1 Review on the Hazard Analysis Techniques
2004. 4. 4.
Seo Ryong Koo
Dept. of Nuclear and Quantum Engineering, KAIST
Lab. Seminar

2 Table of Contents
1. Hazard Analysis
2. Hazard Analysis Techniques
3. Tools for Safety Analysis
   1. SpecTRM
   2. Designsafe ®
4. Summary
5. Further Works
6. References

3 Hazard Analysis
What is it?
- Identifying all possible hazards potentially created by a product, process or application.
- Structured into various classes of hazard analysis and carried out throughout the software process.
- A risk analysis should be carried out and documented for each identified hazard.
Objectives:
- A tool for engineers and safety practitioners to identify possible hazards, provide an evaluation of the risks, and prompt alternative design solutions to mitigate or control the risks to an acceptable level.

4 Hazard Analysis
Considerations
- Many different types of hazard analysis have been proposed and are in use.
- One of the greatest problems in performing hazard analysis may be in selecting appropriate models and techniques that match the project's goals, tasks, and skills.
   Because the methods have different coverage and validity, several may be required during the life of the project.
- No one method is superior to all others for every objective, or even applicable to all types of systems.
- The techniques must be used carefully and combined with a large dose of engineering judgment and expertise.
 The various hazard analysis techniques therefore need to be reviewed for my research.

5 Hazard Analysis Techniques
- Checklists
- Hazard Indices
- Fault Tree Analysis (FTA)
- Event Tree Analysis (ETA)
- Cause-Consequence Analysis (CCA)
- Hazards and Operability Analysis (HAZOP)
- Failure Modes and Effects Analysis (FMEA)
- Failure Modes, Effects, and Criticality Analysis (FMECA)
- Fault Hazard Analysis (FHA)
- State Machine Hazard Analysis (SMHA)
- Task and Human Error Analysis

6 Hazard Analysis Techniques
Checklists
Basic Description
- Checklists are included as an analysis technique because they guide thinking.
- Many of the other analysis techniques incorporate some form of checklist in their procedures.
Life-Cycle Phase
- Checklists are commonly used in all life-cycle phases, and in fact are most useful when oriented toward a specific phase.
Evaluation
- Checklists are an excellent way to pass on lessons learned, especially for hazard identification.
- On the negative side, checklists may encourage users to rely on them too much and thus to overlook items not on the list.
Hazard Indices
Basic Description
- Hazard indices measure loss potential due to fire, explosion, and chemical reactivity hazards in the process industries. They can be useful in general hazard identification.
- The oldest and most widely used index was developed by the Dow Chemical Company: the Dow Chemical Company Fire and Explosion Index Hazard Classification Guide (Dow Index).
Evaluation
- The indices do NOT provide a complete picture and are useful primarily to supplement other hazard analysis methods.

7 Hazard Analysis Techniques
Fault Tree Analysis (FTA)
Basic Description
- FTA is widely used in the aerospace, electronics, and nuclear industries. It was originally developed in 1961 by H.A. Watson at Bell Labs.
- FTA is primarily a means for analyzing the causes of hazards, not for identifying hazards.
- FTA is a top-down search method.
   Top event
   Intermediate event (pseudo event)
   Basic event
- Four basic steps:
   1st: System identification
   2nd: Fault tree construction
   3rd: Qualitative analysis
   4th: Quantitative analysis

8 Hazard Analysis Techniques
Fault Tree Analysis (FTA) [cont'd]
Life-Cycle Phase
- FTA requires a completed system design and a thorough understanding of the system and its behavior in all operating modes.
Evaluation
- Although FTA was originally developed to calculate quantitative probabilities, it is more commonly used qualitatively.
- Fault trees can help the analyst identify scenarios leading to hazards and can suggest possibilities for hazard elimination or control even before any analysis is performed on the tree.
- Knowing the minimal cut sets for a particular fault tree can provide valuable insight into the potential weak points of a complex system.
Limitations
 The most useful fault trees can be constructed only after the product has been designed; they require detailed knowledge of the design, construction, and operation of the system.
 FTA shows cause-and-effect relationships but little more.
 Transitions between states are not represented in fault trees.

9 Hazard Analysis Techniques
Management Oversight and Risk Tree Analysis (MORT)
Basic Description
- MORT was developed by Johnson in the 1970s for the US NRC.
- MORT is a standard fault tree augmented by an analysis of managerial functions, human behavior, and environmental factors.
- The method uses an extensive checklist of 1,500 basic events or factors.
Evaluation
- The major advantage is its consideration of factors related to the organization, information system, management practices, and principles and goals of the enterprise.
- MORT is not used very often because of its complexity.

10 Hazard Analysis Techniques
Event Tree Analysis (ETA)
Basic Description
- Since FTA becomes very difficult to apply in complicated systems, the general decision tree formalism (called ETA) was adapted to break the problem up into smaller parts to which FTA could be applied.
- ETA uses forward search to identify the various possible outcomes of a given initiating event.
- The event tree is drawn from left to right, with the branches under each heading corresponding to two alternatives: (1) successful performance and (2) failure.
- The ordering of the headings on the event tree is important because the ordering represents the time sequence.

11 Hazard Analysis Techniques
Event Tree Analysis (ETA) [cont'd]
Life-Cycle Stage
- Like FTA, ETA is appropriate only after most of the design is complete.
Evaluation
- Event trees can be helpful in:
   Identifying the protection system features that contribute most to the probability of an accident
   Identifying top events for subsequent fault tree analysis
   Displaying various accident scenarios
- Event trees can become exceedingly complex, especially when a number of time-ordered system interactions are involved.
Comparisons
ETA
- Sequence of the system state
- Handles notions of continuity
- Forward search (does not include a detailed evaluation of the individual events)
FTA
- Snapshots of the system state
- Identifying and simplifying event scenarios
- Top-down search (loses the information about ordering)
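The forward search of slide 10 and the evaluation points of slide 11 (enumerating accident scenarios and finding the protection features that contribute most to the accident probability), worked as an added Python example that is not part of the original slides. The initiating event, the headings and every probability below are constructed illustrative values, and a heading can be marked as demanded only after an earlier heading fails, which is why the heading order (the time sequence) matters.

```python
"""Event tree analysis (ETA): forward search from an initiating event. Added
example, not from the slides; the initiating-event frequency, headings and
failure probabilities are constructed illustrative numbers, not real data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Heading:
    name: str
    p_fail: float
    # Demanded only if every listed earlier heading FAILED (a backup system).
    demanded_after_failure_of: tuple = ()

def enumerate_sequences(init_freq, headings):
    """Walk the headings left to right (time order), branching success/failure.
    Returns (outcomes, probability); outcome True=success, False=failure, None=not demanded."""
    sequences = [({}, init_freq)]
    for h in headings:
        expanded = []
        for outcomes, prob in sequences:
            demanded = all(outcomes.get(d) is False for d in h.demanded_after_failure_of)
            if not demanded:
                expanded.append(({**outcomes, h.name: None}, prob))
            else:
                expanded.append(({**outcomes, h.name: True}, prob * (1 - h.p_fail)))
                expanded.append(({**outcomes, h.name: False}, prob * h.p_fail))
        sequences = expanded
    return sequences

def accident_frequency(sequences, is_accident):
    """Sum the frequency of every sequence whose end state is an accident."""
    return sum(p for o, p in sequences if is_accident(o))

def feature_contributions(sequences, is_accident):
    """Share of the accident frequency in which each protection feature failed."""
    total = accident_frequency(sequences, is_accident)
    shares = {}
    for outcomes, prob in sequences:
        if is_accident(outcomes):
            for name in (n for n, ok in outcomes.items() if ok is False):
                shares[name] = shares.get(name, 0.0) + prob / total
    return dict(sorted(shares.items(), key=lambda kv: -kv[1]))

# Constructed scenario: loss of feedwater, 1e-2 per year; headings in time order.
INITIATOR_FREQ = 1e-2
HEADINGS = (
    Heading("reactor trip", 1e-4),
    Heading("auxiliary feedwater", 1e-3),
    Heading("bleed and feed", 1e-2, demanded_after_failure_of=("auxiliary feedwater",)),
)

def core_damage(outcomes):
    """End-state rule: no trip, or loss of both heat-removal paths."""
    return outcomes["reactor trip"] is False or (
        outcomes["auxiliary feedwater"] is False and outcomes["bleed and feed"] is False)
```

With these numbers the tree has six sequences; the reactor trip heading dominates the accident frequency, so that is the feature a subsequent fault tree analysis would take as its top event.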

12 Hazard Analysis Techniques
Cause-Consequence Analysis (CCA)
Basic Description
- CCA is a relatively new technique, developed by Nielsen in the 1970s, that combines both top-down search and forward search.
- CCA starts with a critical event and determines the causes of the event and the consequences that could result from it.
- In CCA, several cause charts may be attached to a consequence chart.
    FTA + ETA
Evaluation
- CCA has some of the advantages of both FTA and ETA.
- On the negative side, the diagrams can become hard to handle.

13 Hazard Analysis Techniques
Hazard and Operability Analysis (HAZOP)
Basic Description
- HAZOP was developed by Imperial Chemical Industries in England in the early 1960s. The technique focuses not only on safety but also on efficient operations.
- HAZOP is a qualitative technique whose purpose is to identify all possible deviations from the design's expected operation and all hazards associated with these deviations.
- HAZOP team:
   Composed of experts on different aspects of the system along with an independent team leader
   Will consider:
     - The design intention of the plant
     - The potential deviations from the design intention
     - The causes of these deviations from the design intention
     - The consequences of such deviations
- Guidewords are used in HAZOP. Questions are generated from the guidewords by the HAZOP team.

14 Hazard Analysis Techniques
Hazard and Operability Analysis (HAZOP) [cont'd]
Life-Cycle Phase
- Many companies conduct preliminary HAZOPs on conceptual flowcharts and preliminary layout diagrams. A full HAZOP is usually conducted later in the design process.
Evaluation
- HAZOP does not attempt to provide quantitative results, but instead systematizes a qualitative approach.
- HAZOP has the advantage over checklists of being applicable to new designs and design features and of not limiting consideration to previously identified hazards.
- HAZOP's success depends on the degree of cooperation between individuals, their experience and competence, and the commitment of the team as a whole.
Limitations
 The drawbacks of the technique are the time and effort required: it is labor-intensive.
 HAZOP relies very heavily on the judgment of the engineers performing the assessment.

15 Hazard Analysis Techniques
Interface Analyses
Basic Description
- Various analysis methods are used to evaluate connections and relationships between components, including incompatibilities and the possibilities for common-cause or common-mode failure.
 Interface analysis methods generally use structured walkthroughs to examine the interface between components and to determine whether a connection provides a path for failure propagation.
Evaluation
- Interface analyses are similar to HAZOP, but somewhat generalized, so they have the same benefits and limitations.

16 Hazard Analysis Techniques
Failure Modes and Effects Analysis (FMEA)
Basic Description
- FMEA is a form of reliability analysis that emphasizes successful functioning rather than hazards and risk.
- The goal is to establish the overall probability that the product will operate without a failure for a specific length of time.
- Like event trees, FMEAs use forward search based on an underlying chain-of-events model.
- The results are documented in a table with column headings such as component, failure probability, failure mode, percent failures by mode, and effect.

17 Hazard Analysis Techniques
Failure Modes and Effects Analysis (FMEA) [cont'd]
Life-Cycle Phase
- FMEAs are appropriate when a design has progressed to the point where hardware items can be easily identified on engineering drawings and functional diagrams.
Evaluation
- FMEA is effective for analyzing single units or single failures to enhance individual item integrity.
- The strength of the technique is its completeness, but that means it is also very time consuming and can become tedious and costly.
- All the significant failure modes must be known in advance, so FMEA is most appropriate for standard parts with few and well-known failure modes.
Failure Modes, Effects, and Criticality Analysis (FMECA)
- FMEA with a more detailed analysis of the criticality of each failure.
Fault Hazard Analysis (FHA)
- FMEA or FMECA extended to consider human error, procedural deficiencies, environmental conditions, and other events.

18 Hazard Analysis Techniques
State Machine Hazard Analysis (SMHA)
Basic Description
- A state machine is a model of the states of a system and the transitions between them.
- SMHA was first developed by Nancy Leveson to identify software-related hazards.
- SMHA can be used:
   To analyze a design for safety and fault tolerance
   To determine software safety requirements directly from the system design
   To identify safety-critical software functions
   To help in the design of failure detection and recovery procedures and fail-safe requirements

19 Hazard Analysis Techniques
State Machine Hazard Analysis (SMHA) [cont'd]
Life-Cycle Phase
- SMHA works on a model, not on the design itself. Therefore, it can theoretically be used at any stage of the life cycle.
- The procedure is most effective if performed before the detailed design of the system.
Evaluation
- SMHA's most important limitation is that a model must be built, which may be difficult and time consuming.
- A second limitation of SMHA is that the analysis is performed on a model, not on the system itself; it will apply to the as-built system only if the system matches the model.
- The SMHA analysis algorithms have been adapted for the RSML language and are being applied experimentally to real systems. Work is also proceeding on automatically generating fault trees and additional standard hazard analysis models from the RSML specification.
    SpecTRM tool by Safeware Engineering Co.

20 Tools for Safety Analysis: SpecTRM
Introduction
- SpecTRM (pronounced "spectrum" and standing for Specification Tools and Requirements Methodology) is a toolset to support the specification and development of safe systems and software.
- This system development environment supports assurance through inspections, formal validation tools, and simulation.
Key Benefits
- Finding errors early in development
    Fix with the lowest cost and impact on system design
- Tracing requirements and design rationale throughout system construction and documentation
    Safety constraints
- Building required system properties into the design from the beginning
- Building bridges between specialists
   System engineering
   Software engineering
   Safety engineering

21 Tools for Safety Analysis: SpecTRM
Features
- SpecTRM features Intent Specifications, a new way to structure system and requirements specifications that supports system, safety, and software engineering tasks.
- SpecTRM includes SpecTRM-RL, an executable requirements specification language. SpecTRM-RL is used in the construction of executable, analyzable models that are readable enough to act as the software specification as well.
- SpecTRM's user-friendly editor supports the development of system specifications. Tools for traceability linking and editing models make SpecTRM an environment for increasing productivity during specification development.
- Because SpecTRM-RL requirements specifications are also executable models, system behavior can be simulated directly from the requirements.
- The SpecTRM toolset and SpecTRM-RL modeling language support the construction of complete requirements specifications, including some automated analysis for common omissions and mistakes.

22 Tools for Safety Analysis: SpecTRM

23 Tools for Safety Analysis: designsafe ®
Background
- Design Safety Engineering, Inc. (dse, inc) has developed a fast, easy-to-use tool for engineers and safety professionals to incorporate safety through design by:
   identifying hazards
   prompting engineers to think about hazards which they otherwise might overlook
   conducting a risk assessment for identified hazards
   reducing risks in a structured method
   preventing accidents and reducing liability
What is designsafe ®?
- An assessment tool for improving product designs and processes
- A systematic method for conducting a task-based risk assessment
- A technique for eliminating and controlling hazards
- A tool to incorporate safety by design

24 Tools for Safety Analysis: designsafe ®
What does designsafe ® do?
- Gives designers a quick and easy tool to evaluate hazards and risks through design
- Helps companies identify potential hazards and provides methods for elimination
- Assists design engineers in completing a risk assessment for their products/processes
- Prevents accidents, reduces costs, improves productivity and reduces liability
- Prioritizes design activities related to risk
What are the benefits of designsafe ®?
- Helps the user recognize hazards that might otherwise be overlooked
- Helps prompt risk reduction actions for existing hazards
- Fast and easy
- Assists in obtaining the CE mark for European markets
- Can be updated continuously and printed out
- Minimizes assessment time
- Reduces costs
- Can be customized to your needs
- Easy method to document assessments
- Brainstorming tool to help identify hazards

25 Tools for Safety Analysis: designsafe ®

26 Summary
Hazard Analysis Techniques

Technique                    | Life-Cycle          | Method                       | Frequency in use | Characteristics
-----------------------------|---------------------|------------------------------|------------------|------------------------------------------------
Checklist or Hazard Indices  | All phases          | Qualitative                  | Widely           | Support other techniques
FTA                          | Detail design phase | Qualitative and Quantitative | Most widely      | Top-down search
MORT                         | Detail design phase | Qualitative and Quantitative | Not very often   | Similar to FTA; too complex
ETA                          | Detail design phase | Qualitative and Quantitative | Widely           | Forward search; time ordering
CCA                          | Detail design phase | Qualitative and Quantitative | Often            | FTA + ETA
HAZOP                        | Design phase        | Qualitative                  | Often            | Relies on the judgment of the team
FMEA                         | Design phase        | Quantitative                 | Often            | Forward search
SMHA                         | Any phase           | Qualitative                  | Not very often   | Model-based; identifies software-related hazards

27 Summary
Tools for Safety Analysis

Tool       | Company / Price                                  | Characteristics                          | Methods             | Ability of Safety Analysis
-----------|--------------------------------------------------|------------------------------------------|---------------------|---------------------------
SpecTRM    | Safeware Engineering Co. / about 10,000 $        | Intent specification; model simulation   | Formal modeling     | Weak
Designsafe | Design Safety Engineering, Inc. / about 2,000 $  | Identifying hazards; risk assessment     | Informal task-based | Strong

28 Further Works
Idea for safety analysis in NuFDS
- Fault Tree Synthesis
   The synthesis process consists of building the fault tree by matching the inputs and outputs of the mini-fault trees.
   The same type of analysis can be done using state-machine models in SMHA.
  # synthesis: the assembling of separate or subordinate parts into a new form. (From Webster)
- Synthesis using a fault tree template for the NuFDS specification
   Define the fault tree template for a software architecture block in NuFDS.
   Fault tree synthesis from NuFDS.
   Qualitative software safety analysis in view of the software architecture.
(Figure: Software Architecture Block; Fault Trees based on template; Synthesis)
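The synthesis idea above (mini-fault trees built from a per-block template, assembled by matching one block's output event to another block's input) together with the minimal cut set evaluation from the FTA slide, as an added Python example; this is not the NuFDS tool or code from the slides. The block templates, block names and event names are constructed for illustration, and the shared power bus input is included to show how synthesis exposes a common-cause weak point that no single block's mini-tree reveals on its own.

```python
"""Fault tree synthesis from block templates, then minimal cut sets.
Added example (not from the slides, not NuFDS code). A fault tree is a dict
mapping a gate name to (gate type, input event names); an input that is not
itself a gate is a basic event. Block and event names are constructed."""
from itertools import product

def sensor_block(name):
    """Template: output lost if the transducer fails or the shared power
    bus (a common-cause input shared by every block) is lost."""
    return {f"{name}.no_output": ("OR", [f"{name}.transducer_fault", "Power.bus_loss"])}

def trip_logic_block(name, channels):
    """Template: output lost if the CPU fails or every input channel is lost."""
    return {f"{name}.no_output": ("OR", [f"{name}.cpu_fault", f"{name}.inputs_lost"]),
            f"{name}.inputs_lost": ("AND", [f"{c}.no_output" for c in channels])}

def synthesize(*mini_trees):
    """Assemble mini trees: an input name equal to another mini tree's top
    (output) event becomes a developed gate, linking the two blocks."""
    merged = {}
    for tree in mini_trees:
        for gate, spec in tree.items():
            if gate in merged:
                raise ValueError(f"gate {gate} defined by two blocks")
            merged[gate] = spec
    return merged

def basic_events(tree):
    """Inputs no block develops further, i.e. the leaves of the merged tree."""
    return sorted({i for _, ins in tree.values() for i in ins if i not in tree})

def minimize(cut_sets):
    """Keep only minimal cut sets: drop any set that contains another one."""
    uniq = set(cut_sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))

def minimal_cut_sets(tree, top):
    """Top-down expansion: OR gates add alternatives, AND gates combine them."""
    def expand(event):
        if event not in tree:                       # basic event: its own cut set
            return [frozenset([event])]
        kind, inputs = tree[event]
        children = [expand(i) for i in inputs]
        if kind == "OR":
            return minimize([s for alt in children for s in alt])
        if kind == "AND":
            return minimize([frozenset().union(*combo) for combo in product(*children)])
        raise ValueError(f"unknown gate type {kind}")
    return expand(top)

def single_points_of_failure(cut_sets):
    """Order-1 cut sets: one basic event alone is enough for the top event."""
    return sorted(next(iter(s)) for s in cut_sets if len(s) == 1)
```

Synthesizing two sensor blocks and one trip-logic block and expanding "TripLogic.no_output" yields three minimal cut sets, two of which are single points of failure; the shared power bus appears as one of them only because the two sensor mini-trees were joined into the same tree.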

29 Further Works
- Survey on the software fault tree
   Characteristics of SFTA
   Templates used in SFTA
- Define the template for fault tree synthesis from NuFDS

30 References
1. Nancy G. Leveson, "Safeware: System Safety and Computers", Addison-Wesley Publishing Company, 1995.
2. Neil Storey, "Safety-Critical Computer Systems", Addison-Wesley Publishing Company, 1996.
3. Safeware Engineering Corporation, www.safeware-eng.com
4. Design Safety Engineering, Inc., www.designsafe.com
