
Models and Analysis of Software

Lecture 11

HAZOP: Hazard and Operability Study

Jerzy.Nawrocki@put.poznan.pl
www.cs.put.poznan.pl/jnawrocki/models/

Copyright, 2003  Jerzy R. Nawrocki


Agenda

Introduction
Keywords
Methodology
UML-HAZOP
Introduction

HAZOP: HAZard and OPerability study; ICI Chemicals, UK, ‘70
Aim: ‘identifying potential hazards and operability problems
caused by deviations from the design intent of both new and
existing process plants’ [Lihou03].

[Figure: examples of process plants, existing and new: a radiation
therapy machine (electron accelerator), a heating installation,
a railway crossing, an aircraft control system.]

[Figure: design intent versus deviation. Radiation therapy machine:
intended dose ~ 200 rad; in the Therac-25 accident [Leveson93] the
machine delivered 15 000 rad. Heating installation: intended up to
50 °C; deviation: 90 °C.]

Hazard = a set of conditions that can lead to an accident [Leveson91]

Performed by a team of multidisciplinary experts.
Structured brainstorming process.

Introduction

Input: the process description. The study asks:
How can deviations from the design intent arise?
Can they impact safety and operability?
What actions are necessary?

‘.. the great advantage of the technique is that it encourages the
team to consider less obvious ways in which a deviation may occur
(..) In this way the study becomes much more than a mechanistic
check-list type of review.’ [Lihou03]
Keywords

Primary keywords: a particular aspect of a design intent (a
process condition or parameter).

Safety:        Operability:
Flow           Isolate
Temperature    Start-up
Pressure       Shutdown
Level          Maintain
Corrode        Inspect
Absorb         Drain
Erode          Purge
...            ...

(Can corrosion be a design intent?)
Keywords

Secondary keywords: possible deviations (problems). They tend to be
a standard set: No, Less, More, Reverse, Also, Other, Fluctuation,
Early, Late.

No: The design intent is almost eliminated (blocked) or unachievable.
  Examples: Flow/No, Isolate/No
Less: Value of a parameter described by a primary keyword is less
  than expected.
  Examples: Flow/Less, Temperature/Less
More: The parameter value is greater than expected.
  Examples: Temperature/More, Pressure/More
Reverse: The opposite direction of the design intent.
  Example: Flow/Reverse
Also: The design intent (primary keyword) is OK, but there is
  something extra.
  Examples: Flow/Also = contamination;
  Level/Also = unexpected material in a tank
Other: The design intent occurs but in a different way.
  Examples: Composition/Other = unexpected proportions;
  Flow/Other = product flows where it is unexpected
Fluctuation: The design intent is achieved only part of the time.
  Examples: Flow/Fluctuation = sometimes flows, sometimes not;
  Temperature/Fluctuation = sometimes hot, sometimes cold
Early: The design intent appears too early.
  Examples: Flow/Early = the product flows too early;
  Temperature/Early = the intended temperature (high or low) is
  achieved too early
Late: Opposite to early.
  Example: Level/Late = the intended level in a tank is achieved
  too late

Are all combinations of keywords meaningful?
Temperature/No ???
Corrode/Reverse ???
Methodology – Report format

Columns of the HAZOP report table:
Deviation:    e.g. Flow/No
Cause:        potential cause of the deviation
Consequence:  consequences of the cause and of the deviation itself
Safeguards:   any existing devices that prevent the cause or make
              its consequences less painful
Action:       actions to remove the cause or mitigate the
              consequences
Methodology – The process

Select a section of the plant.
  For each primary keyword relevant for the plant:
    For each relevant secondary keyword:
      For each discovered cause for the deviation:
        Think of significant consequences and record them;
        Record any safeguards identified;
        Think of any necessary actions and record them;

Each innermost iteration fills one row of the report table
(e.g. Deviation: Flow/No, Cause: Problem...).
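The study loop above, together with the earlier question of which keyword combinations are meaningful, as an added Python example (not part of the lecture): the team's judgement is passed in as a predicate, and the heating-installation section, causes and findings are constructed sample data.

```python
# Added example, not from the lecture: runs the HAZOP loop from the
# slides (section -> primary -> secondary keyword -> cause) and builds
# the report rows plus the "number of recommended actions" result.
from dataclasses import dataclass

SECONDARY = ["No", "Less", "More", "Reverse", "Also", "Other",
             "Fluctuation", "Early", "Late"]

@dataclass
class Row:                 # one line of the HAZOP report table
    deviation: str
    cause: str
    consequence: str
    safeguards: str        # existing protection, "" if none identified
    action: str            # recommended action, "" if none needed

def study_section(primaries, meaningful, causes, findings):
    """Walk the HAZOP loop for one plant section and return its rows.
    primaries  - primary keywords relevant for the section
    meaningful - (primary, secondary) -> bool: the team's answer to
                 "is this keyword combination meaningful?"
    causes     - {"Flow/No": [cause, ...]} from the brainstorming
    findings   - {(deviation, cause): (consequence, safeguards, action)}
    """
    rows = []
    for p in primaries:
        for s in SECONDARY:
            if not meaningful(p, s):
                continue  # e.g. Temperature/No is not a real deviation
            dev = f"{p}/{s}"
            for cause in causes.get(dev, []):
                cons, safe, act = findings.get((dev, cause), ("", "", ""))
                if not safe and not act:
                    act = "TBD"  # never let an unprotected cause drop out
                rows.append(Row(dev, cause, cons, safe, act))
    return rows

def count_actions(rows):
    """Results figure for the report: recommended actions, TBD included."""
    return sum(1 for r in rows if r.action)

# Constructed sample data: one section of a heating installation.
def heating_meaningful(p, s):
    return (p, s) not in {("Temperature", "No"), ("Temperature", "Reverse")}

CAUSES = {"Flow/No": ["pump failure", "valve left closed"],
          "Temperature/More": ["thermostat stuck"]}
FINDINGS = {("Flow/No", "pump failure"): ("no heating", "standby pump", ""),
            ("Temperature/More", "thermostat stuck"):
                ("overheating to 90 C", "", "add independent cut-out")}
```

Calling `study_section(["Flow", "Temperature"], heating_meaningful, CAUSES, FINDINGS)` yields three rows; the cause with nothing recorded against it comes back with action "TBD", so the report's action count cannot quietly undercount it.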
The HAZOP team

Optimal: 6 people
Maximum: 9 people
Equal representation of customer and supplier
Experts from a range of disciplines
Team composition: questions raised during the meeting should be
answered immediately.
Chairman and secretary
Preparatory work

1. Assemble the data
2. Understand the subject
3. Subdivide the plant and plan the sequence
4. Mark-up the drawings
5. Devise a list of appropriate keywords
6. Prepare table headings and an agenda
7. Prepare a timetable
8. Select the team
The report

• Scope of the study
• Brief description of the process under study
• Keyword combinations and their meanings
• Description of the Action File (contains Action
Response Sheets reporting on the actions
performed to reduce the risks; initially empty)
• General comments (what was unavailable or
not reviewed, what the team was assured of)
• Results (the number of recommended actions)
UML-HAZOP

J. Górski, A. Jarzębowicz
Technical University of Gdańsk

Wykrywanie anomalii w modelach obiektowych za pomocą metody
UML-HAZOP (Detecting anomalies in object models with the
UML-HAZOP method), IV KKIO, Best Paper Award
Detecting Defects in Object-Oriented Diagrams Using UML-HAZOP,
FCDS, vol. 24, No. 4, 2002.
Strengths of UML-HAZOP

• UML
• Defect detection in UML diagrams
• A structured review method for UML
diagrams guided by keywords (NO, MORE,
LESS, ..)
• An interesting checklist for UML diagrams
• Experimental evaluation shows that the
method is quite efficient (defects detected
per unit of time)
Weaknesses of UML-HAZOP

Limited to class diagrams only.
Limited to two kinds of relationships in class diagrams,
Association and Generalization, from which 10 primary
keywords are derived.
In the presented experiments all the analysis was performed
by one reviewer, whilst HAZOP relies on multidisciplinary
teams.
The method lacks analysis of possible consequences of an
identified defect (anomaly).
Summary

• HAZOP is a structured brainstorming method for risk analysis.
• It can be applied in different contexts (e.g. UML-HAZOP).
• It goes well with other analysis methods, e.g. fault tree
analysis (AND/OR trees of faults).
• Used by: UK Ministry of Defence, Motorola, chemical companies,
etc.
Bibliography

• [Lihou03] Mike Lihou, Hazard & Operability Studies, Lihou
Technical & Software Services, www.lihoutech.com/hzp1frm.htm,
3.06.2003. A very good introduction to HAZOP.
• [Leveson91] N. Leveson, S. Cha, T. Shimeall, Safety verification
of Ada programs using software fault trees, IEEE Software,
July 1991, 48-59. FTA templates for Ada programs.
• [Leveson93] N. Leveson, C. Turner, An investigation of the
Therac-25 Accidents, Computer, July 1993, 18-41.
• F. Redmill, M. Chudleigh, J. Catmur, System Safety: HAZOP and
Software HAZOP, John Wiley & Sons, 1999 (Amazon.com: $135!).


Quality assessment

1. What is your general impression? (1 - 6)
2. Was it too slow or too fast?
3. What important things did you learn during the lecture?
4. What to improve and how?