54 Hazard Analysis
Guideword    Type of deviation        Typical problems
None of      No flow, no pressure     Blockage. Pump failure. Valve closed or failed shut. Leak. Suction vessel empty. Delivery pressure too high. Vapour lock.
Reverse of   Reverse flow             Pump failure. Pump reversed. Non-return valve failed. Non-return valve reversed. Wrong routing. Back siphoning.
More of      More flow                Reduced delivery head. Surging. Supply pressure too high. Controller saturated. Valve stuck open. Faulty flow measurement.
             High temperature         Blockage. Hot spots. Cooling water valve stuck. Loss of level in heater. Fouling of tubes. Blanketing by inerts.
Less of      Lower flow               Pump failure. Leak. Partial blockage. Cavitation. Poor suction head.
             Low vacuum               Ejector supply low. Leakage. Barometric leg level low.
Part of      Change in composition    High or low concentration. Side reactions. Feed composition change.
As well as   Impurities, extra phase  Ingress of air, water, etc. Corrosion products. Internal leakage. Wrong feed.
Other than   Abnormal operations      Start-up and shut-down. Testing and inspection. Sampling. Maintenance. Removal of blockage. Failure of power, air, water, steam, inert gas, etc. Emissions.
many of which may be unexpected. A good example is the failure of an analogue output card. In general, segregation policy should be such that all the output channels from one card are associated with a particular item of plant or processing function. Thus, if the card fails, or is removed for isolation purposes, that item of plant only is directly affected. However, if one of the outputs goes to a valve on another item of plant in a different area, perhaps because it was wired in at a later stage, that will fail too. Such failures would appear to be sporadic.
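The segregation policy above can be checked mechanically against the I/O allocation schedule. The following is an added example (not code from the book): it takes a constructed allocation table with hypothetical card, tag and plant-item names, flags any channel whose plant item differs from the item the rest of the card serves (the "wired in at a later stage" case), and lists which plant items each card failure or isolation would affect.

```python
"""I/O card segregation audit (added example; all data constructed, not from the book).

Policy under test: every output channel on a card serves one item of plant, so
a card failure, or removal of the card for isolation, affects that item only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    card: str        # I/O card identifier (hypothetical, e.g. "AO-03")
    channel: int     # channel number on the card
    tag: str         # valve/instrument tag (hypothetical)
    plant_item: str  # item of plant or processing function served
    area: str        # plant area


# Constructed allocation table: card AO-03 serves column C201, except for
# channel 3, which was wired at a later stage to a valve on reactor R101.
ALLOCATION = [
    Channel("AO-01", 1, "FV101", "R101", "Area 1"),
    Channel("AO-01", 2, "TV101", "R101", "Area 1"),
    Channel("AO-03", 1, "LV201", "C201", "Area 2"),
    Channel("AO-03", 2, "PV201", "C201", "Area 2"),
    Channel("AO-03", 3, "FV105", "R101", "Area 1"),  # late addition
]


def items_by_card(allocation):
    """Map each card to the set of plant items its channels serve."""
    by_card = defaultdict(set)
    for ch in allocation:
        by_card[ch.card].add(ch.plant_item)
    return dict(by_card)


def segregation_violations(allocation):
    """Return (card, channel, tag, plant_item, intended_item) for every channel
    that breaks the one-card-one-plant-item policy. The plant item served by
    most of a card's channels is taken as the card's intended allocation."""
    per_card = defaultdict(list)
    for ch in allocation:
        per_card[ch.card].append(ch)
    violations = []
    for card, channels in sorted(per_card.items()):
        intended = Counter(ch.plant_item for ch in channels).most_common(1)[0][0]
        for ch in channels:
            if ch.plant_item != intended:
                violations.append((card, ch.channel, ch.tag, ch.plant_item, intended))
    return violations


def failure_impact(allocation, card):
    """Plant items directly affected if the named card fails or is isolated."""
    return sorted(items_by_card(allocation).get(card, set()))


def report(allocation):
    """Human-readable audit lines: violations first, then per-card impact."""
    lines = []
    for card, num, tag, item, intended in segregation_violations(allocation):
        lines.append(f"{card} ch{num} ({tag}) serves {item} but the card is allocated to {intended}")
    for card in sorted(items_by_card(allocation)):
        lines.append(f"failure of {card} affects: {', '.join(failure_impact(allocation, card))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ALLOCATION)))
```

Run against the constructed table, the audit reports the late-wired channel on AO-03 and shows that an AO-03 failure would touch both C201 and R101, which is exactly the sporadic-looking cross-area failure the text describes.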
It is evident that there are various aspects of the control system that need to be subject to some form of HAZOP study. Ideally, these should be considered as part of the HAZOP study of the process and/or plant but, in practice, the design of the control system is seldom sufficiently complete at that stage of the design cycle for an integrated HAZOP study. Therefore it is necessary to carry out a separate computer hazard and operability (CHAZOP) study on the control system. Recognising that the design of the application software always lags behind the design of the rest of the system, it is appropriate that the CHAZOP study concentrates on the control system's hardware design, its I/O organisation and the system software. Consideration of the application software is deferred to a later control and operability (COOP) study.
54.3 CHAZOP Studies
Table 54.3 CHAZOP guidewords (columns: Guideword, Meaning, Comments): LOSS, RANGE, MIXTURE, VERSION, SECURITY.
Results of the full CHAZOP should be incorporated in the hardware aspects of the detailed functional specification (DFS) described in Chapter 62.
When applying CHAZOP the same terms are used as in conventional HAZOP but they take on more specific meanings. Thus:

Intention relates to the transfer of information (signals, commands, actions) between external elements of the control system and its internal software functions (both application and system) via either the system's I/O and/or communications channels or by means of operator interaction.

Guidewords that are more appropriate for CHAZOP are listed in Table 54.3.

Deviations are partial or total failures of either communications channels or processing functions.

Causes are those combinations of events that result in deviations, the consequences being outcomes that could lead to operability difficulties and/or hazardous situations.

Recommendations are additional requirements for inclusion in either the URS and/or DFS.
Guideword    Type of deviation / typical problems
Loss of      No/frozen signal. No power. No communication. Memory corrupted.
Range of     Distortion of signal. Channel segregation. Failure modes.
Version of   Operating system. System software packages.
Security of
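The "Loss of" and "Range of" rows above describe deviations that can also be watched for at run time. The following is an added example (not code from the book, and the tag names, ranges and readings are constructed): it classifies a short history of raw readings for each tag as no signal, frozen signal or out-of-range signal, and groups the findings under the CHAZOP guideword they correspond to.

```python
"""Run-time checks for the CHAZOP "Loss of" and "Range of" deviations
(added example; tags, engineering ranges and readings are constructed)."""

FROZEN_SAMPLES = 5  # consecutive identical readings treated as a frozen signal

# Deviation found by classify_signal -> CHAZOP guideword it falls under
GUIDEWORD = {
    "no signal": "Loss of",
    "frozen": "Loss of",
    "out of range": "Range of",
}

# Constructed engineering ranges (lo, hi) per hypothetical tag
LIMITS = {
    "FT101": (0.0, 100.0),
    "TT101": (-10.0, 250.0),
    "PT201": (0.0, 10.0),
}

# Constructed reading histories; None marks a sample with no signal received
SAMPLES = {
    "FT101": [42.1, 42.3, 42.0, 41.8, 42.2, 42.4],   # healthy, varying
    "TT101": [120.0, 120.0, 120.0, 120.0, 120.0, 120.0],  # frozen
    "PT201": [3.1, 3.2, None, 3.4, 12.5, 3.3],         # dropout and spike
}


def classify_signal(samples, lo, hi, frozen_n=FROZEN_SAMPLES):
    """Return the deviations found in one tag's reading history, in a fixed
    order: 'no signal', then 'out of range', then 'frozen'."""
    found = []
    if any(s is None for s in samples):
        found.append("no signal")
    values = [s for s in samples if s is not None]
    if any(v < lo or v > hi for v in values):
        found.append("out of range")
    # A run of frozen_n identical readings indicates a stuck channel or card.
    # (A genuinely constant process value would trip this too; the threshold
    # is a tuning choice per tag.)
    run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev else 1
        if run >= frozen_n:
            found.append("frozen")
            break
    return found


def audit(samples, limits):
    """Deviations per tag."""
    return {tag: classify_signal(samples[tag], *limits[tag]) for tag in samples}


def deviations_by_guideword(samples, limits):
    """Group 'tag: deviation' strings under their CHAZOP guideword."""
    grouped = {}
    for tag in sorted(samples):
        for dev in classify_signal(samples[tag], *limits[tag]):
            grouped.setdefault(GUIDEWORD[dev], []).append(f"{tag}: {dev}")
    return grouped


if __name__ == "__main__":
    for guideword, entries in deviations_by_guideword(SAMPLES, LIMITS).items():
        print(guideword)
        for entry in entries:
            print("  " + entry)
```

The frozen-signal threshold is the part that needs engineering judgement: too low and slow-moving measurements raise false alarms, too high and a stuck card goes unnoticed for longer.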
54.4
Central to the argument is the design of the application software and human factors. Quite simply, people interact with control systems to operate plant. It is very easy for operators to make mistakes: by making wrong decisions, by making changes at the wrong time, by not making decisions, and so on. Thus the application software needs to permit access by the operator to certain functions necessary for carrying out the operator's role but, at the same time, it needs to override inappropriate decisions and not permit certain interventions.

It follows that, to prevent the protection systems being exercised unnecessarily, there should be some systematic check on the design and functionality of the application software. This is best deferred to a separate control and operability (COOP) study since, as stated, the design of the application software lags behind the design of the rest of the system, usually to a considerable extent. In essence, a COOP study is used to check that the design of the application software has properly taken into account all conceivable and relevant human factors. It should also check that the logic is sound for the decisions being made by the system. Unless this is done systematically, by means of COOP or otherwise, it is not possible to argue that the control system is not contributing to the demand on the protection system.
54.5