Identifying Hazards,
Assessing and
Evaluating Risk
International Diploma-A3
©C
HSS Ltd 2007 Page 2 of 66
Sales Ref: sc/715/v2.1
Contents
Assessing and Evaluating Risk
Definitions
Hazard Identification
Who may be Harmed and in What Circumstances
Evaluating the Risks
Record the Significant Findings
Review
Task Analysis
MEEP Analysis
Information Sources
Accident and Incident Data
Risk Rating
Principles and Techniques of Failure Tracing Methods
The Basic Concept of HAZOP
Relation to other Analysis Tools
Failure Modes Effects Analysis (FMEA)
Fault Tree Analysis
And/Or Gates
Numerical Evaluation of Fault Tree
Event Tree Analysis
References
Tables
Table 1: Risk Assessment Factor
Table 2: Action Required
Table 3: Risk Assessment Matrix
Table 4: Public Tolerance of Incidents
Table 5: Tolerability of Risk from Nuclear Power Stations, HSE
Table 6: A List of Guide Words
Table 7: Completed HAZOP Study Results
Table 8: Sample FMEA Worksheet for a Hydraulic System
Table 9: Sample FMEA Worksheet for a Hydraulic Pump
Figures
Figure 1: Flow Diagram Demonstrating Risk Management
Figure 2: Accident Triangles, HSG 65
Figure 3: Tolerability of Risk from Nuclear Power Stations, HSE
Figure 4: An Example of a Simple Flowsheet
Figure 5: Why do we Want to Apply Numerical Methods to Safety Problems?
Figure 6: Or Gate
Figure 7: And Gate
Figure 8: Example Fault Tree
Figure 9: Numerical Evaluation of Fault Tree (and Gate)
Figure 10: Numerical Evaluation of Fault Tree (or Gate)
Figure 11: Accident on a Roundabout
Figure 12: Example of a Fault Tree Numerical Analysis
Figure 13: Example Event Tree
Figure 14: Numerical Evaluation of an Event Tree
Figure 15: Worked Example Event Tree
Figure 16: Bow-Tie model
The following diagram demonstrates risk management as a flow diagram. See later
for further explanation of the terms used.
Risk assessment is the cornerstone for the management of health and safety at
work. A suitable and sufficient assessment requires that greater risks be given more
detailed assessments. Having identified the risks, the control measures must then
be compared with minimum acceptable standards.
Before discussing the process of assessing and evaluating risk there must first be
clarification on the key terminologies.
Definitions
Hazard
The dictionary definition of hazard is “chance, risk, danger” and hazardous is “risky”
which is of little help in distinguishing between the terms hazard and risk for the
purpose of assessing and evaluating risk. For health and safety purposes the
definition of hazard is “the potential to cause harm”.
This is a very broad definition and in many ways can be interpreted to mean
anything. It would be helpful therefore to categorise hazards to make identification
easier. Hazards may be either:
Biological e.g. HIV virus, legionella, hepatitis virus (usually a disease causing
agent).
Risk
Again, in normal usage the dictionary definition of risk is “chance of
disaster or loss”. Clearly this implies a certain probability of occurrence or likelihood.
For the purpose of assessing and evaluating risk the term must be clear, and it is
defined as “the probability of harm from a particular hazard being realised”.
For example, noise is a hazard, i.e. it has the potential to cause harm. The risk is the
likelihood that it actually will cause harm. Clearly this is dependent on a number of
different factors (risk factors) such as how loud the noise is, how long an individual is
exposed to the noise, the frequency of the noise, the individual’s personal
characteristics / predisposition to suffering noise-related effects, previous
exposure and so on.
Most people undertake risk assessment as a normal part of their everyday lives.
Activities, such as crossing the road and driving to work, routinely call for a complex
and ongoing analysis of the hazards and risks involved in order to avoid damage and
injury. Therefore most people are able to recognise hazards as they develop and
take corrective action. People do, for a variety of reasons, have widely different
perceptions regarding risk and would find it difficult to apply their experience to formal
workplace risk assessments.
There are many variations on the risk assessment process; the following system is
based on the “5 Steps to Risk Assessment” IND (G) 163L published in the UK by
HSE.
Evaluate the risks arising from the hazards and decide whether the existing
precautions are adequate or more should be done.
Hazard Identification
Hazard identification can be completed in a number of different ways. Proactively the
process can be completed through organised inspections, samples, surveys, tours
and reactively by examining injury / accident and ill-health reports.
For the purposes of risk assessment all hazards (i.e. anything with the potential to
cause harm) must be considered.
If for example, an inspection failed to identify any unsafe electrical equipment / wiring
it would not be listed as a hazard and might not be assessed. The use of electrical
equipment clearly needs to be assessed very thoroughly.
Psychological, biological and ergonomic hazards are not easy to identify by visual
inspection.
Visual inspections are poor at detecting unsafe acts, lack of training and inadequate
operating procedures, all of which are key issues in risk assessment.
Injury and ill health Reports: Accident statistics can be a useful tool when
identifying risks which are not well controlled. When analysed the statistical
information can be manipulated to provide important causal leads on risk areas
where action should have been taken or indeed where the action taken is not
appropriate to minimise the risks. The organisation should have specific event
recording systems in place to ensure that all relevant data is gathered in sufficient
detail to facilitate proper analysis.
It is important to ensure that all groups of employees and others who might be
affected are considered; do not forget office staff, night cleaners, maintenance staff,
security guards, visitors and the general public. Specific action should be taken to
identify groups of employees who might be especially at risk, e.g. young persons,
new or inexperienced workers, those who work alone, any disabled staff or pregnant
workers. The assessment should be recorded, i.e. documented.
Account must also be taken of the presence of any risks to visitors, members of the
public and anyone else who may be affected by the work activity.
Likelihood
This requires an assessment or evaluation of the likelihood (probability) of the hazard
resulting in a loss. Consideration will need to be given to the following:
Severity
This requires an assessment or evaluation of the possible outcome(s) if the hazard
was not sufficiently controlled and things went wrong.
The risk rating may then be judged by qualitative means, which are based on
the experience and expertise of the assessor; by semi-quantitative means, which
provide a crude scoring mechanism and allow the risks to be rated and prioritised
(this technique is particularly useful for justifying expenditure on risk control
relative to other risks); or by quantitative assessments from probability data.
Specific techniques such as Hazard and Operability (HAZOP) studies, Fault Tree
Analysis (FTA), Failure Modes and Effects Analysis (FMEA) and Event Tree Analysis
(ETA) can be used to determine the frequency of events occurring or the probability
that a particular event will occur. Probability theory is based on a scale that
extends from 0 to 1, where zero represents no occurrence and 1 represents a
certainty. Where the data is available for a series of linked events, e.g. a flammable
gas release followed by an ignition source, then the final probability of the last event
can be calculated.
In order to carry out these advanced risk assessment techniques, the numerical data
must be supplied.
A method of estimating likelihood and severity, although not wholly scientific,
can be useful when determining priority as regards health and safety effort. This
semi-quantitative approach is not absolutely essential and, even when it is used, it
should not mask the main purposes of the assessment as discussed earlier. There
are many versions of the technique; the following system is taken from the UK’s HSE
document Successful Health and Safety Management HSG 65.
1) Minor (for example, all other injuries including those where people
are off for periods of up to three days).
2) Medium (for example injuries where people may be off work for more
than three days).
Severity of outcome
High (3) 3 6 9
Multiply the Severity number by the Likelihood number to arrive at the risk factor for
each hazard. This produces a number on a scale of 1 to 9. These numbers provide
an indication of priority and the extent of the risk: the higher the number, the greater
the priority and risk, and therefore the more resources which may be needed to
control the risk.
As a rough guide:
1 is a low risk but actions should still be taken to try to reduce these
risks further if possible within reasonable limits.
Note that this system provides an indication of risk only and is based on subjective
judgement therefore employers must satisfy themselves that the risk assessment and
the actions taken to deal with the hazards they have identified are adequate.
Some ‘organisations’ are using a matrix similar to the one above but with four, or
more usually five, rows and columns for likelihood and severity.
The intersection of the chosen column with the chosen row is the risk classification.
Incidents can have consequences in all four consequence categories. In fact, for the
same scenario, different classifications may apply to P, A, E, and R.
The red coloured shading in the RAM represents the high risk area, yellow the
medium risk area and blue the low risk area. The level of risk then determines the
priority for action. With increasing risk the priority for action increases, with an
increasing call on resources and increasing management involvement.
When the RAM is applied to make judgements in the light of the agreed risk
tolerability criteria, the blue, yellow and red areas are normally set as follows:
Blue area: Manage for continuous improvement. Risk controls are specified in the
Health, Safety and Environment Management System (HSEMS). The management of the
risk is within the accountability of the competent staff, using existing procedures,
budgets and resources.
Yellow area: Incorporate risk reduction measures to reduce the risk to a level which
is as low as reasonably practicable (ALARP). These risks are too serious to be left to
the standard procedures in the management system. Additional controls are
required. Management starts to become more involved. The control level to be
reached is ALARP and this needs to be demonstrated in the HSEMS.
Consequence, by severity rating:
Severity  People               Assets             Environment        Reputation
0         No injury            No damage          No effect          No impact
1         Slight injury        Slight damage      Slight effect      Slight impact
2         Minor injury         Minor damage       Minor effect       Limited impact
3         Major injury         Localised damage   Localised effect   Considerable impact
4         Single fatality      Major damage       Major effect       National impact
5         Multiple fatalities  Extensive damage   Massive effect     International impact
Likelihood columns:
Never heard of in the industry
Has occurred in the industry
Incident has occurred in Opco
Happened several times a year in Opco
Happened several times a year in location
Risk areas shown on the matrix: Low, Medium and High Risks.
Identify significant findings such as the hazards and the risks they present.
Identify existing controls and the need for further controls as necessary.
Identify the individuals affected which could include persons not directly under
the control of the employer, e.g. members of the public.
Remember that the format of the record is not laid down in law but it should not over
complicate the assessment nor trivialise the risks.
Review
Assessments should be reviewed if:
Evidence of injuries, ill health or near misses would be among the reasons for
suspecting that an assessment may no longer be valid. Accident / incident
investigations should routinely consider whether or not the risk assessment needs to
be reviewed.
Some of the ‘significant changes’ that might require a review of the risk assessment
are:
Task Analysis
Job Safety Analysis
Job Safety Analysis (JSA) is a work study technique in which a task is carefully
observed and every detail recorded. The process is often used in conjunction with
the development of Safe Systems of Work, work instructions, safety training etc. The
method of working is then evaluated so as to identify hazards. An ‘ideal’ safe method
is then developed and implemented.
Record in detail how the job is done, the equipment and materials used and
any hazards involved. This is best done by observation and discussion with
those ‘job holders’ actually doing the job under review.
Evaluate the risks involved in the activity (refer to accident records etc).
Develop a safe system for carrying out the work. At this stage reference is
made to applicable standards, e.g. legislation, codes of practice.
Maintain the system (by supervision, etc) and monitor those who carry out the
work to ensure that the system does not deteriorate.
Job Safety Analysis goes further than merely identifying hazards. As noted above, in
many ways ‘job safety analysis’ is similar to the risk assessment process. The
distinctive feature is the work study style observation of how the work is done
followed by careful evaluation to develop the ‘ideal’ system of work.
MEEP Analysis
MEEP Approach
All risks arising from the work activity must be assessed.
The activity can be broken down into individual elements so that hazards (conditions
or actions) at each stage can be analysed.
The degree of detail of analysis should depend on the level of risk involved, but in
any case all components of the work should be included in the analysis.
A useful approach to ensuring the key areas are considered for analysis is to
consider the four main elements of the activity.
Materials
What materials does the activity have the potential to expose employees to and how
are they handled, mechanical or manual? Following consideration of this element
risks can be controlled.
Environment
Take into account the levels of lighting, heating, environmental noise, ventilation,
welfare facilities, etc. Does the condition of floors, seating, access to, egress from,
means of escape, layout and working space have an adverse effect on exposure to
risks? Remember that for outdoor activities the weather can change very quickly and
the hazards on a bright July morning are very different to a dark November
afternoon.
People
Consider who is involved and their levels of competence. Is there specific
information, training or instruction that is required, and what level of supervision is
adequate for the task being analysed? Do particular disabilities, or the presence of the
public or other persons, have an effect on the activity and the level of risk involved?
Task analysis should then consider these points in adequate depth to ensure the
development of a safe system of work.
Information Sources
When identifying hazards for the purpose of conducting risk assessments and
subsequent evaluation of the risks the employer must consider the source of data for
the evaluation which can of course be either internal to an organisation or external.
Internal Sources
Health and safety practitioner (Advisor / Officer etc).
Inspection reports.
Accident records.
Risk assessments.
Plant registers.
Policies.
Medical records.
External Sources
National Government Bodies, e.g. UK HSE.
Suppliers / Manufacturers
Suppliers of substances, plant, equipment, etc.
The Internet
A number of sites exist relating to health and safety including:
Care must be taken when relying on data sourced from the internet since its use is
unregulated. This makes for a vast data source, but untrustworthy sites are
commonplace.
Libraries
International, European & British Standards
The ILO formulates international labour standards in the form of Conventions and
Recommendations setting minimum standards of basic labour rights: freedom of
association, the right to organise, collective bargaining, abolition of forced labour,
equality of opportunity and treatment and other standards regulating conditions
across the entire spectrum of work related issues. It provides technical assistance
primarily in the fields of:
Employment policy.
Labour administration.
Working conditions.
Management development.
Co-operatives.
Social security.
In order to attain these objectives, the ILO assists member States as well as
employers’ and workers’ organisations in ratifying ILO Conventions and implementing
international labour standards. Since 1994, the ILO has been engaged in a process
of modernising and strengthening its labour standards system.
The Agency is also a tripartite European Union organisation and brings together
representatives from three key decision-making groups in each of the EU Member
States – governments, employers and workers’ organisations.
Located in Bilbao (Spain) the Agency has co-ordinated a network since 1997 with
Focal Points in each Member State of the Union.
For example, most drivers of cars will experience a near miss during their driving
life, fewer will experience a collision, and fewer still will experience a major
collision. The actual numbers and ratios involved are not relevant; what is relevant
is the relationship they illustrate, namely that there are a greater number of minor
events than there are major events.
Similarly, if we take the view that an incident is the same as an accident without the
outcome of an injury, then by reducing the number of near misses it follows that the
number of accidents and major accidents will be reduced. When gathering accident
and incident data for the purposes of monitoring risk control measures, the employers
must be confident that the accidents and incidents are actually reported and that
non-reporting of events is not commonplace within the workforce.
Analysing Trends
By gathering accident and incident data over time, an analysis can be performed
in which the number of events is measured over that time period. Whether the
number of events increases or decreases then gives a measure of the trend
over the period. This trend analysis is subject to a number of different
influences. As mentioned earlier, under-reporting, possibly even over-reporting,
and of course the nature of the operation will influence the figures that are
actually reported. Consequently the trend may be influenced by
aspects other than the actual events themselves. Similarly, where the amount of
work that an organisation carries out is reduced, the number of
undesirable events (accidents / incidents) will decrease regardless of any changes in
safety management practices.
Because the number of events recorded is influenced by these other parameters,
the data recorded on the chart will include a number of peaks and troughs, which
can make ‘spotting the trends’ difficult. One method of countering this difficulty
is to display the data grouped into, for example, quarterly
time spans. (See Element A2).
Risk Rating
Acceptability and Tolerability of Risk
The HSE have examined the concepts of acceptability and tolerability of risk in some
detail in their document Reducing Risks, Protecting People, 2001.
For example most people are undeterred from using the road and car as a means of
transport despite learning that over 5,000 people are killed each year by traffic in the
UK.
Similarly despite the fact that there is an average chance of 1 in 10,000 women of
dying as a result of childbirth people are not put off having children.
The view of risk varies significantly depending on whether the individuals are capable
of judging the extent of the hazard by experience or whether there is a lack of
understanding from the cause or the presence of the danger or whether there is a
In many circumstances the risk assessor looks at the hazard associated with a
situation or event, while the public may look at the outrage involved. This is not a
misperception of risk by either, simply a different way of defining a particular risk.
Individual concerns or how individuals see the risk from a particular hazard
affecting them and things they value personally. This is not surprising since
one of the most important questions for individuals incurring a risk is how it
affects them, their family and things they value. Though they may be
prepared to engage voluntarily in activities that often involve high risks, as a
rule they are far less tolerant of risks imposed on them and over which they
have little control, unless they consider the risks as negligible. Moreover,
though they may be willing to live with a risk that they do not regard as
negligible, if it secures them or society certain benefits, they would want such
risks to be kept low and clearly controlled.
Hazards giving rise to societal concerns share a number of common features. They
often give rise to risks which could cause multiple fatalities; where it is difficult for
people to estimate intuitively the actual threat; where exposure involves vulnerable
groups, e.g. children; where the risks and benefits tend to be unevenly distributed -
for example, between groups of people with the result that some people bear more of
the risks and others less, or through time so that less risk may be borne now and
more by some future generation. People are more averse to those risks and in such
cases are therefore more likely to insist on stringent Government regulation. The
opposite is true for hazards that are familiar, often taken voluntarily for a benefit, and
individual in their impact. These do not as a rule give rise to societal concerns.
Nevertheless, activities giving rise to such hazards (for example, bungee jumping)
are often regulated to ensure that people are not needlessly put at risk.
In dealing with societal risk the term outrage is often used to describe the public’s
reaction, based on a number of subjective, personal factors. These factors can be
summarised in a series of questions about the potential hazard.
To describe the outrage level, see what column these hazard criteria fit into: High
outrage or Low outrage
If the words in the first column best describe the hazard, then the public outrage is
likely to be high. Regardless of what the assessors believe, the public will perceive
the hazard as being associated with a high risk. If, however, the words in the second
column best describe the hazard, then the outrage is likely to be low.
Where risks aren’t so clearly defined, risk communication and consultation are
important.
Radon provides a good example of a situation where the public has a low outrage
level where assessors consider that there is a high hazard level, while the Electro
Magnetic Flux controversy provides an example of high public outrage and current
low hazard estimates by assessors.
"To the extent that we give remote risks any thought at all we do so knowing that
each of us will ultimately die from some cause or other and that it could happen this
year or next in any case. In fact on average in Britain a man of twenty has roughly a
1 in 1,100 chance of dying within a year, while for a man of forty the chance is around
1 in 600. At sixty it is 1 in 65 for a man and 1 in 110 for a woman. Each particular
risk or cause of death is just one contributor to the overall risk we run."
HSE, 2004
In essence, making sure a risk has been reduced ALARP is about weighing the risk
against the sacrifice needed to further reduce it. The decision is weighted in favour
of health and safety because the presumption is that the duty-holder should
implement the risk reduction measure. To avoid having to make this sacrifice, the
duty-holder must be able to show that it would be grossly disproportionate to the
benefits of risk reduction that would be achieved. Thus, the process is not one of
balancing the costs and benefits of the measures but, rather, of adopting measures
except where they are ruled out because they involve grossly disproportionate
sacrifices. Extreme examples might be:
In reality many decisions about the risk and the controls that achieve ALARP are not
so obvious. Factors come into play such as ongoing costs set against remote
chances of one-off events, or daily expense and supervision time required to ensure
that, e.g. employees wear ear defenders set against a chance of developing hearing
loss at some time in the future. It requires judgement. There is no simple formula for
computing what is ALARP.
Nevertheless the HSE suggested in their publication ‘The tolerability of risk from
nuclear power stations’, 1992, that an individual risk of death of 1 in 1,000 (10⁻³) per
annum should on its own represent the dividing line between what could be just
tolerable for any substantial category of workers for any large part of a working life,
and what is unacceptable for any but fairly exceptional groups.
For members of the public who have a risk imposed on them ‘in the wider interest of
society’ this limit is judged to be lower, at 1 in 10,000 (10⁻⁴) per annum.
The HSE suggest that these limits should be used with caution, because:
Hazards that give rise to such levels of individual risks also give rise to
societal concerns and the latter often play a far greater role in deciding
whether a risk is unacceptable or not.
The limits were derived for activities most difficult to control and reflect
agreements reached at international level. In practice most industries in the
UK do much better than that.
Where societal concerns arise because of the risk of multiple fatalities occurring in
one event from a single major industrial activity the HSE propose that the risk of an
accident causing the death of 50 people or more in a single event should be
regarded as intolerable if the frequency is estimated to be more than 1 in 5,000 per
annum.
In the case of most housing developments, the HSE advises against granting
planning permission for any significant development where individual risk of death for
the hypothetical person is more than 10 in a million per year, and does not advise
against granting planning permission on safety grounds for developments where
such individual risk is less than 1 in a million per year. Different criteria are applied to
sensitive developments where those exposed to the risk are more vulnerable, e.g.
schools, hospitals or old people’s homes, or to industrial or leisure developments.
There are four primary reasons for carrying out a HAZOP on high risk plants:
To reduce taxes.
Knowledge of plant.
The principle of reasonable practicability means to assess risk, and proportion new
measures of control to such assessments. This has led to a methodology of
quantified risk assessment which is an important element in producing a balanced
decision on the precautions to be applied to reduce the components of the overall
risk, particularly where major hazards are concerned, and for prioritising or targeting
control measures.
At the design stage, HAZOP will cost about 1.5 to 2% of the total project cost; for
existing plant the cost may be as high as 5% of the original cost. It is an expensive
process and it is important to consider whether the expense is necessary to complete
a 'suitable and sufficient risk assessment'.
Study nodes: locations on plant and instrumentation (P&I) drawings setting scope of
studies.
Parameters
These are departures from the intention which are discovered by systematically
applying the guidewords:
Changes in quantity.
Emergency.
The questioning is focussed in turn on every part of the design. Each part is
subjected to a number of questions formulated around a number of guidewords,
which are derived from method study techniques. In effect, the guidewords are used
to ensure that the questions, which are posed to test the integrity of each part of the
design, will explore every conceivable way in which that design could deviate from
the design intention.
Existing Control
Like all base link assessments, existing controls should be documented in detail or
referred to, e.g. standard operating conditions. When considering future upgrades,
changes etc.
Further Action
This should be detailed and numbered for easy reference. Once 'checking' items
have been eliminated the final document can be produced.
Particular features of the HAZOP technique are the team approach and the key
definitions employed in the studies.
Team Approach
HAZOP utilises the collective effort of a multidisciplinary team to investigate possible
variations and deviations from the design intent. The team will be chaired by an
experienced facilitator who will guide and supervise the team throughout the study.
The team will possess a blend of expertise and skills reflecting the operational
requirements of the plant under investigation. A typical team will consist of a safety
engineer, process engineer, instrumentation engineer, electrical engineer, operation
engineer, and mechanical engineer. Other science and engineering disciplines may
be added to the team to suit the particular requirements of a specific plant.
There are ten stages in implementing a HAZOP study. These are described below.
Existing Plant
The team leader plays a vital role in the success of the HAZOP study. The
team leader should be an independent and experienced HAZOP facilitator
with knowledge of chemical engineering, e.g. valve actuation, etc. and
process design principles. The main task of the team leader is to identify
problems, define study nodes, guide the team members and maintain their
concentration on the tasks assigned to them. Prior to arranging meetings, the
team leader estimates the team-hours needed for the study, the schedules,
durations and the frequencies of the sessions. The team leader prepares a
plan for the sequence of the study based on how the plant is operated, to
ensure that the study is implemented methodically.
The rest of the team should be skilled engineers in the disciplines relevant to
the plant operation, and an experienced plant operator with detailed
knowledge of the process. The selection of the size and composition of the
team should ensure that the group approach is maintained and that the team
possesses the levels of knowledge necessary to ensure a complete study.
For example, a team might include the following: design engineer, process
engineer, mechanical engineer, operation supervisor, instrument electrical
engineer, chemist, maintenance supervisor, and a safety engineer.
In their investigation, the team defines the physical boundaries of the systems
and equipment on which the HAZOP is carried out. The boundaries are
usually marked on P & I actuation drawings (plant and instrumentation) that
describe the overall layout of the plant, equipment, vessels, piping
instruments, valve types, and process parameters such as flow, temperature,
pressure, volume, etc.
This can vary from plant to plant. In continuous process plants the
processing of the data is minimal as the existing up-to-date flowsheets and P
& I diagrams usually contain enough information for the study. With batch
process plants, processing of the data is more expensive, mainly because of
the amount of manual operations involved.
7. Design review.
The team is assisted by a set of checklists and the P & I diagrams. The
checklists are applied at specific areas in the plant known as study nodes.
These nodes are points where the process parameters (pressure,
temperatures, flow, etc.) have a defined design intent. Between these nodes
are the plant components (pumps, vessels, heat exchangers, etc.) which can
cause changes in the parameters.
The recording process is a crucial part of the HAZOP study and it is important
that all ideas are recorded. The HAZOP form. This form is best filled in by an
experienced engineer who understands the discussions and records the
findings accurately.
10. Reporting.
The final report is compiled by the team leader for submission to the
management. The report should be concise and accurate in detail. The
report contains information about major deviations from design intent, details
of recommended design modifications, and capital expenditure needed for
implementation. All actions should be numbered for ease of reference.
[Figure 4: An Example of a Simple Flowsheet. Labels in the figure: Chemical A, Chemical B, Chemical C, valves, Pump 1, Pump 2, To Process.]
Referring to Figure 4 start with the pipeline extending from the suction side of the
pump which delivers raw material A to where it enters the reaction vessel.
The intention is partly described by the flowsheet and partly by the process control
requirements to transfer A at some specified rate. The first deviation is that obtained
by applying the guideword NOT, DON'T or NO to the intention. This is combined with
the intention to give:
No Transfer of A
The flowsheet is then examined to establish the causes which might produce a
complete cessation of the flow of 'A'. These causes could be:
Mechanical failure.
Electrical failure.
Pump being switched off.
Pipeline is fractured.
Isolation valve is closed.
Clearly some at least of these are conceivable causes and so we can say that this is
a meaningful deviation.
Next we consider the consequences. Complete cessation of flow of 'A' would very
soon lead to an excess of 'B' over 'A' in the reaction vessel and consequently to a
risk of explosion. We have therefore discovered a hazard in the design and this is
noted for further consideration.
We now apply the next guideword which is MORE. The deviation is:
MORE 'A' is passed into the Reaction Vessel.
The cause would be that the characteristics of the pump might, under some
circumstances, produce excessive flow rate. If this cause is accepted as realistic, we
then consider the consequences.
The reaction produces 'C' contaminated with an excess of 'A' which goes on
into the next stage of the process.
The excess flow into the reaction vessel means that some will leave the
vessel by the overflow.
Clearly some at least of these are conceivable causes and so we can say that this is
a meaningful deviation.
We now apply the next guideword which is LESS. The deviation is:
The causes are a little different from those when the deviation was the complete
cessation of the flow of 'A'.
AS WELL AS:
The transfer of 'A' somewhere else in addition to its transfer to the reactor.
Inspection of the flowsheet shows this is possible. It could for example flow
up the line on the suction side of the pump; and
The carrying out of another activity concurrently with the transfer. For
example, can 'A' boil or decompose in the pipelines or the pump?
PART OF:
The other related deviation is that which occurs when the design intention is
incompletely achieved. The guidewords are PART OF and the deviation PART OF
TRANSFER 'A'. This could mean:
The omission of one or more reactors if the pump delivers 'A' to more than
one reactor.
The final two deviations are again qualitative, but none of the original design intention
is retained. The first of these is the opposite of the design intention.
Reverse:
The guideword is REVERSE and the deviation REVERSE TRANSFER OF 'A'. This
means flow from the reactor back through the pump. The flowsheet is examined to
see if this is possible and the consequences are assessed.
Other than:
Lastly, there is the complete substitution of the design intention by something else.
The guidewords are OTHER THAN and the deviation is OTHER THAN TRANSFER.
This could mean:
When the pipeline which introduces raw material 'A' has been examined, it is marked
on the flowsheet as having been checked. The next part of the design is then
chosen for study and this could be the pipeline which introduces raw material 'B' into
the reaction vessel. This sequence is repeated for every part of the design, each
line, the vessel auxiliaries such as stirrers, any services to this vessel such as the
provision of heating and cooling and the vessel itself. This particular approach is
sometimes called the 'line by line' method.
Only under exceptional circumstances is a written record made of every step of the
examination. It is more usual to carry out the steps mentally and verbally in
discussion and to write down only the potential hazards and their causes.
The proposed action is also noted if it can be agreed straight away. If there is some
doubt about the action or if further information is required, the matter must be brought
forward to a subsequent meeting.
When studying a batch process plant, it is necessary to apply the guidewords to
the instructions, as well as the pipelines. For example, if an instruction states that 1
tonne of chemical 'A' has to be charged into a reactor; the team should consider
deviations such as:
Reverse charge 'A' (can flow occur from a reactor to 'A' container?) - this can
often be the most serious deviation;
HAZAN may form part of a wider study, e.g. HAZOP, and is used on selected parts of
a process, e.g. a safety relief valve. Quantitative data based on past experience is
the most important means of identifying hazards and assessing potential frequency,
e.g. safety relief valve failure; although for new processes and techniques
experiential data may be limited.
The horizontal axis of Figure 5 shows expenditure on safety over and above that
necessary for a workable plant and the vertical axis shows the money back in return.
In the left-hand area safety is good business—by spending money on safety, apart
from preventing injuries and plant failure, more profit is made.
In the next region safety is poor business. Some money is returned for safety
expenditure, however not as much as possible, for example by investment in other
ways.
The third region is reached if money continues to be spent on safety, where safety is
bad business, but good humanity. Money is spent so that people do not get hurt,
however this reduces profitability.
A decision has to be made where to draw the line on safety expenditure. This can be
a qualitative judgement; however in the case of process plant this can be quantitative
using HAZAN.
While HAZOP is a technique that can be applied to every new design and major
modification, HAZAN is a selective technique. It is neither necessary nor possible to
quantify every hazard on every plant.
The term hazard analysis is used rather than risk analysis as HAZAN does more than
quantify the risk. When used with other techniques, especially fault trees, it
demonstrates how the hazard arises, which contributing factors are the most
important and the most effective ways of reducing risk. Most of all, it allows effective
allocation of resources.
Applications of FMEA
These can then be evaluated (qualitative or quantitative) and risk priority codes
identified. A summary sheet can then be prepared in which failure modes are listed in
declining order of risk priority. The summary should also list the corrective measures
required to reduce the frequency of failure or to mitigate the consequences.
Corrective actions could include changes in design, procedures or organisational
arrangements.
FMEA can be used for single point failure modes but can be extended to cover
concurrent failure modes. It can be a costly and time consuming process but once
completed and documented it is valuable for future reviews and as a basis for other
risk assessment techniques such as HAZOP studies, Fault Tree Analysis and Event
Tree Analysis.
To perform an FMEA, the analyst must be very familiar with the function(s) of the
part or the system - this is gained either from previous experience or from manuals
provided by the manufacturers. Most manufacturers include lists of function(s) and
fault diagnosis in their operating and maintenance manuals.
An important part of FMEA is for the analyst to understand thoroughly what is meant
by a ‘failure mode’. A failure mode is a description or scenario of how systems,
equipment, part(s), and procedures could fail. This should include all possible modes
of failures, even if the likelihood of occurrence is small.
and be able to recognise changes that deviate and are not consistent with normal
operations.
Before carrying out an FMEA, the entity under analysis must be defined. This could
be of any form and size, and ranges from a component element, a unit, or a
sub-system to a complex system. The selection of the entity and its size depends on the
intended purpose, scope and depth of the investigation.
For example, consider the case of a petrol engine for a motor car. The engine is
comprised of a fuel system, ignition system, cooling system, lubricating system, etc.
Each system can be broken down into its basic components, for example the fuel
system is comprised of a fuel pump, filter, pipings, carburettor, fuel tank, etc. The
ignition system is comprised of a battery, alternator, spark plugs, starter motor, fan
belt, wirings, etc. The cooling system is comprised of a fan, radiator, piping, water
reservoir, etc. The lubricating system is comprised of oil reservoir, oil pump, oil filter,
piping, etc.
Loss of operational function can easily be recognised, and can vary from
erratic performance to total breakdown.
elastomers, the oxidation (rusting) of steel, and the formation of metallic salts
on plated parts.
Foreign matter is any material that is not part of the original system. This includes all
debris and corrosive products found in a system. When present, foreign matter is
usually an indication of a failure in the system, and can provide useful background
information to identify a possible failure mode in the system or other related systems.
Monitor progress.
For each failure mode, the analysis should identify both the immediate and expected
effects of the failure on other equipment and the process or system, the cause(s),
and the recommended remedial action(s). The modes of failure, the cause(s), and
the recommended remedial action(s) are recorded on a standard worksheet as
shown in Table 8.
Example
Consider the failure of a hydraulic system which is comprised of a pump, pump drive
motor, coupling, control valve, relief valve and piping. The hydraulic system delivers
water from a cooling tower to a process vessel. The failure of the system can be
either a total breakdown, where there is no flow, or an erratic performance, where the
system delivers the incorrect amount of water, i.e. either too little or too much water.
No water or little water will result in the overheating of the process fluid. Too much
water will result in a process fluid with undesirably low temperature with the
subsequent adverse effects on the process.
Depending on the required resolution of the FMEA, the hydraulic system can be
broken down into its basic units, such as pump, drive motor, coupling, piping, etc.
and the FMEA could be applied to each unit. Table 9 shows a sample FMEA
worksheet for a hydraulic pump.
As has been demonstrated, FMEA is a useful qualitative tool for failure analysis and
identification and can be used extensively with other hazard identification techniques
such as HAZOP and fault tree analysis. However, FMEA does not give a ranking or
an indication of the severity of the failures and its application relies on the experience
of the analyst and his or her understanding of the system.
Component failure.
An accident.
An explosion.
A system failure.
The fault tree is then constructed downward from the top event. It will look like an
inverted tree, branching downwards rather than upwards.
The tree is constructed by identifying and correctly relating all events and
combinations and/or sequences of events that could result in the top event. These
are related through AND/OR gates.
And / Or Gates
If a top event could only occur if both sub-event A and sub-event B occurred, this
would be represented using an AND gate as illustrated in Figure 6.
For example the top event could represent a person falling from a ladder, which
could be caused both by the person overreaching (sub-event A) and the ladder
slipping laterally (sub-event B).
If a top event could only occur if either sub-event A or sub-event B occurred, this
would be represented using an OR gate as illustrated in Figure 7.
For example the top event could represent a fork-lift truck overturning, which could
be caused by either lateral (sub-event A) or longitudinal instability (sub-event B).
Figure 7: Or gate
Figure 8 demonstrates the construction of a fault tree for the top (undesired) event of
a fire in a multi-storey car park. Note that when a sub-event is not developed any
further the convention is to place it in a diamond shape rather than a rectangle, and
final or basic events are placed in a circle.
If the failure rate or probability of basic causes can be determined, often from
statistical analysis, then the following can be determined:
How frequently the top event occurs, i.e. the frequency (failure rate).
For an And gate the probability of the top event occurring is calculated by multiplying
the probabilities of the causes, beginning at the lower level basic causes working up
to the top event.
Then P = P1 x P2
For an OR gate the probability of the top event occurring is calculated by adding the
probabilities of the causes, beginning at the lower level basic causes working up to
the top event.
Then P = P1 + P2
Most fault trees will consist of a combination of OR and AND gates, which can be
analysed by starting at the lowest level and working up to the top event.
When using either AND or OR gates the frequency (f) of the top event is the
reciprocal of its probability (P).
f = 1 / P
For example, if the probability of the top event was calculated to be 0.1 (10% chance
of occurrence per year), the frequency of occurrence would be the reciprocal of its
probability, which is once every 10 years. This frequency could then be compared
with tolerability of risk figures when deciding if the risk is ALARP.
Once the probability and frequency of the top event are calculated, a decision can then
be made as to whether these are tolerable. In order to reduce the probability, hence
frequency, of the top event risk reduction measures should be applied to the basic
causes. By reducing the probability of basic causes the probability of the top event is
reduced.
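The gate rules above, applied bottom-up to a small tree, as an added example that is not part of the original course text. The AND of overreaching and the ladder slipping is the ladder example from this page; the two causes of slipping, every probability and all function names are constructed for illustration, and the `exact_or` option goes beyond the text by comparing the additive OR rule with the exact value for independent causes.

```python
"""Fault-tree arithmetic with the gate rules given above (added example)."""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Basic:
    """A basic cause with its probability of occurring per year."""
    name: str
    p: float


@dataclass
class Gate:
    """An AND or OR gate combining sub-events."""
    name: str
    kind: str
    inputs: List[Union["Gate", Basic]]


Node = Union[Gate, Basic]


def evaluate(node: Node, overrides: Optional[Dict[str, float]] = None,
             exact_or: bool = False) -> float:
    """Work up from the basic causes to the probability of `node`."""
    overrides = overrides or {}
    if isinstance(node, Basic):
        p = overrides.get(node.name, node.p)
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node.name}: probability {p} is outside 0..1")
        return p
    ps = [evaluate(child, overrides, exact_or) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)                      # P = P1 x P2
    if node.kind == "OR":
        if exact_or:
            # Exact value for independent causes; it can never exceed 1.
            return 1.0 - prod(1.0 - p for p in ps)
        return sum(ps)                       # P = P1 + P2, good for small P
    raise ValueError(f"{node.name}: unknown gate type {node.kind!r}")


def basic_causes(node: Node) -> List[Basic]:
    """Collect the basic causes at the bottom of the tree."""
    if isinstance(node, Basic):
        return [node]
    return [b for child in node.inputs for b in basic_causes(child)]


def rank_reductions(top: Node, factor: float = 0.5) -> List[Tuple[str, float]]:
    """Scale each basic cause by `factor` in turn; largest drop in the top event first."""
    base = evaluate(top)
    drops = [(b.name, base - evaluate(top, {b.name: b.p * factor}))
             for b in basic_causes(top)]
    return sorted(drops, key=lambda d: d[1], reverse=True)


def years_between(p_per_year: float) -> float:
    """The reciprocal f = 1/P, read as 'once every f years'."""
    return 1.0 / p_per_year


# Constructed tree: the sub-causes of slipping and all probabilities are assumed.
LADDER_FALL = Gate("Person falls from ladder", "AND", [
    Basic("Person overreaches", 0.2),
    Gate("Ladder slips laterally", "OR", [
        Basic("Ladder not footed", 0.08),
        Basic("Ladder not tied", 0.02),
    ]),
])

if __name__ == "__main__":
    p_top = evaluate(LADDER_FALL)
    print(f"Top event: P = {p_top:.4f} per year, "
          f"once every {years_between(p_top):.0f} years")
    print(f"With the exact OR rule: P = {evaluate(LADDER_FALL, exact_or=True):.5f}")
    for name, drop in rank_reductions(LADDER_FALL):
        print(f"Halving '{name}' lowers P by {drop:.4f}")
```

The ranking shows which basic cause gives the largest reduction in the top event for the same proportional improvement, which is where risk reduction effort is best spent first.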
Example
An event tree begins with an initiating event, such as component failure, increase in
temperature/pressure or a release of a hazardous substance. The consequences of
the event are followed through a series of possible paths. Each path is assigned a
probability of occurrence and the probability of the various possible outcomes can be
calculated.
Step 2 Identify the safety functions designed to deal with the initiating event.
The safety functions (safety systems, procedures, operator actions, etc.) that
respond to the initiating event can be thought of as the plant’s defence against the
occurrence of the initiating event. These safety functions usually include:
Alarms that alert the operator when the initiating event occurs.
Operator actions.
The analyst should identify all system functions and their intended purpose for
mitigating the effects of the initiating event. The analyst should list the safety
functions in the order in which they are intended to occur.
Step 3 Construct the event tree. The event tree displays the logical progression
of an accident. The event tree begins with the initiating event and
proceeds through the successes and / or failures of the safety functions
that react to the initiating event. Only two possibilities are considered
when evaluating the response of the safety functions, that it is a success
or a failure. The success of a safety function is defined as its ability to
prevent the initiating event from progressing further, thus preventing an
accident. The failure of a safety function is defined as its inability to stop
the progression of an initiating event or alter its course so that the other
safety functions can respond to it.
Step 4 Describe the resulting accident event sequences. The accident event
sequences represent a multitude of incidents that can result from the
initiating event. One or more of the sequences may result in an
accident. The analyst defines the successes and failures in each resulting
sequence and compiles a description of its expected outcome.
The analyst then ranks the accidents based on the severity of their outcomes. If
enough data is available, the analyst can use probabilistic analysis to estimate
accident probabilities from event probabilities, and thus obtain additional information
for ranking the accidents. The structure of the event tree should clearly show the
development of the accident and help the analyst to define locations and establish
priorities where additional safety features might be installed to either prevent these
accidents or mitigate their effects.
Example
The first step is to identify the initiating event. In this example it is the fire and release
of smoke.
The second step is to identify the safety functions designed to deal with the initiating
event. In this example these are:
A smoke detector.
Construction of the tree begins at the left hand side with the initiating event of
interest.
The next step is to insert the 1st safety function (smoke detector in this example).
Only two possibilities are considered, either success or failure of the safety function.
Usually success is denoted in an upward path and failure is denoted by a downward
path. Success leads on to the 2nd safety function and failure leads to an undesired
outcome. In this example success of the 1st safety function means that the smoke
detector works as designed.
The event now progresses to the 2nd safety function. Again only success and failure
of the safety function are considered. Success leads on to the 3rd safety function and
failure leads to an undesired outcome. In this example success of the 2nd safety
function means that the alarm signal works as designed.
The event now progresses to the 3rd safety function. Once again only success and
failure of the safety function are considered. Success leads on to the desired
outcome and failure leads to an undesired outcome. In this example success of the
3rd safety function means that the alarm sounder works, the occupants are warned
of the fire and they make good their escape.
In this example every undesired outcome is that the occupants of the room are not
warned of the fire, however, in some event trees as the event progresses there may
be different outcomes with differing hazard severities.
The frequency of the initiating event and the probabilities (or reliabilities) of the safety
functions need to be known, and are expressed as decimals, in order to calculate the
probabilities of the end events. So if the frequency (f) of the initiating event is once
every 200 years, it would be expressed as 0.005 (1 divided by 200) and if a
probability of success was 85%, it would be expressed as 0.85.
In Figure 13, in order to calculate the probability of the desired outcome (A), it is
necessary to follow the event from the left hand side to the right hand side of the
event tree, i.e. from the initiating event to A, multiplying the frequency (f) by each of
the included probabilities. Therefore the probability of A occurring (PA) is caused by f
AND P1 AND P3 AND P5, hence:
PA = f x P1 x P3 x P5
PB = f x P1 x P3 x P6
PC = f x P1 x P4
PD = f x P2
For each safety function the success and failure ‘legs’ are expressed as decimals
and their sum must equal 1. Consider the 1st safety function, the smoke detector in
Figure 14:
P1 + P2 = 1
For example, if the smoke detector is 95% reliable, then it must be 5% unreliable
(0.95 + 0.05 = 1).
Event Frequency
As with fault trees, the end event frequency is the reciprocal of the end event
probability. The units are the same as for the initiating event (f), e.g. years, months,
etc.
Worked Example
A mainframe computer suite has a protective system to mitigate the effects of fire.
The system design comprises a smoke detector connected by a power supply to a
mechanism for releasing carbon dioxide (CO2). It has been estimated that a fire will
occur once every five years (f=0.2/year). Reliability data for the system components
are as follows:
Component Reliability
Detector 0.9
Construct an event tree for the above scenario to estimate the frequency of an
uncontrolled fire in the computer suite.
PB = f x P1 x P3 x P6
P6 = 1 - P5 = 1 - 0.95 = 0.05, so
PB = 0.00891
PC = f x P1 x P4
PC = 0.2 x 0.9 x P4
P4 = 1 - P3 = 1 - 0.99 = 0.01, so
PC = 0.0018
PD = f x P2
PD = 0.2 x P2
P2 = 1 - P1 = 1 - 0.9 = 0.1, so
PD = 0.2 x 0.1
PD = 0.02
fUF = 1 / 0.03071 = 32.56
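The same calculation for a chain of any number of safety functions, as an added example that is not part of the original course text. The reliabilities 0.9, 0.99 and 0.95 and f = 0.2 are the figures used in the working above; assigning 0.99 to the power supply and 0.95 to the CO2 release mechanism is an assumption, as are all function and variable names.

```python
"""Event-tree arithmetic for a chain of safety functions (added example)."""
from typing import Dict, List, Tuple

SUCCESS = "all safety functions succeed"


def evaluate_event_tree(initiating_frequency: float,
                        safety_functions: List[Tuple[str, float]]) -> Dict[str, float]:
    """Return the value of every end event of the tree.

    `safety_functions` lists (name, reliability) in the order the functions are
    intended to act. A failure ends the path in an undesired outcome; a success
    passes the event on to the next function.
    """
    if initiating_frequency < 0:
        raise ValueError("initiating frequency cannot be negative")
    outcomes: Dict[str, float] = {}
    reached = initiating_frequency            # value carried along the success path
    for name, reliability in safety_functions:
        if not 0.0 <= reliability <= 1.0:
            raise ValueError(f"{name}: reliability {reliability} is outside 0..1")
        failure_leg = 1.0 - reliability       # success and failure legs sum to 1
        outcomes[f"{name} fails"] = reached * failure_leg
        reached *= reliability
    outcomes[SUCCESS] = reached
    return outcomes


def undesired_total(outcomes: Dict[str, float]) -> float:
    """Add up every end event except the fully successful path."""
    return sum(v for k, v in outcomes.items() if k != SUCCESS)


def legs_balance(outcomes: Dict[str, float], initiating_frequency: float) -> bool:
    """All end events together must account for the whole initiating frequency."""
    return abs(sum(outcomes.values()) - initiating_frequency) < 1e-12


def interval_years(value_per_year: float) -> float:
    """The reciprocal of the end event value, as used for fUF above."""
    return 1.0 / value_per_year


# Figures from the worked example; the component names for 0.99 and 0.95 are assumed.
WORKED_EXAMPLE = [
    ("Detector", 0.9),
    ("Power supply", 0.99),
    ("CO2 release", 0.95),
]

if __name__ == "__main__":
    tree = evaluate_event_tree(0.2, WORKED_EXAMPLE)
    for outcome, value in tree.items():
        print(f"{outcome:32s} {value:.5f}")
    uncontrolled = undesired_total(tree)
    print(f"Uncontrolled fire: {uncontrolled:.5f}, "
          f"reciprocal {interval_years(uncontrolled):.2f}")
    print("Legs balance:", legs_balance(tree, 0.2))
```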
Summary
The use of quantitative risk analysis can be a useful tool in allocating resource and
justifying decision making in relation to risk management.
The role of FTA and ETA as backward and forward looking techniques can consider
the risk elements throughout the lifecycle or within the potential and actual disaster
situations. The concept of backward and forward looking models can be described as
a “Bow-Tie” model where:
It shows the probability of the top event occurring (FTA) and escalation and
subsequent consequences from it (ETA).
There are a range of tools including HAZAN, FMEA, HAZOP, etc. which can
be used to qualify and quantify those hazards and threats.
It links the barriers and measures to reduce the chance of the top event
occurring and the consequences resulting from the top event.
References
Successful Health and Safety Management HSG65, HSE, 2003, HMSO.
The Management of Health and Safety at Work Regulations 1999 Approved Code of
Practice and Guidance L21, HSC, 2000, HMSO.
Quantified Risk Assessment: Its input into decision making, HSE, 1994, HMSO.
The Tolerability of Risk from Nuclear Power Stations, HSE, 1992, HMSO.
Reducing Risks Protecting People, HSE’s Decision Making Process, HSE, 2001,
HMSO.