Risk Assessment and Management
Theme Module - 11: Risk Assessment and Management

Contents
1. What is Risk?
2. Objective of risk assessment
3. Risk assessment process
4. Likelihood and consequences
4.1. Estimating likelihood and consequences
5. Risk Matrix
6. Risk Management
7. Application of risk assessment
8. Chemical process hazard identification and risk analysis methods
8.1. Checklist
8.2. Safety Audit
8.3. Hazard Indices
8.4. Preliminary Process Hazard Analysis
8.5. Job Safety Analysis
8.6. Failure Modes and Effects Analysis (FMEA)
8.7. Hazard and Operability Study (HAZOP)
8.8. What-if Analysis
8.9. Fault Tree Analysis (FTA)
8.10. Event Tree Analysis (ETA)
9. Risk Criteria in some countries
10. Glossary
11. References
Risk can be defined as the combination of the probability of an event and its consequences. In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk.
In the safety field, it is generally recognised that consequences are only negative and, therefore, the management of safety risk is focused on prevention and mitigation of harm.
1. What is Risk?
Risk is the likelihood that a harmful consequence (death, injury, loss or illness) might result from exposure to a hazard. It is represented as:
Risk = consequence of impact x probability of occurrence
A consequence spectrum 'C' (or risk picture) of an activity is a list of all its possible potential consequences and the associated probabilities 'p' (e.g. per year). Usually only unwanted consequences are considered, and the total over all activities can be represented as:
Equation 1 shows that risk can never be zero, a truth not always grasped by the general public or the news media. Hazards are always present within all industrial facilities, they always have undesirable consequences, and their likelihood of occurrence is always finite. The consequence and likelihood terms can be reduced, but they can never be eliminated, as illustrated in Fig-1, in which both axes are approached asymptotically, i.e. they never reach zero. The only way to achieve a truly risk-free operation is to remove the hazards altogether (or, with respect to safety, to remove personnel from the site or stop the activity).
Fig-1 also shows that an inverse relationship generally exists between consequence and frequency. For example, a serious event such as the failure of a pressure vessel may occur only once every ten years, whereas simple trips and falls may occur weekly.
The total risk associated with a facility is obtained by calculating the risk value for each of the consequences, and then adding all the individual risk values together. The result of this exercise is sometimes plotted in an FN curve as shown in Fig-2 in which the ordinate represents the cumulative frequency (F) of fatalities or other serious events, and the abscissa represents the consequence term (usually expressed in terms of number of fatalities).
The values of F and N typically extend across several orders of magnitude. Both axes on an FN curve are logarithmic. (A more sophisticated analysis will actually have a family of curves with roughly the same shape as each other; the distribution of the curves represents the uncertainty associated with predicting the frequency of events.) The shape of the curve itself will vary according to the system being studied; frequently a straight line can be used.
The degree of risk will depend upon the amount of exposure to the hazard associated with the consequence of an event. For example, toxic chemicals are hazardous: they have the potential to harm health. But the level of risk depends on things such as: the population density; the wind direction with respect to human settlements at the time of the event; how much is present; how easily the toxic chemicals can interact with human bodies; how fast the toxicity depletes and how rapidly their potential for harm decreases; and how long some chemicals remain toxic (e.g. arsenic and lead are toxic forever).
Therefore, a drum of toxic waste is hazardous, whether it is in a well-regulated disposal facility, or in the living room. But the level of risk would be very different in these two cases. Risk can be understood better in Fig-3 with the support of associated activities.
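As an added worked example (not part of the module), the Python below builds a consequence spectrum of (frequency, fatalities) pairs, computes the total risk of Equation 1 and the FN curve described above, and fits the straight line on log-log axes that the text says can frequently be used. The spectrum values are constructed for illustration and are not data from any plant.

```python
"""Consequence spectrum, total risk and FN curve (added example, not from
the module). SPECTRUM is a constructed list of (frequency per year,
number of fatalities N) pairs chosen only to illustrate Section 1."""
import math
from typing import List, Tuple

Spectrum = List[Tuple[float, int]]

# Constructed consequence spectrum. Frequencies fall as severity rises,
# the inverse relationship the text describes for Fig-1.
SPECTRUM: Spectrum = [
    (1e-1, 1),    # single fatal fall: roughly once in ten years
    (1e-2, 3),    # small fire with a few fatalities
    (1e-3, 10),   # pressure-vessel failure
    (1e-5, 100),  # large toxic release reaching the neighbourhood
]


def total_risk(spectrum: Spectrum) -> float:
    """Sum of (consequence x probability) over every unwanted consequence.

    The result is expected fatalities per year. It stays strictly positive
    as long as any hazard keeps a non-zero frequency, which is the point
    made about Equation 1: risk can be reduced but never reaches zero.
    """
    return sum(freq * n for freq, n in spectrum)


def fn_curve(spectrum: Spectrum) -> List[Tuple[int, float]]:
    """Cumulative frequency F(N) of events causing N or more fatalities.

    Returns (N, F) points sorted by N. Each F adds up the frequencies of
    all consequences at least as severe as N, so the curve is
    non-increasing by construction.
    """
    sizes = sorted({n for _, n in spectrum})
    return [(n, sum(f for f, m in spectrum if m >= n)) for n in sizes]


def is_non_increasing(points: List[Tuple[int, float]]) -> bool:
    """Sanity check on an FN curve: F must not grow as N grows."""
    return all(prev[1] >= nxt[1] for prev, nxt in zip(points, points[1:]))


def loglog_slope(points: List[Tuple[int, float]]) -> float:
    """Least-squares slope of log10(F) against log10(N).

    Both FN axes are logarithmic, so a straight line on the plot is a
    power law; the slope says how steeply frequency falls with severity.
    """
    pos = [(n, f) for n, f in points if n > 0 and f > 0]
    if len(pos) < 2:
        raise ValueError("need at least two positive (N, F) points")
    xs = [math.log10(n) for n, _ in pos]
    ys = [math.log10(f) for _, f in pos]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all points share the same N")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def reduce_frequency(spectrum: Spectrum, factor: float) -> Spectrum:
    """Model a safeguard that divides every event frequency by `factor`.

    Total risk falls in proportion, but every frequency stays finite: the
    axes of Fig-1 are approached asymptotically, never reached.
    """
    if factor <= 0:
        raise ValueError("factor must be positive")
    return [(f / factor, n) for f, n in spectrum]


if __name__ == "__main__":
    print("total risk: %.4f fatalities/year" % total_risk(SPECTRUM))
    for n, f in fn_curve(SPECTRUM):
        print("N >= %3d : F = %.2e per year" % (n, f))
    print("log-log slope: %.2f" % loglog_slope(fn_curve(SPECTRUM)))
    print("after 10x safeguard: %.4f fatalities/year"
          % total_risk(reduce_frequency(SPECTRUM, 10)))
```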
2. Objective of risk assessment
The purpose of a risk assessment is to determine:
- whether there is any likelihood of a potentially hazardous situation causing death, injury, illness or disease to people in the workplace and the neighbouring environment;
- how severe that risk is; and
- whether the risk needs to be controlled and how urgently.
After assessing or evaluating the identified risks, the next steps are to:
- determine which ones are the most serious (i.e. those with the greatest likelihood and most severe consequences); and
- plan the actions needed to control the risks in order of priority, from the most serious to the least serious risks to life, property and environment.
Objectives of the systematic risk assessment may include:
- identification of all possible major accident scenarios;
- identification of potential knock-on effects to and from adjoining plants on-site and off-site ("domino effects");
- gaining a thorough understanding of the nature, causes, likelihood and consequences of these scenarios and communicating these to the facility employees;
- assessing the risks from potential major accidents against acceptable risk criteria;
- identification and reliability assessment of existing critical safety equipment and procedures;
- identification of possible risk reduction measures;
- evaluating, selecting and implementing all reasonable risk reduction measures to reduce the risk to a level that is as low as reasonably practicable (ALARP);
- identifying employee training needs;
- identifying the geographic area of the community to be consulted;
- identifying critical safety management system components;
- identifying critical emergency planning elements; and
- identifying monitoring points, performance criteria and suitable measurement techniques to provide timely warning of safeguard inadequacies.
Risk assessment is important and relevant to the whole life cycle of a processing project. The risk increases with the inception of a project and remains prominent during the operation of the plant. The risk starts reducing with the decommissioning of the plant. The whole concept can be shown through Fig-4.
The life span of a process industry comprises a number of stages from conceptual design to decommissioning. Each stage of a plant may have hazards, some general and some stage specific. Hazard identification and risk analysis techniques that may be applied at different stages of a plant are given in Annexure 1.
3. Risk Assessment Process
For risk assessment it is essential to:
- define the context, system and/or project. This is done with the help of the Process and Instrument Diagram (P and ID), chemistry, thermodynamics, operating procedures, etc.; and
- identify the activity/task/work area/personnel to be assessed.
The risk assessment process has the following five steps:
Step 1: Identification of all hazards by observing, inspecting, investigating, communicating, consulting and documenting all the hazards identified. Experience, checklists, PHA, What-if, HAZOP, FMEA, etc. are helpful here.
Step 2: Assessment of the risks of the identified hazards by:
- assessing and prioritising the risks;
- dealing with the highest priority risks first; and
- dealing with the lesser or least significant risks last.
Assessment of risk is possible by knowing the likelihood and the consequence of the hazardous events; tools such as fault tree/event tree analysis (for likelihood) and consequence modelling are applied respectively. Once the risk is known it is judged for acceptability: only if the risk is below or on a par with the acceptable level are further activities recommended. If the risk is above the acceptable level, the whole system is reviewed, appropriate control measures to reduce the risk are recommended, and only then are further activities carried on.
Step 3: Decision on measures to control the risks. Elimination of the risk is the best and preferred way. If elimination of the risk is not possible, select control measures in the following order of preference:
i. substitution;
ii. isolation by engineering means;
iii. minimisation by engineering means;
iv. application of administrative measures;
v. use of personal protective equipment (PPE); and, in addition, you may consider
vi. transfer of risk by insurance or by making strong partners.
Step 4: Implementation of appropriate control measures by:
- adequately controlling the risks;
- not creating other risks; and
- allowing workers to do their work without undue discomfort or stress.
Step 5: Monitor the control measures and review the process.
A: Monitor
- Have the control measures been implemented as intended?
- Are the control measures adequate?
- Did the implementation of control measures create other hazards or risks?
B: Review
- Has anything changed over time since the risk assessment process was implemented?
- Is the control of risks still adequate?
- Was the risk management process conducted effectively?
After review and monitoring, if the risk is acceptable the activity may be carried out; otherwise revise all five steps above and repeat until the risk is acceptable. Fig-5 shows the risk assessment process.
4. Likelihood and consequences
To assess the level of risk, the likelihood of an event occurring (will it happen or could it happen?) and the extent of the consequences that could result (if it does occur, how serious will the outcome be?) must be considered. Both factors are equally important in establishing the level of risk, and it does not matter which factor is considered first.
4.1 Estimating likelihood and consequences
When estimating the likelihood of occurrence of an event and the severity of the potential consequences, it is important for the person doing the risk assessment to refer to the following information:
- Past safety records, such as safety committee information.
- Incident statistics in the workplace or the whole industry.
- Practice and relevant experience in the organisation and in others in the industry.
- Manufacturer's data or information on proper use of machinery.
- Relevant published literature such as trade magazines, research articles, safety bulletins, etc.
- Market research such as industry development of new materials and equipment.
- The results of public consultation such as new public projects or institute information.
- Economic, engineering or other models such as Quality Assurance (QA), Total Quality Management (TQM) or safety culture.
- Specialist and expert judgements such as safety consultants or case law decisions.
- Other codes of practice (e.g. Manual Tasks and SOPs).
(A) Establishing likelihood
The likelihood of an event occurring will depend on both the probability and the frequency of exposure to a hazard. There may be a number of factors specific to the workplace that will influence the likelihood of an event occurring, such as:
- How, where and when people are exposed to the hazard.
- How exposure varies over time or by location.
- How people respond.
- How the climate influences the dispersion of the chemical.
- How the control system works.
- What the level of awareness is.
- What the ratio of old vs. young men/women is.
- Monitoring and enforcement of regulations.
Likelihood is also subject to the local geographical situation.
The following factors can affect the likelihood of an event or situation occurring:
- How often the task occurs: Generally, the more often the same critical task demands are repeated, the more likely an incident will occur. This includes the same or similar tasks occurring during the shift. For example, consider how often in a shift a worker carries a load, pushes a trolley or uses a vibrating hand tool.
- How many people are exposed: Generally, the greater the number of people exposed to the hazard, the more likely an incident will occur. For example, three shifts of workers in a 24-hour distribution centre, operating morning, evening and night shifts and carrying out wholesale order make-ups, could be exposed to manual task, noise and shiftwork hazards.
- Duration of exposure: Generally, the longer a person is exposed to the hazard, the more likely an incident will occur. For example, consider a manufacturing worker who is exposed to an accumulated total of eight hours of industrial noise over a 10-hour shift.
- Quantities of materials or multiple exposure points involved: For example, an incident (such as an explosion) is more likely to occur as a result of a small amount of flammable liquid, such as petrol, in a container which allows room for expanding gases than from a full container of the liquid with no room for expanding gases; an item of plant may have a number of places with exposed moving parts that could injure a worker.
- Position of the hazard relative to workers and to other hazards: For example, workers working close to a noisy machine are more likely to suffer hearing loss than those working further away; certain chemicals, such as methylated spirits, may only represent a risk if they are located near a heat source.
- Skills and competence of persons exposed: Workers who are not trained in safe and efficient methods of work are more likely to be injured. For example, a worker who has not been trained in using a trolley may manually lift and carry loads over long distances; a worker who has not been trained in the safe operation of plant could increase the chance of human error leading to dangerous events and injury.
- Experience of persons exposed: For example, a worker with 20 years' experience is less likely to make the same mistake and cause an incident than a worker with only two months' experience. Adequate training and reasonable competence to do a task will reduce the likelihood of an incident.
- Any special characteristics of the people involved: For example, young workers have a lower level of maturity, which can increase the likelihood of them behaving in a way that is dangerous and risky. Further, young workers are still developing and are more likely to be injured when handling heavy loads due to their reduced capacities. Additionally, a pregnant woman and the developing foetus may be affected if exposed to chemicals, heavy loads or noise.
- Distractions: It is more likely that an incident will occur when a worker is not paying full attention to the task or their surroundings. For example, a worker listening to music through headphones increases the chance of being hit by vehicles at a construction site.
- Environmental conditions: For example, water in the vicinity of an electrical hazard.
- Repetition: When workers are consistently required to replicate tasks or components of tasks. For example, when a process task cycle is less than 30 seconds and is completed for more than one hour, or the process task cycle comprises more than 50 per cent of the total task time and is completed for more than one hour.
- Condition of equipment: The use of defective equipment is more likely to cause an incident. For example, a bench grinder whose tool rest is not adjusted for the wear of the abrasive wheel is more likely to cause an incident than one that is correctly adjusted.
The effectiveness of existing control measures can be judged by asking:
- Do the existing control measures represent good practice?
- Are the existing control measures preventing or minimising exposure to the risk?
- Do workers know about the existing control measures?
- Are the existing control measures being used or followed?
- Are there adequate systems or procedures in place in relation to the existing control measures?
- Is there adequate training and supervision in relation to the existing control measures?
- Is there adequate maintenance in relation to the existing control measures?
- Are the existing control measures easy to use and follow?
Table-1 provides information about the determination of likelihood.
(B) Establishing consequences
The severity or range of the potential consequences resulting from an incident can be determined by a number of factors, such as:
- How much harm the hazard could do.
- How many people it could affect.
- Whether the harm would be short or long term.
The following factors can affect the severity of consequences when an event or situation happens (see also ThemeModule-12 "Consequence Analysis: A Vital Need for Emergency Planning"):
- Potential for 'chain reaction': Where a hazard, if not eliminated, may evolve and compound into an even more dangerous situation.
- Concentrations of substances: For example, a minor injury might result from a diluted chemical, while a fatality might result from a concentrated form of the same chemical.
- Volumes of materials: For example, the potential consequences of a leak of a small amount of a particular chemical, such as ammonia, into the workplace may be relatively minor compared with the potential consequences of the release of a large amount of the same chemical.
- Speeds of projectiles and moving parts: Generally, the greater the speed at which a projectile or part is moving, the more severe the consequences of injury.
- Heights: The force with which a falling object hits a person (and hence the potential injury) will generally increase with the distance it falls. Similarly, a person will generally sustain greater injuries if falling from a greater height.
- Position of the workers relative to the hazard: For example, workers working close to a noisy machine are likely to incur greater hearing damage than those working further away.
- Weights: For example, a worker will generally sustain a more severe injury from lifting material in 50 kg packages than from lifting the same material packaged in 30 kg lots.
- Forces and energy levels: For example, the higher the voltage of electricity and the possibility of a high current flowing through a person, the more severe the consequences are likely to be.
Table-2 shows the determination of consequence.

5. Risk Matrix
Having determined consequence and frequency values for a particular hazard, the overall risk is determined using a third matrix such as that shown in Table 3, which shows four levels of risk.
The risk values will usually line up diagonally, with all the values in any one diagonal being the same. The meaning of the four colours in Table 3 is as follows:
A (Red) Very High: This level of risk requires prompt action; money is no object, and doing nothing is not an option. An 'A' risk is urgent. On an operating facility, management must implement Immediate Temporary Controls (ITC) while long-term solutions are being investigated. If effective ITCs cannot be found, then the operation must be stopped. During the design phases of a project, immediate corrective action must be taken in response to an 'A' finding, regardless of the impact on the schedule and budget.
B (Orange) High: Risk must be reduced, but there is time to conduct more detailed analysis and investigations. Remediation is expected within, say, 90 days. If the resolution is expected to take longer than this, an ITC must be put in place.
C (Yellow) Moderate: The risk is significant. However, cost considerations can be factored into the final action taken, as can normal scheduling constraints such as the availability of spare parts or the timing of plant turnarounds. Resolution of the finding must occur within, say, 18 months. An ITC may or may not be required.
D (Green) Low: Requires action but is of low importance. In spite of their low risk ranking, 'D' level risks must be resolved and recommendations implemented according to a schedule; they cannot be ignored. (Alternatively, some companies do allow very low-ranked risk findings to be ignored on the grounds that they are within the bounds of ALARP.)
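The following is an added example (not part of the module) that turns the four-level matrix above and the Step 2 rule of dealing with the highest-priority risks first into code. Table 3 is not reproduced on the page, so the 5x5 matrix used here is an assumed one that keeps the stated property that risk values line up diagonally; the hazard register is constructed for illustration.

```python
"""Risk-matrix ranking and prioritisation of a hazard register (added
example, not from the module). rank_risk() is an assumed Table-3 lookup:
the level depends only on likelihood rank + consequence rank, so every
cell on one diagonal carries the same level, as the text states. The
A-D actions follow Section 5; REGISTER is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Colour and descriptor of each level, as given in Section 5.
LEVELS = {"A": ("Red", "Very High"), "B": ("Orange", "High"),
          "C": ("Yellow", "Moderate"), "D": ("Green", "Low")}
PRIORITY = {"A": 0, "B": 1, "C": 2, "D": 3}


def rank_risk(likelihood: int, consequence: int) -> str:
    """Assumed matrix. Ranks run 1 (rare / negligible) to 5 (almost
    certain / catastrophic). Only the sum matters, hence the diagonals."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence ranks must be 1..5")
    score = likelihood + consequence
    if score >= 9:
        return "A"
    if score >= 7:
        return "B"
    if score >= 5:
        return "C"
    return "D"


@dataclass
class Hazard:
    name: str
    likelihood: int
    consequence: int
    planned_fix_days: int     # expected time to implement the long-term fix
    operating: bool = True    # False while the plant is still in design


@dataclass
class Decision:
    level: str
    deadline: str
    itc_required: Optional[bool]  # None: judged case by case (level C)
    stop_operation: bool


def decide(h: Hazard, itc_available: bool = True) -> Decision:
    """Map a ranked hazard to the action Section 5 prescribes."""
    level = rank_risk(h.likelihood, h.consequence)
    if level == "A":
        # Urgent. On an operating facility an Immediate Temporary Control
        # is mandatory and the operation stops if none can be found; in
        # design, immediate correction regardless of schedule and budget.
        return Decision("A", "immediate", h.operating,
                        h.operating and not itc_available)
    if level == "B":
        # Time for more detailed analysis, but an ITC is needed when the
        # long-term fix will overrun the 90-day window.
        return Decision("B", "90 days", h.planned_fix_days > 90, False)
    if level == "C":
        return Decision("C", "18 months", None, False)
    return Decision("D", "per schedule", False, False)


def prioritise(register: List[Hazard]) -> List[Hazard]:
    """Step 2 of the process: highest-priority risks first. Ties within a
    level are broken by consequence, then likelihood."""
    return sorted(register, key=lambda h: (
        PRIORITY[rank_risk(h.likelihood, h.consequence)],
        -h.consequence, -h.likelihood))


# Constructed hazard register for a notional plant.
REGISTER = [
    Hazard("Slip on wet floor", likelihood=5, consequence=1, planned_fix_days=14),
    Hazard("Vessel overpressure", likelihood=2, consequence=5, planned_fix_days=120),
    Hazard("Hand tool nick", likelihood=2, consequence=1, planned_fix_days=30),
    Hazard("Ammonia release", likelihood=4, consequence=5, planned_fix_days=60),
    Hazard("Forklift strike", likelihood=3, consequence=3, planned_fix_days=200),
]

if __name__ == "__main__":
    for h in prioritise(REGISTER):
        d = decide(h)
        print(f"{d.level} {LEVELS[d.level][0]:6} {h.name:20} "
              f"deadline={d.deadline} ITC={d.itc_required} stop={d.stop_operation}")
```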
Risk Categories
Five risk categories have been identified:
i. People
- Failure of staff to comply with the procedures, whether with the intention to commit fraud, through oversight or through negligence.
- Non-familiarity of staff with the set guidelines and procedures.
ii. Process
- Process failure.
- Inadequate controls in the operational processes.
iii. System
- Failure of the application system to meet user requirements.
- Absence of in-built control measures in the application system.
iv. Management failure
- Failure of the overall management system in the absence of policies.
- Failure of overall management in the absence of finances.
v. External Party / Event
- Imposition of, or changes to, policies by government regulatory bodies.
- Unsatisfactory performance or non-performance by outsourced service providers.
- Intended damage to plant (e.g. terrorist act).
- Force of nature (e.g. flooding).
6. Risk Management
Risk analysis, evaluation and reduction/control are integrated components of risk management. Fig-6 shows a protocol of risk management. Risk evaluation must be repeated until the risk comes down to the acceptable level. Risk can be judged qualitatively and quantitatively.
(A) Evaluation of risk
It should be clear that no unique measure of risk exists. Many such measures have been proposed and are currently in use, each providing a different view on a particular situation. The main types of risk are:
- Risk to personnel and public safety and health;
- Risk to the environment; and
- Risk to economic concerns (costs and profits).
Regarding safety, health and environment (SHE) aspects, several generally accepted definitions and methods already exist.
The instructions were that the risk must never be in the 'intolerable' range. High risk scenarios are 'tolerable', but every effort must be made to reduce them to the 'broadly tolerable' (or acceptable) level.
(B) Risk Management Guidance
Fig-7 illustrates the steps involved in risk reduction to an acceptable level. When the risk is above the acceptable level, the treatment options include:
- Avoid the risk by deciding not to proceed with the project or activity. This may only occur within legislative requirements and business agreements.
- Reduce the likelihood of the occurrence, by review of engineering modifications, contract conditions, supervision, technical controls, compliance programs, procedure manuals, quality control manuals, training, etc.
- Reduce the consequence of the occurrence, e.g. contingency planning, fraud control planning, relocation of an activity or operation, etc.
- Transfer the risk to another party, e.g. by use of contracts, insurance, partnerships, etc.
(C) Risk reduction at source of the hazard
a. Elimination - Getting rid of a hazardous job, tool, process, machine or substance is perhaps the best way of protecting workers. For example, a salvage firm might decide to stop buying and cutting up scrapped bulk fuel tanks due to explosion hazards.
b. Substitution - Sometimes doing the same work in a less hazardous way is possible. For example, a hazardous chemical can be replaced with a less hazardous one. Controls must protect workers from any new hazards that are created.
c. Engineering modifications
- Redesign - Jobs and processes can be reworked to make them safer. For example, containers can be made easier to hold and lift.
- Isolation - If a hazard cannot be eliminated or replaced, it can sometimes be isolated, contained or otherwise kept away from workers. For example, an insulated and air-conditioned control room can protect operators from a toxic chemical.
- Automation - Dangerous processes can be automated or mechanised. For example, computer-controlled robots can handle spot welding operations in car plants. Care must be taken to protect workers from robotic hazards.
- Barriers - A hazard can be blocked before it reaches workers. For example, special curtains can prevent eye injuries from welding arc radiation. Proper equipment guarding will protect workers from contacting moving parts. Lockout systems can isolate energy sources during repair and maintenance. Usually, the further a control keeps a hazard away from workers, the more effective it is.
- Absorption - Baffles can block or absorb noise.
- Dilution - Some hazards can be diluted or dissipated. For example, ventilation systems can dilute toxic gases before they reach operators.
d. Administrative controls
- Safe work procedures - Workers can be required to use standardised safety practices. The employer is expected to ensure that workers follow these practices. Work procedures must be periodically reviewed with workers and updated.
- Supervision and training - Initial training on safe work procedures and refresher training should be offered, with appropriate supervision to assist workers in identifying possible hazards and evaluating work procedures.
- Job rotations and other procedures can reduce the time the workers are exposed to a hazard. For example, workers can be rotated through jobs requiring repetitive tendon and muscle movements to prevent cumulative trauma injuries. Noisy processes can be scheduled when no one is in the workplace.
- Housekeeping, repair and maintenance programs - Housekeeping includes cleaning, waste disposal and spill cleanup. Tools, equipment and machinery are less likely to cause injury if they are kept clean and well maintained.
- Hygiene - Hygiene practices can reduce the risk of toxic materials being absorbed by workers or carried home to their families. Street clothing should be kept in separate lockers to avoid being contaminated by work clothing. Eating areas must be segregated from toxic hazards. Eating should be forbidden in toxic work areas. Where applicable, workers should be required to shower and change clothes at the end of the shift.
e. Risk Transfer - Risk transfer can be undertaken by obtaining indemnities from other parties for loss suffered by the industry.
f. Monitor and Review - Monitor and review the effectiveness and performance of the risk treatment options, strategies and the management system, and changes which might affect it. Each step undertaken should be documented to enable effective monitoring and review. Risks and the effectiveness of treatment measures need to be monitored to ensure changing circumstances do not alter the risk priorities. Identification, assessment and treatments must be reviewed to ensure the risks remain relevant and continue to be managed, and that any new or emerging risks are identified and managed. If the risk is not found to be reduced, then review the steps from 'a' to 'e' above.
g. Risk Audits - A rolling series of continuous self and third-party audits and safety inspections, using checklists, analysis and positive feedback, should be encouraged and must be a part of company policy.
h. Communicate and consult - Communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole. A communication plan should be developed for internal and external stakeholders early in the planning process. Communication should be a two-way process involving consultation. Workers should be encouraged to report deficiencies and near misses.
Management is responsible for identifying the existence of risk and undertaking the business of the company in a manner which ensures appropriate management of those risks.
i. Performance Indicators - The following are suggested indicators:
- No severe insurable loss to disrupt the financial position.
- Risk management to be included in the business planning function.
- All new projects to be assessed for risk in accordance with these guidelines prior to initiation.
- Annual assessment of risks to be recorded and acted upon as detailed in the annual Risk Management and Audit Plan.
- No revenue loss or significant event to disrupt the company's activity through improper conduct by staff.
7. Application of risk assessment
The risk assessment and management process is applied to future developmental processes and is recommended for future land use planning and other developmental activities. A widely accepted model is suggested in Fig-8 so that damage in case of any accident or disaster can be minimised.

8. Chemical process hazard identification and risk analysis methods
8.1 Checklist
The checklist is generally a form for approval by various staff and management functions before a project can move from one stage to the next. It serves both as a means of communication and as a form of control, and can highlight a lack of basic information or a situation that requires detailed evaluation. Checklists are qualitative in nature and limited to the experience base of the author of the checklist; hence they should be audited and updated regularly. The checklist is a widely used basic safety tool that can be applied at any stage of the project life cycle or plant development, and is named accordingly: Process checklist, System checklist, Design checklist, etc.
8.2 Safety Audit
A safety audit is an intensive plant inspection intended to identify the plant conditions or operating procedures that could lead to accidents or significant losses of life and property. It is used to ensure that the implemented safety/risk management programs meet the original expectations and standards. It is also called a 'Safety review', 'Process review' or 'Loss prevention review'. In essence, a safety audit is a critical appraisal of the effectiveness of the existing safety programme in a plant.
The review looks for major hazardous situations and brings out the areas that need improvement. The steps of the identification process are:
a) Obtaining responses from the plant to a pre-audit questionnaire;
b) Preparing a checklist, inspecting the plant and interviewing plant personnel; and
c) Preparing the safety audit report in the form of recommendations.
The results are qualitative in nature. While this technique is most commonly applied to operating plants, it is equally applicable to pilot plants, storage facilities or support functions. The periodicity of such studies depends on the risk involved in the process and the commitment of the management. In India, safety audits are conducted in accordance with Indian Standard BIS IS 14489 (1998).
8.3 Hazard Indices
Hazard indices can be used for relative ranking of process plants from the point of view of their hazard potential. The best-known techniques are the DOW fire and explosion index, the Mond fire, explosion and toxicity index, and the chemical exposure index. All these methods provide a direct and easy approach to a relative ranking of the risks in a process plant. The methods assign penalties and credits based on plant features. Penalties are assigned to process materials and conditions that can contribute to an accident. Credits are assigned to plant safety features that can mitigate the effects of an incident. These penalties and credits are combined to derive an index that is a relative ranking of the plant risk.
8.4 Preliminary Process Hazard Analysis
It is used during the conceptual, early development, early design phase, of a plant. The method is intended for use only in the preliminary phase of plant development for cases where past experience provides little or no insight into potential safety problems, for example, a new plant with new process. Early identification of most of the hazards could possibly result in effective saving in cost that could otherwise result from major plant redesigns if hazards are discovered at a later stage. It is very useful for 'site selection'. It does not preclude the need for further hazard assessment; instead it is a precursor to subsequent hazard analysis. Items for consideration consist of meticulous preparation of lists of hazards. a) Raw materials, intermediates, by-products, final products; b) Plant equipment (high pressure systems); c) Interface among system components (material interactions, fire); d) Environment (earthquake, vibration, extreme temperature); and e) Operations (tests, maintenance and emergency procedure) and safety equipment.
Example: Toxic gas 'A' is one of the components used in the process. Causes of the dangers:
a) The hazards due to storing the gas;
b) Hazards from the excess gas after use;
c) Lines supplying the gas 'A'; and
d) Leakage during the receipt of the gas, etc.
The effects of these causes can be:
a) Injury / fatality to persons inside the plant or in nearby areas;
b) Damage to property due to explosion; and
c) Environmental impacts.
Safety measures / corrective actions provided to minimise the effect:
a) Whether a less toxic material can be used;
b) Minimising the inventory for the storage of the material;
c) Procedure for safe storage of the gas with an enclosure system;
d) Provision of a plant warning system;
e) Training for operators; and
f) Informing neighbouring localities about the toxic effect.
8.5 Job Safety Analysis (JSA)
A JSA is a basic, low-level risk assessment tool and sits above the individual, informal risk assessment tools. It is used for routine and non-routine job and task planning to help develop effective safe work expectations such as guidelines, procedures, standard work instructions (SWIs), job plans, review tasks and the level of risk where adequate procedures or SWIs are not available. The procedure of the JSA is:
1. Break the job down into basic steps,
2. Identify the hazards that are present in each of the steps, and
3. Develop controls for all hazards that have been identified.
For more details see Theme Module-9 “Job Safety Analysis”.
8.6 Failure Modes and Effects Analysis (FMEA)
The method is a tabulation of system / plant equipment, their failure modes and each failure mode's effect on the system / plant. It is a description of how equipment fails (open, close, on, off, leaks, etc.) and the potential effects of each failure mode. The technique is oriented towards equipment rather than process parameters. FMEA identifies single failure modes that either directly result in or contribute significantly to an important accident. Human / operator errors are generally not examined in an FMEA; however, the effects of a mal-operation are usually described by an equipment failure mode. The technique is not efficient for identifying combinations of equipment failures that lead to accidents. A multi-disciplinary team of professionals can perform an FMEA. FMEA has the following six main steps:
a) Determining the level of resolution,
b) Developing a consistent format,
c) Defining the problem and the boundary conditions,
d) Listing the various failure modes,
e) Describing the effects of each failure mode, and
f) Completing the FMEA table.
The level of resolution depends on the requirement of the plant, namely 'plant level' or 'system level', in other words whether the study is for the whole plant, a portion of the plant, a particular system or an individual piece of equipment. The physical system boundaries can be indicated by marking the portion under study on the drawing and stating the operating conditions at the interfaces. Identification of the equipment is necessary to distinguish between two or more similar items of equipment by a number, and a description of the equipment is required to give brief details about the process or system.
All the failure modes consistent with the equipment description are to be listed, considering the equipment's normal operating conditions. Examples of the various failure modes of a normally operating pump are:
a) Fails to open, fails to close when required,
b) Transfers to a closed position,
c) Valve body rupture,
d) Leak of seal, and
e) Leak of casing.
The effects of each failure mode are then described; for example, the effects of the 'fails to open' condition for the pump are (a) loss of process fluid in a particular equipment, and (b) overheating of the equipment. The effect of a pump seal leak is a spill in the area of the pump; if the fluid is flammable a fire could be expected, and so on.
The analyst may also note the expected response of any applicable safety system that could mitigate the effect. An example of the tabulated format may be:
8.7 Hazard and Operability Study (HAZOP)
The HAZOP study is made to identify hazards in a process plant and operability problems which could compromise the plant's ability to achieve its design intent. The approach taken is to form a multi-disciplinary team that works to identify hazards by searching for deviations from design intents. The following terms are used in the analysis:
a) Intentions - Intention defines how the plant is expected to operate,
b) Deviations - These are departures from intentions,
c) Causes - These are the reasons why a deviation might occur, and
d) Consequences - Results of deviations that might occur.
The method uses guidewords to quantify or qualify the intention in order to guide and stimulate the hazard identification process. The guidewords are used to generate deviations from the design intent. The team then identifies the causes and consequences of the deviations.
HAZOP guidewords and their meanings:
Guideword     Meaning
No            Negation of design intent
Less          Quantitative decrease
More          Quantitative increase
Part of       Qualitative decrease
As well as    Qualitative increase
Reverse       Logical opposite of intent
Other than    Complete substitution
The HAZOP study requires that the plant be examined line by line. The method applies all the guidewords in turn, and the outcome is recorded for each deviation with its causes and consequences. Example:
a) For a particular line;
b) Taking any guideword, for example 'No';
c) Deviation in process parameters, namely flow / temperature;
d) For each deviation, the causes of such a deviation;
e) Consequences, etc.; and
f) Measures to rectify the root cause of the deviation.
Fig-10 shows the overall HAZOP process.
8.8 What-if Analysis
What-if analysis is used to conduct a thorough and systematic examination of a process or operation by asking questions that begin with 'What if'. The questioning usually starts at the input to the process and follows the flow of the process. Alternatively the questions can centre on a particular consequence category, for example personnel safety or public safety. The findings are usually accident event sequences. Effective application of the technique requires in-depth experience of plant operation.
Two types of boundaries that may be defined in a “What-if” study are: (a) the consequence category being investigated, and (b) the physical system boundary. The consequence categories for a specific plant are mainly: (a) public risk, (b) worker risk, and (c) economic risk. The purpose of physical boundaries is to keep the investigating team focused on a particular portion of the plant in which the consequence of concern could occur. The typical information required for a What-if analysis is:
a) Operating conditions, physical and chemical properties of materials, equipment description;
b) Plot plan;
c) Process and instrumentation diagram of the plant including alarms, monitoring devices, gauges, etc.;
d) Responsibilities and duties of the operating personnel, communication system, etc.; and
e) Procedures for preventive maintenance, the work permit system for hazardous jobs, and tackling emergency situations.
8.9 Fault Tree Analysis (FTA)
Essentially the fault tree is a graphical representation of the inter-relationship between equipment failures and a specific accident. The equipment faults and failures that are described in a fault tree can be grouped into three classes, namely:
a) Primary faults and failures, attributed to the equipment itself and not to any external cause or condition;
b) Secondary faults and failures, attributed to an external cause or condition; and
c) Command faults and failures, attributed neither to the equipment itself nor to any external cause, but to some source of incorrect command.
There are the following steps in performing the fault tree analysis:
a) Problem definition,
b) Fault tree construction, and
c) Fault tree solution (determining minimal cut sets) and minimal cut set ranking.
a. Problem Definition
This consists of: (a) defining the accident event, i.e. the top event of the fault tree analysis, and (b) defining the analysis boundary, including un-allowed events, existing events, the system's physical boundary, the level of resolution, and other assumptions.
b. Fault Tree Construction
It begins with the top event and proceeds level by level, using logic gate symbols such as “OR” and “AND”, until all the fault events have been developed to their basic contributing causes.
c. Fault Tree Solution
The completed fault tree provides useful information by displaying the interactions of the equipment failures that could result in an accident. The matrix system of analysis gives the minimal cut sets, which are useful for ranking the ways in which an accident may occur, and they allow quantification of the fault tree if appropriate failure data are available.
d. Minimal Cut Set Ranking
'Minimal cut set analysis' is a mathematical technique for manipulating the logical structure of a fault tree to identify all combinations of basic events that result in occurrence of the top event. The ranking of minimal cut sets is the final step of the fault tree analysis procedure. The combinations of basic events, called 'cut sets', are reduced to identify the minimal cut sets, which contain the minimal sets of events necessary and sufficient to cause the top event. Ranking may be based on the number of basic events in a minimal cut set: for example, a one-event minimal cut set is more important than a two-event minimal cut set, a two-event cut set is more important than a three-event cut set, and so on. This is because the chance of one event occurring is greater than the chance of two events occurring together. Moreover, human error is ranked at the top, then active equipment failure, then passive equipment failure.
In Fig-11 the causes B1, B2, B3, B4 and B5 are the basic events which can lead to the top event T, which is “No light in room on demand”, and the mathematical expression for that top event is
T = G1 x G2 = (B1 + B2) x (B3 + B4 + B5) = B1B3 + B2B3 + B1B4 + B2B4 + B1B5 + B2B5 (6 minimal cut sets)
Fig-11 Fault Tree for no light in room on demand
This indicates that the occurrence of either of the basic events B1 or B2, together with the occurrence of any of the basic events B3, B4 or B5, would lead to the top event T.
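The Boolean reduction above carried out in code, as an added example that is not part of the original module: a fault tree is written as nested AND/OR gates over basic events, its cut sets are expanded gate by gate, supersets are absorbed to leave the minimal cut sets, and the result is ranked by the number of basic events as the text describes. It also shows the rare-event quantification the text mentions, using constructed failure probabilities of 0.01 per basic event that are not from the page.

```python
from itertools import product

# A fault tree node is either a basic event name (str) or a gate tuple:
# ("AND", [children]) or ("OR", [children]), children being nodes themselves.

def cut_sets(node):
    """All cut sets of the sub-tree rooted at node, as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":   # any one child failing fails the gate: union of the children's cut sets
        return set().union(*child_sets)
    if gate == "AND":  # every child must fail: merge one cut set taken from each child
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Drop any cut set that contains another one (Boolean absorption: B1 + B1B2 = B1)."""
    all_sets = cut_sets(node)
    return {cs for cs in all_sets if not any(other < cs for other in all_sets)}

def ranked(mcs):
    """Rank minimal cut sets by the number of basic events, fewest (most important) first."""
    return sorted(mcs, key=lambda cs: (len(cs), sorted(cs)))

def top_event_probability(mcs, p):
    """Rare-event approximation of P(T): sum over minimal cut sets of the product of the
    basic-event probabilities p[e]; an upper bound that is close when the p[e] are small."""
    total = 0.0
    for cs in mcs:
        term = 1.0
        for event in cs:
            term *= p[event]
        total += term
    return total

# Fig-11 from the page: T = G1 x G2 = (B1 + B2) x (B3 + B4 + B5)
FIG11 = ("AND", [("OR", ["B1", "B2"]), ("OR", ["B3", "B4", "B5"])])

if __name__ == "__main__":
    mcs = ranked(minimal_cut_sets(FIG11))
    print(len(mcs), "minimal cut sets:", ["".join(sorted(cs)) for cs in mcs])
    # Constructed failure probabilities (not from the page): 0.01 per basic event
    p = {event: 0.01 for event in ("B1", "B2", "B3", "B4", "B5")}
    print("P(T) ~", top_event_probability(mcs, p))  # 6 x 0.01 x 0.01 ~ 0.0006
    # Absorption at work: B1 x (B1 + B2) = B1B1 + B1B2 = B1, so {B1} is the only minimal cut set
    print(ranked(minimal_cut_sets(("AND", ["B1", ("OR", ["B1", "B2"])]))))
```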
8.10 Event Tree Analysis (ETA)
ETA is a forward-thinking process: it begins with an initiating event and develops the following sequences of events that describe potential accidents, accounting for (i) successes and (ii) failures of the available “safety functions” as the accident progresses. The “safety functions” include operator response or safety system response to the initiating event. The general procedure for the event tree analysis has four major steps:
1. Identifying an initiating event of interest,
2. Identifying the safety functions designed to deal with the initiating event,
3. Construction of the event tree, and
4. Describing the resulting accident event sequences.
Example: In Fig-12 the escape of a person from a workplace has been shown along with the smoke detector, sprinkler system, alarm and exhaust. The event trees are constructed for qualitative and quantitative assessment of the proper functioning of fire detection, the alarm function, the sprinkler system, etc.
An event tree can be helpful in assessing the impact after a consequence if the protection systems are not working.
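An added example (not from the original module) of the forward branching described above, using the Fig-12 safety functions. The failure-on-demand probabilities, the fire frequency, the dependency of the alarm and exhaust on the smoke detector, and the rule for what counts as a failed escape are all assumptions chosen for illustration; the handling of a function that is never demanded because an upstream one failed goes beyond what the page describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SafetyFunction:
    name: str
    p_fail: float           # probability of failure on demand
    depends_on: tuple = ()  # functions that must have succeeded for this one to be demanded at all

def event_tree(initiating_frequency, functions):
    """Walk the safety functions in order, splitting every branch into success 'S' and failure 'F'.
    Returns a list of (sequence, frequency); sequence maps function name -> 'S', 'F' or '-',
    where '-' marks a function never demanded because one it depends on had already failed."""
    branches = [({}, initiating_frequency)]
    for fn in functions:
        split = []
        for seq, freq in branches:
            if any(seq.get(dep) != "S" for dep in fn.depends_on):
                split.append(({**seq, fn.name: "-"}, freq))  # no branch point: it cannot act
            else:
                split.append(({**seq, fn.name: "S"}, freq * (1.0 - fn.p_fail)))
                split.append(({**seq, fn.name: "F"}, freq * fn.p_fail))
        branches = split
    return branches

def escape_fails(seq):
    """Assumed outcome rule for Fig-12 (not from the page): the occupant gets out if the alarm
    warns them or the sprinkler controls the fire; any other end state is a failed escape."""
    return seq["alarm"] != "S" and seq["sprinkler"] != "S"

def outcome_frequency(branches, predicate):
    """Sum the frequency of every end state for which predicate(sequence) is true."""
    return sum(freq for seq, freq in branches if predicate(seq))

# Constructed, illustrative values (not from the page): fires per year and failure-on-demand probabilities
FIRE_PER_YEAR = 0.5
FIG12_FUNCTIONS = (
    SafetyFunction("smoke detector", 0.10),
    SafetyFunction("sprinkler", 0.05),                              # heat-activated: needs no detector
    SafetyFunction("alarm", 0.02, depends_on=("smoke detector",)),  # sounds only if smoke was detected
    SafetyFunction("exhaust", 0.20, depends_on=("smoke detector",)),
)

if __name__ == "__main__":
    tree = event_tree(FIRE_PER_YEAR, FIG12_FUNCTIONS)
    for seq, freq in tree:
        print("  ".join(f"{name}:{state}" for name, state in seq.items()), f"{freq:.5f}/yr")
    print("failed escape:", f"{outcome_frequency(tree, escape_fails):.5f}/yr")  # 0.00295
```

The branch frequencies always sum back to the initiating frequency, which is a quick consistency check on any hand-drawn event tree.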
9. Risk Criteria in some countries
10. Glossary
Control: An existing process, policy, device or practice that acts to minimise negative risk or enhance positive opportunities.
Control assessment: Systematic review of processes to ensure that controls are still effective and appropriate.
Event: Occurrence of a particular set of circumstances.
Frequency: A measure of the number of occurrences per unit of time.
Hazard: A source of potential harm or a situation with a potential to cause loss.
Consequence: Outcome or impact of an event.
Likelihood: A general description of probability or frequency.
Loss: Any negative consequence or adverse effect, financial or otherwise.
Monitor: To check, supervise, or record the progress of an activity or system on a regular basis to identify change.
Residual risk: The remaining level of risk after risk treatment measures have been taken.
Risk: The chance of something happening that will have an impact upon the Department's objectives. It is measured in terms of likelihood and consequence.
Risk analysis: A systematic process to understand the nature of risk and to deduce the level of risk.
Risk criteria: Terms of reference by which the significance of risk is assessed.
Risk evaluation: Process of comparing the level of risk against the risk criteria.
Risk identification: The process of determining what, where, when, why and how something could happen.
Risk management: The culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.
Risk management process: The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk reduction: Actions taken to lessen the likelihood, negative consequence, or both, associated with a risk.
Risk retention: Acceptance of the burden of loss, or benefit of gain, from a particular risk.
Risk transfer: Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to shifting a physical risk or part thereof elsewhere.
Risk treatment: Process of selection and implementation of measures to modify risk.