Risk Analysis Introduction and Overview Thomas A. Mazzuchi Professor and Chairman Department of Engineering Management and Systems Engineering George Washington University
Terminology and Background
• Risk
 - A measure of potential loss due to natural or human activities
 - A combination of the probability or frequency of the hazard and its consequence
• Loss
 - Adverse consequences of such activities that affect human life or health, economics or property, the natural environment, information, etc.
Terminology and Background
• Engineering Systems Losses Can Be
 - Internal to the system; i.e., damage to one of the system's components
 - External to the system; i.e., damage to a component of the external environment in which the system must function; e.g., humans, organizations, economic assets, environmental assets
Terminology and Background
• Risk Analysis
 - Is the process of characterizing, managing, and informing others about the existence, nature, magnitude, prevalence, contributing factors, and uncertainties that pertain to the potential losses
 - Other names for risk analysis: Probabilistic Risk Analysis (PRA), Quantitative Risk Analysis (QRA), Probabilistic Safety Analysis (PSA)
Terminology and Background
• Importance of Risk Analysis
 - While formal methods for risk analysis have been shaped by modern demands, the concept of risk analysis is not new; it is even ancient
 - People are living longer, healthier, more prosperous lives and have more to lose
 - Today people expect greater protection than before from industry and government, and they react with litigation when they feel let down
Terminology and Background
• Importance of Risk Analysis
 - Even as public concerns about risk exert pressure on policy makers for regulations, engineering systems are increasing in complexity and autonomy; simply making regulations without studying their effects can be costly and suboptimal, even dangerous
 - A proper risk analysis will adequately model the system, demonstrate the effect of mitigating measures, and communicate these to the public
Elements of Risk Analysis (figure: the three elements Risk Assessment, Risk Management and Risk Communication; National Research Council, 1994)
Elements of Risk Analysis
• Risk Assessment
 - The process by which the probability or frequency of loss by or to an engineering system is assessed, and the magnitude of the loss (consequences) estimated
• Risk Management
 - The process by which the potential (probability or frequency) for loss and/or the magnitude of loss is minimized and controlled
• Risk Communication
 - The process by which information about the nature and consequences of risk, as well as the risk assessment approach and the risk management options, are shared and discussed among decision makers and other stakeholders
Risk Assessment
• Definition of Risk (Kaplan & Garrick, 1981)
 - Risk addresses three basic questions: What can go wrong? How likely is it to happen? What are the losses (or consequences)?
 - A combination of hazard and likelihood
 - A triple (S_i, P_i, C_i): S_i a specific scenario of a hazard, P_i the probability (or frequency) of S_i, C_i the consequence of S_i
Risk Assessment
• Modifications
 - S_i may occur with a given probability P_i or frequency f_i
 - Its occurrence may be static or dynamic over time
 - P_i and C_i may be uncertain and have probability distributions
 - These distributions may be a function of time or S_i or a combination of the two
 - These quantities may be jointly distributed
Quantitative Risk Assessment
• Overview
Important Risk Journals
• Health, Risk and Society
• Journal of Risk and Insurance
• Journal of Risk and Uncertainty
• Journal of Risk: Health, Safety and Environment
• Journal of Risk Research
• Journal of Safety Research
• Journal of System Safety
• Risk Analysis, An International Journal
• Risk, Decision, and Policy
• Risk Management and Insurance Review
• Risk Management: An International Journal
• Safety Science
• The Journal of Risk
• Reliability Engineering and System Safety
• International Journal of Reliability, Quality, and Safety Engineering
Societies of Interest
• American Society of Mechanical Engineers, Safety Engineering and Risk Analysis Division
• American Society of Safety Engineers
• American Statistical Association, Section on Risk Analysis
• IEEE Reliability Society
• International Association for Probabilistic Safety Assessment and Management
• Risk Assessment and Policy Association
• Risk Theory Society
• Society for Maintenance Reliability Professionals
• Society for Reliability Engineers
• Society for Risk Analysis
• System Safety Society
• The Safety and Reliability Society
Qualitative Risk Assessment: Risk Matrices
Introduction
• Risk Matrix
 – A table that has several categories of probability, likelihood or frequency on its rows (or columns) and several categories of severity, impact, or consequence on its columns (or rows)
 – It associates a recommended level of risk, urgency, priority, or management action with each column-row pair (i.e., cell)
Introduction (example risk matrices, figures: Federal Highway Administration, 2006; Federal Aviation Administration, 2007)
Qualitative Risk Assessment
• NASA Risk Management Reporting (figures)
Problems with Risk Matrices and Matrix Design, Cox (2008)
• If Risk = probability * consequence (figure: risk plotted against consequence and probability; the curves p*c = constant are iso-risk contours on the probability/consequence plane)
Subjective Interpretations and Input Bias, Smith et al. (2009) (figures: probability mapped to likelihood on a 0 to 1 scale, and consequence mapped to utility, each shown for an objective and a subjective assessor; SRP, value axes)
Extension of Cox for Optimal 5x5 Matrix Design, Hong and Mazzuchi (2013) (figure)
Uncertainty Distribution for Portfolios of Risks, Mazzuchi and Scolese (2014) (figure in the p–c plane)
Quantitative Risk Analysis Scenario Analysis
Fault Trees
• The Basics of Fault Trees
 - A fault tree develops a deterministic description of the occurrence of the top event, in terms of the occurrence or not of intermediate events; top events represent system-level failure
 - Describes intermediate events further until, at a finer level of detail, basic events are obtained; basic events represent component-level failure
 - By itself, a fault tree is only a visual model of how a system failure can occur
Fault Trees
1. Identify undesirable TOP event
2. Identify first contributors
3. Link contributors to TOP event by logic gates
4. Identify second level contributors
5. Link second level contributors to TOP event by logic gate
Fault Tree Construction
• Symbols (figure)
 - Event Symbols: Basic Event, Undeveloped Event, External Event, Intermediate Event
 - Transfer Symbols: Transfer In, Transfer Out
Fault Tree Construction
• Symbols
 - Gate Symbols (figure)
   and gate: Output occurs if all input events occur
   or gate: Output occurs if any input event occurs
   exclusive or gate: Output occurs if exactly one input event occurs
   priority and gate: Output occurs if all input events occur in a specific sequence
   inhibit gate: Output occurs if the single input occurs in the presence of an enabling condition
   not or gate: Output occurs if at least one input event does not occur
   not and gate: Output occurs if all input events do not occur
Fault Tree Example 2: Example with Success Event
(system figure: Pressure Relief Valve PRV, Leak Isolation Valve VAL, Possible Ignition Source I1, Permanent Ignition Source I2)
Gas is flowing through the pipe and there is a leak after the isolation valve; this valve should close, but then the pressure relief valve must open to relieve local pressure.
(fault tree figure: top event "Explosion After Gas Leak Posterior to Isolation Valve", an OR of "Explosion Prior to Isolation" and "Explosion Posterior to Isolation Valve", developed from the events VAL Fails, VAL Performs Correctly, PRV Fails, I1 Present)
Fault Tree Example 3: Large Example (pumping system figure: tank T1, valves V1–V5, pumps P1 and P2, Sensing & Control System, AC Power Source)
Fault Tree Example 3 (fault tree figure for the top event "No Water Delivered When Needed", developed through "No Water Delivered from P1 Branch" and "No Water Delivered from P2 Branch"; events appearing in the tree: No Water Delivered from V1 (transfer a), T1 Ruptures, V1 Fails to Remain Open, V2 Fails to Remain Open, V3 Fails to Remain Open, V4 Fails to Remain Open, V5 Fails to Remain Open, P1 Fails to Function, P2 Fails to Function, S Fails to Send Signal (transfer b), S Fails, AC Fails)
Fault Tree Example 3: Alternative Construction (fault tree figure for "No Water Delivered When Needed" with the intermediate events "No Water Delivered from V1" (T1 Ruptures, V1 Fails to Remain Open), "Pumping Branches Fail" (P1 Branch Fails: P1 Fails to Function, V2 and V4 Fail to Remain Open; P2 Branch Fails: P2 Fails to Function, V3 and V5 Fail to Remain Open), S Fails and AC Fails)
Fault Tree Example 4: Block Diagram Example
• Circuit Block Diagram Example (figure: units 1–7 between points A, B, C, D, E, F)
Fault Tree Example 4 (fault tree figure, read as follows)
 - No Current at Point F: OR of "No Current at D & E" and Unit 7 Fails
 - No Current at Point E: OR of No Current at Point C and "Units 5 & 6 Fail" (Unit 5 Fails and Unit 6 Fails)
 - No Current at Point C: OR of No Current at Point A and Unit 2 Fails
 - No Current at Point D: OR of No Current at Point B and "Units 3 & 4 Fail" (Unit 3 Fails and Unit 4 Fails)
 - No Current at Point B: OR of No Current at Point A and Unit 1 Fails
Event Tree Method
• The Event Tree Method is the primary technique used in PRA to generate risk scenarios
• This method can be used when …
 - … successful operation of a system depends on the approximately chronological and discrete operation of its units
 - … previous event tree model scenarios of successive events have led to exposure to hazards, and ultimately to undesirable consequences
Event Tree Method Example (figure: initiating event A followed by subsystems B, C, D, E; success branches go up, failure branches go down; each end point lists its sequence logic and the system result S or F, e.g. A B' C' E' → S, A B' C' E → F, A B' C D' E' → S, A B' C D' E → F, A B' C D → F, A B → F)
Let A denote that subsystem A fails and A' denote that it does not fail
• The end events are mutually exclusive
• The result depends on the sequence of events
Event Tree Method
• Building an event tree
 - Build from left to right
 - Start the sequence at the initiating event
 - Place protective barriers as the successive (binary) events
 - Calculate branching probabilities (called split fractions) from fault trees
 - Calculate the probability of the end mutually exclusive events as the product of the path split fractions
Event Tree Method Example 1 (system figure: float switch S, pump P, klaxon K, bailing B)
A subgrade compartment containing important control equipment is protected from flooding using the above system. If the water rises it should close the float switch, which operates a pump with a separate power supply. A klaxon should also sound and alert operators to perform bailing.
Event Tree Method Example 1 (event tree figure: initiating event Water Rises I, then Float Switch S, Pump P, Klaxon K, Bailing B; system logic and results: I S P → S; I S P' K B → S; I S P' K B' → F; I S P' K' → F; I S' → F)
Event Tree Method Example 2 (event tree figure: initiating event Illegal Access by Hacker I, then Abnormal Signal Detected by Firewall F, Firewall Operator Principal O, Backup Attempted by Operator B; system logic and results: I F → S; I F' O B → S; I F' O B' → F; I F' O' → F)
Event Tree Method
• Split fractions are calculated using fault trees
Quantifying Scenario Analysis
Quantifying Fault Trees and Event Trees
• How Do You Quantify Fault Trees and Event Trees
 - A fault tree or an event tree by itself is only a visual model of a system
 - It can be a representation of Boolean logic, i.e. a representation of the functioning (or not) of the system as a function of its components
 - Because the basic events are 0-1 (fail-no fail), we can use Boolean algebra to reduce the system expression to the lowest terms
 - In doing so we make the following assumptions: all events are binary; the system is coherent, i.e., failure of any component cannot improve the system
Boolean Reduction: Boolean Algebra
• Notation
 X and Y: Boolean operator X•Y; set theory X∩Y
 X or Y: Boolean operator X+Y = 1-(1-X)(1-Y); set theory X∪Y
 Not X: Boolean operator X'; set theory X^c
• Important Laws
 Commutative: X•Y = Y•X; X+Y = Y+X
 Associative: X•(Y•Z) = (X•Y)•Z; X+(Y+Z) = (X+Y)+Z
 Distributive: X•(Y+Z) = X•Y + X•Z
 Idempotent: X•X = X; X+X = X
 Absorption: X + X•Y = X
 Complementation: X + X' = Ω; (X')' = X
 De Morgan's: (X•Y)' = X' + Y'; (X+Y)' = X'•Y'
 Empty/Universal Set: ∅' = Ω
Reducing a Fault Tree Using Boolean Algebra (the substitutions below correspond to the intermediate events E3 = B + C and E4 = A•B of the tree)
T = E1•E2
 = (A+E3) • (C+E4)
 = A•C + A•E4 + C•E3 + E3•E4
 = A•C + A•(A•B) + C•(B+C) + (B+C)•(A•B)
 = A•C + A•A•B + C•B + C•C + B•A•B + C•A•B
 = A•C + A•B + B•C + C + A•B + A•B•C
 = A•C + A•B + B•C + C + A•B•C
 = A•C + A•B + C + A•B•C
 = A•B + C + A•B•C
 = A•B + C
This is the reduced tree and reduced Boolean expression for the tree, called the Min Cut Set Representation.
Representing Systems in Terms of Their Components
Using the convention that X•Y = X*Y and X+Y = 1-(1-X)*(1-Y) we may determine the state of the top event in terms of the component states. From the previous page, T = A•B + C = 1-(1-A*B)*(1-C). For example, if A occurs and C occurs but B does not, T = 1-(1-1*0)(1-1) = 1 (the top event occurs).
Representing Systems in Terms of Their Components
• Truth tables
 - Generate all possible component states and the probabilities associated with each
 - For m components, each can either function or not (i.e. 2 states for each component), thus there are 2^m possible states taking into account all components
 - Evaluate the system using the Boolean formula for each state
Representing Systems in Terms of Their Components
 - Generation of All Possible States (table: the 1st column alternates 0 and 1 in blocks of 2^0 = 1, the 2nd column in blocks of 2^1 = 2, the 3rd column in blocks of 2^2 = 4, …, the nth column in blocks of 2^(n-1), i.e. its first half is 0 and its second half is 1)
Representing Systems in Terms of Their Components
• Truth tables: T = A•B + C = 1-(1-A*B)*(1-C)
 A B C | T
 0 0 0 | 1-(1-0*0)(1-0) = 0
 1 0 0 | 1-(1-1*0)(1-0) = 0
 0 1 0 | 1-(1-0*1)(1-0) = 0
 1 1 0 | 1-(1-1*1)(1-0) = 1
 0 0 1 | 1-(1-0*0)(1-1) = 1
 1 0 1 | 1-(1-1*0)(1-1) = 1
 0 1 1 | 1-(1-0*1)(1-1) = 1
 1 1 1 | 1-(1-1*1)(1-1) = 1
Note that if all elements of {A,B} occur or all elements of {C} occur then the top event occurs. These are called Cut Sets.
Representing Systems in Terms of Their Components
• Truth Tables in Excel (spreadsheet figure): T = A•B + C = 1-(1-A*B)*(1-C)
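The truth-table procedure of the last few slides, carried through in code as an added example (not from the slides): every one of the 2^m states is generated, T = 1-(1-A*B)*(1-C) is evaluated in each, and the probability of the top event is obtained by summing the probabilities of the failing states. The basic events are assumed independent and the failure probabilities 0.1, 0.2 and 0.05 are constructed values.

```python
"""Truth-table evaluation of a top event and its probability (added example).

All 2^m component states are enumerated, the top-event indicator is evaluated in
each, and the probabilities of the states in which the top event occurs are summed.
Basic events are assumed independent; the failure probabilities are constructed.
"""
from itertools import product
from math import prod


def top_event(a, b, c):
    """T = A*B + C, evaluated as 1 - (1 - A*B)*(1 - C) on 0/1 indicators."""
    return 1 - (1 - a * b) * (1 - c)


def truth_table(names, top):
    """Return [(state, T)] over all 2^m states; the first-named column alternates fastest."""
    rows = []
    for bits in product((0, 1), repeat=len(names)):
        bits = bits[::-1]                      # first component toggles fastest, as on the slide
        state = dict(zip(names, bits))
        rows.append((state, top(*bits)))
    return rows


def state_probability(state, p_fail):
    """prod over components of p_i if failed, (1 - p_i) if not, for independent basic events."""
    return prod(p_fail[n] if x else 1 - p_fail[n] for n, x in state.items())


def top_event_probability(names, top, p_fail):
    """P(T = 1) as the sum of the probabilities of all states with T = 1."""
    return sum(state_probability(s, p_fail) for s, t in truth_table(names, top) if t == 1)


def cut_set_rows(names, top):
    """States in which the top event occurs, i.e. the (not necessarily minimal) cut sets."""
    return [frozenset(n for n, x in s.items() if x)
            for s, t in truth_table(names, top) if t == 1]


NAMES = ("A", "B", "C")
P_FAIL = {"A": 0.1, "B": 0.2, "C": 0.05}   # constructed failure probabilities

if __name__ == "__main__":
    for state, t in truth_table(NAMES, top_event):
        print(" ".join(str(state[n]) for n in NAMES), "->", t)
    print("P(T=1) =", top_event_probability(NAMES, top_event, P_FAIL))
    # The min cut sets {A,B} and {C} share no component, so the additive law
    # P(AB) + P(C) - P(ABC) and the product form 1-(1-ab)(1-c) agree here.
    a, b, c = (P_FAIL[n] for n in NAMES)
    print("closed form:", 1 - (1 - a * b) * (1 - c))
```

The closed form 1-(1-ab)(1-c) matches the truth-table sum only because the two min cut sets have no component in common; when cut sets overlap, the truth table (or the full additive law) is the safe way to get P(T = 1), since the product of (1 - P(C_i)) then overcounts the shared failures.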
Some Important Definitions
• Cut Set
 - A collection of basic events such that, if the events occur together, the top event certainly occurs
• Min Cut Set
 - A cut set such that, if any basic event is removed, the remaining set is no longer a cut set
• Path Set
 - A collection of basic events that connect input and output; a path set merely represents a path through the graph
• Min Path Set
 - A path set such that, if any basic event is removed, the remaining set is no longer a path set
Min Cut Set Representation for Fault Trees
• What is it?
 - After Boolean reduction, the Boolean formula for any fault tree will be in Min Cut Set Representation
   T = X_11•X_12•…•X_1n1 + X_21•X_22•…•X_2n2 + … + X_m1•X_m2•…•X_mnm
   where {X_i1, X_i2, …, X_ini} is the ith cut set and X_ij = 1 if the corresponding item failed and 0 otherwise
 - Letting C_i = X_i1•X_i2•…•X_ini, where C_i is the ith cut set indicator (C_i = 1 if all elements of the ith cut set fail), then T = C_1 + C_2 + … + C_m
Min Cut Set Representation for Fault Trees
• Converting Min Cut Set Representation to a Calculable Formula
 - T = C_1 + C_2 + … + C_m, so we can write T = 1 – (1-C_1)*(1-C_2)*…*(1-C_m)
 - And since C_i = X_i1•X_i2•…•X_ini we can write
   T = 1 – (1-C_1)*(1-C_2)*…*(1-C_m) = 1 – (1-Π_{j=1..n1} X_1j)*(1-Π_{j=1..n2} X_2j)*…*(1-Π_{j=1..nm} X_mj)
Example
Consider the following fault tree (figure): top event [(D+E)•B]•[B•C+A], an AND gate of the intermediate events (D+E)•B (the AND of D+E and B) and B•C+A (the OR of B•C and A)
Example
T = [(D + E) • B] • [(B • C) + A]
T = (B•D + B•E) • [(B•C) + A]
T = (B•D•B•C) + (B•E•B•C) + (B•D•A) + (B•E•A)
T = B•C•D + B•C•E + A•B•D + A•B•E
The minimal cut sets of the top event are thus C1 = {B, C, D}, C2 = {B, C, E}, C3 = {A, B, D}, C4 = {A, B, E}
Example
Thus, if A = 1 if component A fails and 0 otherwise, and likewise for B, C, D, E, we can write
T = 1-(1-B*C*D)*(1-B*C*E)*(1-A*B*D)*(1-A*B*E)
If T = 1 we have system failure, and T = 0 indicates the system is functioning.
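The Boolean reduction of the "Reducing a Fault Tree Using Boolean Algebra" slide and of this example, done mechanically, as an added example that is not part of the slides: a tree is written as nested AND/OR gates over named basic events, each gate is expanded to a sum of products, and the absorption law X + X•Y = X removes the non-minimal products, leaving the min cut sets. The nested-tuple tree format and the function names are this example's own choices; the two trees encoded are the ones on the slides.

```python
"""Boolean reduction of a fault tree to its minimal cut sets (added example).

A tree is a nested tuple ("AND", child, ...) / ("OR", child, ...) whose leaves are
basic-event names. Each gate is expanded into a sum of products, represented as a
set of frozensets of basic events; idempotence (X*X = X) falls out of set union and
absorption (X + X*Y = X) is applied after every gate.
"""
from itertools import product


def absorb(products):
    """Absorption law: drop every product that contains another product."""
    return {p for p in products if not any(q < p for q in products)}


def cut_sets(tree):
    """Return the minimal cut sets of the top event as a set of frozensets."""
    if isinstance(tree, str):
        return {frozenset([tree])}
    gate, *children = tree
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        combined = set().union(*child_sets)                    # sum of the children's products
    elif gate == "AND":
        # distribute: one product from each child, merged (X*X = X via set union)
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return absorb(combined)


def indicator(min_cuts, failed):
    """Evaluate T = 1 - prod_i (1 - prod_{j in C_i} X_j) given the set of failed basic events."""
    t = 1
    for c in min_cuts:
        t *= 1 - int(c <= failed)     # the cut set's product is 1 iff all its events failed
    return 1 - t


# Slide "Reducing a Fault Tree": T = E1*E2 with E1 = A + E3, E2 = C + E4, E3 = B + C, E4 = A*B
TREE_REDUCTION_SLIDE = ("AND", ("OR", "A", ("OR", "B", "C")), ("OR", "C", ("AND", "A", "B")))
# This example's tree: [(D+E)*B] * [B*C + A]
TREE_EXAMPLE = ("AND", ("AND", ("OR", "D", "E"), "B"), ("OR", ("AND", "B", "C"), "A"))

if __name__ == "__main__":
    for name, tree in (("reduction slide", TREE_REDUCTION_SLIDE), ("example", TREE_EXAMPLE)):
        print(name, sorted(sorted(c) for c in cut_sets(tree)))
    # A and C failed, B not: the top event of the reduction-slide tree occurs
    print(indicator(cut_sets(TREE_REDUCTION_SLIDE), {"A", "C"}))
```

The same routine applies to any AND/OR tree, including the general-system tree [A•(B+D)+F]•[C•(B+E)+G]+H later in the deck, because absorption after each gate is exactly the step that removed A•B•C•E and A•B•C•D in that hand reduction.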
Example
Determining Boolean Representation for Series-Parallel Systems (block diagram figures of components X1–X8, reduced step by step)
 - The X2, X3 block reduces to X2*X3
 - Combined with X4: 1-(1-X2*X3)*(1-X4)
 - Combined with X5: [1-(1-X2*X3)*(1-X4)]X5
 - The X6, X7, X8 block reduces to X6*X7*X8
 - Combined with X1: 1-(1-X1)*(1-[1-(1-X2*X3)*(1-X4)]X5)*(1-X6*X7*X8)
Determining Boolean Representation for Series-Parallel Systems (block diagram figure of components 1–8)
System Indicator = 1 – (1-X1)(1-(1-(1-X2X3)(1-X4))X5)(1-X6X7X8)
 = 1 – (1-X1)(1-X2X3X5-X4X5+X2X3X4X5)(1-X6X7X8)
 = 1 – (1-X1)(1-X2X3X5)(1-X4X5)(1-X6X7X8) since for binary variables (X5)^2 = X5
This is called the min cut representation (no X_i^n terms)
Determining Boolean Representation for Series-Parallel Systems (block diagram figure of components 1–8)
What is min cut set representation?
1-(1-X1)(1-X2X3X5)(1-X4X5)(1-X6X7X8)
Note that for the sets of components {1}, {2,3,5}, {4,5}, {6,7,8}, if all of the items in a set fail, then the system fails: a cut set. Also note that we cannot reduce any of these sets by even a single element and have it still be a cut set: a min cut set.
Determining Boolean Representation for Series-Parallel Systems (block diagram figure of components 1–8)
What is a min path?
Note that for the sets of components {1,5,6}, {1,5,7}, {1,5,8}, {1,2,4,6}, {1,2,4,7}, {1,2,4,8}, {1,3,4,6}, {1,3,4,7}, {1,3,4,8}, if all of the items in a set function, then the system functions (a path from beginning to end): a path set. Also note that we cannot reduce any of these sets by even a single element and have it still be a path set: a min path set.
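The min cut sets and min path sets of the series-parallel system on these slides, recovered from its indicator function by enumeration, as an added example (not from the slides): every one of the 2^8 component states is tried, a set of components is a cut set if the system fails when exactly those components have failed, a path set if the system works when exactly those components are working, and only the inclusion-minimal sets are kept. The indicator is written on component failure indicators exactly as on the slides; the bridge structure Z from the "General Systems" slide is included to show the same routine on a non-series-parallel system. Function names are this example's own.

```python
"""Minimal cut sets and minimal path sets from a structure function (added example).

phi(x) is the system failure indicator on component failure indicators x[i]
(1 = component i failed), following the series-parallel slides. All 2^n states
are enumerated and the inclusion-minimal cut sets and path sets are kept.
"""
from itertools import product


def phi_series_parallel(x):
    """Failure indicator 1-(1-X1)(1-[1-(1-X2X3)(1-X4)]X5)(1-X6X7X8) from the slides."""
    block_234 = 1 - (1 - x[2] * x[3]) * (1 - x[4])   # X2*X3 combined with X4
    block_2345 = block_234 * x[5]                     # ... combined with X5
    return 1 - (1 - x[1]) * (1 - block_2345) * (1 - x[6] * x[7] * x[8])


def phi_bridge(x):
    """Cut-set form Z = 1-(1-X1X2)(1-X1X3X5)(1-X4X5)(1-X2X3X4) of the bridge structure."""
    z = 1
    for cut in ((1, 2), (1, 3, 5), (4, 5), (2, 3, 4)):
        term = 1
        for j in cut:
            term *= x[j]
        z *= 1 - term
    return 1 - z


def minimal_sets(phi, n, kind):
    """kind="cut":  sets S such that phi = 1 when exactly the components in S have failed.
    kind="path": sets S such that phi = 0 when exactly the components in S are working.
    Only inclusion-minimal sets are returned."""
    found = []
    for bits in product((0, 1), repeat=n):
        chosen = {i + 1 for i, b in enumerate(bits) if b}
        if kind == "cut":
            x = {i: int(i in chosen) for i in range(1, n + 1)}        # S failed, rest working
            hit = phi(x) == 1
        elif kind == "path":
            x = {i: int(i not in chosen) for i in range(1, n + 1)}    # S working, rest failed
            hit = phi(x) == 0
        else:
            raise ValueError(kind)
        if hit:
            found.append(frozenset(chosen))
    return {s for s in found if not any(t < s for t in found)}


if __name__ == "__main__":
    for kind in ("cut", "path"):
        print(kind, sorted(sorted(s) for s in minimal_sets(phi_series_parallel, 8, kind)))
    print("bridge cut", sorted(sorted(s) for s in minimal_sets(phi_bridge, 5, "cut")))
```

Enumeration is exponential in the number of components, so it is a check on hand reductions for small systems rather than a method for large fault trees; for those, the Boolean reduction to min cut sets is the tool.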
Boolean Representation for General Systems
• Non series-parallel structures (bridge block diagram figure of components 1–5)
• Use cut set representation: Z = 1-(1-X1X2)(1-X1X3X5)(1-X4X5)(1-X2X3X4)
Boolean Representation for General Systems
• As structures get more complex this becomes difficult and we may have to resort to a fault tree
• Determine the min path and min cut sets (flow network figure from "in" to "out" through components A, B, C, D, E, F, G, H)
Boolean Representation for General Systems (fault tree figure for the top event "No Flow to Out", developed through the intermediate events "No Flow to H", "No Flow From G", "No Flow From F", "No Flow to F", "No Flow to G", "No Flow From D", "No Flow From E", "No Flow From A", "No Flow From C", "No Flow to D", "No Flow to E", down to the basic events A–H and "No Flow From 'in'", which we will discount in our analysis)
Boolean Representation for General Systems (the same fault tree labelled with Boolean expressions: top event [A•(B+D)+F]•[C•(B+E)+G]+H, built from the intermediate expressions [A•(B+D)+F]•[C•(B+E)+G], A•(B+D)+F, C•(B+E)+G, A•(B+D), C•(B+E), B+D, B+E and the basic events A–H)
Boolean Representation for General Systems
Failure = [A•(B+D)+F]•[C•(B+E)+G]+H
 = [A•B + A•D + F] • [C•B + C•E + G] + H
 = A•B•B•C + A•B•C•E + A•B•G + A•D•B•C + A•D•C•E + A•D•G + F•B•C + F•C•E + F•G + H
 = A•B•C + A•B•C•E + A•B•G + A•B•C•D + A•C•D•E + A•D•G + B•C•F + C•E•F + F•G + H
 = A•B•C + A•B•G + A•C•D•E + A•D•G + B•C•F + C•E•F + F•G + H
Cut Sets: {A,B,C}, {A,B,G}, {A,C,D,E}, {A,D,G}, {B,C,F}, {C,E,F}, {F,G}, {H}
Using our indicator notation:
T = 1-(1-A*B*C)*(1-A*B*G)*(1-A*C*D*E)*(1-A*D*G)*(1-B*C*F)*(1-C*E*F)*(1-F*G)*(1-H)
Quantifying Event Trees (Using DeMorgan's Laws)
(event tree figure: initiating event I, then subsystems A, B, C; end states Scenario 1 = I•A'•B'•C', Scenario 2 = I•A'•B'•C, Scenario 3 = I•A'•B, Scenario 4 = I•A)
Assume the split fractions are calculated using fault trees (figures, with gate G1): A = b + c•d, B = c + e, C = b•d
Quantifying Event Trees (X' denotes "not X"; by De Morgan, A' = (b + c•d)' = b'•(c' + d') = b'•c' + b'•d' and B' = (c + e)' = c'•e')
Scenario 4: I • A = I • (b + c•d)
Scenario 3: I • A' • B = I • (b'•c' + b'•d') • (c + e) = I • (b'•c'•e + b'•c•d' + b'•d'•e)
Scenario 2: I • A' • B' • C = I • (b'•c' + b'•d') • (c'•e') • (b•d) = { } (b' and b cannot both hold)
Scenario 1: I • A' • B' • C' = I • (b'•c' + b'•d') • (c'•e') • (b•d)' = I • (b'•c' + b'•d') • (c'•e') • (b' + d') = I • b'•c'•e'
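The scenario quantification above, checked by enumeration as an added example (not from the slides): the split fractions A = b + c•d, B = c + e, C = b•d are evaluated as 0/1 indicators for each of the 16 states of the basic events b, c, d, e, each state is assigned to the one scenario whose branch outcomes it produces, and scenario probabilities are obtained by summing state probabilities. The basic events are assumed independent; the failure probabilities used in the main block and P(I) = 1 are constructed values, and the function names are this example's own.

```python
"""Event tree scenario quantification by enumerating basic events (added example).

Split fractions are the fault-tree failure indicators from the slide:
    A = b + c*d,  B = c + e,  C = b*d     (1 = failed)
A scenario is the conjunction of the branch outcomes along its path. Every state
of (b, c, d, e) lands in exactly one scenario, so the scenarios are mutually
exclusive and their probabilities sum to P(I). Basic events assumed independent.
"""
from itertools import product
from math import prod

BASIC = ("b", "c", "d", "e")


def split_fractions(b, c, d, e):
    """Failure indicators of subsystems A, B, C (OR as 1-(1-x)(1-y), AND as x*y)."""
    A = 1 - (1 - b) * (1 - c * d)
    B = 1 - (1 - c) * (1 - e)
    C = b * d
    return A, B, C


def scenario(b, c, d, e):
    """Walk the tree: branch on A first, then B, then C (1 = failure branch)."""
    A, B, C = split_fractions(b, c, d, e)
    if A:
        return 4                 # I * A
    if B:
        return 3                 # I * A' * B
    return 2 if C else 1         # I * A' * B' * C   /   I * A' * B' * C'


def scenario_states():
    """Map scenario number -> list of basic-event states (dicts) that land in it."""
    out = {1: [], 2: [], 3: [], 4: []}
    for bits in product((0, 1), repeat=len(BASIC)):
        state = dict(zip(BASIC, bits))
        out[scenario(**state)].append(state)
    return out


def scenario_probabilities(p_fail, p_init=1.0):
    """P(scenario k) = P(I) * sum over its states of prod p^x (1-p)^(1-x)."""
    probs = {}
    for k, states in scenario_states().items():
        probs[k] = p_init * sum(
            prod(p_fail[n] if x else 1 - p_fail[n] for n, x in s.items()) for s in states)
    return probs


if __name__ == "__main__":
    # constructed failure probabilities for the basic events
    p_fail = {"b": 0.1, "c": 0.2, "d": 0.3, "e": 0.4}
    for k, states in scenario_states().items():
        print(f"scenario {k}: {len(states)} states", states)
    print(scenario_probabilities(p_fail))
```

The enumeration reproduces the reduced expressions on the slide: scenario 2 receives no state at all, scenario 1 receives exactly the states with b = c = e = 0 (d free), and scenario 3 receives the four states covered by b'•c'•e + b'•c•d' + b'•d'•e.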
Calculating the Probability of the Top Event
• Three Methods
 - Converting Cut Set Formulation to Probability Statements
 - Using Truth Tables
 - Using Binary Decision Diagrams
Calculating the Probability of the Top Event - Method 1
• Additive Law for Events A1, …, An: P(A1 ∪ … ∪ An) = ∑_{i=1..n} P(Ai) – ∑_{i…} … (the extract breaks off here; the deck resumes with the fragment below on analyzing series systems)
… , Tn > t} = 1 - ∏_{i=1..n} Pr{Ti > t} if components are independent = 1 - ∏_{i=1..n} [1 - Fi(t)]
Analyzing Parallel Systems (block diagram figure of components 1, …, n in parallel)
TS = max{T1, …, Tn}
System Failure = Pr{TS ≤ t} = Pr{max{T1, …, Tn} ≤ t} = Pr{T1 ≤ t, …, Tn ≤ t} = ∏_{i=1..n} Pr{Ti ≤ t} if components are independent = ∏_{i=1..n} Fi(t)
Making Risk Time Dependent (block diagram figure of components 1, 2, 3)
Z = 1-(1-X1*X2)*(1-X3)
► Use probability laws (Cut Set Rep): P(TS …
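The time-dependent formulas from the series and parallel slides, together with the cut-set form for the three-component system Z above, as an added example that is not part of the slides: each component lifetime Ti is given a CDF Fi(t), and Pr{TS ≤ t} is computed as 1 - ∏(1 - Fi(t)) for a series system, ∏ Fi(t) for a parallel system, and 1 - (1 - F1(t)F2(t))(1 - F3(t)) for Z, which is valid because Z's min cut sets {1,2} and {3} share no component. Exponential lifetimes with constructed rates are assumed, component lifetimes are assumed independent, and the function names are this example's own.

```python
"""Time-dependent system failure probability from component lifetime CDFs (added example).

Series:   TS = min{Ti},  Pr{TS <= t} = 1 - prod_i (1 - Fi(t))
Parallel: TS = max{Ti},  Pr{TS <= t} = prod_i Fi(t)
Cut-set form for Z = 1-(1-X1 X2)(1-X3):  Pr{TS <= t} = 1 - (1 - F1(t) F2(t)) (1 - F3(t)),
          exact here because the min cut sets {1,2} and {3} have no component in common.
Component lifetimes are assumed independent; exponential CDFs with constructed rates.
"""
from math import exp, prod


def exp_cdf(rate):
    """Return F(t) = 1 - exp(-rate * t), the CDF of an exponential lifetime."""
    return lambda t: 1.0 - exp(-rate * t)


def series_failure(cdfs, t):
    """Pr{min{T1..Tn} <= t} = 1 - prod (1 - Fi(t))."""
    return 1.0 - prod(1.0 - F(t) for F in cdfs)


def parallel_failure(cdfs, t):
    """Pr{max{T1..Tn} <= t} = prod Fi(t)."""
    return prod(F(t) for F in cdfs)


def cutset_failure(min_cuts, cdfs, t):
    """1 - prod_i (1 - prod_{j in C_i} Fj(t)); exact only when the cut sets share no component."""
    return 1.0 - prod(1.0 - prod(cdfs[j](t) for j in cut) for cut in min_cuts)


def z_system_failure(cdfs, t):
    """The slide's Z = 1-(1-X1*X2)*(1-X3) made time dependent: components 1 and 2 form one
    min cut set, component 3 another."""
    return cutset_failure([(1, 2), (3,)], cdfs, t)


if __name__ == "__main__":
    # constructed failure rates per unit time for components 1, 2, 3
    cdfs = {1: exp_cdf(0.01), 2: exp_cdf(0.02), 3: exp_cdf(0.001)}
    for t in (10.0, 50.0, 100.0, 500.0):
        print(f"t={t:6.1f}  series={series_failure(cdfs.values(), t):.4f}  "
              f"parallel={parallel_failure(cdfs.values(), t):.4f}  "
              f"Z={z_system_failure(cdfs, t):.4f}")
```

For any coherent system the series value bounds the failure probability from above and the parallel value from below, so the two rows bracket the Z curve; that is a quick sanity check when a cut-set formula has been derived by hand.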