(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

Similar documents
4. Hazard Analysis. Limitations of Formal Methods. Need for Hazard Analysis. Limitations of Formal Methods

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Hazard Operability Analysis

Hazard Identification

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

Failure modes and models

Understanding safety life cycles

Introduction to HAZOP Study. Dr. AA Process Control and Safety Group

Safety Engineering - Hazard Identification Techniques - M. Jahoda

Safety Critical Systems

Event tree analysis. Prof. Enrico Zio. Politecnico di Milano Dipartimento di Energia. Prof. Enrico Zio

D-Case Modeling Guide for Target System

Reliability Assessment of the Whistler Propane Vaporizers

Workshop Information IAEA Workshop

Combining disturbance simulation and safety analysis techniques for improvement of process safety and reliability

Module No. # 01 Lecture No. # 6.2 HAZOP (continued)

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by:

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Every things under control High-Integrity Pressure Protection System (HIPPS)

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

CHAPTER 4 FMECA METHODOLOGY

18-642: Safety Plan 11/1/ Philip Koopman

Suitable for anyone who is required to maintain industrial pneumatic systems. No prior knowledge of pneumatic or electrical principles is necessary.

Failure Modes and Effect Analysis of Electro-Pneumatics System

PROCEDURE. April 20, TOP dated 11/1/88

Guidelines on Surveys for Dynamic Positioning System

USING HAZOP TO IDENTIFY AND MINIMISE HUMAN ERRORS IN OPERATING PROCESS PLANT

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

Safety Manual VEGAVIB series 60

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Hydraulic (Subsea) Shuttle Valves

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

Inherently Safer Design Analysis Approaches

Solenoid Valves used in Safety Instrumented Systems

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Ultima. X Series Gas Monitor

Knowledge, Certification, Networking

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Verification and validation of computer codes Exercise

CT433 - Machine Safety

DeZURIK. KSV Knife Gate Valve. Safety Manual

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

LECTURE 3 MAINTENANCE DECISION MAKING STRATEGIES (RELIABILITY CENTERED MAINTENANCE)

Pressure Test Results in Injury

Safety Management in Multidisciplinary Systems. SSRM symposium TA University, 26 October 2011 By Boris Zaets AGENDA

Software Safety Hazard Analysis

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

Raw Material Spill. Lessons Learned. Volume 05 Issue USW

Major Hazard Facilities. Hazard Identification

Valve Communication Solutions. Safety instrumented systems

ASVAD THE SIMPLE ANSWER TO A SERIOUS PROBLEM. Automatic Safety Valve for Accumulator Depressurization. (p.p.)

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

Safety Manual VEGAVIB series 60

UNIVERSITY OF WATERLOO

Incorrect Relief Valve Material Causes Release

Controller for boilers Galan - regulator for management of heating elements and circuit SolarSentinel-DBTW User guide

Selection of Hazard Evaluation Techniques

OPERATING PROCEDURES

MDEP Common Position No AP

Success Paths: A Risk Informed Approach to Oil & Gas Well Control

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

Why do I need dual channel safety? Pete Archer - Product Specialist June 2018

Bespoke Hydraulic Manifold Assembly

APPLICATION OF THE FAILURE MODES AND EFFECTS ANALYSIS TECHNIQUE TO THE EMERGENCY COOLING SYSTEM OF AN EXPERIMENTAL NUCLEAR POWER PLANT

Gas Network Craftsperson

TANKTRONIC. STANDARD CONFIGURATION Single Tank. ADVANCED CONFIGURATION Multiple Tanks. Twin Tank (common valve) Twin Tank (separate valves) Vent box

IGEM/SR/15 Edition 5 Communication 1746 Integrity of safety-related systems in the gas industry

ENS-200 Energy saving trainer

Proposed Abstract for the 2011 Texas A&M Instrumentation Symposium for the Process Industries

PL estimation acc. to EN ISO

Swell UK. The UK's leading online aquatic retailer.

High Integrity Pressure Protection Systems HIPPS

A study on the relation between safety analysis process and system engineering process of train control system

Hazard Identification

Large Valve Causes Back Injury

C. (2017) 20 (6) ISSN

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

Basic STPA Exercises. Dr. John Thomas

Nitrogen System Contamination

Advanced LOPA Topics

Unit 24: Applications of Pneumatics and Hydraulics

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

Phase B: Parameter Level Design

Pressure Gauge Failure Causes Release

Introducing STAMP in Road Tunnel Safety

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

SPR - Pneumatic Spool Valve

Operator Exposed to Chlorine Gas

PRACTICAL EXAMPLES ON CSM-RA

Temporary Equipment Fails After 20 Years of Use Worker Gets Sandblasted

Using STPA in the Design of a new Manned Spacecraft

Real-Time & Embedded Systems

Reliability of Safety-Critical Systems Chapter 10. Common-Cause Failures - part 1

SHUTDOWN SYSTEMS: SDS1 AND SDS2

TANK MANAGER FOR TWO TANKS OPERATING MANUAL. 10/31/11 C-More T6C L color touch panel

Transcription:

A2. Hazard Analysis In the following: Presentation of analytical techniques for identifyin hazards. Non-formal, but systematic methods. Tool support for all those techniques exist. Techniques developed in general engineering, especia and armaments industry. Techniques considered are: (a) Failure modes and effects analysis (FMEA). (b) Failure modes, effects and criticality analysis (FMECA). (c) Hazard and operability studies (HAZOP). (d) Event tree analysis (ETA). (e) Fault tree analysis (FTA).

(a) Failure Modes and Effects Analysis (FMEA) FMEA identifies all ways a particular component can f of a failure on the system. Doesn t identify all hazards, since a failure does not ha hazard to be present in a system. Example: A rocket is by its nature hazardous, even if it Therefore FMEA is preliminary an engineering tool, not tool.

Process of FMEA Define scope and boundaries of the main system and of Break the main system down into subsystems. Assess each subsystem, and determine, whether the subsystem would affect the main system. If it wouldn t, ignore that subsystem. Otherwise, break this subsystem into further subsystem above, until the component level is reached.

Process of FMEA (Cont.) For each component identified as above, do the following Look at the component s failure modes = the ways, t fail. Assess the failure s effects. Usually the worst-credible case with conseque probability of occurrence is assessed, if this is possible Determine its mission phase (installation, operat repair). Identify, whether the failure is a single-point failure. ( Single point failure = failure of a single componen down the entire system.) Determine methods of corrective action.

Process of FMEA (Cont.) Document the results in an FMEA worksheet.

Subsystem: Hydraulic Control Panel Assembly: Junction Box A Subassembly: Mechanical Com- Com- Function Failure ponent ponent mode number name 45-341 Solenoid Electro-pneumatic No pneumatic s valve interface and sent from valve control of due to loss of hydraulic panel pressure valves fail closed Failed valve due to internal sprin failure from excessive wear.

Layout Analyzed in the Table Below: Pressurized air Solenoid Valve Solenoid valve operates hydraulic valve Hydraulic Valve Hydraulic liquid

Failure effects Failure propa- Single- Risk locally gation point failure next level failure class Rendered useless No pneumatic NO 4C due to loss of signal sent to working fluid hydraulic valve, resulting in longer response time to control valve 3-A Continuous Possible hydraulic NO 4C pneumatic flow valve activation through valve. or deactivation due to inappropriate pneumatic pilot signal

Limitations of FMEA FMEA is primarily designed to create products which ar create products which are safe. Example: If we apply FMEA to a gun, we obtain a g failures. So e.g. the barrel doesn t suddenly explode. However, the fact that if you direct it against a human him, is a hazard, but no failure of the gun. In general hazards need not be the result of a failure. We can of course extend FMEA to treat all situations in used and find out failures in that constellation. But that is in most cases infeasible.

Limitations of FMEA (Cont.) Direct hazard analysis will in the case of the gun immedi global hazard. We see that FMEA is an excellent engineering tool for c functioning gadgets. This contributes to but doesn t guarantee safety.

Limitations of FMEA (Cont.) Further FMEA investigates only single failures. Often accidents have the origins in a combination of mult of which on its own wouldn t have such severe consequenc

(b) Failure Modes, Effects and Criticality Analysis (FMECA) As FMEA, but additionally determine (or estimate) for ea the probability of its occurrence; the probability of the occurrence of the consequen failure has occurred; a number measuring the criticality. The product of the 3 factors measures the risk associated If the risk exceeds a certain number, action has to be

Explanation of the Measure above The product of the first 2 factors measures the p occurrence of this deviation followed by the consequence of accident. Therefore the product of all 3 factors is the product of the occurrence of the consequence and of a measure of t Since risk = product of probability of occurrence and product of all 3 factors measures the risk.

(c) Hazard and Operability Studie (HAZOP) Technique developed and used mainly in chemical indust Studies to apply it to computer based systems have bee Underlying systems theory model: Accidents caused by deviations from the design or op e.g.: if there is no flow or no control signal, although there HAZOP considers systematically each process unit in th possible deviation. Deviations are identified by using the guide words of H

Hazard and Operability Studies (HAZOP; C HAZOP carried out by a team.

General Procedure of HAZOP 1. Define objectives and scope of the analysis. 2. Select a HAZOP team. Requires a leader, who knows HAZOP well. Requires a recorder, who documents the process of HAZ 3. Dissect design into nodes and identify lines into those nod 4. Analyze deviations for each line and identify hazard contro 5. Document results in a table. 6. Track hazard control implementation.

Nodes and Lines Node = location, where process parameters can change. A chemical reactor Pipe between two units. Pump. Sensor. Line= interface between nodes E.g. pipe feeding into a reactor. Electrical power supply of a pump. Signals from a sensor to a computer. Signals from a computer to an actuator.

Guide Words of HAZOP and Possible Interpretations Guide Word Chemical Plant Computer- No More No part of intended result achieved. Quantitative increase in the physical quantitity No data or exchanged. Signal mag rate too hig Less Quantitative decrease in the physical quantitity Signal mag rate too low

Guide Words of HAZOP (Cont.) Guide Word Chemical Plant Computer- As well as Intended activity occurs, but with additional results Part of Only part of intended activity occurs Reverse Opposite of what is intended occurs, e.g. reverse flow within a pipe. Redundant addition to Incomplete transmitted. Polarity o changes rev Other than No part of intended activity occurs, and something else happens instead Data incorrect. co

New Guide Words of HAZOP for Computer-Base Guide Word Chemical Plant Computer- Early Not used Signal arriv w.r.t. clock Late Not used Signal arrive clock time. Before Not used Signal arriv intended wit After Not used Signal arriv intended wit

Steps in the HAZOP Process For all lines. For all key words and associated deviations e.g. : No flow. For all possible causes of that deviation. If that cause is hazardous or prevents efficient operat If the operator cannot recognize this deviation. Identify, which changes in the plant will make him/her recognize that. Identify changes in plant or methods which prevent deviation, make it less likely or mitig

Steps in the HAZOP Process (Cont.) For each such change If cost of change is justified Agree to changes. Agree who is responsible for action Follow up to see that action has be

Example: Temperature sensor. Line Attribute Guide Cause Consequen word Sensor Supply No Regulator or Lack of sen supply voltage cable fault detected an line shuts down More Regulator fault Damage to sensor temperatur Less Regulator fault Incorrect reading Sensor current Sensor output

(d) Event Tree Analysis (ETA) Start with faults, which can cause accidents (e.g. broken Draw a decision tree in order to identify sequences of accidents. For each such sequence determine its outcome. Probabilities can be assigned to each event to determin that scenario. Product of the failures on each path is the probabi sequence.

(d) Event Tree Analysis (ETA; Cont) Since probability of failure is usually very low, probabil usually almost 1 and can be ignored in the product.

Example: Loss of cooleant accident in a nuclear pow (ECCS = Emergency Core Cooling System) Pipe Electric ECCS Fission product break Power removal Initiating Event P1 Available 1 P2 Fails P2 Succeeds 1 P3 Fails P3 Succeeds 1 P4 Fails P4 Succeeds 1 P4 Fails P4 Containment Integrity Succeeds 1 P5 Fails P5 Succeeds 1 P5 Fails P5 P

Evaluation of Event Tree Analysis ETA handles continuity of events well. ETA good for calculation of probability of events. However, in the tree usually many events which don t res occur. ETA becomes unneessarily big. It is necessary to cut away subtrees which don t resu In general ETAs tend to become very big.

(e) Fault Tree Analysis (FTA) Whereas ETA starts with faults and determines resulting a FTA starts with a possible accident and determines se resulting in that event. Usually these conditions are disjunctive if one of the conditions is satisfied the event occurs or conjunctive if all of the conditions are satisfied the event occurs The FTA is drawn using logical gates.

Laser Activated incorrectly Primary Laser Failure Voltage on Control Input System applies Voltage to Input Prim Cabl Faul Relay Contacts closed Microswitch Contacts closed

Fault Tree Symbols Official Symbol Meaning Official Symbo Fault event resulting from other event Basic event taken as input In

Fault Tree Symbols (Cont.) Official Alternative Meaning Symbol Symbol Output to other fault tree & Out Event occurs if all inputs o >=1 Event occurs if at least one

Fault Tree Symbols (Cont.) Official Symbol Meaning Out Control Event occurs depending on control condition In

Cut Sets Fault trees can be written as Boolean formulas (take a and/or). Laser Example: ((Relay Contacts Closed and Cond1) (Micro Switch Contacts Closed Cond2)) Primary Cable Fault Primary Laser Failure (where Cond1 and Cond2 are conditions identified by c trees below the rhombuses). Boolean formulas can then be rewritten in disjunctive no an or of ands). Laser Example has to be unfolded if Cond1 or Cond2 co

Cut Sets (Cont.) Now omit conjunctions, which are implied by shorter on E.g. In (A B) (C B) B, (A B) and (C B) can be omitted. Each conjunction determines a minimal sequence of eve accident. These conjunctions are called cut sets.

Cut Sets (Cont.) Short cut sets indicate particular weaknesses of the system If the faults in a cut set are independent, the probabilit one cut set occurring is the product of the probabilities events. If the cut sets are independent, the probability of the ac the sum of the probability of each cut sequence.

Cut Sets (Cont.) Often however the events in one cut set are not indepen Implies that the probability of them occurring is much Common mistake to overlook independence, which risk estimates. Cut sets can be generated automatically.

Summary We have studied 5 techniques for Hazard analysis. FMEA and FMECA. Concentration on avoidance of failures. Allows to produce highly reliable systems, but do identify all hazards. HAZOP. Use of guide words. Adaption to computer systems still in experimental st ETA. Starts from faults. Event trees might grow too big. FTA. Starts from accidents. Seems to be most suitable technique in order to id

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback