the hazard identification and assessment process …€¦ · web viewslip, trip & falls slip /...

Safety Engineering Consultingwww.safetyengineeringconsulting.co.uk 30 years of Safety Engineering experience in the Defence industry+44 7801841806

The Hazard Identification & Risk Assessment Process

COMPILED BY E.J.Griffiths

1


2


Amendment Record

Issue # Date Amended By Remarks

1 06 Nov 2018

EJG Initial Issue

3


Glossary

Term Explanation

AA Acceptance Authority (Customer)

ALARP As Low As Reasonably Practicable

DE&S Defence Equipment and Support

DEF STAN Defence Standard

DShips Director Ships

HazID&A Hazard Identification and Assessment

HL Hazard Log

HSAW Health & Safety At Work

MoD Ministry of Defence

PPE Personnel Protective Equipment

RCM Risk Classification Matrix

RIDDOR Reporting of Injuries, Diseases & Dangerous Occurrences Regulations

RN Royal Navy

SC Safety Case

SCR Safety Case Report

SOP Standard Operating Procedure

SQEP Suitably Qualified and Experienced Personnel

SWIFT Structured What If Technique

TA Technical Authority (Design Authority)

UK United Kingdom

4


Definition of Terms

Term Definition

Accident An unintended event, or sequence of events, that causes harm.

ALARP As Low As Reasonably Practicable. A risk is ALARP when it has been demonstrated that the cost of any further Risk Reduction, where the cost includes the loss of defence capability as well as financial or other resource costs, is grossly disproportionate to the benefit obtained from that Risk Reduction.

Duty Holder A MoD person with specific responsibilities for the safety management of the system.

Event Sequence The progression of events that results in an accident.

Harm Death, physical injury or damage to the health of people.

Hazard A physical situation or state of a system, often following from some initiating event, that may lead to an accident.

Hazard Identification The process of identifying and listing the hazards and accidents associated with a system.

Hazard Identification and Assessment

The process of Hazard Identification plus the associated Hazard Risk Assessment

Hazard Log The continually updated record of the hazards, accident sequences and accidents associated with a system. It includes information documenting risk management for each hazard and accident.

Incident The occurrence of a Hazard that might have progressed to an accident, but did not.

Inherent Risk The exposure arising from a specific risk before any action has been taken to manage it. [JSP 430/JSP 892]

Intrinsic Risk The risk posed by a system independent of its interactions with other systems. [JSP 430]

Mitigation Strategy A measure that, when implemented, reduces risk.

Residual Risk The exposure arising from a specific risk after action has been taken to manage it, and assuming that the action is effective. [JSP 430]

Risk Combination of the likelihood of harm and the severity of that harm.

Risk Assessment The outcome of the Hazard Identification and Assessment process.

Risk Acceptance The systematic process by which relevant stakeholders agree that risks may be accepted.

Risk Estimation The systematic use of available information to estimate risk.

Risk and ALARP Evaluation

The systematic determination, on the basis of Tolerability Criteria, of whether a risk is broadly acceptable, tolerable or unacceptable and whether it is ALARP, or whether any further Risk Reduction is necessary.

Risk Management The systematic application of management policies, procedures and

5


Term Definition

practices to the tasks of Hazard Identification, Hazard Analysis, Risk Estimation, Risk and ALARP Evaluation, Risk Reduction and Risk Acceptance.

Risk Reduction The systematic process of reducing risk.

Safe Risk has been demonstrated to have been reduced to a level that is ALARP and broadly acceptable, or tolerable, and relevant prescriptive safety requirements have been met, for a system in a given application in a given operating environment.

Safety Case A structured argument, supported by a body of evidence that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given operating environment.

Safety Case Report A report that summarises the arguments and evidence of the Safety Case, and documents progress against the safety programme.

Safety Management Plan

A document that defines the strategy for addressing safety and documents the Safety Management System for a specific project.

Safety Management System

The organisational structure, processes, procedures and methodologies that enable the direction and control of the activities necessary to meet safety requirements and safety policy objectives.

Safety Programme The part of a Safety Management Plan that documents safety timescales, milestones and other date-related information.

Shall This expresses a requirement that is mandatory, in that failure to comply implies non-compliance with this framework. [BAE Systems NS PSMF]

Should This expresses a recommendation based on the judgement of experienced people, but where some discretion is appropriate. It is the preferred approach, which shall be deviated from only where there is a sound reason for doing so; any such reasoning shall be appropriately explained and recorded for audit, contractual or investigative purposes. [BAE Systems NS PSMF]

SQEP A Suitably Qualified and Experienced Person with experience, training, knowledge and/or other qualities appropriate to undertake the role. [Project definition]

System A combination, with defined boundaries, of elements that are used together in a defined operating environment to perform a given task or achieve a specific purpose. The elements may include personnel, procedures, materials, tools, equipment, facilities, services and/or software as appropriate.

Sub-System A system that is an element of another system.

6


1. IntroductionThe Hazard Identification and Assessment process employed by Safetyengineeringconsulting.co.uk is shown in the following paragraphs. It is a relatively standard Safety Engineering process that, together with the Hazard Assessment and Risk Classification Criteria, form the basis of the overall HazID&A activity.

2. Purposea) To identify the Safety Hazards and Accident Sequences

b) To determine the Severity and Probability - Initial Risk Classification - of the resulting accidents impacting on Personnel and the Environment

c) To identify safeguards (mitigations) which will eliminate or reduce the Severity or Probability of an Accident

d) To determine the Severity and Probability – Projected Risk Classification – following the application of the mitigations above

3. ScopeIncludes:

Hazards to Personnel (Ships Crew and Third Parties) & Environmental hazards (as appropriate).

Excludes:

Damage or loss of equipment where this does not affect safety to personnel.

Loss of capability where this does not directly affect safety to personnel.

Battle damage, war-fighting effectiveness, countermeasures.

Excludes training and shore side facilities.

4. Terminology Cause – An initiating event that may cause a Hazard

Hazard - A physical situation or state of a system, often following an initiating event, that may lead to an Accident.

Accident - An unintended event or sequence of events that causes harm.

Accident Sequence - The progression of events that results in an accident.

Risk - Combination of the likelihood and the severity of that harm.

Hazard Identification - The process of identifying and listing the hazards and accidents associated with Support activities

Risk Assessment - The systematic use of available information to classify a risk.

Mitigation - A measure that, when implemented, eliminates or reduces risk.

7


5. Process Overview

8


6. Structured What If Techniquea. The approach adopted for each review is to consider each element of the system and its operation in

turn and identify hazards. The “Structured What If Technique” (SWIFT) review process is a prompted brainstorming approach that uses guide words to highlight potential areas of concern, or likely types of failure which have the potential to pose a credible hazard to health and safety of persons, property or the environment.

b. SWIFT studies are undertaken by the application of a formal systematic and critical examination of the engineering intentions of a design. The potential for a hazardous condition is assessed and the mal-operation and/or mal-operations together with the consequences for the system and the impact with respect to interfaces are identified. This examination of the design is structured around a set of keywords, which ensures systematic coverage of potential problems whilst still allowing sufficient flexibility for an imaginative approach.

c. The study/meeting team considers whether there are any situations or initiating events that can lead to potentially hazardous conditions. This “brainstorming” approach is supported by a generic set of keywords to prompt discussion. Consideration can subsequently be given to the means of reducing or removing potential hazards or problems that have been identified.

d. SWIFT is a top down qualitative approach. The process is system orientated and a team of experienced experts is used to examine complete systems or major equipment items. The technique is effective because it generally avoids lengthy discussion of areas where the hazards are well understood or where prior analysis or operational experience has shown no hazards are known to exist. The effectiveness in identifying hazards comes from asking questions in a variety of important areas according to a structured approach.

e. Keywords To facilitate the meeting a set of keywords is used to prompt discussion. The high level keywords provided in table E-1 have been used to cover hazards that might be expected and to focus the discussion. These keywords are a generic list for the range of systems involved and are not exhaustive. Additional keywords are added during the meeting as necessary.

f. The approach adopted for each review is to consider each element of the system and its operation in turn and identify hazards. The “Structured What If Technique” (SWIFT) review process is a prompted brainstorming approach that uses guide words to highlight potential areas of concern, or likely types of failure which have the potential to pose a credible hazard to health and safety of persons, property or the environment.

g. SWIFT studies are undertaken by the application of a formal systematic and critical examination of the engineering intentions of a design. The potential for a hazardous condition is assessed and the mal-operation and/or mal-operations together with the consequences for the system and the impact with respect to interfaces are identified. This examination of the design is structured around a set of keywords, which ensures systematic coverage of potential problems whilst still allowing sufficient flexibility for an imaginative approach.

9


h. The study/meeting team considers whether there are any situations or initiating events that can lead to potentially hazardous conditions. This “brainstorming” approach is supported by a generic set of keywords to prompt discussion. Consideration can subsequently be given to the means of reducing or removing potential hazards or problems that have been identified.

i. SWIFT is a top down qualitative approach. The process is system orientated and a team of experienced experts is used to examine complete systems or major equipment items. The technique is effective because it generally avoids lengthy discussion of areas where the hazards are well understood or where prior analysis or operational experience has shown no hazards are known to exist. The effectiveness in identifying hazards comes from asking questions in a variety of important areas according to a structured approach.

j. Keywords To facilitate the meeting a set of keywords is used to prompt discussion. The high level keywords provided in table E-1 have been used to cover hazards that might be expected and to focus the discussion. These keywords are a generic list for the range of systems involved and are not exhaustive. Additional keywords are added during the meeting as necessary.

k. The discussion is allowed to flow as appropriate using the topic and guideword lists to check that a thorough consideration of safety has taken place. The objective is to identify (as far as reasonably practicable) all the hazards to personnel, the environment, the ship, the aircraft and sub-systems/equipment in all operation and standby modes.

l. HazID Meeting Agenda the format of each hazard Identification meeting comprises the following items.

System/sub-system overview

Hazard identification using SWIFT followed by event sequence and accident identification

Initial risk assessment

Proposals for mitigating risks to ALARP

m. Description of SWIFT Method All meeting attendees participate in a general discussion on the potential hazards and consequences. The following aspects should be considered during the initial discussion.

Previous incidents where known.

Perceived hazards, event sequence and potential severity. This process should also record pre-determined and known mitigations.

Engineering safeguards and operational procedures.

Platform integration issues.

Other comments.

Based on complexity overall, consideration of the system is broken down into suitable elements and the following process repeated for each sub-system.

10


n. The Chairman of the meeting prompts discussion on each topic, component or sub-system in the various operational modes by referring to the keyword checklist. He asks for input from the team members by “brainstorming” possible scenarios from the ideas that this produces. Once discussion is complete around a perceived hazard the discussion is recorded in the hazard log. The hazard identification process will then proceed to the next keyword considered to be appropriate for discussion. This process will continue until the key words have been exhausted.

o. Risk Assessment The hazards are subsequently assessed to establish a suitable risk class and measures are proposed to mitigate any risks to personnel, the environment or assets. Risk levels are assessed pre and post mitigation to allow a quantifiable definition of the level of safety incorporated into the equipment or system.

7. SWIFT Codewords

8.

11


9. Hazard / Risk Assumptions Made at the Initial Risk Classification The Ship is operated by the Royal Navy in accordance with RN standard procedures.

Systems / Equipment’s are installed, set to work, operated and maintained in accordance with Manufacturer’s instructions.

Systems / Equipment’s are operated in accordance with extant CCUs, CSES, declared operating limits etc.

Personnel receive suitable and sufficient information and training for the role that they will perform.

Personnel receive career training in their specialisation, however there is no platform specific training

NOTE: Experience, unless quantifiable as knowledge/training, is not a valid mitigation.

10. Hazard Hierarchy of Control

Eliminate – the safest control measure is to eliminate the hazard completely.

Reduce or Substitute – Do it less often, reduce the number of people who do it, use something else.

Isolate – physically separate the hazards from people.

Control – A safe system of work, procedures, training, supervision, safety devices and tools.

Personal Protective Equipment – Gloves, eye protection, respirators etc.

Discipline – Ensure that all controls are monitored, enforced and reviewed.

12


11. Suggested Hazard Severities

13


14


15


12. Hazard Catagorisation Examples

Hazard ConsequencePossible Pre-Mit RA

Sev Prob RAFirePersonnel subject to direct explosion & fire / fireball.

Personnel suffer the effects of explosion and fire

Death / Multiple deaths

Critical / Disastrous

Remote A

Personnel in close vicinity to fire / in same compartment.Flames / explosionPersonnel directly affected by fire.

Personnel suffer the effects of heat and smoke

Death / Multiple deaths /Major injuries(Depending on severity / localisation of fire)

Critical

Major

Remote

Remote

B

C

Personnel not in close proximity to fire / not in compartment, or minor fire / smoke generatedSecondary effects of fire (eg to fire fighting team)

Personnel suffer the effects of smoke and fumes.

Multiple marginal injuries

Marginal Occasional C

Flammable Fluid LeakRelease of flammable liquid – mist.Atomised fluid droplets.

Pressure of release – highQuantity released – lowFlammability - high

Personnel suffer the effects of explosion and fire

Death / Multiple deaths

Critical Remote B

Release of flammable liquid – drip.Small pool of liquid.

Pressure of release – lowQuantity released – lowFlammability - medium

Personnel suffer the effects of toxic fumes/ smoke, orPersonnel slip on fluid.

Marginal respirotary injury.

Marginal muculo-skeletal injury.(Recoverable RIDDOR)

Marginal Occasional C

16



Sev Prob RARelease of flammable liquid – flood.Large volume of liquid.

Pressure of release – lowQuantity released – highFlammability - low

Personnel suffer the effects of toxic fumes/ smoke, orPersonnel suffer the effects of contact of fluid with skin / eyes / ingestion.

Marginal respirotary injury.

Marginal dermatological / toxic injury

Marginal

Marginal

Occasional

Probable

C

B


Sev Prob RASlip, Trip & FallsSlip / trip / fall - MoB Person slips /

trips and falls overboard.

Death Critical Remote B

Slip / trip / fall – at height Person slips / trips and falls from height.

DeathMajor Injury

(Depending on ht)

CriticalMajor

RemoteOccasional

BB

Slip / trip / fall - general Person slips / trips and falls to deck.

Marginal injury Marginal Probable B

17


13. Risk Classification Matrix

The Risk Classification Matrix based on the D-Ships RCM is as shown below.

18


14. Risk Classification Criteria

Frequency Criteria

The following paraphrases text found in D Ships RCM:

“D Ships RCM addresses risks arising from a hazardous event, hence any data for occurrence of harm has to be factored in order to relate to a specific installation on a specific platform. This is done to ensure that the benefit of reducing the risk of harm from a hazard can be related to the sacrifice involved in implementing that measure in any analysis demonstrating the risk has been reduced to ALARP. The probability of occurrence of the harm should be estimated using past experience and precedent, analysis of quantified data or professional judgement of Suitably Qualified and Experienced Personnel (SQEP).

Note: the population of equipment that provided any evidence should be included so that the probability can be factored to give data per single equipment in a particular life cycle phase, circumstances of use, quantities, etc., related to the accident sequence of interest need to be considered”.

Severity Criteria

With reference to D Ships RCM, HSWA and R2P2, the focus is on ensuring that risks to the actual person are managed within tolerable limits, but this approach has limited usefulness for managing risks generally. D Ships output concerns risks to numbers of personnel arising from equipment or platforms (individual or group most at risk). Clearly, the focus of hazard analysis is on user exposure to the possibility of harm, hence risks identified during design, maintenance or use must be assessed for their potential once that capability is deployed. The safety argument needs to determine the severity and the probability of its occurrence, but as this is not directly related to specific individuals the concept of a hypothetical person is introduced.

The D-Ships RCM considers the concept of a “Directly Involved” group and the severity criteria are assessed against that group only. However in real life there is also the concept of an “Indirectly Involved” group, such as members of the general public not on board the Ship and also those who are not directly involved in a ship related shore based activity, persons such as these, should not be exposed to the highest level of risk and therefore have a reduced tolerability i.e. members of the public shall not be exposed to Class B Risks. Public perception is more risk averse than for any “Directly Involved” groups. Therefore, those risks involving those not directly involved (or as referred to in 00-56 Section 0.4 (a) as the ‘public’) shall be considered as a separate consequence derived from the same hazard, thereby allowing assessment of the ‘hypothetical individual’ in that group.

Those who are considered to be ‘indirectly involved’ are members of the general public not on board the Ship and also those who are not directly involved in a ship related shore based activity.

19


Material Loss, Failure & Damage

This can be considered to be either an availability, or a capability shortfall, a cost to repair, or a cost to replace issue. None of these is considered to be a quantitative product safety measure and cannot therefore be used to classify a risk. However, where the absence of an equipment or system, for whatever reason, can be demonstrated to be or lead to the realisation of a credible risk where the subsequent consequence is harm to people then it shall be assessed. Examples might include:

a) single point failure modes.b) prolonged absence.c) failure on demand.

The definitions for the severity of injury or illness shall be as defined in the D-Ships RCM

20


15. Accident Frequency Comments

21

Comments

A regular ship occurrance

More than once during the ships life = more than once in 30yrs

Equals once in 30 ship years

May occur once during the Fleet life

Unlikely to occur during the Fleet life

Suggest don’t use unless there is confidence that this will never happen


16. RIDDOR Injury Severity Definitions

The table below shows RIDDOR injury severity definitions (reproduced from D-Ships RCM).

SEVERITY OF INJURY OR ILLNESS EXAMPLES

Non-RIDDOR Minor injury requiring basic first aid treatment and not reportable under RIDDOR 95

Cuts Bruises Abrasions First degree burns – redness, sensitivity to the touch Minor electric shock not resulting in unconsciousness Chemical fume inhalation not resulting in unconsciousness.

Recoverable RIDDOR Injury that can be recovered from with medical treatment and recovery time, but which must be reported under RIDDOR 95

Fractures Sprains Major cuts requiring hospitalisation but recoverable Crush injuries requiring hospitalisation but recoverable Dislocation of the shoulder, hip, knee or spine not resulting in permanent disability Second degree burns – redness, blistering & acute pain Scalds Injury leading to hypothermia, heat-induced illness or unconsciousness or requiring resuscitation or admittance to sick-bay for more than 24 hours Injury resulting from an electric shock leading to unconsciousness or requiring resuscitation or admittance to sick-bay for more than 24 hours Chemical or hot metal burn to the eye or any penetrating injury to the eye not leading to permanent loss of sight Frostbite not leading to amputation. Food poisoning leading to admittance to sick-bay for more than 24 hours Smoke inhalation leading to admittance to sick-bay for more than 24 hours Minor hearing loss requiring hearing correction/Tinnitus (ringing in the ears) Minor exposure to RADHAZ above threshold level Unconsciousness caused by asphyxia or exposure to a harmful substance or biological agent Dermatitis Acute illness requiring medical treatment where there is reason to believe that this resulted from exposure to biological agent or its toxins or infected material.

Permanent RIDDOR Severe injury from which a full recovery is not possible and which must be reported under RIDDOR 95

Amputation Permanent loss of sight Third degree burns – damage to all layers of skin Major exposure to RADHAZ above threshold level Injury that will lead to permanent disability Permanent deafness Hepatitis Legionellosis.

22


17. Project Risk Tolerability

The table below gives Risk Tolerability parameters based on the D-Ships RCM.

RISK CLASS TYPE 26 PROJECT LEVEL OF RISK ACCEPTANCE

Class A

INTOLERABLE to the project. Cannot be tolerated unless there is an over-riding and exceptional operational military requirement for the associated capability. The exceptional requirement shall be justified by the customer (ODH) who shall authorise acceptance at an appropriate level. The risk is to have been demonstrated to be ALARP. It is unacceptable for personnel other than those who have specific duties which require them, to be exposed to these risks.

Class B

UNDESIRABLE - However, can be tolerated providing the risk has been demonstrated to be ALARP. It is unacceptable for personnel other than those who have specific duties which require them, to be exposed to these risks i.e. members of the public are not to be exposed to these risks.

Class C TOLERABLE - Can be tolerated providing the risk has been demonstrated to be ALARP.

Class DBROADLY ACCEPTABLE - Can be tolerated providing the justification for this risk level has been demonstrated and has been reduced as far as reasonably practicable. There is no requirement for further formal demonstration of ALARP.

Note that, compared to the D SHIPS RCM, these Tolerability Criteria include more stringent requirements for people who would not normally be exposed to the risk by the nature of their duties; it also includes more stringent requirements to provide justification for the Category D Risk Classification.

23


18. Risk Classification Criteria

The table below gives a visual representation of the Risk Classification criteria.

24


25


19. Risk Maturity Criteria

Suggested Hazard Maturity Levels Risk Status (RS) Check List / RemarksRisk Maturity/ Status

Definition

1. OPEN - Hazard Identified

Hazard identified.

2. OPEN – Initial RA

Consequence identified and Initial Risk Assessment (RA) populated.

3. OPEN - Projected RA

Mitigations/Controls identified and Projected RA made.

Further management activities may be required, so may not have a complete mitigation plan agreed.

4. OPEN - Mitigation Solution Agreed

Initial RA, Mitigations/Controls and Projected RA agreed by the MIFS Technical Authority (TA) and Approval Authority (AA).

RS 4 Checklist

5. OPEN – Mitigation Actioned

MIFS Specific Mitigation/Control evidence requirements and sources identified and agreed by the MIFS TA. (For Training mitigations, sufficient information must be provided to scope the work required to develop the mitigation in subsequent phases).

All mitigations must have agreed owners.

References to be provided for documentation detailing inclusion of Mitigation in Baseline design, and / or reference to EQI / change request. Traceable references should be provided – email messages are insufficient.Where design change is required, scope of change to be agreed between AA and TA.Where Mitigation is based on system specific training, guidance provided to Mitigation Owner (Training Provider) to reflect specific training required.

6. OPEN - Risk Agreed

Mitigations/Controls defined and method used for mitigation sign-off agreed by the MIFS AA and TA.

For MIFS specific Procedural mitigations, sufficient information must be provided to scope the work required to develop the mitigation in subsequent phases.

Draft ALARP statement prepared and agreed by MIFS TA and AA

Status of all live Risk Mitigations at “Evidence Requirements Agreed” or “Complete”.Where Mitigation is defined as “Procedural – RN Operational”, e.g. BR XXX, specific reference to document/section provided.Where Mitigation is defined as “Procedural – T26 Specific Operational”, the details of the required procedure/instruction/warning etc. shall be detailed in the Mitigation Solution.

26


Suggested Hazard Maturity Levels Risk Status (RS) Check List / RemarksRisk Maturity/ Status

Definition

7. OPEN - Proposed ALARP

All reasonably practicable Mitigations confirmed as in the design and mitigation evidence agreed.

Final Risk level agreed by MIFS TA and AA and ALARP statement updated as necessary.

ALARP statement authorised.

All Mitigations COMPLETE and Risk which has all associated Actions COMPLETE, ARCHIVED OR TRANSFERRED (if any) and all Assumptions ACCEPTED or ARCHIVED (if any).

8. OPEN – Endorsed ALARP

All reasonably practicable Mitigations implemented and Evidence confirmed.

Risk level endorsed

ALARP statement endorsed.9. ALARP Duty Holder (or delegated representative)

accepts that the Hazard is controlled and Risk is reduced to ALARP.

No future action necessary for Risk to remain ALARP and Tolerable, notwithstanding routine review.

27


20. Risk Status Definitions

Risk Status Description

OPEN – Proposed Archive

Risk which is to be Archived, pending formally agreement of justification by the TA and AA.

ARCHIVED – Designed out

Hazard eliminated by design change or through permanent solution.Archived risk must be endorsed by the TA and AA.

ARCHIVED –Duplicate

Superseded by a different Risk, or merged with an existing Risk or spurious entry/ mistaken entry. Duplicate Risk action must be endorsed by the TA and AA.

ARCHIVED – Material Loss or Damage

Risks which do not have a Personnel effect but are Equipment damage only.Material Loss / Damage Risk action must be endorsed by the TA and AA.It must be confirmed that the risk(s) is/are sufficiently covered in other Personnel tagged risks where and as appropriate.

ARCHIVED – Not Credible

Risk assessed as Not Credible and endorsed by the TA and AA.

OPEN – Proposed Transfer

Risk which is to be managed by an authority other than the system supplier, but have not been formally accepted.

TRANSFERRED A Transferred Risk is one which has been transferred to another Authority for management. A Transferred Risk must first be endorsed by the TA and AA for transfer and then accepted in writing by the receiving Authority.

ACTIONS TO REMAIN ALARP

Duty Holder (or delegated representative) has endorsed that the Hazard is controlled, risk reduced to ALARP and Tolerable through interim measures. Programme in place to implement further risk reduction over time.

All applicable Risks must have all actions at ARCHIVED, TRANSFERRED or CLOSED and all Assumptions at either ACCEPTED or ARCHIVED as appropriate.

28


21. Mitigation Types

Mitigation Type Definition

Design Physical (hardware) design requirementsFunctional Design Functional (software/firmware) design requirementsSafety Device Pressure relief valves, Emergency Stop systems, guards,

etc.Procedural – System / Equipment Specific Operational

Op-Stats, OEM Operating information, SOPs, EOP, Ships rounds, Tech Docs (IETP)

Procedural – System / Equipment Specific Maintenance

Periodic Maintenance (incl replacing lifed items) , Periodic Inspections, Ad-hoc maintenance, OEM maintenance information etc.

Procedural – Top-level Platform Operational, Service Regs

BRs etc.

Training - System / Equipment Specific

Specific / developed training (operational and maintenance)

Signs / Labels / Safety Markings Physical Signs and Labels and painted warningsMonitoring Systems (eg: Fire / Smoke / Atmospheric)

Specific monitoring for safety purposes

PPE PPE (Hard Hats, Safety Boots, Hearing Protection Headsets, Safety Glasses, Gloves, Harnesses etc.)

Other Inc. Spill Kits, Portable FFE, Health Monitoring

29


22. ALARP Statements

a) Draft ALARP Statement Suggested Format.

Hazard No

Hazard Description

ALARP statement

XExample of the general form (style/format)

Initial assessmentInitial identification and assessment of Hazard, including the Risk Assessment, which demonstrates the need for further mitigations. if relevant a statement outlining why the risk cannot be avoided (brief statement)

Summary of mitigations implementedA summary of mitigations taken to reduce risk - showing 'good practice' (industry standard, normal safety, etc) has been adopted.

Re-assessment of RiskReassessment of the hazard/risk post-mitigation to show Post Mitigation Safety Assessment (i.e. Risk Classification, Tolerability) and summary statement

Other Mitigations consideredSummary of mitigations rejected (succinct list of risk reduction options rejected and brief reason for rejection, including reference to cost-benefit analysis if cost is one of the reasons for rejecting the mitigation).

Legal/regulatory confirmation

Statement confirming compliance with Regulations and/or Legislation

Acceptance statementsGeneral statement that evidence of mitigations supports the claim that hazard/risk is Tolerable & ALARP.

Technical Authority statement: Statement of agreement that mitigations are sufficient and no more should be done to reduce riskApproval Authority statement: Statement of agreement that mitigations are sufficient and no more should be done to reduce risk

30


b) Demonstration of ALARP – MoD Guidance SRR Leaflet 5

31


32


c) ALARP – Class D Risks.

Residual Class D risks where the initial risk classification was also Class D are considered to be Broadly Acceptable and therefore a only simple standard ALARP statement is required:

Residual Class D risks where a risk reduction has been claimed (i.e. the initial risk classification was C or above) will require an ALARP statement proportionate to the risk reduction. An example is shown below:

33

• The risk was initially assessed as Class D which indicated that it was already considered Broadly Acceptable. • The mitigations put in place along with good practice and adherence to legal requirements have resulted in this risk being reduced so far as reasonably practicable and remains at Class D and Broadly Acceptable without any further demonstration of ALARP.Note: if there are no mitigations or applicable L&R seek guidance from the Safety Team

Risk ??? - Helicopter Handling System cable failure leading to injury from cable snapback

A. The risk was initially assessed as class C which indicated the need to determine if further risk reduction was possible. It was not possible to remove the Hazard as a cable based system is necessary to move the helicopter.

B. The towing cables are designed with a safety factor of 3 and the HHS continuously monitors cable tensions to ensure that they are not overloaded which along with regular inspections of cable condition to ensure that any cable damage is detected allowing cable replacement will minimise the risk of cable failure in use.

C. Users of the HHS are required to be trained to operate the equipment and to identify conditions where there may be excessive tensions in the cables. Standard RN practice is that only essential personnel are in the vicinity when aircraft movements are carried out.

D. No reasonably practicable mitigations were reviewed but have not implemented.E. All applicable Legal and Regulatory requirements are complied with.F. All identified mitigations and controls have been confirmed in place and are considered robust and

sufficient by the Aviation Safety WG and no reasonably practicable options to further reduce this risk have been identified. The risk reduction claimed is considered reasonable and the final risk, at Class D, lies within the Broadly Acceptable region of the T26 risk criteria, it therefore has been assessed by the Aviation Safety WG that this risk is ALARP without additional mitigation or further analysis necessary to substantiate this.


d) ALARP – Class C Risks.

Class C risks are considered to be Tolerable, however they still present an increased final risk and as such additional justification is required to demonstrate that the risk is ALARP.

Reasons for rejecting risk mitigations should be outlined and where cost is one of the factors for rejecting a mitigation a simple CBA should have been completed and referenced.

A final statement that all risk mitigation is in place and that it is not practicable to apply further risk mitigation and that the risk is ALARP as assessed by the appropriate TA.

High Severity Class C risks (Catastrophic and Disastrous) are considered to be Tolerable when ALARP, however they present an increased severity to a large number of people and as such additional justification may required to demonstrate that the risk is ALARP

Reasons for rejecting risk mitigations should be outlined and where cost is one of the factors for rejecting a mitigation a CBA should have been completed and referenced.

A final statement that all risk mitigation is in place and that it is not practicable to apply further risk mitigation and that the risk is ALARP as assessed by the appropriate TA PSWG and endorsed by the HRWG.

34

Risk ??? - Personnel come into contact with live electrical components and receive electric shock (Earth fault)

A. The risk was initially assessed as class B which while tolerable is undesirable and indicated the need to determine if further risk reduction was possible.

B. The electrical assemblies are designed such that exterior metal surfaces bonded to the ship structure to prevent them from becoming live under fault conditions and all enclosures are secured to prevent casual access to internal parts which may become live under fault conditions to minimise the risk of accidental contact. Should an earth fault occur the switchboards incorporate earth fault monitoring to provide warning of earth faults. The 230V circuits to user sockets incorporate RCCBs to trip in the event of an earth fault to minimise the risk of electric shock.

C. The design of all relevant assemblies comply with applicable T26 design rules and policies for earthing and bonding of electrical assemblies to ensure that while earth faults cannot be completely eliminated, the risk of harm to personnel is reduced SFAIRP. As is standard RN practice, all work on electrical systems is carried out by SQEP personnel which will minimise the risk of inadvertently introducing hazardous faults.

D. No reasonably practicable mitigations were not implemented.E. All applicable Legal and Regulatory requirements are complied with.F. All identified mitigations and controls have been confirmed in place and are

considered robust and sufficient by the P&P PSWG and no reasonably practicable options to further reduce this risk have been identified. The risk reduction claimed is considered reasonable and the final risk, at Class C, lies within the Tolerable region of the T26 risk criteria, it therefore has been assessed by the P&P PSWG that this risk is ALARP.


35

Risk ??? - Loss of ship structural integrity causing hull breach / loss of life

A. The risk was initially assessed as class A which is Intolerable and determined the need for further risk reduction to reduce the risk to Tolerable levels as a minimum.

B. The ship is designed, built and maintained through life to exceed minimum standards set by the Naval Authority Group (NAG) for Structure, Stability and Escape and Evacuation. In the event of loss of structural or watertight integrity these standards provide a proscribed minimum level of:

Structural Integrity

Watertight Integrity and Stability. Extensive sub-division of the ship and isolation of systems to control and limit progressive flooding and maintain the ship afloat and at a reasonable angle of heel and trim.

Sufficient time and resources to escape and evacuate personnel if the loss of structural and/or stability integrity is too great.

Guidance to the ship’s command and personnel as to how to operate the ship safely including in the event of damage.

In addition, the ship has a designed in level of survivability and recoverability required mainly for operational wartime requirements but also are applicable to the peacetime safety case. While immediate response to the incident must lie with the ship’s company additional support is available from shore based MoD Ship support, and may also be available from accompanying ships. The level of structural and stability integrity the ship can survive is driven by the level of damaged to be analysed. The principle method of doing was by use of damage templates proscribed in the relevant standards, but other realistic damage scenarios have been analysed to determine the ship’s response.

C. Design to the standards is evidenced by the Naval Authority Group (NAG) issuing periodic audit reports of the plan approval submissions for Naval Ship Safety Certificates for Structures, Buoyancy and Stability, and Escape and Evacuation. For structure the ship has been designed to LNSR, which meet the NSSC structural standards. The ship has been designed to meet Def Stan 02-900 for stability, including watertight integrity. The Escape and Evacuation standard is ????. The Ship’s material state will be monitored by the NAG during construction and through its service life to ensure it continues to meet the standards either directly (for Buoyancy and Stability) or by its appointed Responsible Organisation (RO), Lloyds Register, for Structures. The ship will be maintained “in Class” for Structure and also Escape and Evacuation TBC. These standards will be evidenced by the issue of NSSC with time limited endorsements for Structures, Buoyancy and Stability and Escape & Evacuation on completion of build and through the service life of the ship.

D. No reasonably practicable mitigations were not implemented.

E. All applicable Legal and Regulatory requirements are complied with.

F. All identified mitigations and controls have been confirmed in place and are considered robust and sufficient by the Platform (Naval Architecture) PSWG and no reasonably practicable options to further reduce this risk have been identified. The risk reduction claimed is considered reasonable and the final risk, at Class C, lies within the Tolerable region of the risk criteria, it therefore has been assessed by the (Naval Architecture) PSWG and endorsed by the HRWG that this risk is ALARP.


e) ALARP – Class B Risks.

While Tolerable when ALARP, Class B risks are considered to be undesirable. They present a significantly increased final risk and as such additional justification will be required to demonstrate that the risk is ALARP.

Reasons for rejecting risk mitigations should be outlined and where cost is one of the factors for rejecting a mitigation a substantive CBA should have been completed and referenced.

A reasoned argument that it is not practicable to apply further risk mitigation and that the risk is ALARP as assessed by the appropriate TA PSWG and endorsed by the PSEC.

f) Draft ALARP Statement.

The purpose of the draft ALARP statement is to provide the opportunity at an early stage to assure both the TA and AA that an ALARP statement can be prepared which, when all the mitigation is in place, will satisfy both parties.

The draft ALARP Statement defines the proposed final ALARP statement. It is draft on the basis that the mitigations are not implemented at this point in time and the

statement is NOT signed off. When the both the TA and AA agree that the draft ALARP statement provides a reasonable

justification that the risk will be ALARP with the proposed mitigation implemented, an agreement statement should be added on the first line of the Justification/ALARP statement field at the head of the statement.

Documentary evidence of TA/AA agreements should be included under the Hazard Log ALARP status field & the Risk Status field amended appropriately.

Agreement at this point does not prevent the ALARP statement being changed subsequently by mutual agreement.

36


g) HSE Guidance Cost Benefit / Gross Disproportionate Calculations.

A Cost-Benefit Analysis (CBA) is an economic evaluation in which all costs and consequences of a certain decision on a safety Risk are expressed in the same units, usually money. Such an analysis may be employed in relation to operational safety and to aid normative decisions about safety Risk reduction efforts. In essence, something is reasonably practicable unless its costs are grossly disproportionate to the benefits. A sensitivity analysis is usually required to support any conclusions suggesting that the costs are disproportionate to benefits of implementing a measure.

An example of a CBA is shown below:

37


COST BENEFIT ANALYSIS (CBA) EXAMPLE

A hazard exists that an amphibious platform’s davit could have a structural failure whilst lifting a landing craft could result in the consequence of 2 deaths. From D Ships RCM this means the consequence is Critical.

The annual frequency of occurrence of this accident is qualitative assessed as being no better than 1 in 10000 years but no worse than 1 in 1000 years (Probability of 0.001). From D Ships RCM this is Remote.

Therefore the Risk is Class B

The value to prevent 2 fatalities is determined to be – 2 x £2,000,000 = £4,000,000Based on the following table:

LEVEL OF HARM VPF / VFI

Individual Death from Industrial Disease e.g. Cancer (2 x VPF) £4,000,000

Individual Death Resulting from Accident (VPF) £2,000,000

Individual Permanent RIDDOR Injury (VPI) £229,291

Individual Recoverable RIDDOR Injury (VPI) £23,689

Individual Non-RIDDOR Injury (VPI) £2,099

Values of VPI have been scaled from DfT published figures for 2007 in TAG unit 3.4: The Safety Objective, Table 4a: Average value of prevention per road accident by severity and class of road: all hours. The scaling factor used is D Ships VPF/DfT VPF = £2,000,000 / £1,876,830 = 1.065627, Serious injury is set at £215,170 (assumed equivalent to permanent RIDDOR), slight injury is set at £22,230 (assumed equivalent to Recoverable RIDDOR) and damage only is set at £ 1,970 (assumed equivalent to Non-RIDDOR injury).

The host platform is assumed to have 20 more years of service left before disposal.The benefits of preventing this accident occurring can be assessed as follows:-

Annual cost‘Frequency’ x ‘value of preventing a fatality’0.001 x £4,000,000 = £4,000 per year of platform life

Or Lifetime cost‘Frequency’ x ‘value of preventing a fatality’ x lifetime0.001 x £4,000,000 x 20 years = £80,000

38


To rule out a control measure on the grounds that it is grossly disproportionate requires

Costs / Safety Benefits >= Disproportion Factor (DF)

which can also be written as

Costs => Disproportion Factor (DF) x Safety Benefits

For our class B risk the Gross Disproportion Factor to be used in any CBA is x 6 (see above figure)

Costs / Benefits >= DF >= £4000 x 6 = £24,0000 per annum

OR >= DF >= £80,000 x 6 = £480,000 one off cost

Therefore, any control measure that costs less than £24,000 per annum or less than £480,000 as a one off cost would be deemed to be “reasonably practicable”.

39


23. Hazard Log

Following the HazID&A process, a Hazard Log is produced for the Hazards raised against the subject system / equipment. The Hazard Log content and structure follows the template as shown.

a) Product Identification (Title, Part/ Serial No.);b) A Hazard Number;c) A Hazard Description;d) Causes;e) A sequence of events that creates a hazardous situation or Accident;f) Possible consequences to (Personnel/Environment/Equipment);g) Significance criteria used during hazard analysis (e.g. as in the Type 26 SEMP);h) Unmitigated Risk Classification (Frequency & Severity);i) Control and Mitigation Measures (Engineering & Management);j) Post Mitigated Risk (Frequency & Severity);k) Actions (Identifying Owner and Close Out Date);l) Risk Status;m) ALARP Statement (describes why the risk is considered to be ALARP);n) Endorsed by and Date endorsed;o) Related documents identifying built in Safeguards with evidence of achievement (e.g.

Drawings, O&M manuals, test forms & results);p) Assumptions/Comments.

The Hazard Log is a living document and in accordance with the SEMP the log will be maintained throughout the project and updated with the output from further reviews.

A template for a typical Hazard Log is shown below.

40


41


42

the hazard identification and assessment process …€¦ · web viewslip, trip & falls slip /...

Documents