JP5987581B2 - FT calculation support program, FT calculation support method, and FT calculation support apparatus - Google Patents

Description

  The present invention relates to a technique of an FT calculation support program, an FT calculation support method, and an FT calculation support apparatus.

  In the construction and operation of a process system such as a chemical plant, it is possible to identify the potential danger of each process that constitutes the process system and to evaluate the risk of each identified process qualitatively and quantitatively. is important. In order to ensure the safety of the process system, it is indispensable to carry out risk management for reducing the above-described potential danger based on the evaluation result.

HAZOP (Hazard & Operability study) is known as a method for qualitatively evaluating the potential risk of a process. Similarly, FTA (Fault Tree Analysis) is known as a technique for quantitatively evaluating the potential danger of a process. In addition to HAZOP and FTA, there are evaluation methods such as What-if analysis method and FMEA (Failure Mode and Effect Analysis) method as risk assessment concepts. This is illustrated in the “Guidelines for Assessment”.

  HAZOP is based on the “shift” from the state quantity (temperature, pressure, flow rate, composition, etc.) in the steady state of each process, and the guide word (none, increase, decrease, reverse rotation, etc.) about “shift” It is a technique to clarify the cause and result. For example, by assuming a “deviation” in the process such as “increase in flow rate”, a device failure or a human error causing “increase in flow rate” is clarified. Then, as a result of such "flow rate increase" caused by such equipment failure or human error, the degree of influence on the process system is examined. The qualitative evaluation method by HAZOP has an advantage that the potential danger of each process constituting the process system can be comprehensively identified.

  FTA is a probabilistic risk assessment method established by quantitative risk analysis of commercial reactors, and is used not only in the nuclear field but also in various fields such as the chemical industry, electronics / electric industry, and machinery industry. This is an evaluation method. The FTA, for example, takes events that are undesirable for the process system (specific dangerous events and disaster events that can occur) as top events, deliberating the causes and factors a priori, and determining the root causes and factors (basic events). Identify. A basic event is an event that cannot be further resolved in the path of origin leading to the top event. In FTA, these causal relationships are logically connected using logical symbols (AND gate, OR gate, etc.) and expressed in a tree form. The structure of the causal relationship developed from the basic event to the top event in a tree shape is called a fault tree (FT: Fault tree or fault tree, hereinafter referred to as FT).

  In FT, the causal relationships (basic events, events derived from basic events, etc.) of multiple events leading to the top event are connected with logical symbols, so by giving the occurrence frequency and probability of occurrence of basic events, It is possible to recursively determine the frequency of occurrence of an undesirable event for the top system process system. The quantitative evaluation method based on FTA has an advantage that an event that is not desirable for the process system can be evaluated using a specific numerical index such as the occurrence frequency and the occurrence probability based on the FT.

The above-mentioned HAZOP and FTA evaluation methods are unified to create a risk scenario that leads to a disaster event (an event that occurs in the process system that is undesirable for the process system) in the form of a flowchart, and the created flowchart is automatically converted to FT. Patent Document 1 discloses a technique for quantitatively evaluating the risk of a process system based on a converted FT.

  In the technology disclosed in Patent Document 1, the risk scenario is based on a failure of the equipment constituting each process in the process system as a basic event, and an occurrence event that can occur after the failure is developed in a causal relationship. . It is configured to reach a disaster event (top event) that finally occurs, and covers the potential danger of each process. Also, the FT is automatically converted from the created flowchart, and the occurrence frequency and occurrence probability of disaster events are calculated along the FT, so that the occurrence frequency and occurrence probability of the top event are reduced (suppressed). The HAZOP / FTA information can be cross-referenced and used, such as reviewing risk scenarios.

Japanese Patent No. 3622302

  Based on the FT converted from the risk scenario, when the occurrence probability of the finally occurring disaster event, which is the top event, is determined, an event that has mutual dependency and includes concurrent elements (common factor event) The existence of is a problem. In other words, when calculating the occurrence probability of the top event based on the FT, if there are multiple common factor events, the occurrence probability of each common factor event is calculated redundantly. The probability of occurrence will be inaccurate.

  In the risk scenario of Patent Document 1, the failure of the equipment constituting each process in the process system is regarded as a basic event, and the occurrence events that can occur after the failure are developed in a causal chain relationship. It is configured to reach disaster events that occur in In cases where there are few occurrences of causal linkages, for example, an operator who examines the safety evaluation of the process system constructs a risk scenario while grasping common cause events, and the probability of occurrence of a disaster event, etc. Calculations can be made. However, there are many cases where there are multiple occurrences in multi-stage causal relationships, and there are multiple occurrences, and operators etc. construct risk scenarios while grasping common cause events one by one. It is difficult.

  The problem of the disclosed technology is to provide a technology that supports the calculation of the probability of occurrence for a disaster event by identifying events that are mutually dependent and include concurrent elements in a hazard scenario. .

One aspect of the disclosed technique is exemplified by the configuration of the following FT calculation support program. That is, the FT calculation support program is caused by an abnormal event that may occur in the target equipment in the process, and leads to a disaster event of the process that occurs as a result of a chain of occurrence events that can occur after the abnormal event. Perform process safety assessment calculations based on scenarios. The FT calculation support program includes a step of extracting, from a scenario, names and attributes of components that are operated at least in response to an occurrence event, and occurrences included in the scenario based on the extracted names and attributes. A step of searching for all the components to be operated in response to the event, and if there is a component having the same name and attribute as the extracted name and attribute as a result of the search, the same name and Identifying the attribute component as a common factor event, calculating a safety assessment index of the scenario leading to the process disaster event based on the identified common factor event, and calculating the process disaster event Outputting a safety assessment index for the following scenarios.

  According to such a configuration, it is possible to extract a component having the same name and attribute as the name and attribute of the component that is operated according to the occurrence event from the scenario, and the extracted component is shared. It can be identified as a causal event. Then, based on the identified common factor event, a scenario safety evaluation index leading to the process disaster event can be calculated, and the calculated scenario safety evaluation index leading to the process disaster event can be output. As a result, even if a common factor event is included in the scenario, it is possible to accurately calculate the probability of occurrence for a disaster event.

  According to the present FT calculation support program, it is possible to provide a technology for identifying an event including mutually dependent elements that are mutually dependent in a risk scenario, and to support the calculation of an accurate occurrence probability for a disaster event.

It is a figure explaining a common factor event. It is a figure explaining a common factor event. It is a figure which shows an example of the FT calculation assistance apparatus of this embodiment. It is a figure which illustrates the hardware constitutions of information processing apparatus. It is a figure of the process system for demonstrating FT calculation assistance processing. It is a figure which illustrates the flowchart of FT calculation assistance processing. It is a figure showing an example of an initial input screen. It is a figure which illustrates HAZchart produced | generated based on the disaster scenario of an explanatory example. It is a figure which shows an example of a display screen. It is a figure which shows an example of a display screen. It is a figure which illustrates HAZchart produced | generated based on the disaster scenario of an explanatory example. It is a figure which illustrates FT produced | generated based on the disaster scenario of an explanatory example. It is a figure which illustrates the display screen of the probability of occurrence to the disaster event calculated based on the common factor event. It is a figure which illustrates the display screen which prompts the update of initial registration information. It is a figure which illustrates the display screen of the result by which the initial registration information was updated. It is a figure which illustrates the detailed flowchart of S1. It is a figure which illustrates the detailed flowchart of S4. It is a figure which illustrates the detailed flowchart of S5.

  Hereinafter, an FT calculation support apparatus according to an embodiment will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the FT calculation support apparatus is not limited to the configuration of the embodiment.

  Hereinafter, the FT calculation support apparatus will be described with reference to FIGS. 1 to 8C. First, before explaining the FT calculation support apparatus of the present embodiment, common factor events (common factor events) will be described with reference to FIGS. 1 to 2.

<Common cause events>
1 and 2 are explanatory diagrams for explaining a common factor event. FIG. 1A shows an example of a process flow in which a predetermined flow rate is output by two pumps A and B. FIG. FIG. 1B is an example of a fault tree (FT, hereinafter referred to as FT) created based on the flow of FIG. 1A, for example, “the flow rate becomes 0” as a top event. .

  In FIG. 1B, the top event 901 “flow rate becomes 0” is positioned at the top of the FT, and the cause / factor causing the top event 901 is “pump A stop” event 903, “ An event 904 “pump B stop” is developed as a lower event. Since the sub-events “pump A stop” and “pump B stop” occur at the same time and the top event 901 that “the flow rate becomes 0” can occur, each sub-event is an AND gate 902 indicating a logical product. It is connected. Further, in the event 903, as a cause / factor causing occurrence of “pump A stop”, an event 907 of “pump A failure” and an event 908 of “power failure” are developed as lower events. The lower event “pump A failure” and “power failure” can cause the event “pump A stop” to occur. Therefore, each lower event is connected by an OR gate 905 indicating a logical sum. . Similarly, in the event 904, as a cause / factor causing “pump B stop”, an event 909 with “pump B failure” and an event 910 with “power failure” are expanded as subordinate events. Are connected by an OR gate 906 indicating a logical sum.

  In FIG. 1B, events 907 to 910 are basic events leading to the top event 901 that “the flow rate becomes 0”.

  In FTA, the potential risk of the process is quantitatively evaluated by calculating the probability of occurrence of the top event 901 that “the flow rate becomes 0” based on the FT illustrated in FIG.

  For example, the occurrence probability of “pump A failure” and “pump B failure” is 1E-2 (“E” represents a power of 10 and “1E-2” represents 10 (−2)). If the occurrence probability of “power failure” is 1E-3, the occurrence probabilities of “pump A stop” and “pump B stop” are respectively calculated as 1.1E-2. Further, the occurrence probability of the top event 901 that “the flow rate becomes 0” is calculated as 1.21E-4 from the occurrence probability of “pump A stop” and “pump B stop”.

  As described above, in the FTA, the occurrence probability of the top event 901 that “the flow rate becomes 0” can be obtained by giving the occurrence probability of the basic event based on the FT illustrated in FIG. .

  However, when the power supply of each pump is supplied from the same location, if a power failure occurs in pump A, a power failure also occurs in pump B. That is, in the FT illustrated in FIG. 1B, the “power failure” that is a basic event is an event that includes mutually dependent elements that are dependent on each other. It is a common factor event in the process of outputting the flow rate. FIG. 2 illustrates an FT created in consideration of such a common factor event.

  In the FT illustrated in FIG. 2, the top event 901 with “flow rate becomes zero” is positioned at the top of the FT, and as a cause / factor causing the top event 901, an event 912 with “pump stop”, “ A common factor event 913 with “power failure” is developed as a subordinate event. “Pump stop” and “power outage” can generate an event that the occurrence of each event is “the flow rate becomes 0”, so the event 912 and the common factor event 913 are connected by an OR gate 911 indicating a logical sum. The In the event 912, the event 907 with “pump A failure” and the event 909 with “pump B failure” are expanded as subordinate events as causes / factors for causing “pump stop”. Are connected by an AND gate 914 indicating a logical product. This is because the “pump A failure” of the event 907 and the “pump B failure” of the event 909 may occur at the same time and the “pump stop” of the event 912 may occur.

  In FIG. 2, events 907, 909, and 913 are basic events that reach the top event 901 that “the flow rate becomes 0”.

  As calculated in FIG. 1B, the occurrence probability of “pump A failure” and “pump B failure” is 1E-2, the occurrence probability of “power failure” is 1E-3, and the FT illustrated in FIG. Based on this, the occurrence probability of the top event 901 that “the flow rate becomes 0” is calculated. The occurrence probability of the event 912 with “pump stop” is calculated as 1E-4, and the occurrence probability of the top event 901 with “the flow rate becomes 0” is calculated as 1.1E-3.

  The occurrence probability of the top event 901 that “the flow rate becomes 0” calculated based on the FT in FIG. 1B is 1.21E-4, and the top event 901 calculated based on the FT in FIG. The occurrence probability is 1.1E-3 >> 1.21E-4. That is, in the process of outputting a predetermined flow rate by the two pumps A and B illustrated in FIG. 1A, the risk of the top event 901 calculated in consideration of the common factor event is the common factor event. It can be seen that the difference between the occurrence probabilities, which is higher than the calculated risk without considering the above, and is an index of the risk is different by one digit (about 10 times).

  As described above, in the construction and operation of a process system, when common factor events are not taken into account, there is a risk of misjudging the potential danger of each process in a safe (small occurrence probability) direction. Therefore, in order to properly evaluate the potential risk of the process, it is necessary to identify common factor events included in the assumed risk scenario and perform FT calculation in consideration of the identified common factor events .

  In the FT calculation support apparatus according to the present embodiment, which will be described next, a component that is operated in response to an occurrence event (a basic event or a cause event derived from the basic event) from the created risk scenario. Extract names and attributes. Then, all the constituent elements included in the scenario are searched based on the extracted name and attribute, and the common factor event is specified. The FT calculation support apparatus according to the present embodiment performs an FT calculation of the probability of occurrence of a process disaster event based on the specified common factor event, so that even if a common factor event is included in the scenario, Enables accurate calculation of occurrence probability.

<Example>
Hereinafter, the FT calculation support apparatus 10 according to the embodiment will be described based on the drawings of FIGS. 3 to 4.
〔Device configuration〕
FIG. 3 is a diagram illustrating an example of the FT calculation support apparatus 10 according to the present embodiment. The FT calculation support apparatus 10 illustrated in FIG. 3 is generated as a result of a chain of occurrence events that can occur after an abnormal event, for example, due to an abnormal event that may occur with respect to the target equipment in the process. This is an information processing apparatus that performs a process safety evaluation calculation based on a scenario leading to a process disaster event.

The FT calculation support device 10 illustrated in FIG. 3 includes an information processing device 300 and a storage device 200. The information processing device 300 is connected to the storage device 200. The information processing device 300 may be connected to the storage device 200 via a network, for example. The information processing device 300 and the storage device 200 may constitute a part of a cloud that is a computer group on the Internet, for example. The network includes a public network such as the Internet, a wireless network such as a mobile phone network, and an internal network such as a LAN (Local Area Network) and a WAN (Wide Area Network). Further, the information processing apparatus 300 may include the storage device 200.

The storage device 200 is a storage device that includes a storage medium that stores various programs and various data. The storage device 200 is also called an external storage device. As the storage device 200,
For example, there are a solid state drive device, a hard disk drive device, and the like. The storage device 200 can include a portable recording medium such as a CD (Compact Disc) drive device, a DVD (Digital Versatile Disk) drive device, and a BD (Blu-ray Disc) drive device.

  The storage device 200 includes a risk scenario generation DB 210, an FT generation DB 220, a failure probability DB 230, a human error DB 240, and a safety evaluation management DB 250. The risk scenario generation DB 210, the FT generation DB 220, the failure probability DB 230, the human error DB 240, and the safety evaluation management DB 250 may each be included in separate storage devices.

The information processing apparatus 300 includes a personal computer (PC, personal computer), a tablet PC, a general-purpose computer such as a PDA (personal digital assistant), a dedicated computer such as a server machine, or a computer such as a smartphone (multifunctional mobile phone). It can be realized using an electronic device equipped with

  FIG. 4 illustrates a hardware configuration of the information processing apparatus 300. An information processing apparatus 300 illustrated in FIG. 4 has a so-called general computer configuration.

The information processing apparatus 300 includes a CPU (Central Processing Unit) 301, a main storage unit 302, an auxiliary storage unit 303, an input unit 304, an output unit 305, which are connected to each other via a connection bus.
A communication unit 306 is included. In the information processing apparatus 300, the CPU 301 develops a program stored in the auxiliary storage unit 303 so as to be executable in the work area of the main storage unit 302, and controls peripheral devices through the execution of the program. Thereby, the information processing apparatus 300 can implement a function that matches a predetermined purpose. The main storage unit 302 and the auxiliary storage unit 303 are recording media that can be read by the information processing apparatus 300 that is a computer.

  The CPU 301 is a central processing unit that controls the entire information processing apparatus 300. The CPU 301 performs processing according to a program stored in the auxiliary storage unit 303. The main storage unit 302 is a storage medium on which the CPU 301 caches programs and data and develops a work area. The main storage unit 302 includes, for example, a RAM (Random Access Memory) and a ROM (Read Only Memory).

  The auxiliary storage unit 303 stores various programs and various data in a recording medium in a readable and writable manner. The auxiliary storage unit 303 stores an operating system (OS), various programs, various tables, and the like. The OS includes a communication interface program that exchanges data with an external device or the like connected via the communication unit 306. Examples of the external device include other information processing devices and storage devices on a network connected via a network.

The auxiliary storage unit 303 is, for example, an EPROM (Erasable Programmable ROM), a solid state drive device, a hard disk drive (HDD, Hard Disk Drive) device, or the like. As the auxiliary storage unit 303, for example, a CD drive device, a DVD drive device, a BD drive device, or the like can be presented. Examples of the recording medium include a silicon disk including a nonvolatile semiconductor memory (flash memory), a hard disk, a CD, a DVD, a BD, and a USB (Universal Serial Bus) memory.

  The input unit 304 receives an operation instruction or the like from a user or the like. The input unit 304 is an input device such as an input button, a keyboard, a pointing device, a wireless remote controller, a microphone, and a camera. Information input from the input unit 304 is notified to the CPU 301 via the connection bus.

The output unit 305 outputs data processed by the CPU 301 and data stored in the main storage unit 302. The output unit 305 is an output device such as a CRT (Cathode Ray Tube) display, an LCD (Liquid Crystal Display), a PDP (Plasma Display Panel), an EL (Electroluminescence) panel, an organic EL panel, a printer, and a speaker. Communication unit 30
6 is, for example, an interface with a network or the like.

  In the information processing apparatus 300 of the FT calculation support apparatus 10, the CPU 301 reads out various programs and various data stored in the auxiliary storage unit 303 to the main storage unit 302 and executes them, thereby executing the danger scenario generation unit 110 and the scenario generation. Functions as the support unit 120, the FT generation unit 130, the common factor event determination unit 140, the FT disaster probability calculation unit 150, and the output unit 160 are realized.

  Note that any one of the functional units may be included in another information processing apparatus. For example, an information processing device including the risk scenario generation unit 110, an information processing device including the scenario generation support unit 120, an information processing device including the FT generation unit 130, and an information processing device including the common factor event determination unit 140 The information processing apparatus including the FT disaster probability calculation unit 150 and the information processing apparatus including the output unit 160 are connected via a network or the like to function as the information processing apparatus 300 of the FT calculation support apparatus 10. Also good. The FT calculation support apparatus 10 distributes functional units to a plurality of information processing apparatuses, and each functional unit is realized, thereby reducing the load.

[Function block configuration]
In the FT calculation support apparatus 10 illustrated in FIG. 3, the information processing apparatus 300 includes a risk scenario generation unit 110, a scenario generation support unit 120, an FT generation unit 130, a common factor event determination unit 140, an FT disaster probability calculation unit 150, Each function unit of the output unit 160 is included. The processing by each functional unit described above is provided by the CPU 301 of the information processing apparatus 300 executing a computer program that is executably expanded on the main storage unit 302.

  Further, in the FT calculation support apparatus 10, the risk scenario generation DB 210, the FT generation DB 220, the failure probability DB 230, the human being constructed in the storage device 200 as the storage destination of the data referred to or managed by the above functional units. It has error DB240 and safety evaluation management DB250.

  The risk scenario generation DB 210 stores the names of the equipment that constitutes each process in the process system, the system type to which the equipment belongs, the malfunction mode associated with the equipment, and the like. In addition, a protection function (including a human recovery operation when an abnormality occurs, detection means, etc.) associated with the operation operation of the equipment is stored. The danger scenario generation DB 210 stores various parts such as a display frame for displaying the danger scenario in a flowchart and connection wiring.

  The FT generation DB 220 supports various components such as display frames, logic symbols, and connection wiring for drawing FTs based on the generated risk scenario, failure cases associated with recovery operations, and devices that support defense functions. The failure action attached, the cause of failure associated with the human action corresponding to the defense function, and the like are stored.

  The failure probability DB 230 stores failure probabilities associated with facility equipment. The human error DB 240 stores error probabilities associated with human recovery operations as protective functions. The safety evaluation management DB 250 stores the generated risk scenario and the corresponding FT and FTA analysis results.

  The risk scenario generation unit 110 generates, for example, an abnormal event such as a failure as an initial event for the equipment in the target process, and generates a risk scenario for the process system including the target process. The risk scenario generation unit 110 is based on, for example, an initial event input by an operator or the like, a chain of occurrence events that can occur after the initial event, or a disaster event of a process that occurs as a result of the chain of occurrence events. Generate a flowchart-like risk scenario.

  The danger scenario generation unit 110 refers to the danger scenario generation DB 210 based on the equipment that is operated in response to the occurrence event, and acquires various setting information of the equipment. The various setting information includes the name of the equipment, the system type to which the equipment belongs, and a malfunction mode associated with the equipment. The danger scenario generation unit 110 outputs the acquired various setting information to the output unit 305 of the information processing apparatus 300 and presents it to the operator or the like.

  The operator or the like selects, for example, a malfunction mode associated with the facility device based on various setting information presented on the output unit 305.

  In addition, the risk scenario generation unit 110 refers to the risk scenario generation DB 210 according to the malfunction mode selected by the operator or the like from the various setting information presented, and finds an event discovery method (such as an alarm) and an event The protection function associated with the operation operation of the equipment such as the recovery operation (operation of the equipment, operator operation) is acquired. The danger scenario generation unit 110 outputs the acquired protection function to the output unit 305 of the information processing apparatus 300 and presents it to the operator or the like.

  The operator or the like selects, for example, a method for finding an event appropriate for the process, an event recovery operation, and the like based on the protective function presented in the output unit 305. Then, when there is an occurrence event that can occur subsequently by the selected protection function, for example, an occurrence event that can occur after the initial event is reviewed. As a result of the review, a new occurrence event is added / inserted, and each time the risk scenario generation unit 110 repeats the above-described processing.

  The scenario generation support unit 120 arranges the paths of occurrence events from the initial event to the disaster event included in the generated danger scenario in chronological order according to the operator's request. Each organized event is arranged in a time series on a flowchart, for example, and is output to the output unit 305 of the information processing apparatus 300. Further, the scenario generation support unit 120 refers to the risk scenario generation DB 210 when rearranging the path of the generated event from the initial event to the disaster event in chronological order, and follows the generated event (including the initial event). A setting frame for the protective function is inserted between the paths of events that can occur immediately (including disaster events). The setting frame of the protection function to be inserted is inserted between the paths in a pair in the arrangement order of the setting frame of the event detection method and the setting frame of the event recovery operation.

  A flowchart (HAZchart) of the risk scenario completed by the processes of the risk scenario generation unit 110 and the scenario generation support unit 120 is stored in the safety evaluation management DB 250. The risk scenario flowchart may be temporarily stored in a predetermined area of the main storage unit 302 of the information processing apparatus 300, for example.

  The FT generation unit 130 determines a disaster event of a process that occurs as a result of a chain of occurrence events from a risk scenario flowchart (HAZchart) completed by the processes of the risk scenario generation unit 110 and the scenario generation support unit 120 as a top event. Generated FT. The FT generation unit 130 stratifies each occurrence event (except for the top event) based on the time series order of the occurrence events arranged in the flowchart of the risk scenario. Each stratified event constitutes the FT skeleton.

Further, the FT generation unit 130 refers to the FT generation DB 220 based on the recovery operation (equipment operation, operator operation) of the event selected corresponding to the occurrence event, and performs the recovery operation of the selected event. The failure case is an AND event of the corresponding occurrence event. Then, the FT generation unit 130 refers to the FT generation DB 220 based on the event discovery method (alarm or the like) selected corresponding to the occurrence event, and the failure operation of the device associated with the event discovery method, Get failure reason associated with human action. The FT generation unit 130 sets the failure event associated with the acquired event discovery method and the failure cause associated with the human action as a lower event of the failure example of the event recovery operation. The FT generation unit 130 determines an OR event when there are a plurality of failure events associated with the failure operation of the device associated with the acquired event discovery method and the human action.

  The FT generation unit 130 refers to the FT generation DB 220 based on each occurrence event that is hierarchized, an AND event based on a recovery event corresponding to the occurrence event, an OR event based on an event discovery method, and the like, and an FT corresponding to each event. The various parts for drawing are acquired, and an FT with the disaster event of the process as the top event is generated. In the generated FT, the path of the logical causal chain relationship of the occurrence event leading to the top event is expanded in a tree shape.

  The FT generated by the processing of the FT generation unit 130 is stored in the safety evaluation management DB 250. The risk scenario flowchart may be temporarily stored in a predetermined area of the main storage unit 302 of the information processing apparatus 300, for example.

  The common factor event determination unit 140 includes the name of the equipment that is operated in response to the occurrence event of the danger scenario, the attribute such as the type of the system to which the equipment belongs, the malfunction mode associated with the equipment, etc. Based on the information, common factor events that are mutually dependent and include concurrent elements are determined. The common factor event determination unit 140 determines the identity of the name and attribute of the equipment and the associated malfunction mode between the FT events expanded in a tree shape, and identifies the common factor event. The identified common factor event is delivered to the FT disaster probability calculation unit 150.

  The FT disaster probability calculation unit 150 may generate a risk scenario by referring to the failure probability DB 230 and the human error DB 240 based on the common factor event delivered from the common factor event determination unit 140 and the generated basic event of the FT. Calculate the probability of a disaster event in the process. The FT disaster probability calculation unit 150 acquires a failure probability associated with the facility device of the basic event and an error probability associated with the human recovery operation as the protective function. The FT disaster probability calculation unit 150 calculates the occurrence probability of each occurrence event along each logical symbol in the order of the logical causal chain relationship of the occurrence event from the acquired failure probability and error probability to the top event, and the occurrence event The occurrence probability of the top event is calculated from each occurrence probability. The FT disaster probability calculation unit 150 outputs the calculated occurrence probability to the output unit 305 of the information processing apparatus 300 and presents it to the operator or the like.

  The occurrence probability of the top event calculated by the processing of the FT disaster probability calculation unit 150 is associated with the generated risk scenario as a safety evaluation index of the scenario leading to the disaster event (top event) of the process, and safety evaluation is performed. Stored in the management DB 250. Note that the calculated occurrence probability of the top event may be temporarily stored in a predetermined area of the main storage unit 302 of the information processing device 300, for example.

  The output unit 160 is an interface between the operator and the FT calculation support apparatus 10. For example, in response to a browsing request from an operator or the like, information stored in each DB is acquired and output so that the operator or the like can browse. For example, the output unit 160 outputs the acquired information to the output unit 305 of the information processing apparatus 300 and presents it to an operator or the like.

[Process flow]
Hereinafter, the FT calculation support processing of this embodiment will be described with reference to FIGS. 5 to 8C.

<Example of FT calculation processing>
FIG. 5 is an example of a process system for explaining the FT calculation support processing. The process system of FIG. 5 includes a gas-liquid separator 20, a liquid level gauge 21, and a control valve (LCV: Liquid Control Valve) 22. The liquid level gauge 21 has an alarm function that detects the position of the liquid level in the gas-liquid separator 20 and notifies an alarm when an abnormality such as a drop in the liquid level is detected.

  In the process of FIG. 5, a mixture of liquid and gas (gas) flows into the gas-liquid separator 20 and is separated into gas and liquid in the gas-liquid separator 20, and the gas and liquid are separated through different piping paths. It flows out of the liquid separator 20. A control valve 22 for adjusting the flow rate is installed in a path through which the liquid separated by the gas-liquid separator 20 flows out.

  In the process system of FIG. 5, for example, a recovery operation by a DCS (Distributed Control System), an operator, or the like is performed by a signal from the liquid level gauge 21. For example, the DCS that receives the signal controls the opening degree of the control valve 22 that adjusts the flow rate, and automatically operates so that the position of the liquid level in the gas-liquid separator 20 is restored to a normal state. The operator or the like knows that the liquid level in the gas-liquid separation device 20 has been lowered by the alarm notification from the liquid level gauge 21, and performs control instructions to the DCS, manual opening / closing operation of the control valve 22, for example. A recovery operation is performed so that the position of the liquid level in the separator 20 is restored to a normal state. That is, in the explanation example of FIG. 5, the alarm function of the liquid level gauge 21 corresponds to an event detection method as a protective function, and automatic control by DCS and recovery control by operation instruction, and manual operation of the control valve by the operator are events. This corresponds to the recovery operation.

  In the case of the process of FIG. 5, in the case where the opening degree of the control valve 22 is excessive and the liquid level in the gas-liquid separator 20 is lowered, the liquid level in the gas-liquid separator 20 is lowered, resulting in a pipe that flows out the liquid. An event that gas is mixed in the path can be assumed. Below, the case where the opening degree of the control valve 22 becomes excessive will be described as an explanatory example, and the FT calculation support processing of this embodiment will be described.

<FT calculation processing flow>
FIG. 6 is an example of a flowchart of FT calculation support processing by the information processing apparatus 300. The information processing apparatus 300 of the FT calculation support apparatus 10 executes an FT calculation support procedure by a computer program that is executed in the main storage unit 302 in an executable manner.

  In the flowchart illustrated in FIG. 6, the start of the FT calculation support process can present, for example, the activation of a computer program stored in the auxiliary storage unit 303. Next, the information processing apparatus 300 that executes the FT calculation support process outputs, for example, an initial input screen for generating a risk scenario to the output unit 305, and initially registers an event of the risk scenario to the operator or the like. Prompt and obtain initial registration information (S1).

FIG. 7A is an example of an initial input screen output to the output unit 305 in order to generate a risk scenario. The initial input screen 30 in the figure includes a “Line” field 30f, a “Causes” field 30a, a “Consequences” field 30b, an “HC / FT” field 30e, a “Safeguards” field 30c, and a “Probability” field 30d. A line number is entered in the “Line” field 30f, and a danger scenario can be registered for each line. In the “Causes” field 30a, an initial event for generating a danger scenario is input. The initial event input to the “Causes” field 30a is an abnormal event that may occur with respect to the target equipment in the process. In the “Consequences” field 30 b, a disaster scenario that reaches a disaster event of a process that occurs as a result of a chain of occurrence events that can occur subsequently from the initial event is input. In the “HC / FT” field 30e, HAZchart and FT identification information generated in the risk scenario analysis is input. In the “Safeguards” field 30c, safety measures (including assumed safety measures) are displayed. "Probability" field 30d
Is inputted with the probability of disaster occurrence calculated as a result of the FT calculation support processing.

  For example, the operator or the like performs initial registration of the risk scenario along the case (example of explanation) assumed in the process of FIG. In the case of the explanation example, since the excessive opening degree of the control valve 22 is an abnormal event that may occur in the target equipment in the process, the “Causes” field 30a of the initial input screen 30 in FIG. Enter "Excessive degree". Further, in the case of the explanation example, since the liquid level in the gas-liquid separator 20 is lowered and gas is mixed into the piping path through which the liquid flows out, “Liquid Liquid” is displayed in the “Consequences” field 30b of the initial input screen 30 in FIG. Enter a disaster scenario that says “Surface reduction → Gas enters the line”. Further, in the case of the explanation example, since the alarm of the liquid level gauge 21 is the current safety measure, the “liquid level gauge alarm” is entered in the “Safeguards” field 30c of the initial input screen 30 of FIG. 7A.

Returning to the flowchart illustrated in FIG. 6, the information processing apparatus 300 generates a risk scenario based on the initial registration information (S2). The risk scenario is generated by generating an HAZchart in which an initial event, a chain of occurrence events that occur after the initial event, and a disaster event that is the result of the chain of occurrence events are expanded into a flowchart. Then, the information processing apparatus 300 generates an FT based on the HAZchart of the generated danger scenario (S3). The acquired initial registration information is stored in the safety evaluation management DB 250 in association with the HAZchart identification number and the FT identification number. Also, the HAZchart identification number of the risk scenario generated in S2 and the FT identification number generated in S3 are the same management such as “XXXX” such as “HC-XXXX” and “FT-XXXX”. A number is assigned and managed as a set of information such as “HC-XXXX / FT-XXXX”.

<HAZchart generation flow>
FIG. 8A illustrates a detailed flowchart of S1. In the flowchart of FIG. 8A, the information processing apparatus 300 sets an abnormal event of the facility device registered as the initial event as an initial event in HAZchart (S21). The information processing apparatus 300 refers to the risk scenario generation DB 210, acquires a drawing part or the like associated with the initial event, and generates an HAZchart initial event.

  In S22, the information processing apparatus 300 analyzes the input character string of the disaster scenario in order to identify a disaster event that occurs as a result of the chain of occurrence events that occur after the initial event and the chain of occurrence events. The target character string of In S23 to S26, the information processing apparatus 300 repeatedly executes the generated event analysis process by, for example, morphological analysis on the target character string.

  In S23 to S26, the information processing apparatus 300 executes analysis processing such as morphological analysis. The information processing device 300 uses the chain of occurrence events included in the disaster scenario as an intermediate event from the chain of occurrence events included in the disaster scenario (excluding disaster events) by the processing of S23 to S26. Identify events that occur as a result of chaining as disaster events. The information processing apparatus 300 refers to the risk scenario generation DB 210 according to the identified intermediate event and disaster event, acquires drawing parts associated with each event, and generates an HAZchart intermediate event and disaster event. .

In the processing from S23 to S26, analysis processing is performed by paying attention to characters constituting the target character string in order from the front (S23). And the separator showing the event progress contained in an object character string is specified (S24). For example, in the disaster scenario in the example of “Liquid level drop → Gas enters the line”, “→” representing the event progress is included as a separator between “Liquid level drop” and “Gas enters the line”. It is. The information processing apparatus 300 specifies a separator representing event progress by analyzing the target character string. In addition, arbitrary characters, symbols, etc. can be set for the separator representing the event progress.

  In S25, the separator specified in S24 is sandwiched, and the preceding and following character strings are specified as events that occur in chronological order along the event progress. For example, in the disaster scenario of the explanation example “Liquid level drop → Gas enters the line”, the separator “→” is sandwiched, and the events “Liquid level drop” and “Gas enter the line” appear before and after. It is arranged. The information processing apparatus 300 sandwiches the separator “→”, specifies the description range of the character string arranged before and after, and configures the HAZchart progress events in the order before and after the specified event contents (“liquid level lowering”). ”,“ Gas enters the line ”), the drawing parts and the like are acquired from the risk scenario generation DB 210 to generate HAZchart intermediate events and disaster events.

  In S26, the analysis process of S23-S25 is repeatedly executed in order until the end of the target character string.

  In S27, the information processing apparatus 300 arranges the configuration of the HAZchart generated by the processing in S21 to S26 in time series order. The information processing apparatus 300 arranges the initial event generated in S21 at the head, and arranges the configuration analyzed in S23 to S26 in time series along the disaster scenario. Then, a protection function setting frame constituting a pair is inserted in the order of the event detection method and the event recovery operation into a path that does not include the protection function between the event and the subsequent event. The information processing apparatus 300 acquires a protection function setting frame that constitutes a pair in the order of the event detection method and the event recovery operation from the risk scenario generation DB 210, and passes the HAZchart event path to the subsequent event path. insert.

  In the HAZchart generated in S21 to S27, the causal relationship from the occurrence event that can occur subsequently to the disaster event can be organized and grasped in time series by the process of S27. In addition, a protective function setting frame comprising a pair in the order of the event detection method and event recovery operation is inserted between the path of the event and the subsequent event. Method and event recovery action).

  For example, the HAZchart generated by the processing of S21 to S27 is displayed on the output unit 305 of the information processing apparatus 300 and presented to the operator or the like.

  FIG. 7B illustrates a HAZchart generated based on the risk scenario in the explanation example. In the HAZchart in the illustrated example, the direction from the initial event toward the disaster event is the time-series direction of the causal chain relationship, and “LCV excessive opening” is arranged at the top as the initial event 31a of the danger scenario. The “liquid level drop” input as the intermediate event is arranged in the middle following the initial event 31a as an occurrence event (intermediate event 31b) that occurs from the initial event. Further, “gas enters the line” input as the disaster scenario is arranged at the lowest level as the disaster event 31c of the process. As described above, in the HAZchart shown in the figure, the initial event 31a, the intermediate event 31b, and the disaster event 31c are arranged in time series order.

  A pair of protection function setting frames configured by an event discovery method 31d and an event recovery operation 31e is inserted between the path between the initial event 31a and the intermediate event 31b. Similarly, between the path between the intermediate event 31b and the disaster event 31c, a pair of protection function setting frames constituted by an event discovery method 31f and an event recovery operation 31g are inserted. In this way, in the HAZchart in the example, since the protective function setting frame is inserted between the path of the event and the subsequent event, the operator who presented the HAZchart can be aware of the existence of the protective function. .

The setting frame 31h is a “successful” scenario setting frame associated with the event recovery operation 31e, and the setting frame 31j is a “successful” scenario setting frame associated with the event recovery operation 31g.

  In the example disaster scenario, since the “liquid level alarm” is the current safety measure, the current safety measure is set as a protective function based on HAZchart in FIG. 7B.

  An operator or the like operates an input device such as a pointing device, for example, designates a setting frame of HAZchart presented from the information processing apparatus 300, and inputs setting of a protection function.

  For example, the information processing apparatus 300 receives an operation instruction of an input device such as a pointing device, and from the risk scenario generation DB 210 based on the initial registration information acquired in S1, the name of the equipment, the system type to which the equipment belongs, and the equipment And a protection function (including a human recovery operation when an abnormality occurs, detection means, etc.) associated with the operation operation of the equipment and the like. The acquired various information is presented to the operator.

  FIGS. 7C and 7D exemplify display screens for acquired information with reference to the danger scenario generation DB 210. FIG. 7C is an example of a display screen of a method for finding an event as a protective function, and FIG. 7D is an example of a display screen of a human recovery operation as a protective function.

  In the display screen 32 of FIG. 7C, a plurality of detection systems, alarms, and the like presented in the area 32a are information acquired from the danger scenario generation DB 210. The display screen 32 in the figure shows a state in which the system type to which the equipment device associated with the event discovery method displayed in the area 32a is selected by the operator or the like and the name of the equipment equipment is set in the area 32b. Show.

  The operator selects a “liquid level detection system” that includes the “liquid level gauge alarm” that is the current safety measure in accordance with the disaster scenario in the explanation example from a plurality of detection systems, alarms, etc. presented in the area 32a. , “LCV” which is the name of the target equipment is set in the area 32b. In the area 32c, the malfunction mode “abnormal detection value” associated with the equipment is automatically displayed.

  The information processing apparatus 300 registers the “liquid level detection system” selected by the operator or the like in the HAZchart event discovery method 31f.

  In the display screen 33 of FIG. 7D, the information displayed in the areas 33a, 33b, and 33c is information acquired from the danger scenario generation DB 210. The operator confirms the failure mode “recovery operation failure” by the “operator” displayed in the areas 33a, 33b, and 33c, and sets a human recovery operation as a protective function.

  The information processing apparatus 300 registers the “operator recovery operation” set by the operator or the like in the HAZchart event recovery operation 31g.

  FIG. 7E illustrates an example of HAZchart in which the protection function is set as described above and is generated based on the danger scenario. In the HAZchart of FIG. 7E, a “liquid level detection system” is set as the event detection method 31f in the protective function inserted between the intermediate event 31b and the disaster event 31c, and “operation” is set as the event recovery operation 31g. "Recovery action" is set.

<FT>
Returning to the flowchart illustrated in FIG. 6, the information processing apparatus 300 generates an FT based on the HAZchart of the generated disaster scenario (S3). The generation of the FT from the HAZchart has been described in the function description of the FT generation unit 130.

  FIG. 7F illustrates an FT according to the disaster scenario in the description example. FIG. 7F is an FT generated based on the HAZchart illustrated in FIG. 7E.

  In the FT of FIG. 7F, “Gas enters the line” of the top event 34a, “Low liquid level” of the event 34c, and “LCV opening excessively” of the event 34e are respectively the disaster event 31c and the intermediate event 31b of FIG. 7E. This corresponds to the initial event 31a. In the FT of FIG. 7F, the top event 34a, the event 34c, and the event 34e are hierarchized in the order of time series opposite to the HAZchart of FIG. 7E.

  Further, in the FT of FIG. 7F, “operator recovery operation failure” of event 34d, which is a “failure” example of “operator recovery operation” set as the event recovery operation 31g of FIG. The AND gate 34b is connected as an AND event corresponding to "surface reduction".

  In the FT of FIG. 7F, the event 34d includes “not notice the alarm” of the event 34m associated with the human action, “discovered but operation failure” of the event 34n, and “discovery means failure” of the event 34p. Are connected by OR event as a lower event. Furthermore, the event 34p is connected to the “DCS failure” of the event 34r, the “liquid level meter failure” of the event 34s, and the “alarm failure” of the event 34t as OR events as lower events. 34k and 34q are OR gates.

  In the FT of FIG. 7F, the “failure” case of the “liquid level detection system” set as the event detection method 31f of FIG. 7E is connected to the event 34e of “excessive LCV opening” as a lower event. Yes. As an example of a “failure” in the “liquid level detection system”, an “air control valve failure” in event 34g, a “DCS failure” in event 34h, and a “liquid level meter failure” in event 34j are OR gates 34f as OR events. It is tied with.

  In the FT of FIG. 7F, when the “liquid level gauge failure” of event 34j occurs, “LCV opening excessive” of event 34e occurs, “liquid level drop” of event 34c occurs, “ The top event 34a of “entering” occurs.

  In the process system illustrated in FIG. 5, a “liquid level gauge alarm” is assumed as a safety measure when the “LCV opening excessively” of the event 34 e occurs. Then, for example, in the FT of FIG. 7F, when the “liquid level meter failure” of the event 34j is the same as the “liquid level meter failure” of the event 34s (common factor event), the “discovery means failure” of the event 34p is Occurs, and the event 34d “operator recovery operation failure” occurs.

  In other words, in the danger scenario of the explanation example, when the “liquid level gauge failure” occurs, the “liquid level drop” of the abnormal event in the gas-liquid separator 20 caused by “LCV opening excessive” cannot be found. Therefore, the “Liquid Level Alarm” assumed as a safety measure does not work. For this reason, for example, the recovery operation (manual control valve operation or the like) of the operator who has received the alarm notification is not performed, and the top event 34a that “gas enters the line” occurs. It can be seen that the “liquid level gauge alarm” assumed in the danger scenario of the explanation example is inappropriate as a safety measure for the initial event of “excessive LCV opening”.

  In the FT of FIG. 7F, the “DCS failure” of the event 34h connected as the OR event to the event 34e also exists in the OR event connected as the lower event of the event 34p (the event 34r). It is the same.

  In the FT calculation support process of the present embodiment, it is possible to determine the appropriateness of the process safety measure by specifying such a common factor event and improve the accuracy of the disaster occurrence probability.

<Common factor event determination flow>
Returning to the flowchart illustrated in FIG. 6, the information processing apparatus 300 determines a common factor event from events (components) developed in the FT (S4).

  FIG. 8B illustrates a detailed flowchart of S4. In the flowchart of FIG. 8B, the information processing apparatus 300 sequentially selects combinations of two nodes from all the basic event nodes in the FT generated in S3 (S41). Here, for example, in the FT of FIG. 7F, the basic event is the lowest event where there is no subsequent event such as events 34g, 34h, 34j, 34m, 34n, 34r, 34s, and 34t. The basic event node is a component constituting the FT. The combination of basic event nodes is arbitrary.

  In S42, the information processing apparatus 300, in the selected two components (“node” in the figure), the “name (equipment name” in the figure) ”of the equipment and the“ type (in the figure) to which the equipment belongs. Then, “device type”) ”and“ function failure mode (“failure mode” in the figure ”)” associated with the equipment are all determined to be the same. For example, the information processing apparatus 300 extracts the “name” of the facility device, the “type” to which the facility device belongs, and the “failure mode” associated with the facility device for one component. Then, the other component is searched based on the extracted “name”, “type”, and “functional failure mode”. As a result of the search, if the same “name”, “type”, and “failure mode” as the extracted “name”, “type”, and “failure mode” exist, it is determined that they are the same (S42, YES), the process proceeds to S43. As a result of the search, if the same “name”, “type”, and “malfunction mode” as the extracted “name”, “class”, and “malfunction mode” do not exist, it is determined that they are not identical (S42). , NO), the process proceeds to S44.

  For example, in FIG. 7F, the information processing apparatus 300 selects the event 34j and the event 34s. Then, the information processing apparatus 300 extracts the “name” of the facility device of the event 34j, the “type” to which the facility device belongs, and the “failure mode” associated with the facility device. In event 34j, the “name” of the equipment is “LCV”, the “type” to which the equipment belongs is “liquid level detection system”, and the “failure mode” associated with the equipment is “detection value”. "Abnormal" is extracted. The information processing apparatus 300 associates the extracted “LCV”, “liquid level detection system”, and “detection value abnormality” with the “name” of the equipment in the event 34s, the “type” to which the equipment belongs, and the equipment. Search for “malfunction mode”. Since the event 34s is the same event discovery method as the event 34j, the “name” of the equipment of the event 34s, the “type” to which the equipment belongs, and the “failure mode” associated with the equipment are the event Matches 34j. The information processing apparatus 300 proceeds to S42.

  In S43, the information processing apparatus 300 identifies the two selected components as common factor events. For example, a flag indicating a common factor event may be set in the identified component. In S44, the information processing apparatus 300 sets the two selected components as independent events.

  In S45, the iterative process of S41-S45 is performed until the combination of all the constituent elements is completed. The information processing apparatus 300 delivers the information of the component identified as the common factor event to S5 and S6. For example, in FIG. 7F, the information processing apparatus 300 has the “name” of the equipment that has extracted S34j, S34s, S34h, and S34r as common factor events, the “type” to which the equipment belongs, and the “function” associated with the equipment. Together with “failure mode”, it is transferred to S5 and S6.

<Safety measures judgment flow>
Returning to the flowchart illustrated in FIG. 6, the information processing apparatus 300 determines the suitability of the initially registered safety measure from the common factor event identified in S <b> 4 (S <b> 5).

  FIG. 8C illustrates a detailed flowchart of S5. In the flowchart of FIG. 8C, the information processing apparatus 300 identifies the disaster scenario path by the initial event and the top event to be analyzed (S51). Then, the information processing apparatus 300 sequentially selects all detection systems and automatic countermeasure systems that contribute to human actions in the identified disaster scenario path as candidates for safety measures (S52). For example, in the HAZchart of FIG. 7E, the “LCV liquid level detection system” set as the event discovery method 31f is selected by the process of S52.

  In S53, the information processing apparatus 300 determines that the target candidate is a facility that contributes to the prevention of disaster progress when it is assumed that the equipment failure that constitutes the malfunction mode of the initial event has occurred in the equipment that constitutes the target system. Determine if the configuration. For example, the information processing apparatus 300 may determine whether the target candidate selected in S52 is the common factor event specified in S4, and may determine whether the facility configuration contributes to disaster progress protection. This is because when the detection system and the automatic response system that contribute to human actions as the target candidates are common factor events, the equipment configuration does not contribute to disaster progress protection.

  In the information processing apparatus 300, the target candidates selected in S52 are the “name” of the facility device extracted as the common factor event, the “type” to which the facility device belongs, and the “failure mode” associated with the facility device. It is determined whether or not they are the same. When the target candidate selected in S52 is the same as the equipment extracted as the common factor event, the information processing apparatus 300 determines that the target candidate is not an equipment configuration that contributes to disaster progression protection (S53, NO). , The process proceeds to S54. If the target candidate selected in S52 is not the same as the equipment extracted as the common factor event, the information processing apparatus 300 determines that the target candidate is the equipment configuration that contributes to disaster progress protection (S53, YES), and S55. Migrate to

  By the process of S53, for example, the “LCV liquid level detection system” set as the event discovery method 31f is determined to be a common factor event specified in S4, so that the target candidate is not an equipment configuration that contributes to disaster progress protection. The

  In S54, the information processing apparatus 300 temporarily stores the target candidate system name in a predetermined area of the main storage unit 302, for example, and proceeds to S55.

  In S55, the information processing apparatus 300 sets the next target candidate and performs an iterative process until all target candidates are completed in the disaster scenario path. The information processing apparatus 300 delivers the target candidate system name stored in S54 to S7.

<Calculation of FT disaster probability>
Returning to the flowchart illustrated in FIG. 6, the information processing apparatus 300 calculates the probability of occurrence of a disaster event based on the common factor event (common factor event) identified in S4 (S6). The information processing apparatus 300 is associated with the failure probability associated with the equipment device of the basic event and the human recovery operation as a protective function from the failure probability DB 230 and the human error DB 240 based on the basic event generated in S3. Get the error probability. The information processing apparatus 300 calculates the occurrence probability of reaching the disaster event from the acquired failure probability and error probability and the common factor event along the path connected by each logical symbol.

  The probability of occurrence leading to the disaster event calculated in S6 is, for example, displayed on the output unit 305 of the information processing apparatus 300 and presented to the operator or the like. The occurrence probability of reaching the disaster event calculated in S6 is stored in the safety evaluation management DB 250 in association with the HAZchart and FT identification numbers as an index of the safety evaluation of the scenario leading to the disaster event of the process.

  FIG. 7G illustrates a display screen of the occurrence probability of reaching the disaster event calculated based on the common factor event.

  In the display screen 35 illustrated in FIG. 7G, the initial registration information acquired in S1 is displayed in the areas 35a, 35b, and 35d. In FIG. 7G, the area 35a displays “LCV opening excessively” registered as an initial event, the area 35b displays “displaced liquid → gas enters line” registered as a disaster scenario, and the area 35d displays “Liquid level alarm” registered as the current safety measure is displayed. The area 35c displays the HAZchart identification number and the FT identification number assigned when the disaster scenario is generated in S2.

  In the display screen 35 illustrated in FIG. 7G, the probability of occurrence of the disaster event calculated in S6 is displayed in the area 35e. The probability of occurrence of a disaster event that reflects the common factor event in the FT in the description example is “1.91E-004”.

  Returning to the flowchart illustrated in FIG. 6, the information processing apparatus 300 updates the initial registration information, and presents the result of the suitability of the safety measure determined in S5 to the operator (S7). For updating the initial registration information, for example, the display screen 36 illustrated in FIG. 7H is presented to the operator to prompt the update of the initial registration information. An operator or the like operates an input device such as a pointing device, for example, operates an operation button 36a on the display screen 36 presented from the information processing apparatus 300 to execute update processing.

  The information processing apparatus 300 receives an operation instruction of an input device such as a pointing device, for example, and updates the “Safeguards” field 30c of the initial input screen 30 based on the target candidate system name delivered in S5. Further, the “Probability” field 30d is updated based on the occurrence probability of reaching the disaster event calculated in S6.

  Furthermore, the information processing apparatus 300 performs an update process of the “Safeguards” field 30c of the initial input screen 30 based on the suitability of the safety measure determined in S5. For example, as a result of the determination processing in S5, the information processing apparatus 300 searches for the character string of the safety measure in the “Safeguards” field 30c corresponding to the delivered target candidate system name, and deletes it from the “Safeguards” field 30c. Also good. For example, when a plurality of safety measures are registered, the character string of the safety measure associated with the target candidate system name may be highlighted. As a result of the update, it is only necessary to present to the operator or the like that the current safety measures displayed in the “Safeguards” field 30c are not an equipment configuration that contributes to disaster progress protection (inappropriate safety measures).

  In addition, as explained in FIG. 7B, in HAZchart, since a protective function setting frame is inserted between the path of an event and a subsequent event, an operator who is presented with HAZchart is aware of the existence of the protective function. be able to. For example, the operator can examine the intermediate event 31b between the initial event 31a and the disaster event 31c that have already been input in more detail from the presence of the presented protective function. In this case, the operator may add a plurality of events such as intermediate events 31b ′ and 31b ″ between the intermediate event 31b and the disaster event 31c displayed by HAZchart and between the initial event 31a and the intermediate event 31b. Is possible. When such an additional change occurs, the information processing apparatus 300 updates the “Consequences” field 30b of the initial input screen 30 together with the update process described above.

For example, when the intermediate event 31b ′ is added between the initial event 31a and the intermediate event 31b, the information processing apparatus 300 inserts the added intermediate event 31b ′ between the initial event 31a and the intermediate event 31b. Then, the “Consequences” field 30 b of the initial input screen 30 is updated. The information processing apparatus 300 extracts a character string from the intermediate event 31b ′ added by HAZchart, and inserts it between the character strings of the initial event 31a and the intermediate event 31b in combination with a separator representing event progress such as “→”.

  FIG. 7J illustrates a display screen of a result of updating the initial registration information. The example of the display screen in FIG. 7J is a screen example in which the character string “Liquid level alarm” is deleted from the “Safeguards” field 30c set in the initial input screen 30 illustrated in FIG. 7A as a result of the update process. is there.

〔effect〕
As described above, in the FT calculation support process according to the present embodiment, all the components that are operated in response to the occurrence event included in the disaster scenario are searched, and components having the same name and attribute exist. In this case, since the constituent element can be identified as a common factor event, even when there are a plurality of common factor events in the scenario, the exact probability of occurrence of a disaster event can be calculated. If safety measures are set, the suitability of the set safety measures is determined based on the identified common factor event. Based on the determination result, it is possible to deploy an appropriate safety measure by reviewing the safety measure that has been assumed in the past, so that a process system with high safety accuracy can be constructed.

  Further, in the FT calculation support process of the present embodiment, a disaster scenario from an occurrence event that can occur subsequently to a disaster event due to an initial event can be arranged and displayed in chronological order as HAZchart. For this reason, the causal relationship between complicated events can be easily grasped. In addition, a protective function setting frame comprising a pair in the order of the event detection method and event recovery operation is inserted between the path of the event and the subsequent event. Method and event recovery action).

<Computer-readable recording medium>
A program for causing a computer or other machine or device (hereinafter, a computer or the like) to realize any of the above functions can be recorded on a recording medium that can be read by the computer or the like. The function can be provided by causing a computer or the like to read and execute the program of the recording medium.

  Here, a computer-readable recording medium is a recording medium that stores information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from a computer or the like. Say. Examples of such a recording medium that can be removed from a computer or the like include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a Blu-ray disk, a DAT, an 8 mm tape, a flash memory, and the like. There are cards. In addition, as a recording medium fixed to a computer or the like, there are a hard disk, a ROM (read only memory), and the like.

DESCRIPTION OF SYMBOLS 10 FT calculation support apparatus 20 Gas-liquid separation apparatus 21 Level gauge 22 Control valve 110 Risk scenario generation part 120 Scenario generation support part 130 FT generation part 140 Common factor event determination part 150 FT disaster probability calculation part 160 Output part 200 Storage device 210 Danger scenario DB
220 FT generation DB
230 Failure probability DB
240 Human Error DB
250 Safety evaluation management DB
300 Information processing device 301 CPU
302 Main storage unit 303 Auxiliary storage unit 304 Input unit 305 Output unit 306 Communication unit

Claims (5)

The process based on a scenario that is caused by an abnormal event that may occur with respect to the equipment in the target process and that leads to a disaster event of the process that occurs as a result of a chain of occurrence events that may occur after the abnormal event FT calculation support program for performing safety evaluation calculation of
On the computer,
For the equipment in the process, extracting from the scenario the name and attribute of the first component that is operated at least in response to the occurrence event;
Retrieving the first based on the name and attributes extracted from the components, the name and attributes of all of the components driving operation corresponding to the generated event included in the scenario is executed,
As a result of the search, when there is a second component having the same name and attribute as the name and attribute extracted from the first component, the second component having the same name and attribute is Identifying a common factor event that is interdependent with the first component and includes concurrent elements ;
Based on the specified common factor event and the probability index specified for each of the other components excluding the common factor event , the probability index leading to the disaster event of the process follows the abnormal event. Calculating along the path of a chain of possible occurrences and calculating a safety assessment index for the scenario;
Outputting the calculated safety index of the scenario leading to the disaster event of the process to a display device ;
FT calculation support program for executing In the scenario, when a safety measure is set as a component that is operated in response to the occurrence event, the suitability of the set safety measure is determined based on the specified common factor event Step to do,
The FT calculation support program according to claim 1, further executing: Arranging the occurrence events included in the scenario in chronological order, and inserting a protection function between the occurrence events and the occurrence events that can occur subsequently;
The FT calculation support program according to claim 1 or 2, further executing The process based on a scenario that is caused by an abnormal event that may occur with respect to the equipment in the target process and that leads to a disaster event of the process that occurs as a result of a chain of occurrence events that may occur after the abnormal event FT calculation support method for performing safety evaluation calculation of
Computer
For the equipment in the process, extracting from the scenario the name and attribute of the first component that is operated at least in response to the occurrence event;
Retrieving the first based on the name and attributes extracted from the components, the name and attributes of all of the components driving operation corresponding to the generated event included in the scenario is executed,
As a result of the search, when there is a second component having the same name and attribute as the name and attribute extracted from the first component, the second component having the same name and attribute is Identifying a common factor event that is interdependent with the first component and includes concurrent elements ;
Based on the specified common factor event and the probability index specified for each of the other components excluding the common factor event , the probability index leading to the disaster event of the process follows the abnormal event. Calculating along the path of a chain of possible occurrences and calculating a safety assessment index for the scenario;
Outputting the calculated safety index of the scenario leading to the disaster event of the process to a display device ;
FT calculation support method for executing The process based on a scenario that is caused by an abnormal event that may occur with respect to the equipment in the target process and that leads to a disaster event of the process that occurs as a result of a chain of occurrence events that may occur after the abnormal event FT calculation support device for performing safety evaluation calculation of
For the equipment in the process, extracting from the scenario the name and attribute of the first component that is operated at least in response to the occurrence event;
Means for retrieving the first based on the name and attributes extracted from the components, the name and attributes of all of the components driving operation corresponding to the generated event included in the scenario is executed,
As a result of the search, when there is a second component having the same name and attribute as the name and attribute extracted from the first component, the second component having the same name and attribute is Means for identifying a common factor event that is interdependent with the first component and includes concurrent elements ;
Based on the specified common factor event and the probability index specified for each of the other components excluding the common factor event , the probability index leading to the disaster event of the process follows the abnormal event. Means for calculating along the path of a chain of possible occurrences and calculating a safety assessment index for said scenario;
Means for outputting to the display device an index of a safety assessment of the scenario leading to the disaster event of the calculated process;
FT calculation support device comprising:

Images