Every low-probability, high-consequence adverse incident or catastrophic operational failure at a production or processing facility, such as a chemical plant, a fluid catalytic cracking unit (FCCU) at a petroleum refinery, a nuclear power plant, or a biological or waste-management facility, is preceded by many high-probability, low-consequence events. Some of these are recognized by alarms or are classed as near-misses; others remain hidden within what is regarded as normal operation (Pariyani et al., Ind. Eng. Chem. Res. 49:8062-8079 (2010a); Pariyani et al., 20th European Symposium on Computer Aided Process Engineering (ESCAPE) 28:175-180 (2010b)). An ideal risk management system for the plant would account for these near-misses, especially the hidden ones, and develop indicators that warn operators in advance of undesirable incidents that are likely to occur. Such knowledge is particularly valuable for unmanned plants and facilities.
In the following situations, for example, the public has been harmed by industrial accidents, adverse events, and catastrophic failures that could have been avoided with a dynamic risk analyzer (DRA) system. The website of the US Chemical Safety Board (www.csb.gov) carries numerous reports of accidents at chemical manufacturing facilities in recent years that cost lives as well as property damage. Two themes recur in the analyses of these accidents: a) a lack of preventive maintenance, and b) a lack of attention to process near-misses. Moreover, billions of dollars are lost every year in the manufacturing industry to “trips” (unexpected shutdowns caused by malfunction of equipment and/or control systems) at operating plants and facilities. For instance, US refineries have recorded losses of $6 billion per year from unexpected shutdowns and associated incidents in crude and fluid catalytic cracking (FCC) units.
A further condition, frequently observed in manufacturing and processing facilities, is the silencing (muting) of alarms regarded as nuisances. These alarms activate so often that operators come to consider them unimportant disturbances of normal operation, and they are turned off or ignored, much like fire drills in office buildings. Such actions negate the value of the alarm system. For example, at an offshore refinery facility visited by the inventors in 2011, most of the “low priority” alarms had been silenced. Indeed, one reason the 2010 BP offshore accident in the Gulf of Mexico (in which 11 people died and 17 were injured) was not identified in its early stages was that an alarm had been silenced after repeatedly going off in the middle of the night and waking the workers.
Most safety activities are reactive rather than proactive; as a result, many organizations wait for losses to occur before taking steps to prevent a recurrence. Near-miss incidents often precede loss-producing events, but they are either hidden within process operations and the related data or are largely ignored because no injury, damage, or loss actually occurred. Many opportunities to prevent an accident or adverse incident are thus lost. Recognizing and reporting near-miss incidents, particularly measurable ones (for example, those captured by alarms in an alarm-monitored plant or facility, or revealed by comparative data), can make a major difference to the safety of workers within organizations, and often to the public at large, as in the case of a nuclear-powered facility where a systems failure poses a very high level of risk. History has repeatedly shown that most loss-producing events (accidents) were preceded by warnings or near-misses.
Fault tree analysis (FTA) is a logical graphical method used to evaluate the reliability of complex engineering systems from qualitative and quantitative perspectives. Fault trees provide a graphical representation of combinations of component failures leading to an undesired system failure. However, in many situations, the behavior of components in a complex system and their interactions, such as failure priority, sequentially dependent failures, functional dependent failures, and dynamic redundancy management, cannot be adequately addressed by traditional fault trees due to their limited modeling capacity.
A major disadvantage of the traditional FTA is its inability to capture sequence dependencies in the system while still allowing an analytic solution. Dynamic gates may be employed to address this disadvantage. There are four major types of dynamic gates: (1) priority-AND gates (PAND gates); (2) functional dependency gates (FDEP gates); (3) sequence enforcing gates (SEQ gates); and (4) spare gates.
PAND gates have two inputs, A and B, both of which may be basic events or the output of other logic gates. The output of this gate is true if both inputs have occurred and A occurred before B.
FDEP gates include a trigger input (either a basic event or the output of another gate) and one or more dependent events. The dependent events rely upon the trigger event: when the trigger event occurs, the dependent basic events are forced to occur as well, and the output becomes true.
SEQ gates fire only if their inputs fail in a particular order; they are not true if the failures occur in any other order. The difference between SEQ gates and PAND gates is that a SEQ gate allows events to occur only in the pre-specified order and asserts that any other failure sequence is impossible. PAND gates do not impose such a strong assumption: they simply detect the failure order, and the gate fires when the observed order matches the specified one.
Spare gates typically include one principal component that can be substituted by one or more backups having the same function as the principal component. If the primary unit fails, the first alternate component begins to function. The output does not become true until the primary and all of its replacements have failed.
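The four dynamic gates above are easiest to understand when evaluated over a concrete failure history. The following Python module is an added illustration and is not code from the patent or from any fault-tree tool; the component names, the "cooling-loss" tree and the failure times are constructed for the example, and the spare gate assumes cold spares (a spare does not age until the component before it has failed). Each basic event is given the time at which it failed, or None if it never did, and each gate returns the time at which its output becomes true, so gates compose into a tree whose root yields the top-event time.

```python
"""Dynamic fault-tree gates (PAND, FDEP, SEQ, cold SPARE) over a failure history.

Times are hours; None means "has not failed". Each gate returns the time its
output becomes true, or None. Names and data below are constructed examples.
"""
from __future__ import annotations

from typing import Optional, Sequence

Time = Optional[float]


def and_gate(*inputs: Time) -> Time:
    """Static AND: true once every input has occurred (time of the last one)."""
    if any(t is None for t in inputs):
        return None
    return max(t for t in inputs if t is not None)


def or_gate(*inputs: Time) -> Time:
    """Static OR: true as soon as any input occurs."""
    occurred = [t for t in inputs if t is not None]
    return min(occurred) if occurred else None


def pand_gate(a: Time, b: Time) -> Time:
    """Priority-AND: both occurred and A strictly before B.
    Reversed or simultaneous failures do not fire the gate."""
    if a is None or b is None or not a < b:
        return None
    return b


def fdep_gate(trigger: Time, dependents: dict[str, Time]) -> tuple[Time, dict[str, Time]]:
    """Functional dependency: when the trigger occurs, every dependent event is
    forced to occur at that moment unless it had already failed earlier.
    Returns the gate output (the trigger time) and the updated event times."""
    if trigger is None:
        return None, dict(dependents)
    forced = {name: t if (t is not None and t <= trigger) else trigger
              for name, t in dependents.items()}
    return trigger, forced


class SequenceViolation(ValueError):
    """Observed failure times contradict the fixed order a SEQ gate asserts."""


def seq_gate(inputs: Sequence[Time]) -> Time:
    """Sequence-enforcing: inputs can only fail in the listed order, so an
    out-of-order history is a modelling error, not merely a non-firing.
    Output is the time of the last input once all have failed."""
    last: Time = None
    pending = False  # an earlier input in the list has not failed yet
    for t in inputs:
        if t is None:
            pending = True
        elif pending or (last is not None and t < last):
            raise SequenceViolation(f"order {list(inputs)} is impossible for a SEQ gate")
        else:
            last = t
    return None if pending else last


def seq_history_is_consistent(inputs: Sequence[Time]) -> bool:
    """True if the history could have been produced under the SEQ constraint."""
    try:
        seq_gate(inputs)
    except SequenceViolation:
        return False
    return True


def spare_gate(primary: Time, spare_lifetimes: Sequence[Time]) -> Time:
    """Cold-spare gate (assumption: idle spares do not age). The primary runs
    from t=0; each spare starts when its predecessor fails and lasts its own
    lifetime. Output is true once the primary and all spares have failed."""
    clock = primary
    for life in spare_lifetimes:
        if clock is None or life is None:
            return None
        clock += life
    return clock


def top_event(h: dict[str, Time]) -> Time:
    """Constructed cooling-loss tree: top event if the pump train (primary plus
    two cold spares) is exhausted, OR a power-bus failure takes out both
    controllers (FDEP) after the high-temperature sensor had already failed
    (PAND), so no automatic trip follows."""
    pumps = spare_gate(h["pump_main"], [h["pump_spare1"], h["pump_spare2"]])
    _, ctrl = fdep_gate(h["power_bus"], {"ctrl_a": h["ctrl_a"], "ctrl_b": h["ctrl_b"]})
    controllers_down = and_gate(ctrl["ctrl_a"], ctrl["ctrl_b"])
    silent_trip = pand_gate(h["temp_sensor"], controllers_down)
    return or_gate(pumps, silent_trip)


# Constructed failure history (hours); None means the component never failed.
HISTORY: dict[str, Time] = {
    "pump_main": 500.0, "pump_spare1": 300.0, "pump_spare2": None,
    "power_bus": 900.0, "ctrl_a": None, "ctrl_b": None, "temp_sensor": 850.0,
}

if __name__ == "__main__":
    print("top event at", top_event(HISTORY))  # 900.0
    print("sensor fails after power:", top_event({**HISTORY, "temp_sensor": 950.0}))  # None
```

In the constructed history the pump train never exhausts (the second spare never fails), so the top event is reached at 900 h solely through the PAND branch: the sensor failed at 850 h, and the power-bus failure at 900 h forces both controllers down via the FDEP gate. Moving the sensor failure to 950 h reverses the order and the same tree no longer fires, which is exactly the sequence information a static AND gate would discard. The SEQ gate, by contrast, treats a reversed order as an inconsistency in the model and raises rather than returning None.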
Thus there is a need, not met until the present invention, for a “dynamic risk analyzer” (DRA) system that periodically analyzes real-time and historical data to assess operational risks, identifies near-misses in alarm-based and non-alarm-based process variables that are hidden within normal operating conditions, and sends alert signals and/or reports that expose the hidden risk so that adverse incidents or failures can be reduced or prevented.