HAZOP: Hazard and Operability Study

Jerzy.Nawrocki@put.poznan.pl
www.cs.put.poznan.pl/jnawrocki/models/
Models and Analysis of Software
Lecture 11
Copyright, 2003 Jerzy R. Nawrocki
Agenda
Introduction
Keywords
Methodology
UML-HAZOP
Introduction
HAZOP: HAZard and OPerability study; originated at ICI Chemicals, UK, in the 1970s.
Aim: identifying potential hazards and operability problems
caused by deviations from the design intent of both new and
existing process plants [Lihou03].
Systems it applies to, existing and new: a heating installation, a radiation
therapy machine (electron accelerator), a railway crossing, an aircraft
control system.
Design intent vs. deviation:
Heating installation: intended up to 50 °C; deviation 90 °C. Ouch!
Radiation therapy machine (electron accelerator): intended ~200 rad;
deviation 15 000 rad, the Therac-25 accident [Leveson93].
Hazard = a set of conditions that can lead to an accident [Leveson91].
HAZOP is performed by a team of multidisciplinary experts
in a structured brainstorming process.
Introduction
Starting from the process description, the team asks:
How can deviations from the design intent arise?
Can they impact safety and operability?
What actions are necessary?
Introduction
"... the great advantage of the technique is that it
encourages the team to consider less obvious ways
in which a deviation may occur (...) In this way the
study becomes much more than a mechanistic
check-list type of review." [Lihou03]
Keywords
Primary keywords: a particular aspect of the design intent
(a process condition or parameter).
Safety:      Flow, Temperature, Pressure, Level, Corrode, Absorb, Erode, ...
Operability: Isolate, Start-up, Shutdown, Maintain, Inspect, Drain, Purge, ...
Can corrosion be a design intent?
Keywords
Secondary keywords: possible deviations (problems). They tend to be a standard set:
No, Less, More, Reverse, Also, Other, Fluctuation, Early, Late.
No: The design intent is almost eliminated (blocked) or unachievable.
Examples: Flow/No, Isolate/No
Less: The value of the parameter described by the primary keyword is less than expected.
Examples: Flow/Less, Temperature/Less
More: The parameter value is greater than expected.
Examples: Temperature/More, Pressure/More
Reverse: The opposite direction of the design intent.
Example: Flow/Reverse
Also: The design intent (primary keyword) is achieved, but there is something extra.
Examples: Flow/Also = contamination; Level/Also = unexpected material in a tank
Other: The design intent occurs, but in a different way.
Examples: Composition/Other = unexpected proportions; Flow/Other = product flows where it is not expected
Fluctuation: The design intent is achieved only part of the time.
Examples: Flow/Fluctuation = sometimes flows, sometimes not; Temperature/Fluctuation = sometimes hot, sometimes cold
Early: The design intent appears too early.
Examples: Flow/Early = the product flows too early; Temperature/Early = the intended temperature (high or low) is reached too early
Late: Opposite to Early.
Example: Level/Late = the intended level in a tank is reached too late
Are all combinations of keywords meaningful?
Temperature/No ???
Corrode/Reverse ???
Methodology: Report format
Columns of the HAZOP worksheet, illustrated for the deviation Flow/No:
Deviation:   the primary/secondary keyword pair, e.g. Flow/No
Cause:       potential cause of the deviation
Consequence: consequences of the cause and of the deviation itself
Safeguards:  any existing devices that prevent the cause or make its consequences less painful
Action:      actions to remove the cause or mitigate the consequences
Methodology: The process
Select a section of the plant.
For each primary keyword relevant for the plant:
  For each relevant secondary keyword:
    For each discovered cause of the deviation:
      Think of significant consequences and record them;
      Record any safeguards identified;
      Think of any necessary actions and record them.
Each discovered cause becomes one row of the worksheet:
Deviation | Cause      | Consequence | Safeguards | Action
Flow/No   | Problem... | ...         | ...        | ...
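As an added example, not from the lecture, the following Python script mechanises the keyword section and the process above: it combines primary and secondary keywords into the deviations the team must consider (skipping combinations agreed to be meaningless, such as Temperature/No), records one worksheet row per discovered cause, counts the recommended actions that the report's Results section quotes, and lists the deviations of a section that still have no row. The plant section, the causes, safeguards and actions, and the set of "not meaningful" combinations are all constructed for illustration.

```python
"""Added example, not from the lecture: a small HAZOP worksheet tool.

It mechanises two things the slides describe: (1) the combination
Primary/Secondary keyword, with some combinations marked as not
meaningful, and (2) the nested loop section -> primary keyword ->
secondary keyword -> cause that yields one worksheet row per cause.
The plant section, causes, safeguards and actions are constructed.
"""
from dataclasses import dataclass, field
from itertools import product

# The standard secondary keyword set from the lecture.
SECONDARY = ("No", "Less", "More", "Reverse", "Also", "Other",
             "Fluctuation", "Early", "Late")

# Combinations the team has agreed are meaningless for a primary keyword.
# Assumption: answers the slide's "Temperature/No ???" and
# "Corrode/Reverse ???" with "not meaningful"; extend per study.
NOT_MEANINGFUL = {
    "Temperature": {"No"},
    "Corrode": {"Reverse"},
}


def is_meaningful(primary, secondary):
    """True if Primary/Secondary is a deviation the team must consider."""
    if secondary not in SECONDARY:
        raise ValueError(f"unknown secondary keyword {secondary!r}")
    return secondary not in NOT_MEANINGFUL.get(primary, set())


def deviations(primaries):
    """Every meaningful Primary/Secondary pair for the given primary keywords."""
    return [f"{p}/{s}" for p, s in product(primaries, SECONDARY)
            if is_meaningful(p, s)]


@dataclass
class Row:
    """One report line: Deviation | Cause | Consequence | Safeguards | Action."""
    section: str
    deviation: str
    cause: str
    consequence: str
    safeguards: str = ""
    action: str = ""


@dataclass
class Worksheet:
    rows: list = field(default_factory=list)

    def record(self, section, primary, secondary, cause, consequence,
               safeguards="", action=""):
        """Record one discovered cause for a deviation (one worksheet row)."""
        if not is_meaningful(primary, secondary):
            raise ValueError(f"{primary}/{secondary} was marked as not meaningful")
        self.rows.append(Row(section, f"{primary}/{secondary}", cause,
                             consequence, safeguards, action))

    def recommended_actions(self):
        """Rows carrying an action: the number the report's Results section quotes."""
        return [r for r in self.rows if r.action]

    def uncovered(self, section, primaries):
        """Deviations enumerated for a section that have no row yet: the
        check the chairman makes before closing the section."""
        done = {r.deviation for r in self.rows if r.section == section}
        return [d for d in deviations(primaries) if d not in done]


SECTION = "Heating installation: boiler loop"   # constructed example section
PRIMARIES = ("Flow", "Temperature")              # primaries relevant to it


def example_worksheet():
    """Constructed rows for the lecture's heating example (50 °C intended, 90 °C delivered)."""
    ws = Worksheet()
    ws.record(SECTION, "Temperature", "More",
              cause="Thermostat contact welds closed, heater never switches off",
              consequence="Water reaches 90 °C instead of the intended 50 °C; scald risk",
              safeguards="Over-temperature cut-out on the boiler",
              action="Add an independent thermal fuse; test the cut-out yearly")
    ws.record(SECTION, "Flow", "No",
              cause="Circulation pump stops (power loss or seized bearing)",
              consequence="Local overheating at the boiler, pressure build-up",
              safeguards="Pump-run indicator lamp",
              action="Interlock the heater with a flow switch")
    ws.record(SECTION, "Flow", "Reverse",
              cause="Pump reconnected with reversed direction after maintenance",
              consequence="Cold return water reaches the radiators (operability only)")
    return ws


if __name__ == "__main__":
    ws = example_worksheet()
    for r in ws.rows:
        print(f"{r.deviation:<18} {r.cause} -> {r.consequence}")
    print("recommended actions:", len(ws.recommended_actions()))
    print("still to consider:", ws.uncovered(SECTION, PRIMARIES))
```

Running the script prints the three recorded rows, reports 2 recommended actions, and lists the 14 Flow/... and Temperature/... deviations the team has not yet covered for the section; the `uncovered` list is what stops a study from quietly skipping a keyword pair, which is the discipline that distinguishes HAZOP from an unstructured brainstorm.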
The HAZOP team
Optimal: 6 people; maximum: 9 people.
Equal representation of customer and supplier.
Experts from a range of disciplines.
Team composition matters: questions raised during the meeting should
be answered immediately, so the people who can answer them must be present.
Chairman and secretary.
Preparatory work
1. Assemble the data
2. Understand the subject
3. Subdivide the plant and plan the sequence
4. Mark-up the drawings
5. Devise a list of appropriate keywords
6. Prepare table headings and an agenda
7. Prepare a timetable
8. Select the team
The report
Scope of the study
Brief description of the process under study
Keyword combinations and their meanings
Description of the Action File (contains Action
Response Sheets reporting on the actions
performed to reduce the risks; initially empty)
General comments (what was unavailable or
not reviewed, what the team was assured of)
Results (the number of recommended actions)
UML-HAZOP
J. Górski, A. Jarzębowicz
Technical University of Gdańsk
"Wykrywanie anomalii w modelach obiektowych za pomocą metody UML-HAZOP"
(Detecting anomalies in object-oriented models using the UML-HAZOP method),
IV KKIO, Best Paper Award.
Detecting Defects in Object-Oriented Diagrams Using UML-HAZOP,
FCDS, vol. 24, No. 4, 2002.
Strengths of UML-HAZOP
Defect detection in UML diagrams.
A structured review method for UML diagrams guided by keywords
(NO, MORE, LESS, ...).
An interesting checklist for UML diagrams.
Experimental evaluation shows that the method is quite efficient
(defects detected per unit of time).
Weaknesses of UML-HAZOP
Limited to class diagrams only.
Limited to two kinds of relationships in class diagrams,
Association and Generalization, from which 10 primary
keywords are derived.
In the presented experiments all the analysis was performed
by one reviewer, whilst HAZOP relies on multidisciplinary
teams. Recall [Lihou03]: "the great advantage of the technique is that it
encourages the team to consider less obvious ways in which a deviation
may occur (...) In this way the study becomes much more than a mechanistic
check-list type of review."
The method lacks analysis of the possible consequences of an
identified defect (anomaly).
Summary
HAZOP is a structured brainstorming method for risk analysis.
It can be applied in different contexts (e.g. UML-HAZOP).
It goes well with other analysis methods, e.g. fault tree analysis
(AND/OR trees of faults).
Used by: UK Ministry of Defence, Motorola, chemical companies, etc.
Bibliography
[Lihou03] Mike Lihou, Hazard & Operability Studies, Lihou Technical & Software Services,
www.lihoutech.com/hzp1frm.htm, accessed 3.06.2003. A very good introduction to HAZOP.
[Leveson91] N. Leveson, S. Cha, T. Shimeall, Safety verification of Ada programs using
software fault trees, IEEE Software, July 1991, 48-59. FTA templates for Ada programs.
[Leveson93] N. Leveson, C. Turner, An investigation of the Therac-25 Accidents,
Computer, July 1993, 18-41.
F. Redmill, M. Chudleigh, J. Catmur, System Safety: HAZOP and Software HAZOP,
John Wiley & Sons, 1999 (Amazon.com: $135!).

Quality assessment
1. What is your general impression? (1 - 6)
2. Was it too slow or too fast?
3. What important did you learn during the
lecture?
4. What to improve and how?
