Module19 - Event Tree Analysis

Risk ID & Assessment Training Course DNV Consulting
Module 19: Event Tree Analysis
MODULE 19
EVENT TREE ANALYSIS
P:\2004 Contracts\21506545 PetroVietnam HAZOP+QRA Course\CD-ROM\Word files\Module19.doc ©2004 DNV. All Rights Reserved
Module 19: Event Tree Analysis Page i
CONTENTS
19. EVENT TREE ANALYSIS..........................................................................................1
19.1 BACKGROUND ....................................................................................................1
19.2 DESCRIPTION OF TECHNIQUE.........................................................................2
19.3 SAMPLE PROBLEM...........................................................................................14
19.4 OTHER ASPECTS OF EVENT TREE ANALYSIS ............................................17

19.4.1 Advantages of Event Trees ...............................................................................17
19.4.2 Problems with Event Trees................................................................................17
19.4.3 Identification and Treatment of Possible Errors .................................................17
19.4.4 Strengths and Weaknesses.................................................................................18
Module 19: Event Tree Analysis Page 1
19. EVENT TREE ANALYSIS

19.1 BACKGROUND
Event trees are graphical representations of a logic model which identify and quantify possible
outcomes following an initiating event. The event tree provides systematic coverage of the
time sequence of event propagation, either through a series of protective system actions,
normal plant functions and operator interventions (a pre-incident application), or where loss of
containment has occurred through the range of consequences possible (a post-incident
application). Consequences can be direct (fires, explosions, etc.), or indirect (domino
incidents on adjacent plants).
Each event following the initiating event is conditional on the occurrence of its precursor
event. Outcomes of each precursor event are most often binary (SUCCESS or FAILURE,
YES or NO), but can also include multiple outcomes (for example, 100%, 20% or 0% in the
operation of a control valve).
Event trees have found widespread applications in risk assessments for both the nuclear and
chemical industries. Two distinct applications can be identified. The “pre-incident”
application examines the protective or other systems in place which would prevent incident
precursors developing into an actual incident. The event tree analysis of such systems is often
sufficient in itself for the purposes of estimating the safety of the system. The “post-incident”
application is used to allocate the many possible outcomes for flammable and toxic releases.
The event tree analysis is rarely sufficient of itself in this application; it is usually an input to
the determination of incident frequency used in the risk calculation.
19.2 DESCRIPTION OF TECHNIQUE
As noted above, there are two common uses of event trees: pre-incident and post-incident.
The use of a pre-incident event tree would commonly be to evaluate the effectiveness of a
multi-element protective system. A post-incident event tree would commonly be used to
identify and quantify the various consequence types (e.g. flash fire, VCE, BLEVE, or
unignited safe dispersal) that might arise from a single release of hazardous material. Figure
19.1, Figure 19.2 and Figure 19.3 show pre-incident event trees; Figure 19.4 and Figure 19.5
show post-incident event trees. The pre-incident examples correspond to loss of coolant to an
exothermic reactor subject to runaway and accidents due to failures of protective systems.
The post-incident case corresponds to the release of a flammable material and the different
consequences which could result. A good description of pre-incident event trees is given in
the HEP Guidelines (CCPS 1992) and the PRA Procedures Guide (NUREG 1983).
It is possible, and even useful, to combine pre- and post-incident event trees into a single event
tree. For example, the likelihood of detection of a leak and hence successful ESD may depend
on whether the leak is immediately ignited or not. If it is immediately ignited, it may be
detected by flame detectors, depending on the number of flame detectors and the flame size.
Otherwise, detection will depend on gas detectors, taking into account the number of
detectors and the gas build-up in the area.
In a risk analysis application, event trees can be developed independently or follow from fault
tree analysis. The top event of the fault tree is normally a frequency of failure of some item
leading to a hazardous incident. This top event becomes the initiating event in the event tree
sequence. The top event in the fault tree may arise following the initiating event analyzed
using an event tree (e.g., loss of a protective system function). Note the difference in meaning
of the term initiating event between the applications of fault tree and event tree analysis. A
fault tree may have initiating events that lead to the single top event, but an event tree will
have only one initiating event which leads to many possible outcomes.
The construction of an event tree is sequential, and like fault tree analysis, it is top-down (or
left-right in the usual event tree convention). Analysis starts at the initiating event, and in time
sequence all relevant safety functions or events that could affect the outcome are entered.
Each branch of the event tree represents a separate outcome (event sequence). The sequence
of activities is shown in the logic diagram (Figure 19.6).
Figure 19.1 Example of Pre-Incident Event Tree – Excess Shuttle Tanker Stand-Off
Shuttle FPSO
Tanker
Excess Offset Alarm Fails? Excess Tension Alarm Fails? Quick Break-away Fails? OUTCOME
Yes Large spiill to sea

Yes
No Small spill to sea
Yes
Yes Large spill to sea
No
Excess Stand-off No Small spill to sea
1
Yes Large spill to sea
No
No Small spill to sea
Figure 19.2 Example of Pre-Incident Event Tree - Fire in the Engine Room
Fire in the Fire Fuel supply Ventilation Bulkheads Firefighting Consequences

engine room detected? shutdown? shutdown? intact? successful?
4.75 Fire contained
and extinguished
0.6
Yes 0.9 2.851 Fire contained
and extinguished
0.99
0.4
0.5 0.158 Fire contained
and extinguished
0.1
Fire in multiple
0.8 0.128
8.0 per year compartments
but extinguished
0.5
0.2
0.032 Fire not extinguished
Evacuation required
0.01 0.08 Fire not extinguished

Evacuation required
Figure 19.3 Example of Pre-Incident Event Tree – Failure of Protective Systems
Large Leak ESD fails? Deluge fails? Blowdown fails? Frequency Consequences
per year
0.0012 Long release
1.8 x 10-7
0.05 no deluge
~1 Long release
1.5 x 10-4
with deluge
0.08 Medium release
3 x 10 -3 2.7 x 10-8
1.2e-4 no deluge
per year
0.92 Short release
3.1 x 10-7
no deluge
0.95 0.08 Medium release
2.3 x 10-4
~1 with deluge
0.92 Short release

2.6 x 10-3
with deluge
Figure 19.4 Example of Post-Incident Event Tree - Flammable Release

Release of more Immediate Wind Delayed Strong orWeak Consequence
than 2 kg/s of Ignition towards TR Ignition Explosion
vapour C D E F
B ABCD Jet
0.05 0.2
ABCD
Jet
0.8 0.1 ABCDEF Strong Expl.
0.3
0.2 0.9 ABCDEF
Yes Weak Expl.
0.95
0.7 ABCDE No Ignition
Pipework
Release 0.33ABCDEF
Strong Expl.
A 0.3
0.8 0.67ABCDEF Weak Expl.
No
0.7 ABCDE No Ignition
AB Neglect
Figure 19.5 Example of Post-Incident Event Tree - Ship Collision

Hull Ho le d b e lo w Severe se a Flo o d ing not Ship Consequence
p enetra te d ? w a ter line? sta te ? c o nta ine d ? bec omes s
unsta b le?
Ship sinks
Ship sinks
Ship rem a ins

a flo a t
Ship sinks
Ship sinks
Ship
c o llisio n Ship rem a ins
a flo a t
Ship rem a ins
a flo a t
Ship rem a ins
a flo a t
Step 1 - Identify the Initiating Event
The initiating event might be a pipe leakage, a vessel rupture, an internal explosion, etc. The
frequency of this incident will have been estimated from historical records or by fault tree
analysis.
The event tree will be used to trace this incident through its various hazardous consequences.
The event tree will be simplest for incidents (e.g., toxic releases or internal explosions) which
have few different possible outcomes, and most complex for releases that are both flammable
and toxic as these have many possible outcomes.
Step 2 - Identify Safety Function/Hazard Factor and Determine Outcomes
A safety function is a device, action, or barrier that can prevent an incident precursor from
developing into an actual incident (often used in pre-incident analysis). A hazard factor is an
outcome branch that modifies the event analysis in some significant way (often used in
post-incident analysis).
Safety functions may be of many types, most of which can be characterized as having
outcomes of either success or failure on demand:
• Automatic safety systems.
• Alarms to alert operators.
• Operator action to mitigate incident.
• Mitigation system actions, such as quench systems, PRV, etc.
• Barriers or containment to limit effect of initiating event.
Hazard promoting factors are more varied and would include, for example:
• Ignition or no ignition of release.

• Explosion or flash fire.
• Liquid spill contained in dike or not.
• Daytime or night-time.
• Meteorological conditions.
The term “heading” is used to label a safety function or hazard factor. Most of the above
branches are binary choices, but this is not a constraint. Meteorological conditions may be
represented by a whole list, as consequences will vary depending on the particular combination
of wind speed, atmospheric stability, and wind direction.
The analyst must be careful to list all those headings that could affect materially the outcome
of the initiating event. These must be in chronological order of occurrence. Headings such as
ignition may appear more than once in the event tree depending on which branch is being
followed (see Figure 19.4).
Figure 19.6 Logic Diagram for Event Tree Analysis
Step 1 Identify the initiating

event
Identify safety function/ hazard

Step 2 and determine outcomes
Construct event tree through out

Step 3 all important outcomes
Classify the outcomes in categories

Step 4 of similar consequence
Estimate probability of each

Step 5 branch in the event tree
Step 6 Quantify the outcomes
Step 7 Test the outcomes
Step 3 - Construct the Event Tree
The event tree displays graphically the chronological progression of the event. The tree is
constructed (conventionally) left to right, starting with the initiating event. The event tree
displays the development of accident sequences, beginning with the initiating event and
proceeding to the control and safety system responses. The results are clearly defined
accidents that can result from the initiating event. An analyst tries to lay out actions of the
safety functions chronologically, although many times the events may occur almost
simultaneously. The analyst should carefully factor in the normal process control response to
upset conditions when evaluating the safety system response to upsets.
The first step in constructing the event tree is to enter the initiating event and safety functions
that apply to the analysis. The initiating event is listed on the left-hand side of the page, and
the safety functions are listed across the top of the page. Figure 19.7 shows the first
completed step for a generic accident. The line underneath the initiating event description
represents the progression of the accident path from the occurrence of the initiating event to
the first safety function.
The next step is to evaluate the safety function. Normally only two possibilities are
considered: success or failure of the safety function. The analyst should assume that the
initiating event has occurred, define the success/failure criteria for the safety function, and
decide whether the success or failure of the safety function affects the course of the accident.
If the accident is affected, the event tree divides (i.e., at a branch point) into two paths to
distinguish between the success and failure of the safety function. Normally, success of the
function is denoted by an upward path, and failure of the function, by a downward path. If the
safety function does not affect the course of the accident, the accident path proceeds, with no
branch point, to the next safety function. Letters (for example, A, B, C or D) are often used
to indicate success of the safety function, and “bars” over the letters indicate failure of the
function (for example, A ). For our example, the first safety function does affect the course of
the accident, as shown by the branch point depicted in
Figure 19.8.
Figure 19.7 First Step in Constructing an Event Tree
Initiating Safety Safety Safety

Event Function 1 Function 2 Function 3 Sequence Description
A B C D
Initiating
Event
A Success
Failure
Figure 19.8 Developing the First Safety Function in the Event Tree

A B C D
Initiating
Event
A Success
Failure
Every branch point developed in the event tree creates additional accident paths that must be
evaluated individually for each of the subsequent safety systems. When evaluating a safety
function on an accident path, the analyst must assume the previous successes and failures have
occurred as dictated by the path. This can be seen in the example when the second safety
function is evaluated (Figure 19.9). The upper path requires a branch point because the first
safety function was successful, but the second safety function can still affect the course of the
accident. The lower path allows the second safety function no opportunity to affect the course
of the accident if the first safety function fails. The lower accident path proceeds directly to
the third safety function.
Figure 19.10 shows the completed event tree for our example. The upper most accident path
has no branch point for the third safety function because, in the design of this system, an upset
does not challenge the third function if the first and second safety functions were successful.
The other accident paths contain branch points for the third safety function because it can still
affect the outcome of the accident paths. Some branches may be more fully developed than
others. In a pre-incident analysis, the final sequence might correspond to successful
termination of some initiating event or a specific failure mode.
This listing of the safe recovery and incident conditions is an important output of this analysis.
For a post-incident analysis, final results might correspond to specific incident types (e.g.,
BLEVE, VCE, flash fire, safe dispersal, etc.).
The event heading should be indicated at the head of the sheet, over the particular branch.
Each branch leaving a node should be labelled SUCCESS/FAILURE, YES/NO, or other label
as appropriate. It is usual to have SUCCESS or YES branch upwards, FAILURE and NO
branch downward. Safety functions or hazard factors may refer to all limbs of the event tree
or only to some (see Figure 19.6). Many analysts label each heading with a letter identifier
starting with the initiating event. Every final sequence can then be specified with a unique
letter combination (also shown in
Figure 19.8).
Step 4 - Classify the Outcomes
The objective in constructing the event tree is to identify important possible outcomes that
have a bearing in the risk analysis. Thus if the investigation of the potential for offsite fatalities
was the goal of the analysis, then only outcomes relevant to that need be developed. Branches
leading to lesser consequences can be left undeveloped. Where outcomes are of significance,
it is often adequate to stop at the incident itself (e.g. explosion, large toxic drifting vapour
cloud). The subsequent risk analysis calculations will consider further individual outcomes
(e.g., wind direction or atmospheric stability effects). Many outcomes developed through
different branches of the event tree will be similar (e.g. an explosion can arise from more than
one particular sequence of events, see Figure 19.6). The final outcomes determined above can
be classified according to type of consequence model that must be employed to complete the
analysis.
Figure 19.9 Developing the Second Safety Function in the Event Tree

A B C D
Initiating
Event
A Success
Failure
Figure 19.10 Developing the Third Safety Function in the Event Tree

A B C D
Accident Sequence Description for ABC
Accident Sequence Description for ABCD

Initiating
Event Accident Sequence Description for ABCD
A Success
Accident Sequence Description for ABD
Failure Accident Sequence Description for ABD
Step 5 - Estimate the Probability of an Event Tree Branch
Each heading in the event tree (other than the initiating event) usually corresponds to a
conditional probability of some outcome given the preceding event has occurred. Thus the
probabilities associated with each limb must sum to 1.0 for each heading. This is true for
binary or multiple limbs.
The source of such conditional probability data may be from historical records, component
reliability data, plant data, environmental data, or expert opinion. If expert opinion is used,
effort should be made to justify the values developed. It may be necessary to use fault tree
techniques to determine some probabilities, especially for complex safety systems encountered
in pre-incident analyses. This is unusual for post-incident analyses.
Step 6 - Quantify the Outcomes
The mathematics for evaluation of event trees is simple. The frequency of each outcome may
be determined by multiplying the initiating event frequency by the conditional probabilities
along each limb leading to the particular outcome. As a check, the sum of all the outcome
frequencies must equal the initiating event frequency. The above calculation assumes no
dependency among events or partial success or failure.
Step 7 - Test the Outcomes
As with fault trees, poor event trees analysis can lead to results which are inaccurate (e.g., due
to poor data) or incorrect (e.g., important branches have been omitted). It is an important
step in the analysis to review the results for common sense and against historical records. This
step is best done by an independent reviewer.
Analysts will require a complete understanding of the system and of the mechanisms that lead
to all possible hazardous outcomes. This may be in the form of a time sequence of instructions
or control actions, or in the sequence of physical events that lead to hazardous consequences,
(e.g., the spreading characteristics of a dense vapour cloud).
19.3 SAMPLE PROBLEM
The sample problem is a post-incident analysis of a large leakage of pressurized flammable

material from an isolated LPG storage tank. An engineering analysis of the problem indicates
that the potential consequences include BLEVE of the tank if the leak is ignited (either
immediately or by flashback). If the leak does not immediately ignite, it can drift toward a
populated area with several ignition sources and explode (a vapour cloud explosion; VCE), or
produce a flash fire. Other downwind areas have a lower probability of ignition. The data
relevant to the event tree are given in Table 19.1.
Using Table 19.1, an event tree is developed to predict possible outcomes from the leakage of
LPG. This event tree is not exhaustive. Not every outcome is developed to completion; some
events are terminated at entry points to specific consequence models. For example, three
outcomes are possible from BLEVEs (thermal impact, physical overpressure, and fragments).
In practice, these outcomes would be investigated separately in the BLEVE consequence
model calculation.
The event tree for the LPG leak initiating event is given in Table 19.2. From this, a total of six
outcomes are predicted. These outcomes and their predicted frequencies are given in Table
19.2.
The total frequency of all outcomes is a check to ensure that this equals the initiating event
frequency of 1 × 10-4 per year (i.e. 100.0 × 10-6 per year).
Table 19.1 Sample Event Tree Input Data
Event Frequency or Source of data

Probability
A. Large leakage of pressurized LPG 1.0 × 10-4 per year Fault Tree Analysis
B. Immediate ignition at tank 0.1 Expert option
C. Wind blowing toward populated area 0.15 Wind rose data
D. Delayed ignition near populated area 0.9 Expert opinion
E. VCE rather than flash fire 0.5 Historical data
F. Jet flame strikes the LPG tank 0.2 Tank layout geometry
Figure 19.11 Example Event Tree for LPG Storage Tank Release
Immediate Wind blowing Delayed VCE rather Jet flame

ignition toward ignition near than strikes the
at tank populated populated flash fire LPG tank
B area area E F
C D ABF
BLEVE
ABF Local Thermal
Hazard
Large leakage
of pressurized LPG ABCDE
VCE
A
ABCDEF Flash Fire
and BLEVE
ABCDEF
Flash Fire
Success
ABCD Safe:
- Effects away from people
Failure ABC Safe:

- Effects away from people
Table 19.2 Sample Event Tree Outcomes and Frequencies
Outcome Sequences leading to Frequency

outcome (per year)
BLEVE ABF 1.0 × 10-4 × 0.1 × 0.2
= 2.0 × 10-6
-4
Local thermal hazard AB F 1.0 × 10 × 0.1 × 0.8
= 8.0 × 10-6
VCE A B CDE 1.0 × 10-4 × 0.9 × 0.15 × 0.9 × 0.5
6.1 × 10-6
-4
Flash fire and BLEVE A B CD E F 1.0 × 10 × 0.9 × 0.15 × 0.9 × 0.5 × 0.2
= 1.2 × 10-6
-4
Flash fire A B CD E F 1.0 × 10 × 0.9 × 0.15 × 0.9 × 0.5 × 0.8
= 4.9 × 10-6
-4
Safe Dispersal ABCD + AB C (1.0 × 10 × 0.9 × 0.15 × 0.1)
+ (1.0 × 10-4 × 0.9 × 0.85)
= (1.35 × 10-6) + (76.5 × 10-6)
= 77.9 × 10-6
Total all outcomes = 100.0 × 10-6
19.4 OTHER ASPECTS OF EVENT TREE ANALYSIS
19.4.1 Advantages of Event Trees
Key advantages of event tree analysis are:
• Event trees portray the event outcome in a systematic, logical, self-documenting form that
is easily audited by others.
• The logical and arithmetic computations are simple and the format is usually compact.
• Pre-incident event trees highlight the value and potential weaknesses of protective systems,
especially indicating outcomes that lead directly to failures with no intervening protective
measures.
• Post-incident event trees highlight the range of outcomes that is possible from a given
incident, including domino incidents.
19.4.2 Problems with Event Trees
Some difficulties and problems commonly encountered with event tree analysis are:
• The event tree assumes all events to be independent, with any outcome conditional only on
the preceding outcome branch.
• Every node of an event tree doubles the number of outcomes (binary logic) and increases
the complexity of classification and combination of frequency.
• From a practical standpoint this limits the number of headings that can be reasonably
handled to 7 or 8.
19.4.3 Identification and Treatment of Possible Errors
Below are a series of points which commonly lead to errors, and hence need to be considered
in event tree analysis:
• If multiple fault trees are used to establish the frequencies of various nodes or decision
points, common cause failures or mutually exclusive events can arise that invalidate event
tree logic. These problems arise if the same basic event appears in the fault trees that are
used establish the probabilities of branching at the various event tree nodes.
− For example, an electrical power failure basic event may appear in several fault trees
that support an event tree. Failure by the risk analyst to recognise and deal with the
commonality of the electrical power failure basic event will result in serious errors.
− Independent review of final event trees is the best method to identify such faults.
• Errors can arise in the conditional probability data leading to major errors in the predicted
final outcome frequencies. The analyst should document sources of data employed to allow
for subsequent checking.
19.4.4 Strengths and Weaknesses
The strengths of event tree analysis are:
• It is widely used and well accepted.
• It is suitable for many hazards in QRA which arise from sequences of successive failures.
• It is a clear and logical form of presentation.
• It is simple and readily understood.
Its weaknesses are:
• It is not efficient where many events must occur in combination as it results in too many
redundant branches. FTA or Cause Consequence Analysis (CCA) are preferable for this.
• All events are assumed to be independent.
• It loses its clarity when applied to systems which do not fall into simple failed or working
states (e.g. human error, adverse weather etc.).

Module19 - Event Tree Analysis

Uploaded by

Module19 - Event Tree Analysis

Uploaded by

Risk ID & Assessment Training Course DNV Consulting

Module 19: Event Tree Analysis

EVENT TREE ANALYSIS

19. EVENT TREE ANALYSIS..........................................................................................1

19.1 BACKGROUND ....................................................................................................1

19.2 DESCRIPTION OF TECHNIQUE.........................................................................2

19.3 SAMPLE PROBLEM...........................................................................................14

19.4 OTHER ASPECTS OF EVENT TREE ANALYSIS ............................................17

19. EVENT TREE ANALYSIS

19.2 DESCRIPTION OF TECHNIQUE

Yes Large spiill to sea

Fire in the Fire Fuel supply Ventilation Bulkheads Firefighting Consequences

0.01 0.08 Fire not extinguished

Figure 19.3 Example of Pre-Incident Event Tree – Failure of Protective Systems

0.92 Short release

Figure 19.4 Example of Post-Incident Event Tree - Flammable Release

Figure 19.5 Example of Post-Incident Event Tree - Ship Collision

Ship rem a ins

Step 1 - Identify the Initiating Event

Step 2 - Identify Safety Function/Hazard Factor and Determine Outcomes

• Ignition or no ignition of release.

Figure 19.6 Logic Diagram for Event Tree Analysis

Step 1 Identify the initiating

Identify safety function/ hazard

Construct event tree through out

Classify the outcomes in categories

Estimate probability of each

Step 6 Quantify the outcomes

Step 7 Test the outcomes

Step 3 - Construct the Event Tree

Figure 19.7 First Step in Constructing an Event Tree

Initiating Safety Safety Safety

Initiating Safety Safety Safety

Step 4 - Classify the Outcomes

Initiating Safety Safety Safety

Initiating Safety Safety Safety

Accident Sequence Description for ABCD

Failure Accident Sequence Description for ABD

Step 5 - Estimate the Probability of an Event Tree Branch

Step 6 - Quantify the Outcomes

Step 7 - Test the Outcomes

19.3 SAMPLE PROBLEM

The sample problem is a post-incident analysis of a large leakage of pressurized flammable

Table 19.1 Sample Event Tree Input Data

Event Frequency or Source of data

Immediate Wind blowing Delayed VCE rather Jet flame

Failure ABC Safe:

Table 19.2 Sample Event Tree Outcomes and Frequencies

Outcome Sequences leading to Frequency

19.4 OTHER ASPECTS OF EVENT TREE ANALYSIS

19.4.1 Advantages of Event Trees

Key advantages of event tree analysis are:

19.4.2 Problems with Event Trees

19.4.3 Identification and Treatment of Possible Errors

19.4.4 Strengths and Weaknesses

The strengths of event tree analysis are:

• It is widely used and well accepted.

• It is a clear and logical form of presentation.

• It is simple and readily understood.

Its weaknesses are:

• All events are assumed to be independent.

You might also like