theme - 11 risk assessment and management

NOVEMBER 2010 5.03-0015-2010 For further information Contact: Paryavaran Parisar, E-5, Arera Colony, PB No. 563, Bhopal-462 016 MP (India), Fon +91-755-2466715, 2461538, 2461348, Fax +91-755-2466653 [email protected] www.dmibhopal.nic.in Disaster Management Institute International Weiterbildung und Entwicklung gGmbH Capacity Building International, Germany Friedrich-Ebert-Allee 40 53113 Bonn Fon +49 228 4460-0 Fax +49 228 4460-1766 www.inwent.org InWEnt - Theme - 11 Risk Assessment and Management Risk Assessment and Management Technical elements Environmental elements Human elements Socio-political elements Financial elements Risk-Based Regulations Risk-Based Design Risk-Based Operation


gtz-ASEM

The Advisory Services in Environmental Management (ASEM) Programme is a joint programme of the German Technical Cooperation (GTZ) and the Indian Ministry of Environment and Forests (MoEF). The German Federal Ministry for Economic Cooperation and Development (BMZ) supports several environment-related projects in India through GTZ. ASEM focuses on seven major thrust areas: Sustainable Industrial Development, Sustainable Urban Development, Sustainable Consumption and Consumer Protection, Sustainable Environmental Governance and the cross-cutting areas Climate Change and Human Resource Development. Public Private Partnership (PPP) projects with Indian and German companies contribute towards identified project activities. Detailed information can be explored using our web sites:

www.asemindia.com
www.hrdp-net.in

InWEnt - Qualified to Shape the Future

InWEnt - Capacity Building International, Germany, is a non-profit organisation with worldwide operations dedicated to human resource development, advanced training, and dialogue. Our capacity building programmes are directed at experts and executives from politics, administration, the business community, and civil society. We are commissioned by the German federal government to assist with the implementation of the Millennium Development Goals of the United Nations. In addition, we provide the German business sector with support for public private partnership projects. Through exchange programmes, InWEnt also offers young people from Germany the opportunity to gain professional experience abroad.

Detailed information can be explored using our web site: www.inwent.org

Disaster Management Institute (DMI) Bhopal

The Disaster Management Institute (DMI) was set up in 1987 by the Government of Madhya Pradesh (GoMP) as an autonomous organization in the aftermath of the industrial disaster in Bhopal. Since inception, DMI has built vast experience in preparation of both On-site and Off-site Emergency Management Plans, Safety Audit, Risk Analysis and Risk Assessment, Hazard and Operability Studies (HAZOP), etc. The National Disaster Management Authority (NDMA), constituted under the chairmanship of the Prime Minister, selected DMI as a member of the Core Group for preparation of the National Disaster Management Guidelines - Chemical Disaster. It is a matter of pride that NDMA has selected DMI for conducting Mock Exercises on chemical (industrial) Disaster Management at key industrial locations in the country. The Ministry of Environment and Forests, InWEnt and gtz-ASEM Germany have recognized DMI as a Nodal Training Institute for capacity building in industrial Disaster Risk Management.

www.HRDP-iDRM.in

MoEF

The Ministry of Environment & Forests (MoEF) is the nodal agency in the administrative structure of the Central Government for the planning, promotion, coordination and overseeing the implementation of India's environmental and forestry policies and programmes. The Ministry also serves as the nodal agency in the country for the United Nations Environment Programme (UNEP), South Asia Co-operative Environment Programme (SACEP), International Centre for Integrated Mountain Development (ICIMOD) and for the follow-up of the United Nations Conference on Environment and Development (UNCED). The Ministry is also entrusted with issues relating to multilateral bodies such as the Commission on Sustainable Development (CSD), Global Environment Facility (GEF) and of regional bodies like Economic and Social Council for Asia and Pacific (ESCAP) and South Asian Association for Regional Co-operation (SAARC) on matters pertaining to the environment.


Disclaimer

Though all care has been taken while researching and compiling the contents provided in this booklet, DMI-InWEnt-gtz-ASEM accept no liability for its correctness. The reader is advised to confirm specifications and health hazards described in the booklet before taking any steps; suitability of action requires verification through other sources also. Information provided here does not constitute an endorsement or recommendation.

Imprint

Chief Editor
Praveen Garg, IAS, Executive Director, DMI, Bhopal, India

Editors
Dr. Rakesh Dubey, Director, DMI, Bhopal, India
Florian Bemmerlein-Lux, Sr. Advisor, InWEnt, Germany

Support
Sudheer Dwivedi, Dy. Director, DMI, Bhopal, India
Dr. Asit Patra, Asstt. Director, DMI, Bhopal, India
Neeraj Pandey, Content Manager, InWEnt India
Amit Kumar Dadhich, Content Manager, InWEnt India
Huda Khan, Content Manager, InWEnt India

Published under
InWEnt-gtz-ASEM Capacity Development Programme for industrial Disaster Risk Management (iDRM)

Edition 1, 2010

InWEnt
International Weiterbildung und Entwicklung gGmbH
Capacity Building International, Germany
Division for Environment, Energy and Water
Lützowufer 6-9, 10785 Berlin, Germany
Dr. Christina Kamlage
Phone +49 30 [email protected] Mallinger
Phone +49 30 [email protected]

Disaster Management Institute
Paryavaran Parisar, E-5, Arera Colony, PB No. 563
Bhopal-462 016 MP (India)
Fon +91-755-2466715, 2461538, 2461348, Fax +91-755-2466653
www.hrdp-iDRM.in

GTZ ASEM
Advisory Service in Environmental Management
A-33, Gulmohar Park, New Delhi 110049
Fon +91-11-26528840
Fax +91-11-26537673
www.asemindia.com

Contents

1. What is Risk?
2. Objective of risk assessment
3. Risk assessment process
4. Likelihood and consequences
4.1. Estimating likelihood and consequences
5. Risk Matrix
6. Risk Management
7. Application of risk assessment
8. Chemical process hazard identification and risk analysis methods
8.1. to 8.8. Checklist; Hazard Indices; Preliminary Process Hazard Analysis; Failure Modes and Effects Analysis (FMEA); Hazard and Operability Study (HAZOP); What if-Analysis; Fault Tree Analysis (FTA); Safety Audit
8.9. Event Tree Analysis (ETA)
9. Risk Criteria in some countries
10. Glossary
11. References

1. What is Risk?

Risk is the likelihood that a harmful consequence (death, injury, loss or illness) might result when exposed to the hazard. It is represented as:

Risk = consequence of impact x probability of occurrence

A consequence spectrum 'C' (or risk picture) of an activity is a list of all its possible consequences and the associated probabilities 'p' (e.g. per year). Usually, only unwanted consequences are considered. The spectrum can be represented for any activity as:

[Diagram: an activity branching into consequences C1, C2, C3, ..., Ck with probabilities p1, p2, p3, ..., pk]

Risk for the above activity is defined as

$$\text{Risk} = C_1 p_1 + C_2 p_2 + \dots + C_k p_k = \sum_{i=1}^{k} C_i p_i \qquad \text{(Equation 1)}$$

Risk can be defined as the combination of the probability of an event and its consequences. In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk.

In the safety field, it is generally recognised that consequences are only negative and, therefore, the management of safety risk is focused on prevention and mitigation of harm.

Equation 1 shows that risk can never be zero, a truth not always grasped by the general public or the news media. Hazards are always present within all industrial facilities and they always have undesirable consequences, and their likelihood of occurrence is always finite. The consequence and likelihood terms can be reduced, but they can never be eliminated, as illustrated in Fig-1, in which both axes are approached asymptotically, i.e. they never reach zero. The only way to achieve a truly risk-free operation is to remove the hazards altogether (or, with respect to safety, to remove personnel from the site or stop the activity).

Fig-1 also shows that an inverse relationship generally exists between consequence and frequency. For example, a serious event such as the failure of a pressure vessel may occur only once every ten years, whereas simple trips and falls may occur weekly.

The total risk associated with a facility is obtained by calculating the risk value for each of the consequences, and then adding all the individual risk values together. The result of this exercise is sometimes plotted in an FN curve as shown in Fig-2 in which the ordinate represents the cumulative frequency (F) of fatalities or other serious events, and the abscissa represents the consequence term (usually expressed in terms of number of fatalities).

The values of F and N typically extend across several orders of magnitude, so both axes on an FN curve are logarithmic. (More sophisticated analysis will actually have a family of curves with roughly the same shape as each other. The distribution of the curves represents the uncertainty associated with predicting the frequency of events.) The shape of the curve itself will vary according to the system being studied; frequently a straight line can be used.
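The calculation described above, as an added example that is not part of the original booklet: it applies Equation 1 to a consequence spectrum, builds the FN curve points, and fits the straight line on logarithmic axes. The scenario names, frequencies and fatality counts are constructed, and the function names are hypothetical.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float  # p_i: expected occurrences per year
    fatalities: int   # C_i: consequence, here the number of fatalities


# Constructed consequence spectrum for one hypothetical facility.
SPECTRUM = [
    Scenario("small toxic release", 1e-2, 1),
    Scenario("pool fire", 1e-3, 5),
    Scenario("pressure vessel failure", 1e-4, 10),
    Scenario("large toxic cloud", 1e-6, 100),
]


def total_risk(spectrum):
    """Equation 1: Risk = sum of C_i * p_i (expected fatalities per year)."""
    for s in spectrum:
        if s.frequency < 0 or s.fatalities < 0:
            raise ValueError(f"negative value in scenario {s.name!r}")
    return sum(s.fatalities * s.frequency for s in spectrum)


def fn_curve(spectrum):
    """Return [(N, F)]: F is the cumulative frequency per year of all
    scenarios that cause N or more fatalities."""
    levels = sorted({s.fatalities for s in spectrum if s.fatalities > 0})
    return [
        (n, sum(s.frequency for s in spectrum if s.fatalities >= n))
        for n in levels
    ]


def loglog_slope(points):
    """Least-squares slope of log10(F) against log10(N), i.e. the slope of
    the straight line an FN curve often follows on logarithmic axes."""
    if len(points) < 2:
        raise ValueError("need at least two FN points to fit a line")
    xs = [math.log10(n) for n, _ in points]
    ys = [math.log10(f) for _, f in points]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    if sxx == 0:
        raise ValueError("all points share the same N")
    return sxy / sxx


if __name__ == "__main__":
    print(f"Total risk (Equation 1): {total_risk(SPECTRUM):.4f} fatalities/year")
    for n, f in fn_curve(SPECTRUM):
        print(f"  N >= {n:>3}: F = {f:.3e} per year")
    print(f"Slope on log-log axes: {loglog_slope(fn_curve(SPECTRUM)):.2f}")
```

A negative slope reflects the inverse relationship between consequence and frequency shown in Fig-1: the frequent scenarios dominate F at low N, while the rare, severe scenario alone sets the tail.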

The degree of risk will depend upon the amount of exposure to the hazard associated with a consequence of an event. For example, toxic chemicals are hazardous - they have the potential to harm health. But the level of risk depends on things such as:

- what is the density of population,
- what is the wind direction with respect to human settlements at the time of event,
- how much is present,
- how easy it is for toxic chemicals to interact with human bodies,
- how fast the toxicity depletes and how rapidly their potential for harm decreases, and
- how long some chemicals are toxic (e.g. arsenic and lead are toxic forever).

[Fig-1 Likelihood vs. Consequence (axes: Likelihood, Consequence)]

[Fig-2 Representative FN Curve (axes: Fatalities, 1 to 1000; Frequency, logarithmic scale)]

Therefore, a drum of toxic waste is hazardous, whether it is in a well-regulated disposal facility, or in the living room. But the level of risk would be very different in these two cases. Risk can be understood better in Fig-3 with the support of associated activities.

[Fig-3 Foundations of risk management. Labels: Risk understanding (What can go wrong? How likely is it to occur? What impact is possible?); Foundation for risk assessment (historical experience, analytical methods, knowledge and experience, socio-political background)]

2. Objective of risk assessment

The purpose of a risk assessment is to determine:

- whether there is any likelihood of a potentially hazardous situation causing death, injury, illness or disease to people in the workplace and neighbouring environment.
- how severe that risk is.
- whether the risk needs to be controlled and how urgently.

After assessing or evaluating the identified risks the next steps are:

- determine which ones are the most serious (i.e. those with greater likelihood and most severe consequences).
- plan the actions needed to control the risks in order of priority, from most serious to least serious risks to life, property and environment.

Risk assessment is important and relevant to the whole life cycle of a processing project. The risk increases with the inception of a project and remains prominent during the operation of the plant. The risk starts reducing with the decommissioning of the plant. The whole concept can be shown through Fig-4.

[Fig-4 Risk in project life cycle. Labels: Risk; Process life cycle; Research and Development; Conceptual Design; Detailed Engineering; Start-up; Routine Operation, Modifications, and Expansions; Decommissioning; Shutdown and Facility Removal; New Project; Existing Facility; New Project Demolition; Records Retention Required; Records Destroyed]

Objectives of the systematic risk assessment may include:

- identification of all possible major accident scenarios
- identification of potential knock-on effect to and from adjoining plants on-site and off-site
- gaining a thorough understanding of the nature, causes, likelihood and consequences of these scenarios and to communicate these to the facility employees
- assessing the risks from potential major accidents against acceptable risk criteria
- identification and reliability assessment of existing critical safety equipment and procedures
- identification of possible risk reduction measures
- evaluating, selecting and implementing all reasonable risk reduction measures to reduce the risk to a level that is as low as reasonably practicable (ALARP)
- identifying employee training needs
- identifying the geographic area of the community to be consulted
- identifying critical safety management system components
- identifying critical emergency planning elements and
- identifying monitoring points, performance criteria and suitable measurement techniques to provide timely warning of safeguard inadequacies.

3. Risk Assessment Process

The life span of a process industry comprises a number of stages from conceptual design to decommissioning. Each stage of a plant may have hazards, some general and some stage specific. Hazard identification and risk analysis techniques that may be applied at different stages of a plant are given in Annexure 1.

For risk assessment it is essential to:

- define the context and/or system and/or project. This is done with the help of the Process and Instrument Diagram (P and ID), chemistry, thermodynamics, operating procedure, etc.
- identify the activity/task/work area/personnel to be assessed.

The risk assessment process has the following five steps:

Step 1: Identification of all hazards by:

- observing, inspecting, investigating, communicating, consulting and documenting all the hazards identified. Experience, Checklists, PHA, What-if, HAZOP, FMEA, etc. are helpful here.

Step 2: Assessment of the risks of the identified hazards by:

- assessing and prioritising the risks.
- dealing with the highest priority risks first.
- dealing with lesser or least significant risks last.
- assessment of risk is possible by knowing the likelihood and the consequence of the hazardous events. Tools like event tree/fault tree analysis and modelling are applied respectively.

After knowing the risk, the risk is judged for acceptability. If the risk is below or at par with the acceptable level, only then are any further activities recommended. If the risk is above the acceptable level, the whole system is reviewed, and further activities are carried on only after appropriate control measures for reduction of the risk have been recommended.

Step 3: Decision on measures to control the risks by:

- Elimination of the risk is the best and preferred way.
- If elimination of the risk is not possible, select control measures in the following order of preference: (i) substitution (ii) isolation by engineering ways (iii) minimisation by engineering means (iv) application of administrative measures (v) use of personal protective equipment (PPE) (vi) transfer of risk by insurance or making strong partners.

Step 4: Implementation of appropriate control measures by:

- adequately controlling the risks
- not creating other risks
- allowing workers to do their work without undue discomfort or stress.

Step 5: Monitor the control measures and review the process:

A: Monitor

- Have the control measures been implemented as intended?
- Are the control measures adequate?
- Did the implementation of control measures create other hazards or risks?

B: Review

- Has anything changed over time since the risk assessment process was implemented?
- Is the control of risks still adequate?
- Was the risk management process conducted effectively?

After review and monitoring, if the risk is acceptable then one should carry out the activity; otherwise revisit all five steps above and repeat until the risk is acceptable. Fig-5 shows the risk assessment process.

[Fig-5 Risk assessment (RA) process. Flowchart boxes, with the inputs shown beside them:
1. Define Objectives, Depth and Goal of RA
2. Describe System (Process Diagram (PFD, P and ID), Chemistry, Thermodynamics, Operating procedure, etc.)
3. Identify Hazards (Experience, Checklist, PHA, What if, HAZOP and FMEA)
4. Enumeration and Selection of Incident (List of Enumerated Incidents, List of selected Incidents, Incident outcomes, etc.)
5. Estimate Consequences (Experience, History, Effect Models, Damage Models); 5. Estimate Frequencies (Experience, History, Fault tree analysis, Event tree analysis)
6. Risk Estimation
7. Acceptable Risk criteria (Standards, Company Policies)
Decision for acceptance (No / Yes), with a "Review risk assessment" loop
8. Risk acceptance as per need
Stop]

4. Likelihood and consequences

4.1 Estimating likelihood and consequences

To assess the level of risk, the likelihood of an event occurring (will it happen or could it happen?) and the extent of the consequences that could result (if it does occur, how serious will the outcome be?) must be considered. Both factors are equally important in establishing the level of risk and it is not important which factor is considered first.

When estimating the likelihood of occurrence of an event and the severity of the potential consequences, it is important for the person doing the risk assessment to refer to the following information:

- past safety records, such as safety committee information.
- incident statistics in the workplace or the whole industry.
- practice and relevant experience in the relevant organisation and others in the industry.
- manufacturer's data or information on proper use of machinery.
- relevant published literature such as trade magazines, research articles, safety bulletins, etc.
- market research such as industry development of new materials and equipment.
- the results of public consultation such as new public projects or institute information.
- economic, engineering or other models such as Quality Assurance (QA), Total Quality Management (TQM) or safety culture.
- specialist and expert judgements such as safety consultants or case law decisions.
- other codes of practice (e.g. Manual Tasks and SOPs).

(A) Establishing likelihood

The likelihood of an event occurring will depend on both the probability and frequency of exposure to a hazard. There may be a number of factors specific to the workplace that will influence the likelihood of an event occurring, such as:

- how, where and when people are exposed to the hazard.
- how exposure varies over time or by location.
- how people respond.
- how the climate influences the dispersion of the chemical.
- how the control system works.
- what is the level of awareness.
- what is the ratio of old vs young men/women.
- monitoring and enforcement of regulations.

Likelihood is subject to the local geographical situation.

The following factors can affect the likelihood of an event or situation occurring:

- How often the task occurs: Generally, the more often the same critical task demands are repeated, the more likely an incident will occur. This includes the same or similar tasks occurring during the shift. For example, consider how often in a shift a worker carries a load; pushes a trolley; or uses a vibrating hand tool.
- How many people are exposed: Generally, the greater the number of people exposed to the hazard, the more likely an incident will occur. For example, three shifts of workers in a 24-hour distribution centre, operating morning, evening and night shifts, carrying out wholesale order make ups, could be exposed to manual tasks, noise and shiftwork hazards.
- Duration of exposure: Generally, the longer a person is exposed to the hazard, the more likely an incident will occur. For example, consider a manufacturing worker who is exposed to an accumulative total of eight hours of industrial noise over a 10 hour shift.
- Quantities of materials or multiple exposure points involved: For example, an incident (such as an explosion) is more likely to occur as a result of a small amount of flammable liquid, such as petrol, in a container which allows room for expanding gases than from a full container of the liquid with no room for expanding gases; an item of plant may have a number of places with exposed moving parts that could injure a worker.
- Position of the hazard relative to workers and to other hazards: For example, workers working close to a noisy machine are more likely to suffer hearing loss than those working further away; certain chemicals, such as methylated spirits, may only represent a risk if they are located near a heat source.
- Skills and competence of persons exposed: Workers who are not trained in safe and efficient methods of work are more likely to be injured. For example, a worker who has not been trained in using a trolley may manually lift and carry loads over long distances; a worker who has not been trained in the safe operation of plant could increase the chance of human error leading to dangerous events and injury.
- Experience of persons exposed: For example, a worker with 20 years experience is less likely to make the same mistake and cause an incident than a worker with only two months experience. Adequate training and reasonable competence to do a task will reduce the likelihood of an incident.
- Any special characteristics of the people involved: For example, young workers have a lower level of maturity, which can increase the likelihood of them behaving in a way that is dangerous and risky. Further, young workers are still developing and are more likely to be injured when handling heavy loads due to their reduced capacities. Additionally, a pregnant woman and the developing foetus may be affected if exposed to chemicals, heavy loads or noise.
- Distractions: It is more likely that an incident will occur when a worker is not paying full attention to the task or their surroundings. For example, a worker listening to music through headphones increases the chance of being hit by vehicles at a construction site.
- Environmental conditions: For example, water in the vicinity of an electrical hazard.
- Repetition: When workers are consistently required to replicate tasks or components of tasks. For example, when a process task cycle is less than 30 seconds and is completed for more than one hour; or the process task cycle comprises more than 50 per cent of the total task time and is completed for more than one hour.
- Condition of equipment: The use of defective equipment is more likely to cause an incident. For example, when the tool rest of a bench grinder is not adjusted for the wear of the abrasive wheel rather than using one that is correctly adjusted.

The effectiveness of existing control measures can be judged on the following basis:

- Do the existing control measures represent good practices?
- Are the existing control measures preventing or minimising exposure to the risk?
- Do workers know about the existing control measures?
- Are the existing control measures being used or followed?
- Are there adequate systems or procedures in place in relation to the existing control measures?
- Is there adequate training and supervision in relation to the existing control measures?
- Is there adequate maintenance in relation to the existing control measures?
- Are the existing control measures easy to use and follow?

Table-1 provides information about the determination of likelihood.

Table-1 DETERMINE LIKELIHOOD

| Rating | Frequency | Description | Frequency example |
|---|---|---|---|
| A | Almost certain | Happens often | More than 1 event per month |
| B | Likely | Could easily happen | More than 1 event per year |
| C | Possible | Could happen and has occurred here or elsewhere | 1 event per 1 to 10 year |
| D | Unlikely | Hasn't happened yet but could | 1 event per 10 to 100 year (e.g. within a single mine life) |
| E | Rare | Conceivable but only in extreme circumstances | Less than 1 event per 100 year |

(B) Establishing consequences

The severity or range of the potential consequences resulting from an incident can be determined by a number of factors, such as:

- how much harm the hazard could do
- how many people it could affect
- whether the harm would be short or long term.

The following factors can affect the severity of consequences when an event or situation happens:

- Potential for 'chain reaction': Where a hazard, if not eliminated, may evolve and compound into an even more dangerous situation.
- Concentrations of substances: For example, a minor injury might result because of a diluted chemical, while a fatality might result from a concentrated form of the same chemical.
- Volumes of materials: For example, the potential consequences of a leak of a small amount of a particular chemical, such as ammonia, into the workplace may be relatively minor, compared with the potential consequences of the release of a large amount of the same chemical.
- Speeds of projectiles and moving parts: Generally, the greater the speed at which a projectile or part is moving, the more severe are the consequences of injury.
- Heights: The force with which a falling object hits a person (and hence the potential injury) will generally increase with the distance it falls. Similarly, a person will generally sustain greater injuries if falling from a great height.
- Position of the workers to the hazard: For example, workers working close to a noisy machine are likely to incur greater hearing damage than those working further away.
- Weights: For example, a worker will generally sustain a more severe injury from lifting material in 50 kg packages than from lifting the same material packaged in 30 kg lots.

Table-2 shows the determination of consequence.

Table-2 DETERMINE CONSEQUENCE

| Consequence | Injury | Property damage or process loss | Environmental Impact |
|---|---|---|---|
| Low/Insignificant | Minor/short term injury | Low financial loss | Limited damage to minimal area of low significance |
| Minor | Reversible disability or impairment | Medium financial loss | Minor effect on biological or physical environment |
| Moderate | Moderate irreversible disability | High financial loss | Moderate short term effects but not affecting eco-system |
| Major | Single fatality | Major financial loss | Serious medium term environmental effects |
| Catastrophic | Multiple fatality and/or significant irreversible effects | Maximum financial loss | Serious long term environmental damage |

- Forces and energy levels: For example, the higher the voltage of electricity and the possibility of a high current flowing through a person, the more severe the consequences are likely to be.

5. Risk Matrix

Having determined consequence and frequency values to do with a particular hazard, the overall risk is determined using a third matrix such as that shown in Table 3, which shows four levels of risk.

Table-3 DETERMINE RISK (columns: consequence severity)

| Probability factor | Low | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| A Happens often / almost certain | High | High | Extreme | Extreme | Extreme |
| B Could easily happen / likely | Moderate | High | High | Extreme | Extreme |
| C Could happen and has occurred here or elsewhere / possible | Low | Moderate | High | Extreme | Extreme |
| D Hasn't happened yet but could / unlikely | Low | Low | Moderate | High | Extreme |
| E Conceivable but only in extreme circumstances / rare | Low | Low | Moderate | High | High |

The risk values will usually line up diagonally, with all the values in any one diagonal being the same.

The meaning of the four colours in Table 3 is as follows:

A (Red) Very High: This level of risk requires prompt action; money is no object, and doing nothing is not an option. An 'A' risk is urgent. On an operating facility, management must implement Immediate Temporary Controls (ITC) while long-term solutions are being investigated. If effective ITCs cannot be found, then the operation must be stopped. During the design phases of a project immediate corrective action must be taken in response to an 'A' finding, regardless of the impact on the schedule and budget.

B (Orange) High: Risk must be reduced, but there is time to conduct more detailed analysis and investigations. Remediation is expected within say 90 days. If the resolution is expected to take longer than this, an ITC must be put in place.

C (Yellow) Moderate: The risk is significant. However, cost considerations can be factored into the final action taken, as can normal scheduling constraints such as the availability of spare parts or the timing of plant turnarounds. Resolution of the finding must occur within say 18 months. An ITC may or may not be required.

D (Green) Low: Requires action but is of low importance. In spite of their low risk ranking, 'D' level risks must be resolved and recommendations implemented according to a schedule; they cannot be ignored. (Alternatively, some companies do allow very low ranked-risk findings to be ignored on the grounds that they are within the bounds of ALARP.)
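One way to apply Tables 1 and 3 to a small hazard register and rank the entries for action, as an added example that is not part of the original booklet. The register entries are constructed; the handling of frequencies that sit exactly on a Table-1 boundary and the pairing of the Table-3 values Extreme/High/Moderate/Low with colours A to D are assumptions, and all function names are hypothetical.

```python
import math
from dataclasses import dataclass

# Table-1 as frequency bands in events per year: (lower bound, inclusive, rating).
# Assumption: a value on a shared boundary takes the more frequent rating.
LIKELIHOOD_BANDS = [
    (12.0, False, "A"),  # more than 1 event per month
    (1.0, False, "B"),   # more than 1 event per year
    (0.1, True, "C"),    # 1 event per 1 to 10 years
    (0.01, True, "D"),   # 1 event per 10 to 100 years
]                        # anything lower is "E" (less than 1 per 100 years)

SEVERITIES = ["Low", "Minor", "Moderate", "Major", "Critical"]  # Table-3 columns

RISK_MATRIX = {  # Table-3 rows, one value per severity column
    "A": ["High", "High", "Extreme", "Extreme", "Extreme"],
    "B": ["Moderate", "High", "High", "Extreme", "Extreme"],
    "C": ["Low", "Moderate", "High", "Extreme", "Extreme"],
    "D": ["Low", "Low", "Moderate", "High", "Extreme"],
    "E": ["Low", "Low", "Moderate", "High", "High"],
}

# Assumption: the four matrix values map, most severe first, to colours A-D.
RESPONSE = {
    "Extreme": "A (Red): immediate temporary controls, or stop the operation",
    "High": "B (Orange): remediation within about 90 days",
    "Moderate": "C (Yellow): resolution within about 18 months",
    "Low": "D (Green): resolve according to a schedule",
}
PRIORITY = list(RESPONSE)  # most urgent first


@dataclass(frozen=True)
class Hazard:
    name: str
    events_per_year: float
    severity: str


# Constructed register for a hypothetical plant.
REGISTER = [
    Hazard("trips and falls", 52, "Low"),
    Hazard("pressure vessel failure", 0.1, "Major"),
    Hazard("small ammonia leak", 2, "Minor"),
    Hazard("flange gasket weep", 0.05, "Low"),
    Hazard("lightning strike on storage tank", 0.005, "Moderate"),
]


def likelihood_rating(events_per_year):
    """Map an event frequency to the Table-1 rating A-E."""
    if not math.isfinite(events_per_year) or events_per_year < 0:
        raise ValueError(f"invalid frequency: {events_per_year!r}")
    for lower, inclusive, rating in LIKELIHOOD_BANDS:
        if events_per_year > lower or (inclusive and events_per_year == lower):
            return rating
    return "E"


def risk_level(rating, severity):
    """Look up the Table-3 cell for a likelihood rating and a severity."""
    if rating not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating: {rating!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity!r}")
    return RISK_MATRIX[rating][SEVERITIES.index(severity)]


def prioritise(register):
    """Return (name, rating, level, response) rows, most urgent first.
    Hazards with the same level keep their register order."""
    rows = []
    for hazard in register:
        rating = likelihood_rating(hazard.events_per_year)
        level = risk_level(rating, hazard.severity)
        rows.append((hazard.name, rating, level, RESPONSE[level]))
    return sorted(rows, key=lambda row: PRIORITY.index(row[2]))


if __name__ == "__main__":
    for name, rating, level, response in prioritise(REGISTER):
        print(f"{level:<8} {rating}  {name}: {response}")
```

The once-in-ten-years vessel failure outranks the weekly trips and falls because its severity column dominates, which is the ordering Step 2 of the risk assessment process asks for when it says to deal with the highest priority risks first.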

Risk Categories

Five types of risk categories have been identified:

(i) People
- Failure of staff to comply with the procedures, whether with the intention to commit fraud or through oversight or negligence.
- Non-familiarity of staff with the set guidelines and procedures.

(ii) Process
- Process failure.
- Inadequate controls in the operational processes.

(iii) System
- Failure of application system to meet user requirements.
- Absence of in-built control measures in the application system.

(iv) Management failure
- Failure of overall management system in absence of policies.
- Failure of overall management in absence of availability of finances.

(v) External Party / Event
- Imposition/changes of policies by government regulatory bodies.
- Unsatisfactory/non-performance by out-sourced service providers.

6. Risk Management

Risk analysis, evaluation and reduction/control are integrated components of risk management. Fig-6 shows a protocol of risk management. Risk evaluation must be repeated until the risk comes to the acceptable level.

Risk can be judged qualitatively and quantitatively.

(A) Evaluation of risk

It should be clear that no unique measure of risk exists. Many such measures have been proposed and are currently in use, each providing a different view on a particular situation. The main types of risks are:

- Risk to personnel and public safety and health,
- Risk to the environment,
- Risk to economic concerns (costs and profits).

Regarding safety, health, and environment (SHE) aspects, several generally accepted definitions and methods already exist.

Fig-6 Risk management

Risk management

Risk assessment

Risk analysis

-Scop definition-Hazard identification-Risk estimation

Risk reduction/control

-Decision making-Implementation-Monitoring

Risk evaluation

-Risk tolerability decisions-Analysis of options


The instructions were that the risk must never be in the 'intolerable' range. High risk scenarios are 'tolerable', but every effort must be made to reduce them to the 'broadly tolerable' level.

(B) Risk Management Guidance

Fig-7 illustrates the steps involved in risk reduction to an acceptable level and has the following vital components when risk is above the acceptable level. The treatment options include:

Avoid the risk by deciding not to proceed with the project or activity. This may only occur within legislative requirements and business agreements.

Reduce the likelihood of the occurrence, by review of engineering modifications, contract conditions, supervision, technical controls, compliance programs, procedure manuals, quality control manuals, training, etc.

Reduce the consequence of the occurrence, e.g. contingency planning, fraud control planning, relocation of an activity or operation, etc.

Transfer the risk to another party, e.g. use of contracts, insurance, partnerships, etc.

(C) Risk reduction at source of the hazard

a. Elimination - Getting rid of a hazardous job, tool, process, machine or substance is perhaps the best way of protecting workers. For example, a salvage firm might decide to stop buying and cutting up scrapped bulk fuel tanks due to explosion hazards.

Fig-7 Risk management guidance
[Figure: flowchart headed "Steps", with boxes labelled Avoid hazards; Reduce severity; Reduce likelihood; Apply passive safeguards; Apply active safeguards; Apply procedural safeguards; Consider hazards until goals are met (Yes/No decision, with a Review loop); Stop.]


b. Substitution - Sometimes doing the same work in a less hazardous way is possible. For example, a hazardous chemical can be replaced with a less hazardous one. Controls must protect workers from any new hazards that are created.

c. Engineering modifications

Redesign - Jobs and processes can be reworked to make them safer. For example, containers can be made easier to hold and lift.

Isolation - If a hazard cannot be eliminated or replaced, it can sometimes be isolated, contained or otherwise kept away from workers. For example, an insulated and air-conditioned control room can protect operators from a toxic chemical.

Automation - Dangerous processes can be automated or mechanised. For example, computer-controlled robots can handle spot welding operations in car plants. Care must be taken to protect workers from robotic hazards.

Barriers - A hazard can be blocked before it reaches workers. For example, special curtains can prevent eye injuries from welding arc radiation. Proper equipment guarding will protect workers from contacting moving parts.

Absorption - Baffles can block or absorb noise. Lockout systems can isolate energy sources during repair and maintenance. Usually, the further a control keeps a hazard away from workers, the more effective it is.

Dilution - Some hazards can be diluted or dissipated. For example, ventilation systems can dilute toxic gases before they reach operators.

d. Administrative controls

Safe work procedures - Workers can be required to use standardised safety practices. The employer is expected to ensure that workers follow these practices. Work procedures must be periodically reviewed with workers and updated.

Supervision and training - Initial training on safe work procedures and refresher training should be offered. Appropriate supervision should assist workers in identifying possible hazards and evaluating work procedures.

Job rotations and other procedures can reduce the time the workers are exposed to a hazard. For example, workers can be rotated through jobs requiring repetitive tendon and muscle movements to prevent cumulative trauma injuries. Noisy processes can be scheduled when no one is in the workplace.

Housekeeping, repair and maintenance programs - Housekeeping includes cleaning, waste disposal and spill cleanup. Tools, equipment and machinery are less likely to cause injury if they are kept clean and well maintained.

Hygiene - Hygiene practices can reduce the risk of toxic materials being absorbed by workers or carried home to their families. Street clothing should be kept in separate lockers to avoid being contaminated by work clothing. Eating areas must be segregated from toxic hazards. Eating should be forbidden in toxic work areas. Where applicable, workers should be required to shower and change clothes at the end of the shift.


e. Risk Transfer

Risk transfer can be undertaken by obtaining indemnities from other parties for loss suffered by the industry.

f. Monitor and Review

Monitor and review the effectiveness and performance of the risk treatment options, strategies and the management system and changes which might affect it. Each step undertaken should be documented to enable effective monitoring and review. Risks and the effectiveness of treatment measures need to be monitored to ensure changing circumstances do not alter the risk priorities. Identification, assessment, and treatments must be reviewed to ensure the risks remain relevant and continue to be managed and that any new or emerging risks are identified and managed. If risk is not found to be reduced, then review the steps from ‘a’ to ‘e’ as discussed above.

g. Risk Audits

A rolling series of continuous self and third party audits and safety inspections, using checklists, analysis and positive feedback should be encouraged and must be a part of company policy.

h. Communicate and consult

Communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole. A communication plan should be developed for internal and external stakeholders early in the planning process. Communication should be a two-way process involving consultation.

Management is responsible for identifying the existence of risk and undertaking the business of the company in a manner which ensures appropriate management of those risks.

i. Performance Indicators

The following are suggestive indicators:
- No severe insurable loss to disrupt the financial position.
- Risk management to be included in the business planning function.
- All new projects to be assessed for risk in accordance with these guidelines prior to initiation.
- Annual assessment of risks to be recorded and acted upon as detailed in the annual Risk Management and Audit Plan.
- No revenue loss or significant event to disrupt the company activity through improper conduct by staff.


7. Application of risk assessment

The risk assessment and management process is applied to future developmental processes and is recommended for future land-use planning and other developmental activities. A widely accepted model is suggested in Fig-8 so that damage in case of any accident or disaster can be minimised.

The popular activities can be summarised according to risk as in Fig-9.

Fig-8 Allowable land uses
[Figure: land-use zones around a risk source, labelled: No other land use; Manufacturing, warehouses, open space (parkland, golf courses, etc.); Commercial, offices, low-density residential; All other uses including institutions, high-density residential, etc. Risk contours: 100 in a million (10^-4), 10 in a million (10^-5), 1 in a million (10^-6).]

Fig-9 Activities according to risk
[Figure: plot of frequency (log scale) against severity (log scale), with regions marked High risk and Low risk and three groups of activities: 1 - traffic accidents, occupational accidents, etc.; 2 - air traffic accident, railway accident, major industrial accident; 3 - nuclear accident, catastrophes.]

8. Chemical process hazard identification and risk analysis methods

8.1 Checklist

The checklist is generally a form for approval by various staff and management functions before a project can move from one stage to the next. It serves both as a means of communication and as a form of control and can highlight lack of basic information or a situation that requires a detailed evaluation. Checklists are qualitative in nature and limited to the experience base of the author of the checklist; hence, they should be audited and updated regularly. It is a widely used basic safety tool and can be applied at any stage of a project or plant development. Accordingly it is named as Process checklist, System checklist, Design checklist, etc. It can be applied at any stage of the project life cycle.

8.2 Safety Audit

It is an intensive plant inspection intended to identify the plant conditions or operating procedures that could lead to accidents or significant losses of life and property. It is used to ensure that the implemented safety / risk management programs meet the original expectations and standards. It is also called 'Safety review', 'Process review' and 'Loss prevention review'. In essence, safety audit is a critical appraisal of the effectiveness of the existing safety programme in a plant.

The review looks for major hazardous situations and brings out the areas that need improvement. The steps for the identification process are: a) Obtaining response from plant on a pre-audit questionnaire; b) Preparation of checklist, inspection and interview of plant personnel; and c) Preparation of safety audit report in the form of recommendations.

The results are qualitative in nature. While this technique is most commonly applied to operating plants, it is equally applicable to pilot plants, storage facilities or support functions. The periodicity of such studies depends on the risk involved in the process and the commitment of the management. In India the safety audit is done as per Indian Standard BIS IS 14489 (1998).

8.3 Hazard Indices

Hazard indices can be used for relative ranking of process plants from the point of view of their hazard potentials. The most well known techniques are the DOW fire and explosion index, the Mond fire, explosion and toxicity index, and the chemical exposure index. All these methods provide a direct and easy approach to a relative ranking of the risks in a process plant. The methods assign penalties and credits based on plant features. Penalties are assigned to process materials and conditions that can contribute to an accident. Credits are assigned to plant safety features that can mitigate the effects of an incident. These penalties and credits are combined to derive an index that is a relative ranking of the plant risk.

8.4 Preliminary Process Hazard Analysis

It is used during the conceptual, early development and early design phases of a plant. The method is intended for use only in the preliminary phase of plant development for cases where past experience provides little or no insight into potential safety problems, for example, a new plant with a new process. Early identification of most of the hazards could possibly result in effective saving in cost that could otherwise result from major plant redesigns if hazards are discovered at a later stage. It is very useful for 'site selection'. It does not preclude the need for further hazard assessment; instead it is a precursor to subsequent hazard analysis. Items for consideration consist of meticulous preparation of lists of hazards: a) Raw materials, intermediates, by-products, final products; b) Plant equipment (high pressure systems); c) Interface among system components (material interactions, fire); d) Environment (earthquake, vibration, extreme temperature); and e) Operations (tests, maintenance and emergency procedure) and safety equipment.

Example:

Toxic gas 'A' is one of the components used in the process; causes for the dangers:

a) The hazards due to storing the gas; b) Hazards from the excess gas after the use; c) Lines supplying the gas 'A'; and d) Leakage during the receipt of the gas, etc.

The effects of these causes can be:

a) Injury / fatality to persons inside the plant or nearby areas; b) Damage of property due to explosion; and c) Environmental impacts.

Safety measures / corrective actions provided to minimise the effect:

a) Whether less toxic material can be used; b) Minimising the inventory for the storage of the material; c) Procedure for safe storage of the gas with enclosure system; d) Provision of plant warning system; e) Training for operators; and f) Informing neighbouring localities about the toxic effect.

8.5 Failure Modes and Effects Analysis (FMEA)

The method is a tabulation of system / plant equipment, their failure modes and each failure mode's effect on the system / plant. It is a description of how equipment fails (open, close, on, off, leaks, etc.) and the potential effects of each failure mode. The technique is oriented towards equipment rather than process parameters. FMEA identifies single failure modes that either directly result in or contribute significantly to an important accident. Human / operator errors are generally not examined in an FMEA; however, the effects of a mal-operation are usually described by an equipment failure mode. The technique is not efficient for identifying combinations of equipment failures that lead to accidents. A multi-disciplinary team of professionals can perform FMEA.

FMEA has the following six main steps: a) Determining the level of resolution, b) Developing a consistent format, c) Defining the problem and the boundary conditions, d) Listing various failure modes, e) Listing the effects of each failure mode, and f) Completing the FMEA table.

The level of resolution depends on the requirement of the plant, namely 'plant level' or 'system level'; in other words, whether the study is for the whole plant, a portion of the plant, a particular system or an individual piece of equipment. The physical system boundaries can be indicated by marking the portion under study on the drawing and stating the operating conditions at the interface. Each item of equipment must be identified by a number so that two or more similar items can be distinguished, and a description of the equipment is required to give brief details about the process or system.

All the failure modes consistent with the equipment description are to be listed considering the equipment's normal operating conditions.

Examples of various failure modes of a normally operating pump are: a) Fails to open, fails to close when required, b) Transfers to a closed position, c) Valve body rupture, d) Leak of seal, and e) Leak of casing.

The effects of each failure mode are then listed. For example, the effects of the 'fails to open' condition for the pump are (a) loss of process fluid in a particular equipment, and (b) overheating of the equipment. The effect of a pump seal leak is a spill in the area of the pump; if the fluid is flammable a fire could be expected, and so on.

The analyst may also note the expected response of any applicable safety system that could mitigate the effect.

Example of the tabulated format may be:

Plant:    Date:    System:

[Table: FMEA worksheet columns: Item or Process Step; Potential Failure Mode; Potential Effect(s) of Failure; Severity; Potential Cause(s); Occurrence; Current Controls; Risk; Recommended Action; Responsibility and Target Date; "After" Action Taken; Severity; Occurrence; Risk; Accepted.]

8.6 Hazard and Operability Study (HAZOP)

The HAZOP study is made to identify hazards in a process plant and operability problems which could compromise the plant's ability to achieve design intent. The approach taken is to form a multi-disciplinary team that works to identify hazards by searching for deviations from design intents. The following terms are used in the analysis:

a) Intentions - Intention defines how the plant is expected to operate, b) Deviations - These are departures from intentions, c) Causes - These are reasons why deviation might occur, and d) Consequence - Results of deviations that might occur.

The method uses guidewords, which are used to quantify or qualify the intention in order to guide and stimulate the hazard identification process. The guidewords are used to generate deviations from the design intent. The team then identifies the cause and consequence of the deviations.

HAZOP guidewords and their meanings:

Guideword | Meaning
No | Negation of design intent
Less | Quantitative decrease
More | Quantitative increase
Part of | Qualitative decrease
As well as | Qualitative increase
Reverse | Logical opposite to intent
Other than | Complete substitution

The HAZOP study requires that the plant be examined for every line. The method applies all the guidewords in turn and the outcome is recorded for each deviation with its causes and consequences.

Example:

a) For a particular line; b) Taking any guideword, for example 'No'; c) Deviation in process parameters, namely flow / temperature; d) For each deviation, the causes for such deviations; e) Consequence, etc.; and f) Measures to rectify the root cause for deviation.

Fig-10 shows the overall HAZOP process:

Fig-10 HAZOP process
[Figure: inputs labelled Attitude; Preparation; Knowledge/experience; Management commitment; Meeting leadership; Team's HAZOP experience; Information for study (P&IDs, PFDs, SOPs, etc.). These feed the HAZOP team review, which produces a scenario table from the design intent (columns: Intention, Deviation, Consequence, Safeguards, Action), followed by Documentation and Follow-up: further evaluation of selected scenarios (e.g. using LOPA); management response to findings/recommendations; completion of action items; completion of actions to affected employees.]


8.7 What-if Analysis

What-if analysis is used to conduct a thorough and systematic examination of a process or operation by asking questions that begin with "What if". The questioning usually starts at the input to the process and follows the flow of the process. Alternatively the questions can centre on a particular consequence category, for example, personnel safety or public safety. The findings are usually accident event sequences. Effective application of the technique requires in-depth experience of plant operation.

Two types of boundaries that may be defined in a "What-if" study are: (a) Consequence category being investigated, and (b) Physical system boundary. The consequence categories are mainly: (a) public risk, (b) worker risk, and (c) economic risk, for a specific plant. The purpose of physical boundaries is to keep the investigating team focused on a particular portion of a plant in which the consequence of concern could occur. The typical information required for a What-if analysis is:

a) Operating conditions, physical and chemical properties of materials, equipment description; b) Plot plan; c) Process and instrumentation diagram of the plant including alarms, monitoring devices, gauges, etc.; d) Responsibilities and duties of the operating personnel, communication system, etc.; and e) Procedures for preventive maintenance, work permit system for hazardous jobs, and tackling emergency situations.

8.8 Fault Tree Analysis (FTA)

Essentially the fault tree is a graphical representation of the inter relationship between equipment failures and a specific accident. The equipment faults and failures that are described in a fault tree can be grouped into three classes, namely:

a) Primary faults and failures attributed to the equipment and not to any other external cause or condition.
b) Secondary faults and failures attributed to other external causes or conditions.
c) Command faults and failures attributed neither to the equipment nor to any external cause, but to some source of incorrect command.

There are the following steps in performing the fault tree analysis:

a) Problem definitions, b) Fault tree constructions, c) Fault tree solution (determining minimal cut sets) and minimal cut set ranking.


a. Problem Definition

This consists of: (a) defining accident event: top event of the fault tree analysis, (b) defining analysis boundary including un-allowed events, existing events, systems physical boundary, level of resolution, and other assumptions.

b. Fault Tree Construction

It begins with the top event and proceeds level by level using symbols, namely "Or", "And", etc., until all the fault events have been developed to their basic contributing causes.

c. Fault Tree Solution

The completed fault tree provides useful information by displaying the interactions of the equipment failures that could result in an accident. The matrix system of analysis gives the minimal cut sets, which are useful for ranking the ways in which accident may occur, and they allow quantification of the fault tree if appropriate failure data are available.

d. Minimal Cut Set Ranking

'Minimal cut set analysis' is a mathematical technique for manipulating the logical structure of a fault tree to identify all combinations of basic events that result in occurrence of the top event. The ranking of minimal cut sets is the final step of the fault tree analysis procedure. The combinations of basic events, called 'cut sets', are then reduced to identify the minimal cut sets, which contain the minimal sets of events necessary and sufficient to cause the top event. Ranking may be based on the number of basic events in a minimal cut set; for example, a one-event minimal cut set is more important than a two-event minimal cut set, and so on. This is because the chance of one event occurring is greater than that of two events occurring together. Moreover, human error is ranked at the top, then active equipment failure, then passive equipment failure.

In Fig-11 the causes B1, B2, B3, B4 and B5 are the basic events which can lead to the top event T, which is "No light in room on demand", and the mathematical expression for that top event is

T = G1 x G2 = (B1 + B2) x (B3 + B4 + B5) = B1B3 + B2B3 + B1B4 + B2B4 + B1B5 + B2B5 (6 minimal cut sets)


This indicates the occurrence of either of basic events B1 or B2 along with occurrence of any of the basic events B3, B4 & B5 would lead to top event T.

Fig-11 Fault tree for no light in room on demand
[Figure: top event T "No light in room on demand" is an And gate over G1 "No natural light" and G2 "No artificial light". G1 is an Or gate over B1 "Night time, no light" and B2 "Heavy cloud cover". G2 is an Or gate over B3 "No power supply", B4 "Light bulb failure" and B5 "Fault in electric circuit".]
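The minimal cut set procedure of section 8.8, worked for the Fig-11 tree as an added example (not part of the original document). The gate table is transcribed from the expression T = G1 x G2; SHARED_TREE and the probabilities in CONSTRUCTED_P are constructed for illustration, and basic events are assumed to be independent.

```python
from itertools import product
from math import prod

# Fig-11 fault tree: node -> (gate, children). Unlisted names are basic events.
FIG11_TREE = {
    "T": ("AND", ["G1", "G2"]),        # No light in room on demand
    "G1": ("OR", ["B1", "B2"]),        # No natural light
    "G2": ("OR", ["B3", "B4", "B5"]),  # No artificial light
}

# Constructed tree: basic event A feeds both gates, so plain expansion
# produces non-minimal cut sets that have to be absorbed.
SHARED_TREE = {
    "T": ("AND", ["G1", "G2"]),
    "G1": ("OR", ["A", "B"]),
    "G2": ("OR", ["A", "C"]),
}

# Constructed probabilities of each basic event (not from the document).
CONSTRUCTED_P = {"B1": 0.5, "B2": 0.1, "B3": 0.01, "B4": 0.02, "B5": 0.005}


def cut_sets(tree, node):
    """Expand the tree top-down into cut sets (frozensets of basic events)."""
    if node not in tree:                      # basic event
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [cut_sets(tree, child) for child in children]
    if gate == "OR":                          # any child alone is sufficient
        return set().union(*child_sets)
    if gate == "AND":                         # one cut set from every child
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type {gate!r} at {node!r}")


def minimal_cut_sets(tree, top="T"):
    """Absorb supersets, then rank: fewer basic events means higher rank."""
    sets = cut_sets(tree, top)
    minimal = {s for s in sets if not any(other < s for other in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_event_probability(mcs, p):
    """Exact P(top event): sum over every state of the basic events in
    which at least one minimal cut set has fully occurred."""
    events = sorted(p)
    total = 0.0
    for state in product([False, True], repeat=len(events)):
        occurred = {e for e, on in zip(events, state) if on}
        if any(cs <= occurred for cs in mcs):
            total += prod(p[e] if on else 1.0 - p[e]
                          for e, on in zip(events, state))
    return total


def rare_event_bound(mcs, p):
    """Upper bound on P(top event): sum of the cut set probabilities."""
    return sum(prod(p[e] for e in cs) for cs in mcs)


if __name__ == "__main__":
    mcs = minimal_cut_sets(FIG11_TREE)
    print("Fig-11 minimal cut sets:", [sorted(cs) for cs in mcs])
    print("Shared-event tree:", [sorted(cs) for cs in minimal_cut_sets(SHARED_TREE)])
    print("P(T) exact:", top_event_probability(mcs, CONSTRUCTED_P))
    print("P(T) upper bound:", rare_event_bound(mcs, CONSTRUCTED_P))
```

For the constructed tree the expansion gives A, AB, AC and BC; absorption leaves A and BC, and the single-event cut set A ranks first.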


8.9 Event Tree Analysis (ETA)

ETA is a forward-thinking process: it begins with an initiating event and develops the following sequences of events that describe potential accidents, accounting for (i) successes and (ii) failures of the available "safety function" as the accident progresses. The "safety function" includes operator response or safety system response to the initiating event. The general procedure for event tree analysis has four major steps:

a) Identifying an initiating event of interest, b) Identifying safety functions designed to deal with the initiating event, c) Construction of the event tree, and d) Results of accident event sequence.

Example:

In Fig-12 the escape of a person in a workplace is shown along with the smoke detector, sprinkler system, alarm and exit. The event trees are constructed for qualitative and quantitative assessment of the proper functioning of fire detection, alarm function, sprinkler system working, etc.

An event tree can be helpful in assessing the consequences of an event if the protection systems are not working.

9. Risk Criteria in some countries

Authority and Application | Maximum Tolerable Risk (Per Year) | Negligible Risk (Per Year)
VROM, The Netherlands (new) | 1.0E-6 | 1.0E-8
VROM, The Netherlands (existing) | 1.0E-5 | 1.0E-8
HSE, UK (existing hazardous industry) | 1.0E-4 | 1.0E-6
HSE, UK (new nuclear power station) | 1.0E-5 | 1.0E-6
HSE, UK (substance transport) | 1.0E-4 | 1.0E-6
HSE, UK (new housing near plants) | 3 x 1.0E-6 | 3 x 1.0E-7
Hong Kong Government (new plants) | 1.0E-5 | Not used


Fig-12 Event tree for a fire
[Figure: illustration labelled Fire, Smoke detector, Alarm, Sprinkler system and Exit, with two event trees for the initiating event "Fire starts" (Y = yes, N = no). First tree: branch questions "Fire detected?", "Fire alarm works?", "Sprinkler works?"; resultant events: Limited damage; Limited damage, wet people; Extensive damage, people escape; Possible fatalities, extensive damage. Second tree: branch questions "Fire spreads quickly?", "Sprinkler fails to work?", "People cannot escape?"; resultant events for scenarios 1 to 4: Loss/damage; Fire contained; Fire controlled; Multiple fatalities; branch probabilities shown: P=0.5, P=0.5, P=0.3, P=0.7, P=0.1, P=0.9.]
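An added example (not from the original document) that enumerates the accident sequences of an event tree like the second tree of Fig-12, as described in section 8.9, and re-evaluates it with a protection system out of service. The assignment of outcomes to branches, the use of the figure's values 0.5, 0.3 and 0.1 as the "yes" probabilities, and the initiating frequency are assumptions, because the figure's layout did not survive.

```python
# A node is (question, P(yes), subtree if yes, subtree if no);
# a leaf is the name of the resultant event.
FIRE_TREE = (
    "Fire spreads quickly?", 0.5,
    ("Sprinkler fails to work?", 0.3,
     ("People cannot escape?", 0.1, "Multiple fatalities", "Loss/damage"),
     "Fire controlled"),
    "Fire contained",
)

# Constructed initiating-event frequency: fires per year (not from the document).
FIRES_PER_YEAR = 0.01


def sequences(node, path=(), prob=1.0):
    """Yield (path, resultant event, probability) for every accident sequence."""
    if isinstance(node, str):
        yield path, node, prob
        return
    question, p_yes, on_yes, on_no = node
    if not 0.0 <= p_yes <= 1.0:
        raise ValueError(f"branch probability out of range at {question!r}")
    yield from sequences(on_yes, path + ((question, "Y"),), prob * p_yes)
    yield from sequences(on_no, path + ((question, "N"),), prob * (1.0 - p_yes))


def outcome_frequencies(tree, initiating_frequency):
    """Frequency per year of each resultant event, summed over its sequences."""
    totals = {}
    for _, outcome, prob in sequences(tree):
        totals[outcome] = totals.get(outcome, 0.0) + initiating_frequency * prob
    return totals


def with_branch_probability(node, question, p_yes):
    """Copy of the tree with one question's P(yes) replaced, e.g. set to 1.0
    to model a protection system that is not working."""
    if isinstance(node, str):
        return node
    q, p, on_yes, on_no = node
    return (q, p_yes if q == question else p,
            with_branch_probability(on_yes, question, p_yes),
            with_branch_probability(on_no, question, p_yes))


if __name__ == "__main__":
    for path, outcome, prob in sequences(FIRE_TREE):
        answers = " / ".join(f"{q} {a}" for q, a in path)
        print(f"{prob:6.3f}  {outcome:20s} {answers}")
    print("Nominal:", outcome_frequencies(FIRE_TREE, FIRES_PER_YEAR))
    no_sprinkler = with_branch_probability(FIRE_TREE, "Sprinkler fails to work?", 1.0)
    print("Sprinkler out of service:", outcome_frequencies(no_sprinkler, FIRES_PER_YEAR))
```

The sequence probabilities always sum to 1, which is a quick check that no branch of the tree has been left out.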


Annexure 1
Plant stages vis-a-vis hazard identification and hazard analysis techniques

Sl. No. | Project Stage | Hazard Identification / Hazard Analysis Techniques
1 | Pre-design | a) Hazard indices; b) Preliminary hazard analysis; c) What-if analysis; d) Checklists
2 | Design / modification | a) Process design checks and use of checklist; b) HAZOP studies; c) Failure modes and effects analysis; d) What-if analysis; e) Fault tree analysis; f) Event tree analysis
3 | Construction | a) Checklist; b) What-if analysis
4 | Commissioning | a) Checklist; b) Plant safety audits; c) What-if analysis
5 | Operation and maintenance | a) Plant safety audits; b) What-if analysis; c) Checklist
6 | Decommissioning / shutdown | a) Checklist; b) What-if analysis


10. Glossary

Control: An existing process, policy, device or practice that acts to minimise negative risk or enhance positive opportunities.

Control assessment: Systematic review of processes to ensure that controls are still effective and appropriate.

Event: Occurrence of a particular set of circumstances.

Frequency: A measure of the number of occurrences per unit of time.

Hazard: A source of potential harm or a situation with a potential to cause loss.

Consequence: Outcome or impact of an event.

Likelihood: A general description of probability or frequency.

Loss: Any negative consequence or adverse effect, financial or otherwise.

Monitor: To check, supervise, or record the progress of an activity or system on a regular basis to identify change.

Residual risk: The remaining level of risk after risk treatment measures have been taken.

Risk: The chance of something happening that will have an impact upon the Department's objectives. It is measured in terms of likelihood and consequence.

Risk analysis: A systematic process to understand the nature of and to deduce the level of risk.

Risk criteria: Terms of reference by which significance of risk is assessed.

Risk evaluation: Process of comparing the level of risk against the risk criteria.

Risk identification: The process of determining what, where, when, why and how something could happen.

Risk management: The culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.

Risk management process: The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk reduction: Actions taken to lessen the likelihood, negative consequence, or both, associated with a risk.

Risk retention: Acceptance of the burden of loss, or benefit of gain, from a particular risk.

Risk transfer: Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to shifting a physical risk or part thereof elsewhere.

Risk treatment: Process of selection and implementation of measures to modify risk.

