5.1 Event Frequency/Probability Estimation
Careful definition of the event or chain of events that lead ultimately to a particular hazard scenario is an important precursor to evaluating the frequency of the scenario. The level of detail required should reflect:
• The overall goals of the risk assessment.
• The relative contribution of the individual scenario to the overall risk.
• The relative contribution of individual event chains to the scenario.
Effort should not be wasted in detailed evaluation of events or scenarios that have no material effect on the conclusions of the risk assessment.
It will often be appropriate to apply a cut-off at a particular (low) frequency or probability and exclude scenarios or events that occur at a lower frequency or probability. However, such a cut-off should always be justified by showing that the simplification has no effect on the conclusions.
The technique of Fault Tree Analysis should be used to determine the frequency of a scenario whenever detailed analysis is required or whenever the potential causes are complex. Guidance on Fault Tree Analysis is given below.
In simple cases, explicit fault tree analysis is not necessary and the scenario frequency can be determined by calculation using the laws of probability. Note that use of such a simplification still implies a simple fault tree, often with only one or two branches, even though no specific fault tree diagram has been produced or detailed analysis of causes made.
The technique of Event Tree Analysis should be used to determine the potential outcomes of a scenario and their frequency. Event trees should be drawn explicitly in complex situations, particularly those where mitigation and control measures, such as shutdown valves, passive fire protection and explosion suppression systems, can play a significant part. In simple situations, there is no need to produce explicit event trees and simple calculation will suffice.
Events within fault trees and event trees can be quantified as either probabilities or frequencies. It is important that the two are properly distinguished in both logic diagrams and calculations. Checking the dimensions of calculations and results can often detect errors in both construction and quantification of fault trees and event trees.
5.2 Fault Trees
The basic process of fault tree construction is to take the scenario definition (top event) and to trace it back to the possible causes, which can be component failures, human errors, environmental conditions or other pertinent events. The procedure should be followed methodically, by first identifying the immediate precursors and then identifying the precursors to those events. An example fault tree is given in Figure 1.
Figure 1: Fault Tree Analysis (event label recovered from the figure: Valves Fail)
Fault trees are relatively easily quantified (see below). However, if the same event occurs two or more times in the fault tree, simple evaluation may cause error. It is usually best to redraw the fault tree so that each event only occurs once. If this is not possible, then a commercially available computer programme that can handle this type of situation should be used to evaluate the fault tree.
Fault trees mostly use two types of logic gates, AND and OR. Each gate has a number of inputs, but only one output.
For AND gates, all inputs must be true for the output to be true. The inputs to AND gates are either all probabilities or all probabilities except for one frequency. An AND gate which has frequencies for two or more of its inputs is not possible. The frequency/probability of the output is calculated by multiplying the inputs.
For OR gates, one or more of the inputs must be true for the output to be true.
The inputs to OR gates are either all probabilities or all frequencies. Input units cannot be mixed and the output will be of the same type. The output value is calculated by addition of the inputs. However, this addition should be made using Boolean arithmetic, i.e. the output is the probability that at least one input occurs, which for independent inputs is 1 minus the product of (1 minus each input). For example, two input probabilities of 0.9 give an output probability of 1 - (0.1 x 0.1) = 0.99, not 1.8. A probability of greater than 1 is meaningless.
Even if a fault tree is not quantified, it can still be useful as a graphical display, not only of the potential causes of the top event, but also of the way in which the individual causes can combine to lead to the top event.
Care should be taken that individual branches of the fault tree are independent. Where the likelihood of an event in one branch depends on the likelihood of another event, then the two are said to be dependent. Where practicable the fault tree should be redrawn to make the dependency explicit to avoid errors in the evaluation of the tree.
Many safety systems include redundancy, where two or more systems (equipment or procedures) are provided that can provide similar protection. If one system fails, the other may still work. However, in such cases, the possibility always exists that whatever caused the first system to fail might result in failure of the second system also. This is referred to as common cause failure. Two systems of different types will often have a lower likelihood of common cause failure than two identical systems.
Common cause failure can be included in fault trees explicitly, as in the example in Figure 1. The probability/frequency of common cause failure can be evaluated by considering the relative likelihood of modes of failure that might lead to a common failure compared to other failure modes. For example, for a safety system of two actuated valves in series that must close to protect against a hazard, common cause failure modes might include:
• Failure of a control signal to reach the valves.
• Solids in the line blocking the valve and preventing closure.
Either of these single causes can prevent both valves from closing. Other failure modes will only lead to failure of a single valve to close. The ratio of common cause failure modes to other failure modes can thus be calculated.
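The gate rules above (AND multiplies and accepts at most one frequency input; OR requires a single dimension and uses Boolean addition for probabilities), together with an explicit common cause branch for the two-valve system just described, as an added worked example that is not part of the original guidance. The tree structure and every numerical value in it are assumptions made for illustration, not data from the document.

```python
from dataclasses import dataclass
from math import prod
# Every basic event carries its dimension so that gate arithmetic can be checked:
# "p" = dimensionless probability, "f" = frequency (per year).
@dataclass
class Basic:
    name: str
    value: float
    kind: str  # "p" or "f"

@dataclass
class Gate:
    name: str
    op: str  # "AND" or "OR"
    inputs: list  # Basic or Gate nodes

def evaluate(node):
    """Return (value, kind) for a node, checking dimensions at every gate."""
    if isinstance(node, Basic):
        if node.kind == "p" and not 0.0 <= node.value <= 1.0:
            raise ValueError(f"{node.name}: probability outside [0, 1]")
        return node.value, node.kind
    vals = [evaluate(child) for child in node.inputs]
    kinds = [k for _, k in vals]
    if node.op == "AND":  # at most one frequency input: two frequencies multiplied mean nothing
        if kinds.count("f") > 1:
            raise ValueError(f"{node.name}: AND gate with two or more frequency inputs")
        return prod(v for v, _ in vals), ("f" if "f" in kinds else "p")
    if node.op == "OR":  # inputs must share one dimension; the output keeps it
        if len(set(kinds)) != 1:
            raise ValueError(f"{node.name}: OR gate mixes probabilities and frequencies")
        if kinds[0] == "p":  # Boolean addition: 1 - prod(1 - P_i); 0.9 and 0.9 give 0.99
            return 1.0 - prod(1.0 - v for v, _ in vals), "p"
        return sum(v for v, _ in vals), "f"  # frequencies of rare events add directly
    raise ValueError(f"{node.name}: unknown gate type {node.op}")

def or_of_probabilities(*ps):
    """Boolean OR of independent input probabilities (never exceeds 1)."""
    return evaluate(Gate("or", "OR", [Basic(f"p{i}", p, "p") for i, p in enumerate(ps)]))[0]

# Constructed example (values are assumptions, not data from the text): two actuated
# valves in series that must close on demand. Independent failures combine by AND;
# the common cause branch (lost signal, blocked line) is drawn explicitly and ORed in.
VALVES_FAIL = Gate("Both valves fail to close", "OR", [
    Gate("Independent failures", "AND", [Basic("Valve A fails to close", 0.02, "p"),
                                         Basic("Valve B fails to close", 0.02, "p")]),
    Basic("Common cause failure", 0.004, "p"),
])
# Demand frequency (per year) AND probability that protection fails -> hazard frequency.
HAZARD = Gate("Hazard occurs", "AND", [Basic("Demand on protection", 0.5, "f"), VALVES_FAIL])
```

Note that the common cause branch (0.004) dominates the independent double failure (0.0004) by an order of magnitude, which is why the text insists it be drawn explicitly rather than buried in the valve data.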
5.3 Event Trees
The basic process of event tree analysis is to take the initial state of the scenario and work through to the possible outcomes. Possible outcomes may be affected by such factors as prevailing environmental conditions, safety systems, actions by personnel and presence of ignition sources.
At each branch point in the event tree, a choice is made between two or more possible outcomes. Usually the choice between two outcomes is sufficient, but occasionally three or more outcomes of a single branch point can be used. Figure 2 is an example event tree.
Figure 2: Example Event Tree Analysis (branch headings recovered from the figure: Ignition at A; Ignition at B; Explosion on ignition; Outcomes)
Event trees are relatively straightforward to evaluate by simple calculation of the outcome frequencies at each branch point. The probabilities at each branch point must sum to one, and the sum of the final outcome frequencies (not the frequencies at each branch point) must equal the frequency of the scenario.
When the likelihood of an event in the event tree is dependent on some factor that also affects the frequency of the scenario itself, then the scenario should be split into two or more sub-scenarios and separate event trees used that avoid such dependence.
Unquantified event trees can be useful to provide a graphical explanation of the way an incident can develop.
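An evaluation of a small event tree following the branch headings of Figure 2, with the two checks the text requires (each branch point sums to one; the outcome frequencies add back to the scenario frequency), as an added worked example that is not part of the original guidance. The release frequency and branch probabilities are illustrative assumptions, not data from the document.

```python
from math import isclose

# An event tree as nested data: a branch point is (question, [(answer, probability,
# next_node), ...]) and a leaf is a string naming the outcome.
def branch(question, *options):
    return (question, list(options))

def evaluate_event_tree(scenario_frequency, node, path_probability=1.0, tol=1e-9):
    """Return {outcome: frequency per year}; every branch point must sum to one."""
    if isinstance(node, str):
        # Leaf: outcome frequency = scenario frequency x product of branch probabilities.
        return {node: scenario_frequency * path_probability}
    question, options = node
    total = sum(p for _, p, _ in options)
    if not isclose(total, 1.0, abs_tol=tol):
        raise ValueError(f"branch '{question}': probabilities sum to {total}, not 1")
    outcomes = {}
    for _answer, p, child in options:
        sub = evaluate_event_tree(scenario_frequency, child, path_probability * p, tol)
        for name, freq in sub.items():  # same outcome reached by several paths: add
            outcomes[name] = outcomes.get(name, 0.0) + freq
    return outcomes

def closes(scenario_frequency, outcomes, tol=1e-9):
    """Check that the final outcome frequencies add back to the scenario frequency."""
    return isclose(sum(outcomes.values()), scenario_frequency, abs_tol=tol)

# Constructed gas-release scenario following the branch headings of Figure 2. The
# release frequency and branch probabilities are illustrative assumptions only.
RELEASE_FREQUENCY = 1.0e-3  # releases per year

def explosion_or_fire(where):
    return branch("Explosion on ignition",
                  ("Yes", 0.3, f"Explosion at {where}"),
                  ("No", 0.7, f"Jet fire at {where}"))

RELEASE_TREE = branch("Ignition at A",
    ("Yes", 0.1, explosion_or_fire("A")),
    ("No", 0.9, branch("Ignition at B",
        ("Yes", 0.05, explosion_or_fire("B")),
        ("No", 0.95, "Dispersion without ignition"))))

if __name__ == "__main__":
    result = evaluate_event_tree(RELEASE_FREQUENCY, RELEASE_TREE)
    for name, freq in result.items():
        print(f"{name:30s} {freq:.3e} /yr")
    print("closure check:", closes(RELEASE_FREQUENCY, result))
```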
5.4 Basic Data
Probability and frequency data for the evaluation of fault trees and event trees should be derived or determined on a "Best Estimate" basis. A "Best Estimate" is the most likely value given the available information. An optimistic approach (i.e. use of data that errs on the side of danger) should never be used. A conservative approach (i.e. use of data that errs on the side of safety) can be used, but too much use of overly conservative data may result in a build-up of uncertainty in the calculations and unrealistic results.
Data for the quantification of fault trees and event trees can come from many sources such as:
• Accident records.
• Near miss records.
• Maintenance records.
• Reliability and other performance related data bases.
• Human error trials.
Data sources in the public domain that will be of most use to Group Companies are:
• OGP Database - a database compiled by the Oil and Gas Producers Association (formerly E&P Forum) (OGP, Risk Assessment Data Directory [Ref. 15]). This includes some data on ignition probability, which is otherwise hard to find.
• Offshore Reliability Database (OREDA) - a database compiled by oil companies in the offshore sector (mostly North Sea) (Det Norske Veritas, Offshore Reliability Data [Ref. 16]).
• AEA Technology database - a collection of reliability data drawn from conventional plant (AEA Technology, SRD Association Reliability Data Bank [Ref. 17]).
• FACTS - an incident database compiled by the Dutch research organisation TNO (TNO, FACTS database [Ref. 18]).
• Worldwide Offshore Accident Database (WOAD) - a database with an offshore focus compiled by Det Norske Veritas (Det Norske Veritas, WOAD - Worldwide Offshore Accident Database [Ref. 19]).
• MHIDAS - an incident database compiled on behalf of the UK Health and Safety Executive (AEA Technology, MHIDAS Accident Database [Ref. 20]).
In many cases, available data will not be precisely that required and some engineering judgement may be necessary to adjust or apply the data for the relevant application. Care should be taken that such judgements are not too optimistic. Where such judgements are made, they should be clearly recorded.
[15] Oil and Gas Producers Association (OGP), Risk Assessment Data Directory, Report No 11.8/250, 1996.
[16] Det Norske Veritas, Offshore Reliability Database (OREDA), 1992.
[17] AEA Technology, SRD Association Reliability Data Bank.
[18] TNO Department of Industrial Safety, FACTS database, Apeldoorn, The Netherlands.
[19] Det Norske Veritas, WOAD - Worldwide Offshore Accident Database, Oslo, Norway.
[20] AEA Technology, MHIDAS Accident Database, MHIDAS Administrator, Warrington, United Kingdom.
Some incident data is sensitive to particular interpretations or categorisations of the incident from which it is drawn. Care should be taken that such uncertainties are allowed for, such that they do not affect the conclusions of the assessment.
Data of this type is statistical in nature and there is always a level of uncertainty, which can be high when dealing with events of which there are very few examples. Care should always be taken regarding uncertainty in the base data, in particular to avoid conclusions that are not actually statistically significant. For example, an offshore helicopter safety study might show lower risks to personnel by using one type of helicopter rather than another. In such a case, a check should be made that the difference in risk between the two helicopter types is real and not just a result of uncertainty in the base data.
5.5 Presentation of Risk
Whenever risk is presented, whether in quantitative or semi-quantitative terms, it should be qualified both by the type of risk (examples are: risk of fatality, risk of a particular spill size) and by an associated unit of time (an example is: risk of fatality per year).
The presentation of risk should be selected to fulfil the goal of the assessment.
The most common forms of risk presentation include:
• Individual risk - a single number representing the risk of a particular level of harm to a person or location.
• Risk contours - individual risk plotted over an area so as to show the relative risk between locations.
• Potential loss of life - a summation of individual risks over an exposed population. Similar parameters can be derived for outcome types other than fatality.
• Cumulative Frequency Curves or F-N Curves - a graph of the frequency of events with a particular consequence or greater versus the consequence magnitude.
Individual risk is a measure of risk to specific or average individuals in a population, but does not give information on the size of the incidents causing the risk.
Potential loss of life and cumulative frequency curves are examples of measures of group risk, which apply to a population as a whole, but they give no information on who is exposed to the risk.
The term risk aversion is often used to express the postulate that larger incidents are of greater concern than a number of smaller incidents, even if the product of the number of incidents and the consequences is the same in both cases. Risk aversion can be built into group risk calculations and interpretations by simple weighting of higher consequence events according to predetermined and recorded criteria. If a risk presentation includes risk aversion, it should be clearly stated. However, care should be taken when using risk aversion since the results are not easy to interpret.
5.6 Individual Risk
Individual risk is the frequency with which an individual (or location) suffers a defined degree of harm. The specific individual and degree of harm should always be specified. The presentation of individual risks should also clearly state the specifics of the exposure to the relevant hazards. For example, does the individual risk apply only whilst on a particular site, or does it include time spent at home or at another site?
Average individual risk is where individual risk is averaged over a population.
It is important that the population over which the averaging takes place is appropriate. Increasing the size of the population group can significantly decrease the average individual risk if large numbers of people have low exposures to the hazards of interest.
5.7 Risk Contours
A plot of individual risk on a map provides a graphic picture of the geographical distribution of risk. Such contours can be useful to show to what extent a plant affects neighbouring communities and installations. They can also be useful to show to what extent incidents on one unit can lead to incidents on another (escalation).
Further details on the calculation and interpretation of risk contours can be found in specialist papers e.g. Ramsay, Sylvester-Evans and English: Siting and Layout of Major Hazard Installations, [Ref. 21].
5.8 Potential Loss of Life
The potential loss of life represents the number of fatalities that might be expected per unit time. This parameter can be combined with the plant lifetime to give the number of fatalities expected over the entire life of the plant.
Differences in the likely number of fatalities over the plant lifetime can be an effective method of quantifying the benefit of safety measures. However, such calculations can only be made where the effectiveness of the safety measure is amenable to quantification.
5.9 Cumulative Frequency (F-N) Curves
Figure 3 is an example of a cumulative frequency curve. The approximate slope of the curve shows the relative importance of small, more common events compared with large, less common events, and can be used to judge risk aversion.
The two-dimensional nature of cumulative frequency curves makes them hard to interpret. The best use of these curves is in communicating the nature and extent of the overall risk.
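The two group-risk measures of sections 5.8 and 5.9 computed from one list of outcomes, i.e. the potential loss of life and the cumulative frequency (F-N) curve with its approximate log-log slope, as an added worked example that is not part of the original guidance. The outcome list is constructed for illustration and is not drawn from any of the databases cited above.

```python
from math import log10

# Constructed outcome list (N fatalities, frequency per year) of the kind an event
# tree evaluation produces; the numbers are illustrative, not from any cited database.
OUTCOMES = [(1, 2.0e-3), (1, 1.0e-3), (3, 4.0e-4), (10, 5.0e-5), (25, 8.0e-6), (120, 1.0e-6)]

def fn_curve(outcomes):
    """Cumulative frequency curve: for each distinct N, frequency of N or more fatalities."""
    sizes = sorted({n for n, _ in outcomes if n > 0})
    return [(n, sum(f for m, f in outcomes if m >= n)) for n in sizes]

def potential_loss_of_life(outcomes):
    """Expected fatalities per year (section 5.8): sum of N x frequency over outcomes."""
    return sum(n * f for n, f in outcomes)

def loglog_slope(curve):
    """Approximate slope of the F-N curve between its end points on log-log axes.

    A slope of -1 means N x F is constant along the curve; a steeper (more negative)
    slope gives large, rare events more weight, which is how risk aversion shows up."""
    (n0, f0), (n1, f1) = curve[0], curve[-1]
    return (log10(f1) - log10(f0)) / (log10(n1) - log10(n0))

if __name__ == "__main__":
    curve = fn_curve(OUTCOMES)
    for n, f in curve:
        print(f"N >= {n:4d}: F = {f:.2e} /yr")
    print(f"PLL = {potential_loss_of_life(OUTCOMES):.2e} fatalities/yr")
    print(f"end-to-end log-log slope = {loglog_slope(curve):.2f}")
```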
[21] C. G. Ramsay, R. Sylvester-Evans and M. A. English, Siting and Layout of Major Hazard Installations, IChemE Symposium Series No 71, IChemE, 1983.
Figure 3: Example Cumulative Frequency Curve (log-log plot; y-axis: Frequency of N or more Fatalities (per year), from 1E-8 to 1E+0; x-axis: Number of Fatalities (N), from 1 to 1,000)