(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

Transcription

1 A2. Hazard Analysis In the following: Presentation of analytical techniques for identifyin hazards. Non-formal, but systematic methods. Tool support for all those techniques exist. Techniques developed in general engineering, especia and armaments industry. Techniques considered are: (a) Failure modes and effects analysis (FMEA). (b) Failure modes, effects and criticality analysis (FMECA). (c) Hazard and operability studies (HAZOP). (d) Event tree analysis (ETA). (e) Fault tree analysis (FTA).

2 (a) Failure Modes and Effects Analysis (FMEA) FMEA identifies all ways a particular component can f of a failure on the system. Doesn t identify all hazards, since a failure does not ha hazard to be present in a system. Example: A rocket is by its nature hazardous, even if it Therefore FMEA is preliminary an engineering tool, not tool.

3 Process of FMEA Define scope and boundaries of the main system and of Break the main system down into subsystems. Assess each subsystem, and determine, whether the subsystem would affect the main system. If it wouldn t, ignore that subsystem. Otherwise, break this subsystem into further subsystem above, until the component level is reached.

4 Process of FMEA (Cont.) For each component identified as above, do the following Look at the component s failure modes = the ways, t fail. Assess the failure s effects. Usually the worst-credible case with conseque probability of occurrence is assessed, if this is possible Determine its mission phase (installation, operat repair). Identify, whether the failure is a single-point failure. ( Single point failure = failure of a single componen down the entire system.) Determine methods of corrective action.

5 Process of FMEA (Cont.) Document the results in an FMEA worksheet.

6 Subsystem: Hydraulic Control Panel Assembly: Junction Box A Subassembly: Mechanical Com- Com- Function Failure ponent ponent mode number name Solenoid Electro-pneumatic No pneumatic s valve interface and sent from valve control of due to loss of hydraulic panel pressure valves fail closed Failed valve due to internal sprin failure from excessive wear.

7 Layout Analyzed in the Table Below: Pressurized air Solenoid Valve Solenoid valve operates hydraulic valve Hydraulic Valve Hydraulic liquid

8 Failure effects Failure propa- Single- Risk locally gation point failure next level failure class Rendered useless No pneumatic NO 4C due to loss of signal sent to working fluid hydraulic valve, resulting in longer response time to control valve 3-A Continuous Possible hydraulic NO 4C pneumatic flow valve activation through valve. or deactivation due to inappropriate pneumatic pilot signal

9 Limitations of FMEA FMEA is primarily designed to create products which ar create products which are safe. Example: If we apply FMEA to a gun, we obtain a g failures. So e.g. the barrel doesn t suddenly explode. However, the fact that if you direct it against a human him, is a hazard, but no failure of the gun. In general hazards need not be the result of a failure. We can of course extend FMEA to treat all situations in used and find out failures in that constellation. But that is in most cases infeasible.

10 Limitations of FMEA (Cont.) Direct hazard analysis will in the case of the gun immedi global hazard. We see that FMEA is an excellent engineering tool for c functioning gadgets. This contributes to but doesn t guarantee safety.

11 Limitations of FMEA (Cont.) Further FMEA investigates only single failures. Often accidents have the origins in a combination of mult of which on its own wouldn t have such severe consequenc

12 (b) Failure Modes, Effects and Criticality Analysis (FMECA) As FMEA, but additionally determine (or estimate) for ea the probability of its occurrence; the probability of the occurrence of the consequen failure has occurred; a number measuring the criticality. The product of the 3 factors measures the risk associated If the risk exceeds a certain number, action has to be

13 Explanation of the Measure above The product of the first 2 factors measures the p occurrence of this deviation followed by the consequence of accident. Therefore the product of all 3 factors is the product of the occurrence of the consequence and of a measure of t Since risk = product of probability of occurrence and product of all 3 factors measures the risk.

14 (c) Hazard and Operability Studie (HAZOP) Technique developed and used mainly in chemical indust Studies to apply it to computer based systems have bee Underlying systems theory model: Accidents caused by deviations from the design or op e.g.: if there is no flow or no control signal, although there HAZOP considers systematically each process unit in th possible deviation. Deviations are identified by using the guide words of H

15 Hazard and Operability Studies (HAZOP; C HAZOP carried out by a team.

16 General Procedure of HAZOP 1. Define objectives and scope of the analysis. 2. Select a HAZOP team. Requires a leader, who knows HAZOP well. Requires a recorder, who documents the process of HAZ 3. Dissect design into nodes and identify lines into those nod 4. Analyze deviations for each line and identify hazard contro 5. Document results in a table. 6. Track hazard control implementation.

17 Nodes and Lines Node = location, where process parameters can change. A chemical reactor Pipe between two units. Pump. Sensor. Line= interface between nodes E.g. pipe feeding into a reactor. Electrical power supply of a pump. Signals from a sensor to a computer. Signals from a computer to an actuator.

18 Guide Words of HAZOP and Possible Interpretations Guide Word Chemical Plant Computer- No More No part of intended result achieved. Quantitative increase in the physical quantitity No data or exchanged. Signal mag rate too hig Less Quantitative decrease in the physical quantitity Signal mag rate too low

19 Guide Words of HAZOP (Cont.) Guide Word Chemical Plant Computer- As well as Intended activity occurs, but with additional results Part of Only part of intended activity occurs Reverse Opposite of what is intended occurs, e.g. reverse flow within a pipe. Redundant addition to Incomplete transmitted. Polarity o changes rev Other than No part of intended activity occurs, and something else happens instead Data incorrect. co

20 New Guide Words of HAZOP for Computer-Base Guide Word Chemical Plant Computer- Early Not used Signal arriv w.r.t. clock Late Not used Signal arrive clock time. Before Not used Signal arriv intended wit After Not used Signal arriv intended wit

21 Steps in the HAZOP Process For all lines. For all key words and associated deviations e.g. : No flow. For all possible causes of that deviation. If that cause is hazardous or prevents efficient operat If the operator cannot recognize this deviation. Identify, which changes in the plant will make him/her recognize that. Identify changes in plant or methods which prevent deviation, make it less likely or mitig

22 Steps in the HAZOP Process (Cont.) For each such change If cost of change is justified Agree to changes. Agree who is responsible for action Follow up to see that action has be

23 Example: Temperature sensor. Line Attribute Guide Cause Consequen word Sensor Supply No Regulator or Lack of sen supply voltage cable fault detected an line shuts down More Regulator fault Damage to sensor temperatur Less Regulator fault Incorrect reading Sensor current Sensor output

24 (d) Event Tree Analysis (ETA) Start with faults, which can cause accidents (e.g. broken Draw a decision tree in order to identify sequences of accidents. For each such sequence determine its outcome. Probabilities can be assigned to each event to determin that scenario. Product of the failures on each path is the probabi sequence.

25 (d) Event Tree Analysis (ETA; Cont) Since probability of failure is usually very low, probabil usually almost 1 and can be ignored in the product.

26 Example: Loss of cooleant accident in a nuclear pow (ECCS = Emergency Core Cooling System) Pipe Electric ECCS Fission product break Power removal Initiating Event P1 Available 1 P2 Fails P2 Succeeds 1 P3 Fails P3 Succeeds 1 P4 Fails P4 Succeeds 1 P4 Fails P4 Containment Integrity Succeeds 1 P5 Fails P5 Succeeds 1 P5 Fails P5 P

27 Evaluation of Event Tree Analysis ETA handles continuity of events well. ETA good for calculation of probability of events. However, in the tree usually many events which don t res occur. ETA becomes unneessarily big. It is necessary to cut away subtrees which don t resu In general ETAs tend to become very big.

28 (e) Fault Tree Analysis (FTA) Whereas ETA starts with faults and determines resulting a FTA starts with a possible accident and determines se resulting in that event. Usually these conditions are disjunctive if one of the conditions is satisfied the event occurs or conjunctive if all of the conditions are satisfied the event occurs The FTA is drawn using logical gates.

29 Laser Activated incorrectly Primary Laser Failure Voltage on Control Input System applies Voltage to Input Prim Cabl Faul Relay Contacts closed Microswitch Contacts closed

30 Fault Tree Symbols Official Symbol Meaning Official Symbo Fault event resulting from other event Basic event taken as input In

31 Fault Tree Symbols (Cont.) Official Alternative Meaning Symbol Symbol Output to other fault tree & Out Event occurs if all inputs o >=1 Event occurs if at least one

32 Fault Tree Symbols (Cont.) Official Symbol Meaning Out Control Event occurs depending on control condition In

33 Cut Sets Fault trees can be written as Boolean formulas (take a and/or). Laser Example: ((Relay Contacts Closed and Cond1) (Micro Switch Contacts Closed Cond2)) Primary Cable Fault Primary Laser Failure (where Cond1 and Cond2 are conditions identified by c trees below the rhombuses). Boolean formulas can then be rewritten in disjunctive no an or of ands). Laser Example has to be unfolded if Cond1 or Cond2 co

34 Cut Sets (Cont.) Now omit conjunctions, which are implied by shorter on E.g. In (A B) (C B) B, (A B) and (C B) can be omitted. Each conjunction determines a minimal sequence of eve accident. These conjunctions are called cut sets.

35 Cut Sets (Cont.) Short cut sets indicate particular weaknesses of the system If the faults in a cut set are independent, the probabilit one cut set occurring is the product of the probabilities events. If the cut sets are independent, the probability of the ac the sum of the probability of each cut sequence.

36 Cut Sets (Cont.) Often however the events in one cut set are not indepen Implies that the probability of them occurring is much Common mistake to overlook independence, which risk estimates. Cut sets can be generated automatically.

37 Summary We have studied 5 techniques for Hazard analysis. FMEA and FMECA. Concentration on avoidance of failures. Allows to produce highly reliable systems, but do identify all hazards. HAZOP. Use of guide words. Adaption to computer systems still in experimental st ETA. Starts from faults. Event trees might grow too big. FTA. Starts from accidents. Seems to be most suitable technique in order to id