a25c a6a8a26a4a6a8a3a4a27a8a20a19a28a30a29a32a31a8a33
a9a24a11a8a13a15a11a8a16 a17a19a18a2a20a8a11a8a22 a1a4a3a15a23 a3
System Hazard Analysis
Builds on PHA as a foundation (expands PHA)
Considers system as a whole and identifies how
system operation
interfaces and interactions between subsystems
interface and interactions between system and operators
component failures and normal (correct) behavior
could contribute to system hazards.
Refines high?level safety design constraints
Validates conformance of system design to design constraints
Traces safety design constraints to individual components.
(based on functional decomposition and allocation)
a25c a6a8a26a15a6a8a3a4a27a8a20a19a28a34a29a32a31a8a35
a0a2a1a4a3a4a5 a6a8a7a10a9a12a11a14a13a15a11a8a16 a17a19a18a21a20a8a11a8a22 a1a15a3a4a23 a3
Hazard Causal Analysis
Used to refine the high?level safety constraints into more
detailed constraints.
Requires some type of model (even if only in head of analyst)
Almost always involves some type of search through the
system design (model) for states or conditions that could lead
to system hazards.
Top?down
Bottom?up
Forward
Backward
a25c a6a8a26a4a6a8a3a15a27a14a20a19a28a30a29a32a31a8a38
a0a2a1a4a3a4a5 a6a8a7a36a9a24a11a8a13a4a11a8a16 a17a19a18a2a20a8a11a8a22 a1a4a3a4a23 a3
Forward vs. Backward Search
Initiating Final
Events States
D
C
B
A W
Z
Y
X
nonhazard
HAZARD
nonhazard
nonhazard
Forward Search
Initiating Final
Events States
B
A
C
D
W
Y
Z
X
nonhazard
HAZARD
nonhazard
nonhazard
Backward Search
a25c a6a8a26a4a6a8a3a15a27a14a20a19a28a30a29a32a31a8a37
a0a2a1a4a3a4a5 a6a8a7a36a9a24a11a8a13a4a11a8a16 a17a19a18a2a20a8a11a8a22 a1a4a3a4a23 a3
Top?Down Search
TOP EVENT
Basic or
primary events
Intermediate or
pseudo?events
Leveson ? 139
System Hazard Analysis
c
Fault Tree Analysis
Developed originally in 1961 for Minuteman.
Means of analyzing hazards, not identifying them.
Top?down search method.
Based on converging chains?of?events accident model.
Tree is simply a record of results; analysis done in head.
FT can be written as Boolean expression and simplified to show
specific combinations of identified basic events sufficient to cause
the undesired top event (hazard).
If want quantified analysis and individual probabilities for all basic
events are known, frequency of top event can be calculated.
Leveson ? 140
System Hazard Analysis
Fault Tree Example
c
valve 1
too high
Pressure
fails on
Position
Indicator
Valve 1
Light fails
on
Indicator
Open
too late
output
Computer
not open
does not open
Relief valve 2
does not open
Sensor
Failure
Operator does
not know to
open valve 2
Operator
inattentive
Valve
failure
failure
Computer does
Computer
does not issue
command to
open valve 1
or
and
and
or
or
Relief valve 1
Valve
Explosion
a25c a6a8a26a15a6a8a3a4a27a8a20a19a28a34a29a32a94a95a29
a0a2a1a4a3a4a5 a6a8a7a10a9a12a11a8a13a4a11a8a16 a17a19a18a21a20a8a11a8a22 a1a15a3a4a23 a3
Example Fault Tree for ATC Arrival Traffic
a93 a51 a51
a79a60a49a43a48 a53a30a40 a39a55a40a59a46a60a50a2a53a61a40a59a52a32a52 a54a47a68a44a49a43a48 a53a61a39a63a53a61a49 a50a47a85a63a48 a40a43a52 a49a47a50a4a54
a42a44a48 a46a47a48a32a42a56a45a47a42a92a62a55a54a43a79a60a49a59a53a61a49a47a50a57a48 a40a43a46a70a62a41a50a83a49a59a46a60a68a47a49a59a53a15a68a34a62
a64a67a65
a116 a51 a51 a51a116 a116
a48 a40a43a52 a49a34a50a2a48 a40a43a46a70a40 a42a44a48 a46a47a48a32a42a56a45a47a42 a48 a40a43a52 a49a34a50a2a48 a40a43a46a70a40 a68a43a48 a62a55a50a4a49a43a46a60a39a41a54a84a40a59a53a30a50a57a48 a42a70a54 a48 a40a59a52 a49a47a50a57a48 a40a43a46a70a40 a42a44a48a32a46a34a48a32a42a44a45a34a42a118a62a41a54a43a79a60a49a59a53a15a49a34a50a2a48 a40a43a46
a51a4a51
a48 a46a60a109a63a50a2a53a61a49a43a48 a52a78a62a55a54a59a79a60a49a43a53a61a49a34a50a2a48 a40a43a46a70a69a71a76a47a48 a52 a54 a62a41a54a43a79a60a49a59a53a15a49a34a50a2a48 a40a43a46a44a81a82a54a47a50a83a69a105a54a34a54a43a46a70a62a55a50a57a53a61a54a47a49a43a42a70a62 a81a60a54a34a50a83a69a105a54a34a54a43a46a70a49a43a53a91a53a91a48 a85a41a49a43a52a78a50a57a53a61a49 a48 a39a90a49a43a46a60a68
a51 a51 a51 a51a83a51 a51a4a51 a51
a48a40a59a46 a46a60a49a43a52a117a49a43a79a47a79a34a53a61a40a47a49a47a39a63a76a70a50a4a40 a40 a49a43a48 a53a61a39a63a53a61a49 a50a43a52 a49a43a46a60a68a59a48a32a46a82a72a84a40a59a46a70a68a43a48 a54a43a53a61a54a43a46a82a50 a68a47a54a59a79a60a49a43a53a61a50a57a45a47a53a61a54a44a50a57a53a61a49 a48 a39 a53a61a40a43a42a119a46a82a54a47a49a43a53a91a81a60a74
a51
a62a41a49a43a42a70a54a88a53a91a45a47a46a60a69a105a49a34a74 a53a91a45a34a46a60a69a105a49a47a74a55a62 a54a47a54a47a68a34a54a43a53a101a49a43a48a32a53a91a79a82a40a43a53a61a50a83a62a77a97
a64a67a65
a106 a51 a51a51 a51 a106 a93 a93 a51 a51
a69a105a40a44a49a43a48 a53a61a39a63a53a61a49 a50a47a40a59a46 a48 a46a60a49a43a52 a69a107a40a44a49a59a48a32a53a61a39a63a53a61a49 a50a59a52 a49a43a46a82a68a43a48 a46a60a72 a46a70a49a59a48a32a53a61a39a63a53a61a49 a50a34a85a63a48 a40a59a52 a49a34a50a83a54a34a62a108a50a57a76a60a54 a46a70a49a59a48a32a53a61a39a63a53a61a49 a50 a49a59a48a32a52 a62
a51a4a51
a49a43a79a47a79a34a53a61a40a47a49a47a39a77a76a104a50a4a40a88a79a60a49a59a53a61a49a43a52a32a52 a54a43a52 a39a55a40a59a46a60a62a55a54a34a39a63a45a60a50a57a48 a85a41a54a43a52 a74a90a40a59a46a70a68a43a48 a54a43a53a61a54a43a46a82a50 a46a60a40a43a46a82a109a110a50a57a53a61a49a43a46a60a62a41a72a43a53a61a54a47a62a55a62a63a48 a40a43a46a70a111a41a40a43a46a60a54 a50a4a40a115a42a87a49a43a89a78a54a44a50a57a45a47a53a91a46
a51
a53a91a45a47a46a60a69a105a49a47a74a41a62a67a46a60a40a47a50a34a62a63a79a60a49a47a50a57a48 a49a43a52 a52 a74 a53a91a45a47a46a82a69a107a49a34a74a55a62a67a48a32a46a44a48 a46a60a50a4a54a43a53a61a62a55a54a34a39a55a50a57a48a32a46a60a72a44a40a59a53 a69a71a76a47a48 a52 a54a44a49a43a48 a53a91a79a60a40a43a53a61a50a59a48 a62a90a39a55a40a59a46a60a68a43a45a82a39a55a50a2a48 a46a60a72 a53a15a40a59a42a120a81a82a49a47a62a55a54a44a50a4a40
a51
a62a55a50a4a49a47a72a47a72a34a54a43a53a61a54a47a68a43a97 a39a55a40a59a46a60a85a55a54a59a53a15a72a59a48a32a46a82a72a44a40a43a79a60a54a43a53a61a49a34a50a2a48 a40a43a46a82a62a108a85a77a48 a40a59a52 a49a47a50a4a54 a48a32a46a82a68a47a54a43a79a82a54a43a46a60a68a34a54a43a46a60a50a59a112a83a80a82a113a114a49a43a79a47a79a34a53a61a40a47a49a47a39a63a76a82a54a47a62 a48a32a46a60a49a59a52a78a49a43a79a34a79a47a53a61a40a47a49a47a39a77a76a47a97
a51a83a51
a52a42a44a48 a46a47a48 a42a44a45a47a42a92a68a43a48 a54a43a53a61a54a59a46a60a39a55a54a88a48 a46 a50a4a40a115a79a82a49a43a53a61a49a43a52 a54a59a52a55a53a91a45a47a46a60a69a105a49a34a74a55a62a63a97
a50a57a76a47a53a61a54a47a62a63a76a82a40a43a52 a68a44a39a63a53a61a40a47a62a55a62a77a48a32a46a60a72a44a50a57a48 a42a70a54a43a97
a6a8a26a15a6a8a3a4a27a8a20a19a28a34a29a32a94a8a96
a0a2a1a4a3a4a5 a6a8a7a10a9a12a11a8a13a4a11a8a16 a17a19a18a21a20a8a11a8a22 a1a15a3a4a23 a3
Example Fault Tree for ATC Arrival Traffic (2)
a58
a40a59a46a60a50a57a53a61a40a43a52a32a52 a54a43a53a10a48a32a46a82a62a55a50a57a53a91a45a60a39a55a50a57a48 a40a59a46a60a62a90a68a47a40a88a46a60a40a34a50a47a39a55a49a59a45a60a62a55a54
a51
a49a43a48a32a53a61a39a77a53a15a49 a50a34a50a83a40a88a42a70a49a59a89a78a54a88a46a60a54a34a39a55a54a47a62a55a62a41a49a43a53a61a74a90a62a63a79a60a54a34a54a47a68a44a39a63a76a60a49a59a46a60a72a47a54
a64a67a65
a58 a58 a58 a58 a58
a40a43a46a82a50a2a53a61a40a59a52a32a52 a54a43a53a101a68a47a40a47a54a34a62 a40a43a46a82a50a2a53a61a40a59a52a32a52 a54a43a53a10a48 a62a55a62a77a45a60a54a47a62 a40a43a46a82a50a2a53a61a40a43a52 a52 a54a43a53a102a48 a62a55a62a63a45a82a54a47a62 a40a59a46a60a50a57a53a61a40a43a52a32a52 a54a43a53a10a48 a62a41a62a63a45a60a54a34a62 a40a59a46a60a50a57a53a61a40a43a52a32a52 a54a43a53a10a48 a62a41a62a63a45a60a54a34a62
a46a82a40a47a50a43a48 a62a55a62a63a45a82a54a44a62a63a79a60a54a47a54a34a68 a49a59a79a47a79a47a53a61a40a43a79a34a53a91a48 a49a34a50a83a54a44a62a63a79a82a54a47a54a47a68 a49a43a79a34a79a47a53a61a40a43a79a34a53a103a48 a49a47a50a4a54a44a62a63a79a60a54a34a54a47a68 a62a63a79a60a54a47a54a34a68a44a49a47a68a47a85a77a48 a62a55a40a59a53a61a74 a62a63a79a60a54a47a54a34a68a44a49a47a68a47a85a77a48 a62a55a40a59a53a61a74
a49a34a68a47a85a63a48 a62a55a40a43a53a61a74 a49a34a68a47a85a63a48 a62a55a40a43a53a61a74a67a81a47a45a82a50a43a79a47a48 a52 a40a34a50 a49a47a68a34a85a63a48 a62a55a40a43a53a61a74a90a49a43a46a60a68a88a79a34a48a32a52 a40a47a50 a50a2a76a82a49a47a50a47a68a34a40a47a54a47a62a67a46a60a40a34a50 a50a83a40a34a40a88a52 a49a47a50a4a54a44a50a4a40a44a49a47a85a55a40a59a48 a68
a68a34a40a47a54a47a62a67a46a60a40a34a50a43a53a61a54a47a39a41a54a43a48 a85a41a54a88a48 a50a57a97 a53a61a54a47a39a41a54a43a48 a85a41a54a47a62a67a48 a50a59a81a47a45a60a50a34a68a47a40a47a54a34a62 a49a47a85a55a40a43a48 a68a44a62a55a54a59a79a60a49a43a53a61a49a47a50a57a48 a40a43a46 a62a55a54a43a79a60a49a59a53a61a49a47a50a57a48 a40a43a46
a51
a46a60a40a34a50 a40a43a52 a40a47a69a98a48a52 a50a2a97 a85a63a48 a40a59a52 a49a34a50a2a48 a40a43a46 a85a63a48 a40a59a52 a49a34a50a2a48 a40a43a46a47a97
a64a67a65
a75 a86 a58
a76a60a74a55a62a77a48 a39a41a49a43a52 a45a47a42a87a49a43a46 a40a59a46a60a50a57a53a61a40a43a52a32a52 a54a43a53a10a48 a62a41a62a63a45a60a54a34a62
a39a41a40a43a42a44a42a44a45a47a46a34a48 a39a41a49a47a50a2a48 a40a43a46 a39a55a40a43a42a44a42a56a45a47a46a47a48 a39a55a49a47a50a57a48 a40a43a46 a62a77a79a60a54a47a54a34a68a84a49a34a68a47a85a63a48 a62a55a40a43a53a61a74
a51 a51 a51
a49a43a48 a52a32a45a34a53a15a54 a49a43a48 a52a32a45a34a53a15a54 a50a83a40a44a69a71a53a61a40a43a46a82a72a84a49a59a48a32a53a61a39a63a53a61a49 a50
a64a66a65 a64a67a65
a65 a51
a49a59a48a32a52 a45a47a53a61a54
a65
a49a47a68a43a48 a40a44a40a43a46a70a69a71a53a61a40a43a46a60a72
a75 a99
a49a34a68a43a48 a40 a62a55a74a55a39a77a76a60a40a43a52 a40a47a72a43a48 a39a55a49a59a52a78a62a63a52 a48a32a79 a53a61a40a43a46a82a72a88a52 a49a59a81a60a54a43a52 a80a60a49a43a81a82a54a43a52a55a48 a46
a25c
a51
a53a15a54a34a73a43a45a60a54a59a46a60a39a55a74 a49a47a62a55a62a41a40a47a39a63a48 a49a47a50a4a54a47a68a44a69a71a48 a50a57a76 a42a44a48 a62a77a52 a54a47a49a34a68a43a48 a46a60a72
a51
a49a43a48 a53a61a39a63a53a61a49 a50a47a40a43a46 a79a47a52 a49a34a39a55a54a44a40a43a46
a79a47a52 a49a43a46a60a85a77a48 a54a47a69a100a68a43a48 a62a63a79a47a52 a49a47a74 a62a55a39a63a53a61a54a47a54a59a46
\System Hazard Analysis
FTA Evaluation
Leveson ? 143
c
operation of system.
Requires a detailed knowledge of design, construction, and
Dependencies (common?cause failure points) not easy to see.
Graphical format helps in understanding system and
relationship between events.
identifying potentially hazardous software behavior.
Can be useful in tracing hazards to software interface and
Cuts sets denote weak points of a complex design.
c
Leveson ? 144
\System Hazard Analysis
sometimes
FTA Evaluation (2)
A simplified representation of a complex process
too simplified.
Tends to concentrate on failures.
Quantitative evaluation may be misleading.
On U.S. space programs where FTA (and FMEA) were used
extensively, 35% of actual in?flight malfunctions were not
identified or were not identified as credible.
c
Leveson ? 145
Event Tree Analysis
Developed for and used primarily for nuclear power.
Underlying single chain of events model of accidents.
Forward search
Simply another form of decision tree.
Problems with dependent events.
Leveson ? 146
Event Tree Example
P1
P1 x P5
P1 x P4
P1 x P4 x P5
P1 x P3
P1 x P3 x P4
c
1?P5
P5
1?P5
P5
P4
1?P4
P4
1?P4
P3
1?P3
1?P2
P1
Fails
Fails
Fails
Fails
Fails
Succeeds
Succeeds
Succeeds
Succeeds
Succeeds
Available
Initiating event
Containment
integrity
productFission
removal
ECCSElectric powerPipe break
54321
Fails
P1 x P2
P2
c
Leveson ? 147,148
System Hazard Analysis
Event Trees vs. Fault Trees
Relief valve 1 Relief valve 2
Opens
Pressure decreases
Fails
Opens
Fails
too high
Pressure
Pressure decreases
Explosion
open valve 1
Computer does not
failure
Valve
OpenValve 1
does not issue
light fails
indicator
indicator
position
onfails on
command to
open valve 1
Computer
Computer
output
too late
Pressure
monitor
failure
Operator does not
know to open valve 2
inattentive
Operator
Valve
failure
does not open
Relief valve 2
Explosion
Relief valve 1
does not open
Pressure
too high
Leveson ? 149,150
System Hazard Analysis
c
ETA Evaluation
Events trees are better at handling ordering of events but
fault trees better at identifying and simplifying event scenarios.
Practical only when events can be ordered in time (chronology
of events is stable) and events are independent of each other.
Most useful when have a protection system.
Can become exceedingly complex and require simplication.
Separate tree required for each initiating event.
Difficult to represent interactions between events
Difficult to consider effects of multiple initiating events.
Defining functions across top of event tree and their order
is difficult.
Depends on being able to define set of initiating events that
will produce all important accident sequences.
Probably most useful in nuclear power plants where
all risk associated with one hazard (serious overheating of fuel)
designs are fairly standard
large reliance on protection systems and shutdown systems.
Cause?Consequence Analysis
Leveson ? 151
System Hazard Analysis
A combination of forward and top?down search.
Again based on converging chain?of?events.
Diagrams can become unwieldy.
Separate diagrams required for each initiating event.
Used primarily in Europe.
c
c
Leveson ? 152
System Hazard Analysis
Cause?Consequence
Diagram
critical event
open
does not
Computer
Pressure too high
opens?
Valve
Operator
open
Valve
reaction
Yes No
Relief valve 1
Pressure
Explosion
reduced
does not
NoYes
Relief valve 2
failure
opens?
failure
Uncontrolled
c
System Hazard Analysis
Leveson ? 153
HAZOP: Hazard and Operability Analysis
Unlike most techniques, HAZOP can identify hazards.
Based on model of accidents that assumes they are caused
by deviations from design or operating intentions.
Purpose is to identify all possible deviations from the design’s
expected operation and all hazards associated with these
deviations.
Software Deviation Analysis (Jon Reese)
c
Leveson ? 154
System Hazard Analysis
HAZOP Guidewords
NONE
NO, NOT,
Guideword
The intended result is not achieved, but nothing else happens
Meaning
(such as no forward flow when there should be)
MORE
or higher viscosity).
(such as higher pressure, higher temperature, higher flow,
More of any relevant physical property than there should be
LESS Less of a relevant physical property than there should be.
AS WELL AS
water, acids, corrosive products).
(such as extra vapors or solids or impurities, including air,
components are present in the system than there should be
An activity occurs in addition to what was intended, or more
PART OF
one of two components in a mixture).
Only some of the design intentions are achieved (such as only
REVERSE
backflow instead of forward flow).
The logical opposite of what was intended occurs (such as
OTHER THAN
material).
completely different happens (such as the flow of the wrong
No part of the intended result is achieved, and something
c
Leveson ? 155
Example Entry in a HAZOP report
System Hazard Analysis
Guide Word
NONE
Deviation
No flow
Possible Causes
1. Pump failure
2. Pump suction
3. Pump isolation
filter blocked
valve closed.
Possible Consequences
1. Overheating in heat
exchanger.
2. Loss of feed to reactor.
c
Leveson ? 156
System Hazard Analysis
Interface Analyses
Various types used to evaluate physical, functional, or flow
relationships.
Generally use structured walkthroughs.
Like HAZOP, effectiveness depends on procedures used
and thoroughness of application.
.
c
Leveson ? 157
System Hazard Analysis
FMEA or FMECA
Failure Modes and Effects (Criticality) Analysis
Developed to predict equipment reliability.
Forward search based on underlying single chain?of?events
and failure models (like event trees).
Initiating events are failures of individual components.
c
Leveson ? 158
System Hazard Analysis
FMECA Example (1)
B
A
Component
probability
Failure
Failure mode
by mode
% failures
Effects
Critical Noncritical
B
A
?3
?3
1x10
1x10
Short
Other
Short
Other
Open
Open
5
5
5
90
5
90
5x10
5x10
?5
5x10
?5
5x10
?5
?5
X
X
Leveson ? 159
System Hazard Analysis
c
FMECA Example (2)
Subsystem __________________________ Prepared by____________________________ Date _____________
FAILURE MODES AND EFFECTS CRITICALITY ANALYSIS
ITEM
MODES
FAILURE
CAUSE OF FAILURE POSSIBLE EFFECTS PROB. LEVEL
POSSIBLE ACTION TO REDUCE
FAILURE RATE OR EFFECTS
Motor Case Rupture a. Poor workmanship
b. Defective materials
c. Damage during
transportation
d. Damage during handling
e. Overpressurization
Destruction of missile 0.0006 Critical Close control of manufacturing
processes to ensure that
workmanship meets prescribed
standards. Rigid quality control
of basic materials to eliminate
defectives. Inspection and
pressure testing of completed
cases. Provision of suitable
packaging to protect motor during
transportation.
c a126a95a141a91a126a21a124a103a142a123a135a60a143a145a144a8a146a21a147a140
a121a123a122a91a124a103a125 a126a19a127a87a128a130a129a21a131a91a129a19a132 a133a77a134a136a135a137a129a19a138 a122a103a124a130a139 a124
ABORT: CRIT. FUNC.:
CRIT. HDW:
REVISION:
PREPARED BY: APPROVED BY: APPROVED BY (NASA):
ITEM:
FUNCTION:
FAILURE MODE:
CAUSE(S):
EFFECT(S) ON (A) SUBSYSTEM
DISPOSITION AND RATIONALE:
REDUNDANCY SCREEN:
SHUTTLE CRITICAL ITEMS LIST ? ORBITER
SUBSYSTEM: FMEA NO:
EFFECTIVITY:
VEHICLE
ASSEMBLY:
P/N RI:
P/N VENDOR:
PHASE:
QUANTITY
(D) CREW/VEHICLE (C) MISSION (B) INTERFACES
