Chapter 12 • Risk Assessment
12-1 Review of Probability Theory (p. 557)

A dangerous high-pressure reactor situation occurs only when both the alarm system and the shutdown system fail. These two components are in parallel.

For the alarm system the components are in series:

$R = \prod_{i=1}^{2} R_i = (0.87)(0.96) = 0.835,$
$P = 1 - R = 1 - 0.835 = 0.165,$
$\mu = -\ln R = -\ln(0.835) = 0.180 \text{ faults/yr},$
$\text{MTBF} = \frac{1}{\mu} = 5.56 \text{ yr}.$

For the shutdown system the components are also in series:

$R = \prod_{i=1}^{2} R_i = (0.87)(0.66) = 0.574,$
$P = 1 - R = 1 - 0.574 = 0.426,$
$\mu = -\ln R = -\ln(0.574) = 0.555 \text{ faults/yr},$
$\text{MTBF} = \frac{1}{\mu} = 1.80 \text{ yr}.$

The two systems are combined using Equation 12-6:

$P = \prod_{i=1}^{2} P_i = (0.165)(0.426) = 0.070,$
$R = 1 - P = 0.930,$
$\mu = -\ln R = -\ln(0.930) = 0.073 \text{ faults/yr},$
$\text{MTBF} = \frac{1}{\mu} = 13.7 \text{ yr}.$

For the alarm system alone a failure is expected once every 5.5 yr. Similarly, for a reactor with a high-pressure shutdown system alone, a failure is expected once every 1.80 yr. However, with both systems in parallel the MTBF is significantly improved and a combined failure is expected every 13.7 yr.

The overall failure probability is given by $P = P(A)P(S)$, where $P(A)$ is the failure probability of the alarm system and $P(S)$ is the failure probability of the emergency shutdown system. An alternative procedure is to invoke Equation 12-9 directly. For the alarm system

$P(A) = P_1 + P_2 - P_1 P_2.$

For the shutdown system

$P(S) = P_3 + P_4 - P_3 P_4.$

The overall failure probability is then

$P = P(A)P(S) = (P_1 + P_2 - P_1 P_2)(P_3 + P_4 - P_3 P_4).$

Substituting the numbers provided in the example, we obtain

$P = [0.13 + 0.04 - (0.13)(0.04)][0.34 + 0.13 - (0.34)(0.13)] = (0.165)(0.426) = 0.070.$

This is the same answer as before. If the products $P_1 P_2$ and $P_3 P_4$ are assumed to be small, then $P(A) = P_1 + P_2$, $P(S) = P_3 + P_4$, and

$P = P(A)P(S) = (P_1 + P_2)(P_3 + P_4) = 0.080.$

The difference between this answer and the answer obtained previously is 14.3%.
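Example 12-2 worked in code, as an added illustration that is not part of the textbook: the series and parallel combination rules, the exact Equation 12-9 form, and the size of the error made when the cross-products $P_1P_2$ and $P_3P_4$ are dropped. The only inputs are the four annual component failure probabilities quoted in the example; the relative error comes out near 14% (the text's 14.3% reflects its intermediate rounding).

```python
# Added example (not the textbook's code): Example 12-2 with the page's formulas.
import math
from functools import reduce
from operator import mul


def series_reliability(reliabilities):
    """Components in series: all must work, so R = prod R_i."""
    return reduce(mul, reliabilities, 1.0)


def parallel_failure(failure_probs):
    """Components in parallel, Equation 12-6: all must fail, so P = prod P_i."""
    return reduce(mul, failure_probs, 1.0)


def failure_rate(reliability):
    """mu = -ln R, in faults/yr when R is the one-year reliability."""
    return -math.log(reliability)


def two_in_series_exact(p1, p2):
    """Equation 12-9: P = P1 + P2 - P1*P2."""
    return p1 + p2 - p1 * p2


def two_in_series_approx(p1, p2):
    """Equation 12-9 with the cross-product P1*P2 dropped."""
    return p1 + p2


def example_12_2(p_alarm=(0.13, 0.04), p_shutdown=(0.34, 0.13)):
    """Failure probability of the alarm + shutdown protection (in parallel),
    exactly and with the small-cross-product approximation."""
    # Series route via reliabilities (R_i = 1 - P_i) must agree with Eq. 12-9.
    p_alarm_via_r = 1.0 - series_reliability([1.0 - p for p in p_alarm])
    exact = [two_in_series_exact(*p_alarm), two_in_series_exact(*p_shutdown)]
    approx = [two_in_series_approx(*p_alarm), two_in_series_approx(*p_shutdown)]
    p_exact = parallel_failure(exact)       # 0.070 in the text
    p_approx = parallel_failure(approx)     # 0.080 in the text
    mu = failure_rate(1.0 - p_exact)        # 0.073 faults/yr
    return {
        "P_alarm": exact[0],
        "P_alarm_via_R": p_alarm_via_r,
        "P_shutdown": exact[1],
        "P_exact": p_exact,
        "P_approx": p_approx,
        "MTBF_yr": 1.0 / mu,                # about 13.7 yr
        "approx_rel_error": (p_approx - p_exact) / p_exact,
    }
```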
The component probabilities are not small enough in this example to assume that the cross-products are negligible.

Revealed and Unrevealed Failures

Example 12-2 assumes that all failures in either the alarm or the shutdown system are immediately obvious to the operator and are fixed in a negligible amount of time. Emergency alarms and shutdown systems are used only when a dangerous situation occurs. It is possible for the equipment to fail without the operator being aware of the situation. This is called an unrevealed failure. Without regular and reliable equipment testing, alarm and emergency systems can fail without notice. Failures that are immediately obvious are called revealed failures. A flat tire on a car is immediately obvious to the driver. However, the spare tire in the trunk might also be flat without the driver being aware of the problem until the spare is needed.

Figure 12-6 shows the nomenclature for revealed failures. The time that the component is operational is called the period of operation and is denoted by $\tau_o$. After a failure occurs, a period of time, called the period of inactivity or downtime ($\tau_r$), is required to repair the component. The MTBF is the sum of the period of operation and the downtime, as shown.

[Figure 12-6: Component cycles for revealed failures. Component status (operational/failed) versus time, marking "component fails", "component repaired", the period of operation $\tau_o$, the repair period $\tau_r$, and the MTBF. A failure requires a period of time for repair.]

For revealed failures the period of inactivity or downtime for a particular component is computed by averaging the inactive period for a number of failures:

$\tau_r = \frac{1}{n}\sum_{i=1}^{n} \tau_{r,i}, \qquad (12\text{-}12)$

where $n$ is the number of times the failure or inactivity occurred and $\tau_{r,i}$ is the period for repair for a particular failure. Similarly, the time before failure or period of operation is given by

$\tau_o = \frac{1}{n}\sum_{i=1}^{n} \tau_{o,i}, \qquad (12\text{-}13)$

where $\tau_{o,i}$ is the period of operation between a particular set of failures.

The MTBF is the sum of the period of operation and the repair period:

$\text{MTBF} = \frac{1}{\mu} = \tau_r + \tau_o. \qquad (12\text{-}14)$

It is convenient to define an availability and unavailability. The availability $A$ is simply the probability that the component or process is found functioning. The unavailability $U$ is the probability that the component or process is found not functioning. It is obvious that

$A + U = 1. \qquad (12\text{-}15)$

The quantity $\tau_o$ represents the period that the process is in operation, and $\tau_r + \tau_o$ represents the total time. By definition, it follows that the availability is given by

$A = \frac{\tau_o}{\tau_r + \tau_o} \qquad (12\text{-}16)$

and, similarly, the unavailability is

$U = \frac{\tau_r}{\tau_r + \tau_o}. \qquad (12\text{-}17)$

By combining Equations 12-16 and 12-17 with the result of Equation 12-14, we can write the equations for the availability and unavailability for revealed failures:

$U = \mu\tau_r, \qquad A = \mu\tau_o. \qquad (12\text{-}18)$

For unrevealed failures the failure becomes obvious only after regular inspection. This situation is shown in Figure 12-7. If $\tau_u$ is the average period of unavailability during the inspection interval and if $\tau_i$ is the inspection interval, then

$U = \frac{\tau_u}{\tau_i}. \qquad (12\text{-}19)$

The average period of unavailability is computed from the failure probability:

$\tau_u = \int_0^{\tau_i} P(t)\,dt. \qquad (12\text{-}20)$

Combining with Equation 12-19, we obtain

$U = \frac{1}{\tau_i}\int_0^{\tau_i} P(t)\,dt. \qquad (12\text{-}21)$

[Figure 12-7: Component cycles for unrevealed failures. Component status (operational/failed) versus time, marking "component fails", "component repaired", the inspection interval $\tau_i$, the period of unavailability $\tau_u$, and "failure not noticed until inspection".]

The failure probability $P(t)$ is given by Equation 12-2. This is substituted into Equation 12-21 and integrated. The result is

$U = 1 - \frac{1}{\mu\tau_i}\left(1 - e^{-\mu\tau_i}\right). \qquad (12\text{-}22)$

An expression for the availability is

$A = \frac{1}{\mu\tau_i}\left(1 - e^{-\mu\tau_i}\right). \qquad (12\text{-}23)$

If the term $\mu\tau_i \ll 1$, then the failure probability is approximated by

$P(t) \approx \mu t, \qquad (12\text{-}24)$

and Equation 12-21 is integrated to give, for unrevealed failures,

$U = \tfrac{1}{2}\mu\tau_i. \qquad (12\text{-}25)$

This is a useful and convenient result.
It demonstrates that, on average, for unrevealed failures the process or component is unavailable during a period equal to half the inspection interval. A decrease in the inspection interval is shown to increase the availability of a component subject to unrevealed failures.

Equations 12-19 through 12-25 assume a negligible repair time. This is usually a valid assumption because on-line process equipment is generally repaired within hours, whereas the inspection intervals are usually monthly.

Example 12-3

Compute the availability and the unavailability for both the alarm and the shutdown systems of Example 12-2. Assume that a maintenance inspection occurs once every month and that the repair time is negligible.

Solution

Both systems demonstrate unrevealed failures. For the alarm system the failure rate is $\mu = 0.18$ faults/yr. The inspection period is $1/12 = 0.083$ yr. The unavailability is computed using Equation 12-25:

$U = \tfrac{1}{2}\mu\tau_i = (1/2)(0.18)(0.083) = 0.0075,$
$A = 1 - U = 0.992.$

The alarm system is available 99.2% of the time.

For the shutdown system $\mu = 0.55$ faults/yr. Thus

$U = \tfrac{1}{2}\mu\tau_i = (1/2)(0.55)(0.083) = 0.023,$
$A = 1 - 0.023 = 0.977.$

The shutdown system is available 97.7% of the time.

Probability of Coincidence

All process components demonstrate unavailability as a result of a failure. For alarms and emergency systems it is unlikely that these systems will be unavailable when a dangerous process episode occurs. The danger results only when a process upset occurs and the emergency system is unavailable. This requires a coincidence of events.

Assume that a dangerous process episode occurs $p_d$ times in a time interval $\tau_i$. The frequency of this episode is given by

$\lambda = \frac{p_d}{\tau_i}. \qquad (12\text{-}26)$

For an emergency system with unavailability $U$, a dangerous situation will occur only when the process episode occurs and the emergency system is unavailable. This coincidence occurs $p_d U$ times in the interval.
The average frequency of dangerous episodes $\lambda_d$ is the number of dangerous coincidences divided by the time period:

$\lambda_d = \frac{p_d U}{\tau_i} = \lambda U. \qquad (12\text{-}27)$

For small failure rates $U = \tfrac{1}{2}\mu\tau_i$ and $p_d = \lambda\tau_i$. Substituting into Equation 12-27 yields

$\lambda_d = \tfrac{1}{2}\lambda\mu\tau_i. \qquad (12\text{-}28)$

The mean time between coincidences (MTBC) is the reciprocal of the average frequency of dangerous coincidences:

$\text{MTBC} = \frac{1}{\lambda_d} = \frac{2}{\lambda\mu\tau_i}. \qquad (12\text{-}29)$

Example 12-4

For the reactor of Example 12-3 a high-pressure incident is expected once every 14 months. Compute the MTBC for a high-pressure excursion and a failure in the emergency shutdown device. Assume that a maintenance inspection occurs every month.

Solution

The frequency of process episodes is given by Equation 12-26:

$\lambda = 1 \text{ episode} / [(14 \text{ months})(1 \text{ yr}/12 \text{ months})] = 0.857/\text{yr}.$

The unavailability is computed from Equation 12-25:

$U = \tfrac{1}{2}\mu\tau_i = (1/2)(0.55)(0.083) = 0.023.$

The average frequency of dangerous coincidences is given by Equation 12-27:

$\lambda_d = \lambda U = (0.857)(0.023) = 0.020.$

The MTBC is (from Equation 12-29)

$\text{MTBC} = \frac{1}{\lambda_d} = \frac{1}{0.020} = 50 \text{ yr}.$

It is expected that a simultaneous high-pressure incident and failure of the emergency shutdown device will occur once every 50 yr. If the inspection interval $\tau_i$ is halved, then U = 0.023, $\lambda_d = 0.010$, and the resulting MTBC is 100 yr. This is a significant improvement and shows why a proper and timely maintenance program is important.
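The unrevealed-failure and coincidence results above (Equations 12-22, 12-25 and 12-27 to 12-29) carried through in code, as an added example that is not part of the textbook. It uses the shutdown-system rate of Example 12-3 and the episode frequency of Example 12-4, compares the exact unavailability of Equation 12-22 with the $\tfrac{1}{2}\mu\tau_i$ approximation, and shows how the MTBC scales with the inspection interval; the per-month figures differ slightly from the text because no intermediate rounding is done.

```python
# Added example (not the textbook's code). Units: failure rate mu in faults/yr,
# episode frequency lam in episodes/yr, inspection interval tau_i in yr.
import math


def unavailability_exact(mu, tau_i):
    """Equation 12-22: U = 1 - (1 - exp(-mu*tau_i)) / (mu*tau_i)."""
    x = mu * tau_i
    return 1.0 - (1.0 - math.exp(-x)) / x


def unavailability_approx(mu, tau_i):
    """Equation 12-25, valid when mu*tau_i << 1: U = mu*tau_i / 2."""
    return 0.5 * mu * tau_i


def coincidence_rate(lam, unavailability):
    """Equation 12-27: lambda_d = lambda * U (dangerous coincidences per yr)."""
    return lam * unavailability


def mtbc(lam, mu, tau_i):
    """Equation 12-29: MTBC = 2 / (lambda * mu * tau_i), in yr."""
    return 2.0 / (lam * mu * tau_i)


def inspection_study(lam, mu, intervals_yr):
    """For each inspection interval return (tau_i, U_exact, U_approx, MTBC).
    Halving tau_i halves U (Eq. 12-25) and therefore doubles the MTBC."""
    return [
        (tau_i,
         unavailability_exact(mu, tau_i),
         unavailability_approx(mu, tau_i),
         mtbc(lam, mu, tau_i))
        for tau_i in intervals_yr
    ]


if __name__ == "__main__":
    lam = 12.0 / 14.0   # one high-pressure episode every 14 months (Example 12-4)
    mu = 0.55           # shutdown system failure rate (Example 12-3)
    # Monthly, fortnightly, and (to show the approximation breaking down) yearly.
    for tau_i, u_ex, u_ap, t in inspection_study(lam, mu, [1 / 12, 1 / 24, 1.0]):
        print(f"tau_i={tau_i:.4f} yr  U_exact={u_ex:.4f}  "
              f"U_approx={u_ap:.4f}  MTBC={t:.1f} yr")
```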