634 5 Safety and Risk i n Engineering Design {N(t)+C(t)} is obtained by multiplying the p.g.f.s of the random variables together Ez N(t) ·Ez C(t) = Ez N(t)+C(t) (5.79) where N(t) and C(t) are independent. 5.2.4.2 Cause-Consequence Analysis for Safety Systems Design Cause-consequence analysis for safety systems design is fundamentally a combina- torial symbolic logic technique, utilising the symbolic log ic of fault-tree analysis (FTA), reliability block diagramming (RBD) and event tree analysis (ETA). Each of these techniques has unique advantages and disadvantages. In most complex safety systems designs, it is beneficial to construct a model usingone technique, then trans- form that model into the domain of another technique to exploit the advantages of both. Fault trees are generated in the failure domain, reliability diagrams are gen- erated in the success domain, and event trees are generated in both the success and failure domains. Methodology to transform any one of the above models into the other two, by translating equivalent logic from the success to failure or failure to success domains, is considered later. Probabilities are propagated throughout the logic models to de- termine the probability that a system will fail, i.e. its risk, or the probability that a system will operate successfully, i.e. its reliability. Probability data may be de- rived from available empirical data or, if quantitative data are not available, then subjective probability estimates may be used. Cause-consequence analysis for safety systems design explores the system’s re- sponses to an initiating deviation from predetermined norms (such as the limits of safe operating parameters), and enables evaluation of the probabilities of un- favourable outcomes at each of a number of mutually exclusive loss levels, depend- ing upon the extent of deviation from these norms. The deviation beyond a set limit is designated an event. The analysisthen beginswith an initiating event and performsaforward (bottom- up) analysis using ETA. This technique provides data similar to those available with conventional event tree analysis; however, it affords two advantages over the con- ventional event tree—time sequencing of events is better portrayed, and discrete, staged levels of outcome are analysed. The cause portion of this technique is the safety system response to an undesired process state or condition. This process state is represented as a fault-tree TOP event and is normally, but not always, quantified by its probability of occurrence. The consequence portion of this tech nique yields a display of potential outcomes representing incremental levels of success or failure of the safety system. Each increment has an associated level of assumed or calcu- lated probability, based on variations of responses of the safety system to the various process states or conditions. The cause has an associated probability, and each con- sequence has an associated severity and probability (NASA 1359 1994). 5.2 Theoretical Overview of Safety and Risk in Engineering Design 635 Cause-consequence analysis for safety systems design is particularly useful in analysing command-start and command-stop protective devices, emergency re- sponse systems, and engineered safety features. Cause-consequence analysis is fundamentally useful in evaluating design d ecision options concerning the effects and/or benefits of sub-tiered redundant or diverse countermeasures for safety sys- tems design. This technique may be used to compliment a failure modes and effects analysis (FMEA) or, m ore specifically, a failure modes and safety effects (FMSE) analysis, otherwise known as probabilistic risk analysis (PRA). a) Fault Tree, Reliability Block Diagram, and Event Tree Transformations Fault trees, reliability block diagrams (RBDs) and event trees ar e all symbolic logic models. Fault trees are generated in the failure d omain, reliability diagrams are gen- erated in the success domain, and event trees are generated in the success and failure domains. These techniques transform any one of the above models into the other two by translating equivalent logic from the success to failure or failure to success domain. Fault trees offer comp rehensive qualitative or quantitative analysis. RBDs offer a simplistic method to represent system logic, and event trees enable systems evaluation in both the success and failure domains. Prior to considering the methods for transforming a fault tree, RBD or event tree into either of the other two logic models, it is essential to first review reliability block diagrams (RBDs): A reliability block diagram (RBD) is a deductive, top-down analysis, symbolic logic model, used to define the path from effect to cause, and generated in the suc- cess domain. Each RBD has an input and an output and flows left to right from the input to the output. Blocks may depict failure events or element functions within a system, though most RBDs typically depict system element functions only. A sys- tem element can be a sub-system, assembly, sub-assembly, component or part. Sim- ple RBDs are constructed of series, parallel, or combinations of series and parallel elements, as indicated in Fig. 5.26 (NASA 1359 1994). An RBD may contain a combination of series and parallel branches where each block represents an event or system element function. These b locks are connected in series if all elements must operate for the system to operate successfully, or they are connected in parallel if only one element needs to operate for the system to operate successfully. Reliability is the probability of successful operation during a defined time inter- val and, conversely, unreliability is the probability of failure during a defined time interval. In a safety analysis context, RBDs indicate system reliability or unreliabil- ity, where each block may represent a system element function (operates success- fully) or a failure event. Each element of a block diagram is assumed to functio n or to fail independently of the other elements. The overall system reliability can thus be determined from the relationship s between element reliability and system reliability for series and parallel systems. 636 5 Safety and Risk in Engineering Design Fig. 5.26 Simple RBD construction The relation sh ipsbetween element reliability and system reliability for series and parallel systems can be mathematically expressed as Series R S = n ∏ i R i = R 1 ∗R 2 ∗R 3 R n (5.80) Parallel R S = 1− n ∏ i (1−R i ) Parallel R S =[1−(1−R 1 )(1−R 2 )(1−R 3 ) (1−R n )] where: R S = system reliability R i = system element reliability n = number of system elements that function independently. Not all systems can be modelled with simple RBDs. Some complex systems cannot be modelled with true series and parallel branches. These systems must be modelled with a complex RBD. Such an RBD is presented in Fig. 5.27. In this example, if 5.2 Theoretical Overview of Safety and Risk in Engineering Design 637 Fig. 5.27 Layout of a complex RBD (NASA 1359 1994) element E fails, then paths B, E, G and B, E, H are not success paths; thus, this is not a true series or parallel arrangement. An RBD enables evaluation of various potential design configurations. The re- quired element reliability levels can be deter mined to achieve the desired system reliability. An RBD can also be used to identify design configuration elements in symbolic logic as a precursor to performing an FTA. The procedures to generate a simple RBD are as follows: (1) Define the system into its SBS from the available functional diagram of the system. (2) Construct a block diagram usin g the convention illustrated in Fig. 5.26. (3) Calculate system reliability bands, R SL (low) to R SH (high), from each element’s reliability band, R iL (low) to R iH (high), in the following manner: a. For series systems with n elements that are to function independently R SL = n ∏ i R iL = R 1L ·R 2L ·R 3L · ·R nL (5.81) R SH = n ∏ i R iH = R 1H ·R 2H ·R 3H · ·R nH . b. For parallel systems with n elements that are to function independently R SL = 1 − n ∏ i (1−R iL ) (5.82) R SL =[1 −(1−R 1L )(1−R 2L )(1−R 3L ) (1−R nL )] R SH = 1 − n ∏ i (1−R iH ) R SH =[1 −(1−R 1H )(1−R 2H )(1−R 3H ) (1−R nH )] c. For series-parallel systems, first determine the reliability for each parallel branch using the equations in step 3b. Then treat each parallel branch as an element in a series branch and determine the sy stem reliability by using the equations in step 3a. d. For parallel-series sy stems, first determine the reliability for each series branch using the equations in step 3a. Then treat each series branch as an 638 5 Safety and Risk in Engineering Design element in a parallel branch and determine the system reliability by using the equations in step 3b. For systems that are composed of the four arrangements given above, the relia- bilities for the simplest branches are first determined , which then become branches within the remaining block diagram. The reliability for the new branches are then determined.This process is continueduntil one of theabovefour basic arrangements remains, from which sy stem reliability is calculated. As an example, consider a high-pressure process with a high-integrity protection system (HIPS) containing two sub-systems designated S 1 and S 2 . Sub-system S 1 has three sensor components and at least one of the three must function successfully for the sub-system to operate. Sub-system S 2 is an essential instrumentation path for the protectio n system. Sub-system S 2 has three components that all need to function successfully for the sub-system to operate. The estimated reliability band for each component is given in Table 5.14. The components for sub-system S 1 are in a parallel branch with the compo- nents of sub-system S 2 . In addition, the components for sub-system S 1 form a series branch, and the components for sub-system S 2 form a parallel branch. An RBD for the sy stem is illustrated in Fig. 5.28. Sub-system S 1 reliability Low band value: R S 1 L = 1−(1 −0.80)(1−0.80)(1−0.80)=0.992 High band value: R S 1 H = 1−(1 −0.85)(1−0.85)(1−0.85)=0.997 Table 5.14 Sub-s ys tem component reliability bands Component Low High 1 A 0.80 0.85 1 B 0.80 0.85 1 C 0.80 0.85 2 D 0.90 0.95 2 E 0.90 0.95 2 F 0.90 0.95 Fig. 5.28 Example RBD 5.2 Theoretical Overview of Safety and Risk in Engineering Design 639 Sub-system S 2 reliability Low band value: R S 2 L =(0.90)(0.90)(0.90)=0.729 High band value: R S 2 H =(0.95)(0.95)(0.95)=0.857 System reliability Low band value: R SL = 1−(1 −0.992)(1−0.729)=0.998 High band value: R SH = 1−(1 −0.997)(1−0.857)=0.999 The reliability band for the combined system is 0.998 to 0.999. This example is of particular interest in that the configuration for the HIPS produces an overall reliability range that is higher than any of the sub-system reliabilities. The reliability values for the parallel sub-system S 1 are higher than the reliability values for the series sub-system S 2 , implying that the sensors configuration of the HIPS has higher priority than does the instrumentation path. The application of an RBD in safety systems design provides several advantages in that it allows evaluation of design concepts wh en desig n changes can still be incorporated. Furthermore, it tends to be easier to visualise than o ther logic models, such as fault trees, because blocks representing elements in an RBD can be arranged in a manner representing how these elements function in the system. Since RBDs are easy to visualise, they can be generated prior to conducting FTA, and transformed into a fault tree. The methods for transforming a fault tree, RBD or event tree into either of the other two logic models are as follows (NASA 1359 1994), starting with the RBD to fault tree transformation shown in Fig. 5.29. Fig. 5.29 RBD to fault tree transformation 640 5 Safety and Risk in Engineering Design b) RBD to Fault Tree Transformation A fault tree represents system functions that, if they fail, produce a TOP event fault in place of a success event, which the reliability block path indicates. The series nodes of an RBD denote an OR gate beneath the TOP event of a fault tree. The parallel paths in an RBD denote the AND gate for redundant component functions in a fault tree. The reliability diagram can thus be relatively easily transformed into a fault tree, as shown in Fig. 5.29. c) Fault Tree to RBD Transformation An RBD represents system component functions that produce success in place of a TOP fault event, if these functions prevail. A fault tree can be transformed into a reliability diagram, as illustrated in Fig. 5.30. d) RBD and Fault Tree to Event Tree Transformation An event tree represents path sets in the success branches of the tree and all the cut sets in the failure branches of the tree. Therefore, if the path sets and cut sets of a system are known for the TOP event of a fault tree, then an event tree can be Fig. 5.30 Fault tree to RBD transformation 5.2 Theoretical Overview of Safety and Risk in Engineering Design 641 Fig. 5.31 Cut sets and path sets from a complex RBD Fig. 5.32 Transform of an event tree into an RBD constructed. Cut sets and path sets may be obtained from a reliability diagram as showninFig.5.31(cf.Fig.5.32). e) Event Tree to RBD and Fault Tree Transformation An event tree represents path sets in the success branches of the tree and all the cut sets in the failure branches of the tree. To transform an event tree into an RBD, the process is reversed as illustrated in Fig. 5.32. Once the RBD is formed, a fault tree can be developed as illustrated in Fig. 5.33. These techniques allow for weaknesses of any one of the analysis techniques to be overcome by transforming a system model into an equivalent logic model as another analysis technique. For example, a complex system that may be hard to model as a fault tree might be easily modelled with an RBD. Then, the RBD can 642 5 Safety and Risk in Engineering Design Rs = 1−(1−R A ) ∗(1−R B ) ∗(1−(R C )(R D )(R E )) Fig. 5.33 Transform of an RBD to a fault tree be transformed into a fault tree, and extensive quantitative or pseudo-quantitative (partially qualitative and quantitative) analysis can be pe rformed. However, these techniques do possess some limitations, such as the following: • No new information concerning the system is obtained and the models are only as good as the models being transformed. • The cut sets and path sets required to p erform these transformations for large complex systems may require extensive computer resources to determine. f) Structuring the Cause-Consequence Diagram Previously in Sect. 5.2.1.4, a four-stage procedure to construct and analyse a cause- consequence diagram was given as: • Step 1) Component failure event ordering. • Step 2) Cause-consequence diagram construction. • Step 3) Reduction. • Step 4) System failure quantification. If this procedure is to be considered as a generally applicable approach, it m ust be capable of dealing with the events that occur in more than one fault-tree structure attached to the decision boxes in any sequence p ath. It can be shown that the cause- consequence d iagram method can deal with repeated events in a more efficient way 5.2 Theoretical Overview of Safety and Risk in Engineering Design 643 than that used for fault-tree analysis (FTA). Using the cause-consequence diagram method, there is no n eed to obtain the Boolean expression of the top event and then manipulate it to produce a minimal form prior to analysis. The cause-consequence method deals with sequences of events that either occur (fail) or do not occur (work). The probability of a particular outcome is obtained by summation of the probability of all paths that lead to the outcome. Summation of the probabilities of the mutually exclusive paths results in the development of the reduced form that would be obtained from the fault tree following Boolean reduc- tion. An algorithm has been developed that can trace through a cause-consequence diagram, and identify and extract any repeated basic events in more than one fault- tree structure on the same sequence path. Certain procedural steps are used in this extraction algorithm (Ridley et al. 1996). Procedural steps used in an extraction algorithm to identify and extract any re- peated basic events in more than one fault-tree structure on the same sequence path: • Step 1) Identify the fault-tree structures in the path under inspection. • Step 2) Each fault tree in a path is modularised and the independent sub-trees identified. • Step 3) Each independent sub-tree for each fault-tree diagram is compared to the others and, following identification of common sub-trees or individual basic events, the cause-consequence diagram is modified. • Step 4) The cause-consequence diagram is modified using the following rules: a. Following the identification of a common sub-tree or basic event, the com- mon element is extracted and set as a n ew decision box at the highest point in the cause-consequence diagram that has all dependencies below it. b. The cause-consequence diagram is then duplicated on each branch. c. Having developed a decision box forthe common sub-tree or basicevent, the decision boxes that contained the common event prior to extraction require modification. The common event(s) are set to 1 (TRUE) in the fault trees following the NO outlet branch from the new decision box, as this indicates failure, and to 0 (FALSE) in the fault trees following th e YES branch to signify that the common event(s) works. d. After extraction of the common sub-tree or basic event, each fault tree that has been modified requires reorganisation. Each fault tree containing the ex- tracted Boolean variable is inspected and the fault trees modified by setting the Boolean variable to represent the path taken in the cause-consequence diagram. e. The cause-consequence diagram is then reduced to a minimal form by re- moving any redundant decision boxes that have been identified. This proce- dure is repeated until all sequence paths have been inspected and no repeated sub-trees or basic events discovered. As an example, the technique is applied to the simple high-pressure protection sys- tem depicted in Fig. 5.34. The basic functions of the components of the system are shown in Table 5.15. The overall function of the protection system is to prevent . safety systems design is particularly useful in analysing command-start and command-stop protective devices, emergency re- sponse systems, and engineered safety features. Cause-consequence analysis. probability, and each con- sequence has an associated severity and probability (NASA 1359 1994). 5.2 Theoretical Overview of Safety and Risk in Engineering Design 635 Cause-consequence analysis for safety. 5 Safety and Risk i n Engineering Design {N(t)+C(t)} is obtained by multiplying the p.g.f.s of the random variables together Ez N(t) ·Ez C(t) = Ez N(t)+C(t) (5.79) where N(t) and C(t) are independent. 5.2.4.2