Applying HAZOP to Software Engineering Models

HAZOP is a powerful hazard analysis technique which has a long history in process industries. As the use of programmable electronic systems becomes more common, it is clear that there is a need for a HAZOP method which can be used effectively with such systems. This paper describes several attempts to derive such a process, and identifies some requirements which must be met by any PES HAZOP procedure. MODELLING THE HAZOP PROCESS The HAZOP study was initially developed to support the chemical process industries, and after nearly 25 years of successful application it is generally considered to be an effective yet simple hazard identification method. However, the apparent simplicity of the method belies the subtlety of the associated concepts, and as a precursor to use of HAZOP to support the software development process it is important to clarify the definitions and activities that contribute to HAZOP. HAZOP is a semi-formalised team based activity that systematically reviews a representation of a system and its operating procedures in order to identify potential hazards. It is based upon the principle that a problem can only arise when there is some deviation from the intent of the system as represented by the model under review. The procedure is to search the representation, element by element (traditionally this has been line by line for Process & Instrumentation diagram models) for every conceivable deviation from its normal operation using a list of guidewords. These are carefully chosen to prompt open, free-ranging thought about all possible system abnormalities. As each deviation is derived, the team then discuss potential causes and consequences and recommend appropriate remedial action or identify emergent requirements. This paper provides three different models of the HAZOP study: a “formal” model expressed in Z, an algorithmic model and a causal model. These different perspectives will help us to draw out the apparent subtleties and will enable us to move towards a justified strategy for the application of HAZOP on Software Engineering Models. In particular, the formal model enables us to investigate the consistency of HAZOP studies, the causal model allows us to integrate HAZOP with causal safety techniques such as Failure Modes and Effects Analysis, and the algorithmic model provides us with a sound basis for the provision of methodological tool support.