Hazard Analysis

The document discusses several techniques for hazard analysis, including Failure Modes and Effects Analysis (FMEA), Failure Modes, Effects and Criticality Analysis (FMECA), Hazard and Operability Studies (HAZOP), Event Tree Analysis (ETA), and Fault Tree Analysis (FTA). It provides details on the process and limitations of FMEA and introduces the other techniques.


A2. Hazard Analysis

In the following: presentation of analytical techniques for identifying and classifying hazards. Not formal, but systematic methods. Techniques developed in general engineering, especially in the chemical industry and in military areas. Techniques considered are:

(a) Failure modes and effects analysis (FMEA).
(b) Failure modes, effects and criticality analysis (FMECA).
(c) Hazard and operability studies (HAZOP).
(d) Event tree analysis (ETA).
(e) Fault tree analysis (FTA).
(f) Probabilistic hazard analysis.

Critical Systems, CS 411, Lent term 2002, Sec. A2

A2-1

(a) Failure Modes and Effects Analysis (FMEA)

FMEA identifies all ways a particular component can fail and the effects of a failure on the system. It doesn't identify all hazards, since a failure does not have to occur for a hazard to be present in a system. Example: a rocket is by its nature hazardous, even if it operates correctly. Therefore FMEA is primarily an engineering tool, not a safety analysis tool.


Process of FMEA

1. Define scope and boundaries of the main system and of this analysis.
2. Break the main system down into subsystems.
3. Assess each subsystem, and determine whether the failure of the subsystem would affect the main system. If it wouldn't, ignore that subsystem. Otherwise, break this subsystem into further subsystems and repeat the above, until one has reached the component level.
4. For each component obtained, do the following:
   - Look at the component's failure modes (= the ways the component can fail).
   - Assess the failure's effects. Usually the worst-credible case with consequence severity and probability of occurrence is assessed, if this is possible to calculate.
   - Determine its mission phase (installation, operation, maintenance, repair).
   - Identify whether the failure is a single-point failure. (Single-point failure = failure of a single component that could bring down the entire system.)
   - Determine methods of corrective action.
5. Document the results in an FMEA worksheet.


Example FMEA worksheet

Subsystem: Hydraulic Control Panel   Assembly: Junction Box A   Subassembly: Mechanical
Date: 10/13/96   Analyst: John Doe   Page: 13

Component number: 45-341
Component name: Solenoid
Function: Electro-pneumatic valve interface and control of hydraulic panel valves

Failure mode 1: No pneumatic signal sent from valve due to loss of pressure (fail closed)
  Mission phase: Ops.
  Failure effects locally: Rendered useless due to loss of working fluid
  Failure propagation, next level: No pneumatic signal sent to hydraulic valve, resulting in longer response time to control valve 3-A
  Single-point failure: NO
  Risk class: 4C
  Control / failure recommendation: Manually operate hydraulic panel valve. Verify air supply inlet pressure from source. Inspect for leaks.

Failure mode 2: Failed valve due to internal spring failure from excessive wear
  Mission phase: Ops.
  Failure effects locally: Continuous pneumatic flow through valve
  Failure propagation, next level: Possible hydraulic valve activation or deactivation due to inappropriate pneumatic pilot signal
  Single-point failure: NO
  Risk class: 4C
  Control / failure recommendation: Inspect and test regularly. Assure correct and smooth spring-plunger sleeve alignment.

Limitations of FMEA

FMEA is primarily designed to create products which are correct, not to create products which are safe. Example: if we apply FMEA to a gun, we obtain a gun which has no failures, so e.g. the barrel doesn't suddenly explode. However, the fact that if you direct it against a human being you can kill him is a hazard, but not a failure of the gun. In general hazards need not be the result of a failure. We can of course extend FMEA to treat all situations in which a gadget is used and find out failures in that constellation. But that is in most cases infeasible. Direct hazard analysis will in the case of the gun immediately identify the global hazard. We see that FMEA is an excellent engineering tool for creating perfectly functioning gadgets. This contributes to but doesn't guarantee safety.

Limitations of FMEA (Cont.)

Further, FMEA investigates only single failures. Often accidents have their origins in a combination of multiple failures, each of which on its own wouldn't have such severe consequences.


(b) Failure Modes, Effects and Criticality Analysis (FMECA)

As FMEA, but additionally determine (or estimate) for each failure:
- the probability of its occurrence;
- the probability of the occurrence of the consequences, provided the failure has occurred;
- a number measuring the criticality.
The product of these 3 factors measures the risk associated with that failure. If the risk exceeds a certain number, action has to be taken.


(c) Hazard and Operability Studies (HAZOP)

Technique developed and used mainly in chemical industries. Studies to apply it to computer-based systems have been carried out. Underlying systems theory model: accidents are caused by deviations from the design or operating intentions, e.g. if there is no flow or no control signal, although there should be one. HAZOP considers systematically each process unit in the design and each possible deviation. Deviations are identified by using the guide words of HAZOP. HAZOP is carried out by a team.


General Procedure of HAZOP

1. Define objectives and scope of the analysis.
2. Select a HAZOP team. Requires a leader, who knows HAZOP well. Requires a recorder, who documents the process of HAZOP.
3. Dissect design into nodes and identify lines into those nodes.
4. Analyze deviations for each line and identify hazard control methods.
5. Document results in a table.
6. Track hazard control implementation.


Nodes and Lines

Node = location where process parameters can change. Examples:
- A chemical reactor.
- Pipe between two units.
- Pump.
- Sensor.

Line = interface between nodes. E.g.:
- Pipe feeding into a reactor.
- Electrical power supply of a pump.
- Signals from a sensor to a computer.
- Signals from a computer to an actuator.


Guide Words of HAZOP and Possible Interpretations

Guide word | Chemical plant                                                            | Computer-based system
No         | No part of intended result achieved                                       | No data or control signal exchanged.
More       | Quantitative increase in the physical quantity                            | Signal magnitude or data rate too high.
Less       | Quantitative decrease in the physical quantity                            | Signal magnitude or data rate too low.
As well as | Intended activity occurs, but with additional results                     | Redundant data sent in addition to intended value.
Part of    | Only part of intended activity occurs                                     | Incomplete data transmitted.
Reverse    | Opposite of what is intended occurs, e.g. reverse flow within a pipe      | Polarity of magnitude changes reversed.
Other than | No part of intended activity occurs, and something else happens instead   | Data complete but incorrect.
Early      | Not used                                                                  | Signal arrives too early w.r.t. clock time.
Late       | Not used                                                                  | Signal arrives too late w.r.t. clock time.
Before     | Not used                                                                  | Signal arrives earlier than intended within a sequence.
After      | Not used                                                                  | Signal arrives later than intended within a sequence.


Steps in the HAZOP Process

For all lines:
  For all key words and associated deviations (e.g. no flow):
    For all possible causes of that deviation:
      If that cause is hazardous or prevents efficient operation:
        If the operator cannot recognize this deviation:
          Identify which changes in the plant will make him recognize that.
        Identify changes in plant or methods which prevent the deviation, make it less likely or mitigate its effects.
        For each such change:
          If the cost of the change is justified:
            Agree to changes.
            Agree who is responsible for action.
            Follow up to see that action has been taken.


Example: Temperature sensor.

Line               | Attribute      | Guide word | Cause                    | Consequence                                          | Recommendation
Sensor supply line | Supply voltage | No         | Regulator or cable fault | Lack of sensor signal detected and system shuts down |
                   |                | More       | Regulator fault          | Damage to sensor                                     | Consider overvoltage protection
                   |                | Less       | Regulator fault          | Incorrect temperature reading                        | Include voltage monitoring
Sensor output      | Sensor current |            |                          |                                                      |

(d) Event Tree Analysis (ETA)

Start with faults which can cause accidents (e.g. broken pipe). Draw a decision tree in order to identify sequences of faults resulting in accidents. For each such sequence determine its outcome. Probabilities can be assigned to each event to determine the likelihood of that scenario. The product of the failure probabilities on each path is the probability of that event sequence. Since the probability of failure is usually very low, probabilities of success are usually almost 1 and can be ignored in the product.


Example: Loss of coolant accident in a nuclear power station (ECCS = Emergency Core Cooling System)

Safety functions, in order: Pipe break (initiating event) | Electric power | ECCS | Fission product removal | Containment integrity. Each branch is labelled with its probability; the outcome of each path is the product of the failure probabilities on it.

Initiating event: pipe break, P1
  Electric power available (1-P2)
    ECCS succeeds (1-P3)
      Fission product removal succeeds (1-P4)
        Containment integrity succeeds (1-P5): outcome P1
        Containment integrity fails (P5): outcome P1 x P5
      Fission product removal fails (P4)
        Containment integrity succeeds (1-P5): outcome P1 x P4
        Containment integrity fails (P5): outcome P1 x P4 x P5
    ECCS fails (P3)
      Fission product removal succeeds (1-P4): outcome P1 x P3
      Fission product removal fails (P4): outcome P1 x P3 x P4
  Electric power fails (P2): outcome P1 x P2
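The tree above, enumerated in code. This is an added example and not part of the lecture notes; the tree shape follows the slide (a power failure ends the sequence, an ECCS failure skips the containment question) and the probability values are constructed, not taken from the course. It computes both the exact sequence probabilities (with the (1-P) success factors) and the approximation the slide describes (success factors dropped).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Branch:
    """One safety function: it either succeeds (prob 1-p_fail) or fails (p_fail)."""
    name: str
    p_fail: float
    on_success: Optional["Branch"] = None   # next function if this one succeeds; None ends the sequence
    on_failure: Optional["Branch"] = None   # next function if this one fails; None ends the sequence

def loca_tree(p: Dict[str, float]) -> Branch:
    """Shape of the slide's loss-of-coolant tree (hypothetical helper, not the lecture's code)."""
    containment = Branch("Containment integrity", p["P5"])
    fp_removal_eccs_ok = Branch("Fission product removal", p["P4"], containment, containment)
    fp_removal_eccs_failed = Branch("Fission product removal", p["P4"])   # no containment branch on the slide
    eccs = Branch("ECCS", p["P3"], fp_removal_eccs_ok, fp_removal_eccs_failed)
    return Branch("Electric power", p["P2"], on_success=eccs)            # power failure ends the sequence

def sequence_probabilities(p: Dict[str, float]) -> Dict[Tuple[str, ...], Tuple[float, float]]:
    """Map each sequence (tuple of failed functions) to (exact, approximate) probability.
    exact multiplies in the (1-P) success factors; approximate drops them, as the slide does."""
    out: Dict[Tuple[str, ...], Tuple[float, float]] = {}

    def walk(node: Optional[Branch], failed: Tuple[str, ...], exact: float, approx: float) -> None:
        if node is None:                      # end of a sequence: record the leaf
            out[failed] = (exact, approx)
            return
        walk(node.on_success, failed, exact * (1.0 - node.p_fail), approx)
        walk(node.on_failure, failed + (node.name,), exact * node.p_fail, approx * node.p_fail)

    walk(loca_tree(p), (), p["P1"], p["P1"])  # initiating event: pipe break with probability P1
    return out

# Constructed failure probabilities for illustration only (not values from the lecture).
SAMPLE_P = {"P1": 1e-3, "P2": 1e-2, "P3": 1e-3, "P4": 1e-2, "P5": 1e-3}

if __name__ == "__main__":
    for failed, (exact, approx) in sequence_probabilities(SAMPLE_P).items():
        label = " + ".join(failed) or "no further failures"
        print(f"{label:50s} exact={exact:.3e} approx={approx:.3e}")
```

Because every function branches fully, the exact probabilities of all sequences sum back to P1, which is a quick sanity check that no path was dropped.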


Evaluation of Event Tree Analysis

ETA handles continuity of events well. ETA is good for calculation of the probability of events. However, in the tree usually many events occur which don't result in an accident, so the ETA becomes unnecessarily big. It is necessary to cut away subtrees which don't result in an accident. In general ETAs tend to become very big.


(e) Fault Tree Analysis (FTA)

Whereas ETA starts with faults and determines resulting accidents (events), FTA starts with a possible accident and determines sequences of faults resulting in that event. Usually these conditions are disjunctive (if one of the conditions is satisfied, the event occurs) or conjunctive (if all of the conditions are satisfied, the event occurs). The FTA is drawn using logical gates.


Example fault tree: laser activated incorrectly (gate types as in the Boolean formula on the Cut Sets slide)

Laser activated incorrectly  [OR]
  Primary laser failure
  Voltage on control input  [OR]
    Primary cable fault
    System applies voltage to input  [AND]
      Relay contacts closed
      Microswitch contacts closed


Fault Tree Symbols (the symbol drawings are not reproduced here)

Official symbol            | Alternative symbol | Meaning
(drawing)                  |                    | Fault event resulting from other events
(drawing)                  |                    | Basic event, taken as input
(drawing)                  |                    | Fault event not fully traced; taken as input but causes unknown
"In"                       |                    | Input from other fault tree
"Out"                      |                    | Output to other fault tree
AND gate                   | &                  | Event occurs if all inputs occur
OR gate                    | >=1                | Event occurs if at least one input occurs
Control gate (Control, In, Out) |               | Event occurs depending on control condition


Cut Sets

Fault trees can be written as a Boolean formula (take the and- and or-gates as Boolean and and or). Laser example: (Rel. Cont. Cl. ∧ Mic. Swi. Con. Cl.) ∨ Prim. Cable Fault ∨ Prim. Las. Fail. Boolean formulas can then be rewritten in disjunctive normal form (i.e. as an or of ands). The laser example is already in such a form. Now one can minimize the conjunctions (the ands) in it, so that no shorter conjunction would have the same result. E.g. (A ∧ B) ∨ (C ∧ B) ∨ B can be replaced by B. Each conjunction determines a minimal sequence of events resulting in an accident. These conjunctions are called cut sets.


Cut Sets (Cont.)

Short cut sets indicate particular weaknesses of the system. If the faults in a cut set are independent, the probability of the events in one cut set occurring is the product of the probabilities of the individual events. If the cut sets are independent, the probability of the accident occurring is the sum of the probabilities of each cut sequence. Often, however, the events in a cut set are not independent. This implies that the probability of them occurring is much higher. A common mistake is to overlook such dependence, which results in risk estimates that are too low.
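The cut-set procedure of the two slides above (expand the tree to an or of ands, absorb longer conjunctions, then sum the cut-set probabilities under the independence assumption), worked on the laser fault tree. This is an added example, not code from the lecture; the tree encoding, the absorption step and the per-event probabilities are constructed here, and it also handles the slide's (A ∧ B) ∨ (C ∧ B) ∨ B case.

```python
from itertools import product
from typing import Dict, FrozenSet, Set, Union

# A fault tree node is either a basic event (str) or a gate: ("AND", child, ...) / ("OR", child, ...).
Node = Union[str, tuple]

# The laser fault tree of the slides: (Relay AND Microswitch) OR Primary cable fault OR Primary laser failure.
LASER_TREE: Node = ("OR",
    ("AND", "Relay contacts closed", "Microswitch contacts closed"),   # system applies voltage to input
    "Primary cable fault",                                             # together: voltage on control input
    "Primary laser failure")

def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Expand the tree into disjunctive normal form: each frozenset is one conjunction (cut set)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node[0], node[1:]
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                                   # or of ands: just collect the conjunctions
        return set().union(*child_sets)
    if gate == "AND":                                  # distribute: one conjunction per combination of inputs
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Drop every conjunction that strictly contains another one (absorption: (A and B) or B = B)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(t < s for t in sets)}

def accident_probability(node: Node, p: Dict[str, float]) -> float:
    """Estimate from the slides: sum over minimal cut sets of the product of the basic-event
    probabilities. Assumes all events independent; dependent events make the true value higher."""
    total = 0.0
    for cs in minimal_cut_sets(node):
        prob = 1.0
        for event in cs:
            prob *= p[event]
        total += prob
    return total

# Constructed per-event probabilities for illustration only (not values from the lecture).
SAMPLE_EVENT_P = {"Relay contacts closed": 0.1, "Microswitch contacts closed": 0.1,
                  "Primary cable fault": 0.01, "Primary laser failure": 0.001}

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(LASER_TREE), key=len):   # shortest cut sets first: the weakest points
        print(sorted(cs))
    print(f"P(laser activated incorrectly) ~ {accident_probability(LASER_TREE, SAMPLE_EVENT_P):.4f}")
```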


(f) Probabilistic Hazard Analysis


Has been integrated into (a) - (e).
