Introduction Chaz Op

  • 8/10/2019 Introduction Chaz Op

    1/44

    1

    Title of Workshop. And Client

    Confidential. Not for reproduction. Copyright 2014 All rights reserved.

    CHAZOP Introduction

    Controls System Hazards and Operability Analysis

    2014


    The Learning Environment

    It is important for ACM and for you as our clients that the learning atmosphere and conditions are comfortable and suited for learning.

    Being respectful of others' viewpoints and patient for others to ask questions is important.

    Rules

    We are all here to learn from each other

    Respect each other's opinions

    This is a safe environment to learn

    Breaks are negotiated and managed by the group

    We start on time after breaks

    Emergency procedures

    CELL PHONES OFF OR ON VIBRATE

    HAVE FUN!

    Being interactive is the key to your success in learning new skills and knowledge.


    Agenda

    Building Emergency Procedures

    Introductions

    8:00-12:00 Theory for HAZOP of Computer/Controls System

    12:00-1:00 Lunch

    1:00-4:00 Continuation and CHAZOP exercises

    The Learning Environment


    PHA Study method - CHAZOP

    CHAZOP - qualitative

    Predictive identification of hazards, causes and consequences

    Identification of operability factors that influence human performance

    Identification of safeguards, preventive controls

    Recommendations for improvement.

    Risk Assessment - qualitative

    Probabilistic based assessment of hazards

    Risk assessed in function of consequences & likelihood (estimation of likelihood and consequence severity)


    Why do a HAZOP on a Computer/Controls System?


    Allows the hazards and risks associated with computer/control system designs to be analyzed and evaluated before the computer/control system is installed, commissioned, site tested, and put into operation

    Reflect the best thinking on how to safely operate and manage your computer/control systems

    Build upon and record process and computer/control system experience

    Assess what safety measures to use and the protection that they can provide

    Promote safe, efficient operation and maintenance

    Promote the idea that computer/control system and operating & maintenance procedures are vital plant components

    Reduce likelihood of incidents, accidents

    Improve quality, continuity, profitability and cost control

    Comply with governmental regulations or industrial initiatives requiring computer/control systems certification


    CHAZOP Study Objectives

    To identify computer/control system hazards, not to provide solutions to all hazards

    To provide confidence that potential hazards are identified

    To provide a qualitative estimate of the likelihood and the severity of potential incidents, accidents

    To qualitatively evaluate the consequences of failure of engineering and administrative controls


    To provide management with a concrete basis for making risk management decisions

    To identify ways in which operability might be improved

    To provide information which can be useful in improving future migration or modernization

    To provide objective documented evidence of a thorough, well conducted study for audit and insurance purposes


    Establish the limits of the computer system and its network

    Identify what plant units depend on or interact with the computer system for their operation

    Develop a block flow diagram of the functions of the computer in controlling the plant units

    Identify hazards of the units as defined by a hazard study or process HAZOP and include any hazards associated with the interactions between units.

    List those computer functions associated with the hazards in any way


    On which Computer/Controls System should I do a HAZOP?

    A HAZOP can be done on any Computer/Controls System.

    However, due to the level of detail required and time commitment, a HAZOP is typically performed on Computer/Controls Systems deemed to be critical. Critical Computer/Controls Systems should be identified at any facility.

    What defines a critical Computer/Controls System?


    What defines a critically hazardous Computer/Controls System?

    A critical Computer/Controls System may be defined by one or more of the following criteria:

    Any Computer/Controls System for which the consequence of deviating from the design intent causes a critical situation, incident, or accident

    Start-up or shutdown transition mode sequences for Computer/Controls System

    Maintenance operating mode transition sequence, (i.e. on/off line maintenance mode transition sequence)

    Abnormal operating Computer/Controls System states, modes, and transitions

    Emergency stop sequence, reset state, critical stop sequence

    Temporary operating modes transition sequences, set reference points

    Commissioning or Decommissioning modes, states, transitions and procedures

    Proof testing, or test mode (Bypassed equipment, on-line, off-line)


    When should you do a HAZOP on a Computer/Controls System?


    Critical Computer/Controls System

    Complex Computer/Controls System, (Complex architecture requirements)

    New Computer/Controls System

    Modified Computer/Controls System

    Migration or upgrade of Computer/Control System

    Addition of new equipment to an existing Computer/Controls System

    Changes in the transition modes sequences (modifies the sequencing)

    Comply with government regulations or industrial initiatives requiring special Computer/Controls System directives

    With any change that requires an MOC, the Computer/Controls System should also be considered for CHAZOP re-evaluation

    At any time during the lifecycle of the Control/computer system, (e.g. detail design & engineering).


    What information do you need for the CHAZOP?

    Preparation for a CHAZOP?


    Well documented Computer/Controls System operation

    Up to date schematics, network, I/O, CPU, etc. drawings and instructions

    Control system architecture layout and hierarchy, interfaces, interconnections and computer/control equipment location depiction

    Structure of the Control/computer system block flow diagrams

    Depiction of control/computer system data transfer speed, volume and flow directions

    Shutdown key, (Cause and Effect Matrix)

    Structural drawings to locate equipment and equipment positions, HVAC

    Reactive chemical matrix, MSDS for chemicals

    Overall description of the Computer/Controls System units, parts, environment

    Previous PHA studies, modifications, etc. on the Computer/Controls System

    PHA Team tour and inspection of the Computer/Controls System to be reviewed


    Who needs to attend the CHAZOP?

    Who needs to attend?


    Who needs to attend the PHA?

    Senior operations personnel involved in the day to day operation of the process area being reviewed

    Control systems/contact engineer involved in the day to day operation of the Control/computer system being reviewed, analyzed

    Equipment specialists

    Control system network designer

    Functional Safety / Process Safety Control equipment technical

    Site operations

    Site controls maintenance

    Other specialists as required

    DCS, BPCS, Vendors, manufacturers

    Specialized proprietary, OEM, IT - Information Technology


    Difference between process HAZOP and CHAZOP

    Differences from Process HAZOP.


    Control/computer system hazard analysis:

    Usually does not have or deal with flow of liquids or gases, but has flow or transfer of data/information through network cables, or wireless (Data: bits, bytes, words, frames, etc.).

    Hazards are different; they are related to the control system elements:

    Operators unable or partially unable to monitor process status of a plant that was still in control, computer/control system enters unpredictable operating mode, hardware inputs and outputs frozen or in unpredictable states, operator cannot make changes or activate/deactivate overrides or bypasses, operator is unable to turn ON or OFF equipment, or STOP the process when required.

    All these events can develop into situations that may lead to an incident or severe accident.


    Steps in a HAZOP for a Control/computer system

    HAZOP for Control/computer system follows much the same process as for a process HAZOP.

    Prior to the HAZOP on the Control/computer system, the operating instructions and procedures should be reviewed for completeness, clarity, etc.

    Break the Control/computer system to be analyzed down to individual networks, cells, sections, control room locations, elements; then follow the sequence of operating transition modes, interaction of sections, and operator actions/reactions, alarm interventions if required.

    Analyze on each operating mode the transitions, sequences or interactions of the control system with the networks, cells, sections, control room locations, elements, and operator actions/reactions tasks using the chosen deviations.

    Using HAZOP software record the consequences of deviation from the control system intended actions and reactions, existing safeguards, and risk rank; make recommendations where risk is deemed unacceptable.

    All operator actions, interventions are broken down into the individual step sequence of a procedure to:

    Allow each step or status to be assessed more thoroughly for possible deviation of intent

    Provide a flow and outline for the risk assessment process


    CHAZOP hazard types and considerations

    Types of Hazards to be taken into consideration


    Control/computer systems are related to process hazards

    Hazards to be taken into consideration when analysing, designing or operating Control/computer systems.

    Failure of control/computer, (DCS, BPCS, PLC), systems may lead to:

    Loss of containment of flammable liquid or vapour gasses

    Toxic releases hazard

    Explosion hazards

    Fire, heat transfer hazard (radiation, convection, conduction)

    Hazard generated by electromagnetic noise

    Hazards generated by vibration

    Hazards generated by nuclear radiation release

    Hazards generated by chemical materials and substances

    Hazards generated by neglecting ergonomic principles in control design

    Hazard combinations

    Hazards associated with the environment in which the Control/computer system is used


    Control/computer system related hazards

    What aspects of the Control/computer system might cause harm to personnel?

    Consider the stability of the process under control, noise, vibration, and emission of toxic or flammable substances. Also to be considered are burns from hot surfaces, chemicals, or friction due to high speeds of rotating equipment.

    Other factors such as the possibility of entanglement, crushing, cutting from rotating equipment and other tools. Also consider sharp edges on the machinery, hazardous chemical exposure, etc.

    This stage should include all hazards that can be present during the lifecycle of the Control/computer system, including the installation, commissioning, testing, operation, maintenance, modifications, and decommissioning.


    Control/computer System Hazard Scenarios, Situations

    Loss of process visualization, monitoring, (loss of Operator Interface)

    Unexpected process start-up, shutdown, or operating mode transition

    Over-run, over-speed, or variations in operating speed (or any similar malfunction)

    Abnormal variations in the rotational speed of equipment, (pumps, motors, centrifuges, etc.)

    Failure of partial or total control system power supplies and one or several control I/O loop circuits (signals).

    Systematic errors in software code / Specifications

    Effects of EMC / EMI

    Loss of environmental controls, HVAC, (effects of temp., humidity, etc.)

    Operator operating mode confusion, operator error

    Lack of proper operating procedures and/or training, knowledge of DCS


    What are we looking for (deviations)? (examples)

    The main purpose for the HAZOP on a Control/computer system is to identify the potential hazards and operability issues that may arise due to deviations from the partial or total failure of the control/computer system, and/or incorrect control/computer system transition modes and sequences.

    Typical guidewords, deviations may include:

    No (not/none, transition mode is not executed, no human process interface)

    More (more of/higher, additional steps are added to a transition sequence)

    Less (less of/lower, transition is not completed or executed in its entirety)

    Reverse (opposite to what is indicated in the transition sequence)

    Part of (operator completes part of the steps or equipment failure results in partial completion, utility (electric power, compressed air) failure)

    As well as (more than or also, a new step in the procedure is added)

    Early (sooner than)

    Late (later than)

    Out of sequence

    Other than (operator or control system reacts or does something completely different and unexpected)


    Human Error Considerations

    The analysis must consider factors that influence human performance when attempting to identify potential hazards.

    During CHAZOP one always needs to consider the potential for error when humans interact with a process and/or equipment at any level.


    Human Error Considerations (Common cause)

    Usually systematic

    Major cause of most catastrophic accidents in the process industry

    Impacts profitability through losses and lower quality product

    Affected by the corporate culture and its management systems


    Active Human Error

    Has an active immediate effect as the cause of a hazardous situation or is the direct initiator of a chain of events which may lead to an accident

    Latent Human Error

    The effects of the error may only become active after a period of time. The error remains dormant, undiscovered, or hidden until conditions are suitable for its effect as the cause of a hazardous situation. (Concurrent events are usually the trigger for the error to become active).


    What are we not looking for?

    The Control/computer system HAZOP must not become a Control/computer system design session.

    Just as in any HAZOP, the team is there to look for hazards and identify recommendations to reduce or eliminate the hazards.


    CHAZOP safeguard types and considerations

    Types of Safeguards to be considered


    Safeguarding

    Safeguards may include:

    Controllers BPCS/DCS alarms and interlocks with operator action

    Environmental alarms, HVAC alarms

    Network Communication BPCS/DCS alarms and interlocks

    Safety Instrumented Systems, SIS, interlocks

    Interlock switches

    Mechanical stops, physical barriers

    Alarms and operator intervention, executive action

    It is common to rely more on operator intervention as a safeguard than in a typical process HAZOP; this is because the operator is usually present or nearby when operating the process control system and is able to readily respond. A reasonable allowance can be made for operator intervention if close involvement with the control system allows for immediate detection and correction of the deviation, for example with the use of diagnostics. (Also, independent emergency shutdown.)


    Recommendations

    Examples of Recommendations:

    Adding an HVAC alarm; control room environmental alarms

    Adding Network Communication Diagnostic BPCS/DCS alarms

    Rewording of a step in the step transition mode sequence for clarity

    Rearranging the order of a step or steps in a defined operating mode sequence, (i.e. startup, shutdown, etc).

    Deletion of a step to transition from one operating mode to another

    Addition of a step to transition from one operating mode to another

    Division and reorganization of the transition sequence states

    Addition of a safety related instrumented safeguard; diagnostic alarm and operator action or shutdown interlock.

    Add redundancy of communication cables and/or equipment

    Add an additional process operator interface for critical DCS alarms


    CHAZOP session approach

    Approach for conducting a CHAZOP


    Section identification - definition, selection, assignment, grouping

    Sections of a control/computer system can be defined taking into consideration where information from process parameters (pressure, temperature, flow, etc.) is gathered, manipulated and has a direct influence on process equipment with a specific, identified and defined design intent. Sections should be assigned on a functional basis to reflect a specific intent.

    The design intent defines how the process section, node, is expected to function, run, work, operate, behave, act in the absence of deviations. Deviations apply to specific sections of a control/computer system.

    Deviations from design intent or operating conditions can be identified by applying guide words to data transfer, equipment operating conditions, etc.

    Sections have control/computer components (Ethernet switches, cables, controllers, etc.) that cause change in the process. Network line sections have interconnected equipment that can cause a significant change in the process if not working as intended or defective.


    Section identification - definition, selection, assignment, grouping

    A section represents a part of a computer/control system in which process conditions are affected and matter undergoes change. For example, a BPCS controller can be a section because a pump can be turned on, and liquid pressure is increased, or on a reactor the temperature can be increased and the chemical composition of the substance in the reactor changes. In practice, a single section will frequently involve more than one process change. For example, the BPCS controller CHAZOP section for a chemical reactor will act on changes to pressure, temperature and volume.

    The decision as to how big a section may be will depend on the consequence of the hazardous event being studied.


    Guidelines and Factors to consider during control system sectioning

    Factors to consider

    Purpose or specific function of the process section or node, (e.g. a BPCS)

    Functional design intent of the computer/control system section

    Material volume, amount, quantity influenced by the computer/control system section

    Material physical state in the section: gas, liquid, solid, two phase, etc.

    Computer/control system interface or connecting points

    Study objectives and purpose

    Guidelines

    Define each major computer/control system component as a section

    Define one communication network section between major computer/control system components, equipment

    Define additional sub-network sections for each data information flow path, split, bifurcation, etc.


    General approach for conducting a CHAZOP

    Begin by defining the scope of the computer/control system in block flow diagram format depicting the main functional components with their data transfer path identified. (Communication networks, Equipment location and environment, Operator interfaces, Human errors, Equipment failure, External common failures: electric power, air, utilities).

    Data transfer path identified will include the interfaces to the plant sensors and actuators and the operators.

    The operational network interconnection diagram then represents the design representation as an equivalent to P&ID diagrams.

    For each diagram the parts, sections, (nodes), for study will be identified, and deviations from the designed intent, based on guide words, will be applied.


    Conducting a CHAZOP

    Choose a section such as the proposed architecture of the control/computer system and explain and describe what its purpose, intended design and function is:

    Include types of process control, basic functions and considerations with respect to redundancy and diversity, including network elements, cable types etc.

    Review of expected performance when:

    a) One or several control subsystems fail (e.g. PLC, DCS, network),

    b) Site power failure or other utility failures.

    Then, for each component identified apply appropriate deviations.

    For every identified cause or initiating event, ask the following:

    1) Does a computer/controller in the system know?

    2) What does the computer/controller do?

    3) Does it announce, show, alarm, indicate that the event happened?

    4) What can/does the operator do, or the control system do?


    Examples

    Approach for conducting a CHAZOP


    Workshop Example #1

    Additional Information

    Control Room and Servers Rack Room have dual HVAC, dual dust filters, single humidistat, single thermostat.

    Buildings A, B, and C: have single HVAC, single dust filters, single humidistat, single thermostat.

    Plant Outage: $5000K per day.

    Analyze nodes developing deviations, causes and consequences

    Assign the severity and likelihood for each scenario to establish the risk ranking, using the provided risk matrix

    Develop safeguards or IPL for respective causes to reduce risk level
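As an added worked example (not from the workshop slides or the trainer's material), the Python below turns the worksheet steps of Workshop Example #1 and the "Conducting a CHAZOP" slide into code: it keeps the guideword list from the "What are we looking for (deviations)?" slide, applies the "No" guideword to each component of the Control Room / Server Rack Room node, ranks every scenario by severity and likelihood, and credits safeguards of the kinds listed on the Recommendations slide until the rank drops. The 5x5 matrix bands, the likelihood ranks derived from redundancy and the one-rank IPL credit are assumptions, since the slides' own risk matrix is not reproduced on the page.

```python
"""CHAZOP worksheet helper for the Control Room / Server Rack Room node of Workshop Example #1.
Added example, not workshop material. ASSUMED: the 5x5 risk matrix bands, the likelihood ranks
derived from redundancy and the one-rank IPL credit (the slides' own risk matrix is not shown)."""
from dataclasses import dataclass, field

# Guidewords from the "What are we looking for (deviations)?" slide.
GUIDEWORDS = ("No", "More", "Less", "Reverse", "Part of", "As well as",
              "Early", "Late", "Out of sequence", "Other than")
PLANT_OUTAGE_COST_K_PER_DAY = 5000  # Workshop Example #1: plant outage $5000K per day

def outage_cost_k(days: float) -> float:
    """Consequence cost in $K for a plant outage of the given duration in days."""
    return PLANT_OUTAGE_COST_K_PER_DAY * days

def risk_rank(severity: int, likelihood: int) -> str:
    """Assumed 5x5 matrix: rank = severity x likelihood, banded into Low / Medium / High."""
    if not (1 <= severity <= 5 and 1 <= likelihood <= 5):
        raise ValueError("severity and likelihood are ranked 1..5")
    score = severity * likelihood
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

@dataclass
class Component:
    name: str
    redundancy: int  # number of independent installed units

@dataclass
class Section:
    """A CHAZOP section (node): a functional part of the control system with one design intent."""
    name: str
    design_intent: str
    components: list[Component]

    def single_points_of_failure(self) -> list[str]:
        return [c.name for c in self.components if c.redundancy < 2]

@dataclass
class Scenario:
    """One worksheet row: deviation, cause, consequence, risk rank and credited safeguards."""
    section: str
    guideword: str
    deviation: str
    cause: str
    consequence: str
    severity: int
    likelihood: int
    safeguards: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.guideword not in GUIDEWORDS:
            raise ValueError(f"unknown guideword {self.guideword!r}")

    def risk(self) -> str:
        return risk_rank(self.severity, self.likelihood)

    def add_ipl(self, name: str, credit: int = 1) -> "Scenario":
        """Credit an independent protection layer: lowers likelihood by `credit` ranks (assumed)."""
        self.safeguards.append(name)
        self.likelihood = max(1, self.likelihood - credit)
        return self

def no_function_scenarios(section: Section, consequence: str, severity: int) -> list[Scenario]:
    """Apply the 'No' guideword to each component: a single unit makes total loss of the
    function credible (likelihood 4); duplicated units need a common-cause failure (2)."""
    rows = []
    for c in section.components:
        single = c.redundancy < 2
        rows.append(Scenario(
            section=section.name, guideword="No", deviation=f"No {c.name} function",
            cause=f"{c.name} failure" if single else f"common-cause failure of both {c.name} units",
            consequence=consequence, severity=severity, likelihood=4 if single else 2))
    return rows

# Workshop Example #1 data as given on the slide.
CONTROL_ROOM = Section(
    name="Control Room and Server Rack Room",
    design_intent="keep DCS servers and operator stations within temperature and humidity limits",
    components=[Component("HVAC", 2), Component("dust filter", 2),
                Component("thermostat", 1), Component("humidistat", 1)])

if __name__ == "__main__":
    print("Single points of failure:", CONTROL_ROOM.single_points_of_failure())
    consequence = f"loss of process visualization; one day of outage = ${outage_cost_k(1):,.0f}K"
    for comp, s in zip(CONTROL_ROOM.components, no_function_scenarios(CONTROL_ROOM, consequence, 5)):
        before = s.risk()
        if before == "High":  # recommendation types from the Recommendations slide
            s.add_ipl("control room environmental (HVAC) alarm with operator action")
        if s.risk() == "High":  # one alarm alone is not enough: remove the single point of failure
            s.add_ipl(f"second {comp.name} (redundancy)")
        print(f"{s.deviation:24} {before:>6} -> {s.risk():6} safeguards={s.safeguards}")
```

Running it shows the single thermostat and humidistat staying High after one alarm is credited, which is the point of the third worksheet step: a safeguard must bring the rank down, not merely be listed.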


    Workshop Example #2

    Additional Information

    Control Room and Rack Room have dual HVAC, dual sulphur scrubbers, single humidistat, single thermostat.

    Sulphur, Gas, and Utilities buildings: have single HVAC, single sulphur scrubber, single humidistat, single thermostat.

    Utilities building PLC/controllers are older generation controllers/PLCs or third party controllers, (other vendors).

    Plant Outage: $1000K per day.

    Analyze nodes developing deviations, causes and consequences

    Assign the severity and likelihood for each scenario to establish the risk ranking, using the provided risk matrix

    Develop safeguards or IPL for respective causes to reduce risk level
