4_M02_HazardAnalysisMethod_CHN


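What Is HAZOP Analysis?

HAZOP (Hazard and Operability Analysis) is a structured, systematic analysis method for identifying design defects, process hazards, and operability problems. It was originally invented by Imperial Chemical Industries (UK) in 1960 and, after continuous improvement and refinement, has developed into a mature risk analysis method that is now widely applied in the risk assessment of all kinds of processes and projects.

Although the HAZOP method was introduced to China only recently, many countries have long made it one of their legally mandated process safety analysis methods.

The main purpose of HAZOP is to review the design of a plant for safety and operability.

HAZOP analysis is carried out jointly by experts from disciplines such as production management, process, safety, equipment, electrical, instrumentation, environmental protection, and economics. The method consists of identifying potential deviations from the design intent, analyzing their possible causes, and evaluating the corresponding consequences.

It uses standard guide words combined with the relevant process parameters to analyze the process systematically along the flow, and examines the problems that may arise under normal and abnormal conditions, their causes, the consequences they may lead to, and the measures that should be taken.

Basic HAZOP workflow: select a study node → select a process parameter → select a guide word → identify meaningful deviations → analyze the causes, consequences, and existing safeguards for each deviation → assess the risk → propose risk control recommendations.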

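Introduction to 13 Commonly Used Safety Evaluation Methods

1 Safety Review (SR)

The safety review method can be regarded as the first safety evaluation method; it is sometimes also called a process safety review, a "design review," or a "loss prevention review." It can be used at any stage of a construction project. When an existing (in-service) plant is evaluated, a traditional safety review mainly comprises walk-through inspections, formal routine inspections, or safety inspections. (For example, if the process is still at the design stage, the design project team can review a set of drawings.)

The purpose of the safety review method is to identify plant conditions or operating procedures that could lead to accidents, cause injuries, result in significant property loss, or have a major impact on the public environment. Safety reviewers are generally people associated with the plant, namely operators, maintenance personnel, engineers, managers, safety officers, and so on, depending on how the plant is organized.

The aim of a safety review is to raise the safe operation level of the whole plant, not to interfere with normal operation or to penalize the problems that are found. After completing the review, the evaluators should propose specific measures and recommendations for the areas in urgent need of improvement.

2 Safety Checklist Analysis (SCA)

To find the hazards and harmful factors in the equipment and facilities, materials, workpieces, operations, management, and organizational measures of a project or system, the object to be examined is decomposed in advance: the large system is divided into a number of smaller subsystems, and the inspection items are listed and checked one by one in the form of questions or scores so that nothing is missed. Such a list is called a safety checklist.

3 Risk Rank (RR)

The risk index method is an evaluation method. Evaluators compare and calculate the inherent attributes of several process conditions and operations (distinguishing the hazard of different work sites on the basis of work-site hazard level, accident probability, and accident severity) to determine the relative importance of the process hazard characteristics and, based on the results, to decide which objects require further evaluation.

Risk index evaluation can be applied at every stage of an engineering project (feasibility study, design, operation, etc.), or before the detailed design is completed, or before a hazard analysis plan for an existing plant is drawn up. It can of course also be used on in-service plants as a basis for determining process and operational hazards.

Several risk ranking methods are now in wide use. The method can be applied simply or elaborately, takes many forms, and can be qualitative or quantitative. For example, the evaluator can rank a site simply from a qualitative assessment of work-site hazard level, accident probability, and accident severity; or, in a more complex approach, assign numerical values to process characteristics to build a numerical chart from which quantified ranking factors can be calculated. Commonly used evaluation methods are: (1) hazard degree evaluation; (2) the Dow Chemical Fire and Explosion Index method; (3) the Mond method; (4) the chemical plant hazard rank index method; (5) other hazard rank evaluation methods.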

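Hazard and Operability (HAZOP) Analysis: Method, Requirements, and Points to Note

HAZOP is the abbreviation of the English term Hazard and Operability Studies, meaning hazard and operability analysis.

It is a process hazard analysis method widely adopted by industry, and one of the important means of finding accident hazards, preventing major accidents, and achieving safe production.

Applied correctly, the HAZOP method can:
(1) identify potential hazards and operability problems in the process;
(2) estimate the adverse consequences the hazards may lead to;
(3) clarify how potential accidents form and propagate;
(4) find the existing safeguards in the important accident scenarios (sequences) and evaluate their effect;
(5) assess the risk level of potential accidents;
(6) where necessary, propose recommendations for reducing risk;
(7) help the team deepen its understanding of the process system through the analysis itself.

Risk identification and analysis of production and storage installations involving key-regulated hazardous chemicals, key-regulated hazardous chemical processes, and major hazard sources of hazardous chemicals (hereinafter collectively "two key items and one major item") must use hazard and operability analysis (HAZOP), generally once every 3 years.

Whether a HAZOP analysis is completed on time and to the required quality and quantity, and whether the analysis proceeds smoothly, depends to a large extent on the capability and experience of the HAZOP analysis.

HAZOP analysis requires the relevant specialist knowledge, HAZOP analysis knowledge, HAZOP analysis experience, and organizational ability.

HAZOP professional competence requirements: HAZOP requires a solid background in disciplines related to chemical engineering.

Examples are chemical engineering principles, physical chemistry, organic chemical engineering, chemical machinery, process design, and chemical instrumentation and automatic control.

In HAZOP, if the relevant specialist knowledge is not solid, the analysis may lack depth, the path by which an accident develops may be unclear, and it becomes hard to judge the effectiveness and feasibility of recommendations.

For example, analyzing a distillation column requires a clear grasp of the column's structure, its principles, and the theoretical analysis of abnormal phenomena during operation, including what flash point, flooding, weeping, reflux ratio, vapor pressure, and fractions are, and the accident scenarios on which safety valve sizing is based.

HAZOP requires a clear understanding of control loop types (feedback control, proportional control, cascade control, split-range control, override control) and interlock logic diagrams.

A solid professional foundation makes it possible in HAZOP to read the information shown on a P&ID quickly, especially the information on the relevant layers of protection.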

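HAZOP Risk Analysis Methods

1 Traditional HAZOP Analysis

HAZOP analysis is a qualitative analysis method for identifying design defects, process hazards, and operability problems. HAZOP analysis is performed on process units, which are also called "analysis nodes." For each analysis node, the process (state) parameters of normal operation are taken as the reference values; deviations of the process (state) parameters during operation are analyzed, together with their causes and the hazardous consequences they may lead to, and the safety measures that should be added are proposed in light of the existing safeguards.

The risk assessment technique used in HAZOP risk analysis is in most cases the risk matrix method.

2.1 Risk Matrix Method

The risk matrix method is a qualitative risk assessment method. Risk matrices take many forms, such as the simplest 3×3 matrix, the 5×5 matrix provided by the International Organization for Standardization, and the 5×7 matrix used by the Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers. The CCPS 5×7 matrix is used below as an example.

In the CCPS 5×7 matrix, the harm caused by accident consequences is considered in four respects: harm to employees, the public, the environment, and facilities. When applying a risk matrix, each company should determine its accident consequence levels according to what it can bear: for a small enterprise a loss of one million yuan may already count as a major accident, while for a large enterprise the figure may be ten million yuan. When applying a risk matrix, therefore, first establish the criteria for classifying accident levels according to the actual situation rather than adopting them mechanically.

2.1.1 Accident consequence levels

The CCPS classification of accident consequence levels (S) is given in Table 1.

2.1.2 Accident frequency levels

The classification of accident frequency levels (L) is given in Table 2.

Table 1 Accident consequence levels

| Level | Severity | Description |
|---|---|---|
| 1 | Very low consequence | Employees: no injury, no lost time. Public: no injury, hazard, or nuisance. Environment: the event causes no harm to the workplace or the environment. Facilities: minimal facility damage, estimated loss below USD 10,000, no product loss. |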

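Hazard and Operability Analysis (HAZOP)

Hazard and Operability Analysis (HAZOP) is a systematic method for identifying and evaluating the hazards and operability problems that may occur in a process.

HAZOP analysis examines the process through structured questions and answers, helping engineers and operators identify risks and take appropriate measures to prevent accidents.

The main steps of a HAZOP analysis are selecting the team members, defining the system boundaries, setting the objectives and scope of the HAZOP study, identifying potential hazards and operability problems, evaluating and classifying the risks, and defining the corresponding control measures.

The analysis usually has to consider a range of factors such as process variables, equipment failures, human behavior, and environmental factors.

The strength of HAZOP analysis is that it systematically considers the various types of risk that may occur in a system and finds corresponding solutions.

It can effectively identify and anticipate potential accident risks and help define reasonable control measures, thereby reducing the probability of accidents.

In addition, HAZOP analysis improves engineers' and operators' knowledge and understanding of the system and promotes teamwork and communication.

However, HAZOP analysis also has some limitations.

First, the scope of a HAZOP analysis is large, and it consumes a great deal of time and staff resources.

Second, HAZOP analysis depends on the experience and expertise of the team members; if their professional competence is low, the accuracy and reliability of the analysis may suffer.

In addition, HAZOP analysis can only be applied to existing systems; newly designed systems have to be analyzed with other methods.

These factors therefore need to be fully considered when carrying out a HAZOP analysis, and plans and measures made accordingly.

First, select experienced team members, including engineers, operators, and safety experts.

Second, make the objectives and scope of the analysis explicit, and draw up a detailed work plan and schedule.

Then, define control measures for the risks and problems that may exist, and put them into practice in actual operation.

Finally, evaluate and update the HAZOP results regularly to ensure they remain valid and workable.

In summary, HAZOP analysis is an effective method that helps identify and evaluate the hazards and operability problems in a process and reduces the probability of accidents.

However, it has to take many factors into account and coordinate the work of a team in order to produce accurate and reliable results.

Only when it is correctly applied and properly controlled can HAZOP analysis deliver its full benefit and improve the safety and operability of a system.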

HAZOP

abbr. Hazard and Operability Analysis

Definition: Hazard and operability analysis (HAZOP) is a process hazard analysis method widely used in industry worldwide today, and an important tool and effective means for organizations handling hazardous chemicals to find accident hazards and prevent major accidents.

Other renderings: hazard and operability study; hazard and operability analysis.

Phrases: process HAZOP; Hazop analysis (hazard and operability analysis); Human HAZOP.

Example sentences:
1. Close-out of risk assessment actions, Safety review findings, HAZOP findings, HAZID Workshop findings.
2. This paper discussed the well control safety by combining the Hazard and Operability Analysis (HAZOP) technology with the well control simulation analysis.
3. HAZOP of well control operations is a technology which analyzes the process of well control operations and the deviations of parameters to identify hazards.

Encyclopedia entry: HAZOP is recognized as a safety evaluation method that can greatly improve the safety and reliability of plant production, owing to the active and important role it plays in preventing and reducing accidents, lowering the losses caused by disasters, and analyzing the causes of accidents.

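Introduction to the HAZOP Safety Analysis Method

Abstract: Describes in detail the HAZOP (hazard and operability) analysis method and the points to note when carrying out HAZOP analysis work.

Keywords: safety, HAZOP, analysis, assessment, measures

1 Introduction

With the vigorous development of the chemical industry and the large-scale use of flammable, explosive, or highly toxic hazardous chemicals, accidents that cause serious loss of life and property and environmental pollution are inevitable if people fail to understand these hazards correctly during production, use, and storage and do not take scientific, effective precautions.

Strengthening safety management and raising employees' safety awareness are effective means of preventing accidents, and a scientific, effective hazard evaluation and analysis method is one of the indispensable measures.

It gives people a clear understanding of the hazards of the entire production, manufacturing, and storage system, so that they can manage and inspect in a targeted way, eliminate safety hazards, establish strict operating procedures, and strengthen the safety protection measures for employees.

This article introduces HAZOP, an analysis method in widespread use internationally, and discusses the HAZOP execution procedure and the issues to watch for when carrying out a HAZOP analysis.

2 What Is HAZOP Analysis

HAZOP (HAZard and OPerability study) means "hazard and operability analysis": an experienced, multidisciplinary team of experts raises safety-related questions about the design and operation of a plant and jointly discusses ways of resolving them.

In the study, the continuous process flow is divided into many sections. Using guide words for the relevant design parameters, questions are raised about situations in which the process or operation may deviate from the design standard parameters. The team leader guides the team members in finding the causes of each deviation; if the deviation leads to a hazard, the team briefly describes the hazard, evaluates whether the safeguards are adequate, and may recommend more effective safeguards for design and operation.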

Risk Assessment Techniques and Methods: 4._Preliminary_Hazard_List

Chapter 4
Preliminary Hazard List

Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II
Copyright © 2005 John Wiley & Sons, Inc.

4.1 INTRODUCTION

The preliminary hazard list (PHL) is an analysis technique for identifying and listing potential hazards and mishaps that may exist in a system. The PHL is performed during conceptual or preliminary design and is the starting point for all subsequent hazard analyses. Once a hazard is identified in the PHL, the hazard will be used to launch in-depth hazard analyses and evaluations, as more system design details become available. The PHL is a means for management to focus on hazardous areas that may require more resources to eliminate the hazard or control risk to an acceptable level. Every hazard identified on the PHL will be analyzed with more detailed analysis techniques.

This analysis technique falls under the conceptual design hazard analysis type (CD-HAT). The PHL evaluates design at the conceptual level, without detailed information, and it provides a preliminary list of hazards. There are no alternate names for this technique.

4.2 BACKGROUND

The primary purpose of the PHL is to identify and list potential system hazards. A secondary purpose of the PHL is to identify safety critical parameters and mishap categories. The PHL analysis is usually performed very early in the design development process and prior to performing any other hazard analysis. The PHL is used as a management tool to allocate resources to particularly hazardous areas within the design, and it becomes the foundation for all other subsequent hazard analyses performed on the program. Follow-on hazard analyses will evaluate these hazards in greater detail as the design detail progresses. The intent of the PHL is to affect the design for safety as early as possible in the development program.

The PHL is applicable to any type of system at a conceptual or preliminary stage of development. The PHL can be performed on a subsystem, a single system, or an integrated set of systems. The PHL is generally based on preliminary design concepts and is usually performed early in the development process, sometimes during the proposal phase or immediately after contract award in order to influence design and mishap risk decisions as the design is formulated and developed.

The technique, when applied to a given system by experienced system safety personnel, is thorough at identifying high-level system hazards and generic hazards that may exist in a system. A basic understanding of hazard theory is essential as well as knowledge of system safety concepts. Experience with the particular type of system under investigation, and its basic components, is necessary in order to identify system hazards. The technique is uncomplicated and easily learned. Typical PHL forms and instructions are provided in this chapter.

The PHL technique is similar to a brainstorming session, whereby hazards are postulated and collated in a list. This list is then the starting point for subsequent hazard analyses, which will validate the hazard and begin the process of identifying causal factors, risk, and mitigation methods. Generating a PHL is a prerequisite to performing any other type of hazard analysis. Use of this technique is highly recommended. It is the starting point for more detailed hazard analysis and safety tasks, and it is easily performed.

4.3 HISTORY

The technique was established very early in the history of the system safety discipline. It was formally instituted and promulgated by the developers of MIL-STD-882.

4.4 THEORY

The PHL is a simple and straightforward analysis technique that provides a list of known and suspected hazards. A PHL analysis can be as simple as conducting a hazard brainstorming session on a system, or it can be a slightly more structured process that helps ensure that all hazards are identified. The PHL method described here is a process with some structure and rigor, with the application of a few basic guidelines.

The PHL analysis should involve a group of engineers/analysts with expertise in a variety of specialized areas. The methodology described herein can be used by an individual analyst or a brainstorming group to help focus the analysis. The recommended methodology also provides a vehicle for documenting the analysis results on a worksheet.

Figure 4.1 shows an overview of the basic PHL process and summarizes the important relationships involved in the PHL process. This process consists of combining design information with known hazard information to identify hazards. Known hazardous elements and mishap lessons learned are compared to the system design to determine if the design concept utilizes any of these potential hazard elements.

Figure 4.1 Preliminary hazard list overview.

To perform the PHL analysis, the system safety analyst must have two things—design knowledge and hazard knowledge. Design knowledge means the analyst must possess a basic understanding of the system design, including a list of major components. Hazard knowledge means the analyst needs a basic understanding about hazards, hazard sources, hazard components, and hazards in similar systems.
Hazard knowledge is primarily derived from hazard checklists and from lessons learned on the same or similar systems and equipment.

In performing the PHL analysis, the analyst compares the design knowledge and information to hazard checklists. This allows the analyst to visualize or postulate possible hazards. For example, if the analyst discovers that the system design will be using jet fuel, he then compares jet fuel to a hazard checklist. From the hazard checklist it will be obvious that jet fuel is a hazardous element and that a jet fuel fire/explosion is a potential mishap with many different ignition sources presenting many different hazards.

The primary output from the PHL is a list of hazards. It is also necessary and beneficial to collect and record additional information, such as the prime hazard causal factors (e.g., hardware failure, software error, human error, etc.), the major mishap category for the hazard (e.g., fire, inadvertent launch, physical injury, etc.), and any safety critical (SC) factors that will be useful for subsequent analysis (e.g., SC function, SC hardware item, etc.).

4.5 METHODOLOGY

Table 4.1 lists and describes the basic steps of the PHL process and summarizes the important relationships involved. A worksheet is utilized during this analysis process.

TABLE 4.1 PHL Analysis Process

| Step | Task | Description |
|---|---|---|
| 1 | Define system | Define, scope, and bound the system. Define the mission, mission phases, and mission environments. Understand the system design, operational concepts, and major system components. |
| 2 | Plan PHL | Establish PHL goals, definitions, worksheets, schedule, and process. Identify system elements and functions to be analyzed. |
| 3 | Select team | Select all team members to participate in PHL and establish responsibilities. Utilize team member expertise from several different disciplines (e.g., design, test, manufacturing, etc.). |
| 4 | Acquire data | Acquire all of the necessary design, operational, and process data needed for the analysis (e.g., equipment lists, functional diagrams, operational concepts, etc.). Acquire hazard checklists, lessons learned, and other hazard data applicable to the system. |
| 5 | Conduct PHL | a. Construct list of hardware components and system functions. b. Evaluate conceptual system hardware; compare with hazard checklists. c. Evaluate system operational functions; compare with hazard checklists. d. Identify and evaluate system energy sources to be used; compare with energy hazard checklists. e. Evaluate system software functions; compare with hazard checklists. f. Evaluate possible failure states. |
| 6 | Build hazard list | Develop list of identified and suspected system hazards and potential system mishaps. Identify SCFs and TLMs if possible from information available. |
| 7 | Recommend corrective action | Recommend safety guidelines and design safety methods that will eliminate or mitigate hazards. |
| 8 | Document PHL | Document the entire PHL process and PHL worksheets in a PHL report. Include conclusions and recommendations. |

The PHL process begins by acquiring design information in the form of the design concept, the operational concept, major components planned for use in the system, major system functions, and software functions. Sources for this information could include: statement of work (SOW), design specifications, sketches, drawings, or schematics. Additional design integration data can be utilized to better understand, analyze, and model the system. Typical design integration data includes functional block diagrams, equipment indenture lists [e.g., work breakdown structure (WBS), reliability block diagrams, and concept of operations]. If the design integration data is not available, the safety analyst may have to make assumptions in order to perform the PHL analysis. All assumptions should be documented.

The next step in the PHL analysis is to acquire the appropriate hazard checklists. Hazard checklists are generic lists of items known to be hazardous or that might create potentially hazardous designs or situations. The hazard checklist should not be considered complete or all-inclusive. Hazard checklists help trigger the analyst’s recognition of potential hazardous sources from past lessons learned. Typical hazard checklists include:

1. Energy sources
2. Hazardous functions
3. Hazardous operations
4. Hazardous components
5. Hazardous materials
6. Lessons learned from similar type systems
7. Undesired mishaps
8. Failure mode and failure state considerations

When all of the data is available, the analysis can begin. PHL analysis involves comparing the design and integration information to the hazard checklists. If the system design uses a known hazard component, hazardous function, hazardous operation, and the like, then a potential hazard exists. This potential hazard is recorded on the analysis form and then further evaluated with the level of design information that is available. Checklists also aid in the brainstorming process for new hazard possibilities brought about by the unique system design. PHL output includes: identified hazards, hazard causal factor areas (if possible), resulting mishap effect, and safety critical factors (if any).

The overall PHL methodology is illustrated in Figure 4.2a. In this methodology a system list is constructed that identifies planned items in the hardware, energy sources, functions, and software categories. Items on the system list are then compared to items on the various safety checklists. Matches between the two lists trigger ideas for potential hazards, which are then compiled in the PHL.

The overall PHL methodology is demonstrated by the brief example in Figure 4.2b. The system in this example involves the conceptual design for a new nuclear-powered aircraft carrier system. From the design and operational concept information (Fig. 4.2) an indentured equipment list (IEL) is constructed for the PHL. The equipment on the IEL is then compared with the hazard checklists to stimulate hazard identification.

For example, “Nuclear reactor” appears on the IEL and it also appears on the hazardous energy source checklist. This match (1a) triggers the identification of one or more possible hazards, such as “Reactor over temperature.” This hazard is then added to the PHL (1b) as hazard 1.

“Nuclear reactor” appears on the IEL and it also appears on the general mishaps checklist. This match (2a) triggers the identification of one or more possible hazards, “Accidental release of radioactive material.” This hazard is then added to the PHL (2b) as hazard 4.

“Missiles” appear on the IEL and “Inadvertent weapon launch” appears on the general mishaps checklist. This match (3a) triggers the identification of “inadvertent missile launch” as a possible hazard, which is added to the PHL (3b) as hazard 6.

[Figure 4.2 (a), (b); figure label: Indentured Equipment List (IEL)]

4.6 WORKSHEET

It is desirable to perform the PHL analysis using a worksheet. The worksheet will help to add rigor to the analysis, record the process and data, and help support justification for the identified hazards. The format of the analysis worksheet is not critical, and typically columnar-type worksheets are utilized.

The following basic information should be obtained from the PHL analysis worksheet:

1. Actual and suspected hazards
2. Top-level mishap
3. Recommendations (such as safety requirements/guidelines that can be applied)

The primary purpose of a worksheet is to provide structure and documentation to the analysis process. The recommended PHL worksheet for system safety usage is shown in Figure 4.3. In the PHL worksheet in Figure 4.3, the second column contains a list of system items from which hazards can easily be recognized. For example, by listing all of the system functions, hazards can be postulated by answering the questions: What if the function fails to occur? or What if the function occurs inadvertently?

Preliminary Hazard List Analysis
System Element Type: (1)

| No. (2) | System Item (3) | Hazard (4) | Hazard Effects (5) | Comments (6) |
|---|---|---|---|---|
| | | | | |

Figure 4.3 PHL worksheet.

The PHL worksheet columns are defined as follows:

1. System Element Type. This column identifies the type of system items under analysis, such as system hardware, system functions, system software, energy sources, and the like.
2. Hazard Number. This column identifies the hazard number for reference purposes.
3. System Item. This column is a subelement of data item 1 and identifies the major system items of interest in the identified category. In the example to follow, the items are first broken into categories of hardware, software, energy sources, and functions. Hazards are postulated through close examination of each listed item under each category. For example, if explosives is an intended hardware element, then explosives would be listed under hardware and again under energy sources. There may be some duplication, but this allows for the identification of all explosives-related hazards.
4. Hazard. This column identifies the specific hazard that is created as a result of the indicated system item. (Remember: Document all potential hazards, even if they are later proven by other analyses to be nonhazardous in this application.)
5. Hazard Effects. This column identifies the effect of the identified hazard. The effect would be described in terms of resulting system operation, misoperation, death, injury, damage, and so forth. Generally the effect is the resulting mishap.
6. Comments. This column records any significant information, assumptions, recommendations, and the like resulting from the analysis. For example, safety critical functions (SCFs), top-level mishaps (TLMs), or system safety design guidelines might be identified here.

4.7 HAZARD CHECKLISTS

Hazard checklists provide a common source for readily recognizing hazards. Since no single checklist is ever really adequate in itself, it becomes necessary to develop and utilize several different checklists. Utilizing several checklists may generate some repetition, but will also result in improved coverage of hazardous elements. Remember that a checklist should never be considered a complete and final list but merely a mechanism or catalyst for stimulating hazard recognition. Refer to Appendix C of this book for a more complete set of hazard checklists. To illustrate the hazard checklist concept, some example checklists are provided in Figures 4.4 through 4.8. These example checklists are not intended to represent ultimate checklist sources, but are some typical example checklists used in recognizing hazards.

Figure 4.4 is a checklist of energy sources that are considered to be hazardous elements when used within a system. The hazard is generally from the various modes of energy release that are possible from hazardous energy sources. For example, electricity/voltage is a hazardous energy source. The various hazards that can result from undesired energy release include personnel electrocution, ignition source for fuels and/or materials, sneak path power for an unintended circuit, and so forth.

Figure 4.5 contains a checklist of general sources that have been found to produce hazardous conditions and potential accidents, when the proper system conditions are present.

Figure 4.6 is a checklist of functions that are hazardous due to the critical nature of the mission. This checklist is an example particularly intended for space programs.

Figure 4.7 is a checklist of operations that are considered hazardous due to the materials used or due to the critical nature of the operation.

Figure 4.8 is a checklist of possible failure modes or failure states that are considered hazardous, depending on the critical nature of the operation or function involved. This checklist is a set of key questions to ask regarding the state of the component, subsystem, or system functions. These are potential ways the subsystem could fail and thereby result in creating a hazard. For example, when evaluating each subsystem, answering the question “Does fail to operate cause a hazard?” may lead to the recognition of a hazard. Note that when new hardware elements and functions are invented and used, new hazardous elements will be introduced requiring expanded and updated checklists.

Figure 4.4 Example of hazard checklist for energy sources.
Figure 4.5 Example of hazard checklist for general sources.
Figure 4.6 Example of hazard checklist for space functions.
Figure 4.7 Example of hazard checklist for general operations.
Figure 4.8 Example of hazard checklist for failure states.

4.8 GUIDELINES

The following are some basic guidelines that should be followed when completing the PHL worksheet:

1. Remember that the objective of the PHL is to identify system hazards and/or mishaps.
2. The best approach is to start by investigating system hardware items, system functions, and system energy sources.
3. Utilize hazard checklists and lessons learned for hazard recognition.
4. A hazard write-up should be understandable but does not have to be detailed in description (i.e., the PHL hazard does not have to include all three elements of a hazard: hazardous element, initiating mechanisms, and outcome).

Chapter 2 described the three components of a hazard: (1) hazardous element, (2) initiating mechanism, and (3) Threat and target (outcome). Typically when a hazard is identified and described, the hazard write-up description will identify and include all three components. However, in the PHL, a complete and full hazard description is not always provided. This is primarily because of the preliminary nature of the analysis and that all identified hazards are more fully investigated and described in the preliminary hazard analysis (PHA) and subsystem hazard analysis (SSHA).

Figure 4.9 shows how to apply the PHL guidelines when using the PHL worksheet.

Figure 4.9 PHL guidelines. (Figure annotations: State system effect for hazard. Look for “Missile” in hazard checklist. Find “Inadvertent Launch” as a potential hazard. Note simplified hazard write-up.)

4.9 EXAMPLE: ACE MISSILE SYSTEM

In order to demonstrate the PHL methodology, a hypothetical small missile system will be analyzed. The basic system design is shown in Figure 4.10 for the Ace Missile System. The major segments of the system are the missile segment and the weapon control system (WCS) segment. The missile segment includes only those components specifically comprising the missile. The WCS segment includes those components involved in command and control over the missile, such as the operator’s console, system computer, radar, system power, and so forth.

Figure 4.10 Ace Missile System. (Labeled components: Warhead, Battery, Computer/SW, Destruct, Fuel, Rocket Booster.)

The basic equipment and functions for this system are identified in Figure 4.11. During the conceptual design stage, this is the typical level of information that is available. Some basic design decisions may be necessary, such as the type of engine to be utilized, jet or solid rocket. A design safety trade study might be performed to evaluate the hazards of a jet system versus a rocket system. From this basic design information a very credible list of hazards can easily be generated.

Figure 4.11 Ace Missile System conceptual information. (Panels: Indentured Equipment List (IEL), Functions, Phases, Energy Sources.)

Figure 4.12 shows the basic planned operational phases for the missile system. As design development progresses, each of these phases will be expanded in greater detail.

Figure 4.12 Missile functional flow diagram of operational phases. (Phases 1 through 7; box labels: Missile Storage in Land Storage Site, Missile Transportation to Ship, Missile Storage in Shipboard Magazine, Missile Installation in Launch Tube, Missile in Standby Alert, Missile Launch Sequence, Missile Flight to Target.)

The lists of components, functions, and phases are generated by the missile project designers or the safety analyst. The PHL begins by comparing each system component and function to hazard checklists, to stimulate ideas on potential hazards involved with this system design.

Tables 4.2, 4.3, and 4.4 contain a PHL analysis of the system hardware, functions, and energy sources, respectively. For example, Table 4.2 evaluates system hardware starting with the first component in the IEL, missile body, then the warhead, then the engine, and so forth. In this example, the PHL worksheet was developed as a single long table extending over several pages, but the worksheet could have been broken into many single pages.

TABLE 4.2 PHL Analysis of Ace Missile System—System Hardware Evaluation

Preliminary Hazard List Analysis
System Element Type: System Hardware

| No. | System Item | Hazard | Hazard Effects | Comments |
|---|---|---|---|---|
| PHL-1 | Missile structure | Missile body breaks up resulting in fuel leakage; and ignition source causing fire | Missile fire | Ground operations |
| PHL-2 | Missile structure | Missile body breaks up causing missile crash | Missile crash | Flight |
| PHL-3 | Missile warhead (W/H) | Detonation of W/H explosives from fire, bullet, shock, etc. | W/H explosives detonation | Use insensitive munitions (IM) |
| PHL-4 | Missile W/H | Initiation of W/H from inadvertent initiation commands | Inadvertent W/H initiation | Initiation requires both arm and fire signals |
| PHL-5 | Missile W/H | Missile W/H fails to initiate | Dud | Unexploded ordnance (UXO) concern |
| PHL-6 | Missile engine | Engine fails to start (missile crash) | Incorrect target | Unsafe missile state, fuel release |
| PHL-7 | Missile engine | Engine fails during flight resulting in crash | Incorrect target | |
| PHL-8 | Missile fuel subsystem | Engine fuel tank leakage and ignition source present resulting in fire | Missile fire | |
| PHL-9 | Missile computer | Computer inadvertently generates W/H Arm-1 and Arm-2 commands, causing W/H initiation | Inadvertent W/H initiation | |
| PHL-10 | Missile computer | Computer fails to generate W/H Arm-1 or Arm-2 commands | Inability to initiate W/H | Dud; not a safety concern |
| PHL-11 | Missile computer | Computer inadvertently generates missile destruct command | Inadvertent destruct | Safe separation issue |
| PHL-12 | Missile computer | Computer fails to generate missile destruct command | Inability to destruct missile | |
| PHL-13 | Missile battery | Battery is inadvertently activated, providing power for W/H Arm and Fire commands | Inadvertent W/H initiation | Mishap also requires Arm and Fire signals |
| PHL-14 | Missile battery | Battery electrolyte leakage occurs and ignition source present resulting in fire | Missile fire | |
| PHL-15 | Missile destruct subsystem | Destruct system fails | Unable to destruct missile | Also requires fault necessitating destruct |
| PHL-16 | Receiver | Receiver fails—no communication with missile | Unable to destruct missile | |
| PHL-17 | Receiver | Receiver fails—creates erroneous destruct command | Inadvertent missile destruct | |
| PHL-18 | Rocket booster | Inadvertent ignition of rocket | Inadvertent launch | Uncontrolled flight |
| PHL-19 | WCS computer | Computer inadvertently generates missile launch commands | Inadvertent missile launch | |
| PHL-20 | WCS radar | Electromagnetic radiation (EMR) injures exposed personnel | Personnel RF energy injury | |
| PHL-21 | WCS radar | EMR causes ignition of explosives | Explosives detonation | |
| PHL-22 | WCS radar | EMR causes ignition of fuel | Missile fuel fire | |
| PHL-23 | WCS power | High-voltage electronics causes fire | Cabinet fire | System damage or personnel injury |

TABLE 4.3 PHL Analysis of Ace Missile System—System Functions Evaluation

Preliminary Hazard List Analysis
System Element Type: System Functions

| No. | System Item | Hazard | Hazard Effects | Comments |
|---|---|---|---|---|
| PHL-24 | Warhead initiate | Warhead initiate function occurs inadvertently | Inadvertent W/H initiation | Initiation requires Arm-1 and Arm-2 functions |
| PHL-25 | Warhead initiate | Warhead initiate function fails to occur | Dud warhead | Not a safety concern |
| PHL-26 | Missile launch | Missile launch function occurs inadvertently | Inadvertent missile launch | |
| PHL-27 | Missile self-test | Self-test function fails, resulting in unknown missile status | Unsafe missile state | |
| PHL-28 | Missile destruct | Missile destruct function occurs inadvertently | Inadvertent missile destruct | |
| PHL-29 | Missile navigation | Errors occur in missile navigation function | Incorrect target | |
| PHL-30 | Missile guidance | Errors occur in missile guidance function | Incorrect target | |
| PHL-31 | Communications with missile | Communication is lost, causing inability to initiate missile destruct system | Inability to destruct missile | |

TABLE 4.4 PHL Analysis of Ace Missile System—System Energy Sources Evaluation

Preliminary Hazard List Analysis
System Element Type: System Energy Sources

| No. | System Item | Hazard | Hazard Effects | Comments |
|---|---|---|---|---|
| PHL-32 | Explosives | Inadvertent detonation of W/H explosives | Inadvertent W/H initiation | |
| PHL-33 | Explosives | Inadvertent detonation of missile destruct explosives | Inadvertent missile destruct | |
| PHL-34 | Electricity | Personnel injury during maintenance of high-voltage electrical equipment | Personnel electrical injury | |
| PHL-35 | Battery | Missile battery inadvertently activated | Premature battery power | Power to missile subsystems and W/H |
| PHL-36 | Fuel | Missile fuel ignition causing fire | Missile fuel fire | |
| PHL-37 | RF energy | Radar RF energy injures personnel | Personnel injury from RF energy | |
| PHL-38 | RF energy | Radar RF energy detonates W/H explosives | Explosives detonation | |
| PHL-39 | RF energy | Radar RF energy detonates missile destruct explosives | Explosives detonation | |
| PHL-40 | RF energy | Radar RF energy ignites fuel | Missile fuel fire | |

The following results should be noted from the PHL analysis of the Ace Missile System:

1. A total of 40 hazards have been identified by the PHL analysis.
2. No recommended action resulted from the PHL analysis, only the identification of hazards. These hazards provide design guidance to the system areas that will present mishap risk and require further design attention for safety.
3. Each of the 40 hazards identified in the PHL will be carried into the PHA for further analysis and investigation.
4. Although this PHL did not focus on SCFs and TLMs, it is possible to start generating this information, as shown in Table 4.5. The TLMs shown in Table 4.5 have been established from the entire list of PHL hazards. All of the identified hazards have been consolidated into these TLM categories. After establishing the TLMs, it was then possible to identify SCFs that are associated with certain TLMs, as shown in Table 4.5.

TABLE 4.5 Missile System TLMs and SCFs from PHL Analysis

| TLM No. | Top-Level Mishap | SCF |
|---|---|---|
| 1 | Inadvertent W/H initiation | Warhead initiation sequence |
| 2 | Inadvertent missile launch | Missile launch sequence |
| 3 | Inadvertent missile destruct | Destruct initiation sequence |
| 4 | Incorrect target | |
| 5 | Missile fire | |
| 6 | Missile destruct fails | Destruct initiation sequence |
| 7 | Personnel injury | |
| 8 | Unknown missile state | |
| 9 | Inadvertent explosives detonation | |

4.10 ADVANTAGES AND DISADVANTAGES

The following are advantages of the PHL technique:

1. The PHL is easily and quickly performed.
2. The PHL does not require considerable expertise for technique application.
