This document discusses safety-instrumented systems and how fault tree analysis can be used to evaluate them. It provides examples of how fault trees can be constructed to model the logic and failure modes of a safety instrumented system. Fault trees are used to calculate reliability metrics like probability of failure on demand and mean time to failure of spurious trips. The document also discusses how common cause failures, importance analysis, and sensitivity analysis can be incorporated into the fault tree modeling.
2. Safety-Instrumented Systems
Critical processes or systems
Found in many different industries
Malfunction may cause risk
Safety, environmental, or financial
Examples:
Chemical reactor
Nuclear generator
Airbag
3. Safety-Instrumented Systems
Mitigate risks of critical systems
Restores system to safe state in event of hazardous condition
Three elements
Inputs: monitor system, detect hazardous conditions
Logic solver: interprets inputs
Final elements: halt the system or process or restore it to failsafe state
5. Example Fault Tree
[Diagram: TOP event (hazard) fed by an OR gate; beneath it a VOTE gate (2 of its inputs), an AND logic gate, basic events EV2, EV4, EV5 and EV6, and dormant event EV3.]
6. Construction Logic
SIS terminology: vote to trip
Fault Trees: failure logic
SIS trip logic    Fault Tree gate
1ooN              AND
NooN              OR
MooN              VOTE (N-M+1)
7. Construction Logic Example
[Diagram of two block valves (XV, XV). Gate VALVES "Both valves fail open" combines VALVE1 "Block valve 1 fails open" and VALVE2 "Block valve 2 fails open" (AND logic); gate VALVES1 "Either valve fails open" combines VALVE3 "Block valve 1 fails open" and VALVE4 "Block valve 2 fails open" (OR logic).]
11. Failure Data
Fault Trees constructed for a single hazard
Basic events contribute to that hazard
Dangerous or safe failures only
12. Failure Data
Commonly-used data
Failure rate
MTTR
Test interval
Dangerous failure %
Diagnostic coverage
Proof test coverage
Used in the equation that solves for PFD
13. Common Cause Failures
Affect multiple components simultaneously
Reduce effectiveness of redundancy
Beta factor: percent of failures due to CCF
FT assumes independence
CCFs must be accounted for
Separate basic event
Implicit inclusion
19. Spurious Trip Analysis
How often SIS engages unnecessarily
"Safe" failures
FT used to quantify MTTF_spurious
Failure data: safe failure rate
Logical reverse of PFD Fault Tree
20. HIPPS Spurious Trip FT
[Diagram: TOP event HIPPS SPURIOUS "HIPPS engages unnecessarily", MTTF=1.622E+05. Inputs: PTS "2 of 3 pressure transmitters falsely register high pressure" (vote gate, 2) fed by PT1 "Pressure transmitter 1 fails high", PT2 "Pressure transmitter 2 fails high" and PT3 "Pressure transmitter 3 fails high"; VALVES "Valve system engages unnecessarily" fed by VALVE1 "Block valve 1 fails closed" and VALVE2 "Block valve 2 fails closed"; LS "Logic solver fails to send trip signal".]
21. Optimization
Advantage of computer programs
How can we improve reliability?
Importance Analysis
Sensitivity Analysis
23. Sensitivity Analysis
Repeated changes of events to see effect on TOP gate
Test different basic event inputs
Example: different block valve test intervals
τ (months)   4         6         8         12        18        24
PFDavg       1.028E-3  1.274E-3  1.547E-3  2.174E-3  3.314E-3  4.700E-3
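As an added example (not from the slides), a small Python model that applies the construction logic above: the MooN trip-to-vote mapping of slide 6, the dormant-event PFDavg = λ_D·τ/2 input of slide 12, a β-factor CCF modelled as a separate basic event (slide 13), and the block-valve test-interval sweep of slide 23. The failure rates, β, the 730 h/month conversion and the HIPPS demand-failure tree shape (2oo3 transmitters, logic solver, 1oo2 valves) are constructed assumptions, so the numbers differ from the slide's table.

```python
from itertools import combinations
from math import prod

HOURS_PER_MONTH = 730.0  # constructed convention for the test interval


def pfd_avg(lambda_d, tau_h):
    """PFDavg of a dormant, periodically proof-tested component:
    lambda_D * tau / 2 (valid while lambda_D * tau << 1)."""
    return lambda_d * tau_h / 2.0


def gate_or(ps):
    """OR gate: any input failed (inputs assumed independent)."""
    return 1.0 - prod(1.0 - p for p in ps)


def gate_and(ps):
    """AND gate: all inputs failed (inputs assumed independent)."""
    return prod(ps)


def gate_vote(k, ps):
    """VOTE gate: at least k of the N inputs failed (exact enumeration).
    SIS trip logic MooN maps to a fault-tree vote of k = N - M + 1."""
    n = len(ps)
    return sum(prod(ps[i] if i in failed else 1.0 - ps[i] for i in range(n))
               for m in range(k, n + 1) for failed in combinations(range(n), m))


def hipps_demand_pfd(valve_tau_months, lam_pt=1e-6, lam_ls=1e-7,
                     lam_xv=2e-6, beta=0.05, tau_months=12):
    """Constructed HIPPS demand-failure tree (all rates are assumed values):
    2oo3 transmitters -> vote 2, logic solver, 1oo2 block valves -> AND.
    Transmitter CCF: separate basic event with rate beta*lambda, OR-ed in."""
    tau_h = tau_months * HOURS_PER_MONTH
    p_pt = pfd_avg(lam_pt * (1.0 - beta), tau_h)   # independent share
    p_ccf = pfd_avg(lam_pt * beta, tau_h)          # common cause share
    pts = gate_or([gate_vote(2, [p_pt] * 3), p_ccf])
    ls = pfd_avg(lam_ls, tau_h)
    p_xv = pfd_avg(lam_xv, valve_tau_months * HOURS_PER_MONTH)
    valves = gate_and([p_xv, p_xv])
    return gate_or([pts, ls, valves])


def sensitivity(taus=(4, 6, 8, 12, 18, 24)):
    """Sensitivity analysis: re-solve the TOP gate per block-valve interval."""
    return {t: hipps_demand_pfd(t) for t in taus}


if __name__ == "__main__":
    for t, p in sensitivity().items():
        print(f"tau={t:2d} months  PFDavg={p:.3E}")
```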
24. Conclusion
Fault Tree Analysis
Useful tool for evaluating SIS
Well-developed methodology
Plenty of programs exist
Can model complex system logic
Can model PFD/Spurious trips
CCFs taken into account
Importance and sensitivity considerations
High-integrity pressure protection system
Seen in petrochemical applications
Prevent over-pressurization in fluid line or vessel
Over-pressurization can cause rupture or explosion
HIPPS shuts off inputs to mitigate risk
What is it?
Deductive hazard analysis
Identifies causes of hazard (TOP event)
TOP event linked to basic events via logic gates
Basic (bottom) events represent component failures or events
Quantitative
Probabilistic failure data inputs
Reliability metric outputs
Uses Boolean algebra/probability math
FTA used to analyse single hazard
Demand failure of HIPPS
Dangerous failures only
Spurious trip of HIPPS
Safe failures only
Sometimes safe and dangerous failure modes must be modelled in separate events
Some software allows all modes to be built into a single event
X_Mean * Y_Mean = Mean(X * Y) if there is no correlation between X and Y, i.e. they are independent
Why would this be the case if a cut set includes >1 dormant event?
(see paper for details)
Reverse of MooN is N - M + 1.
AND becomes OR (not for TOP gate, though)
Calculated by comparing probability of hazard if event never occurs, to when it does occur (normal result).
Here, block valves contribute to 89% of demand failures.