A dynamic fault tree

The fault tree analysis is a widely used method for evaluation of systems reliability and nuclear power plants safety. This paper presents a new method, which represents extension of the classic fault tree with the time requirements. The dynamic fault tree offers a range of risk informed applications. The results show that application of dynamic fault tree may reduce the system unavailability, e.g. by the proper arrangement of outages of safety equipment. The findings suggest that dynamic fault tree is a useful tool to expand and upgrade the existing models and knowledge obtained from probabilistic safety assessment with additional and time dependent information to further reduce the plant risk.     

SCAP: a new methodology for safety management based on feedback from credible accident-probabilistic fault tree analysis system

As it is conventionally done, strategies for incorporating accident--prevention measures in any hazardous chemical process industry are developed on the basis of input from risk assessment. However, the two steps-- risk assessment and hazard reduction (or safety) measures--are not linked interactively in the existing methodologies. This prevents a quantitative assessment of the impacts of safety measures on risk control.We have made an attempt to develop a methodology in which risk assessment steps are interactively linked with implementation of safety measures. The resultant system tells us the extent of reduction of risk by each successive safety measure. It also tells based on sophisticated maximum credible accident analysis (MCAA) and probabilistic fault tree analysis (PFTA) whether a given unit can ever be made 'safe'. The application of the methodology has been illustrated with a case study.     

Probabilistic safety assessment improves surveillance requirements in technical specifications

Probabilistic Safety Assessment is widely becoming the standard method for assessing, maintaining, assuring and improving the nuclear power plant safety. To achieve one of its many potential benefits, the optimization approach of surveillance requirements in technical specifications was developed. Surveillance requirements in technical specifications define the surveillance test intervals for the equipment to be tested and the testing strategy. This optimization approach based mainly on probabilistic safety assessment results consists of three levels: component level, system level and plant level. The application of this optimization approach on system level has shown that the risk based surveillance requirements differ from existing ones in technical specifications.     

Risk-based maintenance of ethylene oxide production facilities

This paper discusses a methodology for the design of an optimum inspection and maintenance program. The methodology, called risk-based maintenance (RBM) is based on integrating a reliability approach and a risk assessment strategy to obtain an optimum maintenance schedule. First, the likely equipment failure scenarios are formulated. Out of many likely failure scenarios, the ones, which are most probable, are subjected to a detailed study. Detailed consequence analysis is done for the selected scenarios. Subsequently, these failure scenarios are subjected to a fault tree analysis to determine their probabilities. Finally, risk is computed by combining the results of the consequence and the probability analyses. The calculated risk is compared against known acceptable criteria. The frequencies of the maintenance tasks are obtained by minimizing the estimated risk. A case study involving an ethylene oxide production facility is presented. Out of the five most hazardous units considered, the pipeline used for the transportation of the ethylene is found to have the highest risk. Using available failure data and a lognormal reliability distribution function human health risk factors are calculated. Both societal risk factors and individual risk factors exceeded the acceptable risk criteria. To determine an optimal maintenance interval, a reverse fault tree analysis was used. The maintenance interval was determined such that the original high risk is brought down to an acceptable level. A sensitivity analysis is also undertaken to study the impact of changing the distribution of the reliability model as well as the error in the distribution parameters on the maintenance interval.     

Dynamic modeling of the tradeoff between productivity and safety in critical engineering systems

Short-term tradeoffs between productivity and safety often exist in the operation of critical facilities such as nuclear power plants, offshore oil platforms, or simply individual cars. For example, interruption of operations for maintenance on demand can decrease short-term productivity but may be needed to ensure safety. Operations are interrupted for several reasons: scheduled maintenance, maintenance on demand, response to warnings, subsystem failure, or a catastrophic accident. The choice of operational procedures (e.g. timing and extent of scheduled maintenance) generally affects the probabilities of both production interruptions and catastrophic failures. In this paper, we present and illustrate a dynamic probabilistic model designed to describe the long-term evolution of such a system through the different phases of operation, shutdown, and possibly accident. The model's parameters represent explicitly the effects of different components' performance on the system's safety and reliability through an engineering probabilistic risk assessment (PRA). In addition to PRA, a Markov model is used to track the evolution of the system and its components through different performance phases. The model parameters are then linked to different operations strategies, to allow computation of the effects of each management strategy on the system's long-term productivity and safety. Decision analysis is then used to support the management of the short-term trade-offs between productivity and safety in order to maximize long-term performance. The value function is that of plant managers, within the constraints set by local utility commissions and national (e.g. energy) agencies. This model is illustrated by the case of outages (planned and unplanned) in nuclear power plants to show how it can be used to guide policy decisions regarding outage frequency and plant lifetime, and more specifically, the choice of a reactor tripping policy as a function of the state of the emergency core cooling subsystem.     

Evaluation of allowed outage time considering a set of plant configurations

Allowed outage time (AOT) is the maximum time for which certain safety equipment can be put out of the operation without the plant is put in a safer operating state. A method for risk informed evaluation of AOTs is developed, which enables consideration of a set of plant configurations in the evaluation. The method bases on risk measures obtained from probabilistic safety assessment, e.g. conditional change of core damage frequency considering selected plant configurations. The results of selected examples show that better methods and more data included into the models may reduce the conservatism in the evaluations and may contribute to increased flexibility about decisions on AOT.     

A branching search approach to safety system design optimisation

Safety systems are designed to prevent or mitigate the consequences of potentially hazardous events. In many industries the failure of such systems can result in fatalities. Current design practice is usually to produce a safety system which meets a target level of performance that is deemed acceptable by the regulators. However, when the system failure will result in fatalities it is desirable for the system to achieve an optimal rather than adequate level of performance given the limitations placed on available resources.The unavailability of safety systems can be predicted using fault tree analysis methods. Formulating an optimisation problem for the system design has features which make standard mathematical optimisation techniques inappropriate. The form of the objective function is itself a function of the design variables, the design variables are mainly integers and the constraint forms can be implicit or non-linear.This paper presents a Branching Search algorithm which exploits characteristics common to many safety systems to explore the potential design space and deliver an optimal design. Efficiency in the method is maintained by performing the system unavailability evaluations using the Binary Decision Diagram method of fault tree solution. Limitations are placed on resources such as cost, maintenance down-time and spurious trip frequency. Its application is demonstrated on a High Integrity Protection System.     

Gastric esophageal surgery risk analysis with a fault tree and Markov integrated model

Reliability methods have been widely used in risk analysis of medical surgeries. In this study, the authors combine a fault tree with Markov models to assess time independent- and dependent factors together. Dynamics are integrated in the traditional fault tree, and meanwhile the processes of solving Markov are simplified with the modular approach. Continuous time Markov chains are adopted in evaluating the failure probability of a gastric esophageal surgery after categorizing basic events in the fault tree, and a certain time dependent variables, such as failure rate of medical equipment, surgery frequency, and rescue timeliness are involved into risk analysis. A case is studied with data collected from a general hospital, to illustrate the operational process of the proposed method. Results based on the inputs show that taking rescue actions into consideration can reduce the gap between the result of fault tree analysis and the reality. Sensitivity analysis for measuring the impacts of the above time relevant variables is conducted, as well as limitations of the Markov model are discussed.     

Analysis of truncation limit in probabilistic safety assessment

A truncation limit defines the boundaries of what is considered in the probabilistic safety assessment and what is neglected. The truncation limit that is the focus here is the truncation limit on the size of the minimal cut set contribution at which to cut off. A new method was developed, which defines truncation limit in probabilistic safety assessment. The method specifies truncation limits with more stringency than presenting existing documents dealing with truncation criteria in probabilistic safety assessment do. The results of this paper indicate that the truncation limits for more complex probabilistic safety assessments, which consist of larger number of basic events, should be more severe than presently recommended in existing documents if more accuracy is desired. The truncation limits defined by the new method reduce the relative errors of importance measures and produce more accurate results for probabilistic safety assessment applications. The reduced relative errors of importance measures can prevent situations, where the acceptability of change of equipment under investigation according to RG 1.174 would be shifted from region, where changes can be accepted, to region, where changes cannot be accepted, if the results would be calculated with smaller truncation limit.     

Application of the integrated safety assessment methodology to the emergency procedures of a SGTR of a PWR

This paper describes an application of the Integrated Safety Assessment (ISA) methodology to the safety and reliability assessment of emergency procedures of a nuclear power plant. The concept of ISA has been developed as a result of previous works on safety assessment and dynamic reliability. The method links the physical dynamics of the facility with its operating environment, subject to transitions between different time evolutions due to failures and/or system/operator interventions. For situations dominated by deterministic transitions (i.e. transitions upon deterministic demands as a result, for instance, of exceeding automatic actions or alarm setpoints), the methodology can be considered an extension of PSA and accident analysis techniques that replaces the static event tree with a deterministic dynamic event tree concept (DDET) based on the theory of probabilistic dynamics.In line with current studies carried out jointly by CSN and JRC-Ispra/ISEI, this paper reviews the main features of ISA and describes some of the details of its implementation in the case of a Westinghouse pressurized water reactor (PWR), in particular its application to the assessment of the emergency operating procedure (EOP) to mitigate the steam generator tube rupture (SGTR) initiating event.This application demonstrates the ISA feasibility for risk analysis of operating procedures (OP) by assessing a given set of OPs with a large PWR model of the TRETA-DYLAM-HOI software package, which is able to simulate recovery in a SGTR scenario. Some weak points in the SGTR EOP are identified and suggestions provided for their resolution.     

Condition, safety and cost profiles for deteriorating structures with emphasis on bridges

After an enormous investment in construction of highway networks undertaken in the second half of the 20th century, the highway networks of most European and North American countries are now completed or close to completion. As a result, the need in funding changed from building new highway structures to repair, rehabilitation, and replacement the existing ones. In this paper, a model for analyzing the evolution in time of probabilistic performance indicators of existing structures, in terms of condition, safety, and cost under no maintenance, preventive maintenance, and essential maintenance, is presented. This model integrates the current practice in bridge management systems based on visual inspections (condition index) with structural assessment (safety index) during the lifetime of existing structures. The proposed model allows the consideration of uncertainties in the performance deterioration process, times of application of maintenance actions, and in the effects of maintenance actions on the condition, safety, and life-cycle cost of structures by defining all parameters involved in the model as random variables. Interaction between condition and safety profiles is defined through probabilistic and deterministic relations. The probabilistic characteristics of the condition, safety, and cost profiles of deteriorating structures are computed by Monte-Carlo simulation. Several realistic examples, based on data on highway bridge components gathered in the United Kingdom, are presented.     

Delays and safety in airline maintenance

Airline maintenance operations affect the potential for flight delays and can also affect flight safety if signals of technical problems are missed or misinterpreted. In this paper, we use a probabilistic risk analysis model, represented by an influence diagram, to quantify the effect of an airline's maintenance policy on delays, cancellations and in-flight safety. The model represents the leading edge (LE) sub-system of a commercial passenger jet and consists of three tiers: (1) a set of management decision variables (e.g. the level of qualification of maintenance personnel); (2) a ground model linking policy decisions and flight delays; and (3) an in-flight model, linking policy decisions, maintenance quality and flight safety. To illustrate this model, we use data adapted (for confidentiality reasons) from a study of an existing airline. Clearly, the LE devices of an airplane are not among the most safety-critical and the risk of an accident due to poor maintenance is extremely small, but non-zero. The same model can be used for other, more critical parts of the aircraft to support maintenance policy decisions in which the trade-off between delays and safety may be more pronounced.     

考虑非平稳因素的混凝土桥梁概率极限状态评估

为建立混凝土桥梁构件的概率极限状态评估方法,借助等超概率原则分析我国在役桥梁构件评估周期及评估基准期,引入个体风险准则、社会风险准则、生命质量指标及成本优化方法确定构件运营阶段目标可靠指标,分别考虑非平稳及平稳概率模型进行荷载效应及抗力评估值确定,基于可靠度理论开展运营阶段评估分项系数校准,并以一座在役桥梁为例进行算例分析。结果发现:考虑我国在役桥梁运维实际情况,构件评估周期、评估基准期可分别取为6年、10年;对于一级、二级、三级延性破坏构件,评估目标可靠指标分别建议为3.37、3.13及2.85;采用一般运行状态或密集运行状态下平稳车辆荷载效应模型进行评估时,评估标准值可分别取为设计汽车荷载效应的0.705倍及0.805倍,考虑非平稳车载过程进行评估时,可在连续非平稳过程离散化的基础上,引入动态广义极值模型确定评估基准期内荷载效应最大值分布,并以0.95分位值作为评估标准值;对于重要性等级为一级的延性构件,恒载效应及抗力评估分项系数分别建议为1.056与1.194,一般运行状态与密集运行状态汽车荷载效应评估分项系数建议值分别为1.081与1.054,研究成果可为现行桥梁构件安全评估方法修订提供参考。     

A SIL quantification approach based on an operating situation model for safety evaluation in complex guided transportation systems

Safety analysis in guided transportation systems is essential to avoid rare but potentially catastrophic accidents. This article presents a quantitative probabilistic model that integrates Safety Integrity Levels (SIL) for evaluating the safety of such systems. The standardized SIL indicator allows the safety requirements of each safety subsystem, function and/or piece of equipment to be specified, making SILs pivotal parameters in safety evaluation. However, different interpretations of SIL exist, and faced with the complexity of guided transportation systems, the current SIL allocation methods are inadequate for the task of safety assessment. To remedy these problems, the model developed in this paper seeks to verify, during the design phase of guided transportation system, whether or not the safety specifications established by the transport authorities allow the overall safety target to be attained (i.e., if the SIL allocated to the different safety functions are sufficient to ensure the required level of safety). To meet this objective, the model is based both on the operating situation concept and on Monte Carlo simulation. The former allows safety systems to be formalized and their dynamics to be analyzed in order to show the evolution of the system in time and space, and the latter make it possible to perform probabilistic calculations based on the scenario structure obtained.     

Testing digital safety system software with a testability measure based on a software fault tree

Using predeveloped software, a digital safety system is designed that meets the quality standards of a safety system. To demonstrate the quality, the design process and operating history of the product are reviewed along with configuration management practices. The application software of the safety system is developed in accordance with the planned life cycle. Testing, which is a major phase that takes a significant time in the overall life cycle, can be optimized if the testability of the software can be evaluated. The proposed testability measure of the software is based on the entropy of the importance of basic statements and the failure probability from a software fault tree. To calculate testability, a fault tree is used in the analysis of a source code. With a quantitative measure of testability, testing can be optimized. The proposed testability can also be used to demonstrate whether the test cases based on uniform partitions, such as branch coverage criteria, result in homogeneous partitions that is known to be more effective than random testing. In this paper, the testability measure is calculated for the modules of a nuclear power plant's safety software. The module testing with branch coverage criteria required fewer test cases if the module has higher testability. The result shows that the testability measure can be used to evaluate whether partitions have homogeneous characteristics.     

Different sets of reliability data and success criteria in a probabilistic safety assessment for a plant producing nitroglycol

The lack of plant-specific reliability data for probabilistic safety assessments usually makes it necessary to use generic reliability data. Justifiably different assessments of plant behaviour (success criteria) lead to different models of plant systems. Both affect the numerical results of a probabilistic safety assessment. It is shown how these results change, if different sets of reliability data and different choices of success criteria for the safety system are employed. Differences in results may influence decisions taken on their basis and become especially important if compliance with a safety goal has to be proved, e.g. a safety integrity level. For the purpose of demonstration an accident sequence from a probabilistic safety assessment of a plant producing nitroglycol is used. The analysis relies on plant-specific reliability data so that it provides a good yardstick for comparing it with results obtained using generic data. The superiority of plant-specific data, which should of course be acquired, cannot be doubted. Nevertheless, plant safety can be improved even if generic data are used. However, the assignment to a safety integrity level may be affected by differences in both data and success criteria.     

Evaluation of tunnel safety: towards an economic safety optimum

The aim of this paper is to propose a method for the evaluation of tunnel safety using probabilistic risk assessment. The framework includes three criteria; personal-, societal- and economic risk. The use of personal and societal risk is becoming more and more widespread. There are however, still some difficulties in using the economic risk criterion. As a first step towards economic risk optimisation, the cost effectiveness of addition and removal of safety measures in tunnels is investigated. Finally, the application of the three proposed criteria is further discussed for some tunnelling projects currently underway in the Netherlands.     

An analysis of safety-critical digital systems for risk-informed design

This paper quantitatively presents the results of a case study which examines the fault tree analysis framework of the safety of digital systems. The case study is performed for the digital reactor protection system of nuclear power plants. The broader usage of digital equipment in nuclear power plants gives rise to the need for assessing safety and reliability because it plays an important role in proving the safety of a designed system in the nuclear industry. We quantitatively explain the relationship between the important characteristics of digital systems and the PSA result using mathematical expressions. We also demonstrate the effect of critical factors on the system safety by sensitivity study and the result which is quantified using the fault tree method shows that some factors remarkably affect the system safety. They are the common cause failure, the coverage of fault tolerant mechanisms and software failure probability.     

An overall model for maintenance optimization

This paper presents an approach for identifying the optimal maintenance schedule for the components of a production system. Safety, health and environment objectives, maintenance costs and costs of lost production are all taken into consideration, and maintenance is thus optimized with respect to multiple objectives. Such a global approach to maintenance optimization requires expertise from various fields, e.g., decision theory, risk analysis and reliability and maintenance modelling. Further, a close co-operation between management, maintenance personnel and analysts is required to achieve a successful result. In the past this has been a major obstacle to the extensive use of proper maintenance optimization methods in practice, and techniques to promote the communication between the involved parties of the optimization process is an essential element in the suggested approach. A simple step by step presentation of the required modelling is provided. Contrary to most current methods of RCM (Reliability Centered Maintenance), the approach is based on an analytic model, and therefore gives a sound framework for carrying out a proper maintenance optimization. The approach is also flexible as it can be carried out at various levels of detail, e.g., adopted to available resources and to the managements willingness to give detailed priorities with respect to objectives on safety vs production loss.