree will also be the top event of a minitree in the event model where it occurs. This minitree is therefore placed below the top event. The input events in this minitree will normally contain a number of transmissive events. Each such transmissive is the minitop event of a further minitree, either in the same event model or in a connected unit model. A second level of minitrees is thus generated and these are placed below their respective transmissives. A similar procedure is carried out for intermediate events. The process is continued until all the transmissive and intermediate events have been developed and all the branches terminate in basic and diamond events only. Development of the tree is carried out vertically rather than horizontally. In other words, starting with an undeveloped minitree, one transmissive is developed by tracing the sequence of cause events right down to its terminations in basic and/or diamond events, before any other transmissive is developed. This vertical development of the tree is shown in Fig. 1. In principle, therefore, the fault tree synthesis process is straightforward, but in practice there are a number of features of the tree consistency and structure which render it a non-trivial problem.
Fig. 1. Fault tree synthesis by vertical development. [Figure not reproduced: the branches below TOP EVENT, developed one at a time down to their terminations.]

Consistency checking
It is necessary to check the tree for consistency in order to ensure that the boundary conditions have not been violated and that not allowed faults have not occurred. The tree must be checked both for series and for parallel consistency. Series consistency is consistency of events within a single branch of the tree. Parallel consistency is consistency of events in one branch of the tree with events in other branches under the same AND gate. Series consistency checking can be carried out during tree generation, but parallel consistency checking can be done only when the initial tree synthesis is complete.
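The synthesis procedure just described (minitrees developed vertically, series consistency enforced against the boundary conditions in force, and an event already developed elsewhere treated as a looped event pointing at its first occurrence, as described under LOOPING, SUPPRESSION AND CONSOLIDATION below) can be made concrete in code. The Python below is an added illustration written for this edition; it is not part of the paper and not FLTGEN's code. Its minitree library is a constructed toy two-pipe system, the event names (Q0 LO as the boundary-crossing diamond, HV-F-CL UNIT 1 as a basic fault) are assumed, and the consistency rule it applies (a deviation of a variable that an ancestor in the same branch has already fixed to a different value is a not-allowed fault, with SOME compatible with HI and LO) is this example's reading of the series consistency check. It also computes the minimum cut sets through the looped-event pointer, which the paper states remain obtainable when looping is selected.

```python
"""Minitree-based fault tree synthesis with vertical development, series
consistency checking and looped events.  Added illustration only: the
minitree library is a constructed toy two-pipe system, not one of FLTGEN's
unit models, and the event names are assumed for the example."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

DEVIATIONS = {"HI", "LO", "NONE", "REV", "SOME"}

# Constructed minitree library: minitop event -> (gate, immediate input events).
# Events that are not keys are basic faults or, if they are variable
# deviations, diamond events that cross the system boundary (Q0 LO here).
MINITREES: Dict[str, Tuple[str, List[str]]] = {
    "Q3 LO": ("OR", ["LK-LP-EN UNIT 2", "G2 LO", "Q2 LO"]),
    "G2 LO": ("OR", ["PART-BLK UNIT 2", "Q2 LO"]),
    "Q2 LO": ("OR", ["G1 LO", "LK-LP-EN UNIT 1"]),
    "G1 LO": ("OR", ["PART-BLK UNIT 1", "Q1 LO", "Q2 NONE"]),
    "Q1 LO": ("AND", ["HV-F-CL UNIT 1", "Q0 LO"]),
}

Node = Dict[str, object]


def deviation_of(event: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'Q2 LO' into ('Q2', 'LO'); basic faults give (None, None)."""
    parts = event.split()
    if len(parts) == 2 and parts[1] in DEVIATIONS:
        return parts[0], parts[1]
    return None, None


def violates_boundary(event: str, path: Tuple[str, ...]) -> bool:
    """Series consistency: a deviation of a variable that an event higher in the
    same branch has already fixed to a different value is a not-allowed event.
    Assumption of this example: SOME is compatible with HI and LO."""
    var, dev = deviation_of(event)
    if var is None or dev == "SOME":
        return False
    for ancestor in path:
        avar, adev = deviation_of(ancestor)
        if avar == var and adev not in (None, "SOME") and adev != dev:
            return True
    return False


def synthesise(event: str, path: Tuple[str, ...], developed: Dict[str, Node]):
    """Develop `event` vertically: each input is traced to basic and diamond
    events before the next input is started.  Returns (status, node); status is
    'ok', 'impossible' (violates the boundary conditions) or 'repeat' (the event
    is already an ancestor in this branch and adds nothing)."""
    if event in path:
        return "repeat", None
    if violates_boundary(event, path):
        return "impossible", None
    if event not in MINITREES:
        kind = "diamond" if deviation_of(event)[0] else "basic"
        return "ok", {"event": event, "kind": kind}
    if event in developed:
        # Already developed elsewhere: a looped event, drawn as a diamond that
        # points at the first (and only) occurrence of its subtree.
        return "ok", {"event": event, "kind": "looped"}
    gate, inputs = MINITREES[event]
    node: Node = {"event": event, "kind": "transmissive", "gate": gate, "inputs": []}
    developed[event] = node
    for inp in inputs:
        status, child = synthesise(inp, path + (event,), developed)
        if status == "ok":
            node["inputs"].append(child)
        elif status == "impossible" and gate == "AND":
            del developed[event]
            return "impossible", None   # an impossible input makes the AND output impossible
    if not node["inputs"]:
        del developed[event]
        return "impossible", None       # every cause was deleted
    return "ok", node


def build(top: str) -> Tuple[Node, Dict[str, Node]]:
    developed: Dict[str, Node] = {}
    status, tree = synthesise(top, (), developed)
    if status != "ok":
        raise ValueError(f"{top} cannot be developed")
    return tree, developed


def minimal_cut_sets(node: Node, developed: Dict[str, Node]) -> Set[FrozenSet[str]]:
    """OR unions the cut sets of its inputs, AND combines them; a looped event
    contributes the cut sets of the stored subtree it points to."""
    if node["kind"] in ("basic", "diamond"):
        return {frozenset([node["event"]])}
    if node["kind"] == "looped":
        return minimal_cut_sets(developed[node["event"]], developed)
    parts = [minimal_cut_sets(c, developed) for c in node["inputs"]]
    if node["gate"] == "OR":
        sets = set().union(*parts)
    else:
        sets = {frozenset()}
        for part in parts:
            sets = {a | b for a in sets for b in part}
    return {s for s in sets if not any(other < s for other in sets)}


def render(node: Node, depth: int = 0) -> List[str]:
    """Indented text form of the stored tree, marking diamonds and looped events."""
    tag = {"looped": " <looped>", "diamond": " <diamond>", "basic": ""}
    suffix = tag.get(node["kind"], f" [{node.get('gate')}]")
    lines = ["  " * depth + node["event"] + suffix]
    for child in node.get("inputs", []):
        lines += render(child, depth + 1)
    return lines


if __name__ == "__main__":
    tree, developed = build("Q3 LO")
    print("\n".join(render(tree)))
    for cs in sorted(minimal_cut_sets(tree, developed), key=sorted):
        print(sorted(cs))
```

In the toy library Q2 LO is reached first under G2 LO and developed there; its second appearance as a direct input of Q3 LO is therefore emitted as a looped diamond rather than a second copy of the subtree, Q2 NONE under G1 LO is deleted because Q2 is already LO in that branch, and the cut sets come out the same as they would with the subtree duplicated.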
Special systems
There are certain features which are treated in the method as special systems using an appropriate special system model. Each special system model has a standard structure and the use of such models therefore imparts this structure to the tree generated.

Looping and suppression
The fault tree obtained is liable to contain looped events or variable deviations which have already occurred elsewhere in the tree and for which a subtree has therefore been developed. The tree may also contain a large number of minor or repeated faults. This is due to the fact that the fault tree is generated from a number of unit models each of which contains a comprehensive set of faults, including relatively minor faults, and that the same faults may be repeated for a whole set of units in a line. It is necessary, therefore, to have methods of handling looped events and to be able to prune the tree of trivial or repeated faults, although this needs to be done with great care.

Rationalisation
There are a number of operations and checks on the tree which can be carried out only when the full tree has been generated. These include both further consistency checking and tree consolidation. It is necessary, therefore, to rationalise the crude tree generated in the initial synthesis.
Stored and drawn trees
FLTGEN carries out the processes of tree development and tree drawing separately and sequentially. The stored tree contains the full information on the tree constructed. Options exist, however, to suppress the drawing of some parts of the tree. For example, it may be desired to suppress the drawing of subtrees which have already been drawn in another part of the tree.

LOOPING, SUPPRESSION AND CONSOLIDATION
Looped events often occur in the trees which are developed for control loops and trip loops. These special systems trees tend to be very similar to the main tree. Another common source of looped events is the splitting and merging of process streams in dividers and headers. The size of the fault tree drawn may be reduced by identifying the looped events and suppressing the drawing of their subtrees. Thus the use of looped events is a device for limiting the size of the drawn tree. FLTGEN contains an option to use looped events and thus to suppress the associated subtrees in the drawn trees. If this option is selected, the looped events are drawn as diamond events. The use of the option also affects the stored tree in so far as the subtrees of events identified as looped are not generated. Instead, the tree structure is modified so that the looped event points to the first, and only, occurrence of the subtree. The minimum cut sets of the tree can therefore be obtained whether or not the looping option is selected.

It is also desirable to be able to prune the tree to remove trivial or repeated faults. This needs to be done with great care, because even an apparently insignificant fault may have serious consequences. Unless some action is taken, however, the tree may be dominated by blockage and leakage faults which are not those of primary interest to the analyst. It is desirable, therefore, to provide the analyst with means to remove these faults so that the tree can on occasion be studied without them. One method of pruning the tree is fault suppression. This is available in FLTGEN in several forms. The first option is to effect complete suppression of certain nominated types of basic event such as COMP-BLK and LK-LP-EN both in the drawn tree and in the stored tree.
The second option, which is less drastic, carries out partial suppression of nominated types of basic event so as to eliminate repetition of those events in a branch in the drawn tree but not in the stored tree. For example, consider the two-pipe system shown in Fig. 2(a). The fault tree for Q3 LO initially generated is that shown in Fig. 2(b), while that obtained after fault suppression is that given in Fig. 2(c). The suppression process eliminates one of the LK-LP-EN and one of the PART-BLK faults. There is no suppression at the bottom level of a branch.
Fig. 2. Fault tree illustrating partial fault suppression: (a) two-pipe system; (b) tree before suppression; (c) tree after partial fault suppression. [Figure not reproduced. Events in (b): Q3 LO, G2 LO, Q2 LO, G1 LO, Q1 LO, LK-LP-EN UNIT 1, LK-LP-EN UNIT 2, PART-BLK UNIT 1 (twice) and PART-BLK UNIT 2 (twice). Events remaining in (c): Q3 LO, G2 LO, Q1 LO, LK-LP-EN UNIT 2, PART-BLK UNIT 2 and PART-BLK UNIT 1.]
The third option carries out suppression of transmissive and intermediate events in the drawn but not in the stored tree wherever such an event is the sole cause of the event above. This has the effect of telescoping long sequences of such events, particularly flow and pressure gradient deviations, which are not of prime significance. Figure 2(c) illustrates this type of suppression also.
Another method of pruning is fault consolidation. This involves replacing certain nominated types of basic event in a section of the tree with an equivalent single basic event, or at least with a smaller set of basic events. The heuristics for fault consolidation have not been developed and FLTGEN does not have an option for fault consolidation. Both looping and suppression are carried out as part of the initial synthesis.
TREE CONSISTENCY
As described above, there are two types of consistency, series and parallel. The two types of consistency may be illustrated by considering the tree shown in Fig. 3. For series consistency each event under Event 1 must be consistent with the top event, with Event 1 and with every other event between it and Event 1. For parallel consistency each event under Event 1 must be consistent with Event 2 and the branch beneath it.

Fig. 3. Fault tree illustrating series and parallel consistency. [Figure not reproduced: TOP EVENT with EVENT 1 and EVENT 2 beneath it.]

The rules for parallel consistency are as follows:
(1) The events under Event 1 are always affected by the boundary conditions of Event 2.
(2) The events under Event 1 are affected by the boundary conditions of the immediate causes of Event 2 if either (a) the causes are linked by an AND gate, or (b) there is only a single cause.
(3) The causes of events whose boundary conditions affect the events under Event 1 will also affect the events under Event 1 if condition (2)(a) or (b) applies to the causes of such events.
In FLTGEN series consistency is checked during the initial tree synthesis and parallel consistency as part of the tree rationalisation process.
TREE STRUCTURE

Special systems
In process plant systems there are features which have, or may have imposed on them, a characteristic structure. In the method such features are treated as special systems using an appropriate special system model. These are
(1) Divider-header combinations.
(2) Control loops.
(3) Trip loops.
(4) Physical and phase changes.
(5) Materials failures.
(6) Sequential operations.
Each special system model has a standard structure and the use of such a model therefore imparts this structure to the tree generated. This has two advantages. One is that it is easier to develop rules and heuristics for tree synthesis and rationalisation for such systems. The other is that the tree generated is more transparent. In general, the treatment of a special system involves
(1) Identification.
(2) Model selection.
(3) Tree development.
(4) Rationalisation.
Divider-header combinations
Dividers and headers may be used as single units, but they may also be used in defined combinations. The features which are treated as divider-header combinations are
(1) Bypass systems.
(2) Parallel systems.

Bypass systems
A bypass system as defined here is a system with a bypass which is normally shut. A system with a bypass which is normally open is treated as a parallel system. A bypass system involves a divider and header in combination. The identification of the divider and header as a bypass system is made in the configuration data. The principal use of bypass systems is on control valves. A typical bypass system on a control valve is shown in Fig. 4. The system is shown in the normal operating mode with the bypass valve shut.

Fig. 4. Bypass system: control valve and bypass. [Figure not reproduced.]

This system requires special treatment, because the application of the synthesis rules would otherwise give an incorrect result. Thus Fig. 5 shows the fault tree which would normally be obtained for Q5 HI using these rules. This fault tree is incorrect, however, as it stands. The correct minimum cut set is HV-F-OP and not HV-F-OP AND Q1 SOME. This is because some flow through valve and pipe is the normal condition given that Q5 HI exists. The problem arises because there is in fact a relation between streams 2 and 5 which is not fully taken into account.

Fig. 5. Fault tree for bypass system: fault tree for Q5out HI obtained using normal method (and incorrect). [Figure not reproduced: Q5 HI developed through G7 SOME, G4 HI, Q4 HI, G3 HI, Q3 HI, G2 HI, Q2 HI, G1 HI and Q1 HI, with Q7, G6, Q6, G2, Q2, G1 and Q1 SOME and the basic event HV-F-OP.]

In order to overcome the problem it is necessary to associate the divider and the header explicitly and to treat them as a divider-header combination. The method adopted to deal with this problem is to separate faults which are internal to the divider-header combination from those which are external to it. This is done by declaring a divider-header combination in the configuration information. The fault tree for an event in such a combination is then built as shown in Fig. 6.

Fig. 6. Fault tree for bypass system: special systems model. [Figure not reproduced: TOP EVENT developed into INTERNAL FAULTS and into EXTERNAL EVENTS together with FAULTS PERMITTING PROPAGATION OF EXTERNAL EVENTS.]

The fault tree for Q5 HI then becomes as shown in Fig. 7(a). Three of the faults in this tree are then eliminated as shown. A fault classified as an internal fault is not allowed under the domain of external faults and vice versa. Thus G2 HI is not permissible under the domain of external faults because it is an internal one. Q2 HI is not permissible under the domain of internal faults because it is an external one. These are therefore each impossible events and the branch is deleted up to the OR gate. Q2 SOME is a certain event, since there is normally some flow into the combination if there is flow, HI or LO, out of it, and is deleted up to the AND gate. The final fault tree is as shown in Fig. 7(b).

Fig. 7. Fault tree for bypass system: fault tree for Q5out HI obtained using special systems model: (a) fault tree before fault elimination; (b) fault tree after fault elimination. [Figure not reproduced. (a) Q5 HI with EXTERNAL FAULTS and INTERNAL FAULTS branches containing Q2 HI, G7 SOME, G4 HI, Q4 HI, G3 HI, Q3 HI, G2 HI, Q1 SOME, Q7 HI, G6 HI, Q6 HI, HV-F-OP and G2 SOME. (b) Q5 HI with G7 SOME, G2 SOME, Q7 HI, HV-F-OP and Q1 HI.]

Parallel systems
A parallel system is defined here as a system with two or more flow paths which are normally open. The flow paths need not be identical. A parallel system involves a divider and header in combination. The identification of the divider and header as a parallel system is made in the configuration data. This system requires special treatment for reasons similar to those for the bypass system. The treatment of a parallel system is identical with that of a bypass system with one exception. This exception is the treatment of low flow through the system. The reason why a different treatment is necessary in this case is the large variety of ways in which these events can occur in such a system. The problem arises due to the need to accommodate both parallel and r-out-of-n systems. An r-out-of-n (r/n) system is defined here as one in which there are n paths of which r must fail for the system to fail. The standard fault tree for low flow through a parallel system is shown in Fig. 8.

Fig. 8. Fault tree for parallel system: fault tree for Qout LO obtained using special systems model. [Figure not reproduced: LOW FLOW THROUGH PARALLEL SYSTEM developed into EXTERNAL FAULTS, INTERNAL FAULTS CAUSING FLUID LOSS (e.g. LK-LP-EN) and INTERNAL FAULTS CAUSING FLOW RESTRICTION (e.g. PUMP SHUTDOWN) IN INDIVIDUAL BRANCHES.]
Control loops
Control loops are important in fault propagation, because the function of a control loop is to prevent the propagation of disturbances. The control loops, therefore, are key features. A control loop is identified as such in the configuration data. There are three special models for control loops. These models depend on whether the variable of interest is controlled or manipulated by the control loop and whether the control loop is feedback or feedforward. The three models used are for the following cases:
(1) Controlled variable deviation in either feedback or feedforward loop.
(2) Manipulated variable deviation in feedback loop.
(3) Manipulated variable deviation in feedforward loop.

Controlled variable deviation
A control loop has four generic modes which can cause a controlled variable deviation:
(1) A fault in the control loop itself which is alone sufficient to cause the deviation.
(2) A potentially controllable deviation in one of the inputs to the control loop AND a fault in the control loop which prevents it from taking the necessary corrective action.
(3) An uncorrectable deviation in one of the inputs to the control loop.
(4) A fault undetectable by, or misleading to, the control loop.
In this context an input variable is any variable, upstream or downstream, which affects the controlled variable. For example, in a flow control loop the downstream pressure is an input variable. An uncorrectable deviation is one for which the control loop has insufficient potential correction and which therefore overloads the loop. The uncorrectable deviations for a control loop are those which cause no flow and reverse flow of the manipulated variable. These will be flow and pressure gradient deviations. Thus deviations HI and LO are correctable. So also are NONE and REV, unless the deviation occurs in the manipulated stream. An undetectable or misleading fault is one which causes the control loop to take no action or even the action opposite to that which it should take. For example, a leak located downstream of the flow sensor and upstream of the control valve in a flow control loop would cause the flow sensor to read high and the control valve to shut, whereas given the leak it is necessary for the valve to open to maintain the flow. The generic fault tree for a controlled variable deviation is shown in Fig. 9.

Fig. 9. Fault tree for control loop: special systems model for controlled variable deviation. [Figure not reproduced: CONTROLLED VARIABLE DEVIATION developed into (1) CONTROL LOOP FAULT, (2) INPUT VARIABLE CONTROLLABLE DEVIATION with CONTROL LOOP STUCK, (3) INPUT VARIABLE UNCONTROLLABLE DEVIATION and (4) UNDETECTABLE FAULTS AND MISLEADING FAULTS.]
Manipulated variable deviation
It is necessary to take into account also manipulated variable deviations. In this case it is necessary to distinguish between feedback and feedforward control loops. A feedback control loop has three generic modes which can cause a manipulated variable deviation:
(1) A fault in the control loop itself which is alone sufficient to cause the deviation.
(2) A potentially correctable deviation of the manipulated variable AND a fault in the loop which prevents it making the necessary corrective action.
(3) A fault transmitted by a healthy control loop.
The generic fault tree for a manipulated variable deviation in a feedback control loop is shown in Fig. 10.

Fig. 10. Fault tree for control loop: special systems model for manipulated variable deviation in feedback loop. [Figure not reproduced: MANIPULATED VARIABLE DEVIATION developed into (1) CONTROL LOOP FAULT, (2) FAULT CAUSING MANIPULATED VARIABLE DEVIATION with CONTROL LOOP STUCK and (3) FAULT TRANSMITTED BY HEALTHY CONTROL LOOP.]

The concept of manipulated variable deviations is not as straightforward as that of controlled variable deviations and requires some further explanation. Consider the heat exchanger system shown in Fig. 11 in which a process stream on the tube side is being cooled by cooling water on the shell side. The controlled variable is the tube side temperature and the manipulated variable is the cooling water flow. Low flow of coolant may be caused by a fault in the control loop (Type 1 fault above), by a partial blockage in the cooling water line AND temperature control loop stuck (Type 2 fault) or by low inlet temperature of the process stream (Type 3 fault).

Fig. 11. Heat exchanger system. [Figure not reproduced.]

A feedforward control loop has three generic modes which can cause a manipulated variable deviation:
(1) A fault in the control loop itself which is alone sufficient to cause the deviation.
(2) A potentially correctable deviation of the manipulated variable.
(3) A fault transmitted by a healthy control loop.
The generic fault tree for a manipulated variable deviation in a feedforward control loop is shown in Fig. 12.

Fig. 12. Fault tree for control loop: special systems model for manipulated variable deviation in feedforward loop. [Figure not reproduced: MANIPULATED VARIABLE DEVIATION developed into (1) CONTROL LOOP FAULT, (2) FAULT CAUSING MANIPULATED VARIABLE DEVIATION and (3) FAULT TRANSMITTED BY HEALTHY CONTROL LOOP.]
Trip loops
Trip loops also are important in fault propagation, because the function of a trip loop is to prevent the propagation of disturbances which may have serious consequences. The trip loops also, therefore, are key features. A trip loop is identified as such in the configuration data. There are two special models for the functional failure of trip loops. These models depend on whether the trip valve is normally open or normally closed. The special model for an open valve trip loop is shown in Fig. 13, that for a closed valve trip loop in Fig. 14. The difference between the two trip loop models is that the closed valve trip loop cannot operate if there is any form of blockage or shut valve in any of the lines through which the fluid released by the opening of the trip valve must pass. Trip loop operational failure does not require special models.

Fig. 13. Fault tree for trip loop: special systems model for open valve trip loop. [Figure not reproduced: TL-FN-F developed from TRIP DOES NOT ACTIVATE and TRIP SHOULD ACTIVATE.]

Fig. 14. Fault tree for trip loop: special systems model for closed valve trip loop. [Figure not reproduced: TL-FN-F developed from TRIP DOES NOT ACTIVATE (FAULT IN TRIP LOOP COMPONENT, FAULT IN PIPEWORK) and TRIP SHOULD ACTIVATE.]

Physical and phase changes
A physical or phase change is a possible cause of a variable deviation, over and above the possible causes in the unit model. An example is that freezing causes no flow. The causes of the physical or phase change are given by an event model for that change. Information on which parts of the plant section under study, if any, are liable to physical or phase change of the fluid is entered as part of the configuration input data.
Materials failures
A materials failure is a possible cause of an event which is normally considered as a basic event, in other words an event with no causes in the model for that unit. An example is that corrosion in a pipe is a possible cause of a leak in that pipe. The causes of the materials failure are given by an event model for that failure. Information on which parts of the plant section under study, if any, are liable to a particular materials failure is entered as part of the configuration input data. The treatments of physical and phase changes and/or materials failures as causes of events which would otherwise be treated as basic events are rather advanced features and are brought into play only if the user selects them as options in FLTGEN.
Sequential operations
Fault trees for sequential operations may be synthesised. The characteristic feature of a sequence is that there is a series of different plant configurations which must be considered. A sequential operation is often carried out by a process control computer. For a sequence there are two types of top event which may be examined. One is an undesired event, which is treated in the usual way, except that it is necessary to consider the causes of this event for each stage of the sequence. The other type of event, which is of particular interest if the sequence is computer controlled, is failure to complete the sequence, or abortion of the sequence. A sequential operation consists of a series of stages, each of which must be successful for the sequence as a whole to be successful. In the method this latter type of fault is treated by making the top event the event Sequence Aborts. The overall tree is that for the failure of the whole sequence. The causes of the top event are Sequence Aborts At Stage 1 OR Sequence Aborts After Stage 1. The causes of the latter event are Sequence Aborts At Stage 2 OR Sequence Aborts After Stage 2. And so on. The tree is therefore as shown in Fig. 15.
Fig. 15. Fault tree for sequential operation. [Figure not reproduced: SEQ-ABRT developed into SEQ-F-AT STEP 1 and SEQ-F-AF STEP 1, the latter into SEQ-F-AT STEP 2 and SEQ-F-AF STEP 2, etc.]

The following events are used in developing sequential trees:
SEQ-ABRT  sequence aborts
SEQ-F-AT  sequence fails at
SEQ-F-AF  sequence fails after
In contrast to most fault trees, therefore, a fault tree for a sequence need not be concerned with hazardous events but may be concerned with failure to complete the sequence. However, hazardous events may occur in a sequential operation. For these a separate treatment is required. An illustrative example of the synthesis of a sequential fault tree is given in Ref. 3.
TREE RATIONALISATION
After the initial fault tree has been synthesised, it is necessary to rationalise it. The rationalisation process covers the following aspects:
(1) Impossible and certain events.
(2) Parallel consistency.
(3) Combination of branches.
(4) Trip loop functional failure effects.
Impossible and certain events
It is necessary during tree construction to check for the occurrence of events which are impossible or certain. An impossible event arises if
(1) All the causes of the event violate the boundary conditions currently in force.
(2) The event is the output of an AND gate and one of the causes violates the boundary conditions.
A certain event occurs if
(1) The event Q SOME or G SOME occurs in a stream where the flow Q or pressure gradient G is known to be HI or LO.
(2) The event Q NONE is traced to a closed valve.
(3) The event G SOME occurs at a point where pressure is atmospheric.
An impossible event must be deleted from the tree. In addition, if the impossible event is an input to an AND gate, the output event of this gate itself becomes an impossible event and must be removed. This process is continued as far as necessary. A certain event must also be removed from the tree. In addition, all the events above the certain event must be removed until an AND gate is encountered.

As an example of an impossible event consider the header system shown in Fig. 16. If the two inlet ports of the header are each capable of providing 100% of the desired throughput, the model for low flow out of the header is as given in Fig. 17. Essentially, low flow out of the header will occur if there is a restriction downstream giving G2out LO, or the flow in both inlet lines is reduced. For simplicity, reverse flow effects are not included in the model shown here. The impossible events in this model are the two Q2out NONE events, which would otherwise be causes of no flow at the inlet ports. They are inconsistent with the top event of this model, Q2out LO. This system also illustrates another type of deletion. Q2out LO, as well as being the top event of the model, is also a potential cause of low flow at the two inlet ports. The second occurrence of Q2out LO can add nothing to the definition of the fault tree, since Q2out LO has already occurred in this branch of the fault tree, and so such events are removed from the tree.

Fig. 16. Header system. [Figure not reproduced.]

Fig. 17. Model for low flow out of the header. [Figure not reproduced; the extracted figure text is not recoverable.]

As an example of a certain event consider the pipe-valve (closed) system shown in Fig. 18. The fault tree for the event Q1 SOME in the pipe-valve system is shown in Fig. 19. The event G3 SOME is the certain event and is deleted from the tree. As a result of the consequent deletions the tree reduces to the form shown in Fig. 20.

Fig. 18. Pipe-valve system. [Figure not reproduced: units 1, 2 and 3 followed by the TAIL.]

Parallel consistency
Parallel consistency has been described above. It can be checked only at the rationalisation stage, because the checks involve comparisons with other branches in the tree. One branch under an AND gate must be synthesised before the other branches and so parallel consistency checking is possible only when the initial synthesis has been completed.
Fig. 19. Fault tree for pipe-valve system with certain event: initial fault tree for Q1 SOME. [Figure not reproduced: events Q1 SOME, G1 SOME, Q2 SOME, G2 SOME, HV-F-OP, Q3 SOME and G3 SOME.]

Fig. 20. Fault tree for pipe-valve system with certain event: reduced fault tree for Q1 SOME. [Figure not reproduced: events Q1 SOME, G2 SOME and HV-F-OP.]

The checking of parallel consistency is done in two stages:
(1) Identification of the boundary conditions in each branch which affect other branches.
(2) Identification and deletion of events in these other branches which violate these boundary conditions.
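The deletion rules for impossible, certain and repeated events, together with the parallel consistency rules (1) to (3) of the TREE CONSISTENCY section, can be implemented as a single pass over the synthesised tree. The Python below is an added example for this edition, not FLTGEN's code; the trees are constructed in the spirit of the header (Figs 16 and 17) and pipe-valve (Figs 18 to 20) examples, the event names (Q2OUT, Q1IN, BOTH INLET FLOWS LO, G3 as the atmospheric point) are assumed, the compatibility rules between deviations (SOME is consistent with HI and LO, only NONE contradicts SOME, REV is treated like HI and LO) are this example's own, and the closed-valve rule for Q NONE is not modelled. Boundary conditions are carried as a mapping from variable to deviation: each event fixes its own variable for the causes below it (series consistency), and under an AND gate each branch additionally receives the conditions collected from its sibling branches (parallel consistency).

```python
"""Tree rationalisation: deletion of impossible, certain and repeated events,
with parallel consistency applied between the branches of an AND gate.
Added illustration only, not FLTGEN's code; trees and names are constructed
in the spirit of the paper's header and pipe-valve examples."""
from typing import Dict, List, Optional, Set, Tuple

DEVIATIONS = {"HI", "LO", "NONE", "REV", "SOME"}
Tree = Dict[str, object]


def leaf(event: str) -> Tree:
    return {"event": event}


def gate_node(event: str, gate: str, inputs: List[Tree]) -> Tree:
    return {"event": event, "gate": gate, "inputs": inputs}


def deviation_of(event: str) -> Tuple[Optional[str], Optional[str]]:
    parts = event.split()
    if len(parts) == 2 and parts[1] in DEVIATIONS:
        return parts[0], parts[1]
    return None, None


def classify(event: str, boundary: Dict[str, str], atmospheric: Set[str]) -> Optional[str]:
    """'impossible', 'certain', 'repeat' or None under the boundary conditions
    (variable -> deviation).  Basic faults are never classified.  Assumed here:
    SOME is consistent with HI and LO, and only NONE contradicts SOME."""
    var, dev = deviation_of(event)
    if var is None:
        return None
    known = boundary.get(var)
    if dev == "SOME":
        if known in ("HI", "LO") or var in atmospheric:
            return "certain"
        return "repeat" if known == "SOME" else None
    if known is None:
        return None
    if known == dev:
        return "repeat"
    if known == "SOME" and dev != "NONE":
        return None
    return "impossible"


def branch_conditions(node: Tree) -> Dict[str, str]:
    """Conditions a branch imposes on its siblings under an AND gate (rules
    (1)-(3)): its own event, and events beneath it reached through AND gates
    or single causes."""
    conds: Dict[str, str] = {}
    var, dev = deviation_of(node["event"])
    if var:
        conds[var] = dev
    if "gate" in node and (node["gate"] == "AND" or len(node["inputs"]) == 1):
        for child in node["inputs"]:
            conds.update(branch_conditions(child))
    return conds


def rationalise(node: Tree, boundary: Dict[str, str], atmospheric: Set[str]):
    """Returns ('ok', pruned tree), ('impossible', None) or ('certain', None)."""
    status = classify(node["event"], boundary, atmospheric)
    if status:
        return status, None
    if "gate" not in node:
        return "ok", node
    bc = dict(boundary)
    var, dev = deviation_of(node["event"])
    if var:
        bc[var] = dev                    # series consistency: fixed for the causes below
    kept = []
    for i, child in enumerate(node["inputs"]):
        cbc = dict(bc)
        if node["gate"] == "AND":        # parallel consistency from the sibling branches
            for j, sibling in enumerate(node["inputs"]):
                if j != i:
                    cbc.update(branch_conditions(sibling))
        st, sub = rationalise(child, cbc, atmospheric)
        if st == "ok":
            kept.append(sub)
        elif st == "impossible" and node["gate"] == "AND":
            return "impossible", None    # the AND output becomes impossible too
        elif st == "certain" and node["gate"] == "OR":
            return "certain", None       # removed upwards until an AND gate
        # impossible under OR, certain under AND, or a repeat: only the input goes
    if not kept:
        return ("impossible" if node["gate"] == "OR" else "certain"), None
    return "ok", {**node, "inputs": kept}


def events(node: Tree) -> List[str]:
    out = [node["event"]]
    for child in node.get("inputs", []):
        out += events(child)
    return out


# Header with two inlet ports (constructed); Q2OUT LO is the top event.
HEADER = gate_node("Q2OUT LO", "OR", [
    leaf("G2OUT LO"),
    gate_node("BOTH INLET FLOWS LO", "AND", [
        gate_node("Q1IN LO", "OR", [leaf("PART-BLK INLET 1"), leaf("Q2OUT NONE"), leaf("Q2OUT LO")]),
        gate_node("Q2IN LO", "OR", [leaf("PART-BLK INLET 2"), leaf("Q2OUT NONE"), leaf("Q2OUT LO")]),
    ]),
])

# Pipe-valve (closed) system (constructed); G3 is at the atmospheric tail.
PIPE_VALVE = gate_node("Q1 SOME", "OR", [gate_node("G1 SOME", "OR", [gate_node("Q2 SOME", "OR", [
    gate_node("G2 SOME", "AND", [leaf("HV-F-OP"), gate_node("Q3 SOME", "OR", [leaf("G3 SOME")])]),
])])])

if __name__ == "__main__":
    print(events(rationalise(HEADER, {}, set())[1]))
    print(events(rationalise(PIPE_VALVE, {}, {"G3"})[1]))
```

For the header, the two Q2OUT NONE events are deleted as impossible and the repeated Q2OUT LO events are dropped, leaving the inlet blockages under the AND gate. For the pipe-valve system, G3 SOME is certain, so Q3 SOME above it is removed up to the AND gate and G2 SOME is left with the single input HV-F-OP; the telescoping of the remaining sole-cause chain in the drawn tree (the third suppression option) then gives the Fig. 20 form.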
Combination of branches
Combination of branches is an operation carried out on special systems models. Its object is to check that the events occurring in two different branches of the same special systems model should appear in the final tree and, if so, in which branch. The combination process is applied to
(1) The undetectable/misleading and controllable input variable deviation branches of controlled variable control loop models.
(2) The manipulated variable deviation and fault transmitted by healthy control loop branches of manipulated variable control loop models.
(3) The internal faults causing fluid loss and flow restriction branches of parallel system models.
A detailed treatment of the combination process is beyond the scope of this paper.

Trip loop functional failure effects
The main treatment of trip loop functional failure effects is carried out as part of rationalisation. During the synthesis stage the only action taken is to note the events which may have to be ANDed with trip functional failure to propagate through the trip loop. Identification of the causes of trip functional failure and selection of the events which should actually be ANDed with trip functional failure are done during rationalisation.
CONCLUSION
One of the applications of the method developed for the representation of fault propagation in process plants is fault tree synthesis. The fault tree is synthesised from the minitrees of the unit and event models. The synthesis of the tree is simple in concept but more difficult in practice. It is necessary in generating the tree not to violate the boundary conditions and to eliminate not allowed faults. It is necessary to incorporate structure, associated with certain features such as divider-header combinations and control and trip loops, into the tree. These features are handled using special systems models. It is also necessary to combine branches and to provide the option to suppress less important faults. The tree is therefore synthesised in two stages. The first stage consists of the initial synthesis of the tree. The second stage consists of the rationalisation of the initial tree to produce the final tree.

The overall process of synthesis thus involves a series of operations. For the most part these operations are governed by rules, but in a few instances use is made of heuristics to make an operation more manageable. These heuristics are less readily justified than rules, but work well in practice. The need for the set of structure models, rules and heuristics appears to be due to several causes. One is the nature of process plants, which are among the more complicated systems analysed using fault trees. Flow effects in particular are difficult to handle. Another cause is the requirements of modelling for computer simulation, which involve a much more systematic treatment. This is a well known characteristic of computer simulation. A third cause is the requirement set in the project that the method developed should be as systematic as possible so that the fault tree is developed automatically from the unit models.

The method of fault tree synthesis developed has been encoded as a computer program FLTGEN and tested on a number of examples. These include the heat exchanger system described in the first paper, a reactor system, a distillation system and a pipeline system as well as the computer-controlled pump system described in the fourth paper. The account of the method and of the program given here is illustrative rather than comprehensive. There are many problems in tree synthesis and more rules and heuristics are used in the method than are described here.
ACKNOWLEDGEMENTS
The authors wish to acknowledge the work on fault propagation done and reported previously by Dr P. K. Andow and Dr G. A. Martin-Solis and the work on the computer program done by Dr C. P. Murphy, and to thank the Science and Engineering Research Council for supporting this work.
REFERENCES
1. Kelly, B. E. and Lees, F. P. The propagation of faults in process plants: 1. Modelling of fault propagation. Reliability Engineering, 16 (1986), pp. 3-38.
2. Kelly, B. E. and Lees, F. P. The propagation of faults in process plants: 3. An interactive, computer-based facility. Reliability Engineering, 16 (1986), pp. 63-86.
3. Kelly, B. E. and Lees, F. P. The propagation of faults in process plants: 4. Fault tree synthesis of a pump system changeover sequence. Reliability Engineering, 16 (1986), pp. 87-108.