Vesely Hazard Analysis and Fault Tree Analysis
18
1 Hazard Analysis and Fault Tree Analysis Bill Vesely NASA HQ
Transcript of Vesely Hazard Analysis and Fault Tree Analysis
1
Hazard Analysis and Fault Tree Analysis
Bill VeselyNASA HQ
2
Use of a Fault Tree in Identifying Hazards
When a fault tree is used to identify the hazards then it is often called a Master Logic Diagram (MLD)The top event is the undesired event that can result from the hazardsThe top event is resolved to initiating events that can result in the undesired eventEach initiating event is developed into an accident scenario to assess the associated riskEach initiating event is also linked to the conditions enabling the initiating event
3
LO CV D ue to Loss o fStructural Inte grity C ause d byFire/E xplosion during Ascent
LO CV-Ascent-LS-FirExp21
APU cause d F ire/E xplosion
Fire/Explosion o f STSduring Separation
SRB caused Fire/E xplosion
RSRM failure s causingelement Fire/E xplosion
SR B System failurecausing S TS e lem entFire/Explos ion
Foreign object dam age
RSRM fails to m aintain safeSTS attitude/perform ancedue to T hrust failu re
Structure breakup ofRSRM resulting inFire/Exp of ST S ve hicle
RSRM structural failu recausing Fire/E xplosionin othe r STS elements
Structure failure ofRSRM componentsFire/Explos ion of
o ther STS e lem ents
APU exhaustleak dam age
APU fuelleak dam age
R SS destructcomm and of STSdue to elem ent failu re
M PS causedFire/E xplosion
O verpressuriz ationdue to M PS failu re
M PS fuel le ak
M PS H2 leak M PS O2 leak
OM S/RCS causedFire/Explosion
O verpressurezationdue to OM S failure
O verpressurizationdue to RCS failure
ET Fire/Explosion
E T fa ilu re caus ing e lem entF ire/Explos ion
SSM E Fire/Explosion
FCP fue l le ak
O rbote r I/F le akagePRSD caused Fire/Explosion
O rbiter fa ilu re causingelem ent Fir/Explosion
A Master Logic Diagram for the Space Shuttle for Loss of Crew and Vehicle (LOCV) Due to Fire
4
Constructing an Accident Scenario for Each Initiating Event
The accident scenario defines additional enabling events (pivotal events) which are necessary for the initiating event to progress to the undesired final event The pivotal events in the accident scenario are resolved to basic causal events at which controls are appliedThe initiating event can also be resolved to more basic causal events where controls can be instituted
5
Approaches for Constructing the Accident Scenario
Event Sequence Diagrams (ESDs) construct the accident scenario as a chain sequenceEvent Trees (ETs) construct the accident scenario as an event treeFault Trees (FTs) construct the accident scenario as a fault tree
6
Illustration of a Basic Event Sequence Diagram
Initiating Event
Pivotal Event
Pivotal Event
Final UndesiredEvent
7
Pre-Existing Crack
Pre-Existing Crack
InspectionProbability
of Detection
InspectionProbability
of Detection
Critical CrackSize
Critical CrackSize
Crack in Critical
Area
Crack in Critical
Area
RotorShift
RotorShift
Loss ofTurbinePower
Loss ofTurbinePower
PumpRub
PumpRub
High MassPiece
Liberated
High MassPiece
LiberatedUncontained
FailureUncontained
Failure FireFire LOC/VLOC/V
TurbineRub
TurbineRub
High MassPiece
Liberated
High MassPiece
Liberated
UncontainedFailure
UncontainedFailure FireFire LOC/VLOC/V
Mass HitsGox Hex
Mass HitsGox Hex LOC/VLOC/VFireFire
TurbineOverTemp
TurbineOverTemp
RedlineFailure
RedlineFailure LOC/VLOC/V
An Event Sequence Diagram (ESD) for a Hazard Analysis of Cracks Existing in the Turn-Around-Duct of the High Pressure Pump of the SSME
8
2nd Stage Impeller Blade ESD ~ Pre-Existing Flaw
Loss of Turbine Power
Loss of Impeller
Head Rise
Redline Failure
PE 5
LOC/V
PE 4
Loss of Torque
Carrying Capability
Disk Over Speed,
Burst, Case Penetration
LOC/V
PE 8 PE 9
Turbine Overtemp
PE 6 PE 7
Fire/ Explosion
Pre-Existing Crack
Critical Crack Size
Critical Area
Missed Crack
Inspection
PE 1 PE 2 PE 3
PE 10
9
Event Sequence Diagram for External Leakage of Hydrazine in the APU
MS
SufficientHydrazine Release
ExternalLeakage of Hydrazine
LOV/CIgnition SourcePresent
MS
Random FailureOr Missed Defect
Yes
No
Yes
No
Yes
Mission Success Mission Success
10
Basic Event Tree Model
Initiating Event
Pivotal Event
Pivotal Event
Pivotal Event
Yes
No
MS
MS
MS
Undesired Event
11
ET Weld Defect Event Tree No critical defect
in weld Critical defect
detected before proof
No critical defect in repaired weld
Critical defect in repaired weld
detected before proof
Critical defect survives proof
Post proof NDE required?
Critical defect in weld detected
during post proof NDE
Good-Weld Pre-Proof-NDE Post-Repair-Defects Post-Repair-NDE Proof Require-Post-
Proof-NDE Post-Proof-NDE # End-State Names
1 Good weld dNo critical defect in weld
2 Weld repair goodWeld fixed
3 Repair weldRepair weld Repair tank
4 Repair & reproof t kCritical defect Repair tank
still in weldMake Weld Critical defect 5 Flawed weld on
ETstill in weld Critical defectCritical defect still in weldstill in weld 6 Repair & reproof
t kRepair tank Critical defect in weld 7 Repair & reproof
t kRepair tank
Another chance 8 Flawed weld on ETto find defect Critical defect
Critical defect still in weldstill in weld 9 Flawed weld on
ETWeld unrepaired Critical defectstill in weld
10 Repair & reproof t kRepair tank
PRA-Weld-Model - Event Tree Diagram for Weld
Make Weld Weld
Weld Process Example
12
LOCV due to Fire From a Pre-existing Crack
Fire occurs frommass fragments
Mass fragments generated
Rubbing of Pump Rubbing of pump generates
mass fragments
Rotor shift due to crack Rotor shift causes
rubbing of pump
Crack causes rotor shift
Crack missed by inspection
Fault Tree for the Hazard of a Crack Causing a Fire and LOCV
13
SRB–TVC–APU–LF–HDZ–LK–CFL
LeakInitiating Event
ScreeningMisses Leak
SufficientQuantity
IgnitionSource
SRB_TVC_APU_LF_LK_IE SRB_TVC_APU_LF_LK_SC SRB_TVC_APU_LF_LK_SQ SRB_TVC_APU_LF_LK_IG
SRB–TVC–APU–LF–HDZ–LK–RC
LeakInitiating Event
Leak Caught,Prob. Of
Reoccurrence
SufficientQuantity
IgnitionSource
SRB_TVC_APU_LF_LK_IE SRB_TVC_APU_LF_LK_RC SRB_TVC_APU_LF_LK_SQ SRB_TVC_APU_LF_LK_IG
Accident Scenarios Modeled in Fault Trees
14
A Fault Tree is Generally Not Recommended for Scenario Modeling
An accident scenario generally involves a time sequence of eventsAccident scenario modeling is inductive and determines subsequent events and resulting consequencesAccident scenarios are best modeled using ESDs or ETsA fault tree is a deductive model resolving an undesired event into primary causesFTs are best applied in resolving the events in an accident scenario to primary causal events
15
FTA Application in Resolving an Event to Basic Causal Events
The top event of the FT is the initiating event or one of the enabling events in the accident scenarioThe FT is developed to basic causal events at which controls are appliedThe basic causal event description includes the relevant failure mode as done in standard FTAPrimitive root causes of the basic causal event are not resolved unless controls are applied at this level
16
Use of a FT in Modeling System Failures in an Accident Scenario
Certain of the enabling events (pivotal events) in the accident scenarios can in particular involve system failuresA fault tree is then constructed for each system failure to resolve to component failures or basic causesThe fault trees are then linked to the accident scenarios to evaluate the accident risks
17
Illustration of a Basic Event Sequence Diagram with a Linked Fault Tree
Initiating Event
Pivotal Event
Pivotal Event
Final UndesiredEvent
18
Reference
“Fault Tree Handbook with Aerospace Applications’, Version 1.1, NASA Publication, August 2002.
