1. 2010 EFCOG SAWG Meeting ��Using Quantitative Analysis to Make�Risk-based Decisions�
John A. Farquharson
2. Outline When to use the quantitative risk analysis (QRA) techniques
How to determine the level of analysis that is needed
Example 1: Aircraft maintenance procedure
Example 2: Offshore oil and gas production facility
Example 3: Nuclear facility automatic HVAC fan controller
Summary
3. Definition of Risk Terms Risk = Frequency x Consequence
Risk assessment: A formal process of increasing ones understanding of the risk by answering three questions:
What can go wrong?
How likely is it?
What are the impacts?
4. The Process of Risk Assessment
5. Definition of QRA QRA is an art and a science
Numerical estimates of:
expected frequency
projected consequences
Most effectively used after design characteristics have already been specified
6. Efficient Use of QRA Techniques Always perform the qualitative risk assessment study first
Focus on the risk-based decision
Perform the analysis with barely enough detail to answer the question
Use a phased approach for both frequency analysis and consequence analysis
7. Frequency Analysis Phased Project Phase 1 Perform qualitative study (typically failure modes and effects analysis [FMEA])
Phase 2 Prepare event trees to display accident scenarios of interest
Phase 3 Use branch point estimates to develop a frequency estimate for the accident scenarios
Phase 4 Use fault trees to solve the initiating event frequency and branch point probabilities
8. Consequence Analysis Phased Project Phase 1 Identify consequence types and screening thresholds
Phase 2 Perform subjective binning of consequence categories
Phase 3 If necessary, develop a detailed quantitative estimate of the impacts of the accident scenarios
9. Portray the Risk Combine the appropriate phases of both the frequency analysis and the consequence analysis
10. Sample QRA Projects Airline maintenance policy (required installation of the nose landing gear [NLG] pin for aircraft)
Offshore oil production facility (internal vs. external riser)
Nuclear research and development facility HVAC fan interlock study (automatic vs. manual fan shutoff capability)
11. Aircraft Maintenance Policy Evaluate the policy regarding the installation of the NLG pin for Air Canada aircraft
Risk tradeoff
inadvertently leaving pin in place after takeoff
versus
NLG collapse
12. Boeing 767 (wheels down, pilot wants them up for flight)
13. Nose Landing Gear (should we always use a safety pin on ground?)
14. Nose Landing Gear Collapse (if we dont, this could happen)
15. Technical Approach Discussed potential accident scenarios associated with NLG pin maintenance procedure
Used existing risk matrix for display/judgment of risk
Developed event scenarios using event trees
Collected data to allow estimation of scenario frequencies
16. Technical Approach (cont.) Calculated risk results
frequency of each scenario
major risk contributors to each scenario and overall risk
Identified and evaluated risk management measures
17. Maintenance Policy Options Case A - Mandatory NLG Safety Pin Installation During Towing to Hangar and Maintenance
Case B - NLG Pin Installation Only During NLG Testing or Maintenance
Case B* - Locking NLG Pin Installation Only During NLG Testing or Maintenance
18. Example Event Tree
19. Results
20. Observations and Conclusions Risk tradeoff
expected reduction in NLG collapse (Catastrophic) for Case A
versus
expected increase in planes taking off with the NLG safety pin in place (Moderate)
Conclusion
Case A policy (mandatory pin) represents a lower total risk than Case B policy
21. Offshore Oil Production �Facility QRA Produces oil and gas from predrilled offshore wells
A square centerwell runs through the hull, which can contain individual oil and gas export risers and other flow lines
22. Offshore Oil Facility (hazard of falling objects and impact from stray vessels)
23. Floating to its New Home (should oil/gas risers be inside or outside?)
24. Offshore Oil Production �Facility QRA (cont.) Two designs considered for the location of the risers
Option 1 Through the centerwell
protects the risers from external impact
however, the centerwell interior is tightly confined; an explosion or fire could be far more damaging
25. Offshore Oil Production �Facility QRA (cont.) Option 2 Outside the hull
more likely to have external impact
potential release not contained; lower consequence associated with fire or explosion
26. Analysis Steps 1. Identify initiating events
2. Identify accident mitigation factors
3. Model accident sequences using event� trees
4. Estimate frequency of initiating events� and branch point probabilities
5. Estimate consequences using index
6. Summarize results
27. Example Event Tree (Option 1)
28. Example Event Tree (Option 2)
29. Consequence Index
30. Relative Risk Index
31. Nuclear Research and Development Facility HVAC Fan Interlock Study Automatic vs. manual fan shutoff capability
Direct Digital Control (DDC) system; failures of some fans will shut off others to maintain negative pressure in radioactive areas
DDC could shut off exhaust to stand-alone fumehood while operator is working with toxic chemicals
32. Fumehood (for chemical hazard)
33.
..versus Fan (for nuclear hazard)
34. Analysis Steps 1. Identify initiating events
2. Identify accident mitigation factors
3. Model accident sequences using event� trees
4. Develop fault tree models for each� initiating event and branch point
5. Qualitatively describe potential� consequences
6. Develop failure data
7. Summarize results
35. Fan Interlock Event Tree
36. Fan Interlock Fault Tree
37. Results Scenario 1 positive pressure in rad area that does not result in an exposure: �2E-4/year (once per 5,000 years)
Scenario 2 positive pressure in rad area that does result in an exposure: �<1E-8/year (less than once per 100,000,000 years)
38. Results (cont.) Scenario 3 severe chemical exposure suffered by onsite personnel due to shutdown of exhaust fumehood: 4E-6/year (once per 250,000 years)
39. Discussion If DDC interlock system is not used:
scenario 1 would increase by approximately two orders of magnitude (~once per 50 years)
scenario 2 would also increase to approximately once per 1,000,000 years
Warning placards and training needed to limit effects of scenario 3
40. Conclusions QRA should focus on answering the risk-based question
Do only enough analysis to answer the question
Beware of dependent failures (common cause failures) where a failure causes initiating event and safeguard failure simultaneously
41. ABSG Consulting Inc.�10301 Technology Drive�Knoxville, TN �37932-3392�USA Telephone (865) 966-5232�Fax (865) 966-5287��www.absconsulting.com
