8/10/2019 Introduction Chaz Op
1/44
1
Title of Workshop. And Client
Confidential. Not for reproduction. Copyright 2014 All rights reserved.
CHAZOP Introduction
Control System Hazard and Operability Analysis
2014
The Learning Environment
It is important for ACM and for you as our clients that the learning atmosphere and conditions are comfortable and suited for learning.
Being respectful of others' viewpoints and patient while others ask questions is important.
Rules
We are all here to learn from each other
Respect each other's opinions
This is a safe environment to learn
Breaks are negotiated and managed by the group
We start on time after breaks
Emergency procedures
CELL PHONES OFF OR ON VIBRATE
HAVE FUN!
Being interactive is the key to your success in learning new skills and knowledge.
Agenda
Building Emergency Procedures
Introductions
The Learning Environment
8:00-12:00 Theory for HAZOP of Computer/Control Systems
12:00-1:00 Lunch
1:00-4:00 Continuation and CHAZOP exercises
PHA Study Method - CHAZOP
CHAZOP - qualitative
Predictive identification of hazards, causes and consequences
Identification of operability factors that influence human performance
Identification of safeguards and preventive controls
Recommendations for improvement
Risk Assessment - qualitative
Probability-based (qualitative) assessment of hazards
Risk assessed as a function of consequence and likelihood (estimation of likelihood and consequence severity)
Why do a HAZOP on a Computer/Control System?
Why do a HAZOP on a Computer/Control System?
Allows the hazards and risks associated with computer/control system designs to be analyzed and evaluated before the computer/control system is installed, commissioned, site tested and put into operation
Reflects the best thinking on how to safely operate and manage your computer/control systems
Builds upon and records process and computer/control system experience
Assesses which safety measures to use and the protection they can provide
Promotes safe, efficient operation and maintenance
Promotes the idea that the computer/control system and the operating and maintenance procedures are vital plant components
Reduces the likelihood of incidents and accidents
Improves quality, continuity, profitability and cost control
Complies with governmental regulations or industry initiatives requiring computer/control system certification
CHAZOP Study Objectives
To identify computer/control system hazards, not to provide solutions to all hazards
To provide confidence that potential hazards are identified
To provide a qualitative estimate of the likelihood and severity of potential incidents and accidents
To qualitatively evaluate the consequences of failure of engineering and administrative controls
CHAZOP Study Objectives
To provide management with a concrete basis for making risk management decisions
To identify ways in which operability might be improved
To provide information that can be useful in improving future migration or modernization
To provide objective, documented evidence of a thorough, well conducted study for audit and insurance purposes
CHAZOP Study Objectives
Establish the limits of the computer system and its network
Identify which plant units depend on or interact with the computer system for their operation
Develop a block flow diagram of the functions of the computer in controlling the plant units
Identify the hazards of the units as defined by a hazard study or process HAZOP, and include any hazards associated with the interactions between units
List those computer functions associated with the hazards in any way
On which Computer/Control System should I do a HAZOP?
A HAZOP can be done on any computer/control system.
However, due to the level of detail required and the time commitment, a HAZOP is typically performed on computer/control systems deemed to be critical. Critical computer/control systems should be identified at every facility.
What defines a critical computer/control system?
What defines a critically hazardous Computer/Control System?
A critical computer/control system may be defined by one or more of the following criteria:
Any computer/control system for which the consequence of deviating from the design intent is a critical situation, incident or accident
Start-up or shutdown transition mode sequences of the computer/control system
Maintenance operating mode transition sequences (i.e. on-line/off-line maintenance mode transition sequence)
Abnormal operating computer/control system states, modes and transitions
Emergency stop sequence, reset state, critical stop sequence
Temporary operating mode transition sequences, set reference points
Commissioning or decommissioning modes, states, transitions and procedures
Proof testing or test mode (bypassed equipment, on-line, off-line)
When should you do a HAZOP on a Computer/Control System?
When to do a HAZOP on a Computer/Control System?
Critical computer/control system
Complex computer/control system (complex architecture requirements)
New computer/control system
Modified computer/control system
Migration or upgrade of a computer/control system
Addition of new equipment to an existing computer/control system
Changes in the transition mode sequences (modified sequencing)
Compliance with government regulations or industry initiatives requiring special computer/control system directives
With any change that requires an MOC, the computer/control system should also be considered for CHAZOP re-evaluation
At any time during the lifecycle of the computer/control system (e.g. detail design and engineering)
Preparation for a CHAZOP
What information do you need for the CHAZOP?
Preparation for a CHAZOP
Well documented computer/control system operation
Up to date schematics, network, I/O, CPU, etc. drawings and instructions
Control system architecture layout and hierarchy, interfaces, interconnections and computer/control equipment location depiction
Structure of the computer/control system block flow diagrams
Depiction of computer/control system data transfer speed, volume and flow directions
Shutdown key (Cause and Effect Matrix)
Structural drawings to locate equipment and equipment positions, HVAC
Reactive chemical matrix, MSDS for chemicals
Overall description of the computer/control system units, parts and environment
Previous PHA studies, modifications, etc. on the computer/control system
PHA team tour and inspection of the computer/control system to be reviewed
Who needs to attend the CHAZOP?
Who needs to attend the PHA?
Senior operations personnel involved in the day to day operation of the process area being reviewed
Control systems/contact engineer involved in the day to day operation of the computer/control system being reviewed and analyzed
Equipment specialists
Control system network designer
Functional Safety / Process Safety, control equipment technical personnel
Site operations
Site controls maintenance
Other specialists as required:
DCS, BPCS vendors and manufacturers
Specialized proprietary, OEM, IT (Information Technology)
Differences between Process HAZOP and CHAZOP
Differences from Process HAZOP
Control/computer system hazard analysis:
Usually does not deal with the flow of liquids or gases, but with the flow or transfer of data/information through network cables or wireless (data: bits, bytes, words, frames, etc.)
The hazards are different; they are related to the control system elements:
Operators unable or partially unable to monitor the status of a process that is still in control, the computer/control system entering an unpredictable operating mode, hardware inputs and outputs frozen or in unpredictable states, operators unable to make changes or to activate/deactivate overrides or bypasses, operators unable to turn equipment ON or OFF or to STOP the process when required.
All of these events can develop into situations that may lead to an incident or severe accident.
Steps in a HAZOP for a Control/computer System
A HAZOP for a control/computer system follows much the same process as a process HAZOP.
Prior to the HAZOP on the control/computer system, the operating instructions and procedures should be reviewed for completeness, clarity, etc.
Break the control/computer system to be analyzed down into individual networks, cells, sections, control room locations and elements; then follow the sequence of operating transition modes, the interaction of sections, and operator actions/reactions, including alarm interventions if required.
For each operating mode, analyze the transitions, sequences or interactions of the control system with the networks, cells, sections, control room locations, elements and operator action/reaction tasks, using the chosen deviations.
Using HAZOP software, record the consequences of deviation from the control system's intended actions and reactions, the existing safeguards, and the risk rank; make recommendations where the risk is deemed unacceptable.
All operator actions and interventions are broken down into the individual step sequence of a procedure to:
Allow each step or status to be assessed more thoroughly for possible deviation of intent
Provide a flow and outline for the risk assessment process
CHAZOP Hazard Types and Considerations
Control/computer system hazards are related to process hazards
Hazards to be taken into consideration when analyzing, designing or operating control/computer systems.
Failure of control/computer systems (DCS, BPCS, PLC) may lead to:
Loss of containment of flammable liquids or vapours/gases
Toxic release hazards
Explosion hazards
Fire and heat transfer hazards (radiation, convection, conduction)
Hazards generated by electromagnetic noise
Hazards generated by vibration
Hazards generated by nuclear radiation release
Hazards generated by chemical materials and substances
Hazards generated by neglecting ergonomic principles in control design
Hazard combinations
Hazards associated with the environment in which the control/computer system is used
Control/computer System Related Hazards
What aspects of the control/computer system might cause harm to personnel?
Consider the stability of the process under control, noise, vibration, and the emission of toxic or flammable substances. Also consider burns from hot surfaces, chemicals, or friction due to the high speed of rotating equipment.
Other factors include the possibility of entanglement, crushing or cutting by rotating equipment and other tools. Also consider sharp edges on the machinery, hazardous chemical exposure, etc.
This stage should include all hazards that can be present during the lifecycle of the control/computer system, including installation, commissioning, testing, operation, maintenance, modification and decommissioning.
Control/computer System Hazard Scenarios and Situations
Loss of process visualization and monitoring (loss of operator interface)
Unexpected process start-up, shutdown, or operating mode transition
Over-run, over-speed, or variations in operating speed (or any similar malfunction)
Abnormal variations in the rotational speed of equipment (pumps, motors, centrifuges, etc.)
Partial or total failure of control system power supplies and of one or several control I/O loop circuits (signals)
Systematic errors in software code / specifications
Effects of EMC / EMI
Loss of environmental controls, HVAC (effects of temperature, humidity, etc.)
Operator operating mode confusion, operator error
Lack of proper operating procedures and/or training, knowledge of the DCS
What are we looking for? Deviations (examples)
The main purpose of the HAZOP on a control/computer system is to identify the potential hazards and operability issues that may arise from deviations due to partial or total failure of the control/computer system, and/or incorrect control/computer system transition modes and sequences.
Typical guidewords and deviations include:
No (not/none: a transition mode is not executed, no human process interface)
More (more of/higher: additional steps are added to a transition sequence)
Less (less of/lower: a transition is not completed or executed in its entirety)
Reverse (opposite to what is indicated in the transition sequence)
Part of (the operator completes part of the steps, or an equipment failure results in partial completion; utility (electric power, compressed air) failure)
As well as (more than or also: a new step in the procedure is added)
Early (sooner than)
Late (later than)
Out of sequence
Other than (the operator or control system reacts or does something completely different and unexpected)
Human Error Considerations
The analysis must consider the factors that influence human performance when attempting to identify potential hazards.
During a CHAZOP one always needs to consider the potential for error when humans interact with a process and/or equipment at any level.
Human Error Considerations (Common Cause)
Usually systematic
Major cause of most catastrophic accidents in the process industry
Impacts profitability through losses and lower quality product
Affected by the corporate culture and its management systems
Human Error Considerations
Active Human Error
Has an active, immediate effect as the cause of a hazardous situation, or is the direct initiator of a chain of events which may lead to an accident
Latent Human Error
The effects of the error may only become active after a period of time. The error remains dormant, undiscovered or hidden until conditions are suitable for its effect as the cause of a hazardous situation. (Concurrent events are usually the trigger for the error to become active.)
What are we not looking for?
The control/computer system HAZOP must not become a control/computer system design session.
Just as in any HAZOP, the team is there to look for hazards and to identify recommendations to reduce or eliminate the hazards.
CHAZOP Safeguard Types and Considerations
Safeguarding
Safeguards may include:
Controller (BPCS/DCS) alarms and interlocks with operator action
Environmental alarms, HVAC alarms
Network communication BPCS/DCS alarms and interlocks
Safety Instrumented System (SIS) interlocks
Interlock switches
Mechanical stops, physical barriers
Alarms and operator intervention/executive action
It is common to rely more on operator intervention as a safeguard than in a typical process HAZOP. This is because the operator is usually present or nearby when operating the process control system and is able to respond readily. A reasonable allowance can be made for operator intervention if close involvement with the control system allows immediate detection and correction of the deviation, for example through the use of diagnostics. (Also, independent emergency shutdown.)
Credit for operator intervention presupposes that the deviation is detected and announced and that the operator has the time and means to act; a frozen or lost operator interface removes that safeguard, so the same scenario should be checked with the interface unavailable.
Recommendations
Examples of recommendations:
Adding an HVAC alarm; control room environmental alarms
Adding network communication diagnostic BPCS/DCS alarms
Rewording a step in the transition mode step sequence for clarity
Rearranging the order of a step or steps in a defined operating mode sequence (i.e. startup, shutdown, etc.)
Deletion of a step to transition from one operating mode to another
Addition of a step to transition from one operating mode to another
Division and reorganization of the transition sequence states
Addition of a safety related instrumented safeguard: diagnostic alarm and operator action, or shutdown interlock
Adding redundancy of communication cables and/or equipment
Adding an additional process operator interface for critical DCS alarms
CHAZOP Session Approach: Conducting a CHAZOP
Section identification: definition, selection, assignment, grouping
Sections of a control/computer system can be defined by considering where information from process parameters (pressure, temperature, flow, etc.) is gathered and manipulated and has a direct influence on process equipment with a specific, identified and defined design intent. Sections should be assigned on a functional basis to reflect a specific intent.
The design intent defines how the process section (node) is expected to function, run, work, operate, behave or act in the absence of deviations. Deviations apply to specific sections of a control/computer system.
Deviations from the design intent or operating conditions can be identified by applying guide words to data transfer, equipment operating conditions, etc.
Sections contain control/computer components (Ethernet switches, cables, controllers, etc.) that cause change in the process. Network line sections have interconnected equipment that can cause a significant change in the process if it is not working as intended or is defective.
Section identification: definition, selection, assignment, grouping
A section represents a part of a computer/control system in which process conditions are affected and matter undergoes change. For example, a BPCS controller can be a section because a pump can be turned on and the liquid pressure increased, or on a reactor the temperature can be increased and the chemical composition of the substance in the reactor changes. In practice, a single section will frequently involve more than one process change. For example, the BPCS controller CHAZOP section for a chemical reactor will act on changes to pressure, temperature and volume.
The decision as to how big a section may be will depend on the consequence of the hazardous event being studied.
Guidelines and Factors to Consider during Control System Sectioning
Factors to consider
Purpose or specific function of the process section or node (e.g. a BPCS)
Functional design intent of the computer/control system section
Material volume, amount or quantity influenced by the computer/control system section
Material physical state in the section: gas, liquid, solid, two phase, etc.
Computer/control system interface or connecting points
Study objectives and purpose
Guidelines
Define each major computer/control system component as a section
Define one communication network section between major computer/control system components and equipment
Define additional sub-network sections for each data information flow path, split, bifurcation, etc.
General Approach for Conducting a CHAZOP
Begin by defining the scope of the computer/control system in block flow diagram format, depicting the main functional components with their data transfer paths identified (communication networks, equipment location and environment, operator interfaces, human errors, equipment failure, external common failures: electric power, air, utilities).
The data transfer paths identified will include the interfaces to the plant sensors and actuators and to the operators.
The operational network interconnection diagram then represents the design, as the equivalent of the P&ID.
For each diagram the parts or sections (nodes) for study will be identified, and deviations from the design intent, based on guide words, will be applied.
Conducting a CHAZOP
Choose a section, such as the proposed architecture of the control/computer system, and explain and describe its purpose, intended design and function:
Include the types of process control, basic functions and considerations with respect to redundancy and diversity, including network elements, cable types, etc.
Review the expected performance when:
a) One or several control subsystems fail (e.g. PLC, DCS, network)
b) Site power fails or other utilities fail
Then, for each component identified, apply the appropriate deviations.
For every identified cause or initiating event, ask the following:
1) Does a computer/controller in the system know?
2) What does the computer/controller do?
3) Does it announce, show, alarm or indicate that the event happened?
4) What can/does the operator do, or the control system do?
Examples
Workshop Example #1
Additional information
Control Room and Server Rack Room have dual HVAC, dual dust filters, single humidistat, single thermostat.
Buildings A, B and C have single HVAC, single dust filters, single humidistat, single thermostat.
Plant outage: $5000K per day.
Analyze the nodes, developing deviations, causes and consequences
Assign the severity and likelihood for each scenario to establish the risk ranking, using the provided risk matrix
Develop safeguards or IPLs for the respective causes to reduce the risk level
Workshop Example #2
Additional information
Control Room and Rack Room have dual HVAC, dual sulphur scrubbers, single humidistat, single thermostat.
Sulphur, Gas and Utilities buildings have single HVAC, single sulphur scrubber, single humidistat, single thermostat.
Utilities building PLCs/controllers are older generation controllers/PLCs or third party controllers (other vendors).
Plant outage: $1000K per day.
Analyze the nodes, developing deviations, causes and consequences
Assign the severity and likelihood for each scenario to establish the risk ranking, using the provided risk matrix
Develop safeguards or IPLs for the respective causes to reduce the risk level
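Both workshop exercises ask the team to take the environmental-control node of each building, develop deviations, rank them with a risk matrix and propose safeguards. The Python helper below is an added example written for this page, not part of the ACM workshop material, and the "provided risk matrix" is not on the slides, so the 5x5 matrix, the likelihood steps, the severity bands on outage cost and the outage duration per node are all assumptions. The node data is taken from the "Additional Information" of Examples #1 and #2; the `alarmed` flag stands in for question 3 of "Conducting a CHAZOP" (does the system announce the event?), and `add_safeguard` applies the two recommendations from the Recommendations slide (redundancy, diagnostic alarm) so the risk rank can be recomputed.

```python
"""Added CHAZOP worksheet helper for Workshop Examples #1 and #2.

Example code for this page, not workshop or client material. Assumptions
(not on the slides): the 5x5 risk matrix, the likelihood steps, the severity
bands on lost production, and the outage duration assigned to each node.
"""
from dataclasses import dataclass, replace

# Assumed risk matrix: RISK_MATRIX[likelihood-1][severity-1]; L/M/H = low/medium/high.
RISK_MATRIX = (
    ("L", "L", "L", "M", "M"),
    ("L", "L", "M", "M", "H"),
    ("L", "M", "M", "H", "H"),
    ("M", "M", "H", "H", "H"),
    ("M", "H", "H", "H", "H"),
)


@dataclass(frozen=True)
class Component:
    name: str
    units: int             # installed units; 1 = single point of failure
    alarmed: bool = False  # failure announced to the operator ("does it alarm?")


@dataclass(frozen=True)
class Node:
    name: str
    components: tuple
    outage_days: float     # assumed plant outage if the node's environment is lost


def single_points_of_failure(node):
    """Components whose loss alone defeats the node's design intent."""
    return [c.name for c in node.components if c.units == 1]


def likelihood(component):
    """Assumed 1..5 scale: a single unalarmed unit scores 4;
    redundancy drops two steps, a diagnostic alarm drops one."""
    score = 4
    if component.units > 1:
        score -= 2
    if component.alarmed:
        score -= 1
    return max(score, 1)


def severity(outage_cost_k_per_day, outage_days):
    """Assumed 1..5 bands on lost production in $K."""
    loss_k = outage_cost_k_per_day * outage_days
    for band, upper in enumerate((100, 1_000, 5_000, 20_000), start=1):
        if loss_k < upper:
            return band
    return 5


def risk_rank(lik, sev):
    return RISK_MATRIX[lik - 1][sev - 1]


def worksheet(node, outage_cost_k_per_day, guideword="No"):
    """One row per component for the guideword, e.g. 'No thermostat function':
    HVAC runs uncontrolled, rack room leaves its temperature envelope."""
    sev = severity(outage_cost_k_per_day, node.outage_days)
    rows = []
    for c in node.components:
        lik = likelihood(c)
        rows.append({
            "node": node.name,
            "deviation": f"{guideword} {c.name} function",
            "cause": f"{c.name} failure ({c.units} unit(s), alarmed={c.alarmed})",
            "consequence": "loss of environmental control, controller/rack trip, plant outage",
            "likelihood": lik, "severity": sev, "risk": risk_rank(lik, sev),
        })
    return rows


def add_safeguard(component, redundant=False, alarm=False):
    """Component with the recommended safeguard applied (redundant unit, diagnostic alarm)."""
    return replace(component,
                   units=max(component.units, 2) if redundant else component.units,
                   alarmed=component.alarmed or alarm)


# Workshop Example #1 data (outage_days assumed). Plant outage $5000K/day.
EXAMPLE_1_RACK_ROOM = Node("Control Room / Server Rack Room", (
    Component("HVAC", 2), Component("dust filter", 2),
    Component("humidistat", 1), Component("thermostat", 1)), outage_days=1)
EXAMPLE_1_BUILDING_A = Node("Building A", (
    Component("HVAC", 1), Component("dust filter", 1),
    Component("humidistat", 1), Component("thermostat", 1)), outage_days=0.5)

# Workshop Example #2 data (outage_days assumed). Plant outage $1000K/day.
EXAMPLE_2_UTILITIES = Node("Utilities building", (
    Component("HVAC", 1), Component("sulphur scrubber", 1),
    Component("humidistat", 1), Component("thermostat", 1)), outage_days=2)


if __name__ == "__main__":
    for node, cost in ((EXAMPLE_1_RACK_ROOM, 5000), (EXAMPLE_1_BUILDING_A, 5000),
                       (EXAMPLE_2_UTILITIES, 1000)):
        print(node.name, "single points of failure:", single_points_of_failure(node))
        for row in worksheet(node, cost):
            print(f"  {row['deviation']:<28} L{row['likelihood']} S{row['severity']} {row['risk']}")
    # Recommendation for Example #1: redundant, alarmed thermostat in the rack room.
    hardened = add_safeguard(Component("thermostat", 1), redundant=True, alarm=True)
    print("rack room thermostat after safeguard:", risk_rank(likelihood(hardened), severity(5000, 1)))
```

The point the helper makes visible is the one the exercises are built around: dual HVAC buys nothing against a single thermostat or humidistat, because the control element is the single point of failure for both HVAC units, and with the assumed matrix that deviation ranks High in the rack room even though the HVAC itself ranks Medium. Swapping the component tuples for the Sulphur and Gas buildings, or changing the assumed outage days, is all that is needed to run the rest of the workshop nodes; the matrix and bands should be replaced with the client's own before any rank is recorded.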