HAZOP Study Notes
The Hazard Identification process: what can be learned from others' experience
Bilbo, 2 June 2008
Hazard identification and analysis is the core of safety system development and the basis for any safety assessment of a system.
Without hazards there is nothing to analyse, and there is no yardstick against which to judge whether any countermeasure is effective.
Current safety standards are all built on risk analysis (the risk-based approach); what we analyse is the risk arising from those hazards.
For an engineer without experience in this area, the fastest way to acquire it is to learn from others' experience.
What follows summarises the experience of Ansaldo, taken mainly from the paper "Hazard Analysis of Complex Distributed Railway Systems"; thanks to its authors for their work.
More precisely, this is a reading note on that paper.
Why do we spend so much effort on making a system safe? The simple answer is: because the standards require it.
Such standards include IEC 61508, EN 50128 and others.
What is a standard? A standard specifies the requirements or targets your system has to meet (some of them quantitative, more of them qualitative).
For example, the requirements of CENELEC EN 50126 for hazard analysis are:
1) A set of general items affecting the RAMS of railway systems that are the starting points for the identification process (a checklist).
2) A log (the hazard log) that records all the characteristics of the hazard, the projected mitigations and all the actions taken to achieve the desired level of safety.
3) An assessment of the criticality of the hazard scenario, based on the frequency of occurrence and on the severity of the consequences after the application of all the possible mitigations.
These, however, are only requirements; the standard says essentially nothing about how to implement them.
At least two questions are left unanswered: 1) how to identify all the possible hazards of the system and, in other terms, 2) how to give evidence that every major hazard scenario has been considered.
Of course, work has already been done on this. The Yellow Book, for example, proposes:
1) Identification of hazards should be based on HAZOP techniques, in which a series of keywords is applied to the main items and functions of the system.
2) The identified hazards should be analysed in hazard workshops in which system experts verify the hazard criticality in terms of severity and frequency of occurrence.
3) Risk analysis is performed on all the hazards. In this analysis not only should a quantitative fault tree of the causes be built, but the probability that a hazard scenario evolves into an accident should also be estimated, based on consequence trees.
4) A hazard can be closed when the set of mitigations identified is the best possible according to the As Low As Reasonably Practicable (ALARP) criterion. A cost/risk analysis is needed to identify the best solution among all the possible options.
However, the Yellow Book leaves the following questions unresolved:
a) How should a system be partitioned in order to apply a set of checklists and HAZOP techniques?
b) Which are the most appropriate keywords for the different aspects of the system?
c) How to verify that mitigations have been correctly applied?
d) How can events related to human activities be quantified? How can events related to new systems be quantified?
For these four questions, ASF proposes the following.
For questions a) and b): a modular identification process in which the system is partitioned into its functional and architectural components, and the keywords below are applied to each of them.
Keywords (KEYWORD: MEANING)
Not: The functional intent does not occur, or the operational aspect is not achievable.
Less: A quantitative decrease in the functional intent occurs.
More: A quantitative increase in the functional intent occurs.
Early: A functional step is started at the wrong time or done out of sequence.
Late: As for Early (the step is started too late or out of sequence).
For this, the management process shown in the figure below (the Hazard Action Process) is adopted; the figure is not reproduced in these notes.
Hazards are recorded in a structured way, i.e. in a hazard log, whose template is as follows:

Hazard Log structure (FIELD: MEANING)
Unique identification number: Every hazard has a unique identification number to allow tracking through the different phases of the process.
Description: A synthetic description of the hazard item. This description is also used to group hazards in fault tree analysis.
Causes: The initiating event or failure mode that may develop into a hazard: operator errors, component failures, environmental effects or external events. The field also covers all the scenarios leading to a hazard, for instance the effects of a component failure on the sub-assembly of which it forms a part, the effect on a component or sub-assembly of an environmental or external event, or the immediate effects of a particular operator error.
Consequences: To better describe the hazard scenario, the hazard log collects both sub-system and system effects. The first relates to the initiating event or failure mode at sub-system level; the latter describes the consequences of the sub-system effect at system level.
Mitigation/safeguards: Any feature that reduces the frequency of occurrence or the severity of the hazard. These may be separately designed systems, design aspects within the system/sub-system, relevant factors within the project environment, operational procedures or checks, or maintenance activities. They may apply at any level of the fault propagation, i.e. from the primary cause through to the final consequences.
Action: Any activity needed to gain better knowledge of the hazard scenario and of the applicable mitigation (see Section 4 of the paper).
Responsible: The designated person who performs the action or manages its execution.
Status: The current status of the hazard. There are five allowable statuses: Open, Cancelled, Resolved, Transferred and Closed (see the Hazard Status table below).
Note: An extensive description of the scenario or an explanation of the status, in particular why a hazard has been cancelled or transferred to another subsystem.
Date: For traceability, all the meetings in which the hazard log item was modified are listed, so that the history of the item can be reconstructed.

Hazard Status (VALUE: MEANING)
Open: The action to close the hazard has not been formally agreed.
Cancelled: The item has been determined not to be a hazard, or is encompassed within another identified hazard.
Resolved: The action to close the hazard has been agreed but has not been completed.
Transferred: The item has been recognised to be out of the scope of the present system and should be allocated to another hazard log.
Closed: The action to close the hazard has been formally completed and accepted.
There are only two ways of dealing with an identified hazard:
1) To initiate or consider a change to a design, a set of procedures or operating instructions (i.e. the existing requirements did not cover it, and a new requirement is added);
2) To provide evidence/confirmation that the design, procedures or operating instructions adequately address the issue (i.e. the existing design already took it into account, and this needs to be confirmed and verified).
For questions c) and d), a hazard closure process evaluates
a) the hazard criticality;
b) the effectiveness of the proposed mitigations;
c) the evidence that these mitigations have been correctly implemented in the final system,
and on that basis determines the final status of the hazard.
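As an added illustration (this is not code from the paper or from these notes), the following Python puts the keyword table, the hazard log fields and the five statuses together: the guidewords are applied to a short constructed list of system functions to produce one log entry per deviation, and status transitions enforce the closure rules above (a note saying why is required to cancel or transfer, an agreed mitigation, action and owner to mark a hazard Resolved, and evidence of implementation to Close it). The system items, dates and the SR-xx/TR-xx identifiers are constructed placeholders, and the rule that Open is the only entry state and that Cancelled, Transferred and Closed are terminal is an assumption of mine, not something the notes state.

```python
"""HAZOP guideword enumeration feeding a hazard log with the five statuses
of the tables above. Added illustration, not code from the Ansaldo paper."""
from __future__ import annotations
from dataclasses import dataclass, field

# Guidewords from the keyword table.
GUIDEWORDS = {"Not": "functional intent does not occur",
              "Less": "quantitative decrease in functional intent",
              "More": "quantitative increase in functional intent",
              "Early": "step starts too early or out of sequence",
              "Late": "step starts too late or out of sequence"}

# Allowed status transitions. Assumption (not stated in the notes): a hazard
# enters as Open; Cancelled, Transferred and Closed are terminal.
TRANSITIONS = {"Open": {"Resolved", "Cancelled", "Transferred"},
               "Resolved": {"Closed"}, "Cancelled": set(),
               "Transferred": set(), "Closed": set()}


@dataclass
class SystemItem:
    """A function or component to which the guidewords are applied."""
    name: str
    quantitative: bool = False  # Less/More meaningful (speed, distance, ...)
    sequenced: bool = False     # Early/Late meaningful (ordered steps)

    def guidewords(self) -> list[str]:
        words = ["Not"]         # any function can fail to occur at all
        if self.quantitative:
            words += ["Less", "More"]
        if self.sequenced:
            words += ["Early", "Late"]
        return words


@dataclass
class Hazard:
    """One hazard log entry (the fields of the hazard log structure above)."""
    ident: str
    description: str
    causes: list[str] = field(default_factory=list)
    subsystem_effect: str = ""
    system_effect: str = ""
    mitigations: list[str] = field(default_factory=list)
    action: str = ""
    responsible: str = ""
    status: str = "Open"
    note: str = ""
    evidence: str = ""                    # proof the mitigation is implemented
    history: list[tuple] = field(default_factory=list)  # (date, status, note)

    def transition(self, new: str, date: str, note: str = "", evidence: str = ""):
        # Closure rules: a why-note for Cancelled/Transferred, an agreed
        # mitigation+action+owner for Resolved, implementation evidence for Closed.
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.ident}: {self.status} -> {new} not allowed")
        if new in ("Cancelled", "Transferred") and not note:
            raise ValueError(f"{self.ident}: {new} needs a note saying why")
        if new == "Resolved" and not (self.mitigations and self.action and self.responsible):
            raise ValueError(f"{self.ident}: Resolved needs mitigation, action and owner")
        if new == "Closed" and not evidence:
            raise ValueError(f"{self.ident}: Closed needs implementation evidence")
        self.status, self.evidence, self.note = new, evidence or self.evidence, note or self.note
        self.history.append((date, new, note))       # the Date field: one line per change


class HazardLog:
    def __init__(self):
        self.entries: dict[str, Hazard] = {}

    def identify(self, items: list[SystemItem]) -> None:
        """One log entry per (item, applicable guideword) deviation."""
        for item in items:
            for word in item.guidewords():
                hz = Hazard(f"HZ-{len(self.entries) + 1:03d}",
                            f"{word} {item.name}: {GUIDEWORDS[word]}")
                self.entries[hz.ident] = hz

    def certifiable(self) -> bool:
        """No entry may remain Open or merely Resolved (agreed but unproven)."""
        return all(hz.status in ("Closed", "Cancelled", "Transferred")
                   for hz in self.entries.values())


def walk_example() -> HazardLog:
    """Constructed items and closure steps for a train-control-style system;
    the requirement and report identifiers are placeholders."""
    log = HazardLog()
    log.identify([SystemItem("compute braking curve", quantitative=True),
                  SystemItem("transmit movement authority", quantitative=True, sequenced=True),
                  SystemItem("apply emergency brake", sequenced=True)])
    hz = log.entries["HZ-002"]                # "Less compute braking curve"
    hz.causes.append("wrong train mass parameter")
    hz.mitigations.append("independent plausibility check of the braking curve")
    hz.action, hz.responsible = "add safety requirement SR-xx; verify by test", "safety engineer"
    hz.transition("Resolved", "2008-06-02", "agreed in hazard workshop")
    hz.transition("Closed", "2008-06-30", "test report accepted", evidence="test report TR-xx")
    log.entries["HZ-008"].transition("Cancelled", "2008-06-02",
                                     "encompassed within HZ-004: a late authority is no authority")
    log.entries["HZ-009"].transition("Transferred", "2008-06-02", "brake actuation is out of scope")
    return log
```

Running walk_example() yields eleven entries (three for the purely quantitative function, five for the function that is both quantitative and sequenced, three for the purely sequenced one); after the workshop steps one is Closed, one Cancelled, one Transferred and eight remain Open, so certifiable() is still False: the log only supports certification once nothing is left Open or merely Resolved, which is exactly the point of the closure process.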
To summarise ASF's method:
first, all the functional and architectural components and their interfaces are identified; then all possible hazard scenarios are identified. These scenarios are analysed in a series of hazard workshops and traced in a log, the hazard log, which also records the measures needed to mitigate them. Mitigations become new requirements for the system: only by providing evidence of their correct implementation can the system be certified as safe.
The documents produced by these processes together constitute, in essence, the safety case documents.