Introduction Construction Example: Separator Quantitative analysis Conclusions

Chapter 3
Event Tree Analysis

Marvin Rausand
[Link]@[Link]

RAMS Group
Department of Production and Quality Engineering
NTNU

(Version 0.1)

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 1 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Slides related to the book

System Reliability Theory
Models, Statistical Methods,
and Applications
Wiley, 2004

Homepage of the book:

[Link]
books/srt

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 2 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Consequence spectrum
An accidental event is defined as the first significant deviation from a normal
situation that may lead to unwanted consequences (e.g., gas leak, falling
object, start of fire)

An accidental event may lead to many different consequences. The

potential consequences may be illustrated by a consequence spectrum

C1

C2
Accidental
event
C3

Ck

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 3 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Barriers
Most well designed systems have one or more barriers that are implemented
to stop or reduce the consequences of potential accidental events. The
probability that an accidental event will lead to unwanted consequences
will therefore depend on whether these barriers are functioning or not.

The consequences may also depend on additional events and factors.

Examples include:

I Whether a gas release is ignited or not

I Whether or not there are people present when the accidental event
occurs
I The wind direction when the accidental event occurs

Barriers are also called safety functions or protection layers, and may be
technical and/or administrative (organizational). We will, however, use the
term barrier in the rest of this presentation.
Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 4 / 24
Introduction Construction Example: Separator Quantitative analysis Conclusions

What is event tree analysis?

An event tree analysis (ETA) is an inductive procedure that shows all

possible outcomes resulting from an accidental (initiating) event, taking
into account whether installed safety barriers are functioning or not, and
additional events and factors.

By studying all relevant accidental events (that have been identified by a

preliminary hazard analysis, a HAZOP, or some other technique), the ETA
can be used to identify all potential accident scenarios and sequences in a
complex system.

Design and procedural weaknesses can be identified, and probabilities of

the various outcomes from an accidental event can be determined.

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 5 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Example
Sprinkler
Initiating Fire alarm is Frequency
Start of fire system does Outcomes
event not activated (per year)
not function

True Uncontrolled
fire with no 8.0 .10-8
True 0.001 alarm
0.01 False Uncontrolled
7.9 .10-6
0.999 fire with alarm
True
0.80 True Controlled fire
8.0 .10-5
0.001 with no alarm
False
Explosion
10 -2 per year 0.99 False Controlled fire
7.9 .10-3
0.999 with alarm

False
No fire 2.0 .10-3
0.20

– Adapted from IEC 60300-3-9

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 6 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Applications

I Risk analysis of technological systems

I Identification of improvements in protection systems and other safety
functions

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 7 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Main Steps

1. Identify (and define) a relevant accidental (initial) event that may give
rise to unwanted consequences
2. Identify the barriers that are designed to deal with the accidental event
3. Construct the event tree
4. Describe the (potential) resulting accident sequences
5. Determine the frequency of the accidental event and the (conditional)
probabilities of the branches in the event tree
6. Calculate the probabilities/frequencies for the identified consequences
(outcomes)
7. Compile and present the results from the analysis

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 8 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Accidental event

When defining an accident event, we should answer the following

questions:
I What type of event is it? (e.g., leak, fire)
I Where does the event take place? (e.g., in the control room)
I When does the event occur? (e.g., during normal operation, during
maintenance)
In practical applications there are sometimes discussions about what should
be considered an accidental event (e.g., should we start with a gas leak, the
resulting fire or an explosion). Whenever feasible, we should always start
with the first significant deviation that may lead to unwanted consequences.

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 9 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Accidental event

An accidental event may be caused by:

I System or equipment failure
I Human error
I Process upset

The accidental event is normally “anticipated”. The system designers have

put in barriers that are designed to respond to the event by terminating the
accident sequence or by mitigating the consequences of the accident.

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 10 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Accidental event

For each accidental event we should identify:

I The potential accident progression(s)
I System dependencies
I Conditional system responses

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 11 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Barriers

The barriers that are relevant for a specific accidental event should be listed
in the sequence they will be activated.

Examples include:
I Automatic detection systems (e.g., fire detection)
I Automatic safety systems (e.g., fire extinguishing)
I Alarms warning personnel/operators
I Procedures and operator actions
I Mitigating barriers

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 12 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Additional events/factors

Additional events and/or factors should be listed together with the barriers,
as far as possible in the sequence when they may take place.

Some examples of additional events/factors were given on a previous frame.

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 13 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Event sequence

Each barrier should be described by a (negative) statement, e.g., “Barrier X

does not function” (This means that barrier X is not able to performs its
required function(s) when the specified accidental event occurs in the
specified context).

Additional events and factors should also be described by (worst case)

statements, e.g., gas is ignited, wind blows toward dwelling area.
B1 B2 B3 B4 B5

Accidental Additional Barrier I does Barrier II does Barrier III does Additional Outcome /
event event I occurs not function not function not function event II occurs consequence

True

By this way the most severe consequences will come first

False

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 14 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Outcome alternatives

In most applications only two alternatives (“true” and “false”) are

considered. It is, however, possible to have three or more alternatives, as
shown in the example below:
Wind toward
residental area

Wind toward
Gas release factory

Wind toward
empty area

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 15 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

End outcomes

I In practice, many event trees are ended before the “final” consequences
are reached
I Including these “final” consequences may give very large event trees
that are impractical for visualization
I This is solved by establishing a consequence distribution for each end
event and the probability of each consequence is determined for each
end event
I In effect, this is an extension of the event tree, but it gives a more
elegant and simpler presentation and also eases the summary of the
end results

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 16 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Results in decision-making

The results from the event tree analysis may be used to:
I Judge the acceptability of the system
I Identify improvement opportunities
I Make recommendations for improvements
I Justify allocation of resources for improvements

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 17 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

End events

Out- Environmental
Freq- Loss of lives Material damage
come damage
uency 6- >
descr. 0 1-2 3-5 N L M H N L M H
20 20

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 18 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Offshore separator

To flare

PSV1 PSV2

RD
Gas outlet

Pressure
switches

LU

Separator

Gas, oil, and

water inlet
PSD1 PSD2

Fluid outlet

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 19 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Activation Pressures

Pressure in
separator RD to be opened

PSVs to be opened

PSDs to be closed

Time

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 20 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Event tree
1 2 3
PSDs do not PSVs do not
Initiating Rupture disc
close flow into relieve Outcomes
event does not open
separator pressure

True Rupture or
explosion of
True separator

False Gas flowing out

True
of rupture disc
Gas outlet
blocked False Gas relieved
to flare

False Controlled
shutdown,
no gas "lost"

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 21 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Example

Consider the generic example:

B1 B2 B3 B4

Accidental Additional Barrier I does Barrier II does Additional Outcome /

event event I occurs not function not function event II occurs consequence

True
Outcome 1
True
False
Outcome 2
True
True
Outcome 3
False

Outcome 4
True
True
Outcome 5
True
False
Outcome 6
False
True
Outcome 7
False
False
Outcome 8

False
Outcome 9

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 22 / 24

Introduction Construction Example: Separator Quantitative analysis Conclusions

Frequencies of outcomes
Let λ denote the frequency of the accidental (initiating) event. Let Pr(Bi )
denote the probability of event B(i).
When we know that the accidental even has occurred, the probability of
“Outcome 1” is:

Pr(Outcome 1 |Accidental event) = Pr(B1 ∩ B2 ∩ B3 ∩ B4 )

= Pr(B1 ) · Pr(B2 | B1 ) · Pr(B3 | B1 ∩ B2 ) · Pr(B4 | B1 ∩ B2 ∩ B3 )

Note that all the probabilities are conditional given the result of the process until
“barrier” i is reached.

The frequency of “Outcome 1” is:

λ · Pr(B1 ∩ B2 ∩ B3 ∩ B4 )

The frequencies of the other outcomes are determined in a similar way.

Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 23 / 24
Introduction Construction Example: Separator Quantitative analysis Conclusions

Pros and cons

Positive
I Visualize event chains following an accidental event
I Visualize barriers and sequence of activation
I Good basis for evaluating the need for new / improved procedures and
safety functions
Negative
I No standard for the graphical representation of the event tree
I Only one initiating event can be studied in each analysis
I Easy to overlook subtle system dependencies
I Not well suited for handling common cause failures in the quantitative
analyses
I The event tree does not show acts of omission
Marvin Rausand (RAMS Group) System Reliability Theory (Version 0.1) 24 / 24