Lecture Notes: Risk Assessment & Risk Management
There are many different risk management techniques available depending on what type of
risk is being assessed, but they all are made up of a number of similar stages which are:
[Figure: the stages of risk management. Labels: Risk Management; Risk Assessment; Risk Analysis; Activity Characterisation; Hazard Identification; Risk Estimation; Risk Evaluation; Risk Reduction; Option Analysis; Decision Making; Implementation; Monitoring; Audit or Review.]
1
From Cox S.J. & Tait R.S. (1991) Reliability, Safety and Risk Management. Butterworth
Heinemann
2.0 Risk Management in Legislation
Regulation 3(1) of the Management of Health and Safety at Work Regulations 1992 states
that:
a) The risks to the health and safety of his employees to which they
are exposed whilst they are at work.
The accompanying Approved Code of Practice (ACOP) does not specify a particular
approach to how a risk assessment is carried out but does set out some general principles
that should be followed.
For simple hazards a risk assessment can be a ‘very straightforward process based on
judgement requiring no specialist skills or complicated techniques.’ This approach is
commonly known as qualitative or subjective risk assessment.
At the other extreme, major hazards, such as those associated with complex chemical or
nuclear plants, may ‘warrant the need of such techniques as Quantitative Risk
Assessment.’ In Quantitative Risk Assessment (QRA) or Probabilistic Risk Assessment
(PRA) as it is sometimes known, a numerical estimate is made of the probability that a
defined harm will result from the occurrence of a particular event.
The Regulations state that the risk assessment procedure used in any circumstance should
be suitable and sufficient for the hazards and risks to which the workforce is exposed. A
suitable and sufficient assessment should:
enable the employer to identify and prioritise the measures that need to be taken to
comply with relevant statutory provision;
be appropriate to the nature of the work such that it remains vital for a reasonable
period of time.
Each of the three stages of risk management is discussed below, with particular respect
to health and safety risks.
Hazard Identification
Hazard:
The potential to cause harm. Harm including ill health and injury,
damage to property, plant, products or the environment, production
losses or increased liabilities.
Hazard identification is, without doubt, the most important aspect of any risk assessment on
the basis of ‘a hazard identified is a hazard controlled.’ There are many different ways of
identifying hazards, making it very much a discipline in its own right. Many different formal
methods have been developed over the last two decades. These are generally classed into
one of three categories:
Comparative Methods: e.g. checklists and audits. These were, in the past, treated as
safety reviews as they compared “what is” with “what should be”.
Fundamental Methods: e.g. Deviation Analysis, Hazard and Operability Studies, Energy
Analysis, Failure Modes & Effects Analysis. These are the formal investigative
techniques, many of which were developed in the high technology industries, and are
structured for stimulating people to apply foresight in conjunction with their knowledge
by identifying hazards by asking “what-if” type questions.
Several of these more detailed hazard identification methods will be explained in more
detail later in this Section.
Risk
The likelihood that a specified undesired event will occur due to the
realisation of a hazard by, or during work activities or by the products
and services created by work activities.
In order to be able to assess and/or evaluate risk some degree of the risk should be
calculated. As risk is a function of the probability and consequence associated with a
hazard occurring, judgements are made on these two properties. Such judgements can be
qualitative or quantitative depending on the complexity of the operation that is being
examined.
2
HSE (1997), Successful Health & Safety Management, HS(G)65, HSE Books.
Hazard – the potential to cause harm will vary in severity. The likely effect of a hazard
may for example be rated:
1. Major
Death or major injury or illness causing long term disability
2. Serious
Injuries or illness causing short-term disability
3. Slight
All other injuries or illnesses
1. High
Where it is certain that harm will occur
2. Medium
Where harm will often occur
3. Low
Where harm will seldom occur
In this case risk can be defined as the combination of the severity of the harm with
the likelihood of its occurrence, or
This simple computation which gives a risk value of between 1 and 9 enables a
rough and ready comparison of risks. In this case the lower the number, the greater
the risk, and so prioritises the hazards so that control action can be targeted at
higher risks in the first instance.
Controlling Risk
Risk control strategies may be classified into one of four main areas: risk avoidance, risk
retention, risk transfer and risk reduction.3
Risk Avoidance – this strategy involves a conscious decision on the part of the
organisation to avoid completely a particular risk by discontinuing the operation
producing the risk e.g. replacing a hazardous chemical by one with less or no risk
potential.
3
Bamber L (1999), Principles of the Management of Risk, in Ridley J & Channing J (ed) Safety at
Work, 5th Edition, Butterworth Heinemann
Risk retention – The risk is retained in the organisation where any consequent loss is
financed by the company. There are two aspects to consider here, risk retention with
knowledge and risk retention without knowledge.
Without knowledge – this usually results from the lack of knowledge of the
existence of a risk or an omission to insure against it, and this usually arises
because the risks have not been either identified or fully evaluated.
Risk Transfer – this refers to the legal assignment of the costs of certain potential
losses from one party to another. The most common way is by insurance.
Risk Reduction – here the risks are systematically reduced through control measures,
according to the hierarchy of risk control described in earlier sections.
The majority of health and safety risks in the workplace are controlled through the
implementation of managerial/procedural and engineering controls which effectively either
eliminate or reduce the risk. This is undertaken according to the hierarchy of risk control
introduced earlier in the course.
Assessments of large scale complex hazard sites, such as those found in the process
and nuclear industries. These require quantitative risk assessments, involving
General assessments of the complete range of workplace risks – as required under the
Management of Health & Safety at Work Regulations, 1999. (covered in Section Five)
Risk Assessments required under specific legislation – for example for hazardous
substances (COSHH Regulations, 1998), Manual Handling (Manual Handling
Operations Regulations, 1992). (covered in the next Course Topic)
In quantitative (or probabilistic) risk assessment, numerical values of risk are calculated
and compared against some pre-set criteria. The probabilities and consequences are
assessed using statistical techniques and consequence evaluation methods.
QRA is most commonly used in the process industries to quantify the risks of ‘major
hazards’. A major hazard is defined by the HSE (1988)4 as ‘any man made industrial
hazard that has the potential to cause large scale injury and loss of life from a single brief
event’.
In recent years significant increases in the use of QRA have taken place in the offshore oil
and gas industries, the transport of hazardous materials, the protection of the environment,
mass transportation (rail) and the nuclear industry.
There are a number of different ways of expressing and describing levels of risk calculated
in a QRA ranging from simple tables and expressions to complex graphs. When putting a
quantitative figure to a risk it is necessary to be clear as to whom or what group of people
the figure applies. It is normal to differentiate between individual and societal risk.
Frequently individual risk is estimated for a number of locations around a site so that ‘risk
contours’ can be plotted to give an indication of the geographical variations for individual
risk. An example of a risk contour is shown below (Nussey, 1995)6.
4
HSE (1988) The Tolerability of Risk from Nuclear Power Stations, HMSO.
5
IChemE (1992) Nomenclature on Risk Assessment in the Process Industries, IChemE, Rugby, UK
6
Nussey C (1995) Accidents Happen – How they can be avoided and the risks assessed. In
proceedings of the IBC Conference on Preventing & Managing Emergencies, London: IBC Technical
Services Ltd.
[Figure: risk contours around a chlorine installation, with contours labelled 0.3×10⁻⁶/year and 10⁻⁵/year, a village, and a 1 km scale.]
The HSE (1988) concluded that ‘broadly, a risk of death of 1 in 1000 (1×10⁻³) per annum is
about the most that is ordinarily accepted under modern conditions for workers in the UK
and it seems to be the dividing line between what is tolerable and what is intolerable’. It
was also concluded that the tolerable risk level from a large scale industrial hazard ‘should
not be less than 10 times higher’, i.e. 1×10⁻⁴.
Failure modes and effects analysis (FMEA) is used for the analysis of technical systems
and involves breaking the system down into as many components or sub-systems as
possible, and identifying ways that each element could fail, and its effects on the system.
The system is divided into sub systems that can be handled effectively.
A FMEA is typically documented in tabular format in which the table column headings show
its progressive development. A FMEA data sheet typically includes:-
For each component’s functions, every conceivable mode of failure is identified and
recorded. It is also common to rate the failure rate for each failure mode identified. This can
be done by using handbooks of failure rates data or by using subjective descriptors such as
‘probable’, ‘frequent’ etc.
The potential consequences for each failure must be identified along with its effects on
other equipment, components within the rest of the system;
The various possibilities for detection of the identified failures are then recorded. In some
cases sensors and alarms may be in place, in other cases failure is detected through
inspection, maintenance, or by human operation.
It is then necessary to record preventative measures that are in place or may be introduced
to correct the failure, reduce its failure rate or provide some adequate form of detection.
Hazard and Operability Studies (HAZOP) have been used for many years as a formal
means for the review of chemical process designs having been originally introduced by ICI.
It is based on the assumption that a system is safe when all the operating parameters are
in their normal states or at accepted values. A HAZOP study is a systematic search for
hazards which are defined as deviations within these parameters that may have dangerous
consequences. In the process industry, these deviations concern process parameters such
as flow, temperature, pressure etc.
HAZOP is a team approach, involving a team of people representing all different functions
in a plant. They identify all the deviations by ‘brain-storming’ to a set of guide words which
are applied to all parts of the system. They generate an extensive documentation of
potentially hazardous situations as well as operational concerns. The process is as follows:
The system is divided into suitable parts or sub-systems, which are then analysed
one at a time. In the case of a continuous process operation, the division is into
tanks, connecting pipes etc.
Guidewords are applied to each parameter in each subsystem. Due to the ‘team
approach’ that is used, the intention is to prompt creative discussion of deviations
and possible consequences (in terms of both hazards and operability problems).
Guideword Definitions
NO or NOT: No part of the design intent occurs, such as no flow in a pipeline due to blockage.
MORE or LESS: A quantitative increase or decrease of some parameter, such as flow, temperature etc.
AS WELL AS: All the design intentions are fulfilled and something happens in addition.
PART OF: Only part of the design intention is fulfilled.
REVERSE: The logical opposite of the design intention occurs.
OTHER THAN: Something completely different than intended occurs.
Example7
Consider the simple process diagram below. It represents a plant where substances A and
B react with each other to form a new substance C. If there is more B than A there may be
an explosion.
[Figure: process diagram in which substances A and B pass through valves V1 to V5 and react to form C, annotated ‘A < B = Explosion’.]
The HAZOP sheet for the section of the plant from A to C will be as follows:
7
Harms Ringdahl L (1995), Safety Analysis: Principles and Practice in Occupational Safety, Elsevier
Applied Science.
Fault Tree Analysis
Fault tree analysis breaks down an accident hazard into its contributing factors and
investigates combinations of events and conditions that lead to the hazard (Suokas &
Rouhiainen, 1992). A fault tree is a diagram that displays the logical interrelationship
between the basic causes of the hazard.
Fault tree analysis can be simple or complex depending on the system in question.
Complex analysis involves the use of Boolean algebra to represent various failure states.
This is so that when probabilities are defined for each event, the overall probability can
easily be calculated throughout the diagram.
The first stage is to select the hazard or top event that is to be analysed. This event
should be well defined and not too broad, as it can result in a tree with many
different branches and sub-causes, making it time consuming and difficult to
analyse.
The tree is structured so that the hazard appears at the top. It is then necessary to
work downwards, firstly by identifying causes that directly contribute to this hazard.
The same technique is applied to all these causes, breaking them down into sub-
causes (or events) and repeated until the basic (or ‘root’) causes are identified.
When all the causes and sub-causes have been identified, the next stage is to
construct the fault tree. In designing the tree, a set of symbols, shown in table 3.8,
is used (after Daling & Geffen, 1983; Harms-Ringdahl, 1993). Two logical
operators, AND and OR gates, are used to define the relationships between the
events and branches of the tree.
[Figure: circuit diagram showing a lamp, power unit, battery (+/-), fuse and switch.]
The corresponding fault tree for the above circuit, with the top event (or hazard) being the
lamp not working is as follows:
[Figure: fault tree with the top event ‘No current through the lamp’.]
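The Boolean evaluation described above, worked through for the lamp circuit as an added example (not part of the original notes). The tree structure (lamp, fuse and switch failures under an OR gate, with the power unit and battery treated as redundant supplies under an AND gate) and all probabilities are assumptions constructed for illustration, and basic events are assumed independent.

```python
import math
from itertools import product

# Assumed tree for the lamp circuit (constructed; not the notes' own diagram).
# Node forms: ("basic", name), ("AND", [children]), ("OR", [children]).
TREE = ("OR", [
    ("basic", "lamp_faulty"),
    ("basic", "fuse_blown"),
    ("basic", "switch_open"),
    ("AND", [("basic", "power_unit_fails"), ("basic", "battery_flat")]),
])

# Constructed failure probabilities for each basic event (assumed independent).
PROBS = {"lamp_faulty": 0.01, "fuse_blown": 0.005, "switch_open": 0.002,
         "power_unit_fails": 0.05, "battery_flat": 0.1}

def cut_sets(node):
    """Minimal cut sets: smallest groups of basic events that cause the top event."""
    kind, arg = node
    if kind == "basic":
        return {frozenset([arg])}
    child_sets = [cut_sets(child) for child in arg]
    if kind == "OR":      # any one child's cut set is sufficient
        combined = set().union(*child_sets)
    elif kind == "AND":   # need one cut set from every child at the same time
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate: {kind}")
    # Drop any set that strictly contains another (it is not minimal).
    return {s for s in combined if not any(t < s for t in combined)}

def occurs(node, state):
    """Evaluate the tree for one True/False assignment of the basic events."""
    kind, arg = node
    if kind == "basic":
        return state[arg]
    results = [occurs(child, state) for child in arg]
    return all(results) if kind == "AND" else any(results)

def top_event_probability(tree, probs):
    """Exact top-event probability by enumerating every basic-event state."""
    names = sorted(probs)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(tree, state):
            total += math.prod(probs[n] if state[n] else 1 - probs[n] for n in names)
    return total

def rare_event_bound(tree, probs):
    """Sum of cut-set probabilities: a quick upper bound used for hand checks."""
    return sum(math.prod(probs[e] for e in cs) for cs in cut_sets(tree))

if __name__ == "__main__":
    for cs in sorted(cut_sets(TREE), key=lambda s: (len(s), sorted(s))):
        print("cut set:", sorted(cs))
    print("exact P(top):", round(top_event_probability(TREE, PROBS), 6))
    print("upper bound :", round(rare_event_bound(TREE, PROBS), 6))
```

The single-event cut sets (lamp, fuse, switch) dominate the result, which is the usual argument for focusing control effort on components that have no redundancy.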
BSI (1996) – BS8800: Guide to Occupational Health & Safety Management Systems
(Annex D)
The principal difference in these guides is the methodology for estimating risk. The
following steps have been taken from BS 8800.
Identify hazards: identify all significant hazards relating to each work activity.
Consider who might be harmed and how.
Determine risk: make a subjective estimate of the risk associated with each hazard
assuming that planned or existing health and safety precautions are in place.
Assessors should also consider the effectiveness of the controls and the
consequences of their failure.
Decide if risk is tolerable: judge whether planned or existing OH&S precautions (if
any) are sufficient to keep the hazard under control and meet legal requirements.
Prepare a risk control plan (if necessary): prepare a plan to deal with any of the
issues found by the assessment to require attention. Organisations should ensure
that new and existing controls remain in place and are effective.
Review adequacy of action plan: re-assess risks on the basis of the revised controls
and check that risks will be tolerable.
To help with the process of identifying hazards it is useful to categorise hazards in different
ways, for example by topic, e.g.:
mechanical;
electrical;
radiation;
substances;
inadequate headroom;
violence to staff;
lighting levels;
contractors' activities.
Determine risk
The risk from the hazard should be determined by estimating the potential severity of harm
and the likelihood that harm will occur.
Severity of harm
Information obtained about work activities is a vital input to risk assessment. When seeking
to establish potential severity of harm, the following should also be considered:
- superficial injuries; minor cuts and bruises; eye irritation from dust;
2) harmful, e.g.
- deafness; dermatitis; asthma; work related upper limb disorders; ill-health leading
to permanent minor disability;
When seeking to establish likelihood of harm the adequacy of control measures already
implemented and complied with needs to be considered. Here legal requirements and
codes of practice are good guides covering controls of specific hazards. The following
issues should then typically be considered in addition to the work activity information:
These subjective risk estimations should normally take into account all the people exposed
to a hazard. Thus any given hazard is more serious if it affects a greater number of people.
But some of the larger risks may be associated with an occasional task carried out just by
one person, for example maintenance of inaccessible parts of lifting equipment.
Table 1 shows one simple method for estimating risk levels and for deciding whether risks
are tolerable. Risks are classified according to their estimated likelihood and potential
severity of harm. Some organisations may wish to develop more sophisticated
approaches, but this method is a reasonable starting point. Numbers may be used to
describe risks, instead of the terms 'moderate risk', 'substantial risk', etc. Using numbers
does not confer any greater accuracy to these estimates.
Risk categories shown for example in Table 1 form the basis for deciding whether improved
controls are required and the timescale for action. An approach, again suggested as a
starting point, is shown in table 2. Table 2 shows that control effort and urgency should be
proportional to risk.
what do people affected think about the need for, and practicality of, the revised
preventive measures?
will the revised controls be used in practice, and not ignored in the face of, for example,
pressures to get the job done?
Risk assessment should be seen as a continuing process. Thus, the adequacy of control
measures should be subject to continual review and revised if necessary. Similarly, if
conditions change to the extent that hazards and risks are significantly affected then risk
assessments should also be reviewed.
NOTE: Tolerable here, means that risk has been reduced to the lowest level that is
reasonably practicable.
MODERATE: Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period.
SUBSTANTIAL: Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
INTOLERABLE: Work should not be started or continued until the risk has been reduced. If it is not possible to reduce risk even with unlimited resources, work has to remain prohibited.