Safety and reliability analysis in a polyvinyl chloride batch process using dynamic simulator-case study: Loss of containment incident

In this paper, a novel methodology in batch plant safety and reliability analysis is proposed using a dynamic simulator. A batch process involving several safety objects (e.g. sensors, controller, valves, etc.) is activated during the operational stage. The performance of the safety objects is evaluated by the dynamic simulation and a fault propagation model is generated. By using the fault propagation model, an improved fault tree analysis (FTA) method using switching signal mode (SSM) is developed for estimating the probability of failures. The timely dependent failures can be considered as unavailability of safety objects that can cause the accidents in a plant. Finally, the rank of safety object is formulated as performance index (PI) and can be estimated using the importance measures. PI shows the prioritization of safety objects that should be investigated for safety improvement program in the plants. The output of this method can be used for optimal policy in safety object improvement and maintenance. The dynamic simulator was constructed using Visual Modeler (VM, the plant simulator, developed by Omega Simulation Corp., Japan). A case study is focused on the loss of containment (LOC) incident at polyvinyl chloride (PVC) batch process which is consumed the hazardous material, vinyl chloride monomer (VCM).     

Model-based system monitoring and diagnosis of failures using statecharts and fault trees

Models such as statecharts and fault trees become increasingly more available in electronic form as they progressively find more useful applications in the development of safety critical systems. As these models typically reduce in their utility after system certification, however, useful knowledge about the behaviour of the system remains unused in the operational phase of the system lifecycle. In this paper, we show that this knowledge could be exploited in the context of an on-line hazard-directed monitoring scheme in which a suitable specification derived from design models and safety analyses forms a reference monitoring model. As a practical application of this approach, we propose a generic safety monitor that can operate on statecharts and fault trees to support the on-line detection, diagnosis and control of hazardous failures in real-time. We discuss the structuring of the monitoring model, the monitoring algorithms and report on a case study performed on a model aircraft fuel system.     

Failure mode analysis for a hazardous waste clean-up manipulator

This paper describes the application of Fault Tree Analysis to the design phase of a robot manipulator for hazardous waste retrieval. The robot is to be deployed in single-shell under-ground storage tanks at the US Department of Energy (DOE) site in Hanford, Washington. These tanks contain a variety of highly radioactive waste types, necessitating extremely safe and reliable manipulator operation. Based on preliminary design drawings of this long-reach manipulator, fault trees were constructed for several critical failure scenarios. Analysis of the trees revealed a number of ways to improve the safety and reliability of the manipulator design. This paper presents a summary of the fault tree analysis, with a discussion of the applicability of qualitative and quantitative fault tree methods to hazardous waste robotics.     

Identification of reference accident scenarios in SEVESO establishments

In the frame of the ESREL special session on ARAMIS project, this paper aims at presenting the work carried out in the first Work Package, devoted to the definition of accident scenarios. This topic is a key-point in risk assessment, and serves as basis for the whole risk quantification. A first part of the work aims at building a Methodology for the Identification of Major Accident Hazards (MIMAH), which is carried out with the development of generic fault and event trees based on a typology of equipment and substances. This work is coupled with an historical analysis of accidents. In a second part, influence of safety devices and policies will be considered, in order to build a Methodology for the Identification of Reference Accident Scenarios (MIRAS). This last one will take into account safety systems and lead to obtain more realistic scenarios.     

Safety analysis in process facilities: Comparison of fault tree and Bayesian network approaches

Safety analysis in gas process facilities is necessary to prevent unwanted events that may cause catastrophic accidents. Accident scenario analysis with probability updating is the key to dynamic safety analysis. Although conventional failure assessment techniques such as fault tree (FT) have been used effectively for this purpose, they suffer severe limitations of static structure and uncertainty handling, which are of great significance in process safety analysis. Bayesian network (BN) is an alternative technique with ample potential for application in safety analysis. BNs have a strong similarity to FTs in many respects; however, the distinct advantages making them more suitable than FTs are their ability in explicitly representing the dependencies of events, updating probabilities, and coping with uncertainties. The objective of this paper is to demonstrate the application of BNs in safety analysis of process systems. The first part of the paper shows those modeling aspects that are common between FT and BN, giving preference to BN due to its ability to update probabilities. The second part is devoted to various modeling features of BN, helping to incorporate multi-state variables, dependent failures, functional uncertainty, and expert opinion which are frequently encountered in safety analysis, but cannot be considered by FT. The paper concludes that BN is a superior technique in safety analysis because of its flexible structure, allowing it to fit a wide variety of accident scenarios.     

Fault tree developed by an object-based method improves requirements specification for safety-related systems

Fault tree analysis is frequently used to improve system reliability and safety. To be suitable for analysis of software in computerised safety-related systems, it has to be modified accordingly. This paper presents a new application: the fault trees developed by an object-based method. The object-based method integrates structural and behavioural models of a system. The developed fault tree includes information on structure and the failure behaviours of classes of the system. Away from traditional use of the fault tree, which for traditional systems emphasises qualitative and quantitative results, the result of the new application emphasises the process of fault tree development and its qualitative results. Such fault tree application reduces the probability of failures in the requirements specification phase within the software life cycle, which increases the reliability of its product; however, it does not confirm this in a quantitative manner.     

A branching search approach to safety system design optimisation

Safety systems are designed to prevent or mitigate the consequences of potentially hazardous events. In many industries the failure of such systems can result in fatalities. Current design practice is usually to produce a safety system which meets a target level of performance that is deemed acceptable by the regulators. However, when the system failure will result in fatalities it is desirable for the system to achieve an optimal rather than adequate level of performance given the limitations placed on available resources.The unavailability of safety systems can be predicted using fault tree analysis methods. Formulating an optimisation problem for the system design has features which make standard mathematical optimisation techniques inappropriate. The form of the objective function is itself a function of the design variables, the design variables are mainly integers and the constraint forms can be implicit or non-linear.This paper presents a Branching Search algorithm which exploits characteristics common to many safety systems to explore the potential design space and deliver an optimal design. Efficiency in the method is maintained by performing the system unavailability evaluations using the Binary Decision Diagram method of fault tree solution. Limitations are placed on resources such as cost, maintenance down-time and spurious trip frequency. Its application is demonstrated on a High Integrity Protection System.     

Experimental study of a transformer with superconducting elements for fault current limitation and energy redistribution

Numerous proposed and developed superconducting fault current limiters and self-limiting transformers limit successfully fault currents but do not provide uninterrupted supplying of consumers. A design investigated in the work combines the functions of a conventional transformer with the functions of fast energy redistribution and fault protection. The device constitutes a transformer containing an additional high-temperature superconducting (HTS) coil short-circuited by a thin film HTS switching element. Fault current limitation and redistribution of the power flow to a standby line are achieved as a result of a fast transition of the superconducting switching element from the superconducting into the normal state. Transient and steady-state characteristics were experimentally investigated. A mathematical model of the device operation was proposed, and the calculated results were found to be in good agreement with the experimental data. The application field and basic requirements to such devices were discussed and it was shown that the proposed device meets these requirements.     

Fault-tree structures of override control systems

The development of a systematic fault-tree synthesis procedure for the override control systems is presented in this paper. The unique configuration of the digraph model under study is first described and then analyzed in detail. On the basis of qualitative simulation of the fault propagation patterns, the corresponding generalized fault-tree structures are then established. It can be observed clearly from the simulation results that none of the existing techniques are capable of producing the correct fault-trees. To demonstrate the correctness of our analysis, successful application of the proposed structure to furnace operation is also presented.     

Fault tree construction of hybrid system requirements using qualitative formal method

When specifying requirements for software controlling hybrid systems and conducting safety analysis, engineers experience that requirements are often known only in qualitative terms and that existing fault tree analysis techniques provide little guidance on formulating and evaluating potential failure modes. In this paper, we propose Causal Requirements Safety Analysis (CRSA) as a technique to qualitatively evaluate causal relationship between software faults and physical hazards. This technique, extending qualitative formal method process and utilizing information captured in the state trajectory, provides specific guidelines on how to identify failure modes and relationship among them. Using a simplified electrical power system as an example, we describe step-by-step procedures of conducting CRSA. Our experience of applying CRSA to perform fault tree analysis on requirements for the Wolsong nuclear power plant shutdown system indicates that CRSA is an effective technique in assisting safety engineers.     

Qualitative modelling of kinematic robots for fault diagnosis

This study presents an approach, the unit circle (UC), to qualitative representation of robots. A robot is described as a collection of constraints holding among time-varying, interval-valued parameters. The UC representation is presented, and the continuous motion of the end-effector is evaluated by the change of directions of qualitative angle and qualitative length. Analytical formulas of qualitative velocity and qualitative acceleration are derived. The characteristic mapping is introduced for fault detection and diagnosis in terms of the UC. In the end, simulation results demonstrate the feasibility of the UC approach in the domain of robotic fault diagnosis, where a fault is defined as a deviation from expected behavior. The UC representation of robots concerns a global assessment of the systems behaviour, and it might be used for the purpose of monitoring, diagnosis, and explanation of physical systems. This is the first step to fault diagnosis and remediation for Beagle 2 using qualitative methods.     

Analysis of fault tolerance and reliability in distributed real-time system architectures

Safety critical real-time systems are becoming ubiquitous in many areas of our everyday life. Failures of such systems potentially have catastrophic consequences on different scales, in the worst case even the loss of human life. Therefore, safety critical systems have to meet maximum fault tolerance and reliability requirements. As the design of such systems is far from being trivial, this article focuses on concepts to specifically support the early architectural design. In detail, a simulation based approach for the analysis of fault tolerance and reliability in distributed real-time system architectures is presented. With this approach, safety related features can be evaluated in the early development stages and thus prevent costly redesigns in later ones.     

基于场景变化的社交产品交互设计

目的探讨在用户场景发生变化的情况下使用互联网产品的消费习惯变化,旨在建立基于场景的设计方法模型,为体验设计师未来设计过程中提供更加方便实用的设计思路。方法首先通过深度访谈和观察明确不同场景下的用户需求,然后通过Kano模型对用户需求进行分类,再根据分类后的用户需求建立相应的用户模型,并将不同场景下的用户模型置入现有交互设计流程中,构建出基于用户场景变化下的交互设计流程。应用场景重新设计的交互框架,经上线后数据反馈验证对于提升产品留存以及步长等数据有明显的作用。结论在现有的交互设计方法基础上,通过实验及分析验证,提出基于不同场景下的社交产品交互设计方法,通过将该流程运用于互联网社交产品中,证明该方法的有效性和合理性。     

Testing digital safety system software with a testability measure based on a software fault tree

Using predeveloped software, a digital safety system is designed that meets the quality standards of a safety system. To demonstrate the quality, the design process and operating history of the product are reviewed along with configuration management practices. The application software of the safety system is developed in accordance with the planned life cycle. Testing, which is a major phase that takes a significant time in the overall life cycle, can be optimized if the testability of the software can be evaluated. The proposed testability measure of the software is based on the entropy of the importance of basic statements and the failure probability from a software fault tree. To calculate testability, a fault tree is used in the analysis of a source code. With a quantitative measure of testability, testing can be optimized. The proposed testability can also be used to demonstrate whether the test cases based on uniform partitions, such as branch coverage criteria, result in homogeneous partitions that is known to be more effective than random testing. In this paper, the testability measure is calculated for the modules of a nuclear power plant's safety software. The module testing with branch coverage criteria required fewer test cases if the module has higher testability. The result shows that the testability measure can be used to evaluate whether partitions have homogeneous characteristics.     

A dynamic fault tree

The fault tree analysis is a widely used method for evaluation of systems reliability and nuclear power plants safety. This paper presents a new method, which represents extension of the classic fault tree with the time requirements. The dynamic fault tree offers a range of risk informed applications. The results show that application of dynamic fault tree may reduce the system unavailability, e.g. by the proper arrangement of outages of safety equipment. The findings suggest that dynamic fault tree is a useful tool to expand and upgrade the existing models and knowledge obtained from probabilistic safety assessment with additional and time dependent information to further reduce the plant risk.     

Risk evaluation by modeling of passing behavior on two-lane rural highways

Passing maneuver on rural two-lane highways is a complex task, which has a significant effect on capacity, level of service and safety. The maneuver is conditioned on the gap between two successive vehicles on the opposing lane. The minimum time to collision, defined as the remaining gap between the passing vehicle and the oncoming vehicle at the end of the passing process, expresses a measure of the risk involved in the passing maneuver.This paper develops a model that explains the minimum time to collision. The model formulation is based on the analysis of drivers’ passing decisions on two-lane rural highways using an interactive driving simulator. The simulator enables the collection of vehicle speeds and positions for different road and traffic scenarios. In addition to the driver simulator, participants responded to a questionnaire which collected information about their socio-demographic characteristics.The composed dataset was analyzed and processed to develop a model that predicts the risk associated with the passing behavior. Tobit regression models were found to be more suitable, in comparison to ordinary least square models and Hazard-based Duration models. The explanatory variables tested represent road geometry, traffic conditions and drivers’ characteristics. It was found that while the traffic related variables had the most important effect on the measure of risk chosen, factors related to the geometric design and the driver characteristics also had a significant contribution.     

Assessment of fire vulnerability for nuclear power plant safety systems by combining fault-and success-oriented logic with physical models

The time behaviour of potential accident sequences may carry important information regarding nuclear power plant (NPP) safety operation and shutdown. In the case of external and environmental events, the ability of NPP components to operate correctly can be changed dramatically in a short time. In contrast to the failures caused by internal events, these two groups of undesirable events may lead to dynamic dependent failures among components of one or several systems. Such kinds of failure should be taken into account in the models of NPP behaviour. To evaluate how successfully the tasks of the safety systems will be carded out, logical models such as fault trees are usually used. The fault trees are not efficient at describing the short-term changes of the failure probabilities for system components. A method that has some advantages over the pure fault tree logic is proposed. The main features of the method are demonstrated by using examples.     

Identification and classification of dynamic event tree scenarios via possibilistic clustering: Application to a steam generator tube rupture event

This paper illustrates a method to identify and classify scenarios generated in a dynamic event tree (DET) analysis. Identification and classification are carried out by means of an evolutionary possibilistic fuzzy C-means clustering algorithm which takes into account not only the final system states but also the timing of the events and the process evolution. An application is considered with regards to the scenarios generated following a steam generator tube rupture in a nuclear power plant. The scenarios are generated by the accident dynamic simulator (ADS), coupled to a RELAP code that simulates the thermo-hydraulic behavior of the plant and to an operators’ crew model, which simulates their cognitive and procedures-guided responses.A set of 60 scenarios has been generated by the ADS DET tool. The classification approach has grouped the 60 scenarios into 4 classes of dominant scenarios, one of which was not anticipated a priori but was “discovered” by the classifier. The proposed approach may be considered as a first effort towards the application of identification and classification approaches to scenarios post-processing for real-scale dynamic safety assessments.     

Criteria for evaluating protection from single points of failure for partially expanded fault trees

Fault tree analysis (FTA) is a technique that describes the combinations of events in a system which result in an undesirable outcome. FTA is used as a tool to quantitatively assess a system's probability for an undesirable outcome. Time constraints from concept to production in modern engineering often limit the opportunity for a thorough statistical analysis of a system. Furthermore, when undesirable outcomes are considered such as hazard to human(s), it becomes difficult to identify strict statistical targets for what is acceptable. Consequently, when hazard to human(s) is concerned a common design target is to protect the system from single points of failure (SPOF) which means that no failure mode caused by a single event, concern, or error has a critical consequence on the system. Such a design target is common with “by-wire” systems. FTA can be used to verify if a system is protected from SPOF. In this paper, sufficient criteria for evaluating protection from SPOF for partially expanded fault trees are proposed along with proof. The proposed criteria consider potential interactions between the lowest drawn events of a partial fault tree expansion which otherwise easily leads to an overly optimistic analysis of protection from SPOF. The analysis is limited to fault trees that are coherent and static.     

基于EMD-DCS的滚动轴承伪故障特征识别方法

伪故障特征是健康零部件振动信号中具有的故障特征,伪故障特征是由系统内故障零部件引起的。由于滚动轴承伪故障特征与故障特征具有相似性,针对转子-轴承系统中滚动轴承伪故障特征识别问题,提出一种基于经验模式分解(Empirical Mode Decomposition,EMD)和循环平稳度(Degree of Cyclostationarity,DCS)的伪故障特征识别方法。利用滚动轴承健康信号和伪故障信号对比分析基于单通道伪故障信号进行滚动轴承故障诊断的技术难点;建立了考虑滚动轴承打滑率的转子-轴承系统动力学模型;利用时频分析方法和循环平稳分析方法对滚动轴承伪故障特征进行分析;给出了基于EMD-DCS的滚动轴承伪故障特征识别流程;在滚动轴承故障模拟实验台上开展了滚动轴承伪故障特征识别实验。实验结果表明:基于EMD-DCS的滚动轴承伪故障信号识别方法可以有效区分滚动轴承故障特征与伪故障特征。该研究工作对于提高滚动轴承故障诊断准确率、保障设备安全运行具有理论意义和实际应用价值。