Functional Hazard Analysis process

The DAL is an index number ranking the safety-criticality of the system functions. This ranking implies that in order to make the system safe, greater development rigor must be applied to each successively critical level. Table 2.3 correlates the hardware DALs to the five classes of failure conditions and provides definitions of hardware failure conditions and their respective DALs. Initially, the hardware DAL for each hardware function is determined by the SSA process using a functional hazard analysis (FHA) to identify potential hazards and then the preliminary system safety assessment (PSSA) process allocates the safety requirements and associated failure conditions to the function implemented in the hardware. 

This whole process of safety analysis is regulated by the ARP 4761. Identification of safety objectives is given by a fimctional approach, documented in a functional hazard analysis demonstrating compliance with these objectives is achieved by identifying the combinations of failiues, and this is documented in the System Safety Assessment (SSA). 

Emergency Management Agency, Handbook of Chemical Hazard Analysis Procedures, p. 6-7, 1989). It is likely that the absorption process functions in proportion to the square root of the duration of exposure (Perry, Chemical Engineers Handbook, 4th ed., p. 14-13 and Figs. 14-7, 14-9, and 14-21, 1963). 

Waste handling facilities have become an essential function for operation of many process systems. Historically, waste handling facilities are often overlooked and should be included in a fire hazard analysis. If the waste han-dling/treatment system cannot operate, then a plant or unit shutdown may be required. 

Use Level of Protection Analysis to evaluate the reliahility needed for safety instrumented functions. (Before startup for all serious consequences identified in the process hazards analysis)... 

More in line with the predictive use of hazards analysis, however, is the experimental and theoretical assessment that the viscosity of the liquid significantly affects this mode of initiation. Such information allows redesign of the process to eliminate handling of low viscosity liquid explosives, and quantitative measurement of the sensitivity of the system to mild shocks as a function of viscosity may allow the optimum level to be selected. This is not necessarily a new concept, only quantified in a different manner. Thirty years ago transporters of neat nitroglycerine in the oil fields were paid 25 a day. The stipend for transporting jellied nitroglycerine was seven dollars, a practical comment on the understood difference in hazard. 

Through functional-use analysis, toxicological and environmental fate data on structurally similar chemicals can be applied to each member of a functional-use class. A focus on functional use not only offers commonality in perspective for chemical innovators, but also simplifies the risk assessment process. Within a given product dass, the use and exposure patterns are generally the same, with minor variability therefore, the hazard component of the risk equation becomes a... 

Earlier method of identifying hazards involved a procedure consisting of asking questions such as what if This approach consists of questioning the proper function at every stage of the process, along with consequences or the remedial features. A checklist for the simplified process hazard analysis by the what if method is shown in Table 3.3. Although this method is an old method of hazard analysis compared with other methods such as hazop or fault tree analysis it has proven to be quite useful. 

Prototyping FDA (1995) An approach to accelerate the software development process by facilitating the identification of required functionality during analysis and design phases. A limitation of this technique is the identification of system and software problems and hazards. [Adapted.]... 

Most major chemical and pharmaceutical companies today have developed systematic methods of evaluating new (and in many cases, old) processes and materials for the hazards attendant to their manufacture. The degree of urgency in establishing a chemical process hazard analysis function has often been dictated by some untoward event (usually within the company). It is to the prediction and control or elimination of unplanned reaction events to which the chemical process hazard review must address itself. 

While a preliminary functional decomposition of the system components is created to start the process, as more information is obtained from the hazard analysis and the system design continues, this decomposition may be altered to optimize fault tolerance and communication requirements. For example, at this point the need... 

At this point in development, the safety requirements and constraints are documented and traced to the design features used to implement them. A hazard log contains the hazard information (or links to it) generated during the development process and the results of the hazard analysis performed. The log will contain embedded links to the resolution of each hazard, such as functional requirements, design constraints, system design features, operational procedures, and system limitations. The information documented should be easy to collect into a form that can be used for the final safety assessment and certification of the system. 

The first step in the acceptance process is the identification of the environment within which the pre-developed software will have to work. This environment is determined by the system-level safety function as described in the system requirements specification. Also the interface and performance requirements, as well as the safety category should be contained in the system requirements specification. This means, that during the establishment of the plant safety design base a risk and hazards analysis has been performed which rendered the categories of safety functions to be implemented by pre-developed software. This risk and hazard analysis - in spite of being out of the scope of I C engineering - has been taken as the first of four acceptance criteria that should be applied to pre-developed software independently of its safety category. 

Hazard analysis The functions, steps, and criteria for design and plan of work, which identify hazards, provide measures to reduce the probability and severity potentials, identify residual risks, and provide alternative methods of further control (SSDC) a process of examining a system, design, or operation to discover inherent hazards, characterizing them as to level of risk and identifying risk-reduction alternatives (APR 800-16) the determination of potential sources of danger and recommended resolutions in a timely manner for those conditions found in either the hardware/software systems, the person-machine relationship, or both, which cause loss of personnel capability, loss of system, or loss of life or injury to the public (NSTS 22254). 

The job safety analysis (JSA) [also referred to as the job hazard analysis (JHA)], which is a more simplified form of task analysis, has been a longstanding tool for task and function analysis. JSA has been available and utilized in general industry for many years by the industrial safety community. However, many practitioners do not understand or are simply unfamiliar with the connection between the JSA and the system safety tasks of hazard identification and analysis. It has even been suggested by some in the profession that the JSA itself is a type of oversimplified system safety analysis and, if performed earlier in the job development phase, could be used as the basis of a preliminary hazard analysis for a specific task or set of tasks. However, because JSA is often (if improperly) used to analyze a function only after it has been implemented, much of the data is not factored into the system safety process. The primary purpose of the JSA is to uncover inherent or potential hazards that may be encountered in the work environment. This basic definition is not unlike that previously discussed regarding the various system safety analyses. The primary difference between the two is subtle but important and is found in the end-use purpose of the JSA. Once the job or task is completed, the JSA is usually used as an effective tool for training and orienting the new employee into the work environment. The JSA presents a verbal picture of a specific job. 

Software System Hazard Analysis This type of analysis is conducted similar to a hardware system hazard analysis (SHA), analyzing software functional processing steps to determine whether they may have any particular hazardous effect on the system. The analysis utilizes a hazard-risk index to illustrate the severity of each potential failure. The main advantage to this method is in its ability to positively identify safety-critical hardware and software functions as well as consider the effect of the human element in system software operations. The results of the software SHA, which identifies single-point failures or errors within a system, can often be used to assist in the development of a software fault tree analysis or, to some degree, a system FMEA. However, as with the other various SWHA techniques briefly described above, this method is also time-consuming and costly to perform. 

Another well-known technique of hazard identification is the HAZOP (HAZard and OPerability) method. With this method, hazards are identified and analyzed using sessions with operational experts. At the same time, the experts come up with potential solutions and measures to cope with the identified hazards (Kletz, 1999). The advantage of HAZOP with respect to the functional approach is that also nonfunctional hazards are identified during the brainstorm with operational experts. However, in applying HAZOP, one needs to take care that hazard analysis and solution activities do not disturb the hazard identification process, which could leave certain hazards unidentified or inappropriately solved . Leaving such latent hazards in a design typically is known to be very costly in safety critical operation. 

A conprehensive product release process ensures that products are very mamre when released. Parallel to the comprehensive quality management process the safety process starts with general safety requirements which are checked for applicability and allocated to the project respectively. It continues with several tasks like performance of an Functional Hazard Assessment, production of an hardware RAM Modelling and Prediction Report and a Failure Modes, Effects and Criticality Analysis for a typical configuration and the use of the previously mentioned hazard checklist. Finally all issues of the product release checklist are to be fulfilled to get the official release. 

NOTE 2 Where a detailed hazard analysis of the BPCS demonstrates that the control and protective elemertts within the BPCS are functionally independent, it may be possible to conclude that a failure in the controlling part has a sufficiently low probability of causing the failure of the protective function. In such cases, it may be appropriate to take credit for the BPCS as a protection layer, even if the BPCS can initiate the process hazard. In accordance with ANSI/ISA-84.00.01-2004-1, Clause 9, the risk reduction claimed for the BPCS as a protection layer must be less than or equal to 10. 

The fuel gas to a fired heater is controlled by a BPCS control function (function TIC-1), which throttles a fuel control valve, CV-1, as shown in Figure F-3. A hazard analysis was performed to identify process hazards and to determine whether the safeguards were sufficient to mitigate the process hazards. The team determined that when the heater was firing hard, a low-pass flow through the tubes could result in a high firebox temperature with the potential for tube rupture, furnace fire and structural damage to the furnace. 

For this paper we treat hazard assessment as a combination of two interrelated concepts hazard identification, in which the possible hazardous events at the system boundary are discovered, and hazard analysis, in which the likelihood, consequences and severity of the events are determined. The hazard identification process is based on a model of the way in which parts of a system may deviate fi om their intended behaviour. Examples of such analysis include Hazard and Operability Studies (HAZOP, Kletz 1992), Fault Propagation and Transformation Calculus (Wallace 2005), Function Failure Analysis (SAE 1996) and Failure Modes and Effects Analysis (Villemeur 1992). Some analysis approaches start with possible deviations and determine likely undesired outcomes (so-called inductive approaches) while others start with a particular unwanted event and try to determine possible causes (so-called deductive approaches). The overall goal may be safety analysis, to assess the safety of a proposed system (a design, a model or an actual product) or accident analysis, to determine the likely causes of an incident that has occurred. 

SRS blocks. PHA, process hazard analysis SIF, safety instrument functions SIS, safety instrumentation system SRS, safety-related system. 

Also, a subsystem hazard analysis (SSHA) examines each major subsystem (such as shown on the functional organizational tree in Figure 5.3) and identifies specific hazards and safety concerns including failures, faults, processes, or procedures and human errors. An SSHA also should address hazard controls and how those controls are verified. 

In the system safety analysis process, you will come across IT-driven or microprocessor-based systems. While performing any of the system safety analyses, numerous hazardous situations will be discovered. The first step is to decide whether there are any software controls in those particular subsystems. If there are, then it can be considered a safety-critical subsystem. More formally, a safety-critical subsystem is one in which the operations must work properly or a hazardous situation will result. Safety-critical software is a software within a control system that contains one or more hazardous or safety-critical functions. 

---