10. Hazard & Risk Reliable System Design 2011 by: Amir M. Rahmani.


Transcript of 10. Hazard & Risk Reliable System Design 2011 by: Amir M. Rahmani.

Page 1

10. Hazard & Risk

Reliable System Design 2011, by: Amir M. Rahmani

Page 2

Hazard analysis

Safety is a property of a system: that it will not endanger human life or the environment.

Probably the most important mechanism for improving the safety of a system is to identify the ways in which it can cause harm, i.e., its hazards.

A hazard is a system state that could lead to:
• Loss of life
• Loss of property
• Release of energy
• Release of dangerous materials

Hazards are the states we have to avoid.

Page 3

Hazard & Risk

(1) A hazard is a situation in which there is actual or potential danger to people or to the environment.

(2) A hazard is a state or set of conditions of a system that, together with other conditions in the environment of the system, will lead unavoidably to an accident.

Characteristic of a hazard: risk. Risk is a combination of the severity and the probability of hazard occurrence.

Page 4

Hazard & Accident

An accident (incident) is an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss.

A hazard represents a potential for an accident to occur. An elevator shaft with a door stuck open is a hazard, i.e. a hazardous state. It is not necessarily the case that an accident will result. For an accident to occur, an environmental circumstance must arise: a blind person walks through the open door, unaware of the state.

For each activity it is wise to consider the hazards associated with the activity and the risks associated with those hazards.

Page 5

Further definitions - Risk

Risk Management
• The identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.

Risk Assessment
• The determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized hazard.

Risk Analysis
• The process of evaluating the frequency (or probability) of hazardous events.

Page 6

Further definitions - Risk

Tolerable Risk
• A risk that is allowed to exist so that certain benefits can be gained, there being a level of confidence that the risk is under control.

Intolerable Risk
• A risk that cannot be justified except in extraordinary circumstances.

Negligible Risk
• A risk that is so small and insignificant that it can be ignored as long as existing precautions remain in place.

Page 7

Risk analysis

Risk analysis predicts the probability and severity of accidents.

Example: In a country with a population of 10,000,000, approximately 5000 people are killed in traffic accidents each year. On average each person spends 500 hours per year in situations where they are exposed to the risk of traffic accidents. What is the risk of being killed in a traffic accident?

(5000 / 10^7) / 500 = 10^-6 deaths/hour

Page 8

An Overview of Accidents

Taken from a publication called Out of Control from the UK Health and Safety Executive.

A set of 34 accidents, all involving control systems, was analysed.

All systems possessed one or more input devices, a controller, plus one or more output devices.

Page 9

Analysis discovered the following distribution of causes across lifecycle phases:

• Specification: 44.1%
• Design and Implementation: 14.7%
• Installation and Commissioning: 5.9%
• Changes after Commissioning: 20.6%
• Operation and Maintenance: 14.7%

Page 10

Lessons Learned

A number of "good engineering practices" are being ignored.

Hazard analysis in the specification phase often does not occur; this is a major source of failure.

Maintenance policy is often not considered at the specification stage, thus making it difficult, for example, for components to be safely isolated and maintained.

"No single failure should cause a dangerous failure of the overall system" needs to become a more widely respected principle.

Page 11

Hazard identification

Hazard identification is the systematic determination of a system's hazards. It is a complex and sophisticated process.

Once identified, the set of hazards defines a set of system states that we need to avoid. How could the system enter one of the hazardous states? Is it possible to avoid the hazards?

Page 12

Hazard analysis

Hazard analysis involves:

• Identifying the hazards that exist within a system.

• Determining the chain of events that could potentially lead to each hazard.

• Determining the consequences resulting from an occurrence of the hazard.

• Investigating any safeguards already in place to address the hazards.

Page 13

Preliminary Hazard Analysis

PHA: a distinct phase of the Overall Safety Lifecycle, carried out at the requirements stage.

The purpose of PHA is:
• To identify safety-critical areas of the system
• To evaluate/identify major hazards (which must be controlled or eliminated by redesign)

PHA should be carried out for ALL systems and subsystems.

Page 14

Preliminary Hazard Analysis

• A brief description of the system and its environment
• An overview of the system's function and its safety features
• The safety objectives of the system
• Justification of the risk and integrity level assignments
• Target failure rates and safety levels
• Sources of any data used within the analysis
• A bibliography of all documents used

Page 15

PHA Main Steps

1. PHA prerequisites
2. Hazard identification
3. Consequence and frequency estimation
4. Risk ranking and follow-up actions

Page 16

1- PHA prerequisites

1. Establish the PHA team
2. Define and describe the system to be analyzed:
   • (a) System boundaries (which parts should be included and which should not)
   • (b) System description, including layout drawings, process flow diagrams, block diagrams, and so on
   • (c) Use and storage of energy and hazardous materials in the system
   • (d) Operational and environmental conditions to be considered
   • (e) Systems for detection and control of hazards and accidental events, emergency systems, and mitigation actions
3. Collect risk information from previous and similar systems (e.g., from accident databases)

Page 17

PHA - System breakdown

To be able to identify all hazards and events, it is often necessary to split the system into manageable parts, for example into three categories:
• System parts (e.g., process units)
• Activities
• Exposed to risk (who or what is exposed?)

Page 18

2- Hazard identification

All hazards and possible accidental events must be identified. It is important to consider all parts of the system, operational modes, maintenance operations, safety systems, and so on. All findings shall be recorded. No hazard is too insignificant to be recorded. Murphy's law must be borne in mind: "If something can go wrong, sooner or later it will".

Page 19

Hazard checklist

To get a complete survey of all possible hazards it may be beneficial to use a hazard checklist. An example of a checklist (mainly from the standard EN 1050) is given:

• Mechanical hazards
• Electrical hazards
  • Ex: Approach to live parts under high voltage
• Thermal hazards
  • Ex: Damage to health by a hot or cold working environment
• Thermodynamic hazards
• Hazards generated by noise
  • Ex: Interference with speech communication, acoustic signals, etc.
• Hazards generated by vibration
• Hazards generated by radiation
• Hazards generated by materials/substances
• Fire or explosion hazard

Page 20

3- Frequency and consequence estimation

The risk related to an accidental event is a function of the frequency of the event and the severity of its potential consequences.

To determine the risk, we have to estimate the frequency and the severity of each accidental event.

Page 21

4- Risk ranking and follow-up actions

The risk is established as a combination of the frequency of a given event/consequence and the severity of the same event/consequence. This enables a ranking of the events/consequences in a risk matrix.

[Figure: risk matrix]

Page 22

PHA Result

The results of the PHA are usually reported using a PHA worksheet (or a computer program).

[Figure: PHA worksheet]

Some analyses may require other columns, but these are the most common.
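PHA steps 3 and 4 (frequency/severity estimation, then ranking in a risk matrix) and the resulting worksheet rows, as an added example that is not part of the lecture. The frequency thresholds, the matrix cells and the sample hazards (the first is the slides' elevator example) are constructed for illustration; a real PHA takes them from the project's own risk acceptance criteria.

```python
"""PHA risk ranking (steps 3 and 4) producing worksheet rows.

Added example, not from the lecture. Frequency thresholds, risk matrix
cells and sample hazards are constructed for illustration.
"""
from dataclasses import dataclass

# Frequency classes as (upper bound in events per year, class name).
FREQUENCY_CLASSES = [(1e-6, "Improbable"), (1e-4, "Remote"),
                     (1e-2, "Occasional"), (1.0, "Probable"),
                     (float("inf"), "Frequent")]
SEVERITY_CLASSES = ["Negligible", "Marginal", "Critical", "Catastrophic"]

# Risk matrix: rows follow FREQUENCY_CLASSES, columns SEVERITY_CLASSES.
# N = negligible, T = tolerable, I = intolerable risk (the lecture's terms).
RISK_MATRIX = [["N", "N", "N", "T"],   # Improbable
               ["N", "N", "T", "T"],   # Remote
               ["N", "T", "T", "I"],   # Occasional
               ["T", "T", "I", "I"],   # Probable
               ["T", "I", "I", "I"]]   # Frequent
RISK_ORDER = {"I": 3, "T": 2, "N": 1}

@dataclass
class Hazard:
    ident: str
    event: str
    frequency_per_year: float
    severity: str           # one of SEVERITY_CLASSES
    safeguards: str = ""    # safeguards already in place

def frequency_class(freq):
    """Map an estimated frequency to its class (step 3)."""
    return next(name for upper, name in FREQUENCY_CLASSES if freq < upper)

def risk_level(hazard):
    """Look up the matrix cell for the hazard's frequency and severity."""
    names = [n for _, n in FREQUENCY_CLASSES]
    row = names.index(frequency_class(hazard.frequency_per_year))
    return RISK_MATRIX[row][SEVERITY_CLASSES.index(hazard.severity)]

def rank_worksheet(hazards):
    """Worksheet rows sorted with intolerable risks first (step 4)."""
    rows = [(h.ident, h.event, frequency_class(h.frequency_per_year),
             h.severity, risk_level(h), h.safeguards) for h in hazards]
    return sorted(rows, key=lambda r: RISK_ORDER[r[4]], reverse=True)

# Constructed sample hazards; H1 is the lecture's elevator example.
SAMPLE_HAZARDS = [
    Hazard("H1", "Elevator door stuck open, shaft exposed", 1e-3, "Catastrophic", "door interlock"),
    Hazard("H2", "Contact with hot surface", 0.5, "Marginal", "guard, warning sign"),
    Hazard("H3", "Acoustic alarm masked by noise", 2e-5, "Critical", "visual alarm"),
    Hazard("H4", "Minor vibration exposure", 1e-7, "Negligible"),
]
```

Running `rank_worksheet(SAMPLE_HAZARDS)` places H1 (occasional, catastrophic: intolerable) first and H4 (negligible) last, which is the follow-up order a PHA team would work through.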

Page 23

PHA - Advantages and Disadvantages

Positive
• Helps ensure that the system is safe
• Modifications are less expensive and easier to implement in the earlier stages of design
• Decreases design time by reducing the number of surprises

Negative
• Hazards must be foreseen by the analysts
• The effects of interactions between hazards are not easily recognized

Page 24

Approaches to Hazard Analysis

• Hazard and Operability Studies (HAZOP)
• Event Tree Analysis (ETA)
• Fault Tree Analysis (FTA)
• Failure Modes and Effects Analysis (FMEA)
• Failure Modes, Effects and Criticality Analysis (FMECA)
• Cause Consequence Analysis (CCA)

Page 25

Hazard and Operability Studies (HAZOP)

HAZOP is a technique (almost like brainstorming) whereby a group of well-informed people aim to identify all the ways in which hazards may appear in a system.

Its purpose is to:
• Establish hazardous failure modes, and
• Obtain a measure of their effect by a systematic examination of the system and its components.

Page 26

Notes on HAZOP

HAZOP is applicable at all stages of the system lifecycle, although it is of limited use until a relatively detailed description of the system has been developed.

Typically the selected members of the HAZOP team will have had previous experience of such systems and complement one another (they come from different backgrounds), so that the benefits of the team approach are obvious.

Page 27

Event Tree Analysis

Why: to investigate how a certain event can potentially affect the system.

How: by forward search. For each event consider success and failure execution (two branches in the tree). Draw the tree until the system effect becomes evident.

Information analyzed: the initial event (usually known from previous experience), the system structure, the effect of success and failure of each event, and the hazardous or caring effect on the system.

Page 28

Example of Event Tree (1)

[Figure: event tree example]

Page 29

Example of Event Tree (2)

[Figure: event tree example, continued]

Page 30

Event Tree - Application

• Risk analysis of technological systems
• Identification of improvements in protection systems and other safety functions

Page 31

Event Tree - Advantages and Disadvantages

Positive
• Visualizes event chains following an accidental event
• Visualizes barriers and their sequence of activation
• Good basis for evaluating the need for new / improved procedures and safety functions

Negative
• No standard for the graphical representation of the event tree
• Only one initiating event can be studied in each analysis
• Easy to overlook subtle system dependencies
• Not well suited for handling common cause failures in the quantitative analyses
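The forward search described on pages 27 to 31, as an added example that is not part of the lecture (its own event-tree diagrams are not reproduced in this transcript). The initiating event, the three barriers and all probabilities are constructed; barriers are assumed independent, which is exactly the common-cause weakness the slide lists.

```python
"""Event tree analysis by forward search (added example, not from the lecture).

Initiating event, barriers and probabilities are constructed. Barriers
are treated as independent, so common-cause failures are not modelled.
"""

# Barriers in order of activation after the initiating event, each with
# its probability of failing on demand (constructed values).
BARRIERS = [("Gas detector raises alarm", 0.05),
            ("Automatic shutdown valve closes", 0.02),
            ("Operator manual shutdown", 0.20)]
INITIATING_EVENT = ("Gas leak", 0.1)   # (name, frequency per year)

def build_event_tree(initiating_frequency, barriers):
    """Forward search from the initiating event.

    At each barrier the tree branches into success and failure. A branch
    stops as soon as the system effect is evident: a barrier success ends
    the sequence as controlled, and failure of the last barrier is the
    accident. Returns a list of (path, frequency per year, consequence).
    """
    sequences = []

    def walk(index, path, freq):
        if index == len(barriers):          # every barrier failed
            sequences.append((path, freq, "Uncontrolled release (accident)"))
            return
        name, p_fail = barriers[index]
        # failure branch: continue to the next barrier
        walk(index + 1, path + [(name, "fail")], freq * p_fail)
        # success branch: effect evident, stop here
        sequences.append((path + [(name, "success")], freq * (1 - p_fail),
                          f"Controlled by: {name}"))

    walk(0, [], initiating_frequency)
    return sequences

def accident_frequency(sequences):
    """Sum the frequencies of all sequences that end in the accident."""
    return sum(f for _, f, c in sequences if c.endswith("(accident)"))

def print_tree(sequences):
    for path, freq, consequence in sequences:
        steps = " -> ".join(f"{n}:{r}" for n, r in path)
        print(f"{freq:.2e}/yr  {steps}  => {consequence}")
```

Because only the initiating event's frequency is split across the branches, the sequence frequencies always sum back to it; rerunning with `BARRIERS[:2]` shows how much the third barrier lowers the accident frequency, which is the "need for new / improved safety functions" evaluation the slide mentions.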

Page 32

Fault Tree Analysis

A fault tree is a logical diagram that displays the interrelationships between a potential critical event (accident) in a system and the reasons for this event.

By constructing a fault tree you analyze how a system can fail, and the analysis also gives you insight into how the components contribute to the system reliability. With its intuitive graphical user interface, the program lets you create fault trees in a flash.

Page 33

Fault Tree Analysis

Systematic elaboration of the events that might lead to a hazard. The tree contains compound events and basic events; compound events are defined as logical expressions using AND, OR and other operators.

Provides:
• A systematic way to document informal analysis
• Permits analysts to review and revise the analysis over time

Probabilities can be assigned to specific events and computed for compound events, so sophisticated dependability analysis is possible. It is an extensive, elaborate, established technique.

Provides:
• A mechanism for showing that the design will meet dependability requirements

Page 34

Fault Tree Events

Primary events:
• Basic event: fault in an atomic component
• Undeveloped event: fault in a composite component (may be analyzed later, or information is unavailable)
• External event: expected event from the environment

Intermediate event: nodes inside a fault tree

Fault Tree - Gates

[Figure: fault tree event and gate symbols]

Page 35

Example - "Wake too late"

Top event: Wake too late
Contributing events: Alarm clock fails; Phone fails; "Inner clock" fails

[Figure: fault tree]

Page 36

Example - "Alarm clock fails"

Top event: Alarm clock fails
Events in the tree: Beeper fails; Button fails; electronics fail; SW fails; Power fails; Button read fails; Beeper not set

[Figure: fault tree]
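Pages 33 to 36 describe compound events as AND/OR expressions over basic events and the computation of their probabilities; the following is an added example, not code from the lecture, that evaluates the "Wake too late" tree. The slides list the events but not the gates, so the gate types (all three wake-up mechanisms must fail: AND; an alarm clock fails if any part fails: OR), the grouping of "Button read fails"/"Beeper not set" under "Button fails" and of "SW fails"/"Power fails" under "electronics fail", and every probability are assumptions.

```python
"""Fault tree evaluation for the lecture's "Wake too late" example.

Added example, not from the lecture. Gate types, the grouping of the
lower-level events and all probabilities are assumptions.
"""
from itertools import product
from math import prod

# A node is ("basic", name, probability) or ("and"/"or", name, [children]).
def basic(name, p):
    return ("basic", name, p)

def gate(kind, name, children):
    return (kind, name, children)

WAKE_TOO_LATE = gate("and", "Wake too late", [
    gate("or", "Alarm clock fails", [
        basic("Beeper fails", 0.01),
        gate("or", "Button fails", [basic("Button read fails", 0.005),
                                    basic("Beeper not set", 0.05)]),
        gate("or", "electronics fail", [basic("SW fails", 0.002),
                                        basic("Power fails", 0.01)]),
    ]),
    basic("Phone fails", 0.05),
    basic('"Inner clock" fails', 0.3),
])

def probability(node):
    """Probability of the node's event, assuming independent basic events:
    AND = product of child probabilities, OR = 1 - product of (1 - p)."""
    kind, _, payload = node
    if kind == "basic":
        return payload
    ps = [probability(c) for c in payload]
    return prod(ps) if kind == "and" else 1 - prod(1 - p for p in ps)

def minimal_cut_sets(node):
    """Smallest sets of basic events whose joint occurrence causes the
    node's event: OR collects the children's sets, AND combines them."""
    kind, name, payload = node
    if kind == "basic":
        return [frozenset([name])]
    child_sets = [minimal_cut_sets(c) for c in payload]
    if kind == "or":
        sets = [s for cs in child_sets for s in cs]
    else:
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    # drop any set that strictly contains another (it is not minimal)
    return [s for s in sets if not any(o < s for o in sets)]
```

With the assumed numbers the alarm clock fails with probability about 0.0754, and the top event (all three mechanisms failing) about 0.00113; each of the five minimal cut sets pairs one alarm-clock fault with the phone and inner-clock faults, which is what "no single failure should cause a dangerous failure" looks like when it holds.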