Title of Workshop. And Client


Confidential Not for reproduction
Copyright 2014 All rights reserved.
CHAZOP Introduction
Controls System Hazards and Operability Analysis


2014

The Learning Environment
It is important for ACM and for you as our clients that the learning
atmosphere and conditions are comfortable and suited for learning.
Being respectful of others' viewpoints and patient while others ask
questions is important.
Rules
We are all here to learn from each other
Respect each other's opinions
This is a safe environment to learn
Breaks are negotiated and managed by the group
We start on time after breaks
Emergency procedures
CELL PHONES OFF OR ON VIBRATE

HAVE FUN!
Being interactive is the key to your success in learning new skills and
knowledge.

Agenda
Building Emergency Procedures
Introductions
8:00-12:00 Theory for HAZOP of Computer/Controls System
12:00-1:00 Lunch
1:00-4:00 Continuation and CHAZOP exercises

Objectives of Workshop
To provide a basic understanding of performing a HAZOP on a
Computer/Control System
Demonstrate the concepts through a practice exercise.

PHA Study method - CHAZOP
CHAZOP - qualitative
Predictive identification of hazards, causes and consequences
Identification of operability factors that influence human
performance
Identification of safeguards, preventive controls
Recommendations for improvement.

Risk Assessment - qualitative
Probability-based assessment of hazards
Risk assessed as a function of consequences and likelihood
(Estimation of likelihood and consequence severity)

Why do a HAZOP on a Computer/Control System?
Allows the hazards and risks associated with computer/control system
designs to be analyzed and evaluated before the computer/control system
is installed, commissioned, site tested, and put into operation
Reflect the best thinking on how to safely operate and manage your
computer/control systems
Build upon and record process and computer/control system experience
Assess what safety measures to use and the protection that they can
provide
Promote safe, efficient operation and maintenance
Promote the idea that computer/control system and operating &
maintenance procedures are vital plant components
Reduce likelihood of incidents, accidents
Improve quality, continuity, profitability and cost control
Comply with governmental regulations or industrial initiatives requiring
computer/control systems certification

CHAZOP Study Objectives
To identify computer/control system hazards, not to provide
solutions to all hazards
To provide confidence that potential hazards are identified
To provide a qualitative estimate of the likelihood and the severity
of potential incidents, accidents
To qualitatively evaluate the consequences of failure of
engineering and administrative controls
To provide management with a concrete basis for making risk
management decisions
To identify ways in which operability might be improved
To provide information which can be useful in improving future
migration or modernization
To provide objective documented evidence of a thorough well
conducted study for audit and insurance purposes
Establish the limits of the computer system and its network
Identify what plant units depend on or interact with the computer
system for their operation
Develop a block flow diagram of the functions of the computer in
controlling the plant units
Identify hazards of the units as defined by a hazard study or
process HAZOP and include for any hazards associated with the
interactions between units.
List those computer functions associated with the hazards in any
way

On which Computer/Controls System should I do a HAZOP?
A HAZOP can be done on any Computer/Controls System.
However, due to the level of detail required and time commitment,
a HAZOP is typically performed on Computer/Controls Systems
deemed to be critical. Critical Computer/Controls Systems should
be identified at any facility.

What defines a critical Computer/Controls System?

What defines a critically hazardous Computer/Controls System?
A critical Computer/Controls System may be defined by one or more of the
following criteria:

Any Computer/Controls System for which the consequence of deviating
from the design intent causes a critical situation, incident, or accident
Start-up or shutdown transition mode sequences for Computer/Controls
System
Maintenance operating mode transition sequence, (i.e. on/off line
maintenance mode transition sequence)
Abnormal operating Computer/Controls System states, modes, and
transitions
Emergency stop sequence reset state critical stop sequence
Temporary operating modes transition sequences set reference points
Commissioning or Decommissioning modes, states, transitions and
procedures
Proof testing, or test mode (Bypassed equipment, on-line, off-line)

When should you do a HAZOP on a Computer/Controls System?
Critical Computer/Controls System
Complex Computer/Controls System, (Complex architecture requirements)
New Computer/Controls System
Modified Computer/Controls System
Migration or upgrade of Computer/Control System
Addition of new equipment to an existing Computer/Controls System
Changes in the transition modes sequences (modifies the sequencing)
Comply with government regulations or industrial initiatives requiring
special Computer/Controls System directives
With any change that requires an MOC, the Computer/Controls System
should also be considered for CHAZOP re-evaluation
At any time during the lifecycle of the Control/computer system, (e.g. detail
design & engineering).

Preparation for a CHAZOP
What information do you need for the CHAZOP?
Well documented Computer/Controls System operation
Up to date schematics, network, I/O, CPU, etc. drawings and instructions
Control system architecture layout and hierarchy, interfaces, interconnections
and computer/control equipment location depiction
Structure of the Control/computer system block flow diagrams
Depiction of control/computer system data transfer speed, volume and flow
directions
Shutdown key, (Cause and Effect Matrix)
Structural drawings to locate equipment and equipment positions, HVAC
Reactive chemical matrix, MSDS for chemicals
Overall description of the Computer/Controls System units, parts, environment
Previous PHA studies, modifications, etc. on the Computer/Controls System
PHA Team tour and inspection of the Computer/Controls System to be reviewed

Who needs to attend the CHAZOP?
Senior operations personnel involved in the day to day operation of
the process area being reviewed
Control systems/contact engineer involved in the day to day
operation of the Control/computer system being reviewed, analyzed
Equipment specialists
Control system network designer
Functional Safety / Process Safety
Control equipment technical
Site operations
Site controls maintenance
Other specialists as required
DCS, BPCS, Vendors, manufacturers
Specialized proprietary, OEM, IT - Information Technology

Differences from Process HAZOP
Control/computer system hazard analysis:
Usually does not have or deal with flow of liquids or gases, but has flow or
transfer of data/information through network cables or wireless links (data:
bits, bytes, words, frames, etc.).

Hazards are different; they are related to the control system elements:
operators unable or partially unable to monitor the process status of a plant
that is still in control, the computer/control system entering an unpredictable
operating mode, hardware inputs and outputs frozen or in unpredictable
states, the operator unable to make changes or activate/deactivate overrides
or bypasses, the operator unable to turn equipment ON or OFF, or to
STOP the process when required.
All these events can develop into situations that may lead to an
incident or severe accident.

Steps in a HAZOP for a Control/computer system
HAZOP for a Control/computer system follows much the same process as a
process HAZOP.

Prior to the HAZOP on the Control/computer system, the operating instructions
and procedures should be reviewed for completeness, clarity, etc.
Break the Control/computer system to be analyzed down into individual networks,
cells, sections, control room locations and elements; then follow the sequence of
operating transition modes, interaction of sections, operator
actions/reactions, and alarm interventions if required.
For each operating mode, analyze the transitions, sequences or interactions of the
control system with the networks, cells, sections, control room locations, elements,
and operator actions/reactions and tasks using the chosen deviations.
Using HAZOP software, record the consequences of deviation from the control
system's intended actions and reactions, the existing safeguards, and the risk rank; make
recommendations where the risk is deemed unacceptable.
All operator actions and interventions are broken down into the individual steps
of a procedure to:
Allow each step or status to be assessed more thoroughly for possible deviation of intent
Provide a flow and outline for the risk assessment process

Types of Hazards to be taken into consideration
Control/computer systems are related to process hazards.
Hazards to be taken into consideration when analysing, designing or
operating Control/computer systems.

Failure of control/computer systems (DCS, BPCS, PLC) may lead to:
Loss of containment of flammable liquids or vapours/gases
Toxic release hazards
Explosion hazards
Fire, heat transfer hazard (radiation, convection, conduction)
Hazard generated by electromagnetic noise
Hazards generated by vibration
Hazards generated by nuclear radiation release
Hazards generated by chemical materials and substances
Hazards generated by neglecting ergonomic principles in control design
Hazard combinations
Hazards associated with the environment in which the Control/computer
system is used

Control/computer system related hazards
What aspects of the Control/computer system might cause harm to
personnel?

Consider the stability of the process under control, noise, vibration, and
emission of toxic or flammable substances. Burns from hot surfaces,
chemicals, or friction due to high speeds of rotating equipment also need
to be considered.

Consider other factors such as the possibility of entanglement, crushing, or cutting
from rotating equipment and other tools. Also consider sharp edges on
the machinery, hazardous chemical exposure, etc.

This stage should include all hazards that can be present during the
lifecycle of the Control/computer system, including the installation,
commissioning, testing, operation, maintenance, modifications, and
decommissioning.

Control/computer System Hazard Scenarios, Situations
Loss of process visualization, monitoring, (loss of Operator Interface)
Unexpected process start-up, shutdown, or operating mode transition
Over-run, over-speed, or variations in operating speed (or any similar malfunction)
Abnormal variations in the rotational speed of equipment, (pumps, motors,
centrifuges, etc.)
Failure of partial or total control system power supplies and one or several control
I/O loop circuits (signals).
Systematic errors in software code / Specifications
Effects of EMC / EMI
Loss of environmental controls, HVAC, (effects of temp., humidity, etc.)
Operator operating mode confusion, operator error
Lack of proper operating procedures and/or training, knowledge of DCS

What are we looking for (deviations)? Examples
The main purpose of the HAZOP on a Control/computer system is to
identify the potential hazards and operability issues that may arise due
to deviations caused by the partial or total failure of the control/computer
system, and/or incorrect control/computer system transition modes and
sequences.
Typical guidewords and deviations may include:
No (not/none; transition mode is not executed, no human process interface)
More (more of/higher; additional steps are added to a transition sequence)
Less (less of/lower; transition is not completed or executed in its entirety)
Reverse (opposite to what is indicated in the transition sequence)
Part of (operator completes only part of the steps, or equipment failure results in partial
completion; utility (electric power, compressed air) failure)
As well as (more than or also; a new step in the procedure is added)
Early (sooner than)
Late (later than)
Out of sequence
Other than (operator or control system reacts or does something completely different
and unexpected)

Human Error Considerations
The analysis must consider factors that influence human
performance when attempting to identify potential
hazards.
During CHAZOP one always needs to consider the
potential for error when humans interact with a process
and/or equipment at any level.

Human Error Considerations (Common cause)
Usually systematic
Major cause of most catastrophic accidents in the
process industry
Impacts profitability through losses and lower quality
product
Affected by the corporate culture and its
management systems

Active Human Error
Has an active, immediate effect as the cause of a hazardous
situation, or is the direct initiator of a chain of events which may
lead to an accident

Latent Human Error
The effects of the error may only become active after a period
of time. Error remains dormant, undiscovered, or hidden until
conditions are suitable for its effect as the cause of a hazardous
situation. (Concurrent events are usually the trigger for the
error to become active).

What are we not looking for?

The Control/computer system HAZOP must not
become a Control/computer system design session.
Just as in any HAZOP the team is there to look for
hazards and identify recommendations to reduce or
eliminate the hazards.

Types of Safeguards to be considered
Safeguarding
Safeguards may include:
Controllers BPCS/DCS alarms and interlocks with operator action
Environmental alarms, HVAC alarms
Network Communication BPCS/DCS alarms and interlocks
Safety Instrumented Systems, SIS, interlocks
Interlock switches
Mechanical stops, physical barriers
Alarms and operator intervention executive action

It is common to rely more on operator intervention as a safeguard than
in a typical process HAZOP; this is because the operator is
usually present or nearby when operating the process control system
and is able to readily respond. A reasonable allowance can be made
for operator intervention if close involvement with the control system
allows for immediate detection and correction of the deviation, for
example with the use of diagnostics. (Also, independent emergency
shutdown.)

Recommendations
Examples of Recommendations:

Adding an HVAC alarm; control room environmental alarms
Adding a Network Communication Diagnostic BPCS/DCS alarms
Rewording of a step in the step transition mode sequence for clarity
Rearranging the order of a step or steps in a defined operating mode
sequence, (i.e. startup, shutdown, etc).
Deletion of a step to transition from one operating mode to another
Addition of a step to transition from one operating mode to another
Division and reorganization of the transition sequence states
Addition of a safety related instrumented safeguard; diagnostic alarm and
operator action or shutdown interlock.
Add redundancy of communication cables and/or equipment
Add an additional process operator interface for critical DCS alarms

Approach for conducting a CHAZOP
Section identification - definition, selection, assignment, grouping
Sections of a control/computer system can be defined taking into consideration
where information from process parameters (pressure, temperature, flow,
etc.) is gathered, manipulated and has a direct influence on process
equipment with a specific, identified and defined design intent.
Sections should be assigned on a functional basis to reflect a specific intent.

The design intent defines how the process section, node, is expected to
function, run, work, operate, behave, act in the absence of deviations.
Deviations apply to specific sections of a control/computer system.

Deviations from design intent or operating conditions can be identified by
applying guide words to data transfer, equipment operating conditions, etc.

Sections have control/computer components (Ethernet switches, cables,
controllers, etc.) that cause change in the process. Network line sections
have interconnected equipment that can cause a significant change in the
process if it is not working as intended or is defective.

A section represents a part of a computer/control system in which process
conditions are affected and matter undergoes change. For example, a BPCS
controller can be a section because a pump can be turned on, and liquid
pressure is increased, or on a reactor the temperature can be increased and
chemical composition of the substance in the reactor changes. In practice, a
single section will frequently involve more than one process change. For
example, the BPCS controller CHAZOP section for a chemical reactor will act
on changes to pressure, temperature and volume.
The decision as to how big a section may be will depend on the consequence
of the hazardous event being studied.

Guidelines and Factors to consider during control system sectioning
Factors to consider
Purpose or specific function of the process section or node, (e.g. a BPCS)
Functional design intent of the computer/control system section
Material volume, amount, quantity influenced by the computer/control
system section
Material physical state in the section: gas, liquid, solid, two phase, etc.
Computer/control system interface or connecting points
Study objectives and purpose

Guidelines
Define each major computer/control system component as a section
Define one communication network section between major
computer/control system components, equipment
Define additional sub-network sections for each data information flow
path, split, bifurcation, etc.

General approach for conducting a CHAZOP
Begin by defining the scope of the computer/control system in block flow
diagram format, depicting the main functional components with their data
transfer paths identified (communication networks, equipment location
and environment, operator interfaces, human errors, equipment failure,
external common failures: electric power, air, utilities).

The data transfer paths identified will include the interfaces to the plant
sensors and actuators and to the operators.

The operational network interconnection diagram then serves as the
design representation, equivalent to P&ID diagrams.

For each diagram the parts, sections (nodes) for study will be identified,
and deviations from the design intent, based on guide words, will be
applied.

Conducting a CHAZOP
Choose a section, such as the proposed architecture of the control/computer
system, and explain and describe its purpose, intended design and
function:
Include types of process control, basic functions and considerations with
respect to redundancy and diversity, including network elements, cable
types, etc.
Review the expected performance when:
a) One or several control subsystems fail (e.g. PLC, DCS, network),
b) Site power fails or other utility failures occur.
Then, for each component identified, apply the appropriate deviations.
For every identified cause or initiating event, ask the following:
1) Does a computer/controller in the system know?
2) What does the computer/controller do?
3) Does it announce, show, alarm or indicate that the event happened?
4) What can/does the operator do, or the control system do?

Examples
Workshop Example #1
Additional Information

Control Room and Servers Rack Room have dual HVAC, dual dust filters, single
humidistat, single thermostat.
Buildings A, B, and C: have single HVAC, single dust filters, single humidistat,
single thermostat.

Plant Outage: $5000K per day.
Analyze nodes developing deviations, causes and consequences
Assign the severity and likelihood for each scenario to establish the
risk ranking, using the provided risk matrix
Develop safeguards or IPL for respective causes to reduce risk level
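The guideword list, the four questions asked for every cause, and the severity/likelihood risk-ranking steps above, worked into one CHAZOP worksheet as an added Python example (not part of the workshop material). The 5x5 risk matrix, the rank thresholds and the two scenarios are constructed stand-ins, since the workshop's own risk matrix and node list are not reproduced here.

```python
"""Added CHAZOP worksheet helper (constructed example, not workshop material).
Applies a guideword to a section, records cause/consequence/safeguards and the
four questions asked for every cause, and risk-ranks each scenario. RISK_MATRIX
is an assumed 5x5 stand-in: the workshop's own matrix is not reproduced here."""
from dataclasses import dataclass, field
from typing import List

GUIDEWORDS = ("No", "More", "Less", "Reverse", "Part of", "As well as",
              "Early", "Late", "Out of sequence", "Other than")
# Assumed matrix: row = severity 1..5, column = likelihood 1..5; ranks L/M/H/E.
RISK_MATRIX = ("LLLLM", "LLMMH", "LMMHH", "MMHHE", "MHHEE")
UNACCEPTABLE = {"H", "E"}   # assumed threshold: these ranks require a recommendation

def risk_rank(severity: int, likelihood: int) -> str:
    """Qualitative risk rank; values off the 1..5 scales are rejected, not clamped."""
    if not (1 <= severity <= 5 and 1 <= likelihood <= 5):
        raise ValueError("severity and likelihood must be on the 1..5 scale")
    return RISK_MATRIX[severity - 1][likelihood - 1]

@dataclass
class Scenario:
    section: str                   # CHAZOP section (node), e.g. a BPCS controller
    guideword: str                 # one of GUIDEWORDS
    parameter: str                 # what the guideword is applied to
    cause: str
    consequence: str
    severity: int
    likelihood: int
    safeguards: List[str] = field(default_factory=list)
    # The four questions asked for every identified cause or initiating event.
    system_knows: bool = False     # 1) Does a computer/controller in the system know?
    system_action: str = "none"    # 2) What does the computer/controller do?
    annunciated: bool = False      # 3) Does it alarm or indicate that the event happened?
    operator_action: str = "none"  # 4) What can/does the operator or control system do?
    recommendation: str = ""

    def __post_init__(self) -> None:
        if self.guideword not in GUIDEWORDS:
            raise ValueError(f"unknown guideword: {self.guideword}")

    @property
    def deviation(self) -> str:
        return f"{self.guideword} {self.parameter}"

    @property
    def rank(self) -> str:
        return risk_rank(self.severity, self.likelihood)

    def needs_recommendation(self) -> bool:
        """Workshop rule: make recommendations where risk is deemed unacceptable."""
        return self.rank in UNACCEPTABLE

def worksheet(rows: List[Scenario]) -> List[str]:
    """One worksheet line per scenario; unacceptable rows lacking an action are flagged."""
    lines = []
    for r in rows:
        flag = ""
        if r.needs_recommendation() and not r.recommendation:
            flag = " <-- recommendation required"
        lines.append(f"{r.section} | {r.deviation} | {r.cause} | {r.consequence} | "
                     f"safeguards: {', '.join(r.safeguards) or 'none'} | "
                     f"S{r.severity} L{r.likelihood} -> {r.rank}{flag}")
    return lines

def example_rows() -> List[Scenario]:
    """Constructed scenarios drawn from Workshop Example #1 (single thermostat, dual HVAC)."""
    return [
        Scenario("Server rack room HVAC", "No", "temperature control",
                 cause="single thermostat fails", severity=4, likelihood=3,
                 consequence="rack room overheats; loss of servers and operator interface",
                 safeguards=["dual HVAC units"],
                 recommendation="add rack room environmental (HVAC) alarm with operator action"),
        Scenario("DCS to operator interface network", "No", "communication",
                 cause="single network switch fails", severity=4, likelihood=2,
                 consequence="loss of process visualization, monitoring",
                 safeguards=["network communication diagnostic alarm"],
                 system_knows=True, system_action="raises communication-failure alarm",
                 annunciated=True, operator_action="moves to a second operator interface"),
    ]
```

Calling `worksheet(example_rows())` yields one line per scenario; a scenario that ranks H or E and still has an empty recommendation is flagged so the team cannot close the node without one.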

Workshop Example #2
Additional Information

Control Room and Rack Room have dual HVAC, dual sulphur scrubbers, single
humidistat, single thermostat.
Sulphur, Gas, and Utilities buildings: have single HVAC, single sulphur scrubber,
single humidistat, single thermostat.

Utilities building PLC/controllers are older generation controllers/PLCs or third
party controllers, (other vendors).

Plant Outage: $1000K per day.
Analyze nodes developing deviations, causes and consequences
Assign the severity and likelihood for each scenario to establish the
risk ranking, using the provided risk matrix
Develop safeguards or IPL for respective causes to reduce risk level