Section 7a Reliability Notes


Risk Analysis: Introduction and Overview
Thomas A. Mazzuchi, Professor and Chairman
Department of Engineering Management and Systems Engineering, George Washington University

Terminology and Background
•  Risk
   - A measure of potential loss due to natural or human activities
   - A combination of the probability or frequency of a hazard and its consequence
•  Loss
   - Adverse consequences of such activities that affect
      Human life or health
      Economics or property
      The natural environment
      Information, etc.

Terminology and Background
•  Engineering Systems Losses Can Be
   - Internal to the system; i.e.,
      Damage to one of the system's components
   - External to the system; i.e.,
      Damage to a component of the external environment in which the system must function; e.g.,
      Humans
      Organizations
      Economic assets
      Environmental assets

Terminology and Background
•  Risk Analysis
   - Is the process of characterizing, managing, and informing others about the existence, nature, magnitude, prevalence, contributing factors, and uncertainties that pertain to the potential losses
   - Other names for risk analysis
      Probabilistic Risk Analysis (PRA)
      Quantitative Risk Analysis (QRA)
      Probabilistic Safety Analysis (PSA)

Terminology and Background
•  Importance of Risk Analysis
   - While formal methods for risk analysis have been shaped by modern demands, the concept of risk analysis is not new; it is even ancient
   - People are living longer, healthier, more prosperous lives and have more to lose
   - Today people expect greater protection than before from industry and government, and they react with litigation when they feel let down

Terminology and Background
•  Importance of Risk Analysis
   - Even as public concerns about risk exert pressure on policy makers for regulations, engineering systems are increasing in complexity and autonomy
      Simply making regulations without studying their effects can be costly and suboptimal, even dangerous
   - A proper risk analysis will adequately model the system, demonstrate the effect of mitigating measures, and communicate these to the public

Elements of Risk Analysis (figure: the three elements)
•  Risk Assessment
•  Risk Management
•  Risk Communication
National Research Council (1994)

Elements of Risk Analysis
•  Risk Assessment
   - The process by which the probability or frequency of loss by or to an engineering system is assessed, and the magnitude of the loss (consequences) estimated
•  Risk Management
   - The process by which the potential (probability or frequency) for loss and/or the magnitude of loss is minimized and controlled
•  Risk Communication
   - The process by which information about the nature and consequences of risk, as well as the risk assessment approach and the risk management options, is shared and discussed among decision makers and other stakeholders

Risk Assessment
•  Definition of Risk (Kaplan & Garrick, 1981)
   - Risk addresses three basic questions:
      What can go wrong?
      How likely is it to happen?
      What are the losses (or consequences)?
   - A combination of hazard and likelihood
   - A triple (Si, Pi, Ci)
      Si a specific scenario of a hazard
      Pi probability of Si (or frequency)
      Ci consequence of Si

Risk Assessment
•  Modifications
   - Si may occur with a given probability Pi or frequency fi
   - Its occurrence may be static or dynamic over time
   - Pi and Ci may be uncertain and have probability distributions
   - These distributions may be a function of time or Si or a combination of the two
   - These quantities may be jointly distributed

Quantitative Risk Assessment
•  Overview

Important Risk Journals
•  Health, Risk and Society
•  Journal of Risk and Insurance
•  Journal of Risk and Uncertainty
•  Journal of Risk: Health, Safety and Environment
•  Journal of Risk Research
•  Journal of Safety Research
•  Journal of System Safety
•  Risk Analysis, An International Journal
•  Risk, Decision, and Policy
•  Risk Management and Insurance Review
•  Risk Management: An International Journal
•  Safety Science
•  The Journal of Risk
•  Reliability Engineering and System Safety
•  International Journal of Reliability, Quality, and Safety Engineering

Societies of Interest
•  American Society of Mechanical Engineers, Safety Engineering and Risk Analysis Division
•  American Society of Safety Engineers
•  American Statistical Association, Section on Risk Analysis
•  IEEE Reliability Society
•  International Association for Probabilistic Safety Assessment and Management
•  Risk Assessment and Policy Association
•  Risk Theory Society
•  Society for Maintenance Reliability Professionals
•  Society for Reliability Engineers
•  Society for Risk Analysis
•  System Safety Society
•  The Safety and Reliability Society

Qualitative Risk Assessment: Risk Matrices

Introduction
•  Risk Matrix
   - A table that has several categories of probability, likelihood or frequency on its rows (or columns) and several categories of severity, impact, or consequence on its columns (or rows)
   - It associates a recommended level of risk, urgency, priority, or management action with each column-row pair (i.e., cell)

Introduction
(Figures: example risk matrices from the Federal Highway Administration, 2006, and the Federal Aviation Administration, 2007)

Introduction

Qualitative Risk Assessment
•  NASA Risk Management Reporting (figure: the NASA reporting matrix)

Problems with Risk Matrices and Matrix Design (Cox, 2008)
•  If Risk = probability * consequence, the points of equal risk lie on the curves p*c = constant in the probability-consequence plane, which are hyperbolas; a matrix cuts the same plane into rectangular cells, so an iso-risk curve passes through cells with different ratings and a single cell contains points with very different risk (figure: iso-risk curves p*c = constant drawn over the matrix axes Probability and Consequence)
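The mismatch between the cells of a matrix and the curves p*c = constant can be checked directly. The following is an added example, not code from the slides or from Cox (2008): it defines a hypothetical 5x5 matrix (the bin edges, the colour rule and the sample risks are all invented for the example) and then looks for two of the problems the slide refers to, a ranking reversal (the matrix rates one risk above another although its p*c is smaller) and range compression (the spread of p*c inside one cell, which the iso-risk curves cut straight through).

```python
"""Added example, not from the slides: testing a qualitative risk matrix against
the quantitative risk Risk = p * c that it is meant to rank. The 5x5 matrix, its
bin edges, its colour rule and the sample risks are all hypothetical."""
from itertools import combinations

# Hypothetical bin edges: probability (per year) and consequence (loss in dollars).
# Bin k covers (edges[k-1], edges[k]].
P_EDGES = [0.0, 0.01, 0.1, 0.3, 0.6, 1.0]
C_EDGES = [0.0, 1e4, 1e5, 1e6, 1e7, 1e8]

RANK = {"green": 0, "yellow": 1, "red": 2}


def bin_index(x, edges):
    """1-based bin (1..5) that x falls into; raises if x is off the matrix."""
    for k in range(1, len(edges)):
        if x <= edges[k]:
            return k
    raise ValueError(f"{x} lies outside the matrix range")


def rating(p_bin, c_bin):
    """Hypothetical colour rule: the cell colour depends only on the sum of the bin indices."""
    score = p_bin + c_bin
    if score >= 8:
        return "red"
    if score >= 5:
        return "yellow"
    return "green"


def assess(p, c):
    """Colour the matrix assigns to a risk with probability p and consequence c."""
    return rating(bin_index(p, P_EDGES), bin_index(c, C_EDGES))


def cell_risk_range(p_bin, c_bin):
    """(min, max) of p*c over one cell: the iso-risk curves p*c = const cut through it."""
    return (P_EDGES[p_bin - 1] * C_EDGES[c_bin - 1], P_EDGES[p_bin] * C_EDGES[c_bin])


def ratings_along_iso_risk(const, probabilities):
    """Colours the matrix gives to points that all share the same quantitative risk p*c = const."""
    return {assess(p, const / p) for p in probabilities}


def ranking_reversals(risks):
    """Pairs (name_a, name_b) where the matrix ranks one risk strictly above the other
    while p*c ranks it strictly below: an ordering error of the kind Cox describes."""
    reversals = []
    for (na, pa, ca), (nb, pb, cb) in combinations(risks, 2):
        matrix_says = RANK[assess(pa, ca)] - RANK[assess(pb, cb)]
        numbers_say = pa * ca - pb * cb
        if matrix_says * numbers_say < 0:      # opposite signs: the two orderings disagree
            reversals.append((na, nb))
    return reversals


# Constructed sample risks: (name, probability per year, consequence in dollars).
SAMPLE_RISKS = [
    ("frequent small loss", 0.09, 9e4),          # green cell, p*c = 8100
    ("rare large loss", 1e-4, 2e6),              # yellow cell, p*c = 200
    ("likely major loss", 0.55, 9e5),            # yellow cell, p*c = 495000
    ("near-certain severe loss", 0.95, 9.5e6),   # red cell, p*c = 9.025e6
]

if __name__ == "__main__":
    for name, p, c in SAMPLE_RISKS:
        print(f"{name:26s} p*c={p * c:12.0f}  matrix={assess(p, c)}")
    print("reversals:", ranking_reversals(SAMPLE_RISKS))
    print("same p*c = 1000, colours:", ratings_along_iso_risk(1e3, [0.002, 0.5, 0.9]))
    print("p*c range inside cell (2,2):", cell_risk_range(2, 2))
```

The "rare large loss" lands in a yellow cell with p*c = 200 while the "frequent small loss" sits in a green cell with p*c = 8100, and the three points on the curve p*c = 1000 receive two different colours; inside cell (2,2) alone, p*c spans two orders of magnitude. Any matrix with rectangular cells shows the same effects, which is the point of the Cox (2008) critique the slide cites.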

Subjective Interpretations and Input Bias (Smith et al., 2009)
(Figure: the objective probability and consequence of a risk are mapped through subjective judgment before a cell is chosen; axes Probability versus Likelihood and Consequence versus Utility/Value, each contrasting Objective with Subjective)

Extension of Cox for Optimal 5x5 Matrix Design (Hong and Mazzuchi, 2013) (figure)

Uncertainty Distribution for Portfolios of Risks (Mazzuchi and Scolese, 2014) (figure: a distribution over the c-p plane)

Quantitative Risk Analysis: Scenario Analysis

Fault Trees
•  The Basics of Fault Trees
   - A fault tree develops a deterministic description of the occurrence of the top event, in terms of the occurrence or not of intermediate events
      Top events represent system-level failure
   - Describes intermediate events further until, at a finer level of detail, basic events are obtained
      Basic events represent component-level failure
   - By itself, a fault tree is only a visual model of how a system failure can occur

Fault Trees
1.  Identify the undesirable TOP event
2.  Identify the first-level contributors
3.  Link the contributors to the TOP event by logic gates
4.  Identify the second-level contributors
5.  Link the second-level contributors to the first-level contributors by logic gates, and continue level by level until only basic events remain

Fault Tree Construction
•  Symbols
   - Event Symbols
      Basic Event
      Undeveloped Event
      External Event
      Intermediate Event
   - Transfer Symbols
      Transfer In
      Transfer Out

Fault Tree Construction
•  Symbols
   - Gate Symbols
      and gate: Output occurs if all input events occur
      or gate (drawn with a +): Output occurs if any input event occurs
      exclusive or gate: Output occurs if exactly one input event occurs
      priority and gate: Output occurs if all input events occur in a specific sequence
      inhibit gate: Output occurs if the single input occurs in the presence of an enabling condition
      not or (nor) gate: Output occurs only if none of the input events occur
      not and (nand) gate: Output occurs if at least one input event does not occur

Fault Tree Example 2: Example with Success Event
(Figure: gas is flowing through a pipe and there is a leak after the leak isolation valve VAL. VAL should close, but then the pressure relief valve PRV must open to relieve the local pressure. I1 is a possible ignition source at the leak, I2 a permanent ignition source.)

Explosion After Gas Leak Posterior to Isolation Valve (OR gate)
   Explosion Prior to Isolation (AND gate)
      VAL Performs Correctly (success event)
      PRV Fails
   Explosion Posterior to Isolation Valve (AND gate)
      VAL Fails
      I1 Present

Fault Tree Example 3: Large Example
(Figure: Pumping System Example. Tank T1 feeds valve V1; the flow then splits into two branches, V2 - P1 - V4 and V3 - P2 - V5, each pump with its control C. A Sensing & Control System S signals the pumps, and the pumps and S run from an AC Power Source.)

Fault Tree Example 3: No Water Delivered When Needed (AND gate over the two branches)
   No Water Delivered from P1 Branch (OR gate)
      No Water Delivered from V1 (transfer a)
      V2 Fails to Remain Open
      V4 Fails to Remain Open
      S Fails to Send Signal (transfer b)
      P1 Fails to Function
      AC Fails
   No Water Delivered from P2 Branch (OR gate)
      No Water Delivered from V1 (transfer a)
      V3 Fails to Remain Open
      V5 Fails to Remain Open
      S Fails to Send Signal (transfer b)
      P2 Fails to Function
      AC Fails
   a: No Water Delivered from V1 (OR gate)
      T1 Ruptures
      V1 Fails to Remain Open
   b: S Fails to Send Signal (OR gate)
      S Fails
      AC Fails

Fault Tree Example 3: No Water Delivered When Needed, Alternative Construction
No Water Delivered When Needed (OR gate)
   No Water Delivered from V1 (OR gate)
      T1 Ruptures
      V1 Fails to Remain Open
   S Fails
   AC Fails
   Pumping Branches Fail (AND gate)
      P1 Branch Fails (OR gate)
         P1 Fails to Function
         V2 Fails to Remain Open
         V4 Fails to Remain Open
      P2 Branch Fails (OR gate)
         P2 Fails to Function
         V3 Fails to Remain Open
         V5 Fails to Remain Open
The alternative construction places the events common to both branches (V1, S, AC) once under the top OR gate instead of repeating them under each branch; after Boolean reduction both trees give the same min cut sets.

Fault Tree Example 4: Block Diagram Example
•  Circuit Block Diagram Example (figure): current enters at point A and must reach point F. Unit 1 carries current from A to B and unit 2 from A to C; units 3 and 4 in parallel carry it from B to D, units 5 and 6 in parallel from C to E; unit 7 carries it from D or E to F.

Fault Tree Example 4: No Current at Point F (OR gate)
   No Current at D & E (AND gate)
      No Current at Point D (OR gate)
         Units 3 & 4 Fail (AND gate)
            Unit 3 Fails
            Unit 4 Fails
         No Current at Point B (OR gate)
            Unit 1 Fails
            No Current at Point A
      No Current at Point E (OR gate)
         Units 5 & 6 Fail (AND gate)
            Unit 5 Fails
            Unit 6 Fails
         No Current at Point C (OR gate)
            Unit 2 Fails
            No Current at Point A
   Unit 7 Fails

Event Tree Method
•  The Event Tree Method is the primary technique used in PRA to generate risk scenarios
•  This method can be used when ...
   - ... successful operation of a system depends on the approximately chronological and discrete operation of its units
   - ... scenarios of successive events have led to exposure to hazards, and ultimately to undesirable consequences

Event Tree Method Example (figure)
Initiating Event A, followed by subsystems B, C, D, E; the Success branch is drawn up, the Failure branch down. D is queried only when C fails.
Let A denote that subsystem A fails and A' (an overbar on the slides) denote that it does not fail.

Sequence Logic     System Results
A B' C' E'         S
A B' C' E          F
A B' C D' E'       S
A B' C D' E        F
A B' C D           F
A B                F

The end events are mutually exclusive; the result depends on the sequence of events.

Event Tree Method
•  Building an event tree
   - Build from left to right
   - Start the sequence at the initiating event
   - Place protective barriers as the successive (binary) events
   - Calculate branching probabilities (called split fractions) from fault trees
   - Calculate the probability of each mutually exclusive end event as the product of the split fractions along its path

Event Tree Method Example 1 (figure: float switch S, pump P, klaxon K)
A subgrade compartment containing important control equipment is protected from flooding using the above system. If the water rises it should close the float switch, which operates a pump with a separate power supply. A klaxon should also sound and alert operators to perform bailing.

Event Tree Method Example 1
Water Rises (I) -> Float Switch (S) -> Pump (P) -> Klaxon (K) -> Bailing (B)

System Logic     System Results
I S' P'          S
I S' P K' B'     S
I S' P K' B      F
I S' P K         F
I S              F

Event Tree Method Example 2
Illegal Access by Hacker (I, initiating event) -> attempted access handled by the Principal Firewall (F) -> Abnormal Signal Detected by Operator (O) -> Backup Initiated by Operator (B)
A letter alone means the barrier fails (the firewall lets the access through, the operator misses the signal, the backup does not succeed); a primed letter means it works.

System Logic     System Results
I F'             S
I F O' B'        S
I F O' B         F
I F O            F
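The procedure on the slides (build left to right from the initiating event, place the barriers as binary events, multiply the split fractions along each path) is short enough to write down as code. The block below is an added example and not code from the slides: it encodes the two event trees of Examples 1 and 2 as nested barrier nodes, enumerates every path, and returns the sequence logic, the result and the path probability. The split fractions are constructed numbers (in practice each would come from a fault tree, as the next slide says); the sequence strings use a prime where the slides draw an overbar.

```python
"""Added example, not from the slides: building an event tree left to right and
computing the probability of each mutually exclusive end state as the product of
the split fractions along its path. The tree shapes follow Examples 1 and 2 on the
slides; the split fractions are constructed numbers, not values from the slides."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class End:
    result: str          # "S" (system survives) or "F" (system fails)


@dataclass(frozen=True)
class Barrier:
    name: str            # letter used in the sequence logic
    p_fail: float        # split fraction: P(barrier fails | it is reached), from a fault tree in practice
    on_success: Node     # branch drawn upward on the slides
    on_failure: Node     # branch drawn downward


Node = Union[End, Barrier]


def enumerate_sequences(root, initiator="I", p_init=1.0):
    """Return [(sequence logic, result, probability)] for every path through the tree.
    A barrier letter alone means it failed; a trailing prime means it worked."""
    out = []

    def walk(node, logic, prob):
        if isinstance(node, End):
            out.append((logic, node.result, prob))
            return
        walk(node.on_success, logic + node.name + "'", prob * (1 - node.p_fail))
        walk(node.on_failure, logic + node.name, prob * node.p_fail)

    walk(root, initiator, p_init)
    return out


def flood_tree():
    """Example 1: water rises (I) -> float switch S -> pump P -> klaxon K -> bailing B.
    The klaxon is only reached if the pump fails; nothing works if the switch fails."""
    bailing = Barrier("B", 0.50, End("S"), End("F"))
    klaxon = Barrier("K", 0.02, bailing, End("F"))
    pump = Barrier("P", 0.10, End("S"), klaxon)
    return Barrier("S", 0.01, pump, End("F"))


def firewall_tree():
    """Example 2: illegal access (I) -> principal firewall F -> operator notices the
    abnormal signal O -> operator initiates backup B."""
    backup = Barrier("B", 0.20, End("S"), End("F"))
    operator = Barrier("O", 0.30, backup, End("F"))
    return Barrier("F", 0.05, End("S"), operator)


def failure_probability(sequences):
    """P(system fails | initiating event): the sum over the end states marked F."""
    return sum(p for _, r, p in sequences if r == "F")


def total_probability(sequences):
    """The end states are mutually exclusive and exhaustive, so this equals p_init."""
    return sum(p for _, _, p in sequences)


if __name__ == "__main__":
    for tree in (flood_tree(), firewall_tree()):
        seqs = enumerate_sequences(tree)
        for logic, result, prob in seqs:
            print(f"{logic:10s} {result}  {prob:.5f}")
        print(f"P(failure) = {failure_probability(seqs):.5f}, total = {total_probability(seqs):.5f}\n")
```

With the constructed fractions, the firewall tree yields 0.95 + 0.028 + 0.007 + 0.015 = 1 over its four sequences and a conditional failure probability of 0.022 per intrusion attempt; multiplying by the frequency of the initiating event (pass it as p_init) turns that into a frequency of failures.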

Event Tree Method Split fractions are calculated using fault trees

Quantifying Scenario Analysis

Quantifying Fault Trees and Event Trees

44

•  How Do You Quantify Fault Trees and Event Trees
   - A fault tree or an event tree by itself is only a visual model of a system
   - It can be a representation of Boolean logic, i.e. a representation of the functioning (or not) of the system as a function of its components
   - Because the basic events are 0-1 (fail / no fail), we can use Boolean algebra to reduce the system expression to its lowest terms
   - In doing so we make the following assumptions
      All events are binary
      The system is coherent, i.e., failure of any component cannot improve the system

Boolean Reduction: Boolean Algebra Notation

Operation    Boolean Operator         Set Theory
X and Y      X•Y                      X∩Y
X or Y       X+Y = 1-(1-X)(1-Y)       X∪Y
Not X        X'                       X^c

•  Important Laws
   Commutative          X•Y = Y•X               X+Y = Y+X
   Associative          X•(Y•Z) = (X•Y)•Z       X+(Y+Z) = (X+Y)+Z
   Distributive         X•(Y+Z) = X•Y+X•Z
   Idempotent           X•X = X                 X+X = X
   Absorption           X+X•Y = X
   Complementation      X+X' = Ω                (X')' = X
   De Morgan's          (X•Y)' = X'+Y'          (X+Y)' = X'•Y'
   Empty/Universal Set  ∅' = Ω

Reducing a Fault Tree Using Boolean Algebra
(Reading the tree: E1 = A+E3, E2 = C+E4, E3 = B+C, E4 = A•B)
T = E1•E2
  = (A+E3) • (C+E4)
  = A•C + A•E4 + C•E3 + E3•E4
  = A•C + A•(A•B) + C•(B+C) + (B+C)•(A•B)
  = A•C + A•A•B + C•B + C•C + B•A•B + C•A•B
  = A•C + A•B + B•C + C + A•B + A•B•C          (idempotent: A•A = A, C•C = C, B•B = B)
  = A•C + A•B + B•C + C + A•B•C                (idempotent: A•B + A•B = A•B)
  = A•C + A•B + C + A•B•C                      (absorption: C + B•C = C)
  = A•B + C + A•B•C                            (absorption: C + A•C = C)
  = A•B + C                                    (absorption: C + A•B•C = C)
This is the reduced tree and reduced Boolean expression for the tree, called the Min Cut Set Representation.

Representing Systems in Terms of Their Components
Using the convention that X•Y = X*Y and X+Y = 1-(1-X)*(1-Y) we may determine the state of the top event in terms of the component states. From the previous page,
   T = A•B + C = 1-(1-A*B)*(1-C)
For example, if A occurs and C occurs but B does not,
   T = 1-(1-1*0)(1-1) = 1   (the top event occurs)

Representing Systems in Terms of Their Components
•  Truth tables
   - Generate all possible component states and the probabilities associated with each
   - For m components, each can either function or not (i.e. 2 states for each component), thus there are 2^m possible states taking into account all components
   - Evaluate the system using the Boolean formula for each state

Representing Systems in Terms of Their Components
-  Generation of All Possible States
   Column k of the table alternates blocks of 2^(k-1) zeros and 2^(k-1) ones: the 1st column alternates 0, 1 (blocks of 2^0 = 1), the 2nd column alternates 0, 0, 1, 1 (blocks of 2^1 = 2), the 3rd column uses blocks of 2^2 = 4, ..., and the nth column is 2^(n-1) zeros followed by 2^(n-1) ones.

•  Truth tables
   T = A•B + C = 1-(1-A*B)*(1-C)

   A  B  C   T
   0  0  0   1-(1-0*0)(1-0) = 0
   1  0  0   1-(1-1*0)(1-0) = 0
   0  1  0   1-(1-0*1)(1-0) = 0
   1  1  0   1-(1-1*1)(1-0) = 1
   0  0  1   1-(1-0*0)(1-1) = 1
   1  0  1   1-(1-1*0)(1-1) = 1
   0  1  1   1-(1-0*1)(1-1) = 1
   1  1  1   1-(1-1*1)(1-1) = 1

   Note that if all elements of {A,B} occur or all elements of {C} occur then the top event occurs. These are called Cut Sets.

Representing Systems in Terms of Their Components
•  Truth Tables in Excel (figure: the same table for T = A•B + C = 1-(1-A*B)*(1-C) built in a spreadsheet)

Some Important Definitions
•  Cut Set
   - A collection of basic events such that, if the events occur together, the top event certainly occurs
•  Min Cut Set
   - A cut set such that, if any basic event is removed, the remaining set is no longer a cut set
•  Path Set
   - A collection of components such that, if all of them function, the system functions (they connect input and output)
      A path set merely represents a path through the graph
•  Min Path Set
   - A path set such that, if any component is removed, the remaining set is no longer a path set

Min Cut Set Representation for Fault Trees
•  What is it?
   - After Boolean reduction, the Boolean formula for any fault tree will be in Min Cut Set Representation
      T = X11•X12•…•X1n1 + X21•X22•…•X2n2 + … + Xm1•Xm2•…•Xmnm
      where {Xi1, Xi2, …, Xini} is the ith cut set and Xij = 1 if the jth item of the ith cut set has failed and 0 otherwise
   - Letting Ci = Xi1•Xi2•…•Xini, where Ci is the ith cut set indicator (Ci = 1 if all elements of the ith cut set fail), then
      T = C1 + C2 + … + Cm
•  Converting Min Cut Set Representation to a Calculable Formula
   - From T = C1 + C2 + … + Cm we can write
      T = 1 – (1-C1)*(1-C2)*…*(1-Cm)
   - And since Ci = Xi1•Xi2•…•Xini we can write
      T = 1 – (1-C1)*(1-C2)*…*(1-Cm) = 1 – (1- Π_{j=1..n1} X1j)*(1- Π_{j=1..n2} X2j)*…*(1- Π_{j=1..nm} Xmj)

Example
Consider the following Fault Tree: [(D+E)•B]•[B•C+A]
   (D+E)•B   (AND gate)
      D+E    (OR gate)
      B
   B•C+A     (OR gate)
      B•C    (AND gate)
      A

Example
T = [(D + E) • B] • [(B • C) + A]
  = (B•D + B•E) • [(B•C) + A]
  = (B•D•B•C) + (B•E•B•C) + (B•D•A) + (B•E•A)
  = B•C•D + B•C•E + A•B•D + A•B•E
The minimal cut sets of the top event are thus
   C1 = {B, C, D}   C2 = {B, C, E}   C3 = {A, B, D}   C4 = {A, B, E}

Thus if A = 1 when component A fails and 0 otherwise, and likewise for B, C, D, E, we can write
   T = 1-(1- B*C*D)*(1- B*C*E)*(1- A*B*D)*(1- A*B*E)
T = 1 means system failure and T = 0 indicates the system is functioning.

Example: Determining Boolean Representation for Series-Parallel Systems
(Figure: reliability block diagram. Component 1 is in series with a block in which component 5 is in parallel with the pair (2 parallel 3) followed in series by 4; that block is in series with components 6, 7, 8, which are in parallel. Xi = 1 if component i fails.)
Reduce the diagram one block at a time. Components in parallel fail only if all of them fail, so their failure indicators multiply; components in series fail if any one of them fails, so their indicators combine as X+Y = 1-(1-X)(1-Y):
   2 parallel 3:                           X2*X3
   (2 parallel 3) in series with 4:        1-(1-X2*X3)*(1-X4)
   that block in parallel with 5:          [1-(1-X2*X3)*(1-X4)]*X5
   6, 7, 8 in parallel:                    X6*X7*X8
   1 in series with the two blocks:        1-(1-X1)*(1-[1-(1-X2*X3)*(1-X4)]*X5)*(1-X6*X7*X8)

Determining Boolean Representation for Series-Parallel Systems (same block diagram)
System Indicator = 1 – (1-X1)(1-(1-(1-X2X3)(1-X4))X5)(1-X6X7X8)
                 = 1-(1-X1)(1-X2X3X5-X4X5+X2X3X4X5)(1-X6X7X8)
                 = 1-(1-X1)(1-X2X3X5)(1-X4X5)(1-X6X7X8)      since for binary variables (X5)^2 = X5
which is called the min cut representation (no Xi^n terms).

Determining Boolean Representation for Series-Parallel Systems (same block diagram)
What is min cut set representation?
   1-(1-X1)(1-X2X3X5)(1-X4X5)(1-X6X7X8)
Note that for the sets of components {1}, {2,3,5}, {4,5}, {6,7,8}, if all of the items in a set fail, then the system fails: each is a cut set. Also note that we cannot reduce any of these sets by even a single element and have it still be a cut set: each is a min cut set.

Determining Boolean Representation for Series-Parallel Systems (same block diagram)
What is a min path?
Note that for the sets of components {1,5,6}, {1,5,7}, {1,5,8}, {1,2,4,6}, {1,2,4,7}, {1,2,4,8}, {1,3,4,6}, {1,3,4,7}, {1,3,4,8}, if all of the items in a set function, then the system functions (a path from beginning to end): each is a path set. Also note that we cannot reduce any of these sets by even a single element and have it still be a path set: each is a min path set.
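The cut sets and path sets listed above can be recovered mechanically from the failure indicator by the truth table method of the earlier slides (all 2^m component states, the formula evaluated for each). The block below is an added example and not code from the slides: it takes the 8-component indicator 1-(1-X1)(1-(1-(1-X2X3)(1-X4))X5)(1-X6X7X8) exactly as written there, enumerates the 256 states, extracts the min cut sets and min path sets, and then uses the same table to compute the exact top-event probability for constructed component failure probabilities, comparing it with the product formula 1 - Π(1 - P(Ci)) over the min cut sets and with the rare-event sum Σ P(Ci). The probabilities (0.1 for every component) are assumptions for the example.

```python
"""Added example, not from the slides: brute-force truth table for the 8-component
series-parallel system on the slides. Recovers its min cut sets and min path sets
from the failure indicator and compares the exact top-event probability with the
min-cut product formula and the rare-event sum. Component failure probabilities are
constructed (0.1 each), not values from the slides."""
from itertools import product
from math import prod

COMPONENTS = range(1, 9)


def system_fails(x):
    """Failure indicator from the slides; x maps component -> 1 (failed) / 0 (working).
    1 in series with [5 parallel to ((2 parallel 3) in series with 4)], in series with (6 || 7 || 8)."""
    block = (1 - (1 - x[2] * x[3]) * (1 - x[4])) * x[5]          # (X2X3 + X4)•X5
    return 1 - (1 - x[1]) * (1 - block) * (1 - x[6] * x[7] * x[8])


def truth_table():
    """All 2^8 component states with the top-event value for each."""
    rows = []
    for bits in product((0, 1), repeat=len(COMPONENTS)):
        x = dict(zip(COMPONENTS, bits))
        rows.append((x, system_fails(x)))
    return rows


def minimal(sets):
    """Keep only the sets that contain no other member of the collection."""
    return {s for s in sets if not any(t < s for t in sets)}


def min_cut_sets():
    """Failing exactly these components (all others working) fails the system."""
    cuts = {frozenset(i for i in COMPONENTS if x[i]) for x, t in truth_table() if t}
    return minimal(cuts)


def min_path_sets():
    """Exactly these components working (all others failed) keeps the system working."""
    paths = {frozenset(i for i in COMPONENTS if not x[i]) for x, t in truth_table() if not t}
    return minimal(paths)


def exact_failure_probability(p):
    """Sum of the probabilities of every state in which the top event occurs (independent components)."""
    return sum(prod(p[i] if x[i] else 1 - p[i] for i in COMPONENTS) for x, t in truth_table() if t)


def min_cut_product(p, cuts):
    """1 - prod(1 - P(Ci)): exact only if the cut sets were independent (they share component 5);
    for a coherent system with independent components it is an upper bound on P(top event)."""
    return 1 - prod(1 - prod(p[i] for i in c) for c in cuts)


def rare_event_sum(p, cuts):
    """Sum of P(Ci): the first term of the additive law, an even looser upper bound."""
    return sum(prod(p[i] for i in c) for c in cuts)


if __name__ == "__main__":
    p = {i: 0.1 for i in COMPONENTS}              # constructed failure probabilities
    cuts, paths = min_cut_sets(), min_path_sets()
    print("min cut sets :", sorted(sorted(c) for c in cuts))
    print("min path sets:", sorted(sorted(s) for s in paths))
    print(f"exact P(T)      = {exact_failure_probability(p):.8f}")
    print(f"min-cut product = {min_cut_product(p, cuts):.8f}")
    print(f"rare-event sum  = {rare_event_sum(p, cuts):.8f}")
```

The exact value 0.11070019 lies below the product formula (0.11078111) and the rare-event sum (0.112): the two approximations over-count because the cut sets {2,3,5} and {4,5} both contain component 5. The ordering exact ≤ product ≤ sum holds for any coherent system with independent components, which is why the product formula is a safe screening bound but not the probability itself.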

Boolean Representation for General Systems
Non series-parallel structures (figure: the five-component bridge network, component 3 bridging between the two paths)
Use cut set representation:
   Z = 1-(1-X1X2)(1-X1X3X5)(1-X4X5)(1-X2X3X4)

Boolean Representation for General Systems
As structures get more complex this becomes difficult and we may have to resort to a Fault Tree to determine the min path and min cut sets.
(Figure: flow network from "in" to "out". A, B and C are fed from "in"; A and D feed F; B feeds both D and E; C and E feed G; F and G feed H; H feeds "out".)

Fault tree for the network:
No Flow to Out (OR gate)
   H
   No Flow to H (AND gate)
      No Flow From F (OR gate)
         F
         No Flow to F (AND gate)
            No Flow From A (OR gate)
               A
               No Flow From "in"
            No Flow From D (OR gate)
               D
               No Flow to D: No Flow From B (OR gate)
                  B
                  No Flow From "in"
      No Flow From G (OR gate)
         G
         No Flow to G (AND gate)
            No Flow From C (OR gate)
               C
               No Flow From "in"
            No Flow From E (OR gate)
               E
               No Flow to E: No Flow From B (OR gate)
                  B
                  No Flow From "in"
No Flow From "in" (loss of the source itself) is discounted in the analysis.

Boolean Representation for General Systems
Top event: [A•(B+D)+F]•[C•(B+E)+G]+H
(Figure: the fault tree redrawn with gate expressions: H and [A•(B+D)+F]•[C•(B+E)+G] under the top OR gate; A•(B+D)+F and C•(B+E)+G under the AND gate; A•(B+D) with F, and C•(B+E) with G, under the two OR gates; B+D with A, and B+E with C, under the two AND gates.)

Failure = [A•(B+D)+F]•[C•(B+E)+G]+H
        = [A•B + A•D + F] • [C•B + C•E + G] + H
        = A•B•B•C + A•B•C•E + A•B•G + A•D•B•C + A•D•C•E + A•D•G + F•B•C + F•C•E + F•G + H
        = A•B•C + A•B•C•E + A•B•G + A•B•C•D + A•C•D•E + A•D•G + B•C•F + C•E•F + F•G + H
        = A•B•C + A•B•G + A•C•D•E + A•D•G + B•C•F + C•E•F + F•G + H
Cut Sets: {A,B,C}, {A,B,G}, {A,C,D,E}, {A,D,G}, {B,C,F}, {C,E,F}, {F,G}, {H}
Using our indicator notation
   T = 1-(1-A*B*C)*(1-A*B*G)*(1-A*C*D*E)*(1-A*D*G)*(1-B*C*F)*(1-C*E*F)*(1-F*G)*(1-H)

Quantifying Event Trees (Using De Morgan's Laws)
(Figure: event tree with initiating event I and barriers A, B, C. Scenario 1 = I A' B' C', Scenario 2 = I A' B' C, Scenario 3 = I A' B, Scenario 4 = I A, where a primed letter is the success branch, drawn with an overbar on the slides.)
Assume split fractions are calculated using fault trees:
   A = b + c•d      B = c + e      C = b•d
(Figure: the three fault trees over the basic events b, c, d, e; the c•d branch of A is the intermediate gate G1.)

Quantifying Event Trees (a prime marks the complement, drawn as an overbar on the slides)
A' = (b + c•d)' = b' • (c•d)' = b' • (c' + d') = b'•c' + b'•d'
Scenario 4   I • A = I • (b + c•d)
Scenario 3   I • A' • B = I • (b'•c' + b'•d') • (c + e) = I • (b'•c'•e + b'•c•d' + b'•d'•e)
Scenario 2   I • A' • B' • C = I • (b'•c' + b'•d') • (c + e)' • (b•d) = I • (b'•c' + b'•d') • (c'•e') • (b•d) = { }   (b and b' cannot both occur)
Scenario 1   I • A' • B' • C' = I • (b'•c' + b'•d') • (c'•e') • (b•d)' = I • (b'•c' + b'•d') • (c'•e') • (b' + d') = I • b'•c'•e'
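The reductions on this and the earlier fault tree slides (the A•B + C example, the [(D+E)•B]•[B•C+A] example, the general system, and the four scenarios above) all apply the same handful of laws: distribution, idempotence, absorption, X•X' = ∅ and De Morgan's laws for the complemented success branches. The block below is an added example, not code from the slides: a small Boolean engine that pushes complements down to the basic events and returns a sum of products, which for a fault tree is the min cut set representation and for an event tree scenario is the list of basic-event combinations that realise it. The class and function names are this example's own; the expressions are the slides'.

```python
"""Added example, not code from the slides: a small Boolean engine that reduces a
fault tree to its min cut sets (distribution, idempotence, absorption, De Morgan's
laws) and applies the same reduction to event tree scenarios whose split fractions
are fault trees, where complemented (success) branches occur. The expressions are
the slides' own examples; the class and function names are this example's."""


class Expr:
    """Operators mirror the notation table: & is X•Y, | is X+Y, ~ is X'."""
    def __and__(self, other): return And(self, other)
    def __or__(self, other): return Or(self, other)
    def __invert__(self): return Not(self)


class Var(Expr):
    def __init__(self, name): self.name = name


class Not(Expr):
    def __init__(self, arg): self.arg = arg


class And(Expr):
    def __init__(self, a, b): self.a, self.b = a, b


class Or(Expr):
    def __init__(self, a, b): self.a, self.b = a, b


def simplify(terms):
    """Drop products containing both X and X' (X•X' is the empty set) and apply
    absorption X + X•Y = X; set semantics give idempotence for free."""
    live = [t for t in terms if not any((n, not neg) in t for n, neg in t)]
    return {t for t in live if not any(u < t for u in live)}


def dnf(e, neg=False):
    """Sum-of-products form of e (of e' when neg=True): a set of products, each a
    frozenset of literals (name, negated). Complements are pushed down to the basic
    events with De Morgan's laws, (X•Y)' = X'+Y' and (X+Y)' = X'•Y'."""
    if isinstance(e, Var):
        return {frozenset([(e.name, neg)])}
    if isinstance(e, Not):
        return dnf(e.arg, not neg)
    left, right = dnf(e.a, neg), dnf(e.b, neg)
    if isinstance(e, Or) != neg:                    # a sum: X+Y, or (X•Y)' = X'+Y'
        return simplify(left | right)
    return simplify({p | q for p in left for q in right})   # a product: X•Y, or (X+Y)' = X'•Y'


def min_cut_sets(e):
    """Min cut sets of a fault tree without success events, as sets of basic event names."""
    return {frozenset(n for n, _ in t) for t in dnf(e)}


def show(terms):
    """Render a dnf() result in the slides' notation, e.g. A•B + C."""
    return " + ".join(sorted("•".join(sorted(n + ("'" if neg else "") for n, neg in t))
                             for t in terms)) or "{ }"


def reduced_tree():
    """Slide: T = (A+E3)•(C+E4) with E3 = B+C, E4 = A•B reduces to A•B + C."""
    A, B, C = Var("A"), Var("B"), Var("C")
    return min_cut_sets((A | (B | C)) & (C | (A & B)))


def five_event_tree():
    """Slide: [(D+E)•B]•[B•C+A]."""
    A, B, C, D, E = (Var(n) for n in "ABCDE")
    return min_cut_sets(((D | E) & B) & ((B & C) | A))


def general_system():
    """Slide: [A•(B+D)+F]•[C•(B+E)+G]+H for the flow network."""
    A, B, C, D, E, F, G, H = (Var(n) for n in "ABCDEFGH")
    return min_cut_sets(((A & (B | D)) | F) & ((C & (B | E)) | G) | H)


def event_tree_scenarios():
    """Slide: split fractions A = b+c•d, B = c+e, C = b•d. Scenario k multiplies the
    success (complemented) branches of the barriers passed before the failing one."""
    I, b, c, d, e = (Var(n) for n in "Ibcde")
    A, B, C = b | (c & d), c | e, b & d
    return {4: dnf(I & A), 3: dnf(I & ~A & B),
            2: dnf(I & ~A & ~B & C), 1: dnf(I & ~A & ~B & ~C)}


if __name__ == "__main__":
    print("(A+B+C)•(C+A•B) =", show(dnf((Var("A") | Var("B") | Var("C")) & (Var("C") | (Var("A") & Var("B"))))))
    print("[(D+E)•B]•[B•C+A] cut sets:", sorted(sorted(c) for c in five_event_tree()))
    print("general system cut sets:", sorted(sorted(c) for c in general_system()))
    for k, terms in sorted(event_tree_scenarios().items()):
        print(f"Scenario {k}: {show(terms)}")
```

Scenario 2 comes back as { } because every product it generates contains both b and b', and Scenario 1 collapses to the single product I•b'•c'•e' by absorption, exactly as in the hand derivation above. Note that a scenario expression is a sum of products over basic events and their complements, not a min cut set representation: the products are not disjoint in general, so its probability is computed with the additive law or a truth table rather than by adding the products' probabilities.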

Calculating the Probability of the Top Event
•  Three Methods
   •  Converting Cut Set Formulation to Probability Statements
   •  Using Truth Tables
   •  Using Binary Decision Diagrams

Calculating the Probability of the Top Event - Method 1

•  Additive Law for Events A1,…, An
   P(A1∪…∪An) = ∑_{i=1..n} P(Ai) – ∑_{i<j} P(Ai∩Aj) + ∑_{i<j<k} P(Ai∩Aj∩Ak) – … + (–1)^(n+1) P(A1∩…∩An)

[…]

Analyzing Series Systems
   TS = min{T1,…,Tn}
   System Failure = Pr{TS ≤ t} = 1 – Pr{TS > t} = 1 – Pr{T1 > t, …, Tn > t}
                  = 1 – ∏_{i=1..n} Pr{Ti > t}   if components are independent
                  = 1 – ∏_{i=1..n} [1 – Fi(t)]

Analyzing Parallel Systems (figure: components 1, …, n in parallel)
   TS = max{T1,…,Tn}
   System Failure = Pr{TS ≤ t} = Pr{max{T1,…,Tn} ≤ t} = Pr{T1 ≤ t, …, Tn ≤ t}
                  = ∏_{i=1..n} Pr{Ti ≤ t}   if components are independent
                  = ∏_{i=1..n} Fi(t)

Making Risk Time Dependent (figure: components 1 and 2 in parallel, in series with component 3)
   Z = 1-(1-X1*X2)*(1-X3)
► Use probability laws (Cut Set Rep): P(TS