Mission-Critical Systems and HAZOP [email protected] Requirements Engineering Lecture 13...

Mission-Critical Systems and HAZOPMission-Critical Systems and HAZOP

[email protected]/jnawrocki/require/

Requirements EngineeringLecture 13

Copyright, 2004 Jerzy R. Nawrocki

mailto:[email protected]






Overview of RE guidelinesOverview of RE guidelines

The requirements document

Requirements elicitation

Reqs analysis & negotiation

Describing requirements

System modelling

Requirements validation

Requirements management

RE for critical systems

Basic Interm Adv

8

6

54

3

4

4

2

36

-

6

21

3

3

3

3

21

-

1

1-

-

1

2

4

9

RE for Critical SystemsRE for Critical Systems

Basic guidelines

Create safety requirements checklists Involve external reviewers in the

validation process


Intermediate guidelines

Identify and analyse hazards Derive safety requirements from

hazard analysis Cross-check operational and

functional requirements against safety requirements


Advanced guidelines

Specify systems using formal specification

Collect incident experience Learn from incident experience Establish an organisational safety

culture

Introduction to HAZOPIntroduction to HAZOP

HAZOP: HAZard and OPerability study; ICI Chemicals, UK, ‘70

Aim: ‘identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants’ [Lihou03].


HAZOP: HAZard and OPerability study


Heating installationHeating installationRadiation therapy machineRadiation therapy machine

Electron accelerator




Railway crossingRailway crossing Aircraft control systemAircraft control system




Existing New




Heating installationHeating installationRadiation therapy machineRadiation therapy machine


~ 200 rad up to 50 oC




Therac-25 accident [Leveson93]Therac-25 accident [Leveson93]


15 000 rad

Heating installationHeating installation

90 oCAuch!




Heating installationHeating installation

90 oCElectron accelerator

15 000 rad

Radiation therapy machineRadiation therapy machine

H.= A set of conditions that can lead to an accident [Leveson91]




Oh God!




The computer doesn’t work!


HAZOP: HAZard and OPerability study; ICI Chemicals, UK, ‘70


Performed by a team of multidisciplinary experts.

Structured brainstorming process.


Process description

How deviations from the design intent can arise?Can they impact safety and operability?

What actions are necessary?


.. the great advantage of the technique is that it encourages the team to consider less obvious ways in which a deviation may occur (..) In this way the study becomes much more than a mechanistic check-list type of review. [Lihou03]

KeywordsKeywords

Primary keywords: a particular aspect of a design intent (a process condition or parameter).

Safety: Operability:

Flow IsolateTemperature Start-upPressure ShutdownLevel MaintainCorrode InspectAbsorb DrainErode Purge... ...

Can corrosion bea design intent?

KeywordsKeywords

Secondary keywords: possible deviations (problems)NoNo

Less

More

Reverse

Also

Other

Fluctuation

Early

Late

They tend to be a standard set.

NoNo: The design intent is almost eliminated (blocked) or unachievable.

Examples:

Flow/No

Isolate/No

KeywordsKeywords

Secondary keywords: possible deviations (problems)No

LessLess

More

Reverse

Also

Other

Fluctuation

Early

Late

LessLess: Value of a parameter described by a primary keyword is less than expected.

Examples:

Flow/Less

Temperature/Less

KeywordsKeywords


Less

MoreMore

Reverse

Also

Other

Fluctuation

Early

Late

MoreMore: The parameter value is greater than expected.

Examples:

Temperature/More

Pressure/No

KeywordsKeywords


Less

More

ReverseReverse

Also

Other

Fluctuation

Early

Late

ReverseReverse: The opposite direction of the design intent.

Examples:

Flow/Reverse

Isolate/No

KeywordsKeywords


Less

More

Reverse

AlsoAlso

Other

Fluctuation

Early

Late

AlsoAlso: The design intent (primary keyword) is OK, but there is something extra.

Examples:

Flow/Also = contamination

Level/Also = unexpected material in a tank

KeywordsKeywords


Less

More

Reverse

Also

OtherOther

Fluctuation

Early

Late

OtherOther: The design intent occurs but in a different way.

Examples:

Composition/Other = Unexpected proportions

Flow/Other = Product flows where it is unexpected

KeywordsKeywords


Less

More

Reverse

Also

Other

FluctuationFluctuation

Early

Late

FluctuationFluctuation: The design intent achieved only part of the time.

Examples:

Flow/Fluctuation = Sometimes flows, sometimes not.

Temperature/Fluctuation = Sometimes hot, sometimes cold.

KeywordsKeywords


Less

More

Reverse

Also

Other

Fluctuation

EarlyEarly

Late

EarlyEarly: The design intent appears too early.

Examples:

Flow/Early = The product flows too early.

Temperature/Early = The intended temperature (high or low) is achieved too early.

KeywordsKeywords


Less

More

Reverse

Also

Other

Fluctuation

Early

LateLate

LateLate: Opposite to early.

Examples:

Level/Late = The inteded level in a tank is achieved too late.

KeywordsKeywords


Less

More

Reverse

Also

Other

Fluctuation

Early

Late

Are all combinationsof keywords meaningful?

Temperature/No ???

Corrode/Reverse ???

Methodology – Report formatMethodology – Report format

Deviation Cause Consequence Safeguards Action

E.g. Flow/No

Potential cause of the

deviation

Consequences of the cause

and the deviation itself

Any existing devices that prevent the

cause or make its

consequeces less painful

Actions to remove the

cause or mitigate the

conse-quences

Methodology – The processMethodology – The process

Select a section of the plantSelect a section of the plant

For each primary keyword relevant for the plant:For each primary keyword relevant for the plant:

For each relevant secondary keyword:For each relevant secondary keyword:

Think of significant consequences and record them;Record any safeguards identified;Think of any necessary actions and record them;

Think of significant consequences and record them;Record any safeguards identified;Think of any necessary actions and record them;

For each discovered cause for the deviationFor each discovered cause for the deviation

Deviation Cause Consequence Safeguards Action

Flow/No Problem...

The HAZOP teamThe HAZOP teamOptimal: 6 peopleMaximum: 9 people

Equal representation of customer and supplier

Experts from a range of disciplines

Team composition: questions raised during the meeting should be answered immediately.

Chairman and secretary

Preparatory workPreparatory work

1. Assemble the data

2. Understand the subject

3. Subdivide the plant and plan the sequence

4. Mark-up the drawings

5. Devise a list of appropriate keywords

6. Prepare table headings and an agenda

7. Prepare a timetable

8. Select the team

The reportThe report

• Scope of the study

• Brief description of the process under study

• Keyword combinations and their meanings

• Description of the Action File (contains Action Response Sheets reporting on the actions performed to reduce the risks; initially empty)

• General comments (what was unavailable or not reviewed, what the team was assured of)

• Results (the number of recommended actions)

SummarySummary

HAZOP is a structured HAZOP is a structured brainstorming method for risk brainstorming method for risk analysis.analysis.

It can be applied in different It can be applied in different contexts (eg. UML-HAZOP)contexts (eg. UML-HAZOP)

It goes well with other analysis It goes well with other analysis methods, eg. fault tree analysis methods, eg. fault tree analysis (AND/OR trees of faults)(AND/OR trees of faults)

Used by: UK Ministry of Defence, Used by: UK Ministry of Defence, Motorola, chemical companies, etc.Motorola, chemical companies, etc.

BibliographyBibliography

[Lihou03][Lihou03] Mike Lihou, Hazard & Operability Mike Lihou, Hazard & Operability Studies, Lihou Technical & Software Services, Studies, Lihou Technical & Software Services, www.lihoutech.com/hzp1frm.htm, 3.06.2003. , 3.06.2003.

A very good introduction to HAZOP.A very good introduction to HAZOP. [Leveson91][Leveson91] N. Leveson, S.Cha, T.Shimeall, N. Leveson, S.Cha, T.Shimeall,

Safety verification of Ada programs using Safety verification of Ada programs using software fault trees, software fault trees, IEEE SoftwareIEEE Software, July 1991, , July 1991, 48-59.48-59.

FTA templates for Ada programs.FTA templates for Ada programs. [Leveson93][Leveson93] N. Leveson, C. Turner, An N. Leveson, C. Turner, An

investigation of the Therac-25 Accidents, investigation of the Therac-25 Accidents, ComputerComputer, July 1993, 18-41., July 1993, 18-41.

http://www.lihoutech.com/hzp1frm.htm







BibliographyBibliography

F. Redmill, M. Chudleigh, J.Catmur, F. Redmill, M. Chudleigh, J.Catmur, System System Safety: HAZOP and Software HAZOPSafety: HAZOP and Software HAZOP, John , John Wiley & Sons, 1999, (Amazon.com: Wiley & Sons, 1999, (Amazon.com: $135$135!)!)

J.Górski, A.Jarzębowicz, Wykrywanie anomalii w modelach obiektowych za pomocą metody UML-HAZOP, IV KKIO, Best Paper Award

Date post:	20-Jan-2016
Category:	Documents
Upload:	stella-robertson
View:	214 times
Download:	0 times

Mission-Critical Systems and HAZOP [email protected] Requirements Engineering Lecture 13...

Documents