Functional hazard analysis defined

Step 1 define the scope of the Functional Hazard Analysis... 

Functional Hazard Analysis A Functional Hazard Analysis (FHA) is defined [SAE ARP4761 para 3.2] as a systematic, comprehensive examination of a system s functions to identify and classify potential Failure Conditions which the system can cause or contribute to, not only if it malfunctions or fails to function, but also in its normal response to unusual or abnormal external factors. 

Control System (BPCS), including functions of Supervisory Control and Data Acquisition (SCADA) system, the alarm system (AS) and Safety Instrumented Systems (SIS) performing defined Safety Instrumented Frmetions (SIF). Proper design of layers of protection is based on hazards analysis and risk assessment with consideration of human and organizational factors. It is essential to ensure required safety integrity level (SIL) for each of these layers. 

Once the technical work and analysis is completed and the appropriate documents developed, reviews and audits of the technical work and resultant documents must be performed. Depending upon the consequences of the hazard identified in the safety function, a certain, defined level of independance is required between the originator and reviewer (assessor). This may mean a different department within the same company (preferrably one that has expertise with functional safety management and lEC 61508/62061) or outside certified SIL reviewers/ assessors. 

Because of the complexity of chemical processes, the response selection should be tailored to the characteristics and requirements of each plant and safety function. A hazard and risk analysis defines for each hazard scenario when action should be taken, giving the initiating causes, consequence severity, and protection layers. The potential for common cause should also be evaluated to ensure the actions can be implemented in the presence of the initiating cause and the SIF device fault. 

For safety, lEC 61508 [8] is the basic functional safety standard, which covers the complete safety life cycle. It describes techniques and procedures for analysis, realization and operation of safety critical systems. With respect to security, lEC 61508 Ed 2.0 (2010) contains only a few requirements Security threats are to be considered during hazard analysis in the form of a security threat analysis (lEC 61508, Part 1, 7.4.2.3). The ISO/IEC 27000-series describes best-practices advice for information security management. They consider classic security-critical systems such as databases, servers and corporate networks. Nevertheless, we use the terms as they are defined in the ISO/IEC 27000-series for this publication and those from lEC 61508 for safety. 

All safety activities refer to an item . An item in terms of ISO 26262 is defined as a system or array of systems to implement a function at the vehicle level, to which ISO 26262 is applied . The Item Definition marks the scope of the Safety Considerations on an overview level and is the starting point of all furflier safety activities. It is, in particular, a necessary preparation for the Hazard Analysis and Risk Assessment (HARA), because in order to identify malfunctions that may lead to scenarios that bear the risk of an accident (called hazards), the interfaces of the investigated system to its environment must be known, as well as the specified behavior at these interfaces. Deviations from this specified behavior constitute the item s failures, a subset of these constituting the hazardous failures. As explained above, CMSs are well-suited to be regarded as an item according to the definition in ISO 26262. So the Item Definition usually depicts the entire CMS with camera(s), processing unit(s) and display(s). 

CONSTRUCTING THE FAULT TREE. Fault tree construction begins at the top event and proceeds, level by level, until all fault events have been traced to their basic contributing events or basic events. The analysis starts with a review of system requirements, function, design, environment, and other factors to determine the conditions, events, and failures that could contribute to an occurrence of the undesired top event. The top event is then defined in terms of sub-top events, i.e., events that describe the specific "whens and wheres" of the hazard in the top event. Next, the analysts examine the sub-top events and determine the immediate, necessary, and sufficient causes that result in each of these events. Normally, these are not basic causes, but are intermediate faults that require further development. For each intermediate fault, the causes are determined and shown on the fault tree with the appropriate logic gate. The analysts follow this process until all intermediate faults have... 

Functional safety requirements of the process equipment Define hazard potential, perform Level Of Protection Analysis (LOPA)... 

In accordance with DOE-STD-3009-94, (DOE 1994) safety SSCs are divided Into two categories (1) safety-class and (2) safety-significant. DOE-STD-3009-94 defines safety-class SSCs (SCSSCs) as those SSCs, including environmental monitors and portions of process systems, whose failure could adversely affect the environment or safety and health of the public as identified by safety analysis. The phrase adversely affect refers to exceeding offsite EGs (i.e., a whole-body dose of 25 rem to the nearest located member of the public). SCSSCs are systems, structures, or components whose preventive or mitigative function is necessary to keep hazardous material exposure to the public below the EGs. 

The enterprise analyzes and prioritizes potential functional failure modes to define failure effects and identify the need for fault detection and recovery fimctions. Functional reliability models are established to support the analysis of system effectiveness for each operational scenario. Failures, which represent significant safety, performance, or environmental hazards, are modeled to completely understand system impacts. 

A strategy that makes easier for the team to handle with large nodes was proposed and the main initiating events identified during the Petrobras coke drums HAZOP analysis were presented. Some LOPA results were commented in order to provide the reader the type of answers this approach allows. These results include the identification of the logics that need to be defined as safety instrumented functions and the required target SIL to achieve a tolerable frequency of occurrence for a specific hazard scenario. 

ABSTRACT This paper is focused on the safety analysis of an analogue transceiver located in the BTM, a subsystem of the European Railway Traffic Management System (ERTMS). Balise detection is the transceiver safety related function and the ERTMS specifications define it as a SIL2, setting a maximiun tolerable hazard rate of 10 failures per hour. By means of FTA and FMEA analyses, and failure rate calculation, this paper demonstrates that a bIsT topology is suitable to accomplish safety requirements. The description of the topology and the diagrams of both analyses are also exposed. To conclude, the comparison between the values obtained for both architectures are shown and the safety improvement is e)q)lained. 

Therefore, the verifications, functional safety assessments and audits recommended by ANSI/ISA-84.00.01-2004 should be used to ensure that the requirements defined in the hazard and risk analysis are met and that predictable failures do not defeat the intent of safety requirements specification. 

---