However, uncertainties in PRAs may lead to inaccurate risk level estimations and consequently to wrong decisions [ 1 ]. Lack of knowledge about systems under study during the PRAs is one of the main causes of uncertainties, which leads to simplification of assumptions, as well as imprecision and inaccuracies in the parameters used as inputs to PRA e. A framework to use the method of moments for determining the likelihoods of different outcomes from event trees in an uncertain data environment using fault trees is described in this work.

Illustrative examples using this approach for propagating uncertainty in basic events of fault trees, following log-normal distributions, are also presented. The probability distributions of top events are compared with analyses available in the literature using different approaches, such as Monte Carlo simulation and Wilks and Fenton-Wilkinson methods. There are many concepts of risk used in different scientific, technological, or organization areas.

In a general sense, risk can be defined as the potential of loss e.

- The creative gardeners guide to blues and purples : how to mix and match over 100 stunning flowers, shrubs and trees to create a garden of beatuy?
- No There There: Race, Class, and Political Community in Oakland.
- The Globalization of Terror: The Challenge of Al-Qaida and the Response of the International Community.
- Yosemite, Sequoia & Kings Canyon!

Sometimes, risk is measured through the assessment of the probability of occurrence of an undesired event and the magnitude of consequences [ 2 ]. In this way, risk assessment encompasses the answers to the following questions [ 3 ]: What can go wrong that may lead to an outcome of hazard exposure scenario Si? Therefore, risk, Ri , for a scenario Si , can be quantitatively expressed as function of these three variables, as given by Eq.

According to Christensen et al. This hazard concept does not include the probability of adverse outcome, which is the core difference from risk term.

### Freely available

In this chapter, hazard is then considered as the properties of agents or situations capable of having adverse effects on facilities, human health, or environment, such as dangerous substance, sources of energy, or natural phenomena. PRA provides an efficient way for quantifying the risks, even in an environment of uncertainties regarding possible scenarios, data, or modeling. Risk assessment is part of risk management carried out before deciding about risk treatment and prioritizing actions to reduce risks risk-based decision-making.

Figure 1 shows a framework for PRA under uncertainty environment [ 5 , 6 ]. PRA starts with the hazard identification and scenario development, proceeds through quantification of frequencies and consequences, and ends with risk analysis and evaluation [ 5 ]. The first step of a PRA process consists of finding, recognizing, and recording risk sources hazard identification. The accident scenario development sequence or chain of undesired events consists of identifying the initiating events IEs and the sequences of events following these IEs. The latter are the critical events that initiate an accident, such as pipe rupture, overpressures, or explosion.

The sequences of events are the combinations of success or failure of the barriers or controls requested by IEs defense-in-depth layers , for example, emergency shutdown systems, human actions, or physical protection. Each sequence can lead to a desired or undesired outcome end state such as uncontrollable release of toxic gases, radiation exposure, or facility shutdown [ 6 ]. FTs quantify frequencies or probabilities of top events such as IEs or failure of defense-in-depth layers through causal relationship of basic events e.

ETs identify and evaluate each sequence frequency using data generated by FTs [ 5 ]. The consequence assessment of each accident scenario to people, property, or environment depends on many factors, such as magnitude of the event, number of people exposed to harm, atmospheric conditions, mitigating measures, etc. The consequence modeling involves the use of analytical or empirical physical or phenomenological models, such as plume dispersion, blast impact TNT equivalent , or Monte Carlo simulation [ 7 , 8 ].

## Deterministic or probabilistic analysis? | Risktec

Risk analysis is the combination and integration of the probabilities or frequencies and the consequences for identified hazards, taking into account the effectiveness of any existing controls and barriers. It provides an input to risk evaluation and decisions about risk treatment and risk management strategies [ 6 ]. There are many uncertainties associated with the analysis of risk related to both probability and consequence assessments. An assessment of uncertainties is necessary to perform risk evaluation and to take decisions.

The major categories of uncertainties are associated with data, methods, and models used to identify and analyze risks. Uncertainty assessment involves the determination of the variation or imprecision in the results, based on uncertainties of basic parameters and assumptions used in the analyses.

Uncertainty propagation of failure probability distributions in FTs and ETs, as well as variability analysis of physical processes named stochastic uncertainty and the uncertainties in knowledge of these processes named epistemic uncertainty , have to be properly accounted for in PRA results [ 9 ]. Risk evaluation involves comparing estimated levels of risk with risk criteria defined, once the context of analysis has been established.

Uncertainty assessment is important to adjust the categorization of the risk ranking, supporting the decision-makers in meeting risk criteria of standards and guidelines, as well as in visualizing and communicating risks [ 10 ]. The main techniques used for probabilistic risk assessment are fault tree analysis FTA and event tree analysis ETA [ 11 ]. Beginning with the top event, the intermediate events are hierarchically placed at different levels until the required level of detail is reached the basic events at the bottom of the tree.

Minimal cut sets MCSs of a fault tree are the combinations of basic events which are the shortest pathways that lead to the top event.

## Deterministic and Probabilistic Safety Analysis

MCSs are used for qualitative and quantitative assessments of fault trees and can be identified with support of Boolean algebra, specialized algorithms, or computer codes [ 12 ]. The probability of the top event can be assessed if the probability values or probability density functions pdfs of the basic events are available, using the identified MCSs.

For instance, using the set theory concepts [ 13 ], the probability equations of the two FTs in Figure 2 a and b can be expressed by Eqs. ETA is also a graphical logic model that identifies and quantifies possible outcomes accident scenarios following an undesired initiating event [ 14 ]. It provides systematic analysis of the time sequence of intermediate events e. Consequences can be direct e. If the success and the failure of each event are mutually exclusive binary trees and the probabilities of event occurrence are independent of each other, the frequency of each scenario is calculated as shown in Figure 3.

Many types of data must be collected and treated for use in PRAs in order to quantify the accident scenarios and accident contributors. Data include, among others, component reliability and failure rates, repair times, initiating event probabilities, human error probabilities, and common cause failure CCF probabilities. These data are usually represented by uncertainty bounds or probability density functions, measuring the degree of knowledge or confidence in the available data.

Uncertainties can be highly significant in risk-based decisions and are important for establishing research priorities after a PRA process. For well-understood basic events for which a substantial experience base exists, the uncertainties may be small. When data from experience are limited, the probability of basic events may be highly uncertain, and even knowing that a given probability is small, most of the time one does not know how small it is. The development of scenarios in a PRA introduces uncertainties about both consequences and probabilities.

Random changing of physical processes is an example of stochastic uncertainties, while the uncertainties due to lack of knowledge about these processes are the epistemic uncertainties. Component failure rates and reliability data are typically uncertain, sometimes because unavailability of information and sometimes because doubts about the applicability of available data. PRA of complex engineering systems such as those in nuclear power plants NPPs and chemical plants usually exhibits uncertainties arising from inadequate assumptions, incompleteness of modeling, CCF and human reliability issues, and lack of plant-specific data.

For this type of facility, the major of sources of uncertainties are [ 15 ]: Uncertainties in input parameters—parameters of the models e. Modeling uncertainty—inadequacy of conceptual, mathematical, numerical, and computational models. Uncertainty about completeness—systematic expert reviewing can minimize the difficulties in assessing or quantifying this type of uncertainty.

The main focus of this work is the treatment of uncertainties regarding numerical values of the parameters used in fault and event trees in the scope of PRA and their propagation in these models. If a probability density function pdf is provided for the basic events e. There are several available methods for propagating uncertainties such as analytical methods method of moments and Fenton-Wilkinson FW method , Monte Carlo simulation, Wilks method order statistic , and fuzzy set theory.

They are different from each other, in terms of characterizing the input parameter uncertainty and how they propagate from parameter level to output level [ 16 ]. The analytical methods consist in obtaining the distribution of the output of a model e. An exact analytical distribution of the output however can be derived only for specific models such as normal or log-normal distributions [ 17 ].

The Fenton-Wilkinson FW method is a kind of analytical technique of approximating a distribution using log-normal distribution with the same moments. It is a moment-matching method for obtaining an exact analytical distribution for the output closed form. This kind of closed form is helpful, when more detailed uncertainty analyses are required, for instance, in parametric studies involving uncertainty importance assessments, which require re-estimating the overall uncertainty distribution many times [ 18 ].

Using the data of historical data. A model describing the stochastic Ref. The former were used in parameters of the model are estimated from the fault trees developed for initiating events, while the available data e. Alternatively i. Process ind. Human error probabilities sequence. This means that they consist of produce an equivalent Boolean equation which can actions not routinely performed, but actions required then be used in the quantification.

An accident cognitive type depends on the time available to the sequence fault tree is generated consisting of an AND operator for thinking out the cause of the symptoms gate, having as inputs the system failures that are available to him and identifying the required response. The system fault The available time to the operator is determined on the trees that have been developed for these failures then basis of the following three time periods.

Total time within which a human action must bc cutsets. These cutsets provide combinations of simple performed. This is the time between the onset of the events that cause the accident sequence to occur. If the the course. Time period from the onset of the incident and the experience and if it is known that no failures that might time when the various indications became available to contribute to its occurrence are shared with other the operators annunciation or prompting time.

Time period required for performing the necessary simple basic event in the accident sequence fault tree actions, provided that the operator knows what has to and basically it multiplies the cutsets of the remaining be done. An illustrative example time and the level of stress affected by the severity of is the quantification of ET-l presented in Figure 2. The second important point has to do with the For the application in the ammonia storage facil- treatment of the system successes in the accident ity, it has been assumed that for all human actions of sequences.

The failure probability for this period was Boolean reduction of the accident sequence to avoid an overestimation of its frequency. In these situations the success of a frontline system implies the success of its The fifth major procedural step of the PSA includes all support systems, which cannot then be considered as the tasks associated with the quantification of accident contributing to the failure of a different frontline sequences.

This quantification implies the determina- system in the same accident sequence. Exact treatment tion in the event trees of the accident sequences to be of this problem would require linking the accident quantified and their manipulation according to the laws sequence to the success trees for those systems assumed of Boolean algebra.

Success trees are the trees resulting when the top event is replaced by its negation. If all these events, i. An accident sequence fault tree is developed. This sequence would consist of simple multiplication of the tree consists of an AND gate having as inputs the corresponding frequency and probabilities. This situ- initiating events and the top gates of the fault trees for ation is rarely true, however, owing to existing depend- the system failures in the accident sequence.

The minimal cutsets of the accident sequence fault J. Process Ind.. The fault trees of the systems assumed successful in l wind direction. Based on the above discussion the methodological 4. The minimal cutsets of this second large tree are step of determining the release categories of the generated item 2. This is actually a merging of the hazardous substance can be distinguished in the follow- cutsets of each system assumed successful in the ing four tasks.

The two lists are compared and cutsets in item 1 I Establishment of an outfzow model which imply a cutset in item 2 are eliminated. This model estimates the outflow rates and the physical 6. The remaining cutsets in item 1 are those which conditions of the ammonia following the onset of a form the accident sequence. See categories are established.

A release category refers collectively to that set of conditions which uniquely define the resulting concen- 4 Relationship of plant damage states and release tration of the hazardous substance e. Such precise knowledge, is release category. The first has to do with the physical not, however, always available. To quantify this lack of phenomena which determine the behaviour of the knowledge, each plant-damage state i can be linked released hazardous substance; the second contains the with each possible release category r, with a condi- parameters which characterize the physical properties tional probability kj, providing the probability of of the released hazardous substance and the environ- obtaining release category r, given the occurrence of mental conditions.

In the analysis of the reference The specific tasks required by this methodological facilityz9 each plant-damage state has been associated step depend heavily on the nature of the released with a range of values discrete or continuous and hazardous substance. For this reason the discussion corresponding probabilities for each of the eight here w ill refer only to the case of ammonia.

In the case of refrigerated ammonia the phenom- enology of the atmospheric dispersion following a release depends on whether the release w ill be instant- Consequence assessment aneous or continuous, and on whether the ammonia This major procedural step estimates the undesirable vapour w ill behave as a lighter-than-air or heavier- consequences associated with each release category. It follows that there are four broad classes Here again the specific tasks forming this step are of releases depending on the nature of the release and specific to the case of the release of a toxic substance, in its physical behaviour.

Each of the four classes of releases mentioned above result in concentrations which depend on the Establishment of surrounding topography amount of the released ammonia and the atmospheric The topography of the area around the site of the and meteorological conditions.

The centres of the cells were l amount of ammonia released; defined by n, radial annuli and n2 augular sectors. Population distribution in the surround- J. Papazoglou et a I.

- Probabilistic Safety Assessment in the Chemical and Nuclear Industries!
- China And Capitalism: A History of Business Enterprise in Modern China;
- The Sandman #16 The Dolls House P7: Lost Hearts.
- Related Books?

The models calcu- It follows that the frequency of an individual fatality at late the concentration of the ammonia at each point in the point p. Then dj is given by of the toxic substance that an individual would receive. The latter is determined with the help of an emergency response model simulating any protect- ive actions taken. In the analysis of the reference facility a simple emergency response model has been Computer codes implementing one or more from provided as a constraint of the BEMHA, which the various models necessary for the completion of the assumed that the exposure of each individual to the tasks of major steps 4, 5 and 6 exist and are available ammonia cloud would be limited to half-an-hour.

This team, however, identified a lack of integrated computerized packages that would allow the direct or Establishment or selection of a dose-response model indirect evaluation of Equation 1. This is particularly A dose-response model receives as input the dose true if uncertainties are to be quantified. A simple dose-response model based on a models themselves, can be quantified. The integration of the results in the case of the The risk that a certain facility presents to the ammonia storage facility has been done in two steps.

J with the associated uncertainties have the resulting health effects. One risk index that can be been calculated. This package integrates the various tasks in steps 5 and Based on the results of the first six procedural 6 along with uncertainty analysis. Details are given in steps individual risk can be calculated as follows.

### 1st Edition

Let: Refs 29 and Zso-risk curves. Maximum individual risk versus distance. Access provided by: anon Sign Out. Event trees ET and fault trees FT are the major tools, but dependences and logic cycles may exist among and within them, and are not well addressed, leading to even optimistic estimates. Repeated representations and calculations exist. Causalities are assumed deterministic, while sometimes they are uncertain. DUCG is a newly presented approach for uncertain causality representation and probabilistic reasoning, and has been successfully applied to online fault diagnoses of large complex industrial systems.

In the calculation, the problems of dependencies and circular loops are solved.