2. An incident which starts in one item may affect
nearby items by thermal, blast, or fragment
impact. (e.g., vessels containing hazardous
materials)
Purpose of Domino Analysis:
• Predict the occurrence of incidents due to
domino effect.
• Estimate consequences and frequencies of
major incidents.
• To evaluate equipment separation to minimize
the potential for incident propagation.
3. Examples:
• LPG sphere BLEVE disaster at Feysin in
France (Lees, 1980)
• Mexico City LPG explosion (Pietersen,
1985);
4. Domino incidents may be analyzed by
either of two approaches:
• Increase the consequences of a given
incident at fixed frequency, to allow for
larger consequences due to domino effects
• Increase the failure frequency of a given
incident at fixed consequences, to allow for
domino effect contribution
5. Domino Incident Investigation
Description of Technique
Domino incidents may be considered in
two domains: either as an
• Increased frequency of occurrence of a
specified consequence (fault tree
context) or
• Increased consequence occurring at the
original frequency (event tree context).
6. In fault tree terms, extra external events
are added, to account for domino mechanisms
leading to the top event.
For example, BLEVE incidents are
frequently caused by leaks leading to pool or jet
fires. Such leaks substantially increase the
frequency of BLEVE incidents, but do not
contribute much to the consequences.
In Event Tree terms, extra outcomes are
added rather than terminating the event tree at
a single outcome.
7. An initial analysis is used to identify
primary incidents and their effect zones.
Effect zones should be defined in terms
sufficient to cause equipment failure rather
than fatality or injury effects.
Domino analysis is an extension of
hazard identification. Domino Analysis is
done after primary hazards have been
identified and consequence calculations
completed.
9. Input Requirements and Availability
• Plot layout showing the orientation and
separations between equipment items
• Consequence zones sufficient to cause
domino failures and the frequencies of the
primary incidents must be determined
• If layout information is not available at
design stage, separation distances must be
assumed based on existing practices and
codes
10. Output
The output is a modified list of
consequences and frequencies for
each incident, which is integrated into
the risk calculations
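The two domino approaches of slides 4 to 10 can be reduced to a screening calculation over the plot layout: for each equipment item, find which other items' effect zones reach it (fault-tree view: extra external events raising its failure frequency), or, for a given initiator, list the items inside its effect zone (event-tree view: extra outcomes at the original frequency). The following is an added example, not code from the original slides; the plot layout, frequencies and effect radii are constructed values, and the conditional escalation probability `p_escalation` is an assumption (1.0 is the conservative screening choice, consistent with defining effect zones as sufficient to cause equipment failure).

```python
import math

# Constructed plot layout (illustrative values, not from the slides):
# item -> position (m), primary incident frequency (per year) and the
# effect-zone radius (m) within which the incident is severe enough to
# cause failure of a neighbouring item (equipment-failure criterion, not injury).
PLOT = {
    "sphere_A": {"xy": (0.0, 0.0),    "freq": 1e-5, "effect_radius": 120.0},
    "sphere_B": {"xy": (60.0, 0.0),   "freq": 1e-5, "effect_radius": 120.0},
    "tank_C":   {"xy": (300.0, 40.0), "freq": 2e-4, "effect_radius": 50.0},
    "pump_D":   {"xy": (90.0, 30.0),  "freq": 1e-3, "effect_radius": 25.0},
}


def distance(a, b):
    """Separation between two items on the plot (metres)."""
    return math.dist(a, b)


def domino_sources(layout, target):
    """Items whose effect zone reaches `target`: candidate domino initiators."""
    txy = layout[target]["xy"]
    return [name for name, item in layout.items()
            if name != target and distance(item["xy"], txy) <= item["effect_radius"]]


def escalation_outcomes(layout, initiator):
    """Event-tree view: the extra outcomes of `initiator` at its original
    frequency, i.e. every item its effect zone reaches."""
    ixy = layout[initiator]["xy"]
    radius = layout[initiator]["effect_radius"]
    return [name for name, item in layout.items()
            if name != initiator and distance(ixy, item["xy"]) <= radius]


def modified_frequencies(layout, p_escalation=1.0):
    """Fault-tree view: each reaching primary incident is added as an external
    event, so the target's frequency becomes primary + sum(source freq * P).
    p_escalation is an assumed conditional probability of escalation."""
    result = {}
    for name, item in layout.items():
        sources = domino_sources(layout, name)
        added = sum(layout[s]["freq"] * p_escalation for s in sources)
        result[name] = {
            "primary": item["freq"],
            "domino": added,
            "total": item["freq"] + added,
            "sources": sources,
        }
    return result


if __name__ == "__main__":
    for name, row in modified_frequencies(PLOT).items():
        print(f"{name:9s} primary={row['primary']:.2e}/yr "
              f"domino={row['domino']:.2e}/yr total={row['total']:.2e}/yr "
              f"from {row['sources']}")
```

The output is the "modified list of consequences and frequencies" of slide 10: `modified_frequencies` feeds the frequency side of the risk calculation, `escalation_outcomes` the consequence side. Because effect zones are defined on an equipment-failure criterion, a smaller item (here the pump) inherits the frequencies of every larger inventory whose zone covers it, which is exactly the separation question slide 2 asks the analyst to evaluate.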
12. Unavailability Analysis of Protective
System
How to determine the probability
that a protective system will be in a failed
state when a demand on that system
occurs.
(Protective systems, such as pressure
vessel relief valves, function to prevent or
mitigate the occurrence of incidents.)
13. • Protection systems are of two types: protective
systems that relieve excessive energy (e.g., relief
valves) and those that isolate the energy (e.g.,
alarm and shutdown systems).
Protective systems can fail in two distinct
ways:
1. Protective systems can fail in a manner such that
the failure is revealed.
2. Protective systems fail to function on
demand (the failure is unrevealed until the demand
occurs).
14. FDT (Fractional Dead Time)
The average fraction of time that the
protective system is unavailable to do its
assigned function
(Also known as Unavailability)
If the frequency of a demand [demand
rate (D)] on a protective system is known and
the FDT of the protective system is known,
then the resulting hazard or incident rate (H)
can be calculated as
H = D x FDT
15. Description of Technique
Consider a protective system, with possible unrevealed
failures, consisting of a single component. At any
time, the component can be in either a failed or an
operational state.
There are only two opportunities to determine
whether the protective system is working:
1. If a demand occurs and the protective system
has to operate.
2. If a proof test is used to check the system on a
routine basis.
16. If a protective system is never proof
tested, the system will continue to degrade
until it fails.
The fractional dead time (FDT) of a
single component protective system is a
function of both the failure rate of the
component (λ), and the proof test interval
(T).
17. • Fractional Dead Time due to component
failure:
FDTC = ½ (λT)
(Assumption: failure occurs halfway through the
proof test interval)
• Fractional Dead Time due to on-line testing:
FDTt = tt / T
Where tt = Average on-line test time.
18. • Fractional Dead Time due to human error in
leaving the protection system in a failed state:
FDTet = (1/T) × Pet × T
Where 1/T = No. of proof tests per unit time
Pet = Probability of human error per proof test
• Fractional Dead time due to system failure
through repair:
FDTer
• Fractional Dead time due to common cause
failure:
FDTcc
19. The total fractional dead time (FDTT) is,
therefore, the sum of the fractional dead
times for component or system failure
(FDTC), on-line testing duration (FDTt),
human error in proof testing (FDTet),
repairing the system (FDTer), and common
cause failures (FDTCC).
FDTT = FDTC + FDTt + FDTet + FDTer + FDTCC
20. Fractional Dead Time for Redundant System
Where, m = No. of components/systems that
must work to be sure protection
occurs on demand
n = No. of redundant components/systems
r = n-m+1
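Slides 14 and 17 to 20 define the dead-time contributions and their sum; the following added example (not code from the original slides) puts them in one place and carries the calculation through to the hazard rate H = D × FDT. The repair and common-cause terms (FDTer, FDTCC) are taken as given inputs because the slides state no formula for them. Slide 20 names the redundancy parameters m, n and r = n − m + 1 without the equation; the `fdt_redundant` function uses the standard small-λT approximation FDT ≈ C(n, r)(λT)^r / (r + 1) from reliability texts, which is an assumption here and not a formula from the page; it reduces to ½λT for a single component. Sample values are constructed.

```python
from math import comb


def fdt_component(lam, T):
    """FDTC = ½ λT: unrevealed component failure, assumed to occur halfway
    through the proof-test interval T (λ and T in consistent units)."""
    return 0.5 * lam * T


def fdt_online_testing(t_test, T):
    """FDTt = tt / T: the system is dead for the average on-line test time tt."""
    return t_test / T


def fdt_human_error(p_error, T):
    """FDTet = (1/T) · Pet · T: one test per interval; an error leaves the
    system in a failed state until the next proof test."""
    return (1.0 / T) * p_error * T


def fdt_total(lam, T, t_test=0.0, p_error=0.0, fdt_repair=0.0, fdt_common_cause=0.0):
    """FDTT = FDTC + FDTt + FDTet + FDTer + FDTCC.
    FDTer and FDTCC are passed in as given (no formula on the slides)."""
    return (fdt_component(lam, T)
            + fdt_online_testing(t_test, T)
            + fdt_human_error(p_error, T)
            + fdt_repair
            + fdt_common_cause)


def hazard_rate(demand_rate, fdt):
    """H = D × FDT: incidents per unit time given demands per unit time."""
    return demand_rate * fdt


def fdt_redundant(lam, T, m, n):
    """m-out-of-n redundant protective system: r = n - m + 1 simultaneous
    unrevealed failures defeat the protection.
    ASSUMPTION (not stated on the slide): FDT ≈ C(n, r) (λT)^r / (r + 1),
    the usual approximation for λT << 1 with identical, independent channels."""
    r = n - m + 1
    return comb(n, r) * (lam * T) ** r / (r + 1)


if __name__ == "__main__":
    # Constructed sample: λ = 0.02 failures/yr, annual proof test,
    # 0.001 yr (about 9 h) of on-line testing, 0.2 % chance of leaving it dead.
    lam, T = 0.02, 1.0
    total = fdt_total(lam, T, t_test=0.001, p_error=0.002)
    print(f"FDTC = {fdt_component(lam, T):.4f}, FDTT = {total:.4f}")
    print(f"H at D = 0.5 demands/yr: {hazard_rate(0.5, total):.5f} /yr")
    for m, n in [(1, 1), (1, 2), (2, 3)]:
        print(f"{m}-out-of-{n}: FDT = {fdt_redundant(lam, T, m, n):.3e}")
```

With the constructed figures the component term (0.01) dominates the total (0.013), and the hazard rate at half a demand per year is 0.0065 incidents per year. The redundancy function shows why 1-out-of-2 voting (FDT = (λT)²/3) is a much larger improvement than 2-out-of-3 (FDT = (λT)²), at the cost of more spurious trips, which is the fail-safe versus fail-danger trade-off taken up again in slide 42.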
22. Input Requirements and Availability
Following information is required
• Protective System configuration
• Maintenance programs and policies
• Failure rate data for protective system
components
• System demand data
• FDT target or Hazard rate target
23. Output
The output of this analysis is the total
FDT of the protective system.
This is used to assess the adequacy
of the design and establish appropriate
inspection and maintenance programs.
25. Reliability Analysis of Automatic
Control Systems
Automatic Control Systems are
employed to improve:
• Plant Safety Efficiency
• Product Quality
26. Old Practice
The process control system consisted of
sensors located in process lines.
Signals were transmitted to either
pneumatic or electronic panel-mounted
controllers, and from there to in-line control valves.
Plant operators assessed the operation
by observing the instruments mounted in a
control panel near the equipment or in a
"central" control room.
27. Types of Automatic Control
Functions
• Control Loops (regulation of
continuous process parameters like
flow, pressure, temperature, level, etc.)
• Sequence Controllers
• Process Interlock Systems
29. Sequence Controllers
• They set the control valve positions
according to a time-based program.
• Sequence controllers are often
mechanical timers with many user-set
switches.
• They were widely used for batch
process control, especially for plant
start-up and shut-down.
30. Process Interlocks
• Process interlocks prevent incorrect
operations or possible damage to the
process or equipment.
• Signal trip units and mechanical
relays for execution of logic
functions.
• Extensively used in batch plants.
31. Microprocessor based Digital Control
System
• Introduced to petrochemical plant control
in 1975.
• A pioneering effort using micro computer
chips, cathode-ray tubes, and digital
communication technology.
• Designed to replace the then state-of-art
combination of mini computer and
electronic panel board instruments.
32. Programmable Logic Controllers
• PLCs
• Intelligent modules to perform the tasks
of sequential control and process logic
solution.
• First used in the automotive industry and
then integrated into the Digital Distributed
Control System (DDCS).
• The total computer-based plant control
system is identified as a Programmable
Electronic System (PES).
33. Reliability of PES
It is difficult to assess the reliability
of PES due to the following reasons:
1. Complexity of control strategy
2. Programmable nature of the
controller modules
3. Integration of multiple control
functions into one large system.
34. Reliability of PES
Detailed information about the
configuration and environment of the total
control system is required to analyze the
reliability of PES.
Quantitative methods for the analysis
of PES can be developed assuming that they
are used as protective systems.
The methodology is similar to the
Unavailability Analysis of protective
Systems.
36. 1. Develop Fault Tree for Hazardous
Demands
• Fault trees can be developed to
identify failures or deviations that
could generate hazardous process
conditions.
• These fault trees will give some
insights into where protective
systems would be most beneficial.
37. 2. Calculate Demand Rate
A demand rate (D), in units of
reciprocal time, can be determined
from qualitative analysis of fault trees
using
1. Equipment failure data
2. Human reliability data
38. 3. Define Safety Interlock
Requirements for PES
1. Defining a set of process sensors
that detect potential hazards and
sound alarms.
2. Developing actuated shutdown
systems that allow bringing the
plant operations to a safe state.
39. 4. Calculate Target Unavailability for PES
If a quantitative target has been established,
a level of average unavailability or Fractional dead
time (FDT) can be set.
FDT = H/D
H = hazard or incident rate per year
D = demand rate per year
FDT of the PES should not be greater than
that calculated from the above equation, if the
required target availability of the PES is to be met.
40. 5. Define PES Architecture
The modular system may have single, double,
or triple elements at each functional stage of the
safety system.
Safety system consists of
• Sensor
• Input channel
• Logic solver
• Communication to remaining PES
• Output channel
• Process manipulator
42. Two types of failure may occur in each signal
path of the safety system:
1. A revealed fault in which the path calls for and
executes a process shutdown when not
warranted by a plant hazard (referred to as a
‘fail-safe’ event).
2. An unrevealed failure in which the safety
system remains operable but is unable to take the
necessary action when a hazard does occur
(referred to as a ‘fail-danger’ fault).
These two types of failures have different
consequences on operational reliability and must
be considered separately in the design and
reliability analysis of the safety system.
43. 6. Define System Test Methods and
Frequency
• A dangerous failure may be discovered by
a periodic test of the installed system or
by an automatic, self-diagnostic feature of
the PES.
• Detection of failures within the logic
solver is normally accomplished by an
external watchdog timer (WDT).
• Some machines have exclusive internal
diagnostics to detect system failures.
44. 6. Define System Test Methods and
Frequency
• The internal diagnostics usually perform:
- Checksums of the program stored in
read-only memory (ROM)
- Tests of read/write memory
- Tests of internal registers
- Tests of arithmetic and logic functions
These diagnostics are capable of self-identifying 98% of the FDT
faults within this part of the PES.
45. 7. Calculation of System FDT
Failure rates of the various modules (λm) in the PES are
calculated using generic component failure rate data.
• Calculation method
- The number of like components in each module are
counted.
- The typical failure rate of each component type is
selected from a data bank
- The failure rate of each component type is
multiplied by the number of components.
- The module failure rate is calculated as the sum of
the failure rates of all constituent parts.
46. Failure of PES Module
• The failure rate of PES modules depends on:
- The quality of the electrical components
selected by the manufacturer
- The amount of “burn-in-time” applied to the
modules before installation in the plant
- The environmental conditions of the installed
PES equipment (temperature and humidity
control, cleanliness of the atmosphere, level
of vibration, limited electrical loads, etc.)
47. • The calculated or vendor-supplied component
failure rates (λm) must be modified when
environmental conditions vary from reference
values.
48. Signal Path Failure Rates
• Signal path failure rate (λp) can be
calculated from the reliability data of each
of the constituent modules.
λp = λm1 + λm2 + ... + λmn
(failures/hour)
The path failure rate is obtained by summing the
failure rates of only those modules that have
a direct influence on activating a shutdown.
49. 8. Calculation of FDT and System
Reliability
- Determine whether an acceptable FDT can be obtained
initially for a single path PES using appropriate
proof testing intervals.
If not, to achieve low FDT and high PES reliability, use:
• Redundant PESs (having two or more parallel
signal paths)
• Fault-tolerant PESs (having modules
connected in multiple signal paths)
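Steps 4, 7 and 8 of the PES procedure (slides 39, 45 to 49) chain together: count components per module, look up generic rates, sum to a module rate, correct for environment, sum the modules that directly influence shutdown into λp, and compare the single-path FDT = ½λpT against the target FDT = H/D. The following added example (not code from the original slides) carries that chain through for one constructed signal path. The "data bank" rates, the module component counts and the multiplicative environment factor are constructed assumptions; real generic data and the vendor's correction method would be substituted in practice.

```python
# Constructed generic component failure-rate data bank (failures/hour).
# Illustrative values only; not from any published data bank.
DATA_BANK = {
    "resistor": 1e-9,
    "capacitor": 5e-9,
    "ic": 2e-8,
    "relay": 1e-7,
    "connector": 5e-9,
}

# Constructed module parts lists for the functional stages of slide 40.
MODULES = {
    "input_channel": {"ic": 4, "resistor": 20, "capacitor": 10, "connector": 2},
    "logic_solver":  {"ic": 30, "resistor": 50, "capacitor": 20},
    "comms_link":    {"ic": 6, "connector": 4},   # reporting only: no influence on shutdown
    "output_channel": {"relay": 2, "ic": 2, "connector": 2},
}
# Only modules with a direct influence on activating a shutdown (slide 48).
SHUTDOWN_PATH = ["input_channel", "logic_solver", "output_channel"]


def module_failure_rate(component_counts, data_bank=DATA_BANK, environment_factor=1.0):
    """λm = Σ (number of like components × typical rate), then corrected for
    non-reference environment. ASSUMPTION: the correction is a multiplicative
    factor (1.0 = reference conditions)."""
    base = sum(count * data_bank[kind] for kind, count in component_counts.items())
    return environment_factor * base


def path_failure_rate(module_rates):
    """λp = λm1 + λm2 + ... + λmn (failures/hour) over the shutdown-relevant modules."""
    return sum(module_rates)


def target_fdt(hazard_rate_target, demand_rate):
    """FDT = H / D (slide 39): the largest unavailability that still meets H."""
    return hazard_rate_target / demand_rate


def single_path_fdt(lam_p, proof_test_interval_h):
    """FDT of a single signal path with unrevealed failures: ½ λp T."""
    return 0.5 * lam_p * proof_test_interval_h


def max_proof_test_interval(lam_p, fdt_target):
    """Longest proof-test interval (hours) for which ½ λp T <= FDT target."""
    return 2.0 * fdt_target / lam_p


def assess_single_path(modules, path, T_hours, H_target_per_yr, D_per_yr, environment_factor=1.0):
    """Steps 4, 7 and 8 together: returns λp, the achieved and target FDT,
    whether the single path is acceptable, and the longest acceptable T."""
    lam_p = path_failure_rate(
        module_failure_rate(modules[m], environment_factor=environment_factor) for m in path)
    target = target_fdt(H_target_per_yr, D_per_yr)
    achieved = single_path_fdt(lam_p, T_hours)
    return {
        "lambda_p_per_h": lam_p,
        "fdt_target": target,
        "fdt_achieved": achieved,
        "acceptable": achieved <= target,
        "max_T_hours": max_proof_test_interval(lam_p, target),
    }


if __name__ == "__main__":
    # Constructed targets: H = 1e-4 incidents/yr against D = 0.1 demands/yr,
    # annual proof test (8760 h), reference environment.
    report = assess_single_path(MODULES, SHUTDOWN_PATH, 8760.0, 1e-4, 0.1)
    for key, value in report.items():
        print(f"{key:16s} {value}")
```

With these figures the single path (λp = 1.16e-6 /h) reaches an FDT of about 5.1e-3 on an annual test, five times the 1e-3 target, so either the proof-test interval must shrink to about 1720 hours or a redundant or fault-tolerant architecture is needed, which is the decision point slide 49 describes. Note that `comms_link` is deliberately left out of `SHUTDOWN_PATH`: including modules that cannot initiate a shutdown would overstate λp.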
51. Input Requirements and Availability
• Protective system philosophy
• PES configuration
• Maintenance programs and policies
• Failure rate data for the PE
components
• Unavailability and reliability targets
(if available)
52. Output
The output of this analysis is a
calculated value for the PES FDT and
unreliability.
53. Sneak Analysis
Purpose:
• A system may fail to perform as designed even if
no component or sub system has failed.
• Such failures are due to unexpected
consequences of the way the system is designed.
• The components or sub systems interact in
unexpected ways producing unexpected
outcomes.
• The components that interact in this manner may
include control systems, computer software,
operator interfaces, information displays etc.
54. • It is necessary to identify these unexpected
interactions of components.
• Otherwise, any quantitative calculation of the
probability of failure of the system may be an
underestimate.
• Sneak analysis is a method that has been
developed to systematically search for and
identify the unexpected paths or combination
of components or sub systems that may
occur.
55. Technique
• Sneak analysis is based on a systematic
search of the design of a system for
paths that can cause unexpected or
undesired actions of a system
• A path can involve any combination of
electrical circuits, computer codes,
operating instructions or mechanical
devices.
57. Sneak Paths
Sneak paths cause electrical current,
pneumatic flow, information, or mechanical
actions to flow along undesired paths or
directions in a system
Sneak Timing
Sneak timing causes events or system
actions to occur out of the desired
sequence.
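The "systematic search of the design for paths" in slides 55 and 57 is mechanical enough to automate for the electrical case. The following added example (not code from the original slides) models a toy circuit as a graph of wires, switches and loads, enumerates every switch state, and reports each load that conducts in a state where the design intent says it should not, together with the element sequence forming the sneak path. The circuit, its intended behaviour and the cross-tie `J1` are constructed; the example handles only electrical paths, whereas the slide also lists software, procedures and mechanical devices.

```python
from itertools import product

# Constructed toy circuit. Each element is (node_a, node_b, kind, name);
# kind is "wire", "switch" or "load". Power flows from BAT to GND.
ELEMENTS = [
    ("BAT", "N1", "switch", "S1"),
    ("N1", "GND", "load", "LOAD1"),
    ("BAT", "N2", "switch", "S2"),
    ("N2", "GND", "load", "LOAD2"),
    ("N1", "N2", "wire", "J1"),   # cross-tie added to the design; creates the sneak path
]

# Design intent: a load is energized exactly when all of its listed switches are closed.
INTENDED = {"LOAD1": ("S1",), "LOAD2": ("S2",)}


def conducting_paths(elements, state, src="BAT", dst="GND"):
    """All simple src-to-dst routes through elements whose switches are closed
    in `state` (dict switch name -> bool). Returns lists of element names."""
    adjacency = {}
    for a, b, kind, name in elements:
        if kind == "switch" and not state.get(name, False):
            continue  # an open switch conducts nothing
        adjacency.setdefault(a, []).append((b, name))
        adjacency.setdefault(b, []).append((a, name))  # wires and loads are bidirectional

    paths = []

    def dfs(node, visited, used):
        if node == dst:
            paths.append(list(used))
            return
        for nxt, name in adjacency.get(node, []):
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, used + [name])

    dfs(src, {src}, [])
    return paths


def energized_loads(elements, state):
    """Loads lying on at least one conducting BAT-to-GND route."""
    loads = {name for _, _, kind, name in elements if kind == "load"}
    return {name for route in conducting_paths(elements, state) for name in route if name in loads}


def find_sneak_paths(elements, intended):
    """Enumerate every switch state; report loads energized against design intent
    and the element sequence that carries the current."""
    switches = sorted(name for _, _, kind, name in elements if kind == "switch")
    findings = []
    for bits in product([False, True], repeat=len(switches)):
        state = dict(zip(switches, bits))
        expected = {load for load, req in intended.items() if all(state[s] for s in req)}
        actual = energized_loads(elements, state)
        for load in sorted(actual - expected):
            route = next(p for p in conducting_paths(elements, state) if load in p)
            findings.append({"state": state, "load": load, "path": route})
    return findings


if __name__ == "__main__":
    for f in find_sneak_paths(ELEMENTS, INTENDED):
        closed = [s for s, on in f["state"].items() if on]
        print(f"closed={closed}: {f['load']} energized via {' -> '.join(f['path'])}")
```

The search finds two sneak paths: with only S2 closed, current reaches LOAD1 through S2, J1 and LOAD1, and with only S1 closed it reaches LOAD2 the same way. Removing `J1` yields no findings, which is the kind of design modification slide 61 describes. The findings are the "glitches" to be reviewed for relevancy; enumerating states exhaustively is only practical for small switch counts, so a real sneak analysis partitions the schematic into the topological patterns the method is built around.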
58. Sneak Indications
They cause a system to improperly
indicate to the operator the condition of
the system.
Indications can be false, but can also conflict
with other indications so as to prevent the
operator from taking the appropriate
actions.
59. Sneak Labels
They incorrectly label system
functions.
E.g., the label may show the wrong
direction of flow, incorrectly display the
status of valves or switches, or improperly
display control set points.
60. Input Requirements and Availability
• A sneak analysis can start as soon as
detailed hardware design data such as
electrical schematics and cable diagrams
are available
• Sneak analysis of software can begin as
soon as source code is created
61. Output
• The output of a sneak analysis is a set of
potential problems (sometimes called
glitches) which may impact the operation
of a system
• Potential problems are reviewed to
determine their relevancy
• Potential problems can be used in design
modifications
62. MORT Analysis
-Management Oversight and Risk Tree
Analysis
-Developed by Johnson (1980)
-Root cause analysis that specifically
identifies inadequacies in barriers/controls,
management functions etc.
Objective:
Decrease safety related losses by an order of
magnitude
63. The MORT Logic Tree analyzes a top event
down through:
- Oversights and Omissions events,
- which are further developed through
branches on:
Specific Control Factors &
Management System Factors.
A computerized version of MORT is
available.
64. MORT has two major functions:
1. Since the MORT logic diagram
organizes risk, loss, and safety program
elements, it can be used as a master
worksheet for accident investigation and
qualitative evaluation of programs.
2. It can be used as a subsystem in a
comprehensive safety management
program of an organization. It is useful for
emergency planning.