System Hazard Analysis Builds on PHA as a foundation (expands PHA) Considers system as a whole and identifies how system operation nterfaces and interactions between subsystems interface and interactions between system and operators component failures and normal (correct) behavior could contribute to system hazards Refines high-level safety design constraints Validates conformance of system design to design constraints Traces safety design constraints to individual components (based on functional decomposition and allocation) Hazard Causal Analysis Used to refine the high-level safety constraints into more detailed constraints Requires some type of model (even if only in head of analyst) Almost always involves some type of search through the system design(model) for states or conditions that could lead to system hazards Top-down Bottom-up Forward Backward
c ✙✝✟✚☎✝✟✄☎✛✟✔✓✜✣✢✥✤✟✦ ✠✘☛✟✌✎☛✟✏✑✓✒✂✔✟☛✟✖✁☎✄✎✗✄ System Hazard Analysis Builds on PHA as a foundation (expands PHA) Considers system as a whole and identifies how system operation interfaces and interactions between subsystems interface and interactions between system and operators component failures and normal (correct) behavior could contribute to system hazards. Refines high−level safety design constraints Validates conformance of system design to design constraints Traces safety design constraints to individual components. (based on functional decomposition and allocation) c ✙✝✟✚✎✝✟✄☎✛✟✔✓✜✧✢✥✤✟★ ✂✁☎✄☎✆✝✟✞✡✠☞☛✍✌✎☛✟✏✑✓✒✕✔✟☛✟✖✁✎✄☎✗✄ Hazard Causal Analysis Used to refine the high−level safety constraints into more detailed constraints. Requires some type of model (even if only in head of analyst) Almost always involves some type of search through the system design (model) for states or conditions that could lead to system hazards. Top−down Bottom−up Forward Backward
Forward vs, Backward search Initiating Final Initiation Final Events States Events States A dw nonhazard A nonhazard X」 HAZARD Bhx HAZARD C nonhazard Y nonhazard nonhazard z nonhazard Forward Search Backward search Top-Down Search TOP EVENT Intermediate or seudo Basic or primary events
c ✙✝✟✚☎✝✟✄✎✛✍✔✓✜✣✢✥✤✟✫ ✂✁☎✄☎✆✝✟✞✩✠✘☛✟✌☎☛✟✏✑✓✒✂✔✟☛✟✖✁☎✄☎✗✄ Forward vs. Backward Search Initiating Final Events States D C B A W Z Y X nonhazard HAZARD nonhazard nonhazard Forward Search Initiating Final Events States B A C D W Y Z X nonhazard HAZARD nonhazard nonhazard Backward Search c ✙✝✟✚☎✝✟✄✎✛✍✔✓✜✣✢✥✤✟✪ ✂✁☎✄☎✆✝✟✞✩✠✘☛✟✌☎☛✟✏✑✓✒✂✔✟☛✟✖✁☎✄☎✗✄ Top−Down Search TOP EVENT Basic or primary events Intermediate or pseudo−events
System Hazard Analysis Fault Tree Analysis Developed originally in 1961 for Minuteman Means of analyzing hazards, not identifying them Top-down search method Based on converging chains-of-events accident model Tree is simply a record of results; analysis done in head FT can be written as boolean expression and simplified to show specific combinations of identified basic events sufficient to cause the undesired top event(hazard If want quantified analysis and individual probabilities for all basic events are known, frequency of top event can be calculated Fault Tree Example System Hazard Anal Explosion Relief valve 1 Relief valve 2 Pressure does not open does not open too high Valve Computer does Valve Operator does not know to Operato failure not open failure inattentive alve 1 open valve 2 Sensor/ computer Computer Valve 1 Failure[output/does not issue Position/ Indicator too late command to Indicator/ Light fails open valve 1 fails ony
Leveson − 139 System Hazard Analysis c Fault Tree Analysis Developed originally in 1961 for Minuteman. Means of analyzing hazards, not identifying them. Top−down search method. Based on converging chains−of−events accident model. Tree is simply a record of results; analysis done in head. FT can be written as Boolean expression and simplified to show specific combinations of identified basic events sufficient to cause the undesired top event (hazard). If want quantified analysis and individual probabilities for all basic events are known, frequency of top event can be calculated. Leveson − 140 System Hazard Analysis Fault Tree Example c valve 1 too high Pressure fails on Position Indicator Valve 1 Light fails on Indicator Open too late output Computer not open does not open Relief valve 2 does not open Sensor Failure Operator does not know to open valve 2 Operator inattentive Valve failure failure Computer does Computer does not issue command to open valve 1 or and and or or Relief valve 1 Valve Explosion
Example Fault Tree for ATC Arrival Traffic A pair of controlled aircraft violate minimum separation standards Violation of minimum Violation of distance or time Violation of minimum separation in-trail separation while separation between streams between arrival traffic and on final approach to of aircraft landing on different departure traffic from nearb same runwa feeder airports OR Two aircraft on final Two aircraft landing An aircraft violates the An aircraft fails approach to parallel consecutively on different non-transgression zone to make tum runways not spatially runways in intersecting or while airport is conducting from base to staggered converging operations violate independent ILS approaches final approach min imum difference in to parallel runways threshold crossing time Example Fault Tree for ATC Arrival Traffic(2) Controller instructions do not cause aircraft to make necessary speed change OR Controller do Controller issues Controller issues Controller issues Controller issues not issue speed appropriate speed appropriate speed speed advisory speed advisory advisory but pilot ory and pile that does not too late to avoid does not receive it. receives it but does avoid separation separation not follow it violation Human Controller issi communication communication speed advise failure failure OR OR Radio failure Radio on wrong Psychological slip Wrong label abel in fre associated with misleading aircraft planview display screen
c ✙✝✟✚✎✝✟✄☎✛✟✔✓✜✧✢✥❫❴✢ ✂✁☎✄☎✆✝✟✞✡✠☞☛✟✌☎☛✟✏✑✓✒✕✔✟☛✟✖✁✎✄☎✗✄ Example Fault Tree for ATC Arrival Traffic ❪ ✸ ✸ ❖❁✶✰✵ ✺✣✭ ✬✼✭❀✳❁✷✂✺❂✭❀✹✥✹✻✴❉✱✶✰✵ ✺❂✬❄✺❂✶ ✷✴❯❄✵✭✰✹✶✴✷☎✻ ✯✱✵ ✳✴✵✥✯✽✲✴✯❭❃✼✻✰❖❁✶❀✺❂✶✴✷✾✵✭✰✳❋❃✮✷❙✶❀✳❁❉✴✶❀✺✎❉✧❃ ❅❈❆ t ✸ t ✸ t ✸ ✵✭✰✹✶✧✷✂✵✭✰✳❋✭ ✯✱✵ ✳✴✵✥✯✽✲✴✯ ✵✭✰✹✶✧✷✂✵✭✰✳❋✭ ❉✰✵❃✼✷☎✶✰✳❁✬✮✻❚✭❀✺✣✷✾✵ ✯❋✻ ✵✭❀✹✶✴✷✾✵✭✰✳❋✭ ✯✱✵✥✳✧✵✥✯✱✲✧✯✈❃✮✻✰❖❁✶❀✺✎✶✧✷✂✵✭✰✳ ✸☎✸ ✵ ✳❁♠❄✷✂✺❂✶✰✵ ✹◆❃✼✻❀❖❁✶✰✺❂✶✧✷✂✵✭✰✳❋❊●▲✴✵ ✹✻ ❃✮✻✰❖❁✶❀✺✎✶✧✷✂✵✭✰✳✱◗❘✻✴✷❙❊✐✻✧✻✰✳❋❃✼✷✾✺❂✻✴✶✰✯❋❃ ◗❁✻✧✷❙❊✐✻✧✻✰✳❋✶✰✺❬✺❬✵❯✮✶✰✹◆✷✾✺❂✶ ✵✬❩✶✰✳❁❉ ✸ ✸ ✸ ✸❙✸ ✸☎✸ ✸ ✭❀✳ ✵ ✳❁✶✰✹✉✶✰❖✴❖✧✺❂✭✴✶✴✬❄▲❋✷☎✭ ✭ ✶✰✵ ✺❂✬❄✺❂✶ ✷✰✹✶✰✳❁❉❀✵✥✳❘❍❚✭❀✳❋❉✰✵ ✻✰✺❂✻✰✳❘✷ ❉✴✻❀❖❁✶✰✺❂✷✾✲✴✺❂✻✱✷✾✺❂✶ ✵✬ ✺❂✭✰✯✇✳❘✻✴✶✰✺❬◗❁❏ ❃✮✶✰✯❋✻❳✺❬✲✴✳❁❊✐✶✧❏ ✸ ✺❬✲✧✳❁❊✐✶✴❏✼❃ ✻✴✻✴❉✧✻✰✺❡✶✰✵✥✺❬❖❘✭✰✺❂✷❙❃▼❛ ❅❈❆ ❥❊✐✭✱✶✰✵ ✸ ✸ ❥ ✸ ❪ ✸ ❪ ✸ ✸ ✺❂✬❄✺❂✶ ✷✴✭❀✳ ✵ ✳❁✶✰✹ ❊❦✭✱✶❀✵✥✺❂✬❄✺❂✶ ✷❀✹✶✰✳❘❉✰✵ ✳❁❍ ✳❋✶❀✵✥✺❂✬❄✺❂✶ ✷✧❯❄✵✭❀✹✶✧✷❙✻✧❃❧✷✾▲❁✻ ✳❋✶❀✵✥✺❂✬❄✺❂✶ ✷ ✶❀✵✥✹❃ ✶✰❖✴❖✧✺❂✭✴✶✴✬▼▲❤✷☎✭❳❖❁✶❀✺❂✶✰✹✥✹✻✰✹ ✬✼✭❀✳❁❃✼✻✧✬❄✲❁✷✾✵❯✮✻✰✹❏❩✭❀✳❋❉✰✵ ✸☎✸✻✰✺❂✻✰✳❘✷ ✳❁✭✰✳❘♠♥✷✾✺❂✶✰✳❁❃✮❍✰✺❂✻✴❃✼❃❄✵✭✰✳❋♦✮✭✰✳❁✻ ✷☎✭s✯❲✶✰❨◆✻✱✷✾✲✴✺❬✳ ✸ ✺❬✲✴✳❁❊✐✶✴❏✮❃❈✳❁✭✴✷✧❃❄❖❁✶✴✷✾✵✶✰✹ ✹❏ ✺❬✲✴✳❘❊❦✶✧❏✼❃❈✵✥✳✱✵ ✳❁✷☎✻✰✺❂❃✼✻✧✬✼✷✾✵✥✳❁❍✱✭❀✺ ❊●▲✴✵ ✹✻✱✶✰✵ ✺❬❖❁✭✰✺❂✷❀✵❃❩✬✼✭❀✳❁❉✰✲❘✬✼✷✂✵ ✳❁❍ ✺✎✭❀✯①◗❘✶✴❃✼✻✱✷☎✭ ❃✼✷☎✶✴❍✴❍✧✻✰✺❂✻✴❉✰❛ ✬✼✭❀✳❁❯✼✻❀✺✎❍❀✵✥✳❘❍✱✭✰❖❁✻✰✺❂✶✧✷✂✵✭✰✳❘❃❧❯▼✵✭❀✹✶✴✷☎✻ ✸ ✵✥✳❘❉✴✻✰❖❘✻✰✳❁❉✧✻✰✳❁✷❀♣❙P❘qr✶✰❖✴❖✧✺❂✭✴✶✴✬❄▲❘✻✴❃ ✵✥✳❁✶❀✹◆✶✰❖✧❖✴✺❂✭✴✶✴✬▼▲✴❛ ✸❙✸ ✯✱✵ ✳✴✵ ✯✱✲✴✯❭❉✰✵ ✻✰✺❂✻❀✳❁✬✼✻❳✵ ✳ ✷☎✭s❖❘✶✰✺❂✶✰✹ ✹✻❀✹✼✺❬✲✴✳❁❊✐✶✧❏✼❃❄❛ ✷✾▲✴✺❂✻✴❃❄▲❘✭✰✹❉✱✬❄✺❂✭✴❃✼❃▼✵✥✳❁❍✱✷✾✵ ✯❋✻✰❛ ✝✟✚✎✝✟✄☎✛✟✔✓✜✧✢✥❫✟❵ ✂✁☎✄☎✆✝✟✞✡✠☞☛✟✌☎☛✟✏✑✓✒✕✔✟☛✟✖✁✎✄☎✗✄ Example Fault Tree for ATC Arrival Traffic (2) ✿✭❀✳❁✷✾✺❂✭✰✹✥✹✻✰✺✡✵✥✳❘❃✼✷✾✺❬✲❁✬✼✷✾✵✭❀✳❁❃❩❉✴✭❳✳❁✭✧✷✴✬✼✶❀✲❁❃✼✻ ✶✰✵✥✺❂✬▼✺✎✶✸ ✷✧✷❙✭❳✯❋✶❀❨◆✻❳✳❁✻✧✬✼✻✴❃✼❃✮✶✰✺❂❏❩❃❄❖❁✻✧✻✴❉✱✬❄▲❁✶❀✳❁❍✴✻ ❅❈❆ ✿✭✰✳❘✷✂✺❂✭❀✹✥✹✻✰✺❡❉✴✭✴✻✧❃ ✿✭✰✳❘✷✂✺❂✭❀✹✥✹✻✰✺✡✵❃✼❃▼✲❁✻✴❃ ✿✭✰✳❘✷✂✺❂✭✰✹ ✹✻✰✺❢✵❃✼❃❄✲❘✻✴❃ ✿✭❀✳❁✷✾✺❂✭✰✹✥✹✻✰✺✡✵❃✮❃❄✲❁✻✧❃ ✿✭❀✳❁✷✾✺❂✭✰✹✥✹✻✰✺✡✵❃✮❃❄✲❁✻✧❃ ✳❘✭✴✷✰✵❃✼❃❄✲❘✻✱❃❄❖❁✻✴✻✧❉ ✶❀❖✴❖✴✺❂✭✰❖✧✺❬✵✶✧✷❙✻✱❃❄❖❘✻✴✻✴❉ ✶✰❖✧❖✴✺❂✭✰❖✧✺❣✵✶✴✷☎✻✱❃❄❖❁✻✧✻✴❉ ❃❄❖❁✻✴✻✧❉✱✶✴❉✴❯▼✵❃✼✭❀✺❂❏ ❃❄❖❁✻✴✻✧❉✱✶✴❉✴❯▼✵❃✼✭❀✺❂❏ ✶✧❉✴❯❄✵❃✼✭✰✺❂❏ ✶✧❉✴❯❄✵❃✼✭✰✺❂❏❈◗✴✲❘✷✰❖✴✵ ✹✭✧✷ ✶✴❉✧❯❄✵❃✼✭✰✺❂❏❩✶✰✳❁❉❳❖✧✵✥✹✭✴✷ ✷✂▲❘✶✴✷✴❉✧✭✴✻✴❃❈✳❁✭✧✷ ✷❙✭✧✭❳✹✶✴✷☎✻✱✷☎✭✱✶✴❯✼✭❀✵❉ ❉✧✭✴✻✴❃❈✳❁✭✧✷✰✺❂✻✴✬✮✻✰✵❯✮✻❳✵ ✷✾❛ ✺❂✻✴✬✮✻✰✵❯✮✻✴❃❈✵ ✷❀◗✴✲❁✷✧❉✴✭✴✻✧❃ ✶✴❯✼✭✰✵❉✱❃✼✻❀❖❁✶✰✺❂✶✴✷✾✵✭✰✳ ❃✼✻✰❖❁✶❀✺❂✶✴✷✾✵✭✰✳ ✸ ✳❁✭✧✷ ✭✰✹ ✹✭✴❊❜✵ ✷✂❛ ❯❄✵✭❀✹✶✧✷✂✵✭✰✳ ❯❄✵✭❀✹✶✧✷✂✵✭✰✳✴❛ ❅❈❆ ❑ ▲❁❏✼❃▼✵✬✮✶✰✹ ❱ ✲✴✯❲✶✰✳ ✿✭❀✳❁✷✾✺❂✭✰✹✥✹✻✰✺✡✵❃✮❃❄✲❁✻✧❃ ✬✮✭✰✯✱✯✱✲✴✳✧✵✬✮✶✴✷✂✵✭✰✳ ✬✼✭✰✯✱✯✽✲✴✳✴✵✬✼✶✴✷✾✵✭✰✳ ❃▼❖❁✻✴✻✧❉❚✶✧❉✴❯❄✵❃✼✭✰✺❂❏ ✸✶✰✵ ✸ ✸ ✹✥✲✧✺✎✻ ✶✰✵ ✹✥✲✧✺✎✻ ✷❙✭✱❊●✺❂✭✰✳❘❍❚✶❀✵✥✺❂✬❄✺❂✶ ✷ ❅❇❆ ❅❈❆ ❆✶✧❉✰✵✭ ✸✶❀✵✥✹ ✲✴✺❂✻ ❆✶✴❉✰✵✭✱✭✰✳❋❊●✺❂✭✰✳❁❍ ❑❃✼❏✼✬▼▲❁✭✰✹✭✴❍✰✵✬✼✶❀✹◆❃❄✹ ✵✥❖ ❝✺❂✭✰✳❘❍❳✹✶❀◗❁✻✰✹ P❁✶✰◗❘✻✰✹✼✵ ✳ c ✙ ✸ ✺✎✻✧■✰✲❁✻❀✳❁✬✼❏ ✶✴❃✼❃✮✭✴✬❄✵✶✴✷☎✻✴❉✱❊●✵ ✷✾▲ ✯✱✵❃▼✹✻✴✶✧❉✰✵ ✳❁❍ ✶✰✵ ✸ ✺❂✬❄✺❂✶ ✷✴✭✰✳ ❖✴✹✶✧✬✼✻✱✭✰✳ ❖✴✹✶✰✳❁❯▼✵✻✴❊❞❉✰✵❃❄❖✴✹✶✴❏ ❃✼✬❄✺❂✻✴✻❀✳
System Hazard Analysis FTA Evaluation Graphical format helps in understanding system and relationship between events Can be useful in tracing hazards to software interface and identifying potentially hazardous software behavior Cuts sets denote weak points of a complex design Dependencies(common-cause failure points)not easy to see Requires a detailed knowledge of design, construction, and operation of system System Hazard Analysis FTA Evaluation(2) A simplified representation of a complex process sometimes too simplified. Tends to concentrate on failures Quantitative evaluation may be misleading On U.s. space programs where FTA (and FMEA) were used extensively, 35%of actual in-flight malfunctions were not identified or were not identified as credible
\System Hazard Analysis FTA Evaluation Leveson − 143 c operation of system. Requires a detailed knowledge of design, construction, and Dependencies (common−cause failure points) not easy to see. Graphical format helps in understanding system and relationship between events. identifying potentially hazardous software behavior. Can be useful in tracing hazards to software interface and Cuts sets denote weak points of a complex design. c Leveson − 144 \System Hazard Analysis sometimes FTA Evaluation (2) A simplified representation of a complex process too simplified. Tends to concentrate on failures. Quantitative evaluation may be misleading. On U.S. space programs where FTA (and FMEA) were used extensively, 35% of actual in−flight malfunctions were not identified or were not identified as credible
Event Tree Analysis Developed for and used primarily for nuclear power Underlying single chain of events model of accidents Forward search Simply another form of decision tree Problems with dependent events reson-146 Event Tree EXample 2 Pipe break: Electric power: ECCS Fission product: Containment removal ntegrity Succeeu-Pl Succeeds 1一P4 Fails P1xP5 P5 Succeeds Succeeds P1xP4 Fails P1xP4x P5 Available Succeeds 1-P4 P1x P3 Initiating event Fails Fails P1xP3X P4 P4
c Leveson − 145 Event Tree Analysis Developed for and used primarily for nuclear power. Underlying single chain of events model of accidents. Forward search Simply another form of decision tree. Problems with dependent events. Leveson − 146 Event Tree Example P1 P1 x P5 P1 x P4 P1 x P4 x P5 P1 x P3 P1 x P3 x P4 c 1−P5 P5 1−P5 P5 P4 1−P4 P4 1−P4 P3 1−P3 1−P2 P1 Fails Fails Fails Fails Fails Succeeds Succeeds Succeeds Succeeds Succeeds Available Initiating event Containment integrity Fission product removal Pipe break Electric power ECCS 1 2 3 4 5 Fails P1 x P2 P2
-147.148 System Hazard Analysis Event Trees vs Fault trees Relief valve 1. Relief valve 2 Pressure decreases Pressure Pressure decreases Fails Explosing Relief valve 1 Relief valve 2 A too high Operator does not Valve Computer does no Valve perator failure open valve I know to open valve 2 Pressure Comput monitor oes not issue indicator indicator /\light fails too late
c Leveson − 147,148 System Hazard Analysis Event Trees vs. Fault Trees Relief valve 1 Relief valve 2 Opens Pressure decreases Fails Opens Fails too high Pressure Pressure decreases Explosion open valve 1 Computer does not failure Valve Valve 1 Open does not issue light fails indicator indicator position fails on on command to open valve 1 Computer Computer output too late Pressure monitor failure Operator does not know to open valve 2 inattentive Valve Operator failure does not open Relief valve 2 Explosion Relief valve 1 does not open Pressure too high
OLev System Hazard Analysis ETA Evaluation Events trees are better at handling ordering of events but fault trees better at identifying and simplifying event scenarios Practical only when events can be ordered in time(chronology of events is stable)and events are independent of each other Most useful when have a protection system Can become exceedingly complex and require simplication Separate tree required for each initiating event Difficult to represent interactions between events Difficult to consider effects of multiple initiating events Defining functions across top of event tree and their order is difficult Depends on being able to define set of initiating events that will produce all important accident sequences Probably most useful in nuclear power plants where all risk associated with one hazard (serious overheating of fuel) designs are fairly standard large reliance on protection systems and shutdown systems
Leveson − 149,150 System Hazard Analysis c ETA Evaluation Events trees are better at handling ordering of events but fault trees better at identifying and simplifying event scenarios. Practical only when events can be ordered in time (chronology of events is stable) and events are independent of each other. Most useful when have a protection system. Can become exceedingly complex and require simplication. Separate tree required for each initiating event. Difficult to represent interactions between events Difficult to consider effects of multiple initiating events. Defining functions across top of event tree and their order is difficult. Depends on being able to define set of initiating events that will produce all important accident sequences. Probably most useful in nuclear power plants where all risk associated with one hazard (serious overheating of fuel) designs are fairly standard large reliance on protection systems and shutdown systems
System Hazard analysis Cause-Consequence Analysis Used primarily in Europe A combination of forward and top-down search Again based on converging chain -of-events Diagrams can become unwieldy Separate diagrams required for each initiating event Cause-Consequence Uncontrolled Diagram eaction Valve failure does not critical event Pressure too high open Relief valve 1 opens? YesNo Operator Valve does not failure open Relief valve 2 opens? N Pressure reduced Explosion
Cause−Consequence Analysis Leveson − 151 System Hazard Analysis A combination of forward and top−down search. Again based on converging chain−of−events. Diagrams can become unwieldy. Separate diagrams required for each initiating event. Used primarily in Europe. c c Leveson − 152 System Hazard Analysis Cause−Consequence Diagram critical event open does not Computer Pressure too high opens? Valve Operator open Valve reaction Yes No Relief valve 1 Pressure Explosion reduced does not Yes No Relief valve 2 failure opens? failure Uncontrolled
HAZOP: Hazard and Operability Analysis Unlike most techniques, HAZOP can identify hazards Based on model of accidents that assumes they are caused by deviations from design or operating intentions Purpose is to identify all possible deviations from the designs expected operation and all hazards associated with these deviations Software Deviation Analysis(Jon Reese System Hazard Analysis HAZOP Guidewords Guideword Meaning NO NOT The intended result is not achieved, but nothing else happens NONE (such as no forward flow when there should be) MORE More of any relevant physical property than there should be (such as higher pressure, higher temperature, higher flow, or higher viscosity) LESS Less of a relevant physical property than there should be AS WELL AS An activity occurs in addition to what was intended, or more components are present in the system than there should be (such as extra vapors or solids or impurities, including air water, acids, corrosive products) PART OF Only some of the design intentions are achieved (such as only one of two components in a mixture) REVERSE The logical opposite of what was intended occurs(such as backflow instead of forward flow) OTHER THAN No part of the intended result is achieved, and something completely different happens(such as the flow of the wrong material)
c System Hazard Analysis Leveson − 153 HAZOP: Hazard and Operability Analysis Unlike most techniques, HAZOP can identify hazards. Based on model of accidents that assumes they are caused by deviations from design or operating intentions. Purpose is to identify all possible deviations from the design’s expected operation and all hazards associated with these deviations. Software Deviation Analysis (Jon Reese) c Leveson − 154 System Hazard Analysis HAZOP Guidewords NONE NO, NOT, Guideword The intended result is not achieved, but nothing else happens Meaning (such as no forward flow when there should be) MORE or higher viscosity). (such as higher pressure, higher temperature, higher flow, More of any relevant physical property than there should be LESS Less of a relevant physical property than there should be. AS WELL AS water, acids, corrosive products). (such as extra vapors or solids or impurities, including air, components are present in the system than there should be An activity occurs in addition to what was intended, or more PART OF one of two components in a mixture). Only some of the design intentions are achieved (such as only REVERSE backflow instead of forward flow). The logical opposite of what was intended occurs (such as OTHER THAN material). completely different happens (such as the flow of the wrong No part of the intended result is achieved, and something
