HAZOP: Hazard and Operability Study
Jerzy.Nawrocki@put.poznan.pl
/jnawrocki/models/
Models and Analysis of Software, Lecture 11
Copyright, 2003 Jerzy R. Nawrocki
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
Introduction
HAZOP: HAZard and OPerability study; ICI Chemicals, UK, '70
Aim: 'identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants' [Lihou03].
Examples, existing and new: heating installation, radiation therapy machine (electron accelerator), railway crossing, aircraft control system.
Design intent: ~200 rad for the radiation therapy machine, up to 50 °C for the heating installation.
Deviation: the Therac-25 accident [Leveson93], 15 000 rad from the electron accelerator; the heating installation at 90 °C. Ouch!
Hazard = a set of conditions that can lead to an accident [Leveson91].
"Oh God!" "The computer doesn't work!"
Performed by a team of multidisciplinary experts.
Structured brainstorming process.
Introduction
Process description
How can deviations from the design intent arise?
Can they impact safety and operability?
What actions are necessary?
Introduction
.. the great advantage of the technique is that it encourages the team to consider less obvious ways in which a deviation may occur (..) In this way the study becomes much more than a mechanistic check-list type of review. [Lihou03]
Keywords
Primary keywords: a particular aspect of a design intent (a process condition or parameter).
Safety: Flow, Temperature, Pressure, Level, Corrode, Absorb, Erode, ...
Operability: Isolate, Start-up, Shutdown, Maintain, Inspect, Drain, Purge, ...
Can corrosion be a design intent?
Keywords
Secondary keywords: possible deviations (problems): No, Less, More, Reverse, Also, Other, Fluctuation, Early, Late.
They tend to be a standard set.
No: The design intent is almost eliminated (blocked) or unachievable.
Examples: Flow/No, Isolate/No
Less: The value of the parameter described by the primary keyword is less than expected.
Examples: Flow/Less, Temperature/Less
More: The parameter value is greater than expected.
Examples: Temperature/More, Pressure/No
Reverse: The opposite direction of the design intent.
Examples: Flow/Reverse, Isolate/No
Also: The design intent (primary keyword) is OK, but there is something extra.
Examples: Flow/Also = contamination; Level/Also = unexpected material in a tank
Other: The design intent occurs, but in a different way.
Examples: Composition/Other = unexpected proportions; Flow/Other = product flows where it is unexpected
Fluctuation: The design intent is achieved only part of the time.
Examples: Flow/Fluctuation = sometimes flows, sometimes not; Temperature/Fluctuation = sometimes hot, sometimes cold
Early: The design intent appears too early.
Examples: Flow/Early = the product flows too early; Temperature/Early = the intended temperature (high or low) is achieved too early
Late: Opposite to Early.
Example: Level/Late = the intended level in a tank is achieved too late.
Are all combinations of keywords meaningful?
Temperature/No ???
Corrode/Reverse ???
Methodology – Report format

| Deviation | Cause | Consequence | Safeguards | Action |
|---|---|---|---|---|
| E.g. Flow/No | Potential cause of the deviation | Consequences of the cause and the deviation itself | Any existing devices that prevent the cause or make its consequences less painful | Actions to remove the cause or mitigate the consequences |
Methodology – The process

- Select a section of the plant
  - For each primary keyword relevant for the plant:
    - For each relevant secondary keyword:
      - For each discovered cause for the deviation:
        - Think of significant consequences and record them;
        - Record any safeguards identified;
        - Think of any necessary actions and record them.

| Deviation | Cause | Consequence | Safeguards | Action |
|---|---|---|---|---|
| Flow/No | Problem... | | | |
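The keyword slides ask whether every primary/secondary combination is meaningful, and the process slide gives the nested loop that fills the report table. The script below is an added example written for this page, not code from the lecture or from any HAZOP tool: it enumerates the primary × secondary combinations for one plant section, drops the combinations the team marked as meaningless (so Temperature/No and Corrode/Reverse never reach the worksheet), runs the nested loop over the causes the team recorded, and prints the rows in the Deviation | Cause | Consequence | Safeguards | Action format. The applicability table, the cooling-water section, and every cause, safeguard and action in it are constructed for illustration; HAZOP itself leaves the choice of applicable keywords to the team during preparatory work.

```python
"""HAZOP worksheet generator (added example, not part of the lecture slides)."""
from dataclasses import dataclass
from itertools import product

SECONDARY = ["No", "Less", "More", "Reverse", "Also",
             "Other", "Fluctuation", "Early", "Late"]

# Which secondary keywords the team considers meaningful for each primary
# keyword. Assumption for this example: the table is decided by the team
# during preparatory work ("devise a list of appropriate keywords"); the
# choices here are illustrative, not a standard.
APPLICABLE = {
    "Flow": set(SECONDARY),
    "Temperature": {"Less", "More", "Fluctuation", "Early", "Late"},  # no Temperature/No
    "Pressure": {"Less", "More", "Fluctuation"},
    "Level": {"No", "Less", "More", "Also", "Early", "Late"},
    "Corrode": {"Less", "More", "Other"},                              # no Corrode/Reverse
    "Isolate": {"No", "Early", "Late", "Other"},
}

COLUMNS = ["Deviation", "Cause", "Consequence", "Safeguards", "Action"]


def deviations(primary_keywords):
    """Meaningful 'Primary/Secondary' deviation labels, in keyword order."""
    return [f"{p}/{s}" for p, s in product(primary_keywords, SECONDARY)
            if s in APPLICABLE.get(p, set())]


@dataclass
class Cause:
    description: str
    consequences: list   # of the cause and of the deviation itself
    safeguards: list     # existing devices that prevent the cause or soften its effect
    actions: list        # recommended actions to remove the cause or mitigate it


@dataclass
class Section:
    name: str
    primary_keywords: list
    causes: dict         # deviation label -> list of Cause recorded by the team


def worksheet(section, include_empty=True):
    """Run the nested HAZOP loop over one plant section and return report rows.

    With include_empty=True a deviation for which the team found no cause still
    gets a row, so the report shows the combination was examined, not forgotten.
    """
    rows = []
    for deviation in deviations(section.primary_keywords):
        causes = section.causes.get(deviation, [])
        if not causes and include_empty:
            rows.append({"Deviation": deviation, "Cause": "no credible cause identified",
                         "Consequence": [], "Safeguards": [], "Action": []})
        for cause in causes:
            rows.append({"Deviation": deviation, "Cause": cause.description,
                         "Consequence": list(cause.consequences),
                         "Safeguards": list(cause.safeguards),
                         "Action": list(cause.actions)})
    return rows


def action_count(rows):
    """Number of recommended actions: the 'Results' figure of the final report."""
    return sum(len(row["Action"]) for row in rows)


def render(rows):
    """Plain-text table in the report format of the slides."""
    table = [COLUMNS] + [[row["Deviation"], row["Cause"]]
                         + ["; ".join(row[c]) or "-" for c in COLUMNS[2:]]
                         for row in rows]
    widths = [max(len(r[i]) for r in table) for i in range(len(COLUMNS))]
    return "\n".join(" | ".join(cell.ljust(w) for cell, w in zip(r, widths))
                     for r in table)


# Constructed sample: one section of an imaginary cooling-water loop.
COOLING_LOOP = Section(
    name="Cooling water loop (constructed)",
    primary_keywords=["Flow", "Temperature", "Pressure"],
    causes={
        "Flow/No": [Cause("Circulation pump fails",
                          ["Reactor jacket overheats"],
                          ["Low-flow alarm"],
                          ["Add standby pump", "Interlock heater on low flow"])],
        "Flow/Reverse": [Cause("Check valve stuck open",
                               ["Process fluid contaminates water supply"],
                               [],
                               ["Fit a second check valve"])],
        "Temperature/More": [Cause("Cooling tower fan trips",
                                   ["Outlet water above design temperature"],
                                   ["High-temperature alarm"],
                                   ["Trip reactor feed on high temperature"])],
    },
)

if __name__ == "__main__":
    rows = worksheet(COOLING_LOOP)
    print(render(rows))
    print(f"Recommended actions: {action_count(rows)}")
```

Running the script prints 17 rows for the three primary keywords (9 for Flow, 5 for Temperature, 3 for Pressure), 14 of them marked "no credible cause identified", and a total of 4 recommended actions; `worksheet(COOLING_LOOP, include_empty=False)` keeps only the three rows with a recorded cause. Keeping the empty rows is the design choice worth copying into a software HAZOP: the value of the method comes from forcing every meaningful deviation to be considered, and the report should make it visible which ones the team actually got to.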
The HAZOP team
Optimal: 6 people. Maximum: 9 people.
Equal representation of customer and supplier.
Experts from a range of disciplines.
Team composition: questions raised during the meeting should be answered immediately.
Chairman and secretary.
Preparatory work
1. Assemble the data
2. Understand the subject
3. Subdivide the plant and plan the sequence
4. Mark-up the drawings
5. Devise a list of appropriate keywords
6. Prepare table headings and an agenda
7. Prepare a timetable
8. Select the team
The report
• Scope of the study
• Brief description of the process under study
• Keyword combinations and their meanings
• Description of the Action File (contains Action Response Sheets reporting on the actions performed to reduce the risks; initially empty)
• General comments (what was unavailable or not reviewed, what the team was assured of)
• Results (the number of recommended actions)
UML-HAZOP
J. Górski, A. Jarzębowicz
Technical University of Gdańsk
Wykrywanie anomalii w modelach obiektowych za pomocą metody UML-HAZOP (Detecting anomalies in object-oriented models using the UML-HAZOP method), IV KKIO, Best Paper Award
Detecting Defects in Object-Oriented Diagrams Using UML-HAZOP, FCDS, vol. 24, No. 4, 2002.
Strengths of UML-HAZOP
• UML
• Defect detection in UML diagrams
• A structured review method for UML diagrams guided by keywords (NO, MORE, LESS, ..)
• An interesting checklist for UML diagrams
• Experimental evaluation shows that the method is quite efficient (defects detected per unit of time)
Weaknesses of UML-HAZOP
Limited to class diagrams only.
Limited to two kinds of relationships in class diagrams, Association and Generalization, from which 10 primary keywords are derived.
In the presented experiments all the analysis was performed by one reviewer, whilst HAZOP relies on multidisciplinary teams.
The method lacks analysis of possible consequences of an identified defect (anomaly).
Summary
HAZOP is a structured brainstorming method for risk analysis.
It can be applied in different contexts (e.g. UML-HAZOP).
It goes well with other analysis methods, e.g. fault tree analysis (AND/OR trees of faults).
Used by: UK Ministry of Defence, Motorola, chemical companies, etc.
Bibliography
[Lihou03] Mike Lihou, Hazard & Operability Studies, Lihou Technical & Software Services, www.lihoutech.com/hzp1frm.htm, 3.06.2003. A very good introduction to HAZOP.
[Leveson91] N. Leveson, S. Cha, T. Shimeall, Safety verification of Ada programs using software fault trees, IEEE Software, July 1991, 48-59. FTA templates for Ada programs.
[Leveson93] N. Leveson, C. Turner, An investigation of the Therac-25 Accidents, Computer, July 1993, 18-41.
F. Redmill, M. Chudleigh, J. Catmur, System Safety: HAZOP and Software HAZOP, John Wiley & Sons, 1999 (Amazon.com: $135!).
Quality assessment
1. What is your general impression? (1 - 6)
2. Was it too slow or too fast?
3. What important things did you learn during the lecture?
4. What to improve and how?