HAZOP (Hazard and Operability) Method for Safety Analysis of Software Requirements Specification

Abstract

The digitalization of the instrumentation and control system of nuclear power plants makes the safety of computer software the most important issue. Recently, licensing criteria have required a safety analysis of the product of each phase of the lifecycle. A HAZOP (Hazard and Operability) method for the safety analysis of the software requirements phase has been suggested. HAZOP is a powerful hazard analysis technique with a long history in the process industries. As the use of digital systems in nuclear power plants becomes more common, there is a clear need for a HAZOP method that can be used effectively with such systems. This paper describes several attempts to derive the guide phrases, the checklist and the procedure for software HAZOP.
HAZOP (Hazard and Operability)

Table 1. Life Cycle Activity Groups (Source: NUREG-0800 (Standard Review Plan) [1], IEEE 1228-1994 [2])

Activity groups: Planning; Requirements; Design; Implementation; Integration; Validation; Installation; Operation & Maintenance

Planning documents: Software Management Plan, Software Development Plan, Software QA Plan, Integration Plan, Installation Plan, Maintenance Plan, Training Plan, Operations Plan

Design outputs by activity group:
  Requirements: Requirements Specification; Hardware & Software Architecture
  Design: Design Specification
  Implementation: Listings
  Integration: System Build Documents
  Installation: Installation Configuration Tables
  Operation & Maintenance: Operations Manuals, Maintenance Manuals, Training Manuals

Process requirements (process implementation) by activity group:
  Software Safety: Software Safety Plan; Requirements; Design; Integration; Validation; Installation; Change
  Software V&V: Software V&V Plan; V&V Requirements Analysis; V&V Design Analysis; V&V Implementation Analysis & Test; V&V Integration Analysis & Test; V&V Validation Analysis & Test; V&V Installation Analysis & Test; V&V Change
  Software CM: Software CM Plan; CM Requirements; CM Design; CM Implementation; CM Integration; CM Validation; CM Installation; CM Change

KNICS
[Figure: document flow among System Design Spec, SAR, PHA, PHL, SRS, SAD, SDD]

PHA: Preliminary Hazard Analysis
PHL: Preliminary Hazard List
SAD: SW Architecture Description
SAR:
SDD: SW Design Description
SRS: SW Requirements Spec

(V&V) (risk) Checklist, Hazard and Operability (HAZOP), Failure Mode Effect Analysis (FMEA), Fault Tree Analysis (FTA). FTA 1960

FTA, HAZOP, FMEA; FTA (fault tree); HAZOP
HAZOP Checklist
1. (risk)
2.
3. (SRS)
4.
5. Checklist
6. 3 HAZOP
7.
8.

HAZOP (Deviation) HAZOP 2 HAZOP
Table 3. Guide Phrases (Guide Phrases; 4 Checklist; HAZOP; 3 Hazard)

R: Requirements, A: Architectural Design, D: Detail Design, C: Coding

RADC  Stuck at all zeroes
RADC  Stuck at all ones
RADC  Stuck elsewhere
RADC  Below minimum range
RADC  Above maximum range
RADC  Within range, but wrong
RADC  Physical units are incorrect
RADC  Wrong data type or data size

RADC  Stuck at all zeroes
RADC  Stuck at all ones
RADC  Stuck elsewhere
RADC  Below minimum range
RADC  Above maximum range
RADC  Within range, but wrong
RADC  Physical units are incorrect
RADC  Wrong data type or data size

RA    Numerical value below acceptable range
RA    Numerical value above acceptable range
RA    Numerical value within range, but wrong
RA    Numerical value has wrong physical units
RA    Numerical value has wrong data type or data size
RA    Non-numerical value incorrect

RDC   Calculated result is outside acceptable error bounds (too low)
RDC   Calculated result is outside acceptable error bounds (too high)
RDC   Formula or equation is wrong
RDC   Physical units are incorrect
RDC   Wrong data type or data size
Table 4. Checklist

Function is not carried out as specified (for each mode of operation)
Function is not initialized properly before being executed
Function executes when trigger conditions are not satisfied
Trigger conditions are satisfied but function fails to execute
Function continues to execute after termination conditions are satisfied
Termination conditions are not satisfied but function terminates
Function terminates before necessary actions, calculations, events, etc. are completed
Function is executed in incorrect operating mode
Function uses incorrect inputs
Function produces incorrect outputs

Software fails in the presence of unexpected input data
Software fails in the presence of incorrect input data
Software fails when anomalous conditions occur
Software fails to recover itself when required

KNICS HAZOP
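The data-item guide phrases in Table 3 define the deviation space a HAZOP reviewer walks for each input requirement; the following added example (not from the paper or the KNICS project) turns that list into an executable classifier for one hypothetical, constructed 12-bit 4-20 mA pressure channel, so that a window of samples can be labelled with the guide phrase it deviates under. The spec fields, channel name, units and tolerance are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Guide phrases for a data item, taken from Table 3 (R/A/D/C rows).
STUCK_ZEROES, STUCK_ONES, STUCK_ELSEWHERE = ("Stuck at all zeroes",
    "Stuck at all ones", "Stuck elsewhere")
BELOW_MIN, ABOVE_MAX = "Below minimum range", "Above maximum range"
IN_RANGE_WRONG = "Within range, but wrong"
WRONG_UNITS, WRONG_TYPE = "Physical units are incorrect", "Wrong data type or data size"
NO_DEVIATION = "No deviation"

@dataclass(frozen=True)
class DataItemSpec:
    """Requirement-level description of one input data item (hypothetical, constructed)."""
    name: str
    units: str        # physical units the requirement prescribes
    width_bits: int   # word size of the raw value
    min_raw: int      # lowest raw count that is a valid reading
    max_raw: int      # highest raw count that is a valid reading
    tolerance: int    # allowed difference from an independently expected value

def classify(spec: DataItemSpec, samples: Sequence[object], units: str,
             expected: Optional[int] = None, stuck_window: int = 3) -> str:
    """Return the guide phrase under which a window of samples deviates from spec.

    Checks run in this order: data type/size, units, stuck-at patterns over the
    window, range of the latest sample, then agreement with an expected value.
    """
    for s in samples:
        if isinstance(s, bool) or not isinstance(s, int) or s.bit_length() > spec.width_bits:
            return WRONG_TYPE                      # not an integer, or wider than the word
    if units != spec.units:
        return WRONG_UNITS
    all_ones = (1 << spec.width_bits) - 1
    if len(samples) >= stuck_window and len(set(samples)) == 1:
        if samples[0] == 0:
            return STUCK_ZEROES
        return STUCK_ONES if samples[0] == all_ones else STUCK_ELSEWHERE
    latest = samples[-1]
    if latest < spec.min_raw:
        return BELOW_MIN
    if latest > spec.max_raw:
        return ABOVE_MAX
    if expected is not None and abs(latest - expected) > spec.tolerance:
        return IN_RANGE_WRONG                      # plausible but disagrees with expectation
    return NO_DEVIATION

# Constructed channel: 12-bit word, 4 mA = 819 counts; readings above 4000 are over-range.
PRESSURE = DataItemSpec("pressurizer pressure", "kg/cm2", 12, 819, 4000, 20)

if __name__ == "__main__":
    for window in ([0, 0, 0], [4095, 4095, 4095], [2048, 2048, 2048], [2000, 2010, 500]):
        print(window, "->", classify(PRESSURE, window, "kg/cm2", expected=2020))
```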
References

[1] NUREG/CR-6101, "Software Reliability and Safety in Nuclear Reactor Protection Systems," Lawrence Livermore National Laboratory, November 1993.
[2] IEEE Std 1228, "Standard for Software Safety Plans," Institute of Electrical and Electronics Engineers, 1994.
[3] NUREG/CR-6430, "Software Safety Hazard Analysis," Lawrence Livermore National Laboratory, February 1996.
[4] KNICS-ESF-SSP121, 2003.
[5] McDermid, J. A. & Pumfrey, D. J., "A Development of Hazard Analysis To Aid Software Design," COMPASS, 1994.