Risk Analysis = Hazard Analysis + Risk Assessment
Hazard Analysis Methods
A crucial distinction between different hazard analysis methods is whether the analysis starts with a component failure and investigates its possible effects on the occurrence of hazards (forward analysis), or whether it starts with a specific hazard and traces back which sorts of component failures may cause it (backward analysis).
- Failure Modes and Effects Analysis (FMEA) assumes that the failure modes of the system components are known. On the basis of these failure modes, the causes of each failure are then evaluated in the system.
  Characteristics of the method:
  - FMEA is a forward analysis method.
  - FMEA investigates the effects of a single component failure; it is not possible to investigate the problems caused by combinations of component failures.
- Failure Modes, Effects and Criticality Analysis (FMECA) is an extended variant of FMEA, where the criticality of each effect is recorded.
  - It is considered state-of-the-art to perform FMECA instead of FMEA.
- Hazard and Operability Studies (HAZOP) use a series of guide words to investigate the effects of deviations from normal operating conditions during each phase of a system's operation.
  - HAZOP is a forward analysis method.
  - HAZOP originated from criticality analysis of chemical processes. It focuses on the effects of normal and exceptional parameter variations on the system.
- Event Tree Analysis (ETA) takes as its starting point the events that can affect the system and tracks them forward through sequences of interfacing system components to determine their possible consequences.
  - ETA is a forward analysis method.
  - ETA is superior to FMEA/FMECA since it analyses the combination of exceptional behaviours in a chain of system components.
  - The results of an ETA are typically displayed as a horizontal tree structure: the root is the component causing the initial failure event; at each level of the tree, a new component is introduced and analysed for the two cases "component fails/does not fail".
  - For a chain of n components, the ETA tree contains 2^(n-1) leaves.
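The event tree construction described above, as an added example that is not part of Peleska's notes: the chain of components, the consequence rule and all component names are constructed for illustration. The first component is the initiating failure (the root); each further component branches into "fails" / "does not fail", so a chain of n components yields 2^(n-1) leaves, each of which is then assigned a consequence.

```python
from itertools import product

# Constructed chain (not from the notes): the first entry is the initiating
# failure event at the root, the remaining entries are the components
# introduced at each successive level of the tree.
CHAIN = ["feed pump", "standby pump", "low-flow alarm", "operator shutdown"]


def event_tree(chain):
    """Enumerate every leaf of the event tree for a chain of components.

    A leaf is a list of (component, failed) pairs. The root always fails
    (that is the initiating event); each of the remaining n-1 components
    branches into failed / not failed, giving 2^(n-1) leaves in total.
    """
    root, rest = chain[0], chain[1:]
    leaves = []
    for outcome in product((False, True), repeat=len(rest)):
        leaves.append([(root, True)] + list(zip(rest, outcome)))
    return leaves


def consequence(leaf):
    """Constructed consequence rule for the example chain.

    If the standby pump takes over, flow is maintained. If it also fails,
    a working alarm plus a successful operator shutdown still reach a safe
    state; every other combination ends in loss of flow, i.e. the hazard.
    """
    failed = dict(leaf)
    if not failed["standby pump"]:
        return "flow maintained"
    if not failed["low-flow alarm"] and not failed["operator shutdown"]:
        return "safe shutdown"
    return "loss of flow (hazard)"


def analyse(chain=CHAIN):
    """Return ({consequence: leaf count}, [failed components per hazardous leaf])."""
    summary = {}
    hazardous = []
    for leaf in event_tree(chain):
        outcome = consequence(leaf)
        summary[outcome] = summary.get(outcome, 0) + 1
        if outcome.endswith("(hazard)"):
            # Record which components failed together on this branch.
            hazardous.append([name for name, failed in leaf if failed])
    return summary, hazardous


if __name__ == "__main__":
    print(len(event_tree(CHAIN)), "leaves for", len(CHAIN), "components")
    summary, hazardous = analyse()
    for outcome, count in summary.items():
        print(f"{count} leaf/leaves -> {outcome}")
    for combo in hazardous:
        print("hazard when these fail together:", ", ".join(combo))
```

Unlike FMEA, which looks at one failure at a time, each hazardous leaf here is a combination of failures along the chain; the summary shows how many of the 2^(n-1) branches end in the hazard.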
- Fault Tree Analysis (FTA) starts with an identified hazard as the root of a tree and works backwards to determine its possible causes. A cause can be defined as an AND or OR combination of events, thereby revealing the combinations of component failures that may cause the hazard. A fault tree analysis follows the system structure, such that the upper levels in a fault tree correspond to the system, and the lower levels correspond to system components.
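A worked fault tree for the backward analysis described above, added here as an example and not taken from the notes: the hazard, the gate structure and all component names are constructed. The tree is reduced to its minimal cut sets, i.e. the smallest combinations of component failures that are sufficient to cause the hazard, which is exactly what an FTA is meant to reveal.

```python
from itertools import product

# A fault tree node is either a basic event (a str) or a gate:
# ("AND", [children]) or ("OR", [children]).
# Constructed example tree for the hazard "loss of cooling" (not from the notes).
LOSS_OF_COOLING = ("OR", [
    ("AND", ["primary pump fails", "standby pump fails"]),          # no flow at all
    ("AND", ["coolant leak",
             ("OR", ["leak sensor fails", "isolation valve stuck"])]),  # leak not contained
    "control software crash",                                      # single cause
])


def cut_sets(node):
    """Return all cut sets of a node as a set of frozensets of basic events.

    OR: any child's cut set suffices, so take the union of the children's sets.
    AND: every child must occur, so combine one cut set from each child.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Keep only cut sets that contain no other cut set as a proper subset."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def single_points_of_failure(node):
    """Basic events that cause the hazard on their own (cut sets of size 1)."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


def hazard_occurs(node, failed):
    """Evaluate the tree for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    combine = any if gate == "OR" else all
    return combine(hazard_occurs(child, failed) for child in children)


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(LOSS_OF_COOLING), key=sorted):
        print("minimal cut set:", sorted(cut))
    print("single points of failure:", single_points_of_failure(LOSS_OF_COOLING))
    print("leak alone causes hazard:", hazard_occurs(LOSS_OF_COOLING, {"coolant leak"}))
```

The top-level OR gate corresponds to the system view, the nested gates to the components, mirroring the statement that the upper levels of a fault tree follow the system structure; the single-event cut set is the one a designer would look at first, since no redundancy protects against it.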
- Common Mode Failure Analysis (CMF) aims to identify potential failures in redundant systems. The failures of interest are those which may occur in all redundant channels at the same time. Such failures may, for instance, occur if the redundant components all run the same software in a synchronous way using active replication techniques.
- Cause Consequence Diagrams are a combination of fault tree analysis and event tree analysis: given the occurrence of an initiating event, the causes of this event are revealed using fault tree analysis, and the consequences are evaluated using an event tree analysis.
Jan Peleska / Bremen Institute of Safe Systems BISS / <jp@informatik.uni-bremen.de> / 20 June 1998