564 5 Safety and Risk in Engineering Design

structural dependencies. For each sequence of the event tree, the fault trees of the composing events are linked in one large fault tree that follows the logic depicted in the event tree, and the fault tree is then solved with the usual techniques to compute the probability of occurrence of that sequence. Figure 5.12 shows the previous example of an initiating event that requires two systems, S1 and S2, to intervene, where both systems are explicit on the event tree without care to their dependence. The hazardous event (accident and/or incident) sequences in Fig. 5.12 may now be calculated using Bayes' theorem of conditional probability:

$(I)(S_1)(S_2) = P(S_2 \mid S_1 I)\, P(S_1 \mid I)\, P(I)$
$(I)(S_1)(F_2) = P(F_2 \mid S_1 I)\, P(S_1 \mid I)\, P(I)$
$(I)(F_1)(S_2) = P(S_2 \mid F_1 I)\, P(F_1 \mid I)\, P(I)$
$(I)(F_1)(F_2) = P(F_2 \mid F_1 I)\, P(F_1 \mid I)\, P(I)$   (5.4)

If the probability of the sequence (I)(S1)(S2) is to be evaluated, a fault tree is developed with the top event occurring when the initiating event I and the failure of both systems S1 and S2 occur. In place of the events S1 and S2, the corresponding system fault trees can be substituted, thus obtaining a large fault tree that can be logically simplified (accounting for the existing dependencies) and evaluated so as to give the probability of the top event, i.e. the probability of the sequence of interest. With this method, the dependencies are properly treated even if the analysis had, a priori, no information that the dependency existed. This is particularly useful in evaluating systems for safety-critical consequences during the engineering design stage, when information concerning the dependencies of hazardous events is still vague. Conversely, the resulting fault tree for an accident sequence may be rather large, necessitating more time for safety analysis during the design stage.

[Fig. 5.12 Event tree with fault-tree linking: initiating event E1; System 1 in success state S1 or failed state F1; System 2 in state S2 or F2; resulting sequences (I)(S1)(S2), (I)(S1)(F2), (I)(F1)(S2) and (I)(F1)(F2)]

5.2 Theoretical Overview of Safety and Risk in Engineering Design 565

In summary, all the significant dependencies of hazardous events among systems are explicitly represented in the event trees with boundary conditions. The fault trees for the individual events are then simple and independent. However, great care must be taken in identifying all the existing dependencies. In the fault-tree link approach, dependencies of hazardous events are included in the fault trees for the various systems and thus need not be treated as dependent in the event tree. The accident sequence in the linked fault tree is rather large and complex, but all dependencies are treated automatically. In Fig. 5.13, a simplified version of a functional event tree is illustrated for the case of a pipe rupture in the primary cooling circuit of a nuclear reactor. It is evident from these simplified event trees that, for realistic systems, event tree analysis and, thus, safety analysis in engineering design can become quite complicated.

5.2.1.4 Cause-Consequence Analysis for Safety in Engineering Design

The cause-consequence analysis (CCA) method or, alternatively, the cause-consequence diagram (CCD) method is a tool for system safety and risk analysis. As with the fault-tree analysis method, the cause-consequence diagram documents the failure logic of the system. In addition to this, the cause-consequence diagram produces the exact failure probability in an efficient calculation procedure. The cause-consequence diagram technique, as applied to static systems, has been shown to yield the same result as those produced by the solution of the equivalent fault tree and binary decision diagram. On this basis, general rules have been devised for the construction of a cause-consequence diagram, given a static system.
The use of the method in this manner has significant implications in terms of efficiency of conducting safety analysis, and can be shown to have benefits for determining safety in engineering design. Safety analysis of industrial systems is carried out to reduce the risk of adverse events such as injury or death, as well as to aid in the protection of systems and facilities, by reducing the frequency or consequences of accidents and/or incidents. Since the early 1960s, various mathematical models have been used to perform reliability analysis in order to predict the likelihood that a system will function under a given demand. Each analysis model had different features that made it more appropriate to specific types of systems, and the most efficient analysis was to utilise the simplest technique. The most commonly employed technique to assess the probability of failure of industrial systems is fault-tree analysis (FTA).

For systems containing independent failure events, it has been shown that the FTA technique produces a logical description of the failure process and yields, among other results, the system's unreliability. It has been highlighted, however, that this technique has limitations even when it is applied to systems containing independent failure events, in that the structural extent of backward analysis for this tree-based deductive method quickly becomes multi-branched for complex systems, and in itself becomes complex. Qualitatively, if the fault tree is complex, then finding the minimal cut sets can be time-intensive. In addition, the top event probability, found via the inclusion-exclusion formula, may also be computationally time-consuming if the system contains a moderate number of minimal cut sets.

[Fig. 5.13 Function event tree for loss of coolant accident in nuclear reactor (NUREG 75/014 1975)]
In the past, this problem was solved by using a simple approximation for the probability of occurrence of the top event. These approximations, however, can be inaccurate if the likelihood of component failure is large. The problem of inaccuracies due to approximation techniques has been alleviated by the development of the binary decision diagram (BDD) approach. BDDs are based on Bryant's trees (Bryant 1986) to obtain the exact top event probability efficiently by expressing the system failure modes as disjoint paths. The calculation of the top event probability is achieved by summing the probabilities of these disjoint paths. This analysis procedure makes the BDD technique more efficient than the traditional FTA technique. The BDDs, however, cannot be constructed from the system description, and are developed from the fault-tree representation of the system. During the conversion process, the BDD loses all the causality information that is represented in the fault-tree structure. In addition to this, an inefficient ordering of the basic events can result in an excessively large diagram that can prove difficult to analyse, reducing the efficiency of the method.

A technique has been developed that represents all system outcomes, given an initial event, on a diagram that contains a full textual description of the system's behaviour, and produces an exact quantification of system failure probability. This technique is based on the cause-consequence diagram (CCD) method developed at RISO Laboratories in Denmark in the 1970s to aid in reliability analysis of nuclear power plant (Villemeur 1991). The cause-consequence diagram method involves the identification of the potential modes of failure of individual components and then relates the causes to the ultimate consequences for the system. The consequences evaluated include those that represent system failure as well as those that represent other system behaviour.
As all consequence sequences are investigated, the method can assist in identifying system outcomes that may not have been envisaged during the earlier design phases. Cause-consequence analysis (CCA) is most frequently applied to systems where the system state changes with time (Nielsen et al. 1975). Application of cause-consequence analysis to a static system, and development of rules for the construction of a cause-consequence diagram representing a static system, have been used in a high-integrity protection system (HIPS) to prevent the passage of a high-pressure surge in downstream vessels in a process engineering design (Ridley et al. 1996).

The Cause-Consequence Diagram Method

Cause-consequence diagramming is a technique that embodies both causal and consequence analysis. The technique provides a diagrammatic notation for expressing the potential consequences of an event (normally, a hazard) and the factors that influence the outcome. The basic notation is introduced in the context of the example in Fig. 5.14. In this diagram, the hazard is 'ignition'. The final outcomes (or so-called significant consequences) are shown in octagons and vary from 'no fire', 'minor fire', to 'major fire'. The main factors that influence the outcomes are shown in 'condition vertices' (i.e. YES or NO branching), specifically 'alarm on' and 'sprinkler on'. The diagram shows that a major fire will occur as a result of the ignition hazard only if both the sprinkler and alarm system fail. If the frequency with which the hazard will occur can be estimated, and the probability that the sprinkler and alarm systems will fail on demand (and, importantly, to what degree these failures are correlated), then the frequency with which the hazard will give rise to this incident can be estimated.

[Fig. 5.14 Example cause-consequence diagram: hazard 'Ignition'; condition vertices 'Alarm on' and 'Sprinkler on' with YES/NO branches; consequences 'No fire', 'Minor fire' and 'Major fire']
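The fault-tree linking of Fig. 5.12 and Eq. (5.4) applied to the ignition example of Fig. 5.14, as an added worked example that is not from the book: the alarm and sprinkler fault trees share a constructed 'power' basic event, the four sequence probabilities are computed from the linked trees, and the major-fire frequency is compared with the independent product an event tree that ignores the dependence would give. The basic events, their probabilities and the ignition rate are assumed values.

```python
from itertools import product

# Constructed failure-on-demand probabilities for the basic events (assumed values, not
# taken from the book). 'power' feeds both the alarm and the sprinkler pump.
Q = {"detector": 0.02, "power": 0.05, "pump": 0.03, "valve": 0.01}


# Each protection system's fault tree as a Boolean function of the basic-event states
# (True = the basic event has occurred). Both trees contain the shared 'power' event.
def alarm_fails(s):
    return s["detector"] or s["power"]


def sprinkler_fails(s):
    return s["pump"] or s["valve"] or s["power"]


def prob(event, q=Q):
    """Exact probability of a Boolean event over independent basic events, by enumerating
    every state: the linked fault tree solved exhaustively (fine for a handful of events)."""
    total = 0.0
    for bits in product((False, True), repeat=len(q)):
        state = dict(zip(q, bits))
        weight = 1.0
        for name, occurred in state.items():
            weight *= q[name] if occurred else 1.0 - q[name]
        if event(state):
            total += weight
    return total


def sequence_probabilities(q=Q):
    """The four sequences of Eq. (5.4), conditional on the initiating event I (ignition),
    with the alarm as system 1 and the sprinkler as system 2. The conditional terms
    P(F2 | F1 I) and P(F2 | S1 I) are derived from the joint probabilities of the linked trees."""
    f1 = prob(alarm_fails, q)
    f2_given_f1 = prob(lambda s: alarm_fails(s) and sprinkler_fails(s), q) / f1
    f2_given_s1 = prob(lambda s: not alarm_fails(s) and sprinkler_fails(s), q) / (1.0 - f1)
    return {
        "(I)(S1)(S2)": (1.0 - f1) * (1.0 - f2_given_s1),
        "(I)(S1)(F2)": (1.0 - f1) * f2_given_s1,
        "(I)(F1)(S2)": f1 * (1.0 - f2_given_f1),
        "(I)(F1)(F2)": f1 * f2_given_f1,
    }


def major_fire_frequency(ignition_rate, q=Q):
    """Frequency of the 'major fire' consequence of Fig. 5.14 (alarm AND sprinkler fail):
    the linked value beside what an event tree that ignores the shared event would give."""
    linked = ignition_rate * sequence_probabilities(q)["(I)(F1)(F2)"]
    naive = ignition_rate * prob(alarm_fails, q) * prob(sprinkler_fails, q)
    return linked, naive
```

With these assumed values the linked major-fire frequency is more than eight times the independent product, which is the effect the text means by dependencies being "treated automatically" once the trees are linked.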
This is an essential step on the way to estimating the risk arising from the hazard.

Symbols Used for a Cause-Consequence Diagram

There are basically six types of symbols used for constructing a cause-consequence diagram. These symbols include the decision box, fault-tree arrow, initiator triangle, time delay box, OR gate, and consequence box, as illustrated in Table 5.4. The cause-consequence diagram is thus developed from an initiating event, i.e. an event that starts a particular operational sequence, or an event that activates certain safety systems. The cause-consequence diagram is comprised of two conventional safety analysis techniques, the fault-tree analysis (FTA) method and the event tree analysis (ETA) method. The event tree analysis method is used to identify the various paths that the system could take, following the initiating event, depending on whether certain sub-systems/components function correctly or not. The fault-tree analysis method is used to describe the failure causes of the sub-systems considered in the event tree part of the diagram. This relationship is shown in Fig. 5.15.

Table 5.4 Cause-consequence diagram symbols and functions

Decision box (YES/NO box, e.g. 'Sprinkler on'): represents the functionality of a component/system. The NO box represents failure to perform correctly, the probability of which is obtained via a fault tree or a single component failure probability q_i.
Fault-tree arrow (e.g. Ft1): represents the number of the fault-tree structure which corresponds to the decision box.
Initiator triangle (λ =): represents the initiating event for a sequence, where λ indicates the rate of occurrence.
Time delay box (t = x hrs): indicates that the time starts from the time at which the delay symbol is entered and continues up to the end of the time interval in the delay symbol.
OR gate symbol: used to simplify the cause-consequence diagram when more than one decision box enters the same decision box or consequence box.
Consequence box: represents the outcome event due to a particular sequence of events.

[Fig. 5.15 Structure of the cause-consequence diagram: initiating event; consequence part (event tree analysis): identification of the sequence depending on the accident- or incident-limiting systems; causal part (fault tree analysis): cause of the accident- or incident-limiting systems' failure]

Rules for construction and quantification

The cause-consequence diagram technique has been applied to a static safety system and found to yield results similar to those produced by a conventional fault tree (Ridley et al. 1996). On the basis of this study, general rules have been devised for the correct construction of the cause-consequence diagram, as given below. The use of the cause-consequence method in this manner has significant implications in terms of efficiency of reliability analysis, and can be shown to have computational benefits for analysing static safety systems.

Step 1. Component failure event ordering
If the order of failure is irrelevant, which is typically the case in a static system, then the CCD can be initiated by considering any of the components in the system.
The analysis of the CCD should yield identical results regardless of the component or variable ordering; however, the actual diagrams may vary in size. The first step of CCD construction is therefore deciding on the order in which component failure events are to be taken. To ensure a logical development of the causes of the system failure mode (i.e. initiating event), the ordering should follow the temporal action of the system, or the system's activation for the function required.

Step 2. Cause-consequence diagram construction
The second stage involves the actual construction of the CCD. Starting from the initiating component, the functionality of each component or sub-system is investigated and the consequences of these sequences determined. If the decision box is governed by a sub-system, then the probability of failure will be obtained via a fault-tree diagram.

Step 3. Reduction
If any decision boxes are deemed irrelevant (for example, the boxes attached to the NO and YES branches are identical, and their outcomes and consequences are the same), then these should be removed and the diagram reduced to a minimal form. Removal of these boxes will in no way affect the end result. This is illustrated in Fig. 5.16, where failure (F) can occur due to either of the two paths that terminate in the same failure function consequence, affecting either the NO or YES branches of component A. On one path the component (A) works, on the other it fails, proving that the state of component (A) represented by the decision box is irrelevant. When a redundant decision box is identified, reduction is achieved by removing the box and replacing it with the next decision/consequence box. When no further redundancies exist, the cause-consequence diagram is deemed minimal.

[Fig. 5.16 Redundant decision box]

Step 4. System failure quantification
The probability of each consequence for a static system is determined by summing the probability of each set of events that lead to this particular outcome. Each sequence probability is obtained by simply multiplying the probabilities of the component events represented by the branch. This is possible because each sequence of events is mutually exclusive, and the probability of a component failure event is assumed independent.

Three-component systems

The cause-consequence diagram approach for static systems can be demonstrated by a very simple system example. The approach shows that it has potential advantages in comparison to a conventional fault-tree analysis for larger systems. The system example contains three components A, B and C, and system failure is caused by either A and B failing together, or C failing alone. The system failure causes are illustrated as a fault-tree structure in Fig. 5.17. The cause-consequence diagram can be constructed according to the following steps:

Step 1. Component failure event ordering
The ordering chosen is that of A, B and C.

Step 2. Cause-consequence diagram construction
The CCD is constructed by inspecting the failures of the components in that order (refer to Fig. 5.18).

Step 3. Reduction
Boxes 3 and 4 are both irrelevant and are therefore removed. This process reduces the CCD, the final form being illustrated in Fig. 5.19 and, as no further redundancies exist, the diagram is minimal.

Step 4. System failure quantification
The probability of system failure is equal to the sum of the probability of the three sequence paths that lead to the consequence 'F'.

[Fig. 5.17 Example fault tree indicating system failure causes: TOP event; gate G1; Function A, Function B, Function C; basic events A, B, C]

[Fig. 5.18 Cause-consequence diagram for a three-component system]
Therefore, since the paths are mutually exclusive:

$$\begin{aligned}
\text{Probability of failure} &= P(\text{path}_1) + P(\text{path}_2) + P(\text{path}_4) \\
&= q_A q_B + q_A (1 - q_B)\, q_C + (1 - q_A)\, q_C \\
&= q_A q_B + q_A q_C - q_A q_B q_C + q_C - q_A q_C \\
&= q_A q_B + q_C - q_A q_B q_C
\end{aligned}$$

The fault-tree quantification calculates the top event probability to be identical to that obtained by the cause-consequence diagram approach. By studying the reduced form of the CCD, it can be noted that it is equivalent to the binary decision diagram (BDD) for the fault tree in Fig. 5.17 with the variable ordering A < B < C, as illustrated in Fig. 5.20. The top event probability can also be obtained directly from the BDD by multiplying the probabilities down the paths that lead to the terminal 1 node.

[Fig. 5.19 Reduced cause-consequence diagram]

[Fig. 5.20 BDD with variable ordering A < B < C]
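The construction rules (Steps 1 to 4) carried through in code for the three-component system of Fig. 5.17, as an added example that is not from the book: decision boxes are expanded in the chosen component order, redundant boxes (Step 3) are removed as they are found, the failure probability is summed over the mutually exclusive paths to 'F' (Step 4) and checked against the inclusion-exclusion result of the fault tree. It goes beyond the page's single case in that any static failure function and any ordering can be supplied; a second ordering shows a smaller diagram with the same probability, as the text states. The numeric q values are assumed.

```python
# Static three-component system of Fig. 5.17: failure if A and B both fail, or C fails.
# A state maps component name -> True when that component has FAILED (the NO branch).
def system_fails(state):
    return (state["A"] and state["B"]) or state["C"]


def build_ccd(fails, order, decided=None):
    """Steps 1-3: expand decision boxes in the chosen component order and drop any box
    whose YES and NO branches lead to identical sub-diagrams (redundant box, Fig. 5.16).
    Returns a consequence label ('OK' or 'F') or a tuple (component, yes_branch, no_branch)."""
    decided = dict(decided or {})
    if len(decided) == len(order):
        return "F" if fails(decided) else "OK"
    comp = order[len(decided)]
    yes_branch = build_ccd(fails, order, {**decided, comp: False})  # component works
    no_branch = build_ccd(fails, order, {**decided, comp: True})    # component fails
    if yes_branch == no_branch:  # outcome independent of comp: remove the box
        return yes_branch
    return (comp, yes_branch, no_branch)


def failure_paths(diagram, q, prob=1.0, path=()):
    """Step 4: every mutually exclusive sequence ending in consequence 'F', with its
    probability (q_i on a NO branch, 1 - q_i on a YES branch, multiplied along the path)."""
    if isinstance(diagram, str):
        if diagram == "F":
            yield path, prob
        return
    comp, yes_branch, no_branch = diagram
    yield from failure_paths(yes_branch, q, prob * (1 - q[comp]), path + ((comp, "YES"),))
    yield from failure_paths(no_branch, q, prob * q[comp], path + ((comp, "NO"),))


def failure_probability(fails, order, q):
    return sum(p for _, p in failure_paths(build_ccd(fails, order), q))


def inclusion_exclusion(q):
    """Fault-tree reference value from the minimal cut sets {A, B} and {C}."""
    return q["A"] * q["B"] + q["C"] - q["A"] * q["B"] * q["C"]


if __name__ == "__main__":
    q = {"A": 0.1, "B": 0.2, "C": 0.05}  # constructed failure probabilities
    for order in (("A", "B", "C"), ("C", "A", "B")):
        ccd = build_ccd(system_fails, order)
        print(order, "reduced CCD / BDD:", ccd)
        for path, p in failure_paths(ccd, q):
            print("   " + " -> ".join(f"{c}:{s}" for c, s in path), f"p = {p:.4f}")
        print("   P(F) =", round(failure_probability(system_fails, order, q), 6))
    print("inclusion-exclusion:", inclusion_exclusion(q))
```

For the ordering A, B, C the reduced diagram has exactly the three 'F' paths of the derivation above (A works and C fails; A fails, B works and C fails; A and B fail), which is the BDD of Fig. 5.20.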