This workshop aims to provide a basic understanding of performing a HAZOP on a Computer/Controls System: to identify hazards, causes and consequences; to identify operability factors that influence human performance; to identify safeguards and preventive controls; and to make recommendations for improvement.
CHAZOP Introduction: Controls System Hazards and Operability Analysis
Confidential. Not for reproduction. Copyright 2014. All rights reserved.
The Learning Environment
It is important for ACM and for you as our clients that the learning atmosphere and conditions are comfortable and suited for learning. Being respectful of others' viewpoints and patient for others to ask questions is important.
Rules:
We are all here to learn from each other
Respect each other's opinions
This is a safe environment to learn
Breaks are negotiated and managed by the group
We start on time after breaks
Emergency procedures
CELL PHONES OFF OR ON VIBRATE
HAVE FUN! Being interactive is the key to your success in learning new skills and knowledge.
Agenda
Building Emergency Procedures
Introductions
8:00-12:00 Theory for HAZOP of Computer/Controls System
12:00-1:00 Lunch
1:00-4:00 Continuation and CHAZOP exercises
Objectives of Workshop
To provide a basic understanding of performing a HAZOP on a Computer/Control System.
To demonstrate the concepts through a practice exercise.
PHA Study Method - CHAZOP
CHAZOP (qualitative): predictive identification of hazards, causes and consequences; identification of operability factors that influence human performance; identification of safeguards and preventive controls; recommendations for improvement.
Risk Assessment (qualitative): probabilistic-based assessment of hazards; risk is assessed as a function of consequences and likelihood (estimation of likelihood and consequence severity).
Why do a HAZOP on a Computer/Controls System?
Allows the hazards and risks associated with computer/control system designs to be analyzed and evaluated before the computer/control system is installed, commissioned, site tested, and put into operation
Reflects the best thinking on how to safely operate and manage your computer/control systems
Builds upon and records process and computer/control system experience
Assesses what safety measures to use and the protection that they can provide
Promotes safe, efficient operation and maintenance
Promotes the idea that computer/control systems and operating and maintenance procedures are vital plant components
Reduces the likelihood of incidents and accidents
Improves quality, continuity, profitability and cost control
Complies with governmental regulations or industrial initiatives requiring computer/control system certification
CHAZOP Study Objectives
To identify computer/control system hazards, not to provide solutions to all hazards
To provide confidence that potential hazards are identified
To provide a qualitative estimate of the likelihood and the severity of potential incidents and accidents
To qualitatively evaluate the consequences of failure of engineering and administrative controls
To provide management with a concrete basis for making risk management decisions
To identify ways in which operability might be improved
To provide information which can be useful in improving future migration or modernization
To provide objective, documented evidence of a thorough, well-conducted study for audit and insurance purposes

Establish the limits of the computer system and its network
Identify which plant units depend on or interact with the computer system for their operation
Develop a block flow diagram of the functions of the computer in controlling the plant units
Identify hazards of the units as defined by a hazard study or process HAZOP, and include any hazards associated with the interactions between units
List those computer functions associated with the hazards in any way

On which Computer/Controls System should I do a HAZOP?
A HAZOP can be done on any Computer/Controls System. However, due to the level of detail required and the time commitment, a HAZOP is typically performed on Computer/Controls Systems deemed to be critical. Critical Computer/Controls Systems should be identified at any facility.

What defines a critical Computer/Controls System?
A critical Computer/Controls System may be defined by one or more of the following criteria:
Any Computer/Controls System for which the consequence of deviating from the design intent causes a critical situation, incident, or accident
Start-up or shutdown transition mode sequences for the Computer/Controls System
Maintenance operating mode transition sequence (i.e. on/off-line maintenance mode transition sequence)
Abnormal operating Computer/Controls System states, modes, and transitions
Emergency stop sequence, reset state, critical stop sequence
Temporary operating modes, transition sequences, set reference points
Commissioning or decommissioning modes, states, transitions and procedures
Proof testing, or test mode (bypassed equipment, on-line, off-line)

When to do a HAZOP on a Computer/Controls System?
When should you do a HAZOP on a Computer/Controls System?
Critical Computer/Controls System
Complex Computer/Controls System (complex architecture requirements)
New Computer/Controls System
Modified Computer/Controls System
Migration or upgrade of a Computer/Control System
Addition of new equipment to an existing Computer/Controls System
Changes in the transition mode sequences (modifies the sequencing)
To comply with government regulations or industrial initiatives requiring special Computer/Controls System directives
With any change that requires an MOC, the Computer/Controls System should also be considered for CHAZOP re-evaluation
At any time during the lifecycle of the Control/computer system (e.g. detail design and engineering)
Preparation for a CHAZOP: what information do you need?
Well documented Computer/Controls System operation
Up-to-date schematics, network, I/O, CPU, etc. drawings and instructions
Control system architecture layout and hierarchy, interfaces, interconnections and computer/control equipment location depiction
Structure of the Control/computer system block flow diagrams
Depiction of control/computer system data transfer speed, volume and flow directions
Shutdown key (Cause and Effect Matrix)
Structural drawings to locate equipment and equipment positions, HVAC
Reactive chemical matrix, MSDS for chemicals
Overall description of the Computer/Controls System units, parts, environment
Previous PHA studies, modifications, etc. on the Computer/Controls System
PHA team tour and inspection of the Computer/Controls System to be reviewed
Who needs to attend the CHAZOP?
Senior operations personnel involved in the day-to-day operation of the process area being reviewed
Control systems/contact engineer involved in the day-to-day operation of the Control/computer system being reviewed and analyzed
Equipment specialists
Control system network designer
Functional Safety / Process Safety
Control equipment technical
Site operations
Site controls maintenance
Other specialists as required: DCS, BPCS, vendors, manufacturers; specialized proprietary, OEM; IT - Information Technology
Differences between process HAZOP and CHAZOP
Control/computer system hazard analysis usually does not deal with the flow of liquids or gases, but with the flow or transfer of data/information through network cables or wireless links (data: bits, bytes, words, frames, etc.).
Hazards are different; they are related to the control system elements: operators unable or partially unable to monitor the process status of a plant that is still in control; the computer/control system enters an unpredictable operating mode; hardware inputs and outputs frozen or in unpredictable states; the operator cannot make changes or activate/deactivate overrides or bypasses; operators are unable to turn equipment ON or OFF, or to STOP the process when required. All of these events can develop into situations that may lead to an incident or severe accident.
Steps in a HAZOP for a Control/computer system
A HAZOP for a Control/computer system follows much the same process as a process HAZOP.
Prior to the HAZOP on the Control/computer system, the operating instructions and procedures should be reviewed for completeness, clarity, etc.
Break the Control/computer system to be analyzed down into individual networks, cells, sections, control room locations and elements; then follow the sequence of operating mode transitions, the interaction of sections, and operator actions/reactions and alarm interventions if required.
Analyze, for each operating mode, the transitions, sequences or interactions of the control system with the networks, cells, sections, control room locations, elements, and operator actions/reactions/tasks, using the chosen deviations.
Using HAZOP software, record the consequences of deviation from the control system's intended actions and reactions, the existing safeguards, and the risk rank; make recommendations where the risk is deemed unacceptable.
All operator actions and interventions are broken down into the individual steps of a procedure to:
Allow each step or status to be assessed more thoroughly for possible deviation of intent
Provide a flow and outline for the risk assessment process
CHAZOP hazard types and considerations
Types of hazards to be taken into consideration
Control/computer systems are related to process hazards. Hazards to be taken into consideration when analysing, designing or operating Control/computer systems:
Failure of control/computer systems (DCS, BPCS, PLC) may lead to:
Loss of containment of flammable liquids or vapours/gases
Toxic release hazards
Explosion hazards
Fire and heat transfer hazards (radiation, convection, conduction)
Hazards generated by electromagnetic noise
Hazards generated by vibration
Hazards generated by nuclear radiation release
Hazards generated by chemical materials and substances
Hazards generated by neglecting ergonomic principles in control design
Hazard combinations
Hazards associated with the environment in which the Control/computer system is used

What aspects of the Control/computer system might cause harm to personnel?
Consider the stability of the process under control, noise, vibration, and emission of toxic or flammable substances. Burns from hot surfaces, chemicals, or friction due to the high speed of rotating equipment also need to be considered.
Other factors include the possibility of entanglement, crushing, or cutting from rotating equipment and other tools. Also consider sharp edges on the machinery, hazardous chemical exposure, etc.
This stage should include all hazards that can be present during the lifecycle of the Control/computer system, including installation, commissioning, testing, operation, maintenance, modifications, and decommissioning.

Control/computer system related hazards: hazard scenarios and situations
Loss of process visualization/monitoring (loss of operator interface)
Unexpected process start-up, shutdown, or operating mode transition
Over-run, over-speed, or variations in operating speed (or any similar malfunction)
Abnormal variations in the rotational speed of equipment (pumps, motors, centrifuges, etc.)
Failure of partial or total control system power supplies and of one or several control I/O loop circuits (signals)
Systematic errors in software code / specifications
Effects of EMC / EMI
Loss of environmental controls, HVAC (effects of temperature, humidity, etc.)
Operator operating mode confusion, operator error
Lack of proper operating procedures and/or training, knowledge of DCS

What are we looking for (deviations)? Examples
The main purpose of the HAZOP on a Control/computer system is to identify the potential hazards and operability issues that may arise from deviations due to partial or total failure of the control/computer system, and/or incorrect control/computer system transition modes and sequences.
Typical guidewords and deviations may include:
No (not/none: a transition mode is not executed, no human process interface)
More (more of/higher: additional steps are added to a transition sequence)
Less (less of/lower: a transition is not completed or executed in its entirety)
Reverse (opposite to what is indicated in the transition sequence)
Part of (the operator completes part of the steps, or equipment failure results in partial completion; utility (electric power, compressed air) failure)
As well as (more than or also: a new step in the procedure is added)
Early (sooner than)
Late (later than)
Out of sequence
Other than (the operator or control system reacts or does something completely different and unexpected)

Human Error Considerations
The analysis must consider factors that influence human performance when attempting to identify potential hazards. During a CHAZOP one always needs to consider the potential for error when humans interact with a process and/or equipment at any level.
Human error (common cause):
Usually systematic
Major cause of most catastrophic accidents in the process industry
Impacts profitability through losses and lower quality product
Affected by the corporate culture and its management systems
Active human error: has an active, immediate effect as the cause of a hazardous situation, or is the direct initiator of a chain of events which may lead to an accident.
Latent human error: the effects of the error may only become active after a period of time. The error remains dormant, undiscovered, or hidden until conditions are suitable for its effect as the cause of a hazardous situation. (Concurrent events are usually the trigger for the error to become active.)

What are we not looking for?
The Control/computer system HAZOP must not become a Control/computer system design session. Just as in any HAZOP the team is there to look for hazards and identify recommendations to reduce or eliminate the hazards.
CHAZOP safeguard types and considerations
Types of safeguards to be considered
Safeguards may include:
Controller (BPCS/DCS) alarms and interlocks with operator action
Environmental alarms, HVAC alarms
Network communication BPCS/DCS alarms and interlocks
Safety Instrumented System (SIS) interlocks
Interlock switches
Mechanical stops, physical barriers
Alarms and operator intervention (executive action)
It is common to rely more on operator intervention as a safeguard than in a typical process HAZOP. This is because the operator is usually present or nearby when operating the process control system and is able to respond readily. A reasonable allowance can be made for operator intervention if close involvement with the control system allows for immediate detection and correction of the deviation, for example with the use of diagnostics. (Also, independent emergency shutdown.)
Recommendations
Examples of recommendations:
Adding an HVAC alarm; control room environmental alarms
Adding network communication diagnostic BPCS/DCS alarms
Rewording of a step in the step transition mode sequence for clarity
Rearranging the order of a step or steps in a defined operating mode sequence (i.e. startup, shutdown, etc.)
Deletion of a step to transition from one operating mode to another
Addition of a step to transition from one operating mode to another
Division and reorganization of the transition sequence states
Addition of a safety related instrumented safeguard: diagnostic alarm and operator action, or shutdown interlock
Adding redundancy of communication cables and/or equipment
Adding an additional process operator interface for critical DCS alarms
CHAZOP session approach
Approach for conducting a CHAZOP
Section identification: definition, selection, assignment, grouping
Sections of a control/computer system can be defined by taking into consideration where information from process parameters (pressure, temperature, flow, etc.) is gathered and manipulated and has a direct influence on process equipment with a specific, identified and defined design intent. Sections should be assigned on a functional basis to reflect a specific intent.
The design intent defines how the process section, node, is expected to function, run, work, operate, behave, act in the absence of deviations. Deviations apply to specific sections of a control/computer system.
Deviations from design intent or operating conditions can be identified by applying guide words to data transfer, equipment operating conditions, etc.
Sections have control/computer components (Ethernet switches, cables, controllers, etc.) that cause change in the process. Network line sections have interconnected equipment that can cause a significant change in the process if not working as intended or defective.
A section represents a part of a computer/control system in which process conditions are affected and matter undergoes change. For example, a BPCS controller can be a section because a pump can be turned on and liquid pressure is increased, or on a reactor the temperature can be increased and the chemical composition of the substance in the reactor changes. In practice, a single section will frequently involve more than one process change. For example, the BPCS controller CHAZOP section for a chemical reactor will act on changes to pressure, temperature and volume. The decision as to how big a section may be will depend on the consequence of the hazardous event being studied.
Guidelines and factors to consider during control system sectioning
Factors to consider:
Purpose or specific function of the process section or node (e.g. a BPCS)
Functional design intent of the computer/control system section
Material volume, amount, quantity influenced by the computer/control system section
Material physical state in the section: gas, liquid, solid, two phase, etc.
Computer/control system interface or connecting points
Study objectives and purpose
Guidelines:
Define each major computer/control system component as a section
Define one communication network section between major computer/control system components and equipment
Define additional sub-network sections for each data/information flow path, split, bifurcation, etc.
General approach for conducting a CHAZOP
Begin by defining the scope of the computer/control system in block flow diagram format, depicting the main functional components with their data transfer paths identified (communication networks, equipment location and environment, operator interfaces, human errors, equipment failure, external common failures: electric power, air, utilities).
Data transfer path identified will include the interfaces to the plant sensors and actuators and the operators.
The operational network interconnection diagram then serves as the design representation, equivalent to P&ID diagrams.
For each diagram the parts or sections (nodes) for study will be identified, and deviations from the design intent, based on guide words, will be applied.

Conducting a CHAZOP
Choose a section, such as the proposed architecture of the control/computer system, and explain and describe its purpose, intended design and function. Include types of process control, basic functions and considerations with respect to redundancy and diversity, including network elements, cable types, etc.
Review the expected performance when: a) one or several control subsystems fail (e.g. PLC, DCS, network); b) site power or other utilities fail.
Then, for each component identified, apply the appropriate deviations. For every identified cause or initiating event, ask the following:
1) Does a computer/controller in the system know?
2) What does the computer/controller do?
3) Does it announce, show, alarm or indicate that the event happened?
4) What can/does the operator do, or the control system do?
Examples
Workshop Example #1: Additional Information
Control Room and Servers Rack Room have dual HVAC, dual dust filters, single humidistat, single thermostat. Buildings A, B, and C: have single HVAC, single dust filters, single humidistat, single thermostat.
Plant Outage: $5000K per day.
Analyze nodes, developing deviations, causes and consequences
Assign the severity and likelihood for each scenario to establish the risk ranking, using the provided risk matrix
Develop safeguards or IPLs for the respective causes to reduce the risk level
Workshop Example #1

Workshop Example #2: Additional Information
Control Room and Rack Room have dual HVAC, dual sulphur scrubbers, single humidistat, single thermostat. Sulphur, Gas, and Utilities buildings: have single HVAC, single sulphur scrubber, single humidistat, single thermostat.
Utilities building PLC/controllers are older generation controllers/PLCs or third party controllers, (other vendors).
Plant Outage: $1000K per day.
Analyze nodes, developing deviations, causes and consequences
Assign the severity and likelihood for each scenario to establish the risk ranking, using the provided risk matrix
Develop safeguards or IPLs for the respective causes to reduce the risk level
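A constructed CHAZOP worksheet for the Example #1 nodes above, added here as an illustration and not the workshop's own software: it applies the deck's guidewords to the Building A and Control Room HVAC nodes, records the answers to the four per-cause questions, and risk-ranks each scenario before and after the recommended environmental alarm and redundancy. The 4x4 severity-by-likelihood matrix, the outage-cost severity bands and the one-band credit per safeguard are assumptions, since the workshop's risk matrix is not reproduced on the slides.

```python
"""Constructed CHAZOP worksheet for Workshop Example #1 (not the workshop's own
software). Guidewords, recommendation types and the four per-cause questions
follow the deck; the 4x4 risk matrix and the safeguard credit rule are assumed."""
from dataclasses import dataclass, field, replace

GUIDEWORDS = ("No", "More", "Less", "Reverse", "Part of", "As well as",
              "Early", "Late", "Out of sequence", "Other than")
OUTAGE_COST_K_PER_DAY = 5000  # Example #1 slide: plant outage $5000K per day

def risk_rank(severity: int, likelihood: int) -> str:
    """Assumed 4x4 matrix: rank = severity x likelihood, bands at 4 and 9."""
    if not (1 <= severity <= 4 and 1 <= likelihood <= 4):
        raise ValueError("severity and likelihood must be in 1..4")
    score = severity * likelihood
    return "High" if score >= 9 else "Medium" if score >= 4 else "Low"

def outage_severity(days_lost: float) -> int:
    """Map plant-outage cost to a severity band (constructed $K thresholds)."""
    cost_k = days_lost * OUTAGE_COST_K_PER_DAY
    return 4 if cost_k >= 10000 else 3 if cost_k >= 2500 else 2 if cost_k >= 500 else 1

@dataclass
class Scenario:
    node: str
    parameter: str
    guideword: str
    cause: str
    consequence: str
    severity: int
    likelihood: int
    controller_detects: bool = False  # 1) does a controller in the system know?
    alarmed: bool = False             # 3) does it announce / alarm the event?
    operator_action: str = ""         # 4) what can the operator do?
    safeguards: list = field(default_factory=list)

    def __post_init__(self):
        if self.guideword not in GUIDEWORDS:
            raise ValueError(f"unknown guideword {self.guideword!r}")

    def deviation(self) -> str:
        return f"{self.guideword} {self.parameter}"

    def residual_likelihood(self) -> int:
        # Assumed credit rule: each independent safeguard lowers likelihood one
        # band; operator intervention counts only when the deviation is alarmed
        # (the deck allows that credit only with immediate detection/diagnostics).
        credit = len(self.safeguards) + (1 if self.alarmed and self.operator_action else 0)
        return max(1, self.likelihood - credit)

    def rank_before(self) -> str:
        return risk_rank(self.severity, self.likelihood)

    def rank_after(self) -> str:
        return risk_rank(self.severity, self.residual_likelihood())

def example1_nodes() -> list:
    """Two Example #1 nodes: single HVAC in Building A; dual HVAC but a single
    thermostat (a common-cause element) in the Control Room. Scenario text is constructed."""
    return [
        Scenario("Building A HVAC", "cooling", "No",
                 cause="the single HVAC unit fails; no environmental alarm",
                 consequence="cabinet over-temperature, controllers trip, ~2 day outage",
                 severity=outage_severity(2), likelihood=3),
        Scenario("Control Room HVAC", "cooling", "No",
                 cause="the single thermostat fails and stops both HVAC units",
                 consequence="loss of operator interface and servers, ~1 day outage",
                 severity=outage_severity(1), likelihood=2),
    ]

def apply_recommendations(s: Scenario, operator_action: str, safeguards: list) -> Scenario:
    """Credit an environmental alarm with operator action plus added safeguards."""
    return replace(s, alarmed=True, operator_action=operator_action,
                   safeguards=s.safeguards + list(safeguards))

def worksheet(scenarios: list) -> list:
    return [dict(node=s.node, deviation=s.deviation(), cause=s.cause,
                 before=s.rank_before(), after=s.rank_after()) for s in scenarios]
```

Running `worksheet(example1_nodes())` shows both nodes at their unmitigated rank; passing each node through `apply_recommendations` with an HVAC alarm plus operator action and a redundant unit or thermostat shows how far the rank drops under the assumed credit rule.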
Workshop Example #2