© CHSS Ltd 2007
Page 2 of 66 Sales Ref: sc/715/v2.1
Contents

Assessing and Evaluating Risk
Definitions
Hazard Identification
Who may be Harmed and in What Circumstances
Evaluating the Risks
Record the Significant Findings
Review
Task Analysis
MEEP Analysis
Information Sources
Accident and Incident Data
Risk Rating
Principles and Techniques of Failure Tracing Methods
The Basic Concept of HAZOP
Relation to other Analysis Tools
Failure Modes Effects Analysis (FMEA)
Fault Tree Analysis
And/Or Gates
Numerical Evaluation of Fault Tree
Event Tree Analysis
References

Tables

Table 1: Risk Assessment Factor
Table 2: Action Required
Table 3: Risk Assessment Matrix
Table 4: Public Tolerance of Incidents
Table 5: Tolerability of Risk from Nuclear Power Stations, HSE
Table 6: A List of Guide Words
Table 7: Completed HAZOP Study Results
Table 8: Sample FMEA Worksheet for a Hydraulic System
Table 9: Sample FMEA Worksheet for a Hydraulic Pump
International Diploma-A3

Contents Cont’d

Figures

Figure 1: Flow Diagram Demonstrating Risk Management
Figure 2: Accident Triangles, HSG 65
Figure 3: Tolerability of Risk from Nuclear Power Stations, HSE
Figure 4: An Example of a Simple Flowsheet
Figure 5: Why do we Want to Apply Numerical Methods to Safety Problems?
Figure 6: Or Gate
Figure 7: And Gate
Figure 8: Example Fault Tree
Figure 9: Numerical Evaluation of Fault Tree (and Gate)
Figure 10: Numerical Evaluation of Fault Tree (or Gate)
Figure 11: Accident on a Roundabout
Figure 12: Example of a Fault Tree Numerical Analysis
Figure 13: Example Event Tree
Figure 14: Numerical Evaluation of an Event Tree
Figure 15: Worked Example Event Tree
Figure 16: Bow-Tie model
Assessing and Evaluating Risk

Risk Management can be defined as “…. the eradication or minimisation of the adverse effects of …. risks to which an organisation is exposed”. (Ridley and Channing, 1999)

The process of risk management is complex and contains a range of practices leading to the control of all elements of risk in the workplace. Risk assessment is the cornerstone for the management of health and safety at work. A suitable and sufficient assessment requires that greater risks be given more detailed assessments. Having identified the risks, the control measures must then be compared with minimum acceptable standards.

The following diagram demonstrates risk management as a flow diagram. See later for further explanation of the terms used.

Figure 1: Flow diagram demonstrating risk management

Before discussing the process of assessing and evaluating risk there must first be clarification on the key terminologies.
Definitions

Hazard

The dictionary definition of hazard is “chance, risk, danger” and hazardous is “risky” which is of little help in distinguishing between the terms hazard and risk for the purpose of assessing and evaluating risk. For health and safety purposes the definition of hazard is “the potential to cause harm”. This is a very broad definition and in many ways can be interpreted to mean anything. It would be helpful therefore to categorise hazards to make identification easier. Hazards may be either:

- Physical e.g. noise, heat, electricity, machinery, gravity, water.
- Chemical e.g. acid, alkali, oils.
- Biological e.g. legionella, HIV virus, hepatitis virus (usually a disease causing agent).
- Psychological e.g. trauma, workload/pressure/hours of work.
- Ergonomic e.g. wrongly sited controls and indications, physical stress.

Risk

Again from the normal use of the word i.e. risk, the dictionary definition is “chance of disaster or loss”. Clearly this implies a certain probability of occurrence or likelihood. Again for the purpose of assessing and evaluating risk this must be clear and is defined as “the probability of harm from a particular hazard being realised”.

For example noise is a hazard i.e. has the potential to cause harm. The risk is the likelihood that it actually will cause harm. Clearly this is dependent on a number of different factors (risk factors) such as how loud the noise is, the frequency of the noise, how long an individual is exposed to the noise, the individuals’ personal characteristics / predisposition to suffering with noise related effects, previous exposure and so on.

Most people undertake risk assessment as a normal part of their everyday lives. Activities, such as crossing the road and driving to work, routinely call for a complex and ongoing analysis of the hazards and risks involved in order to avoid damage and injury. Therefore most people are able to recognise hazards as they develop and take corrective action. People do, for a variety of reasons, have widely different perceptions regarding risk and would find it difficult to apply their experience to formal workplace risk assessments.

There are many variations on the risk assessment process, the following system is based on the “5 Steps to Risk Assessment” IND (G) 163L published in the UK by HSE.
Risk Assessment Involves Five Steps:

- Look for and identify the hazards.
- Decide who might be harmed and in what circumstances.
- Evaluate the risks arising from the hazards and decide whether the existing precautions are adequate or more should be done.
- Record the significant findings.
- Review the assessment if there is a significant change or evidence that the original assessment was inadequate.

Hazard Identification

Hazard identification can be completed in a number of different ways. Proactively the process can be completed through organised inspections, samples, surveys, tours and reactively by examining injury / accident and ill-health reports.

Inspections: Strictly, safety inspections should be considered to be a monitoring tool or technique rather than a hazard identification exercise. The purpose of an inspection is to identify hazards that are not controlled to an acceptable standard at the time of the inspection. Hazards that appear to be well controlled at that time will usually be ignored. This ‘Snapshot’ approach is not sufficiently thorough to be relied upon for the purposes of risk assessment since the control measures that were in place may not remain in place for long.

The reasons for avoiding an over reliance on workplace inspections as a means of identifying hazards are:

- For the purposes of risk assessment all hazards (i.e. anything with the potential to cause harm) must be considered. If for example, an inspection failed to identify any unsafe electrical equipment / wiring it would not be listed as a hazard and might not be assessed. The use of electrical equipment clearly needs to be assessed very thoroughly.
- Visual inspections are poor at detecting unsafe acts, lack of training and inadequate operating procedures, all of which are key issues in risk assessment.
- Psychological, biological and ergonomic hazards are not easy to identify by visual inspection.

Samples: This is a random sampling exercise in which observers follow a predetermined route usually at normal walking pace and note any omissions or non-compliances. The number of non-compliances, etc. is counted to provide a score of the overall effectiveness of the safety performance. The technique has little scientific validity (the observer’s attentiveness is sure to vary) but has the advantage of raising the profile of the safety improvement effort.
Surveys: As with building surveys, a safety survey is normally carried out by a specialist who will either be focussing on specific topics (e.g. a survey of fire precautions) or will be asked to report on the main strengths and weaknesses. Detailed reports are normally produced as a result of surveys.

Tours: A safety tour is (usually) an unscheduled examination of the workplace to assess whether or not acceptable standards of housekeeping, safe access, fire precautions, etc… are being maintained. Some hazards may be identified but a tour gives a general impression rather than a thorough analysis of hazards.

Injury and ill health Reports: Accident statistics can be a useful tool when identifying risks which are not well controlled. The organisation should have specific event recording systems in place to ensure that all relevant data is gathered in sufficient detail to facilitate proper analysis. When analysed the statistical information can be manipulated to provide important causal leads on risk areas where action should have been taken or indeed where the action taken is not appropriate to minimise the risks.

Who May be Harmed and in What Circumstances

In making an overall assessment of “risk”, it is necessary, through the art or science of estimating (or guesstimating), to take account of the likelihood of harmful circumstances happening and the severity of the injury that might result.

The primary purpose of risk assessment is to enable decisions to be made on the need for action and on the priority of action, for example a hazard assessed as high risk will require immediate action and perhaps considerable expenditure whereas a low or negligible risk can be given a less pressing timescale for action and costs expended may be limited. This is based on the ‘reasonably practicable’ principle. A different approach will be necessary in the case of absolute legal requirements or those qualified only by the word ‘practicable’.

The assessment should be recorded, i.e. documented.

It is important to ensure that all groups of employees and others who might be affected are considered, do not forget office staff, night cleaners, maintenance staff, security guards, visitors, members of the public and anyone else who may be affected by the work activity. Specific action should be taken to identify groups of employees who might be especially at risk, e.g. young persons, new or inexperienced workers, those who work alone, any disabled staff or pregnant workers. Account must also be taken of the presence of any risks to visitors, the general public.
Evaluating the Risks

Risk assessment requires an evaluation of two principal factors:

- Likelihood – a subjective or objective evaluation of the probability of occurrence, and
- Severity – the scale of the consequences of the occurrence.

The judgement of risk rating may then be via qualitative means, which are based on the experience and expertise of the assessor, semi-quantitative which provides a crude scoring mechanism and allows the risks to be rated and prioritised. This technique is particularly useful for justifying expenditure on risk control relative to other risks and quantitative assessments from probability data.

Likelihood

This requires an assessment or evaluation of the likelihood (probability) of the hazard resulting in a loss. This can be assessed by relating to accident statistics or common sense. In some cases the information can be obtained from manufacturers' data, published guidance or other published information. Consideration will need to be given to the following:

- Where is the hazard?
- How many people are affected?
- How knowledgeable are they?
- How many times does the hazard occur (frequency)?
- What is the extent of possible exposure (duration, time, concentrations etc)?

Severity

This requires an assessment or evaluation of the possible outcome(s) if the hazard was not sufficiently controlled and things went wrong. In selecting the appropriate category it is important to be realistic. For example it is remotely possible that someone tripping over a cable in an office may be killed, the most probable result is bruising or at worst a fractured bone. If however the cable is trailing across the top of a very busy stairs then a single death or even multiple deaths could be a more appropriate assessment.
Risk rating using qualitative or semi-quantitative means is often referred to as ‘relativistic’ assessment since it is scored relative to other risks, whereas quantitative assessments are often described as ‘probabilistic’ assessments.

Truly quantitative assessments based on the probabilities of events (such as the failure of safety critical components, etc) are difficult to apply in most situations. This is because the data needed to calculate probabilities is simply not available. Probability theory is based on the scale that extends from 0 – 1, where zero represents no occurrence and 1 represents a certainty. Where the data is available for a series of linked events e.g. a flammable gas release followed by an ignition source then the final probability of the last event can be calculated.

Specific techniques such as Hazard and Operability (HAZOP) studies, Fault Tree Analysis (FTA), Failure Modes and Effects Analysis (FMEA) and Event Tree Analysis (ETA) can be used to determine the frequency of events occurring or the probability that a particular event will occur. In order to carry out these advanced risk assessment techniques, the numerical data must be supplied. Such techniques are applied in high risk processes and industries such as nuclear installations and in aviation for example.

A useful, although not wholly scientific, method of estimating likelihood and severity can be useful when determining priority as regards health and safety effort. This semi-quantitative approach is not absolutely essential and, even when it is used, it should not mask the main purposes of the assessment as discussed earlier. There are many versions of the technique, the following system is taken from the UK’s HSE document Successful Health and Safety Management HSG 65.

The Severity of harm:

1) Minor (for example, all other injuries including those where people are off for periods of up to three days).
2) Medium (for example injuries where people may be off work for more than three days).
3) Major (for example death or major injury as defined in RIDDOR).

The Likelihood of harm:

1) Low (where harm will seldom occur).
2) Medium (where harm will occur frequently).
3) High (where it is certain or near certain that harm will occur).
                       Likelihood of event
Severity of outcome    Low (1)    Medium (2)    High (3)
Minor (1)              1          2             3
Medium (2)             2          4             6
Major (3)              3          6             9

Table 1: Risk Assessment Factor

Multiply the Severity number by the Likelihood number to arrive at the risk factor for each hazard. This produces a number on a scale of 1 to 9. These numbers provide an indication of priority and the extent of the risk, the higher the number the greater the priority and risk and therefore the more resources which may be needed to control the risk. As a rough guide:

6 or 9       is a high risk and may require the provision of considerable resources involving special equipment, training, high levels of supervision, and consideration of the most effective methods of eliminating or controlling hazards (see principles of control).
2, 3 or 4    is a significant risk and will require an appropriate level of resources.
1            is a low risk but actions should still be taken to try to reduce these risks further if possible within reasonable limits.

Table 2: Action Required

Note that this system provides an indication of risk only and is based on subjective judgement therefore employers must satisfy themselves that the risk assessment and the actions taken to deal with the hazards they have identified are adequate.

Some ‘organisations’ are using a matrix similar to the one above but with four, or more usually five, rows and columns for likelihood and severity.

A more complicated technique will involve giving numerical ratings to a number of factors such as the numbers of people exposed to hazards, and the number of times a hazard has occurred. The number of times an accident has resulted from this type of hazard in the past can also form part of the assessment.
Alternative Risk Assessment Matrix

The purpose of the Risk Assessment Matrix (RAM) is to set objectives for actions, budgets and resources.

Using the RAM, risk is classified by three characters:

- A measure of the likelihood of an event, scaled as A (low) to E (high).
- A measure of the consequence severity with that event, scaled as 1 (low) to 5 (high).
- The category of consequence: People (P), Asset (A), Environment (E) or Reputation (R).

The intersection of the chosen column with the chosen row is the risk classification. Incidents can have consequences in all four consequence categories. In fact, for the same scenario, different classifications may apply to P, A, E, and R. The overall risk of an incident is classified according to which of the consequences has the highest rating.

The level of risk then determines the priority for action. With increasing risk the priority for action increases, with an increasing call on resources and increasing management involvement.

The red coloured shading in the RAM represents the high risk area, yellow the medium risk area and blue the low risk area. When the RAM is applied to make judgements in the light of the agreed risk tolerability criteria, the blue, yellow and red areas are normally set as follows:

Blue area: Manage for continuous improvement. Risk controls are specified in the Health, Safety and Environment Management (HSEMS). The management of the risk is within the accountability of the competent staff, using existing procedures.

Yellow area: Incorporate risk reduction measures to reduce the risk to a level which is as low as reasonably practicable (ALARP). Management starts to become involved more. The control level to be reached is ALARP and this needs to be demonstrated in the HSEMS. Additional controls should be applied to show risks have been reduced to ALARP.

Red area: Tolerability of risk to be endorsed to the management. These risks are too serious to be left to the standard procedures in the management system. Additional controls are required.
Consequence severity

Severity  People               Assets            Environment       Reputation
0         No injury            No damage         No effect         No impact
1         Slight injury        Slight damage     Slight effect     Slight impact
2         Minor injury         Minor damage      Minor effect      Limited impact
3         Major injury         Localised damage  Localised effect  Considerable impact
4         Single fatality      Major damage      Major effect      National impact
5         Multiple fatalities  Extensive damage  Massive effect    International impact

Increasing Probability

A  Never heard of in the industry
B  Has occurred in the industry
C  Incident has occurred in Opco
D  Happened several times a year Opco
E  Happened several times year location

Risks: Low, Medium, High

Table 3: Risk Assessment Matrix

Record the Significant Findings

The record should lead management to take the relevant actions to protect health and safety. It also forms the basis for the organisation’s action plan. It should therefore be linked to other documents such as the health and safety policy and may refer to procedures and health and safety arrangements. Remember that the format of the record is not laid down in law but it should not over complicate the assessment nor trivialise the risks. The records should therefore cover the following key points:

- Identify significant findings such as the hazards and the risks they present.
- Identify the individuals affected which could include persons not directly under the control of the employer, e.g. members of the public.
- Identify existing controls and the need for further controls as necessary.
- Refer to other documents where appropriate, e.g. guidance, etc.
Review

Assessments should be reviewed if:

- There is reason to suspect that it is no longer valid.
- There has been a significant change in the matters to which it relates.
- Evidence that the original assessment is inadequate.

Evidence of injuries, ill health or near misses would be among the reasons for suspecting that an assessment may no longer be valid. Accident / incident investigations should routinely consider whether or not the risk assessment needs to be reviewed.

Some of the ‘significant changes’ that might require a review of the risk assessment are:

- The workplace layout.
- New process or plant which is not covered in the original assessment or introduces a significant change to the working environment.
- Increased work throughput / rate.
- The competence of the people carrying out the work.
- New information about the hazards.
- New legal requirements / change in acceptable standards.
Task Analysis

Job Safety Analysis

Job Safety Analysis (JSA) is a work study technique in which a task is carefully observed and every detail recorded. The method of working is then evaluated so as to identify hazards. An ‘ideal’ safe method is then developed and implemented. The process is often used in conjunction with the development of Safe Systems of Work.

The process is as follows:

- Select the process to be studied. Priorities are often based on previous accidents.
- Record in detail how the job is done, the equipment and materials used and any hazards involved. This is best done by observation and discussion with those ‘job holders’ actually doing the job under review. The information can be recorded on a chart or JSA worksheet.
- Evaluate the risks involved in the activity (refer to accident records etc).
- Develop a safe system for carrying out the work. At this stage reference is made to applicable standards, codes of practice, legislation, etc.
- Implement the safe system, e.g. work instructions, safety training etc.
- Maintain the system (by supervision, etc) and monitor those who carry out the work to ensure that the system does not deteriorate.

In many ways ‘job safety analysis’ is similar to the risk assessment process. As noted above, there is no predefined format for the recording of JSA work but this will be determined by the organisation systems and the needs of the employer.

Job Safety Analysis goes further than merely identifying hazards. The distinctive feature is the work study style observation of how the work is done followed by careful evaluation to develop the ‘ideal’ system of work.
MEEP Analysis

MEEP Approach

All risks arising from the work activity must be assessed. The degree of detail of analysis should depend on the level of risk involved, but in any case all components of the work should be included in the analysis. The activity can be broken down into individual elements so that hazards – conditions or actions, at each stage can be analysed. A useful approach to ensuring the key areas are considered for analysis is to consider the four main elements of the activity.

Materials

What materials does the activity have the potential to expose employees to and how are they handled, mechanical or manual? Following consideration of this element risks can be controlled.

Equipment & Plant

What is used? Is it suitable? Consider the design and ergonomic factors, guarding arrangements, isolation from energy sources and other hazards which the equipment may produce such as noise and vibration, maintenance routines and statutory inspections where applicable.

Environment

Take into account the levels of lighting, heating, ventilation, environmental noise, welfare facilities, seating, access to, egress from, means of escape, etc. Does the condition of floors, layout and working space have an adverse effect on exposure to risks? Remember that for outdoor activities the weather can change very quickly and the hazards on a bright July morning are very different to a dark November afternoon.

People

Consider who is involved and their levels of competence. Is there specific information, training, instruction that is required and what level of supervision is adequate for the task being analysed? Do particular disabilities, the presence of the public or other persons have an effect on the activity and the level of risk involved?

Task analysis should then consider these points in adequate depth to ensure the development of a safe system of work.
Information Sources

When identifying hazards for the purpose of conducting risk assessments and subsequent evaluation of the risks the employer must consider the source of data for the evaluation which can of course be either internal to an organisation or external.

Internal Sources

- Health and safety practitioner (Advisor / Officer etc).
- Health and safety representative.
- Accident records.
- Medical records.
- Inspection reports.
- Risk assessments.
- Plant registers.
- Policies.
- Safety committee minutes.
- Company safety library.
External Sources

- National Government Bodies, e.g. UK HSE.
- International: European Health and Safety Agency, International Labour Organisation.
- National Safety Organisations / Professional Institutions.
- European & British Standards.
- Consultants and Specialists.
- CHSS.
- Libraries.
- Suppliers / Manufacturers: Suppliers of substances, plant, equipment, etc. Data sheets, manuals.

The Internet

A number of sites exist relating to health and safety including: www.hse.gov.uk (HSE website now has a very useful search engine for access to on-line information), and www.chssgulf.com (CHSS website).

Care must be taken when relying on data sourced from the internet since its use is unregulated. This makes for a vast data source but untrustworthy sites are commonplace.
International Information Sources

The International Labour Organisation (ILO)

The International Labour Organisation is the United Nations (UN) specialised agency which seeks the promotion of social justice and internationally recognised human and labour rights. It was founded in 1919 and is the only surviving major creation of the Treaty of Versailles which brought the League of Nations into being and it became the first specialised agency of the UN in 1946.

The ILO formulates international labour standards in the form of Conventions and Recommendations setting minimum standards of basic labour rights: freedom of association, the right to organise, collective bargaining, abolition of forced labour, equality of opportunity and treatment and other standards regulating conditions across the entire spectrum of work related issues.

It provides technical assistance primarily in the fields of:

- Vocational training and vocational rehabilitation.
- Employment policy.
- Labour administration.
- Labour law and industrial relations.
- Working conditions.
- Management development.
- Co-operatives.
- Social security.
- Labour statistics and occupational safety and health.

It promotes the development of independent employers’ and workers’ organisations and provides training and advisory services to those organisations. Within the UN system, the ILO has a unique tripartite structure with workers and employers participating as equal partners with governments.

Since 1994, the ILO has been engaged in a process of modernising and strengthening its labour standards system. In order to attain these objectives, the ILO assists member States as well as employers’ and workers’ organisations in ratifying ILO Conventions and implementing international labour standards.
European Agency for Safety at Work

The European Agency for Safety and Health at Work aims to make Europe’s workplaces safer, healthier and more productive. The European Agency acts as a catalyst for developing, collecting, analysing and disseminating information that improves the state of occupational safety and health in Europe. Located in Bilbao (Spain) the Agency has co-ordinated a network since 1997 with Focal Points in each Member State of the Union. The Agency is also a tripartite European Union organisation and brings together representatives from three key decision-making groups in each of the EU Member States – governments, employers and workers’ organisations.

The World Health Organisation (WHO)

The World Health Organisation, the United Nations specialised agency for health, was established on 7 April 1948. WHO’s objective, as set out in its Constitution, is the attainment by all peoples of the highest possible level of health. Health is defined in WHO’s Constitution as a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity.

Accident and Incident Data

There is no definition of accident or incident in law however a useful definition is that an accident is an unplanned, unwanted event which results in loss. In terms of health and safety loss is usually regarded as personal injury. In a similar fashion incident can be defined as an unplanned, unwanted event which had the potential to result in loss but didn’t for some reason. That reason usually being chance.

A correlation exists between the severity of an outcome of an event and the frequency of that event occurring. Subsequently there are more near misses than there are minor injuries than there are major injuries than there are fatalities.
Figure 2: Accident triangle, HSG 65 (1 Major / over 3 day lost-time injury; for every 7 minor injuries; for every 189 non-injury accidents)

For example drivers of cars for the most part during their driving life will experience a near miss, a fewer number will experience a collision, a fewer number still will experience a major collision. The actual numbers and ratios involved are not relevant however what is relevant is the figure of the relationship that there are a greater number of minor events than there are major events. Similarly if we take the view that an incident is the same as an accident without the outcome of an injury then by reducing the number of near misses it follows that the number of accidents and major accidents will be reduced.

When gathering accident and incident data for the purposes of monitoring risk control measures the employers must be confident that the accidents and incidents are actually reported and that under-reporting of events is not commonplace within the workforce.
Analysing Trends

By gathering accident and incident data over time an analysis can be performed whereby the numbers of events are measured over that time period. Whether the number of events actually increases or decreases will then give a measure of a trend over the period of time.

This trend time or trend analysis will now be subject to a number of different influences. As mentioned earlier the influence of under reporting, possibly even over reporting and of course the nature of the operation will influence the figures that are actually reported. Similarly where the amount of work that an organisation carries out is reduced consequently the number of undesirable events (accidents / incidents) will decrease regardless of any changes in safety management practices. Consequently the trend may be influenced by aspects other than the actual events themselves.

Because the number of events recorded will be influenced by these other parameters then the data recorded on the chart will include a number of peaks and troughs which can make ‘spotting the trends’ difficult. In order to counter this difficulty, one method of displaying the data will be by grouping the data recorded into for example quarterly time spans.

Risk Rating

Acceptability and Tolerability of Risk

The HSE have examined the concepts of acceptability and tolerability of risk in some detail in their document Reducing Risks, Protecting People, 2001. (See Element A2).

Acceptability does not necessarily mean tolerability. A dictionary definition of “accept” includes “agree to”, whereas the dictionary definition of “tolerate” includes “put up with”. Clearly agreeing to the presence of a particular risk and putting up with a particular risk are different concepts. Arguably acceptability relates to the willingness to accept the presence of a particular risk to secure certain benefits; to tolerate a risk implies the individuals who are at risk do not regard the presence of the risk as being a fact of life or negligible but something which needs to be regularly reviewed and controlled.

For example most people are undeterred from using the road and car as a means of transport despite learning that over 5,000 people are killed each year by traffic in the UK. Similarly despite the fact that there is an average chance of 1 in 10,000 women of dying as a result of childbirth people are not put off having children.

The view of risk varies significantly depending on whether the individuals are capable of judging the extent of the hazard by experience or whether there is a lack of understanding from the cause or the presence of the danger or whether there is a
Moreover. Risk familiarity / dread. Risk transfer or substitution. Hazards giving rise to concerns can be put into two broad categories: Individual concerns or how individuals see the risk from a particular hazard affecting them and things they value personally. This is not surprising since one of the most important questions for individuals incurring a risk is how it affects them. Societal concerns or the risks or threats from hazards which impact on society and which. Parliament or the Government of the day. Typical examples relate to nuclear power generation. Whether danger money is paid. This is not a misperception of risk by either. Societal risk is therefore a subset of societal concerns. unless they consider the risks as negligible. could have adverse repercussions for the institutions responsible for putting in place the provisions and arrangements for protecting people. though they may be willing to live with a risk that they do not regard as negligible. if realised. could provoke a socio-political response. The level of technology required to control the risk.g. while the public may look at the outrage involved. their family and things they value. Whether the alternatives are worse.g. Societal concerns due to the occurrence of multiple fatalities in a single event is known as societal risk. Naturally occurring hazards. Though they may be prepared to engage voluntarily in activities that often involve high risks. Local or media interest. were they to materialise. risk of events causing widespread or large scale detriment or the occurrence of multiple fatalities in a single event. Confidence in control measures. railway travel. they would want such risks to be kept low and clearly controlled.1 © CHSS Ltd 2007 . This type of concern is often associated with hazards that give rise to risks which. Perception of risk may be affected by factors such as: Who controls the risk. 
In many circumstances the risk assessor looks at the hazard associated with a situation or event. simply a different way of defining a particular risk. Page 23 of 66 Sales Ref: sc/715/v2. e. Benefits to individual / society. e. if it secures them or society certain benefits. A lack of understanding therefore can lead to a lack of toleration as a result of dread. The proximity of the risk.International Diploma-A3 large dread factor in terms of the consequence of realising risks. as a rule they are far less tolerant of risks imposed on them and over which they have little control. or the genetic modification of organisms.
Hazards giving rise to societal concerns share a number of common features. They often give rise to risks which could cause multiple fatalities; where it is difficult for people to estimate intuitively the actual threat; where exposure involves vulnerable groups, e.g. children; where the risks and benefits tend to be unevenly distributed for example, between groups of people with the result that some people bear more of the risks and others less, or through time so that less risk may be borne now and more by some future generation. People are more averse to those risks and in such cases are therefore more likely to insist on stringent Government regulation. The opposite is true for hazards that are familiar, often taken voluntarily for a benefit, and individual in their impact. These do not as a rule give rise to societal concerns. Nevertheless, activities giving rise to such hazards (for example, bungee jumping) are often regulated to ensure that people are not needlessly put at risk. In dealing with societal risk the term outrage is often used to describe the public’s reaction, based on a number of subjective, personal factors. These factors can be summarised in a series of questions about the potential hazard. To describe the outrage level, see what column these hazard criteria fit into: High outrage or Low outrage
Table 4: Public tolerance of incidents

High outrage | Low outrage
Coerced | Voluntary
Industrial | Natural
Exotic | Familiar
Memorable | Nondescript
Dreaded | Not dreaded
An emergency | Chronic
Not knowable | Knowable
Controlled by others | Controlled by the individual
Process is not responsive | Process is responsive
Done by someone unknown or not trusted | Done by someone trusted
If the words in the first column best describe the hazard, then the public outrage is likely to be high. Regardless of what the assessors believe, the public will perceive the hazard as being associated with a high risk. If, however, the words in the second column best describe the hazard, then the outrage is likely to be low. Where risks aren’t so clearly defined, risk communication and consultation are important.
Radon provides a good example of a situation where the public has a low outrage level where assessors consider that there is a high hazard level, while the Electro Magnetic Flux controversy provides an example of high public outrage and current low hazard estimates by assessors.
Levels of Fatal Risk (average figures, approximated)

Per annum | Risk
1 in 100 | Risk of death from five hours of solo rock climbing every weekend.
1 in 1,000 | Risk of death due to work in high risk groups within relatively risky industries such as mining.
1 in 10,000 | Risk of death in an accident at work in the very safest parts of industry.
1 in 1 million | General risk of death in a fire or explosion from gas at home.
1 in 10 million | Risk of death by lightning.

Table 5: Tolerability of Risk from nuclear power stations, HSE

"To the extent that we give remote risks any thought at all we do so knowing that each of us will ultimately die from some cause or other and that it could happen this year or next in any case. In fact on average in Britain a man of twenty has roughly a 1 in 1,100 chance of dying within a year, while for a man of forty the chance is around 1 in 600. At sixty it is 1 in 65 for a man and 1 in 110 for a woman. Each particular risk or cause of death is just one contributor to the overall risk we run." HSE, 2004
As Low as is Reasonably Practicable (ALARP)

"ALARP" is short for "as low as reasonably practicable". ALARP means that the level of risk has been balanced against the resources (time, money and manpower) necessary to combat the risk. Positive action is taken unless the cost of the action is grossly disproportionate to the risk. A risk that is controlled to the ALARP standard may be considered tolerable.

In essence, making sure a risk has been reduced ALARP is about weighing the risk against the sacrifice needed to further reduce it. The decision is weighted in favour of health and safety because the presumption is that the duty-holder should implement the risk reduction measure. To avoid having to make this sacrifice, the duty-holder must be able to show that it would be grossly disproportionate to the benefits of risk reduction that would be achieved. Thus, the process is not one of balancing the costs and benefits of the measures but, rather, of adopting measures except where they are ruled out because they involve grossly disproportionate sacrifices.

Extreme examples might be: To spend £1m to prevent five staff suffering bruised knees is obviously grossly disproportionate; but
To spend £1m to prevent a major explosion capable of killing 150 people is obviously proportionate.
In reality many decisions about the risk and the controls that achieve ALARP are not so obvious. Factors come into play such as ongoing costs set against remote chances of one-off events, or daily expense and supervision time required to ensure that, e.g. employees wear ear defenders set against a chance of developing hearing loss at some time in the future. It requires judgement. There is no simple formula for computing what is ALARP. Figure 3: Tolerability of risk from nuclear power stations, HSE, 2001
Boundary Between the 'Broadly Acceptable' and 'Tolerable' Regions for Risk Entailing Fatalities

The HSE believes that an individual risk of death of 1 in 1,000,000 (10^-6) per annum for both workers and the public corresponds to a very low level of risk and should be used as a guideline for the boundary between the broadly acceptable and tolerable regions. A residual risk of one in a million per year is extremely small when compared to everyday levels of risk. Indeed many activities which people are prepared to accept in their daily lives for the benefits they bring, for example, using gas and electricity, or engaging in air travel, entail or exceed such levels of residual risk.

Moreover, many of the activities entailing such a low level of residual risk also bring benefits that contribute to lowering the background level of risks. For example, though electricity kills a number of people every year and entails an individual risk of death in the region of one in a million per annum, it also saves many more lives, e.g. by providing homes with light and heat, operating lifts, life support machines and through a myriad of other uses.

Boundary Between the 'Tolerable' and 'Unacceptable' Regions for Risk Entailing Fatalities

The HSE does not have, for this boundary, a criterion for individual risk as widely applicable as for the boundary between the broadly acceptable and tolerable regions. This is because risks may be unacceptable on grounds of a high level of risk to an exposed individual or because of the repercussions of an activity or event on wider society.

Nevertheless the HSE suggested in their publication 'The tolerability of risk from nuclear power stations', 1992, that an individual risk of death of 1 in 1,000 (10^-3) per annum should on its own represent the dividing line between what could be just tolerable for any substantial category of workers for any large part of a working life, and what is unacceptable for any but fairly exceptional groups. For members of the public who have a risk imposed on them 'in the wider interest of society' this limit is judged to be lower, at 1 in 10,000 (10^-4) per annum.

The HSE suggest that these limits should be used with caution, because:
- Hazards that give rise to such levels of individual risks also give rise to societal concerns and the latter often play a far greater role in deciding whether a risk is unacceptable or not.
- The limits were derived for activities most difficult to control and reflect agreements reached at international level. In practice most industries in the UK do much better than that.
Risks Giving Rise to Societal Concerns

Where societal concerns arise because of the risk of multiple fatalities occurring in one event from a single major industrial activity the HSE propose that the risk of an accident causing the death of 50 people or more in a single event should be regarded as intolerable if the frequency is estimated to be more than 1 in 5,000 per annum.

In the case of most housing developments, the HSE advises against granting planning permission for any significant development where individual risk of death for the hypothetical person is more than 10 in a million per year, and does not advise against granting planning permission on safety grounds for developments where such individual risk is less than 1 in a million per year. Different criteria are applied to sensitive developments where those exposed to the risk are more vulnerable, e.g. schools, hospitals or old people's homes, or to industrial or leisure developments.

Principles and Techniques of Failure Tracing Methods

Several formal methods of assessing risk and minimising the consequences have developed such as:
- Hazard and Operability Studies (HAZOP).
- Hazard Analysis (HAZAN).
- Failure Modes and Effects Analysis (FMEA).
- Fault Tree Analysis (FTA).
- Event Tree Analysis (ETA).

Hazard and Operability Studies

HAZOP (hazard and operability) studies are procedural tools designed to highlight the deficiency and shortcomings in the design and operation of industrial plants. It was initially developed by Imperial Chemical Industries (ICI) Ltd for improving the safety of their chemical plants. The procedure proved to be so successful that it gained acceptance within industry as a useful tool for qualitative hazard analysis. The technique is now widely used as a standard procedure for safety assessment in the process, chemical, petroleum industries and many others. HAZOP studies aim to identify hazards and operability problems in plants, which if they were to occur, could reduce the plant's ability to achieve target productivity in a safe manner.
There are four primary reasons for carrying out a HAZOP on high risk plants:
- To protect workers / society.
- Legal requirement for suitable and sufficient risk assessment.
- Knowledge of plant.
- To reduce taxes.

It is an expensive process and it is important to consider whether the expense is necessary to complete a 'suitable and sufficient risk assessment'. At the design stage, HAZOP will cost about 1.5 to 2% of the total project cost, for existing plant the cost may be as high as 5% of the original cost.

The principle of reasonable practicability means to assess risk, and proportion new measures of control to such assessments, particularly where major hazards are concerned. This has led to a methodology of quantified risk assessment which is an important element in producing a balanced decision on the precautions to be applied to reduce the components of the overall risk, and for prioritising or targeting control measures.
The Basic Concept of HAZOP

Key Definitions

- Intention: how the plant is expected to perform.
- Deviations: departures from design intent.
- Causes: reasons deviations might occur.
- Consequences: results of deviations from design intent.
- Guide words: used to qualify or quantify intention in order to discover deviations. (No, more, less, as well as, part of, reverse and other than).
- Study nodes: locations on plant and instrumentation (P&I) drawings setting scope of studies.

Parameters

These are departures from the intention which are discovered by systematically applying the guidewords:
- Changes in quantity.
- Changes in physical condition.
- Changes in chemical condition.
- Changes inside the vessel.
- Start up / shutdown conditions.
- Emergency.
Deviations / Simple Guidewords

These are simple words that further breakdown the parameters and are used to qualify the intention in order to guide and stimulate the creative thinking process and so discover deviations. A list of simplified guidewords is given below:

Table 6: List of guidewords

The questioning is focussed in turn on every part of the design. Each part is subjected to a number of questions formulated around a number of guidewords, which are derived from method study techniques. In effect, the guidewords are used to ensure that the questions, which are posed to test the integrity of each part of the design, will explore every conceivable way in which that design could deviate from the design intention.
Consequences and Causes

These are the resulting hazards of the deviations, should they occur, which can cause damage, injury or loss. These are the reasons why deviations might occur. Once a deviation has been shown to have a conceivable or realistic cause, it can be treated as meaningful.

Existing Control

Like all base link assessments, existing controls should be documented in detail or referred to, e.g. standard operating conditions.

Further Action

This should be detailed and numbered for easy reference. Once 'checking' items have been eliminated the final document can be produced.

Application of HAZOP Studies

The HAZOP technique can be applied to new plants as well as existing plants, whole plants or parts of the facilities, as required. HAZOP can also be applied at every phase of project development, e.g. conceptual design and planning, detailed design, construction, commissioning, and operation. Ideally, HAZOP should be conducted at the design stage, as this allows design alterations with minimum additional costs. However, it is also useful for upgrading plants. When considering future upgrades, changes etc.

Particular features of the HAZOP technique are the team approach and the key definitions employed in the studies.

Team Approach

HAZOP utilises the collective effort of a multidisciplinary team to investigate possible variations and deviations from the design intent. The team will possess a blend of expertise and skills reflecting the operational requirements of the plant under investigation. A typical team will consist of a safety engineer, process engineer, operation engineer, instrumentation engineer, electrical engineer, and mechanical engineer. Other science and engineering disciplines may be added to the team to suit the particular requirements of a specific plant. The team will be chaired by an experienced facilitator who will guide and supervise the team throughout the study.

There are ten stages in implementing a HAZOP study. These are described below.
1. Define the objectives and scope of the study. The objectives and scope of the study should be defined by management. These will differ depending on the stage of a project/plant, e.g.

New Plant (conceptual stage):
- Check the safety of the proposed plant design.
- Verification of the effectiveness of the safety systems in the proposed plant.
- Develop a list of equipment specifications for vendors.

Existing Plant:
- Improve the safety of the existing plant.
- Check the viability of plant upgrading.
- Check the viability of process modifications.
- Meeting revised safety and environmental regulations.

The study scope may include:
- The effects of a major disaster on the plant, e.g. aeroplane crash.
- Effects of wind at average/maximum speeds.
- Human error.
- Delivery of the wrong chemicals in the right containers.
- Software.
- The power, valve actuation.
- Quality issues.
- Loss prevention.
- Liability, insurability, etc.
- Selection of plant location.

2. Select the team leader (chairman and Secretary). The team leader should be an independent and experienced HAZOP facilitator with knowledge of chemical engineering, and process design principles. The team leader plays a vital role in the success of the HAZOP study. The main task of the team leader is to identify problems, define study nodes, guide the team members and maintain their concentration on the tasks assigned to them, to ensure that the study is implemented methodically. Prior to arranging meetings, the team leader estimates the team-hours needed for the study, the schedules, durations and the frequencies of the sessions. The team leader prepares a plan for the sequence of the study based on how the plant is operated.

3. Select the team. The selection of the size and composition of the team should ensure that the group approach is maintained and that the team possesses the levels of knowledge necessary to ensure a complete study. The rest of the team should be skilled engineers in the disciplines relevant to the plant operation, and an experienced plant operator with detailed knowledge of the process.
For example, a team might include the following: design engineer, process engineer, operation supervisor, instrument electrical engineer, chemist, maintenance supervisor, mechanical engineer, and a safety engineer.

4. Define physical boundaries. In their investigation, the team defines the physical boundaries of the systems and equipment on which the HAZOP is carried out. The boundaries are usually marked on P & I actuation drawings (plant and instrumentation) that describe the overall layout of the plant, equipment, vessels, piping lines, valve types, etc., and process parameters such as flow, volume, pressure, temperatures, etc.

5. Collect the data. Typically, the data consists of line diagrams, flowsheets, plant layouts, process and Instrumentation diagrams, logic diagrams, isometrics and fabrication drawings, instrument sequence control charts, plant operations instructions, and equipment manufacturers' manuals.

6. Process the Data. In continuous process plants the processing of the data is minimal as the existing up-to-date flowsheets and P & I diagrams usually contain enough information for the study. With batch process plants, processing of the data is more expensive, mainly because of the amount of manual operations involved.

7. Design review. The team is assisted by a set of checklists and the P & I diagrams. The checklists are applied at specific areas in the plant known as study nodes. These nodes are points where the process parameters (pressure, temperature, flow, etc.) have a defined design intent. Between these nodes are the plant components (pumps, vessels, heat exchangers, piping instruments, etc.) which can cause changes in the parameters. The team detects possible causes of the deviations and recommends corrective actions.

8. Record the results. The recording process is a crucial part of the HAZOP study and it is important that all ideas are recorded. The HAZOP form. This can vary from plant to plant. This form is best filled in by an experienced engineer who understands the discussions and records the findings accurately.

9. Implement design modifications. Corrective action may include design modifications, for example resizing of equipment, installation of relief valves, or the implementation of additional safety features, new written procedures, information to contractors, provision of PPE, etc., and may also include many checking actions to confirm the design intention or flow parameter. The team leader assigns the implementation of each corrective action to the relevant discipline specialist. All actions should be numbered for ease of reference. Progress is monitored at the next meeting of the team.

10. Reporting. The final report is compiled by the team leader for submission to the management. The report should be concise and accurate in detail. The report contains information about major deviations from design intent, details of recommended design modifications, and capital expenditure needed for implementation.

A Simple Example for a Continuous Plant

To illustrate the principles of the examination procedure, consider a plant in which chemicals A and B react together to form a product C. Let us suppose that the chemistry of the process is such that the concentration of the raw material B must never exceed that of A otherwise an explosion may occur.

Figure 4: An example of a simple flowsheet
[Figure: flowsheet labelled Chemical A, Chemical B, Chemical C, Pump 1, Pump 2, valves, and "To Process".]

Referring to Figure 4 start with the pipeline extending from the suction side of the pump which delivers raw material A to where it enters the reaction vessel. The intention is partly described by the flowsheet and partly by the process control requirements to transfer A at some specified rate. The first deviation is that obtained by applying the guideword NOT, DON'T or NO to the intention. This is combined with the intention to give:

No Transfer of A

The flowsheet is then examined to establish the causes which might produce a complete cessation of the flow of 'A'. These causes could be:
- Supply tank is empty.
- Pipeline is fractured.
- Isolation valve is closed, or
- Pump fails to turn due to: Mechanical failure. Electrical failure. Pump being switched off, etc.

Clearly some at least of these are conceivable causes and so we can say that this is a meaningful deviation. Next we consider the consequences. Complete cessation of flow of 'A' would very soon lead to an excess of 'B' over 'A' in the reaction vessel and consequently to a risk of explosion. We have therefore discovered a hazard in the design and this is noted for further consideration.

We now apply the next guideword which is MORE. The deviation is: MORE 'A' is passed into the Reaction Vessel. The cause would be that the characteristics of the pump might, under some circumstances, produce excessive flow rate. If this cause is accepted as realistic, we then consider the consequences. The reaction produces 'C' contaminated with an excess of 'A' which goes on into the next stage of the process. The excess flow into the reaction vessel means that some will leave the vessel by the overflow.

We now apply the next guideword which is LESS. The deviation is: LESS 'A' is passed into the Reaction Vessel. The causes are a little different from those when the deviation was the complete cessation of the flow of 'A'.
- The isolation valve is slightly closed.
- The pipeline is partly blocked.
- The pump fails to produce the full flow because: The impellors are eroded. The valves are worn, etc.

Clearly some at least of these are conceivable causes and so we can say that this is a meaningful deviation.
The consequence is similar to no flow and so the potential hazard is of a possible explosion.

AS WELL AS: This could mean:
- The transfer of some component in addition to 'A'.
- The transfer of 'A' somewhere else in addition to its transfer to the reactor, and
- The carrying out of another activity concurrently with the transfer, for example, can 'A' boil or decompose in the pipelines or the pump?

A search of the flowsheet in Figure 4 shows an additional line with an isolation valve on the pump suction. If this valve were not shut, another component might be transferred together with 'A'. This may cause a chemical reaction or dilute 'A'. Inspection of the flowsheet shows this is possible. It could for example flow up the line on the suction side of the pump.

For PART OF: The other related deviation is that which occurs when the design intention is incompletely achieved, but one of the original design intention is retained. The guidewords are PART OF and the deviation PART OF TRANSFER 'A'. This could mean:
- A component of 'A' is missing, or
- The omission of one or more reactors if the pump delivers 'A' to more than one reactor.

Here a knowledge of the composition of 'A' is required so the effects of the missing component can be assessed.

The final two deviations are again qualitative. The first of these is the opposite of the design intention.

Reverse: The guideword is REVERSE and the deviation REVERSE TRANSFER OF 'A'. This means flow from the reactor back through the pump. The flowsheet is examined to see if this is possible and the consequences are assessed.

Other than: Lastly, there is the complete substitution of the design intention by something else. The guidewords are OTHER THAN and the deviation is OTHER THAN TRANSFER. This could mean:
- The transfer of a different material.
- A change in the nature of the activity, for example can 'A' solidify instead of being transferred, or
- A change in the implied destination, for example, is transfer of 'A' somewhere other than the reactor.

Substitution could arise in a number of ways. For example, the wrong material could be delivered or another material admitted via the T piece on the suction side of the pump. Information would be gathered on possible materials and their side effects. The flowsheet is examined to see if this is possible. Inspection of the flowsheet shows that this can happen via the T piece.
Table 7: Completed HAZOP study results
When the pipeline which introduces raw material 'A' has been examined, it is marked on the flowsheet as having been checked. The next part of the design is then chosen for study and this could be the pipeline which introduces raw material 'B' into the reaction vessel. This sequence is repeated for every part of the design, each line, the vessel auxiliaries such as stirrers, any services to this vessel such as the provision of heating and cooling and the vessel itself. This particular approach is sometimes called the 'line by line' method.

Only under exceptional circumstances is a written record made of every step of the examination. It is more usual to carry out the steps mentally and verbally in discussion and to write down only the potential hazards and their causes. The proposed action is also noted if it can be agreed straight away. If there is some doubt about the action or if further information is required, the matter must be brought forward to a subsequent meeting.

Process Instructions for Batch Processes

When studying a batch process plant, it is necessary to apply the guidewords to the instructions, as well as the pipelines. For example, if an instruction states that 1 tonne of chemical 'A' has to be charged into a reactor, the team should consider deviations such as:
- Don't charge 'A'.
- Charge more 'A'.
- Charge less 'A'.
- Charge as well as 'A'.
- Charge part of 'A' (if 'A' is a mixture).
- Reverse charge 'A' (can flow occur from a reactor to 'A' container?) - this can often be the most serious deviation.
- Charge other than 'A'.
- 'A' is added too early.
- 'A' is added too late.
- 'A' is added too quickly, and
- 'A' is added too slowly.
Relation to other Analysis Tools

HAZOP may be used in conjunction with other dependability analysis methods such as Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA). The combinations may be utilised in situations when:
- The HAZOP analysis clearly indicates that the performance of a particular item of equipment is critical and needs to be examined in considerable depth. The HAZOP may then be usefully complemented by a FMEA of that item of equipment, e.g. a safety relief valve.
- Having examined single element/single characteristic deviations by HAZOP it is decided to assess the effect of multiple deviations using FTA, or to quantify the likelihood of the failures, again using FTA, e.g. safety relief valve failure.

HAZOP is essentially a system centred approach as opposed to FMEA which is component centred. FMEA starts with a possible component failure and then proceeds to investigate the consequences of this failure on the system as a whole. Thus the investigation is unidirectional, from cause to consequence. This is different from a HAZOP study which is concerned with identifying the possible deviations from the design intent and then proceeds in two directions, one to find the potential causes of the deviations and the other to reduce its consequences.

Hazard Analysis (HAZAN)

Hazard Analysis (HAZAN) is a quantitative technique to obtain an understanding of hazards in terms of:
- How often a hazard will manifest itself.
- With what consequences for people, process and plant.

HAZAN may form part of a wider study, e.g. HAZOP, and is used on selected parts of a process. Quantitative data based on past experience is the most important means of identifying hazards and assessing potential frequency, although for new processes and techniques experiential data may be limited.

A thoroughly conducted HAZAN provides a sound quantitative basis for decisions on risk reduction measures that it will be reasonable to take and is often used to justify not making further expenditure on critical safety measures.
While HAZOP is a technique that can be applied to every new design and major modification, HAZAN is a selective technique. It is neither necessary nor possible to quantify every hazard on every plant. When used with other techniques, especially fault trees, it allows effective allocation of resources. The term hazard analysis is used rather than risk analysis as HAZAN does more than quantify the risk. Most of all, it demonstrates how the hazard arises, which contributing factors are the most important and the most effective ways of reducing risk.

Figure 5: Why do we want to apply numerical methods to safety problems?

The horizontal axis of Figure 5 shows expenditure on safety over and above that necessary for a workable plant and the vertical axis shows the money back in return. In the left-hand area safety is good business: by spending money on safety, apart from preventing injuries and plant failure, more profit is made. In the next region safety is poor business. Some money is returned for safety expenditure, however not as much as possible, for example by investment in other ways. The third region is reached if money continues to be spent on safety, where safety is bad business, but good humanity. Money is spent so that people do not get hurt, however this reduces profitability. In the final region expenditure on safety measures is so excessive that there is a distinct risk of going out of business. The consequences of this are that products become so expensive that no-one will buy them, the company becomes bankrupt, jobs are lost and, possibly, the public is deprived of the benefits from the products.

A decision has to be made where to draw the line on safety expenditure. This can be a qualitative judgement, however in the case of process plant this can be quantitative using HAZAN.
Failure Modes and Effects Analysis (FMEA)

Failure Modes and Effects Analysis (FMEA) is a qualitative structured method for hazard identification. The FMEA is a preliminary failure analysis methodology, and as such it is widely used in a multitude of applications related to safety, reliability, development and quality of products and systems. It is a simple method, that is easy to apply, yet it is a powerful tool that can be used to improve the quality of products and processes. Furthermore, its concept and schematic approach can be readily adapted by management to solve problems that may arise with procedures within an organisation.

A practical application of FMEA would involve the completion of a worksheet in which the failure modes of individual components, such as relays and switches, are identified. These can then be evaluated (qualitative or quantitative) and risk priority codes identified. A summary sheet can then be prepared in which failure modes are listed in declining order of risk priority. The summary should also list the corrective measures required to reduce the frequency of failure or to mitigate the consequences. Corrective actions could include changes in design, procedures or organisational arrangements. FMEA can be used for single point failure modes but can be extended to cover concurrent failure modes. It can be a costly and time consuming process but once completed and documented it is valuable for future reviews and as a basis for other risk assessment techniques such as HAZOP studies, Fault Tree Analysis and Event Tree Analysis.

Applications of FMEA

The FMEA can be applied to engineering products, equipment, chemical processes, manufacturing operations, human tasks, processes and product design, as well as procedures.

Considering the System or Component to be Analysed

The technique requires a schematic approach, methodical planning and thorough implementation. The analysis must be meticulous and critical enough to ensure that all factors that can contribute to failures are considered. An important part of FMEA is for the analyst to understand thoroughly what is meant by a 'failure mode'. A failure mode is a description or scenario of how systems, part(s), and procedures could fail. This should include all possible modes of failures, even if the likelihood of occurrence is small.

Information Needed for FMEA

To perform an FMEA, the analyst must understand the basics of the part's function; this is gained either from previous experience or from manuals provided by the manufacturers. Most manufacturers include lists of function(s) and faults diagnosis in their operating and maintenance manuals. When applying FMEA to a component or system, the analyst must be very familiar with the function(s) of the part or the system and be able to recognise changes that deviate and are not consistent with normal operations.
Before carrying out an FMEA, the entity under analysis must be defined. This could be of any form and size, and ranges from a component element, a unit, or a subsystem to a complex system. The selection of the entity and its size depends on the intended purpose, scope and depth of the investigation.

For example, consider the case of a petrol engine for a motor car. The engine is comprised of a fuel system, ignition system, lubricating system, cooling system, etc. Each system can be broken down into its basic components, for example the fuel system is comprised of a fuel pump, fuel tank, carburettor, filter, piping, etc. The ignition system is comprised of a battery, starter motor, alternator, spark plugs, wirings, etc. The lubricating system is comprised of oil reservoir, oil pump, oil filter, pipings, etc. The cooling system is comprised of a fan, fan belt, radiator, water reservoir, piping, etc.

Key Characteristics Indicating Failure

In the examination of a part or a process, a number of characteristics serve as focal points when recognising and evaluating failure modes. These are loss of operational function, discontinuity, distortion, discolouration, smell, changes in material properties, and foreign matter:

Loss of operational function can easily be recognised, and can vary from erratic performance to total breakdown.

Discontinuity is defined as any break or irregularity in the surface of a part, internal material defects such as voids and foreign matters in castings and mouldings, and the infusion of foreign matters that have influence on the functionality of the part or the process. When damage to a part is minor, discontinuity can appear as cracks, pits, shallow grooving, superficial pitting, spalling, delamination, corrosion, etc. On a large scale, discontinuity is evident by the absence of materials which disappeared from the part or the system as failure debris.

Distortion is defined as any change in the physical shape of a part. Distortion on a surface level can be evident in a number of forms such as smoothing or polishing of the surface, the roughening of the surface, wrinkles, ripples, etc.; it can be on a large scale, where changes in the physical dimensions of a part are significant when compared to the nominal dimension of the part.

Discolouration is easy to detect, and is a good indicator of improper process control.

Smell, or the presence of aroma or odour, is an important factor when dealing with rubber and plastic components and compounds. Unusual smell is often an indication of damage caused by the chemical activity of the materials that come into contact with the components.

A change in material properties is defined as the loss or variation in the initial characteristics of the material. Properties of materials include strength, hardness, toughness, ductility, brittleness, elasticity, plasticity, and chemical composition. Examples of changes in material properties are the charring of elastomers, the oxidation (rusting) of steel, and the formation of metallic salts on plated parts.
Foreign matter is any material that is not part of the original system. This includes all debris and corrosive products found in a system. When present, foreign matter is usually an indication of a failure in the system, and can provide useful background information to identify a possible failure mode in the system or other related systems.

Implementation of Failure Modes and Effects Analysis (FMEA)

There are five steps necessary to implement FMEA, which are:
- Identify failure modes.
- Analyse failure modes.
- Express failure modes.
- Decide on corrective actions, and
- Monitor progress.

FMEA is implemented by creating a list of all equipment and associated systems in the plant. For each piece of equipment/system, all possible failure modes are established. For each failure mode, the analysis should identify both the immediate and expected effects of the failure on other equipment and the process or system, the cause(s), and the recommended remedial action(s).

Example

Consider the failure of a hydraulic system which is comprised of a pump, pump drive motor, coupling, control valve, relief valve and piping. The hydraulic system delivers water from a cooling tower to a process vessel. The failure of the system can be either a total breakdown, where there is no flow, or an erratic performance, where the system delivers the incorrect amount of water, i.e. either too little or too much water. No water or little water will result in the overheating of the process fluid. Too much water will result in a process fluid with undesirable low temperature with the subsequent adverse effects on the process. The modes of failure, the cause(s), and the recommended remedial action(s) are recorded on a standard worksheet as shown in Table 8.
Table 8: Sample FMEA worksheet for a hydraulic system

Depending on the required resolution of the FMEA, the hydraulic system can be broken down into its basic units, such as pump, drive motor, coupling, piping, etc., and the FMEA could be applied to each unit. Table 9 shows a sample FMEA worksheet for a hydraulic pump.
Table 9: Sample FMEA worksheet for a hydraulic pump

Benefits and Limitations

As has been demonstrated, FMEA is a useful qualitative tool for failure analysis and identification and can be used extensively with other hazard identification techniques such as HAZOP and fault tree analysis. However, FMEA does not give a ranking or an indication of the severity of the failures and its application relies on the experience of the analyst and his or her understanding of the system.
Fault Tree Analysis (FTA)

FTA provides a systematic approach to the identification of the combination of possible occurrences that could combine to produce an undesirable effect. The possible combinations of occurrences once identified are displayed graphically in a fault tree. The frequency or probability of these occurrences can be estimated to enable a quantitative analysis of the undesirable effects to be conducted. FTA can be useful in identifying a list of potential failures.

How to carry out an FTA

It is essential to define the boundaries of the study to limit it to a manageable size. It is important to select and define the 'top event'. This could typically be:
- An accident.
- An explosion.
- A system failure.
- Machine or process failure.
- Component failure.

The fault tree is then constructed downward from the top event. It will look like an inverted tree, branching downwards rather than upwards. The tree is constructed by identifying and correctly relating all events and combinations and/or sequences of events that could result in the top event. These are related through AND/OR gates.
And / Or Gates

If a top event could only occur if both sub-event A and sub-event B occurred, this would be represented using an AND gate as illustrated in Figure 6. For example the top event could represent a person falling from a ladder, which could be caused both by the person overreaching (sub-event A) and the ladder slipping laterally (sub-event B).

Figure 6: And Gate

If a top event could only occur if either sub-event A or sub-event B occurred, this would be represented using an OR gate as illustrated in Figure 7. For example the top event could represent a fork-lift truck overturning, which could be caused by either lateral (sub-event A) or longitudinal instability (sub-event B).

Figure 7: Or gate

Figure 8 demonstrates the construction of a fault tree for the top (undesired) event of a fire in a multi-storey car park. Note that when a sub-event is not developed any further the convention is to place it in a diamond shape rather than a rectangle, and final or basic events are placed in a circle.
Figure 8: Example Fault Tree

If the failure rate or probability of basic causes can be determined, often from statistical analysis, then the following can be determined:
- How likely the top event occurs, i.e. the probability.
- How frequently the top event occurs, i.e. the frequency (failure rate).
Numerical Evaluation of Fault Tree

1) For an 'And' Gate

For an AND gate the probability of the top event occurring is calculated by multiplying the probabilities of the causes, beginning at the lower level basic causes working up to the top event.

If P1 = Probability of Basic Cause 1
and P2 = Probability of Basic Cause 2
and P = Probability of Top Event
Then P = P1 x P2

Figure 9: Numerical Evaluation of Fault Tree (AND Gate)

Note: For AND Gates multiply probabilities.
2) For an 'Or' Gate

For an OR gate the probability of the top event occurring is calculated by adding the probabilities of the causes, beginning at the lower level basic causes working up to the top event.

If P1 = Probability of Basic Cause 1
and P2 = Probability of Basic Cause 2
and P = Probability of Top Event
Then P = P1 + P2

Figure 10: Numerical Evaluation of a Fault Tree (OR Gate)

Note: For OR Gates add probabilities.

Most fault trees will consist of a combination of OR and AND gates, which can be analysed by starting at the lowest level and working up to the top event.

When using either AND or OR gates the frequency (f) of the top event is the reciprocal of its probability (P).

f = 1 / P

For example, if the probability of the top event was calculated to be 0.1 (10% chance of occurrence per year), the frequency of occurrence would be the reciprocal of its probability, which is once every 10 years.

Once the probability and frequency of the top event is calculated, a decision can then be made as to whether these are tolerable. This frequency could then be compared with tolerability of risk figures when deciding if the risk is ALARP. In order to reduce the probability, hence frequency, of the top event risk reduction measures should be applied to the basic causes. By reducing the probability of basic causes the probability of the top event is reduced.

Example

Construct a Fault Tree for an accident occurring between a vehicle on the roundabout in collision with a vehicle entering the roundabout.
Figure 11: Accident on a Roundabout
Figure 12: Example of a fault tree numerical analysis

Determine the probability of an Accident

Note: Probability P of vehicle "on roundabout" is 0.2
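The gate rules above can be applied to a whole tree by working up from the basic causes. The following is an added example, not part of the original course notes: the tree reuses the fork-lift truck OR gate from the text, while the "pedestrian in operating area" cause and every probability value are constructed for illustration. It also evaluates the OR gate with the exact formula for independent causes, 1 - (1 - P1)(1 - P2), to show how close the "add probabilities" rule is when the probabilities are small, and it tests which basic cause gives the largest reduction when halved.

```python
"""Fault tree evaluation with AND/OR gates. Added example, constructed data."""
from dataclasses import dataclass
from math import prod


@dataclass
class Basic:
    name: str
    p: float  # probability of the basic cause per year (constructed value)


@dataclass
class Gate:
    name: str
    kind: str     # "AND" or "OR"
    inputs: list  # Basic or Gate nodes feeding this gate


def evaluate(node, exact_or=False, overrides=None):
    """Work up from the basic causes to the probability of `node`.

    AND gates multiply and OR gates add, as in the text. With exact_or=True
    an OR gate uses 1 - product(1 - p), the exact result for independent causes.
    `overrides` maps a basic cause name to a replacement probability.
    """
    if isinstance(node, Basic):
        p = (overrides or {}).get(node.name, node.p)
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node.name}: probability {p} is outside 0..1")
        return p
    ps = [evaluate(child, exact_or, overrides) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        if exact_or:
            return 1.0 - prod(1.0 - p for p in ps)
        total = sum(ps)
        if total > 1.0:
            raise ValueError(f"{node.name}: added probabilities exceed 1")
        return total
    raise ValueError(f"{node.name}: unknown gate type {node.kind!r}")


def basic_causes(node):
    """List every basic cause below `node`."""
    if isinstance(node, Basic):
        return [node]
    return [b for child in node.inputs for b in basic_causes(child)]


def effect_of_halving(top):
    """Top event probability after halving each basic cause in turn."""
    return {b.name: evaluate(top, overrides={b.name: b.p / 2})
            for b in basic_causes(top)}


def years_between_events(p):
    """Reciprocal of the annual probability, as used in the text (f = 1 / P)."""
    if p <= 0.0:
        raise ValueError("probability must be greater than zero")
    return 1.0 / p


# Constructed tree: the truck overturns (OR gate from the text) AND a
# pedestrian is in the operating area (hypothetical second cause).
OVERTURN = Gate("fork-lift truck overturns", "OR", [
    Basic("lateral instability", 0.02),
    Basic("longitudinal instability", 0.01),
])
TOP = Gate("truck overturns onto pedestrian", "AND", [
    OVERTURN,
    Basic("pedestrian in operating area", 0.1),
])

if __name__ == "__main__":
    p_top = evaluate(TOP)
    print(f"P(top), add rule for OR : {p_top:.5f}")
    print(f"P(top), exact OR        : {evaluate(TOP, exact_or=True):.5f}")
    print(f"once every {years_between_events(p_top):.2f} years")
    for name, p in sorted(effect_of_halving(TOP).items(), key=lambda kv: kv[1]):
        print(f"halve '{name}': P(top) = {p:.5f}")
```
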
Event Tree Analysis (ETA)

Event tree analysis is a forward thinking process, based on binary logic, in which an event either has or has not happened or a component has or has not failed. It is valuable in analysing the consequences arising from a failure or undesired event. An event tree begins with an initiating event, such as component failure, increase in temperature/pressure or a release of a hazardous substance. The consequences of the event are followed through a series of possible paths. Each path is assigned a probability of occurrence and the probability of the various possible outcomes can be calculated.

In the following example fire protection is provided by the sprinkler system. A detector will either detect the rise in temperature or it will not. If the detector succeeds the control box will either work correctly or it will not, and so on. There is only one branch in the tree that indicates that all the sub-systems have succeeded:

Procedures For Performing Event Tree Analysis

Four steps are necessary to perform ETA:

Step 1 Identify an initiating event of interest.

Step 2 Identify the safety functions designed to deal with the initiating event. The safety functions (safety systems, procedures, operator actions, etc.) that respond to the initiating event can be thought of as the plant's defence against the occurrence of the initiating event. These safety functions usually include:
- Safety systems that automatically respond to the initiating event, including automatic shutdown systems.
- Alarms that alert the operator when the initiating event occurs.
- Operator actions.
The analyst should identify all system functions and their intended purpose for mitigating the effects of the initiating event. The analyst should list the safety functions in the order in which they are intended to occur.

Step 3 Construct the event tree. The event tree displays the logical progression of an accident. The event tree begins with the initiating event and proceeds through the successes and / or failures of the safety functions that react to the initiating event. Only two possibilities are considered when evaluating the response of the safety functions, that it is a success or a failure. The success of a safety function is defined as its ability to prevent the initiating event from progressing further, thus preventing an accident. The failure of a safety function is defined as its inability to stop the progression of an initiating event or alter its course so that the other safety functions can respond to it.
Step 4 Describe the resulting accident event sequences. The accident event sequences represent a multitude of incidents that can result from the initiating event. One or more of the sequences may result in an accident. The analyst defines the successes and failures in each resulting sequence and compiles a description of its expected outcome. The analyst then ranks the accidents based on the severity of their outcomes. The structure of the event tree should clearly show the development of the accident and help the analyst to define locations and establish priorities where additional safety features might be installed to either prevent these accidents or mitigate their effects. If enough data is available, the analyst can use probabilistic analysis to estimate accident probabilities from event probabilities, and thus obtain additional information for ranking the accidents.

Example

Consider a fire starting in a bedroom fitted with an automatic alarm system. It is assumed that if the alarm sounds the occupants will respond to it and make good their escape.

The first step is to identify the initiating event. In this example it is the fire and release of smoke.

The second step is to identify the safety functions designed to deal with the initiating event. In this example these are:
- A smoke detector.
- A fire alarm signal.
- A fire alarm sounder.

The third step is to construct an event tree. See Figure 12.
Figure 13: Example Event Tree

Construction of the tree begins at the left hand side with the initiating event of interest. The next step is to insert the 1st safety function (smoke detector in this example). Only two possibilities are considered, either success or failure of the safety function. Usually success is denoted in an upward path and failure is denoted by a downward path. In this example success of the 1st safety function means that the smoke detector works as designed. Success leads on to the 2nd safety function and failure leads to an undesired outcome.

The event now progresses to the 2nd safety function. Once again only success and failure of the safety function are considered. In this example success of the 2nd safety function means that the alarm signal works as designed. Success leads on to the 3rd safety function and failure leads to an undesired outcome.

The event now progresses to the 3rd safety function. Again only success and failure of the safety function are considered. In this example success of the 3rd safety function means that the alarm sounder works, the occupants are warned of the fire and they make good their escape. Success leads on to the desired outcome and failure leads to an undesired outcome.

In this example every undesired outcome is that the occupants of the room are not warned of the fire; however, in some event trees as the event progresses there may be different outcomes with differing hazard severities.
Figure 14: Numerical Evaluation of an Event Tree

The frequency of the initiating event and the probabilities (or reliabilities) of the safety functions need to be known, and are expressed as decimals. So if the frequency (f) of the initiating event is once every 200 years, it would be expressed as 0.005 (1 divided by 200) and if a probability of success was 85%, it would be expressed as 0.85.

In Figure 13, in order to calculate the probabilities of the end events, it is necessary to follow the event from the left hand side to the right hand side of the event tree, multiplying the frequency (f) by each of the included probabilities. Initially, in order to calculate the probability of the desired outcome (A), follow the event from the initiating event to A. Therefore the probability of A occurring (PA) is caused by f AND P1 AND P3 AND P5, hence:

Probability of occupants being warned of fire
PA = f x P1 x P3 x P5

The undesired outcome in Figure 14 can be caused by B OR C OR D, and is calculated as the sum of PB + PC + PD; therefore, it is necessary to calculate PB, PC and PD individually. Again following each event from left to right:

PB = f x P1 x P3 x P6
PC = f x P1 x P4
PD = f x P2

So the probability of occupants not being warned of fire = (f x P1 x P3 x P6) + (f x P1 x P4) + (f x P2)

What if the reliability of only one safety function 'leg' is known? For each safety function the success and failure 'legs' are expressed as decimals and their sum must equal 1. Consider the 1st safety function, i.e. the smoke detector in Figure 14:
P1 + P2 = 1

For example, if the smoke detector is 95% reliable, then it must be 5% unreliable (0.95 + 0.05 = 1). Note that the safety function can be human or component reliability.

Event Frequency

As with fault trees, the end event frequency is the reciprocal of the end event probability. The units are the same as for the initiating event (f), e.g. months, years, etc.

Worked Example

A mainframe computer suite has a protective system to mitigate the effects of fire. The system design comprises a smoke detector connected by a power supply to a mechanism for releasing carbon dioxide (CO2). It has been estimated that a fire will occur once every five years (f=0.2/year). Reliability data for the system components are as follows:

Component                  Reliability
Detector                   0.9
Power Supply               0.99
CO2 release mechanism      0.95

Construct an event tree for the above scenario to estimate the frequency of an uncontrolled fire in the computer suite.

The event tree would be constructed as follows:

Figure 15: Worked Example Event Tree
The probability of an uncontrolled fire PUF in the mainframe computer suite is determined as: PUF = PB + PC + PD.

PB = f x P1 x P3 x P6
PB = 0.2 x 0.9 x 0.99 x P6
P6 = 1 - P5 = 1 - 0.95 = 0.05, so
PB = 0.2 x 0.9 x 0.99 x 0.05
PB = 0.00891

PC = f x P1 x P4
PC = 0.2 x 0.9 x P4
P4 = 1 - P3 = 1 - 0.99 = 0.01, so
PC = 0.2 x 0.9 x 0.01
PC = 0.0018

PD = f x P2
PD = 0.2 x P2
P2 = 1 - P1 = 1 - 0.9 = 0.1, so
PD = 0.2 x 0.1
PD = 0.02

So the probability of an uncontrolled fire
PUF = 0.00891 + 0.0018 + 0.02
PUF = 0.03071

To determine the frequency of an uncontrolled fire (fUF):

fUF = 1 / PUF
fUF = 1 / 0.03071 = 32.56

So the frequency of an uncontrolled fire in the mainframe computer suite is once every 32.56 years.
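The same calculation can be written once for any number of safety functions that act in series. The following is an added example, not part of the original course notes: it reproduces the worked example's figures and then goes beyond it by re-running the tree with a constructed what-if (detector reliability raised to 0.99) to show how the result responds. The function names are hypothetical.

```python
"""Event tree for safety functions acting in series. Added example."""


def event_tree(f, functions):
    """Return every end event of the tree as (label, value) pairs.

    f         -- frequency of the initiating event (per year)
    functions -- ordered list of (name, reliability) pairs; each function is
                 only called on if all earlier ones succeeded
    The result holds one failure branch per safety function, in order,
    followed by the single branch on which every function succeeds.
    """
    if f < 0:
        raise ValueError("initiating event frequency cannot be negative")
    outcomes = []
    reached = f  # f multiplied by the success legs passed so far
    for name, reliability in functions:
        if not 0.0 <= reliability <= 1.0:
            raise ValueError(f"{name}: reliability {reliability} is outside 0..1")
        # The failure leg is 1 minus the success leg (P1 + P2 = 1).
        outcomes.append((f"{name} fails", reached * (1.0 - reliability)))
        reached *= reliability
    outcomes.append(("all safety functions succeed", reached))
    return outcomes


def undesired_total(outcomes):
    """Sum of every failure branch (PB + PC + PD in the worked example)."""
    return sum(value for _, value in outcomes[:-1])


def years_between_events(p):
    """Reciprocal of the end event probability, as used in the text."""
    if p <= 0.0:
        raise ValueError("probability must be greater than zero")
    return 1.0 / p


# Data from the worked example: fire once every five years (f = 0.2/year).
F_FIRE = 0.2
SUITE = [("detector", 0.9), ("power supply", 0.99), ("CO2 release mechanism", 0.95)]

# Constructed what-if, not from the text: a more reliable detector.
SUITE_BETTER_DETECTOR = [("detector", 0.99)] + SUITE[1:]


def uncontrolled_fire(functions):
    """Return (PUF, years between uncontrolled fires) for a set of functions."""
    puf = undesired_total(event_tree(F_FIRE, functions))
    return puf, years_between_events(puf)


if __name__ == "__main__":
    for label, value in event_tree(F_FIRE, SUITE):
        print(f"{label:32s} {value:.5f}")
    puf, years = uncontrolled_fire(SUITE)
    print(f"PUF = {puf:.5f}, once every {years:.2f} years")
    puf2, years2 = uncontrolled_fire(SUITE_BETTER_DETECTOR)
    print(f"with detector at 0.99: PUF = {puf2:.6f}, once every {years2:.2f} years")
```
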
Summary

The use of quantitative risk analysis can be a useful tool in allocating resource and justifying decision making in relation to risk management. There are a range of tools including HAZAN, HAZOP, FMEA, etc. which can be used to qualify and quantify those hazards and threats. The role of FTA and ETA as backward and forward looking techniques can consider the risk elements throughout the lifecycle or within the potential and actual disaster situations.

The concept of backward and forward looking models can be described as a "Bow-Tie" model where:
- The Bow-Tie model is a visual method of showing how the hazard(s) becomes the top event.
- It is made up of a combination of a fault tree and event tree (QRA’s) looking both backwards and forwards in time from an initiating event.
- It shows the probability of the top event occurring (FTA) and escalation and subsequent consequences from it (ETA).
- It shows the barriers in place to prevent progression and the threats to those barriers.
- It links the barriers and measures to reduce the chance of the top event occurring and the consequences resulting from the top event.

Results of Bow Tie models can be documented in and a full appreciation of the risks and potential outcomes can be understood.

The figure below diagrammatically represents the Bow-Tie model:
Figure 16: Bow-Tie model (diagram labels: Hazard; Threat; Barriers or controls; Top Event; Scenario; Recovery measures; Consequence. Fault Tree Analysis side, proactive: reduce likelihood, control (keep within control limits). Event Tree Analysis side, reactive: prepare for emergencies, mitigate consequences and re-instate.)