Safety in the Underground Construction and Operation of the Exploratory Studies Facility at Yucca Mountain (1995)

Bruce L. Blackford

This paper describes the two predominant design analysis techniques that are currently employed to perform safety engineering analysis on modern-day, sophisticated equipment and systems. These analysis techniques provide a cost-effective means of uncovering design flaws that otherwise would go undetected until after the equipment has been delivered to the user.

Unfortunately, tunnel equipment designers and manufacturers do not routinely perform these analyses in their design process, thereby leaving potentially catastrophic design flaws that can result in fatal accidents. Pieces of tunneling equipment in general, and tunnel boring machines (TBMs) in particular, are not mass-produced items, but rather are one-of-a-kind prototypes. As such, TBM designs are not field-proven to be fail-safe.

Failure mode, effects, and criticality analysis (FMECA) and fault-tree analysis (FTA) provide invaluable insight into a design and its potential failure mechanisms during the design process. These analyses can identify potential equipment-failure modes that can be catastrophic, while the design is still on the drawing board. It is at this point in the design process that action to correct potential safety hazards is most cost-effective. For this reason it is imperative that government agencies and management and operations contractors fully understand the benefit of these two types of safety design analysis when procuring tunneling equipment. These analyses should be a contractual requirement during the design of all tunneling equipment delivered as part of the Yucca Mountain Project (YMP).

Safety is of prime importance in today's society. In fact, we all want to know how safe our streets are after dark, or whether it is safe to swim in the ocean when we know we share it with sharks. However, when it comes to the safety of those using sophisticated, modern-day equipment, we rely on a false security, believing that the equipment designer has considered all safety issues and has resolved all critical design flaws before the equipment is delivered to the user. If this were true, we would not have manufacturer safety recalls, which occur on a regular basis. In fact, most designers in America are only concerned with equipment performance, producibility, and cost to manufacture, not safety. Safety considerations at the design level are usually limited to issues mandated by law or government regulations (e.g., federal seat-belt laws, Occupational Safety and Health Administration regulations).

Pieces of tunneling equipment in general, and TBMs in particular, are not mass-produced items, but rather are one-of-a-kind prototypes, designed for a specific user with a specific application. As such, these designs are not field-proven to be raft-safe. While TBM manufacturers have been around for decades, the engineering design effort still remains largely void of engineering analysis techniques that would provide safety insight into the design on an a priori basis.

Some government agencies (e.g., the National Aeronautics and Space Administration, the Department of Defense, and the Federal Aviation Agency) have been instrumental in developing engineering analysis techniques due to the catastrophic nature of equipment failure in their environments. Techniques such as FMECA and FTA provide great insight into the design before the item is even built. Failure of the design team to perform such analyses leaves the eventual user or operator with equipment for which safety is by chance, not by design. Failure of government agencies and their management and operations contractors to understand fully the benefit of and to require contractually these types of analyses during the design of sophisticated electrical and mechanical systems and equipment can result in preventable, fatal accidents.

This paper will describe two types of analysis, FMECA and FTA, as they apply to typical tunneling equipment and TBMs. Most designers are not even aware that these safety engineering design analyses have been developed to proactively understand equipment modes of failure while the design is still on the drawing board. This stage is the most cost-effective timeframe in which to understand basic failure modes so they can be designed out, rather than being discovered later after a catastrophic event, such as a major injury or loss of life, during in-service use.

FMECA basically consists of identifying and tabulating each of the modes by which a system, component, or part may fail, along with the resulting effect on the system or equipment. It is normally performed by considering one failure at a time (i.e., a single contingency).

The primary objective of FMECA used as a safety design analysis is to iteratively examine all potential failure modes, their causes, and their effects to give the designer information on areas where design failures may cause hazardous effects. Figure 1 shows an example of an FMECA worksheet. FMECAs should be started as soon as preliminary design information is available at the system level for early identification of all critical and catastrophic failure possibilities. This allows such potential failures to be eliminated or minimized through design correction at the earliest possible time. The FMECA is an iterative process as the design continues, evaluating not only these design changes but also any changes that were incorporated to reduce potential safety hazards.

A properly performed FMECA is invaluable to those responsible for making program decisions regarding the feasibility and adequacy of a design approach. The extent of the effort and the sophistication of the approach used in FMECA will depend on the nature of the equipment and its intended application. This makes it necessary to tailor the requirements for FMECA to each individual program.

Once the failure modes and their effects have been identified, severity classifications are assigned to provide a qualitative measure of the worst potential consequences of each failure. Severity classifications are assigned to each identified failure mode and each item is analyzed in accordance with the following loss statements, defined specifically for human safety hazards.

• category I—catastrophic—a failure mode resulting in death;
• category II—critical—a failure mode resulting in severe injury;
• category III—marginal—a failure mode resulting in minor injury; and
• category IV—minor—a failure mode that is not serious enough to cause injury.

Once a severity classification is assigned, a probability of occurrence is then assigned so that the criticality portion of the FMECA can be accomplished. The purpose of the criticality analysis is to rank each potential failure mode according to the combined influence of its severity classification and its probability of occurrence. Individual-failure-mode probabilities of occurrence should be grouped into distinct, logically defined levels establishing the qualitative failure probability level. Probability of occurrence levels are defined as follows:

• level A—frequent—a failure mode occurring more than 20 percent of the time;
• level B—probable—a failure mode occurring more than 10 percent of the time, but less than 20 percent of the time;
• level C—occasional—a failure mode occurring more than 1 percent of the time, but less than 10 percent of the time;
• level D—remote—a failure mode occurring more than 0.1 percent of the time, but less than 1 percent of the time; and
• level E extremely remote—a failure mode occurring less than 0.1 percent of the time.

The results of an FMECA can best be presented using a criticality matrix (see Figure 2). The criticality matrix provides a means of identifying each failure mode and comparing it to all other failure modes with respect to severity and probability of occurrence. The matrix is constructed by inserting item or failure-mode-identification numbers in matrix locations representing the severity-classification category and the probability of occurrence of each of the item's failure modes.

The resulting matrix display shows the distribution of the criticality of item-failure modes and provides a tool for assigning corrective action priorities. As shown in Figure 2, the further along the diagonal line from the origin the failure mode is recorded, the greater the criticality and the more urgent the need to implement corrective action.

Figure 2

Example of a criticality matrix.

FTA is also a valuable design and diagnostic tool and is one of the principle methods of system safety analysis. It is a detailed analysis that can predict the combinations of multiple failure events (i.e., multiple contingencies) inherent in a system design that are most likely to cause system failures resulting in potential accidents. In this way, FTA can identify critical and catastrophic events on a proactive basis.

FTA evaluates an undesired event by working backwards from the undesired event through an enumeration of its causes. This approach identifies all influences contributing to the undesired event, including not only hardware failures but also nonhardware causes

such as human error, rare operational or maintenance events, and unusual environmental conditions. Once these influences are identified, the relative impact of each is assessed.

The FTA process includes two major steps: (1) fault-tree construction and (2) fault-tree evaluation. The following paragraphs describe these steps.

The goal of fault-tree construction is to identify all event conditions that can result in the top-level undesired event. Before construction of the fault tree can proceed, a thorough understanding of the system is required.

A fault tree is a deductive process that graphically and logically represents the various combinations of possible fault and normal events occurring in a system that lead to the top event. An event is a dynamic change of state to a system element. System elements include hardware, software, and human and environmental factors.

Various symbols represent specific types of fault and normal events in FTA. In constructing the fault tree, these symbols are used to describe a variety of events and are common to all types of fault-tree construction. They are not repeated in this paper but are readily available from a number of FTA sources.

The fundamental logic gates for fault-tree construction are the ''OR'' and the "AND" gates. The "OR" gate describes a situation where the output event will exist if one or more of the input events exist. The "AND" gate describes the logical operation requiring the coexistence of all input events to produce the output event. The symbols for these two logic gates and some of the event symbols are shown in a simplified example of a fault tree in Figure 3.

Once constructed, the fault tree serves as an aid in determining the possible causes of an undesired event. When properly used, the fault tree often leads to the discovery of failure combinations that otherwise might not have been recognized as causes of the event being analyzed. The fault tree can also serve as a visual tool in communicating and supporting decisions based on the analysis, specifically when determining the adequacy of a system design. The fault tree provides an efficient format helpful in evaluating the safety of the design for the intended application.

The evaluation of the fault tree can be either qualitative, quantitative, or both, depending on the scope of the analysis. The primary objective of fault-tree evaluation is

to determine if there is an acceptable level of safety in the proposed system design (i.e., will the proposed design suitably minimize the probability of occurrence of the top event). If the system design is found inadequate, then it is upgraded by first identifying critical events that significantly contribute to the top event and then by changing the design to reduce the effect of the critical events. Cost constraints, contractual requirements, and other factors limit the design changes that can be made. Therefore, trade-off studies are necessary to determine what changes will be incorporated. When all design changes have been made, the fault tree is re-evaluated to determine whether the revised design provides an acceptable level of safety.

Well-proven analysis techniques exist to uncover safety-critical design flaws during the design process, rather than after the equipment has been delivered and is operating in the tunnel. The two most effective techniques are the FMECA and the FTA. In essence, these analysis techniques can be used either as a tool to uncover safety flaws during the design process, when design change is the most cost effective and can prevent potential accidents, or after an accident to assist investigators in determining the cause of the accident. The first of these is clearly preferable. Therefore, government agencies and management and operations contractors should require these two safety engineering design analyses as part of the design process for all tunneling equipment. More specifically, the Department of Energy should require FMECA and FTA of the tunneling equipment to be delivered as part of the YMP.