HazLog: Tool support for hazard management - PowerPoint PPT Presentation

Provided by: csAn

1
HazLog: Tool support for hazard management
  • Christian Hamoy
  • David Hemer
  • Peter Lindsay

2
Overview
  • Tool support for hazard management
  • Recap of Def(AUST) 5679
  • How HazLog addresses the shortcomings of existing tools
    with respect to 5679
  • HazLog based on the DOORS requirements management
    tool

3
Hazard management
  • The process of identifying, recording, analysing and
    implementing measures to control the effects of
    hazardous situations in systems
  • Hazard management is instrumental in ensuring the
    safety of a system
  • Occurs throughout system lifecycle

4
We need tool support
  • Hazard management involves tracking and recording
    lots of information
  • Time consuming and tedious process
  • Complex interrelationships can lead to errors in
    the process
  • Want to reuse and share hazard log info
  • Requires tool support

5
Existing tools
  • Cassandra is the closest to our needs
  • Designed to support the UK MoD standard Def Stan 00-56
  • Generalised to support other standards (e.g. IEC 61508)
  • But it has shortcomings when applied to Def(AUST) 5679

6
Def(AUST) 5679
  • Australian Defence standard
  • Covers the development of safety-critical
    computer-based systems
  • 3 main hazard identification and risk analysis
    tasks:
    • Preliminary Hazard Analysis (PHA)
    • System Hazard Analysis
    • Safety Integrity Assessment

7
PHA
  • Identify accidents and their severities
  • Accident sequences: system hazard + external
    co-effectors -> accident
  • Each system hazard has a corresponding system
    safety requirement (SSR)
  • A Level of Trust (LOT) is calculated for each SSR,
    based on its accident sequences
  • The LOT represents the desired level of confidence
    that the SSR is met

8
Level of Trust
9
System hazard analysis
  • Decompose system hazards into component hazards
  • Each component hazard assigned a component safety
    requirement (CSR)

10
Safety integrity assessment
  • Assign a Safety Integrity Level (SIL) to each CSR
  • Each SIL assignment must be justified
  • Cross-check each SIL against the LOT of the parent
    system safety requirement
  • A SIL can only be reduced below the corresponding LOT
    under certain circumstances

11
Shortcomings of Cassandra
  • Cannot represent accident sequences
  • Unable to record relationships between hazards
  • Risk classification cannot handle LOTs / SILs
  • Limited support for safety requirements
  • Limited search facilities

12
HazLog a new tool
  • Shortcomings of Cassandra form requirements for
    HazLog
  • HazLog built on DOORS
  • DOORS provides support for:
    • Traceability analysis
    • Object linking
    • Multiple views

13
Conceptual design
14
Implementation
  • Implemented as a collection of modules in DOORS
  • The DOORS object linking mechanism is used for the
    relationships between hazards and requirements
  • DXL code is used for calculations (e.g. LOT
    calculation) and checks (e.g. SIL allocation
    rules)

15
Linking system and component hazards
  • Links between system-level and component-level hazards
    are represented as minimal cutsets
  • Minimal cutset: a set of component hazards that
    can by themselves lead to a system hazard, with no
    proper subset that also does so
  • Can easily be generated from fault trees
  • Each cutset is represented as a set of component hazards
  • Each cutset is linked to one or more system hazards

16
SIL allocation rules
  • The SIL allocation rules from 5679 are encoded in HazLog
  • Compare the SIL of a CSR against the LOT of its parent SSR
  • e.g. the SIL of a CSR shall be no less than two levels
    lower than the LOT of the SSR from which it was
    derived
  • Some rules depend on the implementation type
  • e.g. software that can be modified by a user
    after installation shall be assigned a SIL of S0
  • Implementation type is represented in HazLog as an
    enumerated type
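The two rules above can be written as a check over a CSR record. This is an added Python example, not HazLog's DXL code and not taken from the slides: the field names of the CSR record, the reading of LOT and SIL labels as "T<n>" / "S<n>" compared by their numeric suffix, and the requirement that any SIL below the parent LOT carry a recorded justification are assumptions. Where the S0 rule and the two-level rule both fire, the example reports both findings rather than deciding which takes precedence, since the slides do not say.

```python
"""SIL allocation cross-check against the parent SSR's Level of Trust.

Added example (Python; HazLog encodes these rules in DXL). Assumptions:
LOT labels look like "T4" and SIL labels like "S2", compared by their
numeric suffix; any SIL below the parent LOT needs a recorded justification.
"""
from dataclasses import dataclass

# Implementation type that 5679 forces to S0 (label text is our own choice).
USER_MODIFIABLE = "software modifiable by user after installation"


def level(label):
    """'T4' -> 4, 'S2' -> 2; rejects anything that is not a T/S level label."""
    if len(label) < 2 or label[0] not in "TS" or not label[1:].isdigit():
        raise ValueError(f"bad level label {label!r}")
    return int(label[1:])


@dataclass
class ComponentSafetyRequirement:
    ident: str
    parent_lot: str            # LOT of the SSR this CSR was derived from
    implementation_type: str   # enumerated type in HazLog; a string here
    sil: str                   # SIL assigned by the assessor
    justification: str = ""    # free-text justification for the assignment


def mandated_sil(csr):
    """Implementation-type rule: user-modifiable software -> S0, else no mandate."""
    if csr.implementation_type == USER_MODIFIABLE:
        return "S0"
    return None


def check_sil_allocation(csr):
    """Return a list of findings; an empty list means the allocation passes."""
    findings = []

    forced = mandated_sil(csr)
    if forced is not None and csr.sil != forced:
        findings.append(
            f"{csr.ident}: implementation type mandates {forced}, got {csr.sil}")

    # Cross-check: SIL shall be no less than two levels lower than parent LOT.
    lowest_allowed = level(csr.parent_lot) - 2
    if level(csr.sil) < lowest_allowed:
        findings.append(
            f"{csr.ident}: {csr.sil} is more than two levels below LOT {csr.parent_lot}")

    # A SIL below the LOT is only permitted under certain circumstances, so
    # (assumption) it must be accompanied by a recorded justification.
    if level(csr.sil) < level(csr.parent_lot) and not csr.justification.strip():
        findings.append(
            f"{csr.ident}: SIL below LOT without recorded justification")

    return findings


if __name__ == "__main__":
    # Constructed sample CSRs for the fuel storage room example.
    samples = [
        ComponentSafetyRequirement("CSR1", "T4", "embedded firmware", "S3",
                                   "fan hardware interlock covers the gap"),
        ComponentSafetyRequirement("CSR2", "T4", "embedded firmware", "S1", "x"),
        ComponentSafetyRequirement("CSR3", "T4", "embedded firmware", "S3"),
        ComponentSafetyRequirement("CSR4", "T2", USER_MODIFIABLE, "S2"),
    ]
    for csr in samples:
        print(csr.ident, check_sil_allocation(csr) or "OK")
```

Run as a script it prints one line per CSR; in a DOORS deployment the same checks would run as DXL over the CSR module and write the findings back into an attribute the assessor can filter on.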

17
Example fuel storage room
  • Designed to hold drums of fuel
  • Exhaust fan prevents build up of vapours
  • Sensor detects vapour build up
  • Alarm warns against dangerous build up
  • Fan and alarm activated by software component
  • Software takes input from sensor

18
Accident sequence
  • Acc1: person killed in explosion (severity: fatal)
  • SH1: petrol vapour build-up in store room
  • Coeff1: someone lights a match (probability 0.05)
  • Coeff2: petrol vapour escapes from drums (probability 0.1)
  • SH1 + Coeff1 + Coeff2 -> Acc1
  • Probability of the sequence: 0.05 × 0.1 = 0.005
  • LOT for the corresponding SSR is T4

19
Fault Tree Analysis
20
Minimal cutsets
  • {CH1, CH5}
  • {CH2}
  • {CH3}
  • {CH4}
  • 3 single points of failure (CH2, CH3 and CH4 each
    cause SH1 on their own)!
  • Improve by making the exhaust fan independent of the
    control software
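Slide 15 says the cutsets are generated from fault trees and slide 20 reads off the single points of failure; the Python below does both. It is an added example, not HazLog's DXL: the fault-tree gate structure is constructed to reproduce the four cutsets on the slide (the page gives only the IDs CH1..CH5, not their meaning), and the "redesigned" tree, which assumes CH4 is the control-software failure and CH2 the fan failure, is a hypothetical reading of "make the exhaust fan independent of the control software" used only to show the cutsets being recomputed and minimised.

```python
"""Minimal cutsets from a fault tree, and the single-point-of-failure check.

Added example (Python, not HazLog code). The gate structure and the
interpretation of CH2/CH4 in the redesigned tree are assumptions; the page
gives only the component hazard IDs and the resulting cutsets.
"""
from itertools import product

# A fault-tree node is either a basic event (a component hazard ID string)
# or a gate: ("AND" | "OR", [child nodes]).


def cutsets(node):
    """All cutsets of `node` as a set of frozensets (not yet minimised).

    Top-down expansion: an OR gate contributes the union of its children's
    cutsets; an AND gate contributes the union of one cutset from each child,
    for every combination of children.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cutsets(c) for c in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cutsets(node):
    """Minimisation: drop any cutset that is a proper superset of another."""
    all_sets = cutsets(node)
    return {cs for cs in all_sets if not any(other < cs for other in all_sets)}


def single_points_of_failure(mcs):
    """Component hazards that alone lead to the system hazard (|cutset| == 1)."""
    return {next(iter(cs)) for cs in mcs if len(cs) == 1}


# Constructed tree for SH1 (petrol vapour build-up in the store room), chosen
# so that it yields the slide's cutsets {CH1,CH5}, {CH2}, {CH3}, {CH4}.
SH1_TREE = ("OR", [("AND", ["CH1", "CH5"]), "CH2", "CH3", "CH4"])

# Hypothetical redesign (assumption): if CH4 is "control software fails" and
# CH2 is "exhaust fan fails", making the fan independent of the software means
# a software failure alone no longer stops the fan, so CH4 only matters
# together with CH2. The {CH2, CH4} cutset is then absorbed by {CH2}.
SH1_TREE_REDESIGNED = ("OR", [("AND", ["CH1", "CH5"]), "CH2", "CH3",
                               ("AND", ["CH4", "CH2"])])


if __name__ == "__main__":
    for name, tree in [("original", SH1_TREE),
                       ("redesigned", SH1_TREE_REDESIGNED)]:
        mcs = minimal_cutsets(tree)
        print(name, sorted(sorted(cs) for cs in mcs),
              "SPOFs:", sorted(single_points_of_failure(mcs)))
```

The expansion is exponential in the worst case, which is fine for a hazard log of this size; for large trees the same superset-removal step is what keeps the stored cutset list, and hence the number of links to create in DOORS, minimal.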

21
Demonstration
22
Future plans
  • Adding roles and responsibilities for users
  • Adding status information
  • Customisable report generation
  • Support for multi-layered safety cases (departure
    from 5679)

23
Summary
  • HazLog supports hazard management for Def(AUST)
    5679 process
  • Addresses shortcomings of existing tool
  • Based on DOORS
  • Contact Peter.Lindsay_at_itee.uq.edu.au for more
    information