Safety analysis

Michal Sojka

Czech Technical University in Prague,FEE and CIIRC

January 8, 2020

SESAMOSecurity and Safety Modelling

1 / 15

Outline

1 HAZOP

2 Example

2 / 15

HAZOP

Outline

1 HAZOP

2 Example

3 / 15

HAZOP

HAZOP studyHazard and operability study

Methodical investigation of the hazards and operational problems to whichthe plant or system being studied could give rise.

Goals:1 Identify possible deviations from design intent (the intention of the

designer)2 Investigate deviation’s possible causes and consequences.

Deviations can occur in either a component of the system or aninteraction between components of the system.Always carried out by a team!

4 / 15

HAZOP

Team structure

Roles involved in the study:Study leaderDesignerUser or intended userExpertRecorder

Optimal team size: 4 – 10 persons

5 / 15

HAZOP

Study processInput: – Design representation with elements and their attributes.

– Interpretation of guide word for different attributes.Process:

Explain design intent;foreach entity e in design representation do

foreach attribute a of element e doforeach guide word w do

Investigate deviation of (e, a) suggested by w;if deviation is credible then

Investigate causes and consequences and document;end

endend

endSign-off the documentation

Output: – Identified hazards– Questions– Recommendations

6 / 15

HAZOP

Guide wordsand their generic meaning

No no part of the intention is achievedMore a quantitative increaseLess a quantitative decrease

As well as all design intent but with additional resultsPart of only some of the intention is achievedReverse the logical opposite of the intention

Other than result other than original intention is achievedEarly relative to clock timeLate relative to clock time

Before related to order or sequenceAfter related to order or sequence

7 / 15

HAZOP

Guide word interpretationGuide word Wire UDP message Code executionNo Missing or broken No message received Not executedMore Too high voltage Duplicate reception Executed more oftenLess Too low voltage Lost message Executed less oftenAs well as Noisy signal or EMI More data in the

messageSomething else runsin parallel (e.g. IRQ)

Part of N/A Partial message re-ceived

Only part of code isexecuted

Reverse Negative voltage N/A N/AOther than Other wire Unexpected mes-

sage receivedOther code is exe-cuted instead

Early N/A Message receivedearlier than expected

Executed too early

Late N/A Message receivedlater than expected

Executed too late

Before N/A Two messagesswapped

Before other code

After N/A Two messagesswapped

After other code

8 / 15

Example

Outline

1 HAZOP

2 Example

9 / 15

Example

Steer-by-wire for a teleoperated roboti.e. your semestral work

10 / 15

Example

Steer-by-wire for a teleoperated roboti.e. your semestral work

11 / 15

Example

Steer-by-wire for a teleoperated roboti.e. your semestral work

12 / 15

Example

System contextWith external interfaces

0*

Steer-by-wiresystem

Motor + IRC sensor

i2: PWM signal

WWW browser

i4: HTTP protocol

IRC sensor

i1: IRC signal

i3: IRC signal

Power supply

i5: Electric power

“*” means that this level can be expanded13 / 15

Example

Detailed designEntities: eX, attributes: […]

Board 1 Board 2

IRC sensor

e1:IRC decoder1[Execution,

priority]

Motor+

IRC sensor

e6:IRC decoder2[Execution,

priority]

WWW browser

e7:WWW server

[Priority,Resource needs]

e3:Position variable

[Value]

e2:Sending task

[Period,Destination

addr.]

e4:Receiving task

[Execution,Period]

e12:Ethernet

[Bandwidth,Message]

e8:Setpoint[Value]

e5:Controller

[Execution,Period,Priority]

e9:History storage

[Size/length]

e11:State

[Value]

e7:Actual position

[Value]

e10:Constants[Value]

14 / 15

Example

References

F. Redmill, M. Chudleigh, J. Catmur; System Safety: HAZOP andSoftware HAZOP, Wiley, 1999.

15 / 15