Posted on 14-Dec-2015

Fault Tree Analysis

Part 4: Digraph-Based Fault Tree Synthesis Procedure (NFFL and Lapp-Powers Algorithm)

Glossary

Feed Forward Loop (FFL): Two or more paths from one node in a digraph to another, different node in the digraph.

Negative Feed Forward Loop (NFFL): An FFL in which the sign of the product of the normal gains along one of the branches differs from the sign on the other branch(es).

[Figure: an NFFL drawn as a digraph. The edge gains labelled on the branches are +1, -1 and +1, -1, -1, so the gain products of the two branches differ in sign.]

Glossary (continued)

Variable with the start of the NFFL as an input: [figure showing the start node of the NFFL and the variables it feeds directly on each branch].

[Example] HEAT EXCHANGER WITH TEMPERATURE FEEDFORWARD LOOP

The process shown in the next figure tries to maintain T3 at a set temperature by sensing the temperature of stream 1 and changing the flow of cold fluid in stream 7. The top event of the fault tree in this example is T3 (+1).

[Figure: process flow diagram of the heat exchanger with temperature feedforward loop; only the label P6 survived extraction.]

THE GENERAL FAULT-TREE STRUCTURES FOR NFFL

Two paths on the NFFL (written as the sequence of deviations along each path):

(1) T1 (+1) -> T2 (+1) -> T3 (+1)

(2) T1 (+1) -> P5 (+1) -> P6 (-1) -> M7 (+1) -> T3 (-1)

Apply the FT structure of a tree along process path (1):

T3 (+1)
  T2 (+1)
    AND
      T1 (+1)
      NOT (M7 (+1))

Generalize. The NOT event is the failure of the other branch of the NFFL, which is either a zero gain or a reversed gain along that branch:

T3 (+1)
  T2 (+1)
    AND
      T1 (+1)          [event before the start of the NFFL]
      OR               [disturbances on the alternate paths fail to cancel one another]
        M7 (0)
        M7 (-1)

Read the AND gate as: the disturbance propagates down both loop paths, and the disturbances on the alternate paths fail to cancel one another.

The general FT structure for an output variable at the end of an NFFL:

OUTPUT (value)
  OR
    INPUTS (value to give the desired output value) WHICH DO NOT START THE NFFL
    INPUTS (value with too large or too fast disturbances to give the desired output value) WHICH START THE NFFL
    AND
      INPUT (value to give the desired output value) WHICH STARTS THE NFFL
      FAIL THE OTHER SIDE(S) OF THE NFFL
        OR
          OR: ALL EDGE CONDITIONS ON THE OTHER BRANCH(ES) OF THE NFFL TO GIVE ZERO GAIN
          "EOR": ALL EDGE CONDITIONS ON THE OTHER BRANCH(ES) OF THE NFFL TO GIVE REVERSE GAIN

THE GENERAL FT STRUCTURE FOR NFFL

[Figure: the general structure applied to the feedforward example, top event T3 (+1). Events that survived extraction, in the figure's order: T3 (+1); an OR of M3 (+1), M2 (+1), M4 (-1), ext. fire at heat exchanger and T2 (+1)*; under T2 (+1), an OR of inputs off the NFFL (T1 (+10)) and an AND of T1 (+1) with the failure of the other branch, which is an OR of the zero-gain edges (control valve stuck, TRC on manual, temp. sensor stuck) and an "EOR" of the reversed-gain edges (control valve reversed, TRC reversed, temp. sensor reversed). Other events on the figure: M7 (-1), T7 (+1), M8 (-1), plug in C.W. line, P6 (+1), T8 (+1), temp. set point (+1), P5 (-1)*, temp. sensor fails low, M1 (+1); T1 (-10) and T1 (-1) are marked inconsistent, with the annotations "no zero gain edges" and "no rev. gain edges".]

THE LAPP-POWERS ALGORITHM

Principles:

The procedure starts at the top event and asks for the local input events which cause the top event. Each of these inputs is then checked for

(1) conditional edges,

(2) whether it is on a negative feedback loop,

(3) whether it is the node before the start of an NFFL.

THE LAPP-POWERS FAULT TREE SYNTHESIS ALGORITHM

The procedure discussed below is a systematic means for generating fault trees. Once the method is learned, it is possible to accurately and rapidly generate fault trees for a wide range of processes. When learning the method, keep several things in mind:

1. The definitions of feedback and feedforward loops are the keys to the method. Make sure you can find these loops in the process and in the digraph model.

2. The value of a process variable deviation (-10, -1, +1, +10) is important to the fault tree development. Make sure you understand the definitions of these deviations and how feedback and feedforward loops behave when encountering variables with different ranges.

3. Take the input variables one at a time and don't jump ahead.

LAPP-POWERS FAULT TREE SYNTHESIS ALGORITHM

1. SELECT A TOP EVENT

2. CONSTRUCT A DIGRAPH FOR THE PROCESS WITH THE TOP EVENT AS THE OUTPUT VARIABLE

3. FIND AND CLASSIFY ALL LOOPS IN THE DIGRAPH (the slide lays steps A to E out in two columns, NFBL on the left and NFFL on the right)

   A. NEGATIVE FEEDBACK LOOPS (NFBL) | NEGATIVE FEEDFORWARD LOOPS (NFFL)

   B. LIST THE VARIABLES ON THE NFBL | LIST THE VARIABLES ON THE BRANCHES OF THE NFFL

   C. LIST THE LOCAL INPUT VARIABLES OFF THE NFBL FOR EACH OF THE NFBL VARIABLES | LIST THE VARIABLES ON THE NFFL WHICH HAVE THE START OF THE NFFL AS THEIR INPUT

   D. DETERMINE THE CAPABILITY OF THE LOOPS TO CONTROL SLOW CHANGES OF MAGNITUDE IN THE LOCAL INPUT VARIABLES OFF THE NFBLs AND IN THE VARIABLE AT THE START OF THE NFFLs.

   E. DETERMINE THE CAPABILITY OF THE LOOPS TO CONTROL RAPID CHANGES OF MAGNITUDE IN THE LOCAL INPUT VARIABLES OFF THE NFBLs AND IN THE VARIABLE AT THE START OF THE NFFLs.

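The loop definitions in the glossary and step 3 of the algorithm (find and classify all loops, list the variables on them and the local inputs off them) can be carried out mechanically on a signed digraph. The Python below is an added example, not code from the lecture notes. It encodes the two digraphs from the notes' examples: the feedforward case with the paths T1 -> T2 -> T3 and T1 -> P5 -> P6 -> M7 -> T3, and the nitric acid cooler's feedback loop T2 -> P5 -> P6 -> M4 -> T2. It then finds negative feedback loops (cycles whose gain product is negative) and negative feedforward loops (two or more paths between the same pair of nodes whose gain products differ in sign), generalising the two-branch definition to any number of branches. The edge gains are read off the notes' deviation sequences and equipment descriptions, so they are constructed data, and the function and node names are this example's own.

```python
"""Loop finding and classification on a signed digraph (Lapp-Powers step 3).

Added example, not code from the lecture notes. The two digraphs below are
constructed from the notes' examples; edge gains are read off the deviation
sequences and the equipment descriptions, so treat them as illustration data.
"""

# A digraph is a dict: node -> {successor: normal gain (+1 or -1)}.

# Heat exchanger with temperature feedforward loop. The notes give the paths
# as deviation sequences T1(+1) T2(+1) T3(+1) and T1(+1) P5(+1) P6(-1) M7(+1)
# T3(-1); a step from +1 to -1 (or -1 to +1) is a -1 edge gain.
FEEDFORWARD = {
    "T1": {"T2": +1, "P5": +1},
    "T2": {"T3": +1},
    "P5": {"P6": -1},
    "P6": {"M7": -1},
    "M7": {"T3": -1},
    "T3": {},
}

# Nitric acid cooler with temperature feedback: P5 rises with T2, P6 with P5,
# M4 with P6, and more cooling water (M4) lowers T2. T1, T4, M1 and the set
# point are local inputs; T8 is the top-event variable downstream of T2.
FEEDBACK = {
    "T2": {"P5": +1, "T8": +1},
    "P5": {"P6": +1},
    "P6": {"M4": +1},
    "M4": {"T2": -1},
    "T1": {"T2": +1},
    "T4": {"T2": +1},
    "M1": {"T2": +1},
    "SetPoint": {"P6": +1},
    "T8": {},
}


def simple_paths(graph, src, dst):
    """Yield every simple path from src to dst as a list of nodes.
    With src == dst the paths yielded are the cycles through src."""
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        for nxt in graph.get(node, {}):
            if nxt == dst and (len(path) > 1 or src != dst):
                yield path + [nxt]
            elif nxt != dst and nxt not in path:
                stack.append((nxt, path + [nxt]))


def path_gain(graph, path):
    """Product of the normal gains along a path."""
    product = 1
    for a, b in zip(path, path[1:]):
        product *= graph[a][b]
    return product


def negative_feedback_loops(graph):
    """Cycles with a negative gain product (NFBL), each reported once as a
    tuple rotated so its lexicographically smallest node comes first."""
    found = set()
    for start in graph:
        for cycle in simple_paths(graph, start, start):
            if path_gain(graph, cycle) < 0:
                nodes = cycle[:-1]
                i = nodes.index(min(nodes))
                found.add(tuple(nodes[i:] + nodes[:i]))
    return sorted(found)


def feedforward_loops(graph):
    """FFLs: (src, dst, [(path, gain), ...]) for every pair of distinct nodes
    joined by two or more paths."""
    loops = []
    for src in graph:
        for dst in graph:
            if src == dst:
                continue
            paths = list(simple_paths(graph, src, dst))
            if len(paths) >= 2:
                loops.append((src, dst, [(p, path_gain(graph, p)) for p in paths]))
    return loops


def negative_feedforward_loops(graph):
    """NFFLs: FFLs whose branches do not all carry the same gain sign."""
    return [ffl for ffl in feedforward_loops(graph)
            if len({gain for _, gain in ffl[2]}) > 1]


def local_inputs_off_loop(graph, loop):
    """Step 3C for an NFBL: nodes outside the loop with an edge into it."""
    members = set(loop)
    return sorted(node for node, succ in graph.items()
                  if node not in members and any(s in members for s in succ))


def nffl_first_nodes(ffl):
    """Step 3C for an NFFL: variables that have the start of the NFFL as input."""
    _, _, branches = ffl
    return sorted({path[1] for path, _ in branches})


if __name__ == "__main__":
    for ffl in negative_feedforward_loops(FEEDFORWARD):
        print("NFFL", ffl[0], "->", ffl[1], "first nodes", nffl_first_nodes(ffl))
        for path, gain in ffl[2]:
            print("   ", " -> ".join(path), "gain", gain)
    for loop in negative_feedback_loops(FEEDBACK):
        print("NFBL", " -> ".join(loop), "inputs off loop",
              local_inputs_off_loop(FEEDBACK, loop))
```

Running the script reports the one NFFL of the feedforward example (T1 to T3, branch gains +1 and -1, first nodes P5 and T2) and the one NFBL of the cooler (M4, T2, P5, P6, with T1, T4, M1 and the set point as local inputs off the loop), which is exactly the bookkeeping step 3B and 3C ask for before the capability tables are filled in.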

LAPP-POWERS FAULT TREE SYNTHESIS ALGORITHM (Continued)

Steps 4 to 8 are drawn as a flowchart on the original slide; its boxes and branches read as follows.

4. ARE THERE ANY NONPRIMAL VARIABLES IN THE FAULT TREE?
   NO  -> STOP
   YES -> step 5

5. SELECT ONE AND CALL IT THE CURRENT OUTPUT VARIABLE.

6. IS THE OUTPUT VARIABLE ON A NFBL?
   YES -> use the NFBL structure on the next slide, then remove inconsistent variables and go to step 4
   NO  -> step 7

7. IS THE OUTPUT VARIABLE ON A NFFL AND DOES IT HAVE THE START OF THE NFFL AS AN INPUT?
   YES -> use the NFFL structure below, then remove inconsistent variables and go to step 4
   NO  -> step 8

8. DOES THE OUTPUT VARIABLE HAVE VALUE = 0?
   NO:
     OUTPUT (VALUE)
       OR
         INPUT (VALUE TO GIVE THE DESIRED OUTPUT VALUE)
     REMOVE INCONSISTENT VARIABLES AND GO TO STEP 4
   YES:
     OUTPUT (VALUE = 0)
       OR
         INPUT (VALUE = 0) ON THE NFBL
         LOCAL EDGE CONDITIONS WHICH GIVE ZERO GAIN ON THE NFBL
     REMOVE INCONSISTENT VARIABLES AND GO TO STEP 4

NFFL structure (step 7 = YES):

OUTPUT (VALUE)
  OR
    INPUTS (VALUE TO GIVE THE DESIRED OUTPUT VALUE) WHICH DO NOT START THE NFFL
    INPUT (VALUE WITH TOO LARGE OR TOO FAST DISTURBANCE TO GIVE THE DESIRED OUTPUT VALUE) WHICH STARTS THE NFFL
    AND
      INPUT (VALUE TO GIVE THE DESIRED OUTPUT VALUE) WHICH STARTS THE NFFL
      FAIL THE OTHER SIDE(S) OF THE NFFL
        OR
          OR: ALL EDGE CONDITIONS ON THE OTHER BRANCH(ES) OF THE NFFL TO GIVE ZERO GAIN
          "EOR": ALL EDGE CONDITIONS ON THE OTHER BRANCH(ES) OF THE NFFL TO GIVE REVERSED GAIN

REMOVE INCONSISTENT VARIABLES AND GO TO STEP 4

LAPP-POWERS FAULT TREE SYNTHESIS ALGORITHM (Continued)

NFBL structure (step 6 = YES):

OUTPUT (VALUE)
  OR
    UNCONTROLLABLE INPUTS PASS THROUGH THE NFBL
      OR
        INPUTS (VALUE TO GIVE LARGE OR FAST DISTURBANCE) NOT ON NFBL, OR SET POINT
    CONTROL LOOP CAUSES THE DEVIATION
      EOR
        LOCAL EDGE CONDITIONS WHICH CAUSE REVERSED GAIN ON THE NFBL
    INPUT (VALUE TO GIVE DESIRED OUTPUT VALUE) ON THE NFBL
    CONTROLLABLE DISTURBANCES PASS THROUGH THE NFBL
      AND
        OR
          INPUTS (VALUE FOR CONTROLLABLE DISTURBANCE INTO THE NFBL) NOT ON NFBL
        LOOP INACTIVE
          OR
            LOCAL EDGE CONDITIONS WHICH GIVE A ZERO GAIN ON THE NFBL
            INPUT (VALUE = 0) ON THE NFBL

REMOVE INCONSISTENT VARIABLES AND GO TO STEP 4
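Once a nonprimal variable on an NFBL has been selected (step 6 = YES), the structure above turns the capability table into gates: large or fast disturbances the loop cannot absorb go straight under the OR, controllable ones are ANDed with the loop being inactive, reversed-gain edge conditions form the EOR, and the on-loop input is expanded round the loop until it becomes inconsistent. The Python below is an added example, not the notes' code. It transcribes the loop, the off-loop inputs, the capability table and the edge-condition labels of the nitric acid cooler example that follows in the notes, and emits that skeleton for T2 (+1), including the walk round the loop that shows why the on-loop input M4 (-1) ends in an inconsistent T2 (-1). Capability entries the notes do not tabulate are left absent; the dictionary layout and function names are assumptions of this example.

```python
"""Fault-tree skeleton for an output variable on a negative feedback loop,
following the NFBL branch of the Lapp-Powers flowchart.

Added example, not code from the lecture notes. The loop, the local inputs,
the capability table and the edge-condition labels are transcribed from the
notes' nitric acid cooler example; the data layout and function names are
this example's own.
"""

# The NFBL as an ordered cycle, with the normal gain of each edge.
LOOP = ["T2", "P5", "P6", "M4"]
LOOP_GAIN = {("T2", "P5"): +1, ("P5", "P6"): +1, ("P6", "M4"): +1, ("M4", "T2"): -1}

# Local inputs off the NFBL that feed T2, with their normal gain into T2.
OFF_LOOP = {"T1": +1, "T4": +1, "M1": +1, "M2": +1, "M3": -1,
            "Water leaks into acid": +1, "Ext. fire at heat exchanger": +1}

# Capability table: (variable, deviation) -> (slow controllable, fast controllable).
# Deviations the notes do not tabulate (e.g. a negative leak) are simply absent.
CAPABILITY = {}
for _v in ("T1", "M1", "M2", "M3"):
    CAPABILITY.update({(_v, 1): (True, True), (_v, -1): (True, True),
                       (_v, 10): (False, False), (_v, -10): (False, False)})
CAPABILITY.update({("T4", 1): (True, True), ("T4", -1): (True, True),
                   ("T4", 10): (False, False), ("T4", -10): (True, True)})
for _v in ("Water leaks into acid", "Ext. fire at heat exchanger"):
    CAPABILITY.update({(_v, 1): (True, True), (_v, 10): (False, False)})

# Edge conditions on the loop giving zero gain or reversed gain (notes' labels).
ZERO_GAIN = {"M4": ["Valve stuck"], "P6": ["TRC stuck", "TRC on manual"],
             "P5": ["Temp. sensor stuck"]}
REVERSED_GAIN = {"M4": ["Control valve reversed"], "P6": ["TRC reversed"]}


def capability(var, dev, speed):
    """Capability-table lookup; None when the notes do not tabulate the entry."""
    entry = CAPABILITY.get((var, dev))
    return None if entry is None else entry[0 if speed == "slow" else 1]


def loop_consistency(output, dev):
    """Walk backwards round the NFBL from the output deviation (gains are +-1,
    so the required input deviation is the output deviation times the gain).
    Returns the deviation required of every other loop node and whether the
    walk closes on the output with the deviation we started from."""
    required, node, d, closing = {output: dev}, output, dev, None
    for _ in LOOP:
        prev = LOOP[(LOOP.index(node) - 1) % len(LOOP)]
        d *= LOOP_GAIN[(prev, node)]
        if prev == output:
            closing = d
        else:
            required[prev] = d
        node = prev
    return required, closing == dev


def nfbl_structure(output, dev, speed="slow"):
    """Nested (gate, children) tuples for the notes' NFBL structure."""
    big = [f"{v} ({10 * dev * g:+d})" for v, g in OFF_LOOP.items()
           if capability(v, 10 * dev * g, speed) is False]
    small = [f"{v} ({dev * g:+d})" for v, g in OFF_LOOP.items()
             if capability(v, dev * g, speed) is True]
    zero = [f"{c} [{n} gain 0]" for n, cs in ZERO_GAIN.items() for c in cs]
    rev = [f"{c} [{n} gain reversed]" for n, cs in REVERSED_GAIN.items() for c in cs]
    required, consistent = loop_consistency(output, dev)
    prev = LOOP[(LOOP.index(output) - 1) % len(LOOP)]
    on_loop = f"{prev} ({required[prev]:+d})"
    if not consistent:
        on_loop += " (inconsistent: walking round the loop returns the opposite deviation)"
    return ("OR", [
        ("Uncontrollable inputs pass through the NFBL", ("OR", big)),
        ("Controllable disturbances pass through the NFBL",
         ("AND", [("OR", small), ("Loop inactive", ("OR", zero))])),
        ("Control loop causes the deviation", ("EOR", rev)),
        ("Input on the NFBL", on_loop),
    ])


def render(tree, indent=0):
    """Indented text rendering of the nested structure."""
    pad = "  " * indent
    if isinstance(tree, str):
        return pad + tree
    head, body = tree
    if isinstance(body, list):          # gate with child events
        return "\n".join([pad + head] + [render(c, indent + 1) for c in body])
    return "\n".join([pad + head, render(body, indent + 1)])   # labelled subtree


if __name__ == "__main__":
    print(render(nfbl_structure("T2", +1)))
```

For T2 (+1) the uncontrollable branch comes out as T1 (+10), T4 (+10), M1 (+10), M2 (+10), M3 (-10), water leak (+10) and fire (+10), the controllable branch as the same inputs at magnitude 1 ANDed with the zero-gain conditions, and the on-loop input as M4 (-1) flagged inconsistent, which matches the tree the notes draw for this example. The `speed` argument selects the slow or fast column of the capability table, since the notes tabulate both.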

[EXAMPLE] HEAT EXCHANGER WITH TEMPERATURE FEEDBACK CONTROL

The process shown in the next figure is used to cool nitric acid prior to mixing with benzene in a nitration reactor. The temperature of stream 8 is important. If it is too high (T8 (+1)), the nitration becomes too fast and an explosion may occur.

[Figure: process flow diagram. Labels: HEAT EXCHANGER, HOT NITRIC ACID, TEMPERATURE SENSOR, TO REACTOR, TRC with SET POINT, AIR TO OPEN (control valve), COOLING WATER; streams numbered 1 to 8.]

• Top event: T8 (+1)

• Normal condition: flow in streams 1, 2, 3, 4, 7 and 8; controller on automatic; temperature fluctuations in streams 1 and 7.

• Equipment behavior:

  Temperature sensor: P5 increases when T2 increases. The sensor may stick or fail low.

  Temperature recorder controller (TRC): P6 increases when P5 increases. The controller set point may be changed. The controller may be put in the manual mode of operation, stick in a position, or be reversed. An external fire near the controller causes P6 to go down. Loss of instrument air sends P6 down.

  Valve: M4 increases when P6 increases. The valve might stick in position, or it could be installed reverse acting.

  Heat exchanger: the exchanger is a shell-and-tube unit with countercurrent flow. The cooling water is on the shell side. The tubes are of high quality and double tube sheets are used. Water will mix with the acid if the tubes leak; this causes T2 to go up. Increases in M1, T1 and T4 cause T2 to increase. An external fire at the heat exchanger causes T2 to increase.

[Figure: digraph for the heat exchanger with temperature feedback control. Nodes: M7, M4, T2, water leaks into acid, T8, ext. fire at heat exchanger, M2, M8, M1, M3, T1, T4, T7, P5, temp. sensor fails low, P6, set point, ext. fire at TRC, instrument air pressure. Normal edge gains are +1 or -1; the conditional edge gains labelled on the figure are -10 (HX fouled), 0 (valve stuck), -1 (control valve reversed), 0 (temp. sensor stuck), -1 (TRC reversed), 0 (TRC stuck) and 0 (on manual).]

TEMPERATURE FEEDBACK CONTROL

NFBL: T2 -> P5 -> P6 -> M4 -> T2, with edge gains T2 to P5 +1, P5 to P6 +1, P6 to M4 +1 and M4 to T2 -1 (listed on the slide in fault-tree order as T2 <- M4 (-1) <- P6 (+1) <- P5 (+1) <- T2).

Local inputs on the NFBL: T2, P5, P6, M4

Local inputs off the NFBL: T1, T4, M1, M2, M3, water leaks into acid, ext. fire at heat exchanger, M7, set point, temp. sensor fails low, instrument air pressure, ext. fire at TRC

TEMPERATURE FEEDBACK CONTROL CAPABILITY

Local input variable off NFBL    Deviation   Slow disturbance   Fast disturbance
T1                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
T4                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         Yes                Yes
M1 or M2                         +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
M3                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
Water leaks into acid            +1          Yes                Yes
                                 +10         No                 No
Ext. fire at heat exchanger      +1          Yes                Yes
                                 +10         No                 No
M7                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         Yes                Yes
                                 -10         No                 No
Set point (command to system)                No                 No
Instrument air pressure          +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
Temp. sensor fails low                       No                 No

[Figure: fault tree for the top event T8 (+1), page 1 of 3; the gate nesting was largely lost in extraction. T8 (+1) <- T2 (+1). Events under T2 (+1) in the figure's order: the uncontrollable inputs M3 (-10), M2 (+10), M1 (+10), large T1 (+10), T4 (+10), large water leak into acid (+10), ext. fire at heat exch. (+10), M8 (+10), T7 (+10) and M7 (-10); an AND gate over the controllable disturbances M3 (-1), M2 (+1), M1 (+1), T1 (+1), T4 (+1), water leaks into acid (+1), ext. fire at heat exch. (+1), T7 (+1), M8 (+1) and M7 (-1) together with the loop being inactive, M4 (0) (HX fouled; continued on page 2) or P6 (0) (continued on page 2); and an EOR branch M4 (-1) (no reversed-gain edge on M7; continued on page 3).]

Heat Exchanger with Single Temperature Feedback to Cold Stream (fault tree continued, pages 2 and 3; gate nesting reconstructed from the extraction order)

M4 (0)                                   [NFBL, loop inactive]
  OR
    Valve stuck
    P6 (0)
      OR
        TRC stuck
        TRC on manual
        P5 (0)
          OR
            Temp. sensor stuck
            T2 (0) (inconsistent)

M4 (-1)                                  [NFBL, reversed gain]
  OR
    EOR: Control valve reversed
    P6 (-1)
      OR
        Set point (+1)
        Ext. fire at TRC (+10)
        Instrument air pressure (-10)
        EOR: TRC reversed
        P5 (-1)
          OR
            Temp. sensor fails low
            EOR: (none)
            T2 (-1) (inconsistent; no +1 disturbance)
        AND
          OR
            Ext. fire at TRC (+1)
            Instrument air pressure low (-1)
          (loop inactive: go to P6 (0) on page 2)

[Example] HEAT EXCHANGER WITH TEMPERATURE CONTROL LOOP AND PUMP SHUTDOWN SYSTEM

The process here maintains the temperature of stream 4 in two ways. First, there is a negative feedback loop from the outlet temperature (T3) through the cooling water flow rate (M6). Second, a sensor on the pump will completely close the nitric acid feed valve if the pump shuts down.

[Figures: process flow diagram and digraph for the heat exchanger with temperature control loop and pump shutdown system. Diagram labels: HNO3 (hot), cooling water, cooling water (outlet), heat exchanger, temperature controller, temperature sensor, to reactor, ON/OFF pump, ext. fire at heat exchanger; streams numbered 1 to 11. Digraph nodes: T1, T2, T3, T4, T8, T9, T10, M1, M2, M3, M4, M8, M9, M10, P6, P7, P11, pump shutdown, instrument air pressure, ext. fire at TRC, ext. fire at heat exchanger. Normal edge gains are +1 or -1; the conditional edge gains labelled on the figure are -10 and 0 (line 11 plugged), and the pump shutdown node takes only the values 0 and 1.]

TEMPERATURE FEEDBACK/PUMP SHUTDOWN

NFBL: T3 -> P6 -> P7 -> M8 -> T3 (the edge gains are labelled on the slide beside the loop)

Local inputs on the NFBL: T3, P6, P7, M8

Local inputs off the NFBL: instr. air pressure, ext. fire at TRC, ext. fire at heat exchanger, T8, M9, T2, M5, M3, M2

TEMPERATURE FEEDBACK/PUMP SHUTDOWN NFBL CAPABILITY

Local input variable off NFBL    Deviation   Slow disturbance   Fast disturbance
T8                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         Yes                Yes
T2                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
M5                               +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No

Second slide of the same table. The variable labels on the slide are M3 or M2, M9, ext. fire at heat exchanger, instr. air pressure and ext. fire at TRC; the rows below are given in the order they were extracted, since the row-to-variable alignment did not survive.

                                 +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
                                 +1          Yes                Yes
                                 +10         No                 No
                                 +1          Yes                Yes
                                 -1          Yes                Yes
                                 +10         Yes                Yes
                                 -10         No                 No
                                 +1          No                 No
                                 -1          Yes                Yes
                                 +10         No                 No
                                 -10         No                 No
                                 +1          Yes                Yes
                                 +10         No                 No

TEMPERATURE FEEDBACK/PUMP SHUTDOWN

NFFL

Branch 1: Pump Shutdown -> M9 -> M8 -> T3

Branch 2: Pump Shutdown -> P11 -> M2 -> T3

(Edge gains as extracted, in this order: -10, +1, -1, +1, -10, with the P11 edge annotated "(P11 = 1)".)

Start of NFFL = Pump Shutdown

End of NFFL = T3

* Variables which have the start of the NFFL (Pump Shutdown) as an input: the first node on each branch, M9 and P11.

CAPABILITY                Slow   Fast
Pump Shutdown  +1         Yes    Yes
(0 and 1 are the only allowed values)

[Figure: fault tree for the top event T4 (+1) in the temperature feedback/pump shutdown example, three pages; gate nesting and the signs of many deviations were lost in extraction, so deviations are given here as extracted. T4 (1) <- T3 (1), an OR with an EOR beside it. Uncontrollable inputs: large ext. fire at heat exch. (+10); M2 (10) <- OR [M1 (10), P11 (1) (value not allowed)]; M3 (10) <- OR [M4 (10)]; T8 (10) <- OR [T9 (10), T10 (10)]; M5 (10); T2 (10) <- OR [T1 (10)]. Controllable disturbances, under an AND: ext. fire at heat exch. (+1); M2 (1) <- OR [M1 (1)]; T8 (1) <- OR [T9 (1), T10 (1)]; M5 (1); T2 (1) <- OR [T1 (1)]; M3 (1) <- OR [M4 (1)]. Loop and NFFL events: M8 (1) (no rev. edge), OR/EOR continued on page 2; AND [M9 (1), P7 (0)]; M9 (10) <- OR [M10 (10), AND [pump shutdown, ...]]; EOR (no rev. edge); OR [valve stuck, HNO3 line 11 plugged] continued on page 3; branches labelled NFBL, NFBL, NFFL (see * on page 3). Page 2 (EOR): water control valve reversed; P7 (1) <- OR [ext. fire at TRC (+10), instrument air pressure (-10), EOR: TRC reversed, P6 (1) (no -10 inputs off NFBL; no -1 inputs off NFBL), EOR, AND [T3 (1) (inconsistent), no rev. edge], AND [OR [ext. fire at TRC (+1), instrument air pressure (-1)], P6 (0) <- OR [temp. sensor stuck, T3 (0) (inconsistent)]]]; labelled NFBL. Page 3: TRC stuck; M8 (0) <- OR [P7 (0) <- OR [TRC stuck, P6 (0) <- OR [temp. sensor stuck, T3 (0) (inconsistent)]]], with "(no zero gain edge)" annotations.]

[Example] A HEAT EXCHANGER WITH TEMPERATURE FEEDBACK TO THE HOT FEED STREAM AND PUMP SHUTDOWN

The outlet temperature of this process is on feedback control through the flow rate of hot nitric acid. A pump shutdown closes valve V2. Using the digraph given in Figure 8, construct a fault tree for the event too high.

[Figure: fault-tree fragment for this example, as extracted (signs of deviations lost): T4 <- T4 <- M8 (10) <- OR / AND [pump shutdown, OR [M10 (10), line 11 plugged, V2 reversed, V2 stuck]]; the branch is labelled NFFL.]
