Hiradc Manual So3

This document outlines a course on hazard identification, risk assessment, and risk control. It discusses key elements of an effective occupational health and safety management system, including hazard identification, risk analysis techniques like fault tree analysis and HAZOP, quantifying risk, and establishing a hierarchy of risk controls. Sample exercises will apply these concepts to identifying hazards, assessing risks, and determining controls for forklift battery charging. The overall goal is to teach participants to systematically identify workplace hazards, analyze risks, and develop effective risk mitigation strategies.

Hazard Identification, Risk Assessment & Determining Control

PEME Consultancy, Inc.
Course Outline

• Objectives
• Introduction to OH&S Management System
• Key Elements of an Effective OH&S Management System
• OH&S Planning
• Definition of Terms
• Sources of Hazards
• Classification of Hazards
• Presentation of Previous Accidents
• The Process of Hazard Identification, Risk Assessment & Risk Control
  – "What If"
  – Checklists
  – "What If"/Checklists
  – Brainstorm
  – Task analysis
  – HAZOP
  – FMEA
  – Process Hazard Analysis

Course Outline

• Sample Hazard Identification on Forklift Battery Charging
• Table Top Exercise #1 - Hazard Identification
• Risk Analysis
  – Quantitative and Qualitative
  – Fault tree analysis
  – Event tree analysis
  – HAZOP
  – Barrier Analysis
  – Fish Bone Analysis
  – Process Hazard Analysis

Course Outline

• Risk Analysis
  – Quantitative and Qualitative
  – Fault Tree Analysis
  – Event Tree Analysis
  – Fault Hazard Analysis
  – HAZOP
  – Barrier Analysis [Bow-Tie]
  – Cause and Effect Diagram [Ishikawa or Fish Bone Analysis]

Course Outline

• The Quantification of Risk
  – Table 1 - Consequence Levels
  – Table 2 - Likelihood Levels
  – Table 3 - Risk Level Matrix
• Sample Risk Assessment on Forklift Battery Charging
• Table Top Exercise #2 - Risk Assessment

Course Outline

• Hierarchy of Risk Controls
  – Elimination of Risk
  – Substitution
  – Engineering Control
  – Administrative Control
  – Personal Protective Equipment
  – Emergency Response
• Sample Risk Controls on Forklift Battery Charging
• Table Top Exercise #3 - Risk Control
INTRODUCTION

Participants' Motivation

You are a very lucky one should you have an employer thinking of your own safety! Come home safe every day, mate!

Participants' Motivation

Who depends on you to come home safe?

Participants' Motivation

Life After Accident

Lost time injury???!!!
Objectives

• To identify different potential hazards in your work area;
• To carry out risk assessments;
• To develop risk controls to prevent the occurrence of any potential accident/incident;
• To implement and follow up risk controls; and
• To review the effectiveness of risk controls.
Introduction to Effective OH&S Management System

Key Elements of an Effective OH&S Management System

[Diagram: a continual-improvement cycle] EHS Policy → Planning → Implementation & Operation → Checking & Corrective Action → Management Review → Continual Improvement (back to EHS Policy)

OH&S Planning
Definition

• Hazard: A source or a situation with a potential for harm to humans, property and damage to the environment, or a combination of these.

• Danger: Relative exposure to a hazard.

Definition

• Risk: A combination of the likelihood of occurrence and the severity (consequence) of injury or damage.

• Risk Assessment: Can be defined as the systematic identification of the hazards present in a workplace.

Definition

• Risk Factor Number (RFN): Generated from an assessment of the likelihood and severity of injuries arising from a hazard.

• Risk Residual Number (RRN): A risk level number generated from an assessment of the likelihood and severity (consequence) of the injuries arising from a hazard with mitigating controls in place.
Sources of Hazards

[Diagram: Industrial Process, fed by incoming delivery]

Input:
• Raw Materials
• Equipment/Tools
• Energies
• Human Resources

Output:
• Products
• Services

By-Product:
• Airborne Contaminants
• Physical Hazards
• Other Forms of Energy
• Other Associated Risks

Wastes:
• Hazardous Wastes
• Wastewater
• Other Wastes
Classification of Hazards

• Chemical
• Mechanical
• Electrical
• Physical
• Biological
• Ergonomics
• Psychosocial

Classification of Hazards

Physical: Noise; Vibration; Pressure; Radiation; Heat; Illumination
Chemical: Solid - mineral dust & fume; Liquid - vapor & mist; Gas
Mechanical: Exposed moving parts; Defective machine; etc.
Electrical: Exposed live parts; Open wiring; Overloading; etc.
Psychosocial: Work pressure; Stress hazards
Ergonomic: Force; Repetition; Posture
Biological: Animals & insects; Plants; Virus, fungi, bacteria, molds

. . . And these hazards, if not managed, can lead to accidents!
THE WORK ACCIDENT

A Work Accident shall mean an unplanned or unexpected occurrence that results in personal injury, property damage, work stoppage or interference, or a combination thereof, which arises out of and in the course of employment.

Kinds of Accidents

• Fatality or Death
• Lost Time Accident or Lost Work Day
• Restricted Work Cases or Light Duty
• Medical Treatment Cases
• First Aid Cases
• Major property damage
• Near-miss incidents with potential for serious injury or major property damage

THE INCIDENT OR NEAR MISS

An Incident or Near Miss is an unplanned or unexpected occurrence that does not result in personal injury or property damage.

Definition of an Accident

Definition of an Incident

Another definition of an Incident

Presentation of Previous Accidents/Illnesses at Various Locations
The Process of Hazard Identification, Risk Assessment & Determining Control

[Flow diagram]
Classify Activities (Work, Product, Services)
→ Identify Hazards
→ Assess the Risks (Likelihood, Consequences)
→ Derive Risk Rating
→ Determining Controls
→ Verify Effectiveness
→ Document Results

Hazard identification techniques (applied at the Identify Hazards step):
• "What If"
• Checklists
• "What If"/Checklists
• Brainstorm
• Task analysis
• HAZOP
• FMEA
• Process Hazard Analysis

Risk analysis techniques (applied at the Assess the Risks and Derive Risk Rating steps):
• Fault tree analysis
• Event tree analysis
• HAZOP
• Barrier Analysis
• Fish Bone Analysis
• Process Hazard Analysis
Hazard Identification, Risk Assessment & Determining Control

• Conceptually similar to environmental aspects and impacts – target of management program(s)
• Much more detailed than the 14001 approach
• Assessment must address:
  – routine and non-routine activities
  – all personnel, including contractors and visitors
  – facilities at the workplace, whether provided by the organization or by others

Hazard Identification, Risk Assessment & Determining Control

• Methodology must be proactive
  – in advance of process/equipment changes
  – allow engineering of hazard controls during design
  – implementation of controls as change occurs
• Success requires a strong Management of Change (MOC) procedure
• People are involved
  – significant risks must be controlled
  – individual behaviour is a significant factor
For Table Top Exercises

Simplified HIRADC Form

Columns: Activity / Process Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards
Classify Work Activities

Possible ways of classifying work activities include:
• Geographical areas within/outside the organisation's premises;
• Stages in the production process, or in the provision of a service;
• Routine and non-routine works; and
• Defined tasks (e.g. driving).

Identify Hazards

• Chemical
• Mechanical
• Electrical
• Physical
• Biological
• Ergonomics
• Psychosocial

Hazards Prompt-list

During work activities could the following hazards exist?
• Slips/falls on the level.
• Falls of persons from heights.
• Falls of tools, materials, etc., from heights.
• Inadequate headroom.
• Hazards associated with manual lifting/handling of tools, materials, etc.
• Hazards from plant and machinery associated with assembly, commissioning, operation, maintenance, modification, repair and dismantling.

Hazards Prompt-list

• Vehicle hazards, covering both site transport and travel by road.
• Fire and explosion.
• Violence to staff.
• Substances that may be inhaled.
• Substances or agents that may damage the eye.
• Substances that may cause harm by coming into contact with, or being absorbed through, the skin.
• Substances that may cause harm by being ingested (i.e., entering the body via the mouth).
• Harmful energies (e.g., electricity, radiation, noise, vibration).

Hazards Prompt-list

• Work-related upper limb disorders resulting from frequently repeated tasks.
• Inadequate thermal environment, e.g. too hot.
• Lighting levels.
• Slippery, uneven ground/surfaces.
• Inadequate guard rails or hand rails on stairs.
• Contractors' activities.
The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: WHAT-IF

What If

• What-If analysis is an early method of identifying hazards
• Brainstorming approach that uses broad, loosely structured questioning to postulate potential upsets that may result in an incident or system performance problems
• It can be used for almost every type of analysis situation, especially those dominated by relatively simple failure scenarios

What If

• Normally the study leader will develop a list of questions to consider at the study session
• This list needs to be developed before the study session
• Further questions may be considered during the session
• Checklists may be used to minimise the likelihood of omitting some areas

What If

Advantages
• Useful for hazard identification early in the process, such as when only PFDs are available
• What-If studies may also be more beneficial than HAZOPs where the project being examined is not a typical steady-state process, though HAZOP methodologies do exist for batch and sequence processes

Disadvantages
• Inability to identify pre-release conditions
• Apparent lack of rigour
• Checklists are used extensively, which can provide tunnel vision, thereby running the risk of overlooking possible initiating events

What If

• Experienced personnel brainstorm a series of questions that begin, "What if…?"
• Each question represents a potential failure in the facility or misoperation of the facility

What If

• The response of the process and/or operators is evaluated to determine if a potential hazard can occur
• If so, the adequacy of existing safeguards is weighed against the probability and severity of the scenario to determine whether modifications to the system should be recommended

What-If Question Areas
• Equipment failures
  – What if … a valve leaks?
• Human error
  – What if … the operator fails to restart the pump?
• External events
  – What if … a very hard freeze persists?

What-If – Summary
• Perhaps the most commonly used method
• One of the least structured methods
• Can be used in a wide range of circumstances
• Success highly dependent on the experience of the analysts
• Useful at any stage in the facility life cycle
• Useful when focusing on change review

What If

Example of a What-If report for a single assessed item
The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: CHECKLIST

Checklists

• Simple set of prompts or checklist questions to assist in hazard identification
• Can be used in combination with any other technique, such as "What If"
• Can be developed progressively to capture the corporate learning of the organisation
• Particularly useful in early analysis of change within projects

Checklists

Initiating Events | General Causes | Initiating Causes

Initiating Event: Overfills and Spills
  General Cause: Improper Operation
  Initiating Causes: Operating Error; Inadequate/Incorrect Procedure; Failure To Follow Procedure; Outside Operating Envelope; Inadequate Training

Initiating Event: Vessel/Tanker Shell Failure
  General Cause: Corrosion
  Initiating Causes: Wet H2S Cracking; General Process; Cooling Water; Steam/Condensate; Service Water
  General Cause: Mechanical Impact
  Initiating Causes: Missiles; Crane; Vehicles

Checklists
Advantages
• Highly valuable as a cross-check review tool following application of other techniques
• Useful as a shop floor tool to review continued compliance with the SMS

Disadvantages
• Tends to stifle creative thinking
• Used alone, introduces the potential of limiting the study to already known hazards - no new hazard types are identified
• Checklists on their own will rarely be able to satisfy regulatory requirements

Checklist
• Consists of using a detailed list of prepared questions about the design and operation of the facility
• Questions are usually answered "Yes" or "No"
• Used to identify common hazards through compliance with established practices and standards

Checklist Question Categories
• Causes of accidents
  – Process equipment
  – Human error
  – External events
• Facility Functions
  – Alarms, construction materials, control systems, documentation and training, instrumentation, piping, pumps, vessels, etc.

Checklist Questions
• Causes of accidents
  – Is process equipment properly supported?
  – Is equipment identified properly?
  – Are the procedures complete?
  – Is the system designed to withstand hurricane winds?
• Facility Functions
  – Is it possible to distinguish between different alarms?
  – Is pressure relief provided?
  – Is the vessel free from external corrosion?
  – Are sources of ignition controlled?

Checklist – Summary
• The simplest of hazard analyses
• Easy to use; level of detail is adjustable
• Provides quick results; communicates information well
• Effective way to account for 'lessons learned'
• NOT helpful in identifying new or unrecognized hazards
• Limited to the expertise of its author(s)

Checklist – Summary
• Should be prepared by experienced engineers
• Its application requires knowledge of the system/facility and its standard operating procedures
• Should be audited and updated regularly
The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: WHAT-IF/CHECKLIST

What-If/Checklist
• A hybrid of the What-If and Checklist methodologies
• Combines the brainstorming of the What-If method with the structured features of the Checklist method

What-If/Checklist – Steps
• Begin by answering a series of previously prepared 'What-if' questions
• During the exercise, brainstorming produces additional questions to complete the analysis of the process under study

What-If/Checklist – Summary
• Encourages creative thinking (What-If) while providing structure (Checklist)
• In theory, weaknesses of the stand-alone methods are eliminated and strengths preserved – not easy to do in practice
• E.g.: when presented with a checklist, it is typical human behavior to suspend creative thinking

The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: BRAINSTORM

Brainstorm

• Team-based exercise
• Based on the principle that several experts with different backgrounds can interact and identify more problems when working together
• Can be applied with many other techniques to vary the balance between free-flowing thought and structure
• Can be effective at identifying obscure hazards which other techniques may miss

Brainstorm
Advantages
• Useful starting point for many HAZID techniques to focus a group's ideas, especially at the project's concept phase
• Facilitates active participation and input
• Allows employees' experience to surface readily
• Enables "thinking outside the square"
• Very useful at early stages of a project or study

Disadvantages
• Less rigorous and systematic than other techniques
• High risk of missing hazards unless combined with other tools
• Caution required to avoid overlooking the detail
• Relies on the experience and competency of the facilitator

The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: TASK ANALYSIS
Task Analysis

• Technique which analyses human interactions with the tasks they perform, the tools they use and the plant, process or work environment
• Approach breaks down a task into individual steps and analyses each step for the presence of potential hazards
• Used widely to manage known injury-related tasks in the workplace
• Excellent tool for hazard identification related to human tasks

Task Analysis

Disadvantages
• Does not address plant process deviations which are not related to human interaction

Caution
• Relies on multi-disciplined input, with specific input from the person who normally carries out the task
• Often assumed to be the only tool of hazard identification or risk assessment, as it is generally used at the shop floor

The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: HAZOP
HAZOP

Hazard and Operability Analysis

• Identify hazards (safety, health, environmental), and
• Problems which prevent efficient operation

HAZOP

• A HAZOP study is a widely used method for the identification of hazards
• A HAZOP is a rigorous and highly structured hazard identification tool
• It is normally applied when PFDs and P&IDs are available
• The plant/process under investigation is split into study nodes, and lines and equipment are reviewed on a node-by-node basis
• Guideword and deviation lists are applied to process parameters to develop possible deviations from the design intent

HAZOP results in a very systematic assessment of hazards

HAZOP

Advantages
• Will identify hazards, and events leading to an accident, release or other undesired event
• Systematic and rigorous process
• The systematic approach goes some way to ensuring all hazards are considered

Disadvantages
• HAZOPs are most effective when conducted using P&IDs, though they can be done with PFDs
• Requires significant resource commitment
• HAZOPs are time consuming
• The HAZOP process is quite monotonous and maintaining participant interest can be a challenge

HAZOP
1. Choose a vessel and describe intention
2. Choose and describe a flow path
3. Apply guideword to deviation
   • Guidewords include NONE, MORE OF, LESS OF, PART OF, MORE THAN, OTHER THAN, REVERSE
   • Deviations are expansions, such as NO FLOW, MORE PRESSURE, LESS TEMPERATURE, MORE PHASES THAN (there should be)

Example of HAZOP Matrix

Guide word (columns): No | Low | High | Part of | Also | Other than | Reverse
Process variable (rows):
Flow: No flow | Low flow | High flow | Missing ingredients | Impurities | Wrong material | Reverse flow
Level: Empty | Low level | High level | Low interface | High interface | - | -
Pressure: Open to atmosphere | Low pressure | High pressure | - | - | - | Vacuum
Temperature: Freezing | Low temp. | High temp. | - | - | - | Auto-refrigeration
Agitation: No agitation | Poor mixing | Excessive mixing | Irregular mixing | Foaming | - | Phase separation
Reaction: No reaction | Slow reaction | "Runaway reaction" | Partial reaction | Side reaction | Wrong reaction | Decomposition
Other: Utility failure | External leak | External rupture | - | - | Start-up, Shutdown, Maintenance | -

HAZOP
4. Can the deviation initiate a hazard of consequence?
5. Can failures causing the deviation be identified?
6. Investigate detection and mitigation systems
7. Identify recommendations
8. Document
9. Repeat 3-to-8, 2-to-8, and 1-to-8 until complete

HAZOP
Loss of Containment Deviations
• Pressure too high
• Pressure too low (vacuum)
• Temperature too high
• Temperature too low
• Deterioration of equipment

HAZOP's Inherent Assumptions
• Hazards are detectable by careful review
• Plants designed, built and run to appropriate standards will not suffer catastrophic loss of containment if operations stay within design parameters
• Hazards are controllable by a combination of equipment and procedures which are Safety Critical
• HAZOP conducted with openness and good faith by competent parties

HAZOP – Pros and Cons
• Creative, open-ended
• Completeness – identifies all process hazards
• Rigorous, structured, yet versatile
• Identifies safety and operability issues

• Can be time-consuming (e.g., includes operability)
• Relies on having the right people in the room
• Does not distinguish between low probability, high consequence events (and vice versa)

HAZOP
Example of a HAZOP report for a single assessed item

The Process of Hazard Identification, Risk Assessment & Determining Control

Identify Hazards: FMEA
FMEA

• Objective is to systematically address all possible failure modes and the associated effects on a technical system
• The underlying equipment and components of the system are analysed in order to eliminate, mitigate or reduce the failure or the failure effect
• Best suited for mechanical and electrical hardware systems evaluations

FMEA – Failure Modes, Effects Analysis

• Manual analysis to determine the consequences of component, module or subsystem failures
• Bottom-up analysis
• Consists of a spreadsheet where each failure mode, possible causes, probability of occurrence, consequences, and proposed safeguards are noted.

FMEA

Advantages
• Generally applied to solve a specific problem or set of problems
• FMEA was primarily considered to be a tool or process to assist in designing a technical system to a higher level of reliability
• Designed correction or mitigation techniques can be implemented so that failure possibilities can be eliminated or minimized

Disadvantages
• It is very time consuming and needs specialist skills from different backgrounds to obtain maximum effect
• Very hard to assess operational risks within an FMEA (as they can be within a HAZOP or What-If study)

FMEA – Failure Mode Keywords
• Rupture
• Crack
• Leak
• Plugged
• Failure to open
• Failure to close
• Failure to stop
• Failure to start
• Failure to continue
• Spurious stop
• Spurious start
• Loss of function
• High pressure
• Low pressure
• High temperature
• Low temperature
• Overfilling
• Hose bypass
• Instrument bypassed

FMEA

Worksheet columns: Item | Failure mode | Effect | Cause of failure | Control

FMEA

Example of an FMEA report for a single assessed item

Potential Failure Mode: Open indicator switch failed
Potential Effects of Failure: Wrong indication of valve back to control system, causing possible incorrect controller action to be taken
Potential Causes of Failure: Wear and tear
Comments: Commissioning and test procedures must ensure that all diverter equipment indicators are correctly wired to the diverter control system
Controls: The integrity of the position indicators for the Diverter system equipment is critical to the logic of the control system. It is recommended that the position indicators are discretely function tested prior to commencement of each program

FMEA Example (Figure 12.1)

FMEA Example
The Process of Hazard Identification, Risk Assessment & Determining Control

HIRADC
Forklift Battery Charging

Process Hazard Identification

HIRADC
Forklift Battery Charging

Columns: Process Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

Process Step: Forklift parking at battery charging station
  Hazards: Run over
  Effects: Crushing injury, property damage

Process Step: Battery dismantling, lifting using overhead crane and transferring to charging station
  Hazards: Manual & mechanical handling, Electrical contact
  Effects: Crushing injury, property damage and electrical shock

Process Hazard Identification

HIRADC
Forklift Battery Charging

Columns: Job Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

Job Step: Battery charging
  Hazards: Hydrogen gas, sulfuric acid, electrical contact
  Effects: Burn, fire, property damage, electrical shock

Process Hazard Identification

TABLE TOP EXERCISE #1
Process Hazard Identification

• Divide the participants into 4 groups.
• Group brainstorming, then select one critical activity and identify the significant hazards in your operational areas as part of future planning.
• Select your best presenter and discuss.
The Process of Hazard Identification, Risk Assessment & Determining Control

[Flow diagram, highlighting the Assess the Risks step]
Classify Activities (Work, Product, Services) → Identify Hazards → Assess the Risks (Likelihood, Consequences) → Derive Risk Rating → Determining Controls → Verify Effectiveness → Document Results

Risk analysis techniques: Fault tree analysis; Event tree analysis; HAZOP; Barrier Analysis; Fish Bone Analysis; Process Hazard Analysis
Risk Assessment
Two techniques:
• Qualitative risk analysis
  – Simpler
  – Can be used when no precise information about probabilities of risk is available
• Quantitative risk analysis
  – More systematic
  – Suitable for mathematical analysis
  – Provides figures on the (economic) impact of risks

Risk Assessment

Changing Conditions and Revising

Risk assessment should be seen as a continuing process. Thus, the adequacy of control measures should be subject to continual review and revised if necessary.

Some examples of real risks
Did you know:
• you should be more frightened of taking a bath than of walking down a dark alleyway
• you should be more wary of yourself than of flying in a plane

Chances are your death will be by:
• being shot by a stranger ... 1 in 22,500
• drowning in the bath ... 1 in 17,500
• plane crash ... 1 in 800,000
• car accident ... 1 in 300
• suicide ... 1 in 160
• accidental fall ... 1 in 150
• cancer ... 1 in 4

Qualitative vs. Quantitative Risk Analysis

Qualitative:
• Identify all hazards
• Select a small set of scenarios with the largest consequences
• Obtain some "feel" for the likelihood of these scenarios
• Determine the consequences of these scenarios
• Draw safety distances on a map

Quantitative:
• Identify all hazards
• Select a large set of scenarios
• Determine the expected frequency (likelihood) of all these scenarios
• Determine the consequences of all these scenarios
• Combine all these results (using wind direction statistics, etc.) and calculate Individual Risk around the plant
• Draw Individual Risk on the map and compare with acceptance criteria
The Process of Hazard Identification, Risk Assessment & Determining Control

QUALITATIVE RISK ASSESSMENT

Qualitative = Consequence based: advantages and disadvantages

Advantages:
• Analysis is (relatively) easy and fast
• Decision process is simple (either "safe" or "unsafe")
• Results are easy to communicate (based on easy-to-understand accident scenarios)

Disadvantages:
• Selection of scenarios and assessment of "improbable = (?) impossible" accidents is often tacit or implicit
• Can give a wrong impression of precision and safety
• Use of "worst case" scenarios leads to conservative results (expensive for society) (results are determined by the worst-case but unlikely accidents)
• Tendency to "forget" less severe scenarios in risk control and safety management

Qualitative Risk Analysis
Three-step process:
• Define likelihood;
• Define consequence;
• Establish Operational Risk Matrix

The Quantification of Risk

• The risk associated with a hazard is a reflection of the likelihood that the hazard will cause harm and the severity of that harm. That is:

RISK = LIKELIHOOD X CONSEQUENCE

• Both likelihood and severity (consequence) can be rated on the next slides respectively.

The Process of Hazard Identification, Risk Assessment & Determining Control

HIRADC
Forklift Battery Charging

Quantification of Risk
OPERATIONAL RISK MATRIX

HIRARC
Forklift Battery Charging
Qualitative Risk Analysis

Columns: Process Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

Process Step: Forklift parking at battery charging station
  Hazards: Run over
  Effects: Crushing injury, property damage
  Existing Controls: Trained and authorized operators; Delineated parking area; Stop engine and park; Inspection checklist
  L: C   C: 3   RFN: 13   Level: High
  Future Controls: -   RRN: -

Process Step: Battery dismantling, lifting using overhead crane and transferring to charging station
  Hazards: Manual & mechanical handling, Electrical contact
  Effects: Crushing injury, property damage and electrical shock
  Existing Controls: Remove jewellery; Use electrical gloves while dismantling battery terminals; Carry battery using overhead hoist; Inspection checklist
  L: C   C: 3   RFN: 13   Level: High
  Future Controls: -   RRN: -

HIRADC
Forklift Battery Charging
Qualitative Risk Analysis

Columns: Process Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

Process Step: Battery charging
  Hazards: Hydrogen gas, sulfuric acid, electrical contact
  Effects: Burn, fire, property damage, electrical shock
  Existing Controls: Use rubber gloves and insulated tool when opening the cap, face away from the cell; When adding water, use watering cans to avoid contact with acid and battery terminals; Maintain ventilation and standby fire extinguishers; Ensure an eyewash station is readily available
  L: C   C: 4   RFN: 18   Level: High
  Future Controls: -   RRN: -
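The worksheet above leaves the RFN, Level and RRN columns to be filled from the operational risk matrix. The following is an added example (not the course's own material) that implements RISK = LIKELIHOOD X CONSEQUENCE over a simplified HIRADC row and derives RFN, RRN and the review findings a facilitator would raise. The course's Tables 1-3 are not reproduced on this page, so the 1-5 scales, the level bands, the ratings and the proposed future control are all assumptions.

```python
"""HIRADC risk register (added example; not the course's own material).

Implements RISK = LIKELIHOOD x CONSEQUENCE and the RFN / RRN columns of the
simplified HIRADC form.  The course's Tables 1-3 (consequence levels,
likelihood levels, risk level matrix) are not reproduced on this page, so the
1-5 scales and the level bands below are ASSUMED for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed 1-5 rating scales (not the course's tables).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# Assumed bands over the 1..25 product: (low, high, label).
LEVEL_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Extreme"))
ACTION_REQUIRED = {"High", "Extreme"}   # levels that need a future control


def risk_number(likelihood: int, consequence: int) -> int:
    """RISK = LIKELIHOOD x CONSEQUENCE, as stated in the course."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be rated 1-5")
    return likelihood * consequence


def risk_level(number: int) -> str:
    """Map a risk number onto the (assumed) operational risk matrix bands."""
    for low, high, label in LEVEL_BANDS:
        if low <= number <= high:
            return label
    raise ValueError(f"risk number {number} is outside the matrix")


@dataclass
class HiradcRow:
    process_step: str
    hazards: str
    effects: str
    existing_controls: list
    likelihood: str                 # rated with existing controls in place
    consequence: str
    future_controls: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # rated with future controls added
    residual_consequence: Optional[str] = None

    def rfn(self) -> int:
        """Risk Factor Number: risk with existing controls only."""
        return risk_number(LIKELIHOOD[self.likelihood], CONSEQUENCE[self.consequence])

    def rrn(self) -> int:
        """Risk Residual Number: risk with the future controls in place.
        Without future controls the residual risk is the RFN itself."""
        l = LIKELIHOOD[self.residual_likelihood or self.likelihood]
        c = CONSEQUENCE[self.residual_consequence or self.consequence]
        rrn = risk_number(l, c)
        if rrn > self.rfn():
            # A control that raises the rating is a data-entry error, not mitigation.
            raise ValueError(f"{self.process_step}: RRN {rrn} exceeds RFN {self.rfn()}")
        return rrn

    def gaps(self) -> list:
        """Review findings a facilitator would raise on this row."""
        findings = []
        if risk_level(self.rfn()) in ACTION_REQUIRED and not self.future_controls:
            findings.append("high risk but no future control proposed")
        if self.future_controls and risk_level(self.rrn()) in ACTION_REQUIRED:
            findings.append("residual risk still requires action")
        return findings


def summarise(rows):
    """Return {process_step: (RFN, level, RRN, residual level, findings)}."""
    return {
        r.process_step: (r.rfn(), risk_level(r.rfn()), r.rrn(), risk_level(r.rrn()), r.gaps())
        for r in rows
    }


# Sample rows taken from the course's forklift battery charging worksheet;
# the likelihood/consequence ratings and the future control are CONSTRUCTED.
FORKLIFT_ROWS = [
    HiradcRow("Forklift parking at battery charging station", "Run over",
              "Crushing injury, property damage",
              ["Trained and authorized operators", "Delineated parking area",
               "Stop engine and park", "Inspection checklist"],
              likelihood="possible", consequence="major",
              future_controls=["Physical barrier between walkway and parking bay"],
              residual_likelihood="unlikely"),
    HiradcRow("Battery charging", "Hydrogen gas, sulfuric acid, electrical contact",
              "Burn, fire, property damage, electrical shock",
              ["Rubber gloves and insulated tool", "Maintain ventilation",
               "Standby fire extinguishers", "Eyewash station"],
              likelihood="possible", consequence="major"),
]

if __name__ == "__main__":
    for step, result in summarise(FORKLIFT_ROWS).items():
        print(step, result)
```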
TABLE TOP EXERCISE #2
Risk Assessment

• Divide the participants into 4 groups.
• Group brainstorming, then assess the risk level on the hazards that had been identified in table top exercise #1 using the matrix provided by the facilitator or the standard developed by your company.
• Select your best presenter and discuss.

The Process of Hazard Identification, Risk Assessment & Determining Control

QUANTITATIVE RISK ASSESSMENT
Quantitative Risk Assessment
Participants should be able to:
• Define quantitative risk analysis
• Recognize the steps involved in such a risk analysis
• Determine Likelihood of Exploitation
• Identify Risk Exposure
• Compute Annual Loss Expectancy (ALE) or Expected Monetary Value (EMV).

Quantitative Risk Assessment

• Quantitative Risk Assessment is most commonly used in the process industries to quantify the risks of 'major hazards'.
• Quantitative Risk Assessment is used in the offshore oil and gas industries, the transport of hazardous materials, the protection of the environment, mass transportation (rail) and the nuclear industry.

Quantitative = Risk based: advantages and disadvantages

Advantages:
• Complete analysis, opportunity for setting priorities, focus on the most "risky" items.
• Transparent (for experts?), both probabilities and consequences are included explicitly
• Results can be compared with criteria for risk acceptance
• Results for different types of facilities can easily be compared
• Not dominated by a single accident scenario – not sensitive to the selection of scenarios

Disadvantages:
• Expensive and cumbersome analysis, which requires expert knowledge
• The "probabilistic" element in the result is hard to communicate
• Result suggests large accuracy, but it includes large uncertainty
• The presence of acceptance criteria (hard political decision) is necessary beforehand

Probabilistic Approach
• Quantifying risk through probability of failure
• Hard to quantify the probability of some events
• Understand the data, the sources, and the limitations
• Follow the rules of probability
Quantitative Risk Assessment
Calculating Safety Costs
 Tracking data costs
 System downtime (lost productivity)
 Equipment damage and replacement
 Accident clean-up
 Personnel injuries and death
 Annual Loss Expectancy (ALE) or Expected
Monetary Value (EMV).
 Cost-benefit analysis
Quantitative Risk Assessment
 Difficult to obtain the frequency of attacks using statistical data. Why?
  Data is difficult to obtain & often inaccurate
  If automatic tracking is not feasible, expert judgment is used to determine frequency
 Approaches
  Delphi Approach: probability expressed as an integer rating (e.g. 1-10)
  Normalized: probability between 0 (not possible) and 1 (certain)
Quantitative Risk Assessment
Delphi Approach

 Subjective probability technique originally devised to deal with public policy decisions
 Assumes experts can make informed decisions
 Results from several experts are analyzed
 Estimates are revised until consensus is reached among experts

Frequency Ratings
 More than once a day          10
 Once a day                     9
 Once every three days          8
 Once a week                    7
 Once in two weeks              6
 Once a month                   5
 Once every four months         4
 Once a year                    3
 Once every three years         2
 Less than once in three years  1
Quantitative Risk Analysis
Example #1: Gym Locker

Scenario: There is a gym locker used by its members to store clothes and other valuables. The lockers cannot be locked, but locks can be purchased.

You need to determine:
1) Risk exposure for gym members
2) Controls to reduce risk
Quantitative Risk Analysis
Example #1: Gym Locker
 Identify assets and determine value
  Clothes $50
  Wallet $100
  Glasses $100
  Sports equipment $30
  Driver's license $20
  Car keys $100
  House keys $60
  Tapes and walkman $40
  ____
  Total loss per theft (one per week): $500
 Find vulnerabilities
  Theft
  Accidental loss
  Disclosure of information (e.g. wallet contents read)
  Vandalism
Quantitative Risk Analysis
Example #1: Gym Locker
 Estimate likelihood of exploitation (Delphi frequency ratings)
  • 10 (more than once a day)
  • 9 (once a day)
  • 7 (once a week)
  • 6 (once every two weeks)
  • 5 (once a month)
  • 4 (once every four months)
  • 3 (once a year)
  • 2 (once every three years)
  • 1 (less than once every 3 years)
 For theft: estimated likelihood is 7 (once a week)
 Figure annual loss:
  ~$500 worth of loss each week
  ~52 weeks in a year
  ~$26,000 loss per year
Quantitative Risk Analysis
Example #1: Gym Locker

 Determine cost of added security
  New lock $5
  Replacement for lost key $10
  On average members lose one key twice a month (24 times per year)
 Estimate likelihood of exploitation under added security
  The new likelihood of theft could be estimated at a 4 (once every four months).
 Cost Benefit Analysis
  Revised losses (including cost of controls) = (500 × 4) + (15 × 24) = $2,360
  Net savings = 26,000 – 2,360 = $23,640
  Note that the 4 is an ordinal rating, not a count of events: taken literally, once every four months is about 3 thefts a year, giving revised losses of (500 × 3) + (15 × 24) = $1,860 and net savings of $24,140. Either way, the $360 a year spent on locks and replacement keys is small against the loss avoided.
Quantitative Risk Analysis
Example #2: Hard Drive Failure
 The chance of your hard drive failing is once every three years: annual rate of occurrence = 1/3 per year
 Intrinsic cost
  $300 to buy a new disk
  Hours of effort to reload OS and software: 10 hours
  Hours to re-key assignments from last backup: 4 hours
  Pay per hour of effort: $10.00 per hour
 Total loss (risk impact)
  $300 + $10 × (10 + 4) = $440
 Annual Loss Expectancy (pa = per annum)
  $440 × 1/3 = $147 pa
Quantitative Risk Analysis
Example #3: Virus Attack

 Situation: virus attack on the same system
  You frequently swap files with other people, but have no anti-virus software running.
  Assume an attack every 6 months (annual rate of occurrence = 2 per year)
  No need to buy a new disk
  Rebuild effort (10 + 4) hours
  Total loss = $10 × (10 + 4) = $140
  ALE = $140 × 2 = $280 pa
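The three examples above all apply the same arithmetic: Annual Loss Expectancy (ALE) = single-loss expectancy (the loss per event) × annualized rate of occurrence (events per year), and a control pays off when the ALE it removes exceeds the residual ALE plus the control's own yearly cost. The following is an added worked example, not part of the course material; the functions, the rating-to-frequency table and the values chosen for the open-ended ratings 10 and 1 are this editor's assumptions.

```python
"""Annual Loss Expectancy (ALE) and cost-benefit arithmetic for the three
quantitative examples (gym locker, hard drive failure, virus attack).

Added example; the functions and the rating-to-frequency table are this
editor's construction, not part of the course material.

ALE = SLE x ARO
  SLE = single-loss expectancy, the loss per event (dollars)
  ARO = annualized rate of occurrence, events per year
"""

# Delphi frequency ratings from the course, expressed as events per year.
# Ratings 10 and 1 are open-ended on the slide ("more than once a day",
# "less than once in three years"); the numbers given to them here are
# assumptions chosen for illustration only.
DELPHI_EVENTS_PER_YEAR = {
    10: 2 * 365.0,    # assumption: "more than once a day" taken as twice a day
    9: 365.0,         # once a day
    8: 365.0 / 3,     # once every three days
    7: 52.0,          # once a week
    6: 26.0,          # once in two weeks
    5: 12.0,          # once a month
    4: 3.0,           # once every four months
    3: 1.0,           # once a year
    2: 1.0 / 3,       # once every three years
    1: 0.1,           # assumption: "less than once in three years" taken as once a decade
}


def delphi_rating_to_aro(rating: int) -> float:
    """Turn an ordinal Delphi rating into the frequency it stands for."""
    return DELPHI_EVENTS_PER_YEAR[rating]


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: loss per event times events per year."""
    return sle * aro


def rebuild_sle(hardware_cost: float, hours: float, hourly_rate: float) -> float:
    """Single-loss expectancy for a rebuild: parts plus paid effort."""
    return hardware_cost + hours * hourly_rate


def net_savings(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost-benefit: yearly loss avoided, net of residual loss and the control's own cost."""
    return ale_before - (ale_after + annual_control_cost)


def gym_locker() -> dict:
    """Example #1: unlocked gym lockers, then lockers with purchased locks."""
    assets = {"clothes": 50, "wallet": 100, "glasses": 100, "sports equipment": 30,
              "driver's license": 20, "car keys": 100, "house keys": 60,
              "tapes and walkman": 40}
    sle = sum(assets.values())                          # $500 lost per theft
    ale_before = ale(sle, delphi_rating_to_aro(7))      # theft once a week: $26,000/yr
    # With locks the likelihood is rated 4, i.e. once every four months (3/yr).
    ale_after = ale(sle, delphi_rating_to_aro(4))       # $1,500/yr
    # Members lose a key twice a month: 24 events/yr, each a $10 key plus a $5 lock.
    control_cost = 24 * (10 + 5)                        # $360/yr
    # The slide multiplies the SLE by the raw rating (500 x 4 = 2,000), which
    # treats an ordinal rank as a count of events; both figures are returned
    # so the difference is visible.
    slide_revised_losses = sle * 4 + control_cost
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_cost": control_cost,
        "net_savings": net_savings(ale_before, ale_after, control_cost),
        "slide_net_savings": ale_before - slide_revised_losses,
    }


def hard_drive_failure() -> float:
    """Example #2: disk fails once every three years (ARO = 1/3)."""
    sle = rebuild_sle(hardware_cost=300, hours=10 + 4, hourly_rate=10)  # $440
    return ale(sle, 1 / 3)                                              # about $147/yr


def virus_attack() -> float:
    """Example #3: an infection every six months (ARO = 2), no new disk needed."""
    sle = rebuild_sle(hardware_cost=0, hours=10 + 4, hourly_rate=10)    # $140
    return ale(sle, 2)                                                  # $280/yr


if __name__ == "__main__":
    for name, value in gym_locker().items():
        print(f"gym locker {name}: ${value:,.2f}")
    print(f"hard drive ALE: ${hard_drive_failure():,.2f} per year")
    print(f"virus ALE: ${virus_attack():,.2f} per year")
```

Running the file prints both cost-benefit results for the locker case ($23,640 with the slide's arithmetic, $24,140 when the rating is converted to a frequency first), which is the check to make before quoting a Delphi-based ALE to management: decide whether a rating is being used as a rank or as a count, and say so.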
Example No. 4
Quantitative Risk Analysis
Summary
 Quantitative risk analysis involves statistical data and numerical values and can be used to justify the benefit of controls.
 While asset and vulnerability identification are the same for qualitative and quantitative methods, qualitative results are more subjective and quantitative results are expressed as numbers that can be compared and summed.
 Probabilities can be obtained in multiple ways: from calculated values, or from the more subjective Delphi approach (ratings 1-10) or a normalized approach (values between 0 and 1).
Risk Assessment
FAULT TREE ANALYSIS
Fault Tree Analysis
 Fault tree analysis is an effect-and-cause diagram that uses standard symbols developed in the defense industry and is used heavily in safety engineering. FTA is a structured approach for analyzing the root causes of a failure mode not yet fully understood.
 Note: FTA is an alternative to Ishikawa (Fish Bone) Diagrams. Many feel that FTA is better suited to understanding layers and relationships of causes of equipment failures. However, if you still prefer fish bones after trying FTA, there is no reason not to use them. The goal always remains to use the most efficient method for solving problems.
Fault Tree Analysis
 Graphical representation of the logical structure displaying the relationship between an undesired potential event (top event) and all its probable causes
 Top-down approach to failure analysis
  Starting with a potential undesirable event - the top event
  Determining all the ways in which it can occur
  Mitigation measures can then be developed to minimize the probability of the undesired event
 A fault tree can help to:
  Quantify the probability of top event occurrence
  Evaluate proposed system architecture attributes
  Assess design modifications and identify areas requiring attention
  Comply with qualitative and quantitative safety/reliability objectives
  Qualitatively illustrate the failure condition classification of a top-level event
  Establish maintenance tasks and intervals from safety/reliability assessments
Fault Tree Analysis
Advantages
 Quantitative - defines probabilities to each event which can be
used to calculate the probability of the top event
 Easy to read and understand hazard profile
 Easily expanded to bow tie diagram by addition of event tree

Disadvantages
 Need to have identified the top event first
 More difficult than other techniques to document
 Fault trees can become rather complex
 Time consuming approach
 Quantitative data needed to perform properly
Understanding the Process
(Figure: pressure tank system with tank, pump and motor, timer relay, relays K1 and K2, pressure switch S1, and outlet valve.)
Fault Tree Analysis
Symbols Review
 Square: describes the top and lower level failures (intermediate events)
 OR gate: produces output (failure) if one or more inputs exist
 AND gate: produces output (failure) if and only if all inputs exist
 Circle: potential root failure (basic event) which cannot be broken down into lesser failures
 Diamond: potential failure which is not analyzed further, for various reasons (undeveloped event)
Fault Tree Analysis
Symbols Review
 AND gate means: for the upper failure to occur, all of the failures beneath it must occur.
 OR gate means: for the upper failure to occur, only one of the failures beneath it must occur.
Establishing a Fault Tree
Step 1 Identify the top level fault
Step 2 Brainstorm first level contributors
Step 3 Link contributors to the top by logic gates
Step 4 Brainstorm second level contributors
Step 5 Link contributors to the upper level by logic gates
Step 6 Repeat / continue for each lower level, until every branch ends in a basic event (circle), which cannot be broken down any further, or in a failure event that is not analyzed for various reasons (diamond)

(This page is taken from the Sverdrup manual "FTA and Risk Management" by P.L. Clemens, 1992/1993, pg. 10)
FTA Do's & Don'ts
 Do's
  Start at the top
  Think categories
  Brainstorm, then organize
  Facilitate proper brainstorming
  Know when to stop
  Have action plans for all circles
  Check that branches terminate with a circle or diamond
  Revisit the FBD or FTA when new data is found
  Use yellow stickies to capture the brainstormed causes
 Don'ts
  Don't get bogged down
  Don't jump to solutions!
Example Fault Tree Analysis
Lamp Does Not Light

Understanding the Process

Consider the simple circuit diagram shown below:
(Figure: a battery (+/−) supplying a lamp through a power unit, a fuse and a switch.)

Example from Harms Ringdahl L (1995), Safety Analysis: Principals and Practice in Occupational Safety, Elsevier Applied Science.
Example Fault Tree Analysis
Lamp Does Not Light

The corresponding fault tree for the above circuit, with the top event (or hazard) being the lamp not working, is as follows (each branch is an OR gate: any one of the lower failures is enough to cause the failure above it):

Lamp does not light
 No current through the lamp
  Faulty lamp
  No power supply to the lamp
   No power feed
    No power from battery
    No power from unit
   Broken circuit
    Broken circuit (wiring)
    Defective switch
    Defective fuse

Example from Harms Ringdahl L (1995), Safety Analysis: Principals and Practice in Occupational Safety, Elsevier Applied Science.
Example Fault Tree Analysis
Process vessel over pressured

Process vessel over pressured [AND]
 Pressure rises [AND]
  Process pressure rises
  Control fails high
 PSV does not relieve [OR]
  Fouling inlet or outlet
  Set point too high
  PSV too small
  PSV stuck closed
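The advantage listed earlier, that a fault tree "defines probabilities to each event which can be used to calculate the probability of the top event", and the two trees just shown are what the following added example exercises. It is this editor's code, not part of the course: it encodes the lamp tree and the process-vessel tree, evaluates the top event through the gates (AND = product, OR = 1 − ∏(1 − p), both assuming independent inputs) and enumerates the minimal cut sets. The basic-event probabilities are constructed for illustration and are not from the course.

```python
"""Fault tree evaluation: top-event probability and minimal cut sets.

Added example, not part of the course material. It encodes the lamp and
process-vessel fault trees from the slides; the basic-event probabilities
are constructed for illustration and are not from the course.

Gate arithmetic assumes the input events are statistically independent:
  AND: P = product of input probabilities
  OR:  P = 1 - product of (1 - p) over the inputs
"""
from functools import reduce
from itertools import product
from typing import FrozenSet, List


class Event:
    """A node of the tree: a basic event (probability p) or a gate over inputs."""

    def __init__(self, name, p=None, gate=None, inputs=()):
        self.name = name
        self.p = p
        self.gate = gate          # None for a basic event, else "AND" or "OR"
        self.inputs = list(inputs)


def basic(name: str, p: float) -> Event:
    return Event(name, p=p)


def AND(name: str, *inputs: Event) -> Event:
    return Event(name, gate="AND", inputs=inputs)


def OR(name: str, *inputs: Event) -> Event:
    return Event(name, gate="OR", inputs=inputs)


def probability(event: Event) -> float:
    """Probability of the event, computed bottom-up through the gates."""
    if event.gate is None:
        return event.p
    ps = [probability(i) for i in event.inputs]
    if event.gate == "AND":
        return reduce(lambda acc, p: acc * p, ps, 1.0)
    return 1.0 - reduce(lambda acc, p: acc * (1.0 - p), ps, 1.0)


def minimal_cut_sets(event: Event) -> List[FrozenSet[str]]:
    """Minimal sets of basic events whose joint occurrence causes the event.

    OR gates collect the cut sets of each input; AND gates take one cut set
    from every input and merge them. Non-minimal sets (supersets of another
    cut set) are dropped.
    """
    if event.gate is None:
        return [frozenset([event.name])]
    child_sets = [minimal_cut_sets(i) for i in event.inputs]
    if event.gate == "OR":
        candidates = {cs for child in child_sets for cs in child}
    else:
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [cs for cs in candidates if not any(other < cs for other in candidates)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def lamp_tree(p_each: float = 0.01) -> Event:
    """'Lamp does not light' (Harms-Ringdahl); every basic event gets p_each (constructed)."""
    return OR("Lamp does not light",
              OR("No current through the lamp",
                 basic("Faulty lamp", p_each),
                 OR("No power supply to the lamp",
                    OR("No power feed",
                       basic("No power from battery", p_each),
                       basic("No power from unit", p_each)),
                    OR("Broken circuit",
                       basic("Broken circuit (wiring)", p_each),
                       basic("Defective switch", p_each),
                       basic("Defective fuse", p_each)))))


def vessel_tree() -> Event:
    """'Process vessel over pressured': needs a pressure rise AND a PSV failure."""
    return AND("Process vessel over pressured",
               AND("Pressure rises",
                   basic("Process pressure rises", 0.1),     # constructed values
                   basic("Control fails high", 0.05)),
               OR("PSV does not relieve",
                  basic("Fouling inlet or outlet", 0.02),
                  basic("Set point too high", 0.01),
                  basic("PSV too small", 0.005),
                  basic("PSV stuck closed", 0.01)))


if __name__ == "__main__":
    for tree in (lamp_tree(), vessel_tree()):
        print(f"{tree.name}: P = {probability(tree):.6f}")
        for cs in minimal_cut_sets(tree):
            print("  cut set:", ", ".join(sorted(cs)))
```

The cut sets are the useful output for the "mitigation measures" step: every cut set of the vessel tree contains both "Process pressure rises" and "Control fails high", so a control acting on either of those two events blocks all four routes to overpressure, whereas a control on a single PSV failure mode blocks only one. For the lamp, every basic event is a single-event cut set, which is the quantitative way of saying the circuit has no redundancy.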
Example Fault Tree Analysis
Pressurized Tank Explosion
Example Fault Tree Analysis
Smoke Detector

Inputs (presence of smoke):
 Smoke enters through vent
 Smoke enters ionization chamber
Process (detection of smoke):
 Battery powers control box, indicator light, and smoke detector
 Smoke is ionized and causes increase in voltage
 Signal sent from smoke detector triggers control box circuit
 Control box sends signal/power to siren
Outputs (alarm signaling):
 Signal/power to siren turns motor
 Motor causes siren to sound
 Alarm signals
Example Fault Tree Analysis
Smoke Detector
Sample solution (incomplete); any one lower failure is enough to cause the failure above it (OR gates)

FAILURE: Smoke detector does not detect smoke
 Smoke not present in chamber
  Vent is blocked
   Dust blockage
   Paint blockage
  Ionization chamber blocked
   Dust blockage
 Smoke not detected
  Defective control box
  No power at control box
   Broken wire
   Defective solder joint
  No power at ionization chamber
  Defective ionization chamber
   Ionization chamber cracked
 Alarm not sounding
  Defective alarm
  No power at alarm
   Broken wire
   Defective solder joint
Sample Fault Tree Analysis: Smoke Detector
(Figure: problem-solving flow. Theme → Data → Root cause → Solution → Confirm results? Yes: Standardize → Reflect; No: return to the analysis.)
Example Fault Tree Analysis
Barrel E No Flow

Example Fault Tree Analysis
Gas Valve Failure (Figure 13.2 Gas valve fault tree)
Risk Assessment
EVENT TREE ANALYSIS
Event Tree Analysis
Event tree analysis evaluates potential accident outcomes that might result following an equipment failure or process upset known as an initiating event. It is a "forward-thinking" process, i.e. the analyst begins with an initiating event and develops the following sequences of events that describe potential accidents, accounting for both the successes and failures of the safety functions as the accident progresses.
Event Tree Analysis Guidelines

1. Identify an initiating event of interest.
2. Identify the safety functions designed to deal with the initiating event.
3. Construct the event tree.
4. Describe the resulting accident event sequences.
Example Event Tree Analysis
Step 1 Identify the initiating event
 System or equipment failure
 Human error
 Process upset

[Example]
"Loss of Cooling Water" to an Oxidation Reactor
Step 2 Identify the Safety Functions Designed to Deal with the Initiating Event

• Safety systems that automatically respond to the initiating event.
• Alarms that alert the operator when the initiating event occurs, and operator actions designed to be performed in response to alarms or required by procedures.
• Barriers or containment methods that are intended to limit the effects of the initiating event.
Step 2 Identify the Safety Functions Designed to Deal with the Initiating Event
Example

 Oxidation reactor high temperature alarm alerts operator at temperature T1.
 Operator reestablishes cooling water flow to the oxidation reactor.
 Automatic shutdown system stops reaction at temperature T2 (T2 > T1).

These safety functions are listed in the order in which they are intended to occur.
Step 3: Construct the Event Tree

a. Enter the initiating event and the safety functions, in the order in which they are intended to act, as column headings:

INITIATING EVENT: Loss of cooling water to oxidation reactor
SAFETY FUNCTIONS: (1) Oxidation reactor high temperature alarm alerts operator at temperature T1; (2) Operator reestablishes cooling water flow to oxidation reactor; (3) Automatic shutdown system stops reaction at temperature T2.

b. Evaluate the safety functions. Working left to right, each safety function that can affect the course of the accident splits the path into two branches: Success (upper branch) and Failure (lower branch). If a safety function does not affect the course of the accident (for example, the operator cannot respond to an alarm that never sounded), the accident path proceeds with no branch point to the next safety function. Repeat for each safety function until every path has passed the last column; the event tree is then complete.
Step 4: Describe the Accident Sequences

Safety functions: B, oxidation reactor high temperature alarm alerts operator at temperature T1; C, operator reestablishes cooling water flow to oxidation reactor; D, automatic shutdown system stops reaction at temperature T2. A is the initiating event (loss of cooling water to oxidation reactor); a letter in a sequence identifier means that safety function failed.

Sequence  Outcome
A         Safe condition, return to normal operation
AC        Safe condition, process shutdown
ACD       Unsafe condition, runaway reaction, operator aware of problem
AB        Unstable condition, process shutdown
ABD       Unsafe condition, runaway reaction, operator unaware of problem

(Upper branch at each node = success, lower branch = failure. When the alarm B fails the operator is never alerted, so function C has no branch point on that path and the sequence goes directly to D.)
Example Event Tree Analysis

Figure 11-8 Reactor with high temperature alarm and temperature controller. (Figure: reactor with feed, cooling coils, cooling water in and out, thermocouple, temperature controller TIC, and high temperature alarm TIA at T > TA.)

Figure 11-9 Event tree for a loss of coolant accident for the reactor of Figure 11-8.

Initiating event A: Loss of cooling, 1 occurrence/yr.

Safety function                    Identifier  Failures/demand
High temp alarm alerts operator    B           0.01
Operator notices high temp         C           0.25
Operator re-starts cooling         D           0.25
Operator shuts down reactor        E           0.1

Sequence  Result              Occurrences/yr
A         Continue operation  0.7425
AD        Shut down           0.2227
ADE       Runaway             0.02475
AB        Continue operation  0.005625
ABD       Shut down           0.001688
ABDE      Runaway             0.0001875
ABC       Continue operation  0.001875
ABCD      Shut down           0.0005625
ABCDE     Runaway             0.0000625

Shutdown = 0.2227 + 0.001688 + 0.0005625 = 0.2250 occurrences/yr.
Runaway = 0.02475 + 0.0001875 + 0.0000625 = 0.02500 occurrences/yr.
Check: continue operation (0.7425 + 0.005625 + 0.001875 = 0.75) + shutdown (0.2250) + runaway (0.0250) = 1.0 occurrence/yr, the initiating frequency.

Function C (operator notices high temperature) branches only on the paths where the alarm B has failed; when the alarm works the operator is alerted and the path proceeds with no branch point to D.
Figure 11-10 The computational sequence across a safety function in an event tree.
Initiating event: 0.5 occurrences/yr. Safety function: 0.01 failures/demand.
 Success of safety function: (1 − 0.01) × 0.5 = 0.495 occurrences/yr
 Failure of safety function: 0.01 × 0.5 = 0.005 occurrences/yr
Figure 11-11 Event tree for the reactor of Figure 11-8. This includes a high temperature shutdown system (E), which acts before the operator's manual shutdown (F).

Initiating event A: Loss of cooling, 1 occurrence/yr.

Safety function                    Identifier  Failures/demand
High temp alarm alerts operator    B           0.01
Operator notices high temp         C           0.25
Operator re-starts cooling         D           0.25
High temperature shutdown system   E           0.01
Operator shuts down reactor        F           0.1

Sequence  Result              Occurrences/yr
A         Continue operation  0.7425
AD        Shut down           0.2450
ADE       Shut down           0.002228
ADEF      Runaway             0.0002475
AB        Continue operation  0.005625
ABD       Shut down           0.001856
ABDE      Shut down           0.00001688
ABDEF     Runaway             0.000001875
ABC       Continue operation  0.001875
ABCD      Shut down           0.0006187
ABCDE     Shut down           0.00000563
ABCDEF    Runaway             0.000000625

Shutdown = 0.2450 + 0.002228 + 0.001856 + 0.00001688 + 0.0006187 + 0.00000563 = 0.2498 occurrences/yr (all six shut-down branches).
Runaway = 0.0002475 + 0.000001875 + 0.000000625 = 0.000250 occurrences/yr.
Check: 0.75 + 0.2498 + 0.00025 = 1.0 occurrence/yr. Adding the automatic shutdown system cuts the runaway frequency by a factor of 100 (0.025 to 0.00025 per year) while the continue-operation frequency is unchanged.
Risk Assessment
HAZOP
The HAZOP Method
 HAZOP analysis is a systematic technique for identifying
hazards and operability problems throughout an entire
facility. It is particularly useful to identify unwanted hazards
designed into facilities due to lack of information, or
introduced into existing facilities due to changes in process
conditions or operating procedures.
 The objectives of a HAZOP study are to detect any
predictable deviation (undesirable event) in a process or a
system. This purpose is achieved by a systematic study of
the operations in each process phase.
HAZOP Studies
 Hazard and Operability Studies (HAZOP) have been used for many years as a formal means for the review of chemical process designs.
 A HAZOP study is a systematic search for hazards, which are defined as deviations from the design intent of process parameters that may have dangerous consequences.
 In the process industry, these deviations concern process parameters such as flow, temperature, pressure etc.
HAZOP Studies Requirements
1. Definition of the objectives and scope of the study,
e.g. hazards having only off-site impact or only on-
site impact, areas of the plant to be considered, etc.
2. Assembly of a HAZOP study team.
3. Collection of the required documentation, drawings
and process description.
4. Analysis of each major item of equipment, and all
supporting equipment, piping and instrumentation
5. Documentation of the consequences of any deviation
from normal and highlights of those which are
considered hazardous and credible.
HAZOP Studies

 HAZOP is a team approach, involving a team of people representing all the different functions in a plant.
 They identify all the deviations by "brainstorming" to a set of guide words which are applied to all parts of the system.
Guide Words

The guide words (No/Not, More, Less, As well as, Part of, Reverse, Other than) are applied to each process parameter; the additional guide words Early, Late, Before, After are applied to batch or sequential operations.
Example of HAZOP Matrix

Process variable | No                 | Low              | High               | Part of             | Also                 | Other than                      | Reverse
Flow             | No flow            | Low flow         | High flow          | Missing ingredients | Impurities           | Wrong material                  | Reverse flow
Level            | Empty              | Low level        | High level         | Low interface level | High interface level | -                               | -
Pressure         | Open to atmosphere | Low pressure     | High pressure      | -                   | -                    | -                               | Vacuum
Temperature      | Freezing           | Low temp.        | High temp.         | -                   | -                    | -                               | Auto refrigeration
Agitation        | No mixing          | Poor mixing      | Excessive mixing   | Irregular mixing    | Foaming              | -                               | Phase separation
Reaction         | No reaction        | Slow reaction    | "Runaway reaction" | Partial reaction    | Side reaction        | Wrong reaction                  | Decomposition
Other            | Utility failure    | External leak    | External rupture   | -                   | -                    | Start-up, Shutdown, Maintenance | -
HAZOP Studies

The process is as follows:
 The system is divided into suitable parts or sub-systems, which are then analysed one at a time.
 For each sub-system each parameter (flow, temperature, pressure, volume, viscosity etc.) that has an influence on it is noted.
 Guide words are applied to each parameter in each sub-system. The intention is to prompt creative discussion of deviations and possible consequences.
 For each significant deviation, possible causes are identified.
Example HAZOP Studies
Consider the simple process diagram below. It represents a plant where substances A and B react with each other to form a new substance C. If there is more B than A there may be an explosion.

(Figure: process diagram with tanks A and B, valves V1 to V5, a pump, and product tank C. A < B = Explosion.)

Example from Harms Ringdahl L (1995), Safety Analysis: Principals and Practice in Occupational Safety, Elsevier Applied Science.
The HAZOP sheet for the section of the plant from A to C will be as follows:

Guide word  | Deviation               | Possible causes                                                                      | Consequences                              | Control measures
NO, NOT     | No A                    | Tank containing A is empty. V1 or V2 closed. Pump does not work. Pipe broken.        | Not enough A = Explosion                  | Indicator for low level. Monitoring of flow.
MORE        | Too much A              | Pump capacity too high. Opening of V1 or V2 is too large.                            | C contaminated by A. Tank overfilled.     | Indicator for high level. Monitoring of flow.
LESS        | Not enough A            | V1, V2 or pipe partially blocked. Pump gives low flow or runs for too short a time.  | Not enough A = Explosion                  | See above.
AS WELL AS  | Other substance         | V3 open, air sucked in.                                                              | Not enough A = Explosion                  | Flow monitoring based on weight.
REVERSE     | Liquid pumped backwards | Wrong connection to motor.                                                           | Not enough A = Explosion. A is contaminated. | Flow monitoring.
OTHER THAN  | A boils in pump         | Temperature too high.                                                                | Not enough A = Explosion                  | Temperature (and flow) monitoring.

Example from Harms Ringdahl L (1995), Safety Analysis: Principals and Practice in Occupational Safety, Elsevier Applied Science.
Risk Assessment

BARRIER ANALYSIS
[BOW-TIE]
The Bow Tie Risk Analysis

 The Bow Tie method provides a very effective, and proven, way of understanding and analyzing the defenses in the Reason Model.
 It is particularly useful in proactive accident/incident prevention, and the management of safety within a system.
 It was developed as a technique for developing safety cases in the Oil and Gas industry.
 By linking the hazards and the consequences through a series of event lines it is possible to develop a diagram illustrating the routes to accidents.
 Preventive and recovery controls are illustrated to show the fundamental components of the safety management system.
 Further understanding is gained by examining the routes by which the controls can fail and identifying the critical components of the system that prevent these failures.
 It is designed for the management of risk rather than the detailed quantitative assessment of risk.
 It provides a diagrammatic representation of the relationship between the management system and the hazards being managed.
 This is then used to identify the outcome of any changes that might take place in the management systems.
 The Bow Tie system is not designed to identify hazards, but rather to illustrate the physical and procedural controls that are in place to manage hazards.

Basic Bow Tie Concept
Bow Tie Checklist:
 Select a hazard
 Assign the Top Event for that hazard
 Identify:
- Threats
- Consequences
- Preventive Controls
- Recovery Controls
- Escalation Factors
- Escalation Controls
A Top Event must be assigned for the hazard under consideration

 The Top Event is defined as: 'The point at which control of the hazard is lost'.
 It is important to define precisely what the nature of the top event is in order that the controls can be effectively placed as either 'preventive' or 'recovery' controls.
 In the case of the 'toxic chemical' hazard, the top event would be a spillage of the chemical, because this is the point at which control of the situation is lost and any further controls are only able to mitigate the outcome of the event.
Identify the threats for each hazard

 Threats represent the failure modes through which the hazard can materialize.
 They can be thought of as system or equipment failure modes that would be identified through a structured review process such as Failure Modes and Effects Analysis (FMEA).
 Understanding of the threats is essential in order to manage them effectively.
 A threat is an agent acting to defeat the "protection" of a hazard, and cause its release. What can release the hazard?

Threats – toxic chemical hazard
 Corrosion of container
 Poor design of container
 Dropping of container from height
Identify the consequences for each hazard

 The 'consequences' are the final results that could occur in the event of the entire accident sequence being realized.
 The "ultimate price" paid in the form of one, or all, of:
  - damage to environment,
  - asset write off / shut down,
  - hospitalization / death,
  - reputation and integrity loss,
  - increased insurance liabilities.
 That is, what will happen in an accident resulting from a loss of control of a hazard (a 'top event') and the failure of the recovery controls.

Consequences – toxic chemical hazard
 Death or injury from contact with chemical
 Contamination of workplace
Identify controls for each hazard

 The controls are the mechanisms or systems that are in place:
  - to prevent threats realizing the top event (preventive controls) or,
  - to recover control following the occurrence of the top event (recovery controls) prior to one of the potential consequences being realized.
 Controls may be equipment or procedural systems and are required to act as barriers, or defenses, to the event sequences.

Controls for toxic chemical hazard

Preventive Controls – before the top event (spillage)
 - maintenance program
 - inspection schedule
 - chemical handling procedures
 - container transport procedures

Recovery Controls – after the top event (spillage)
 - neutralizing chemicals
 - personal protective equipment
 - emergency evacuation procedures
 - water sprays
Identify Escalation Factors:

 For each of the independent controls, possible escalation factors need to be identified.
 These can be thought of as threats or operational issues that could compromise the effectiveness of the control they affect.
  - examples of escalation factors could be 'Infrequent maintenance' or 'Incorrect design standard'.
Escalation factors for toxic chemical: preventive controls

Preventive Control             | Escalation Factor
maintenance program            | lack of maintenance
inspection schedule            | non compliance with inspection schedule
chemical handling procedures   | procedures misunderstood by workers
container transport procedures | non compliance with procedures

Escalation factors for toxic chemical: recovery controls

Recovery Control                     | Escalation Factor
neutralizing chemicals               | chemicals time expired
personal protective equipment (PPE)  | PPE not fit for purpose
emergency evacuation procedures      | procedures not known by workers
water sprays                         | spray nozzles blocked
Identify Escalation Controls:
 In the same way as the escalation factors are directly related to the recovery and preventive controls, so the escalation controls are directly relevant to a given escalation factor.
 The escalation controls are typically management procedures that are designed to directly prevent the escalation factors from affecting the performance of the recovery and preventive controls.
Escalation controls for toxic chemical: preventive control escalation factors

Preventive Control             | Escalation Factor                        | Escalation Control
maintenance program            | lack of maintenance                      | Regular maintenance audits
inspection schedule            | non compliance with inspection schedule  | Regular audits/checking of compliance with inspection schedule
chemical handling procedures   | procedures misunderstood by workers      | Clarification of procedures in all languages
container transport procedures | non compliance with procedures           | Regular training in procedures

Escalation controls for toxic chemical: recovery control escalation factors

Recovery Control                | Escalation Factor               | Escalation Control
Neutralizing chemicals          | chemicals time expired          | regular replacement schedule
Personal protective equipment   | PPE not fit for purpose         | ongoing review and testing of PPE
Emergency evacuation procedures | procedures not known by workers | regular EP training program
Water sprays                    | spray nozzles blocked           | regular nozzle cleaning program
Why is the Bow Tie a useful tool in risk management?
 It concentrates our primary safety management focus on the top event rather than the consequence.
 This facilitates a more cost-effective allocation of resources than would be gained by going directly to the consequences, without going via the intermediate step of the top event, and identifying the various preventive and recovery control pathways.
 It is directly compatible with the Reason Model, and provides a way of better understanding the nature of the defenses in a system, which is essential to effective risk management.

The Bow Tie is a proactive risk management tool
 If you have an accident/incident associated with a particular hazard, you should be able to go immediately to your Bow Tie Analysis for that hazard and determine which of your preventive and recovery controls were not effective.
Risk Assessment
CAUSE AND EFFECT DIAGRAM
Cause and Effect Diagrams
Also known as Ishikawa or Fishbone

(Figure: fishbone diagram for the effect "Product Delivered Late". Potential causes on the bones: Testing Time, Inadequate Project Prioritization, Personnel, Materials, Insufficient Resources, Bad Specs.)

(Figure: the generic "cause and effect" or "Ishikawa" diagram. Causes, grouped into categories such as Materials, Resources, Plant and Machinery, Method and Processes, Measurement and Standards, run along the bones to their root causes; the effect / problem statement sits at the head.)

CAUSE AND EFFECT DIAGRAM

TIP: Make sure everyone agrees on the problem statement. Include as much information as possible on the "what," "where," "when," and "how much" of the problem. Use data to specify the problem.

Draw major cause categories or steps in the production or service process. Connect them to the "backbone" of the fishbone chart.

Place the brainstormed or data-based causes in the appropriate category.

Ask repeatedly of each cause listed on the "bones", "Why does it happen?"

Hospital example . . . .

Table Top Exercise:
HIRADC
Risk Controls
Risk Control Measures
 Risk control is the measure, or measures, put into place to reduce the risk to an acceptable level.
 In deciding what constitutes an acceptable level, the organisation must be able to show that it has taken all relevant factors into account, including, if appropriate, the costs of different types of control measures.
 This will normally require documentary evidence that this has been done.
Controlling Risk
 Risk Avoidance – This strategy involves a conscious decision on the part of the organisation to avoid a particular risk completely by discontinuing the operation producing the risk, e.g. replacing a hazardous chemical by one with less or no risk potential.
 Risk Retention – The risk is retained in the organisation, where any consequent loss is financed by the company. There are two aspects to consider here: risk retention with knowledge and risk retention without knowledge.

Controlling Risk
 Risk Transfer – This refers to the legal assignment of the costs of certain potential losses from one party to another. The most common way is by insurance.
 Risk Reduction – Here the risks are systematically reduced through control measures, according to the hierarchy of risk control described in earlier sections.
ALARP

 Legislation requires employers to reduce risks
to a level that is as low as is reasonably
practicable (sometimes abbreviated as
ALARP).
 To carry out a duty so far as is reasonably
practicable means that the degree of risk in a
particular activity or environment can be
balanced against the time, trouble, cost and
physical difficulty of taking measures to avoid
the risk.
Hierarchy of Controls
(from most effective to least effective)

 Eliminate
 Substitute
 Engineering
 Admin
 Training
 PPE
 Emergency Response

Elimination of Risk
Where a work activity or process involves the use of a
hazardous chemical that is not essential, eliminate it
wherever practicable.
 Using a physical process rather than a chemical
process to clean an object, e.g. ultrasonic
cleaning;
 Using clips, clamps or bolts instead of an
adhesive;
 Purchasing supplies of materials in already cut
and sized form rather than carrying out a dust-
producing cutting process on site.
232
Substitution
Substitution of materials
Replacing a chlorinated degreasing solvent
with detergent;
Using a water-based paint in place of an organic solvent-
based paint;
Using a chemical in paste or pellet form rather than a
dusty powder;
Using a lead-free solder paste rather than a lead-based
solder.
Substitution of process or equipment
Brush application of paint rather than aerosol
application;
Dipping in a paint bath rather than spray painting.
Engineering Control
Plant, process or equipment that minimizes the generation of
hazardous substances, suppresses or contains hazardous
substances, or limits the area of contamination in the event of a
spill or leak.
 Ventilation
 Ventilated booth for spray painting
 Robot welding
 Deadman switch attached to grinding machines and
abrasive blasting nozzles
 Automation of the removal of objects from degreasing
baths
 Closed reaction vessels
 LOTO, ELCB, GFCI, double-insulated cables, etc.
Ventilation
 General Ventilation
 General ventilation systems add or remove air
from work areas to keep the concentration of an
air contaminant below hazardous levels.
 This system uses natural convection through open
doors or windows, roof ventilators, and chimneys,
or air movement produced by fans or blowers.

 Local Exhaust Ventilation
 A local exhaust system captures or contains
contaminants at their source before they escape
into the workroom environment.
 A local exhaust system removes the air contaminants
rather than just diluting them.
236
Parts of the Local Exhaust Ventilation
 Hoods into which the air contaminant is
drawn.
 Ducts for carrying the contaminated air to
a central point.
 An air cleaning device, such as a dust
arrester, for purifying the air before it is
discharged.
 A fan and motor to create the required
airflow through the system.
 A stack to disperse remaining air
contaminants.
237
Administrative Controls
 Rotation of personnel
 Limiting the time personnel spend in hazard areas
 Good housekeeping and maintenance, including cleanliness
in the workplace, proper waste disposal and adequate
washing, toilet and eating facilities.
 Special control methods for specific hazards, such as
shielding, monitoring devices and continuous sampling
with preset alarms.
 Medical controls to detect evidence of absorption of toxic
materials.
 Training and education to supplement engineering
controls.
 Emergency response training and education.
Limiting Operators’ Time
 Reduction of work periods is another
method of control in limited areas where
engineering control methods at the source
are not practical.
 Examples are:
- hot environments
- work done in compressed-air
environments (decompression chambers)

239
Good Housekeeping & Maintenance
Good housekeeping plays a key role in the control of
occupational hazards:
 Remove dust from the floor before it becomes airborne
through traffic, vibration and random air currents.
 Immediately clean up all chemical spills.
 Deposit all solvent-soaked rags or absorbents in
airtight metal receptacles and remove them daily to a safe
location.
 Periodically shut down equipment for maintenance.
Provisions must be made for cleaning the equipment
and piping systems by flushing them with applicable
materials.
 Decontaminate equipment, tools and PPE before
removing them from a work area.
240
Shielding
 This is one of the best controls used to
reduce or eliminate exposures to
physical stresses such as heat and
ionizing radiation.
 Shielding can also be used to protect
employees against exposure to radiant
heat sources.
241
Personal Hygiene
Personal hygiene is a very
important control measure when
workers are exposed to
contaminants:
 Provision of smoking,
washing and eating facilities
 Provision of shower facilities
and change rooms for
changing from work clothes to
street clothes
 Policy of no eating or
drinking in chemical facilities
 Posting of hazardous work
areas with caution and
warning signs
Waste Disposal
 All hazardous wastes must be handled
with great care so as not to harm the
immediate environment where they are
generated.
 Containers of hazardous wastes must
be properly labeled, and caution signs
must be posted in areas where they are
generated and stored.
 Disposal of hazardous wastes must only
be done by trained personnel.
Medical Controls
Medical controls are an important part of an
occupational health control program:
 A medical control program can serve as a
verification of the engineering controls or other
control methods.
 A medical program should parallel the industrial
hygiene program.
 A physical examination of new employees should
include a thorough, detailed history of previous
occupational exposures to chemical and physical
agents.
 The periodic medical examination is a monitoring
procedure supplementary to environmental
monitoring.
Spirometry is a test that can
help diagnose various lung
conditions, most commonly
COPD (Chronic Obstructive
Pulmonary Disease).

245
Audiometric Monitoring

246
Training and Education
 Training and education are
required to supplement
engineering controls.
 Short courses on specific health
hazards must be developed in
order to help the workers
understand the hazards they
encounter in the workplace.
 Managers and supervisors must
be made aware of their moral
and legal responsibilities in
controlling the exposures of
their workers.

247
Personal Protective Equipment

 Eye and face protection
 Respiratory protective devices
 Protective clothing/gloves
 Hearing protective devices
 Foot protection
 Head protection
 Tripods
 FBH (full body harness) & lifeline
 Miner’s lamp
 Protective creams and lotions
248
Welding helmets with filter plates are
intended to protect users from arc rays
and from weld sparks and spatters.

249
Dust, Mists & Fume Respirators

250
Air-Purifying Respirators

Half Mask, Cartridge Type


251
SARs - SCBA

252
SARS - EEBDs

253
Hand Gloves

254
Ear Plugs

255
Ear Pods

256
Ear Muffs

257
258
259
Head protection

Hazards:
- Flying objects
- Falling objects
- Impact against fixed objects

PPE:
- Hard hat (Helmet)
- Bump Cap

260
How Hard Hats Protect You
 A rigid shell resists and
deflects blows to the head;
 The suspension system inside acts
as a shock absorber;
 Some hats serve as an insulator
against electrical shocks;
 The shell shields your scalp, face, neck,
and shoulders against splashes,
spills, and drips;
 Some can be modified so you can
add face shields, goggles, hoods
or hearing protection.
Tripods & Winches

262
Standard Full Body Harness
 Complies with the ANSI
standard
 Lightweight 45mm
webbing and
aluminum buckles.
 Stainless steel D-
rings.
 Sliding D-ring
configuration is the most
comfortable.

263
Lanyards

264
Lifeline

265
Inspection and Maintenance
o Proper inspection,
maintenance, and repair of
respiratory protective
equipment is mandatory to
ensure success of any
respiratory protection
program.
o All equipment must be
inspected periodically before
use and after each use.
o Respirator maintenance
should be performed regularly.

266
Inspection and Maintenance
267
Emergency Response

 Spill kits
 Body/eye showers
 Ambulance (with oxygen, stretcher, hospital
location map, driver, etc.)
 Fire fighting equipment
 Emergency response card
 Central panel annunciator board
 CCTV
 Panic door
 Emergency rescue
268
The Process of Hazard Identification, Risk
Assessment & Determining Control

HIRADC
Forklift Battery Charging

Risk Controls

269
OPERATIONAL RISK MATRIX
HIRARC
Forklift Battery Charging
Qualitative Risk Analysis

Columns: Process Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

Process Step: Forklift parking at battery charging station; stop engine and park
Hazards: Run over
Effects: Crushing injury, property damage
Existing Controls: Trained and authorized operators; Delineated parking area; Inspection checklist; Preventive maintenance
L / C / RFN / Level: C / 3 / 13 / High
Future Controls: Backing alarm; Beacon light; Chocks (use chocks); Recertification of operator; Implement proper parking techniques
RRN: 5

Process Step: Battery dismantling, lifting using overhead crane and transferring to charging station
Hazards: Manual & mechanical handling; Electrical contact
Effects: Crushing injury, property damage, electrical shock
Existing Controls: Remove jewellery; Use electrical gloves while lifting and dismantling battery terminals; Carry battery using overhead hoist; Inspection checklist
L / C / RFN / Level: C / 3 / 13 / High
Future Controls: Third party certificate of overhead crane & lifting gears; Preventive maintenance
RRN: 5
HIRADC
Forklift Battery Charging
Qualitative Risk Analysis

Columns: Process Steps | Hazards | Effects | Existing Controls | L | C | RFN | Level | Future Controls | RRN

Process Step: Battery charging
Hazards: Hydrogen gas; Sulfuric acid; Electrical contact
Effects: Burn, fire, property damage, electrical shock
Existing Controls: Use rubber gloves and an insulated tool when opening the cap, and face away from the cell; When adding water, use watering cans to avoid contact with acid and battery terminals; Maintain ventilation and standby fire extinguishers; Ensure an eyewash station is readily available
L / C / RFN / Level: C / 4 / 18 / High
Future Controls: Work permit system; Mandatory no smoking; Isolation & shielding; General promotion; Disciplinary action
RRN: 5
274
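The register rows above, checked against the hierarchy of controls from the earlier slides, as an added example that is not part of the original course material. The assignment of each future control to a hierarchy category (e.g. "Backing alarm" as Engineering, "Preventive maintenance" as Admin) is an assumption made here for illustration; the RFN/RRN values and control names are taken from the register.

```python
"""Review a HIRADC register: residual risk must drop, and controls should not rely only on admin/PPE."""
from dataclasses import dataclass

# Hierarchy of controls from the slides, most effective first (lower rank = better).
HIERARCHY = ["Eliminate", "Substitute", "Engineering", "Admin", "Training", "PPE", "Emergency Response"]
RANK = {name: i for i, name in enumerate(HIERARCHY)}


@dataclass
class Step:
    name: str
    rfn: int          # risk factor number with existing controls (from the register)
    level: str        # qualitative level from the matrix
    future: dict      # future control -> hierarchy category (category labels are assumed here)
    rrn: int          # residual risk number after future controls (from the register)


# Rows constructed from the forklift battery charging register above.
REGISTER = [
    Step("Forklift parking at charging station", 13, "High",
         {"Backing alarm": "Engineering", "Beacon light": "Engineering", "Chocks": "Engineering",
          "Recertification of operator": "Training", "Proper parking techniques": "Admin"}, 5),
    Step("Battery dismantling and lifting", 13, "High",
         {"Third party certificate of crane & lifting gears": "Admin", "Preventive maintenance": "Admin"}, 5),
    Step("Battery charging", 18, "High",
         {"Work permit system": "Admin", "Mandatory no smoking": "Admin", "Isolation & shielding": "Engineering",
          "General promotion": "Training", "Disciplinary action": "Admin"}, 5),
]


def best_control(step: Step) -> str:
    """Highest-ranked hierarchy category among the step's future controls."""
    return min(step.future.values(), key=RANK.__getitem__)


def review(register, min_category: str = "Engineering") -> list:
    """Return findings: residual risk not reduced, or no control at min_category level or better."""
    findings = []
    for s in register:
        if s.rrn >= s.rfn:
            findings.append(f"{s.name}: RRN {s.rrn} is not below RFN {s.rfn}")
        if RANK[best_control(s)] > RANK[min_category]:
            findings.append(f"{s.name}: no future control at {min_category} level or better")
    return findings


if __name__ == "__main__":
    for finding in review(REGISTER):
        print(finding)
```

With the labels assumed above, only the battery dismantling step is flagged, because both of its future controls are administrative.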
Coincidence or Not?
If
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

equals
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

then
K + N + O + W + L + E + D + G + E
11 + 14 + 15 + 23 + 12 + 5 + 4 + 7 + 5 = 96%

H + A + R + D + W + O + R + K
8 + 1 + 18 + 4 + 23 + 15 + 18 + 11 = 98%

Both are important, but the total falls just short of 100%.

But
A + T + T + I + T + U + D + E
1 + 20 + 20 + 9 + 20 + 21 + 4 + 5 = 100%

Safety really is about attitude. Make 100% Safe Behavior your choice
both ON and OFF the job.
You can never implement an
effective safety program if

YOU
will not identify the hazards in your
work areas.

276
Hazard Identification, Risk Assessment
& Determining Control

Thank you
and let us

“Make Safety a Way of Life On
and Off the Job”

PEME Consultancy, Inc.


277
