Contents Copyright © March, April 1996, February 1997, January 1998, April-July 1999, June 2000, January 2001, May 2001, February 2002, March 2004, April 2004. Risk & Reliability Associates Pty Ltd, Consulting Engineers. 5 Edition Cover by Peter Anderson 5 Edition Co-ordination and review by Kris Francis. th 5 Edition editing by Cherilyn Tillman and Bob Browning. Printed and Bound in Australia by Imscam Pty Ltd, Melbourne. This text is copyright. Apart from any fair dealing for the purpose of private study, research, criticism or review or as otherwise permitted under the Copyright Act, no part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, optic, mechanical, photocopying, recording or otherwise without the prior written permission from the publisher, Risk and Reliability Associates Pty Ltd. ISBN 0-9585241-3-0 RRP AUD $298.00 (including GST). Postage and handling extra.
th th

Published by: Risk & Reliability Associates Pty Ltd ACN: 072 114473 ABN: 98 072114473 Consulting Engineers Level 2 56 Hardware Lane MELBOURNE AUSTRALIA 3000 e-mail: web: fax: voice: http// +61 3 9670 5278 +61 3 9602 4747

Also in Sydney and Wellington.

This text is intended to provide general information concerning the concepts and applications of risk and reliability theory. The text is used by R2A in its training courses on risk and reliability assessment. The examples and templates are provided as examples of the analytical tools used in assessing and managing risk. They should not be used a substitute for obtaining professional advice or assistance. The authors accept no responsibility for any errors or omissions in the material, or for the results of any actions taken as a result of using these examples or templates.

Risk & Reliability Associates Pty Ltd


Contents R2A Document Control Risk & Reliability – An Introductory Text Edn. 1.0 2.0 3.0 3.1 3.2 3.3 4.0 5.0 Date 04/96 02/97 01/98 07/99 06/00 01/01 02/02 02/03/04 15/03/04 23/03/04 04/04/04 19/04/04 Section Issue/Nature of Revision First Edition Second Edition Third Edition Third Edition, Revised Third Edition, Second Revision Third Edition, Third Revision Fourth Edition Fifth Edition Typos and layout Chapter 16 & Index Chapters 17 & 18. Typos & Index Prepared: RMR RMR RMR RMR GEF LS GEF, CJT, RWB RMR, KJA, CJT, RWB RMR CJT, RWB RWB RWB Reviewed: KJA KJA


Contributors to earlier editions and revisions include: Teresa Alam John Bellhouse Keith Hart Matthew Lambert Simon Meiers Paul Rees PM Strickland.


vi vii


Risk & Reliability Associates Pty Ltd


1. 1.1 1.2 1.3 1.4 1.5 1.6 2. 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 3. 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 4. 4.1 4.2 4.3 4.4 4.5 4.6 4.7 5. 5.1 5.2 5.3 5.4 5.5 5.6 5.7 6. 6.1 6.2 6.3 6.4 6.5 6.6 INTRODUCTION TO RISK AND RELIABILITY CONCEPTS The Nature Risk Types of Risk Risk Management Evolution Historical Perspective of Risk Reliability Quality RISK PARADIGMS & MODELS The Rule of Law Insurance Asset Management Threats and Vulnerabilities Risk as Variance Best Practice Simulation Culture Paradigm Integration Risk Models RISK AND GOVERNANCE Risk Management’s Role in Good Governance Corporate Governance Systems Origins of the Good Governance Movement The Rise of the Risk Society Governance and Non-Financial Risk Public Sector Governance and Risk Risk and Corporate Citizenship Fallout Severity Basic Principles of Good Corporate Urban Governance LIABILITY Criminal vs Civil Standard Common Law Criteria On Juries and Justice Due Diligence Safety Cases Adversarial Legal System Contradictions Risk Auditing Systems CAUSATION Paradigms Biological Metaphors Discrete State Concepts Time Sequence Energy Damage Energy Damage Models Latent Conditions RISK CRITERIA Legal Criteria Individual Risk Criteria Societal Risk Criteria Environmental Risk Criteria Insurance Criteria Ethical Criteria 1.1






Risk & Reliability Associates Pty Ltd


4 7.1 9.7 11. 7.Contents PART 2 – TECHNIQUES 7. 9.3 12.2 10.2 12.5 8.4 12.1 9. 12.6 9.1 12.1 iv Risk & Reliability Associates Pty Ltd .7 10.4 9.1 8.1 12.4 10.5 9. 8.2 7.3 9. 11.1 10.1 11.4 TOP DOWN TECHNIQUES SWOT Assessments Upside and Downside Risk Vulnerability Assessments Enterprise Risk Profiling Project Risk Profiling RANKING TECHNIQUES Risk Registers Ranking Acute OH&S Hazards Ranking Property Loss Prevention Hazards Integrated Investment Ranking MODELLING TECHNIQUES Trees Blocks Integrated Presentation Models Common Cause Failures Human Error Rates Equipment Fault Rates System Safety Assurance BOTTOM UP TECHNIQUES RCM HazOps Common Mode Failures Risk Management and the Project Life Cycle QRA HACCP GENERATIVE TECHNIQUES James Reason et al Transparent Independent Rapid Risk Reporting Generative Interview Technique Generative Solutions Technique RISK & RELIABILITY MATHEMATICS Discrete Event Mathematics Breakdown Failure Mathematics State Theory Mathematics Fractional Dead Time Mathematics 7.2 9.1 7. 10.3 7.2 8.2 11.1 11.4 9.1 8.3 8.5 10.6 10.3 10.3 11.

13.1 16.7 13.9 13.1 14. APPLICATIONS AND CASE STUDIES 13.1 16.4 13.5 17.1 18.4 PROCESS INDUSTRY MODELLING Safety Cases Context (Top Down) Quantitative Risk Assessment (QRA) Fire Modelling Pool Fires Jet Flames Explosions Toxic Gas Clouds Fire Safety Studies Risk Criteria Used in Australia and New Zealand CRISIS MANAGEMENT Intention Lessons in Fallout Management Design Stage Case Studies Conclusion INDUSTRY BASED CASE STUDIES Airspace Risk Assessment Train Operations Rail Model Fire Risk Management (in buildings) Transmission Line Risk Management Bushfire Risk Management Tunnel Risk Management OCCUPATIONAL HEALTH & SAFETY Legislative Framework OH & S Risk Assessment Performance Indicators Information Structures Audit & Safety Management Systems FINANCIAL RISK Risk and Opportunity Terms Utility and Risk Models Market Risk Mathematics SECURITY Security and Risk Management Security Terms Basic Elements of Security Management The Terrorist Threat 13.4 17.8 13.5 13.Contents PART 3 – THEMES. 16.1 15.2 13.1 15.1 17.3 16.10 14.5 15.2 14.3 18.5 15.6 16.3 15. 17.1 13.1 18.2 17.2 15.4 15.2 16.2 18.1 17.4 16.3 17.5 18.4 14.3 13. 14. 15.1 Risk & Reliability Associates Pty Ltd v .6 13. 18.1 14.3 14.

And liability is increasingly ubiquitous. for example. The addition of Part 4 to the planned 6 Edition will address risks resulting from the rise of computer systems. Melbourne March 2004 vi Risk & Reliability Associates Pty Ltd . The recent spate of high profile. but work on the 6 edition is scheduled for later in 2004.Contents Preface to the 5th Edition This is the 5th Edition of Risk and Reliability . such risks can be managed. local and overseas corporate failures. in the context of human frailty.An Introductory Text. Part 3 comprises technical explanations of the practical applications of these concepts and techniques. Parts 1-2 are based on the very successful 2-day risk management short courses presented by R2A director Richard Robinson for EEA (Engineering Education Australia). Presently the Text has three parts. This course presently uses the th th 4 Edition as background reading. th R W Browning Hardware Lane. The evident vulnerabilities flowing from large-scale technology require scrutiny both from accidental and deliberate actions. and how. An integration of top down and bottom up risk management concepts and techniques as explained in Parts 1-2 becomes necessary to cope with the widening range and severity of modern risk. The evolving nature of risk and risk management in the contemporary globalising environment that is sometimes described as the Risk Society necessitates frequent revision and additions. has created unprecedented interest in corporate governance. R2A’s intention is to extend the Text to four parts so as to include material based on the System Safety Assurance Course presented by R2A Director Kevin Anderson for EEA. Risk and Reliability Associates Pty Ltd published the first edition of this Text in April 1998. Part 3 summarises published R2A practice experience.

As Low As Reasonably Practicable. An inspection or checking of methods of doing business. Common Mode Failures refer to the simultaneous failure of multiple components or systems due to a single. In engineering and commerce. insurance and loss control. for example. expansion and modification (Butterworths (1998). the advent of a third world war. Consequence/s The actual or potential degree of severity of loss or gain. Items underlined are referenced as a separate entry in the R2A dictionary. change in interest rates. typically a year. Australia). raw material sources and the like. Given the multi-disciplinary nature of risk management. Audit Audit Trail Availability Business Interruption Common Law Common Mode Failure Risk & Reliability Associates Pty Ltd vii .Contents A Short Dictionary of Risk & Reliability Terms and Acronyms The dictionary below defines the usage of key terms in the R2A Text. acronyms have been included rather than giving them a separate listing. interpretation. usually a capital cost item. different specialist groups often attribute different meanings to commonly used terms and different terms are often used for similar or near identical concepts. The ratio of the total system or entity ‘up time’ to system or entity elapsed time. otherwise any production or sales stoppage. For simplicity. The list is adapted from an earlier list presented in a paper by R M Robinson and D B L Viner (1983). In commercial terms it refers to threats whose occurrence would simultaneously affect multiple inputs to any equation. Accountability ALARA ALARP Algorithm Asset The property that ensures that the actions of an entity can be traced. The unwritten law derived from the traditional law of England as developed by judicial precedence. the latter being the sum of the total ‘up time’ and ‘down time’. It is therefore a function of reliability and repair time. As Low as Reasonably Achievable. Data collected and potentially used to facilitate an audit. In insurance terms. An explicit and finite step-by-step procedure for solving a problem or achieving a required end. In security. external cause such an earthquake or fire. normally. Butterworth. Concise Australian Legal Dictionary. usually refers to an item that if (accidentally) lost would cause a loss. It is used to distinguish discreet failures of individual components or systems due to a defect arising locally within that component or system. the loss of profits over a defined period.

GE5. 4 Edition. the quality of the environment in the short or long term. External Risk Reduction Facility. which combines the probability that the events will cause. Australia An event or continuing process. personal protective equipment is generally protection. Butterworth. which if realised. Practical Methods for Engineers.35-41).1. Procedures designed to minimise the severity of loss. For example. The same performance of a function by two or more independent and dissimilar means (of particular reference to software) (Smith D J (1993) Reliability. Australia). Due Diligence ERA ERRF Engineers Australia Environmental Hazard Environmental Risk EUC Event viii Risk & Reliability Associates Pty Ltd . that is. Norske Shell Exploration and Production). Controls can encompass both protection and precautions. th Maintainability and Risk. Engineering Those activities devoted to changing the material world to a desired state (Robinson Richard M (1981). A measure of potential threats to the environment. General Engineering Transactions. The trading name of The Institution of Engineers. Butterworth. dust masks. Butterworth Heinemann. Equipment Under Control. Norske Shell Exploration and Production). An Outline of the Philosophy of Engineering and its Consequences. The usual hierarchy of controls is: Elimination. or lead to degradation of the environment and the severity of that degradation Wright N H (1993). gloves etc Critical Control Point (CCP) Damage Control A point. No. (AS 4360:1999 Risk Management). that is. An incident or situation. hearing protectors. will lead to circumstances having a potential to degrade. Development of Environmental Risk Assessment (ERA) in Norway. removal of the hazard or risk Engineering controls. Development of Environmental Risk Assessment (ERA) in Norway. directly or indirectly. which occurs in a particular place during a particular interval of time. Australia). Concise Australian Legal Dictionary. It encompasses a large range of measures taken to reduce the likelihood and consequences of adverse outcomes. (Wright N H (1993). eliminated or reduced to acceptable levels. Environmental Risk Assessment. July 1981 pp. A minimum standard of behaviour involving a system which provides against contravention of relevant regulatory provisions and adequate supervision ensuring that the system is properly carried out (Butterworth (1998).Contents Controls The most common term used in safety and in this context means to hold in check or to restrain. Oxford). Engineers Australia. for example. Concise Australian Legal Dictionary. Vol. those that design out the hazard or reduce it Substitution of a less hazardous substance or equipment or process Administrative controls such as job rotation to reduce exposure time to the hazard Personal protective equipment. A statutory defence to a charge of causing or permitting environmental harm or pollution (Butterworth (1998). step or procedure at which control can be applied and a food safety hazard can be prevented.

Failure (risk) Failure (reliability) Fault FDT FMEA FMECA Frequency FTA Group Risk HACCP Hazard Hazard Identification HazOp HEART Risk & Reliability Associates Pty Ltd ix . Oxford). Fault Modes and Effects Analysis. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide). 4 Edition. Butterworth Heinemann. injury or damage) beyond a component or entity merely becoming unavailable to perform its function. A formal analysis of a process or plant by the application of guidewords. 4 Edition. resulting in unavailability. Fractional Dead Time (a form of unavailability). See Societal Risk Hazard and Critical Control Point analysis. which can give rise to a loss and used extensively by engineers and physical scientists. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide and AS 4360:1999 Risk Management). th Practical methods for Engineers. It can also be referred to as a ‘hazardous’ failure (Smith D J (1993) Reliability. These are displayed graphically. The inability of an entity to perform its required function. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide). Maintainability and Risk. Process of recognising that a hazard exists and defining its characteristics. See Fault. The rate at which something occurs per unit time. Effects and Criticality Analysis. Oxford). Human Error Assessment and Reduction Technique. A cessation of function that has consequences (usually meaning death. The fraction of any time period that a defence or control system is ‘dead’ (cannot operate correctly). A hazard identification and frequency analysis technique. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide). It is therefore a function of audit frequency and the time to revive/restore the control system. A source of potential harm or a situation with a potential to cause loss. To be compared to a vulnerability. It can also be referred to as a breakdown failure. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide). Fault Tree Analysis. Fault Modes. evaluating and controlling safety hazards in food processes. A source of potentially damaging energy. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide). which employs inductive reasoning to translate different initiating events into possible outcomes. Practical methods for th Engineers. These are displayed graphically. HAZard and OPerability study. Non-performance to some defined performance criterion (Smith D J (1993) Reliability. which starts with the undesired event and determines all the ways in which it could occur.Contents Event Tree Analysis A hazard identification and frequency analysis technique. Butterworth Heinemann. An approach of identifying. Maintainability and Risk. A situation that could occur during the lifetime of a product system or plant that has the potential for damage to the environment.

A failure which is not detected and/or enunciated when it occurs. Highly Protected Risk. models and working hypotheses which are intended to provide solutions rather than explain facts. A method of transferring risk by financial means. by incremental exploration using conceptual devices such as ideal types. which occurs in a particular place during a particular interval of time which should provide an alert to the risk management system. The Institution of Professional Engineers. Life cycle costing provides a method for determining the total cost of a system over its entire life cycle and is used to establish the cost effectiveness of alternative asset solutions. HPR HRA IChemE IPENZ Incident Individual Risk Insurance Integrity IRR JSA Latent Condition Liability Life Cycle Costing Likelihood Loss Loss Event x Risk & Reliability Associates Pty Ltd . Blanchard and Fabrycky nd (1990). A term to describe the probability or frequency of an occurrence. Prentice Hall). Butterworth. Human Reliability Assessment. This can be a failure of a control system or a near miss. harm. The Institution of Chemical Engineers (UK). or obligation (Butterworth (1998) Concise Australian Legal Dictionary. Job Safety Analysis. damage loss or breach of statute. legal or other damage which could occur due to a loss event. A person’s present or prospective legal responsibility. Any negative consequence. IChemE. 2 Edition. New Zealand An event or situation. Systems Engineering and Analysis. Prentice Hall. Prentice Hall International. Internal Rate of Return. A property of an object or data that has not been modified and is fit for the purpose for which it is to be used. It may lead to a claim and/or court proceedings. US engineering term used to describe a level of loss control excellence. The embarrassment. Australia). Systems Engineering. Warwickshire).Contents Heuristic Proceeding to a solution in the absence of an algorithm. Nomenclature for Hazard and Risk Assessment in the Process Industries. Rugby. injury. Cost effectiveness is defined as the ratio of systems effectiveness to life cycle cost (Blanchard (1991) Systems Engineering Management. financial or otherwise (AS 4360:1999 Risk Management) including death. financial loss. The frequency at which an individual may be expected to sustain a given level of harm from the realisation of specified hazards (Institution of Chemical Engineers (1985). duty. See occurrence. (SAE ARP 4781:1998 Guidelines and Methods for Conducting the Safety Assessment process on Civil Airborne Systems and Equipment). Aslaksen and Belcher (1992).

That risk thought by an individual or group to be present in a given situation (Institution of Chemical Engineers (1985). University of Chicago Press). allocate these requirements down to system elements. Warwickshire). (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide) MORT MTBF MTTF MTTR Occurrence P&ID Paradigm Management Oversight and Risk Tree. IChemE. 2 Edition. Rugby. action or system on a regular basis in order to identify change. A universally recognised knowledge system that for a time provides model problems and solutions to a community of practitioners (Kuhn T S (1970). A sequence of events leading to damage or injury. which uses a model of the system to evaluate variations in input conditions and assumptions. observe critically. Nomenclature for Hazard and Risk Assessment in the Process Industries. 2 Edition. The act of reducing the severity of the potential adverse outcome. Mean Time Between Failure.). sixth impression. that is due diligence. (AS 4360:1999 Risk Management) MDT Mitigation Monitor Monte-Carlo Simulation A frequency analysis technique. (Managing the Management Risk: New Approaches to Organisational Safety Chapter 1 of Reliability and Safety in Hazardous Work Systems: Approaches to Analysis and Design.). In the context of a Cause-consequence model. or record the progress of an activity. A number in a scale from 0 to 1 that expresses the likelihood that one event will succeed another (Institution of Chemical Engineers (1985). Prentice Hall International). elimination. In the risk context Reason (1993) has defined pathogens as analogous to latent failure in technical systems. Nomenclature for Hazard and Risk Assessment in the Process Industries. In the context of the types of controls listed above mitigation of risk could be achieved by any bar the first. Rugby. Mean Down Time. precautions act before the loss of control point. The likelihood of an event occurring. Systems Engineering and Analysis. Mean Time To Repair. IChemE. similar to resident pathogens in the human body. Process (or Piping) and Instrumentation Diagram. supervise. Pathogen Perceived Risk Precautions Probability Risk & Reliability Associates Pty Ltd xi . Warwickshire). enlarged. To check. that is. and predict and verify system maintainability performance nd (Blanchard and Fabrycky (1990). In the context of risk management precautions are the result of prudent foresight.Contents Maintainability The set of technical processes that apply maintainability theory to establish system maintainability requirements. Measures taken beforehand to ward off possible adverse events. nd The Structure of Scientific Revolutions. Mean Time To Failure.

Totality of characteristics of an entity that bear on its ability to satisfy stated and implied needs (AS/NZS 9000. or using statistical information from historical data from circumstances similar to existing or planned operations. A frequency analysis technique that creates a model of the system and its redundancies to evaluate the overall system reliability. The remaining level of (pure) risk after risk treatment measures have been taken. for a specified period of time (Smith David J (1993). Installation and Servicing). A systematic use of available information to determine how often specified events might occur and the magnitude of their consequences. The chance of something happening that will have an adverse impact upon objectives. A plot of likelihood vs consequence for a series of events. (AS 4360:1999 Risk Management) The potential realisation of the unwanted consequences of an event from which there is no prospect of gain. Oxford.Contents Protection Protection has many meanings. Reliability. allocate these requirements down to system elements. physical and financial assets of an organisation. risk deliberately undertaken for a perceived benefit. Reliability Block diagram. Quantified Risk Assessment. The estimation of a given risk by logical and analytical modelling techniques. Practical Methods for Engineers. The overall process of risk analysis and risk evaluation. Development.1:1994 Model for Quality Assurance in Design. Generally. Risk Adjusted Return On Capital. The set of technical processes that apply reliability theory to establish system reliability requirements. (AS 3931:1998 Risk Analysis of Technological Systems – Applications Guide) Reliability Centred Maintenance. Conformance to a set of requirements that. However in the context of risk management it is the state of being protected or something that protects or preservation from injury or harm. Production. (AS 4360:1999 Risk Management) The study of decisions subject to uncertain consequences. The probability that a device will satisfactorily perform a specified function. It is measured in terms of consequences and likelihood. Fourth Edition. service or product that is fit for its intended purpose. In the context of a cause-consequence model. Butterworth Heinemann. under given operating conditions. (AS 4360:1999 Risk Management) The human. results in an organisation. predict and verify system reliability performance and establish reliability growth programs (US MIL-HDBK-338-1A).). protection usually acts after the loss of control point such as much fire protection equipment. Restoration of a system to its desired state following a fault or failure. Maintainability and Risk. if met. QRA Quality RAROC RBD RCM Recovery Reliability Reliability Engineering Residual Risk Resource/s Risk Risk (Pure) Risk (Speculative) Risk Analysis Risk Assessment Risk Curve or Diagram xii Risk & Reliability Associates Pty Ltd .

Butterworth.Contents Risk Engineering Risk Evaluation The application of engineering techniques to the risk management process. An action or event that might prejudice any asset. Risk Financing Risk Identification Risk Management Safe SafetyMAP Security Sensitivity Analysis Severity Societal Risk Stakeholders Statute Law System Safety SRS THERP Threat Risk & Reliability Associates Pty Ltd xiii . The relationship between frequency and the number of people suffering from a specified level of harm in a given population from the realisation of specified hazards (Institution of Chemical Engineers (1985). Examines how the results of a calculation or model vary as individual assumptions are changed. Systems Engineering Management. The process used to determine risk management priorities by comparing the level of risk against predetermined standards. ignoring likelihood. The methods applied to fund risk treatment and the financial consequences of risk. Nomenclature for Hazard and Risk Assessment in the Process Industries. be affected by. IChemE. hazard or vulnerability. (AS 4360:1999 Risk Management). The measure of the absolute consequences of a loss. made by Parliament (Butterworth (1998) Concise Australian Legal Dictionary. directing and controlling the resources and activities of an organisation in order to minimise the adverse effects of accidental losses to that organisation at least possible cost (Head E L (1978). Law created by legislation. Australia) A set of technical processes that apply risk management theory to establish system safety requirements. (AS 4360:1999 Risk Management). confidentiality and integrity. Those people and organisations who may affect. The opposite of dangerous. Wiley Interscience. In insurance terms the absolute magnitude of the dollars associated with a single (potential) loss event. The Risk Management Process. These requirements are allocated down to the system elements. that is. Term coined by the Victorian WorkCover Authority. Warwickshire). Note: in some industries risk financing relates to the funding of the financial consequences of risk. An Anatomy of Risk. (AS 4360:1999 Risk Management) The observation and identification of new risk parameters (Rowe W D (1977). Safety Management Achievement Program. target risk levels or other criteria. The combination of availability. Technique for Human Error Rate Prediction. (AS 4360:1999 Risk Management) The process of planning. Page 8) An acceptably low or tolerable level of risk. or perceive themselves to be affected by. organising. Rugby. and predict and verify system safety performance and direct actions to prevent and/or reduce unacceptable levels of identified safety hazards (Blanchard B (1991). a decision or activity. why and how. New York). (AS 4360:1999 Risk Management). Wiley Interscience) Safety Related System. Sometimes referred to as Group Risk. The process of determining what can happen. The Risk & Insurance Management Society Incorporated New York.

Value At Risk. A weakness with regard to a threat. HMSO. A concept similar to that of Loss Expectancy. VAR Vulnerability Vulnerability Analysis xiv Risk & Reliability Associates Pty Ltd . The Tolerability of Risk From Nuclear Power Stations. but must be kept under review and reduced further still (Health and Safety Executive (1988). A method of 'completeness' checking for a defined scenario.Contents Tolerable Risk Risk that is not regarded as negligible or something that can be ignored. To be compared to a hazard. London).

The possible events or situations that pure risk poses are treated as hazards or vulnerabilities. 1. and what to do about it.2 Types of Risk Risk is generally divided into two broad types: Pure Risk and Speculative or Business Risk. and is treated as an opportunity. and the reliability and efficacy of their endeavours in the face of ever present uncertainty. If the likely consequences of a risk are considered to be always bad. one element that is common to all concepts of risk is the notion of uncertainty. business managers or ordinary individuals reflect human concern to improve safety and security. However. the concept of risk would be incomprehensible to them. the past may not reflect the future Disputes = prosperity Sign off is difficult Lacks knowledge of specialised disciplines Users of the term "Risk Management" (Adapted from Blombery. 1. 1982) Risk & Reliability Associates Pty Ltd 1. are vital human concerns. 1. there would be no risk. If the possible consequences of a risk are considered potentially desirable.Concepts 1.1 Introduction to Risk and Reliability Concepts The Nature of Risk Risk means different things to different people at different times. Decision-making processes whether of statutory regulators.1 . If immortal and omnipotent beings existed. risk is assessed according both to its estimated likelihood or probability (how often it is likely to occur) and the value of its estimated consequences (how desirable or undesirable its impact may be). that risk is designated as speculative or business risk. offering no prospect of gain. But in the world of finite beings. Risk.3 Risk Management Evolution USER Insurance Broker Insurance Company Safety Manager Risk Manager Line Manager Investment Manager Auditors Legal Advisors/Lawyers Board Members OBJECTIVES Maximise new clients Maximise profits Maximise underwriting profits Maximise safety budget Minimise loss Maximise corporate profits Meet production objectives Maximise profits Maximise investment returns Minimise Risk Confirm reality matches reports Manage (potential) conflicts Win court cases Maximise corporate profits Minimise personal liability LIMITATIONS Affordable services only Conflict of objectives Conflict of objectives Narrow approach Loss reduction may not be cost effective Lacks knowledge of specialised disciplines Not line management May not understand contribution of risk management to results Risk and profit do not directly accrue to adviser Historical analysis. If we knew what would happen next. it is designated pure risk. Consequently. court judges. all face uncertain. possibly precarious futures.

By providing clean water. The move derived largely from a marketing strategy to gain new clients. Note that at this time viruses and bacteria were not known. sale and use of dice completely suppressed. For example: 1. and That by the combinations of all these arrangements it is probable that the full insurable period of life indicated by the Swedish tables. manufacture. Sundays to be strictly observed. 1. odious gases. others outside the insurance industry took up the term.. (Dice factories turned to making rosary beads). For example. drinking or excesses'. Blombery (1982) suggests that the best way to avoid misinterpreting intentions is to examine what the main professional users of the term customarily imply when they refer to risk management. 1. 1996).2 Risk & Reliability Associates Pty Ltd . his concept was a flow on from the Crimean war and Florence Nightingale. Because the term risk management is used now in many different ways by different groups of professionals. by diminishing the existing charges attended on sickness and premature mortality. 1..1 The Plague When a society believes that the reason many are dying from the plague is because God is punishing people for their sins. The following illustrates some early attempts to control the plague (Nohl. 1926): SPEYER 1347 A strict prohibition against gambling in churchyards. cursing. which historically has been used by the insurance industry (Taylor. using it to serve various purposes. that “cleanliness is indeed next to Godliness” To quote from Chadwick's report: . In part.Concepts Several large international insurance brokers introduced both the concept and the term "risk management" into Australia in the 1970s. may be extended to the whole of the labouring classes. of supplies of water laid on in houses. which is a variation on the more traditional term and Loss Expectancy. confusion often arises as to what precisely is being referred to. COUNCIL OF TOURNAI All concubines to be expelled or married.4. if not solved. the problem would be contained. that is an increase of thirteen years at least.Public Health Reforms in the 1840s A particularly interesting risk management issue arose with the control of epidemics in the UK in the 1830s and 40s (Winslow 1967). it will manage the risk differently from a society that believes in viruses and bacteria. Chadwick's Report on the Sanitary Conditions of the Working Classes (1842) recognised that disease struck where there was work and urban congestion.4. and of means of improved cleansing would be a pecuniary gain. VAR (Value At Risk). Subsequently. developing a new lexicon in the process. NB: Recently the financial investment industry also adopted the concept.2 United Kingdom . we believe to be its cause.That the expense of public drainage. ROUEN (France) 1507 'No gambling. sanitation and reasonable housing. as shown in the table above. at different times. The then theory of contagion related to miasmas or clouds of noxious.4 Historical Perspectives of Risk What we think about risk and how we address it depends on the way we perceive that risk and what.

using hoses and sand buckets. The loss rate will therefore remain static over time with minimal influence from market forces. While the tripartite concept has driven traditional approaches to OH&S risk control processes. the emerging legal environment puts increasing emphasis on a fourth party. the good pay for the bad”. those who work there. Such an engineering-underwriter viewpoint contrasts dramatically with a wholly financial view of insurance. With a purely financial approach a burning building can be insured if sufficient premium is paid. cotton mills were a notorious source of fire and burned down regularly. arising from industry based insurance efforts started by Bismarck in the 1890s. With the Factory Mutual concept. 1.4. and taught his people how to respond to a fire appropriately.3 The 1840 North American Factory Mutual System In the early 1800s.4 Tripartite Risk Control Philosophies For Health and Safety policy particularly. This did not achieve the immediate acceptance and success one might expect in today’s more democratic society with greater capacity for public scrutiny. accountability. Zachariah Allen. 1. The general concept is that there are three key parties to the risk control process: those who own the industry. He then approached other owners who had built superior facilities and suggested that they pool the premiums they were paying to existing underwriters. and the government. and liability.Concepts Chadwick’s arguments to justify his risk management recommendations appealed to humanitarianpublic interest benefits as well as cost savings over time.5 Bipartite Philosophies An alternative is what might be called the bipartite approach apparently adopted by Germany. This was a great success and was the forerunner of the Factory Mutual System and the "Highly Protected Risk" (HPR) concept. Today. Stakeholders range from consumers of products such as food or pharmaceuticals to the public and communities disaffected by industrial pollution or corporate governance failures. He fire-isolated the cotton gins. following from the work of the Robens Committee (Creighton.3 . specifically that the industry guild exists. Risk & Reliability Associates Pty Ltd 1. which generated a significant amount of friction in a highly combustible medium. 1. provided massive construction. Each party is of equal status. a factory owner in the 1840s decided to build a superior mill. or did not agree that the very expensive fresh water and sewerage treatment was necessary or even effective. they could then pay back a profit after a few years. “No. The underwriter responded.4. that it functions to determine what the acceptable levels of risk are for that industry and to ensure that the consequences of this target are appropriately funded by industry based insurance. Attention is swinging to stakeholders. only those plants that meet certain minimum design and management system requirements can join the premium pool. The government’s role is confined to ensuring that the process occurs. Australia adopted the philosophies of the United Kingdom.4. As they should have fewer losses. A bipartite guild (berufsgenossenschaft) is established for appropriate industries. He then went to his existing underwriter and asked for a discount. This particularly applies to the development of codes of practice and regulations. 1996). A major part of the problem was the need to extract the cotton seeds from the cotton balls. passive smoking may be considered in this same context. There were many with vested interests that could not see.

The military has always had a very specific interest in this in both organisational and technological terms. World War 1 provided the impetus to the development of the aircraft and armoured vehicles and the beginning of increasingly capable military equipment. It evolved in the private airline industry primarily through the activities of the Maintenance Steering Group of the International Air Transport Association. regardless of whether it was exhibiting signs of wear or not. These are shown in the figure below.4 Risk & Reliability Associates Pty Ltd . The final report of the Maintenance Steering Group in 1980 titled MSG-3. The main concern of reliability-focussed professionals is to ensure that systems or system components work the first time they are required.Concepts 1. the use of sophisticated valve based electronic systems in the emerging fighter jet industry proved very unreliable in the 1950s. and every time thereafter.5 Reliability Reliability is a risk-related concept. The consequence of such beliefs was that equipment was taken out of service and maintained at particular intervals. Such systems often consumed enormous resources yet failed to deliver effective service to the customers. 1992). The beginnings of the 20th century arms race in Europe can be traced to the involvement of industrial technology in production of the HMS Warrior in 1861. actuarial studies of aircraft equipment failure data conducted in the early 1970s identified a more complex relationship between age and the probability of failure below. Failure Rate Time Infant Mortality Useful Life Wear Out Bathtub Failure Curve However. and a specific area of professional activity. reliability-focussed professionals saw system components as exhibiting a standard failure profile consisting of three separate characteristics: An infant mortality period due to quality of product failures. 1. 1.5.1 Failure Modes Until the mid 1970s. provided the backbone of the logic processes contained in the referenced texts and RCM analysis (Moubray. World War ll brought the development of electronics and a dramatic increase in the complexity of increasingly accurate and destructive weapons. A useful life period with only random stress related failures A wear out period due to increasingly rapid conditional deterioration resulting from use or environmental degradation. As might be expected.

This led to the idea that the maintenance regime ought to be based on the reliability of the components and the required level of availability of the system as a whole.Concepts Wear-in to Random Wear Out 4% Random then Wear Out 2% Steadily Increasing 5% Inceasing during Wear-in and then Random 7% 89% Random over measurable life 14 % Wear-in then Random 68% Failure Rate Curves Specifically.5 . Risk & Reliability Associates Pty Ltd 1. the bathtub curve was discovered to be one of the least common failure modes and that periodic maintenance increased the likelihood of failure.

matrix data-analysis.3.13 John Oakland (UK) Leadership is the key to business excellence and quality 1. 1.3. 1. He introduced the concept of “zero defects” within the framework of his “four quality absolutes”.3.Concepts 1.8 Genichi Taguchi (Japan) Restates the Japanese view of investing first and not last. 1.3. systemic/tree diagram. That is. Juran believes that senior management are largely responsible for quality with less than 20% of quality issues being due to workers. 1. quality circles and company wide quality control (CWCC) from top to bottom. Has an expanded form of the PDCA cycle. Cause and effect diagrams used extensively (see section 5. 1. Management is responsible for 94% of quality problems. He has a 6-tool process for quality improvement and advocates the use of simple statistical methods to identify problems and point to solutions. Although there are differences in approach there appear to be 6 common principles namely. KJ or affinity diagram.2 Joseph M Juran (US) Defines quality as fitness for use. management commitment. system based tools. the "PDCA Cycle" (Plan. Check. 1.4). process decision program chart. and arrow plan. prevention is better than inspection.3. Do. The objective of his approach is to reduce the variability by continuous improvement.4 William E Conway (US) Has similar beliefs to Deming and indicates that quality increases productivity and lowers costs. However.3. Act). matrix diagram.3. 1. quality teamwork in the workforce. quality improvements are not free.10 Armand V Feigenbaum (US) Holds that total quality management (TQM) is the way to completely manage an organisation. He includes tools like management by walking about (MBWA).9 Shigeo Shingo (Japan) Promoted just in time manufacturing and defects = 0 (Poka-Yoke).1 W Edwards Deming (US circa 1948) Defines quality as a predicable degree of uniformity and dependability at low cost and suited to the market.6 Shigeru Mizuno (Japan) Promoted 7 tools for quality management.3.7 Masaaki Imai (Japan) Kaizen process to develop logical systemic thinking.3. and customer focus.5 Kaoru Ishikawa (Japan circa 1949) Focussed on seven basic tools for quality improvement.3.3.3. 1.3 Phillip B Crosby (US) Believes that quality is conformance to requirements. 1. He has a 10-step process to quality improvement.6 Risk & Reliability Associates Pty Ltd . relations diagram. 1.3.6 Quality Davis (2001) reviews a large number of contributors to the quality movement. design should be superior.12 Claus Møller (Denmark) Personal quality is a central element of total quality with a focus on administrative improvement. 1. Like Deming.11 Tom Peters (US) He has a focus of leadership and customer satisfaction rather than management. 1. The cost of quality is the costs incurred due to nonconformance and therefore quality is free. measurement to determine current position and goals. 1.

2 Federation Press. Smith Anthony (1993). The Hafner Publishing Company. Objectives and Directions. Creighton W B (1996). pp15-19. The quality gurus: What have we learnt from them? Reprinted in Engineering World. George Allen & Unwin Ltd. Risk & Reliability Associates Pty Ltd 1. RCM II Reliability Centred Maintenance. Understanding Occupational Health and Safety in Victoria. Article in Financial Derivatives & Risk Management. READING Beck Ulrich (1986). Dr Elwyn C (2001). Monash University. 1. 1982. Risk Management Origins. The Risk Management Process. June 1996. Butterworth Heinemann Nohl J (1926). Marsh & McLennan Pty Ltd.39-48. Issue 6. Reliability Centred Maintenance. London. Vol. New York. National and Public Risk: Risk Control Strategy – Some Fundamentals. The Black Death. Paper presented at the ANZAAS Festival of Science. Proceedings of the Victorian Industrial Safety Convention. a Chronicle of Plague. Robinson R M. The particularly relevant chapter is Chapter XII.7 . the Great Sanitary Awakening. December 2001 / January 2002. New York. John (1992). Risk Management and the Australian Safety Practitioner. Reprinted 1998. London. Report on the Sanitary Condition of the Labouring Population of Great Britain. Davis. Taylor R T and W A MacDonald (1996). Chadwick E L (1842). Incorporated New York. pp.Concepts REFERENCES Blombery R I (1982). Australia. Head E L (1978). Translated © Sage Publications. London. The Future of Market Risk Management. The Conquest of Epidemic Disease. D B L Viner and M A Muspratt (1985). McGraw Hill. Melbourne. Presented to Both Houses of Parliament. Moubray. Risk Society: Towards a New Modernity. Page 8 The Risk & Insurance Management Society McCabe FM (1978). IFR Publishing Winslow C E A (1967). nd edition.

The development of biological. New paradigms based on more comprehensive or convincing theories may supersede older ones or exist co-jointly with them. As a consequence. Risk & Reliability Associates Pty Ltd 2. typified by engineering based Failure Modes.1 The Rule of Law When everything else fails. Perhaps this is why it works: both the political and judicial systems must simultaneously fail before social breakdown occurs. the ultimate appeal is generally to the rule of law. Effects and Criticality Analysis (FMECA). Asset based risk management. The weakness of the legal approach. Threat-based risk management typified by Strengths. once they are explained. systemic mutual feedback loop paradigms. The comparatively recent market based risk management. If the judiciary is independent of political and commercial interests of the day. asking lawyers which paradigm is applicable to ensure ‘due diligence’ generates a response that all paradigms. The following describes a number of the most common paradigms including some of the advantages and disadvantages of each: The paradigms are: i) ii) iii) The rule of law. certainly in an adversarial legal system. all the other paradigms represent methods of satisfying legal outcomes in the event of an adverse outcome. The diagram below shows a pathogen based cause-consequence diagram in a legal context.0 Risk Paradigms and Models Efforts to demonstrate how risk should best be managed have given rise to a number of risk management paradigms. The development of risk culture concepts including quality type approaches. 1970). are necessary. which uses the notion of the risk being equal to variance with an equivalent risk of gain as well as risk of loss. then an independent and potentially fair resolution of otherwise potentially catastrophic social dislocation can occur. The power of the legal approach is that it is time-tested and proven. 2. Traditional risk management historically typified by the Lloyds Insurance and the Factory Mutual Highly Protected Risk (HPR) approaches. In a very real sense. Hazard and Operability (HazOp) and Quantified Risk Assessment (QRA) 'bottom-up' approaches. with LOC indicating loss of control.1 . Weaknesses. iv) v) vi) vii) viii) Many proprietary risk management systems integrate several of these approaches. Solution-based ‘best practice’ risk management rather than hazard based risk management. Opportunities and Threats (SWOT) and vulnerability type 'top-down' analyses.Paradigms 2. practically manifested in hyper-reality computer based simulations. A paradigm is a universally recognised knowledge system that for a time provides model problems and solutions to a community of practitioners (after Kuhn. is that the courts remain courts of law rather than courts of justice.

One attempts to address such ‘knock on’ effects in HazOps by a series of general questions after the detailed review is completed.2 Insurance Based Risk Management The Lloyds Insurance and the Factory Mutual Highly Protected Risk (HPR) approaches historically typify this. Preventability and Reasonableness. FMECA and QRA have the same problems. where the Factory Mutual focus is on a target level of engineered and management excellence. This Rule of Law underpins the ALARP principle that risks shall be demonstrated to be “As Low As Reasonably Practicable”. The power of the process is the very tangible nature of history and in a sense the results represent the ultimate Darwinian ‘what if’ analysis. Forseeability. (i) (ii) (iii) (iv) Define WHAT we are talking about Identify what could go WRONG Control WHY it will not happen Assess balance of Precautions to the Consequences IF it did CAUSATION FORESEEABILITY PREVENTABILITY REASONABLENESS Common Law is covered in more depth in Chapter 4. Looking at past incidents and losses and comparing these to existing plants and facilities can make judgements made about risk. 2. HazOp and QRA 'bottom-up' approaches. It does not examine how a catastrophic failure elsewhere might affect this component or the others around it. Lloyds'. but it nevertheless remains difficult to use a HazOp to determine credible worst-case scenarios.3 Asset Based Risk Management Asset based risk management is typified by engineering based FMECA. has a financial focus. 2. A detailed assessment from individual components or sub-systems such as HazOp or FMECA examines how that component or sub-system can fail under normal operating conditions. Both consider empirical history to be the source of wisdom. The difference is that one approach. It also provides a focus for other risk management principles including "not less safe". Its weakness is that in the modern rapidly changing world empirical history has become an increasingly less certain method of predicting the future.2 Risk & Reliability Associates Pty Ltd .Paradigms WHAT Cradle WRONG WHY NOT Event Horizon WHAT IF Pathogens (Whole of Life) Hit LOC Miss Grave CAUSATION FORESEEABILITY Immune System PREVENTABILITY REASONABLENESS Pathogen Cause-Consequence Model in Legal Context In the common law tests of negligence the four key words are Causation. "continuous improvement" and "best practice”. 2. Any bottom up method has problems with common cause or common mode failures.

2. Threats Technical Community Political (change of government) Financial Natural Events Reputation xx x xxx x Critical Success Factors Operability xx x xxx xxx Staff xx xx x xxx x Sample Vulnerability Matrix Scores xxx xx x Critical potential vulnerability that must be addressed. The resulting risk registers are powerful decision making tools.3 .Paradigms The power of bottom up techniques lies in the detailed intense scrutiny of complex systems and the provision of closely coupled solutions to identified problems. Risk & Reliability Associates Pty Ltd 2. These methods mostly identify areas of general strategic concern rather than solutions to particular problems. External / Internal Factors Opportunities Threats Value Addeds Strategy Vulnerabilities Strengths Weaknesses Organisation Augmented SWOT Process Obviously the effort in this model is to ensure that ownership of the upside (value-addeds) is retained. and that ownership of the downside (liabilities) is avoided.4 Threats and Vulnerabilities Threat based risk management is typified by SWOT and vulnerability type 'top-down' analyses. Again this focuses on areas of concern rather than precise solutions. Minor potential vulnerability. Moderate potential vulnerability. A very simple example of a Threat and Vulnerability analysis is shown in the table below. Any proposed risk control solutions are focussed and specific. No noticeable vulnerability. or the risk of gain. The intersections of a threat with a "critical success factor" or "asset" are termed vulnerabilities. They can be easily considered for cost/benefit results. The SWOT analysis interpreted from a risk perspective provides insight into vulnerabilities or the risk of loss and value addeds. This is shown in the figure below.

The best practice risk management approach simply looks at all the good ideas other people in an industry use and see if there is any reason why such ideas ought not to be applied at your own site. In more general terms a hazard is a source of potential harm or a situation with a potential to cause loss. In health & safety.4 Risk & Reliability Associates Pty Ltd . risk is normally assumed to be symmetric. In this sense it is analogous to vulnerability. a hazard is defined as a source of potentially damaging energy. risk assessment.6 Best Practice So far all paradigms considered have been hazard based that is looking for problems and then solutions. In finance. Standard deviation deemed to equal risk Pure Risk Speculative Risk Rate of Return Standard Distribution showing the Mean and Variance However. this should really be known as the "boom/bust" model since. In the figure below this means starting on the right rather than at the top or the left. An alternative to this is solution based 'best practice' risk management.5 Risk as Variance The comparatively recent market based risk management stems from the notion of risk being equal to variance with an equivalent risk of gain as well as risk of loss (see figure below). mutual feedback loops are inevitable. but by making such an assumption many of the tools of statistics become available. Business risk is usually considered to be the sum of both pure risk and speculative risk. which is symmetric about its mean value. 2. 2. most notably the normal distribution. that is the potential impact of a threat upon an asset. if everyone uses the same model. which is the position adopted by most engineers and technologists. then self-dampening effects are likely. This is not absolutely true. Most risk systems like the Australian/New Zealand Risk Management Standard. This is the principal strength of the approach. control option development and then implementation.Paradigms 2. If pure risk only is assumed. from a systems engineering perspective at least. AS/NZS 4360:1999 suggest a process of hazard identification. which can give rise to a loss.

this requires fearsome computer power. For example. a chain reaction may result. In a sense. the force of the explosion and very many other factors. If the designer then told one to explode. Risk & Reliability Associates Pty Ltd 2. target levels of safety met or 'As Low As Reasonably Practicable' (ALARP) arguments fulfilled. That is. This would depend on separation distances. This amounts to modelling a complex system in a virtual reality environment and playing endless “what if” scenarios. the designer could ‘explode’ every vessel and keep adjusting the plant in small increments until the likelihood of secondary explosions is made vanishingly small.5 . TLS. ALARP. Common Law Due Diligence etc Actions and Residual Risk Allocation Best Practice Approaches (TLS = Target Level of Safety) The best practice approach is particularly powerful in a common law ‘due diligence’ sense.Paradigms Credible Hazards. which then respond accordingly. But if there were a simple solution to a trivial problem implemented at a competitor's facility then common law negligence could arise if something went wrong at the facility in question. The hazard assessment approach implies that statutes may be satisfied. But by resetting the computer simulation and exploding different vessels an evolutionary process of plant risk design can occur. If every component (or at least all those containing or controlling major energy sources) is identified and has its risk and reliability properties assigned to it then the designer can play ‘god’. The most practical manifestation of biological paradigms is in computer simulations. an extensive interpretation of nature and a belief that hyper-reality can come close to reality. A best practice process is one of the few approaches that target this difficulty. Obviously. 2. this is confirming the view that liability arises when there are unimplemented good ideas rather than the existence of hazards or vulnerabilities in themselves. suppose every vessel in the plant ‘knows’ what over temperature or overpressure it can withstand before rupture. oilrigs and process plants are generally modelled in 3D before construction so that designers and operators can ‘walk around them' and in many ways ‘try them out’. Vulnerabilities or Pathogens Hazard Assessment Assess Consequences Estimate Likelihoods Risk Control Options Mitigate Consequences Decrease Likelihood Judgements Statute. Continuing this example.7 Simulation Biological/Computer Simulation Paradigms are derived from the application of evolutionary concepts developed in virtual reality. and after having ruptured under such conditions can ‘project’ and ‘communicate’ its thermal and pressure energies to adjacent vessels.

However. He notes three types of risk culture: Pathological Culture Don't want to know Messengers are 'shot' Responsibility is shirked Failure is punished New ideas actively discouraged Bureaucratic Culture May not find out Messengers are listened to if they arrive Responsibility is compartmentalised Failures lead to local repairs New ideas often present new problems Generative Culture Actively seek it Messengers are trained and rewarded Responsibility is shared Failures lead to far reaching reforms New ideas are welcomed Three Risk Cultures after Reason (1997) To some extent.Paradigms 2.6 Risk & Reliability Associates Pty Ltd .8 Culture James Reason (1997) develops a cultural paradigm model in several ways (he is a psychologist by training). those dealing with technological risks have generally suffered a decline in influence as business risks and associated risk management techniques have come to the fore over the past ten years. Hazards Technological Risks Vulnerabilities Business Risks Pathogens Risk Culture Movement from Technological to Business to Risk Culture 2. Reason's Pathogen model is discussed in Chapter 5. culture has now been identified as central to effective risk management suggesting a new focus has been emerging in the last five years as shown in the figure below.

1 Safety Culture An interesting application of the cultural risk paradigm arises when considering safety in Australian industry. Risk & Reliability Associates Pty Ltd 2. 1997). difficulties can arise. “No”. on aircraft flight decks junior crew members feel able to speak up without loss of face to the senior crew or other repercussions.7 .Paradigms 2. A major study endeavouring to determine why Australia has a good commercial aviation safety record documented aspects of Australian culture that affect safety performance (Braithwaite et al. Australia Netherlands UK West Germany USA Italy Japan Canada Poland Pakistan Mexico Hong Kong Malaysia Egypt Singapore Indonesia Nepal China 0 25 50 75 Percentage 100 “No” Responses to the question "Would you help paint your manager's house?" Australians tend to be individualistic and to have a low “power-distance”. Australians have the highest likelihood (up to 95%) of any of the interviewed nations of saying. If a person being directed does not believe that the directive is either practical or safe. if they think an error has occurred. The graph below reflects the answers that staff gave to a request from their manager to help paint his house. For example. This facilitates initiation of effective additional checks. In industries with different management styles.8. They perceive a relatively flat power gradient between manager and subordinate. The person may do so without declaring his/her intention or discussing the intended change to procedures with management. That is. actions or instructions from others have a comparatively limited effect on the way in which they act. then that person will tend to assess the situation and do it his/her own way.

FMECA. Legal Actions Insurance Payments Courts IEC (AS) 61508 Pre-event Stategic Event Horizon Post-event Tactical An Integrated Risk Paradigm Framework The top left hand box shows those paradigms that would be expected to apply strategically at the higher levels of an organisation. The objective of risk management is to stay on the left hand side of the event horizon but a complete risk management framework must provide for the post-event scenarios.8 Risk & Reliability Associates Pty Ltd . Board and CEO (Policy) A B C D E 1 2 3 4 5 AS4360 Vulnerability Analyses. RCM. Availability Assessments. Crisis and Fallout Management Top Down Operations & Maintenance QRA.Paradigms 2. Job Safety Analysis. Audits. First Aid. On the right hand side are the tactical issues that are faced post-event. There are a number of risk techniques available but only three generic methods by which organisations can proceed with strategic tasks to address the concept of risk.9 Paradigm Integration The figure below describes an understanding of how the different paradigms presented in this section fit within a large organisation. 2. Underwriting Assessments. These are: i) ii) iii) Expert knowledge provided from experts. Cause Consequence Modelling etc Losses. HazOPs. literature and research Facilitated workshops of experts and interested parties Interviews with selected players. SWOT Analyses etc. Each of these methods has different strengths and weaknesses depending on the culture of the organisation and the nature of a particular task. Incidents and Breakdowns Fire Fighting. whilst those in the bottom left hand box could generally be applied at the operational level.

moot courts) Yes (Risk profiling sessions) Yes (HazOps.9 . which is logically prior to and supports the Business Case for an enterprise. is one interesting development. 8. 6. Asset based. 2. Risk culture concepts Yes (Interviews) Risk Management Paradigm . Yes (Interviews) Yes (Fact finding tours) Yes (Fact finding tours) Difficult 5. Risk & Reliability Associates Pty Ltd 2. 'bottomup' approaches Threat based 'topdown' approaches Business (upside AND downside) approaches Solution based ‘best practice’ approaches Simulation 4. FMECAs etc) Yes (SWOT & vulnerability) Difficult in isolation Difficult to be comprehensive Yes (Crisis simulations) Difficult Selective interviews Yes (Royal Commissions) Yes (especially moral risk) Difficult Yes (Legal opinions) Yes (Risk surveys.Paradigms The best methodologies to use in the implementation of each of the paradigms are illustrated in the following table: Technique>> Risk Management Paradigm 1. actuarial studies) Yes (QRA. availability & reliability audits) Difficult in isolation Yes (Actuarial studies) Difficult to be comprehensive Yes (Computer simulations) Yes (Quality audits) 3.Technique Matrix The concept of a Safety Case. Those techniques and paradigms highlighted in the table could be used in developing a safety case. The rule of law Insurance approaches Expert reviews Facilitated workshops Yes (Arbitration. 7.

Class Actions. the curve typically takes the form of a hyperbola as shown. However the other regions which deal with damage. events per kilometre. then the OH&S or personal injury area. One view is to suggest that failure to optimise the maintenance region can send an organisation broke. or days lost to the community.Paradigms 2. being the largest. events per passenger mile. This can be done in different ways depending on the industry or organisation that is being examined. Plotted on normal axes.10 Models 2. but failure to deal with the legal dimension can send directors to goal. Relative Likelihood Reliabilty Engineering FMECA and RCM Defence Industry Driven Risk Engineering HazOp and FTA Aerospace & Nuclear Industry driven Service Safety Breakdowns Public Crtiticism Protest Pickets Staff Complaints Personal Injury Product Boycott High technology and high hazard system failures. lives lost. A risk diagram is fundamentally a plot of the likelihood of events occurring against the severity of the outcomes.10. injury and death also have a legal dimension. The Maintenance region. 2. Market Collapse Industrial Stoppage Maintenance OH&S Fire & Explosion Catastrophic Relative Severity of Consequence Organisation Risk Diagram In organisational terms the risk diagram describes the relationship between the different technical and commercial areas of activity and the relationship between risk and reliability. or events per any frequency denominator) is plotted against consequence severity in down time. Certainly. therefore provides the greatest returns for good management and is the target of such programs as Reliability Centred Maintenance (RCM). Typically.1 Risk and Reliability Diagrams A particularly useful way of examining (pure) risk and reliability in an organisational sense is via a risk diagram. working days lost. both are important.10 Risk & Reliability Associates Pty Ltd . then the area under the graph represents the size of the economic loss. The frequency denominator (events per year. dollars. If the plot is likelihood against severity in dollars. then the fire and explosion zone and lastly the catastrophic event region. the greatest area is at the maintenance end.

it is about whole of life approach to management. from the first stirrings of a need to the final recycling of the disposed asset which ensure that an asset achieves the business objectives of: i) ii) iii) iv) Being safe for operators. plus the whole of life cost of operation and maintenance. For public authorities especially.2 Asset Management and the Costs of Ownership Asset management is more than ownership. This meant that collisions would inevitably occur unless some interposing system was installed.10. Such a practice has been soundly rejected in Australian jurisdictions. leaving the risk associated with that enterprise quarantined from the original business. For example.10. Achieving the above at minimum cost of ownership over its life. In some cases the largest component of the cost of ownership will be the whole of life cost of risk. The cost of ownership includes at least: a) b) c) The initial capital cost. Identification historical data (past experience) surveys workforce scientific literature Quantification likelihood of occurrence and severity of consequence Evaluation balance of advantages / disadvantages of running the risk with the advantages / disadvantages of controlling it Control risk retention risk reduction insurance risk transfer A Risk Management Process Model The identification phase parallels the common law aspects of foreseeability (see Chapter 4).Paradigms 2. plus the whole of life cost of risk (the cost of prevention plus the cost of loss). signalling on railways is a risk control measure to prevent trains from colliding. has been severely curtailed in Australia in recent times. This indeed was historically the case. 2. The reasons for the introduction of signalling systems was because eventually the train system became sufficiently complicated that perfect achievement of timetable was no longer possible. This concept is reflected in market risk terms. Not adversely impacting on environment during its use. users and the public. it is very common to have very large expenditures on risk control measures that are not identified specifically as part of the cost of ownership of the operating assets. Asset management is about all those actions. The option of risk transfer under Control. maintenance or disposal.3 Risk Management Process Model The Risk Management Process Model is one of the most commonly used risk management models and dates from the mid seventies. Providing the service for which it was procured. If all trains ran exactly on time and the timetable was perfect then there would be no red signals ever occurring in a train network. The cost of the signalling system should be included as part of the cost of ownership for the railways but identified as part of the preventive aspects of the cost of risk. Risk & Reliability Associates Pty Ltd 2.11 . accountability and demand management after the assets are in place. especially in banks as RAROC (Risk Adjusted Return On Capital). It used to be possible to sell a high risk portion of a business and then contract the service back.

which includes consideration of funding. For all other hazards develop and implement a specific management plan. Communicate and consult with both internal and external stakeholders at each stage of the risk management process and concerning the process as a whole. Establish the context Communicate & Consult Analyse risks Evaluate risks Assess risks Treat risks Risk Management Overview The main elements are in the form of an iterative process: a) b) c) d) e) f) g) Establish the Context . Analyse Risks .Paradigms The model in below is an overview from the Australian/New Zealand Standard. Communicate and Consult. 2. why and how hazards arise. This follows the process model. Risk assessment criteria and structure to be used should also be defined.Compare projected risk levels against criteria to determine acceptability or otherwise of each hazard and set risk priorities. Evaluate Risks . Identify Risks .Determine existing controls and establish the likelihood of the events and the severity of the consequence. AS4360: 1999.Monitor and review the performance of the risk management system and changes which might affect it.12 Risk & Reliability Associates Pty Ltd Monitor & Review Identify risks .Identify what.This step establishes the strategic.Accept and monitor low-priority hazards. For each stage of the process adequate records should be kept to satisfy an external audit. organisational and risk management context in which the rest of the process will take place. Treat Risks . Monitor and Review . Risk Management.

10. on whose advice line management may choose to rely on.5 A Facilities Management Model The facilities management model is favoured by organisations that have large volumes of occupied space. the legal responsibility for the management of risk is a line management function. most persons with the title of Risk Manager. It is generally considered idealised because whilst a company manager may indeed have the title of Risk Manager.10. are in fact internal risk advisors. at least. 2. namely its Board of Directors or equivalent.4 An Idealised Risk Management Structure The diagram below represents the way in which industry often establishes an idealised risk management structure. Risk Manager Pre-Event Security Manager Finance Manager Risk Engineer Public Affairs Ergonomist OSH&E Manager Damage Control Crisis Management Team (Media Relations) First Aid Fire Team Post-Event Medical Staff Insurance Legal Advisers An Idealised Risk Management Model In practice. for example universities and hotels.Paradigms 2. Legally.13 . the ultimate decision makers with regard to the levels of risk an organisation can accept will be ultimately its highest level of management. Facilities Management Risk Management Asset Management Space Management Facilities Management Model Risk & Reliability Associates Pty Ltd 2.

10. remove the brick Safety Teach people to work safely ie.10.14 Risk & Reliability Associates Pty Ltd .Paradigms 2.7 Process Model of Risk Management This model uses an underlying time sequence basis within a legal framework. subject to the constraint of matching legal expectations at all times. Risk Management Event Environmental Engineering Modify the work environment i. Asset Management Risk Management Resource Management Risk Engineering Insurance Operation Management Maintenance Management An Asset Management Model 2.6 An Asset Management Model The organisational model shown below has proved attractive to local government. lift their feet A brick Someone about to trip over a brick Rehabilitation Injury Recovery Insurance Courts Safe= Acceptable Risk Required feedback Process Model of Risk Management It also suggests that the purpose of risk management is to optimise the total costs of risk.e. 2.

Paradigms 2.10.8 Key Performance Areas Model The key performance model is a spin off of a recent business management refocus that all business activity should be measured by Key Performance Indicators (KPIs) measuring Key Performance Areas (KPAs). This can be represented in a number of ways, such as the one shown below.

Customer, Competition, Growth, Political Culture, Structure, Resoutces

Business/ External Environment


Selection, Training, Assessment, Retraining

Competent Staff Outcome World's Best Practice

Design, Procure, Constuct, Modify, Audit

Physical Configuration

Operations, Maintnance, Audits, Corrective Actions, Procedures

Operation & Maintenance Management Incident, Crisis & Emergency Planning

Plans, Resources, Rehabilitation, Support

Key Performance Areas Model 2.10.9 Risk Role Models Different elements of society play different risk management roles. Governments, for example are expected to have a major role in the management of public risk. This usually manifests itself as various forms of regulation over corporate risk and emergency response services, if required. Interestingly, depending on where organisations lie in the causal chain depends on how they regard the activities of the others and therefore the role each must play.

Corporate or Institutional Risk Management Indirect Government Control (Regulation)

Public Risk Management Direct Government Control Time

Corporate Hazard or Pathogen

Corporate Prevention Failure

Corporate Crisis Management Failure

Public Emergency Response Failure

Government Crisis Management Failure

Loss of Public Confidence. Change of Government.

Risk Roles Model From a government perspective, unmanaged corporate hazards represent a threat that must be addressed, usually by regulation and the provision of adequate emergency response and crisis management systems. From the corporations' perspective, governments and associated regulations represent disproportionate interference for possible consequences of matters that the corporations believe they have in hand already.

Risk & Reliability Associates Pty Ltd


Paradigms REFERENCES Braithwaite G, J P E Faulkner, R E Caves (1997). Latitude or Attitude? - Airline Safety in Australia. Paper presented at the 1997 National Conference of the Risk Engineering Society, Engineers Australia. Canberra. Kuhn T S (1970). The Structure of Scientific Revolutions, 2nd Edition, enlarged, sixth impression. University of Chicago Press. Reason J (1997). Managing the Risks of Organizational Accidents. Ashgate Publishing Limited. Standards Australia/Standards New Zealand (1999). Risk Management. Australian/New Zealand Standard AS/NZS 4360:1999. READING Standards Australia (1999). Functional Safety of electrical / electronic / programmable electronic safety related systems. Par 6.5: Examples of methods for the determination of safety integrity levels AS 61508.5 – 1999 / IEC 61508.5 – 1998.


Risk & Reliability Associates Pty Ltd



Governance and Risk
Risk Management’s Role in Good Governance

Over the last decade numerous international and national inter-governmental bodies have sought to promote good corporate governance. One element that all emphasise is that risk management is an integral part of good governance. For example, the Commonwealth Heads of Government meeting in Edinburgh in 1997 issued a Declaration whose purpose was “to promote excellence in corporate governance”. It set up the Commonwealth Association for Corporate Governance (CACG) which issued 15 Principles it considered “fundamental to a holistic approach to corporate governance”. In reference to Risk Management, CACG Principles state: “The board must identify key risk areas and key performance indicators of the business enterprise and monitor these factors. If its strategies and objectives are to have any relevance, the board must understand and fully appreciate the business risk issues and key performance indicators affecting the ability of the corporation to achieve its purpose. Generating economic profit so as to enhance shareholder value in the long term, by competing effectively, is the primary objective of a corporation and its board. The framework of good corporate governance practices in a corporation must be designed with this objective in mind, while fulfilling broader economic, social and other objectives in the environment and circumstances in which the corporation operates. These factors – business risk and key performance indicators - should be benchmarked against industry norms and best practice, so that the corporation’s performance can be effectively evaluated. Once established, the board must constantly monitor these indicators. Management must ensure that they fully and accurately report on them to the satisfaction of the board. The board, as emphasised throughout, has a critical role to play in ensuring that the business enterprise is directed towards achieving its primary economic objectives of profit and growth. It must, therefore, fully appreciate the key performance indicators of the corporation and respond to key risk areas when it deems it necessary to assure the long-term sustainable development of the corporation.” 3.2 Corporate Governance Systems

Corporate governance is the system by which an organisation is directed and controlled. Laws regulate only some aspects of corporate governance. In the main, directors and managers have only principles and guidelines to help them construct systems and maintain their currency. There is no single governance model that fits all types of organisations. 3.2.1 Governance Models

A number of generic models issued by international bodies and national standard setting councils are commonly available. For example, the Organisation for Economic and Cultural Development (OECD), the United Nations (UN), the Commonwealth Association for Corporate Governance (CACG), and the Council of Standards Australia. These generic models seek to enable users to appreciate and identify the wide range of concerns that good governance needs to cover.

Risk & Reliability Associates Pty Ltd


Paradigms Other relevant models, as well as regulations, codes of best practice, and government programs and policies also exist. Most focus on aspects of governance pertinent to the particular areas of authority or expertise of the issuing bodies. More often than not, these refer to financial risk. For example, national stock exchanges, chartered accountants, auditors, company secretaries and other finance-related professional groups. For example: ASX Corporate Governance Council: Principles of Good Corporate Governance and Best Practice Recommendations. IFSA Guidance Note No 2.00. Corporate Governance: A Guide for Fund Managers and Corporations. Australian National Audit Office 1999 9001 Quality Management Systems – Requirements Complaints Handling Risk Management Records Management Part 1: General Part 2: Guidelines Compliance Programs Good Governance Principles Fraud and Corruption Control Organisational Codes of Conduct Corporate Social Responsibility Whistleblower Protection Programs for Entities.

IFSA ANAO AS/NZS ISO AS/NZS 4269 AS/NZS 4360 AS/ISO 15489 AS/ISO 15489.1 AS/ISO 15489.2 AS 3806 AS 8000 AS 8001 AS 8002 AS 8003 AS 8004

State as well as national government laws, regulations and programs can also apply. In Victoria for example: Victorian Managed Insurance Authority Act 1996, Financial Management Act 1994, Victoria Government’s Management Reform Program Victorian Government policies associated with private-public sector service and infrastructure delivery such as Partnerships Victoria. 3.2.2 Key Governance Areas and Issues

The following table lists only some of the numerous issues and operational functions that an reasonably comprehensive corporate governance system should encompass: Accountability Transparency Code of conduct Good citizenship Social responsibility Shareholder rights Stakeholder identification Stakeholder liaison Corporate ethics Board charter Board protocol Authority delegation CEO remuneration Asset management Quality management Continuous improvement Best Practice Training OH&S Fraud and corruption control Complaint handling Compliance Due diligence Records management Internal reporting Security


Risk & Reliability Associates Pty Ltd

WorldCom accounted for more than $9 billion of false profits on its balance sheet. 3.4) states: “The stock market crash in 1987 and the subsequent collapse of many corporate entities around the world lead to urgent calls. In a number of cases (many still proceeding). It beat the previous year’s record of $259 billion. undetected or unexposed over lengthy periods of time even by those claiming to be professional financial watchdogs in the media. As the Australian Standard AS 8000-2003. 186 US companies involving $368 billion in assets went bust. accounting scandals were the order of the day.1 Stock Crashes and Mega-Corporation Collapses Underpinning the changes to the business vocabulary were efforts to reorientate corporate organisation and decision-making. neo-liberal economic policies generally associated with globalisation. causing severe damage to public as well as investor perceptions of corporate governance. But. When the term first came into business usage. international market economy. Australia had its counter part when a number of high profile companies including HIH and OneTel imploded.Governance 3. global efforts were developing to refit companies to cope with other new challenges. especially those posed by: the expanding. These scandals inflicted severe damage on employees and pension fund holders. increasingly competitive. Topping the list was WorldCom whose $104bn in assets made it the most expensive collapse in history.3. escalating liability litigation. With the benefit of hindsight the consensus of financial media was that to have such thunderous bankruptcies. the increasingly complex technology creating what some called the “risk society”.3 Origins of the Good Governance Movement The main challenge for those charged with designing or reviewing a corporate governance system is how to ensure the system recognises all the key aspects of the corporation’s objectives. Many involved criminal fraud. increasing concern and activism over environmental and public health issues.2 Other Contemporary Causal Factors At the same time. Risk & Reliability Associates Pty Ltd 3. it helps first to know why the recent global emphasis on governance came about. particularly from institutional shareholders. banking and investment advisory and audit houses. The corporate failures of year 2001 were mainly the result of debt problems resulting from poor appreciation and response to financial risk. In undertaking this task. Good Governance Principles (p. five of the 10 biggest corporate collapses on record pushed US corporate bankruptcies to new records for the second consecutive year. many took it to be merely another of those verbal fads that pop up from time to time – a fancy way of referring to governing or government. in the previous year. senior managers earned gaol sentences. 3. and. Such companies also had to have something sufficiently attractive about them that led creditors into foolishly or mistakenly extending them huge amounts of credit. companies had both to take on a huge amount of debt and either be badly or fraudulently run. structure and operation. context. What was the good governance movement a reaction to? What did it seek to avoid? What does it aim to achieve? Until the 1990s little if anything was heard in business circles of the term “governance”.3 . After the 1990’s stock market bubble burst. more recently new styles and severity of international terrorism. the de-regulatory. In 2002 alone. for the reform of corporate governance mechanisms”.3.

Competition and the profit-motive may drive some management to neglect consequences they think will not necessarily impact during their term of office. as well as benefits. disease. 3. ozone layer. 1986). and corporate good citizenship. to abolish scarcity of supply of human material needs. genetic engineering. When the nature of risk from new technology changes so that many risks remain latent and do not manifest themselves for years. The thrust of words like deregulation. if it will. and the collapses of HIH Insurance and Ansett Airlines. rain forest clearance in Brazil. It was a period in which liability litigation also proliferated. low productivity. international competitiveness. etc . Of necessity. the Longford gas disaster in Victoria. we also began to hear more of concepts like transparency. and we are on the cusp of an explosion in technological innovation in the life sciences and biotechnology”. social responsibility. risk increasingly emanates from man and his inventions. environmentalist and public safety terms like sustainability and the precautionary principle joined the verbal influx. as Ulrich Beck points out. technological systems are unleashing hazards and potential threats. legal liability and impending government regulation on default. But now. But even at less than universal dispersion of risk.and from scarcity . radio-active waste disposal. globalisation. sometimes for the worse . the economic and social impact of local incidents can be great.Paradigms The concept of governance came into fashion about the same time as a number of other new terms . etc. the failures of Sydney Water and Auckland Power. continuous improvement. New parameters of transparency and public "risk tolerability" will be forged not in the comfortable privacy of boardrooms but on the exposed public battlefields of political controversy. acid rain. forest fires in Indonesia and massive dam construction in China. the danger is that the incentives to control them can be weakened. best practice. for example. mostly confined to a limited urban area. The risk as well as the opportunities of much modern technology is limitless: nuclear fission.or at least new usages of terms. Soon. Early technology was designed largely to control the risks that sprang from nature . to an extent previously unknown. highly complex. technology. corporatisation. and due diligence helped swell the vocabulary of day-to-day corporate activity. even to state-of-the-art science at the time innovations are implemented.4 The Rise of the Risk Society The nature and extent of risks today are a far cry from those of the “satanic mills” of the first Industrial Revolution in the Nineteenth Century. Risk Society (Beck. Many emerging hazards are both unintended and unanticipated. limited distribution capacity. privatisation. and the public reactions all these developments engendered. Francis Fukuyama (1999) notes "it is science that drives the historical process. Consider. He uses the term "reflexive modernity" to warn of the catastrophic as well as the beneficial potential of the new technology. fire. The physical pollution and social harm associated with early technology was localised. Arguably. techno-scientific animal husbandry. These trends were part and counter-part of government deregulation. Increasingly sophisticated methods of risk identification. become clear only against the background of the new economic policy orthodoxy and changes in the international market and the global spread of new technology.4 Risk & Reliability Associates Pty Ltd .famine. some risks may lurk so deeply in new products or processes that they may be unknowable. global market orientation. pharmaceuticals and numerous other new processes and systems impact populations – often for the better. Risk extends to the planet itself: greenhouse. Later. risk management functions will be conducted increasingly in the glare of public scrutiny. stakeholder as well as shareholder interest. Some sociologists have called attention to the newly emerging conditions by using the term. food manufacture. business ethics. etc. The term draws attention to the fact that the new globalising.across continents and down generations. calculation and control will therefore be demanded of risk management. 3. Technological progress is also enabling the world. Concepts like duty of care.flood.

commenting on the good governance movement. risk management across the State public sector was “not yet an established or mature discipline”. “The proper governance of companies will become as crucial to the world economy as the proper governing of countries”. The report noted the effort to establish a formal and structured focus on risk across all industries and the integration of business risk with other more technical or financial risk assessment that began with first establishment of the Australian and New Zealand Standard. James D. Key drivers in that State included the Victorian Managed Insurance Authority Act 1996. AS/NZS 4360:1999 Risk Management in 1995. Nearly one third of all organisations were still not explicitly identifying and assessing their key risks. The same percentage believed that non-financial risk received only “anecdotal treatment in the boardroom” (Protiviti 2003). the Financial Management Act 1994.Governance The outbreaks of Mad Cow Disease and dioxin-contaminated food exports should be taken as just two of many warning signals that worse is to come unless risk management succeeds in keeping pace with the burgeoning risk society. Since then. the Auditor General found that in over three quarters of public sector organisations. Wolfensohn. declared the President of the World Bank.6. A McKinsey study of risk management practice in May 2002 covered 200 directors representing over 500 boards of major companies.6 3. 3. claimed that 65 percent of senior executives lacked “high confidence” in their risk management.1 Public Sector Governance and Risk Auditor General Victoria’s Audit Report The Auditor General Victoria’s performance audit report in March 2003. FEI reported that doubts persisted over the extent to which existing processes could be relied upon to identify all potentially significant business risks to their enterprises (Protiviti 2003). though not necessarily that suggested by the Standard. safeguard and plan for risk effectively enough. Risk & Reliability Associates Pty Ltd 3. the Victoria Government’s Management Reform Program and policies associated with private-public sector service and infrastructure delivery such as Partnerships Victoria. Nevertheless he concluded: Although more than 90 percent of the State’s public sector organisations examined and applied risk management processes “in some part of their business and services”.5 . 3. pressure has been maintained not just for best practice but also for continuous improvement in governance risk identification and management. for example. Research published by Financial Executives International in November 2001. “Managing Risk Across the Public Sector” aimed to “provide a timely assessment about risk management practices at individual agency and whole-of-government or State-sector levels”. The report found that the Victorian State public sector was increasingly applying a structured risk management approach. Thirty-six percent of the directors believed their boards did not understand their companys’ major risks. Approximately 40 percent believed they could not identify. Nor were they always reporting risk information to their key internal and external stakeholders. Boards/CEOs and executive management were directly involved and taking leadership roles regarding risk management.5 Governance and Non-Financial Risk One effect of the risk society and the corporate governance movement that gained momentum in the 1990s was to put greater emphasis on risk management. there are still hard yards to cover. However. Nevertheless.

UK Strategy Unit Study Britain’s Prime Minister. “Risk leadership.6. risk management by the UK government was still inadequate to the burgeoning challenge. and increased activism around specific risk issues. 3. . they did not all understand how their exposures would impact other agencies or the State as a whole. the private sector.2. What government needed to know was how to get “the right balance between innovation and change on the one hand. arguing that such processes were more effective at handling risks and winning public confidence than secrecy.6 Risk & Reliability Associates Pty Ltd . Blair described these as “radical”. with messages amplified by the news media. although improved. The likelihood therefore existed that significant State-sector risks were going undetected and under managed. [and] declining trust in institutions. Most agencies had no existing structure to share risk management best practice across the State-sector The practice was still prevalent of reviewing risk strategies and assessment as a separate annual exercise or through periodic Board presentations. declining deference. This was now “central to the business of good government”. Certain risk types could therefor go undetected at a State-sector level and the risk persisted that insufficient risk mitigation strategies could be implemented from a whole-of-state perspective. and avoidance of shocks and crises on the other”. and other experts and commentators”. While various entities might have an adequate view of their own risk exposures. the UK government had already made changes to its approach to risk. Tony Blair. especially political risk. He also pointed to the Civil Contingencies Secretariat whose aim was to improve the way the UK prepares for threats of serious disruption to the nation. Despite improvements across government. One of the Unit’s early conclusions was that it was not only the accelerating pace of change in science and technology and the greater connectedness of the world that was heightening the risk environment for government. - The Auditor General Victoria report advised that risk management should not be an annual or infrequent exercise. the Human Genetics Commission and the Monetary Policy Committee. 3. Blair instructed the Strategy Unit to draw on “good practice and thinking around the world .. and referred in particular to bodies like the UK Food Standards Agency. Blair admitted that risk management in the UK had been “found wanting in a number of recent policy failures and crises”. It needed to keep constantly under review where risk management should best sit. based on evidence”. Escalating risk.” The report concluded that. There was “a lack of clarity around the responsibility for the escalation of these risks and a lack of a full understanding of State-sector risks within portfolios”. He said these bodies illustrated the trend to “more open processes. And there should be reliable access to demonstrated risk management good practices in other public sector organisations as well as up-to-date information on key success factors or benchmarks. and how governments might better manage it. appetite and culture” should be monitored constantly.from across government.Paradigms Improvement was needed in the ability of organisations to identify their key state-sector risks. but should be imbedded into usual business processes. Is said. It should strive for continuous improvement through “good judgement supported by sound processes and systems”. recently directed his UK Strategy Unit to conduct an in depth study of modern risk.. was also due to “rising public expectations. Even prior to Blair’s directive to the Strategy Unit.

wider engagement of stakeholders and the public. planning and delivery)” “government should enhance its capacity to identify and handle strategic risks. to industrial processes or cloning methods. Those imposed on the public by individuals or businesses that necessitate government regulatory intervention. linked to the Spending Review. those arising from BSE. contingency planning and crisis management” “risk handling should be supported by best practice. guidance and skills development – organised around a risk ‘standard” “departments and agencies should make earning and maintaining public trust a priority in order to help them advise the public about risks they may face. with improved horizon scanning. “systematic. making key risk judgements. wider availability of choice and more use of “arm’s-length” bodies such as the Food Standards Agency to provide advice on risk decisions. risks of damage to government’s reputation in the eyes of stakeholders and the public that impact government’s ability to carry out its programs. safety risk issues. - - - The report recommended action in six main areas. For example. those “requiring governments and regulators to make judgements about the balance of benefit and risk across a huge range of technologies – from genetically modified food and drugs. for example. For example. projects going awry” including: manufactured risks. protest or failure of transport or IT networks. diseases carried by air travellers. direct threats. or the indirect impact of civil wars and famines. resilience building. and setting a culture which supports well judged risk taking and innovation” “the quality of risk handling across government should be improved through a two-year programme of change. That is. risks of infrastructure disruption from industrial action. Mumps and Rubella (MMR) vaccine. and such other issues of risk to the public regarding. explicit consideration of risk should be firmly embedded in government’s core decision-making processes (covering policy making. Risk & Reliability Associates Pty Ltd 3. For example. risks resulting from the increasing vulnerability of citizens to distant events.Governance On the changing nature and severity of risk it referred to “unforeseen events. those ranging from economic crises on the other side of the world to attacks on IT networks. risks to government from the transfer of risk. in capital projects and service delivery to the private sector. imposed risks. adventure holidays.7 . rail safety. programmes going wrong. For example. events of September 11 to the threat of chemical and biological attack. Underpinning principles for handling and communicating on risk to the public should be published for consultation” “ministers and senior officials should take a clear lead in handling risk in their departments – driving forward improvements. - - - The report said its recommendations aimed to enable confident decision taking on both risk and innovation in order to reduce waste and inefficiency and lead to fewer unanticipated problems and crises that may undermine confidence and trust. flooding. and clearly set in the context of public sector reform (the Departmental Change Programme)”. There should be more openness and transparency. the Measles.

like BSE or failed IT contracts. Shareholders are described now as only one among a number of stakeholder groups. We need to do more to anticipate risks. Where the market cannot provide sufficient cover and the consequences are unacceptable. customers. the corporate goal of maximising returns for shareholders is no longer acceptable as the magic ethical bullet that justifies any means.8 Risk & Reliability Associates Pty Ltd . The report noted. This licence is not only regulatory but embraces the corporation’s interaction with its shareholders and other stakeholders such as the communities in which it operates. and to ensure that risk management is an integral part of all delivery plans. The report recommended that governments aim to ensure that responsibility rests with those best placed to manage the risk. External as well as internal stakeholders are mentioned.number10. A case in point was the inability or unwillingness of airline companies after September 11 to bear the costs of enhanced airport and aircraft security.html).7 Risk and Corporate Citizenship Clearly. Where the consequences of a risk are too great for any one individual or business to bear. and any innovation brings risk as well as reward . and a widening sense of social responsibility is being encouraged. it believed the government should step in as insurer of last resort. but those outside among the public affected by corporate activities. that governments normally seek to ensure that those who impose risks on others bear the the priority must be to manage risks better. public opinion makers and pressure groups. 3.Paradigms Guideline principles were suggested to cover difficult areas. bankers and other suppliers of finance and credit. (The UK Strategy Unit’s report itself is available on http://www. But cases arise where responsibility cannot be attributed to any specific individual or Obviously. and that there is a proper balance between the responsibilities of government and the responsibilities of the individual”. While the board is accountable to the owners of the corporation (shareholders) for achieving the corporate objectives. its conduct in regard to factors such as business ethics and the environment for example may have an impact on legitimate societal interests (stakeholders) and thereby influence the reputation and long-term interests of the business enterprise. That is. Note the emphasis on stakeholders. for example. It said that this should include protecting minority interests by balancing risks between different groups. Note that the CACG’s reference to shareholder interest is restricted to the “legitimate” interests of shareholders. so that there are fewer unnecessary and costly crises. The CACG states: “Good corporate governance requires that the board must govern the corporation with integrity and enterprise in a manner which entrenches and enhances the licence it has to operate. this expands the area of risk that can now impact the business enterprise through its public image and civil liability. not just not only the jobs and working lives of the corporation’s employees are involved.” The wider social impact of corporate decisions is being recognised. 3. But we also need to be sure that innovations are not blocked by red tape and risk aversion. When the study was completed the UK Prime Minister introduced the report with a caution against the sort of unwarranted risk avoidance that results in unnecessary loss of promising opportunities: “All life involves some risk. the media. the Unit recommended that government should intervene to provide protection or to pool the risk. Government might also need to intervene where market provision is withdrawn in response to an external shock.

and its currency options desk was also halted for proprietary trading and corporate business.9 . It led to the sackings of four traders.04) Risk & Reliability Associates Pty Ltd 3. its shareholders and stakeholders.Governance Likewise the reference is not to vague. but also for individual managers.8 Fallout Severity In the contemporary climate failures of corporate governance can result in very public fallouts with severe consequences not only for the corporation." (ABC Radio National. and a change of chairman and chief executive. the law. and the bottom line.3. 3.3. back-office procedures had significant gaps. the bank was not able to use its own internal measure of market risk capital. executive risk committees were "particularly ineffective". management at the bank had turned "a blind eye" to known concerns. 24. 24. The regulator's report criticised what it called a culture where risk management controls were seen as "trip-wires to be negotiated rather than presenting any genuine constraint on risk-taking behaviour". John Curry. other executive departures. 2004. the Australian Prudential Regulation Authority's (APRA) review of the foreign currency trading scandal at the National Australia Bank became public. commented that it was “not sufficient for the audit committee to say that they didn't receive some of the information they should have received. CACG principles point to increasing recognition of the wider impact of corporate decisions on the community. Media reports highlighted that the NAB had to halt its latest share buy-back in order to lift its capital adequacy ratio. including the extent of social responsibility over and above an organisation’s obligation to shareholders.04) The APRA review said that there were: many missed opportunities to detect and close down the irregular currency options trades. The audit committee should have been out there asking questions and probing and finding out whether the systems were correct or not. ABC Radio National Report. The regulator says it frequently came across the phrase "profit is king" in its investigations. and the bank's board was not sufficiently pro-active on risk issues. (For example. Attention is focussing on how the corporation should relate to the community. In Australia this was most recently illustrated when on 24 March. The chairman of the Australian Shareholders Association. Irregular currency options trades had incurred losses of $360 million at the National Australia Bank. generalised industry standards and relevant statutory obligations but to keeping up with “best” business practice – a more specific and demanding term.

REFERENCES Fukuyama Francis. active and responsible capital providers. The Independent (16/6/99) Beck. effective legal and regulatory regimes. Companies should be prepared to face rigorous public probing during the “fallouts” that will certainly follow any such occurrences. Vol 1. UN agencies and numerous nongovernment bodies. more critical public scrutiny and reaction to actual or perceived corporate failure to live up the new standards of good governance. but for operational implementation: • • • • • • • • • sustainability subsidiarity equity efficiency transparency accountability civic engagement citizenship security. probity. Australian/New Zealand Standard AS/NZS 4360:1999. the Commonwealth Association for Corporate Governance (CACG) believes the following elements are essential: efficiency. Risk Management. SAGE publications. Professor of Public Policy. Ulrich (1992). In regard to good governance in general whether governmental quasi-governmental or corporate. a free and critical media.htm Protiviti’s The Bulletin. Given the efforts by the Commonwealth Heads of Government. READING 3. George Mason University.Towards a New Modernity. reasonably competitive markets. Issue 7.9 Basic Principles of Good Corporate Urban Governance It is also worth noting that an inter-agency grouping is seeking to get the UN General Assembly to adopt the following principles for good urban governance.combinet. Commonwealth Association of Corporate Governance’s (CACG’s) 15 Principles. 06/2003. it is reasonable to anticipate sharper. Risk Society .10 Risk & Reliability Associates Pty Ltd . higher levels of conduct by professions and professionals.Paradigms 3. The campaign proposes the following concepts as goals not merely for rhetorical declarations. Standards Australia/Standards New Zealand (1999).

In some jurisdictions the concept of industrial manslaughter for workplace fatalities has been introduced because of the difficulty of proof beyond reasonable doubt. Risk & Reliability Associates Pty Ltd 4.Liability 4. Australian OH & S legislation is based on the U.K. Liability The law is much too important to be left up to lawyers. In Victorian law the relevant mens rea for manslaughter is gross or criminal negligence. the duties of employers are qualified by “so far as practicable” with “practicable” being defined as having regard to: a) the severity of the hazard or risk in question b) the state of knowledge about that hazard or risk and the ways of removing or mitigating that hazard or risk c) the availability and suitability of ways to remove or mitigate that hazard or risk d) the cost of removing or mitigating the hazard or risk. 2003 outlines the offences and penalties for environmental crimes in Victoria and those under OH & S legislation take a similar approach.1 . There are also some difficulties in determining which individuals represent the mind of the corporation. Each Australian state has its own OH & S and Environmental legislation but whilst all are very similar there are some subtle differences as to the extent of the duties. As yet no successful convictions have been obtained in Australia because the individuals charged must be shown to have mens rea or a guilty mind. the authorities have brought charges of manslaughter under the Crimes Act. In the 1985 Victorian OHS Act. for example. and can lead to the significant costs associated with common law claims. that is. law made by or modified by the judiciary. Common law is the product of societal values over centuries and evolved in the English courts. 4. injured workers receive compensation for the impacts of injury without having to take action against the employer in the courts. This is considerably heavier than the civil standard. Statutory offences require that the case against the accused be proved 'beyond reasonable doubt'. The paper by Gumley. Statute law specifies penalties for breaches. Failure to do so may be negligent. They determine whether to prosecute for breach of statutory duty. 4. In common law the case must be proved “on the balance of probabilities”. Roben’s type legislation and is derived from the common law duty of care concept (Creighton 1996). In some cases of workplace deaths. and can also lead to statutory penalties for ‘responsible’ individuals if the responsible government authority decides to act. the organisers of any public event have a duty of care to all those involved in or potentially impacted by the event.1 Statute vs Civil Law Civil or common law is law derived from actual cases. Australian aphorism. Statute law is law passed by Acts of parliament. One party claiming damages from another brings civil cases under common law. i. However apart from a much reduced number of workplace injury cases the common law duty of care of one person to another is invoked in many aspects of modern life. particularly the duty of employers towards their employees. This law takes the form of Acts and Regulations made under an Act. It is the common law duty of owners and occupiers of premises to ensure they are safe for members of the public who have access.2 Common Law Criteria Common law actions as a result of workplace injury have largely been supplanted by Workers compensation systems. Government departments and statutory authorities are responsible for the enforcement of statute law. For example.e.

Liability To be found guilty of negligence, the answers to all four of the questions posed below, on the balance of probabilities, needs to be “Yes”. These are termed the four common law tests of negligence. A. CAUSATION Did the injury or damage occur because of the 'unsafe' matter on which the claim of negligence is based? FORESEEABILITY Did you know or ought you to have known... ? Could this have been foreseen...? (Prior incidents, complaints, wide or common knowledge, or expert advice) PREVENTABILITY Is there a practical way or alternative to how things were done? (Design or removal; administration and training). REASONABLENESS Was the balance of the significance of the risk vs the effort required to reduce it reasonable?




Note that: • approved or common practice may or may not be reasonable. • compliance with regulations and codes of practice is a starting point, not a goal. For example BS 5760 : Part 12 : 1993 (page iii) states, Compliance with a British Standard does not of itself confer immunity from legal obligations. • the occupier/employer must be practically able to undertake the change. • expense alone is not a factor, nor is practical inconvenience • the creation of other risks by the change needs to be considered. • individual susceptibility needs to be considered. Because of the considerable volume of case law available to the judiciary, the application of the common law tests of negligence also provide much of the basis for decisions relating to cases of offences under OH & S and Environmental law. These tests of negligence require expert evidence; lawyers cannot decide them. Most common law cases never reach court because the lawyers settle out of court. If there is no evidence of significance that would lead a judge or a jury to derive a “no” answer to any of the four tests above, the lawyers for the defendant can only accept defeat and settle for a relatively large sum. 4.3 On Juries and Justice

With regard to common law actions for negligence described above, a jury sometimes determines the balance of probabilities. It seems that juries can be affected by the horror of the injuries and other matters so that even if the assessment might be less than 50% in favour of the plaintiff, the jury will still find in the plaintiff’s favour. But juries are complex. For an extreme example consider the following case from a sitting of the District Court, composed of the presiding Judge and Jury in Dubbo, NSW. (As quoted by the Hon. James Muirhead QC in Discharge the Jury? Menzies School of Health Research, 1989). The accused, a local man, was charged with cattle stealing. Apparently the evidence that he had stolen the cattle was overwhelming. The local jury having considered their verdict returned to court. When asked for their verdict the foreman replied, 'We find the defendant not guilty if he returns the cows.' The Judge was furious. He vigorously reminded the jury of their oaths to 'bring in a true verdict according to the evidence', declined to record their verdict and sent them back to the jury room to reconsider the verdict. The jury retired briefly and returned with a defiant air. When asked if they had reconsidered their verdict the foreman said 'Yes, we have. We find the accused not guilty and he can keep the cows.


Risk & Reliability Associates Pty Ltd

Liability There are several points about the adversarial system that need to be remembered. It is first and foremost a court of law. As Engineers Australia notes in the brochure Are You at Risk (1990): Adversarial courts are not about the dispensing justice, they are about winning actions. In this context, the advocates are not concerned with presenting the court with all the information that might be relevant to the case. Quite the reverse, each seeks to exclude information considered to be unhelpful to their side's position. The idea is that the truth lies somewhere between the competing positions of the advocates. Further, courts do not deal in facts, they deal in opinions. Again from Are You at Risk : What is a fact? Is it what actually happened between Sensible and Smart? Most emphatically not. At best, it is only what the trial court - the trial judge or jury - thinks happened. What the trial court thinks happened may, however, be hopelessly incorrect. But that does not matter - legally speaking. That is, in court, the laws of man take precedence over the laws of nature. 4.4 Due Diligence

The primary defence against negligence claims is due diligence. This really means that a reasonable person (in the eyes of the court and with the advantage of 20:20 hindsight) in the same position would have undertaken certain procedures and processes to ensure whatever it is that did happen, on the balance of probabilities, shouldn't have occurred. This is probably best represented by the diagram below (adapted from Sappideen and Stillman 1995).

Magnitude of Risk Probability of Occurence Severity of Harm

Expense Difiiculty and Inconvenience Utility of Conduct

How Would a Reasonable Defendant Respond to the Foreseeable Risk? The overall situation is perhaps best summarised by Chief Justice Gibbs of the High Court of Australia: Where it is possible to guard against a foreseeable risk, which, though perhaps not great, nevertheless cannot be called remote or fanciful, by adopting a means, which involves little difficulty or expense, the failure to adopt such means will in general be negligent.
Turner v. The State of South Australia (1982) (High Court of Australia before Gibbs CJ, Murphy, Brennan, Deane and Dawson JJ).

Risk & Reliability Associates Pty Ltd


Liability The balance is the hard part. It is hard for outsiders to know the true extent of the resources (financial, administrative and/or staff) ultimately available to an organisation. This means external assessment as to the correctness of the “balance” is difficult and something an individual organisation must do internally. The legislated hierarchical order of risk control solutions is: i) ii) iii) iv) Elimination or Removal (100% effective) Design or engineering (typically 90% effective) Administration (typically 50% effective) Training (typically 30% effective).

Another way of expressing the courts’ reluctance to rely on training and administrative controls is to see it in the context of a cause-consequence model. A concept diagram is shown below:
Falling objects on construction site Threat PPE Hardhat Loss Loss of Control Incident

Precaution Failure Kickrails to restrain small objects

Near Miss

Concept Cause-Consequence Model Primary controls include kickboards on platforms to prevent objects from being dislodged and falling in the first place. Note that personal protective equipment (in this case a hard hat) improves the probability of a near miss but that the system was out of control already once an object had started to fall. This needs to be taken into consideration when assessing the balance noted above. Specifically, it is imprudent, and indeed unlawful, to rely on administrative and training solutions when a design solution, on balance is available.


Risk & Reliability Associates Pty Ltd

Liability 4.5 Safety Cases

Safety Cases provide for a very interesting perspective in the liability context. Historically they were developed to optimise safety performance. There are parallels to a Business Case, which is usually drawn up to convince a financier that a business is viable (Redmill et al., 1997). The object is to ensure that all significant factors affecting the business have been identified and that appropriate measures are in place to maximise the positive factors and minimise the negative ones. It is usually the responsibility of the highest levels of management of the organisation. Accordingly, responsibility for the failure of a business usually rests there too. A Safety Case is intended to provide the same assurance with respect to the safety of a system or complex. Again it is primarily the responsibility of the operating company, at its highest levels.

Safety Audit

Safety Management System


Business Management System

Financial Audit

Middle Management

Business Units
Idealised Safety Case Structure Safety Cases are in effect reasoned (legal) arguments that all significant hazards have been identified, properly managed and are ‘safe’. Once established, it typically manifests itself as a contract between an organisation and a regulator that permits the organisation to operate within defined limits in accordance with documented procedures. Compliance failure is a breach of contract. If damage to third parties, or death and injury occur due to such breaches then serious liabilities arise. Because of this, the adversarial legal process seems to have converted the concept to a liability management device. This is discussed further in the next section. Quality type processes are good to ensure compliance with the contract. However they are less effective in establishing the Safety Case initially, or in the argument for its subsequent redevelopment. Risk analysis is essential for the Safety Case’s initial development and continuing validity.

Risk & Reliability Associates Pty Ltd


Passing a potential safety case via two sets of lawyers in the loop shown below changes its nature from being a wholly technical statement of safety by technical persons to a liability management device. "What do you mean you didn't think it could happen. there appear to be some profound contradictions being created in risk control and the adversarial legal system.7 Risk Auditing Systems Risk auditing rating systems like Victorian Government’s SafetyMAP. This liability impact has had a great effect on the development of safety cases. if a policy or system of management created the circumstances leading to the failure. 4. time & people Safety Case Development Loop Secondly. The Victorian Major Hazards legislation. Otherwise the responsibility (and liability) cannot be restored to those higher management echelons. the notion of a statute is that it represents a law that a citizen can choose to obey or not (we have free will).6 Risk & Reliability Associates Pty Ltd . It is also interesting to note that for senior management and board members at least. Whilst they may provide indications as to the overall heath of risk control systems. they are not a direct defence against liability arising from a particular accident even if perfect scores had been consistently attained by the participating organisation. very rarely is not relevant. Firstly. meaning the individual did not really understand the risk framework being imposed. otherwise he can find himself being charged with a crime. a substantial development. To paraphrase a judge in NSW. A soldier is trained to obey orders it is part of his work culture but he needs to have knowledge of societal law and mores as well. the NSCA’s 5 star system or Det Norske Veritas’s International Safety Rating System are also interesting in this context. for example. The parallel is to a soldier being commanded to perform crime. 1993) does not appear to create liabilities for the policy or strategic decision makers. 4. If a serious loss event can credibly occur (in legal terms it is possible) then it must be managed. then a very difficult contradiction occurs. there are seven dead". If it is not obeyed then a penalty will be imposed. liability management is identical to consequence management.Liability 4. the emerging view that risk control failures arise from systemic (being strategic or policy) errors (Reason. Ignorance is no excuse. He has to know when to refuse an illegal command. $. Board Policy Corporate legal sign off In house legal advice Middle management assessement and attempted feedback Requested resources. indicates that the chief executive officer or the most senior officer resident in the state of Victoria shall sign off the safety case. That individual has to have knowledge mastery of the total social/legal/technical risk control system in which he or she works so that potential problems can be demonstrated to those same policy makers in ways the policy makers cannot legally avoid. The fact that it occurs very. Frequency and therefore risk management is not really an issue. Rather it imposes the responsibility to be diligent (with all the subsequent liability) on those who actually have to implement such policies. However.6 Adversarial Legal System Contradictions Arising from the above review.

Discharge the Jury? Menzies School of Health Research. Turner v. Understanding Occupational Health and Safety Now in Victoria. Corporate Misconduct ezine: http://www. Managing the Management Risk: New Approaches to Organisation Safety . Reprinted 1994. Oxford. Redmill. Environmental Crimes: Offences and Penalties in Victoria. Hawthorn.asp Engineers Australia (1990). Victoria. Risk & Reliability Associates Pty Ltd 4. (1989) Reason J (1993). East Sussex. Enterprise Care. High Court of Australia before Gibbs CJ. Engineers & Professional Negligence. Lawrence Erlbaum Associates Ltd. READING Smith Damien J (1986). 1st Floor. ISBN 0-86377-309-5. Deane and Dawson JJ). Felix and Jane Rajan (1997).Liability REFERENCES Creighton W B (1996). 21 Burwood Road. Engineers Australia Pty Limited. Negligence and Tort. Crows Nest. Brennan. Muirhead J. CCH Australia. The State of South Australia (1982).7 . Chapter 1 of Reliability and Safety in Hazardous Work Systems: Approaches to Analysis and Design. Liability for Electrical Accidents: Risk. Gumley W (2003). Are You at Risk? Canberra.lawbookco. Eds I Wilpert et al. 3122. ButterworthHeinemann. Human Factors in Safety Critical Systems. ISBN 0 646 09785 7. Sappideen C and R H Stillman (1995).com. Sydney. Sydney.

1 . 1972). The natural material world on the other hand tends to be considered as deterministic or probabilistic in nature and subject to natural laws. Once the accident rate drops to the same as all other cars the engineer might expect an immediate drop in the premiums. whether or not we are aware of the fact. then what one does to prosper and minimise risk will differ from the actions of those who believe in a more humanistic view of human behaviour and responsibility. In business terms for example. if one believes that people are dying from the plague because of selective retribution from God for past sins. Risk & Reliability Associates Pty Ltd 5. Some of the views in the table are prior to current modern views regarding community consultation especially for environmental risk assessment where community consultation is a prime source for legitimacy. If so. It is therefore culture. The way in which we believe things occur determines how we will respond and attempt to manage them. But the impact of our philosophies upon our actions and our lives is often devastating. time and place specific. which believes in germ theory. This creates some profound contradictions.1 Paradigms Paradigms (Kuhn 1970). underwriters usually have a probabilistic view on the universe. or weltanschauung. Now consider the insurers. Suppose that a certain class of car was having more accidents than most. Alternate names given to describe these different views of how things happen include worldviews. then the way this risk is managed will be different from that for a society. But if the engineers themselves are predictable. That is. underwriters tend to have a probabilistic view of things. Engineers believe they can change the future using materials and systems that behave predictably. There are some interesting management shifts occurring. If this is true. This makes it necessary to try to improve our philosophies. from the engineer's perspective. However. are fundamental issues. the causal effect between malfunctioning brakes and accidents had been established and the problem solved. Causation We all have our philosophies. Maruyama (1974) describes three simplified ‘pure’ paradigms or structures of reasoning shown below. An engineer investigating this might conclude that it was due to malfunctioning brakes. or a set of concepts shared by a community of scientists or scholars. a product recall would be made and the problem fixed. not a causal one. and our philosophies are not worth very much. The premiums will almost certainly be averaged over several years and drop progressively. the world is often regarded as a wholly commercial place with everyone acting in a self-interested manner. would be closed.Causation 5. not abruptly. Consider a simple example by comparing the views of some insurance authorities with those of risk engineers. That is. How can someone be convicted of a crime if his or her behaviour was predetermined by his or her situation and circumstances? 5. A month or two might go by to ensure that the accident frequency really did go down abruptly (a step function) and if so the matter. Risk analysis in many ways is an examination of our philosophies or prejudices using processes that can withstand judicial scrutiny. (Paraphrased from Karl Popper. They will have increased premiums for this class of car once the accident rate increased. As mentioned in Chapter 1. can their actions be similarly predetermined? Our courts have similar problems.

poorly informed. contextual analysis. Decaying universe Individualistic Decentralisation Anarchistic Nominalism Isolationist Haphazard Freedom of religion Do your own thing Inductive.Causation It appears that a shift has occurred from paradigm 1 to paradigm 3 in the last 25 years. (1) Unidirectional Causal Paradigm Traditional 'cause and effect' model Past and future inferable form (2) Random Process Paradigm Thermodynamics. Changeable categories depending on situation. blueprint must contain more information than the finished product. empirical Atomistic Why bother to learn beyond ones own interest. axiomatic Categorical Believe in one truth. network analysis. Non-redundant complexity can be generated without pre-established blueprint.2 Risk & Reliability Associates Pty Ltd . What does it do to me? Limited categories for own use Egocentric (3) Mutual Causal Paradigm Post-Shannon information theory. Differences must be traced to conditions producing them. 'Impact' analysis Pre-set categories used for all situations Ignorant. essential in determining relevance Generated by community people. Relational. Look for feedback loops for selfcancellation or self-reinforcement. Network analysis instead of tracing of the difference back to initial conditions in such cases. Most direct source of information. limited in scope By 'experts'. Classificational. Science: Information: Cosmology: Social organisation: Social policy: Ideology: Philosophy: Ethics: Aesthetics: Religion Decision process: Logic: Perception: Knowledge: Predetermined universe Hierarchical Homogenistic Authoritarian Universalism Competitive Unity by similarity and repetition Monotheism Dictatorship. they will agree. taxonomic Dissimilar results must have been caused by dissimilar conditions. Self-generating and selforganising universe Non-hierarchical interactionist Heterogenistic coordination Cooperative Network Symbiotic Harmony of diversity Polytheism harmonism Elimination of hardship on any individual Complementary Contextual Polyocular. must learn different views and to take them into consideration. Statistical There is a probability distribution. Information can be generated. Dissimilar results may come from similar conditions due to mutually amplifying network. If the people are informed. Shannon's information theory Information decays and gets lost. majority rule or consensus Deductive. lacking expertise. articulate in their own view. find out probability distribution. either keep community people uninformed. or inform them in such a way that they will agree Methodology : Research hypothesis and strategy: Assessment: Analysis: Community people viewed as: Planning: Laissez-faire Three 'Pure' Paradigms after Marayama (1974) 5.

The establishment of diagnostic organisational signs will give general indications of the health of the high-hazard technical system. Fallible decisions Latent failures (high level decision makers) Latent failures (line management) Line management deficiencies Preconditions Latent failures (preconditions) for unsafe acts Unsafe acts Active failures (productive activities) Failed or absent defences Active and latent failures (defences) Accident Reason’s Resident Pathogen Metaphor Model Such a view leads to a number of views about accident causation: a) b) c) d) e) f) g) h) Accident likelihood is a function of the number of pathogens within the system. as in the case of the human body. And. The higher a person’s position within the decision making structure of a system. Risk & Reliability Associates Pty Ltd 5. Resident pathogens can be identified pro-actively.3 .Causation 5. the more pathogens it will contain. to overcome the immune system and produce disease. which combine with local triggering factors. Like cancers and cardiovascular disorders.1 Biological Metaphors Reason's Pathogens James Reason’s (1993) resident pathogen model of how things go wrong is described in the figure below. less well-defended systems need fewer pathogens to bring about an accident.2 5. no technical system can ever be entirely free of pathogens. they occur as a result of the adverse conjunction of several factors. The more complex and opaque the system. The idea is that latent failures in technical systems are analogous to resident pathogens in the human body. each necessary but none sufficient to breach the defences alone. life stresses or toxic chemicals. Simpler.2. Neutralising pathogens (latent failures) are likely to have more and wider ranging safety benefits than those directed at minimising active failures. Local triggers are hard to anticipate. accidents in defended systems do not arise from single causes. the greater the opportunity to spawn pathogens. for example. Rather.

In practice this boils down to modelling a complex system in a virtual reality environment and playing endless “what if” scenarios. Obviously. which you may be. rather blindly climbing deforming fitness landscapes. Block diagrams and other graphical methods can be used to illustrate the system. 5. organismic business.3 Dawkins' NeoDarwinism In the context of modelling complex technological systems. road traffic modelling for designing road traffic control and simulation modelling of nuclear explosions.2. to track the moving peaks. It is the time the system is in each state and the likelihood of transiting between states. failure or change in one state or condition is independent of the other. If so.4 Risk & Reliability Associates Pty Ltd . these require fearsome computer power and an extensive interpretation of nature.2. Once established. An example was discussed in Section 2. Landscapes in short are part of the search for excellence . Tracking peaks on deforming landscapes is central to survival.2 Kauffmans' Complexity Kauffmans’ view (1995) is interesting in terms of organizational behavior. Accounting System Auditing System A Redundant Accounting System There are three possible states: State (0) State (1) State (2) Both systems operating One system operating Both systems failed 5.3 Discrete State Concepts State models are based on the notion that any system with different ways and combinations of achieving similar outcomes can be described by a number of distinct. That is. cells and CEOs. then the problems confronted by an organization cellular. The one immediately below depicts a redundant accounting system to ensure that correct accounts are kept. Other examples.the best compromises we can attain. We may have our intentions. but we remain blind watchmakers. Richard Dawkins’ computer based artificial selection (his Biomorphs) provides some fertile parallels for risk and reliability engineers (Dawkins 1986 and 1998). The sequence to achieving each state may not be important per in niches created by other organizations. We are all. more familiar with are Flight simulators for aircraft pilot training. independent states. is preeminently how to evolve on its deforming landscape. The last of these has been influential in convincing governments to sign nuclear test ban treaties. 5. governmental or otherwise . mutually exclusive. And. a belief that hyper-reality can come close to reality.Causation 5. any of the defined operating states can be attained.

The courts reflect this in the form of a chronology of events leading up to the "crime". Ignoring partial states can render the analysis difficult. static sparks. how likely the fire is to develop (the inception risk) and how severe the consequences (the propagation risk) are likely to be. wiring. The conceptual problem with the technique is defining all the possible system states. the time sequence is defined by a list of events described in words down a page. It can get very complex very rapidly. such as fire in a building as shown below. etc Ignition Fire Development Fire reaches Smoke significant. etc. Firewalls. For lawyers. For engineers it is usually an arrow of time going from left to right across a page. welding. the restoration rate of the other may also be different.4 Time Sequence One of the central concepts of causation is conjunction in time and space.Causation The likelihood of failure of the second system once the first system has failed may well be different to the likelihood of failure when both systems are operating. It has the same two parts of the risk equation. etc Rate of fire growth. 5. Other probability distributions can be used with more difficulty. Space separation Evacuation and Brigade response can commence Generalised Time Sequence Model for Fire Risk & Reliability Associates Pty Ltd 5. Inception Risk Propagation Risk Smoke Loss Expectancy Thermal Loss Expectancy Maximum Forseeable Loss Supporting Conditions Housekeeping. Depending on which system has failed.5 . Detection detectable size Alert staff. This general idea can easily be extended to most events. The time sequence below for fire in a building was developed to satisfy underwriting concepts. dust control. Smoke detectors Thermal Detection Sprinklers and/or foam Passive fire control Burnout Time Smoking. Ignition Smoke Flame Flashover Escalation Burnout Time Time Sequence Model of Fire Having developed such a simple model it can be extended. These three states and transitions can be represented in different ways. such as in the following figure: 1st system fails 2nd system fails 0 1 2 1st system restored State Transition Diagram Markov chain analysis is the most common form of state analysis technique as it assumes a constant failure rate and restoration rates. spill systems. combustible loading. construction. storage arrangements.

shown below. avariciousness and the like. stubbornness. Accident 5. Heinrich's domino model of causation (derived in the 1940s) has a particular focus (Heinrich. 5. being hit etc). This supports the modern thrust in legislation and views such as those expressed by Kletz (1985) in his text. 2. Then injuries will result. 1. That is: 1. Fault of Person 3. Accidents will occur (falls of persons. 4. excitability and inconsiderateness constitute proximate reasons for committing unsafe acts or permitting the existence of physical hazards. nervousness. Inherited or acquired faults of a person including recklessness. 1959). Ancestry and Social Environment 2. The point of his model is that if one link in the domino can be removed (domino 3) then the chain will be broken. 5. Kletz notes that saying that accidents are the result of human failings may or may not be true.6 Risk & Reliability Associates Pty Ltd . but it is certainly not helpful in risk control terms. People are born with and/or are socialised to develop faulty personal characteristics such as recklessness. Unsafe acts or performance will occur. An Engineer’s View of Human Error. Unsafe act or/ unsafe mechanical or physical condition 1 2 3 4. Injury 4 5 Removal of middle domino breaks the chain Heinrich's Domino Model Such a model suggests that accidents are ultimately derived from an individual’s ancestry and social environment.Causation Note that the fire development or growth rate is not linear once flaming has commenced as shown in the following figure: Very Rapid Fire Growth Smoke Flame Time Representative Fire Curve Different analysts have developed different time sequence models for different problems at different times. violent temper. 3.

1985). The words appearing at the tips of the main branches are causes or so called ‘cause factors’. Risk & Reliability Associates Pty Ltd 5. shown below are another form of time sequence model often used by quality control advisers. Material Machine Measurement Quality characteristics Effect Milieu Man Cause Factors Process Method Characteristics Ishikawa 'Fishbone' Diagram Ishikawa also refers to them as ‘cause and effect’ diagrams (Ishikawa. The arrows indicate that in principle multiple pathways can lead from one element to the other.7 . where direct radiation.Causation Rowe’s Risk Estimation Model. This is particularly appropriate for some large chemical incidents and nuclear reactors. radioactive dust fallout and entrainment in the food chain can all provide cumulative doses to the exposed group. Causative event The causative event is the beginning in time of an activity Outcome(s) The final result of an activity initiated by a causative event Exposure(s) The condition of being vulnerable in some degree to a particular outcome of an activity. The effect is found at the right hand end. The minor branches are inputs to the cause factors or sub-causes. A risk agent is a person or group of persons who evaluate directly the consequences of a risk to which they are the subject. (see figure below) is directed at hazards with multiple pathways to damage situations (Rowe. 1977). if that outcome Consequence types The impact to a risk agent of exposure to a risky event Consequence values The importance of a risk agent subjectively attaches to the undesirability of a specific risk consequence Rowe's Risk Estimation Model Ishikawa (1985) ‘Fishbone’ diagrams. The object of the exercise is to improve the quality characteristics by identifying the most important cause factors and adjusting them appropriately. Each pathway can have a probability associated with its occurrence. for example. The collection of these ‘cause factors’ is a process.

the authors considered the situation of an electrician who received an electric shock whilst on top of a ladder. virus. counteract damage (fire sprinklers) Optimise repair (rehabilitation) Risk & Reliability Associates Pty Ltd . Energy damage models are particularly effective in establishing control options. potential and/or kinetic energy. (conjunction in time and space) provides a simple basis for determining vulnerabilities in a complex system. kinetic energy is proportional to the square of the speed of a vehicle. explosion toxic effects corrosive effects infections.Causation 5. flames ambient condition fire. bacteria. rather it is the potential energy of the person who trips. This sometimes seems trivial but in one expert witness case. the nature of the energy release provides insight into control options. it is observed that injury damage and ill health are the result of the loss of control of damaging energies.8 Prevent marshalling of energy (don’t climb to a height} Reduce energy marshalled (reduce speed) Separate in time and space (install road traffic signals) Prevent the release of energy (fit guard rails) Separate by a barrier (install guards) Modify release rate of energy (reduce slope) Strengthen structure (fire proof buildings) Modify surface impact (remove sharp edges) Detect. The electric shock represents only a possible reason for the fall and not the primary hazard source. Secondly. for example.6 Energy Damage Models Energy damage concepts define a hazard as the source of energy. establishing where energy can be released to affect people. etc purposeful (attacks) and inadvertent gravitational. suggests 10 generic counter strategies: i) ii) iii) iv) v) vi) vii) viii) ix) x) 5. for example. Firstly. External Energies Potential Energies Kinetic Energy 'Flowing' Mechanical Energy Acoustic and other Vibrating Energy Electrical Energy Ionising Radiation Thermal Radiation Chemical Energy Micro-biological Muscular Energy Internal Energies Whole or Part-Body Mass Energy Muscular Energy gravitational structural strain compressed fluids linear and rotational motion mechanical power in machinery noise and mechanical vibration electrical potential energy (volts) electric-. He subsequently fell and hit his head on the concrete floor resulting in serious injury. For example. parasites.magnetic radiation electrostatic charge nuclear particles and radiation solids. Haddon (1973).5 Energy Damage From an engineering perspective. The hazard in this case was the gravitational potential energy that was released during the fall that could have been controlled by wearing a hard hat. So a brick on the floor is not a hazard in itself. fluids. overuse and postural energy levels Damaging Energies 5. Such a concept has a number of useful consequences. A list of damaging energies is shown below. for example: walking/running or swinging/moving the limbs overload. Going twice as fast means that 4 times the energy would be released on impact.

The machine can be replaced by a less noisy device or the noise could be reduced at its source by acoustic dampening on the machine. are: i) ii) iii) iv) v) Control the existence or amount of energy. 1991) shows possible hazard control mechanisms in terms of recipient effects. the machine and the recipient could be separated by the installation of an acoustic hood over the machine. Hazard control mechanism Recipient's boundary hazard Space transfer mechanism recipient Extended Energy Damage Model The types of risk control measures. or the recipient’s damage threshold could be artificially raised by the provision of hearing protection. Separate the hazard and the recipient.9 . which are evident from this model. This can perhaps be best explained by considering someone exposed to a noisy machine.Causation These 10 strategies provide a hierarchy of control and an opportunity to recognise additional essential factors as shown below: Time Zones Predisposing Conditions Situation Normal Moving out of control Out of Control Damage Repair Haddon's Strategies Prevent marshalling energy (don't climb to a height) Separate in time or space (install road traffic signals) Separate by a barrier (install gurardrails) Strenthen structure (fire proof buildings) Detect. Maintain the reliability of the hazard control mechanism. Risk & Reliability Associates Pty Ltd 5. Raise the damage threshold of the recipient. Remove or reduce the need for the space transfer mechanism. The figure below of the extended energy damage model (Viner. counteract damage (fire sprinklers) Optimise repair (rehabilitation) Reduce Energy marshalled (reduce speed) Prevent release of energy (fit guardrails) Modify rate or release of energy (reduce slope) Modify surface impacted (remove sharp edges) Strategy for Management of Energy Exchanges The energy damage concept can be represented in different ways.

7 Conditions and Failures A latent failure (a failure which is not detected and/or enunciated when it occurs) will disable protective mechanisms or reduce safety margins thereby increasing the risk associated with hazards due to subsequent conditions or failures. Appendix D) The notion of latent conditions has re-emerged in causation recently. at least in complex systems. Fire investigators will investigate the cause and may conclude that it started in some wiring due to a short circuit. it would be best to eliminate the source of energy.2 Sufficient Conditions For an incident to occur there must also be sufficient conditions. for example. there has to be sufficient nearby combustibles in an appropriate configuration with an adequate supply of air (oxygen) to cause a fire. Threat Loss of Control Precaution Failure Incidents Near Miss Loss Concept Cause-Consequence Diagram It is always better to control a hazard before loss of control point rather than respond during or after the event. which can be used to explore the concept: Suppose that a fire has started in a house. do not constitute hazards (that is. that is. The next best alternative would be to control the hazard. by installing automatic sprinklers. Whilst we may consider that in many circumstances. by using non-combustible materials. The least desirable (although sometimes necessary) option is to rely on human response. which occurs after the outbreak of fire. which is extinguished before it consumes the house completely. 5. 5. In this case. From this definition a short circuit is not a necessary condition for a house fire as hot oil fires on stoves and children playing with matches are other well-known domestic fire sources. by themselves they have no effect which would make them noticeable.1 Necessary Conditions A necessary condition is a positive condition that must be present for the incident to occur. In the example of a house fire. Usually latent failures affect only functions which are not relied upon in normal operation. Unless such loss of control incidents are recorded and investigated the system is heading for a fall. largely as a result of James Reason’s (1997) promotion of latent conditions. this is not a simple concept. by definition). Latent failures. (SAE ARP 4761.10 Risk & Reliability Associates Pty Ltd . the Loss of Control point is actually the incident. by themselves. J L Mackie (1965) outlines a situation. Lawyers are far more prone to sign off on a management strategy that suggests that the dangerous situation will be prevented rather than relying on a rapid response strategy. after the loss of control of the latent chemical energy stored in the structure. However.7.7. an incident occurs when there is a loss. necessary conditions include combustible materials and an ignition source. For example. but which provide fail-safe coverage and/or protection against abnormal conditions. the vulnerability or hazard. otherwise they would not be latent. 5. that is. 5. Consider the hazard of fire in a building.Causation Energy damage concepts are particularly useful for constructing cause-consequence models in assisting in the determination of the loss of control point.

especially if it is deemed to include all aspects of human behaviour in the context of underlying cultural. To establish what might be practicable.Causation 5. possibly negative and necessary not but sufficient.5 controlled the situation beyond reasonable doubt? or. 5.7. Effects and Criticality Analysis). or the absence of a micro-meteorite that would have crashed through the area just as the fire was about to start. latent conditions would be controllable.4 Controllable Conditions What the fire investigators may be attempting to do is to describe those conditions that they believe should have been considered controllable. For example: * * * * a correctly sized fuse (which would have prevented the short circuit in the first place).11 . social and economic circumstances. In this sense. some form of probability test seems to be applied.3 Negative Conditions Negative conditions are the absence of certain conditions causing a fire. a latent condition waits until a particular pattern of circumstances arises enabling a catastrophe. So. negative conditions are problematic because they can include a vast array of unpredictable 'what if' possibilities. or the absence of a nearby automatic sprinkler which would have minimised the fire. controlled the situation on the balance of probabilities? Latent Conditions The notion of latent conditions seems to rest around some form of failure that is not apparent when it occurs. like a software error.7. similar to a hidden or concealed failure in FMECA (Fault Modes. This is in some ways problematic since establishing all the relevant conditions can be a very difficult task. or the failure to enclose the cable in metal pipe to shield it from combustibles. Risk & Reliability Associates Pty Ltd 5. Obviously. If a negative condition were removed would it have: * * 5. The legal tests of causation appear to be relevant.7.

12 Risk & Reliability Associates Pty Ltd . Rowe W D (1977). Ashgate Publishing Limited. McGraw Hill Books. Managing the Management Risk: New Approaches to Organisation Safety Chapter 1 of Reliability and Safety in Hazardous Work Systems: Approaches to Analysis and Design. Reprinted as Chapter I of Causation and Conditionals edited by Ernest Sosa. Reason J (1997). An Engineer’s View of Human Error. Journal Trauma. London. Translated by David J Lu. Viner D B L (1991). Kaoru (1985). Eds I Wilpert et al. Penguin Books Edition 1996. No. Haddon W (1973). enlarged. VRJ Information Systems. pp. Reason J (1993). pages 321-331. Causes and Conditions. Wiley Interscience. ISBN 0 646 02009 9 5. sixth impression. 2nd Edition. Aerospace Recommended Practice. Oxford University Press (1975). Melbourne. Cybernetica. Number 4. IChemE. Maruyama M (1974). The Blind Watchmaker (1986. Revised Edition 1979. SAE ARP 4761:1996 Guidelines and Methods for Conducting the Safety Assessment process on Civil Airborne Systems and Equipment. Oxford University Press) are also worth reading. ISBN 0-86377-309-5. Heinrich H W (1959). Penguin Books. Ishikawa. Oxford Readings in Philosophy. pp 245-64 and 261-4. 4th Ed. Kauffman. New York. Clarendon Press. The Structure of Scientific Revolutions. His earlier works. Energy Damage and the Ten Countermeasure Strategies. Penguin Books) and The Selfish Gene (1976.Causation REFERENCES Dawkins Richard (1998). American Philosophical Quarterly. University of Chicago Press. Oxford. Stuart (1995). At Home in the Universe. Popper K R (1972). East Sussex.4 (October 1965). Climbing Mount Improbable. Kuhn T S (1970). 136-156. Paraphrase is from Chapter 2. Society of Automotive Engineers. Managing the Risks of Organisational Accidents. Lawrence Erlbaum Associates Ltd. Accident Analysis and Risk Control. What is Total Quality Control? Prentice-Hall. pp 15-38. Mackie J L (1965). Volume 13. (Quote is from page 247) Kletz T A (1985). Paradigmatology and its Application to Cross-Disciplinary Cross-Professional and Cross-Cultural Communications. An Anatomy of Risk. 2.2. The Search for Laws of Self Organisation and Complexity. Objective Knowledge: An Evolutionary Approach. New York. Industrial Accident Prevention.

5 1. business and occasionally individuals to determine whether a risk is acceptable. Many countries in the world maintain databases on causes of death to their citizens. Over any period of time. They are very interested in where nuclear risk is perceived to lie.Risk lihood rity I1 0 2 0 I2 I3 I4 I5 I6 I7 I8 I9 I10 I11 : Ij ∑Ij 0 0 0 52 1 0 2 0 0 0 0 0 1 0 3 50 2 13 260 1500 0. Risk & Reliability Associates Pty Ltd 6.1 Legal Criteria A robust form of measurement can be devised around legal criteria as discussed in Chapter 4.1 2 0.5 6 45 100 3 0 4 0 0 0 0 0 45 0 CLAIMS JUDICIAL PROCEEDINGS LikeSeve.003 3 50 2 13 260 1500 0.Event Management >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Concept Hazard Register The above table suggests why such an approach could be considered. Risk Criteria Risk criteria are used as a decision-making yardstick by governmental agencies. tolerable or unacceptable.001 0. However.1 INCIDENTS AND OCCURRENCES LikeSeve. That is.6 8. These can be analysed. These tables are basically a statement of what a particular community seems to have historically accepted as ‘reasonable’.45 0.2 Individual Risk Criteria If a single severity of outcome is being considered then very often probability criteria can be used as the basis to benchmark risk.Risk LikeSeve.06 30 0. there are obviously other dimensions to managing risk like this.65 0. what we as a society are willing to live with. This ought to be a small subset of the set of all hazards and incidents.3 0.5 6 45 100 0 3 0 2 0 0 0 0 0 45 0 0 50 J2 J3 J4 J5 J6 J7 J8 J9 J10 J11 : Jj ∑Jj 0 0 0 47 0 0 1 0 0 0 0 0 1 0 3 50 2 13 260 1500 0.5 6 45 100 0 0 2 0 0 0 0 0 45 0 H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 H11 : Hi ∑Hi C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 : Cj ∑Cj Event Horizon <<<<<<Pre-Event Control / Post . 6.5 0 51.1 . the number of actions taken by various environmental and occupational health and safety enforcement agencies against an organisation or perhaps the number of days directors might spend in jail might be considered. The numbers for the NSW figures were prepared by ANSTO (Australian Nuclear Science and Technology Organisation). HAZARDS LikeSeve. most hazards will not result in incidents and of the incidents that do occur only a few will give rise to claims.2 0. So only if a company was both naive and immoral would it attempt to manage risk by trying to identify and manage only those hazards which it thought might lead to incidents that could end up giving rise to prosecution or a common law claim. For example.6 2.5 0.5 0. Nuclear authorities usually undertake such studies.23 0.Risk lihood rity 0.005 0.01 0.45 6.Risk lihood rity lihood rity 0 2 0 J1 0 2 0 1 0 1 0 0 0 0 0 1 0 0 3 50 2 13 260 1500 0. Most of the costs will manifest in those claims that make it to court.2 0.5 0.5 6 60 100 1 0.025 0. Unless one is clairvoyant it is not possible to know which hazards definitely will lead to court cases and which ones will not. A typical result is shown on the following page.05 0. 6.Risk Criteria 6.

2 Risk & Reliability Associates Pty Ltd .001 6.1 0. That is. all effects 2. once in every ten million years. all cancers 3.1 10 3 3 2 0. for an individual. the chances.Risk Criteria From such lists various authorities suggest acceptable frequencies of death for individuals in critical exposed groups. on average. These numbers are in chances per million per year. Risks to Individuals in NSW and Australia as a Whole. lung cancers Drinking alcohol (average for all drinkers) all effects alcoholism and alcoholic cirrhosis Swimming Playing rugby football Owning firearms Transportation Risks (average to travellers) Travelling by motor vehicle Travelling by train Travelling by aeroplane accidents Risks averaged over the whole population Cancers from all causes  total  lung Air pollution from burning coal to generate electricity Being at home-accidents at home Accident falls Pedestrians being struck by motor vehicles Homicide Accidental Poisoning • total • venomous animals and plants Fires and accidental burns Electrocution (non-industrial) Falling objects Therapeutic use of drugs Cataclysmic storms and storm floods Lightning Strikes Meteorite strikes Risks to Individuals in New South Wales (from NSW Department of Planning.2 0. Voluntary Risks (average to those who take the risk) Smoking (20 cigarettes/day) 1.07-300 110 60 35 20 18 0. Australian Nuclear Science and Technology Organisation. of being struck and killed by lightning in NSW is one in ten million per year or alternatively. 1990) Source: Edited from D J Higson. July 1989 Chances of fatality per million person years 5000 2000 1000 380 115 50 30 30 145 30 10 1800 380 0.

000 per year). In the range between these two figures cost benefit studies to reduce the risk to as low as reasonably practicable is appropriate Risk Categories Levels of Risk Acceptability Typical Quantification Values I Intolerable. it must be kept under review and reduced still further to the negligible level if and when this becomes practical. risk cannot be justified except in extraordinary circumstances 10 -4 per year II Undesirable.Risk Criteria Such data can also be represented in a triangle type diagram. then it is probably so low that we don't expect anyone to do anything about it.3 . but that if it about as likely as being struck by lightning (about one chance in 10 million per year). The Victorian WorkCover Authority. sometimes referred to as "the dagger diagram". To tolerate risk means that risk is not regarded as negligible. it seems that if we believe something is more dangerous than driving a car then the risk is unacceptable (about one chance in 10. In simple terms. Risk & Reliability Associates Pty Ltd 6. The key element is the process by which it is demonstrated that all practicable measures have been taken to reduce risk levels to a minimum. Rather. A summary of criteria used in Australia and New Zealand is described in Chapter 13. tolerable only if reduction is impractical or if cost is grossly disproportionate to the improvement gained Car Accident Death Rate 10 -5 III Tolerable if the cost of reduction would exceed the improvement gained 10 -6 IV Broadly Acceptable Negligible risk per year Limit for WA EPA per year Objective for NSW DoP 10-7 per year V Acceptable Trivial risk Lightning Strike Death Rate Objective for Vic VWA Risk Levels for Individuals in a Critically Exposed Group Diagram (without quantification) appears in IEC 61508 as figure B1 Many organisations are now emphasising the risk criteria of tolerance rather than acceptance. the NSW Department of Planning and the Western Australian Environmental Protection Authority (EPA) have defined individual risk levels. The two key levels seem to lie around road death statistics and the chances of being struck by lightning. Other Australian States tend to utilise one or other of these criteria when assessing individual and/or societal risk. meaning that it can be ignored. Process Industry.

child care facilities. 10 -3 Netherland Unacceptable Limit -4 10 Frequency of N or 10-5 more fatalities per year -6 10 -7 ALARP (As low as reasonbly practicable) 10 -8 10 Netherland Acceptable Limit 1 10 100 1000 Number of Fatalities (N) Societal Risk Criteria as reported by the NSW Department of Planning (1990) There also appear to be occasions dealing with very severe events where the consequence of the outcome is deemed to be so high that it is just politically unacceptable.3 Societal Risk Criteria As the severity of the event increases. hotels. The table below summaries the criteria for the individual fatality risk for new installations. 6. the NSW Department of Planning has published an advisory paper "Risk Criteria for Land Use Safety Planning" (June 1992) that outlines the criteria by which the acceptability of risks associated with potentially hazardous developments will be assessed. tourist resorts Commercial developments including retail centres. In many countries this seems to amount to a one hundred-fold decrease in the likelihood of the event for a ten-fold increase in the severity of the consequence measured in fatalities. This is presented as a F-N plot. Again these are described in more detail in Chapter 13.4 Risk & Reliability Associates Pty Ltd . we appear to become more risk averse. it appears the community has a much greater aversion to multiple fatality incidents. which indicates the cumulative frequency (F) of killing 'n' or more people (N). schools. Authors such as Wiggins (1984) in the USA have noted that the dollars Congress spends per life saved for a coalmine disaster or aircraft collision is much higher than the dollars spent to save a life on the road. offices and entertainment centres Sporting complexes and active open spaces Industrial Individual Fatality Risk-New Installations 6. Societal risk criteria have been proposed by a number of authorities including the Victorian WorkCover Authority and the NSW Department of Planning.0 x 10 pa -6 5 x 10 pa 10 x 10 pa -6 50 x 10 pa -6 Land Use Hospitals. Particularly. This is shown in the Netherlands criteria below. Societal risk analysis combines the consequence and likelihood information with population information. once the death threshold is passed. motels. Risk Level -6 0.Risk Criteria For example. old age housing Residential.5 x 10 pa -6 1.

and have the potential to bio-accumulate should be avoided.4.4 Environmental Risk Criteria Unlike OH&S risk assessment in which all evaluations have a common denominator. temporal etc) the ecosystem has inherent or built-in variability and recoverability cause and effect relationships are often difficult to measure interdependency exists between different eco-sub-systems acceptability of risks to the environmental resources is dependent on human values. There is currently a set of draft criteria issued by the Victorian WorkCover Authority (VWA). namely “human exposure”. discharge will cause irreversible net change the relative scale of the environmental impact must be considered in all environmental dimensions (spatial. the societal risk level is acceptable. Risk should be "as low as reasonably practicable" (ALARP). which is used by Government Authorities involved in Land Use Planning. 6.1 Wright's Criteria Wright (1993) describes several factors which need to be recognised. regardless of the perceived value of the activity. 10 -2 Risk Unacceptable 10 -3 Frequency of N or -4 10 more fatalities per year -5 10 -6 10 -7 10 Risk Acceptable but remedial measures desirable Risk Negligible 1 10 100 1000 Number of Fatalities (N) Victorian Societal Risk Criteria 6. October 1997. open and dynamic the time-scale to cause measurable impact or recovery from impacts may be longer than human life persistent materials which are bio-available. societal risk criteria for public safety relating to hazardous industries have not been formally established and publicised in Victoria. some risk reducing measures may be required. * * * * * * * * ecosystems are complex.5 Risk & Reliability Associates Pty Ltd . The document establishes criteria for societal risk in the form of a log-log F-N plot that results in two parallel lines defining three zones: a) b) c) above the acceptable limit the societal risk level is not tolerable between the acceptable and negligible limits the societal risk level is acceptable but if the perceived benefits gained by the activity are not high enough. “Risk Sensitivity Analysis for the Altona Petrochemical Complex and Environs”.Risk Criteria For example. below the negligible limit. 6. This criterion was used as part of the Technica Ltd. environmental risk assessment has a much broader and complex scope with a substantial increase in the number of uncertainty characteristics.

but not irreversible. for example. Resources not impaired. Very Serious Serious Moderate Not detectable Environmental Consequences In the context of a risk diagram: Frequency per year 1 -1 10 10 Likelihood -2 Accidental and Intermittent Release Intolerable Risk Level "As Low As Reasonably Practicable" (ALARP) Region -3 10 -4 10 -5 10 -6 10 Negligible Risk Level Design/Operation Risk Level Not Detectable Moderate Serious Very Serious Catastrophic Consequence Risk Levels for Accidental Releases to the Environment 6. Alteration or disturbance within natural viability. Effects can be transmitted. Recovery in 50 years. Effects can be transmitted. not accumulating. can accumulate. not accumulating. interact to cause damage. Recovery < 5 years. Loss of sustainability of selected resources. Loss of sustainability of most resources. Life cycle of species impaired. Effects not transmitted. Recovery in 10 years.6 Risk & Reliability Associates Pty Ltd . Temporary alteration or disturbance beyond natural viability. Effects confined < 5000 m2.Risk Criteria There is also the problem of synergistic effects. No recovery. Resources temporarily affected. This means. Area affected 100 km2 Alteration to one or more eco-systems or component levels. Alternation/disturbance of a component of an eco-system. not accumulating or impairment. Loss of resources but sustainability unaffected. Effects not transmitted. Wright also suggests that it is possible to calculate the likelihood and size of accidental or intermittent releases and then make a judgement on what the consequences of such releases would be. that two chemicals which are individually inert in the environment. The table of consequences is shown below: Consequence Type Catastrophic Description Irreversible alteration to one or more eco-systems or several component levels. Area affected 50 km2. can accumulate.

2 Inter-governmental Agreement on the Environment (Feb 1992) The 'Precautionary Principle' has been adopted by the Inter-governmental Agreement on the Environment (1992) between the Commonwealth and the States as a cornerstone of Australian environmental policy. the residual powers remain with the states.5 Insurance Criteria Depending on the nature of the event. This principle apparently had its origins in Germany's democratic socialist movement in the 1930's and gained acceptance through the 1970's and early 1980's as a powerful corporate governance tool. In the application of the precautionary principle.7 . The significance of an intergovernmental agreement relates to the Australian constitution and that the original six Australian states existed before federation. Relative Likelihood of Consequence Public Liability Uninsured Workers Compensation Property Insurance Re-insurance Maintenance OH&S Fire & Explosion Catastrophic Relative Severity of Consequence Risk Diagram Showing Some Insurance Regimes Risk & Reliability Associates Pty Ltd 6.Risk Criteria 6. and an assessment of the risk-weighted consequences of various options. public and private decisions should be guided by: (i) (ii) careful evaluation to avoid. The principle expressed in the IGAE is: Where there are threats of serious or irreversible environmental damage. serious or irreversible damage to the environment. the insurance approach can provide certain benchmarks or criteria. lack of full scientific certainty should not be used as a reason for postponing measures to prevent environmental degradation. significantly reducing the instances of imprudent business practices and adding strength to the world's rapidly developing securities' markets. Unless the constitution specifically provides for powers being exercised by the federal government.4. 6. So in order to obtain a consistent national outcome for matters that lie outside the constitution an intergovernmental agreement must be obtained. wherever practicable.

Once a company has established an underwriting tradition it is difficult to change the definitions without seriously complicating the individual underwriters’ attitudes and that of the re-insurers towards the underwriters. The point to note is that the law is second on the list. The reason for this plethora appears primarily to derive from the history of the organisations using them.6 Ethical Criteria The Codes of Ethics of most professional societies contain certain performance criteria. then he or she is on their own. In the case of workers’ compensation insurance. there appears to be an observable trend with loss estimates that the more conservative the underwriter the more severe the loss estimate criteria will be. and that the statement in italics is quite clear that if a registrant fails to adhere to the code.8 Risk & Reliability Associates Pty Ltd .Risk Criteria There are presently about thirteen different definitions of property loss expectancy used throughout the world. professional responsibility — exercise reasonable professional skill and care law — know about and comply with the law conduct — act in accordance with codes of conduct approach — take a systematic approach to risk issues judgement — use professional judgement and experience communication — communicate within your organisation management — contribute effectively to corporate risk management evaluation — assess the risk implications of alternatives professional development — keep up to date by seeking education and training public awareness — encourage public understanding of risk issues. This is particularly noticeable with re-insurers' definitions. almost all Australian jurisdictions have different criteria for claim thresholds. ix. vii. v. 6. Registrants should be aware that non-compliance with the provisions of this code might be relevant when considering professional disciplinary matters although adherence to this code will be regarded as demonstrating good practice. iv. Perhaps not unnaturally. 6. which could provide the best protection against such action. While a failure to adhere to the provision of this code by an individual registrant may not necessarily amount to negligence or a breach of an applied contractual term by that registrant. viii. The UK Engineering Council adopted in 1993 the following statement that Engineers Australia (1993) picked up in a more diluted form. vi. each with subtle definitions and variations. ii. iii. which could lead to disciplinary proceedings. The small print on the back of the UK brochure stated: The Engineering Council expects registrants to adhere to good engineering practice wherever and whenever possible and considers that this code of professional practice will assist registrants in achieving this standard. which are supposed to apply to the members. such failure may be evidence of an infringement of the Council’s rules of conduct. x. The ten-point code on professional practice on risk issues is: i.

Sydney (1989). Risk Criteria for Land Use Safety Planning. The Engineering Council of the United Kingdom (1993). Fernandes-Russell. Canberra.2 (Interim July 1988) Wiggins J H (1984). Proceedings of the Annual Conference. HMSO. Societal Risk Estimates from Historical Data for UK and Worldwide Events Research Report No. Intergovernmental Agreement on the Environment. HMSO. Engineers Australia. Technica Ltd (1997). Australian Nuclear Science and Technology Organisation. Health and Safety Commission. Nuclear Safety. IEC-61508-5 Functional Safety Systems of electrical/electronic/programmable electronic safety-related systems. Hazardous Industry Planning Advisory Paper No. No. Higson D J (1989). Risk Sensitivity Analysis for the Altona Petrochemical Complex and Environs. 2. Risk & Reliability Associates Pty Ltd 6. UK. Muspratt M A & R M Robinson (1991). Code of Good Practice for Dealing with Risk. Volume 31. Proceedings of Victoria Division. Nuclear Safety Assessment Criteria. Engineers Australia (1993). April/June 1990. Public Works Department. 2nd Edition. Ethics and their Environment. International Standard on Functional Safety. Major Hazard Aspects of the Transport of Dangerous Substances. Butterworth. Total Asset Management Manual . 3. The University of Sydney. Nuclear Safety Bureau. NSW Department of Planning (1990 and 1992). NSB Report 2/1989. Environmental Risk Assessment Unit. Health and Safety Executive. UK (3 Volumes). Development of Environmental Risk Assessment (ERA) in Norway. No. Risk Analysis in Public Policy. July 1998. Wright N H (1993).Heinemann Ltd. READING Engineers Australia (1990). Loss Prevention in the Process Industries. NSW Department of Planning. 4. Are You at Risk? Engineers Australia. 3.9 .Risk Management. Lees F P (1995).. Warren Centre for Advanced Engineering (1986). Risk Assessment and Management: Offsite Individual Risk from Hazardous Industrial plants. Dealing with Risk. Canberra. Engineers Australia. UK (1991). UK (1988). Western Australia EPA document: Guidance for the Assessment of Environmental Factors. NSW Government (1993). Risk Engineering Symposium 1984: Engineering to avoid Business Interruption. Hobart. pp 173-186. Norske Shell Exploration and Production. Major Industrial Hazards. November 1993. Report and Appendices of the Advisory Committee on Dangerous Substances London.Risk Criteria REFERENCES Commonwealth of Australia (1992). The Tolerability of Risk from Nuclear Power Stations. University of East Anglia Norwich. London. Engineers Australia. School of Environmental Sciences.Part 5 Examples of methods for the determination of safety integrity levels. Oxford. Delia (1988). Higson D J (1990). Risks to Individuals in New South Wales and in Australia as a Whole. Environmental Risk Impact Assessment Guidelines Hazardous Industry Planning Advisory Paper No.

Take the crude example of a traumatic leg injury. Saving the leg is possible but with an increased risk of gangrene. Which procedure should be adopted? If a downside risk assessment only were considered then the leg would almost certainly be amputated.Top Down Techniques 7.4. Opportunities and Threats) from the commercial sector.5. External / Internal Factors Opportunities Threats Value Addeds Strategy Vulnerabilities Strengths Weaknesses Organisation Augmented SWOT Process 7. 7. The best immediate course of action (COA) might be very chancy but could reduce the conflict to days rather than years. Military decisions also have this two-sided element.2.2 Clinical and Military Risk Decisions Different clinical procedures can also entail a mix of risk outcomes. Amputation will almost certainly save the life of the patient but at a price of reduced mobility.1 Business Risk Market risk is an obvious form of business risk with both upside (speculative) and downside (pure) risk implications. That is. Ranking combinations of upside and down side risk is covered in Section 8. Risk & Reliability Associates Pty Ltd 7. The risk analysis generally focuses on those issues which will prevent the assumed upside benefits from being achieved.3. 7. In this case the upside risk is assumed in the proposal.1 .2.0 Top Down Techniques This chapter focuses on the top down view of downside risk or vulnerabilities. Conceptually the two overlap as shown in the augmented diagram below. Is it better to take the chance or to play it ‘safe’ and prolong the conflict? 7. it is a downside risk assessment process from an assumed upside risk position. Vulnerability techniques derived from the military intelligence community and SWOT (Strengths.1 SWOT Assessments The SWOT analysis interpreted from a risk perspective provides insight into Liabilities as established by Vulnerabilities (the risk of loss).2 Upside and Downside Risk It should be noted that many risk decisions have simultaneous upside and downside risk elements. and Rewards identified by Value Adding (the risk of gain). Further discussion on the upside risk or value addeds is contained in Chapter 3. 7. Integrated Investment Ranking. Weaknesses.3 Project Risk Decisions Project risk provides another interesting insight. Two high level or top down techniques appear common. Risk and Opportunity.2. Project Risk Profiling. This is discussed further in Section 7.

This prevents the misapplication of resources to something that was really only a threat and not a vulnerability. Training) Risk Avoidance Risk Transfer Risk Acceptance Generalised Vulnerability Assessment Technique It is important that the identified threats are credible. Only the assessed vulnerabilities then have control efforts directed at them. The central concept is to define the assets of the business and all the possible threats to them. corporate image to pollution. explosion Natural hazards (rain. and all the primary credible threats identified then no unexpected vulnerabilities should impact the organisation. if all the critical success factors for an enterprise are declared. For example one would not list “earthquake” as a credible threat in a region. For example. public affairs risk analysts. 7.g. product to contamination) Personal (e. personnel to injury/vehicle accident. product fault.) Critical plant failure Failure of a major supplier Sabotage. acts of aggression Vulnerabilities (Assets exposed to Threats) Physical (e. The threats are then systematically matched against the assets to see which is vulnerable to each threat.g. fraud and corruption). Assets (Critical Success Factors) Public image and confidence Capability to perform an organisation’s function Physical resources and facilities Personnel resources Customer loyalty Threats Smoke. Nor would terrorism normally be a credible threat to the building of a new production facility for jam in a rural location. However. if one credible vulnerability is overlooked then an unexpected event can occur ‘out of the blue’. discrimination. snow. which is not in an earthquake region.3 Vulnerability Assessments The diagram below outlines a generic vulnerability assessment technique that is used very widely to assess and propose appropriate solutions to risks that affect most organisations. The power of the vulnerability technique lies in its potential to provide a completeness check. equipment to sabotage. earthquake etc.g.2 Risk & Reliability Associates Pty Ltd .g. buildings vulnerable to fire. chemical exposure.Top Down Techniques 7. Administration. terrorism) Public Relations (e. assets to currency. Financial (e. money to theft. fire. strategic planners. project managers as well as risk engineers. market or interest rate changes) Management Strategies Risk Control (Design. This technique is something that is used by military intelligence. wind. The organisation’s Critical Success Factors can also be considered to be the organisation’s assets.

typically around 10% of the intersections of a typical asset/threat matrix. Risk & Reliability Associates Pty Ltd 7.Top Down Techniques The vulnerability process can also be shown as a simple flow chart.3. the actual number of critical vulnerabilities is usually quite small. Critical vulnerabilities are explained further in Section 7. Vulnerability Assessment Process The power of the process rests on the fact that whilst there may be a large number of identified assets to be protected against a large number of threats. The weakness of the technique is that it often identifies areas of strategic concern rather than particular risk issues and precautions.3 .5.

comprises the steps of: • • • Threats Vulnerabilities Impacts 7. Should such premiums provide funds for physical protection. . More insurance required? Threats identified. Step 3 entitled. air conditioning . Implementation End Flow Chart of the Asset and Threat Technique Applied to Computer Risk Assessment The vulnerability approach is used in the Information Security Standard AS/NZS 4444. fire. sabotage .4 Risk & Reliability Associates Pty Ltd . . water damage. power failure. power supplies. . Undertake a Risk Assessment. accounting . . Increased insurance Yes Is protection commensurate with insured levels? Vulnerable? Do threats expose vital points ? No No Is protection adequate and appropriate? Yes Cost effective recommendations? Business Interruption Insurance largely ineffective. .2:2000. Define disaster period? Is insurance enough to cover cost of outside operations. processors.Top Down Techniques The figure below shows the vulnerability technique as a flow chart for computer risk assessment. replacement of equipment and non-essential services? Vital points identified. . Objectives of the Organisation No Is the computing facility essential to the maintenance of the objectives? Yes What parts are essential? Payroll. Yes Can these essential services be done elsewhere? No Adequate protection against disaster possibilities essential.

Risk & Reliability Associates Pty Ltd 7. the Australian Risk Management Standard (AS 4360:1999) lists possible areas of impact as: a) b) c) d) e) f) g) h) i) j) Asset and resource base of the organisation. It is very difficult to undertake a risk analysis if the organisation concerned cannot clearly state its business at the outset. Revenue and entitlements Costs of activities. There are various ways that a vulnerability assessment can be made including desktop studies. Carparks Computers & Software Trained Operators Dependency Tree Diagram of an Airline Each of these sub-assets could then be examined for their vulnerability to each of the listed threats.5 . Flying Paying Passengers Serviceable Aircraft Trained Aircrew Passengers Serviceable Airports Reservation Systems Passenger Terminals Trains. goodwill. including personnel. All these approaches assume that the analyst has a clear view of what the business of the organisation actually is. both direct and indirect People Community Performance Timing and schedule of activities The environment Intangibles. The example below sets out the key assets from the viewpoint of an airline that perceives its business to be that of moving paying passengers by air. quality of life Organisational behaviour Dependency trees can also be used for such an assessment. For example. hiring specialist consultants or combinations of these. workshops.Top Down Techniques 7. something that is not always easily achieved. such as reputation.1 Assets Lists are the most common way of establishing assets.3. Taxis.

The security appropriate to bomb threats. for example.Top Down Techniques 7. after identification and assessment of assets. as used in this section.6 Risk & Reliability Associates Pty Ltd . The issue to be considered is: what particular credible threats exist or could arise to the identified assets and which of these threats are significant? A sample Threat Checklist is shown below. Threats to Treasury & Finance Credit squeezes Liquidity issues Customer payment defaults Exchange fluctuations Funding sources failure Interest rate fluctuations Threats to Assets Fire Earthquake Flood Explosion Critical plant failure Malicious damage Threats of Business Interruption Industrial action Political/Civil upheaval Picketing/Demonstrations/Boycott Bomb Threat Bomb "Hoax" Malicious Damage/Sabotage Threats to Information Industrial Espionage Takeover Sabotage of data Threats to Company Reputation Scandal (eg. business or political) Product Fault or Contamination Environmental pollution Threats to Company's Competitive Edge Professional incompetence Failure to best practice Failure to continuously improve Poor public image Threats to Product Product Extortion Collusive Theft Pilferage Contamination Threats to Staff Discrimination OH&S injury Harassment Threats from Staff Pilferage Theft Fraud Malicious Damage Threats to Cash Robbery Burglary Military Threats Sniper fire Small arms fire Machine gun fire RPG or mortar attack Artillery attack Missile attack Thermonuclear A Sample Threat Checklist 7. is obviously different to that required regarding product extortion. frauds. Threat. refers to any occurrence or activity that could destroy a business asset or reduce its value or business effectiveness.3.2 Threats The second task. (Where some disciplines use the term threat in this way. is identification and assessment of threats to these assets. others would prefer to use terms like hazard or risk) The type and degree of protection required for different assets will depend on the nature and likelihood of the threat and how vulnerable that asset is to those threats.

This weakness may be intrinsic in the asset. or to use such retained funds to diversify the income stream.3. This is discussed further in Section 3. Commercial vulnerabilities are often characterised by an inability to purchase insurance against them. For example. even less if it is covered by insurance. public relations fallouts. members of the public. Business impact should include human cost. How much would the counter-measure cost to implement and maintain? How much risk reduction would this achieve? How does this compare with the maximum foreseeable loss that could result if the measure was not introduced and threats succeeded? Such an approach can direct attention to revenue concentration for example. dollar values will be put on such things. It is the overall cost to the company if threats succeed. Product is more vulnerable to theft and fraud if the stock control and accounting systems are dominated by the requirements of the sales department to the detriment of accurate and timely accounting. (Although in legal cases where injured parties sue for damages due to negligence.not just loss measurable in dollars. or disaster recovery is more vulnerable to adverse business impact if certain threats materialise. anguish.3 Risk and Opportunity. and the like. that is. Proper assessment of potential business impact is essential in determining the cost-benefit of proposed counter-measures. and associated families would experience . Or the weakness may be due to the location of the asset.7 . To ensure a steady dividend stream it may be desirable to retain profits to offset against the possible loss of income. Or the weakness may be due to inadequate or inappropriate risk management. Good corporate citizens and managers should be motivated by normal human values. anxiety. The key issues are to establish the nature of the perceived vulnerability quantified in terms of possible dollar impact and return period. 7.3 Vulnerabilities A vulnerability is a weakness with respect to a threat. Consequential damage includes such things as: • business interruption • loss of market share or competitive edge • fines due to incidental pollution resulting from fire. an Australian company in the Middle East is more vulnerable to terrorism than one in Iceland.Top Down Techniques 7. suffering. or malicious damage Risk & Reliability Associates Pty Ltd 7. a US multinational company is probably more vulnerable to politically motivated attacks than a Swiss company. Many organisations create a Group Risk Profile. it may only cost thousands of dollars to replace a contaminated product. stress.4 Business Impact Business impact is a form of risk characterisation particularly persuasive in assessing commercial risk. NB: Vulnerability is used alternatively to refer to the extent of exposure of business or asset to a risk. off balance sheet strategy performance and operational performance together with procedures for their day-to-day management. a company with no contingency planning for crisis management. This provides consideration of the major recognised balance sheet. For example. For example.3.) It is necessary also to consider consequential or indirect costs as well as direct costs. Any business that obtains more than 25% of its income from a single source or contract can be subject to major profit fluctuations if that source abruptly stopped. Confidential information on a meeting room blackboard in an office with some public access is more vulnerable than when it is in a locked cabinet in a manager's private office or a secure registry. For example. But the loss of market share and business reputation may be far more important. not just "economic rationalism". The quantification of commercial vulnerabilities is necessarily less ‘scientific’ as human nature appears to much greater significance. which staff. explosion.

media / public Sometimes security itself can be the cause of poor staff and union relations if it is inappropriate. Obviously insurance and finance/accounting departments need to be involved. senior decision makers and the courts require a demonstration that all practicable reasonable precautions are in place. but so too. 7.6 Workshops One of the most successful methods of obtaining consensus on the relative importance of vulnerabilities. As an Australian judge has been reported as noting to the engineers after a recent train incident: “What do you mean you did not think it could happen.8 Risk & Reliability Associates Pty Ltd . can appropriate control options be identified and appraised. government. 7. after the event. A manager cannot do it effectively without the assistance of other managers of specialist functions. A common example is the inept use of baggage inspections or searches as a counter-measure against pilferage. There are various possibilities but a common approach is a two-stage workshop shown below.3. neighbourhood. in many cases. Risk is not strictly relevant since. there are seven dead”.3. personnel. vulnerabilities. The underlying issue is that if something untoward occurs the courts immediately look to establish (with the advantage of 20:20 hindsight) what precaution/s that should have been implemented weren’t. or insensitively implemented. threats. Virtually all other functions are involved in assessing business impact in relation to one or other of the company's assets. industrial relations. It has happened. unions. do production/operations. and legal departments. establishing control options and creating an action list is to use an asset and threat matrix in a workshop with relevant managers.5 Control Only when risk has been identified and prioritised by assessing assets.Top Down Techniques Consequential damage can result also if a breach of security causes such things as: • strikes • legal liability • government regulation • deterioration in relations with staff. 7. characterising risk. Asset ID Credible Threats Credible Vulnerabilities Stage 1 Criticality Assessment Stage 2 Critical Credible Vulnerabilities Statutory and Regulatory Compliance Common Law "Due Diligence" Investment Payback Criteria Insurance Criteria Possible Precautions Risk Analysis Recommendations and/or Residual Risk Allocation Vulnerability Workshop Process As discussed in the Liability chapter (Chapter 4). Assessing business impact is a collective task. public and media relations. marketing. likelihood is not relevant. and potential business impact.

xxx xx x va Critical potential vulnerability that must be (seen to be) addressed Moderate potential vulnerability Minor potential vulnerability No detectable change Possible value adding Criticality Scoring System If this is correctly done then around 10% or so of the cells will have three x’s. The next section considers risk characterisation in greater detail. the assets and threats of concern to the organisation are developed into a matrix form. This is the Pareto principle. How risky a situation is before the event is not germane. Typically 80% to 90% of the risk comes from 10% to 20% of the vulnerabilities. then further analysis is often not required. 7.Top Down Techniques Hence the notion of risk is really only used to test the value of the precaution it is claimed ought to have been in place.3. Provided there are cogent arguments explaining why all critical vulnerabilities are being managed. Dealing with these to 10 to 20% is the primary purpose of the analysis. Operability xx x xxx xxx Staff xx xx x xx xx LIKELIHOOD Almost Certain x x x x x x x A Likely B H H M H L L L 1 Possible Unlikel C D E Rare E E H E E M H E E L M H E L M H H 2 Moderat E Insignifican Minor 3 Major Catastrophic 4 5 CONSEQUENCE 5 x 5 Risk Characterisation Matrix Showing “xxx’ Criticality Consequence Values Risk & Reliability Associates Pty Ltd 7. at least from a liability perspective. In a sense the critical vulnerabilities are the top consequence scores in a risk characterisation matrix as shown below. A very simple example result from a first stage is shown in below.9 . ASSETS > THREATS Technical Failure Community Issues Political (change of government) Credit Squeeze Flood Reputation xx x xxx x Sample Vulnerability Matrix Many analyses in fact stop at the criticality stage. A preliminary criticality determination is made using the values in the table below.7 Criticality Assessment One of the simplest ways to address this is to undertake a preliminary criticality analysis. Prior to the Stage 2 workshop.

Top Down Techniques However critical vulnerabilities (xxx) can be analysed further in a number of ways. Profiling enterprise risk using the risk matrix approach is very popular and is described further in ensuing sections. This depends on the nature of the analysis. political involvement’s) Extortion Picketing/demonstrations Pilferage and Theft Industrial espionage Storm (wind. lightning. landslides) Discrimination Electrical Assault Noise and Vibration Defamation Totals 5 6 9 9 9 7 9 8 9 9 9 6 3 10 9 8 4 2 2 0 3 0 2 0 138 8 5 10 6 5 6 10 6 10 10 10 9 2 0 5 2 5 5 2 0 1 0 2 0 119 5 5 5 3 3 3 7 5 5 5 5 1 4 0 5 3 3 1 6 4 4 5 3 2 92 9 4 10 5 4 4 0 7 0 0 0 0 4 0 0 5 0 5 0 0 0 0 0 0 57 2 5 2 2 2 2 2 1 2 2 2 1 2 6 2 1 2 1 2 6 2 4 0 2 55 8 4 0 10 10 0 0 0 0 0 0 0 2 8 0 1 0 0 0 0 0 0 0 0 43 0 3 0 0 0 5 0 0 0 0 0 8 2 0 0 0 4 2 0 0 0 0 0 0 24 0 4 0 0 0 2 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 0 0 0 12 37 36 36 35 33 29 28 27 26 26 26 25 25 24 21 20 18 16 12 10 10 9 7 4 540 Reputation Comp Edge Staff Operability Public Env/ Habitat Information Bldg/ Facility Totals Sample Vulnerability Matrix of a Business 7. goods releases) Spill Malicious damage and contamination Biomechanical (incl personal injury) Scandal (eg. The sum of the scores in the rows indicates the belief as to the most serious threats the organisation faces. A sample vulnerability matrix for a business is shown below. hail. frauds. ASSETS >>> THREATS Chemical (fire. In this case scores are out of 10. However other techniques can be used depending on the nature of the issue. The sum of the scores in the columns indicates the best collective belief of that organisation as to the key assets that are most susceptible to possible threats. explosion. floods) Contamination Harassment Alcohol/drugs Suborning of staff for fraud or collusive theft Bomb (threats) and hoaxes Gravitational (falls. The highest individual scores represent critical areas of vulnerability that should be addressed.10 Risk & Reliability Associates Pty Ltd . dang. fires. poisons) Bomb Statutory non-compliance Pollution (oil spills. falling objects.

K. LIKELIHOOD Almost Certain A B C D E Likely Possible H H E E E M H H E E L M H E E L L 1 E = extreme risk. Other systems use a 1 to 5 category for both likelihood and consequence. The use of logarithmic scales seems to resolve a number issues since this ensures that lines of constant risk are created which makes such presentation tools more intuitive and user friendly.11 . each number represents a change in the order of magnitude if the scales are log log in nature. manage by routine procedures Unlikely Rare L L Minor M H E M H H Moderate Insignificant 2 3 Major Catastrophic 4 5 CONSEQUENCE Example of Risk Definition and Classification (after AS 4360:1999) Three methods of risk presentation are possible and are shown below. immediate attention required H = high risk. both revised versions of earlier standards). the top score is 25 for both systems. senior management attention required M = moderate risk. The Australian Standard matrix at the top of the page does not appear to be based on either the hyperbolic or the linear system. Such a matrix can be greater or less than 5x5 matrix on either scale. Ministry of Defence. The first is a linear risk profile concept.3. 7x5 is common for very large organisations and 4x3 or 2x2 for small projects.8 Risk Characterisation A risk characterisation matrix framework is a very common approach such as that described in Appendix E of the Risk Management standard (AS/NZS4360:1999) and shown below. S. That is. This appears to have been adapted from earlier military work (U. The second is hyperbolic in nature with the product of the two values being used.Top Down Techniques 7. However the linear system indicates exactly where the risk lies since a unique number describes each point on the chart. 3 value scores 13 in the linear system but 9 in the hyperbolic system thereby deeming it much less important and therefore demanding less organisation control effort. That is. management responsibility must be specified L = low risk. but a vulnerability with a 3.1996 and U. 5 15 10 19 14 9 22 24 25 5 4 5 10 15 20 16 12 8 25 20 15 10 5 4 Likelihood 3 6 7 8 9 10 4 Likelihood 3 18 13 8 4 3 3 21 17 12 7 44 23 20 16 11 5 5 4 3 2 1 1 8 6 4 2 12 9 6 3 3 5 4 6 5 7 6 5 4 8 7 6 5 9 8 7 6 5 6 3 1 Likelihood 3 2 2 1 5 2 2 2 2 1 2 1 11 4 2 2 2 1 4 4 5 5 11 2 3 3 44 Consequence Severity Consequence Severity Consequence Severity Risk Assessment Charts The hyperbolic ranking system provides for a much greater scatter between identified vulnerabilities. Risk & Reliability Associates Pty Ltd 7. less time and money will produce substantially greater results. This may make the third most mathematically pure but appears to be the least common. The third in effect sums the numbers as logarithms. Department of Defence. That is. 2000.

JSA QRA etc. However.000 loss is probably devastating for most domestic situations. 7. RCM requirements and OH&S issues can compete for scarce capital. How can an organisation come to grips with such issues without an overall top down risk framework? Enterprise Risk Management Business Context Top down Low level top down or High level bottom up System Sub-system Context FMECA. Assembly Bottom up Component Enterprise Risk Framework The above enterprise risk framework diagram describes one understanding. when the risk assessment of the environmental group competes with the risk assessment of the HazOp group and the JSA group for resources a very difficult situation can arise. This is appears necessary when there are competing risk agendas and limited capital available.12 Risk & Reliability Associates Pty Ltd . Catastrophic may be $1 billion for some companies whereas a $100. An example of a consequence table is shown the table below.1 Determining Risk Matrix Values One simple method for developing the consequence values of the matrix is to consider a loss that would prove catastrophic to the organisation and stepping back in order of magnitude changes from catastrophic to noticeable. Note also that loss of reputation and other intangibles account for the vast majority of loss. HazOp. environmental issues. For example. The loss values can vary for different organisations. This is different for different organisations. When activities are undertaken bottom up. not just directly measurable items.Top Down Techniques 7. 7. The table should reflect the full range of loss values. each specialist group comes to an internalised understanding of what is important to the organisation. The critical aspect is the range of the consequences.4. underwriting requirements.4 Enterprise Risk Profiling Ultimately there must be an enterprise view of how identified risk issues should be characterised. A high level business risk framework can normalise the value systems of the competing groups saving considerable time and much frustration.

for example: Almost Certain Likely Some Chance Unlikely Rare Once per year Once in 10 years Once in 100 years Once in 1.000 $100.000 Breach of Statutory EPA Regulations $10 M Successful prosecution for breach of privacy $100 M Widespread access to confidential records Breach of statutory.Top Down Techniques Consequence Rating>> Critical Success Factors Reputation & Competitive Edge 1 Noticeable 2 Important 3 Serious 4 Major 5 Catastrophic Magistrate's Court Action Serious complaint Local Press County Court Action Adverse ministerial comment in State Parliament State Press Supreme Court Action Adverse ministerial comment in Federal Parliament $1 M Isolated release of private information Isolated database hacking EPA Fine National Press Court of Appeals of a Supreme Court OR Federal Court Action International Press High Court Action Financial Performance Compliance.000 years Typical Likelihood Values for an Organisation The use of combined logarithmic values for each scale provides for lines of constant risk. Corporate Governance & Information $10. regulatory or contractual obligations Ongoing and extensive database hacking or fraud 10 deaths Massive industrial disputes Loss of a major infrastructure facility due to earthquake.13 . etc Occupational Health & Safety and Environment Minor injury Temporary serious injury Permanent serious injury or disability Ongoing staff harassment or abuse Minor structural damage 1 death Significant structural damage due to fire etc Sample Consequence Table Likelihood for an organisation is usually done on a frequency basis. Risk & Reliability Associates Pty Ltd 7.000 years Once in 10.

Due Diligence. An immediate payback can then be visually seen. or regulator. Class I (intolerable – except in extraordinary circumstances) Class II (undesirable – unless risk reduction is impracticable or the cost of reduction would exceed the improvement gained) Class III (tolerable – if the cost of risk reduction would exceed the improvement gained) Class IV (broadly acceptable – negligible risk) Class V (acceptable – trivial risk) Class I is broadly equivalent to the ‘Extreme’ category in the Australian Standard. judge or jury.Top Down Techniques Each critical vulnerability can then be placed on the risk matrix as shown below. IV. whether it be shareholders. But a process like this makes it transparent to any whom wish to know. the final decision for action is individual to an organisation.4. The categories given in AS(IEC) 61508:2000 are instructive. LIKELIHOOD Almost Certain A B C D E Likely Some Chance Unlikely Rare H M L L L 7 H H M L L 2 5 E 1 H H M M 3 4 E E E H H 6 E E E E H Catastrophic Noticeable 1 Important 2 Serious 3 Major 4 5 CONSEQUENCE Sample Risk Profile One of the simplest approaches is to place a dot on the current risk position as shown above and another on the revised location after proposed the risk control is in place. ‘Moderate’ or ‘Low’ using the Australian Standard risk terminology. 7. As noted in section 4. or V. Class III is equivalent to the ‘Moderate’ category whilst the remaining two classes equate to the ‘Low’ category. The summary of all the dots on the matrix is in fact the unmitigated risk profile for the subject organisation. Hence all residual risks should be Class III. Class II is broadly equivalent to the ‘High’ category. LIKELIHOOD Almost Certain A B Likely Some Chance C D E H H E E E M H H E E L M H E E 1R 6R 4R Unlikely Rare L L 7R 3R L L Important 2R M H E M H H 5R Noticeable 1 2 Serious 3 Major 4 Catastrophic 5 CONSEQUENCE Sample Residual Risk Profile Residual risks (those that remain after risk mitigation) can and should be classified.14 Risk & Reliability Associates Pty Ltd . that is. as shown below.

5 Project Risk Profiling Projects to have an interesting conceptual risk profile. That is. Flow Chart for Project Vulnerability Assessment Risk & Reliability Associates Pty Ltd 7. it is a downside risk assessment process from an assumed upside risk position.Top Down Techniques 7. Again the vulnerability approach can be used as shown below. The upside risk position is assumed in the proposal.15 . The risk analysis generally focuses on those issues which will prevent the assumed upside benefits from being achieved.

That is. The average wet weather loss expectancy is then 3 days for the project. likelihood is usually done on a probability rather than a frequency basis since the likelihood is related to the project which may extend over many years. 7.Top Down Techniques The analysis can be done at any stage in the project’s life cycle depending on the project’s nature. For a project. the loss events do not overlap. Chapman and Ward. Project Delivery Financial Performance Occupational Health & Safety Environmental Consequence Rating 1% time overrun 1% budget over-run Minor injury 3% time over-run 3% budget overrun Temporary serious injury EPA Reportable incident 2 Important 10% time over-run 10% budget overrun Permanent serious injury or disability 3 Serious 30% time over-run 30% budget over-run 1 death 100% time over-run 100% budget over-run Multiple deaths Major spill or bushfire 5 Catastrophic 1 Noticeable 4 Major Typical Consequence Values for a Project If the project delays and costs can be usefully characterised then contingency sums and delays can be estimated. Such a life cycle is shown below. For example. 1997) If done on a 5x5 matrix. This can be simply done by calculating the loss expectancy of the residual risks and then summing these. Such an approach assumes that each risk being considered is discrete. wet weather is estimated at a 50% chance of 6 days. risk characterisation requires further consideration.16 Risk & Reliability Associates Pty Ltd . STAGES OF THE PLC Conceive Design Plan Allocate Execute Deliver Review Support ROLES FOR RISK ANALYSIS Identifying stakeholders and their expectations Identifying appropriate performance objectives Setting performance criteria Assessing the likely cost of a design Identifying and allowing for regulatory constraints Determining appropriate levels of contingency funds and resources Evaluating alternative procurement strategies Determining appropriate risk sharing arrangements Identifying remaining execution risks Assessing implications of changes to design or plan Identifying risks to delivery Assessing feasibility of meeting performance criteria Assessing effectiveness of risk management strategies Identifying of realised risks and effective responses Identifying extent of failure liabilities Assessing profitability of the project Applications of Risk Management in the Project Life Cycle (adapted from Project Risk Management. for example: Almost Certain Likely Some Chance Unlikely Rare 100% chance of occurrence during the project 30% chance of occurrence during the project 10% chance of occurrence during the project 3% chance of occurrence during the project 1% chance of occurrence during the project Typical Likelihood Values for a Project To ensure lines of constant risk the consequence scale thus also needs to be (semi) logarithmic.

Risk Management. 10 February 2000. Safety Management Requirements for Defence Systems. Standards Australia. Australian/New Zealand Standard AS/NZS 4444. Robinson Richard M. John Wiley and Sons. UK.17 .2:2000. Standards Australia/Standards New Zealand (2000). Standards Australia/Standards New Zealand (1999). Risk & Reliability Associates Pty Ltd 7. MIL-STD-882D. Kevin J Anderson (2003).Top Down Techniques REFERENCES Chapman C and Ward S (1997) Project Risk Management. Australian/New Zealand Standard AS/NZS 4360:1999. pp 149-158. Ministry of Defence (UK). Defence Standard 00-56(PART 1)/Issue 2. Functional Safety of Electrical/ Electronic / Programmable Electronic Safety-related Systems. John Wiley & Sons. Chichester. Department of Defense (USA). READING Grey Stephen (1995). ISBN 1 901808 22 X. Part 1: Requirements. Information Security Management. Table is from page 27. 13 December 1997. University of Dundee. Australian Risk Management Standard (AS 4360:1999) Standards Australia/International Electrotechnical Commission AS/IEC 61508:2000.K. Proceedings of the Fifth International Conference on Safety in Road and Rail Tunnels. Practical Risk Assessment for Project Management. Lessons from Cause-Consequence Modelling for Tunnel Emergency Planning. Gaye E Francis. Chichester U. Standard Practice for System Safety.

they have many similarities especially in the methods of risk characterisation. This process is also described in detail in Chapter 10. the process requires that a detailed functional statement of a contract. and the benefits of corrective action can be easily seen. as they would be conducted by the insurance industry. 8.1 Vulnerability Registers A Vulnerability Register is derived from a top down process. but directed at reliability rather than risk issues. HazOp. the process requires that critical success factors be identified for an enterprise (the assets). or “common mode” failures. These focus on Property Loss matters.3. which can have serious liability implications.1.4 Hazard (OH&S) Registers The focus of such studies is obviously human safety and can incorporate a number of the Vulnerability and HazOp techniques. Risk & Reliability Associates Pty Ltd 8.3 FMECA Registers A FMECA (Failure Modes. 8.1.1. Common risk registers include Vulnerability. 8. which result from simultaneous failures.2 HazOp Risk Registers A HazOp (Hazard and Operability) risk register is derived form a bottom up process.5 Property Loss Prevention Registers Property Loss Prevention Registers are also described in Section 8. If so. typically based around assessments. The primary weakness is that it may fail to spot problems. FMECA and Property Loss Prevention. Assets that are vulnerable to threats can have a risk characterisation (business impact assessment) made to establish priorities. 8.3 of this chapter. Vulnerability Assessments. Bottom Up Techniques. The primary weakness of such an approach is that the identified vulnerabilities can be merely areas of concern and insufficiently precise to ensure that action can be targeted effectively. Accordingly.Ranking Techniques 8. Effects and Criticality Analysis) is another form of bottom up risk assessment.1 Ranking Techniques Risk Registers A Risk Register is an action list of identified problems ranked by risk criteria. A list of potential threats is then developed. Bottom Up Techniques. They all have a common purpose: to establish tactical and strategic weaknesses so that they can be managed before they manifest themselves as real pain to an organisation. 8. project or process be available. although in practice HazOp and FMECA seem to be pretty much interchangeable. The primary benefit of such a process is that real resources are only spent on vulnerabilities rather than threats. In summary. very similar to HazOps. Hazard (OH&S). Each functional element is examined using a series of predetermined guidewords to see if its failure will cause problems.1 .1.1. It is described in detail in Chapter 10. The nature of a register varies according to the techniques by which the problems were identified and the manner of the risk characterisation. In summary. It is described in detail in Chapter 7. The principal benefit of a HazOp process is that it is very specific. action is proposed. 8. so called "common cause".

can be expressed as the product of the two. 8. the probable risk control effectiveness of the proposed recommendation and an estimate of its cost. 8.1 Lines of Constant Risk 1x10 -3 Lines of Constant Risk 1x10 Likelihood of Occurrence 1x10 -4 Higher Risk (Dangerous) -5 Lower Risk (Safe) 0. On average it does appear that for a tenfold decrease in likelihood there is a tenfold increase in severity for pure risk events. To achieve such a result requires that for each identified hazard an appropriate recommendation is made and the following parameters determined: • • • • the likelihood of the event occurring.Ranking Techniques 8.2 Risk & Reliability Associates Pty Ltd . This means that if it can be shown that the injury severity can be decreased by a factor of ten then its likelihood can be increased by a similar factor and vice versa without changing the overall risk.1 1 10 Severity of Consequence 100 1x10 -6 Lines of Constant Risk If such a concept is adopted then a simple spreadsheet risk assessment and solution ranking method can be developed. On log-log paper this is a line of constant risk.2 Ranking Acute OH&S Hazards Organisationally risk normally follows a hyperbolic profile. all other aspects being equal.2. This is based on the notion that risk is a function of both severity and frequency and. This concept is shown on a log-log graph as a line at 45 deg and is represented below. Such a view is consistent with the accident risk triangle espoused by Bird and Heinrich. the anticipated most probable of severity outcome for that occurrence.

That is: Likelihood = Exposure x Probability of injury where and Exposure is the number of trials per time period Probability is a number between 0 and 1. This can also be done in a spreadsheet form. Proposed Measure Provide foam padding Likelihood per year 1 Consequence Severity 25 Control Effectiveness 90% Control Cost $ 100 Risk Reduction Rating 22. consider a tripping hazard due to wrinkled carpet. How many times in a working day does a typical employee step over the carpet? How many employees typically do this? How many days does a typical employee work? The product of all these numbers will give a first approximation as to the number of trials per annum. The product of the likelihood of the event occurring per annum and the expected severity of the outcome measures absolute risk. Greatest risk reduction per dollar spent is calculated by the formula: Likelihood x Severity x Percentage risk control Total capital cost of recommendation If historical data on injury frequencies and severity is not available then a risk estimation can still be made for any hazard by developing exposure data.5 Spreadsheet Risk Calculator Absolute severity is the greatest expected measure of consequence for a particular hazard in whatever units are being used.3 .2 Spreadsheet based Acute Hazard Quantification Provided an assessment of the likelihood and consequence severity of a hazard can be made then a simple spreadsheet risk calculator can be devised as shown below. Trials per time unit per person 2 Time units pa 240 People per shift 10 Shifts 2 Trials pa 9.Ranking Techniques 8.2. For example.600 Probability of injury per trial -4 1 x 10 Likelihood of injury pa 1 Quantifying Exposure and Likelihood Risk & Reliability Associates Pty Ltd 8.

a.) (days lost) 0.) (%) (p.a.a.a. Provide foam 0.) per trial measure per person p. 1 Trials per Time Proposed People Exposure Probability control time unit units Shifts per shift (trials p.8.0001 10 9600 2 2 240 for head bump potential Sample Spreadsheet Hazard Register Risk & Reliability Associates Pty Ltd .96 100 25 24 90 21.6 1 Ranking Techniques Item No.4 Control Severity Injury Control Payback Rank Risk (days effectiveness Priority frequency rating cost ($) score Order lost p.

Exposure (Time Units p.000.5 .000001 = = = = = = = 1/1 1/10 1/100 1/1.00001 0.000+ 100% 90% 50% 30% Helpful Ranking Figures Risk & Reliability Associates Pty Ltd 8.Ranking Techniques A table of helpful figures is provided to facilitate risk ranking.01 0.1 0.a.000 24000 per year 2000 per year 240 per year 48 per year 11 per year 1 per year Days Lost 0.000 1/1.) Constant (every 5 working minutes) Hours (typical working hours) Days (working days per year) Weeks (typical working weeks) Months Years Reasonable Severity Potential (after Viner 1991) Medical and Temporary Partial Incapacity (Hit thumb with a hammer) Temporary Total Incapacity (Unconscious) Permanent Partial Incapacity (Maiming) Permanent Total Incapacity/Death Multiple (typical 3) Deaths Probability of Injury per Trial Certain Imminent Probable Likely Unexpected Remote 1 in a million 10-0 10-1 10-2 10-3 10-4 10-5 10-6 = = = = = = = 1 0.5 25 275 6000 18000 Recommendation Effectiveness (Anticipated Risk Reduction) Total removal Design Administration Training Recommendation Cost Maintenance Budget Item Annual Budget Item Capital Works Item $100 $1.000 1/10.000 1/100.000 $10.0001 0.001 0.

0.a. they are not true for individual risks.048 pa. Whilst such lines may be true on average for all risks.a.a.000 $100. 0. 0. 0.000048 p. Likelihood is on a probability basis and would need to be multiplied by the number of trials to obtain the actual expected number of expected injuries.000.000. 0. 0.0048 p.000.000+ Property (dollars) $1. It is almost certainly not a line of constant risk. It is therefore prudent to characterise the most probable consequence severity first and then to characterise the likelihood of the occurrence of that consequence severity. 0.a. the risk of tripping on a footpath is more likely to cause injury than death whereas the risk associated with falling off a high rise building is far more likely to cause death than injury.2 p. 11 p.Ranking Techniques These figures can be extended to the below. 0.000 2.a. The object is to ensure that the worst point on the risk curve for an individual risk is chosen for characterisation.a. 0. 1/10.000 $100. 0.24 p.5 25 275 (1 death ) 6.000. Adapting the figures above to the nearest order of magnitude provides the following scales.000 Environmental Regulatory/Media Local media (non-metropolitan) Local media (metropolitan) National media.a.0001 p.a.00011 p.a.a.2. 0.000001 p. They are drawn as though on log-log graph paper so that a 45 degree line would represent a line of constant risk. 48 p.3 Precautionary Ranking Note Care should be used when selecting a point on a line of constant risk as a system of risk characterisation.000 $10. 0. The first provides for a rapid calculation of expected accident frequency. Severity Noticeable Important Serious Severe Critical Catastrophic OH&S (days lost) 0.0024 p.000 1 in 1.a. 0.a. 1 p.a. Figures to Calculate Expected Accident Frequency The second table provides for a typical first order correlation between injury severity.a. 1 day lost 10 days lost 100 days lost 1. For example.011 p.24 p.000 p.a. there is a unique risk curve for each hazard.a.a. loss expectancy and public response in the form of environmental.000 1 in 100.a.a. 0.024 p.a. Probability 1/100 24 p. They are very subjective risk curves based on the experience of the authors. 2. 1/100.000 $1.000.000 Probable Likely Unexpected Remote 1 in a million Likelihood Scale 8.000 $10.a. 240 p. 0.00001 p.a.0011 p.a.024 p.a. 0.000 (3 deaths) 18.000 (3+ deaths) 18.000 p. 0.002 p.a.001 p. regulatory and media impact. 2 p.000011 p.00048 p.a. 0.a. Exposure 24. 0. A sample list of possible risk curves follows.00024 p.000 0.02 p.4 p.000 1 in 10.6 Risk & Reliability Associates Pty Ltd .000 0.000 days lost Medical and Temporary Partial Incapacity Temporary Total Incapacity (Unconscious) Permanent Partial Incapacity (Maiming) Permanent Total Incapacity/Death Multiple Deaths Consequence Scale 1 in 100 1 in 1. local regulation National media & regulation Int’l media & national regulation Estimated Expected Severity 8.a.000 days lost 10. Consequence is represented as days lost. That is. 1/1.a.

000 Remote 1 in 1.000 1 in a million 1 10 Temporary Total Incapacity 100 Permanent Partial Incapacity 1.7 .000 1 in a million 1 10 Temporary Total Incapacity 100 Permanent Partial Incapacity 1.Ranking Techniques 1 in 100 Probable 1 in 1.000 Multiple Deaths Medical and Temporary Partial Incapacity Risk Curve for Trip on Paving Hazard 1 in 100 Probable 1 in 1.000 Unexpected 1 in 100.000 Likely 1 in 10.000 Multiple Deaths Medical and Temporary Partial Incapacity Risk Curve for High Voltage Electrocution Hazard Sample Possible Risk Curves of Particular Hazards Risk & Reliability Associates Pty Ltd 8.000 Permanent Total Incapacity /Death 10.000 Unexpected 1 in 100.000.000 1 in a million 1 10 Temporary Total Incapacity 100 Permanent Partial Incapacity 1.000 Multiple Deaths Medical and Temporary Partial Incapacity Risk Curve for Manual Handling Hazard 1 in 100 Probable 1 in 1.000 Likely 1 in 10.000 Unexpected 1 in 100.000 Permanent Total Incapacity /Death 10.000 Permanent Total Incapacity /Death 10.000 Remote 1 in 1.000 Likely 1 in Remote 1 in 1.

Paint the edge brightly 2. greatest risk reduction per dollar spent Absolute severity reflects the need to ensure that anything with (multiple) death potentials has been seriously considered. for all foreseeable conditions) Risk 23 143 Severity 25 6000 Cost 100 1000 Payback 207 143 264 275 1000 132 1031 275 5000 103 2639 275 20000 92 26 275 1000 13 7 25 1000 6 Sample Hazard Register Sorted by Greatest Risk Reduction per Dollar spent (Payback Score) 8. Discontinue the use of the blow down gun in favour of a suitable vacuum cleaner. So if an expensive solution has been proposed when a cheaper one was available then due diligence may not have been satisfied. This imposes severe back strain problems. 3. Jumping out of truck holding goods. Any slack in the chain would enable the trailer/ramp to separate. a proper access ladder or complete hand railing.. Controls Provide foam padding in addition to the stripe indicating surface. Mark a "no walking" area. The results of such work can be represented by tabular outputs such as that shown below. Provide a large non-slip step down. This really requires a redesign of the loading operation in this area to conform to AS1657. The spreadsheet calculator described will score badly risk control solutions that are expensive and/or inefficient. The stairway of Building 1 has slippery surfaces. This is difficult to effectively achieve. mechanical damage potential and eye injury to personnel. Remove flexible air hose. Provide induction and training. Resurface the stairs with a non slip surface. The ramp safety chain fastening appears inadequate. The dock should be guarded against fall potentials when not actually in use. The platforms by the discharge chute do not have kick boards.Ranking Techniques In the authors' experience the most appropriate order in which to consider such matters are: * * * absolute severity absolute risk. desirably 0.5. 2. 1. Statement of Risk Head bump potential exists at the end of the conveyor Use of blow down gun on conveyor provides for embolisms.8 Risk & Reliability Associates Pty Ltd .4 min. Provide a small raised wooden edging. Minimum options are: 1. (coefficient of friction 0. Provide a welded stanchion down to bumper level so that the chain is horizontal and slack is minimised.

Emergency procedures. Transportation. 6.9 . 6. Chemical purchasing procedure 2.2. Design or Physical Control (engineering) 3.4 Process Review Reviewing the process: i) ii) iii) iv) v) vi) Simultaneously identify the hazard and a possible solution Select a realistic maximum injury severity for that hazard Assess exposure and probability per trial to determine the frequency sensible for that consequence severity Conduct a reality check. Training (Work Method Controls) (personnel) 5. Awareness of emergency procedures. Provision of personal protective equipment. Provision of storage facilities 2.corrosive properties 1. Change rooms and Procedural Controls 1. handling and storage practices. 1. Chemical register. Maintenance of equipment. Splash and leak proof containers. 3. use and care of personal protective equipment.toxic properties Engineering Controls 1. Ventilation equipment 3. Chemical purchasing procedure. Training in the selection.asphyxiant properties 1. CHEMICAL EXPOSURE . PPE (Personnel Protective Equipment) Effectiveness 100% 90% 50% 30% 20% Some examples of the above categories are given in the table below: Occurrence Type CHEMICAL EXPOSURE . Training in the selection. Atmosphere assessment equipment 2. Maintenance of equipment. 2. risk reduction and ranking. 6. 3. 3. Ventilation systems. Equipment Maintenance Personnel Controls 1. 2 Information on toxic properties and routes of ingestion. 2. 5. 4.Transportation. Information on toxic properties and routes of ingestion 1. 8. Emergency procedures 1. Provision of personal 4. CHEMICAL EXPOSURE .2. Design for containment 2. Chemical register. use and care of personal protective equipment. Work Permit systems 2. Removal or Elimination 2. 2. Provision of showers and eye washes. Maintenance of equipment 7. Administrative Control (procedural) 4. 1. Chemical register. 2. handling and storage practices. Provision of personal protective equipment 4. Examples of Risk Control Measures Risk & Reliability Associates Pty Ltd 8. showers etc. 2. Provision of Containers 1. 5. "Is that frequency sensible for that consequence severity?" Select solution's control cost and risk control effectiveness. Medical monitoring programs 5.Ranking Techniques 8. Awareness of emergency procedures. 3.5 Risk Control Measures There are five general categories for risk control: and explosion effects CHEMICAL EXPOSURE . 2. Awareness of hazardous properties. Emergency procedures 1. Harnesses and air supply equipment 1 Awareness of hazardous properties. handling and storage practices. Calculate risk. Transportation. Chemical purchasing procedure.

(∆ Annual Loss Expectancy .) = 3. (pa) Hot Spot Freq.7 years to pay back. if the projected cost of the event is $1m and it occurs once every 10 years then $100.Maintenance Cost p. This will reduce the annual loss expectancy by 90% from $30.000. For example.a. (pa) Total Event.000 per year should be set aside to pay for the cost of loss.000 per year. Maint. there will be a saving in the cost of ownership of $27.000 3. if a risk control option can be implemented then it should reduce either the likelihood or the severity of the loss event substantially. That is how much money would need to be put aside each year to pay for the cost of loss if no insurance were purchased.) 8.a.000.01 100 2. Backg'd Event Freq. The existing sprinkler system was designed for solid pile storage. The new conveyor system shields the overhead sprinklers and a new row is required under it. This follows from the Loss Rate Concept (Browning R L 1980). Loss Expectancy Post.000 1.000 ($27.Ranking Techniques 8. Cost $ pa Rec.000 27.$100 p.000 3.000 pa . The key concept is the total cost of risk.3 Ranking Property Loss Prevention Hazards An example of a property hazard risk calculator is given in the figure below. perhaps 90%. However.000 per year.000 3.000 it will nominally take 3. Capital Cost $ Rec. Effectiveness % Pre. Thus if the cost of the improvement is $100. The formula is: Payback Period (Years) = So in the above case: Payback Period (Years) = $100. It is a direct measure of the risk of the event. Loss Expectancy ∆ Annual Loss Expectancy Payback Period (years) 100.7 Property Loss Payback Calculator The definitions for each of the items above follow on the next page. Freq. Rec.01 0.10 Risk & Reliability Associates Pty Ltd . (pa) Years Between Events Asset Damage $ Business Interruption $ Severity (PD + BI) $ 0. It is inadequate for multiple row rack storage and in-rack sprinklers or a very serious increase in overhead sprinklers protection would be required.000 100 90 30. That is.7 years Recommendation Cost .000. Property Loss Prevention Program Major Recommendation Register Recommendation No:1 Date: Monday 15 March 1996 Recommendation: Installing in-rack sprinklers in the multiple row racks in the raw materials warehouse and under the finished goods conveyor is required to make the sprinkler protection effective.000 per year to $3. Rec. For property damage the product of the likelihood of the loss event and its expected frequency is the annual loss expectancy.000 Rec.

and Post Recommendation Loss Expectancy This is equal to: Recommendation Cost (∆ Annual Loss Expectancy . This needs to include any potential losses associated with the proposed solutions. For example. background frequency. This is the revised annual loss expectancy after the recommendation has been implemented. Effectiveness % Pre-Rec. which does not seem to be important for projects that have a payback of 3 years or less. An estimate of the expected loss of profits.) Years Between Events Asset Damage Business Interruption Severity (PD + BI) Rec. This is the annual loss expectancy and is the product of the Total Event Frequency and the Severity. An estimate of the expected property damage.) This excludes any discounted cash flow considerations.11 .a. It can be either a frequency reduction or a severity reduction or both. It is the Pre-Recommendation Loss Expectancy reduced by the Recommendation Effectiveness.Maintenance Cost p.) Total Event Freq. Cost $ Rec.Ranking Techniques 8. Loss Expectancy ∆ Annual Loss Expectancy Payback Period (years) Risk & Reliability Associates Pty Ltd 8. (p.1 Property Loss Calculator-Definition of Terms This is the expected fire frequency associated with the event.a.a. This is the difference between the Pre. an internal petrol bowser The sum of Background and Hot Spot Frequency The reciprocal of Total Event Frequency. Maint. An estimate of the control effectiveness of the proposed risk control solution. (p.a. Loss Expectancy Post-Rec. An estimate of the cost of maintaining the recommendation per year.3. in-rack sprinklers might be struck once a year by forklifts causing $10. a fire in a warehouse This is an assessment of unusual items which add a particular event frequency beyond the normal. For example. The sum of Asset Damage and Business Interruption.) Hot Spot Freq. For example. (p.000 damage on each occasion. Backg'd Event Freq.

Rank projects to provide the maximum rate of return. • • • Establish a balanced investment program. In our experience. directors do not respond to computer screens. Corporate Morale. But projects which improve reliability or reduce risk can provide for superior investment. determining dollar benefits for the issues of Public Relations.12 Risk & Reliability Associates Pty Ltd . However. A spreadsheet example of a possible layout is included at the conclusion of this chapter 8. determining dollar values for Commercial Benefits and Maintenance Savings are relatively straightforward. Image Moral Value Reduction in Reduction in Risk Risk (Loss Expectancy Expectancy) Calculated as Investment Ratio or Years Payback Value Benefit Model Of the four forms of benefit identified in the figure above. that is financially based. Results of any investment assessment must be presented in ways that senior management can understand. The Benefits arising from a Solution to a Perceived Problem are: Savings in Maintenance Costs Commercial Benefits PR. and on clean crisp pieces of paper. A concept model is shown below. Such a payback assessment system should also. Assess the cost of providing a specified level of service. an integrated assessment process is needed.Ranking Techniques 8.4 Integrated Investment Ranking Capital investment proposals are often focused on new projects or schemes. To properly assess and compare different capital works projects. senior managers. Image and Reduction in Loss Expectancy is more complex.

000 $45.454 pa This is for a photograph Risk & Reliability Associates Pty Ltd 8.350 $157.000) pa $500 pa $99.000 $14. This means that any transformer that leaks will release oil directly to the creek.13 .500 $86.59 yrs A problem exists with a lack of oil traps on the storm water drains. The proposal is to install oil traps on each sub-station Investment Overview Cost Design Labour Materials Contingency Total Cost $12.954 pa $99.Ranking Techniques New Company Pty Ltd Project Investment Summary Project Description Years Payback: 1.850 Return Commercial Return Maintenance Saving PR Benefit Risk Saving Total Return (Summary over) $0 pa ($1.

000 99. ($1.000 per year to maintain.50 $0 $0 $5.95% Public Relations Benefits p.Ranking Techniques Commercial Return No commercial prospects noted.000 $2.954 p. Risk Saving Calculation Event Frequency per year Years between events Consequence Severity Asset Damage Business Interruptions Clean Up Cost Legal Cost Fines Management Stress Cost Public Relations Damage Total Severity Project Effectiveness 2.000 pa or $100. say 10 hours out of 8760 hours per year. $ 0 p. Risk Saving $ 99.10 8760 99. Maintenance Saving Will cost $1. Effectiveness: The only time when the oil traps won't work is during a raging storm.000 $3.a.000 $50.Comments Total cost to the organisation is 2 x $50.95% Small benefit to locals but no real positives 8. Project Effectiveness = = 8760 .a.000 pa.000 $30.00 0.a.000 $10.000) p.14 Risk & Reliability Associates Pty Ltd . PR Damage equals the cost to restore the Organisation's real name.a.

Washington. Viner D B L (1991). CompRail ‘92 Conference. Oxford. Table is on page 132. 2nd Edition. Risk & Reliability Associates Pty Ltd 8. J R Kennedy and T Beattie (1995). Robinson R M. Accident Analysis and Risk Control. Loss Prevention in the Process Industries. USA. Robinson R M and D Hyland (1992). Marcel Dekker. (3 Volumes). Lees F P (1995). Melbourne. Ranking of Infrastructure Renewals Taking into Account the Business Requirements of the Railway. Risk Based Investment Ranking. The Loss Rate Concept in Safety Engineering. VRJ Information Systems. ISBN 0 646 02009 9. Butterworth-Heinemann Ltd. UK.15 . Browning R L (1980).Ranking Techniques READING Anderson K J.

a.) per person p.a.) lost) (%) 0.0001 0. Proposed control measure Provide foam for head bump potential Trials per Time People Exposure time unit units Shifts per shift (trials p.) (p.6 1 .a.a.96 25 24 90 Control Payback Rank Priority cost ($) score Order 1 100 21.Item No. 2 240 10 2 9600 Injury Severity Control Probability Risk (days frequency rating (days effectiveness per trial lost p.

Modelling Techniques There are variety of analytical methods for risk and reliability modelling of the pure risk of technical systems documented in a range of standards and codes. The integrated presentation diagrams. analytical technical people generally prefer to use trees and block diagrams for the initial analysis at least. are generally more palatable to the public and the courts as they provide the most pictorial representation of the subject. as the name suggests.1 . which in this day and age appears to be a substantive component of any significant infrastructure control system.Modelling Techniques 9. A summary of the mathematics required to support these pure risk-modelling techniques is contained in Chapter 12. Trees Fault Trees Success Trees Event Trees (Consequence Trees) Dependency Trees Blocks Reliability Block Diagrams Dependence Block Diagrams Blocks vs Trees Integrated Presentation Diagrams Cause-Consequence Diagrams Threat-Barrier Diagrams Venn (‘Swiss Cheese’) Diagrams List of Modelling Techniques and Presentation Methods The choice mostly relates to the nature of the problem under investigation and the requirements of the audience to whom the analysis is being addressed. They are especially applicable to analysis of computer systems (functional safety assessment). Risk & Reliability Associates Pty Ltd 9. This chapter also contains a summary of the mathematics used for modelling market (speculative) risk. The ones that the authors have used successfully are shown below and will be discussed in this chapter. However.

a. Fuse Failure 2 x 10 OR -3 p. OR Power Failure 1 p. Quantify in probability and frequency terms the likelihood of ii) and iii). p. That is. Because of the logical hierarchy of the items. Bulb Burnt Out 2 p.a. both trees lead to the same general conclusion if the top event is similarly defined. Traditionally these have been drawn top-down and therefore the undesired event known as the "top event". it can be seen as a form of time sequence going from the bottom towards the top of the page. Determine the overall risk by aggregating all the known quantified hazards.002 p. From the risk engineer’s perspective. what independent things must conspire together to bring about an event. A 'Fault' Tree The fault tree leads to the conclusion that to minimise the likelihood of light failure. 9. (in the vast majority of instances).a. A “fault” tree is effectively a statement of what events have to conspire together to bring about an undesired outcome. or failure (risk). what are the possible outcomes? The general structure of such models was established in 1975 with the publication of the US Reactor Safety Study known as WASH-1400 and formally entitled: An Assessment of Accident Risks in the US Commercial Nuclear Power Stations (Reason. That is. perhaps its availability.1 Fault Trees The time sequence concept can be extended in several different ways using probabilistic concepts.1. The success tree in Section 9. its success objective. and having occurred. the reliability engineer has a distinct advantage. minimising the likelihood of bulb burnout provides the greatest contribution.a. the outcome of the success tree. Light Fails 3.1. the "top event" is defined in terms of what makes the system operate to its specification. Incorrectly Set Power Surge 1 x 10 -3 1 x 10 -3 p. The failures are all grouped together and contained in the idea of "unavailability" irrespective of whether the failure is due to a breakdown failure. The difficulty is in determining the input numbers and ensuring that there are no common inputs or process that are affected simultaneously by one external factor.Modelling Techniques 9.a.a. 9. 1990).2 Risk & Reliability Associates Pty Ltd .2 indicates that to maximise light availability it is most effective to improve bulb operability than any other aspect. Establish the possible sequence of events that could result from such occurrences (event trees). The basic steps are: i) ii) iii) iv) v) Identify sources of potential hazard Identify the events that could initiate such a hazard occurring (fault trees).1 Trees The heart of decision trees is the assumption that truly independent variables contribute to occurrences and outcomes.

reliability engineers conceptually prefer "success" tree analysis to "fault" tree analysis. Outcome Frequencies An 'Event' (or 'Outcome') Tree Risk & Reliability Associates Pty Ltd 9.9488 & Power Available 0.3 . No 0.9999 & Fuse Operational 0.a.05 0.a.1.Modelling Techniques 9.95 & Correctly Set 0.95 Yes Fire Start Frequency Sprinklers Effective? 5 large fires p. These traditionally have also been drawn top-down although in this case the time arrow would be moving from the top of the page towards the bottom of the page as shown below.a.3 Event Trees (Consequence Trees) An event tree is a similar device except that it answers the questions associated with a particular event occurring with several possible outcomes.1. 100 fires p. 95 controlled fires p. The concept is similar but the Boolean mathematics in the construction of the tree is reversed ('or' gates become 'and' gates) because of this focus on availability (the desired outcome) rather than the fault (the undesired outcome).9998 & Fuse Available 0. Reconsidering the light bulb fault tree example: Light Available 0.2 Success Trees It seems that because of this.9999 Power Available A 'Success' Tree 9.999 & Bulb Operational 0.

9.1. A dependency tree for an airline business is shown below. taxis. carparks Computers & Software Trained Operators Airline Dependency Tree Such dependency trees appear to be particularly useful for critical infrastructure assessments using the threat and vulnerability technique (Chapter 7. The likelihood of achieving the top objective could be assessed from the reliability of simultaneously achieving each of the sub-objectives. something most of the other techniques fail to achieve. Flying paying passengers Serviceable Aircraft Trained Aircrew Passengers Servicable Airports Reservations Systems Passenger Terminals Trains.4 Risk & Reliability Associates Pty Ltd .4 Dependency Trees The block diagram technique is powerful because it agglomerates all the detailed failure or reliability data into a single communicative overview at a system level.Modelling Techniques 9.3).

The block diagram technique is powerful because it agglomerates all the detailed reliability data into a single communicative overview at the system level.1 Blocks Reliability Block Diagrams Block diagrams are a simple way of representing complex systems diagrammatically. series.Modelling Techniques 9. something most of the other techniques fail to achieve. Risk & Reliability Associates Pty Ltd 9. For reliability work the representation will depend on the definition of success or failure (usually in terms of availability) adopted for the system. parallel (active redundant). m out of n units and cold standby. These are shown below: A Series System B Output S Output T Parallel or Active Redundant System X Y Z Two Out of Three System Output P Q Cold Standby Output Each block could be further reduced to other block diagrams. They can be used for both risk and reliability studies. (This is definitely art and not science). The key concept is to divide the system or process under consideration into sub-systems that are independent of each other and which all the interested parties can pictorially see and agree represents the system as a whole.5 .2 9. It is absolutely critical that as many interested parties as possible participate and sign off the block diagram as any modelling done is on the basis that the block diagram is an accurate representation of reality for the particular study sign off the block diagram.2. There are four basic configurations (BS 5760: Part 2:1994) namely. If it has multiple definitions (usually associated with alternate operating modes) separate diagrams may be required for each.

The figure below shows the equivalent dependence diagram for the RBD in section 9.2.6 Risk & Reliability Associates Pty Ltd .2. Failure A & Failure B Failure C Failure D & Failure E Sample Fault Tree Failure G (Failure D & E) Failure F (Failure A & B) or Failure H (Failure F. Success A Success C Success B Success D Outcome Success E Sample Reliability Block Diagram This can be redrawn as a fault tree. The advantage of fault trees is the mathematical convenience of modelling a large number of inputs using. the dependence diagram represents the cut set of a fault tree. spreadsheets. generally known as dependence diagrams (SAE ARP 4761). Just like fault trees have a logical opposite in success trees.2. The choice between the two techniques (or the use of both) depends on the scope of the analysis and presentation needs. in fact. a success block diagram. 9.3 Blocks vs Trees Block diagrams and success trees (and therefore fault trees) are interchangeable mathematically.Modelling Techniques 9.2 Dependence Block Diagrams A reliability block diagram is. It describes what elements have to work in order to get a successful output. In fact. there are also fault block diagrams. for example. Failure A Failure B Failure C Failure D Failure E Sample Dependence Diagram Dependence diagrams are particularly useful for analysing fault trees and checking both the logic and mathematics since they can easily be drawn on a spreadsheet. The advantage of block diagrams is the simplicity of high-level presentations. the cut set being the set of all ways the top event in the fault tree will be true. C or G) 9.3 with all relevant failure paths.

it could be anywhere along the chain. For level crossings it is the point at which the vehicle approaching the level crossing has inadequate stopping distance. decent air whenever they are occupied. probably revolves around confined spaces. more elegantly. the flashover may not occur with fatal results to the occupants. either by eliminating the threat or enhancing the precautions. Otherwise they would be considered a confined space. Risk & Reliability Associates Pty Ltd 9. For example.1). It is always better to prevent the problem.7 . with regards to airspace collision risk it is the point at which the two aircraft collision envelopes overlap.3. There are several arguments for this.4. In theory at least. in an analysis for an electrical authority with high voltage transmission lines the point of loss of control of energy was when someone or something penetrated the flashover envelope of the high voltage conductor (Chapter 15.3 9. than to try to recover the situation after control is lost. they become so close that the pilots cannot avoid each other. Vulnerability Manifest Threat Hit & Failed Precaution Fault Trees Loss of Control Miss Event Trees Concept 'Cause Consequence' Diagram In a complex situation a major difficulty is usually encountered in selecting the precise point of the loss of control event in such a cause consequence diagram. even during a fire/smoke incident. 1991) and to say that the event is the point at which control of the potentially damaging energy is lost. That is.4). This has been tested with numerous lawyers by R 2A on many occasions. A useful solution to this difficulty for a risk engineer is to use an energy damage model approach (Viner. The tunnels should only have sweet. It is possible they might be insulated from the road or it may be a very dry day and the actual envelope is a little smaller than usual. they have lost control of their kinetic energy (Chapter 15. The loss of control point is not always totally obvious. despite having entered this region with a fishing pole on the back of a vehicle. In fact the collision envelope is large compared to the aircraft.Modelling Techniques 9. For example. 1995). To fully describe a cause-consequence model requires 3 parameters. Due Diligence. It is just that the pilots have lost control over the outcome. a cause-consequence diagram (Lees. The simplest. It does not mean that they will collide. An example of a cause-consequence diagram for an inadequate stopping distance for a level crossing can be seen below. That is. The loss of control point for fire in a tunnel appears to be that fire size which overwhelms the usual air handling system (Chapter 15. the loss of control point is very important legally. As emphasised in Chapter 4. Emergency ventilation to prevent a situation becoming a confined space is an attempt to restore control and acts after the event. legally. precaution failure probability and the hit and miss balance (degree of vulnerability).1 Integrated Presentation Models Cause-Consequence Models Fault and event trees can be put together as shown below as a combined fault and event tree or. threat likelihood.6).

(It is necessary to include four cells for a particular item so that the line can come from the centre).10E-07 Road/Braking system fails 1. 9.99 1. That is. the balance of the significance of the risk verses the effort required to reduce it.89E-05 2. Train not heard Collision? Severe? 0. This actually parallels the OHS hierarchy of controls: elimination/engineering.00E-06 Yes 0.01 Extension? 1. the lawyers/courts always focus on the prevention side first.00E-01 Yes Train not seen 1.Modelling Techniques In terms of due diligence. Everyone can use them and share the model. Spreadsheets have become ubiquitous.10E-05 No Conditional Cause-Consequence diagram for an inadequate stopping distance for a level crossing t Advance crossing warning failure Train detection failure Driver fails to actuate brakes LOC stopping distance inadequate Stopping system fails Scrunch Deaths/injury/damage Coroner's inquiry Cause Consequence Diagram of a Level Crossing One of the primary advantages of cause-consequence models is that they can readily be prepared on spreadsheets with the border tool drawing the lines. Trying to restore control after the event is always difficult. Viable in this sense seems to mean the common law test of negligence.87E-06 dysfunctional 1. administration and PPE (personal protective equipment).1 Vehicle deaths? 1.9 Near miss Check Sum: 1. Cause-consequence models invariably demonstrate that control before the loss of control point is the only way to reliably prevent large scale multiple life loss scenarios when large energies and many people are involved. at least three assessment levels of precautions need to be considered: i) ii) iii) Not less safe – comparison with the current situation Best practice .8 Risk & Reliability Associates Pty Ltd . The latter can only be adopted if the other options are not viable. in ensuring no loss of control.00E-02 and Failure to 0.89E-08 detect train 1.10E-05 Stopping distance inadequate 2.00E-05 0.1 No 2. In practice.10E-05 0.what other organisations and comparable industries do to manage similar threats As low as reasonable practicable .00E-03 Car driver 1.10E-06 Loss of Control Injury/ Damage or Vehicle deaths 1.00E-05 0.89E-06 Crossing Lights not seen or Failure to apply brakes Hit 2.9 Train deaths 1.the balance of the significance of an additional precaution of defined safety integrity level versus its cost (a legally difficult process).

Manual Fire Control Deaths. They can be particularly useful in showing barriers that have effects on multiple threats such as that shown for the tunnel case study (Chapter 15. Fire in Heavy Commercial Vehicle Fire in vehicle in stalled traffic greater than 5 MW.6) below. threat barrier diagrams are another representation of causeconsequence models.9 . injury and damage Fire in Car Loss of Control DG Fire Auto Deluge System Emergency Ventilation Emergency Evacuation Traffic Congestion Control Prohibited vehicle enforcement Sample Threat Barrier Diagram for Fire in a Road Tunnel 9. These are expanded in more detail in Chapter 12.3.3. as drawn on a drafting package. James Reason’s use of this model type has provided the name “Swiss Cheese”.2 Threat Barrier Diagrams From the authors’ perspective.3 Venn (Swiss Cheese) Diagrams Venn diagram models are graphical representations of AND and OR gates. Mathematics. Traffic Density Radar Option Separation/ Segregation See and Avoid Near Miss Mid Air Collision Venn Diagram Model of the Series of Failures Required for a Mid-Air Collision Risk & Reliability Associates Pty Ltd 9.Modelling Techniques 9.

for example. If a single outside process can affect two inputs simultaneously then the model is compromised by what is termed a common mode or cause failure.003 0. Responding after major accident .after several hours Human Error Rates (Source: US Atomic Energy Commission Reactor Safety Study.01 0.01 9. The following figures stem from the failure rate of humans performing different tasks from the 1975 US Nuclear Reactor Safety Study. 9.4 Common Mode and Cause Failures The validity of any of these models rests on the independence of the inputs and failure mechanisms. This includes air and sea pilots. Numerous techniques including HEART (Human Error Assessment and Reduction Technique) and THERP (Technique for Human Error Rate Prediction) are described by Villemeur (1992) and Kirwan (1995) and recent publications by Leveson (1995). There are differences between errors of commission and errors of omission but the figures below have proven remarkably robust accurate for work undertaken by R2A. maintenance) Check List Inspection Walk Around Inspection High Stress Operations.5 1 0.Modelling Techniques 9. especially with diverse redundant systems. Lees (1995) and Swain (1983). Smith D (1993) makes a distinction between the two. The hardware may be diverse and the software written by different contractors using alternate software.after five minutes . 1975) Probability of Error per Task 0. a fire or corruption.1 0. car and train drivers and industrial situations generally. Common cause refers matters like a misspecification for software.001 0.5 Human Error Rates Key references in the field of human reliability assessment (HRA) include the seminal US Nuclear Reactor Safety Study (1975). which can be important. Type of Activity Critical Routine Task (tank isolation) Non-Critical Routine Task (misreading temperature data) Non Routine Operations (start up. A Common Mode Failure occurs because of a simultaneous failure of both systems due to an external agency.1 0.after thirty minutes .9 0. But the built in error will be reliably repeated by both systems. Each must be completely independent of all the others.10 Risk & Reliability Associates Pty Ltd . Common mode usually refers to a fire or power outage that can simultaneously damage both systems. Storey (1996) and Redmill (1997) also draw attention to the subject.first five minutes . a common cause failure. Common Mode Failures Common Cause Failures Accounting System Inputs Outputs Auditing System A Redundant System A Common Cause Failure is when both the systems fail because of a flawed input that each of the diverse systems processes incorrectly.

Based on successful testing of some 529 combinations of the software interlocking rules. not in themselves critical. failure probability per demand is 3/529=5.11 . at 95% confidence.001 0. checklist errors are notorious (1 in 10) and even critical tasks can evince error rates of 1 in 1000.01 0.Modelling Techniques Smith D (1993) summarises various sources.0001 0. recent Watchdog monitoring of several thousand train orders found a handful of mistakes.06 0.5 A coarse summary has it that human errors in trained tasks occur typically at the rate of 1 in 100 per demand. The following is an extract from this reference.001 0.1 0.0005 0.6 in1000. but suggesting a human error probability of 2 in 1000.00001 0. Type of Activity Simplest Possible Task Overfill Bath Fail to isolate supply (electrical work) Fail to notice major cross roads Routine Simple Task Read checklist or digital display wrongly Set switch (multiposition) wrongly Routine Task with Care Needed Fail to reset valve after some related task Dial 10 digits wrongly Complicated Non-routine Task Fail to recognise incorrect status in roving inspection Fail to notice wrong position on valves Human Error Rates (Source: Smith DJ 1993) Probability of Error per Task 0. according to Annex L of IEC 61508. Risk & Reliability Associates Pty Ltd 9. For example.

1993) 9. system interactions and maintenance regimes.42 Typical Component Breakdown Failure Rates Smith D (1993) summarises various sources of failure rates.42 28. Item Alarm Siren Alternator Computer-PLC Detectors-smoke-ionisation Motor-electrical-ac Transformers->415V VDU Lower 1 1 20 2 1 0.Modelling Techniques 9. He provides up to three figures.27 11.000 250. 9. The following is an extract from this reference. Item People Mechanical systems Electrical systems Failure Rates -2 10 per operation -3 10 per operation -4 10 per operation Generic Failure Rates 9.8 System Safety Assurance System safety assurance is a large domain and the subject of separate R2A writings and courses.12 Risk & Reliability Associates Pty Ltd .000 100.000 100.000 F/Million Hrs Life (yrs) Motor Gearbox Clutch Bearings Belts Tensioners 10 10 10 4 8 10 11.7 Generic Failure Rates Generic failure rates are useful for various forms of preliminary analysis.42 11.42 11. If there is only one figure it means his sources are in good agreement.000 100. certain elements are presented for introductory purposes. Two or three numbers means a scatter. For example. Item MTBF Mean Time Between Failures (Hrs) 100.000 125.6 Equipment Fault (Breakdown Failure) Rates The following table provides a list of typical breakdown failure rates for mechanical parts from work done by the authors. Much of the modelling described above is used for functional safety assessment pursuant to IEC61508:1998 (aka AS61508:2000). Nevertheless. It is emphasised that the data can vary according to operating environments.4 10 Failure Rates per million hours Most Upper 6 20 9 50 6 5 20 1 7 200 500 General Breakdown Failures Rates (Source: Smith DJ.54 14.

Military standards and specifications are out (except with a waiver) and commercial practices are in. For example. Up to up to up to up to up to up to up to up to up to 30 1 5 10 30 45 1 2 10 secs downtime pa min downtime pa mins downtime pa mins downtime pa mins downtime pa mins downtime pa hr downtime pa hrs downtime pa hrs downtime pa is is is is is is is is is 99.988584% 99.8.9. via Factory Mutual Safety integrity level Low demand mode of operation (Average probability of failure to perform its designed function on demand) –5 –4 ≥ 10 to < 10 –4 –3 ≥ 10 to < 10 –3 –2 ≥ 10 to < 10 –2 –1 ≥ 10 to < 10 Table of SIL Values 9.6.885845% availability pa availability pa availability pa availability pa availability pa availability pa availability pa availability pa availability pa or “6 nines” or “5 nines” or “4 nines” or “3 nines” Summary of Availability Numbers 9.1 Nines The table below summarises the different terminology sometimes used to describe availability.999049% 99.8.977169% 99. The table below is adapted from IEC 61508-1:7.991438% 99.2 SIL (Safety and Integrity Level) SIL is a measure of the probability that the safety related system will fail dangerous.3 COTS & SOUP High demand or continuous mode of operation (Probability of a dangerous failure per hour) –9 –8 ≥ 10 to < 10 –8 –7 ≥ 10 to < 10 –7 –6 ≥ 10 to < 10 –6 –5 ≥ 10 to < 10 4 3 2 1 High reliability is most simply and economically achieved by parallel low reliability systems.99% O Parallel Active Redundant Systems As a result. Risk & Reliability Associates Pty Ltd 9. A very simple example is shown in the figure below.994292% 99. a US Secretary of Defence (William Perry) memorandum officially changed the way the military develops and acquires systems.998097% 99. 99% X Y 99% 99. in June 1994.999905% 99.8. The value of SIL ranges from 1 (the lowest) to 4 (the highest).Modelling Techniques 9.13 .2. no longer are the commercial and military industrial approaches distinct. nondevelopmental items (NDI). and software of unknown pedigree (SOUP) but now military use of commercial designs is required.999810% 99. For years the military has had its advocates for the use of commercial off-the-shelf (COTS) equipment.

Fourth Edition. Maintainability and Risk. Oxford. Also know as AS61508:2000. (MIL-STD-2173AS ). Safety-Critical Computer Systems. Butterworth Heinemann. READING Department of Defence (USA) (1984). Loss Prevention in the Process Industries. Equipment and Components. Reliability Prediction of Electronic Equipment (MIL-HDBK-217). RCM II Reliability Centred Maintenance. Functional Safety of Safety Related Systems and Components. Practical Methods for Engineers. Norway: DNV Technica Standards Australia/Standards New Zealand (1998). London. VRJ Delphi 1991. Reliability Centred Maintenance Requirements of Naval Aircraft. Society of Automative Engineers. Leveson Nancy G (1995) Safeware .Heinemann Ltd. Reliability. Reason J (1990). Addison-Wesley. Moubray. A Procedure for Conducting a Human Reliability Analysis for Nuclear Power Plants. Perry William as quoted by Preston R. Human Factors in Safety-Critical Systems. Australian/New Zealand Standard AS/NZS 3931:1998. Washington DC. Weapons Systems and Support Equipment. 1995) Storey Neil (1996). Addison-Wesley. Risk Analysis of Technological Systems Applications Guide. Redmill Felix and Jane Rajan (editors 1997). US Atomic Energy Commission Reactor Safety Study (1975). (SAE ARP 4761. UK. Bart in Reliability Toolkit: Commercial Practices Edition. Washington DC. Accident Analysis and Risk Control. John (1992). NY. Human Error. Department of Defence (USA). Smith David J (1993). Reliability Analysis Center and Rome Laboratory. Guidelines and Methods for Conducting the Safety Assessment Process on Civil airborne Systems and Equipment. Factory Mutual Research Approval Guide (2001). Reliability of Systems. Taylor & Francis. (MIL-HDBK-338-1A). John Wiley & Sons. 9. A Guide to Practical Human Reliability Assessment. Hovik. (3 Volumes). Butterworth Heinemann. Swain Alan D and Bell Barbara Jean (1983). Oxford. International Electrotechnical Commission (1998). Functional Safety of Electronic/Programmable Electronic Safety Related Systems. Department of Defence (USA) (1986). Electronic Reliability Design Handbook. Cambridge University Press. Part 2: Guide to the Assessment of Reliability (BS 5760: Part 2). 2nd Edition. Viner Derek (1991). Villemeur Alain (1992). Butterworth Heinemannn Participating OREDA Companies. Butterworth. Kirwin Barry (1994).Modelling Techniques REFERENCES British Standards Institution (1994). MacDiarmid and John J. Reliability.14 Risk & Reliability Associates Pty Ltd . Washington DC. Off-shore Reliability Handbook (OREDA).System Safety and Computers. Maintainability and Safety Assessment. Chapter 4. Lees F P (1995).

Risk & Reliability Associates Pty Ltd 10. that is. Bottom Up Techniques Generically.Bottom Up Techniques 10. one piece at a time. those who have to live on a day-to-day basis with the plant or process. bottom up techniques examine how an element can fail and then assesses the impact of this on the system as a whole. The general layout for such an assessment is sketched below. often outside consultants. Different bottom up techniques divide the system under consideration differently and may consider different failure types depending on the purpose of the analysis. The facility. Problems identified by the group are discussed and consensus achieved as to the significance and the best solution.1 . process or contract is then examined in a structured manner. Whiteboard Facilitator Analysts Computer Projector Laptop O/H Screen Technical Secretary Typical Analysis Facility Layout The analysts are usually the designers and the (proposed) operators or maintainers. Action is documented on the spot by the technical secretary with all those present signing off on it at that time. The most common approach is to gather relevant experts in a room and use a process to obtain group consensus as to the seriousness of a problem and what should be done about it. The facilitator and secretary are usually external to both these groups. This is to minimise potential bias.

1. System Description & Block Diagram Fault Modes Effects (and Criticality) Conclusion & Recommendation Fault Modes. if the System Description is done to an individual component level. Typically the systems breakdown for most reliability analysis is to four levels as shown in below: System Sub Systems Assemblies Components (Parts) Typical System Breakdown 10. However. extraordinarily detailed analysis will ensue. FMECA and RCM 10.2 Risk & Reliability Associates Pty Ltd . Effects and Criticality Approach The detail of the analysis depends on the level to which the system is reduced in the System Description and Block Diagram.1 FMEA. If the plant is considered as several large subsystems then the results will be quite coarse.1 FMEA and FMECA Fault (failure) modes and effects analysis (FMEA) and fault modes. The process is divided into four key parts as shown below. effects and criticality analysis (FMECA) are similar in nature except the criticality of a failure mode in FMECA is used as a ranking tool for each failure mode.Bottom Up Techniques 10.

MIL-SD-1629A (US Military Standard pages 101-105): • premature operation • failure to operate at a prescribed time • intermittent operation • failure to cease operation at the prescribed time • loss of output or failure during operation • degraded output or operational capability • other unique failure condition based on system characteristics and operational requirements or constraints A more typical list is: Delayed operation Erratic operation Erroneous indication Erroneous input Erroneous output External leakage Fails closed Fails open Fails to close Fails to open Fails to start Fails to stop Fails to switch False actuation Inadvertent operation Intermittent operation Internal leakage Leakage (electrical) Loss of input Loss of output Open circuit Out of tolerance (high) Out of tolerance (low) Physical binding or jamming Premature operation Restricted flow Short circuit Structural failure Vibration Generic Fault Modes for FMEA and FMECA The failure effect of each mode of fault by each component or sub-system is then considered. a detailed understanding of the system can be achieved. product quality variations. In terms of establishing criticality. It is of particular concern with protective devices that do not fail safe. customer service implications) economic (fault mode with increased costs only) By considering each component or sub-assembly and how it might achieve the fault mode described. This is common with redundant systems where the loss of the one unit could remain undetected until the second fails.Bottom Up Techniques Several authorities provide for lists of failure modes to be considered for each component or subsystem. Risk & Reliability Associates Pty Ltd 10. For example. especially if the effect will be concealed or hidden from the operators. the effects are usually considered as being in four categories whose priorities are in the listed order: * * * * safety (fault mode with possible death or injury effects) environmental (fault mode with unacceptable environmental effects) service (fault mode with operational effects such as production interruptions.3 . and the consequences of such fault.

what are the functions and associated performance criteria (accept/reject boundaries) of each asset in its operating context. what action should be taken if effective tasks cannot be identified. functional group) Push-Button (PB) Push-Button (PB) Fault (Failure) Modes The PB is stuck The PB contact remains stuck The relay contact remains open The relay contact remains stuck The fuse does not melt Possible Causes Effects on System (and criticality if desired) Loss of system function: the motor does not operate The motor operates too long: hence a motor short circuit. Component.Bottom Up Techniques A summary of the sort of results obtainable from such a study is shown in the table below. 10. It evolved in the private airline industry primarily through the activities of the Maintenance Steering Group of the International Air Transport Association. which leads to a high electric current and to a melting of the fuse Loss of system function: the motor does not operate The motor operates too long: hence a motor short circuit.4 Risk & Reliability Associates Pty Ltd . such as aircraft and military combat equipment. It can therefore be particularly detailed and is normally applied to very high valued systems where failure (breakdown) causes major difficulties.2 RCM The purpose of Reliability Centred Maintenance (RCM) is to establish the nature and frequency of maintenance tasks to ensure a target (optimum) level of reliability at best cost. which leads to a high electric current and a melting of the fuse In the case of a short circuit. The final report of the Maintenance Steering Group in 1980 titled MSG-3. what is the outcome and impact (criticality) of each fault (effect). what maintenance tasks can be applied to prevent each fault (preventive maintenance). 10. the fuse will not open the circuit Relay Primary (mechanical) fault Primary (mechanical) fault The operator fails to release the PB (human error) Primary(mechanical) fault A high current passes through the contact The operator overrated the fuse (human error) Fuse FMEA Table of Results FMEA and FMECA are normally bottom up processes that look at how component parts can affect the larger systems as defined in the system description and block diagram. (item. in what manner does it cease to fulfil its listed functions (fault mode). what failure mechanism causes each loss of function (failure cause or fault). provided the backbone of the logic processes contained in the referenced texts and RCM analysis (Moubray 1992). The RCM process asks eight basic questions: i) ii) iii) iv) v) vi) vii) which assets (significant items) are to be subject to the analysis process. The main point of the RCM analysis is to select which maintenance regime is most appropriate.

A wear out period due to increasingly rapid conditional deterioration resulting from use or environmental degradation. This led to the idea that the maintenance regime ought to be based on the reliability of the components and the required level of availability of the system as a whole. Failure Rate Time Infant Mortality Useful Life Wear Out Bathtub Fault Rate However. The consequence of such beliefs was that equipment was taken out of service and maintained at particular intervals.5 . Wear-in to Random Wear Out 4% Random then Wear Out 2% Steadily Increasing 5% Inceasing during Wear-in and then Random 7% 89% Random over measurable life 14 % Wear-in then Random 68% Fault Rate Curve Specifically. Risk & Reliability Associates Pty Ltd 10. whether it was exhibiting signs of wear or not. An infant mortality period due to quality of product faults. A useful life period with only random stress related faults. the bathtub curve was discovered to be one of the least common fault modes and that periodic maintenance increased the likelihood of fault. This is shown in the figure below. actuarial studies of aircraft equipment fault data conducted in the early 1970s identified a more complex relationship between age and the probability of fault (Moubray 1992).Bottom Up Techniques Until the mid 1970s items were seen as exhibiting a standard fault profile consisting of three separate characteristics.

The technique seems to work because the key parties to the process are present: the designers and operators. typically those who designed and those who must operate it conducts it. which suggest deviations from the normal operating conditions. It is an audit of the completed part of a design.6 Risk & Reliability Associates Pty Ltd . 10. Traditionally the HazOp procedure examines process equipment on a system-by-system basis. The essential features of a HazOp study are: * * * * It is systematic and detailed.Bottom Up Techniques The figure below indicates the overall process: Collect System Information Present Data Select component/assembly/sub-system Identify function Identify Failure Modes and Effects Yes Assess Criticality Concealed or Evident Safety or Environmental or Service or Economic? Redesign? Maintenance Plan RCM Analysis Flow Chart Note that a concealed fault mode is of major significance when assessing criticality. reviewing the process parameters using a checklist of guidewords.3 HazOps The Hazard and Operability (HazOp) Study technique was originally pioneered in the chemical industry (Tweeddale 1992). It concentrates on exploring the consequences of deviations from the usual operating conditions. the builders and maintainers or the contractor and contractee. It has since been adapted into a wide range of industries. If it is deemed to be of inconvenience then it is addressed by the workshop on the spot and a solution proposed for action. As can be seen. as are the circumstances that might bring it about. The consequences of a variation are assessed. A team who know most about the project or facility. the process is really a FMECA with a focus on maintenance outcomes. 10. A series of guidewords is repeatedly used to ensure consistency and repeatability.

. (speed.. such as start-up. vibration etc). part of . They can be defined using the following conceptual deviations (Tweeddale 1992): * * * * * * * * * * too much of .. Select a line Move on to next deviation Select deviation eg more flow No Is more flow possible? Yes Is it hazardous or does it prevent effecient operation? Yes No Consider other causes of more flow Consider and specify mechanisms for identification of deviation No Will the operator know there is more flow? Yes What change in plant or methods will prevent the deviation or make it less likely or protect against consequences? Consider other changes or agree to accept hazard Is the change likely to be cost effective? Yes No Agree change(s) and who is responsible for action Follow up to see action has been taken HazOp Flow Process Risk & Reliability Associates Pty Ltd 10. (reverse direction). low rate operation. wrong sequence).(whatever else can happen apart from normal operation. wrong component).. elapsed time. load. load... not enough of ... load. vibration etc). distance. level. distance. shut down. testing etc).. alternative mode of operation. poor performance of .. wrong setting of points etc). ( normal duty. vibration etc). distance.. elapsed time. elapsed time. (speed... (too high or low. (to left or right. uprating. (wrong composition... (starting or stopping too early or too late. wrong timing of .. level.Bottom Up Techniques The guidewords are tailored to suit the particular industry. opposite of . maintenance etc). too far or too short). wrong direction of . level.. other than . none of .7 . wrong location of . (speed....

I wish we had thought of that before we got into this thing”. Toxicity. high. This reduces the likelihood of subsequent accusations and conspiracy theories. reverse. but it has proved itself superior to one or two individuals from the contracting organisations sitting in different rooms trying to crystal ball the future and include it in the contract conditions. low high. Such hazards. Commissioning. phase high. Shutdown. Obviously the HazOp technique described here may not predict all possible problems. 10. Those who have watched various contracts coming unravelled will have noted the oft expressed sentiment that. Testing. The typical guidewords used are: Flow: Level: Temperature: Pressure: Reaction rate: Quality: Physical Damage: Control: Protection: leak. especially for a project that is large or unique in nature. a further list of overview guidewords can then be applied. Electrical Safety.3.2 HazOps Applied to Contracts Most breakdowns in a contracting out relationship arise from a lack of understanding of what elements of the relationship were truly important and susceptible to unrecognised threats.3. side reactions. Start-up.8 Risk & Reliability Associates Pty Ltd . inspection and testing impact.Bottom Up Techniques 10. Breakdown. low high. 10. low. testing After these key deviations have been applied to the P& IDs. vibration response speed. and vacuum fast. Fire & Explosion. impurities. slow concentration. dropping. Environmental Control. Actual assessment figures can be included on a HazOp Item Data Sheet. can be determined before the contract is entered into using a modified HazOp technique. however. Output or Throughput and Efficiency. Such data can be exported to spreadsheet reports for listing and ranking. It also has the added effect of ensuring the “win-win” nature of any contract as both parties to the contact are assessing the potential difficulties and mutually agreeing on solutions. independence. cross-contamination. erosion etc). Services Needed (compressed air and the like). These include: Materials of Construction (corrosion. Access. Safety Equipment. low.1 Process Industry HazOps The chemical process industry usually focuses on the process and instrumentation drawings (P&IDs). “Gee.

Select a key contract function Select threat e.9 . key contractor staff absence Move on to next deviation No Can it occur? Yes Is it hazardous or does it prevent efficient operation? Yes No Consider other critical contract staff absence Will change in contract advise of this? No Will the company know the absence has occurred? What change in contractor methods will prevent the deviation or make it less likely or protect against consequences? Consider other changes or agree to accept hazard Is the cost of the change justified? No Yes Agree to change(s) Agree who is responsible for action Follow up to see action has been taken HazOp Procedure Applied to Contracts Risk & Reliability Associates Pty Ltd 10. the process is shown below with a sample HazOp Item Data Sheet following.g.Bottom Up Techniques In flow chart terms.

5 pa Consequence severity $10.10 Risk & Reliability Associates Pty Ltd .35pm Design Engineer Maintenance Engineer Contractor Scribe/Secretary: Fred Gatt.92 yrs Sign Off Responsible Person: Design Engineer Follow up action: Price B/U machine. Price back up machine.900 pa $5.67. Choose between increasing contract price to have stand-by staff available or buy new parallel production equipment Payback assessment as for back up machine By: Maintenance Engineer Status: Comments: Further work required HazOp Item Data Sheet 10. Rev 4. request contractor price to guarantee staff availability Date: 15 March 1996 Action Review contractor backup staff arrangements.450 pa 0.000) pa $500 pa $4.000 pa ($1.Bottom Up Techniques R2A Hazard Item Data Sheet Identified Problem Location Client: New Company Project: VIP Product Line Location: 3 stand press Drawing number: 736.000 Solution effectiveness 99% Risk Saving $4. 12/05/00 Title: Hazard Item No 23 Present 14 March 1996 2. R2A Facilitator/Chairman: Richard Robinson.000 $1.900 pa Proposal cost Commercial return Maintenance saving PR/Morale Benefit Risk Saving Total Investment payback Period $5. R2A Nature of Problem Guide word: Production line maintenance Threat deviation: Key maintenance contractor staff unavailability Possible Causes: Illness Consequences: Production interruptions due to slow inexperienced maintenance staff Preliminary Solution Payback Assessment Event Frequency 0.

This arises because the process is bottom up rather than top down. 5% RCM Reliability Focus 0. This is obviously the worst possible time to discover the fault. the different power supply devices would have been fire isolated from each other so that a fire in one or a gas explosion in the hall could not expose the others and knock out all power supplies. It does not examine how a catastrophic failure elsewhere might affect this component or the others around it. but it nevertheless remains difficult to use a HazOp to determine credible worst-case scenarios.0001% (10 ) region in the diagram. perhaps once in a hundred years. the two parties are communicating directly and the lawyers are documenters. An automatic sprinkler system. However. lawyers represent a most interesting form of common mode failure. for example will only be called upon to operate quite rarely.4 Common Mode Failures Bottom up techniques have difficulties with common cause and mode failures. That is. as the reliability designer intended. Risk & Reliability Associates Pty Ltd 10. A detailed assessment from individual components or subsystems such as HazOp or FMECA examines how that component or sub-system can fail under normal operating conditions. Sprinklers systems are therefore quite tough. An RCM analysis will suggest that it requires little or no maintenance to remain in an effective operating condition. This provided for a common mode risk failure. Applying reliability analysis to failure (risk) problems can be a difficult concept since the intellectual focus of the group is different. a critical facility was recently built with two power grid connections. Such ‘knock on’ effects are attempted to be addressed in HazOps by a series of general questions after the detailed review is completed. The second diagram indicates the approach that seems to be much more effective. The diagram below shows two arrangements. Unless tested. in effect passing pieces of paper under the door to each other. Nevertheless. what should be done to plant and equipment to ensure optimal availability and service at best cost. Examining systems designed to deal with common mode failures with RCM techniques is difficult too. injury and death and -4 consequential problems including legal implications. From observation of the difficulties associated with a number of outsourcing contracts it appears difficult for Party 1 and Party 2 to have a clear and complete understanding of each others position when lawyers act as advocates.00001 % Risk focus (10E-5) 95% existing availability Reliability vs Risk For example. they are checked regularly. such a condition may well remain hidden until the sprinklers are called upon to act during a fire. to ensure that the fractional dead time becomes trivial (the time it is out of service). If a risk engineer had been involved in the design process. a massive common mode failure for all the equipment in the fire-affected area will be occurring. But when it is required. The first represents the lawyers acting as advocates whilst in the second. all this gear was put in a single machine hall and thus subject to a single fire event. In the context of outsourcing. Risk analysis is targeted at minimising damage.11 . Sprinklers are in fact subject to latent failures such as stones in the piping or a restriction in the water supply. this is why reliability people are optimists and risk people pessimists.Bottom Up Techniques 10. Power supply reliability was very high from a breakdown failure perspective. Reliability analysis is conceptually focused at minimising breakdown failures to the 5% section shown in the diagram below. In a sense. a gas turbine generator and several diesel generators any one of which was capable of running the entire plant. that is the 0.

This process can be conducted before a project is commenced as a form of completeness check. Job Safety Assessment (JSA) and HazOp studies can be used to identify specific project risks.12 Risk & Reliability Associates Pty Ltd . JSA etc Bottom up analysis Operation and Maintenance Vulnerability Assessments Top down analysis Functional Definition/ Specification Commissioning Risk Techniques in Project Management A pre-planning approach uses top down analysis such as vulnerability assessments to identify possible risks facing a project and/or the organisation in general. procurement and construction solutions can be implemented.FMECAs. Contract Management Pre-Planning Roll-out. risk management forms part of the project management process. (assets coinciding with a threat) are documented and addressed appropriately with a risk reduction solution in mind. This can be represented by the figure below. It is here that engineering. transition or project management HazOps. 10. Bottom up analysis techniques such as Quantified Risk Assessment (QRA). QRA.5 Risk Management and the Project Life Cycle The role and way in which risk management is considered in a project life cycle varies depending on the stage it is at. Once the project has been commissioned.Bottom Up Techniques Party 1 Lawyer 1 Lawyer 2 Party 2 Lawyers acting as advocates Party 1 Party 2 Lawyer 1 Lawyer 2 Lawyers acting as documenters 10. Vulnerabilities identified.

It was apparently developed by NASA in the 1960's to help prevent food poisoning in astronauts.Bottom Up Techniques Risk management processes should be ongoing to be effective. It is used to develop and maintain a system. It then goes on to establish how. HACCP can be used both as corrective and preventative risk management options. A critical control point is defined as any point or procedure in a specific food system where loss of control may result in an unacceptable health risk. 6.6 Hazard and Critical Control Point (HACCP) Analysis HACCP is a systematic. evaluating and controlling safety hazards in a food process. which minimises the risk of contaminants. Identify hazards Determine the critical control points Determine the critical limits for each control point Monitor the critical limits Identify corrective action procedures (corrective action requests or CARs) Establish records and control sheets Verify the HACCP plan Risk & Reliability Associates Pty Ltd 10. 2. 10. Whereas a control point is a point where loss of control may result in failure to meet (non-critical) quality specifications. Once the project is completed risk management is incorporated into the project's operation and maintenance procedures. 7. In many ways it appears as a top down vulnerability technique applied at a very low level in the sense that it identifies who is to be protected and from what. 4. Risks are identified and a management option is selected and implemented to control the risk. Periodic assessments of the project need to be conducted to keep the risk management status current and upto-date. However.13 . the aim is to prevent hazards at the earliest possible point in the food chain. organised approach to identifying. 3. HACCP involves the identification of acceptable risk standards appropriate to different types of food hazards and the procedures to ensure that the risks are kept within the limits set by those standards. Food safety risk can be divided into the following three categories: Microbiological Risks Escheria Coli Salmonella Listeria Monocytogenes Staphylococcus Clostridium Botulinum Chemical Risks Pesticide and herbicide residues Cleaning chemicals Heavy metal residues Allergens Physical Risks Glass Plastic Metal Wood etc There are seven principles to the HACCP technique: 1. 5. This can be done using either top down or bottom up methods or a combination of the two.

Department of Urban Affairs and Planning (1995). Fourth Edition. Chemical Industries Association (1977). Systems Engineering and Analysis. London. IChemE. Cheaper. IChemE. Department of Defense (USA) (1984). 8 Hazard and Operability Studies. Reliability. Effects and Criticality Analysis. RCM II Reliability Centred Maintenance. (MIL-STD-2173AS ). Butterworth Heinemann. John Wiley & Sons. Practical Methods for Engineers. Butterworth Heinemann Tweeddale Mark (2003).14 Risk & Reliability Associates Pty Ltd . Washington DC. (1990). Smith David J (1993). Washington DC. Weapons Systems and Support Equipment.Bottom Up Techniques REFERENCES Department of Defence (USA). Wiley Interscience. IChemE. HAZOP Guidelines. (MILSTD. Oxford. Villemeur Alain (1992). Washington DC. Blanchard and Fabrycky. Systems Engineering Management. McGraw Hill. Hazardous Industry Planning Advisory Paper No. (3 Volumes) Reason J (1990). An Engineer's View of Human Error. HAZOP & HAZAN Notes on the Identification and Assessment of Hazards. Reliability. Kletz T A (1985). Maintainability and Risk. 10. (MIL-HDBK-338-1A). Washington DC. Moubray. London. Human Error. A Guide to Hazard and Operability Studies. Managing Risk and Reliability of Process Plants. Reliability of Systems. Kletz T A (1985). Butterworth-Heinemann Ltd. Cambridge University Press. Safer Plants or Wealth and Safety at Work . Reliability Centred Maintenance Requirements of Naval Aircraft. Kletz T A (1986). READING British Standards Institution (1994). Lees F P (1995). 2nd Edition. Electronic Reliability Design Handbook. A Procedure for a Failure Mode. Reliability Prediction of Electronic Equipment (MIL-HDBK-217). 2nd Edition. Department of Defense (USA) (1986). Equipment and Components. Maintainability and Safety Assessment. Gulf Professional Publishing which is a imprint of Elsevier Science (USA). John (1992). Prentice Hall International. Loss Prevention in the Process Industries.1629A). UK. Smith Anthony (1993) Reliability Centred Maintenance. Oxford. Department of Defense (USA). London. Part 2: Guide to the Assessment of Reliability (BS 5760: Part 2) Blanchard B (1991).

safety data collection /analysis but local repair only Repair / some proactivity wide range of auditing but "technocratic" remedial measures Reform / generative aware that engineering. In 1993 he suggested a 7-point rating scale for overall organizational risk control: i) ii) iii) iv) v) vi) vii) Pathological barest minimum industry safety practices Pathological / low reactivity one step ahead of regulators. Generative Risk Techniques ‘Generative’ technique is a term adopted from James Reason’s work in the risk area (Reason. selection. 11. 1993). Measures include quantified individual risk and societal risk. In a legal sense it provides assurance after the event that no one can say. Counter measures are engineered into the system using devices such as HazOps.9) it generally refers to the ‘selective interview’ column. unsafe act auditing. Audit systems can often be seen to favour one or more of these models. looking for better Truly generative proactive measures in place.Generative Techniques 11. safety measures under continuous review.1 .1 James Reason et al James Reason is an English psychologist who has written extensively on risk. still afraid of the hazards. some concern re adverse trends Worried / reactive anxious about a run of incidents or accidents Repair /routine sensitive to events. Human error is a consequence and not a cause. Risk & Reliability Associates Pty Ltd 11. ‘I knew that but nobody listened’. Countermeasures aim at an 'informed culture'. training not enough. The most widely used counter measures are 'fear appeal'. It has much to do with morale and the willingness of people to constructively speak up and for the organisation to respond positively. The Engineering Model The Engineering Model is system based and quantified where possible. FMECA's etc. Reason (1997) noted three types of risk models: The Person Model The Person Model is exemplified by the traditional occupational safety approach. Safety may be measured as quality. In terms of the paradigm model in this text (Section 2. The main emphasis are upon individual unsafe acts and personal injury accidents. new procedures. range of diagnostic/remedial measures being considered. not complacent or self-congratulatory. The Organisational Model The Organisational Model is allied to crisis management. training and selection. It is usually policed by safety departments.

System induced error. a just culture. an informed culture = a safety culture. workable. Negligent error. 1 Diminishing culpability 0 A decision tree for determining the culpability of unsafe acts 11.2 Risk & Reliability Associates Pty Ltd . damage etc. System induced violation. It has the following components: a reporting culture. Blameless error. each having particular characteristics: Pathological Culture Don’t want to know Messengers are 'shot' on arrival Responsibility is shirked Failure is punished or concealed New ideas actively discouraged Bureaucratic Culture May not find out Messengers are listened to if they arrive Responsibility is compartmentalised Failures lead to local repairs New ideas often present new problems Generative Culture Actively seek it Messengers are trained and rewarded Responsibility is shared Failures lead to far reaching reforms New ideas are welcomed For Reason. malevolent. A Reporting Culture Disincentives • Extra work • Scepticism that anything constructive to prevent it will happen • A desire to forget all about it • Lack of trust and • Fear of reprisals Incentives • Indemnity against disciplinary proceedings • Confidentiality or de-identification • The separation of the agency or department collecting and analysing reports from those bodies with the authority to institute disciplinary proceedings and impose sanctions • Rapid. useful.Generative Techniques Reason also notes three types of culture. selection processes and expertise available and present? No Yes No No No Is there a history of unsafe acts? Yes Yes Were the consequen ces as intended? Were procedures available. accessible and intelligible feedback to the reporting community • Ease of making a report A Just Culture Were the actions as intended? No Were safe operating procedures knowingy violated? Yes No Was adequate training. a flexible culture and a learning culture. Reckless violation. intelligible and correct? Yes Yes Sabotage.

heeding.. diagnosing) Creating (imagining. ensuring. doing. and an increasing centralization of authority thereby precipitating considerable informal resistance and dissent The Vicious Circle the culture carefully notes what informal activity that a centralized information system encourages among the decentralized units is of most value to customers and formalizes these into its regular operations.. Charles Hampden-Turner (1990) has a notion of virtuous and vicious circles. designing. planning) Acting (implementing. the culture promotes an extreme formality and a tendency for units to decentralize and deviate with the result that.3 . tracking) Reflecting (analysing. shown below. attending. interpreting... testing) Reason is not the only author to notice the importance of culture. The Virtuous Circle Risk & Reliability Associates Pty Ltd 11.Generative Techniques A Flexible Culture • • • A culture that favours face-to-face communication Work groups made up of divergent people (with shared values and assumptions) Able to shift from centralised control to decentralised mode in which the guidance of local operations depends largely on the professionalism of the first-line supervisors A Learning Culture • • • • Observing (noticing.

Generative Techniques 11. some are firmly grounded with direct responsibility for production and maintenance. one last risk communication system can be invoked. The report is sent electronically to all managers and board members weekly. It does not appear to be abused since false alarms are personally damaging and not repeated. Typically this is by email to a central coordinator. and. (Enquiries should be positive and indicate future directions whereas audits are usually negative and suggest what ought not to be done). line management systems have repeatedly failed to address. near miss / unsafe conditions and systemic failure. Such a process is peculiarly open and powerful since it is routinely steps outside normal day-to-day line management decision-making and real alerts are gratefully acknowledged. All employees should be able to access the RAG report to flag emergency risks. If the emerging risk is ongoing. A review and/or investigation is then conducted to examine the extent of the problem resulting in the problem being actioned and moved to either the Amber (under review) or Green (fixed) section.3 Generative Interview Techniques This is a top down enquiry and judgement of unique organisations rather than a bottom up audit for deficiencies and castigation of variations for like organisations. independent-of-line-management rapid risk reporting systems. A number of organisations have noted that just before something really serious happens someone somewhere in the organisation develops premonition which if promptly reported can prevent a disaster. The object is to delve sufficiently until evidence to sustain a judgement is transparently available to those who are concerned. Such systems have two prime aims: i) To enable rapid reporting of matters like critical near misses that give individual employees a ‘chill”. 11. day to day. For example. Others work at the community interface surface with responsibilities that extend deep into the organisation as well as high into the community. To deal with issues that normal. ii) One common approach is a weekly Red. Community Interface Surface Pathogens Corporate Ocean Vulnerabilities Hazards Grass Roots Interview Depth 11. For example. Rather than let frustrated employees develop hidden independent fixes outside of the ken of line management which can easily create latent conditions. remote monitoring systems that persistently fail despite the IT department’s recurring efforts to sustain them. then the risk should be transferred from the RAG report to the usual risk register database for ongoing monitoring. Amber. Once it is Green it is deleted. Green (RAG) report. The diagram below shows a stylised picture of the ‘corporate soup’.4 Risk & Reliability Associates Pty Ltd .2 Transparent Independent Rapid Risk Reporting A number of organisations have developed transparent. Individuals have different levels of responsibility. If a critical issue is identified that requires immediate attention then it is entered into the RAG report and identified as a 'red' risk.

1 D.5 B. If a commonality of problems and. This is really a best practice focus by identifying success factors (what is being done well) and how this can be extended. concerns etc). What is risk? (pure/business/speculative).4 A. Is your culture risk pro-active? Does your section have a clear understanding of the organisation's aims? Do your people have a clear understanding of your section's aims? Do you feel there is a good active knowledge of past organisation risk failures? What are you measures of risk performance? Do you receive management feedback on risk performance? WHAT RISK INFORMATION SYSTEMS ARE IN PLACE? This is to test not only the types of risk information collected.4 C.Generative Techniques The idea is that a team interviews recognised 'good players' at each level of the organisation.2 B. educational and constructive.1 C.6 C.2 C. WHAT IS UNDERSTOOD BY RISK AND RISK MANAGEMENT? The purpose of the section is to obtain the interviewee's initial perception on risk management in the organisation.1 A. solutions are identified consistently from individuals at all levels then adopting such solutions would be fast and reliable.3 B.6 B. C. What specific risk skills have you and/or your people been trained in? What makes you believe that when a (potential) emergency occurs your people will respond well? Have you or others attended courses in risk management? Do you have knowledge of the following techniques? Do you have knowledge of the following codes and standards? Do you have access to and does your staff use the library of past incidents? WHAT IS THE PRESENT RISK/SAFETY CULTURE? This section reflects the issue that systems must match cultures for optimum results. Risk & Reliability Associates Pty Ltd 11. A. What risk management approaches do you currently use? How effective do you believe your risk management systems are? Are you familiar with the requirements of AS/NZ 4360? WHAT RISK/DEPENDABILITY/ASSURANCE MEASURES AND TECHNIQUES ARE IN USE? This section tests knowledge of formal risk related processes. What is risk management? (AS 4360 vs other concepts like assurance. Other positive feedback loops should be created too.2 D.6 D. The following questionnaire has been used as a general basis for such an interview process.2 A.3 C. It also embodies the recognition that all organisations are unique and that there are different ways of achieving success.4 E. B. SAMPLE GENERATIVE INTERVIEW GUIDE OVERVIEW A. quality etc) What risks are relevant to you? (Types.5 .5 A. The process should be stimulating. more particularly.3 D.1 B. Good ideas from other parts of the organisation ought to be explained and views as to the desirability of implementation in other places sought. but also how it is used and the overall integration of these systems.5 C.4 B. What are your claims management/insurance/legal response systems? How does your OSH&E function operate? How does the internal audit system function? Is the whole of life cost of risk available in the organisation information and planning systems? WHAT CHANGES WOULD YOU SUGGEST FOR RISK MANAGEMENT? This section is particularly focussed at what positive things could be done to enhance risk management in the subject organisation.3 A. D.

This prompted speculation as to the best early detection system. Corporate Culture. Reason J (1997). agreeable and interesting for the crew. Managing the Management Risk: New Approaches to Organisation Safety Chapter 1 of Reliability and Safety in Hazardous Work Systems: Approaches to Analysis and Design. a change in the sound pattern or altered vibrations can also provide early alert. READING Reason J (1990). The engine room staff actually acted as environmental monitoring devices. But it was also noted that fires in manned engine rooms were generally detected early and managed quickly. For the next few months they fiddled and then returned to advise that which worked well on their ship. In addition to sight and smell.Generative Techniques 11. vibration monitors (torsional and longitudinal). Hutchinson Business Books Limited. This potentially included sniffers. East Sussex. Lawrence Erlbaum Associates Ltd. Basically the two ships chief engineers were each given a budget to buy detection equipment. Human Error. Great Britain. A Fire Risk Assessment. Such a review concluded (amongst other matters) that stopping all fires from starting is very difficult indeed. This was seen to be cheaper than hiring engineering consultants or researchers to attempt to determine a solution. Eds I Wilpert et al. which might or might not operate in a harsh marine environment. Ashgate Publishing Limited. and how they should be controlled. R Robinson and D McCann (2002). ISBN 0-86377-309-5. Paper presented at the Pacific 2002 Conference. try them and see which work. It was also constructive. From Vicious to Virtuous Circles. No crisp answer was available. Such detection occurred via human sensory detection. 2002). Cambridge University Press.4 Generative Solutions Technique Hazard based approaches to risk focus on identifying problems. In view of this a generative solutions approach was recommended. That is. but this would commit the organisation to an endless series of irresolvable “what if” problems and possibly an untested technology thereby sapping organisational resources and enthusiasm generally. Reason J (1993). 11. Sydney. A top down threat and vulnerability approach was initially adopted to determine primary issues with regards to potential fires with unmanned engine rooms for the “Taiko” and “Kakariki” following from fires in the “Westralia” and “Helix”. sound and noise analysers and the like. Kneller A. REFERENCES Hampden-Turner C (1990). Another approach is just to put up solutions. Managing the Risks of Organizational Accidents.6 Risk & Reliability Associates Pty Ltd . It was also noted that the ships (marine) engineers received the greatest respect and pleasure from fixing problems and that if they had spare time at sea. Such an approach was used to develop the “best way forward” for Silver Fern Shipping (Kneller at al. Concepts such as ALARP (as low as reasonably practicable) are often used. early detection was achieved by more than just typical fire detection systems. cameras (thermal imaging & others). Darling Harbour. there seemed to be an uncontrollable urge to 'fiddle' with things. Much expensive research could be undertaken.

1 . Pr(A) Pr(B) Pr(A) x Pr(B) Probability of Occurrence of at Least One of Two Independent Events The total probability of at least one of the two independent events occurring simultaneously equals the combined area of the overlapping circles. Risk & Reliability Associates Pty Ltd 12.75 (or 75%) This can also be shown as a Venn diagram.1 Discrete Event Mathematics Both risk and reliability engineers require an appreciation of how the probabilistic outcome of different independent events can be added together.Mathematics 12. So for the example above if each unit has a 50% chance of operating in the next hour then there will be a 75% of at least one operating in the next hour. The overall probability of at least one of two mutually independent systems operating successfully for a particular period of time can be shown as a form of a block diagram. Financial (market risk) mathematics which has both upside and downside components are described in Chapter 17. 12. Risk and Reliability Mathematics This section is devoted to pure risk mathematics as used for technical and safety risk. below. both units are operating but only one needs to operate for success) Note that a probability is a pure number between 0 and 1.5 (or 50%) then Pr(A) or Pr(B) = 0. Pr(A) plus Pr(B) less Pr(A) x Pr(B).5. That is: if Pr(A) = Pr(B) = 0. that is. that is: Pr(A) or Pr(B) Pr(A or B) = Pr(A) + Pr (B) . This can be shown in several ways.Pr(A)*Pr(B) Active Redundant System Block Diagram (That is.

{(1 .Mathematics 12. the probability of occurrence of system success of all three independent components operating can be shown as: Pr(A) Success Pr(B) Success Pr(C) Success Probability of Success of a Parallel Operating Pr(Success) = 1 – {[1 – Prs(A)] x [1 – Prs (B)] x [1 – Prs (C)]} Again. 12. the probability of failure of this system can then be described as.Prf (B)) x (1 .2 Risk & Reliability Associates Pty Ltd .Pr (success) Pr (failure) = 1 .Prf (C))} 12.1 Systems in Series For a series block diagram shown below. Pr(Failure) = 1 .1.Pr(Success) Pr(Failure) = Prf(A) x Prf (B) x Prf (C) The mathematical equivalence of these formulae should be noted.2 Systems in Parallel For a parallel block diagram.Prf (A)) x (1 .1. the probability of occurrence of system success of all three independent components operating can be shown as: Pr(A) Pr(B) Pr(C) PR(Success) = Prs(A) x Prs (B) x Prs (C) where Prs (x) is the probability of success of the component Probability of Success of a Series Operating The probability of failure of this system can then be described as: Pr (failure) = 1 . shown below.

Mathematics 12. To get around this. that is. Usually the problem in question applies to a particular project. the term "likelihood" is used as a general term in this text to describe a probability or a frequency or a combination of both. The relationships between probability of failure and success for OR and AND systems are shown in below. This means it has a "probability" (a pure number between 0 and 1) of occurrence for that project rather than any time basis.3 . this may not be so.3 Fault Trees & Block Diagrams Most risk and reliability analysis activity is done on an events per period (usually a month or a year). a frequency basis. Pr(A) Fails Pr(B) Fails A Fails "Swiss Cheese" B Fails Fault Tree OR Gate OR Pr(A) Success PR(B) Success Pr(B) Success Series Block Pr(A) Fails A Fails B Fails Pr(B) Fails Fault Tree AND Gate "Swiss Cheese" & Pr(A) Success Pr(B) Success Parallel Blocks Venn. For project management. Fault Tree & Block Diagram Comparisons Traffic Density Radar Option Separation/ Segregation See and Avoid Near Miss Mid Air Collision Series of Failure Required for a Mid Air Collision to Occur (after Reason) Risk & Reliability Associates Pty Ltd 12.1.

the average time the system is in a down state. that is.718218…(a constant) For example. the average up time. Mathematically at least. if λ = 0. it suggests that risk is a simplification of reliability. the reliability formula reduces to: r = e = 0.4 Risk & Reliability Associates Pty Ltd .01 per hour (1 per 100 hours) and t = 10 hours then R = 0.t -t/MTBF R is reliability t is mission time in hours λ = 1/MTBF and is the (average) failure rate per hour MTBF is mean time between breakdown failures in hours e = 2. the average time to restore the system to the up state. MDT or Mean Down Time.368. MTTR or Mean Time To Repair.9.2 Breakdown Failure Mathematics Reliability is inextricably entwined with availability. If availability is thought of in terms of a repairable system being “up” and “down” then a number of concepts and terms can be simply defined.e -λt -6 -7 -1 For t = 1 and λ very small (around 10 and 10 ) then: λ≈ 1-e -λt This is the point at which the reliability engineer’s fault rate becomes equivalent to the risk engineer’s failure frequency. This predicts that 37% of the population will survive until the MTBF. For a system where the breakdown failure rate is constant with respect to time (or random). that is. the calculation of reliability is: where R=eλ =e . Note that unreliability = 1. Unreliability (1 year) = λ per year 12. Up state (acceptable) Up Down state (unacceptable) Down Time Time interval = t Two State Availability Concept The time in the up state is related to reliability and the time to repair in the down state. that is. it has a 90% chance of operating continuously for that 10 hour period. MTBF or Mean Time Between Failure.Mathematics 12. Where the mission time equals the MTBF. That is.

A B Multi State System One reason for this type of modelling is to take into account the decrease in reliability due to solo operation.988584% 99.Both units A & B cease to operate.999810% 99.One unit.994292% 99. The diagrams can be represented in different ways too. log normal and Weibull failure probabilities.977169% 99. each with respectively increasing analysis complexity. A and B below. (S1+1 to Sn -1). That is.999049% 99. These states can include degradation.998097% 99. This system can be in one of three possible states at any given time: S1 .3 State Theory Mathematics State theory analysis considers the ‘states’ in which a system can exist. maintenance and repair.885845% availability pa or availability pa availability pa or availability pa availability pa availability pa or availability pa availability pa availability pa or "6 nines" "5 nines" "4 nines" "3 nines" Summary of Availability Numbers 12. The modelling is done by considering the system in its ‘perfect’ state (S1) and defining all the other states in between. The simplest type is Markov analysis which assumes that these systems have a constant breakdown and repair rate. which are identical and have the same failure rate and repair rate. A or B. Consider the two units. Breakdown and repair rates can have exponential.Mathematics The table below summarises the different terminology sometimes used to describe availability.Both units A & B are operating S2 . the load on the second unit may be greater than when both are operating implying that the breakdown rate of the system is higher once the first unit has failed. Monte Carlo simulation techniques are often necessary for models using the other breakdown failure distributions. Risk & Reliability Associates Pty Ltd 12. to failure (Sn). up to up to up to up to up to up to up to up to up to 30 1 5 10 30 45 1 2 10 secs downtime pa min downtime pa mins downtime pa mins downtime pa mins downtime pa mins downtime pa hr downtime pa hrs downtime pa hrs downtime pa is is is is is is is is is 99. An example of a multi-state system is shown below.5 .999905% 99. has ceased to operate but the other is still functioning S3 .991438% 99.

Bearing is in good working order S2 .0203 -6 0. where: Active Redundancy . S3) can be reached in various ways.000 hrs 12.015.two identical units: MTTF = 3λ + µ 2 2λ or µ 2 2λ if µ >> λ λ = 1/MTBF and is the (average) failure rate per hour µ = 1/MTTR and is the (average) repair rate per hour This equation is reached by doing an analysis of the system considering the probability of each state at any given time and then developing and solving a set of differential equations.Bearing is degenerating (increased vibration) S3 .1 Markov Analysis Consider a single unit which has three states such as a ball bearing: S1 .Bearing has failed A & B Operating A or B Failed S1 S2 S3 Component State Diagram The last two states (S2. Using the above multi state system and assuming the units are electrical generators with failure rates of -4 -2 1 x 10 per hr (100 failures per million hours) and repair rates of 2 x 10 repairs per hr (50 hrs (ave) per repair).Mathematics Sy stem States S1 S2 S3 A & B Failed Time Multi State System State Diagram 12.6 Risk & Reliability Associates Pty Ltd .02 x 10 = 1. If this system was in active redundancy then: MTTF = 3λ + µ 2 2λ 3 x 10 + 2 x 10 -4 2 2 x (10 ) -4 -2 MTTF = = 0.3. either by wearing out normally and leading to failure if not replaced (S1 to S2 to S3) or a catastrophic breakdown of the bearing due to the propagation of a hairline crack (S1 to S3). The system MTTF rate for an active redundancy system is shown in the equation below.

Mathematics 12.760 hours). Mean Time Between Hazard = 1/(0. then the minimum Mean Time Between Hazard is probably prudent design assumption.1 chances p. we could say it fails mid term between testing periods. The probability of the uncontrolled hazard (hence. using the worst-case scenario for FDT produces a minimum MTBH. For the above example. the FDT would be one half week plus one hour (85 hours per 8.03856. In practice however. If the building typically experiences a fire once every 10 years (or. It is referred to as FDT because the failure of the equipment itself does not pose a threat until there is a realisation of another hazard.760 hours). Assuming one equipment failure on average per year gives a maximum FDT of 0. or 0.030 years Which calculation is a closer approximation to reality depends on the failure curve after testing. the MTBH is 518 years (1/0.0097) = 1.001928 chances p. Similarly. as the time between checks is usually much greater than the time required to repair the equipment.001928). If the system was checked once every year. equipment averaging 2 failures per year has a FDT of 0. It should be noted that the MTBF is characteristic of the equipment item. it would have a MTBH of 10 years. as an average. with the above example having a MTBF of 1 year.).0097. if the system fails randomly then.1 × 0.7 .01928 = 0. a fire detection system that is checked weekly and takes one hour to repair has a maximum dead time of one week and one hour. MTBF is the reciprocal of the equipment failure rate. These examples show the importance of checking equipment regularly. such as fire. 0.a. The occurrence of equipment failure can be estimated as the Mean Time Between Failure (MTBF).) & CONTROL DEAD (FDT) UNCONTROLLED HAZARD AND Gate Argument For example. Risk & Reliability Associates Pty Ltd 12. then the probability of an undetected fire is: 0. the overall failure rate) can be determined through a simple AND gate argument: HAZARD (Chances p. Analogous to this is the Mean Time Between Hazard (MTBH).a. and is independent of the frequency of testing.a.01928 (169 hours per 8. Given the reciprocal relationship between MTBH and FDT.4 Fractional Dead Time Mathematics Fractional Dead Time (FDT) is the fraction of time that the equipment is dead (cannot operate properly). In our example. That is.1 × 0. which is the reciprocal of the probability of the overall hazard (fire with no detection). if failure is most likely to occur immediately after the equipment goes on line after testing (often the case) rather than randomly.

The Reliability. Villemeur Alain (1992). UK. John Wiley & Sons. Taylor & Francis. Butterworth Heinemann. Practical Methods for Engineers. Butterworth Heinemann. Pinkney etc (1989).Proceedings of the 2nd Conference International Conference. RCM II Reliability Centred Maintenance. Fourth Edition.8 Risk & Reliability Associates Pty Ltd . London. 12. Reliability of Fire Protection and Detection Systems. Availability & Productiveness of Systems. Smith David J (1993). Loss Prevention in the Process Industries. John (1992). Introduction to Mechanical Reliability: A Designers Approach. Moubray. McGraw Hill. Hemisphere Publishing Corporation. Oxford. Reliability. New York.Mathematics READINGS Finucane. Oxford. Chapman & Hall. Lees F P (1995). Vinogradov Oleg (1991). Fire Safety Engineering . 2nd Edition. Sherwin & Bossche (1993). (3 Volumes). Maintainability and Risk. Butterworth-Heinemann Ltd. A Guide to Practical Human Reliability Assessment. Maintainability and Safety Assessment. London. Reliability. Smith Anthony (1993) Reliability Centred Maintenance. Kirwin Barry (1994).

or death and injury occur due to such breaches then serious liabilities arise. A safety case is intended to provide the same assurance with respect to the safety of a system or facility. which are usually drawn up to convince a financier that a business is viable (Redmill). The Victorian major hazards legislation. the process of managing safety. What constitutes a safety case varies from industry to industry. Risk & Reliability Associates Pty Ltd 13. a safety case effectively manifests itself as a contract between an organisation and a regulator that permits the organisation to operate within defined limits in accordance with documented procedures. requires that the CEO or the most senior company officer resident in the State of Victoria sign off the safety case. Again it is primarily the responsibility of the operating company. The paradigm discussion from Chapter 2 is relevant. Based on a number of presentations made to various lawyers. The object of a business case is to ensure that all significant factors affecting the business have been identified and that appropriate measures are in place to maximise the positive factors and minimise the negative ones. Board Safety Audit Safety Management System CEO Business Management System Financial Audit Middle Management Business Units Idealised Safety Case Structure Once established. responsibility for failure of the business usually rests there too. at its highest levels. This means that an overriding consideration is that any safety case work be to the satisfaction of legal counsel.1 Process Industry Modelling Safety Cases With large and complex plants. An initial context definition is essential. This is difficult if the safety task is assigned to technical 'experts' in isolation. Because of this. health and environmental issues requires a formal management system.Process Industry and Consequence Modelling 13. for example. Compliance failure is a breach of contract. it appears to the authors that the legal system has converted the safety case concept to a liability management device. 13. There are parallels to business cases. those techniques and paradigms highlighted in the following table at least can be used in developing a safety case. If damage to third parties. It is usually the responsibility of the highest levels of management within the organisation. The formal approach adopted is usually referred to as a safety management system (SMS). An argument or case that the operation of a facility is performed with acceptable risks is often termed a safety case. Accordingly.1 .

This chapter will consider the ways in which the safety case arguments are developed in the process industries.1 Vulnerability Workshops Top down techniques are generically described in Chapter 7.2 Risk & Reliability Associates Pty Ltd . availability & reliability audits) Difficult in isolation Yes (Actuarial studies) Difficult to be comprehensive Yes (Computer simulations) Yes (Quality audits) Facilitated workshops Yes (Arbitration. It is also important to note that various state legislation call up the term 'safety case' especially in regard to major hazard industries.2.2 Context (Top Down) There are a number of methods by which the context and the depth of the technical study required can be assessed and explained.Technique Matrix Each of the approaches in the cells above has particular strengths and weaknesses. This tends to focus on the worst possible outcomes irrespective of the cause or relative likelihood of such problems. The rule of law 1. systemic mutual feedback loop paradigms Risk culture concepts Expert reviews Yes (Legal opinions) Yes (Risk surveys. moot courts) Yes (Risk profiling sessions) Yes (HazOps. actuarial studies) Yes (QRA.Process Industry and Consequence Modelling Technique>> Risk Management Paradigm 0. 'bottom-up' approaches Threat based 'topdown' approaches Business (upside AND downside) approaches Solution based ‘best practice’ approaches Biological. 6. They include asset and threat assessments such as those used by military intelligence and other authorities. smaller facilities may choose to undertake a similar process but use a different term to avoid legal entanglements. They can be combined in different ways. 7. the mainstay of safety cases in the process industry to date. Because of this. Insurance approaches Asset based. 2. 4. especially with regard to quantitative risk assessment (QRA). 13. The key hazards are identified using a consequence assessment based on an Asset and Threat (or vulnerability) technique in a workshop with key design team personnel. FMECAs etc) Yes (SWOT & vulnerability) Difficult in isolation Difficult to be comprehensive Yes (Crisis simulations) Difficult Selective interviews Yes (Royal Commissions) Yes (especially moral risk) Difficult 3. 5. 13. Yes (Interviews) Yes (Fact finding tours) Yes (Fact finding tours) Difficult Yes (Interviews) Risk Management Paradigm . 13.

Emergency Planning Threat and Vulnerability Approach Depending on the outcome.Manual Handling . explosion. 13. wind. collapsing structure. falling objects. trucks.Control Measures .Representative Scenario Identification . It suggests that the following types and combinations of risk assessments be considered: • • • A broad qualitative hazard analysis. or A quantitative risk assessment Risk & Reliability Associates Pty Ltd 13.Preventative Measures . employees and contractors. The main asset groups usually include: • • • • People (especially off site persons like pedestrians.Process Industry and Consequence Modelling Basically. floods) Phase 1 Context Definition & Legal Sign Off Vulnerability (Context) Workshop .2. the wider community.Safety Management System . people in vehicles. and visitors. neighbours. dam failure) Environmental (including storm.Protection Measures . for example: • • • • Chemical Energy (including fire. the main assets are defined and then all the possible threats to them identified.Model Scenario Impacts . The concept is that a hazard exists when an asset is actually vulnerable to a threat.2 Tiered Approach A three-stage process. BLEVE. of Planning HIPAP 2) OH&S . projectiles due to exploding 200 l drums etc) Potential Energy (including landslides. hail.Corporate Legal Sign off Phase 2 Technical Study Safety Case (WorkCover Regulations) Fire Safety Study (NSW Dept. consistent with the National Code of Practice for the Control of Major Hazard Facilities (NOHSC:2016:1996) provides a tiered approach for a risk review.High Consequence .3 . A semi-quantitative hazard consequence evaluation to determine hazard effects.Completeness Check .Group Session .Machine Guarding . emergency services) Environment (habitat) Operability (business continuity) Property (third party and company property) Threats are typically energy based in the first instance. the need for further detailed studies can be decided.Capability of Resources . toxic cloud. lighting. vapour cloud explosion) Kinetic Energy (including impact of cars.Best Available Knowledge .Low Frequency .

Zonal Vulnerability Analyses Consequence Analysis Consequence Classification Likelihood Assessment (Qualitative) EXCEEDS LEVEL II Criteria CONDUCT QUANTITIVE RISK ASSESSMENT QRA Cause Consequence Modelling (Quantitative) Escalation & Propagation Scenario Assessment HIGH LEVEL REVIEW OF ACTIVITY WITH RELEVANT PUBLIC AUTHORITY YES EXCEEDS LEVEL III Criteria MANAGE RESIDUAL RISK IEC 61508 Criteria Multilevel Risk Review The National Code of Practice for the Control of Major Hazard Facilities gives an example of the Multilevel Risk Review Process used by Dow Chemical Limited (adapted by R2A). methodology and criteria for levels I. 13. which is shown below. III with relevant public authority Checklists 'What if' Analysis Reactive Chemicals Review Consolidated Audit Technology Review Insurance Inspections IDENTIFY OPPORTUNITIES TO REDUCE RISK AND REVISE SYSTEM CONDUCT PRELIMINARY HAZARD ANALYSIS EXCEEDS LEVEL 1 Criteria CONDUCT RISK EVALUATION HazOps. The tiered approach of the multilevel risk review is structured so that if the preliminary studies do not find that there are significant offsite risks.Process Industry and Consequence Modelling RISK REVIEW METHODS DEFINE SCOPE OF RISK REVIEW Determine proposed risk review process. FMECAs. then detailed studies such as quantitative risk assessments may not be necessary.4 Risk & Reliability Associates Pty Ltd . II. A similar approach is followed in the New South Wales Department of Urban Affairs and Planning's "Multi-Level Risk Assessment" guidelines (1997).

Known hazards include a relief valve fire on the tank itself.1 Concept The figure below summarises an individual risk plotting process. the likelihood of killing an individual standing at that spot continuously for one year is known. Risk & Reliability Associates Pty Ltd 13.3.3 Quantitative Risk Assessment (QRA) 13. the so called “tethered person”. This is a preliminary individual risk diagram of a LPG tank at a service station. So if the sum of all the event frequencies per year is calculated at a point. a relief valve fire on the truck that fills it.Process Industry and Consequence Modelling 13. Individual risk is the risk that an individual would face from a facility if they remained fixed at one spot 24 hours a day 365.5 . This effectively relates to an individual such as a toddler or elderly adult who has limited mobility and may be expected to be present at a residential location for much of the time. Chances in a million per year Events and Frequencies Tank Relief Valve Fire (17x10 -6 pa) Tanker Relief Valve Fire (10x10 -6pa) Major Leak Fire (7x10 -6 pa) Tank Rupture Explosion (3x10 -6 pa) 40 30 20 10 0 Risk = 3 x 10 pa Risk = 10 x 10 pa Risk = 20 x 10 pa Risk =37 x 10 -6 -6 -6 -6 pa Site Boundary Individual risk plot for a LPG Tank (plan is a 10m grid) The likelihood of each event occurring is shown in chances per year.25 days per year. Each has a different likelihood of occurrence and a different consequence severity as well as a different location and hazard radius. Each circle represents the region in which an unprotected standing person is likely to be killed if a particular event eventuates. Having added up the cumulative risk at different locations. it is then possible to plot iso-risk contours and compare these to the land use planning criteria described later in this chapter to determine the acceptability/unacceptability of the facility or operation in question. major leak valve fires and a tank rupture with resulting vapour cloud explosion.

equipment and operations that have the potential to do harm are identified.6 Risk & Reliability Associates Pty Ltd . The number of discrete groups used to classify potential releases is dependent on the sensitivity of the overall risk results to this grouping. The process of how the failure rate of various components is aggregated into an overall failure rate is shown in the next figure. such as pinhole. Chief amongst these are: Top Down * Threat and Vulnerability Assessments (can be done on a geographic or zonal basis). Some of these techniques are discussed in Chapters 7. For example. There are a number of generic techniques that can be used to perform a well documented and systematic threat (hazard) identification. Hence the most common failure modes are various hole sizes producing different sized leaks.2 Credible Threat (Hazard) Identification Credible threat (hazard) identification is the stage where materials. as at this point there is the chance that no harm will eventuate. and rupture. the nature of available historical failure rate data.Process Industry and Consequence Modelling The generic steps for the QRA procedure for the risk assessment process hazards are: a) b) c) d) e) Context and Scope Credible Threat (Hazard) Identification Likelihood Assessment Consequence Assessment Risk Assessment (combining c & d) The five key stages of the QRA process are expanded in the following sections. all components contributing to each failure mode are identified. Hazards can have a variable number of potential failure modes. Potential Failure Components Piping Flanges Valves etc OR Hazardous Event Failure Mode Minor Leak Time Fault tree showing logical combination of component failures 13. typically a leak. * Tiered Approach (Section 13.3. 9 and 10. In order to deal with this the failure modes (hole sizes) of the equipment making up the hazard are broadly categorised in a number of discrete groups. hole. With the failure modes of a hazard categorised.2) Bottom Up * Fault Mode Effects & Criticality Analyses (FMECA) * Hazard and Operability Studies (HazOps) 13. For the process industries the initial incident usually involves a loss of containment of some sort.3 Likelihood Assessment When all threats (hazards) have been identified the frequency of their occurrence is estimated.2.3. R2A like to use the term “Hazardous Event” for the initial incident. 13. Threats can include the storage or processing of hazardous substances and operations where error can result in the release of hazardous material or damaging energy. usually by consideration of relevant historical data. piping sections have an infinite spectrum of potential hole sizes and resultant release rates. and the need to constrain the analysis from becoming overly complex.

which is one of the failure modes of the hazard in question. 13.3 Likelihood Assessment. the next stage of the analysis is to determine the range of possible outcomes for each failure mode.Process Industry and Consequence Modelling The process described here has been systematically expressed as the R2A computer based system of work as follows. pumps. • • Process and instrumentation diagrams (P&IDs) are imported as images into the R2A system. Intelligent computer 'objects' representing all valves. Threat (Hazard) Components Piping Flanges Valves etc OR Hazardous Event Failure Mode (Loss of Control) Intermediate Events Yes Minor Leak Yes No No Rapid Isolation? Large release Medium release Outcomes Small release Delayed Isolation? Time Cause Consequence Diagram The intermediate events that can cause a permutation of outcomes can be release intervention strategies such as: * * automatic detection and isolation equipment. It includes the fault tree as well as an event tree and hence becomes a cause-consequence diagram. ignition of flammable material). flanges.7 Risk & Reliability Associates Pty Ltd . high obstacle density providing the potential for the detonation of a release. with each fragmentation representing an intermediate event such as early ignition of a flammable release. manual detection and isolation equipment.3. Each isolated section is aware of failure items associated with it. and on the potential for event escalation (for example.3. pipework etc are overlaid on the P&ID. The tree branches. A useful method for representing the time sequence of events and the possible outcomes following a release is an event (outcome) tree analysis. or factors effecting the nature of a release such as: * * * early or delayed ignition of flammable releases. rainout of a two phase release. Each branch is assigned a probability. with the ends of the tree representing the probabilistic distribution of all potential outcomes. vessels. The event tree starts at the hazardous event. Up to 4 hole sizes are selected to represent the spectrum of failure hole sizes possible for the process section under consideration. Thus the failure rates for the range of hole sizes deemed appropriate for the section can be aggregated. These (potential) failure items are linked to a failure rate database. 13. The figure below shows an extension of the fault tree shown in section 13. presence of bunding or drainage for liquid releases. Identified hazards are separated into isolatable sections containing common failure modes (pipes or vessels).4 Consequence Assessment Incident Outcome Determination Having established the range of failure modes to be considered for each hazard. This is dependent on the existence and implementation of mitigation measures (automatic or manual detection & isolation).

fractional dead time analysis can provide conditional probabilities that the equipment is in a failed state when called upon (refer section 12. a dose response relationship is required. and determining the time order of these events with certainty becomes impossible. For intervention and detection equipment that fails in a hidden manner. The severity of impact that can result from these consequence scenarios can be quantified in terms of: * * * * Heat Radiation for Fireballs. which means another performance measure can be included in the risk model. Probit equations are particularly useful for heat radiation or toxic releases. The modelling of the impact of accidental releases of hazardous materials is an extensive subject. For a complex and congested plant. the analysis can also demonstrate how the performance of mitigation and control equipment will affect the overall risk result. Fractional dead time is dependent on the testing period of the equipment. As timing can also affect the size of a release. Pool Fires and Jet Fires. where a sustained low level exposure can be equally as fatal as an instantaneous high level exposure. Explosion Overpressure for Vapour Cloud Explosions. Y=5 corresponds to a 50% chance of fatality). and in a specific time order. and a variance of 1 (for example. For a simple plant where the number of possible intermediate events will be small. Flammable Concentrations for Flash Fires & Toxic Load or dose for Toxic clouds. Probit Equations To quantify the risk of fatality or injury following a hazardous release. choosing a fixed time order is reasonable. Scenarios resultant from a flammable release that have an impact include: * * * * * * Fireballs or BLEVEs (Boiling Liquid Expanding Vapour Cloud Explosions) Flash Fires Vapour Cloud Explosions Pool Fires Jet Fires Projectiles (especially 200 l drums of flammable liquid). In order to determine the extent of the impact of the consequence scenarios a model or combination of models is required for each type of consequence.8 Risk & Reliability Associates Pty Ltd .Process Industry and Consequence Modelling Each of the intermediate events is predetermined to occur at a nominated time. In these cases more complex models are required which consider all possible permutations of the time order of intermediate events. Probit equations for exposure to thermal radiation and toxic gas are expanded later in the chapter. Probit equations are usually written in the form: Y = A+ Bln(hazardous load) The probit. 13. the number of intermediate events will be large. The conditional probability of intervention strategies can be determined from reliability data of the components making up the system. Y is a random variable with a mean of 5. discussed briefly in this chapter. Impact Quantification Event trees establish the size of potential releases and their probabilistic consequence scenarios. Using event trees to show the time order of potential intermediate events following an initial release is a useful way of exploring the range of possible outcomes.4). with changes to the time order influencing the potential outcomes. Releases of toxic materials can have wide ranging impacts as toxic clouds.

some of the more common are: * * * * Individual Risk. and it is displayed as a 2 dimensional plot over a locality plan as contours of iso-risk.5 Risk Assessment Risks to the life and safety of people on and off site can be measured in a number of ways. as if there have been 10 fatalities there has also been 9. Individual risk and societal risk are discussed in Chapter 6. 10 -3 Netherland Unacceptable Limit 10 -4 Frequency of N or more fatalities per year 10 -5 10 -6 10 -7 -8 10 1 Netherland Acceptable Limit 10 100 1000 Number of Fatalities (N) Societal Risk Plot (or FN Curve) Risk & Reliability Associates Pty Ltd 13. The figure below shows a simplified example of a societal risk plot. Individual risk is the risk that an individual would face from a facility if they remained fixed at one spot 24 hours a day 365.Process Industry and Consequence Modelling 13. 7 etc. but may be at an unacceptable level for 10 fatalities. and Other Criteria.25 days per year. This is represented as a curve on log axes. For example a hazard may have an acceptable level of risk for just one fatality.9 . 8. Potential Loss of Life (PLL). The figure below shows a simplified example of an individual risk plot. for example TLS (Target Level of Safety) for rare maintenance events).3. usually chances per million per year. as it may be assumed that some individuals have the potential to only be present periodically. Societal or Group Risk. Its value is a frequency of fatality. The curve is cumulative in terms of frequency. The fact that the values are for fixed targets is not always made clear. Societal risk is designed to display how risks vary with changing levels of severity. -7 1 x 10 -6 1 x 10 1 x 10 -5 Site Boundary Simplified Individual Risk Plot (numbers are fatality frequency per year) Societal Risk is a measure of the frequency (F) of fatalities of various numbers (N) of the community for a particular hazard. which is called an FN curve.

than in a major city street. Often an analyst is forced to use failure data for 30 year old facilities simply because it is widely accepted in the field as being the most reliable. However. In practice. it does not address the public and hence the regulator’s concern of the level of risk a facility presents beyond its site boundary. 13. foreseeability. preventability and reasonableness. in particular for pipeline failure rates. the use of alternative failure rate data and consequence models can also provide different results for analyses conducted on the same plant. third party pipeline damage is far more likely in a rural area.3. For example. The result is a single number. A major limitation of quantitative risk assessment (QRA) is that it relies on the application of generic data where no specific data is available. year to year operating mode. The common law criteria are final arbiters. some form of Not Less Safe (NLS) or common law criterion is often applied. However. This allows a comparison against regulatory risk criteria and facilitates the assessment of available risk control options. Whilst relative risk may be useful for designers to choose an optimum design. "Is there any practicable good precaution. A possible answer is that whilst it is not an exact description of reality. The QRA and the application of the Individual and Societal Risk criteria then become the base case to which any special process such as construction may be compared. Not Reproducible There are arguments that the results of QRA are best used to compare the relative safety of different systems and not look at the absolute magnitude of the risk in relation to risk criteria. the risks associated with construction and commissioning provide for possible increased risk at that particular time.10 Risk & Reliability Associates Pty Ltd . 13. societal risk (and hence potential loss of life) is more flexible in terms of the habits of the population. This is basically the sum of the product of each FN pair. which extend beyond all of the above and directly address causation. Failure rates also do not take into account land use. Traditionally QRA for the petroleum and chemical industry is required to produce results as both individual risk and societal risk plots. It often deals with absurdly small numbers and statistics. which should be applied?" This tests to see if there is a simple risk control available at minimal cost that should be applied irrespective of any formal QRA type criteria.6 QRA Difficulties Unreality Quantitative risk analysis is all about finding out what things must conspire together to bring about a serious problem. or the possibility that local systems are superior to world standard. Whereas individual risk uses the "tethered person" approach. it can be the best available to date so that until another better method is developed it should be used to demonstrate due diligence. "What should be done during these potentially higher risk periods to ensure that the risk to people (the public and workers) remains not greater than the risk during normal operation". The NLS criterion is essentially a question of the form. Factors such as variable population densities during the day and protective measures installed can be taken into account when determining the number of fatalities. This does not take into consideration improvements in manufacturing and monitoring standards. which represents the expected number of fatalities per year.Process Industry and Consequence Modelling The data from a societal risk plot can also be used to determine the PLL (probable life loss). They really considers the question. and suggesting that such items be the primary focus of risk management. Standardised failure data and methodologies would also address some of the differences between QRA results that can arise between studies carried out by different analysts on similar facilities. assessing which of these has the greatest importance in the hazard. One important factor in the outcome is the failure data used. Annualising these risks in the QRA may not be wholly relevant since the precautions that are taken during normal operation may be expected to be different during construction. Typically a QRA uses a facility’s stable. which can often lead observers to question the validity of the approach. whereas more modern data is less certain.

with view factors (F) and atmospheric transmissivity (τ) used to determine the proportion of the heat incident at a specific location: 2 I = τ F × SEP Finite element analysis breaks the surface of a flame and the target down into a number of planar surfaces. 13.Process Industry and Consequence Modelling QRA is a methodology widely used in the process industry.3. An average radiative heat flux is assigned to the surface (SEP). Multilevel risk reduction ideas are being used as previously described in Section 13. so as to provide decision makers with the best possible information at the time the decision is made.4 Fire Modelling 13.2. A more transparent approach seeks to exemplify the source. Regulatory authorities are increasingly adopting these to reduce the cost burden on industry.2.1 Finite Element Modelling Thermal impacts are quantified in terms of radiative heat flux (kW/m ). and can often be contained within the site boundaries. which is the main form of damaging energy. where risk is localised. provided there in no direct flame impingement. Expense The expense of QRA is also of concern. range and application of assumptions. and aggregates the heat flux contribution from all fire elements on all receptor elements: Finite Element Calculation of a Tank on Fire Risk & Reliability Associates Pty Ltd 13. The models used to calculate heat flux represent the flame as a solid surface that is treated as a grey body radiator. "Black box" QRA approaches contain value judgements that are not made explicit and that the wide range of parameters is beset by uncertainty.4. 13.11 .

Process Industry and Consequence Modelling 13. the elements cannot “see” one another. The view factor between two differential elements can be expressed as: Fd1 −d 2 = cos β1 cos β 2 πr 2 View Factors 2.2 View Factors For each element receiving radiation. Lynch and Breeding (See Lees 1996) determines a probit value. Typically. 90 seconds exposure to a heat flux level of 12. Morbid statistics for lethality resulting from heat radiation do exist.6 kW/m 23 kW/m 2 35 kW/m 2 Effect Received from the sun at noon in summer Minimum to cause pain after 1 minute Will cause pain in 15-20 seconds and injury after 30 seconds’ exposure * Significant chance of fatality for extended exposure. Heat Radiation Values (after HIPAP No 4:1992) 2.4. * Cellulosic material will pilot ignite within one minute’s exposure.12 Risk & Reliability Associates Pty Ltd . which can cause failure.3 Effects of Thermal Radiation In order to predict the number of fatalities resulting from jet fires impacts. * Spontaneous ignition of wood after long exposure.6kW/m2 results in a fatality probability of around 50%.4. The normal vectors to the elements and the line form angles β1 and β2. and the view factor is zero. primarily coming from measurements from WW2 and military research. a relationship is required between heat radiation and fatalities. A combination of the significant levels of heat radiation follows according to the sources quoted by Lees (1996): Heat Radiation 2 1. and the exposure time t (seconds). or greater than 90°.1 kW/m 2 4. * Thin steel with insulation on the side away from the fire may reach thermal stress level high enough to cause structural failure. * Unprotected steel will reach thermal stress temperatures.2 kW/m 2 2. The model proposed by Eisenberg.4.4 Thermal Radiation Fatality Probits 2 Thermal dose is typically expressed as a combination of the thermal radiation intensity I (W/m ). * Significant chance of fatality for people exposed instantaneously. and then uses a correlation between burn depth and mortality determined by Hymes (See Lees 1996). If either of these angles is equal to. The model proposed by Lees relates thermal load to burn depth.7 kW/m 2 12. which is a normally distributed variable with mean 5 and variance 1 (so a value of 5 represents a 50% chance of fatality). * Likely fatality for extended exposure and chance of fatality for instantaneous exposure. 13. a live can be drawn to each element emitting radiation.

dragged pool diameter and flame length are dependant of the properties of the material (mass burning rate. For pool fires the flame can be represented as a tilted cylinder.Process Industry and Consequence Modelling 13.5 Pool Fires In order to calculate the heat radiated from a fire. 2 2 with soot having a SEP of around 20kW/m . The parameters used to define the flame shape for the case of a tilted cylinder are presented in the figure below. Pool diameter is often based on physical constraints such as bund dimensions. Flame height is only constrained in particular scenarios such as tunnel fires. Smoke and soot particles also reduce the surface emissive power of pool fires. and on environmental factors (wind speed.13 . Experimental data indicates that larger pool fires have a lower surface emissive power. humidity). and clean flame around 140kW/m . vapour density). Typical averaged 2 SEPs are in the order of 25-90kW/m . air temperature. Numerous models are available based on experimental observations for a large range of materials and pool sizes.1 Flame Dimensions The physical dimensions of pool fires including flame tilt.2 Surface Emissive Power The surface emissive pool diameter and physical properties of the burning product.5.5. it is first necessary to determine the size and shape of the flame. due in part to a loss in combustion efficiency in larger fires. R2A use the following correlations available from the SFPE Handbook of Fire Protection Engineering (1995): Flame Tilt: Dragged Diameter: Flame Length: 13. American Gas Association Welker & Sliepcevich Thomas Equation Risk & Reliability Associates Pty Ltd 13. Flame Tilt Flame Flame Length θ Pool Diameter Dragged Diameter Parameters Defining Pool Fire Shape 13.

tilt. but as hole sizes approach the pipeline diameter the calculation begins to over predict the release rates.Process Industry and Consequence Modelling 13.1 Release Rates Gaseous release rates are calculated using an analytical solution assuming adiabatic flow of gas leaving an orifice. which is the maximum possible velocity in the pipe. The model developed by G. The following graph shows how the release rate drops as a function of pipeline length for a 100mm diameter pipeline rupture at transmission pressure: 30 25 Release rate (kg/s) 20 15 10 5 0 0 200 400 600 800 1000 Distance along pipeline (m) 13.A.14 Risk & Reliability Associates Pty Ltd . The calculation used gives a good estimation for the release rate of a gas leaving an orifice. the gas exits the pipeline at greater than atmospheric pressure.6 Jet Flames Jet fires can liberate large amounts of energy. According to Chamberlain a release rate of 100kg/s over a few seconds would produce a flame about 65m long in moderate winds and release some 5000MW of combustive power which is more than two and a half times the output of Loy Yang power station. and continues to expand downstream of the release. Chamberlain (1987). frustum length. base width & tip width: Jet Flame Frustum 13. Under choked flow. of Shell assumes that the surface of the flame can be treated as a frustum for the purpose of calculating the Surface Emissivity Power (SEP). For full bore ruptures.6. The dimensions of the flame can be defined in terms of the flame lift-off. length. This makes the analysis somewhat conservative. Different relationships are used if the flow is "choked" (critical) or "un-choked" (subcritical). choked flow occurs when sonic velocity is achieved.

the scaled distance (z) is determined. and is usually determined from a graph based on empirical studies.7 Explosions 2 The energy released in an explosion is normally due to stored chemical energy. and can be determined from the following expression: Fr=0. For a particular criterion. fluid expansion energy or vessel strain energy. For all explosion types. 13.11 Typically the emissivities of jet flames are in the order of 100-400kW/m .2 Surface Emissive Power The net heat release rate of a flame. University of Sydney.1 Scaled Distance 1 3 The scaling is a function of the overpressure.Process Industry and Consequence Modelling 13.7.15 .00323u) + 0. sourced from the 2 report UK Advisory Committee on Major Hazards: 900 800 700 Scaled Distance 600 500 400 300 200 100 0 0 10 20 30 40 50 60 70 OverpRessure (kPa) Risk & Reliability Associates Pty Ltd 13. The following chart for vapour cloud explosions is based on the equation in "Major nd Industrial Hazards technical papers" from the Warren Centre. and the rate of gas release (kg/s).6.21 exp(-0. The fraction of the total heat that is radiated is a function of the gas jet velocity (u). and an equivalent number of tonnes of TNT (W). which can then be used to find the actual distance (r) to the overpressure using the following formula: 2 r = zW 13. owing to the more efficient combustion as a result of turbulent gas flow. Q (kW) is simply the product of the heat of combustion (∆H c) of the gas (kJ/kg). Jet flames have a much higher surface emissive power than pool fires. the energy released is equal to the work done by the expansion of gas from its initial to its final state: W = − ∫1 PdV The effects of an explosion are determined using a scaling law.

Some Effects of Explosion Overpressure (after HIPAP No 4:1992) 13. The table below outlines factors used to determine atmospheric stability: 13. and the surface area of the pool (which can be limited by bunding). and residual energy in air also occurring. * 50% chance of fatality for a person in a building and 15% chance of fatality for a person in the open. Sudden releases of liquefied gas tend to result in result in a large initial cloud due to aerosol particles and flashing liquid.1 Release Type The manner in which a material is released will have a large bearing on the toxic cloud footprint. 13. For vapour cloud explosions.5 psi) 7 kPa (1 psi) 14 kPa (2 psi) 21 kPa (3 psi) 35 kPa (5 psi) 70 kPa (10 psi) Effect * 90% glass breakage. * Threshold for lung damage. * 20% chance of fatality to a person in a building.7. 13. * Probability of injury is 10%. Pasquill stability is determined based on the wind speed and solar radiation levels (or at night. potential energy in products. Continuous releases will take longer to achieve a maximum cloud size. For an equivalent release rate. No fatality. high pressure causes forced mixing of air and gas. This is influenced by factors such as heat transfer from the ground. a yield factor is applied. resulting in a long narrow plume. 13. In determining the equivalent mass of TNT. energy release is based on complete combustion of the explosive material. * Complete demolition of house. * House uninhabitable and badly cracked.2 TNT Equivalence The equivalent quantity of TNT is calculated based on a heat of combustion of 4600kJ/kg. which will rapidly drop back to a steady state size. 1-10% of the available energy of an explosion is in the blast wave.3 Effects of Explosive Overpressure The following table outlines the typical observable effects of explosive overpressures.7.8.2 Meteorological Data Atmospheric stability characterises the conditions of convective heat and mass transfer within the atmospheric boundary layer. Typically.16 Risk & Reliability Associates Pty Ltd . which is often the same size as the steady state cloud formed by a sudden release. Explosion Overpressure 3. Energy in the blast wave of an explosion is generally a small fraction of that theoretically available. solar radiation levels. and disperse from the toxic gas cloud. * No fatality and very low probability of injury. The yield of the Flixborough explosion in which 30-40 metric tonnes of cyclohexane were released was estimated to be 4-5%. For gaseous releases.8. Major factors affecting the impact of such releases are discussed below.Process Industry and Consequence Modelling 13. low pressure scenarios are likely to have more far reaching impacts. * Damage to internal partitions and joinery can be repaired. cloud cover).8 Toxic Gas Clouds Many calculation intensive computer programs exist to determine the toxic "footprint" as a function of time in the event of a release of a heavier than air toxic gas. * 100% chance of fatality for a person in a building or in the open. This will influence both the rate at which liquid chlorine will evaporate from a pool. with kinetic energy of shrapnel. * Reinforced structures distort. Lower pressure releases tend to be wider as natural dispersion is more influential. The steady state cloud size is limited by the rate of mass transport from the liquid pool.5 kPa (0.

Process Industry and Consequence Modelling

Wind Speed (m/s) <2 2-3 3-5 5-6 >6

Day Solar Radiation Strong Moderate Slight A A-B B A-B B-C C B B-C C C C-D D C D D

Cloud <0.5 F F E D D

Night Cover Fraction 0.5-0.8 >0.8 E D-E E D-E D D D D D D

Atmospheric Stability 13.8.3 Surface Roughness Effective surface roughness (in metres) characterises the ground conditions over which a plume will travel. Surface roughness generally varies between 0.005 and 1.5m, with the lower end representing a surface such as a spill over water, and the upper end forested or built up urban areas. Increased surface roughness reduces the impact area of toxic clouds. 13.8.4 Probit Relationships Probit equations for toxic exposure take that same form as that for heat radiation exposure used by Eisenberg, Lynch and Breeding: Y = A+ Bln(toxic load) Toxic load or dose are interchangeable terms for the integration over time (t) of the concentration of a toxic substance (C), raised to a power termed the dose exponent (n).

toxic load = ∫ C n dt
The dose exponent has the effect of placing greater emphasis on acute exposures (high concentration over a short time) than chronic exposure (low concentration over a sustained period). Toxic load is expressed in terms of concentration (in ppm) with respect to time (minutes). Typical probit equation constants for chlorine exposure (sourced from Lees) are:
Probit Equation Eisenberg, Breeding & Lynch Perry & Articola Rijnmond ten Berge & van Heemst Withers & Lees (Standard Population) Withers & Lees (Vulnerable Population) A -17.1 -36.45 -11.4 5.04 -8.29 -6.61 B 1.69 3.13 0.82 0.5 0.92 0.92 n 2.75 2.64 2.75 2.75 2 2

Representative Probit Equation Constants 13.9 Fire Safety Studies

A fire safety study is a useful tool for a systematic review of an existing or planned fire prevention and protection system. It represents what would be done in the event that the risk prevention system breaks down and contingency plans are invoked. In the sense of the risk management matrix, it is a combination of best practice and simulation. From the point of an attending fire brigade, it does not have a likelihood component in the sense that the event would be assumed to be happening. That is, the brigades would only be required to attend because the undesired event is underway.

Risk & Reliability Associates Pty Ltd


Process Industry and Consequence Modelling The structure used to perform Fire Safety Studies is often that adopted by the NSW Department of Planning in its Advisory Paper No 2. “Fire Safety Study Guidelines”, namely: • • • • • • identify fire hazards (this stage may already have been completed if a top down context study has been completed) determine the credible fire scenarios from identified hazards determine preventive measures to minimise the possibility of fire model the potential impacts of identified scenarios quantify the fire protection resources required to manage the identified scenarios model the capability of proposed or installed fire protection systems capability to provide these resources

This approach is performance based although relevant codes and standards are still used for guidance. Adopted references include the NFPA (National Fire Protection Association of the USA) Codes, and Australian Standards including AS 1940 “Storage and Handling of Flammable and Combustible Liquids”. A range of fire models can be used to estimate flame impacts, usually pool fire and jet fire models. These include the use of finite element 3D modelling. An example of an R2A model used to determine the radiation impact from a high pressure gas line in a city fire is shown in figure below. This is available for viewing on the R2A website ( Once the consequences of a fire have been determined, the level of protection required for adjacent facilities and the requirements to extinguish the fire can be ascertained. This is typically done using a combination of thermal response models, code requirements and experience.

3D View of a High Pressure Gas Jet Fire in a City Block 13.10 Risk Criteria used in Australia and New Zealand

Individual and societal risk criteria have been defined by the Victorian WorkCover Authority, the NSW Department of Planning and the Western Australian Environmental Protection Authority (EPA). Other Australian States and New Zealand authorities tend to utilise a combination of these criteria when assessing individual and/or societal risk. It is important to note that such regulatory compliance does not appear to satisfy common law criteria. Even if in the ‘acceptable’ region any cost effective precaution that reduces risk further needs to be considered. This issue is expanded further in Chapter 4, Liability.


Risk & Reliability Associates Pty Ltd

Process Industry and Consequence Modelling 13.10.1 Victorian Risk Criteria Individual and societal risk criteria for public safety relating to hazardous industries have not been formally established and publicised in Victoria. There is currently a set of draft criteria issued by the Victorian WorkCover Authority (VWA), which is used by Government Authorities involved in Land Use Planning. This criteria was used as part of the Technica Ltd, “Risk Sensitivity Analysis for the Altona Petrochemical Complex and Environs”, October 1997. The following tables outline the risk criteria for individual fatality risk for both new and existing installations.
Risk Level -5 >10 pa -5 -7 10 to 10 pa <10 pa

Actions Must not be exceeded at the plant boundary All practicable risk reduction measure to be taken. No residential development applicable to new developments. Acceptable

Individual Fatality Risk - New Installations
Risk Level -5 >10 pa -5 -7 10 to 10 pa <10 pa

Actions Must not be exceeded at the plant boundary. All practicable risk reduction measures to be taken but restrictions on residential development applicable to new developments. Acceptable

Individual Fatality Risk - Existing Installations The document also establishes criteria for societal risk. Societal risk analysis combines the consequence and likelihood information with population information. This is presented as a F-N plot, which indicates the cumulative frequency (F) of killing 'n' or more people (N). A log-log F-N plot results in two parallel lines which defines three zones. a) b) c) above the acceptable limit the societal risk level is not tolerable between the acceptable and negligible limits the societal risk level is acceptable but if the perceived benefits gained by the activity are not high enough, some risk reducing measures may be required. Risk should be "as low as reasonably practicable" (ALARP). below the negligible limit, the societal risk level is acceptable, regardless of the perceived value of the activity.
10-2 Risk Unacceptable

10 -3

Frequency of N or more fatalities per year

10-4 Risk Acceptable but remedial measure desirable Risk Negligible 10-7 1 10 100 1000 Number of Fatalities (N)

-5 10



Victorian Societal Risk Criteria

Risk & Reliability Associates Pty Ltd


Process Industry and Consequence Modelling 13.10.2 NSW Department of Planning The NSW Department of Planning has published an advisory paper "Risk Criteria for Land Use Safety Planning" (June 1992) that outlines the criteria by which the acceptability of risks associated with potentially hazardous developments will be assessed. The table below summaries the criteria for the individual fatality risk for new installations. Risk Level -6 0.5 x 10 pa 1.0 x 10 pa -6 5 x 10 pa 10 x 10 pa -6 50 x 10 pa
-6 -6

Land Use Hospitals, schools, child care facilities, old age housing Residential, hotels, motels, tourist resorts Commercial developments including retail centres, offices and entertainment centres Sporting complexes and active open spaces Industrial

Individual Fatality Risk-New Installations The NSW Department of Planning also puts forward risk criteria for property damage and inter-plant -5 propagation. They recommend that risk no greater than 5 x 10 pa for levels of: • • 23 kW/m of radiative heat flux; and 14 kPa of explosive overpressure should be experienced at an adjacent site.

Societal risk is also addressed. It outlines two components of the societal risk concept, namely the number of people exposed to the levels of risk and that society is more averse to incidents that involve multiple fatalities or injuries than to the same number of deaths or injuries occurring through a large number of smaller incidents.
10 -3 Netherland Unacceptable Limit

-4 10

Frequency -5 10 of N or more fatalities per year -6 10

-7 10

-8 10

Netherland Acceptable Limit 1 10 100 1000

Number of Fatalities (N)

NSW (Netherlands) F-N Curve The department then explains that societal risk criteria F-N curves should be used cautiously. This is also the R2A experience. They provide insight into the matter under investigation and a view as to the effectiveness of proposed precautions. But as noted at the commencement of this section, compliance is not sufficient to satisfy common law criteria. Even if in the acceptable region any cost effective precaution that reduces risk further will need to be considered.


Risk & Reliability Associates Pty Ltd

A risk level in "sensitive developments". A risk level for any non-industrial activity located in buffer zones between industrial facilities and residential zones of ten in a million per year or less. is so small as to be acceptable to the Environmental Protection Authority.10. Risk & Reliability Associates Pty Ltd 13. such as garden areas and car parks. Risk Assessment and Management: Offsite Individual Risk from Hazardous Industrial Plants. such as hospitals. of one half in a million per year or less is so small as to be acceptable to the EPA. retail centres and showrooms located in buffer zones between industrial facilities and residential zones. No. NZ 1998) for land use safety planning appears to be the same as the New South Wales risk criteria for land use (Department of Planning.Process Industry and Consequence Modelling 13.9.10. the risk level can exceed the risk level of one half in a million per year up to a maximum of one in a million per year. In the case of risk generators within the grounds of the "sensitive developments" necessary for the amenity of the residents.3 Western Australia EPA Criteria In the document "Guidance for the Assessment of Environmental Factors. child care facilities and aged care housing developments.4 Risk Criteria in New Zealand The risk criteria used in New Zealand (Auckland City Council. is so small as to be acceptable to the Environmental Protection Authority. c) Risk levels from industrial facilities should not exceed a target of fifty in a million per year at the site boundary for each individual industry. and the cumulative risk level imposed upon an industry should not exceed a target of one hundred in a million per year. A risk level for commercial developments. of five in a million per year or less. is so small as to be acceptable to the EPA.21 . the Western Australia EPA has set out the following criteria for individual fatality risk. including offices. schools. a) b) A risk level in residential zones of one in a million per year or less.2. for areas that are intermittently occupied. d) e) 13. 2 (Interim July 1998)". Sydney 1990) which are listed in Section 13.

P (1996) Loss Prevention in the Process Industries – hazard Identification. Felix and Jane Rajan (1997).22 Risk & Reliability Associates Pty Ltd . Guidelines for Hazard Analysis. (1987). NSW Department of Planning. 2 (Interim July 1998) Worksafe Australia (1996). Prepared for ACC and Victorian Government. Hazardous Industry Planning Advisory Paper No. The National Code of Practice for the Control of Major Hazard Facilities [NOHSC:2016] 1996.3 Environmental Risk Impact Assessment Guidelines (1993) . Redmill. Hazardous Industry Planning Advisory Paper No.6 (1992).Process Industry and Consequence Modelling REFERENCES Auckland City Council. October 1997. Risk Sensitivity Analysis for the Altona Petrochemical Complex and Environs. NSW Department of Planning. Risk Assessment and Management: Offsite Individual Risk from Hazardous Industrial Plants. (1997). Hazardous Industry Planning Advisory Paper No. Fire Safety Study Guidelines. 65. Hazardous Industry Planning Advisory Paper No. Risk Assessment. Western Australia EPA (July 1998). NSW Department of Planning. Assessment and Control. No. Standards Australia. New Zealand (1998). Lees F. Auckland Western Reclamation Area Land Use Safety Study. SFPE Handbook of Fire Protection Engineering (1995). Oxford. Guidance for the Assessment of Environmental Factors. 13. Storage and Handling of Flammable and Combustible Liquids. Chamberlain G.2 (1993). Chem Eng Res Des Vol. Human Factors in Safety Critical Systems. NSW Department of Urban Affairs and Planning’s Multi-Level Risk Assessment guidelines (1997) NSW Department of Planning. July 1987 DNV Technica Ltd. Developments In Design Methods for Predicting Thermal Radiation from Flares. Risk Criteria for Land Use Safety Planning. Australian Standard AS 1940:1993.A.4 (1992). Society of Fire Protection Engineers. ButterworthHeineman.

Chen. Butterworth-Heinemann Ltd. Trans IChemE. The Esso Longford Gas Plant Accident. Revision 04. Richardson & Saville (1992). 72(B3) (1994).1" Barry Thomas F(1995). July-August 1995 "Gas pipeline incidents: 1970-1992. Sir Daryl Dawson. Johnson AD. Gulf Professional Publishing. Oxford. “Numerical Simulation of Full Bore Ruptures of Pipelines Containing Perfect Gases” Trans IChemE. Difficulties with Quantifying Risk. Chamberlain GA (1987).1992”. Part B.1-1997 "Pipelines-Gas and liquid petroleum. (3 Volumes) Miller Peter (1996). Managing Risk and Reliability of Process Plants.65. Vol. “A Model for Predicting the Thermal Radiation Hazards from Large-scale Horizontally Released Natural Gas Jet Fires”. 1996 European Gas Pipeline Incident Data Group (EGPIDG)“Gas pipeline incidents: 1970 . Chairman and Brian J Brooks. IChemE. Kletz T A (1986). July-August 1995. A report of the European Gas Pipeline Incident Data Group" The Longford Royal Commission Report (1999).23 . May 1992. Brightwell HM. Report No 11. Det Norske Veritas (USA) Inc (1999). an imprint of Elsevier Science (USA). Pipes & Pipelines International. Loss Prevention in the Process Industries. Part 1: Design and Construction" Australian Standards HB105-1998 "Guide to pipeline risk assessment in accordance with AS 2885. An Introduction to Quantitative Risk Assessment in Chemical Process Industries. Risk & Reliability Associates Pty Ltd 13. Pipeline Operators Group Database (1971-1995) Pipes & Pipelines International. E & P Forum "Risk Assessment Data Directory". Miller’s Tales. Tweeddale Mark (2003).Process Industry and Consequence Modelling READING Australian Standard 2885. SPFE Handbook of Fire Protection Engineering. Commissioner. and Cresley AJ (1994). "API Committee on Refinery Equipment BRD on Risk Based Inspection". 2nd Edition. Engineers Australia May 1996.8/250 October 1996. June 1999. Vol 70. London. Chem Eng Res Des. as quoted in "E&P Forum QRA Data Directory". HAZOP & HAZAN Notes on the Identification and Assessment of Hazards. 2nd Edition. Lees F P (1995). Section 5 Chapter 12. UK. Section 9. Published by the Government Printer for the State of Victoria. 1995. “Developments in Design Methods for Predicting Thermal Radiation Flares”.

By trust is meant public acceptance that: corporate management is acting in good faith. This is not the easiest thing to do. every aspect of a company’s activity that could expose the enterprise to significant risk should be known. the public can accept management claims without undue suspicion. and risk management as optimal as best practice will allow. more so if not well handled. in industrial disputes. In other words. this section will make a number of assertions regarding crisis management. but it sharpens the competitive edge. is securing and maintaining public trust and confidence. Instead. political or public relations fallout is only one aspect of risk comprehensive enough. hopefully before they eventuate . Risk management concern is mainly with those negative. now have to operate. One thing. but it is one of the most important. it can accept the corporation’s stated agendas as its real agendas. Spotting and assessing risks that may result in crises with legal. The first of these assertions refers to the most important guideline in managing fallout. or responses to a negative – that is a decision not to do something. cost overruns or bankruptcy due to inadequate financial management or criminal fraud. Risk & Reliability Associates Pty Ltd 14. and these agendas are public interest as well as special interest agendas. safety or environmental effects.1 . engineering failures. sometimes unexpected reactions that can threaten the corporate image. challenges to a corporate project at the proposal stage. the intention is to skip the customary introductory points about the need for contingency planning for crisis or incident management. “Fallouts” refer to the various sorts of external reactions and business consequences that may follow corporate decisions and activities. The range of relevant risks matches the wide variety of fallout possibilities. or a failure to perform as expected. and will always remain about. is certain. and/or in the courts and the legislature. Efforts made to achieve this goal rarely fail to pay off. Effective risk management not only avoids or reduces losses. One thing that managing fallout is always about.Crisis Management 14. The assertions also aim to prompt consideration of whether existing systems for managing risk within readers’ organisations are appropriate to cope with the rapidly changing social. backed by illustrative examples and case studies. public and private bodies. assessed and managed to best effect. Crisis Management Ideally. political and international public environments in which both corporations and government. how to identify risks and prepare to manage them. perceptions by influential elements in the community that a corporation’s priorities or values clash with the public interest. Good governance requires that risk identification be comprehensive.1 Intention As this chapter mostly addresses those already involved and experienced in many aspects of coping with risk. the range and possibilities of fallouts are fairly limitless – both in respect of their causes and the way they unfold. legal. doubt. Total success may be more an aspiration than a reality. Fallouts can be fought out in the media. Fallout crises may be triggered by events such as: accidents. in protest actions. 14. however. The aim is to help readers check whether their current thinking on risk – that is. or cynicism. and other such events that have adverse health.

But this does not undermine the basic democratic legitimacy of these public interrogations and their social utility. In the end the outcome will boil down essentially to what the facts are. refers to ability. From September 11 to Bali. or mischievously provoked. Often this involves saying or inferring that critics are acting for reasons of special interest. and professionalism of management to get jobs done properly – i. diligence. Nevertheless. or is it to cut cost in line with some political agenda. who can be most believed? Rough and tumble working out of public accountability is an essential feature of the democratic process. on the other hand. the professional integrity and proficiency of managements. is the dominant and only aim to improve the quality and availability of services to the public. or to cater only for some special interest? Trust relates to corporate ethics and social responsibility. and with the end product delivering what earlier promotion led the public and/or consumers to expect. safety or the environment. More often than not.2 Risk & Reliability Associates Pty Ltd . Local and international media deliver almost daily free and detailed lessons in fallout management and mismanagement. Throughout all this coverage. Confidence. on budget. accusatory and insulting. fallouts involve legitimate and desirable public interest probing into how matters affecting the public or some significant section of the public. we have little excuse for not all becoming experts on the risk of fallout and its management. or when products are perceived to disaffect public health. 14.2 Lessons in Fallout Management Given the current political and business environment. this does not reduce the importance of accountability and transparency in a democracy. daily news headlines have been on little else. most recently of all. or out of sheer “agin-thegovernment” bloody-mindedness. Criticism may be unnecessarily abrasive. Managing fallout always remains a battle for public credibility between managements and their critics. safely. stress is clearly on trust and confidence . Public suspicions may sometimes be unfounded. HIH. What is the truth. political parties. from Enron and Arthur Anderson to OneTel. 14. A common temptation in managing fallout is to fall back on accusing the media. to the accuracy and political use of intelligence to justify the pre-emptive war on Iraq. unresentful. Presumption of innocence until proven guilty is not a prominent feature of media trials. or activist groups of unwarranted interference and trouble-making. and. efficiently.especially when public services or key infrastructure development or redevelopment are involved. another tutorial in the dos and don’ts of fallout management or mismanagement. Quite often the manner of questioning is unnecessarily shrill and abrasive. or some other essential public service.that is. law enforcement. on the credibility and competence. and/or by special interest and ideological preferences of one sort or another. education. are being conducted. the battle is still about re-assuring or reearning public trust and confidence. Confidence: This refers to public confidence in the competence.e. Most people are more confident in those managerial spokespersons who manage to respond in a workmanlike. No matter whether this is the case – as it sometimes is – or not. and National Australia Bank. to the challenging of church managements over the handling of child abuse cases. from the Tampa and “children overboard” controversies. Ansett. or at least. It will remain an ever-present occupational hazard of management . when it comes to changes (say) in health.Security & Crisis Management For example. Obviously some fallout questioning is motivated by partisan political opportunism. fact-focussed. ideological opposition. Every day brings a fresh instalment. on time. up-front way to media questioning even when that questioning is at its most deliberately provocative.

Not the most jolly and comfortable part. and the techniques that succeed or fail to manage them effectively. Even when the process is misused and Rafferty’s Rules apply.4 Case Studies Before proceeding to two specific case studies of contrasting fallout technique. Should combat or communication. be foremost in one’s approach to fallout management? The following two case studies may help readers decide between the two approaches. Trying to re-write. 14. fact or spin.3 .e. as we well know. Even statements and directions that seem perfectly clear and simple can be badly misunderstood. The dynamics exposed so starkly in these examples highlight the basics of risk management: i. political and special interest groups many of which. 14. it is more likely to super heat the frying fat. but an inevitable part. after the fact. The design stage is when the risks of proposed policies and projects should be comprehensively explored. But they have the advantage of being widely applicable. are more than capable of vigorous and practised response. But this enhances rather than limits the lessons they carry for smaller scale enterprises. explanation or avoidance. avoidance or obfuscation. the sorts of issues they raise. This exploration should include how. It is at the design stage that we should explore how proposed decisions might be misunderstood or challenged. Both cases involved global product recalls. it is useful to repeat a little more bluntly the key point that has been made so far. the origin of fallouts. As Arthur Anderson discovered. One clear lesson is that what management does. if necessary. during the fallout is obviously limited by what they did or didn’t do before the fallout.3 Design Stage Managing fallout effectively obviously begins at the design stage. In these times when political and PR minders and spin doctors seem to abound. Both are classical illustrations of good and woeful fallout management. Not only in terms of the likely and possible impact on the public in general. Training is seen too much in terms of preparation to do battle with hostile. Also how projects can be unambiguously explained and communicated to watchful and potentially critical elements of the general public. but also on particular community. unfair and tricky adversaries only . the importance of prior risk identification. Fallout management.Crisis Management The ability of some spokespersons to do this seems to come when they accept that public accountability is an essential and proper part of their job. more benefit accrues overall to the corporate image through frank and willing engagement with the public than through resentful reluctance. public interrogation and response. openness or secrecy. when unintended consequences may have manifested themselves. is a legitimate and desirable aspect of democratic accountability. re-interpret or shred history after the event has limited success. decisions can be justified later. Risk & Reliability Associates Pty Ltd 14. or can do. Some see fallout management largely in terms of merely training spokesmen in PR and political minder-style techniques for media appearance. The fallout cases selected for mention so far have been particularly dramatic and occurring at the highest national and international levels.the negative approach rather than a positive bid to win public trust and confidence. there is a danger that managers will be tempted to think cynically of the fallout process.

One claim was that contamination was confined to the US shipment. Media focus on the Perrier story intensified. During the course of the fallout it was revealed that not only did the benzene come from the natural spring source in France. Tylenol Now let’s contrast the Perrier outcome with Proctor and Gamble’s handling of the Tylenol incident. These claims were later shown by the media to be false or mistaken. organic sort of lifestyle image. By the end of the fallout and for a long time afterwards. Neither was it calorie or sodium free. using advanced technology. Perrier’s fallout was triggered when a US health authority. many thought the company should have known.Security & Crisis Management Perrier One recall was by Perrier of its mineral water in 1990. Perrier claimed that the mineral water was pure at its natural source – that it was naturally sparkling. what was in its product. and that it was calorie and sodium free. Brand loyalty of its consumers was decimated. but also that the water was not naturally sparkling as it was in the bottled product. Perrier’s image was built around promotional slogans like "It's Perfect. transparency. When the extortion threat was first brought to the company’s attention through the media. There was obviously little anticipatory risk management and little or no coordination between risk management and Perrier’s marketing consultants. Among the public. 14.plans thought out in the calm times before any crisis occurred. few saw the corporation’s image in terms of competence. Benzene is considered potential carcinogenic. ignoring or concealing so many potentially explosive risk factors in it’s marketing. Another was that the benzene came from bottle cleaning. Many consumers obviously saw Perrier as the fashionable drink of choice for those wishing to display a health-conscious. When a criminal extortionist poisoned Proctor and Gamble’s Tylenol tablets. By overlooking. Proctor and Gamble had previous assessed the risk and had contingency plans in place . Note that in the Perrier case no one was injured and probably no one’s health was really damaged. Perrier was inviting disaster. The company’s image was also adversely affected by that fact that at no time during the fallout did the company apologise to its customers or express concern. detected benzene in a shipment of Perrier water from France. Its eventual retractions were regarded as forced confessions. The other was the recall by Proctor and Gamble in 1986 of its pain relieving Tylenol pain tablets. Ultimate stock market and other business losses exceeded their value many times over. Credibility went to the media for dragging the facts out of the Perrier spokespersons. it's Perrier" and words like "Natural" and "Pure" and “Health”. several consumers died. As a result. credibility. The company got no credit for finally admitting these facts. Company spokesmen gave the impression that they regarded public questioning as something of an unwarranted impertinence. and good governance.4 Risk & Reliability Associates Pty Ltd . The investigative spotlight extended to Perrier’s promotional marketing. but the concentrations involved were small – on a borderline above US but below WHO standards. The concentration was allowable under World Health Organisation standards but not under US standards. Re-establishing the corporate image was a slow and painful task. perhaps did know. The value of the mineral water product lay in lifestyle image. however. 160 million bottles of Perrier eventually had to withdrawn and disposed of. Different Perrier spokesmen in the US and France started making factual assertions to the media before the company had established the facts. This immediately set back the company’s credibility and aroused the media’s blood scent.

Crisis Management It was the corporation’s CEO, not a low ranking staffer, who immediately appeared as spokesperson. He went straight on the nation’s leading media interview show. First, he declared the company’s concern for its customers. He said the company’s first priority was public safety. He said a global recall was already in motion. He announced that 24-hour, toll free, multiply phone-in lines had been set up to handle all inquires and problems. All phone-in staff were fully trained and kept up-to-date by progress briefings The CEO admitted that in hindsight the product would have been more secure if it had had tamperevident packaging. This would be corrected. He was the company’s only media spokesman on the issue. He refused to hazard guesses when asked factual questions about which he was uncertain. He explained why the facts were not yet clear and what was being done to establish them. Willing transparency, demonstrable competence and public interest priorities were the qualities that won the corporation the public’s trust and confidence. In contrast to Perrier, Proctor and Gamble emerged from its fallout with an enhanced rather than a splattered public image. In a short time, the value of its shares and its product market leadership went back to pre-incident levels. 14.5 Conclusion

Unlike the positive focus required of the enterprising movers and shakers vital to corporate energy and achievement, risk management has the job of looking at the grey sky scenarios - not just the sunny blue ones. It is right and proper for mainstream managers to keep their hearts and eyes on new fields of conquest. It is the risk management function to spot and mention the minefields that may slow or even prevent them reaching their goal. The current state of corporate credibility with much of the public is somewhat damaged. This has occurred at the very time that governments and others are putting pressure on corporations to expand good governance. These two trends comprise a sort of pincer movement, creating a fairly rugged environment in which to manage.

Risk & Reliability Associates Pty Ltd


Security & Crisis Management REFERENCES When the Bubble Burst, The Economist, 3 August 1991. Article on the Perrier incident. Gideon Haigh (1991). The Business of Managing Crises. The Age. 15 August 1991. Summary article including a review of the Tylenol incident. Gideon Haigh (1991). Ignorance is not Bliss in Crisis Management. The Age, 16 August 1991. Article on the Perrier incident. READING David Elias (1997). Arnott’s Agenda. Textbook case was the template for food threat. The Age. 22 February 1997. p A20.
th nd th th rd

Murray Mottram (1995). Going, Going, Gone. The Sunday Age (6 August 1995). Article on the Iron Baron incident.


Risk & Reliability Associates Pty Ltd

Case Studies


Industry Based Case Studies
Airspace Risk Assessment

An Airspace Risk Model (ARM) was developed to address the risks of various airspace classifications for Airservices Australia, in particular those in isolated areas (Jones et al). Initially this model was used to determine the level of risk for both the current and proposed methods of operating in Australian airspace. The critical event as defined by the airspace risk model is the ‘near miss’. This is considered to have occurred when two or more aircrafts come within the defined horizontal (1 Nm) and vertical (500 feet) limits without being aware of the other’s presence. By defining this as the critical event it is assumed that the loss of control of the situation is identified as the point at which movement of the control surfaces of an aircraft at risk would not have any significant effect by the time the collision point was passed; that is that no matter what the actions of the pilots were at this point the results would still be ruled by luck. This is deemed to have occurred 12 seconds before any near miss / collision. The cause/consequence diagram is centred on this critical event from which the consequences flow from left to right. Time is also considered as always progressing from left to right across the page. The figure on the next page shows this cause/consequence diagram. Event diagrams were developed to show the sequence of events that lead to the critical event in the cause/consequence diagram: * * * * Traffic Alert not received Aircraft cannot receive call Considered action fails Evasive action fails.

The event diagram for the “Traffic Alert not received” is shown below. An event diagram was also developed for the other three events.

Aircraft cannot recieve call

or ATS alert fails

Traffic Alert not received

& Traffic alert not provided

No alert from other aircraft

Event Diagram for Traffic Alert not received Once all these event diagrams had been developed and verified the model needed to be quantified by the panel of operational research personnel (who also referred to various surveys and publications). Once this was done the values were inserted into the model and solved using methods outlined in Chapter 9 of this text. The results showed that the model was quite sensitive in some areas, which required further investigation. This quantified risk analysis approach (cause-consequence modelling) can be calibrated to give an assessment of the existing risk of the particular system under study. By testing such models against both the available data and the experiences of senior management and the technical personnel in the industry concerned, it is ensured that the model accurately reflects the best available information and knowledge at the time it is used to make decisions regarding risk acceptance and risk reduction, if required.

Risk & Reliability Associates Pty Ltd


Collision? Aircraft Loss? Populous area? Yes Aircraft loss & 0.01 collateral damage 3.60 E-16 Yes Aircraft Loss 0.90 3.60 E-14 Yes 0.01 Collision 4.00 E-14 No Slight damage 0.10 Fly away 4.0 E-15 No Null No Aircraft loss 0.99 only 3.56 E-15 & 1st aircraft fails to avoid 2nd aircraft 2.00 E-06 Loss of Control of & aircraft energy Envelopes overlap. Aircraft collision 4.00 E-12 & 2nd aircraft fails to avoid 1st aircraft 2.00 E-06 Critical Loss of Control Event 0 seconds Immediate outcome? +10 seconds Aircraft loss? +30 second Collateral damage? +3 minutes

Case Studies

ATC Separation inapplicable

1.00 E+00

1st Aircraft

5 minute response. Considered action fails from page xx 2A 2.00 E-03

1st Aircraft 1 minute response. Avasive action fails from page xx 2B 1.00 E-03

2nd Aircraft

1 minute response. Avasive action fails from page xx 3B 1.00 E-03

2nd Aircraft

Cause-Consequence Model for Enroute Airspace Collision Risk

5 minute response. Considered action fails from page xx 3A 2.00 E-03

Risk & Reliability Associates Pty Ltd

ATC Separation

Considered action 5 minutes

Evasion Action 1 minute

-6 0.-5 SECTION OCCURRENCE FREQUENCY ( per annum) Head On No Yes No No Yes No Yes No Yes No No No Yes Yes No No No No No Yes Yes No No No Line Case 0.2 Train Operations Rail Model Risk analysis is being used by NSW CityRail to rank infrastructure renewals in a way that ensures that work.42. Section data Analyst LINE First 17/1/92 2:06 PM Last Prev Next Show Item Calculate Line Code Enter Cancel Kevin Anderson Main SECTION Fingerme to Hurtledown LINE HAZARDS & CONTROLS Wrong side failure probability Visibility failure probability SECTION DETAILS Autocalc 7. The information required is that which would enable the estimation of the likely frequency of occurrence of a train collision on a particular section of the track.3 .1472 0.14.1 11 11 .-5 1.1 11 10 Section Based Data Sheet for the Estimation of Railway Collision Risk Data (illustrative purposes only) The data in this sheet is then used in the Fault and Event Tree (cause-consequence model) for the Loss of Train Energy that calculates the probability of the possible outcomes.42.-6 1.27. Risk & Reliability Associates Pty Ltd 15. With respect to this.Case Studies 15. This would also allow management to assess the cost of providing a specific level of service and safety. management can then identify and eliminate safety and service risks by doing specific projects. This is shown in the figure below. which is done.5.79. This is done by obtaining specifications on the acceptable ranges of quality of service from assets. The data sheet designed for this input data is shown below.34 Track CONDITIONAL PROBABILITY Head On A B C Rear On Signals No Run 1 w/o ATP Main TRAIN CONTROLS TRAIN Driver 2 DeadMan Vigilance AWS ATS ATP Model Case A B C D D 2.-9 Automatic warning system (AWS) No Mechanical trainstop/trip (ATS) No Electronic transponder (ATP) Model Case Line Case 14 63 Points 30 Interlocking 2 Train stops 5 Length 9.1 240 258 . of which the lower bounds are considered unambiguously safe for all possible levels of operation.-5 0.-6 2.5.79.-6 1.1 84 84 . or alternatively the levels that can be provided with the funding available.87.27. will have a significant impact on the business (Anderson et al 1992).8084 Main Model Case Rear On Run 1 w/o ATP TOTAL EXPOSURE A % late upWk dnWk B C D Run 1 w/o ATP .6611 0.-8 7.-5 1.

4 Risk & Reliability Associates Pty Ltd .Case Studies 15.

An initial assessment of almost half the campus building floor areas was done concentrating on the adequacy of the following systems: • • • • • • • • emergency procedures alert and communication systems exits exit signs and emergency lighting smoke control systems air handling systems fire penetrations inspections testing and maintenance fire detection and control systems This assessment revealed considerable life safety problems. work priorities and work completed to be available to management. This method would also ensure the limited pool of funds was used effectively. which would enable accurate assessment of deficiencies. 15. that is the maximisation of the risk reduction per dollar spent. The authors provided advice regarding the establishment and ongoing use of a Fire Risk Management Information System. Due to this the costs of fire risk management was then translated into the optimisation of the total costs of risk.3 Fire Risk Management (in buildings) Monash University owns or occupies many different types of buildings from multi storey high-rise buildings to low-level sprawling buildings of varying ages. Each one of these has a different level of fire protection.5 . ‘an acceptable level of risk’ and ‘duty of care’ as defined by the Victorian Occupiers Liability Act (1983) and the Victorian Occupational Health and Safety Act (1985). which would require large amounts of funds to correct. corrective costs. Valley Hieghts Blaxland Warrmoo Springwood Faulconbridge Emu Plains Lapstone Glenbrook Blackheath Mt Victoria Medlow Bath Katoomba Leura Wentworth Falls Bullaburra Linden Hazelbrook Lawson Woodford Newness Junction Bell Zig Zag Tunnel Edgecombe Oakley Park Lithgow Bowenfels A Computer based Network Layout to which the Section Data is linked This allows the entire system to be managed on a single sheet with a juxtaposition of data that is highly relevant to the task of determining the relative importance of different line and train controls.Case Studies This data sheet is in the background of the layout below. Risk & Reliability Associates Pty Ltd 15. This was done with respect to safety.

This model was used to emphasise the time of occurrence of various conditions and related to the risk control measures. Office Occupancy 3. which relate to the items being: • • • not installed installed but not maintained installed and maintained Data files containing the above probabilities are used to calculate each building’s risk of multiple deaths.inspection and testing) is also included. Overall the following steps were followed. Applicable financial data (including the cost of maintenance . can also be viewed. With respect to this project the calculated level of acceptable risk was defined as one or more fatalities with a frequency of one (or less) in a million per year. If the calculated risk were greater than this value then risk reduction measures would be deemed necessary. A user-friendly interface that has all the relevant calculators in the background was developed on a Macintosh computer using “SuperCard” software. Particular building in their current state of life safety risk. There are fifteen factors that affect the probability of escape (shown in the fault tree). which can be put out with an extinguisher and does not require fire brigade response. is not considered in this type of analysis. Produce hierarchical list of risk reduction measures to be undertaken and the corresponding reduction in risk. which can be used to achieve specific risk levels. This routine provides a hierarchical list of risk reduction measures to be undertaken and the corresponding reduction in risk. A time sequence fire model was used to analyse the event/consequence model. Risk & Reliability Associates Pty Ltd 15. An acceptable level of risk can be determined by analysing existing risks. These include: − − − − smoke detection occupant response fire rating of doors. this tree describes the failures or faults that have to occur before the top event of this tree eventuates. which are familiar to and accepted by the public. Develop a fault tree for the system. Laboratory Occupancy Each of these occupancies has different parameters. i) ii) iii) iv) v) vi) Analysis of current life safety equipment. A smaller fire. which relates directly to the level of success of escape from a burning building.6 .Case Studies An unacceptable level of risk is reached when the risk of fatality is assessed to be too high. walls etc. This allows the user to look at any of the building categories listed above. Definition of the ‘level of acceptable risk’ and the number of fire starts per year. A fire risk optimisation model was then used to rank the buildings in descending order of risk. sprinkler system operation (where installed) A fault tree was then developed to describe the system. which affect the result of the fault tree. Each of these factors has three possible probabilities. Calculate the building’s risk of multiple deaths with the system in its current state. This type of modelling is described in greater detail in Chapter 9 of this text To add to the complexity of the analysis the buildings were also classed as one of four different occupancies: 1. Rank the buildings in descending order of risk. A summary of hazards and involuntary risks resulting from voluntary and involuntary activities are shown and discussed in Chapter 9 of this text. The frequency of larger fires is then determined and any parameters that would aid in early detection are considered. Residential Occupancy 2. Public Occupancy 4.

These lines were built before the establishment of industry based guidelines.55 m 4.2 m 5. best industry practice or guidelines. This is preferable. but the risk is deemed acceptable provided the appropriate preventative control measures are put in place.3 m+0. the following conductor “risk” thresholds can be established. which ranked the lines according to the severity of the breach of clearance according to the statutory minimum clearance obligation of 5. to reduce the amount of overall expenditure.4 Transmission Line Risk Management Over 30% of the transmission lines used in Tasmania are 50 years old or more. equipment and environment.3 m are over dimensioned and require statutory approval before movement can commence.Case Studies 15. to determine the consequences of these hazards and to compare these risk levels with acceptable risk exposure levels documented by legislation.5 m =5.55m.2m.25m and flashover distance for 220kV is 0. The other techniques used to rank hazards and solutions were to quantify the level of risk exposure to people. (this is greater for other categories). Flashover distance for lightning strike (about 500kV) is 1. A1 A2 B0 B1 B2 4. The four main parameters of the risk model were: • • • • identification of critically exposed groups classification of credible hazards development of cause/consequence diagrams to determine what events have conspired together to cause loss of control of conductor energy under consideration. and determining acceptable risk criteria 15. In the case of deferral the likelihood of an unwanted event occurring is increased.3 m+0.7 Risk & Reliability Associates Pty Ltd . as the cost of fixing all infringements would cost tens of millions in capital expenditure over a number of years. Also a number of these lines were built across what were remote areas.55 m =4. Flashover distance for 110kV is 0.75 m =6. Vehicles over 4. The Australian bridge overpass design height is 5. As a result of this many of these lines do not meet the clearance requirements outlined by the Electricity Supply of Australia (ESAA).05 m 110 kV flashover threshold for maximum dimensioned vehicles 220 kV flashover threshold for maximum dimensioned vehicles Lightning (500 kV) flashover threshold for maximum dimensioned vehicles (ESAA Guideline for 110kV non traversable) 110 kV flashover threshold for over dimensioned vehicles that fit under bridges 220 kV flashover threshold for over dimensioned vehicles that fit under bridges (ESAA Guideline for 220kV non traversable) 15.5 m+0. This was done with the use of a risk-ranking model. but due to new roads being built and greater access to these areas by the general public via off road vehicles.5 m+0.3 m+1. For this reason greater clearances to comply with the ESAA guidelines are required and hence may pose a danger to the community and environment in their current state.5 m above roads.85 m =5. Thus for traversable areas. This model also aided management in deciding whether expenditure on refurbishment or development projects could be minimised or deferred.25 m 4. and to optimise operations whilst also limiting their legal liability.1 Risk Criteria The rationale for ground to conductor clearances prescribed by the ESAA Guidelines could not be established.5 m. This method was chosen to assist the Company in obtaining the greatest risk reduction per dollar spent.55 m =4. so the following analysis was made. Tasmania has adopted Risk Management techniques as an essential part of the Asset Management of the transmission system (Houbaer and Seddon 1995). Transend Networks Pty Ltd.25 m 5.4.

7 m 7.2 Process The Transmission Line Risk Management System is a PC based desktop colour publishing solution to assessing and managing span-based hazards. 15.6m for 220 kV conductors or 9.8 Risk & Reliability Associates Pty Ltd . The prime focus is on direct flashover hazards to the public.4. scenic views encouraging low flying pilots) needs to be assessed and noted on the register page. but the field operative should try to consider if any other hazards to any other exposed group exist.7m for 110 kV conductors and 7. 5. abseiling and others. If a procedural solution is adopted (for rare excessive conductor sags) during extreme weather/load conditions then this needs to be formally documented and implemented. (ESAA Guideline for 110 kV traversable).5 m Lightning (500 kV) flashover threshold for over dimensioned vehicles that fit under bridges. The original design data is transferred to an Excel Spreadsheet format on disk. Some Field Verification of the original design data occurs as required. taking into account factors like land use.2.3 Field Inspection . Infringing spans (generally less than 6. (ESAA Guideline for 220 kV traversable). This information is then transferred to the TLRMS PC and analysed. hang gliders. The single 'help’ page lists the possible hazards considered by the original expert team.Case Studies C1 C2 C1 15. for example. conductor crossings and the various infringements determined above.Best Available Data Established Based on the results of the above. road and rail crossings. 15.2 Desk Top Risk Assessment This considers each span. is the same as the ESAA Guidelines for 110 kV.2 m =6. The operational steps are: 15. The process was developed with the support of the HEC solicitor. suspect spans are inspected in the field using specially developed single A4 Register pages. A Register of Offending Spans is then printed by Transmission Number Line and Core Temperature.4.4.4 Final Assessment and Action a) If the span data is correct then the proposed (infringement) control option/s needs to be selected and costed and marked on the register page. If a physical change is implemented then the design data needs to be altered and the TLRMS item re-run. If the ground or conductor profiles are incorrect then the TLCAD data needs to be corrected and the above two stages repeated. The control option data is then inserted into the TLRMS PC and the risk and control data options exported to an Excel spreadsheet. This data is then ranked by: Worst Electricity Supply Association of Australia (CB1) infringement per span Worst Electricity Supply Association of Australia (CB1) infringement per linear metre Greatest hazard reduction per dollar spent for design controls e) f) Action budgets are formulated and plans made. Regular training and/or drills will be required. It must be done by someone knowledgeable with the conductor and its environs. c) d) 15.4.2. b) Special hazards related to special critical groups (for example.5 m+1.1 Preliminary PC Based Risk Assessment using Original Design Data A preliminary computer based assessment is made using the original data used in the design of the transmission line.5m over public roads) for alternative conductor core temperatures (typically 49°C and 75°C) are determined.

is the worst-case scenario. adequate water supplies and access roads. iii) iv) 15. in particular lives.5 Bushfire Risk Management The need for risk management or the reduction of loss control in bushfire prone areas is discussed at length in a paper written by the authors after the devastating Ash Wednesday bushfires (Anderson and Robinson 1984). the minimum loss situation.1 Assets The main assets that need to be protected are lives. property and areas of particular environmental/habitat significance. (also referred to as ‘Normal Loss Expectancy’).Case Studies 15.3 Asset Exposure Obviously as the fire reaches and grows beyond the controllable stage the options for fire retardation decrease and the losses increase significantly. Risk & Reliability Associates Pty Ltd 15. which assumes no loss of life and minimal loss of property. The maximum loss situation.2 Threat Assessment To assess the threat to an asset an estimation of the type. 15.5. Concentrating on prevention measures within the ambit of local councils. This will include both active and passive management items such as the application of planning controls and standards for road access and water supply reticulation reliability. property (residential. Identifying assets also identifies where fire protection needs to be concentrated. This exposure increases with the decrease of housing density and increases with the lack of clearings. This would be based on history and Rural Land Mapping (which includes an assessment of fire hazard). The main objectives of such a bushfire risk management system would include: i) ii) Relating the costs of various bushfire protection methods to the vulnerability of threatened assets. commercial and municipal) and areas of high environmental/habitat quality. The probability of fire is dependent upon the supporting environmental conditions such as wind. There are generally three stages of fire growth that can be directly related to asset loss. Documenting methods of environmental management towards an optimum level of bushfire prevention and safety. temperature and combustible loading. Determining an appropriate balance between environmental conservation and fire hazard reduction practices. severity and frequency of hazards needs to be made. 15.5.5. (also referred to as the Maximum Foreseeable Loss). Obviously any information available on past incidents will be useful to this assessment. Fire inception phase which there is very little loss.9 . is defined as the largest loss expected under normal circumstances.

or radio time for warning through fire danger period Evacuation of residents to town. no loss of life. in gutters and ensure fire fighting eqipment is kept for households in isolated areas Make cleared areas available Once the fire is at a size it can be easily detected. Complete evacuation to town and clean up groups may be sent out after critical period to save houses. which are both passive and active. should be fire proof to an appropriate level Fire crews maintaining communication links to HQ's and obtaining information on water supplies etc. loop roads for 2 way access to all areas. some loss of life to fire fighters but minimised with better equipment. knowledge of fire situation and behaviour Fire crews in fire resistant tankers Emergency water supplies operated by diesel pumps (say underground tanks) No one way roads. .15. Some examples are shown in the table below. siren) to alert to evacuation to town.10 LIVES Rural Not at Risk Not at Risk Control Public access to habitat areas. this would act as firebreak.use a helicopter on days of total fire ban) Once the fire has been detected. Not at Risk Rural residents evacuation to towns (elderly . Critical buildings could be placed in park area. children ). Emergency water supplies. Some loss of houses. some may remain to protect houses. in the case where only minimal areas could be cleared the evacuation center should be double bricked and sprinklered via underground piping or alternatively the evacuation could be underground. Infra red fire towers minimise detection time Increased surveillance particularly on days of high fire danger (e.g .4 Protection Measures In the initial stages of the fire. were then proposed for both the Normal and Maximum Foreseeable Loss expectancy. Urban buildings protected as part of protection of critical areas. Prevention Measures Applicable At Various Stages of A Bushfire Risk & Reliability Associates Pty Ltd Fire developed to the uncontrolled stage. Not at Risk Enforce the clearing around houses. Overall community info. system (eg. Protection measures. Not at Risk Control burning off through enforcement Clear roadsides as part of regular works program Once the fire has started to develop. If possible ground crews dispatched to work on most significant areas. Experienced fire crews to do maintenance/ clearing in significant aras. (say sufficient) Protected by golf course on the north side of the township.5. No further protection possible Case Studies ASSET FIRE STAGE>> PROPERTY Urban 15. urban fringe buildings outside of protected area may be at risk. Patrol areas in high fire risk areas Firebreaks around habitat if minimal disturbance to occur within areas Water Supplies in habitat area or nearby areas or provide an area for animal evacuation Infra red fire towers SIGNIFICANT HABITAT/ ENVIRONMENT CRITICAL FACILITIES & SERVICES Not at Risk Population density ensures detection in which case they should be made fire resistant If public in isolated areas public knowledge of fire danger days important Population density ensures detection in towns Water pumps etc.

This means that it is the change of the tunnel environment by the fire that creates the loss of control. small contractors.6. A very reduced sample for a tunnel is shown in the table below. Risk & Reliability Associates Pty Ltd 15. In a tunnel this is potentially far more problematic because of the contained environment. The tunnels should only have sweet. Emergency ventilation to prevent a situation becoming a confined space is an attempt to restore control and acts after the event. Even an unmanaged 5 MW fire can create substantial problems for persons remote from the fire unless special precautions are taken.1 Loss of Control Point The loss of control point appears to be that fire which overwhelms the usual air handling system. decent air whenever they are occupied. The figure below shows a preliminary cause-consequence model for a fire in a heavy commercial vehicle (HCV) in stalled traffic in a long two-tunnel system using longitudinal emergency ventilation (jet fans). even during a fire/smoke incident. There are several arguments for this. Including Elderly. people who Breakdown behave erratically services x x xx xx x x x xx Emergency Local Habitat/ InfraServices Residents Environment structure & Fire brigade. Otherwise they would be considered a confined space.6 Tunnel Risk Management The following is summarised from Robinson. On an open freeway a fire is mostly an isolated event since the heat and smoke goes up and exposed persons (beyond those trapped in the vehicle/s) basically stay away from the inferno until the brigade arrives or the fire burns out. Air quality Third Party ambulance & police x xxx x x x Threats Motorcycle breakdown Passenger car breakdown Bus Breakdown HCV load fire stationary vehicle in free flowing traffic HCV vehicle fire burning vehicle in stationary traffic Injury/entrapment accident .all lanes blocked Pedestrians in Tunnel on walkway Cyclist in Tunnel xxx xxx xxx x x x xx x x - - - xx x xx x x x x x x - - - Sample Vulnerability Table HCV (heavy commercial vehicle) fire especially in stationary traffic appears as critical (xxx) for three exposed groups and is analysed further.all lanes blocked Fatal accident . Assets>> Travelling Public Operator Staff Including Disabled. The simplest. Francis & Anderson (2003). An initial vulnerability assessment was conducted as a completeness check to test for issues to be addressed. legally.Case Studies 15. probably revolves around confined spaces. 15. children.11 .

Other than the lane restriction and the possibility of collision. As suggested in the diagram above.0001 pa Smoke/fire overwhelms usual air handling systems 5+ MW Fire? 0.12 Risk & Reliability Associates Pty Ltd .Case Studies Threat controls Dangerous goods restrictions Non combustible vehicles Threat Fire in HCV in stalled traffic 0.00005 pa 0. Preliminary Cause-Consequence Model for HCV Fire in a Tunnel in Stalled Traffic Another way to think of this relates to different size fires in the tunnel. the driver pulls over and a passing truck driver stops and extinguishes the fire with a fire extinguisher. from the point of view of the tunnel environment. there is a certain size fire that will disrupt the air flow. It is likely to be more severe in the tunnel where vehicles travel downhill. However. Bouyancy Effect of Hot Combustion Gases Jet Fans and Piston Effect Fire in Downward Facing Tunnel Since tunnels can slope.01 pa Loss of Control (Manifest Threat) Precautions Automatic fire control 0. cars travel in different directions and hot air rises. 15. place remote persons at risk and thus bring about the need to impose emergency measures including an emergency ventilation system and the like.5 Near Miss (Null outcome) 0. deluge systems Fire Brigades Reponse Emergency evacuation systems Jet fans 0.01 Vulnerability Controls Stalled traffic minimisation Manual efforts.5 Hit Potential injuries and deaths 0. the fire loss of control point for two tunnels is potentially different. fire in the down tunnel is far more likely to produce turbulence and mixing. there has been no loss of control since the smoke and heat will have been dissipated in the overall tunnel air movement (piston effect of cars and the jet fans etc). Suppose that a car engine catches on fire. This appears to be the loss of control point.00005 pa Usual ventilation/air handling Early automatic fire control including sprinklers/deluge systems Storm drainage deals with spilt fuel fire etc.

6. Jones K.A case study at Monash University. Obviously it is necessary to acknowledge and verify the reliability of the actual automatic systems that are proposed. reduce vulnerability by ensuring no one is present during a fire (minimal stalled cars) and the provision of emergency response. CompRail ‘92 Conference. Small fires in any vehicle may occur once every two months. A further consideration is the size of the uncontrolled fires. expensive. ISBN 1 901808 22 X. pp 149-158.3 Precautions Secondly. Robinson Richard M. Tasmania. (Reprint No. C Tillman and R Robinson (1989). The lawyers (and regulators to whom such arguments have been presented) have always confirmed that precautions implemented before the loss of control point are the best place for the precautionary dollar. 10190/1985 (Reprint No. Now incorporated as the Part IIA of the Wrongs Act (1958) as amended in 1989. K Anderson. This makes the use of the longitudinal (jet fan) emergency mode problematic since it would blow smoke over one column of stopped traffic hampering evacuation. Jarman M. Risk Management of Transmission Line Clearances in the HydroElectric Commission of Tasmania. NSCA Convention. Washington. Act No. If the environment can be designed to manage. 5. threat reduction. 15.6. for example.6. A Proposal for the Development of a Strategy Role in Bushfire Loss Reduction. Victorian Occupational Health & Safety Act (1985). Proceedings of the Fifth International Conference on Safety in Road and Rail Tunnels. Complex systems require commensurate safety assurance. Automatic activation is probably required to achieve such reliability. especially when a sensible pre-loss of control point precaution was available. in this case reduce the source of fire. 17 November 1998). for example.13 .4 Vulnerability Reduction And thirdly. Monash Univ. in a heavy commercial vehicle. Victorian Occupiers Liability Act (1983). with stalled traffic and longitudinal emergency ventilation.2 Threat Reduction Firstly. University of Dundee. precautions such as deluge systems that can control fire before the normal air handling system is overloaded (small fires are safe fires). ICAO Review of the General Concept of Separation Panel (RGCSP). Engineers Australia Local Government Conference. Melbourne. a heavy commercial vehicle fire will expose a large number of people who would have to evacuate through a smoky environment on foot. W Ely and R Phillips (1995). such as through obtaining a Safety Integrity Level (SIL) pursuant to the Functional Safety Standard IEC (AS) 61508. say once per 10 years and in stalled traffic say once in 100 years. Risk & Reliability Associates Pty Ltd 15. Gold Coast. combustible trucks with large combustible loads. In legal terms this may be considered to be beyond reasonable doubt? 15. Anderson K J. Hydro-Electric Commission. The critical scenario is high congestion with stalled traffic meaning there are stopped vehicles both before and after the fire. Australia. Management of Building Fire Risks through quantified Risk Assessment Techniques. 15. Houbaer R and M Seddon (1995).Case Studies There are three primary risk control regions. hard to model and unpredictable emergency measures invoked after the loss of control point attempting to bring a situation back under control are legally difficult to defend. ventilation and evacuation systems. 6. very difficult. To reliably achieve this is very. Gaye E Francis. R M Robinson and D J Hyland (1992). That is. the proposed deluge system could be relied upon to control the fire 99% of the occasions on which it is called upon to act. Complex. Kevin J Anderson (2003). Lessons from Cause-Consequence Modelling for Tunnel Emergency Planning. say a 5 MW fire and. 15 January 1992). Application of Risk Analysis to Airspace Planning. Ranking of Infrastructure Renewals Taking into Account the Business Requirements of the Railway. REFERENCES Anderson K J and R M Robinson (1984).

The other problem with the Common Law system.1 History Early Occupational Health & Safety legislation followed on the heels of the industrial revolution and was generally very proscriptive and detailed and was largely aimed at factories and shops. 1972). Consequently in the early 1970’s the British Government established a Committee of Inquiry. This meant the injured employee had to prove that on the balance of probablilities the employer had been negligent. chaired by Lord Robens. These had their origin not in the UK but in Germany in the th 19 century. Such people may be contractors. Because of this Workers Compensation legislation in Australia places an emphasis on the rehabilitation of injured workers. Prior to the establishment of Workers Compensation schemes in Australia. In other words they have the responsibility of making and enforcing the OH&S laws in the form of Acts and Regulations. 16. is that it takes many years for a Common Law claim to be decided and in the meantime there is an incentive in the form of increased damages for workers remain injured ie it is counter–productive in terms of rehabilitation. to review OH & S in the UK. the only avenue for injured workers to recover costs associated with their injury was to sue their employer under Common Law.1.1 Occupational Health & Safety Legislative Framework 16. was extremely influential in the reform of OH & S in the UK. Risk & Reliability Associates Pty Ltd 16. which came to be known as the Robens Report.Occupational Health & Safety 16.2 Acts. but also in Australia. The main objectives of OH & S legislation are to ensure safety. suppliers or manufacturers. In the 1960’s it was becoming increasingly obvious that proscriptive legislation could not keep pace with social. Plant regulations. However many of the OH & S Acts extend the duty to persons at the workplace other than the employees. These Acts establish the structure and define the responsibilities for achieving this goal. In some States and Territories there are OH & S Regulations which deal with a large number of hazards and issues. The Regulations specify in more detail the steps that must be taken to control specific hazards and by whom. Attempts at doing so had resulted in a huge volume of sometimes complex and rigid regulations. health and welfare of people at work and to eliminate risks to health and safety from the workplace. The other development during last century was the establishment in some countries including Australia of Workers compensation systems and laws. For many injured employees taking legal action was beyond their financial means and even if they could afford it they risked having court costs awarded against them if they failed to prove negligence. Asbestos regulations. Hence it was often not worth taking this risk if the amount of potential damages was not much greater than the court costs. All Australian States and Territories followed in the footsteps of the UK during the 1970’s and 80’s in a total overhaul of their OH & S legislation and regulatory framework.1 . The report of this review (Robens. Each State and Territory has an OHS Act which sets out the general requirements for ensuring safe and healthy workplaces. by their acts or omissions. Regulations and Codes of Practice In Australia Occupational Health & Safety is regulated by the States and Territories. They define the government bodies responsible for OH&S as well as specifying the duty of care required by employers. economic and technological change. In some states Regulations may be supported by Codes of Practice. on workplace health & safety. Canada and many other countries. which is why some States have removed or reduced the rights of workers to sue under Common Law. Hence retailers have a duty towards customers on their premises and Educational Institutions have a duty to their students. 16. employees and others who may have an impact. Regulations can be made to support the OHS Act. These are basically practical “how to comply” documents with a lot of useful advice on assessment and control. whereas in some jurisdictions the regulations are hazard specific eg Noise regulations. This is simply a reinforcement of the Common Law Duty of Care. designers.1.

Some are safety related such as those dealing with fire safety and emergency standards and many others contain some health & safety provisions. Standards produced by Standards Australia and other organisations provide technical and design advice. employee unions and employer organisations.Occupational Health & Safety 16. compliance is generally not mandatory unless the document is called up by an Act or a Regulation. 16. 1995). that is.2 Risk & Reliability Associates Pty Ltd . standards and guidance notes in the public domain. These are adopted into their legislation by the States/Territories or called up by them is the case for the National Standards for Atmospheric Contaminants in the Occupational Environment (NOHSC.1. There are also many other codes. The legal framework is represented in the figure below: Legal Framework 16. Compliance is desirable unless another solution or precaution achieves an equal or better outcome. some produced by authorities such as NOHSC and other by bodies such as professional and industry associations.4 Compliance Compliance with Acts and Regulations is mandatory whereas with all the other types of document mentioned above. However Codes and Australian Standards can be used as evidence in court to demonstrate what could have been done.3 Standards and Guidance Documents The National Occupational Health & Safety Commission (NOHSC) draws up National Standards in consultation with State/Territory Health & Safety Authorities.1. a form of best practice.

16. “Practicable” is defined (Occupational Health & Safety Act. A Prohibition Notice requires work to cease until specified remedies have been implemented. the question of which employees if any could be deemed to also be “the employer” generally causes more anxiety. because the hazard or vulnerability has not been properly defined. There have not been many cases where middle or lower managers or supervisors have been prosecuted for OH & S breaches but it would appear that for this to occur the manager must have knowingly issued instructions or omitted to take action that s/he knew was in violation of company policy or OH & S requirements.7 Definition of Employer Whilst all employees are in no doubt as to this status under OH & S legislation. The interpretation that is now generally applied is that anyone in a management or supervisory role. In some states there is no such qualification so that the duty imposed is absolute. in other words that s/he knowingly by act or omission put others at risk.5 Extent of General Duties The wording of the General Duties of Care in Australian OH & S legislation varies between jurisdictions. (b) the state of knowledge about that hazard or risk and any ways of removing or mitigating that hazard or risk.1. In most instances the risk assessment methodology used is the risk matrix approach from the Australian Risk Management Standard although this Standard presents the matrix as one of several methods that can be used.6 Penalties and Interventions Breaches of OH & S legislation can result in fines being imposed. 16. Risk & Reliability Associates Pty Ltd 16. 16. For example in Victoria employers must provide a safe and healthy work environment “so far as is practicable”. The matrix approach has already been described in Chapter 7. An Improvement Notice requires an employer to take specified actions within a stipulated time period. But the legislation provides for inspectors and in some states other parties.5.3 . risk assessment and risk control must be undertaken.1. whereas in South Australia the extent of the duties are “so far as is reasonably practicable”. lead to efforts and expenditure being targeted inappropriately. Furthermore the estimation of consequence or likelihood is often attempted using the qualitative scales given in the Standard and this then becomes a very subjective process. and (d) the cost of removing or mitigating that hazard or risk. In general the extent of the duties appears to the Common Law Duty of Care in all Australian jurisdictions however there are significant differences between jurisdictions when it comes to regulations and this can cause added complexity for companies operating across borders. However to date there is no evidence that these differences have lead to a higher compliance standard being enforced in one State than in another. It is important to be aware of the rights and powers conferred on certain types of individual under OH & S legislation as hindering these people or failing to respond to notices is usually also an offence. In our experience risk assessments are often worthless or worse. such as Health & Safety Representatives. that is anyone who is involved in the management of others.2 OH & S Risk Assessment Most Australian legislation specifies that a process of hazard identification.1.Occupational Health & Safety 16. In the OH & S context hazards are usually categorised using the energy-based classification described in Section 5. generally through proceedings in a Magistrates Court. could be an “employer”. to issue Improvement Notices or Prohibition Notices. (c) the availability and suitability of ways to remove or mitigate the hazard or risk. 1985) as having regard to: (a) the severity of the hazard or risk in question.

16.4 Risk & Reliability Associates Pty Ltd .3. These measures can be per period (per day. this is only statistically significant if the exposed population is of a reasonable size. month or year) for an organisation or for a particular contract or project. The authors’ belief is that the best use of resources if frequently obtained by ignoring the risk assessment stage and going straight to the identification of risk mitigating controls/precautions. For example. which must be documented to prove that they have been. oxygen monitoring and alarms). backup ventilation. Elimination Substitution Engineering controls Administrative controls Personal protective equipment and clothing There are small variations to this in other states/territories. a risk assessment of liquid nitrogen use in a laboratory dealt with the risk of liquid nitrogen burns but it did not deal with the risk of asphyxiation because presumably controls were believed more than adequate as they were of best practice standard (good ventilation. this can result in an extremely large list of controls that need to be implemented. 4. 24hr monitoring of ventilation. Because of the legislative requirement to carry out risk assessments.1 Fatality Risk A common form of assessing fatality risk is: Fatality Risk from an activity = Number of deaths per annum from that activity Exposed Population Obviously.3 Performance Indicators There are a number of possible performance measures available to assess risk and reliability. severity and frequency of occurrence). Statutory breaches (number and severity).Occupational Health & Safety Sometimes where there are several vulnerabilities from the one hazard a critical vulnerability can be overlooked. In effect all the controls failed to one degree or another and a worker died. Dollars (gained or lost). In hindsight it would have been better to focus risk management resources on those that had the potential for greatest consequence. 2. 16. 2002). A number of the more commonly used formulations follow. 16. which for inhalation exposures amounts to exposure assessment. 5. 3. The legislation requires that risk control must be based upon the Hierarchy of Controls which is defined in Victoria as being in the order of most to least preferred: 1. Ramachandran (1995) summarises the five methods his research shows are used to value human life. The concept of control banding is an attempt at shifting the emphasis onto controls rather than risk assessment by simplifying the risk assessment. week. attempts are made to assess the value of human life in financial terms. Sometimes if the number of lives at risk can be assessed. Commonly used ones are based around: − − − − − − Fatalities (total number and frequency of occurrence). Injuries (total number. Availability (% time operating). Days gained or delayed (especially for projects and contracts). It is interesting to note that this concept has now being adopted in the UK and elsewhere with respect to substances where inhalation exposure is one of the main risks (IOHA.

1-1990. Court Awards This involves the awards given to the heirs of the deceased person. would be on high frequency. the primary focus of regulators and the courts. It reflects the notion of “consumer sovereignty”. This is a form of self valuation but has constraints in that what one person thinks their life is worth and what they can actually afford may be quite different. It favours the higher paid over lower the paid. Livelihood Approach This is not altogether different to the output approach. this compares to a debilitating back injury extending over several years (which would be bought to account each year) and from which a complete recovery was made. This gives a relatively small value to a human life. The figure below represents four work injuries that occurred over three years. with the days lost being shown in the light grey hatching. Risk & Reliability Associates Pty Ltd 16. Schematic of Four Injuries that Occurred over Three Years A consequence of the “cash flow” approach is that a death is measured as a loss of one man year. This does not seem to have been hugely successful. Even if actual days lost (per million hours worked) is used as a measure of risk. This approach to value life rests on the principle that living is generally an enjoyable experience for which people are willing to sacrifice other activities such as consumption.3. The LTFIR is calculated by the number of incidents where more than a day was lost in a given period per million hours worked. Each has a different duration as shown.Occupational Health & Safety i) Gross Output This examines the gross output based on goods and services that a person can produce if not deprived. of the opportunity to do so. Insurance Method This uses the value of life insurance policies purchased by individuals. Incident 2 was carried over from 2001/02 and incident 4 was carried over into 2003/04 and extended the whole year and beyond. how much people are willing to pay to feel safe. Consider for example the use of a measure called the Lost Time Frequency Injury Rate (LTIFR) for OH&S performance described in the Australian Standard AS 1885. low frequency events.5 . This means that the focus of companies that use a concept like the Lost Time Frequency Injury Rate or any “cash flow” basis of risk accounting. by death.2 Lost Time Frequency Injury Rates There have been attempts to reduce injury statistics to single numbers to compare the performance of organisations. rather than high severity (fatality). something like accident 4. assigns value in direct proportion to income. care needs to be taken with a “cash flow” view compared to an “accruals” view. This also gives a relatively small value to a human life. low severity events. The diagram indicates that there were three incidents in the year 2002/03. That is. For example. which is regarded as a ridiculously low value. The Lost Time Injury Rate (LTIR) is defined as the occurrence of lost time injuries per 100 workers. ii) iii) iv) v) 16. Willingness to pay.

16. using a cash flow basis for injury measurement seems curious. and the one which the whole organisation is usually trained to understand. So in the case above the 2002/2003 year has only two incidents that actually occurred in it (labeled 3 and 4). Incidents and Risk The relationship between hazards (vulnerabilities) and incidents requires clarification. However. It is always better to focus on preventing hazards rather than managing incidents from a control viewpoint. Beyond Lost Time Injuries. hence { Hi } ≠ { Ij } For every Ij there is a particular Hi. 16. Hi = Particular or specific hazard {Hi} = Set of all known hazards Ij = Particular or specific incident {Ij} = Set of all known incidents (for i = 1 to n hazards) (for j = 1 to m hazards) n is much larger than m. A detailed discussion of this sort of problem and other difficulties associated with the use of existing injury indicators is contained in WorkSafe Australia (1994) documents entitled Positive Performance Indicators. 16. but not vice versa. the days incurred extend into 2004. Frequency Ij Hi Severity Relationship of Incidents to Hazards or Vulnerabilities A pictorial representation on a risk curve is shown in the figure above.4 Information Structures This section actually addresses a larger risk management domain than OH & S but this seems to be the context in which it is most frequently raised.4.6 Risk & Reliability Associates Pty Ltd .Occupational Health & Safety An alternative proposal is for an accruals basis using days lost.1 Hazards (Vulnerabilities). The set of all possible incidents is in fact identical to the set of all hazards except that over a particular time period most have a null rather than actual outcome. Since an accruals basis of accounting is the one most organisations use. This perhaps can be best explained as follows. The whole of this amount would be bought to account in the 2002/03 year and 2003/04 would be deemed to have no injuries. Note that the focus of risk management should be on the set of all hazards.

Risk lihood rity 0. HAZARDS LikeSeve.Occupational Health & Safety For example. I2.5 6 45 100 0 3 0 2 0 0 0 0 0 45 0 0 50 J2 J3 J4 J5 J6 J7 J8 J9 J10 J11 : Jj ∑Jj 0 0 0 47 0 0 1 0 0 0 0 0 1 0 3 50 2 13 260 1500 0.Risk LikeSeve. H3 .5 6 60 100 1 0. if a company were exposed to i hazards in a defined period. since only three of the incidents do not have a null outcome it would be better represented as {Ij} = {I2.1. I10}. In fact.}.. if it occurs..23 0.5 6 45 100 0 0 2 0 0 0 0 0 45 0 H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 H11 : Hi ∑Hi C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 : Cj ∑Cj Event Horizon <<<<<<Pre-Event Control / Post . i j Risk & Reliability Associates Pty Ltd 16. . H2.Risk lihood rity I1 0 2 0 I2 I3 I4 I5 I6 I7 I8 I9 I10 I11 : Ij ∑Ij 0 0 0 52 1 0 2 0 0 0 0 0 1 0 3 50 2 13 260 1500 0. although only two of the potential hazards actually caused the incidents. if there are a statistically large enough number of hazards then the sum of the probabilised outcome of the hazard set should be equal to the sum of the actual incidents experienced.65 0.Event Management >>>>>>>>>>>>>>>>>>>>>> Concept Hazard (or Vulnerability) Register In this particular example the total risk due to the hazards is 51.6 8. That is.7 .Risk lihood rity lihood rity 0 2 0 J1 0 2 0 1 0 1 0 0 0 0 0 1 0 0 3 50 2 13 260 1500 0. . This means that with a large amount of data over a long period of time it is possible to determine the probable risk loss. how likely it is of occurring and how many days are lost. say a year.001 0. I3. then the set of hazards {Hi} would be represented as {H1.45 0. }.5 0 51.01 0. The incidents that are recorded show that fifty two days were lost.1 2 0. If we then look at data for a particular year there might have been only three actual incidents.3 0.005 0.05 0.2 0.1 INCIDENTS AND OCCURRENCES LikeSeve.. I4. for example. The risk associated with each hazard and incident is the product of likelihood and severity.45 6. The table below sets this out using some hypothetical figures. I4. which represents a theoretical loss of fifty one days. I5.5 1.5 0. H5. based on the following formula: Σ0 Risk { Hi } = Σ0 Risk { Ij } The focus is then on reducing the probable risk amount that in turn will reduce the actual risk loss due to incidents occurring..06 30 0. These could be represented by {Ij} = {I1.6 2. Note that the null incidents are also shown.5 0. In the case of an incident the ‘likelihood’ of occurrence will be 1 for an incident that has occurred and 0 for one that hasn’t occurred. H4.5 0.5 6 45 100 3 0 4 0 0 0 0 0 45 0 CLAIMS JUDICIAL PROCEEDINGS LikeSeve.025 0.2 0. However.003 3 50 2 13 260 1500 0.

4. 16.consequence terms it means incidents are all those items shown in the larger shaded area below. The authors believe any control system failures ought to be recorded as a significant increase in these are indicative of the health or otherwise of the control system. 1 Ockham's Razor.Occupational Health & Safety 16. Hazards Loss of Control Control System Failure Loss Incidents Near Miss Concept Cause-Consequence Diagram for Information Framework In practice the documentation process outlined in the following figure is needed. a coordinated risk information system needs to be available. In cause . no loss) Losses Death Injury Medical cost Damage Statutory Breach Claims (Insurable losses) Courts Time Hazards Control System Failures Risk Control Management Efforts Risk Management Information System Hazard (Risk)s Information Framework There can be discussion about the desirability of including control system failures in Incidents. In information terms for risk management this can mean: Hazards Incidents Loss of Control (Near Misses. The usual formulation of the principle of ontological economy attributed to William of Ockham is: Entia non sunt multiplicanda praeter necessitatem or Entities are not to be multiplied beyond necessity. incidents. In terms of a strategic risk management control system.8 Risk & Reliability Associates Pty Ltd . Broadly this means. especially if there were other parallel control systems in place which prevented the loss of control so that a near miss occurred or the hazard did not occur whilst the control system was not operational. near misses and control system failures are effectively recorded. unpredicted hazards or vulnerabilities.2 Coordinated Information To ensure that the information regarding losses. There are several possible good solutions to the 1 naming issues so the principle of “Ockham’s Razor” has been applied. choose the simplest answer unless a reason to select a more complex one is discovered. names need to be given to different parts so that it is clear to everyone what is being discussed. This may be part of other information systems but its definition needs to be independently developed to support the predicted credible loss scenarios (especially legal and insurance details) and identify in a timely manner any emerging.

Occupational Health & Safety Fire Model etc. which can be done at any time.4. Collision Model Review by Period Likelihood 100 (p.9 . 16. Then and only then can a review by period have meaning. Note that this does not exclude once off studies over any of the boundaries. Obviously a sudden increase in main line breaks is of considerably greater concern than a similar increase on rarely used sidings. and how the information flows occur. be it a remote siding or a busy main line with many high speed passenger trains. Risk & Reliability Associates Pty Ltd 16. To obtain this understanding requires a co-ordination review that reclassifies. the authors have noted many cases where an incident such as a broken rail is given the same rating irrespective of the location.Summary etc. Board and CEO (Policy) Vulnerability Analysis SWOT Analysis Underwriting Assessment Availability Assessment Crisis Management Top Down Review Co-ordination Operations & Maintenance Feedback Control QRA Hazops RCM Job Safety Analysis (JSA) Detectability Reliability Maintainability Cause-Consequence Modelling etc Pre-event Strategic Event Tactical Reporting Losses Incidents & Breakdowns Fire Fighting First Aid Bottom Up Judicial Actions Insurance Payments Post-Event An Integrated Concept of Risk & Reliability Information Management Interestingly. For example. on the basis of current operation. the process of risk related information management does seem to need the loop shown in the circle above.a) 10 1 Loss Calculator Vulnerability Register Co-ordination Incident ProForma analysis Date Event Type Damage 1 10 100 10000 Consequence '000$ Event Lookup Tables Location Exchange Treasury Collision Production Dang.3 An Integrated Concept of Risk & Reliability Information Management The figure below describes an understanding of how the different processes and techniques described in this text fit within a large organisation. Goods Shipping OHS &E summary report Fire Model etc Summary Collision Model Feedback by Event Type Hazard Control Incident Loss Null Reporting by Region per Period recommendation advice Cause-consequence Models incorporating energy-damage and time-sequence analysis concepts Strategic Information System A key element is the need to assess the significance of each incident by co-ordinator/s. the risk associated with each event.

10 Risk & Reliability Associates Pty Ltd .5 Audit & Safety Management Systems There has been a continuing desire to develop systems that can provide advice as to the overall effectiveness of risk control systems. does not assure compliance with statutory obligations nor does it preclude any action by a statutory body. this system is based on the concept of ensuring that the process (the presence and effectiveness of management systems) is well and that therefore the proper results will follow. integrated health and safety management system. whether recognised by formal certification or other means. 16. 2. Interestingly. 5. The danger with such a system is that OH & S resources become focussed on preparing documentation rather than action and prevention. These have manifested themselves in various auditing and scoring systems. 4. 3. However. as the Victorian WorkCover Authority notes: However conformance to SafetyMAP criteria. It has five elements: 1.1 SafetyMAP The Victorian WorkCover Authority has developed a health and safety audit system whose purpose is to enable an organisation to: a) b) c) d) Measure the performance of its health and safety program Implement a cycle of continual improvement Introduce recognised bench marking standards for health and safety Gain recognition for its health & safety management standards. Advanced Level Certification requires all 125 applicable SafetyMAP audit criteria to be in place. The Victorian WorkCover Authority states that these criteria have been selected as encompassing the building blocks for an effective.5. 16.Occupational Health & Safety 16. Health and safety policy Planning Implementation Measurement and evaluation Management review Initial Level Certification requires an organisation to satisfy the requirements of 82 SafetyMAP audit criteria.

Inadequate Progamme 2. Personal communications 16.5. Emergency preparedness 8. Leadership and Administration 2. Lack of Control Basic Causes Personal Factors Job Factors Immediate Causes Incident Loss 1. 2.2 ISRS (International Safety Rating System) This has been developed in various guises in different parts of the world. Engineering and change management 15. 3.Inadequate Programme Standards 3. Jr’s (1976) Atlanta based International Loss Control Institute’s program. 4. Materials and services management 20 Off-the-job safety ISRS Program Elements Like the other audit systems.Inadequate Substance Compliance Standards People Property Process Environment Quality The DNV Loss Causation Model The key program elements and points score/weighting are given in the table below. An audit system can indicate the health of the proactive loss control management systems. 1996) who appear to have purchased the Frank E Bird.Occupational Health & Safety 16.11 . Planned inspections and maintenance 4. Personal protective equipment 12.Inadequate Compliance Standards Substandard Acts and Conditions 1. Losses are ultimately due to a lack of effective management systems. Proactively managing loss is much better than reacting to events. Safety is good for business and profits. Hiring and placement 19. The program is based on several key propositions: 1. Rules and work permits 9. Task observation 7. Points 1310 700 690 650 605 450 700 615 550 700 380 700 700 670 490 450 380 405 615 240 Risk & Reliability Associates Pty Ltd 16. Group communications 17. The following figure shows the time sequence model adopted. scoring a perfect 10 out of 10 does not mean that all legal duties have been met. Recognition levels are scored out of 10. Health and hygiene control 13. Leadership training 3. Critical task analysis and maintenance 5. Accident/incident investigation 6. General promotion 18. ISRS Program Elements 1. System evaluation 14. Knowledge and skill training 11. Inadequate Programme Contact 2. Accidents/incident analysis 10. Inadequate with Program Standards Energy or 3. The manifestation described here is that by Det Norske Veritas (UK.

This shows path of action which starts with a manager deciding to observe an employee. Management is directly accountable for preventing injuries and occupational illnesses.Occupational Health & Safety 16. DECIDE REPORT STOP STOP . Safety audits must be conducted. the system has various degrees of success attributed to it. as well as incidents with the potential for injury. for Safety ACT OBSERVE • Safety Observation Cycle The procedure to be used can be seen in the Safety Observation Cycle in the figure above. STOP is based on a series of Safety Principles noted below: • • • • • • • • • • • All injuries and occupational illnesses can be prevented. particularly noting how the employee does or does not adhere to safe working practices. Safe work practices should be reinforced and all unsafe acts and unsafe conditions must be corrected promptly. 16. Safety off the job is an important element of the overall safety effort. Certainly.3 The DuPont Safety Training Observation Program (STOP) System STOP was developed by DuPont to provide a behaviour based observation program that may be used to improve safety in any organisation. It is not really an audit system as such although the authors' have observed it being used in this capacity. Training is an essential element for safe workplaces. The manager then needs to approach the employee and discuss their working practices reinforcing the safe ones as well as addressing the unsafe. People are the most critical element in the success of a safety and health program. It is essential to investigate injuries and occupational illnesses. Conversely. In an Australian cultural context.5. the authors' have noted that if it becomes known as the 'dob-a-mate' technique then it seems to be a cultural anathema and failure. Safety is everyone's responsibility.. This system is designed to be used by management at all levels. Preventing injuries and occupational illnesses is good business. The manager must then stop and watch the employee carry out their job. The manager then needs to report the situation appropriately to their superiors. if it becomes a 'look-after-your-mate' process then it seems to have a good chance of being effective.. Safety is a condition of employment.12 Risk & Reliability Associates Pty Ltd .

2. A star grading is awarded after each annual grading audit to record an organisation's standard of achievement in implementing best practice levels of risk management. It also provides organisations with a framework for improvement and quantitative measurement of OHS performance. The categories are as follows: 1. safety and environmental risk management are normally based on continuous improvement above the legal statutory minimum obligations up to international "best practice". 5. Policy. "The organisation's standards of health.5. Improved employee involvement The NSCA 5-Star System states the following in terms of legal obligations. International recognition 4. 4. Respectively. Organisation & Program Management Management of Health & Safety Risks Control of Specific Work Risks Working Environment Emergency Preparedness & Management There are 5 star gradings: zero to five.Occupational Health & Safety 16. A One Star grading means that the organisation's OHS system is better than approximately 50% of other organisations. Grading Audits are conducted within an organisation on an annual basis and assessed according to Key Elements. A better measurement of performance 2. NSCA 5Star System (Version 2) assists an organisation define its own standards based on its corporate structure. Star Grading 0 Star 1 Star 2 Star 3 Star 4 Star 5 Star KES% 00-49 50-59 60-69 70-79 80-89 90-100 The Benefits of using the NSCA 5-Star Health & Safety Management System are described as: 1. a Five Star grading means that the organisation is in the top 2-5%. The Key Element Score (KES) and the Injury & Illness Statistics Index (IISI) are then used to assess the current state of an organisation and allocate a Star Grading. The system uses 60 key elements considered to be comprehensive and exhaustive set of risk management components for any organisation in any aspect of business.13 . Improved management skills and communication 5. or unacceptably low or non existent.4 NSCA 5-Star Health & Safety Management System The NSCA 5-Star Health & Safety Management System was developed by the National Safety Council of Australia to identify the elements of a complete OH&S program. 3. Independent assessment 3. Where national/international standards are incomplete. These 60 Key Elements are grouped into 5 categories in the NSCA system." Risk & Reliability Associates Pty Ltd 16.

Issues. National occupational Health and Safety Commission. 5-Star Health and Safety Management System. Part 1 . Robens. Beyond Lost Time Injuries. Chapter 8. National Safety Council of Australia. Australian/New Zealand Standard AS/NZS 4360:1999. WorkSafe Australia (National Health and Safety Commission) (1994) Positive Performance Indicators. International Occupational Hygiene Association. Canberra Ramachandran G (1995).gov. DuPont STOP for safety system (supervision) © 1986. Society of Fire Protection Engineers Handbook (1995). 16. DuPont Safety and Environmental Management Services. Revised 1992 and 1995 IOHA (2002) Report of the International Control Banding Workshop.Occupational Health & Safety REFERENCES Bird Frank E. London 2002. International Loss Control Institute.nohsc. Risk Management. A Guide to Occupational Health and Safety Management Systems.Practical provides a lot of useful information as well as providing links to all the State/Territory Authority web sites. Part 2 . WorkSafe Australia (National Health and Safety Commission) (1994). 5. Act No. Version 2 (1995).14 Risk & Reliability Associates Pty Ltd . Report. READING The NOHSC web site (http://www. London Standards Australia/Standards New Zealand (1999). ISBN 0 644 35267 1 © The Commonwealth of Australia. Jr (1974). Value of Human Life. NOHSC (1995) National standards for Atmospheric Contaminants in the Occupational Environment. Victorian Occupational Health & Safety Act (1985). HMSO. NOHSC:3008. Beyond Lost Time Injuries. SafetyMAP (4th Edition). USA. Georgia. 10190/1985 (Reprint No. Society of Fire Protection Engineers. Boston. © The Commonwealth of Australia. Positive Performance Indicators. ISBN 0 644 35266 3. Management Guide to Loss Control. Lord (1972) Committee on Health and Safety at Work. November 1998) Victorian WorkCover Authority (2002). Section 5.

how much money they raise and how they invest it (Browning. rather than let the company remain subject to market forces and let it go belly up. “…that using derivatives destroys shareholder value through the costs of dealing. they do not have to report to the US government who these investors are. Essentially what is happening is that the profits associated with the hedge funds are retained by the funds but the risks associated with their operation are being shared by the global community. Provided there are less than 100 investors. Further. In doing so. monitoring the transactions. 1998). It arose because the Long Term Capital Management (LTCM) a US based hedge fund went to the wall. (Smithson 1997). and management time. Financial Risk The good news is that risk can have its speculative as well as negative aspects. they appear to be creating a new lexicon. this has not gone unnoticed. However. Based on perusal of US magazines like Risk and Financial Derivatives and Risk Management there are remarkable pockets of extraordinary sophisticated statistical modelling occurring. Obviously. They insert this in various markets acquiring around $10 trillion worth of exposures. To put this in perspective. such activities impose risk on others. the bigger the comparative advantage they gain. US Hedge funds reportedly manage up to $1 trillion US dollars. not the advisors or managers. That is. that the costs of managing risk can exceed the reduction in the costs-of-risk. most (up to 90%) of it borrowed. 1997). In part it is trying to ask the question: “How much has been earned for the risks that have been taken?” The problem of advisors and managers taking extreme chances with someone else’s money is always real. the GNP of the US is reported to be about $7 trillion.Financial Risk 17. Risk & Reliability Associates Pty Ltd 17.2 Hedge Funds In September 1998 the world came. These are obviously designed to take the costs-of-risk into account in terms of the financial institution’s business. 17. it seems that despite having (or perhaps because of it) Nobel Prize winning economists on staff. The idea was to prevent a domino effect that might fatally destabilise a weakened global market. with the US Federal Reserve leading. These hedge funds are secretive things. The more successful companies become at identifying and managing risk. everyone profits from such extreme risk taking (blue sky) but if matters sour it is the shareholders and investors that lose money. “within a whisker of meltdown” (David Thomas 1999).1 . Basically. 17. the US financial community and Wall Street Authorities provided enough capital (US$3. There are editorials reporting that some managers feel. By September 1999. it had lost about 90% of its capital.” (Cooper. If everything goes well. This approach contrasts vigorously with the approach taken by the IMF and the US with Asian and Latin American debtor countries. It can offer business opportunities. But whether this is truly cost effective is difficult for an outsider to know. Terms currently used include: VAR EAR Value at Risk Earnings at Risk Raroc Risk adjusted return on capital Rorac Return on risk adjusted capital Rarorac Risk adjusted return on risk-adjusted capital Economic Capital = credit risk capital + market risk capital + operational risk capital.65 billion) for the hedge fund to be salvaged.1 Terms Banks and large-scale financial institutions have only comparatively recently started to focus on riskadjusted return measures on capital rather than purely a return on asset or book equity. LTCM punted and lost.

has mentioned in a speech in March 1999 that the global overhaul in finance had to. they are playing what is called in the statistics literature a negative sum game. So risk in market terms can be adverse (pure risk) or beneficial (speculative risk). This is not absolutely true. relative to its cost. And how should such general uncertainty in accounts be portrayed? How can all this be made transparent to investors and customers? 17.2 Risk & Reliability Associates Pty Ltd . The risk function of the gamblers is not symmetric. which in real life is often not quantified or even quantifiable at all. Those who gamble say at a casino or in tattslotto are willing to lose a small. that is. The dominant methodology begins with book-keeping and subjects these to a series of adjustments governed by precise rules. Of course. the Australian Treasurer. Peter Costello. Many articles point out (Smithson 1997). To quote the Treasurer. since they accept a small loss in the hope of a large gain. in finance risk is normally assumed to be symmetric. but by making such an assumption many of the tools of statistics become available. market valuations of derivatives and the risks they are used to manage. Standard deviation deemed to equal risk Pure Risk Speculative Risk Rate of Return Rate of Return 17. These assumptions are extremely important to bear in mind. which is symmetric about its mean value.Financial Risk For example. 17. They are certain to lose in the long run. “Vested interests in the international financial sector who benefit from the international community’s sharing of their risks (but not their profits) will resist the necessary evolution in the international financial architecture”. in finance things are quantified. address the need for better supervision of the highly leveraged international investors. Tim Colebatch (The Age) reviewing the Treasurer's presentation to the Asia Pacific Economic Summit (Sept 2000) notes that the Treasurer states that there is still no agreement on reforms such as requiring hedge funds in capital markets to disclose their operations. This may not have changed much in recent times. Rationally. Looking to an uncertain future. and the performance of the market. individuals are often characterised as being either risk averse or risk takers. the major challenge will be in accounting. read the interests of Wall Street. In common parlance an individuals’ utility is the gain or usefulness one obtains from a certain course of action. As the journalist Alan Wood noted at the time (The Australian).3 Utility and Risk The financial economics literature always starts by discussing the concept of utility. This is backward looking at a stable past. is very difficult. and so certain simplifying assumptions must be made. given equal probabilities risk averseness is the norm. otherwise the casino could not pay all it’s operational costs and return a profit to its owners. Individual preferences are very diverse.4 Models Markets go up and down. amongst other things. However. From observation and experience it would seem most investors have a greater preference for not losing money rather than gaining it. the essence of risk. such as hedge funds. since the ultimate conclusions one comes to are highly influenced by these fundamental assumptions. most notably the normal distribution. or often cumulatively not so small amount of money. But most models assume that financial risk is symmetric. in the hope of making a large gain. for vested interests.

returns to members. described in the Risk magazine special supplement). accumulations of risk. That element of risk. The risk of being in the market per se cannot be eliminated (indeed it is the source of the reward).4.5 Market Risk Mathematics. optimal portfolios can be built.25-30 is usually more than adequate and even 10 may not be far off. Australian equities. if interest rates rise a bank will find problems in all aspects of its book: real estate. (Of course. re-insurance and claims reserving Superannuation and Funds Management: asset allocation. For example. of course. i. value at risk (VAR) across the business. international equities and so on. events will tend to affect different assets in often similar ways. (There are. Risk & Reliability Associates Pty Ltd 17. requires just such a system of correlation’s and matrices as described above. (The terms risk. not just for funds management.2 Asset Allocation Securities can be categorised into asset classes (in an intuitive sense) which have like characteristics. 17. for example. That component which remains (the core risk for being in the market) is called systematic. catastrophes. introduced by J P Morgan. The index for an asset class and its standard deviation (= risk) is effectively the minimum risk for that asset class. by knowing the correlations between asset classes. derivatives. In Australia we use: All Ordinaries Index Commonwealth Bank Bond Index (All Maturities) Morgan Stanley Capital International Index Australian Equities Fixed Interest International Equities The above principles are used to build suitable portfolios of assets. that is. A plot of these points is known as the efficient frontier. volatility and standard deviation of returns tend to be used synonymously) Distribution. Thus by analysing a bank into it’s component assets and liabilities one can derive a single estimate of how much a firm could lose due to the price volatility of the instruments it holds. that is.4. Banking: risk assessment. 17. guaranteeing. Standard deviation or its volatility. ii iii. For example. which are hybrid or intermediate in nature).3 Value at Risk (VAR) The risk in any business can be assessed in just the same way. That is. This enables some formal definitions. Given that returns to assets are clearly not independent statistical principles are again used. stock prices are log-normally distributed In the finance sector there are a wide number of uses to which the above principles can be put: Life Insurance: matching of assets and liabilities and solvency margins General Insurance: business risk. The general approach to dealing with portfolios of assets or liabilities is the same. Indices are used to represent price movements in the asset classes as a whole. which can be eliminated by diversification. fixed interest securities. minimum returns. This methodology. is called diversifiable or unsystematic. Since financial market returns are ultimately dependent upon the economy. this can be achieved with a relatively small number of securities .3 . there are competing methodologies of risk assessment. 17. Mean = 'average' = a measure of central tendency or average return on the asset. This is covered in further detail in section 12. risk is assumed symmetric and investors are risk neutral. business or other loans. Hence there is a limit to the reduction in variance. securities. which can be achieved in practice.1 Diversification: Systematic and Unsystematic Risk Within an asset class most securities are highly correlated. In practice.4.Financial Risk So for practical reasons it is assumed that mean and standard deviation are the appropriate measures for the return and risk respectively. the appropriate asset mix that gives the best possible return can be determined for a given level of risk.

iii. an interesting and perhaps optimistic assumption.  n Standard deviation S =  ∑ ri − r  i= 1 ( ) 2  pi   1 2 is a measure of the risk of an investment or its volatility. (The terms risk. respectively.3 respectively.5 Market Risk Mathematics In finance.0.1. A company needs to estimate current levels of profit. It may not be true. 17.4 Risk & Reliability Associates Pty Ltd ( ) . σ 2 the standard normal distribution. These obligations may not arise for many years. but by making such an assumption many of the tools of statistics become available.4 Solvency Risk Both general and life insurance companies need to maintain prudent levels of reserves to cope with fluctuations in the business. market risk analysts are defining risk as a simultaneous combination of pure and speculative risk. Similarly: ( ) Δ % pt ~ N µ . 17. That is. This enables some formal definitions.4. In taking such a position. stock prices are log-normally distributed that is: ln pt ~ N µ . Distribution. risk is normally assumed to be symmetric. but leave behind sufficient reserves to meet obligations as they arise. By analysing their assets and liabilities they can assess this particular measure of risk because the resulting portfolio of assets and liabilities (by assumption) follows a normal distribution. risk is assumed symmetric and investors are risk neutral. 17. that is. Also of use are the skewness and kurtosis (3rd and 4th moments about the mean).Financial Risk 17. So for practical reasons it is assumed that mean and standard deviation are the appropriate measures for the return and risk respectively. the likelihood of loss is the same as the likelihood of gain. Standard deviation deemed to equal risk Pure Risk Speculative Risk Average Rate of Return Standard Deviation Showing the Mean and Variance i. ii.5 Claims Reserving The process of measuring outstanding liabilities is called claims reserving. They set their solvency levels so as to be able to meet all eventualities to a certain level of probability. as in diseases like asbestosis. For example. For the standard normal these are 0. which is symmetric about its mean value. By putting together the risks from the separate lines of business one can assess risk for the company as a whole.4. σ 2 which is the more usual way of expressing this fact. volatility and standard deviation of returns tend to be used synonymously). as a measure of central tendency or average return (r) on the asset. which are measures of the symmetry of the distribution and its “peakedness”. most notably the normal distribution. Mean = average” = r = “ n ∑r i= 1 i pi where pi = prob (ri ) of occurrence.

. the need arises to consider what happens when two securities or assets (X and Y) are combined in a simple portfolio.. Y )= Note that : 1 (x x )(y i − y ) = E (( X − µ x )(Y − µ)) n∑ i Var (X )= cov (X . Correlation and the Correlation Coefficient Given any two series X = {x 1 . Since financial market returns are ultimately dependent upon the economy. events will tend to affect different assets in often similar ways. business or other loans. x n } Y = {y1 . or the degree to which the series rise or fall together. .. which has a value between +1 or perfect correlation and -1 or perfect inverse correlation:- ρ X . Y ) σ XσY Since market risk analysts use the standard deviation as a measure of risk. A measure of this is the covariance. Securities are after all only financial claims on assets in the real economy.Financial Risk (that is. In general it is assumed that the securities are not independent and that the price changes will in fact be correlated.1 The Two Variable Case cov (X . Y) = var (X )+ var (Y )+ 2 ρ =σ In general: 2 X (var (X )var (Y ) + σ + 2ρ σ X σ Y 2 Y var (aX + bY )= a 2 σ 2 + b 2 σ 2 + 2 ρ a b σ X σ Y X Y and E (aX + bY ) = aE (X )+ b E ( ) Y Risk & Reliability Associates Pty Ltd 17. and it is defined to be: cov ( X . For example.5. . X )= E (X − µ )2 = σ X 2 The correlation coefficient between two series is the standardised variate.  p  ln t  = ln pt − ln p t−1 )  p t− 1  In the finance sector there are a wide number of uses to which the above principles can be put.5 . y n }it is of considerable interest to estimate any linkages between the two time series.. Thus: var (X + Y )= E (( X + Y)− (µ X + µ Y )) = E (X − µ X 2 Y 2 2 [ ) + (Y − µ )] = E ( X − µ ) + 2 (X − µ )(Y − µ )+ (Y − µ ) ] ( = E ( X − µ ) + E (Y − µ ) + 2 E (X − µ )(Y − µ )) ( 2 2 X X Y Y 2 2 X Y X Y = var (X )+ var (Y )+ 2 cov (X .. Given that returns to assets are clearly not independent..Y = 12. real estate. if interest rates rise a bank will find problems in all aspects of its book. statistical principles are again used.

σ 2 n . this mean that every asset or security behaves independently of the other and it is possible to eliminate all risk. In each variance cell in the matrix we have (1/N) x variance and in each covariance cell we have (1/N) x covariance.6 Risk & Reliability Associates Pty Ltd . Xn . The above may be extended by noting: n If S n = X 1 + . However this rarely occurs in a given market or industry as assets or securities are affected by similar factors. The above process may then be used to combine assets in such a way as to achieve a minimum variance or risk. . 2 2 2 2 2 17. If the average covariance is zero. . .2 . X j . . This residual is the market risk..j and noting that cov (X X )= cov (X X ). . The proportion invested in each asset is 1/N. X i ) the 2nd term being all possible combinations of X i . it becomes apparent from the above matrix that the number of covariances far out-number the number of variances. The average covariance is the lowest level of risk than can be achieved by diversification. then there are i j j i n(n − 1)  n n! pairs =   =  2 (n − 2)! 2! 2 This can be put in matrix form (the variance .1 X2 σ 2 1.5.+ X n = ∑ X i i =1 h X i not independent and var (X i )= σ 2 i Then var (S n )= ∑ σ 2 + 2 ∑ cov (X i .n Note: the leading diagonal being the variances and the matrix itself being symmetrical about the leading diagonal.1 σ 2 2 . . In optimising the risk of a portfolio of securities or assets. . .. . . To simplify matters. Real Assets Real world portfolios consist of many securities (within an asset class) and indeed many potential asset classes (each with n securities).1 .covariance matrix) X1 X2 Xn X1 σ 2 1. . This process is known as mean-variance optimisation. User friendly computer packages exist to remove the heavy computations. for example by choosing assets that have a low or negative correlation with each other. i i =1 i.Financial Risk 12. let us assume we are dealing with a portfolio of N assets of securities.2 Extension to n securities : Real Portfolios. Portfolio variance = N x (1/N) x average variance + (N -N) (1/N) x average covariance = (1/N) average variance + (1-1/N) average covariance As N increases. the portfolio variance approaches the average covariance. σ 2 n .

The Age . pages 6 and 7. Firmwide Risk Management . Smithson.. Harper Collins. Tyrone Po and John Rozario (1997) Capital Budgeting. David (1999). Volume 10/No 6/June 1997. READING Francis. As quoted in two articles in the Weekend Australian. 1998. March 27-28.Good Weekend February 6. D. Volume 10/No 6/June 1997. The Importance of the Asset Allocation Decision. 5th Edition. New York. Ezra. 1999. Nightmare on Wall Street. Paul-Choudhury. 1999 Cooper Graham. Chris R. (1994) Investment: Concepts Analysis Strategy. one each by Ian Henderson and Alan Wood. Colebatch Tim. See p.7 . Radcliffe. London.A Special Supplement to Risk. John H. October 17. The Age. Editorial. Hedge Fund Fears Come Years too Late. Financial Analysts Journal 65-72.Don and Ilkiw. New York. (July-August 1991).Financial Risk REFERENCES Fukuyama Francis. page 5.. Jack Clark (1991) Investments: Analysis and Management. The Independent (16/6/99) Browning Bob (1998). Professor of Public Policy. Risk Magazine. Risk Magazine. Reform. Article in Risk Magazine.170 for a discussion of alternatives both symmetric and asymmetric. Sumit et al (July 1996). Costello. George Mason University. September 27. Thomas. McGraw Hill. Risk & Reliability Associates Pty Ltd 17. Hensel. Peter (Australian Treasurer) (1999). Robert C. Article in News Weekly. 4th Edition. Charles.

national identity and political profile of companies. few if any enterprises are immune from security risk of some sort. The key steps after the threat assessment are common to both security and general risk management functions. appropriate crisis management. This occurs mainly for reasons of confidentiality. The cause of damaging events may be different in the security context. the tourist industry has been directly affected by attacks on hotels and resorts. Persons . Most if not all of the above steps that follow the threat assessment will or should have been performed in the course of previous risk management. and the way in which criminal networks are globalising. to petty vandalism.0 Security The international reach and severity of contemporary terrorism. principally by the way threat environments raise costs and impact stock and product markets. nor acts of god . 18. Even companies that are not the direct targets of terrorist or criminal intentions can be indirectly affected by attacks on others. Nevertheless. or dysfunctional systemic causes. One or more of the new security threats is affecting businesses across the board. have raised the importance of security within risk management and good governance. For example. Threats range from mega-corporate bankruptcies as a result of management-auditor malfeasance. fire. in particular. what are the likely methods of attack? Once the threat assessment is made. public as well as corporate enterprises need to exercise security cognisance and apply the appropriate type and degree of security risk management in regard to this widening range of threats. and loss will also have been identified.1 . business impact costs. Security is obviously more relevant to some enterprises than others. Consequently. Public infrastructure management. Intelligence enables persons to discern what protective systems are in place and devise ways to defeat them. mis-operation. In most business and other organisations security is separated and often isolated as a management function. to industrial espionage. Persons are not only capable of acts of ill will. flood. and so on. Does a threat actually exist? Do any politically or criminally motivated actions pose a significant risk to the enterprise in question? If so. The cost of exporting certain goods to US markets has been affected by delays and costs caused by stringent new border crossing custom requirements. computer hacking and viruses. as will resilience.1 Security and Risk Management The security function is required to cope with aspects of risk that differentiate it from other risk management functions.create security threats. then most of the regular processes and techniques of risk management kick in. the first priority and unavoidable task in the security process is to assess the threat. Whether directly attacked or not. Those assets vital to the conduct and success of the enterprise will already have been identified. recovery plans. to electronic and credit card fraud. especially “white collar” crime. System vulnerability to failure of systems due to explosion. is currently beset with the need to reassess security in the light of new terrorist threats. However. security remains in essence a risk management function requiring coordination and integration into the overall management system and a key consideration in good governance. but the effects and responses are mainly replicated in the other areas of risk management. natural. the increasingly sophisticated modus operandi of much modern crime.not systems. Risk & Reliability Associates Pty Ltd 18. but also have intelligence.Security 18. nor components. Generally the most relevant factors in assessing the vulnerability of companies to terrorist and/or criminal threats are the location. But it has also been indirectly affected by the attacks on airlines on which the tourist market depends. Meeting the costs of sometimes substantial enhancement of security impacts the user-payers as well as the owners of infrastructure. together with the nature of their operations and products. The chief of these is that security threats spring from deliberate intention rather than from accidental.

dysfunction. as used. and other crowded locations . in the sentences.. compared with “The firm is vulnerable to currency fluctuations”. or. “The threat of burglary is a constant concern of many householders. “The firm’s vulnerability to currency fluctuations could be in the order of millions of dollars”. Security Vulnerability This refers to a weakness or susceptibility of something (a potential target) to a security threat. Security risk emanates from individual or agencies with will and intelligence. as used. are especially vulnerable as they are largely unprotectable”. or harm by natural. “Democracies provide countless soft targets for terrorists. Security Management This refers to managing the risk of deliberate intention and attempts to cause harm and/or inflict loss. Vulnerabilities. in the sentences “The threat of terrorism is being taken more seriously in Europe after the carnage in Madrid .2 Risk & Reliability Associates Pty Ltd . eg. For example. For example.. or.3 Basic Elements of Security Management The central considerations in the design or review of a security system is to identify and assess the following elements: Assets. Business Impact and Counter Measures.2 Security Terms Because security personnel use certain terms differently to other risk management professionals. rather than its susceptibility to that risk. Security Threats This refers to a generic risk or hazard of a security nature. The choice of elements is determined by the logic of the flow chart below: ASSET Yes Valuable? Yes No END Threatened? Yes No END Vulnerable? Yes No END Adverse business impact? Yes No END Cost effective counter measures? Yes No END ACTION 18.” Security references are generally to “the threat of. not to “a threat” (as in “Company X received a bomb threat”). it involves the potential to detect and defeat controls designed to preventing loss. accidental or deliberate causes. Consequently. it is appropriate to begin with a definition of three terms basic to security management.Concepts 18. Non-security risk professionals often use the term vulnerability to indicate the extent of exposure of an organisation to some risk. “The inadequately trained and equipped Iraqi police are particularly vulnerable to terrorist attack”. Threats. Shopping centres.for example. 18. railway stations.’. for example.

Proposal Model The following suggests the basic elements of a generic model for a risk control proposal: Risk control measure A is proposed It is designed to protect assets B and C. credit rating. etc. morale. The cost of implementation of the measure is $P. many of the more important are non-material assets. insurance and other relevant personnel A Risk Control Format 18. marketing.3. regulatory agencies.Security No security risk exists.. those assets are threatened and are vulnerable to those threats. is estimated to be in the region $K-$L. The chart below includes a number of asset categories as a partial guide to asset identification.1 Assets The first task in the security management process is to identify comprehensively all the significant assets of the organisation. health and safety. if these threats eventuate. which are at risk from threats D. The risk reduction from counter-measure A will produce an estimated cost-benefit in the order of $. industrial relations electronic data in transmission. Business impact assessment was made and/or checked out with functional managers: production. equipment. Naturally every organisation’s list will be somewhat different and be more comprehensive. and cost-effective. competitive edge-comparative advantage. appropriate counter. retention.. information in the possession of staff. the public. This includes identifying the relative importance of various types of asset to the viability and success of the organisation. legal.3 . products. industrial relations. E and F which are assessed as having the likelihood of occurrence G and H due to existing vulnerabilities I and J. There are also the human factors M and N to consider. finance.. and have significant business impact to warrant the above responses. The business impact (severity). motivation of staff. government. and significant business impact would result if the threats eventuated. Assessment Status The assessment is that the above threats exist.measure options can be identified. nor is expense on counter-measures warranted unless the organisation in question has valuable assets. maintenance approximately $Q per year.. • • • • • • • • • • • • • company reputation with consumers. plant. intellectual property market sensitive information Accounting and auditing integrity Good governance State of OH&S Position regarding legal liability Risk & Reliability Associates Pty Ltd 18. Not all assets are material assets such as capital. etc. are sufficiently likely to occur. loyalty..

4 Risk & Reliability Associates Pty Ltd . waste.payments stock control Raw Material Storage Production continuity. desirable stock control Finished Goods Product Warehouse Outward Goods accounting and stock control Wholesaler/retailer Public Arena Consumer reputation market share liability extortion regulation Asset Survey by Workflow Staff Security Safe workplace Assault Harassment Discrimination Traffic control Car parks Change rooms Consumer Security Product liability Contamination Product Extortion Public Security Pollution Toxic emissions Fires Explosions Asset Survey by Legal Issues Competitive Marketing Customer lists Formulae Processes Price Sensitive Property buying Takeovers Personnel Medical records Salaries Form of Information Hardcopy Electronic email Mail Voice Location of Information IT centre Laptops Desktops Board reports Consultants Government Sales staff Asset Survey by Information 18. quality control. formulae unaccountable. Inward Goods Orders .Concepts The three charts below indicate ways of ensuring that the asset survey is complete. and that no assets are over-looked that would cause the organisation significant harm if lost or impaired.Goods (quantity & quality) accounts .

The consultation of others is particularly important in this regard. if any. Remember that it is futile to include threats. and which are significant? A sample Threat Checklist is shown below. warehouse. Cash Robbery Burglary Drug abuse. Consultation with at least functional managers and staff. (financial auditors. safety.3. The security appropriate to bomb threats. personnel. financial. bomb.gambling Sovereign Risk Nationalisation Military Threats Coups Civil disturbance Civil war A Sample Threat Checklist It is important to check and review assessments.Security 18.2 Threats The second task. frauds. armed robbery. public relations. The type and degree of protection required for different assets will depend on the nature. business or political) Product Fault or Contamination Environmental pollution Non-compliance Threats to Company's Competitive Edge Professional incompetence Failure to best practice Failure to continuously improve Poor public image Threats to Product Product Extortion Collusive Theft Pilferage Contamination Threats to Staff Discrimination OH&S injury Harassment Threats from Staff Pilferage Theft Fraud Malicious Damage Threats to Equipment. legal. crime prevention. likelihood. The issue to be considered at this stage is: What particular threats. and severity of the threat. after identification and assessment of assets. fraud squads) is desirable. liability lawyers etc) might also be consulted. for example. industrial relations. exist to the identified assets. Relevant private services. is obviously different to if the threat was product extortion or industrial espionage. for example. Risk & Reliability Associates Pty Ltd 18. stock control in addition to specialist police services (for example. which are not credible.5 . risk engineers. security. Threats to Treasury & Finance Credit squeezes Liquidity issues Customer payment defaults Exchange fluctuations Funding sources failure Interest rate fluctuations Threats to Assets Fire Earthquake Flood Explosion Critical plant failure Malicious damage Threats of Business Interruption Industrial action Political/Civil upheaval Picketing/Demonstrations/Boycott Bomb Threat Bomb "Hoax" Malicious Damage/Sabotage Threats to Information Industrial Espionage Takeover Sabotage of data Threats to Company Reputation Scandal (eg. is identification and assessment of threats to these assets.

3 Vulnerability Vulnerability is a weakness or susceptibility of an asset with respect to a threat. industrial. and with no pre-prepared disaster recovery plan/guidelines may be more vulnerable to adverse business impact if certain threats materialise. people try other brands and change brand loyalties) Information • Price and competition sensitive information exists? • Competitors exist? • Unscrupulous competitors exist? • Environmentalist or consumerist critics exist? • Political and/or industrial militant critics exist? • Data is inadequately backed up? • Some managers refuse to take risk seriously and manage it professionally. This weakness may be intrinsic to the asset. Or the weakness may be due to the location of the asset. which could be stopped by picketing? • Cash flow interruptions through product recall due to contamination or extortion could prove financially difficult for the company? Business Reputation • Removal of product from sales for a period could affect long-term market share? (That is. easily disposable. A company with no contingency planning for serious security and other incidents. and employees' car park is unlit and close to rear doors of product warehouse which is poorly supervised. For example.Concepts 8. Or the weakness may be due to inadequate or inappropriate protection against known threats. investment and audit systems are dominated by the requirements of the sales and marketing department to the detriment of accurate and timely accounting. a multinational company in the Middle East may be more vulnerable to terrorism than one in Iceland. a plant with poor personnel. Business Continuity • Production dependent on on-going supplies of raw materials. For example. and training procedures? Poor personnel relations / supervision Disgruntled employees. For example. Plant • • Staff • • • • • Product • • • Production equipment.6 Risk & Reliability Associates Pty Ltd . a US multinational company is more vulnerable to politically motivated attacks than a Swiss company. highly desirable. A financial company is more vulnerable to theft and fraud if the accounting. exemployees. checking. A company with a Board practicing inadequate or inappropriate corporate governance is more vulnerable to costly scandal than one maintaining best practice and continuous improvement. which is easily damaged and slow to be replaced? Inadequate access control? Inappropriate intruder detection? Inadequate personnel selection. and public relations may be more vulnerable to malicious damage than one with good relations. audit and risk management.3. Table of Vulnerabilities 18. subject to access during night shifts. contractors? Isolated female staff working at night? Badly lit car parks? Stock control system will not warn reliably and in good time that a loss trend has emerged? Product loss is put down to unexplained "shrinkage" or inaccurate stocktaking or accounting? Product is small. Confidential information on a meeting room blackboard in an office with some public access is more vulnerable than when it is in a locked cabinet in a manager's private office or a secure registry. A sample list of vulnerabilities is shown below.

Business impact is the overall consequences for an organisation if threats succeed. explosion. How much would the counter-measure cost to implement and maintain? How much risk reduction would this achieve? How does this compare with the maximum foreseeable loss that could result if the measure was not introduced and threats succeeded? Risk & Reliability Associates Pty Ltd 18. If this vital point is easily damaged (due to accessibility or fragility). anguish. is any part or feature of an asset (For example. the fourth task is to assess the business impact if various threats were to eventuate.not just loss measurable in dollars. industrial relations. to restore to proper operation. that is. marketing. The key issues are to establish the nature of the perceived vulnerability quantified in terms of possible dollar impact and return period. Business impact assessments are similar to.4 Business Impact Having identified and assessed an organisation’s assets. members of the public. neighbourhood. and legal departments. communications or information system) that is essential to its continuing operation or integrity. which staff. and the like. anxiety. in many cases.Security Vital or Key Points The concept of vital points (sometimes also referred to as key points) is important to vulnerability assessment and prioritisation. assessed. Business impact is a form of risk characterisation particularly persuasive in assessing commercial risk. significant threats to them and whether they are vulnerability to those threats. and business reputation may be far more important. Virtually all other functions are involved in assessing business impact in relation to one or other of the company's assets. A common example is the inept use of baggage inspections or searches as a counter-measure against terrorism. or malicious damage Consequential damage can result also if a breach of security causes such things as: • strikes • legal liability • government regulation • deterioration in relations with staff.3. It is the overall cost to the company if threats succeed. brand loyalty. and associated families would experience . media / public Sometimes security itself can be the cause of poor staff and union relations if it is inappropriate. government. plant. Consequential damage includes such things as: • business interruption • loss of market share or competitive edge • fines due to incidental pollution resulting from fire. but not identical with risk management severity measurements. for any reason. Assessing business impact is a collective task. It is necessary also to consider consequential or indirect costs as well as direct costs. it becomes all the more vital to reduce its vulnerability. A vital or key point of any asset from the security viewpoint. even less if it is covered by insurance. Business impact should include human cost. do production/operations. it may only cost thousands of dollars to replace a contaminated product. Good corporate citizens and managers are motivated by normal human values. But the loss of market share. For example. stress. Proper assessment of potential business impact is essential in determining the cost-benefit of proposed counter-measures. A manager cannot do it effectively without the assistance of other managers of specialist functions.7 . 18. and related can the appropriate priorities of a security system be correctly determined. public and media relations. personnel. or insensitivity implemented. unions. and would be difficult. but so too. not just the “bottom line” or “Profit is King” attitudes. Obviously insurance and finance/accounting departments need to be involved. suffering. Only when the four elements are identified. equipment.

This is illustrated in the ‘onion’ diagram below. contracting out) secure back-up (for example. fraud. research or confidential information storage or processing departments. industrial. or haphazard variations in security standards within the one organisation. insurance. Any selection of physical and non-material measures does not constitute an effective security system unless these measures are coordinated so as to complement each other in the furtherance of the organisation’s goal and objectives. It is important that the security function should not be compartmentalised so as to allow demarcation gaps. etc.) personnel.8 Risk & Reliability Associates Pty Ltd . and other physical barriers signage guards. lessen vulnerability and reduce potential business impact comprise both material and non-material measures. neighbours. deliberate and coordinated measure applied to vital points within an organisation. Testing protective security How well a vital point is protected can be highlighted for review by applying what some call the “onion test”. The security principle illustrated by the onion test is that the degree of protection is indicated by the number of protective layers that surround a vital point. pre-warning of crime. raising security consciousness and motivation) contingency planning crisis management (damage/business impact control) avoidance (giving up activities if they are too risky compared with the possible profit. patrols Many possible control options are non-physical. unionists. it is possible to consider what cost-effective counter-measure options exist to avoid or reduce the cost of risk.--relocating activities to safer areas) transference of risk (that is.5 Counter Measures When identification and assessment of assets. be appropriate when it is a considered. data and equipment back-up and offsite secure storage) payroll techniques (for example. reducing risk from disgruntled staff. activist groups) training (that is. safes.3. For example. payment by cheque or bank deposit) law enforcement and security liaison arrangements effective monitoring performance indicators for timely warning of loss trends. Inner barriers aim to delay the intruder to facilitate timely intervention. locks. and potential business impact is complete. In high security situations. capacity to get timely warning that losses are occurring through theft. Counter-measures to avoid or deter security threats. contrasting security arrangements. 18. however. Zoning of security standards and control levels can. threats. Material measures – or physical security – include such things as: access control systems intruder detection and alarm systems perimeter fences. terror or other relevant trends) accounting and inventory control techniques (that is. vulnerabilities.Concepts 18. pilferage. and public relations techniques (that is. an initial barrier and intruder detection should operate at the external perimeter so as to warn security monitors in time to respond before an intruder reaches the core of the concentric circles surrounding the vital point. For example: credible threat intelligence (that is.

4. Terrorism has already and will continue to increase certain costs of business. including compliance costs in regard to increasing anti-terrorist regulation (For example. For xample. and civil disturbances. entertainment and tourist hotel areas. few if any will avoid being affected indirectly. war.4 The Terrorist Threat Contemporary terrorism has put increased emphasis on the security function in general and on certain elements of that function in particular: 18.4. Risk & Reliability Associates Pty Ltd 18.3 Range and Applicability The threat now has a global reach with attacks ranging from Moscow to Bali.Security PHYSICAL SECURITY Patrols Fencing Security lighting Door. from New York to Madrid.1 Severity The severity of the terrorist threat has increased. window locks Intruder detection Secure room Security monitor Valuable asset Contingency plan Security management Staff security awareness Accounting system Inventory system Personnel selection MANAGERIAL SECURITY “Onion” Test of Vulnerability Resources can be used more effectively if it possible to concentrate protection around vital points within an establishment rather than seek to protect everything within a location equally by often futile efforts to seal off the whole establishment at the outer perimeter. container export to the US market) possible delays and uncertainties regarding to “just-in-time” manufacturing delivery systems delays and interference with executive travel accidental involvement in counter-terrorist investigations (For example. 18. For example. unwitting involvement in terrorist money laundering and funding operations) unanticipated economic and/or market fluctuations in various parts of the world due to terrorist incidents. 18.2 New Modus Operandi Terrorists can combine primary and secondary targets.9 . as exemplified in the World Trade Centre. Bali and Madrid incidents. Although most business operations will never become the primary or secondary targets of the new terrorism.4. as in the highjack of airliners and their weaponisation into missiles to attack the primary targets – the Twin Towers and the Pentagon. Currently favoured targets are highly vulnerable crowded public areas such as transport stations. 18.

3 2. Adversarial Legal System Airspace Risk Assessment Asset Management Audit Systems Australian Risk Criteria Availability Beck. Peter (Australian Treasurer) 3. 7.11 9.1 6.2.8 Costello.4 3.6 Juran J M Juries and Justice Kauffman R Key Performance Areas Kletz T Kuhn T 1.10 8.7.10-11 Causation 5. Incidents and Risk HazOps HazOp Risk Registers Haddon W Heinrich H W Human Error Rates Page 9.10 15.2 Chapman and Ward 7.3-16 4.1.6-10 8.14.4 1.11 Ishikawa Fishbone Diagram 5.6 10.6 10.1.4 Information Security 7.4 3.12 6.4 3.11 Costs of Ownership 3.13 Creighton W B 1. 16. Generative Techniques Group/Societal Risk Criteria HACCP Analysis Hazard (OH&S) Registers Hazards.11 Conditions and Failures 5.6. International Safety Rating System 3.6 Individual Fatality Risk 6.4 1.8 5.8-10 6.2-5 Industry Based Risk Assessment 15.6 Dawkins Richard Demming W E Discrete Event Mathematics Discrete State Concepts Diversification Due Diligence Det Norske Veritas DuPont STOP System Energy Damage Energy Damage Models Environmental Risk Criteria 5. 18. 5.8.4 1.12 5.6 13.1-2 Common Mode Failures 10.10 7.2-3 15.7 Equipment Breakdown Failure Rates Ethical Criteria Event Trees Facilities Management Factory Mutual System Failure Modes Failure Rates Fatality Risk Fault Trees and Block Diagrams Fault Trees and Success Trees Feigenbaum A Fire Safety Studies Fire Risk Management (in buildings) FMEA.10 Integrated Investment Ranking 8.3 3.1 5.3 1.18 9.2 Insurance Criteria 6. 16.6 Coordinated Information 16.2-4 Control 7.6-10 Information Measures 16.7 11.12 16.15-16 Conway W E 1.3 9.3 4. 9.6 2.1 Criminal Matters v's Civil Standards 4. 3.3.1 8.17 1.10 Integrated Information Management 16.6 10.17 Imai M 1.3 2.17-18 15.1 Risk & Reliability Associates Pty Ltd I . 11. 4.2-3 1.Index INDEX Entries in italics type indicate other referenced writers.6 Information Structures 16.4.1-7 Cause-Consequence Modelling 4.6 1.5 9.8 5.1 2.7-10 Chadwick E L 1.16 Claims Reserving 9.1 Crosby P 1.12 4.13 8.1 12. 9.1-15 12.6 9.6 4.19 5.1 13.11 16.15 COTS 9.6. U Best Practice Risk Management Bipartite Philosophies Biological Metaphors Block Diagrams Block vs Trees Blombery Dr Ron Bottom Up Techniques Breakdown Failure Mathematics Browning R W Browning R L Bushfire Risk Management Business Impact Page 4.1 Information Systems 16.1 5.2 5.22 Common Cause and Mode Failures 9. FMECA FMECA Registers Fractional Dead Time Mathematics. 2.10-11 Context–Process Industry Risk Assessment 13.6 Insurance based Risk Management 2.13 3.5.12 Intergovernmental Environment Agreement 6.3 9.2 Individual Risk Levels 6.1 16.7-9 Idealised Risk Management Structure 3.7 Ishikawa K 1. 5.6 12.10 Common Law Criteria 4.2 8.4 12.

2 Lees F P Legal Criteria Liability Liability & Consequence Management Lost Time Frequency Injury Rates Market Risk Market Risk Mathematics Market Risk Models Markov Analysis Maruyama M Mizuno S Modelling Techniques Moubray J Møller C New Zealand Risk Criteria Nohl J NSCA 5-Star NSW Department of Planning Oakland J Ockham’s Razor OH&S Hazard Ranking OH&S Hazard Registers Organisational Models Paradigms Paradigms Integration Pathogen Metaphor Model Payback Assessments Peters T Popper K R Probability Criteria Process Industry Risk Assessments Process Risk Management Project Risk Process Model Property Loss Prevention Registers Property Loss Prevention Ranking Public Risk Quality Quantitative Risk Analysis (QRA) Ranking Techniques RCM Taguchi G 1.20 1.18. 7.5 3.2-4.1 4.8 5.6 5.1 Risk Assessments 7.1 13.8 6.2 7.5 9.1 Train Operations Rail Model 15.5 2.3.1 7.3.2 Terrorism 18.10 17.7 2.1.3 6. 7.7 UK Health & Safety Executive Utility and Risk Value at Risk Victorian Risk Criteria Viner D B L Vulnerabilities Vulnerability Assessments Vulnerability Registers Vulnerability Workshops 6.19 5.10-11 3.6.6 9.11-12 12.15 8.1 2.4 Reason James 0.4.4 3. 7.18-21 Risk of Financial Loss or Gain 3.12-14 1.1 Risk Management Risk Management Overview Risk Management Process Models Risk Management & Project Life Cycle Risk Management Structure Risk Profiling Risk Registers Risk & Reliability Diagrams Risk & Reliability Mathematics Risk Role Models Rowe W D Rule of Law Safety Cases Safety Culture Safety Integrity Level (SIL) SafetyMAP Severity Criteria Shingo S Simulation Smith D J Societal Risk Criteria Solution Based Risk Management Solvency Risk SOUP State Theory Mathematics STOP System (duPont) Success Trees SWOT Assessments Systems in Series Systems in Parallel page 1. 5.5 Threats 4.6 Risk Characterisation 7.15.1 1. 10.14 8.9 Time Sequence 5.1-5.3 2.16 3. 3.1 2.6 5. 7. 9.13 12.2 12.6 Risk Criteria 6.16 7.6 11.4.1 3.13 9. 18.2 16.9.1 4.1 8.1 6.18 1.13 6.5 1.1 3.11 8.5. 7. 13.2-4.2 8.14.14 2.9 Top Down Context 13.15 Rise of the Risk Society 1.3 8.10.10 6.2.19 1.14 12.3 Transmission Line Risk Management 15.4 2.11-16 Risk Assessment in the Process Industry 13.13 16.15 7.6.4 1.8-10.6 Taylor R T 1.9 Redmill Felix 3.6 16.4 1.3 Tweeddale H M 10.11 Risk Culture 2.5 Western Australia EPA Risk Criteria Wiggins J H Winslow C E A Workshops Wright J H II Risk & Reliability Associates Pty Ltd .7 6.4 Residual Risk 9.1 3.6 2. 3.19 5.6 16.15 7. 18.13 13.5 7.1.6 8.12 9.5 Reliability 1.6 2.8 8.2 Top down Techniques 7.1 Risk as Variance 2.10 3. 13.1 4.11 6. 13.4.2 1.8 6. 18.4.4 Risk Auditing Systems 4. 18.1 3.4.Index page 9.1 3.8 3.7 7. 7.7 9.8 Risk 1.7 Tripartite Risk Control Philosophies 1.5 16.18 2.6 13.

Sign up to vote on this title
UsefulNot useful