fredag den 12. februar 2010

Quantitative Risk Analysis


In some situations the qualitative risk analysis or the ALARP principle is insufficient: The safety people are torn and disagrees internally. Consequently, it is time to use the heavier "quantitative risk analysis"-tool.
The fault tree is integrated into Excel and models a scenario, where a passenger is trapped between closing doors. (All numbers and technical barriers are hypothetical).



Interpretation

The quantitative risk analysis is the right way to estimate the frequency of a hazard.
It removes personal obsessions from a safety problem and ensures that the discussions are conducted on an objective basis.
The fault tree above concerns a commuter fleet operating 365 days pr. year with 80 trains with 100 departures pr train pr. day. This result in c = 2.9E-06 departures every year pr. fleet.
In order to have an accident, there have to be squeezed a passenger arm, leg or items like e.g. a baby carriage, umbrella etc. between the closing doors. This is judged to happen continuously when passengers passes the doors, meaning d = 1.
There are three barriers that prevent the hazard:
A human based departure procedure, where the train driver looks out of the window and checks the doors before departure (e). It is estimated that the driver miss a check every 4'Th day due to distraction or lacking of concentration, meaning e = 1/(4*b).
There are also two technical functions:
- A traction blocking that prevents the train from driving if the door controllers indicate the doors are open (f). This function is part of the train computer and is expected to be reliable with a failure rate of 1 failure pr. 1,000,000 departures.
- A trap detection system in the door controller that prevents the passengers from being squeezed in a closing door (g). This function is sensitive to door mechanics; the FRACAS system indicates a failure rate of 1 failure pr. 10,000 departures.
As it can be seen we will end up having an accident where the train departs with a passenger trapped between doors every year. The Safety department has recorded an incident the recent year, indicating the fault tree is trustable.
Can we accept this? What are our quantitative acceptance criterion? It should be written and stated in the safety management system of the Operator.
The safety management now decides that the above result is unacceptable. We can only allow the hazard to occur every 10,000'End year.
A deeper analysis shows that the failures on the detection function only occurs for thin objects like a small child's arm.
It is judged that the detection system in the daily life is activated by large objects like a person; thin objects only occurs 3 times pr. day, meaning d = 3/b.
The sensors are adjusted and a maintenance program introduced; the following test result shows an improved reliability in the area of 1 failure pr. 100,000 departures (g).
An additional departure procedure is introduced stating the train conductor has to supervise the train doors before departure in front of a dedicated door. A new technical feature makes it possible to firstly close the other doors and finally, the train conductor enters the last door before departure. The improved procedure is expected to be more reliable with an estimated human failure rate of 1 failure pr. 10,000 departures (e).
These mitigating actions result in a dramatically lowering of the frequency of the hazard to app. 10,000 years between accidents, hereby fulfilling the acceptance criterion.
  

As a side effect, the analysis proves the importance of the departure procedure and the detection function.

The old rule, KISS, (Keep It Simple Stupid) is recommended for quantitative analysis. The fault trees easily swell up into large trees with several undocumented values based on engineering judgement. This only starts new discussions instead.

Next chapter >> 4.5 Common Cause Failures (CCF)

Focus on the Source

The "Guide to the application of EN 50126-1 for safety", TR 50126-2: Feb. 2007, concerns risk modelling and quantitative risk models.

Chapter 5.2, "Generic Risk Model" says:

Modelling predominantly represents a simplification and generalisation of reality but, enhances our understanding of causal relationships, highlights important factors and provides a useful tool for anticipation and potentially prediction of future.
A risk model may be created for a specific task (e.g., occurrence of a hazard, a combination of hazards, an operation, a sub-system, etc.) for a particular application or for a whole railway system by applying the risk assessment process to the relevant task or to the railway system.
[.....]
Developing a risk model for a whole railway system is a demanding task [....] the report does not recommend a single generic risk model for a whole railway system. [....]
Annex D lists essential steps for building such a model [....]

10 kommentarer:

Adoracionamalia sagde ...

I think the gate of technical barriers must be OR gate instead of AND gate and so the final solution is less restrictive.

In the second fault tree I think both gates have to be OR gates and have to exist other top AND gate. In total three gates.

Congratulations for your site!

Troels Winther sagde ...

Thank you.

You are completely right. I have updated the post. Hopefully, it is better now.

appicharlak sagde ...

The UK Case Law No.5 does not allow risk definition to be stated in mere mathematical terms. It requires the employer to take active steps to eliminate the hazard to prevent accident from taking place. This type of action is not recognised in the European Norms for Railways. The system approach to safety is not catered to in this sector. Therefore, to claim that EN 50126 provides for something beyound the ALARP Principle and IEC 61508 is a statement made without understanding the UK HSE good practices. Several papers have been published on the topic of railway safety in the proceedings of the International System Conferences organised by the IET which refute the position advanced on this blog.

Troels Winther sagde ...

@Appicharlak

Thank you for your comment.

The Safety Plan has to be accepted by the Safety Authority. This will be a suitable place to write down any laws that has to be followed.

The UK Case Law No. 5 seems to be a guard against cases where a quantitative risk analysis proves something that is contrary to common sense like e.g. that an ordinary PC with a home made software program can be used as an interlocking system on a desolate line. In such a case I think Safety Authorities and Assessors would give the ALARP principles higher priority and recommend the installation of an approved interlocking system instead.

Carol sagde ...

This is an amazing analysis. I'm not usually scared of the train but I think I'd be more cautious now.

appicharlak sagde ...

@ Troels

Thanks for your reply and your efforts to spread awareness.

But I would be hard pressed to look for the Safety Authority who has safety awareness.

Here is how safety is delegated to the front line staff.
http://www.raib.gov.uk/cms_resources.cfm?file=/Bulletin%20(Seaburn)%2002-2011.pdf

In comparison, here is how safety is treated first:
http://www.nucor.com/story/chapter3/

Unknown sagde ...

Super post,keep sharing this useful information
Best safety courses training institute in chennai
nebosh training institute in chennai

harrishvijay sagde ...
Denne kommentar er fjernet af forfatteren.
harrishvijay sagde ...

Thanks for sharing good information. Keep posting.

ISO Lead auditor course in Bahrain

Buy Adderall Online sagde ...

Get the great reference, Purchase Order Software Organizer is a business program that provides easy and speedy management of entire sales and purchase orders for your organization with error free data entry records.
Also provide