624 5 Safety and Risk i n Engineering Design
in an information integrated technology (IIT) program considered in Sect. 3.3.3.4
and illustr ated in Fig. 3.46.
The beta factor model is extensively used in predictions, in which the appropri-
ate values for beta are selected on the basis of expert engineering judgement. The
problem with the model, though, is the lack of any detailed data for generic sys-
tems, assemblies and components, to provide an adequate assessment of safety in
engineering design—especially in the preliminary design phase. As a result, quite
large beta factors have been applied without any justification, and caution needs to
be exercised when selecting these beta values, otherwise the estimates will give un-
justifiably pessimistic results with possible over-design of safety-related systems.
A somewhat different approach to the beta factor model has thus been taken in
which the beta values are not used but predictions are made directly from event
data using expert judgment. This approach necessitates identifying the root causes
of failure and the likelihood of generating simultaneous failures in similar equip-
ment (Hughes 1987). Fundamentally, the basis of this approach, typical to IIT, is to
represent the variability of a component failure probability by distributions that can
be estimated directly from a relatively small d atabase. However, some researchers
have pointed out the deficiencies of expert engineering judgement as applied to
common cause failures, and contend that analysis of such failures is a knowledge-
based decision process and, therefore, is itself subject to error or uncertainty (Do-
erre 1987).
b) Problems with Applying CCF in Safety and Risk Analysis
for Engineering Design
Problems with applying CCF in safety and risk analysis for engineering design as-
sessment in the preliminary design phase can thus be reviewed.
These problems are summarised as (Hanks 1998):
• The lack of a suitable comprehensive database for CCF.
• Use of simple CCF models giving pessimistic results for redundancy systems.
• The assumption that similar components will be similarly affected.
• Errors in understanding the nature of CCF and applying the appropriate method-

ology.
Various alternative models that refine the beta factor method have thus been pro-
posed, such as a binomial failure rate model that assumes that a component has
a constant independent failure rate and a susceptibility to common cause sho cks at
a constant rate (NUREG/CF-1401 1980). This has been extended to include com-
mon cause shocks that do not necessarily result in catastrophic failure. A practical
method of common cause failure modelling modifies the beta factor model to take
account of the levels o f redundancy and diversity in systems (Martin et al. 1987).
It was previously noted that the simple b eta model is pessimistic when applied to
redundancy systems. This can also be the case when it is applied to a range of sim-
ilar components even if they are installed in one system. To illustrate this problem,
5.2 Theoretical Overview of Safety and Risk in Engineering Design 625
an example is given based on a simplified high-pressure protection redundancycon-
figuration relating to the high-integrity protection sub-system (HIPS) illustrated in
Fig. 5.22. As indicated in Sect. 5.2.3.2, the function of the HIPS sub-system is to
prevent a high-pressure surge p assing through the process, thereby protecting the
process equipment from exceeding its individual pressure ratings.
A schematic of the simplified configuration is given in Fig. 5.23. In this example,
a possible source of CCF is the contamination of the upstream high-pressure line. In
theory, all the regulators should be equally affected—however, much depends upon
the design features of the m ain valves and their control systems. Contamination of
the h igh-pressure line will affect the active control valve,A
1
, in the operating stream.
Whether it will affect the monitor valve M
1
, and to what extent, depends on the way
the control system functions. Both the regulators in the standby stream should be
unaffected. In this example, there is a potential for CCF to occur but normal practice
would be to assume that CCF applies equally to all the four identical valves—so, it

will be seen that the result of any prediction would be pessimistic. Another problem
in this case would be the total misunderstanding of how to apply CCF prediction
methodology.
In Fig. 5.23, there are two control streams,one functioning as an operating stream
with two identical regulators (pressure valves), M
1
and A
1
, and the other functioning
as a standby stream with two identical regulators, M
2
and A
2
. Each stream’s regu-
lator configuration consists of a monitor valve, M
i
, and an active control valve, A
i
(i = 1,2). The first regulator in the operating stream, the monitor valve M
1
, is fully
open in readiness to take over control should the pressure rise above apredeter-
mined level due to failure of the active control valve A
1
. The active control valve A
1
controls the outlet pressure. Similarly, the first regulator in the standby stream, M
2
,
is fully open and will function in a similar manner as valve M

1
, should the standby
stream be activated. The second regulator in the standby stream, A
2
,isclosedand
will take over pressure regulation if either of the regulators in the operating stream
fails to reduce the outlet pressure to below a predetermined level.
Common cause failures can arise from a wide range of potential problems, typ-
ically identified through factor tree charts and associated questions concerning the
potential root causes of design integrity problems (as indicated in Sect. 5.2.1.2, and
Figs. 5.6 through to 5.8).
Fig. 5. 23 Schematic of a sim-
plified high-pressure protec-
tion system
626 5 Safety and Risk in Engineering Design
Table 5.13 A nalysis of valve data to determine CCF beta factor
Valve type CCF beta factor
Ball, plug and gate valves 0.01–0.02
Relief valves, all types 0.05
Check and non-return valves 0.05
Cut-off valves 0.05
Large r egulators/control valves 0.10–0.19
Small re gulators/control valves 0.05–0.12
Actuators, all types 0.05–0.16
Minimising the effects of CCF is thus an on-going process, already from the
early phases of engineering design to the in-service life. Any attempt to cut corners
or costs will almost inevitably expose engineered installations to a higher level of
CCF-induced failures, with resulting increased costs of failure maintenance, lost
production and possible loss of life.
Design criteria databases do not usually include common cause failure data.

One problem is that CCF data for a particular component can be specific to the
application and, hence, require a whole series of design, operation and mainte-
nance considerations for a particular process. Detailed analysis of valve data from
a large database collected from maintenance and operational records has yielded
useful information on the incidence of CCF (Hanks 1998). The data, summarised
in Table 5 .13, cover a wide range of valve types and applications, including actua-
tors.
This quantification of the CCF beta value, indicating that a significant portion of
the total failure rate of a component arises from common cause failures, has placed
upper limit constraints on obtaining sufficiently high levels of reliability and safety
in critical risk control circuits. As indicated previously, redundancy is one method
in avoiding this problem, although the approach does lead to large increases in the
false alarm rate (FAR).
This is overcome, however, by utilising voting redundancy where several items
are u sed in parallel and a selected amount are required to be in working order.
The voting redundancy problem involves the simultaneous evaluation and selec-
tion of available components and a system-level design configuration that collec-
tively meets all design constraints and, at the same time, optim ises some objec-
tive function, usually system safety, r e liability, o r cost. In practice, though, each of
these parameters may not be exactly known and there is some element of risk that
the constraint will not actually be met or the objective function value may not be
achieved.
5.2 Theoretical Overview of Safety and Risk in Engineering Design 627
5.2.4 Theoretical Overview of Safety and Risk Evaluation
in Detail Design
Safety and risk evaluation determines safety risk an d criticality values for each in-
dividual item of equipment at the lower systems levels of the systems breakdown
structure (SBS). Safety and risk evaluation determines the causes and consequences
of hazardous events that occur randomly, together with a determination of the fre-
quencies with which these events occur over a specified period of time based on

critical component failure rates. Safety and risk evaluation is considered in the de-
tail design phase of the engineering design p rocess, and includes basic concepts of
modelling such as:
i. Point process event tree analysis in designing for safety.
ii. Cause-consequence analysis for safety systems design.
iii. Failure modes an d safety effects evaluation.
5.2.4.1 Point Process Event Tree Analysis in Designing for Safety
The most extensive safety study to date is the US Nuclear Regulatory Commis-
sion’s report “Reactor Safety Study” (NUREG-75/014 1975). In October 1975, the
NRC issued the final results of a 3-year study of the risks from postulated accidents
during the operation of nuclear power reactors of the type used in the USA. This re-
port, known as the “Reactor Safety Study (RSS)”, or by its NRC document number,
WASH 1400, was the first comprehensive study that attempted to quantify a variety
of risks associated with power reactor accidents. Since that time, about 40 reactors
have been analysed using the same general methodology as WASH 1400 but with
considerably improved computer codes and data.
The most recent and the most detailed of these studies has been the effort under-
taken by the NRC to analyse five differentreactorsusing the very latest methodology
and experience data available. In June 1989, the second draft of this work, “Severe
Accident Risks: An Assessment for Five U.S. Nuclear Power Plants” (NUREG 1150
1989), was issued for public comment. There is, however, widely h eld belief that
the risks of severe nuclear accidents are small. This conclusion rests in part upon
the probabilistic analysis used in these studies (NUREG/CR-0400 1978).
The analysis used in these studies provides a suitable example in order to better
understand the application of point process event tree analysis in the evaluation of
safety and risk in the detail design phase. The approach to safety evaluation, as
researched in these two studies, consider ed the sources of the risk, its magnitude,
design requirements, and risk determination through probabilistic safety evaluation
(PSE). These points of approach, although very specific to the example, need to be
briefly explained (Rasmussen 1989).

628 5 Safety and Risk in Engineering Design
a) Determining the Source of Risk
During full power operation, a nuclear power reactor generates a large amount of ra-
dioactivity. Most of this r adioactivity consists of fission products, resulting from the
fission process, which are produced inside the reactor fuel. The fuelis uranium diox-
ide, a ceramic material that melts at about 5,000
◦
F. The fuel effectively contains the
radioactive fission products unless it is heated to the melting point. At temperatures
in this range, essentially all the gaseous forms of radioactivity will be released from
the fuel. In addition, some of the more volatile forms of the solid fission products
may be released as fine aerosols. If any of these forms were to be released into the
atmosphere, they could be spread by prevailing winds.
b) Designing for Safety Requirements
Design requirements for safety in US nuclear plants mandate that the plants have
systems to contain any radioactivity accidentally released from the fuel. The main
system for accomplishing this is the containment building, an airtight structure that
surrounds the reactor. In addition, all reactors have a system for removing aerosols
from the containment atmosphere. In many reactors, this system consists of a wa-
ter spray that can create the equivalent of a heavy rainstorm inside the contain-
ment building. Boiling water reactors (BWR) accomplish this function by passing
released gases through a pool of water. The principal goal of the reactor safety phi-
losophy is to prevent the accidental release of radioactivity. As a backup, systems
are added tha t prevent the release of rad ioactivity to the atmosphere even if it were
released from the fuel. Despite these efforts, one can always postulate ways in which
these systems might fail to prevent the accidental release of radioactivity.
It is the task of probabilistic safety evaluation (PSE) to identify how this might
happen, to determine how likely it is to happen and, finally, to determine the health
effects and economic impacts of the radioactive releases upon the public.
c) Probabilistic Safety Evaluation (PSE)

• The first step in a PSE analysis begins by developing the causes and likelihood
of heating the fuel to its melting point due to either external causes (earthquakes,
floods, tornadoes, etc.) or internal causes. This analysis involves developing
a logical relationship between the failures of plant components and operators,
and the failure of system safety functions. The result of this analysis is an esti-
mate of the probability of accidentally melting the fuel, a condition often called
‘core melt’. Of the plants analysed thus far, most have an estimated likelihood of
core melt of between 1 in 10,000 and 1 in 100,000 per plant year.
• The second step in a PSE analysis is to determine the type and amount of radioac-
tivity that might be released in the d ifferent accidents identified. These fractions
of the various types of radioactivity released are called the ‘source terms’ for
5.2 Theoretical Overview of Safety and Risk in Engineering Design 629
the accident. The values from WASH 1400 are in most cases significantly larger
than those from NUREG 1150. The lower values of NUREG 1150 are the result
of new information gained from m ajor research in the USA, Japan and Western
Europe. These experiments, and the measurements at Three Mile Island confirm
that the values used in WASH 1400 are too high.
• The final step in a PSE analysis is to calculate the effects of any radioactivity re-
leased in the accident. Sophisticated computer models have been developed to do
this calculation. These models require input of the source terms, the population
density around the site, and weather data for recent years from the plant site. The
code then calculates thousands of cases to generate curves that give the magni-
tude of given r isks versus their probabilities. The results of the calculations are in
the form of fatality curves. The curves generally give the frequency in units per
reactor year for events of a given size, and have a wide range of consequences,
from quite small at high frequencies to quite large at very low frequencies.
• Curves of this shape are typical of all accidents where a number of factors affect
the magnitude of the event. In the case of catastrophic accidents, clearly this
refers to accidents of low probability near the high-consequence end of the scale.
These extreme accidents come about only if the various factors affecting the

magnitude of the consequences are all in their worst states. Thus, for example,
the core must melt, then the containment must fail above ground level, the wind
must be blowing towards an area of relatively high population density, inversion
conditions must prevail, and civil protectio n efforts must fail to be effective.
Criticism of the Reactor Safety Study pointed to inadequacies in the statistical
methodology, particularly the uncritical use of the log-normal distribution to derive
probability estimates for the failure of individual nuclear safety systems (NUREG/
CR-0400 1978). There is an inherent weakness to the approach, in that there is no
way of being sure that a critical initiating event has not been overlooked. The logic
event tree consists of the initiating event and the success or failure response of each
of the applicable engineered safety features. After identifying the accident sequence,
the probability of occurrence of each engineered safety system in the sequence must
be evaluated. As no empirical data are available on which to base estimates of sys-
tem failure rates, it is necessary to use techniques that generate system failure rates
from comparative estimates of failures of similar equipment. The extended use of
event trees to derive probability estimates for both the failur e of individual n uclear
safety systems, as well as the accident sequences was developed b y the US Depart-
ment of Defense and the US National Aeronautics and Space Authority (NASA;
NUREG 1150 1989).
With the identification of potential accidents and the quantification of their
probability and magn itude, accident sequences are identified by means of lo gic
diagrams—in this case, logic event trees. The starting point for the development
of these logic event trees is the identification of the event that initiates a potential
accident (due to a catastrophic failure event) or potential incident (due to a criti-
cal failure event). A typ ical initiating event for the nuclear reactor safety example
would be a pipe break that results in a loss of coolant. Initiating events are usu-
ally identified using technical information and engineering judgment, similar to an
630 5 Safety and Risk in Engineering Design
Fig. 5.24 Typical logic event tree for nuclear reactor safety (NUREG-751014 1975)
integrated information technology (IIT) program considered in Section 3.3.3.4 and

in Fig. 3.41.
Figure 5.24 shows a typical lo gic event tree with an initiating event of a pipe
break in a nuclear reactor coolant lin e, with probab ility of occurrence of
λ
.The
logic event tree is simplified in that only seven out of 2
4
possibilities need to be
considered—for example, if electric power fails with an event rate of
λ
P
2
, then none
of the engineering safety features will function. The output of the logic event tree
is the release category consequences with th eir event rates. Since the probability of
occurrence is small (i.e. equivalent to the concept of a rare event), the probabilities
are approx imated by omitting all 1 −P
i
terms.
d) Point Process Consequence Analysis
The basic methodology of the Reactor Safety Study used an approach of determin-
ing a demand failure rate. This can briefly be explained as the control of the rate
of reaction in an atomic power plant by the insertion of control rods. The times at
which control is needed is termed the transient demand, and was assumed to occur
in an operating time equivalent to a Poisson process. When a transient demand oc-
curs, the conditional probability that the safety system does not function, resulting
in the consequence of an accident, was determined. Based on the Reactor Safety
Study, a method for evaluating consequences as a result of safety system failure in
a catastrophic-event process such as a nuclear reactor has been researched (Thomp-
son 1988).

Suppose the events initiating accident sequences (as in Fig. 5.24) occur in time
according to a stochastic point process with an event rate of
μ
(t).Furthermore,
let N(t) denote the number o f events up to time t,andT
i
(i = 1,2,3, ,k) denote
5.2 Theoretical Overview of Safety and Risk in Engineering Design 631
the time at which the ith initiating event occurs. Suppose further that the ith ini-
tiating event yields the consequence C
i
. Assume that C
i
is a non-negative random
variable with failure distribution function P(C
i
≤ c)=F(c), and survival function
P(C
i
≥ c)=F

(c). The consequences can be assumed to be identically distributed
and independent of one another, with the understanding that there are several kinds
of risks, each with its own initiating event rate and consequence distribution. Fi-
nally, the evolution of consequences has been assumed to follow a point process.
Actually, the consequences of many accidents and incidents are difficult to express
numerically and most are vector valued in time. The basic methodology of the Re-
actor Safety Study in dealing with this problem was to conduct a separate study for
each type of consequence, and to present the risk in terms of an event rate against
a consequence in the formof a risk curve, as illustrated in Fig. 5.25. In mathematical

terms, if
μ
k
(t) is the event rate at time t of consequences exceeding k, the critical
number of consequences, then the risk curve is a graph for fixed t of
μ
k
(t) versus k.
The event rate of consequences that exceed k is related to the process of initiating
events and the distribution of consequences
μ
k
(t)=[1−F(k)]
μ
(t) (5.66)
where:
F(k) is the failure distribution function of C
i
.
Fig. 5. 25 Risk curves from nuclear safety study (NUREG 1150 1989) Appendix VI WASH 1400:
c.d.f. for early fatalities
632 5 Safety and Risk in Engineering Design
Different process systems designs have different consequence sequences. The
consequence sequences, S, of a particular process, P, over a time period, t, can be
expressed as
S
P
(t)=

0 N(t)=0

C
1
+C
2
+C
3
+ C
N(t)
N(t) > 0
(5.67)
Characteristics of S
P
(t) are determined by N(t) and the distribution of the con-
sequences C
i
, where the sequence of c onsequences constitutes a point process. Of
specific interest is to determine the catastrophic event having the greatest conse-
quence when one accident is too much in the sequence of consequences. This is
done by defining an expression for S

P
in the catastrophic case
S
P
(t)=

0 N(t)=0
max[C
1
+C

2
+C
3
+ C
N(t)
] N(t) > 0
(5.68)
Probability S

P
(t) being less than k, the critical number of consequences is given
by
P(S

P
(t) ≤ k)=P

(5.69)
where:
P

=
∞
∑
n=0
P[C
i
≤ k; i = 1,2,3, ,n|N(t)=n]
If C
i

is a non-negative random variable with the failure distribution function
P(C
i
≤ c)=F(c),then
P(S

P
(t) ≤ k)=
∞
∑
n=0
[F(k)]
n
·P[N(t)=n]
(5.70)
=
ψ
t
[F(k)] (5.71)
where:
ψ
t
= probability generating function of N(t) (i.e. Bernoulli transform)
and if C
i
is a non-negative random variable with the survival function P(C
i
≥ c)=
F


(c),then
P(S

P
(t) > k)=1−
ψ
t
[F(k)] ≤[1−F(k) ·EN(t)] (5.72)
Thus, for consequences exceeding k, the critical number o f consequences (or the
‘cut-off value’ between acceptable and un acceptable consequ ences), the prob a bility
of the occurrence of an unacceptable consequence within time t will be less than
F

(k)EN(t),whereF

(k) is the survival function P(C
i
> k),andEN(t) is the ex-
pected value or mean of N(t), the number of events on (0,t].
If system failure is now identified with obtaining an unacceptable consequence,
then F

(k) is the demand failure rate (such as the demand to control the rate of reac-
tion in an atomic power plant by the insertion of c ontrol rods). This demand failure
rate yields an upper bound for the probability of failure. Since k is the unaccept-
able critical number of consequences, the probability of a consequence exceeding
5.2 Theoretical Overview of Safety and Risk in Engineering Design 633
that value must be as small as possible—that is, F

(k) will be near 0 with an upper

bound when F(k) is near 1.
The expected maximum consequence can be expressed as
EC

(t)=
∞

0
{1−
ψ
t
[F(k)]}dk (5.73)
EC

(t)=
∞
∑
n=0
∞

0
{1−[F(k)]
n
}dk ·P[N(t)=n] (5.74)
From Eqs. (5.72) and (5.74) we get:
EC(t)·P[N(t) ≥ 1] ≤ EC

(t) ≤ EC(t)·N(t)
where:
EC(t)=the expected value of consequence C in period t

EC

(t)=the expected value of consequence C

in period t
P[N(t) ≥ 1]=the probability that the number of events ≥ 1.
The expected time to the first critical event with unacceptable consequence is given
as
EV
k
=
∞

0
ψ
t
[F(k)]dt (5.75)
EV
k
=
∞
∑
n=1
ET
n
[F(k)]
n
[1−F(k)] (5.76)
where:
T

n
= timeofoccurrenceofthenth initiating event.
The probability generating function (p.g.f.), or Bernoulli transform
ψ
t
, needs to
be defined in greater detail: Thus, given a random variable N(t), its generating func-
tion
ψ
t
(z) is expressed as
ψ
t
(z)=
∞
∑
n=1
z
n
P[N(t)=n] (5.77)
ψ
t
(z)=Ez
N(t)
(5.78)
ψ
t
(z) is a function in terms of z with the following properties:
• The p.g.f. is determined by and also determinesC
•

ψ

t
(1) is the expectation of N(t)
•
ψ

t
(1) is the expectation of N(t) ·[N(t)−1].
Probability generating functions also provide for addition of independent ran-
dom variables. For example, if N(t) and C(t) are independent, then the p.g.f. of