1

A modular method for hazard and operability studies of process plant

Jefferson, Matthew January 1999 (has links)
The identification of hazards in chemical plants has become increasingly important. Not only have chemical plants become larger and more complex, but some countries now have regulations requiring that some form of formal hazard identification be carried out. With the increased speed of many other parts of the design process, hazard identification is becoming the log-jam in attempts to speed up the design of new plants still further. One of the most popular techniques for hazard identification is a hazard and operability study (HAZOP), in which a group of people attempt to identify creatively the possible hazards by applying a methodical process whereby the effect of deviations to every process variable is considered in every part of the plant. The aim of this thesis is to explore methods of improving hazard identification through the development of the HAZOP technique. This thesis examines possible improvements that can be made through a better understanding of activities and how they are carried out in HAZOP, discusses the possibilities of automated hazard identification based on HAZOP, and in particular presents a novel, modular HAZOP methodology. Modular HAZOP is based around identifying the modules that make up a chemical plant and then using previously generated HAZOP results associated with each of the modules. The hazards associated with these modules will therefore be known, and rules are required to deal with the interconnections between modules. Application of these rules determines any additional hazards that might arise from the interconnection of modules. A number of important principles have been identified, including the level of decomposition required, the use of interchangeable sub-modules within modules, the fact that the majority of cause-consequence scenarios exist in adjacent modules, and the categorisation of locally and remotely propagated effects. These provide for a procedure which is adaptable to different plant configurations, but can also be quickly and easily applied. The latter principles enable the simpler fault paths, which make up most of the cause-consequence scenarios, to be identified quickly, leaving a much reduced number of fault paths which require a more thorough analysis.
2

Reuse of experience in HazOp

Abrahamsen, Kristin Marheim, Knudsen, Andreas January 2004 (has links)
This report presents a study of the effect of reusing experience in the Hazards and Operability Analysis method (HazOp method) with regards to how the effectiveness of the method is affected. The study was conducted by first creating a software tool for experience reuse in HazOp, then testing that tool in a student experiment in which the participants used the tool when conducting a HazOp.

During the experiment it was found that students using the tool found 21% more hazards in the system under study than their counterparts. After conducting the experiment it was found that there was a 94% certainty that this improvement was not due to random effects.
4

Analýza bezpečnostních rizik při zpracování elektrárenských radioaktivních kalů do nízkoteplotních matric / Analysis of safety risks in the processing of power-plant radioactive sludges into low-temperature matrices

Svoboda, Štěpán January 2014 (has links)
The aim of this thesis is the identification and analysis of risks, and the subsequent design of technical modifications and procedures, in the field of low-level mixed waste treatment. The first part of the thesis briefly discusses repository requirements for solidified wastes in the Czech Republic. Next, the methods and matrices are described (including short descriptions of further high-temperature methods) from the point of view of their specific characteristics and the risks they present. The risks are assessed in three basic categories. The first is the influence on human health (radiation, dust, etc.). The second is technical safety, which corresponds to the level of safety of the machinery. The third is technological safety, which depends on the properties of the waste together with the matrix. The next part describes the experimental equipment and the method for risk evaluation. Subsequently, a risk analysis by the HAZOP method is carried out on the proposed machinery developed for use with a cement matrix, together with a ranking of the identified risks. For the more serious risks, measures and solutions to minimise their impact are suggested. The next part describes the experiments carried out and the results after implementing some of the recommended measures.
5

Método de aquisição de conhecimento para sistemas especialistas destinados à diagnose de falhas: aplicação de técnicas de análise de confiabilidade e de risco. / Knowledge acquisition method for expert systems for fault diagnosis: application of reliability and risk analysis techniques.

Hidalgo, Erick Miguel Portugal 24 November 2014 (has links)
The process of knowledge acquisition is a major step in developing an expert system and is considered one of the most difficult stages. This difficulty is due to the lack of an efficient, reliable and standard methodology for extracting and organising knowledge from various sources. The method presented in this thesis is an alternative that can be used to acquire the knowledge needed to develop expert systems for fault diagnosis in different areas of industry. This thesis presents a method that integrates reliability and risk analysis techniques such as Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA) and Hazard and Operability Study (HAZOP) for the acquisition of knowledge for fault diagnosis. The method also allows estimating the optimal intervention times of preventive maintenance by applying imperfect maintenance and multicriteria decision concepts. The method uses techniques employed in reliability and risk analysis to determine the relationship between a fault effect in the system and its root causes, in order to establish a structured procedure for acquiring the knowledge associated with the cause-effect relationships in a system. The method was validated by comparison with the failure history of a hydropower plant hydraulic system: considering that the events recorded as root causes in the failure history were found as results of the expert system's analysis, the method was validated. The method for determining the optimal intervention time for preventive maintenance was validated with results from the literature and with the plant's maintenance plans.
7

Hodnocení spolehlivosti lidského činitele / Human Factor Reliability Evaluation

Richter, Marek January 2010 (has links)
This thesis focuses on the evaluation of human factor reliability on an assembly line at the company Hella Autotechnik, s.r.o. in Mohelnice. The analysis is made with several methods. First, operator errors are estimated with the TESEO method; then Fault Tree Analysis (FTA) is used to detect the hazard factors influenced by production on the assembly line. Finally, hazard precautions are identified with a HAZOP study.
8

Incorporating human factors into process plant lifecycle

Widiputri, Diah Indriani 16 September 2011 (has links) (PDF)
Major accidents in the process industries occurred mostly as an outcome of multiple failures in different safety barriers and their interrelation with unsafe acts by frontline operators. This has become the reason why safety analyses in terms of plant technical aspects cannot be performed independently from analysing human response to the changing technology. Unsafe acts and errors by operators must be seen as a symptom of system insufficiencies and underlying problems, rather than as the cause of an accident. With this paradigm, the need to optimally configure the system and the whole working condition to account for human limitations and requirements becomes very evident. It is too naive to desire that human operators make zero errors by asking them to change their behaviour and to perfectly adapt to the system. Human Factors (HF) attempts to cope with the need to understand the interrelation between human operators, the technology they are working with and the management system, with the aim of increasing safety and efficiency. In achieving this goal, HF must be incorporated into the whole plant lifecycle, from the earliest design stage to plant operation and modifications. Moreover, HF analysis must comprise all kinds of operators' activities and responsibilities in operating process plants, which can include manual work in the field and supervisory control conducted remotely from a control centre/room. This work has developed techniques that provide a systematic way to incorporate HF into the process plant lifecycle. The new HF analysis technique, PITOPA-Design, in combination with the classic PITOPA, is applicable for implementation during design and operation of a plant. With the awareness that safety analysis and HF cannot be performed separately, an interconnection with HAZOPs is made possible by means of this new technique. Moreover, to provide a systematic analysis of operators' work in the control room, an additional technique, PITOPA-CR, was also developed. This HF technique can likewise be integrated into a general HF analysis both during the design phase and plant operation. In addition, results coming from PITOPA-CR will provide the information required to optimally configure the control and alarm system, as well as the whole alarm management system, to better account for the limitations and requirements of control room operators. The structure of the development can be described as follows: i) Development of HAZOPA (the Hazards and Operator Actions Analysis), which provides the interconnection between HF analysis and HAZOPs, ii) Development of PITOPA-Design, a technique to incorporate HF consideration into the design phase, which is differentiated into 3 stages to comprise the conceptual design, the basic engineering and the detail engineering phase, iii) Development of PITOPA-CR, a technique for HF analysis in the control room, iv) Integration of PITOPA-CR into the alarm management system, development of a technique for alarm prioritization. / Severe accidents in the process industries usually result from an interplay of several different failures together with the simultaneous interaction with incorrect human action. These erroneous actions are not to be regarded as the cause of the accident; rather, they result from faults that are to be found in the system itself. For this reason, the technical analysis within a safety analysis cannot be carried out independently of the consideration of Human Factors (HF). To achieve a reduction in erroneous actions, the plant design, its operability and the working environment must be adapted to human capabilities. Human Factors (HF) considers the interaction between the human, technical and organisational aspects of a plant, with the aim of optimising the safety and effectiveness of the plant. This requires integrating HF into the entire lifecycle of a plant. HF analyses must therefore be carried out not only during plant operation and process modifications, but also throughout the entire design process, since the potential for optimisation is particularly high in the early design phases. Such an analysis method must cover all the tasks of an operator, so a distinction must be made between manual work and work in the control room. In this work, analysis techniques were developed that represent a systematic approach to considering HF over the entire lifecycle of a process plant. With the help of the new analysis method, PITOPA-Design, investigations can be carried out both during the design phase and during plant operation. Since such an HF analysis must always be carried out in conjunction with a classic safety analysis, the new method directly integrates the HAZOP analysis. In addition, a further approach was developed for analysing operator actions in control-room work. This new analysis technique, PITOPA-CR, forms the basis for improvements to the alarm system and is integrated into the alarm management system. The work is structured as follows: i) Development of HAZOPA (the Hazards and Operator Actions Analysis). This method represents the integration of HF analysis into HAZOP. ii) Development of PITOPA-Design, for HF analysis during the entire design process of a process plant. The method was divided into three parts to cover the three design phases of conceptual, basic and detail design. iii) Development of PITOPA-CR, for HF analysis in the control room. iv) Integration of PITOPA-CR into the alarm management system and development of a technique for alarm prioritisation.
9

Incorporating human factors into process plant lifecycle: HF during design and operation of a process plant

Widiputri, Diah Indriani 10 June 2011 (has links)
Contents:
• Acknowledgement; Abstract; Zusammenfassung; Contents; Table of Figures; List of Tables; Nomenclature; Acronyms and Abbreviations
• Chapter 1: Introduction
  • 1.1 Background
  • 1.2 Objectives
  • 1.3 Scope of Work
• Chapter 2: Theoretical Background
  • 2.1 Fundamentals of Human Error
  • 2.2 Human Factors (HF)
  • 2.3 Motivations to Consider HF in Process Safety
    • 2.3.1 Accidents that Address HF in Process Safety
    • 2.3.2 Regulation and Legal Requirements
    • 2.3.3 Business Value
  • 2.4 Work of Operators in Complex Systems
    • 2.4.1 Role of Operators in Complex Systems
    • 2.4.2 Problems with Computerisation and Automation
    • 2.4.3 Allocation of Functions and Levels of Automation
  • 2.5 Performance Influencing Factors (PIFs)
  • 2.6 Distributed Control System (DCS) and Alarm Systems
    • 2.6.1 Alarm, Alarm System and Alarm Management
    • 2.6.2 Most Common Alarm Problems
    • 2.6.3 Improving Alarm Performance through Prioritization
  • 2.7 Safety Analysis Methods
    • 2.7.1 Qualitative Safety Analysis
    • 2.7.2 Quantitative Safety Analysis
  • 2.8 Mathematical Algorithms
    • 2.8.1 Techniques for Multi-Criteria Decision Making (MCDM)
    • 2.8.2 Classification Methods
• Chapter 3: Recent Developments in HF Studies
  • 3.1 Methods for HF analysis (A. Task Analysis; B. Techniques for Operators Actions Analysis)
  • 3.2 Human Reliability Analyses (HRA)
  • 3.3 Consideration of Human Error in HAZOP
  • 3.4 HF in Process Plant Design
  • 3.5 HF in Alarm Management and DCS-Design
  • 3.6 The Need for Further Development of HF Methods
• Chapter 4: Motivation of the Work
• Chapter 5: Process Industry Tool for Operator Actions Analysis (PITOPA)
  • 5.1 The New Technique for Operator Actions Analysis (OAA)
  • 5.2 Technique for Performance Influencing Factors (PIFs) Evaluation
  • 5.3 Validation of PITOPA in the Process Industry
• Chapter 6: Extending HAZOP to Integrate HF into General Safety Analysis
  • 6.1 Development of HAZOPA (The Hazard, Operability and Operator Actions Analysis)
  • 6.2 Case Study
• Chapter 7: Approach to Incorporating HF Consideration into Plant Design
  • 7.1 Development of an Approach for HF Analysis in Design – The PITOPA-Design
    • 7.1.1 HF Analysis in Conceptual Design Phase (HFAD-Conceptual)
    • 7.1.2 HF Analysis in Basic Engineering (HFAD-Basic)
    • 7.1.3 HF Analysis in Detail Engineering (HFAD-Detail)
  • 7.2 Technique for HF-Design Parameters Evaluation
  • 7.3 Intermediate Summary
• Chapter 8: Implementation of the New PITOPA-Design: A Case Study
  • 8.1 Conceptual Design
  • 8.2 Basic Engineering
  • 8.3 Detail Engineering
• Chapter 9: Approach for Improving Operator Performance in Control Room
  • 9.1 Performance Influencing Factors (PIFs) for Supervisory & Monitoring Tasks
  • 9.2 Development of PITOPA-Control Room (PITOPA-CR)
    • 9.2.1 Analysis of Normal Operation
    • 9.2.2 Analysis of Abnormal Operation
  • 9.3 Alarm Prioritization
    • 9.3.1 A Survey on Alarm Prioritization
    • 9.3.2 Incorporation of CROAA into Alarm Prioritization
  • 9.4 Intermediate Summary
• Chapter 10: Incorporation of Operator Actions Analysis into Alarm Management
• Chapter 11: Results and Future Works
  • 11.1 Results
  • 11.2 Future Works
• Bibliography; Appendix A; Appendix B
10

Safety-Bag pour les systèmes complexes / Safety-Bag for complex systems

Brini, Manel 23 November 2018 (has links)
Autonomous automotive vehicles are critical systems. Indeed, when they fail, they can cause catastrophic damage to humans and to the environment in which they operate. The control of robotic autonomous vehicles is a complex function with a great many potential failure modes. In the case of experimental platforms that have followed neither the development methods nor the certification cycle required for industrial systems, the probabilities of failure are much greater. Indeed, these experimental vehicles face two problems that impede their dependability, that is, the justified confidence that can be placed in their correct behavior. First, they are used in open environments, with a very wide execution context. This makes their validation very complex, since many hours of testing would be necessary, with no guarantee that all faults in the system are detected and then corrected. In addition, their behavior is often very difficult to predict or model. This may be due to the use of artificial intelligence software to solve complex problems such as navigation or perception, but also to the multiplicity of interacting systems or components that complicate the behavior of the final system, for example by generating emergent behaviors. One technique for increasing the safety of these autonomous systems is the introduction of an independent safety component, called a "Safety-Bag". This system is integrated between the control application and the actuators of the vehicle, which allows it to check online a set of safety necessities, which are properties necessary to ensure the safety of the system.
Each safety necessity is composed of a safety trigger condition and a safety intervention applied when the safety trigger condition is violated. This intervention consists of either a safety inhibition that prevents the system from moving to a risky state, or a safety action that returns the autonomous vehicle to a safe state. The definition of safety necessities must follow a rigorous method to be systematic. To do this, we carried out a dependability study based on two fault prevention methods: FMEA (AMDEC: Failure Modes, Effects and Criticality Analysis) and HazOp-UML (hazard and operability study), which focus respectively on the internal hardware and software components of the system and on the road environment and driving process. The result of these risk analyses is a set of safety requirements. Some of these safety requirements can be translated into safety necessities that are implementable and verifiable by the Safety-Bag. Others cannot be implemented in the Safety-Bag, which must remain a relatively simple component so that it is easy to validate. We then carried out experiments based on fault injection in order to validate some safety necessities and to evaluate the Safety-Bag's behavior. These experiments were done on our Fluence-type robotic vehicle in our laboratory in two different settings, first on the real SEVILLE track and then on the virtual track simulated by the Scanner Studio software on the VILAD testbed. The Safety-Bag remains a promising but partial solution for industrial autonomous vehicles. On the other hand, it meets the essential needs for ensuring the safety of experimental autonomous vehicles.
