
Element A3: Identifying Hazards, Assessing and Evaluating Risk
International Diploma-A3

© CHSS Ltd 2007 Page 2 of 66
Sales Ref: sc/715/v2.1
International Diploma-A3

Contents
Page No
Assessing and Evaluating Risk 5
Definitions 6
Hazard Identification 7
Who may be Harmed and in What Circumstances 8
Evaluating the Risks 9
Record the Significant Findings 13
Review 14
Task Analysis 15
MEEP Analysis 16
Information Sources 17
Accident and Incident Data 20
Risk Rating 22
Principles and Techniques of Failure Tracing Methods 28
The Basic Concept of HAZOP 30
Relation to other Analysis Tools 42
Failure Modes Effects Analysis (FMEA) 44
Fault Tree Analysis 49
And/Or Gates 50
Numerical Evaluation of Fault Tree 52
Event Tree Analysis 56
References 64

Tables
Table 1: Risk Assessment Factor 11
Table 2: Action Required 11
Table 3: Risk Assessment Matrix 13
Table 4: Public Tolerance of Incidents 24
Table 5: Tolerability of Risk from Nuclear Power Stations, HSE 25
Table 6: A List of Guide Words 31
Table 7: Completed HAZOP Study Results 38 to 40
Table 8: Sample FMEA Worksheet for a Hydraulic System 47
Table 9: Sample FMEA Worksheet for a Hydraulic Pump 48

Contents Cont’d
Figures
Figure 1: Flow Diagram Demonstrating Risk Management 5
Figure 2: Accident Triangles, HSG 65 21
Figure 3: Tolerability of Risk from Nuclear Power Stations, HSE 26
Figure 4: An Example of a Simple Flowsheet 35
Figure 5: Why do we Want to Apply Numerical Methods to Safety Problems? 43
Figure 6: Or Gate 50
Figure 7: And Gate 50
Figure 8: Example Fault Tree 51
Figure 9: Numerical Evaluation of Fault Tree (and Gate) 52
Figure 10: Numerical Evaluation of Fault Tree (or Gate) 53
Figure 11: Accident on a Roundabout 54
Figure 12: Example of a Fault Tree Numerical Analysis 55
Figure 13: Example Event Tree 58
Figure 14: Numerical Evaluation of an Event Tree 59
Figure 15: Worked Example Event Tree 60
Figure 16: Bow-Tie model 63

Assessing and Evaluating Risk


Risk Management can be defined as:

“….the eradication or minimisation of the adverse effects of ….risks to which an
organisation is exposed”. (Ridley and Channing, 1999)

The following diagram demonstrates risk management as a flow diagram. See later
for further explanation of the terms used.

Figure 1: Flow diagram demonstrating risk management

The process of risk management is complex and contains a range of practices
leading to the control of all elements of risk in the workplace.

Risk assessment is the cornerstone for the management of health and safety at
work. A suitable and sufficient assessment requires that greater risks be given more
detailed assessments. Having identified the risks, the control measures must then
be compared with minimum acceptable standards.

Before discussing the process of assessing and evaluating risk there must first be
clarification on the key terminologies.

Definitions
Hazard
The dictionary definition of hazard is “chance, risk, danger” and hazardous is “risky”
which is of little help in distinguishing between the terms hazard and risk for the
purpose of assessing and evaluating risk. For health and safety purposes the
definition of hazard is “the potential to cause harm”.

This is a very broad definition and in many ways can be interpreted to mean
anything. It would be helpful therefore to categorise hazards to make identification
easier. Hazards may be either:

 Physical e.g. machinery, electricity, heat, noise, gravity.

 Chemical e.g. water, acid, alkali, oils.

 Biological e.g. HIV virus, legionella, hepatitis virus (usually a disease causing
agent).

 Ergonomic e.g. physical stress, wrongly sited controls and indications.

 Psychological e.g. workload/pressure/hours of work, trauma.

Risk
Again, the dictionary definition, i.e. the normal use of the word, is “chance of
disaster or loss”. Clearly this implies a certain probability of occurrence or likelihood.
Again, for the purpose of assessing and evaluating risk this must be clear, and risk is
defined as “the probability of harm from a particular hazard being realised”.

For example, noise is a hazard, i.e. it has the potential to cause harm. The risk is the
likelihood that it actually will cause harm. Clearly this is dependent on a number of
different factors (risk factors) such as how loud the noise is, how long an individual is
exposed to the noise, the frequency of the noise, the individual’s personal
characteristics / predisposition to suffering from noise-related effects, previous
exposure and so on.

Most people undertake risk assessment as a normal part of their everyday lives.
Activities, such as crossing the road and driving to work, routinely call for a complex
and ongoing analysis of the hazards and risks involved in order to avoid damage and
injury. Therefore most people are able to recognise hazards as they develop and
take corrective action. People do, for a variety of reasons, have widely different
perceptions regarding risk and would find it difficult to apply their experience to formal
workplace risk assessments.

There are many variations on the risk assessment process; the following system is
based on the “5 Steps to Risk Assessment” IND (G) 163L published in the UK by
HSE.

Risk Assessment Involves Five Steps:

 Look for and identify the hazards.

 Decide who might be harmed and in what circumstances.

 Evaluate the risks arising from the hazards and decide whether the existing
precautions are adequate or more should be done.

 Record the significant findings.

 Review the assessment if there is a significant change or evidence that the
original assessment was inadequate.

Hazard Identification
Hazard identification can be completed in a number of different ways. Proactively the
process can be completed through organised inspections, samples, surveys, tours
and reactively by examining injury / accident and ill-health reports.

Inspections: Strictly, safety inspections should be considered to be a monitoring tool
or technique rather than a hazard identification exercise. The reasons for avoiding
an over-reliance on workplace inspections as a means of identifying hazards are:

 For the purposes of risk assessment all hazards (i.e. anything with the potential to
cause harm) must be considered. The purpose of an inspection is to identify hazards
that are not controlled to an acceptable standard at the time of the inspection.
Hazards that appear to be well controlled at that time will usually be ignored. This
‘snapshot’ approach is not sufficiently thorough to be relied upon for the purposes of
risk assessment since the control measures that were in place may not remain in
place for long.

 If, for example, an inspection failed to identify any unsafe electrical equipment /
wiring it would not be listed as a hazard and might not be assessed. The use of
electrical equipment clearly needs to be assessed very thoroughly.

 Psychological, biological and ergonomic hazards are not easy to identify by visual
inspection.

 Visual inspections are poor at detecting unsafe acts, lack of training and inadequate
operating procedures, all of which are key issues in risk assessment.

Samples: This is a random sampling exercise in which observers follow a pre-
determined route, usually at normal walking pace, and note any omissions or non-
compliances. The number of non-compliances, etc. is counted to provide a score of
the overall effectiveness of the safety performance. The technique has little scientific
validity (the observer’s attentiveness is sure to vary) but has the advantage of raising
the profile of the safety improvement effort.

Surveys: As with building surveys, a safety survey is normally carried out by a
specialist who will either be focussing on specific topics (e.g. a survey of fire
precautions) or will be asked to report on the main strengths and weaknesses.
Detailed reports are normally produced as a result of surveys.

Tours: A safety tour is (usually) an unscheduled examination of the workplace to
assess whether or not acceptable standards of housekeeping, safe access, fire
precautions, etc. are being maintained. Some hazards may be identified but a tour
gives a general impression rather than a thorough analysis of hazards.

Injury and ill health Reports: Accident statistics can be a useful tool when
identifying risks which are not well controlled. When analysed the statistical
information can be manipulated to provide important causal leads on risk areas
where action should have been taken or indeed where the action taken is not
appropriate to minimise the risks. The organisation should have specific event
recording systems in place to ensure that all relevant data is gathered in sufficient
detail to facilitate proper analysis.

The primary purpose of risk assessment is to enable decisions to be made on the
need for action and on the priority of action, for example a hazard assessed as high
risk will require immediate action and perhaps considerable expenditure whereas a
low or negligible risk can be given a less pressing timescale for action and costs
expended may be limited. This is based on the ‘reasonably practicable’ principle. A
different approach will be necessary in the case of absolute legal requirements or
those qualified only by the word ‘practicable’.

Who May be Harmed and in What Circumstances
In making an overall assessment of “risk”, it is necessary, through the art or science
of estimating (or guesstimating), to take account of the likelihood of harmful
circumstances happening and the severity of the injury that might result.

It is important to ensure that all groups of employees and others who might be
affected are considered; do not forget office staff, night cleaners, maintenance staff,
security guards, visitors and the general public. Specific action should be taken to
identify groups of employees who might be especially at risk, e.g. young persons,
new or inexperienced workers, those who work alone, any disabled staff or pregnant
workers. The assessment should be recorded, i.e. documented.

Account must also be taken of the presence of any risks to visitors, members of the
public and any one else who may be affected by the work activity.

Evaluating the Risks

Risk assessment requires an evaluation of two principal factors:

 Likelihood – a subjective or objective evaluation of the probability of
occurrence; and

 Severity – the scale of the consequences of the occurrence.

Likelihood
This requires an assessment or evaluation of the likelihood (probability) of the hazard
resulting in a loss. Consideration will need to be given to the following:

 Where is the hazard?

 How many people are affected?

 How knowledgeable are they?

 How many times does the hazard occur (frequency)?

 What is the extent of possible exposure (duration, time, concentrations etc)?

Severity
This requires an assessment or evaluation of the possible outcome(s) if the hazard
was not sufficiently controlled and things went wrong.

This can be assessed by relating to accident statistics or common sense. In some
cases the information can be obtained from manufacturers' data, published guidance
or other published information.

In selecting the appropriate category it is important to be realistic. For example, it is
remotely possible that someone tripping over a cable in an office may be killed, but the
most probable result is bruising or at worst a fractured bone. If however the cable is
trailing across the top of a very busy staircase then a single death or even multiple
deaths could be a more appropriate assessment.

The judgement of risk rating may then be made by qualitative means, which are based
on the experience and expertise of the assessor; by semi-quantitative means, which
provide a crude scoring mechanism and allow the risks to be rated and prioritised
(this technique is particularly useful for justifying expenditure on risk control relative to
other risks); or by quantitative assessment from probability data.

Risk rating using qualitative or semi-quantitative means is often referred to as
‘relativistic’ assessment since it is scored relative to other risks, whereas quantitative
assessments are often described as ‘probabilistic’ assessments.

Specific techniques such as Hazard and Operability (HAZOP) studies, Fault Tree
Analysis (FTA), Failure Modes and Effects Analysis (FMEA) and Event Tree Analysis
(ETA) can be used to determine the frequency of events occurring or the probability
that a particular event will occur. Probability theory is based on a scale that
extends from 0 to 1, where zero represents no occurrence and 1 represents a
certainty. Where the data is available for a series of linked events, e.g. a flammable
gas release followed by an ignition source, then the final probability of the last event
can be calculated.

In order to carry out these advanced risk assessment techniques the numerical data
must be supplied.

Truly quantitative assessments based on the probabilities of events (such as the
failure of safety critical components, etc) are difficult to apply in most situations. This
is because the data needed to calculate probabilities is simply not available. Such
techniques are applied in high risk processes and industries such as nuclear
installations and in aviation for example.

A simple, although not wholly scientific, method of estimating likelihood and severity
can be useful when determining priority as regards health and safety effort. This
semi-quantitative approach is not absolutely essential and, even when it is used, it
should not mask the main purposes of the assessment as discussed earlier. There
are many versions of the technique; the following system is taken from the UK’s HSE
document Successful Health and Safety Management HSG 65.

The Likelihood of harm:

1) Low (where harm will seldom occur).

2) Medium (where harm will occur frequently).

3) High (where it is certain or near certain that harm will occur).

The Severity of harm:

1) Minor (for example, all other injuries including those where people
are off for periods of up to three days).

2) Medium (for example injuries where people may be off work for more
than three days).

3) Major (for example death or major injury as defined in RIDDOR).

                           Severity of outcome
                           Minor (1)   Medium (2)   Major (3)

Likelihood   Low (1)          1           2            3
of event     Medium (2)       2           4            6
             High (3)         3           6            9

Table 1: Risk Assessment Factor

Multiply the Severity number by the Likelihood number to arrive at the risk factor for
each hazard. This produces a number on a scale of 1 to 9. These numbers provide
an indication of priority and the extent of the risk: the higher the number the greater
the priority and risk and therefore the more resources which may be needed to
control the risk.

As a rough guide:

6 or 9      is a high risk and may require the provision of considerable resources
            involving special equipment, training, high levels of supervision, and
            consideration of the most effective methods of eliminating or
            controlling hazards (see principles of control).

2, 3 or 4   is a significant risk and will require an appropriate level of resources.

1           is a low risk but actions should still be taken to try to reduce these
            risks further if possible within reasonable limits.

Table 2: Action Required

Note that this system provides an indication of risk only and is based on subjective
judgement therefore employers must satisfy themselves that the risk assessment and
the actions taken to deal with the hazards they have identified are adequate.
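The HSG 65 scoring above is a small procedure: score likelihood and severity 1 to 3, multiply, then band the product into the action levels of Table 2 and rank the hazards. The following Python is an added example written for this page, not code from the CHSS text; the hazard register it rates is constructed sample data, and the band function also rejects products such as 5, 7 or 8 that can never arise from two scores of 1 to 3, which catches a mis-scored entry.

```python
"""HSG 65 style 3x3 risk rating: multiply likelihood by severity, band the result.

Added example (not from the CHSS text). The register below is constructed
sample data for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    LOW = 1      # harm will seldom occur
    MEDIUM = 2   # harm will occur frequently
    HIGH = 3     # certain or near certain that harm will occur


class Severity(IntEnum):
    MINOR = 1    # injuries with up to three days off work
    MEDIUM = 2   # injuries with more than three days off work
    MAJOR = 3    # death or major injury as defined in RIDDOR


@dataclass(frozen=True)
class Hazard:
    description: str
    likelihood: Likelihood
    severity: Severity


def risk_factor(likelihood: Likelihood, severity: Severity) -> int:
    """Table 1: the severity number multiplied by the likelihood number (1..9)."""
    return int(likelihood) * int(severity)


def action_band(factor: int) -> str:
    """Table 2: band a risk factor. Only 1, 2, 3, 4, 6 and 9 are valid products."""
    if factor in (6, 9):
        return "high"          # considerable resources, special equipment, supervision
    if factor in (2, 3, 4):
        return "significant"   # an appropriate level of resources
    if factor == 1:
        return "low"           # still reduce further within reasonable limits
    # 5, 7 and 8 cannot be produced by two scores in 1..3: flag a scoring error.
    raise ValueError(f"{factor} is not a product of two scores in the range 1..3")


def prioritise(hazards):
    """Return (hazard, factor, band) tuples ordered highest risk factor first."""
    rated = [(h, risk_factor(h.likelihood, h.severity)) for h in hazards]
    rated.sort(key=lambda item: item[1], reverse=True)   # stable sort keeps ties in input order
    return [(h, factor, action_band(factor)) for h, factor in rated]


# Constructed sample register (hypothetical office hazards, not from the text).
SAMPLE_REGISTER = [
    Hazard("Trailing cable in a quiet office", Likelihood.LOW, Severity.MINOR),
    Hazard("Trailing cable across a busy staircase", Likelihood.MEDIUM, Severity.MAJOR),
    Hazard("Unguarded paper guillotine", Likelihood.MEDIUM, Severity.MEDIUM),
    Hazard("Uninspected portable electrical equipment", Likelihood.HIGH, Severity.MAJOR),
]

if __name__ == "__main__":
    for hazard, factor, band in prioritise(SAMPLE_REGISTER):
        print(f"{factor}  {band:12s} {hazard.description}")
```

Running the block prints the register in priority order: the two high-band hazards (9 and 6) first, then the significant (4) and low (1) entries, which is the ordering the text says should drive the allocation of resources.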

A more complicated technique will involve giving numerical ratings to a number of
factors such as the numbers of people exposed to hazards, and the number of times
a hazard has occurred. The number of times an accident has resulted from this type
of hazard in the past can also form part of the assessment.

Some ‘organisations’ are using a matrix similar to the one above but with four, or
more usually five, rows and columns for likelihood and severity.

Alternative Risk Assessment Matrix

The purpose of the Risk Assessment Matrix (RAM) is to set objectives for actions.

Using the RAM, risk is classified by three characters:

 A measure of the likelihood of an event, scaled as A (low) to E (high).

 A measure of the consequence severity with that event, scaled as 1 (low) to 5
(high).

 The category of consequence: People (P), Asset (A), Environment (E) or
Reputation (R).

The intersection of the chosen column with the chosen row is the risk classification.

Incidents can have consequences in all four consequence categories. In fact, for the
same scenario, different classifications may apply to P, A, E, and R.

The overall risk of an incident is classified according to which of the consequences
has the highest rating.

The red coloured shading in the RAM represents the high risk area, yellow the
medium risk area and blue the low risk area. The level of risk then determines the
priority for action. With increasing risk the priority for action increases, with an
increasing call on resources and increasing management involvement.

When the RAM is applied to make judgements in the light of the agreed risk
tolerability criteria, the blue, yellow and red areas are normally set as follows:

Blue area: Manage for continuous improvement. Risk controls are specified in the
Health, Safety and Environment Management (HSEMS). The management of the
risk is within the accountability of the competent staff, using existing procedures,
budgets and resources.

Yellow area: Incorporate risk reduction measures to reduce the risk to a level which
is as low as reasonably practicable (ALARP). These risks are too serious to be left to
the standard procedures in the management system. Additional controls are
required and management becomes more involved. The control level to be
reached is ALARP and this needs to be demonstrated in the HSEMS.

Red area: Tolerability of risk to be endorsed by the management. Additional controls
should be applied to show risks have been reduced to ALARP.

Consequence severity (rows of the matrix):

Severity  People               Assets             Environment        Reputation
0         No injury            No damage          No effect          No impact
1         Slight injury        Slight damage      Slight effect      Slight impact
2         Minor injury         Minor damage       Minor effect       Limited impact
3         Major injury         Localised damage   Localised effect   Considerable impact
4         Single fatality      Major damage       Major effect       National impact
5         Multiple fatalities  Extensive damage   Massive effect     International impact

Increasing probability (columns of the matrix):

A   Never heard of in the industry
B   Has occurred in the industry
C   Incident has occurred in the Opco
D   Happened several times a year in the Opco
E   Happened several times a year in the location

[The cell shading of the original matrix, running from Low risk at the low-severity /
low-probability corner through Medium to High Risks at the high-severity /
high-probability corner, is not reproduced in this text version.]

Table 3: Risk Assessment Matrix
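The RAM rules stated above (a likelihood letter A to E, a severity 0 to 5 in each of the P, A, E and R categories, the cell lookup giving the classification, and the overall rating being the highest of the four) are shown together in the added Python example below. It is not code from the CHSS text. Because the cell colours of Table 3 are not reproduced here, the blue / yellow / red layout in ASSUMED_RAM is an assumption made for illustration and should be replaced by an organisation's own agreed matrix; the incident used as input is constructed.

```python
"""Risk Assessment Matrix (RAM) classification with the 'highest category wins' rule.

Added example (not from the CHSS text). ASSUMED_RAM is an assumed colour layout
for illustration only; the real cell colours of Table 3 are not reproduced here.
"""
LIKELIHOODS = "ABCDE"   # A = never heard of in the industry ... E = several times a year in the location
CATEGORIES = {"P": "People", "A": "Assets", "E": "Environment", "R": "Reputation"}

# ASSUMPTION: one character per cell, rows = severity 0..5, columns = likelihood A..E.
# B = blue (low), Y = yellow (medium), R = red (high).
ASSUMED_RAM = [
    "BBBBB",  # 0: no injury / no damage / no effect / no impact
    "BBBBY",  # 1: slight
    "BBBYY",  # 2: minor / limited
    "BBYYR",  # 3: major injury / localised / considerable
    "BYYRR",  # 4: single fatality / major / national
    "YYRRR",  # 5: multiple fatalities / extensive / massive / international
]
BAND_NAMES = {"B": "blue", "Y": "yellow", "R": "red"}
BAND_RANK = {"blue": 0, "yellow": 1, "red": 2}

# Action objectives for each band, paraphrased from the text's blue / yellow / red areas.
ACTIONS = {
    "blue": "Manage for continuous improvement using existing HSEMS procedures, budgets and resources.",
    "yellow": "Incorporate risk reduction measures to reach ALARP and demonstrate this in the HSEMS.",
    "red": "Tolerability of risk to be endorsed by management; apply additional controls to show ALARP.",
}


def classify(likelihood: str, severity: int) -> str:
    """Look up one cell: the intersection of the likelihood column and severity row."""
    if likelihood not in LIKELIHOODS:
        raise ValueError(f"likelihood must be one of {LIKELIHOODS!r}, got {likelihood!r}")
    if not 0 <= severity <= 5:
        raise ValueError(f"severity must be 0..5, got {severity}")
    return BAND_NAMES[ASSUMED_RAM[severity][LIKELIHOODS.index(likelihood)]]


def classify_incident(likelihood: str, consequences: dict) -> dict:
    """Rate each consequence category separately; the overall risk is the highest rating.

    consequences maps a category letter (P, A, E, R) to its severity 0..5.
    """
    unknown = set(consequences) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown consequence categories: {sorted(unknown)}")
    per_category = {cat: classify(likelihood, sev) for cat, sev in consequences.items()}
    overall = max(per_category.values(), key=lambda band: BAND_RANK[band])
    return {"per_category": per_category, "overall": overall, "action": ACTIONS[overall]}


# Constructed incident: a release that has occurred in the Opco before (C), slight injury,
# localised asset damage, minor environmental effect and national reputation impact.
SAMPLE_INCIDENT = {"likelihood": "C", "consequences": {"P": 1, "A": 3, "E": 2, "R": 4}}

if __name__ == "__main__":
    result = classify_incident(SAMPLE_INCIDENT["likelihood"], SAMPLE_INCIDENT["consequences"])
    for cat, band in result["per_category"].items():
        print(f"{CATEGORIES[cat]:12s} {band}")
    print("overall:", result["overall"])
    print("action: ", result["action"])
```

Note that with this layout the overall rating for the sample incident is yellow even though People is only blue: the text's rule that the highest of the four categories classifies the incident means a reputation or asset consequence can drive the action level on its own.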

Record the Significant Findings

The record should lead management to take the relevant actions to protect health
and safety. It should therefore be linked to other documents such as the health and
safety policy and may refer to procedures and health and safety arrangements. It
also forms the basis for the organisation’s action plan.

The records should therefore cover the following key points:

 Identify significant findings such as the hazards and the risks they present.

 Identify existing controls and the need for further controls as necessary.

 Identify the individuals affected which could include persons not directly under
the control of the employer, e.g. members of the public.

 Refer to other documents where appropriate, e.g. guidance, etc.

Remember that the format of the record is not laid down in law but it should not over
complicate the assessment nor trivialise the risks.

Review
Assessments should be reviewed if:

 There is reason to suspect that it is no longer valid.

 There has been a significant change in the matters to which it relates.

Evidence of injuries, ill health or near misses would be among the reasons for
suspecting that an assessment may no longer be valid. Accident / incident
investigations should routinely consider whether or not the risk assessment needs to
be reviewed.

Some of the ‘significant changes’ that might require a review of the risk assessment
are:

 The workplace layout.

 Increased work throughput / rate.

 New process or plant which is not covered in the original assessment or
introduces a significant change to the working environment.

 The competence of the people carrying out the work.

 New legal requirements or a change in acceptable standards.

 New information about the hazards.

 Evidence that the original assessment is inadequate.

Task Analysis
Job Safety Analysis
Job Safety Analysis (JSA) is a work study technique in which a task is carefully
observed and every detail recorded. The process is often used in conjunction with
the development of Safe Systems of Work, work instructions, safety training etc. The
method of working is then evaluated so as to identify hazards. An ‘ideal’ safe method
is then developed and implemented.

The process is as follows:

 Select the process to be studied. Priorities are often based on previous
accidents, etc.

 Record in detail how the job is done, the equipment and materials used and
any hazards involved. This is best done by observation and discussion with
those ‘job holders’ actually doing the job under review.

 Evaluate the risks involved in the activity (refer to accident records etc).

 Develop a safe system for carrying out the work. At this stage reference is
made to applicable standards, e.g. legislation, codes of practice.

 Implement the safe system.

 Maintain the system (by supervision, etc) and monitor those who carry out the
work to ensure that the system does not deteriorate.

Job Safety Analysis goes further than merely identifying hazards. As noted above, in
many ways ‘job safety analysis’ is similar to the risk assessment process. The
distinctive feature is the work study style observation of how the work is done
followed by careful evaluation to develop the ‘ideal’ system of work.

The information can be recorded on a chart or JSA worksheet. There is no predefined
format for the recording of JSA work; the format will be determined by the
organisation’s systems and the needs of the employer.

MEEP Analysis
MEEP Approach
All risks arising from the work activity must be assessed.

The activity can be broken down into individual elements so that hazards – conditions
or actions, at each stage can be analysed.

The degree of detail of analysis should depend on the level of risk involved, but in
any case all components of the work should be included in the analysis.

A useful approach to ensuring the key areas are considered for analysis is to
consider the four main elements of the activity.

Materials
What materials does the activity have the potential to expose employees to and how
are they handled, mechanical or manual? Following consideration of this element
risks can be controlled.

Equipment & Plant
What is used? Is it suitable? Consider the design and ergonomic factors,
maintenance routines and statutory inspections where applicable, guarding
arrangements, isolation from energy sources and other hazards which the equipment
may produce such as noise and vibration.

Environment
Take into account the levels of lighting, heating, environmental noise, ventilation,
welfare facilities, etc. Does the condition of floors, seating, access to, egress from,
means of escape, layout and working space have an adverse effect on exposure to
risks? Remember that for outdoor activities the weather can change very quickly and
the hazards on a bright July morning are very different to a dark November
afternoon.

People
Consider who is involved and their levels of competence. Is there specific
information, training or instruction that is required, and what level of supervision is
adequate for the task being analysed? Do particular disabilities, or the presence of the
public or other persons, have an effect on the activity and the level of risk involved?

Task analysis should then consider these points in adequate depth to ensure the
development of a safe system of work.

Information Sources
When identifying hazards for the purpose of conducting risk assessments and
subsequent evaluation of the risks the employer must consider the source of data for
the evaluation which can of course be either internal to an organisation or external.

Internal Sources
 Health and safety practitioner (Advisor / Officer etc).

 Health and safety representative.

 Inspection reports.

 Accident records.

 Risk assessments.

 Plant registers.

 Safety committee minutes.

 Policies.

 Medical records.

 Company safety library.

External Sources
 National Government Bodies, e.g. UK HSE.

 European Health and Safety Agency.

 International Labour Organisation.

 National Safety Organisations / Professional Institutions.

Suppliers / Manufacturers
 Suppliers of substances, plant, equipment, etc.

 Data sheets, manuals.

The Internet
A number of sites exist relating to health and safety including:

 www.chssgulf.com (CHSS website); and www.hse.gov.uk (HSE website, which now
has a very useful search engine for access to on-line information).

Care must be taken when relying on data sourced from the internet since its use is
unregulated. This makes for a vast data source but untrustworthy sites are
commonplace.

Libraries
 International, European & British Standards

Consultants and Specialists
 CHSS.

International Information Sources

The International Labour Organisation (ILO)
The International Labour Organisation is the United Nations (UN) specialised agency
which seeks the promotion of social justice and internationally recognised human and
labour rights. It was founded in 1919 and is the only surviving major creation of the
Treaty of Versailles which brought the League of Nations into being and it became
the first specialised agency of the UN in 1946.

The ILO formulates international labour standards in the form of Conventions and
Recommendations setting minimum standards of basic labour rights: freedom of
association, the right to organise, collective bargaining, abolition of forced labour,
equality of opportunity and treatment and other standards regulating conditions
across the entire spectrum of work related issues. It provides technical assistance
primarily in the fields of:

 Vocational training and vocational rehabilitation.

 Employment policy.

 Labour administration.

 Labour law and industrial relations.

 Working conditions.

 Management development.

 Co-operatives.

 Social security.

 Labour statistics and occupational safety and health.

It promotes the development of independent employers’ and workers’ organisations
and provides training and advisory services to those organisations. Within the UN
system, the ILO has a unique tripartite structure with workers and employers
participating as equal partners with governments.

In order to attain these objectives, the ILO assists member States as well as
employers’ and workers’ organisations in ratifying ILO Conventions and implementing
international labour standards. Since 1994, the ILO has been engaged in a process
of modernising and strengthening its labour standards system.

European Agency for Safety at Work
The European Agency for Safety and Health at Work aims to make Europe’s
workplaces safer, healthier and more productive. The European Agency acts as a
catalyst for developing, collecting, analysing and disseminating information that
improves the state of occupational safety and health in Europe.

The Agency is also a tripartite European Union organisation and brings together
representatives from three key decision-making groups in each of the EU Member
States – governments, employers and workers’ organisations.

Located in Bilbao (Spain) the Agency has co-ordinated a network since 1997 with
Focal Points in each Member State of the Union.

The World Health Organisation (WHO)
The World Health Organisation, the United Nations specialised agency for health,
was established on 7 April 1948. WHO’s objective, as set out in its Constitution, is
the attainment by all peoples of the highest possible level of health. Health is defined
in WHO’s Constitution as a state of complete physical, mental and social well-being
and not merely the absence of disease or infirmity.

Accident and Incident Data
There is no definition of accident or incident in law; however a useful definition is that
an accident is an unplanned, unwanted event which results in loss. In terms of
health and safety, loss is usually regarded as personal injury. In a similar fashion an
incident can be defined as an unplanned, unwanted event which had the potential to
result in loss but didn’t for some reason, that reason usually being chance.

A correlation exists between the severity of an outcome of an event and the
frequency of that event occurring. Consequently there are more near misses than
there are minor injuries, more minor injuries than major injuries, and more major
injuries than fatalities.

Figure 2: Accident triangle, HSG 65

    1    major or over-3-day lost-time injury, for every
    7    minor injuries, for every
    189  non-injury accidents

For example, most drivers of cars will, during their driving life, experience a near
miss; a smaller number will experience a collision; and a smaller number still will
experience a major collision. The actual numbers and ratios involved are not
relevant; what is relevant is the shape of the relationship: there are a greater number
of minor events than there are major events.

Similarly, if we take the view that an incident is the same as an accident without the
outcome of an injury, then by reducing the number of near misses it follows that the
number of accidents and major accidents will be reduced. When gathering accident
and incident data for the purposes of monitoring risk control measures the employer
must be confident that the accidents and incidents are actually reported and that
under-reporting of events is not commonplace within the workforce.

Analysing Trends
By gathering accident and incident data over time an analysis can be performed
whereby the numbers of events are measured over that time period. Whether the
number of events actually increases or decreases will then give a measure of a trend
over the period of time. This trend analysis will be subject to a number of different
influences. As mentioned earlier, the influence of under-reporting, possibly even
over-reporting, and of course the nature of the operation will influence the figures that
are actually reported. Consequently the trend may be influenced by aspects other
than the actual events themselves. Similarly, where the amount of work that an
organisation carries out is reduced, the number of undesirable events (accidents /
incidents) will decrease regardless of any changes in safety management practices.

Because the number of events recorded will be influenced by these other parameters
then the data recorded on the chart will include a number of peaks and troughs which
can make ‘spotting the trends’ difficult. In order to counter this difficulty, one method
of displaying the data will be by grouping the data recorded into for example quarterly
time spans. (See Element A2).
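As an added example (not part of the course text), the Python below groups constructed accident and incident records into quarters, normalises each quarter by hours worked so that a drop in activity is not mistaken for an improvement, and compares the near-miss to injury ratio against the 1 : 7 : 189 triangle above as a rough check for under-reporting; the normalisation by hours and the sample records are this example's assumptions.

```python
"""Quarterly trend analysis of accident and incident records.  Added example
using constructed records, not data from the course material."""
from collections import Counter
from datetime import date

# Constructed sample records: (date of event, accident-triangle category).
# Categories: "major" (major or over-3-day injury), "minor", "non-injury".
EVENTS = [
    (date(2006, 1, 9), "non-injury"),   (date(2006, 1, 23), "non-injury"),
    (date(2006, 2, 2), "minor"),        (date(2006, 2, 14), "non-injury"),
    (date(2006, 2, 27), "non-injury"),  (date(2006, 3, 6), "non-injury"),
    (date(2006, 3, 13), "minor"),       (date(2006, 3, 20), "non-injury"),
    (date(2006, 3, 28), "non-injury"),  (date(2006, 3, 31), "non-injury"),   # Q1: 10
    (date(2006, 4, 3), "non-injury"),   (date(2006, 4, 18), "non-injury"),
    (date(2006, 5, 1), "minor"),        (date(2006, 5, 15), "non-injury"),
    (date(2006, 5, 29), "non-injury"),  (date(2006, 6, 5), "non-injury"),
    (date(2006, 6, 12), "major"),       (date(2006, 6, 19), "non-injury"),
    (date(2006, 6, 26), "non-injury"),  (date(2006, 6, 30), "non-injury"),   # Q2: 10
    (date(2006, 7, 10), "non-injury"),  (date(2006, 7, 24), "minor"),
    (date(2006, 8, 7), "non-injury"),   (date(2006, 8, 21), "non-injury"),
    (date(2006, 9, 4), "non-injury"),                                         # Q3: 5
    (date(2006, 10, 2), "non-injury"),  (date(2006, 10, 9), "minor"),
    (date(2006, 10, 16), "non-injury"), (date(2006, 10, 23), "non-injury"),
    (date(2006, 11, 6), "non-injury"),  (date(2006, 11, 13), "non-injury"),
    (date(2006, 11, 20), "minor"),      (date(2006, 11, 27), "non-injury"),
    (date(2006, 12, 4), "non-injury"),  (date(2006, 12, 11), "non-injury"),
    (date(2006, 12, 18), "non-injury"), (date(2006, 12, 22), "non-injury"),  # Q4: 12
]

# Constructed hours worked per quarter: activity halved in Q3.
HOURS_WORKED = {"2006-Q1": 50_000, "2006-Q2": 50_000,
                "2006-Q3": 25_000, "2006-Q4": 50_000}

# HSG 65 accident triangle as quoted in the text: 1 major : 7 minor : 189 non-injury,
# i.e. about 23.6 non-injury events for every injury.
TRIANGLE_NON_INJURY_PER_INJURY = 189 / (7 + 1)


def quarter_key(d):
    """'2006-Q3' for any date in July to September 2006."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def group_by_quarter(events):
    """Counter of categories for each quarter that has at least one event."""
    grouped = {}
    for d, category in events:
        grouped.setdefault(quarter_key(d), Counter())[category] += 1
    return grouped


def rate_per_hours(count, hours_worked, per=100_000):
    """Events per 100,000 hours worked.  Normalising by hours is the added
    assumption; the text only notes that less work means fewer raw events."""
    return count * per / hours_worked


def near_miss_ratio(counts):
    """Non-injury events per injury (major + minor); inf when no injuries."""
    injuries = counts.get("major", 0) + counts.get("minor", 0)
    return counts.get("non-injury", 0) / injuries if injuries else float("inf")


def quarterly_summary(events, hours_by_quarter):
    """One row per quarter: raw total, normalised rate and an under-reporting flag.
    A near-miss ratio far below the triangle suggests near misses go unreported."""
    grouped = group_by_quarter(events)
    summary = {}
    for quarter in sorted(hours_by_quarter):
        counts = grouped.get(quarter, Counter())
        total = sum(counts.values())
        ratio = near_miss_ratio(counts)
        summary[quarter] = {
            "total": total,
            "rate_per_100k_hours": round(rate_per_hours(total, hours_by_quarter[quarter]), 2),
            "near_miss_ratio": round(ratio, 2) if ratio != float("inf") else ratio,
            "possible_underreporting": ratio < TRIANGLE_NON_INJURY_PER_INJURY,
        }
    return summary


if __name__ == "__main__":
    for quarter, row in quarterly_summary(EVENTS, HOURS_WORKED).items():
        print(quarter, row)   # Q3 total falls to 5 but the rate is unchanged at 20.0
```

In the constructed data the Q3 count halves along with the hours worked, so the raw count suggests an improvement that the normalised rate does not support.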

Risk Rating
Acceptability and Tolerability of Risk
The HSE have examined the concepts of acceptability and tolerability of risk in some
detail in their document Reducing Risks, Protecting People, 2001.

Acceptability does not necessarily mean tolerability. A dictionary definition of "accept" includes "agree to", whereas the dictionary definition of "tolerate" includes "put up with". Clearly, agreeing to the presence of a particular risk and putting up with a particular risk are different concepts.

Arguably, acceptability relates to the willingness to accept the presence of a particular risk in order to secure certain benefits. To tolerate a risk implies that the individuals who are at risk do not regard the presence of the risk as a fact of life or as negligible, but as something which needs to be regularly reviewed and controlled.

For example, most people are undeterred from using the road and car as a means of transport despite learning that over 5,000 people are killed each year by traffic in the UK.

Similarly, despite the fact that a woman has on average a 1 in 10,000 chance of dying as a result of childbirth, people are not put off having children.

The view of risk varies significantly depending on whether the individuals are capable of judging the extent of the hazard by experience, whether there is a lack of understanding of the cause or the presence of the danger, or whether there is a large dread factor attached to the consequences of the risk being realised. A lack of understanding can therefore lead to a lack of toleration as a result of dread.

In many circumstances the risk assessor looks at the hazard associated with a
situation or event, while the public may look at the outrage involved. This is not a
misperception of risk by either, simply a different way of defining a particular risk.

Perception of risk may be affected by factors such as:

• Who controls the risk.

• Risk transfer or substitution.

• Naturally occurring hazards.

• Risk familiarity / dread.

• Benefits to individual / society.

• The proximity of the risk.

• The level of technology required to control the risk.

• Confidence in control measures.

• Whether the alternatives are worse.

• Whether danger money is paid.

• Local or media interest.


Hazards giving rise to concerns can be put into two broad categories:

• Individual concerns, or how individuals see the risk from a particular hazard affecting them and the things they value personally. This is not surprising, since one of the most important questions for individuals incurring a risk is how it affects them, their family and the things they value. Though they may be prepared to engage voluntarily in activities that often involve high risks, as a rule they are far less tolerant of risks imposed on them and over which they have little control, unless they consider the risks negligible. Moreover, though they may be willing to live with a risk that they do not regard as negligible if it secures them or society certain benefits, they would want such risks to be kept low and clearly controlled.

• Societal concerns, or the risks or threats from hazards which impact on society and which, if realised, could have adverse repercussions for the institutions responsible for putting in place the provisions and arrangements for protecting people, e.g. Parliament or the Government of the day. This type of concern is often associated with hazards that give rise to risks which, were they to materialise, could provoke a socio-political response, e.g. the risk of events causing widespread or large-scale detriment, or the occurrence of multiple fatalities in a single event. Typical examples relate to nuclear power generation, railway travel, or the genetic modification of organisms. Societal concern due to the occurrence of multiple fatalities in a single event is known as societal risk. Societal risk is therefore a subset of societal concerns.


Hazards giving rise to societal concerns share a number of common features. They
often give rise to risks which could cause multiple fatalities; where it is difficult for
people to estimate intuitively the actual threat; where exposure involves vulnerable
groups, e.g. children; where the risks and benefits tend to be unevenly distributed -
for example, between groups of people with the result that some people bear more of
the risks and others less, or through time so that less risk may be borne now and
more by some future generation. People are more averse to those risks and in such
cases are therefore more likely to insist on stringent Government regulation. The
opposite is true for hazards that are familiar, often taken voluntarily for a benefit, and
individual in their impact. These do not as a rule give rise to societal concerns.
Nevertheless, activities giving rise to such hazards (for example, bungee jumping)
are often regulated to ensure that people are not needlessly put at risk.

In dealing with societal risk the term outrage is often used to describe the public’s
reaction, based on a number of subjective, personal factors. These factors can be
summarised in a series of questions about the potential hazard.

To describe the outrage level, see what column these hazard criteria fit into: High
outrage or Low outrage

High Outrage                              Low Outrage
Coerced                                   Voluntary
Industrial                                Natural
Exotic                                    Familiar
Memorable                                 Nondescript
Dreaded                                   Not dreaded
An emergency                              Chronic
Not knowable                              Knowable
Controlled by others                      Controlled by the individual
Process is not responsive                 Process is responsive
Done by someone unknown or not trusted    Done by someone trusted

Table 4: Public tolerance of incidents

If the words in the first column best describe the hazard, then the public outrage is
likely to be high. Regardless of what the assessors believe, the public will perceive
the hazard as being associated with a high risk. If, however, the words in the second
column best describe the hazard, then the outrage is likely to be low.

Where risks aren’t so clearly defined, risk communication and consultation are
important.


Radon provides a good example of a situation where the public has a low outrage
level where assessors consider that there is a high hazard level, while the Electro
Magnetic Flux controversy provides an example of high public outrage and current
low hazard estimates by assessors.

Levels of Fatal Risk (average figures, approximated)

Per annum          Activity
1 in 100           Risk of death from five hours of solo rock climbing every weekend.
1 in 1,000         Risk of death due to work in high-risk groups within relatively risky industries such as mining.
1 in 10,000        Risk of death in an accident at work in the very safest parts of industry.
1 in 1 million     General risk of death in a fire or explosion from gas at home.
1 in 10 million    Risk of death by lightning.

Table 5: Tolerability of Risk from nuclear power stations, HSE

"To the extent that we give remote risks any thought at all we do so knowing that each of us will ultimately die from some cause or other and that it could happen this year or next in any case. In fact on average in Britain a man of twenty has roughly a 1 in 1,100 chance of dying within a year, while for a man of forty the chance is around 1 in 600. At sixty it is 1 in 65 for a man and 1 in 110 for a woman. Each particular risk or cause of death is just one contributor to the overall risk we run."

HSE, 2004

As Low As is Reasonably Practical (ALARP)

"ALARP" is short for "as low as reasonably practical". ALARP means that the level of risk has been balanced against the resources (time, money and manpower) necessary to combat the risk. Positive action is taken unless the cost of the action is grossly disproportionate to the risk. A risk that is controlled to the ALARP standard may be considered tolerable.

In essence, making sure a risk has been reduced ALARP is about weighing the risk
against the sacrifice needed to further reduce it. The decision is weighted in favour
of health and safety because the presumption is that the duty-holder should
implement the risk reduction measure. To avoid having to make this sacrifice, the
duty-holder must be able to show that it would be grossly disproportionate to the
benefits of risk reduction that would be achieved. Thus, the process is not one of
balancing the costs and benefits of the measures but, rather, of adopting measures
except where they are ruled out because they involve grossly disproportionate
sacrifices. Extreme examples might be:

• To spend £1m to prevent five staff suffering bruised knees is obviously grossly disproportionate; but

• To spend £1m to prevent a major explosion capable of killing 150 people is obviously proportionate.

In reality many decisions about the risk and the controls that achieve ALARP are not
so obvious. Factors come into play such as ongoing costs set against remote
chances of one-off events, or daily expense and supervision time required to ensure
that, e.g. employees wear ear defenders set against a chance of developing hearing
loss at some time in the future. It requires judgement. There is no simple formula for
computing what is ALARP.

Figure 3: Tolerability of risk from nuclear power stations, HSE, 2001

Boundary Between the ‘Broadly Acceptable’ and ‘Tolerable’ Regions for Risk Entailing Fatalities
The HSE believes that an individual risk of death of 1 in 1,000,000 (10^-6) per annum
for both workers and the public corresponds to a very low level of risk and should be
used as a guideline for the boundary between the broadly acceptable and tolerable
regions. A residual risk of one in a million per year is extremely small when
compared to everyday levels of risk. Indeed many activities which people are
prepared to accept in their daily lives for the benefits they bring, for example, using
gas and electricity, or engaging in air travel, entail or exceed such levels of residual
risk. Moreover, many of the activities entailing such a low level of residual risk also
bring benefits that contribute to lowering the background level of risks. For example,
though electricity kills a number of people every year and entails an individual risk of
death in the region of one in a million per annum, it also saves many more lives, e.g.
by providing homes with light and heat, operating lifts, life support machines and
through a myriad of other uses.

Boundary Between the ‘Tolerable’ and ‘Unacceptable’ Regions for Risk Entailing Fatalities
The HSE does not have, for this boundary, a criterion for individual risk as widely applicable as for the boundary between the broadly acceptable and tolerable regions. This is because risks may be unacceptable on grounds of a high level of risk to an exposed individual or because of the repercussions of an activity or event on wider society.

Nevertheless the HSE suggested in their publication ‘The tolerability of risk from nuclear power stations’, 1992, that an individual risk of death of 1 in 1,000 (10^-3) per annum should on its own represent the dividing line between what could be just tolerable for any substantial category of workers for any large part of a working life, and what is unacceptable for any but fairly exceptional groups.

For members of the public who have a risk imposed on them ‘in the wider interest of society’ this limit is judged to be lower, at 1 in 10,000 (10^-4) per annum.

The HSE suggest that these limits should be used with caution, because:

• Hazards that give rise to such levels of individual risk also give rise to societal concerns, and the latter often play a far greater role in deciding whether a risk is unacceptable or not.

• The limits were derived for activities most difficult to control and reflect agreements reached at international level. In practice most industries in the UK do much better than that.


Risks Giving Rise to Societal Concerns

Where societal concerns arise because of the risk of multiple fatalities occurring in
one event from a single major industrial activity the HSE propose that the risk of an
accident causing the death of 50 people or more in a single event should be
regarded as intolerable if the frequency is estimated to be more than 1 in 5,000 per
annum.

In the case of most housing developments, the HSE advises against granting
planning permission for any significant development where individual risk of death for
the hypothetical person is more than 10 in a million per year, and does not advise
against granting planning permission on safety grounds for developments where
such individual risk is less than 1 in a million per year. Different criteria are applied to
sensitive developments where those exposed to the risk are more vulnerable, e.g.
schools, hospitals or old people’s homes, or to industrial or leisure developments.
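As an added example (not HSE material), the Python below places constructed risk estimates in the regions described above using the figures quoted in this section: 10^-6 per annum for the broadly acceptable boundary, 10^-3 (workers) and 10^-4 (public) for the unacceptable boundary, the 50-fatality / 1 in 5,000 societal criterion and the housing planning lines; how a value lying exactly on a boundary is treated is this example's assumption.

```python
"""Placing risk estimates in the HSE tolerability-of-risk framework set out
above: broadly acceptable / tolerable / unacceptable regions for individual
risk, the societal-risk criterion for multiple fatalities, and the land-use
planning advice for housing.  Added example; the thresholds are the figures
quoted in the text and the sample estimates are constructed."""

# Individual risk of death per annum (figures from the text).
BROADLY_ACCEPTABLE = 1e-6            # boundary for workers and the public alike
UNACCEPTABLE = {"worker": 1e-3,      # just tolerable for a substantial category of workers
                "public": 1e-4}      # for a risk imposed on the public in the wider interest
# Societal risk: 50 or more deaths in one event at more than 1 in 5,000 per annum.
SOCIETAL_DEATHS = 50
SOCIETAL_FREQUENCY = 1 / 5000
# Housing developments (individual risk to the hypothetical person).
PLANNING_ADVISE_AGAINST = 10e-6      # above 10 in a million: advise against permission
PLANNING_NO_OBJECTION = 1e-6         # below 1 in a million: no advice against on safety grounds


def individual_region(risk_per_annum, exposed="worker"):
    """Region for one exposed person.  A risk exactly on a boundary is placed in
    the lower region (an assumption; the text states boundaries, not a rule for them)."""
    if exposed not in UNACCEPTABLE:
        raise ValueError("exposed must be 'worker' or 'public'")
    if risk_per_annum <= BROADLY_ACCEPTABLE:
        return "broadly acceptable"
    if risk_per_annum > UNACCEPTABLE[exposed]:
        return "unacceptable"
    return "tolerable"               # tolerable only if also reduced ALARP


def societal_intolerable(deaths_per_event, frequency_per_annum):
    """HSE criterion for a single major industrial activity."""
    return deaths_per_event >= SOCIETAL_DEATHS and frequency_per_annum > SOCIETAL_FREQUENCY


def housing_planning_advice(risk_per_annum):
    """HSE land-use planning advice for a significant housing development."""
    if risk_per_annum > PLANNING_ADVISE_AGAINST:
        return "advise against"
    if risk_per_annum < PLANNING_NO_OBJECTION:
        return "no safety objection"
    return "between the two lines"   # the text gives no rule here; left to judgement


def assess(name, individual_risk, exposed, deaths_per_event=0, frequency_per_annum=0.0):
    """Combine the individual and societal tests: societal concerns can make a
    risk unacceptable even when the individual figure alone is tolerable."""
    region = individual_region(individual_risk, exposed)
    societal = societal_intolerable(deaths_per_event, frequency_per_annum)
    if societal:
        region = "unacceptable"
    return {"activity": name, "exposed": exposed, "region": region,
            "societal_intolerable": societal,
            "alarp_required": region == "tolerable"}


# Constructed estimates for illustration; the first two reuse orders of
# magnitude from Table 5, the rest are invented for the example.
SAMPLE_CASES = [
    ("death by lightning (Table 5 order of magnitude)", 1e-7, "public", 0, 0.0),
    ("work in the safest parts of industry (Table 5)", 1e-4, "worker", 0, 0.0),
    ("high-risk work estimated above 1 in 1,000", 2e-3, "worker", 0, 0.0),
    ("resident near a plant, 2 in 10,000", 2e-4, "public", 0, 0.0),
    ("site with a 60-fatality scenario at 1 in 2,000 per annum", 5e-5, "worker", 60, 1 / 2000),
]


def assess_all(cases=SAMPLE_CASES):
    return [assess(*case) for case in cases]


if __name__ == "__main__":
    for result in assess_all():
        print(result)
```

The last constructed case shows the point made above: an individual risk of 5 in 100,000 would sit in the tolerable region, but the societal-risk criterion makes the activity unacceptable.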

Principles and Techniques of Failure Tracing Methods
Several formal methods of assessing risk and minimising the consequences have been developed, such as:

• Hazard and Operability Studies (HAZOP).

• Hazard Analysis (HAZAN).

• Fault Tree Analysis (FTA).

• Failure Modes and Effects Analysis (FMEA).

• Event Tree Analysis (ETA).

Hazard and Operability Studies

HAZOP (hazard and operability) studies are procedural tools designed to highlight deficiencies and shortcomings in the design and operation of industrial plants. HAZOP studies aim to identify hazards and operability problems in plants which, if they were to occur, could reduce the plant's ability to achieve target productivity in a safe manner. The technique was initially developed by Imperial Chemical Industries (ICI) Ltd for improving the safety of their chemical plants. The procedure proved so successful that it gained acceptance within industry as a useful tool for qualitative hazard analysis. It is now widely used as a standard procedure for safety assessment in the process, chemical and petroleum industries and many others.


There are four primary reasons for carrying out a HAZOP on high risk plants:

• To protect workers / society.

• To reduce taxes.

• Legal requirement for a suitable and sufficient risk assessment.

• Knowledge of the plant.

The principle of reasonable practicability requires risk to be assessed and new control measures to be proportionate to that assessment. This has led to a methodology of quantified risk assessment, which is an important element in reaching a balanced decision on the precautions to be applied to reduce the components of the overall risk, particularly where major hazards are concerned, and in prioritising or targeting control measures.

At the design stage, HAZOP will cost about 1.5 to 2% of the total project cost; for
existing plant the cost may be as high as 5% of the original cost. It is an expensive
process and it is important to consider whether the expense is necessary to complete
a 'suitable and sufficient risk assessment'.


The Basic Concept of HAZOP

Key Definitions
Intention: how the plant is expected to perform.

Guide words: used to qualify or quantify intention in order to discover deviations (No, less, more, part of, as well as, reverse and other than).

Study nodes: locations on plant and instrumentation (P&I) drawings setting the scope of the studies.

Deviations: departures from design intent.

Causes: reasons deviations might occur.

Consequences: results of deviations from design intent.

Parameters
These are departures from the intention which are discovered by systematically applying the guidewords:

• Changes in quantity.

• Changes in chemical condition.

• Changes inside the vessel.

• Changes in physical condition.

• Start up / shutdown conditions.

• Emergency.


Deviations / Simple Guidewords

These are simple words that further break down the parameters and are used to qualify the intention in order to guide and stimulate the creative thinking process and so discover deviations. A list of simplified guidewords is given below:

Table 6: List of guidewords

The questioning is focussed in turn on every part of the design. Each part is
subjected to a number of questions formulated around a number of guidewords,
which are derived from method study techniques. In effect, the guidewords are used
to ensure that the questions, which are posed to test the integrity of each part of the
design, will explore every conceivable way in which that design could deviate from
the design intention.


Consequences and Causes

Consequences are the resulting hazards of the deviations, should they occur, which can cause damage, injury or loss. Causes are the reasons why deviations might occur. Once a deviation has been shown to have a conceivable or realistic cause, it can be treated as meaningful.

Existing Control
As with any baseline assessment, existing controls should be documented in detail or referred to (e.g. standard operating conditions), so that they are available when future upgrades, changes etc. are considered.

Further Action
This should be detailed and numbered for easy reference. Once 'checking' items have been eliminated the final document can be produced.

Application of HAZOP Studies

The HAZOP technique can be applied to new plants as well as existing plants, whole
plants or parts of the facilities, as required. HAZOP can also be applied at every
phase of project development, conceptual design and planning, detailed design,
construction, commissioning, and operation. Ideally, HAZOP should be conducted at
the design stage, as this allows design alterations with minimum additional costs.
However, it is also useful for upgrading plants.

Particular features of the HAZOP technique are the team approach and the key
definitions employed in the studies.

Team Approach
HAZOP utilises the collective effort of a multidisciplinary team to investigate possible
variations and deviations from the design intent. The team will be chaired by an
experienced facilitator who will guide and supervise the team throughout the study.
The team will possess a blend of expertise and skills reflecting the operational
requirements of the plant under investigation. A typical team will consist of a safety
engineer, process engineer, instrumentation engineer, electrical engineer, operation
engineer, and mechanical engineer. Other science and engineering disciplines may
be added to the team to suit the particular requirements of a specific plant.

There are ten stages in implementing a HAZOP study. These are described below.


1. Define the objectives and scope of the study.

The objectives and scope of the study should be defined by management. These will differ depending on the stage of a project/plant.

New Plant (conceptual stage):

• Check the safety of the proposed plant design.
• Develop a list of equipment specifications for vendors - selection of plant location.
• Verification of the effectiveness of the safety systems in the proposed plant.

Existing Plant - the study scope may include:

• Improve the safety of the existing plant.
• Check the viability of plant upgrading.
• Check the viability of process modifications.
• Loss prevention.
• Liability, insurability.
• Meeting revised safety and environmental regulations.
• The power.
• Human error.
• Effects of wind at average/maximum speeds.
• Software.
• Delivery of the wrong chemicals in the right containers.
• The effects of a major disaster on the plant, e.g. aeroplane crash.
• Quality issues.

2. Select the team leader (chairman and Secretary).

The team leader plays a vital role in the success of the HAZOP study. The
team leader should be an independent and experienced HAZOP facilitator
with knowledge of chemical engineering, e.g. valve actuation, etc. and
process design principles. The main task of the team leader is to identify
problems, define study nodes, guide the team members and maintain their
concentration on the tasks assigned to them. Prior to arranging meetings, the
team leader estimates the team-hours needed for the study, the schedules,
durations and the frequencies of the sessions. The team leader prepares a
plan for the sequence of the study based on how the plant is operated, to
ensure that the study is implemented methodically.

3. Select the team.

The rest of the team should be skilled engineers in the disciplines relevant to
the plant operation, and an experienced plant operator with detailed
knowledge of the process. The selection of the size and composition of the
team should ensure that the group approach is maintained and that the team
possesses the levels of knowledge necessary to ensure a complete study.


For example, a team might include the following: design engineer, process
engineer, mechanical engineer, operation supervisor, instrument electrical
engineer, chemist, maintenance supervisor, and a safety engineer.

4. Define physical boundaries.

In their investigation, the team defines the physical boundaries of the systems and equipment on which the HAZOP is carried out. The boundaries are usually marked on P & I drawings (plant and instrumentation) that describe the overall layout of the plant, equipment, vessels, piping, instruments, valve types, and process parameters such as flow, temperature, pressure, volume, etc.

5. Collect the data.

Typically, the data consists of line diagrams, process and instrumentation diagrams, flowsheets, plant layouts, isometrics and fabrication drawings, plant operations instructions, instrument sequence control charts, logic diagrams, and equipment manufacturers' manuals.

6. Process the Data.

This can vary from plant to plant. In continuous process plants the
processing of the data is minimal as the existing up-to-date flowsheets and P
& I diagrams usually contain enough information for the study. With batch
process plants, processing of the data is more expensive, mainly because of
the amount of manual operations involved.

7. Design review.

The team is assisted by a set of checklists and the P & I diagrams. The
checklists are applied at specific areas in the plant known as study nodes.
These nodes are points where the process parameters (pressure,
temperatures, flow, etc.) have a defined design intent. Between these nodes
are the plant components (pumps, vessels, heat exchangers, etc.) which can
cause changes in the parameters.

8. Record the results.

The recording process is a crucial part of the HAZOP study and it is important that all ideas are recorded on the HAZOP form. This form is best filled in by an experienced engineer who understands the discussions and records the findings accurately.

9. Implement design modifications.

The team detects possible causes of the deviations and recommends corrective actions. Corrective action may include design modifications or the implementation of additional safety features, for example resizing of equipment or piping lines, installation of relief valves, new written procedures, provision of PPE and information to contractors, and may also include many checking actions to confirm the design intention or flow parameters, etc. The team leader assigns the implementation of each corrective action to the relevant discipline specialist. Progress is monitored at the next meeting of the team.

10. Reporting.

The final report is compiled by the team leader for submission to management. The report should be concise and accurate in detail. It contains information about major deviations from design intent, details of recommended design modifications, and the capital expenditure needed for implementation. All actions should be numbered for ease of reference.

Figure 4: An example of a simple flowsheet (labels in the figure: Chemical A, Chemical B, Chemical C, isolation valves, Pump 1, Pump 2, To Process)

A Simple Example for a Continuous Plant

To illustrate the principles of the examination procedure, consider a plant in which chemicals A and B react together to form a product C. Let us suppose that the chemistry of the process is such that the concentration of the raw material B must never exceed that of A, otherwise an explosion may occur.

Referring to Figure 4, start with the pipeline extending from the suction side of the pump which delivers raw material A to where it enters the reaction vessel.

The intention is partly described by the flowsheet and partly by the process control requirements to transfer A at some specified rate. The first deviation is that obtained by applying the guideword NOT, DON'T or NO to the intention. This is combined with the intention to give:


No Transfer of A

The flowsheet is then examined to establish the causes which might produce a complete cessation of the flow of 'A'. These causes could be:

• Supply tank is empty; or
• Pump fails to turn due to:
  - Mechanical failure.
  - Electrical failure.
  - Pump being switched off.
• Pipeline is fractured.
• Isolation valve is closed.

Clearly some at least of these are conceivable causes and so we can say that this is a meaningful deviation.

Next we consider the consequences. Complete cessation of flow of 'A' would very soon lead to an excess of 'B' over 'A' in the reaction vessel and consequently to a risk of explosion. We have therefore discovered a hazard in the design and this is noted for further consideration.

We now apply the next guideword which is MORE. The deviation is:

MORE 'A' is passed into the Reaction Vessel.

The cause would be that the characteristics of the pump might, under some circumstances, produce an excessive flow rate. If this cause is accepted as realistic, we then consider the consequences:

• The reaction produces 'C' contaminated with an excess of 'A' which goes on into the next stage of the process.

• The excess flow into the reaction vessel means that some will leave the vessel by the overflow.

Since the cause is a conceivable one, this too is a meaningful deviation.

We now apply the next guideword which is LESS. The deviation is:

LESS 'A' is passed into the Reaction Vessel.

The causes are a little different from those when the deviation was the complete cessation of the flow of 'A':

• The isolation valve is slightly closed.
• The pipeline is partly blocked.
• The pump fails to produce the full flow because:
  - The impellors are eroded.
  - The valves are worn, etc.

The consequence is similar to no flow and so the potential hazard is of a possible explosion.

AS WELL AS:

• The transfer of some component in addition to 'A'. A search of the flowsheet in Figure 4 shows an additional line with an isolation valve on the pump suction. If this valve were not shut, another component might be transferred together with 'A'. This may cause a chemical reaction or dilute 'A'.

• The transfer of 'A' somewhere else in addition to its transfer to the reactor. Inspection of the flowsheet shows this is possible. It could for example flow up the line on the suction side of the pump; and

• The carrying out of another activity concurrently with the transfer. For example, can 'A' boil or decompose in the pipelines or the pump?

PART OF:

The other related deviation is that which occurs when the design intention is incompletely achieved. The guidewords are PART OF and the deviation PART OF TRANSFER 'A'. This could mean:

• A component of 'A' is missing. Here a knowledge of the composition of 'A' is required so the effects of the missing component can be assessed; or

• The omission of one or more reactors if the pump delivers 'A' to more than one reactor.

The final two deviations are again qualitative, but none of the original design intention is retained. The first of these is the opposite of the design intention.

Reverse:
The guideword is REVERSE and the deviation REVERSE TRANSFER OF 'A'. This means flow from the reactor back through the pump. The flowsheet is examined to see if this is possible and the consequences are assessed.

Other than:
Lastly, there is the complete substitution of the design intention by something else. The guidewords are OTHER THAN and the deviation is OTHER THAN TRANSFER. This could mean:

• The transfer of a different material. The flowsheet is examined to see if this is possible. Substitution could arise in a number of ways; for example, the wrong material could be delivered, or another material admitted via the T piece on the suction side of the pump. Information would be gathered on possible materials and their side effects; or

• A change in the implied destination, i.e. transfer of 'A' somewhere other than the reactor. Inspection of the flowsheet shows that this can happen via the T piece; or

• A change in the nature of the activity, for example can 'A' solidify instead of being transferred?


Table 7: Completed HAZOP study results


When the pipeline which introduces raw material 'A' has been examined, it is marked on the flowsheet as having been checked. The next part of the design is then chosen for study, and this could be the pipeline which introduces raw material 'B' into the reaction vessel. This sequence is repeated for every part of the design: each line, the vessel auxiliaries such as stirrers, any services to the vessel such as the provision of heating and cooling, and the vessel itself. This particular approach is sometimes called the 'line by line' method.

Only under exceptional circumstances is a written record made of every step of the
examination. It is more usual to carry out the steps mentally and verbally in
discussion and to write down only the potential hazards and their causes.

The proposed action is also noted if it can be agreed straight away. If there is some
doubt about the action or if further information is required, the matter must be brought
forward to a subsequent meeting.

Process Instructions for Batch Processes

When studying a batch process plant, it is necessary to apply the guidewords to
the instructions as well as to the pipelines. For example, if an instruction states that 1
tonne of chemical 'A' has to be charged into a reactor, the team should consider
deviations such as:

- Don't charge 'A';

- Charge more 'A';

- Charge less 'A';

- Charge as well as 'A';

- Charge part of 'A' (if 'A' is a mixture);

- Charge other than 'A';

- Reverse charge 'A' (can flow occur from the reactor to the 'A' container?) - this can
often be the most serious deviation;

- 'A' is added too early;

- 'A' is added too late;

- 'A' is added too quickly; and

- 'A' is added too slowly.

Relation to other Analysis Tools

HAZOP may be used in conjunction with other dependability analysis methods such
as Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA). The
combinations may be utilised in situations when:

- The HAZOP analysis clearly indicates that the performance of a particular
item of equipment is critical and needs to be examined in considerable depth.
The HAZOP may then be usefully complemented by an FMEA of that item of
equipment.

- Having examined single element/single characteristic deviations by HAZOP, it
is decided to assess the effect of multiple deviations using FTA, or to quantify
the likelihood of the failures, again using FTA.

- HAZOP is essentially a system-centred approach, as opposed to FMEA, which
is component-centred. FMEA starts with a possible component failure and
then proceeds to investigate the consequences of this failure on the system
as a whole. Thus the investigation is unidirectional, from cause to
consequence. This is different from a HAZOP study, which is concerned with
identifying the possible deviations from the design intent and then proceeds in
two directions: one to find the potential causes of the deviations and the other
to reduce their consequences.

Hazard Analysis (HAZAN)

Hazard Analysis (HAZAN) is a quantitative technique to obtain an understanding of
hazards in terms of:

- How often a hazard will manifest itself.

- With what consequences for people, process and plant.

HAZAN may form part of a wider study, e.g. HAZOP, and is used on selected parts of
a process, e.g. a safety relief valve. Quantitative data based on past experience is
the most important means of identifying hazards and assessing potential frequency,
e.g. the frequency of safety relief valve failure, although for new processes and techniques
such experiential data may be limited.

A thoroughly conducted HAZAN provides a sound quantitative basis for decisions on
the risk reduction measures that it will be reasonable to take, and is often used to justify
not making further expenditure on critical safety measures.

Figure 5: Why do we want to apply numerical methods to safety problems?

The horizontal axis of Figure 5 shows expenditure on safety over and above that
necessary for a workable plant, and the vertical axis shows the money returned. In
the left-hand region safety is good business: by spending money on safety, apart
from preventing injuries and plant failure, more profit is made.

In the next region safety is poor business. Some money is returned for the safety
expenditure, but not as much as could be obtained by investing it in other ways.

The third region is reached if money continues to be spent on safety. Here safety is
bad business but good humanity: money is spent so that people do not get hurt,
although this reduces profitability.

In the final region expenditure on safety measures is so excessive that there is a
distinct risk of going out of business. The consequences of this are that products
become so expensive that no-one will buy them, the company becomes bankrupt,
jobs are lost and, possibly, the public is deprived of the benefits of the products.

A decision has to be made where to draw the line on safety expenditure. This can be
a qualitative judgement; however, in the case of process plant it can be made quantitative
using HAZAN.

While HAZOP is a technique that can be applied to every new design and major
modification, HAZAN is a selective technique. It is neither necessary nor possible to
quantify every hazard on every plant.

The term hazard analysis is used rather than risk analysis as HAZAN does more than
quantify the risk. When used with other techniques, especially fault trees, it
demonstrates how the hazard arises, which contributing factors are the most
important and the most effective ways of reducing risk. Most of all, it allows effective
allocation of resources.

Failure Modes and Effects Analysis (FMEA)

Failure Modes and Effects Analysis (FMEA) is a qualitative structured method for
hazard identification. It is a simple method, that is easy to apply, yet it is a powerful
tool that can be used to improve the quality of products and processes. Furthermore,
its concept and schematic approach can be readily adapted by management to solve
problems that may arise with procedures within an organisation. The FMEA is a
preliminary failure analysis methodology, and as such it is widely used in a multitude
of applications related to safety, reliability, processes and product design,
development and quality of products and systems.

Applications of FMEA

The FMEA can be applied to engineering products, chemical processes,
manufacturing operations, human tasks, as well as procedures. A practical
application of FMEA would involve the completion of a worksheet in which the failure
modes of individual components, such as relays and switches, are identified.

These can then be evaluated (qualitative or quantitative) and risk priority codes
identified. A summary sheet can then be prepared in which failure modes are listed in
declining order of risk priority. The summary should also list the corrective measures
required to reduce the frequency of failure or to mitigate the consequences.
Corrective actions could include changes in design, procedures or organisational
arrangements.

FMEA can be used for single point failure modes but can be extended to cover
concurrent failure modes. It can be a costly and time consuming process but once
completed and documented it is valuable for future reviews and as a basis for other
risk assessment techniques such as HAZOP studies, Fault Tree Analysis and Event
Tree Analysis.

Information Needed for FMEA

To perform an FMEA, the analyst must be very familiar with the function(s) of the
part or the system; this is gained either from previous experience or from manuals
provided by the manufacturers. Most manufacturers include lists of function(s) and
fault diagnosis in their operating and maintenance manuals.

An important part of FMEA is for the analyst to understand thoroughly what is meant
by a ‘failure mode’. A failure mode is a description or scenario of how systems,
equipment, part(s), and procedures could fail. This should include all possible modes
of failures, even if the likelihood of occurrence is small.

Considering the System or Component to be Analysed

The technique requires a schematic approach, methodical planning and thorough
implementation. The analysis must be meticulous and critical enough to ensure that
all factors that can contribute to failures are considered. When applying FMEA to a
component or system, the analyst must understand the basics of the part's function,
and be able to recognise changes that deviate from and are not consistent with normal
operation.

Before carrying out an FMEA, the entity under analysis must be defined. This could
be of any form and size, and ranges from a component element, a unit, or a sub-
system to a complex system. The selection of the entity and its size depends on the
intended purpose, scope and depth of the investigation.

For example, consider the case of a petrol engine for a motor car. The engine is
comprised of a fuel system, ignition system, cooling system, lubricating system, etc.
Each system can be broken down into its basic components; for example, the fuel
system is comprised of a fuel pump, filter, piping, carburettor, fuel tank, etc. The
ignition system is comprised of a battery, alternator, spark plugs, starter motor, fan
belt, wiring, etc. The cooling system is comprised of a fan, radiator, piping, water
reservoir, etc. The lubricating system is comprised of an oil reservoir, oil pump, oil filter,
piping, etc.

Key Characteristics Indicating Failure

In the examination of a part or a process, a number of characteristics serve as focal
points when recognising and evaluating failure modes. These are loss of operational
function, distortion, discolouration, discontinuity, smell, changes in material
properties, and foreign matter:

- Loss of operational function can easily be recognised, and can vary from
erratic performance to total breakdown.

- Distortion is defined as any change in the physical shape of a part. It can be
on a large scale, where changes in the physical dimensions of a part are
significant when compared to the nominal dimensions of the part. Distortion at
the surface level can be evident in a number of forms such as smoothing or
polishing of the surface, roughening of the surface, shallow grooving,
ripples, wrinkles, superficial pitting, etc.

- Discolouration is easy to detect, and is a good indicator of improper process
control, corrosion, and the infusion of foreign matter that has an influence on
the functionality of the part or the process.

- Discontinuity is defined as any break or irregularity in the surface of a part.
On a large scale, discontinuity is evident from the absence of material which
has left the part or the system as failure debris. When damage to a
part is minor, discontinuity can appear as cracks, pits, delamination, spalling,
or internal material defects such as voids and foreign matter in castings and
mouldings.

- Smell, or the presence of an aroma or odour, is an important factor when dealing
with rubber and plastic components and compounds. An unusual smell is often
an indication of damage caused by the chemical activity of the materials that
come into contact with the components.

- A change in material properties is defined as the loss of or variation in the initial
characteristics of the material. Properties of materials include strength,
elasticity, plasticity, toughness, hardness, ductility, brittleness, and chemical
composition. Examples of changes in material properties are the charring of
elastomers, the oxidation (rusting) of steel, and the formation of metallic salts
on plated parts.

- Foreign matter is any material that is not part of the original system. This includes all
debris and corrosion products found in a system. When present, foreign matter is
usually an indication of a failure in the system, and can provide useful background
information to identify a possible failure mode in the system or other related systems.

Implementation of Failure Modes and Effects Analysis (FMEA)

There are five steps necessary to implement FMEA, which are:

- Identify failure modes;

- Analyse failure modes;

- Express failure modes;

- Decide on corrective actions; and

- Monitor progress.

FMEA is implemented by creating a list of all equipment and associated systems in
the plant. For each piece of equipment/system, all possible failure modes are
established.

For each failure mode, the analysis should identify both the immediate and expected
effects of the failure on other equipment and the process or system, the cause(s),
and the recommended remedial action(s). The modes of failure, the cause(s), and
the recommended remedial action(s) are recorded on a standard worksheet as
shown in Table 8.

Example

Consider the failure of a hydraulic system which is comprised of a pump, pump drive
motor, coupling, control valve, relief valve and piping. The hydraulic system delivers
water from a cooling tower to a process vessel. The failure of the system can be
either a total breakdown, where there is no flow, or an erratic performance, where the
system delivers the incorrect amount of water, i.e. either too little or too much water.
No water or little water will result in the overheating of the process fluid. Too much
water will result in a process fluid with undesirable low temperature with the
subsequent adverse effects on the process.

Table 8: Sample FMEA worksheet for a hydraulic system

Depending on the required resolution of the FMEA, the hydraulic system can be
broken down into its basic units, such as pump, drive motor, coupling, piping, etc.
and the FMEA could be applied to each unit. Table 9 shows a sample FMEA
worksheet for a hydraulic pump.
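The worksheet and the summary sheet in declining order of risk priority, described under "Applications of FMEA", can be held as a small data structure and ranked automatically. The Python script below is an added example; it is not part of the course text and does not reproduce the worksheets in Tables 8 and 9. Its components and the two failure types (no flow, erratic delivery) follow the hydraulic system described above, but every failure-mode entry, the 1 to 10 severity/occurrence/detection scales and the Risk Priority Number (RPN = severity x occurrence x detection) used to order the summary are assumptions introduced here: the RPN is a common FMEA convention, not one the course text prescribes.

```python
"""FMEA worksheet and risk-priority summary for the hydraulic cooling-water system.

Added example, not part of the course text. The components and the two failure
types follow the hydraulic system described in the text; every failure-mode
entry, the 1-10 rating scales and the Risk Priority Number (RPN = severity x
occurrence x detection) are assumptions introduced here.
"""
from dataclasses import dataclass


@dataclass
class FailureMode:
    component: str
    mode: str          # how the item fails
    effect: str        # immediate/expected effect on the system or process
    cause: str         # likely cause(s)
    severity: int      # 1 = negligible effect .. 10 = catastrophic (assumed scale)
    occurrence: int    # 1 = remote .. 10 = almost certain (assumed scale)
    detection: int     # 1 = certain to be detected .. 10 = undetectable (assumed scale)
    action: str        # recommended remedial action

    def rpn(self) -> int:
        """Risk Priority Number: product of the three ratings (assumed convention)."""
        for name, score in (("severity", self.severity),
                            ("occurrence", self.occurrence),
                            ("detection", self.detection)):
            if not 1 <= score <= 10:
                raise ValueError(f"{name} rating {score} is outside the 1-10 scale")
        return self.severity * self.occurrence * self.detection


def build_worksheet() -> list:
    """Constructed worksheet entries; the ratings are illustrative assumptions."""
    return [
        FailureMode("Pump", "Seized, no flow",
                    "No cooling water: process fluid overheats",
                    "Bearing failure, loss of lubrication", 8, 3, 3,
                    "Vibration monitoring; planned bearing replacement"),
        FailureMode("Drive motor", "Fails to run",
                    "No cooling water: process fluid overheats",
                    "Winding burn-out, supply failure", 8, 2, 2,
                    "Installed standby motor; supply monitoring"),
        FailureMode("Coupling", "Shears",
                    "No flow", "Fatigue from misalignment", 8, 2, 4,
                    "Alignment check at each maintenance interval"),
        FailureMode("Control valve", "Stuck open",
                    "Too much water: process fluid too cold",
                    "Actuator fault", 5, 4, 4,
                    "Valve position feedback with alarm"),
        FailureMode("Control valve", "Stuck closed or partly closed",
                    "Too little water: process fluid overheats",
                    "Actuator fault, fouling", 8, 4, 4,
                    "Valve position feedback with alarm; low-flow alarm"),
        FailureMode("Relief valve", "Lifts early (passing)",
                    "Reduced flow to process",
                    "Spring fatigue, seat damage", 4, 3, 6,
                    "Periodic bench test"),
        FailureMode("Piping", "Leak or rupture",
                    "Reduced or no flow; flooding",
                    "Corrosion, erosion", 7, 2, 5,
                    "Wall-thickness inspection"),
    ]


def summary_sheet(worksheet: list) -> list:
    """Failure modes in declining order of risk priority as (component, mode, RPN).

    sorted() is stable, so modes with an equal RPN keep their worksheet order.
    """
    ranked = sorted(worksheet, key=lambda fm: fm.rpn(), reverse=True)
    return [(fm.component, fm.mode, fm.rpn()) for fm in ranked]


def modes_needing_action(worksheet: list, threshold: int = 100) -> list:
    """Entries whose RPN is at or above the action threshold (the threshold is assumed)."""
    return [fm for fm in worksheet if fm.rpn() >= threshold]


if __name__ == "__main__":
    ws = build_worksheet()
    print(f"{'Component':14} {'Failure mode':30} RPN")
    for component, mode, rpn in summary_sheet(ws):
        print(f"{component:14} {mode:30} {rpn:3d}")
    for fm in modes_needing_action(ws):
        print(f"ACTION: {fm.component} / {fm.mode}: {fm.action}")
```

With the constructed ratings the control valve sticking closed heads the summary (RPN 128) and is the only entry over the assumed action threshold of 100; the pump and relief valve tie at 72 and keep their worksheet order. The point of the ranking is the one the text makes: the summary, not the raw worksheet, is what drives the corrective-action list.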

Table 9: Sample FMEA worksheet for a hydraulic pump

Benefits and Limitations

As has been demonstrated, FMEA is a useful qualitative tool for failure analysis and
identification and can be used extensively with other hazard identification techniques
such as HAZOP and fault tree analysis. However, FMEA does not give a ranking or
an indication of the severity of the failures and its application relies on the experience
of the analyst and his or her understanding of the system.

Fault Tree Analysis (FTA)

FTA provides a systematic approach to the identification of the combinations of
possible occurrences that could together produce an undesirable effect.

The possible combinations of occurrences, once identified, are displayed graphically in
a fault tree.

The frequency or probability of these occurrences can be estimated to enable a
quantitative analysis of the undesirable effects to be conducted.

FTA can be useful in identifying a list of potential failures.

How to carry out an FTA

It is essential to define the boundaries of the study to limit it to a manageable size. It
is important to select and define the 'top event'. This could typically be:

- Machine or process failure.

- Component failure.

- An accident.

- An explosion.

- A system failure.

The fault tree is then constructed downward from the top event. It will look like an
inverted tree, branching downwards rather than upwards.

The tree is constructed by identifying and correctly relating all events and
combinations and/or sequences of events that could result in the top event. These
are related through AND/OR gates.

And / Or Gates
If a top event could only occur if both sub-event A and sub-event B occurred, this
would be represented using an AND gate as illustrated in Figure 6.

For example the top event could represent a person falling from a ladder, which
could be caused both by the person overreaching (sub-event A) and the ladder
slipping laterally (sub-event B).

Figure 6: And Gate

If a top event could occur if either sub-event A or sub-event B occurred, this
would be represented using an OR gate as illustrated in Figure 7.

For example the top event could represent a fork-lift truck overturning, which could
be caused by either lateral (sub-event A) or longitudinal instability (sub-event B).

Figure 7: Or gate

Figure 8 demonstrates the construction of a fault tree for the top (undesired) event of
a fire in a multi-storey car park. Note that when a sub-event is not developed any
further the convention is to place it in a diamond shape rather than a rectangle, and
final or basic events are placed in a circle.

Figure 8: Example Fault Tree

If the failure rate or probability of the basic causes can be determined, often from
statistical analysis, then the following can be determined:

- How likely the top event is to occur, i.e. the probability.

- How frequently the top event occurs, i.e. the frequency (failure rate).

Numerical Evaluation of Fault Tree

1) For an 'And' Gate

For an And gate the probability of the top event occurring is calculated by multiplying
the probabilities of the causes, beginning at the lower level basic causes working up
to the top event.

If P1 = Probability of Basic Cause 1

and P2 = Probability of Basic Cause 2

and P = Probability of Top Event

Then P = P1 x P2

Figure 9: Numerical Evaluation of Fault Tree (AND Gate)

Note: For AND Gates multiply probabilities.

2) For an ‘Or’ Gate

For an OR gate the probability of the top event occurring is calculated by adding the
probabilities of the causes, beginning at the lower level basic causes working up to
the top event.

If P1 = Probability of Basic Cause 1

and P2 = Probability of Basic Cause 2

and P = Probability of Top Event

Then P = P1 + P2

Figure 10: Numerical Evaluation of a Fault Tree (OR Gate)

Note: For OR Gates add probabilities.

Most fault trees will consist of a combination of OR and AND gates, which can be
analysed by starting at the lowest level and working up to the top event.

When using either AND or OR gates the frequency (f) of the top event is the
reciprocal of its probability (P):

f = 1 / P

For example, if the probability of the top event was calculated to be 0.1 (10% chance
of occurrence per year), the frequency of occurrence would be the reciprocal of its
probability, which is once every 10 years. This frequency could then be compared
with tolerability of risk figures when deciding if the risk is ALARP.

Once the probability and frequency of the top event is calculated, a decision can then
be made as to whether these are tolerable. In order to reduce the probability, hence
frequency, of the top event risk reduction measures should be applied to the basic
causes. By reducing the probability of basic causes the probability of the top event is
reduced.
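The AND/OR rules above can be applied mechanically to a whole tree by working up from the basic causes, and the same evaluator answers the question which basic cause is most worth reducing. The Python below is an added example, not from the course text. It implements the text's multiply (AND) and add (OR) rules, also shows the exact OR combination for independent events (1 minus the product of the non-occurrence probabilities, which the additive rule slightly over-estimates), and ranks the basic causes by how far eliminating each would lower the top event. The tree is constructed from the ladder-fall illustration earlier in this section; the two causes of the ladder slipping and all of the probabilities are assumptions.

```python
"""Numerical evaluation of a fault tree built from AND and OR gates.

Added example, not part of the course text. Gate rules are those given in the
text (AND: multiply, OR: add). The tree is a constructed illustration based on
the text's ladder-fall example; the two causes of the slip and every
basic-event probability are assumptions, not data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class Basic:
    """A basic event (drawn as a circle) with a known probability."""
    name: str
    p: float

    def __post_init__(self):
        if not 0.0 <= self.p <= 1.0:
            raise ValueError(f"{self.name}: probability {self.p} must lie in [0, 1]")


@dataclass
class Gate:
    """An intermediate event whose inputs are combined by an AND or OR gate."""
    name: str
    kind: str                                    # "AND" or "OR"
    inputs: List[Union[Basic, "Gate"]] = field(default_factory=list)


Node = Union[Basic, Gate]


def evaluate(node: Node, exact_or: bool = False) -> float:
    """Probability of `node`, working up from the basic causes.

    AND: product of the input probabilities.  OR: sum of the input probabilities
    (the text's rule), capped at 1; with exact_or=True the union of independent
    events, 1 - prod(1 - p), is used instead.
    """
    if isinstance(node, Basic):
        return node.p
    ps = [evaluate(child, exact_or) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        if exact_or:
            none_occur = 1.0
            for p in ps:
                none_occur *= (1.0 - p)
            return 1.0 - none_occur
        return min(1.0, sum(ps))
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def return_period(p: float) -> float:
    """Frequency as the text defines it: the reciprocal of the probability."""
    if p <= 0:
        raise ValueError("probability must be positive to take its reciprocal")
    return 1.0 / p


def basic_events(node: Node) -> List[Basic]:
    """All basic events beneath `node`, in tree order."""
    if isinstance(node, Basic):
        return [node]
    found: List[Basic] = []
    for child in node.inputs:
        found.extend(basic_events(child))
    return found


def reduction_ranking(top: Gate) -> List[Tuple[str, float]]:
    """Top-event probability if each basic cause were eliminated, best reduction first.

    Each basic probability is set to 0 in turn and then restored.
    """
    ranking = []
    for ev in basic_events(top):
        saved = ev.p
        ev.p = 0.0
        ranking.append((ev.name, evaluate(top)))
        ev.p = saved
    ranking.sort(key=lambda item: item[1])
    return ranking


def build_ladder_tree() -> Gate:
    """Constructed tree: fall = overreach AND slip; slip = loose surface OR not footed."""
    slip = Gate("Ladder slips laterally", "OR", [
        Basic("Ladder foot on loose surface", 0.03),     # assumed probability
        Basic("Ladder not footed or tied", 0.02),        # assumed probability
    ])
    return Gate("Person falls from ladder", "AND", [
        Basic("Person overreaches", 0.1),                # assumed probability
        slip,
    ])


if __name__ == "__main__":
    tree = build_ladder_tree()
    p_top = evaluate(tree)
    print(f"P(top) = {p_top:.5f} (exact OR: {evaluate(tree, True):.5f})")
    print(f"Frequency: once every {return_period(p_top):.0f} years")
    for name, p_without in reduction_ranking(tree):
        print(f"  eliminate '{name}': P(top) -> {p_without:.5f}")
```

With the assumed figures the slip gate evaluates to 0.05 by addition (0.0494 exactly) and the top event to 0.005, a frequency of once every 200 years by the text's reciprocal rule. The ranking shows why risk reduction is applied at the basic causes: removing the overreach input of an AND gate takes the top event to zero, whereas removing either slip cause only removes its share of the OR gate.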

Example

Construct a Fault Tree for an accident occurring between a vehicle on the
roundabout in collision with a vehicle entering the roundabout.

Figure 11: Accident on a Roundabout

Figure 12: Example of a fault tree numerical analysis

Determine the probability of an Accident

Note: Probability P of vehicle "on roundabout" is 0.2

Event Tree Analysis (ETA)

Event tree analysis is a forward-thinking process, based on binary logic, in which an
event either has or has not happened, or a component has or has not failed. It is
valuable in analysing the consequences arising from a failure or undesired event.

An event tree begins with an initiating event, such as a component failure, an increase in
temperature/pressure or a release of a hazardous substance. The consequences of
the event are followed through a series of possible paths. Each path is assigned a
probability of occurrence and the probability of the various possible outcomes can be
calculated.

In the following example fire protection is provided by the sprinkler system. A
detector will either detect the rise in temperature or it will not. If the detector
succeeds, the control box will either work correctly or it will not, and so on. There is
only one branch in the tree that indicates that all the sub-systems have succeeded.

Procedures For Performing Event Tree Analysis

Four steps are necessary to perform ETA:

Step 1 Identify an initiating event of interest.

Step 2 Identify the safety functions designed to deal with the initiating event.

The safety functions (safety systems, procedures, operator actions, etc.) that
respond to the initiating event can be thought of as the plant's defence against the
occurrence of the initiating event. These safety functions usually include:

- Safety systems that automatically respond to the initiating event, including
automatic shutdown systems.

- Alarms that alert the operator when the initiating event occurs.

- Operator actions.

The analyst should identify all system functions and their intended purpose for
mitigating the effects of the initiating event. The analyst should list the safety
functions in the order in which they are intended to occur.

Step 3 Construct the event tree. The event tree displays the logical progression
of an accident. The event tree begins with the initiating event and
proceeds through the successes and/or failures of the safety functions
that react to the initiating event. Only two possibilities are considered
when evaluating the response of the safety functions: that it is a success
or a failure. The success of a safety function is defined as its ability to
prevent the initiating event from progressing further, thus preventing an
accident. The failure of a safety function is defined as its inability to stop
the progression of an initiating event or alter its course so that the other
safety functions can respond to it.

Step 4 Describe the resulting accident event sequences. The accident event
sequences represent the multitude of incidents that can result from the
initiating event. One or more of the sequences may result in an
accident. The analyst defines the successes and failures in each resulting
sequence and compiles a description of its expected outcome.

The analyst then ranks the accidents based on the severity of their outcomes. If
enough data is available, the analyst can use probabilistic analysis to estimate
accident probabilities from event probabilities, and thus obtain additional information
for ranking the accidents. The structure of the event tree should clearly show the
development of the accident and help the analyst to define locations and establish
priorities where additional safety features might be installed to either prevent these
accidents or mitigate their effects.

Example

Consider a fire starting in a bedroom fitted with an automatic alarm system. It is
assumed that if the alarm sounds the occupants will respond to it and make good
their escape.

The first step is to identify the initiating event. In this example it is the fire and release
of smoke.

The second step is to identify the safety functions designed to deal with the initiating
event. In this example these are:

- A smoke detector.

- A fire alarm signal.

- A fire alarm sounder.

The third step is to construct an event tree. See Figure 12.

Figure 13: Example Event Tree

Construction of the tree begins at the left hand side with the initiating event of
interest.

The next step is to insert the 1st safety function (smoke detector in this example).
Only two possibilities are considered, either success or failure of the safety function.
Usually success is denoted in an upward path and failure is denoted by a downward
path. Success leads on to the 2nd safety function and failure leads to an undesired
outcome. In this example success of the 1st safety function means that the smoke
detector works as designed.

The event now progresses to the 2nd safety function. Again only success and failure
of the safety function are considered. Success leads on to the 3rd safety function and
failure leads to an undesired outcome. In this example success of the 2nd safety
function means that the alarm signal works as designed.

The event now progresses to the 3rd safety function. Once again only success and
failure of the safety function are considered. Success leads on to the desired
outcome and failure leads to an undesired outcome. In this example success of the
3rd safety function means that the alarm sounder works, the occupants are warned
of the fire and they make good their escape.

In this example every undesired outcome is that the occupants of the room are not
warned of the fire, however, in some event trees as the event progresses there may
be different outcomes with differing hazard severities.

Figure 14: Numerical Evaluation of an Event Tree

The frequency of the initiating event and the probabilities (or reliabilities) of the safety
functions need to be known, and are expressed as decimals, in order to calculate the
probabilities of the end events. So if the frequency (f) of the initiating event is once
every 200 years, it would be expressed as 0.005 (1 divided by 200) and if a
probability of success was 85%, it would be expressed as 0.85.

In Figure 13, in order to calculate the probability of the desired outcome (A), it is
necessary to follow the event from the left hand side to the right hand side of the
event tree, i.e. from the initiating event to A, multiplying the frequency (f) by each of
the included probabilities. Outcome A occurs when f AND P1 AND P3 AND P5 all
apply, hence the probability of A occurring (PA) is:

Probability of occupants being warned of fire PA = f x P1 x P3 x P5

The undesired outcome in Figure 14 can be caused by B OR C OR D, and is
calculated as the sum PB + PC + PD.

Initially, therefore, it is necessary to calculate PB, PC and PD individually. Again
following each event from left to right:

PB = f x P1 x P3 x P6

PC = f x P1 x P4

PD = f x P2

So the probability of occupants not being warned of fire = (f x P1 x P3 x P6) + (f x P1 x
P4) + (f x P2)

What if the reliability of only one safety function ‘leg’ is known?

For each safety function the success and failure ‘legs’ are expressed as decimals
and their sum must equal 1. Consider the 1st safety function, the smoke detector in
Figure 14:

P1 + P2 = 1

For example, if the smoke detector is 95% reliable, then it must be 5% unreliable
(0.95 + 0.05 = 1).

Note that the safety function can be human or component reliability.

Event Frequency

As with fault trees, the end event frequency is the reciprocal of the end event
probability. The units are the same as for the initiating event (f), e.g. years, months,
etc.

Worked Example

A mainframe computer suite has a protective system to mitigate the effects of fire.
The system design comprises a smoke detector connected by a power supply to a
mechanism for releasing carbon dioxide (CO2). It has been estimated that a fire will
occur once every five years (f = 0.2/year). Reliability data for the system components
are as follows:

Component               Reliability
Detector                0.9
Power Supply            0.99
CO2 release mechanism   0.95

Construct an event tree for the above scenario to estimate the frequency of an
uncontrolled fire in the computer suite.

The event tree would be constructed as follows:

Figure 15: Worked Example Event Tree

The probability of an uncontrolled fire PUF in the mainframe computer suite is
determined as:

PUF = PB + PC + PD

PB = f x P1 x P3 x P6

PB = 0.2 x 0.9 x 0.99 x P6

P6 = 1 - P5 = 1 - 0.95 = 0.05, so

PB = 0.2 x 0.9 x 0.99 x 0.05

PB = 0.00891

PC = f x P1 x P4

PC = 0.2 x 0.9 x P4

P4 = 1 - P3 = 1 - 0.99 = 0.01, so

PC = 0.2 x 0.9 x 0.01

PC = 0.0018

PD = f x P2

PD = 0.2 x P2

P2 = 1 - P1 = 1 - 0.9 = 0.1, so

PD = 0.2 x 0.1

PD = 0.02

So the probability of an uncontrolled fire PUF = 0.00891 + 0.0018 + 0.02

PUF = 0.03071

To determine the frequency of an uncontrolled fire (fUF):

fUF = 1 / PUF

fUF = 1 / 0.03071 = 32.56

So the frequency of an uncontrolled fire in the mainframe computer suite is once
every 32.56 years.
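The left-to-right multiplication carried out by hand above, together with the rule that the success and failure legs of each safety function sum to 1, can be written once for any number of safety functions in series. The Python below is an added example, not from the course text; it reproduces the computer-suite figures and adds a consistency check that the end-event probabilities sum back to the initiating frequency, which they must because every branch is binary. The only assumption beyond the text is that the safety functions fail independently of one another, which the worked example's multiplication also relies on.

```python
"""Event tree evaluation for a chain of safety functions.

Added example, not part of the course text. It reproduces the worked example
(f = 0.2/year; detector 0.9, power supply 0.99, CO2 release 0.95) and
generalises it to any number of safety functions in series. Assumption: the
safety functions fail independently of one another.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SafetyFunction:
    name: str
    reliability: float   # probability of the success leg

    def legs(self) -> Tuple[float, float]:
        """(success, failure) probabilities; they sum to 1, so only one need be known."""
        if not 0.0 <= self.reliability <= 1.0:
            raise ValueError(f"{self.name}: reliability {self.reliability} must lie in [0, 1]")
        return self.reliability, 1.0 - self.reliability


def event_tree(f_initiating: float, functions: List[SafetyFunction]) -> List[Tuple[str, float]]:
    """End events as (path label, probability), following each path left to right.

    Each safety function is tried in order: its failure leg ends the path in an
    undesired outcome with probability f x (successes so far) x (1 - reliability);
    its success leg carries f x (successes so far) x reliability on to the next
    function. The final path, every function succeeding, is the desired outcome.
    """
    if f_initiating < 0:
        raise ValueError("initiating event frequency cannot be negative")
    paths = []
    carried = f_initiating
    for sf in functions:
        success, failure = sf.legs()
        paths.append((f"{sf.name} fails", carried * failure))   # undesired outcome
        carried *= success
    paths.append(("all safety functions succeed", carried))    # desired outcome
    return paths


def undesired_probability(f_initiating: float, functions: List[SafetyFunction]) -> float:
    """Sum of the failure paths (PB + PC + PD in the text's notation)."""
    *failures, _ = event_tree(f_initiating, functions)
    return sum(p for _, p in failures)


def return_period(p: float) -> float:
    """Frequency as the text defines it: reciprocal of the end-event probability, in the units of f."""
    if p <= 0:
        raise ValueError("probability must be positive to take its reciprocal")
    return 1.0 / p


def conservation_check(f_initiating: float, functions: List[SafetyFunction], tol: float = 1e-12) -> bool:
    """Every branch is binary, so the end-event probabilities must sum back to f."""
    total = sum(p for _, p in event_tree(f_initiating, functions))
    return abs(total - f_initiating) <= tol


# Reliability data from the worked example in the text.
COMPUTER_SUITE = [
    SafetyFunction("Detector", 0.9),
    SafetyFunction("Power supply", 0.99),
    SafetyFunction("CO2 release mechanism", 0.95),
]
FIRE_FREQUENCY = 0.2   # one fire every five years


if __name__ == "__main__":
    for label, p in event_tree(FIRE_FREQUENCY, COMPUTER_SUITE):
        print(f"{label:32} {p:.5f}")
    p_uf = undesired_probability(FIRE_FREQUENCY, COMPUTER_SUITE)
    print(f"P(uncontrolled fire) = {p_uf:.5f}; once every {return_period(p_uf):.2f} years")
    print("end events sum to f:", conservation_check(FIRE_FREQUENCY, COMPUTER_SUITE))
```

Run on the worked example this gives the three failure paths 0.02, 0.0018 and 0.00891, PUF = 0.03071 and a return period of 32.56 years, matching the hand calculation. The desired path comes out at 0.16929, and 0.16929 + 0.03071 = 0.2 is the conservation check; a tree whose end events do not sum to f has a leg pair that does not sum to 1 or a path that was dropped.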

Summary

The use of quantitative risk analysis can be a useful tool in allocating resources and
justifying decision making in relation to risk management.

The role of FTA and ETA as backward- and forward-looking techniques considers
the risk elements throughout the lifecycle, or within potential and actual disaster
situations. The concept of backward- and forward-looking models can be described as
a "Bow-Tie" model where:

- The Bow-Tie model is a visual method of showing how the hazard(s)
become the top event. It shows the barriers in place to prevent progression
and the threats to those barriers.

- It is made up of a combination of a fault tree and an event tree (QRAs) looking
both backwards and forwards in time from an initiating event.

- It shows the probability of the top event occurring (FTA) and the escalation and
subsequent consequences from it (ETA).

- There is a range of tools, including HAZAN, FMEA, HAZOP, etc., which can
be used to qualify and quantify those hazards and threats.

- It links the barriers and measures to reduce the chance of the top event
occurring and the consequences resulting from the top event.

- The results of Bow-Tie models can be documented so that a full appreciation of
the risks and potential outcomes can be gained.

The figure below diagrammatically represents the Bow-Tie model:

Figure 16: Bow-Tie model

[Figure 16 diagram not reproduced in text. Left half (Fault Tree Analysis): Hazard, Threats, Barriers or controls, leading to the Top Event; labelled "Reduce likelihood" and "Control (keep within control limits)" (Proactive). Right half (Event Tree Analysis): Top Event, Recovery measures, leading to the Consequence scenarios; labelled "Prepare for emergencies" and "Mitigate consequences and re-instate" (Reactive).]

