高完整性系统工程（一）： Safety Engineering, HAZOP & Fault Tree Analysis

目录

1. SAFETY ENGINEERING

1.1 Safety

1.2 Safety Engineering Process

1.3 Safety Engineering

1.4 Hazards

1.5 Causality 因果关系

1.6 Causality is not Correlation 因果关系不是相关关系

1.7 Past Causes as Hazards

1.8 Safety Engineering Tasks 

2. HAZOP

2.1 学习HAZOP

2.2 HAZOP概览

2.3 Assessing Hazard Risks 评估

2.4 示例场景

2.5 HAZOP Guidewords

2.6 HAZOP Process

2.7 HAZOP Outcomes

2.8 HAZOP Summary

3. FAULT TREE ANALYSIS 故障树分析

3.1 Analysis Outcomes

---

1. SAFETY ENGINEERING

1.1 Safety

In light of the above, a more precise definition:

software and hardware used under correct operating conditions don’t cause unacceptable harm to people or environment. 在正确的操作条件下使用的软件和硬件不会对人或环境造成不可接受的伤害。

1.2 Safety Engineering Process

1.3 Safety Engineering

How do we engineer safe systems? 我们如何设计安全的系统？

History

Safety engineers are experts in their domain: medical, rail signalling, aviation etc. 安全工程师是他们领域的专家：医疗、铁路信号、航空等。

Safety engineers are experts in past accidents, incidents and failures. 安全工程师是过去事故、事件和失败方面的专家。

It is difficult to guard against what you can’t predict. 要防范你无法预测的事情是很难的。

Is why air crashes are so thoroughly investigated. 这就是为什么对空难的调查如此彻底。

1.4 Hazards

Safety engineers examine past accidents etc. looking for hazards: 安全工程师检查过去的事故等，寻找危险：

things that could lead to (future) accidents 可能导致（未来）事故的事情

Then design the system to be safe in the face of these things, reducing the chance of accidents happening. 然后将系统设计成在面对这些事情时是安全的，减少事故发生的机会。

Tends to be the same factors over and over again. 往往是相同的因素反复出现。

Doing it properly requires determining causation. 做好这一点需要确定因果关系。

Not enough to know that the accident occurred because a device failed; need to understand why it failed, what caused it to fail and e.g. why the pilot didn’t notice. 仅仅知道事故的发生是由于一个设备的故障是不够的；需要了解它为什么会故障，是什么导致了它的故障，例如，为什么飞行员没有注意到。

1.5 Causality 因果关系

Not correlation.

Often contested, not always clear cut. 往往有争议，不总是明确的。

Determined by counterfactual reasoning. 通过反事实推理来确定。

A counterfactual: “if A hadn’t happened, what would be the case …” 反事实："如果A没有发生，情况会是怎样......"

“A is a cause of B when, if A hadn’t happened, B wouldn’t have happened. "如果A没有发生，B就不会发生，那么A就是B的原因。

1.6 Causality is not Correlation 因果关系不是相关关系

Absence of causation is revealed by counterfactual reasoning. 不存在因果关系是通过反事实推理来揭示的。

Confounding: deaths by drowning correlated with ice-cream consumption (common cause: warm weather) 混杂因素：溺水死亡与雪糕消费相关（共同原因：温暖的天气）

Reversed Causality: barometer reading always drops before a storm (but the barometer reading doesn’t cause the storm) 反向因果关系：气压计读数总是在暴风雨前下降（但气压计读数并不导致暴风雨的发生）

Absence of causation is revealed by counterfactual reasoning. 因果关系的缺失是通过反事实推理揭示的。

1.7 Past Causes as Haz