HAZOP: Hazard and Operability Study Models and Analysis of Software Lecture 11 Copyright, 2003 Jerzy R. Nawrocki
Agenda Introduction Keywords Methodology UML-HAZOP
Agenda Introduction Keywords Methodology UML-HAZOP
Introduction HAZOP : HAZ ard and OP erability study; ICI Chemicals, UK, ‘70 Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03].
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Heating installation Radiation therapy machine Electron accelerator
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Railway crossing Aircraft control system
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. ExistingNew
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Heating installation Radiation therapy machine Electron accelerator ~ 200 rad up to 50 o C
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Therac-25 accident [Leveson93] Electron accelerator rad Heating installation 90 o C Auch!
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Heating installation 90 o C Electron accelerator rad Radiation therapy machine H.= A set of conditions that can lead to an accident [Leveson91]
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Oh God!
Introduction HAZOP : HAZ ard and OP erability study Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. The computer doesn’t work!
Introduction HAZOP : HAZ ard and OP erability study; ICI Chemicals, UK, ‘70 Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03]. Performed by a team of multidisciplinary experts. Structured brainstorming process.
Introduction Process description How deviations from the design intent can arise? Can they impact safety and operability? What actions are necessary?
Introduction.. the great advantage of the technique is that it encourages the team to consider less obvious ways in which a deviation may occur (..) In this way the study becomes much more than a mechanistic check-list type of review. [Lihou03]
Agenda Introduction Keywords Methodology UML-HAZOP
Keywords Primary keywords : a particular aspect of a design intent (a process condition or parameter). Safety:Operability: FlowIsolate TemperatureStart-up PressureShutdown LevelMaintain Corrode Inspect AbsorbDrain ErodePurge... Can corrosion be a design intent?
Keywords Secondary keywords : possible deviations (problems) No Less More Reverse Also Other Fluctuation Early Late They tend to be a standard set. No No : The design intent is almost eliminated (blocked) or unachievable. Examples : Flow/No Isolate/No
Keywords Secondary keywords : possible deviations (problems) NoLess More Reverse Also Other Fluctuation Early Late Less Less : Value of a parameter described by a primary keyword is less than expected. Examples : Flow/Less Temperature/Less
Keywords Secondary keywords : possible deviations (problems) No LessMore Reverse Also Other Fluctuation Early Late More More : The parameter value is greater than expected. Examples : Temperature/More Pressure/No
Keywords Secondary keywords : possible deviations (problems) No Less MoreReverse Also Other Fluctuation Early Late Reverse Reverse : The opposite direction of the design intent. Examples : Flow/Reverse Isolate/No
Keywords Secondary keywords : possible deviations (problems) No Less More ReverseAlso Other Fluctuation Early Late Also Also : The design intent (primary keyword) is OK, but there is something extra. Examples : Flow/Also = contamination Level/Also = unexpected material in a tank
Keywords Secondary keywords : possible deviations (problems) No Less More Reverse AlsoOther Fluctuation Early Late Other Other : The design intent occurs but in a different way. Examples : Composition/Other = Unexpected proportions Flow/Other = Product flows where it is unexpected
Keywords Secondary keywords : possible deviations (problems) No Less More Reverse Also OtherFluctuation Early Late Fluctuation Fluctuation : The design intent achieved only part of the time. Examples : Flow/Fluctuation = Sometimes flows, sometimes not. Temperature/Fluctuation = Sometimes hot, sometimes cold.
Keywords Secondary keywords : possible deviations (problems) No Less More Reverse Also Other FluctuationEarly Late Early Early : The design intent appears too early. Examples : Flow/Early = The product flows too early. Temperature/Early = The intended temperature (high or low) is achieved too early.
Keywords Secondary keywords : possible deviations (problems) No Less More Reverse Also Other Fluctuation EarlyLate Late Late : Opposite to early. Examples : Level/Late = The inteded level in a tank is achieved too late.
Keywords Secondary keywords : possible deviations (problems) No Less More Reverse Also Other Fluctuation Early Late Are all combinations of keywords meaningful? Temperature/No??? Corrode/Reverse???
Agenda Introduction Keywords Methodology UML-HAZOP
Methodology – Report format DeviationCauseConsequenceSafeguardsAction E.g. Flow/No Potential cause of the deviation Consequences of the cause and the deviation itself Any existing devices that prevent the cause or make its consequeces less painful Actions to remove the cause or mitigate the conse- quences
Methodology – The process Select a section of the plant For each primary keyword relevant for the plant: For each relevant secondary keyword: Think of significant consequences and record them; Record any safeguards identified; Think of any necessary actions and record them; Think of significant consequences and record them; Record any safeguards identified; Think of any necessary actions and record them; For each discovered cause for the deviation DeviationCauseConsequenceSafeguardsAction Flow/No Problem...
The HAZOP team Optimal : 6 people Maximum : 9 people Equal representation of customer and supplier Experts from a range of disciplines Team composition : questions raised during the meeting should be answered immediately. Chairman and secretary
Preparatory work 1.Assemble the data 2.Understand the subject 3.Subdivide the plant and plan the sequence 4.Mark-up the drawings 5.Devise a list of appropriate keywords 6.Prepare table headings and an agenda 7.Prepare a timetable 8.Select the team
The report Scope of the study Brief description of the process under study Keyword combinations and their meanings Description of the Action File (contains Action Response Sheets reporting on the actions performed to reduce the risks; initially empty) General comments (what was unavailable or not reviewed, what the team was assured of) Results (the number of recommended actions)
Agenda Introduction Keywords Methodology UML-HAZOP
UML-HAZOP J.Górski, A.Jarzębowicz Technical University of Gdańsk Wykrywanie anomalii w modelach obiektowych za pomocą metody UML-HAZOP, IV KKIO, Best Paper Award Detecting Defects in Object-Oriented Diagrams Using UML- HAZOP, FCDS, vol. 24, No. 4, 2002.
Strengths of UML-HAZOP UML Defect detection in UML diagrams A structured review method for UML diagrams guided by keywords (NO, MORE, LESS,..) An interesting checklist for UML diagrams Experimental evaluation shows that the method is quite efficient (defects detected per unit of time)
Weaknesses of UML-HAZOP Limited to class diagrams only. Limited to two kinds of relationships in class diagrams, Association and Generalization, from which 10 primary keywords are derived. In the presented experiments all the analysis was performed by one reviewer whilest HAZOP relies on multidisciplinary teams.
Introduction.. the great advantage of the technique is that it encourages the team to consider less obvious ways in which a deviation may occur (..) In this way the study becomes much more than a mechanistic check-list type of review. [Lihou03]
Weaknesses of UML-HAZOP Limited to class diagrams only. Limited to two kinds of relationships in class diagrams, Association and Generalization, from which 10 primary keywords are derived. In the presented experiments all the analysis was performed by one reviewer whilest HAZOP relies on multidisciplinary teams. The method lacks analysis of possible consequences of an identified defect (anomaly).
Summary HAZOP is a structured brainstorming method for risk analysis. HAZOP is a structured brainstorming method for risk analysis. It can be applied in different contexts (eg. UML-HAZOP) It can be applied in different contexts (eg. UML-HAZOP) It goes well with other analysis methods, eg. fault tree analysis (AND/OR trees of faults) It goes well with other analysis methods, eg. fault tree analysis (AND/OR trees of faults) Used by: UK Ministry of Defence, Motorola, chemical companies, etc. Used by: UK Ministry of Defence, Motorola, chemical companies, etc.
Bibliography [Lihou03] Mike Lihou, Hazard & Operability Studies, Lihou Technical & Software Services, [Lihou03] Mike Lihou, Hazard & Operability Studies, Lihou Technical & Software Services, A very good introduction to HAZOP. A very good introduction to HAZOP. [Leveson91] N. Leveson, S.Cha, T.Shimeall, Safety verification of Ada programs using software fault trees, IEEE Software, July 1991, [Leveson91] N. Leveson, S.Cha, T.Shimeall, Safety verification of Ada programs using software fault trees, IEEE Software, July 1991, FTA templates for Ada programs. FTA templates for Ada programs. [Leveson93] N. Leveson, C. Turner, An investigation of the Therac-25 Accidents, Computer, July 1993, [Leveson93] N. Leveson, C. Turner, An investigation of the Therac-25 Accidents, Computer, July 1993,
Bibliography F. Redmill, M. Chudleigh, J.Catmur, System Safety: HAZOP and Software HAZOP, John Wiley & Sons, 1999, (Amazon.com: $135!) F. Redmill, M. Chudleigh, J.Catmur, System Safety: HAZOP and Software HAZOP, John Wiley & Sons, 1999, (Amazon.com: $135!)
Quality assessment 1. What is your general impression? (1 - 6) 2. Was it too slow or too fast? 3. What important did you learn during the lecture? 4. What to improve and how?