HAZOP: Hazard and Operability Study

Models and Analysis of Software
Lecture 11
HAZOP: Hazard and Operability Study

Jerzy.Nawrocki@put.poznan.pl
www.cs.put.poznan.pl/jnawrocki/models/
Copyright, 2003
Jerzy R. Nawrocki
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
Introduction
HAZOP: HAZard and OPerability study; ICI Chemicals, UK, 70
Aim: identifying potential hazards and operability problems
caused by deviations from the design intent of both new and
existing process plants [Lihou03].
Introduction
HAZOP: HAZard and OPerability study
Radiation therapy
therapy machine
machine
Radiation
Electron
accelerator
Heating installation
installation
Heating
Introduction
Railway crossing
crossing
Railway
Aircraft control
control system
system
Aircraft
Introduction
Existing
New
Introduction
Radiation therapy
therapy machine
machine
Radiation
~ 200 rad
Electron
accelerator
installation
Heating
up to 50 oC
Introduction
Therac-25 accident
accident [Leveson93]
[Leveson93]
Therac-25
15 000 rad
Electron
accelerator
installation
Heating
Auch!
90 oC
Introduction
H.= A set of conditions that can lead to an accident [Leveson91]
Radiation therapy
therapy machine
machine
Radiation
15 000 rad
Electron
accelerator
installation
Heating
90 oC
Introduction
Oh God!
Introduction
The computer
doesnt work!
Introduction
HAZOP: HAZard and OPerability study; ICI Chemicals, UK, 70
Performed by a team of
multidisciplinary experts.
Structured brainstorming process.
Introduction
How deviations from the design intent can arise?
Can they impact safety and operability?
What actions are necessary?
Process
description
Introduction
.. the great advantage of the technique is that it
encourages the team to consider less obvious ways in
which a deviation may occur (..) In this way the study
becomes much more than a mechanistic check-list
type of review. [Lihou03]
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
Keywords
Primary keywords: a particular aspect of a design intent
(a process condition or parameter).
Can corrosion be
a design intent?
Safety:
Operability:
Flow
Temperature
Pressure
Level
Corrode
Absorb
Erode
...
Isolate
Start-up
Shutdown
Maintain
Inspect
Drain
Purge
...
Keywords
Secondary keywords: possible deviations (problems)
They tend to be a standard set.
No:
No The design intent is almost eliminated (blocked)
or unachievable.
Examples:
Flow/No
Isolate/No
No
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Less:
Less Value of a parameter described by a primary
keyword is less than expected.
Examples:
Flow/Less
Temperature/Less
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
More:
More The parameter value is greater than expected.
Examples:
Temperature/More
Pressure/No
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Reverse:
Reverse The opposite direction of the design intent.
Examples:
Flow/Reverse
Isolate/No
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Also:
Also The design intent (primary keyword) is OK, but
there is something extra.
Examples:
Flow/Also = contamination
Level/Also = unexpected material in a tank
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Other:
Other The design intent occurs but in a different
way.
Examples:
Composition/Other = Unexpected proportions
Flow/Other = Product flows where it is unexpected
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Fluctuation:
Fluctuation The design intent achieved only part of
the time.
Examples:
Flow/Fluctuation = Sometimes flows, sometimes not.
Less
More
Reverse
Also
Other
Temperature/Fluctuation = Sometimes hot, sometimes Fluctuation

cold.
Early
Late
Keywords
No
Early:
Early The design intent appears too early.
Examples:
Flow/Early = The product flows too early.
Temperature/Early = The intended temperature
(high or low) is achieved too early.
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Late:
Late Opposite to early.
Examples:
Level/Late = The inteded level in a tank is achieved
too late.
Less
More
Reverse
Also
Other
Fluctuation
Early
Late
Keywords
No
Less
Are all combinations

of keywords meaningful?
More
Reverse
Temperature/No
???
Corrode/Reverse
???
Also
Other
Fluctuation
Early
Late
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
Methodology Report format

Deviation
Cause
Consequence Safeguards
Action
E.g.
Potential Consequences Any existing Actions to
Flow/No cause of the of the cause devices that remove the
and the
deviation
prevent the
cause or
deviation itself cause or
mitigate the
make its
conseconsequeces quences
less painful
Methodology The process

Deviation
Cause
Flow/No
Problem...
Consequence Safeguards
Action
Select aa section
section of
of the
the plant
plant
Select
For each
each primary
primary keyword
keyword relevant
relevant for
for the
the plant:
plant:
For
For each
each relevant
relevant secondary
secondary keyword:
keyword:
For
For each
each discovered
discovered cause
cause for
for the
the deviation
deviation
For
Think of
of significant
significant consequences
consequences and
and record
record them;
them;
Think
Record any
any safeguards
safeguards identified;
identified;
Record
Think of
of any
any necessary
necessary actions
actions and
and record
record them;
them;
Think
The HAZOP team

Optimal: 6 people
Maximum: 9 people
Equal representation of
customer and supplier
Experts from a range of
disciplines
Team composition: questions
raised during the meeting should
be answered immediately.
Chairman and secretary
Preparatory work
1. Assemble the data
2. Understand the subject
3. Subdivide the plant and plan the sequence
4. Mark-up the drawings
5. Devise a list of appropriate keywords
6. Prepare table headings and an agenda
7. Prepare a timetable
8. Select the team
The report
Scope of the study
Brief description of the process under study
Keyword combinations and their meanings
Description of the Action File (contains Action
Response Sheets reporting on the actions
performed to reduce the risks; initially empty)
General comments (what was unavailable or
not reviewed, what the team was assured of)
Results (the number of recommended actions)
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
UML-HAZOP
J.Grski, A.Jarzbowicz
Technical University of Gdask
Wykrywanie anomalii w modelach obiektowych za pomoc
metody UML-HAZOP, IV KKIO, Best Paper Award
Detecting Defects in Object-Oriented Diagrams Using UMLHAZOP, FCDS, vol. 24, No. 4, 2002.
Strengths of UML-HAZOP
UML
Defect detection in UML diagrams
A structured review method for UML
diagrams guided by keywords (NO, MORE,
LESS, ..)
An interesting checklist for UML diagrams
Experimental evaluation shows that the
method is quite efficient (defects detected
per unit of time)
Weaknesses of UML-HAZOP
Limited to class diagrams only.
Limited to two kinds of relationships in class diagrams,
Association and Generalization, from which 10 primary
keywords are derived.
In the presented experiments all the analysis was performed
by one reviewer whilest HAZOP relies on multidisciplinary
teams.
Introduction
.. the great advantage of the technique is that it
encourages the team to consider less obvious ways
in which a deviation may occur (..) In this way the
study becomes much more than a mechanistic
check-list type of review. [Lihou03]
Weaknesses of UML-HAZOP
Limited to class diagrams only.
Limited to two kinds of relationships in class diagrams,
Association and Generalization, from which 10 primary
keywords are derived.
In the presented experiments all the analysis was performed
by one reviewer whilest HAZOP relies on multidisciplinary
teams.
The method lacks analysis of possible consequences of an
identified defect (anomaly).
Summary
HAZOP is a structured
brainstorming method for risk

analysis.
It can be applied in different
contexts (eg. UML-HAZOP)
It goes well with other analysis
methods, eg. fault tree analysis
(AND/OR trees of faults)
Used by: UK Ministry of Defence,
Motorola, chemical companies, etc.
Bibliography
[Lihou03] Mike Lihou, Hazard & Operability
Studies, Lihou Technical & Software Services,

www.lihoutech.com/hzp1frm.htm, 3.06.2003.
A very good introduction to HAZOP.
[Leveson91] N. Leveson, S.Cha, T.Shimeall,
Safety verification of Ada programs using
software fault trees, IEEE Software, July 1991,
48-59.
FTA templates for Ada programs.
[Leveson93] N. Leveson, C. Turner, An
investigation of the Therac-25 Accidents,
Computer, July 1993, 18-41.
Quality assessment
1. What is your general impression? (1 - 6)

2. Was it too slow or too fast?
3. What important did you learn during the
lecture?
4. What to improve and how?

HAZOP: Hazard and Operability Study

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

HAZOP: Hazard and Operability Study

Hochgeladen von

Copyright:

Verfügbare Formate

Models and Analysis of Software

HAZOP: Hazard and Operability Study

Temperature/Fluctuation = Sometimes hot, sometimes Fluctuation

Are all combinations

Methodology Report format

Methodology The process

The HAZOP team

brainstorming method for risk

Studies, Lihou Technical & Software Services,

1. What is your general impression? (1 - 6)

Das könnte Ihnen auch gefallen