Supp HAZOP 1 Hazard Analysis Review: The Concept of Risk

ahmedmagd 27 views 49 slides Jun 25, 2024

About This Presentation

Supp HAZOP 1


Slide Content

Slide 1
Oct. 2004
U8183 Safety Critical Systems 1
Lecture 3: Hazard Analysis
Module U8183 Safety-Critical Systems
Dr. Hong Zhu
Department of Computing

Slide 2: Review: The Concept of Risk

Risk: the likelihood of specified harm arising from one or more hazards within a specified period or in specified circumstances.

Components of risk (as drawn on the slide):
  Risk
    Hazard level
      Hazard severity
      Likelihood of hazard occurring
    Hazard exposure
      Likelihood of hazard leading to an accident

Judgment of the acceptability of a risk:
  Levels of risk: Intolerable, Acceptable, ALARP principle
  Relies on the awareness of all hazards

Slide 3: Today's Lecture

The concept of hazard
Techniques of hazard analysis
System safety process
Application of hazard analysis within the development life-cycle, as required in regulations (IEC 61508)

Slide 4: The Concept of Hazard

Definitions:
A hazard is a situation in which there is an actual or potential danger to people or to the environment. (Neil Storey, 1996)
A hazard is a state or set of conditions of a system (or an object) that, together with other conditions in the environment of the system (or object), will lead inevitably to an accident (loss event). (Nancy Leveson, 1995)
Hazard: potential source of harm, where harm is defined as 'physical injury or damage to the health of people either directly, or indirectly as a result of damage to property or to the environment'. (IEC 61508-4)

Examples:
Stung by insects while walking in the country
Struck by lightning while walking outside in a thunderstorm
Knocked down by a car while walking in the city

A hazard is defined with respect to the environment of the system or component.
What constitutes a hazard depends on where the boundary of the system is drawn.

Slide 5: Related Concepts

Accident:
An actual occurrence of a hazard situation
An undesired and unplanned event that results in (at least) a specified level of loss

Incident (or near miss):
An event that involves no loss (or only minor loss) but with the potential for loss under different circumstances

Slide 6: Goals of Hazard Analysis

In development: the examination of a new system to identify and assess potential hazards in order to eliminate or control them.

In operation: the examination of an existing system
To identify and assess hazards in order to improve the level of safety;
To formulate a safety management policy;
To train personnel;
To increase motivation for efficiency and safety of operation.

In licensing: the examination of a planned or existing system to demonstrate its level of safety for its acceptability by the authorities or the public.

Slide 7: Techniques of Hazard Analysis

"What if" analysis
Checklist analysis
FMEA: Failure mode and effects analysis
FMECA: Failure mode, effects and criticality analysis
HAZOP: Hazard and operability studies
Preliminary Hazard Analysis (also known as PrHA or Screening Level Risk Analysis, SLRA)
ETA: Event tree analysis
FTA: Fault tree analysis

Note: Fault tree and event tree analyses are most commonly used for risk quantification rather than hazard identification.

Slide 8: Fault Tree Analysis (FTA)

A means for analysing the causes of a known hazard.
It is a top-down search method. It starts with an event directly related to an identified hazard (called the top event) and works backwards to determine its causes.

Example:
An automotive brake fluid warning lamp circuit is shown in the diagram. The top event is the lamp failing to light when the brake fluid level is low.
[Diagram: warning lamp circuit made up of a battery, a fuse, a float switch and the warning lamp]

Slide 9: Fault Tree Notation

Event symbols:
Intermediate event: an event that results from a combination of other events
Basic or primary event: an event that requires no further development
An event that is not developed further, either because it is unnecessary or because no information is available
An event that is expected to occur normally
A condition that must be present to produce the output of a gate (e.g. used to enforce an order sequence on an AND gate)
Transfer: used to link trees

Gate symbols:
AND gate
OR gate
INHIBIT gate, with input In, output Out and condition Cond: the condition Cond determines whether the input event In appears at the output

Slide 10: Fault Tree for the Warning Lamp

Fault tree drawn on the slide. Every gate in it is an OR gate: the output event occurs if ANY of the inputs occur.

warning lamp does not operate (top event)
  OR
  |-- primary lamp failure (basic event)
  |-- no voltage applied to lamp (fault event resulting from other events)
        OR
        |-- battery failure (basic event)
        |-- fuse open-circuit (fault event resulting from other events)
        |     OR
        |     |-- primary fuse failure (basic event)
        |     |-- secondary fuse failure (basic event)
        |-- switch contacts fail to close (fault event resulting from other events)
        |     OR
        |     |-- primary switch failure (basic event)
        |     |-- secondary switch failure (basic event)
        |-- cable or connector failure (fault event not traced)

Slide 11: Process of Fault Tree Analysis

System definition
A thorough understanding and definition of the system and its interrelationships
Uses system functional diagrams, flow diagrams, logic diagrams or other design representations
The physical system boundaries must be carefully defined

Fault tree construction
Identify the system state and the top events
Construct a fault tree by selecting one top event and working top-down to search for the events that cause it
Use logic symbols to describe the relations

Qualitative analysis
Goal: to identify the failure modes
Method: to find the minimal cut sets

Quantitative analysis

Slide 12: Quantitative Analysis: Cut Set and Minimal Cut Set

Cut set
A set of primary events that can cause the top event to happen
It represents a combination of events/conditions that is sufficient to cause the top event (an accident) to happen

Minimal cut set
A cut set that cannot be reduced any further by deleting an element while still being sufficient to cause the top event
The minimal cut set is not unique; each one represents a mode of the system that causes system failure (i.e. a failure mode)

Slide 13: Evaluation of Fault Tree Analysis Method

Pros
Well accepted technique.
Easily understood graphical representation.
Good at finding the relationships to a particular top event.
Efficient, concentrating on known problems.
Can be quantified.

Cons
Large trees are difficult to understand.
Bears no relationship to system flow sheets.
Will not reveal unanticipated accidents.
Not mathematically unique.
Involves complex logic.

Slide 14: Event Tree Analysis (ETA)

A forward search method to identify the various possible outcomes of a given initiating event:
starting with the events that can affect the system and tracking them forward to determine their possible consequences;
based on the distinction between success and failure.

Recording analysis results in the form of a tree:
The root of the tree is an initiating event
The subsequent layers correspond to the functions or subsystems
The branches correspond to the success or failure of activating the subsystem under the conditions of the higher layers.

Slide 15: Evaluation of Event Tree Analysis Method

Pros
Identifies possible outcomes of an initiating event, taking account of other conditions that might apply.
Particularly useful for safety analysis with mitigating circumstances.
Can be selective: only dangerous options need to be developed.
Useful for identifying top events for FTA; FTAs can be associated with each branch point.
Can be quantified.

Cons
For comprehensive risk analysis, all initiating events need to be identified.
Does not identify alternative underlying causes of the same outcome.
Only deals with success/fail combinations; difficulties with handling delayed recoveries.

Slide 16: Probabilistic Hazard Analysis

Both ETA and FTA can be quantified to produce a probabilistic hazard analysis.
Assign a probability to each branch of the tree, corresponding to the probability of that path.
The overall probability of failure can be obtained by combining the probabilities of the various branches.

Slide 17: Probabilistic ETA

The ETA may be modified to include probabilities at each branch.
At each branch point the sum of the probabilities is unity, because one of the events must occur.
The probability of following a path to any of the leaves on the right-hand side of the diagram is simply the product of the probabilities of taking the appropriate branches along the route.
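As an added example (not from the lecture), the branch-product rule of this slide applied in Python to the train-borne ATP of slides 22 and 23; the subsystem names and success probabilities are constructed, and a failure at any layer is taken to end the path, as in a selectively developed event tree.

```python
"""Probabilistic event tree for the ATP of slides 22 and 23.

Added example, not from the lecture.  The initiating event is an
overspeed condition; each layer is a train-borne subsystem that either
succeeds or fails, and the success probabilities are constructed numbers.
"""

# Layers after the initiating event, in the order the protection acts.
# Each entry: (subsystem, probability that it succeeds).  Constructed values.
ATP_LAYERS = [
    ("antenna receives trackside speed limit", 0.999),
    ("tachometer reports correct speed", 0.998),
    ("PES commands emergency brake", 0.9995),
    ("emergency brake actuates", 0.995),
]


def validate_layers(layers):
    """The two branches at a node must sum to unity, so each success
    probability must lie in [0, 1]; failure is then 1 - success."""
    for name, p in layers:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}: probability {p} outside [0, 1]")


def event_tree_paths(layers):
    """Enumerate the developed paths of the tree.

    A success branch continues to the next layer; a failure branch ends the
    path, because once a layer fails the overspeed is unmitigated whatever
    the later layers do.  Each path carries the product of the branch
    probabilities along its route.
    """
    validate_layers(layers)
    paths = []
    p_so_far = 1.0                       # probability of reaching this layer
    for name, p_success in layers:
        paths.append((f"{name}: fails", p_so_far * (1.0 - p_success)))
        p_so_far *= p_success
    paths.append(("all layers succeed", p_so_far))
    return paths


def outcome_probabilities(layers):
    """Collapse the paths into the two terminal outcomes and check that the
    leaf probabilities still sum to one."""
    paths = event_tree_paths(layers)
    total = sum(p for _, p in paths)
    if abs(total - 1.0) > 1e-9:
        raise ArithmeticError(f"leaf probabilities sum to {total}, not 1")
    protected = paths[-1][1]
    return {"overspeed stopped": protected,
            "overspeed unmitigated": 1.0 - protected}


def dominant_failure_path(layers):
    """The failure branch with the highest probability: the natural top
    event to hand to a fault tree analysis."""
    failures = event_tree_paths(layers)[:-1]
    return max(failures, key=lambda path: path[1])[0]


if __name__ == "__main__":
    for label, p in event_tree_paths(ATP_LAYERS):
        print(f"{p:.6f}  {label}")
    print(outcome_probabilities(ATP_LAYERS))
    print("develop first with FTA:", dominant_failure_path(ATP_LAYERS))
```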

Slide 18: Probabilistic FTA

Determine the probability of the top event as a Boolean expression of basic events.
Reduce the Boolean expression to the minimal cut sets.
Assign probabilities of failure to basic events and calculate the probability of failure of the top event.
In practice, fault trees can be large, so reduce the failure modes during analysis and/or use tools.
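As an added example that is not part of the lecture, the three steps above carried out in Python: minimal cut sets are derived from the gate structure of the warning lamp tree of slide 10 and of the tank of slide 30 (recast here as a fault tree so that an AND gate appears), and the top-event probability is then computed from them. The trees' event names follow the slides; the basic-event probabilities are constructed.

```python
"""Minimal cut sets and top-event probability of a fault tree.

Added example, not from the lecture.  LAMP_TREE is the brake fluid warning
lamp of slides 8 and 10 (OR gates only); TANK_TREE is the tank of slide 30
rewritten as a fault tree so that an AND gate is exercised as well.
"""
from itertools import combinations, product

# A tree maps each intermediate event to (gate type, inputs).  An input that
# is not itself a key is a basic event or an event not developed further.
LAMP_TREE = {
    "warning lamp does not operate": ("OR", [
        "primary lamp failure", "no voltage applied to lamp"]),
    "no voltage applied to lamp": ("OR", [
        "battery failure", "fuse open-circuit",
        "switch contacts fail to close", "cable or connector failure"]),
    "fuse open-circuit": ("OR", ["primary fuse failure", "secondary fuse failure"]),
    "switch contacts fail to close": ("OR", [
        "primary switch failure", "secondary switch failure"]),
}

# Explosion needs the pressure to be too high AND both relief valves to stay
# shut; each valve stays shut through the valve itself or through its control.
TANK_TREE = {
    "explosion": ("AND", ["pressure too high", "relief valve 1 does not open",
                          "relief valve 2 does not open"]),
    "relief valve 1 does not open": ("OR", [
        "valve 1 failure", "computer does not open valve 1"]),
    "relief valve 2 does not open": ("OR", [
        "valve 2 failure", "operator does not open valve 2"]),
}

def cut_sets(tree, event):
    """All cut sets of `event` (step 1, as sets rather than a Boolean
    formula): an OR gate contributes each input's cut sets, an AND gate
    one cut set from every input, merged."""
    if event not in tree:                        # basic or undeveloped event
        return [frozenset([event])]
    gate, inputs = tree[event]
    child_sets = [cut_sets(tree, i) for i in inputs]
    if gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r}")

def minimal_cut_sets(tree, top):
    """Drop every cut set that contains another one (step 2).  Each
    survivor is one failure mode of the system (slide 12)."""
    sets = set(cut_sets(tree, top))
    return sorted((cs for cs in sets if not any(o < cs for o in sets)),
                  key=lambda cs: (len(cs), sorted(cs)))

def product_of(p, events):
    """Probability that every event in `events` occurs (independent events)."""
    result = 1.0
    for event in events:
        result *= p[event]
    return result

def top_event_probability(tree, top, p):
    """Exact P(top) for independent basic events, by inclusion-exclusion over
    the minimal cut sets (step 3).  `p` maps each basic event to its failure
    probability.  The cost grows exponentially with the number of cut sets,
    which is why large trees are pruned or left to tools."""
    mcs = minimal_cut_sets(tree, top)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            total += (-1) ** (k + 1) * product_of(p, frozenset().union(*combo))
    return total

def rare_event_bound(tree, top, p):
    """Sum of the cut-set products: a cheap upper bound on P(top) that is
    close to exact when all basic-event probabilities are small."""
    return sum(product_of(p, cs) for cs in minimal_cut_sets(tree, top))
```

For the lamp tree every minimal cut set is a single event, so the exact result is 1 - prod(1 - p_i); for the tank tree the four minimal cut sets each contain three events.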

Slide 19: Hazard and Operability Studies (HAZOP)

A method to identify hazards within a system.

Origin:
The HAZOP technique was developed by ICI in the 1960s as a method of analysing hazards within chemical and process control plants.
Adapted by the MOD Defence Standard 00-58 for programmable electronics.

The method:
Relies on determining answers to questions of a "what if" nature, e.g. "what would be the effect of an increase of temperature?"
A set of guide words is used in context with the attributes (data) of the various components of the system being studied.
If a deviation from the normal working of the component is credible, then the causes, consequences and recommendations of the investigation are documented, and the behaviour of the component is considered as a possible hazard.

Slide 20: Uses of Guide Words

Guide word | Chemical plant | Computer-based system
NO | no part of the intended result is achieved | no data or control signal exchanged
MORE | a quantitative increase in the physical quantity | a signal magnitude or a data rate is too high
LESS | a quantitative decrease in the physical quantity | a signal magnitude or a data rate is too low
AS WELL AS | the intended activity occurs, but | redundant data sent in addition to intended value
PART OF | only part of the intended activity occurs | incomplete data transmitted
REVERSE | the opposite of what was intended occurs, e.g. reverse flow in a pipe | polarity of magnitude changes reversed
OTHER THAN | no part of the intended activity occurs and something else happens instead | data complete but incorrect

Slide 21: Guide Words for Computer-based Systems

Guide word | Chemical plant | Computer-based system
EARLY | not used | signals arrive too early with respect to clock time
LATE | not used | signals arrive too late with respect to clock time
BEFORE | not used | signals arrive earlier than intended within a sequence
AFTER | not used | signals arrive later than intended within a sequence

Slide 22: HAZOP Study at System Block Diagram Level

ATP: Automatic Train Protection System
[Block diagram: on the train body, a PES fed by the tachometer processing and antenna processing units and by the power supply, and driving the emergency brake; bogie-mounted tachometer generators and antennae, the antennae receiving signals from the trackside]

Slide 23: Description of the ATP System

The application concerns train-carried equipment for automatic train protection (ATP).

Main functionality:
monitors the speed of the train,
compares that speed with the planned safe speed of the train, and
automatically initiates emergency braking if an overspeed condition is recognised.

Overall structure:
equipment on both the train and the track-side;
information is transferred from the track-side to the train.

Components on the train and their functions:
One or more antennae on board the train receive signals from the trackside giving information on safe speeds or stopping points.
The antenna processing unit processes this information from the trackside and then passes it to a PES.
The tachometers measure the actual speed of the train as a major input to the PES.
The PES produces output signals to safety relays such as the one controlling the emergency brake.

Slide 24: HAZOP Study Sheets of the ATP

No. | Part | Attribute | Guide word | Cause | Consequence/Implication | Question/Recommendation | Indication/Protection
1 | input to antenna | amplitude | more | mounted too close to rail | may damage equipment | R1: add check to installation checks | installation
2 | input to antenna | amplitude | less | mounted too far from rail | signal may be missed | R2: add check to installation checks | installation
3 | input to antenna processing | frequency | other than | pick up of signal from adjacent track | incorrect value passed to processor | Q3: is action taken to protect against this? |
4 | antenna cabling | signal to ATP | other than | pick up of signal from nearby cabling | valid but incorrect signal may be acted on | R4: ensure cabling interference is guarded against |
5 | antenna | voltage | more | antenna shorts to live rail | antenna and other equipment becomes live | Q5: is there protection against this? |
6 | antenna | position | other than | failure of mountings | may hit track equipment, becomes live | R6: ensure that cable will keep antenna clear of track |

Slide 25: HAZOP Study Sheets of the ATP (continued)

No. | Part | Attribute | Guide word | Cause | Consequence/Implication | Question/Recommendation | Indication/Protection
7 | tachometer | output voltage | no | axle locked | | R7: check implications of this |
8 | tachometer output | signal | as well as | other signals mixed in | | Q8: is this a credible failure? |
9 | tachometer output | frequency | more | design fault | may indicate wrong speed | R9: check maximum frequency |
10 | tachometer output | speed | as well as | sudden changes in output caused by wheel spin | may show wrong speed | R10: check this is not a problem in practice |
11 | tachometer output | speed | no | sudden wheel lock | may show zero speed | R11: check protection against this |
12 | tachometer output | speed | no | sudden release of locked wheels gives confusing signal | may show wrong speed | R12: check protection against this |

Slide 26: HAZOP Study Sheets of the ATP (continued)

No. | Part | Attribute | Guide word | Cause | Consequence/Implication | Question/Recommendation | Indication/Protection
13 | signal to em. brake | voltage | more | stuck-at fault in electronics | may prevent brake initiation | R13: check protection against this |
14 | signal to em. brake | voltage | more | failure of part of electronics | may prevent brake initiation | R14: check protection against this |
15 | signal to em. brake | voltage | more | cable fault | may prevent brake initiation | R15: check wiring integrity |
16 | power supply to equip. | voltage | more | short circuit in drive transformers | overvoltage on other equipment | Q16: confirm drive transformer isolation? |
17 | power supply to PES | frequency | as well as | oscillating frequency of power-supply unit | interference leading to unreliable operation | R17: check that oscillation will not cause interference |

Slide 27: Organisation of HAZOP Studies

A HAZOP team consists of
- chairman / HAZOP leader (engineer with extensive training)
- technical secretary (recorder)
- design engineers
- application engineers
- other specialists
Team size between 4 and 8 members.

Responsibilities of HAZOP roles:
person    postulate  explore   explain   conclude  record
leader    yes        possibly  possibly  yes
expert               yes       yes
designer             possibly  yes
user                 possibly  yes
recorder                                 possibly  yes

Slide 28: Evaluation of HAZOP Method

Thorough if carried out comprehensively
Requires assumptions about the system
Requires a team with understanding of the system environment and application
Encourages safety planning
Time consuming

Slide 29: Cause-Consequence Analysis (CCA)

CCA starts with a critical event and determines:
the causes of the event (using a top-down or backwards search);
the consequences that could result from it (forward search).

The procedure:
1. Selection of a critical event
2. Search for factors that constitute the critical event
3. Propagation of the potential effects of the event
4. Description of the interrelationships of the factors by a chart that has two main areas: cause charts and a consequence chart.

Several cause charts may be attached to a consequence chart, and may take the form of conventional fault trees, which show the combination of conditions under which a certain event sequence in the consequence chart can take place.

Slide 30: Example of Cause-Consequence Diagram

System: a tank with two relief valves controlled by a PES controller.

Consequence chart:
CRITICAL EVENT: pressure too high
  relief valve 1 opens?
    yes -> pressure reduced
    no  -> relief valve 2 opens?
             yes -> pressure reduced
             no  -> explosion

Cause charts (attached to the "no" branches):
relief valve 1 does not open: valve failure OR computer does not open valve
relief valve 2 does not open: valve failure OR operator does not open valve

Slide 31: Cause-Consequence Diagram Symbols

Event symbols:
Basic condition
Initial event
Event
Significant consequence
Condition

Logic symbols:
AND gate
OR gate
AND vertex
Mutually exclusive / exhaustive OR vertex
Mutually exclusive OR vertex (used after time delays)
Condition vertex
Decision box (EITHER/OR vertex), e.g. "Valve opened?" with Yes and No exits

Time symbols:
Fixed time delay, e.g. t = 10
Variable time delay, t

Slide 32: Analysis of CCA Method

Encourages hazard management.
Provides visibility for multiple failures.
Can deal with both sequential and time-related events.
Separate diagrams are required for each initiating event; however, the outcomes are related only to the cause being analysed, when there could be other initiating events.

Compared with fault trees:
CCA shows the sequence of events explicitly, which makes the diagrams useful in studying start-up, shutdown and other sequential problems.

Compared with event trees:
Cause-consequence diagrams have the advantage of allowing the representation of time delays, alternative consequence paths and combinations of events.

Slide 33: Failure Modes and Effects Analysis (FMEA)

FMEA is a form of reliability analysis that emphasises successful functioning rather than hazards and risk.
FMEA was developed by reliability engineers to permit them to predict equipment reliability.
The goal is to establish the overall probability that the product will operate without a failure for a specific length of time or, alternatively, that the product will operate a certain length of time between failures.

The method:
The first step is to identify and list all components and their failure modes, considering all possible operating modes.
For each failure mode, the effects on all the other system components are determined along with the effect on the overall system.
Finally, the probabilities and seriousness of the results of each failure mode are calculated.

Slide 34: Example of FMEA

A system of two amplifiers, A and B, wired in parallel.

Component | Failure prob. | Failure mode | % failure by mode | Effects: critical | Effects: non-critical
A | 10^-3 | open  | 90 |         | X
A | 10^-3 | short | 5  | 5x10^-5 |
A | 10^-3 | other | 5  | 5x10^-5 |
B | 10^-3 | open  | 90 |         | X
B | 10^-3 | short | 5  | 5x10^-5 |
B | 10^-3 | other | 5  | 5x10^-5 |
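As an added example (not from the lecture), the worksheet above recomputed in Python: it yields the per-mode probabilities of the table and the critical single-fault total that an FMEA reports, and then the double-open combination that a single-fault worksheet does not cover. The classification of open as non-critical and of short and other as critical follows the table; the reading that both amplifiers being open loses the output is an assumption about the parallel pair.

```python
"""FMEA worksheet for the two parallel amplifiers of slide 34.

Added example, not from the lecture.  Each component's failure probability
is split across its failure modes by the '% failure by mode' column.  For
the parallel pair an 'open' in one amplifier is non-critical (the other
still drives the load), while 'short' and 'other' are critical, as in the
table on the slide.
"""
COMPONENTS = {"A": 1e-3, "B": 1e-3}                # failure probability
MODE_SPLIT = {"open": 90, "short": 5, "other": 5}  # % failure by mode
CRITICAL_MODES = {"short", "other"}                # effect class per mode


def fmea_rows(components, mode_split, critical_modes):
    """One worksheet row per (component, failure mode)."""
    rows = []
    for comp, p_fail in components.items():
        for mode, pct in mode_split.items():
            rows.append({
                "component": comp,
                "mode": mode,
                "probability": p_fail * pct / 100.0,  # e.g. 1e-3 * 5% = 5e-5
                "effect": "critical" if mode in critical_modes else "non-critical",
            })
    return rows


def single_fault_critical_probability(rows):
    """What the worksheet totals to: the critical single-fault modes summed
    (a rare-event sum, adequate at these magnitudes)."""
    return sum(r["probability"] for r in rows if r["effect"] == "critical")


def double_open_probability(rows):
    """A combination the single-fault worksheet does not show: both
    amplifiers open at once (assumed here to lose the output), even though
    each open alone is non-critical.  Independent failures are assumed."""
    p = 1.0
    for r in rows:
        if r["mode"] == "open":
            p *= r["probability"]
    return p


if __name__ == "__main__":
    rows = fmea_rows(COMPONENTS, MODE_SPLIT, CRITICAL_MODES)
    for r in rows:
        print(f"{r['component']}  {r['mode']:<6} {r['probability']:.1e}  {r['effect']}")
    print("critical, single fault:", single_fault_critical_probability(rows))
    print("both amplifiers open:  ", double_open_probability(rows))
```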

Slide 35: Failure Modes, Effects and Criticality Analysis (FMECA)

This is just an FMEA with a more detailed analysis of the criticality of the failure.
Two additional steps (columns) are added to the FMEA:
the means of control already present or proposed are determined;
the findings are modified with respect to these control procedures, such as modifying the chance of failure or adding an indication of whether or not further control is necessary.

Slide 36: Example: FMECA for a motor case of a missile

Item: motor case
Failure mode: rupture
Possible effects: destroys missile
Probability: 0.0006
Level: critical

Causes of failure:
Poor workmanship
Defective materials
Damage during transportation
Damage during handling
Over pressurisation

Possible actions to reduce failure rate or effect:
Close control of manufacturing processes to ensure that workmanship meets prescribed standard
Rigid quality control of basic materials to eliminate defects
Inspection and pressure testing of completed cases
Provision of suitable packaging to protect motor during transportation

Slide 37: Evaluation of FMECA Method

Thorough if carried out comprehensively.
Can show up unidentified hazards.
Requires assumptions about the system.
Non-selective and time consuming.
Focuses on single fault conditions.
Narrative style leads to over-simplification of external circumstances.

Slide 38: Roles of H/RA in System Development Lifecycle

Hazard and risk analysis can take place over the entire lifecycle of a system, and is both continuous and iterative.

Lifecycle phase | Safety activity
Requirements | Safety requirements
Realisation | Design assurance
Transition | Transition into service assurance
Operation | Operation & maintenance assurance
Decommissioning | Decommissioning assurance

Slide 39: More Details of Safety Related Systems' Lifecycle

Hazard and risk analysis can be applied to each phase above.

Slide 40: System Safety Process

Definition of scope
to determine the boundary of the EUC
to define the scope of the hazard and risk analysis

Preliminary Hazard Identification (PHI)
a systematic study of both operational and fault conditions using proven methods (e.g. HAZOP).
Where other similar systems are in existence, data relating to previous accidents or incidents can be a good starting point for identifying hazards.

Preliminary Hazard Analysis (PHA)
this comprises a detailed study of all the hazards identified by the PHI using a systematic technique.
Each hazard is considered with the functional requirements of the system to identify safety implications and to evaluate design alternatives.
Also attempts to classify the severity of the hazards and to assign an integrity level to each major function.

Slide 41

System Hazard Analysis (SHA)
Additional study of the systems shown to require a high level of integrity
To extend and refine the findings of the PHA
Considers the detailed functions of the system and the components that implement them.

System Risk Assessment (SRA)
Based on data obtained from the SHA
A risk analysis to investigate the consequences of various hazards and their likely rates of occurrence or probabilities
To assign integrity levels to the various components of the system

Independent Safety Audit (ISA)
By an independent team of assessors
Independently verifies the thoroughness of the work and the correctness of the findings.
Takes data from the hazard log and the various hazard analysis reports

Slide 42: Scope Definition

An overall scope definition should precede any preliminary hazard analysis:
to determine the boundary of the EUC
to define the scope of the hazard and risk analysis

Important because the number and types of hazards will vary depending on the scope of the boundary. In general, increasing the system boundary results in an increase in the hazards.

Example 1: Sizewell B reactor. Need to consider
- earthquakes
- planes dropping out of the sky
Example 2: Thames flood barrier. Need to consider
- extra high tides


Slide 45: IEC 61508's Requirements on Hazard & Risk Analysis

Requirement 7.4.2.1
"A hazard and risk analysis shall be undertaken which shall take into account information from the overall scope definition phase. If decisions are taken at a later stage in the overall E/E/PES or software safety lifecycle phases which may change the basis on which earlier decisions were taken, then a further hazard and risk analysis shall be undertaken".

Note: in a legalistic sense, for shall read must!

Slide 46

Requirement 7.4.2.2
"Consideration shall be given to the elimination of hazards"

Requirement 7.4.2.3
"The hazards and hazardous events of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions and reasonably foreseeable misuse). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC".
Key area where things are likely to go wrong.

Slide 47

Requirement 7.4.2.4
"The event sequences leading to the hazardous events determined in 7.4.2.3 shall be determined".

Slide 48: Requirements under section 7.4.2.10

The hazard and risk analysis shall consider the following:
• each determined hazardous event and the components that contribute to it;
• the consequences and likelihood of the event sequences with which each hazardous event is associated;
• the necessary risk reduction for each hazardous event;
• the measures taken to reduce or remove hazards and risks;
• the assumptions made during the analysis of the risks, including the estimated demand rates and equipment failure rates; any credit taken for operational constraints or human intervention shall be detailed;
• references to key information which relates to the safety-related systems at each E/E/PES safety lifecycle phase (for example verification and validation activities).

Slide 49: Further Reading

Storey, N., Safety-Critical Computer Systems, Prentice Hall, 1996
  Chapter 3: Hazard analysis
Leveson, N., Safeware, Addison Wesley, 1995
  Chapter 9: Terminology
  Chapter 12: The system and software safety process
  Chapter 13: Hazard analysis
  Chapter 14: Hazard analysis models and techniques
IEC 61508, Part 1.