
Enhancing Risk Perception in Engineering Education

DG Education & Culture

Tempus CD-JEP 30095/2002


Institut National Polytechnique de Lorraine, France
Institut National de l'Environnement Industriel et des Risques, France
École Nationale Supérieure d'Ingénieurs de Bourges, France
Department of Earth Science, University of Florence, Italy

Basics of Risk Management


Compiled by Project Risk Team Member
Dr. Alim Hashem El Sayed
JEP 30095
December 2005

Acknowledgement
This introductory manuscript is intended to introduce undergraduate
engineering students to the principles and basics of risk assessment.

The manuscript is divided into six chapters: chapters 1 & 2 are basic
definitions. The author, Dr. Abdel Alim Hashem, and the Risk Project Team
are indebted to Dr. Yasser El Shayeb, Assistant Professor, Mining,
Petroleum and Metallurgical Engineering Department, CUFE, for
supplying the main material for Chapters 3 and 4. Chapters 5 and 6 are
succinctly compiled from references cited at the end of the manuscript.

Purpose
The purpose of this course is to provide the students with a structured
system for identifying hazards, assessing the risks associated with those
hazards, putting measures in place to control the unacceptable risks, and
reviewing the control measures to ensure they are effective and have not
introduced new hazards. This is called the Risk Management Process.

Objectives
1. Assess and analyze risk in oil and gas production operations.
2. Discuss the advantages, limitations and range of applicability of
each hazard analysis method so that its selection and integration
into the overall process is fully understood, presenting a generic
overview of hazard identification.
3. HAZOP analysis and its identification.
4. Learn the basic vocabulary unique to hazard and operability in
industrial plants.
5. Raise general awareness of the need to apply the hazard
identification technique HAZOP.
6. Share knowledge and experiences on HAZOP-related issues in
different industrial plants.
7. Enable students to understand the impacts of industry activities on
HSE, to discuss at a professional level the best practical
solutions, and to make or advise on well-informed decisions for industry
activities.
8. Help participants to judge the HSE consequences of, and advise
on mitigating measures for, industry activities.

Table of Contents
Purpose
Objectives
Table of Contents
List of Figures
List of Tables
Chapter 1: Risk Definition and Accident Theory
1.1 Definitions
1.2 Basics of Risk Assessment
1.2.1 Risk assessment process
1.3 Accident Theory
1.3.1 Single factor theory
1.3.2 Multiple factors theory
1.3.3 Domino effect theory
1.3.4 Energy transfer theory
1.3.5 The Symptoms versus Causes theory
1.4 Structure of Accidents
1.5 The Role of Human Error in Accidents
1.5.1 The traditional concept of human error
1.5.2 Classification of human errors
1.5.3 Classifying active failures
1.5.4 Latent failures
1.5.5 Strategies for reducing human error
1.5.6 Actions for overcoming active failures
1.6 Reasons for Preventing Accidents
1.6.1 Moral
1.6.2 Costs
1.6.3 Legislation
1.5.4 Accident trends
1.7 Summary
Chapter 2: Importance of Risk Management
2.1 Importance
2.2 Principle of Risk Management
2.3 Hazard Identifications
2.3.1 Previous accident reports
2.3.2 Physical inspection of the workplace
2.3.3 Brainstorming
2.3.4 Knowledge of employees
2.3.5 Trade journals
2.3.6 OSHA (Occupational Safety & Hazard Administration) publication and safety alerts
2.3.7 Manufacturers instruction books
2.3.8 Sample inspection worksheet
2.4 Risk Examples in Pictures
2.5 Common Risks Associated with New Project
2.5.1 Staff risks
2.5.2 Equipment risks
2.5.3 Client risks
2.5.4 Scope risks
2.5.5 Technology risks
2.5.6 Delivery risks
2.5.7 Physical risks
2.5.8 Political risks
2.5.9 Financial risks
2.5.10 Environmental risks
Chapter 3 Identification of Risks
3.1 Preliminary Risk Analysis (PRA)
3.2 Failure Modes, Effect and Criticality Analysis (FMECA)
3.2.1 Objectives and domains of applications
3.2.2 Preparation for the study and the methodology of analysis
3.3 HAZOP
3.3.1 What is HAZOP?
3.3.2 When is a HAZOP Carried Out?
3.3.3 Some Points to Watch during HAZOP
3.4 What is Risk Assessment?
3.4.1 Likelihood
3.4.2 Consequences
3.4.3 Risk matrix
3.4.5 Risk management worksheets
3.5 Risk Control
3.5.1 Hierarchy of control
3.5.2 Elimination
3.5.3 Substitution
3.5.4 Separation
3.5.5 Administration
3.5.6 Personal protective equipment (PPE)
3.6 Apply Hierarchy of Control
3.7 Monitoring and Review
3.8 Conclusion
Chapter 4 Methods of System Analysis
4.1 Introduction
4.2 Markov Chains
4.2.1 Presentation of the Process
4.3 PETRI Network
4.4 Simulation, (The Monte Carlo Technique)
4.5 Fault Trees
4.5.1 The construction of the tree.
4.6 Critical Analysis of System (Simulation)
4.6.1 Example 1: simulation of a CPM network
4.6.2 Results
Chapter 5: The Process of Fire Risk Management
5.1 Methodology of Hazard Identification
5.2 Fire Risk Assessment
5.2.1 The primary steps in fire risk assessment include:
5.2.2 Type of risk assessment
5.2.3 Risk management
5.2.4 Risk management for handling fire risk exposure
5.2.5 Cost /benefit analysis
5.2.6 Development and monitoring of loss control program
5.2.7 Fire prevention
Chapter 6: Summary of Risk Assessment Steps in Workplace
6.1 Step 1: Look for The Hazards
6.2 Step 2: Decide Who Might Be Harmed, and How
6.3 Step 3: Evaluate The Risks And Decide Whether Existing Precautions Are Adequate or More Should Be Done.
6.4 Step 4: Record Your Findings
6.5 Step 5: Review Your Assessment and Revise It If Necessary
Acronyms
Appendices
Appendix 1: Some Important Pieces of Health and Safety Legislation
A.1.1 Besides the Health and Safety at Work Act itself, the following apply across the full range of workplaces:
A.1.2 specific regulations cover particular areas, as asbestos and lead,

List of Figures
Figure 1: Elements of risk assessment
Figure 2: Risk assessment process
Figure 3: Risk assessment methods
Figure 4: Gas pipeline fire
Figure 5: Human Fall from a ship
Figure 6: Fire in an offshore oil and gas production platform
Figure 7: Causes of workplace fatalities
Figure 8: Domino theory illustration
Figure 9: Structure of accident
Figure 10: Classification of human failure
Figure 11: Cost of accidents in USA
Figure 12: Insurance and accident costs
Figure 13: Slipping or tripping at work
Figure 14: Getting into contact with hazardous material (asbestos, fumes, etc.)
Figure 15: Performing work at height
Figure 16: Handling, transporting or supporting loads while suffering from sprains, strains, or pains
Figure 17: Having long exposure to computers or other display screen equipment
Figure 18: Working at a noisy place: causes hearing loss or deafness
Figure 19: Predictable or unpredictable, controlled or uncontrolled risk associated with natural or climate phenomena.
Figure 20: Being exposed to vibration
Figure 21: Getting hurt by electricity
Figure 22: Neglecting maintenance or doing unsafe maintenance work
Figure 23: Improper selection of work equipment
Figure 24: Risks resulting from transport, road traffic, road conditions
Figure 25: Risk associated with pressure systems
Figure 26: Risks resulting from fire or explosions or use or storage of explosive materials or chemicals
Figure 27: Feeling stressed by work
Figure 28: Identification and analysis of risk
Figure 29: Preparation of the analysis
Figure 30: Flow chart of the method HAZOP
Figure 31: Five degree probability (likelihood) scale
Figure 32: Four degree probability (likelihood) scale
Figure 33: Five degree consequences (severity) scale
Figure 34: Four degree consequences (severity) scale
Figure 35: 9X9 risk matrix
Figure 36: Risk matrix after applying preventive measures
Figure 37: Stochastic Processes
Figure 38: Parallel system of two components
Figure 39: Graphical Presentation of the System
Figure 40: PETRI networks
Figure 41: Network model of the Project
Figure 42: Final critical paths for the network
Figure 43: Hazard identification

List of Tables
Table 1: Inspection report
Table 2: Sample inspection worksheet
Table 3: Sample inspection of pizza shop
Table 4: Maximum daily duration per day for sound levels
Table 5: Action and corresponding sound level
Table 6: Some of the physical risks originating from work operations
Table 7: PRA
Table 8: Deviation generated by each guide word
Table 9: HAZOP
Table 10: Risk matrix based on consequences and likelihood
Table 11: Example of risk management worksheet
Table 12: Protective requirement for eye, head, and foot/toe
Table 13: Protective requirement for hand, hearing and respiratory
Table 14: Different states of the system.
Table 15: Random observations
Table 16: Critical Index of activities (activities with * means that it was on the Critical Path in this sample).

Chapter 1: Risk Definition and Accident Theory


1.1 Definitions
The term "risk" is used in a variety of ways in everyday speech. It is
frequently used to refer to activities such as rock-climbing or day-trading
stocks as "risky", or to discuss the "risk" of getting the flu this coming
winter. In the case of rock-climbing and day-trading, "risky" is used to
mean hazardous or dangerous. In the latter reference, "risk" refers to the
probability of a defined outcome (the chance of contracting the flu).
Before beginning a discussion of risk assessment, it is important to
provide a clear definition of the term "risk" and some of the other
terminology used in the risk assessment field.
For the purposes of this course, discussion will be limited to the risk of
unintended incidents occurring which may threaten the safety of
individuals, the environment or a facility's physical assets. In this setting,
a number of terms have to be defined:
Hazards or Threats: are conditions which exist and may
potentially lead to an undesirable event.
Controls: are the measures taken to prevent hazards from
causing undesirable events. Controls can be physical (safety
shutdowns, redundant controls, conservative designs, etc.),
procedural (written operating procedures), and can address
human factors (employee selection, training, supervision).
Health: Acute and chronic ill health caused by physical, chemical
or biological agents as well as adverse effects on mental health.
Event: is an occurrence that has an associated outcome. There
are typically a number of potential outcomes from any one initial
event which may range in severity from trivial to catastrophic,
depending upon other conditions and add-on events.
Risk: is composed of two elements, frequency and consequence.
Risk is defined as the product of the frequency with which an event
is anticipated to occur and the consequence of the event's
outcome.
Risk = Frequency × Consequence
Frequency or likelihood or probability: The frequency of a
potential undesirable event is expressed as events per unit time,
usually per year. The frequency should be determined from
historical data if a significant number of events have occurred in
the past. Often, however, risk analyses focus on events with more
severe consequences (and low frequencies) for which little
historical data exist. In such cases, the event frequency is
calculated using risk assessment models.
Consequence or severity or gravity: can be expressed as the
number of people affected (injured or killed), property damaged,
amount of spill, area affected, outage time, mission delay, dollars
lost, etc. Regardless of the measure chosen, the consequences
are expressed per event. Thus the above equation has the units
events/year times consequences/event, which equals
consequences/year, the most typical quantitative risk measure.
Hazard Effect: The consequences which could result from a hazard being
realized.
Types of hazards:
Biological hazards: Bacteria.
Environmental: Wastes and toxic gases.
Social and Loss of Image: Loss of image of the department or organization
as a result of conditions and hazards contained in the building.
Human: Irresponsible behaviors, being careless.
Managerial: Loss of control.
Electrical: Electric shock could lead to fire, explosion, equipment failure,
and people fatalities.
Mechanical: Mechanical failure could lead to equipment damage.
Radiation: Radioactive hazards. Radiation hazards may emanate from the
use of mobile phones and interference with lab equipment!
Chemical: Flammable and toxic materials could lead to chemical hazards.
Infrastructural: Short windows, broken glass, lift problems.
Economical: Any shortage in the faculty budget could lead to an economic
hazard.
Fire/Explosion: Any source of fire plus oxygen could lead to big losses.
Natural: Any natural situation such as floods, hurricanes, earthquakes or
landslides.
Risk Matrix: Represents the relation between the probability and the
severity.
The Residual Risk: The risk that remains after applying the method which
reduces the hazard.
Significant: Indicates that a Hazard or a Risk is anything other than
trivial. A significant risk is one which requires some form of positive
safeguard to eliminate it or reduce it to an acceptable level.
Task: An individual work assignment carried out by one or more
persons.
Risks arise from the interaction of people, equipment, materials and the
work environment. For the purposes of this practice, they can be
described as follows:
Task-related: An effect caused by the activities of people in the
workplace.
Inherent: An effect associated with the design of the workplace, its
equipment and its location.
Process-related: An effect arising from the process being carried out, the
properties of the fluid and the process condition.
Safety Measures: A precautionary measure which prevents or reduces a
risk. Safety measures can be classified as physical, procedural,
human, time-related or contingency.

1.2 Basics of Risk Assessment


Risk assessment is the process of gathering data and synthesizing
information to develop an understanding of the risk of a particular
enterprise. To gain an understanding of the risk of an operation, one
must answer the following three questions:
1. What can go wrong?
2. How likely is it?
3. What are the impacts?
Qualitative answers to one or more of these questions are often
sufficient for making good decisions. However, as managers seek more
detailed cost/benefit information upon which to base their decisions, they
may wish to use quantitative risk assessment (QRA) methods. Both
qualitative and quantitative methods are discussed in this document.
Figure 1 below illustrates the elements of Risk Assessment.

Figure 1: Elements of risk assessment


More details about the tools and methods available for conducting risk
assessments, considerations for setting up an assessment, information
about relevant regulatory requirements and examples of risk
assessment applications will be provided. Before initiating a risk
assessment, all parties involved should have a common understanding
of the goals of the exercise, the methods to be used, the resources
required, and how the results will be applied.

1.2.1 Risk assessment process


To use a systematic method to determine risk levels, the Risk
Assessment Process is applied. This process consists of four basic
steps:
1. Hazard Identification
2. Frequency Assessment
3. Consequence Assessment, and
4. Risk Evaluation

The level of information needed to make a decision varies widely. In
some cases, after identifying the hazards, qualitative methods of
assessing frequency and consequence are satisfactory to enable the
risk evaluation. In other cases, a more detailed quantitative analysis is
required. The Risk Assessment Process is illustrated in Figure 2, and
the results possible from qualitative and quantitative approaches are
described. There are many different analysis techniques and models
that have been developed to aid in conducting risk assessments. Some
of these methods are summarized in Figure 3. A key to any successful
risk analysis is choosing the right method (or combination of methods)
for the situation at hand. For each step of the Risk Assessment Process,
this part provides a brief introduction to some of the analysis methods
available and suggests risk analysis approaches to support different
types of decision making within the maritime and offshore industries. For
more information on applying a particular method or tool, the following
chapters will identify clearly the steps followed for risk assessment. It
should be noted that some of these methods (or slight variations) can be
used for more than one step in the risk assessment process. For
example, event tree analysis can be used for frequency assessment as
well as for consequence assessment. Figure 3 lists the methods only
under the most common step to avoid repetitions.


Figure 2: Risk assessment process

Figure 3: Risk assessment methods


1.3 Accident Theory


The increasing size and complexity of industrial processes creates
increased scope for major disasters, leading to greatly increased public
concern about industrial safety. The last two decades have seen a
series of such disasters world-wide (e.g. Bhopal, Seveso, and
Chernobyl), in the UK (e.g. Clapham Junction, King's Cross, Piper
Alpha, Herald of Free Enterprise, Ladbroke Grove, Paddington) and in
Egypt (e.g. Salim Ferry, Upper Egypt Train).
In the UK, the 1990 Labor Force Survey stated that there were an
estimated 1.6 million accidents at work where 750,000 people suffered ill
health caused or made worse by working conditions. In all, 30 million
working days were lost, and 20,000 people were forced to give up
work.
It is estimated that each year there are 3 million fatalities resulting from
accidents or poisoning, the majority of which occur in developing
countries. Occupational accidents, defined as those accidents that occur
at the place of work, are also of major concern. Each year 180,000
people are killed as a result of accidents at work, whilst 110 million are
injured (Harms Ringdahl, 1992).
According to data collected in 1988 (Hoyos & Zimolong, 1988), in the
USA a fatal accident occurs every 6 minutes, a fatal occupational injury
occurs every 46 minutes and a work accident that results in an injury
occurs every 17 seconds. In 1992, more than 86,000 people died in the
US. The following figures show some accidents and workplace fatalities.

Figure 4: Gas pipeline fire

Figure 5: Human Fall from a ship

Figure 6: Fire in an offshore oil and gas production platform

Motor vehicles: 34%
Struck by moving, falling or stationary objects: 19%
Heart attacks/strokes: 13%
Miscellaneous: 11%
Slips and falls: 8%
Airplanes: 5%
Caught between objects/equipment: 5%
Gunshot wounds: 5%

Figure 7: Causes of workplace fatalities

There are some theories concerning the causes of accidents to give us
an insight into how we should approach the task of risk management.

1.3.1 Single factor theory


This theory stems from the assumption that an accident is a result of a
single cause. If this single cause can be identified and eliminated, the
accident will not be repeated. People who have even the most basic of
risk training do not accept this theory.
Example: A person in a hurry walks through a poorly lit area and trips
over a piece of wood.
Single Factor Theory Solution: Remove the offending piece of wood to
solve the problem.
Reality: Accidents always have more than one contributing factor.

1.3.2 Multiple factors theory


It says that an accident occurs when a number of factors act together to
cause an accident. This and similar ideas are favored by most
experienced risk practitioners.
Example: A person in a hurry walks through a poorly lit area and trips
over a piece of wood.
Multiple Factors Theory Solution: this theory would require answers to
such questions as:
Was there a necessity for the person to walk in that area or was there a
safer route?
If the person was not in a hurry, would they have been more aware of their
surroundings and avoided the wood?
If the area were better lit, would the person have avoided the wood?
Could the wood have been removed?

The answers to these questions show that the person is not the only
one responsible for the accident.

1.3.3 Domino effect theory


According to W.H. Heinrich (1931), who developed the so-called domino
theory, 88% of all accidents are caused by unsafe acts of people, 10%
by unsafe actions and 2% by acts of God. He proposed a five-factor
accident sequence in which each factor would actuate the next step in
the manner of toppling dominoes lined up in a row. The sequence of
accident factors is as follows:
1. Ancestry and social environment: Those conditions that make us
take or accept risk.
2. Worker fault or Undesirable Human Trait: Anger, carelessness,
tiredness, lack of understanding, inattention.
3. Unsafe act or condition together with mechanical and physical
hazard: Poor planning, unsafe equipment, hazardous environment.
4. Accident: The accident occurs when the above events conspire
(combine) to cause something to go wrong.
5. Damage or injury: Injury occurs when the person sustains
damage.

Figure 8: Domino theory illustration


Often accidents occur without injury and they are referred to as near
misses. All too often, these near misses are ignored until, figuratively
speaking, the last domino is knocked over and the injury occurs.
In the same way that the removal of a single domino in the row would
interrupt the sequence of toppling, Heinrich suggested that removal of
one of the factors would prevent the accident and resultant injury; with
the key domino to be removed from the sequence being number 3.
Although Heinrich provided no data for his theory, it nonetheless
represents a useful point to start discussion and a foundation for future
research.
The domino theory has its merits but may be too limited to consistently
reflect reality. A more accurate picture of reality may be gained by combining
the elements of the Multiple Factors Theory and the Domino Effect.

1.3.4 Energy transfer theory


It states that accidents are more likely to happen at or during a transfer
of energy. The rate of energy release is important because the greater
the rate of release the greater the potential for damage. It should be
noted that this concept of identifying hazards is very limited and not
dissimilar to the Single Factor theory. Factors other than energy release
are important.
Those who accept the energy transfer theory put forward the claim that a
worker incurs injury or equipment suffers damage through a change of
energy, and that for every change of energy there is a source, a path
and a receiver. This theory is useful for determining injury causation and
evaluating energy hazards and control methodology. Strategies can be
developed which are preventive, limiting or ameliorating with respect to
the energy transfer. Control of energy transfer at the source can be
achieved by the following means:

Elimination of the source
Changes made to the design or specification of elements of the work station
Preventive maintenance.

The path of energy transfer can be modified by:

Enclosure of the path
Installation of barriers
Installation of absorbers
Positioning of isolators.

The receiver of energy transfer can be assisted by adopting the following
measures:

Limitation of exposure
Use of personal protective equipment

1.3.5 The Symptoms versus Causes theory


The symptoms versus causes theory is not so much a theory as an
admonition to be heeded if accident causation is to be understood.
Usually, when investigating accidents, we tend to fasten upon the
obvious causes of the accident to the neglect of the root causes. Unsafe
acts and unsafe conditions are the symptoms (the proximate causes)
and not the root causes of the accident.

1.4 Structure of Accidents


The belief that accidents are caused and can be prevented makes it
imperative for us to study those factors which are likely to favor the
occurrence of accidents. By studying such factors, the root causes of
accidents can be isolated and necessary steps can be taken to prevent
the recurrence of the accidents. These root causes of accidents can be
grouped as immediate and contributing. The immediate causes are
unsafe acts of the worker and unsafe working conditions. The
contributing causes could be management-related factors, the
environment and the physical and mental condition of the worker. A
combination of causes must converge in order to result in an accident.

Figure 9: Structure of accident


1.5 The Role of Human Error in Accidents


Although the role that human error plays in accident causation has been
accepted for many years, it is only recently that a lot of concerted effort
has been put into detailed research into human error in accidents.
Beyond the technical issues two common points emerged strongly from
the inquiries into these accidents, which are:
The influence of human error in the chain of events leading to the
accident;
Failures in the management and organization of safety.
People can cause or contribute to accidents (or mitigate the
consequences) in a number of ways. Through a failure, a person can
directly cause an accident. However, people tend not to make such
errors deliberately. We are often set up to fail by the way that our
brain processes information, by our training, through the design of
equipment and procedures and even through the culture of the
organization that we work for.
People can make disastrous decisions even when they are aware of
the risks. We can also misinterpret a situation and act inappropriately
as a result. Both of these can lead to the escalation of an incident.
On the other hand we can intervene to stop potential accidents. Many
companies have their own anecdotes about recovery from a potential
incident through the timely actions of individuals. Mitigation of the
possible effects of an incident can result from human resourcefulness
and ingenuity.
The degree of loss of life can be reduced by the emergency response
of operators and crew. Emergency planning and response including
appropriate training can significantly improve rescue situations.

1.5.1 The traditional concept of human error

Traditionally the promotion of safety has been largely reactive,
concentrating on accident investigation with the primary aim of avoiding
repeat events. In part this arose from too simple an approach to
accident causation based on the apparent importance placed on the
concept of a single primary cause; either an unsafe act or an unsafe
condition (as a result of the domino theory). If the former were the case,
responsibility was clear and blame could be apportioned. If the latter was
the case then a technical solution could be sought. In part this also
arose from the fact that a reactive approach, based on a single primary
cause, was also an easy approach to handle.
Taking a blame approach to human error in accidents provides little of
use in terms of future accident prevention. For example, if someone made a
mistake which resulted in an accident and we work on the basis of a
blame approach then there are only three options available to us:
We accept that human error is inevitable, shrug our shoulders, tell
him to be a bit more careful and carry on as before with our fingers
crossed.
Alternatively, we can say that, as he was responsible, we should discipline
him, perhaps even sack him.
The third option is a half-way house whereby we give him the benefit
of the doubt and decide that he might need retraining. However, if all
we have found out about the accident was that he was the cause,
we have learnt nothing new on which to base the retraining. We will
almost certainly therefore be reduced to repeating the training which
we know has already failed!
Unfortunately this is a pretty reasonable description of the approach to
human error in accidents that has existed in most industrial
organizations for years. If accidents are to be prevented in the future it
is no use whatsoever to blame people for their mistakes unless we
have a detailed understanding of what caused the mistakes. Only by
understanding all the issues which have caused (or could cause) an
accident can we identify the way to prevent future accidents.

1.5.2 Classification of human errors

The term human error is wide and can include a great variety of human
behaviour. Therefore, in attempting to define human error, different
classification systems have been developed to describe their nature.
Identifying why these errors occur will ultimately assist in reducing the
likelihood of such errors occurring.
The distinction between the hands-on operator errors and those made
by other aspects of the organization has been described as active and
latent failures.
Active Failures have an immediate consequence and are usually made
by front-line people such as drivers, control room and machine
operators. These immediately precede, and are the direct cause of, the
accident.
Latent failures are those aspects of the organization which can
immediately predispose active failures. Common examples of latent
failures include (HSE, 1999):
Poor design of plant and equipment;
Ineffective training;
Inadequate supervision;
Ineffective communications; and
Uncertainties in roles and responsibilities.

Latent failures are crucially important to accident prevention for two
reasons:
1. If they are not resolved, the probability of repeat (or similar)
accidents remains high regardless of what other action is taken;
2. As one latent failure often influences several potential errors,
removing latent failures can be a very cost-effective route to
accident prevention.

1.5.3 Classifying active failures

The classification of active failures distinguishes between intentional and
unintentional error. Intentional errors are described as violations, whilst
unintentional errors are classified as either slips/lapses or mistakes.
These types of human failure are shown in the diagram below (HSE,
1999), Figure 10:

Human Failures
    Violations
        Routine
        Situational
        Exceptional
    Human Errors
        Mistakes
            Rule-based
            Knowledge-based
        Skill-based errors
            Slips of action
            Lapses of memory

Figure 10: Classification of human failure


Slips and Lapses: These occur in routine tasks with operators who
know the process well and are experienced in their work:
They are action errors which occur whilst the task is being carried out;
They often involve missing a step out of a sequence or getting steps
in the wrong order and frequently arise from a lapse of attention;
Operating the wrong control through a lapse in attention or
accidentally selecting the wrong gear are typical examples.
Mistakes: These are inadvertent errors and occur when the elements of
a task are being considered by the operator.
They are decisions that are subsequently found to be wrong, although at
the time the operator would have believed them to be correct. There are
two types of mistake (HSE, 1999), rule based and knowledge based:
Rule based mistakes occur when the operation in hand is governed
by a series of rules. The error occurs when an inappropriate action is
tied to a particular event.
Knowledge based errors occur in entirely novel situations when you
are beyond your skills, beyond the provision of the rules and you
have to rely entirely on adapting your basic knowledge and
experience to deal with a new problem.
Violations are any deliberate deviation from the rules, procedures,
instructions and regulations, which are deemed necessary for the safe or
efficient operation and maintenance of plant or equipment. Breaches in
these rules could be accidental/unintentional or deliberate.
Violations occur for many reasons, and are seldom willful acts of
sabotage or vandalism. The majority stem from a genuine desire to
perform work satisfactorily given the constraints and expectations that
exist. Violations are divided into three categories: routine, situational and
exceptional (HSE, 1999).
Routine Violations are ones where breaking the rule or procedure has
become the normal way of working. The violating behavior is normally
automatic and unconscious but the violation is recognized as such by
the individual(s) if questioned. This can be due to cutting corners, saving
time, or be due to a belief that the rules are no longer applicable.
Situational Violations occur because of limitations in the employee's
immediate work space or environment. These include the design and
condition of the work area, time pressure, number of staff, supervision,
equipment availability, and design and factors outside the organization's
control, such as weather and time of day. These violations often occur
when a rule is impossible or extremely difficult to work to in a particular
situation.
Exceptional Violations are violations that are rare and happen only in
particular circumstances, often when something goes wrong. They occur
to a large extent at the knowledge based level. The individual in
attempting to solve a novel problem violates a rule to achieve the
desired goal.

1.5.4 Latent failures

Latent failures are the factors or circumstances within an organization
which increase the likelihood of active failures. Consider some examples
of latent failures in relation to the example accidents given earlier:
King's Cross Underground Station Fire: the latent failures here included:
While several minor escalator fires had occurred previously and had
been investigated, apparently no one in the organization seriously
considered the fact that a major escalator fire was a possibility;
consequently, as the inquiry states, little effective action had been taken
on the warnings provided by the minor fires. Similarly, the inquiry also
reported that there were serious flaws in the managerial and
organizational responsibilities and accountability for safety, with virtually
all aspects of the organization thinking passenger safety was someone
else's responsibility.
The existence of these, and other similar, latent failures within the
London Underground operation significantly increased the probability of
a major escalator fire; with hindsight it was almost a matter of when
rather than whether. It is also apparent, as suggested above, that unless
the remedial action taken encompassed these organizational/management
latent failures, a repeat event was likely for, quite simply, the major
influencing factors would have remained in place to predispose a
similar event.

1.5.5 Strategies for reducing human error


Reducing human error involves far more than taking disciplinary action
against an individual. There are a range of measures which are more
effective controls including the design of the equipment, job, procedures
and training.

1.5.6 Actions for overcoming active failures

1.5.6.1 Slips and lapses

Design improvement is the most effective route for eliminating the cause
of this type of human error. For example, typical problems with controls
and displays that cause this type of error include:
Switches which are too close and can be inadvertently switched on or
off;
Displays which force the user to bend or stretch to read them
properly;
Critical displays not in the operator's field of view;
Poorly designed gauges;
Displays which are cluttered with non-essential information and are
difficult to read.

1.5.6.2 Mistakes

Training, for individuals and teams, is the most effective way for
reducing mistake type human errors. The risk of this type of human error
will be decreased if the trainee understands the need for and benefits
from safe plans and actions rather than simply being able to recite the
steps parrot fashion. Training should be based on defined training needs
and objectives, and it should be evaluated to see if it has had the
desired improvement in performance.

1.5.6.3 Violations

There is no single best avenue for reducing the potential for deliberate
deviations from safe rules and procedures. The avenues for reducing the
probability of violations should be considered in terms of those which
reduce an individual's motivation to violate. These include:
Under-estimation of the risk;
Real or perceived pressure from the boss to adopt poor work practices;
Pressure from work-mates to adopt their poor working practices;
Cutting corners to save time and effort.

1.5.6.4 Addressing Latent Failures

The organization must create an environment which:
Reduces the benefit to an individual from violating rules.
Reduces the risk of an operator making slips/lapses and mistakes.
This can be done by identifying and addressing latent failures.
Examples of latent failures include:
Poor design of plant and equipment;
Impractical procedures;
Ineffective training;
Inadequate supervision;
Ineffective communications; and
Uncertainties in roles and responsibilities.
One of the principal ways of systematically doing this is through a health
and safety management system. This is the subject of the next topic
area in this course.

1.6 Reasons for Preventing Accidents


There are three main reasons for preventing accidents and ill-health:
moral/humane, cost and legislation.

1.6.1 Moral

Nobody comes to work to get injured or to become ill. No one likes
getting injured or seeing their colleagues or friends injured in accidents.
Nothing is more important than the humane aspects of accidental loss:
injury, pain, sorrow, anguish, loss of body parts or functions,
occupational illness, disability and death. Employers and employees
have a moral responsibility to prevent accidents and ill-health at work.

1.6.2 Costs

Even a simple or minor accident can be expensive. Some of the costs
associated with accidents can be quickly identified such as medical
treatment, lost wages and decreased productivity. These easily
identified expenses are often known as the "direct" costs associated with
accidents. Less evident expenses associated with accidents are known
as "indirect" or "hidden" costs and can be several times greater than the
value of the direct costs. Listed below are just a few of the hidden costs
associated with most accidents.
1. The expense and time of finding a temporary replacement for the
injured worker,
2. Time used by other employees to assist the injured worker,
3. Time used by supervision to investigate the mishap, preparation of
accident reports and adjustments made to work schedules,
4. Property damage to tools, materials and equipment,
5. Delays in accomplishment of work task by a group.
Indirect costs exist, vary greatly from case to case, and are often difficult
to quantify. The main point to remember is that accidents are much more
costly than just the basic or direct costs.

Wages loss: 26%
Insurance administration: 19%
Property damages: 18%
Medical expenses: 16%
Indirect losses: 15%
Fire losses: 6%

Figure 11: Cost of accidents in USA


Whether or not people are hurt, accidents do cost organizations money
and the actual injury or illness costs represent only a small part of the
total. A recent study by the HSE has shown that for every £1 of insured
costs (i.e. the actual cost of the injury or illness in terms of medical costs
or compensation costs) the uninsured (or hidden) costs varied between
£8 and £36, Figure 12. This has been traditionally depicted as an
iceberg, as the largest part of an iceberg is hidden under the sea.
In October 1999 the HSE published new data on the costs to the UK of
workplace accidents and work related ill-health in 1995/96 which
estimated that:
The costs to employers are estimated between £35 billion and £73
billion a year (between 4% and 8% of all gross company trading
profits).
Work related accidents & illnesses cost between 2.1% and 2.6%
of the Gross Domestic Product each year, equivalent to between
£14.5 and £18.1 billion.

Insurance costs: covering injury, ill health, damage.

Uninsured costs (£8-36):
Product and material damage.
Plant & building damage.
Tool & equipment damage.
Legal costs.
Expenditure on emergency supplies.
Clearing site.
Production delays.
Overtime working and temporary labour.
Investigation time.
Supervisors' time diverted.
Clerical effort.
Fines.
Loss of expertise/experience.

Figure 12: Insurance and accident costs

1.6.3 Legislation

Organizations have a legal obligation to prevent accidents and ill-health.
Health and Safety Legislation in the UK consists of a number of Acts that
are supported by subordinate legislation in the form of Regulations.
The principal act is the Health and Safety at Work Act. This Act sets in
place a system based on self-regulation with the responsibility for
accident control placed on those who create the risks in the first
instance. It also allows for the progressive replacement of existing safety
law so that the general duties set in the act could be backed by
Regulations, setting goals and standards for specific hazards and
industries. Any breach of this statutory duty can result in criminal
proceedings.

1.6.4 Accident trends

Fatals: The three most common causes of fatalities to employees
were falls from height, being struck by a moving vehicle, and being
struck by a falling object. However, the causes varied from sector to
sector. In construction, most deaths were caused by falls from height
(46%). In manufacturing and the service sector, falls from height
accounted for 20% and 16% of deaths respectively. Within the
service sector, 40% of all deaths were caused by being struck by
moving vehicles, up 33% the previous year.
Non-Fatal Major Injuries: The four most common causes of major
injuries to all employees were slips, trips and falls, falls from a height,
being struck by a moving or falling object, and being injured whilst
handling, lifting or carrying. HSE figures mention that an estimated
591 major injuries were caused by violence at work; this is a
reduction from the previous year's number (680) but still represents 2
per cent of all major injuries experienced by employees.
+3 day Injuries: Lifting, handling or carrying, slips, trips or falls, and
being struck by a moving or falling object were the three most likely
ways in which employees were likely to sustain over three day
injuries. These figures also pick up the number of injuries caused by
violence in the workplace (4335) which is down on the previous year.
Ill-health: The most prevalent forms of work related ill-health in the
UK are:
Musculoskeletal disorders: an estimated 1.2 million people
were affected in 1995 (including back-problems & RSI)
Stress: an estimated 0.5 people were affected in 1995.
Both these conditions accounted for over three-quarters of people
suffering from an illness caused by their work. A significant number of
people were suffering from a lower respiratory illness, including asthma
(an estimated 200,000) and ear conditions, including deafness (an
estimated 170,000) which were caused by their work.

1.7 Summary

Accident causation is very complex and must be understood adequately
in order to improve accident prevention. Since safety lacks a theoretical
base, it cannot be regarded as being a science yet. This fact should not
discourage us, as most of the scientific disciplines (mathematics,
statistics and so on) passed through a similarly tentative phase at one
time or the other. Accident causation study holds great promise for those
who are interested in developing the pertinent theory. At present,
theories of accident causation are conceptual in nature and, as such, are
of limited use in preventing and controlling accidents. With such a
diversity of theories, it will not be difficult to understand that there does
not exist one single theory that is considered right or correct and is
universally accepted. These theories are nonetheless necessary, but not
sufficient, for developing a frame of reference for understanding accident
occurrences.

Chapter 2: Importance of Risk Management


2.1 Importance

The absence of accidents does not necessarily mean there are no
hazards. It also does not mean that there is no hazard. A risk
management process must be adopted and repeated at regular
intervals. We often find that hazards with devastating consequences are
not addressed until an accident has occurred.
A risk management process should be adopted and repeated at regular
intervals to ensure that all hazards have been identified, the risks
assessed and adequate measures to control those risks are in place.
Initiation of a risk management program is clearly the responsibility of
management whilst the employees' role is one of support and
assistance.

2.2 Principle of Risk Management


A Hazard: is defined as anything that may cause harm, injury, or ill
health to a person, or economic loss of property.
Risk: is the chance, high or low, that someone will be harmed by a
hazard. Some countries require a business having five or more
persons to have a safety policy statement. The following is an example of
such a statement:
Controlling danger at work is not different from tackling any other task:
training personnel, being proactive (premising), recognizing the problem,
knowing enough about it, deciding what to do, and putting the solution
into place is a guarantee for minimizing risks.

2.3 Hazard Identifications


It is the first step in the risk management process. Only people with a
thorough knowledge of the area, process or machine under review should
carry out a hazard identification survey. The person delegated the task
of hazard identification should explore the many sources of information
available for identifying hazards within the area of their inquiry. These
may include any of the following:

2.3.1 Previous accident reports


Review the history of the area under review. Any accidents or near misses
should be carefully investigated. At this stage it is worth sorting all the
accident and near-miss information into a number of categories.
Typically these category headings could be:
Location
Machine
Person
Age of person
Time of day
Day of week
Part of body
Severity of injury
Occupation
Identifying a trend of accidents in any of the above areas may assist the
investigator in identifying the possible hazard.
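
The sorting step described in 2.3.1, as an added example that is not part of the original manuscript: it tallies accident and near-miss reports under a subset of the category headings listed above and flags values that occur at least twice as often as an even spread would predict. The field names, the sample reports and the two thresholds (`min_count`, `lift`) are assumptions made for illustration.

```python
from collections import Counter
from typing import NamedTuple

# Category headings from section 2.3.1; the field names are assumed.
FIELDS = ("location", "machine", "occupation", "time_of_day",
          "day_of_week", "part_of_body", "severity")

# Constructed sample reports (not real data). None = not recorded.
ROWS = [
    ("Loading bay", "Forklift", "Driver",    "night", "Mon", "foot", "minor"),
    ("Loading bay", "Forklift", "Driver",    "night", "Tue", "leg",  "major"),
    ("Loading bay", "Conveyor", "Packer",    "night", "Sat", "hand", "near miss"),
    ("Workshop",    "Lathe",    "Machinist", "day",   "Mon", "hand", "minor"),
    ("Loading bay", "Forklift", "Driver",    "night", "Fri", "foot", "near miss"),
    ("Workshop",    "Grinder",  "Machinist", "day",   "Wed", "eye",  "minor"),
    ("Yard",        "Crane",    "Rigger",    "day",   "Thu", "back", "near miss"),
    ("Loading bay", None,       "Driver",    "night", "Fri", "back", "minor"),
    ("Office",      None,       "Clerk",     "day",   "Tue", "hand", "minor"),
    ("Loading bay", "Forklift", "Driver",    "day",   "Fri", "foot", "near miss"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


class Trend(NamedTuple):
    category: str
    value: str
    count: int        # reports carrying this value
    total: int        # reports that recorded the category at all
    near_misses: int  # how many of `count` were near misses


def tally(records, category):
    """Count the recorded values of one category, skipping blank fields."""
    return Counter(r[category] for r in records
                   if r.get(category) is not None)


def find_trends(records, min_count=3, lift=2):
    """Flag values that are over-represented within their category.

    A value is flagged when it appears in at least `min_count` reports and
    its share is at least `lift` times the share an even spread over the
    observed values would give. A two-valued field such as day/night is
    therefore not flagged for a 50/50 split.
    """
    trends = []
    for category in FIELDS:
        counts = tally(records, category)
        total, distinct = sum(counts.values()), len(counts)
        for value, count in counts.items():
            # Integer form of: count / total >= lift * (1 / distinct)
            if count >= min_count and count * distinct >= lift * total:
                near = sum(1 for r in records
                           if r.get(category) == value
                           and r.get("severity") == "near miss")
                trends.append(Trend(category, value, count, total, near))
    # Strongest concentration first; ties broken by category name.
    return sorted(trends, key=lambda t: (-t.count / t.total, t.category))


if __name__ == "__main__":
    for t in find_trends(RECORDS):
        print(f"{t.category}: {t.value} in {t.count} of {t.total} reports "
              f"({t.near_misses} near misses)")
```

Counting near misses alongside injuries keeps the early warnings in the tally, and reports with a blank field are excluded from that field's total rather than counted against it.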

2.3.2 Physical inspection of the workplace


A physical examination of the workplace requires an inquiring mind,
lateral thinking, and the ability to remain open-minded. It is of little
use to look at a particular area and, in a perfunctory manner, declare it
to be hazard free.

2.3.2.1 Guidelines

Employees and supervisors are responsible for day-to-day workplace
inspections to identify and eliminate occupational hazards. Everyone
must be vigilant for physical deficiencies in the workplace and for unsafe
work practices. If workplace parties relegate their inspection
responsibilities entirely to the local joint health and safety committee,
then the internal responsibility system will be undermined and problems
will not be resolved effectively.

2.3.2.2 Types of safety inspections

There are several types of workplace inspections essential for due
diligence. Daily walkabouts or continuous inspections are performed
by employees and supervisors to check for obvious hazards. These
inspections must be conducted daily because hazards and unsafe
conditions are continuously created (i.e. equipment is changed, work
spaces are rearranged, parts become worn, new processes are
introduced). Incidents resulting in injury often occur after something has
been changed. Spot inspections and job observations are performed by
supervisors to ensure safe work practices. Specialized inspections
include pre-operational checks and critical parts inspections in
equipment. Comprehensive planned inspections are performed monthly
by departmental (local) safety committee members to audit the
effectiveness of the aforementioned inspection efforts. Written
inspection reports serve as valuable confirmation of due diligence, that
the University is taking every precaution reasonable to protect
employees and students. Inspection reports may be audited by the
Ministry of Labor.

2.3.2.3 Safety committee inspections

Workplace inspections by Joint Health and Safety Committee personnel
are prescribed by the Occupational Health and Safety Act to help ensure
that the internal responsibility system is alive and functioning to
maintain safety as a priority. Committee inspections should identify
safety concerns that have not been resolved by employees and
supervisors. They provide an opportunity to commend employees and
supervisors for successful safety efforts. Inspections also confirm that
hazard controls are effective and operational.
The Occupational Health and Safety Act requires that Committee
inspections be conducted monthly. If this is not practical, then the
workplace shall be inspected yearly with part of the workplace being
inspected monthly according to a written schedule determined by the
local safety committee.
Inspections must be performed by worker members of the committee. In
some areas, a worker member and a management member may inspect
the workplace as a team. The area supervisor should be invited to
participate in the inspection process. Hazards and unsafe work
practices must be noted on the inspection form and prioritized according
to severity of the hazard. Immediately dangerous to life and health
(IDLH) hazards shall be isolated, corrected on the spot, or work must be
stopped.
Workplace inspections by safety committee members should identify
unresolved health and safety issues or hazards that might cause injury
or illness. Committee inspections are not intended to identify lists of
fix-it items. Fix-it items must be reported daily by all employees as part of
their routine workplace vigilance and due diligence. Workplace
inspections should evolve to become an efficient audit of a department's
internal responsibility system and its occupational health and safety
management programs.
After inspections are completed, the departmental safety committee
shall review their inspection reports and the actions recommended to the
Chair or Department Head. A summary of the inspection process and
safety issues identified shall be included in the next minutes of the local
safety committee.
Confirmation of corrective actions is essential. It may be appropriate to
re-inspect the area of concern at a pre-set date or to discuss the action
plan for the safety issue identified.
2.3.2.4 Inspection checklists
No checklist can be complete enough to evaluate a workplace for all
hazards. They are useful tools for recording notes about physical or
procedural deficiencies, but should not become the focus of the
workplace inspection. The focus must be on outstanding or newly
created hazards and unsafe work procedures. A sample inspection
report form is appended. The Agricultural Safety Audit Program (ASAP)
from the Workplace Safety and Insurance Board promotes a systematic
approach for farm safety audits. The hazard identification checklists are
useful tools for workplace inspections.

Table 1: Inspection report

BUILDING:
ROOM:
DEPARTMENT:
INSPECTED BY:
DATE:
ACCOMPANIED BY:

TO BE COMPLETED DURING THE INSPECTION:

| Item No. | Hazard and Location (Include any Immediate Action Taken) | Hazard Rating | ASSIGNED TO: (Person to Correct) | FOLLOW-UP: Action Taken and Date |
|---|---|---|---|---|
|  |  |  |  |  |

HAZARD PRIORITY RATING
1. Immediately dangerous to life and health (e.g. stop work)
2. High (e.g. correct within a day)
3. Medium (e.g. correct within two weeks)
4. Low (e.g. correct within a semester)

DISTRIBUTION
1. Supervisor
2. Dept. Chair
3. Local JHSC
4. EHS

Notes
2.3.3 Brainstorming
Most problems are not solved automatically by the first idea that comes
to mind. To get to the best solution it is important to consider many
possible solutions. One of the best ways to do this is called
brainstorming. Brainstorming is the act of defining a problem or idea
and coming up with anything related to the topic - no matter how remote a
suggestion may sound. All of these ideas are recorded and evaluated
only after the brainstorming is completed.
2.3.3.1 Procedure
This is a process of conducting group meetings with people who are
familiar with the operation of the area under review, recording all ideas and
thoughts relating to possible hazards and then sorting the results into
some sort of priority order.
1. In a small or large group select a leader and a recorder (they may
be the same person).
2. Define the problem or idea to be brainstormed. Make sure
everyone is clear on the topic being explored.
3. Set up the rules for the session. They should include:
   - Letting the leader have control.
   - Allowing everyone to contribute.
   - Ensuring that no one will insult, demean, or evaluate another
     participant or his/her response.
   - Stating that no answer is wrong.
   - Recording each answer unless it is a repeat.
   - Setting a time limit and stopping when that time is up.
4. Start the brainstorming. Have the leader select members of the
group to share their answers. The recorder should write down all
responses, if possible so everyone can see them. Make sure not
to evaluate or criticize any answers until done brainstorming.
5. Once you have finished brainstorming, go through the results and
begin evaluating the responses. Some initial qualities to look for
when examining the responses include:
   - Looking for any answers that are repeated or similar.
   - Grouping like concepts together.
   - Eliminating responses that definitely do not fit.
   - Now that you have narrowed your list down some, discuss
     the remaining responses as a group.
2.3.4 Knowledge of employees


Employees should be encouraged to describe any hazards they are
aware of. Inquiries of this nature should be conducted in an atmosphere
of "no blame" where even if the employee is not doing things properly
they are not criticized for it. The aim is to identify and document hazards
at this stage.
An authorized employee representative will be given the opportunity to
attend the opening and closing conferences, and to accompany the
investigator and the employer during the walk-around inspection. The
investigator may also consult with a reasonable number of employees
concerning safety and health matters in the workplace. Employees are
protected under the Act from discrimination by the employer for
exercising their safety and health rights.
The investigator will also explain the requirements of the Employee
Right-to-Know (RTK) Standard. Under RTK, employers must establish a
written comprehensive Right-to-Know program that includes provisions
for container labeling, material safety data sheets and employee training.
The program must contain a list of the hazardous chemicals in each
work area and the means the employer will use to inform employees of
the hazards of both everyday and non-routine tasks.

2.3.5 Trade Journals


Trade journals are often a source of information regarding hazards
encountered by others in the industry. They can be a source of useful
inquiry, as members of the same industry would expect to encounter
similar hazards. Trade journals can offer statistical data about accidents
that have happened in the risk assessment field. They can describe hazards
as well as hazard areas associated with new technology and fields of
industry. Each industrial, social, engineering, medical, or agricultural
branch has its own trade journals. Consulting trade journals helps the
assessor learn about new hazardous materials present in the assessed
industry.
2.3.5.1 International Journal of Applied Management and Technology
The on-line, international, peer-reviewed journal IJAMT, sponsored by
Walden University School of Management, is published biannually in
May and November. It is available on the Internet to all interested parties
for purposes of research and practical application. The journal welcomes
original, unpublished manuscripts in the field of applied management
and technology in all sectors of society from scholars,
scholar-practitioners, and advanced graduate students. http://www.ijamt.org/
2.3.5.2 Journal of Accident Investigation
This biannual, interdisciplinary journal published by the National
Transportation Safety Board provides for the public exchange of ideas
and information developed through accident investigations at the NTSB
in all modes of transportation. The intended audience is professionals in
safety, accident investigations, engineering, and the behavioral
sciences. http://www.ntsb.gov/publictn/2005/JRN0501.htm
2.3.5.3 Risk Analysis
Risk Analysis, the journal of the Society for Risk Analysis, provides a
focal point for new developments in risk analysis for scientists from a
wide range of disciplines. The analysis of risks is being increasingly
viewed as a field in itself, and the demand for a more orderly and formal
treatment of risks is great. Risk Analysis is designed to meet these
needs of organization, integration, and communication. The journal
covers topics of great interest to regulators, researchers, and scientific
administrators. It deals with health risks, engineering, mathematical, and
theoretical aspects of risks, and social and psychological aspects of risk
such as risk perception, acceptability, economics, and ethics. All
scientific articles in Risk Analysis are fully peer reviewed.
http://www.sra.org/journal.htm
2.3.5.4 Risk, Decision and Policy
This unique publication is published three times per year by Cambridge
University Press and includes both theoretical and applied papers on
decision-making while under risk. The journal's coverage includes
technical articles, comments, guest-edited symposia on current policy
issues, forum pieces, commissioned surveys, book and software
reviews, and news on conferences and related societies around the
world. This publication will help decision and risk researchers in
statistics, economics, psychology, medicine and public health, as well as
policy-makers in both business and government. http://www.cup.org.
2.3.5.5 Risk: Health, Safety & Environment
As the official journal of the Risk Assessment & Policy Association, this
refereed, interdisciplinary quarterly explores public and private efforts to
manage science and technology for net reduction in the probability,
severity, and aversive quality of health, safety, and environmental
impacts of natural and artificial hazards. A cumulative index is provided,
as well as an index of book reviews and essays.
http://www.fplc.edu/risk/profrisk.htm
2.3.5.6 Risk Management: An International Journal
This journal aims to generate ideas and promote good practice and to
facilitate the exchange of information and expertise for those involved in
the business of managing risk, across countries and across disciplines.
Perpetuity Press in Leicester, United Kingdom, publishes the journal's
four issues annually. Starting January 2002, free instant access to a
leading risk, security, and crime prevention abstract database--Security
and Risk Abstract Database--is included with every journal subscription.
http://www.perpetuitypress.com/ (click on "Journals")
2.3.5.7 Environmental & Ecological Risks
See Human and Ecological Risk Assessment Journal listed below.
2.3.5.8 Annals of Internal Medicine
The American College of Physicians-American Society of Internal
Medicine publishes Annals of Internal Medicine, one of the most cited
medical journals in the world, on the second and fourth Tuesdays every
month. ACP-ASIM membership or a nonmember subscription is required
to view the journal's research articles on line, but non-technical
summaries of the articles are available to the public.
http://www.acponline.org/journals/annals/
2.3.5.8 Health, Risk & Society

Social scientists, practitioners, and policy makers who have an interest
in risk issues relating to health are among the readership of this
international scholarly journal devoted to a theoretical and empirical
understanding of the social processes that influence the ways in which
risks are taken, communicated, assessed, and managed in relationship
to health and health care. Published quarterly by Taylor and Francis
Group Ltd., the journal welcomes contributions from a variety of social
sciences disciplines that examine the issues of risk within health and
health care, including economics, sociology, psychology, and
management. Submission of articles that explore the ways in which risk
was handled at a variety of levels--that is, in the community, within
various organizations, and at national and supranational levels--is
encouraged. http://www.tandf.co.uk/journals/titles/13698575.asp
2.3.5.9 Human and Ecological Risk Assessment Journal
Human and Ecological Risk Assessment is the first journal devoted to
providing a framework for professionals researching and assessing
developments in both human and ecological risk assessment. The
journal was created to enhance the communication and cooperation of
professionals working on human risk assessment with those in the
ecological risk assessment domain. Given the rapid development in
these respective disciplines and their unique potential inter-relatedness,
efforts to directly enhance technical information transfer will markedly
benefit each field. The journal is a bimonthly, international,
peer-reviewed publication focusing on scientific and technical information and
critical analysis.
http://www.crcpress.com/cgi-in/scart.cgi?store=wrisk&catalog=10807039
2.3.5.10 Journal of the American Medical Association (JAMA)
This international peer-reviewed general medical journal, which began
publication in 1883, promotes the science and art of medicine and the
betterment of the public health. A search of the JAMA web will produce
many references to health-related risk, such as the topical October 27,
1999, issue on obesity research that includes information on related
disease risks. http://jama.ama-assn.org/
2.3.5.11 Journal of the National Cancer Institute

The Journal of the National Cancer Institute, which includes news
articles, abstracts of reports, calendar of events, and job openings, is
published twice a month and is available on line by subscription. The
journal's table of contents and abstracts are available without charge.
http://jnci.oupjournals.org/
2.3.5.12 Toxicological Sciences
One of the Society of Toxicology's official journals and fully owned and
financed by the society, Toxicological Sciences publishes research
articles 12 times a year that are broadly relevant to assessing the
potential adverse health effects resulting from exposure of human or
animals to chemicals, drugs, natural products, or synthetic materials.
Manuscripts are published in all areas of toxicology, both descriptive and
mechanistic, as well as interpretive or theoretical investigations that
elucidate the risk assessment implications of exposure to toxic agents
alone or in combination. Beginning January 1, 1999, Toxicological
Sciences became available on line free to the public and is published by
Oxford University Press. http://toxsci.oupjournals.org/

2.3.6 OSHA (Occupational Safety & Health Administration) publications and safety alerts
More than three decades ago, the Occupational Safety and Health Act of
1970 created the Occupational Safety and Health Administration to help
employers and employees reduce injuries, illnesses, and deaths on the
job in America. Since then, workplace fatalities have been cut by 62
percent and occupational injury and illness rates have declined 40
percent. At the same time, U.S. employment has doubled and now
includes nearly 115 million workers at 7 million sites.
OSHA provides national leadership in occupational safety and health.
The agency seeks to find and share the most effective ways to get
results: to save lives and prevent injuries and illnesses. The message is
simple: Safety and health add value to your business, to your
workplace, and to your life.
For business, protecting workers' safety and health is the right thing to
do. It saves money and adds value to the organization. When workers
stay whole and healthy, businesses experience lower workers'
compensation insurance costs, reduced medical expenditures,
decreased payout for return-to-work programs, fewer faulty products,
and lower costs for job accommodations for injured workers. There are
also indirect benefits such as increased productivity, lower costs for
training replacement workers, and decreased costs for overtime.
Every workplace is a community. Safety and health add value to
workplaces by increasing morale, improving productivity, and reducing
turnover. The best companies build a reputation that is synonymous not
only with an excellent product, but also an outstanding work environment
where safety and health is a core value.
Every employee benefits when safety and health is a priority at the
workplace. Every worker wants to make a contribution through his or her
job, yet the primary purpose of work is to make a living. Safety and
health add value to the lives of workers by enabling them to maintain
their incomes and provide for their families. Getting hurt or sick is not
just physically painful. On-the-job injuries and illnesses can significantly
reduce income, increase stress, and hinder a full family life.
Establishing a safe and healthful working environment requires every
employer and every worker to make safety and health a top priority. The
entire workforce, from the CEO to the most recent hire, must
recognize the value of safety and health and acknowledge that this is
central to the mission and key to the corporate vision and identity.
OSHA provides leadership and encouragement to employers and
workers to help them recognize and realize the value of safety and
health on the job. The agency's ultimate goal will always be to reduce
injuries, illnesses, and deaths to zero.
2.3.6.1 OSHA's history and purpose
OSHA stands for the Occupational Safety and Health Administration, an
agency of the U.S. Department of Labor. The U.S. Congress passed the
Occupational Safety and Health Act of 1970 (the OSH Act) "to assure
so far as possible every working man and woman in the nation safe and
healthful working conditions and to preserve our human resources." The
legislation, signed into law by President Richard M. Nixon on Dec. 29,
1970, established OSHA and its sole responsibility to provide worker
safety and health protection.
Nearly everyone in America works or has someone in the immediate
family who does. Whether you are an employer, employee, or have a
family member who works, you need to know about OSHA. The more
you know about OSHA, the better you can protect yourself, your
coworkers, or your employees and contribute to safe and healthful
working conditions for all Americans.
2.3.6.2 What OSHA does
OSHA uses three basic strategies, authorized by the Occupational
Safety and Health Act, to help employers and employees reduce
injuries, illnesses, and deaths on the job:
- Strong, fair, and effective enforcement;
- Outreach, education, and compliance assistance; and
- Partnerships and other cooperative programs.
Based on these strategies, OSHA conducts a wide range of programs
and activities to promote workplace safety and health. The agency:
- Encourages employers and employees to reduce workplace
  hazards and to implement new safety and health management
  systems or improve existing programs;
- Develops mandatory job safety and health standards and enforces
  them through worksite inspections, employer assistance, and,
  sometimes, by imposing citations, penalties, or both;
- Promotes safe and healthful work environments through
  cooperative programs, partnerships, and alliances;
- Establishes responsibilities and rights for employers and
  employees to achieve better safety and health conditions;
- Supports the development of innovative ways of dealing with
  workplace hazards;
- Maintains a reporting and recordkeeping system to monitor
  job-related injuries and illnesses;
- Establishes training programs to increase the competence of
  occupational safety and health personnel;
- Provides technical and compliance assistance and training and
  education to help employers reduce worker accidents and injuries;
- Works in partnership with states that operate their own
  occupational safety and health programs; and
- Supports the Consultation Service.
www.osha.gov
2.3.6.3 Who is not covered?
The OSH Act does not cover:
- The self-employed;
- Immediate members of farming families on farms that do not
  employ outside workers;
- Employees whose working conditions are regulated by other
  federal agencies under other federal statutes. These include mine
  workers, certain truckers and transportation workers, and atomic
  energy workers;
- Public employees in state and local governments; some states
  have their own occupational safety and health plans that cover
  these workers.
For more information visit http://www.osha.gov or
http://www.osha.gov/Publications/osha2056.pdf#search='about%20OSHA'

2.3.7 Manufacturers' instruction books

Manufacturers' instruction books often provide advice and warnings
regarding safety and health issues. It is important to ensure all
instructions are understood and, more importantly, followed by all
employees. Manufacturers' information, including material safety data
sheets, should always be reviewed to ensure the products in use are the
safest available and do not have hidden hazards.
Ask "What if ...?" It is important to try to anticipate how human
behavior, plant, and system failure could combine to create a hazardous
situation. Constantly ask yourself, "What if ...?"

2.3.8 Sample inspection worksheet


Always note details of the hazard onto a worksheet. Development of a
physical hazard list is very important as this forms the basis for the next
step of the process. There are no standard formats used to record the
data, so the following example worksheets, Tables 2 & 3, are only for
reference and may need modification to suit the nature of individual projects.

Table 2: Sample inspection worksheet

Company: Printing
Inspection work sheet No.1
Site / location:
Inspected by:
Date:

| Plant | Hazard and source | Comments |
|---|---|---|
| Large paper guillotine | Crush from paper holding bar | Operator and casual passers-by need protection |
| | Amputation from blade due to: access to blade from rear; safety latch failure; electronic beam not failing to safety | |
| Industrial lift truck | Could trip over or lose load if overloaded | Usually received pallet loads within capacity, but heavier loads than the truck's capacity arrive occasionally |
| | If raised above mast height load could fall on operator | Fitted with overhead protection |
| | Person could be struck and crushed by lift truck | Truck regularly operates near operations on binding line |
| | Rear turning wheels could run over and crush a person's foot | Two people have previously had their feet run over while talking to driver |

Table 3: Sample inspection of pizza shop

Company: Pizza shop
Inspection work sheet No.1
Site / location:
Inspected by:
Date:

| Plant | Hazard and source | Comments |
|---|---|---|
| Pizza oven | Possible burns when taking food out. | Has happened frequently. Should use gloves. |
| Electric knife | Possible electrocution from cutting cord | Could connect through remote controlled device (RCD) |
| Electric meat slicer | Possible electrocution | Use RCD: test regularly |
| | Cutting hazard | Use steel mesh cutting glove & safe work practices. |

2.4 Risk Examples in Pictures


Vision is the most effective sense for people to memorize and remember
things. Therefore, below are some risk pictures that enable the
student to become familiar with daily and operational risks.

Figure 13: Slipping or tripping at work

Figure 14: Getting into contact with hazardous material (asbestos, fumes, etc.)

Figure 15: Performing work at height

Figure 16: Handling, transporting or supporting loads while suffering from
sprains, strains, or pains

Figure 17: Having long exposure to computers or other display screen
equipment

Figure 18: Working at a noisy place: causes hearing loss or deafness.

Figure 19: Predictable or unpredictable, controlled or uncontrolled risk
associated with natural or climate phenomena.

Figure 20: Being exposed to vibration

Using hand-held powered tools, equipment or processes can cause hand-arm
vibration syndrome, which impairs blood circulation, damages the
nerves and muscles, and reduces the ability to grip things properly. Table 4
shows the maximum time to be exposed to sound depending on the
sound intensity. Table 5 shows the action and the corresponding sound
level for each action. It is clear that people who work in a very noisy factory
have to use ear protectors if they work more than 8 hours per day.
Also, people who work in an airport have to use ear protectors all the time to
protect their hearing nerves.
Table 4: Maximum duration per day for sound levels

| Duration per Day (Hours) | Sound Level (dB) |
|---|---|
| 8 | 90 |
| 6 | 92 |
| 4 | 95 |
| 2 | 100 |
| 1 | 105 |
| 3/4 | 107 |
| 1/2 | 110 |
| 1/4 | 115 |

Table 5: Action and corresponding sound level

| Action | Sound level, dB |
|---|---|
| Leaves rustling | 10 |
| Whispers | 20 |
| Quiet Radio | 40 |
| Conversation | 60 |
| Busy Traffic | 70 |
| Very Noisy Factory | 90 |
| Loud Rock Band | 110 |
| Threshold of pain | 120 |
| Jet airplane from 30 m | 140 |
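The rows of Table 4 follow a halving rule (8 hours at 90 dB, half the time for every additional 5 dB), and the sketch below, an added example that is not part of the original manuscript, uses that rule to check a working day spent at several of the Table 5 levels. The fractional-dose summation across segments, the treatment of levels outside Table 4, and the sample shifts are assumptions of this example.

```python
import math

# Rows of Table 4 as printed: sound level (dB) -> maximum hours per day.
TABLE_4 = {90: 8.0, 92: 6.0, 95: 4.0, 100: 2.0, 105: 1.0,
           107: 0.75, 110: 0.5, 115: 0.25}

# Rule read off Table 4: 8 h at 90 dB, halved for every +5 dB.
CRITERION_DB = 90.0
CRITERION_HOURS = 8.0
EXCHANGE_DB = 5.0
CEILING_DB = 115.0  # highest level listed in Table 4


def permissible_hours(level_db):
    """Maximum daily duration at one constant sound level."""
    if level_db > CEILING_DB:
        return 0.0        # assumption: above the table, no unprotected time
    if level_db < CRITERION_DB:
        return math.inf   # assumption: below the table, not counted
    return CRITERION_HOURS / 2 ** ((level_db - CRITERION_DB) / EXCHANGE_DB)


def table_agreement():
    """Largest relative gap between the halving rule and the printed rows."""
    return max(abs(permissible_hours(db) - hours) / hours
               for db, hours in TABLE_4.items())


def contribution(level_db, hours):
    """Fraction of the daily allowance used by one (level, hours) segment."""
    if hours <= 0:
        return 0.0
    allowed = permissible_hours(level_db)
    return math.inf if allowed == 0.0 else hours / allowed


def daily_dose(segments):
    """Sum of the segment fractions; 1.0 means the allowance is used up."""
    return sum(contribution(db, hours) for db, hours in segments)


def assess_shift(segments):
    """Dose, whether ear protection is needed, and the dominant segment."""
    dose = daily_dose(segments)
    worst = max(segments, key=lambda seg: contribution(*seg))
    return {"dose": dose,
            "protection_required": dose > 1.0,
            "worst_segment": worst}


# Constructed sample shifts using levels from Table 5.
FACTORY_8H = [(90, 8)]                      # very noisy factory, full day
FACTORY_9H = [(90, 9)]                      # same factory, one hour longer
MIXED = [(60, 2), (90, 4), (100, 1.5)]      # conversation, factory, louder task
AIRPORT = [(60, 7.5), (140, 0.5)]           # half an hour near a jet airplane

if __name__ == "__main__":
    print("rule vs. Table 4, max relative gap:", round(table_agreement(), 4))
    for name, shift in [("factory 8 h", FACTORY_8H), ("factory 9 h", FACTORY_9H),
                        ("mixed", MIXED), ("airport", AIRPORT)]:
        print(name, assess_shift(shift))
```

A dose of exactly 1.0 corresponds to the Table 4 limit itself (for example 8 hours at 90 dB), so only a dose above 1.0 is flagged.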

Figure 21: Getting hurt by electricity

Figure 22: Neglecting maintenance or doing unsafe maintenance work

Figure 23: Improper selection of work equipment

Figure 24: Risks resulting from transport, road traffic, road conditions

Figure 25: Risk associated with pressure systems

Figure 26: Risks resulting from fire or explosions or use or storage of explosive
materials or chemicals

- Risks due to radioactive materials: non-ionizing radiation
  (ultraviolet radiation from the sun can damage skin; lasers can
  cause burns and damage eyes); ionizing radiation (naturally
  occurring radiation from radon gas, or radiation from radiography
  or thickness measuring gauges).
- Feeling stressed by work (the adverse reaction people have to
  excessive pressure or other types of demand placed on them).
  Stress is identified by defining the hazard behind it.

Figure 27: Feeling stressed by work

2.5 Common Risks Associated with New Project


The following lists common risks that most projects will encounter; they
form a starting point for developing a catalog of risks. However, the list is
not exhaustive; most project managers will find several more risks that
they can add, and project experience will tend to increase this number.
When you are assessing the risks for your projects, always refer to a list
such as this. Otherwise, you run the project management risk that not all
project risks are identified.

2.5.1 Staff risks


- Key staff will not be available when needed.
- Key skill sets will not be available when needed.
- Staff will be lost during the project.

2.5.2 Equipment risks

- Required equipment will not be delivered on time.
- Access to hardware will be restricted.
- Equipment will fail.

2.5.3 Client risks

- Client resources will not be made available as required.
- Client staff will not reach decisions in a timely manner.
- Deliverables will not be reviewed according to the schedule.
- Knowledgeable client staff will be replaced by those less qualified.

2.5.4 Scope risks

- Requirements for additional effort will surface.
- Changes of scope will be deemed to be included in the project.
- Scope changes will be introduced without the knowledge of project
  management.

2.5.5 Technology risks

- The technology will have technical or performance limitations that
  endanger the project.
- Technology components will not be easily integrated.
- The technology is new and poorly understood.

2.5.6 Delivery risks

- System response time will not be adequate.
- System capacity requirements will exceed available capacity.
- The system will fail to meet functional requirements.

2.5.7 Physical risks

- The office will be damaged by fire, flood, or other catastrophe.
- A computer virus will infect the development system.
- A team member will steal confidential material and make it
  available to competitors of the client.
- Contaminants originate from work operations.

2.5.8 Political risk

- Governmental intervention
- Inflationary/deflationary policies
- Changes in legislation, sanctions

2.5.9 Financial risk

- Inadequate inflation forecasts
- Incorrect marketing decision
- Availability of money on time

2.5.10 Environmental risk

- Work and surrounding environment
- Environmental regulation
Table 6: Some of the physical risks that originate from work operations

| Process Types | Contaminant Type | Contaminant Examples |
|---|---|---|
| Hot operations: Welding, Chemical reactions, Soldering, Melting, Burning | Gases (g); Particulates (p) (dusts, fumes, mists) | Chromates (p); Zinc, Manganese and compounds (p); Carbon monoxide (g); Fluorides (p); Vinyl chloride (g) |
| Liquid operations: Painting, Degreasing, Cleaning | Vapors (v); Gases (g); Mists (m) | Benzene (v); Sulfuric acid (m); Hydrogen chloride (g) |
| Shaping operations: Cutting, Grinding, Drilling | Dusts (d) | Asbestos; Uranium; Zinc |
Therefore, it is essential for workplaces or projects to identify
hazards and risks as a first step in the risk assessment process. The
following chapter shows in detail the methods used to identify hazards
for risk assessment procedures.

Chapter 3 Identification of Risks


The techniques for identifying hazards and risks (for finding out what
types of hazards exist in a certain plant) are often confused with the
methods and techniques for risk analysis; the following figure represents
the difference between the two categories. The left-hand side of the
figure shows methods of risk and hazard identification, while the
right-hand side shows methods of risk analysis.
The traditional method for identifying hazards was to build up (or
dig down) the plant and see what happens; until an error or a risk
occurs, we can say that we did not know that the risk existed. This is not a
bad method if the size of the accident is limited, but it is not satisfactory
when the limits of the accidents are very wide.
[Figure 28: Identification and analysis of risk. Diagram labels, in extraction order: Obvious, Obvious, See What Happens, Experience, Check Lists, Fault Trees, PRA, RISK, Markov Chains, FMECA, PETRI Network, HAZOP, Network Analysis, etc., Simulation]


Check lists are often used to identify hazards but their disadvantage is
that items, which are not on the list, are not mentioned and our minds
are closed to what is on the list. Indeed, checklists may be satisfactory if
there is little or no innovation of risks and all the hazards have been met
before.

For this reason the process industries have come to prefer the more
creative or open-ended techniques such as HAZOP and FMECA.
After we have identified the hazards, we have to decide how far to go in
removing them or protecting people and property. Some of the methods
used are listed on the right-hand side of Figure 28. Sometimes there is a
cheap and obvious way of removing the hazard, and sometimes it is less
easy to decide. We can then try to work out the probability of an accident
and the extent of the consequences and compare them with a target or
criterion.

3.1 Preliminary Risk Analysis (PRA)


The Preliminary Risk Analysis is a practical method for the analysis of
the dangerous elements of a system; it consists of a table of elements
associated with the impact of each element on the system, as a sort of
listing, or check tables, Table 7.
Table 7: PRA

| System or subsystem | Phase | Dangerous elements | Events causing dangerous situation | Dangerous situation | Events causing potential accidents | Potential accidents | Consequences | Gravity | Preventative measures |
|---|---|---|---|---|---|---|---|---|---|
| Restaurants | Food preparation | Oil, Oven, Heaters | Contact between oil and heat source | Beginning of fire | No extinguisher | Fire | Complete destruction of the restaurant | Very high | Sprinklers and fire extinguisher |
The main aim of the method is to identify the different dangerous
materials present in the system and to watch out for all elements and their
capability of initiating an accident through their presence or
mistreatment.
In order to identify the dangerous elements and the dangerous
situations, the analyst is helped by checklists of these elements or their
dangerous situations. These checklists should be adapted for each case
and made according to similar situations or in a way that serves the
required study or the required analysis.
The Gravity and Consequences columns give the analyst the chance
to rank hierarchically the risks encountered on site, while the
Preventative Measures and Application of Measurements columns pave the
way for prediction and detection of the risks so that they can be minimized or
eliminated. These columns indicate the measures selected at specific
sites in order to show their efficiency in the system.
This study, as the name says, permits the analyst to have a preliminary
view of the risks and the dangerous situations existing in the system. Its
objective is mainly the listing of the big problems encountered in the
system without the details of each risk. This analysis is usually followed
by another type of risk identification acting as a middle way between no
identification and a detailed identification of risks at a certain site.

3.2 Failure Modes, Effect and Criticality Analysis (FMECA)

Dating from early in the 1960s in the aeronautics industry, the FMECA
method has been applied successfully in the nuclear, chemical, and
petroleum industries. At present, it is the method most widely applied in
all industries for the identification of risks.
Its success relies on its ease of use, which nevertheless requires a good
knowledge of its theory and manipulations. The FMECA method
considers systematically each of the components of the system in
terms of operating modes and modes of failure. The causes of these failures
are listed, along with the consequences of each failure on the system, the
environmental impact, etc. In order to complete the study, two other
factors are added, the Probability and the Gravity of each
mode of failure; this combination makes it possible to analyze
critically the mode of failure and the component(s) associated with it.
If the system has a very large number of components, a global FMECA is
made first, and afterwards each component of the global study is studied in
detail, and so on.

3.2.1 Objectives and domains of applications


The FMECA is a tool for the prevention of accidents; it is generally
used at the design stage of a new process. In general, we can recognize
two types of this study:
* FMECA in Manufacturing.
* FMECA in Processing.
The FMECA in manufacturing concentrates on the optimization of
reliability. It is generally based on historical data, and it permits
the designer to define the actions necessary and the dangers surrounding
this type of design.
The FMECA in processing serves as a method for:
* Means of production (machines, production lines, etc.).
* The sequence of the production operations, either manual or
  automatic, for a certain product, treatment of information, etc.
The FMECA method is a technique that eases the critical examination of
the projected process. It analyses the quantity and the quality of the
process with an estimation of its criticality, and it is carried out at
the design stage and along the production line. At the study stage, the
risk associated with the technology used might be quantified.
It is assumed that the analysis is revised in the production phase and
during the exploitation of the product. The study is made throughout the
manufacturing process in its different stages.

3.2.2 Preparation for the study and the methodology of analysis


To prepare the study, certain steps have to be carried out before
starting; these steps are shown in Figure 26.

Regular request of the analysis / design project
* Definition of the objectives (example: improving the reliability,
  improving the availability)
* Team work (from different domains)
* Path, duration, and delay of the analysis (<3 months)
* Decomposition of the process (definition of each process,
  decomposition into sub-processes)
* Collection of data (data banks, production files of similar projects)
* Analysis

Figure 29: Preparation of the analysis

3.3 HAZOP
For certain procedures, and in particular in industries that involve the
production or the usage of chemical products, the PRA is not suitable,
and it is preferable to study what is called the influence of deviations
with respect to nominal values. These deviations in physical parameters
guide the HAZOP study.

3.3.1 What is HAZOP?


As mentioned before, HAZOP is a method of risk identification; it is
the abbreviation of HAZard and OPerability study. It is the method
recommended for the identification of risks and hazards which prevent
efficient operation.
HAZOP is a technique which provides opportunities for people to let their
imaginations go free and think of all possible ways in which hazards and
operating problems might arise but, to reduce the chance that something
is forgotten, it is done systematically. Each path and each sort of
hazard is considered in turn. The study is carried out by a team so that
they can stimulate each other and build upon each other's ideas.
A path, for this purpose, is one joining two main items; for example, we
might start with the line leading from the feed tank through the feed
pump to the first feed heater. A series of guide words is applied to
this line in turn. These guide words are:
* NONE
* MORE OF
* LESS OF
* PART OF
* MORE THAN
* OTHER THAN

NONE, for example, means no forward flow, or reverse flow, when there
should be forward flow, so we ask:
* Could there be no flow?
* If so, how could it arise?
* What are the consequences of no flow?
* Are the consequences hazardous or do they prevent efficient
  operation?
* If so, can we prevent no flow by changing the design?

These questions are typical in the case of the guide word NONE; similar
questions can be asked in the case of MORE OF, and so on for all guide
words.
Table 8: Deviation generated by each guide word
NONE | No forward flow when there should be, i.e. no flow or reverse flow
MORE OF | More of any relevant physical property than there should be, e.g. higher flow, higher temperature, higher pressure, etc.
LESS OF | Less of any relevant physical property than there should be, e.g. lower flow, lower temperature, lower pressure, etc.
PART OF | Part of composition of system different from what it should be, e.g. change in ratio of components, component missing, etc.
MORE THAN | More components present in the system than should be, e.g. extra phase, impurities, etc.
OTHER THAN | What else can happen apart from normal operation, e.g. uprating, low rate, maintenance, etc.
Table 8 explains the main deviations associated with each guide word,
while Figure 30 shows the flow chart of the method in general.
The guide word OTHER THAN is applied after all other guide words and
covers other types of problems that could come to mind and have not
been mentioned by any other guide word. In general, it is the other
causes of hazards that have not been mentioned yet.

Start
* Select deviation, e.g. more flow.
* Is more flow possible? No: move on to another deviation. Yes: continue.
* Is it hazardous? No: consider other causes of more flow. Yes: continue.
* Will the operator know? No: what change will tell him? Yes: continue.
* What change in plant or in method will prevent the deviation or stop
  its consequences?
* Is the cost justified? No: consider other changes or agree to accept
  hazard. Yes: agree change(s).
* Follow up to verify action.
End

Figure 30: Flow chart of the method HAZOP

3.3.2 When is a HAZOP Carried Out?


A HAZOP cannot be carried out before the line diagram of the process
(process and instrumentation flow diagram) is completed. It should be
carried out as soon as possible thereafter. If an existing plant is being
studied, the first step is to bring the line diagram up to date or check
that it is up to date. Carrying out a HAZOP on an incorrect line diagram
is useless.
The HAZOP on a large project may take several months, even with 2 or 3
teams working in parallel on different sections of the plant. It is thus
necessary to either:
* Hold up detailed design and construction until the HAZOP is
  complete, or
* Allow detailed design and construction to go ahead and accept the
  risk of having to modify the detailed design or even alter the plant
  when the results of the HAZOP are known.

3.3.3 Some Points to Watch during HAZOP


It is possible for a team to get carried away by enthusiasm and install
expensive equipment to guard against unlikely hazards. The team leader
can counter this by asking how often the hazard will occur and how
serious the consequences will be. Sometimes he may suggest a full
hazard analysis, but more often he can bring a problem into perspective
by just quoting a few figures or asking a team member to do so.
The team consists mainly of engineers, and they like hardware solutions,
but sometimes a hardware solution is impossible or too expensive and we
have to make a change in methods or improve the training of the
operators. So solutions are most likely to come through either hardware
changes or software changes, the latter usually being less expensive.
In many plants, the HAZOP is considered unsuitable for small
modifications. It is difficult to assemble a HAZOP team for every change
of a valve. However, many accidents have occurred because small
modifications had unforeseen side effects. They should be thoroughly
probed before they are authorized. Many types of guide sheets are
available for helping people to do so.
A HAZOP is not a substitute for knowledge and experience. It is not an
oven that consumes line diagrams and produces lists of modifications. It
merely harnesses the knowledge and experience of the team in a
systematic and concerted way. Because the designs are so complicated,
the team cannot apply their knowledge and experience without this
crutch for their thinking. If the team lacks knowledge and experience,
the HAZOP will produce nothing worthwhile. Table 9 shows a small
example of the application of HAZOP through a checklist.
Table 9: HAZOP
Element name: Oven
Element function: Cooking
Dangerous deviation: High temperature
Possible cause: Defective thermostat
Consequences: Fire
Method of detection: Alarm, person
Corrective action: Stop and repair
Observation:

3.4 What is Risk Assessment?


A risk assessment is nothing more than a careful examination of what, in
your work, could cause harm to people, so that you can weigh up
whether you have taken enough precautions or should do more to
prevent harm. The aim is to make sure that no one gets hurt or becomes
ill. Accidents and ill health can ruin lives, and affect your business too if
output is lost, machinery is damaged, insurance costs increase, or you
have to go to court. You are legally required to assess the risks. The
important things are whether a hazard is significant, and whether you
have it covered by satisfactory precautions so that the risk is small. You
need to check this when you assess the risks. For instance, electricity
can kill but the risk of it doing so in an office environment is remote,
provided that live components are insulated and metal casings properly
earthed.
Risk assessment is the process of evaluating a hazard to determine the
level of action required to reduce a risk to an acceptable level. When
evaluating the risks imposed by a hazard one should consider both the
likelihood and consequences of the event happening. Judging how likely
it is that something will happen or what its potential consequences might
be is like predicting the future. You cannot be really sure; you can make
a "best estimate" on the basis of the information available. Because it is
so unpredictable it is better to be conservative in your judgment.


3.4.1 Likelihood
This is defined as the chance of an event actually occurring. In the
context of risk management the event referred to is any event, which
may cause injury or harm to a person. When making an assessment of
likelihood, you must establish which of the following categories most
closely describes the likelihood of the hazardous event occurring.

* Very likely: could happen frequently
* Likely: could happen occasionally
* Unlikely: could happen, but only rarely
* Highly unlikely: could happen but probably never will

When evaluating the likelihood of an accident, a factor that will modify
the likelihood category is exposure. Exposure is a measure of how often
or how long a person is actually exposed to a hazard. Some examples
are:
* Very rare: once per year or less
* Rare: a few times per year
* Unusual: once per month
* Occasional: once per week
* Frequent: daily
* Continuous: constant
It is a common mistake to place too much emphasis on the mitigating
effects of a low exposure level. Just because a person is not exposed to
a hazard very often does not always mean we can take fewer
precautions. The certainty or likelihood of an accident happening is more
important than how often a person is exposed to a hazard. Figures 31
and 32 show two types of probability scales used in risk assessment.
Example
A power press is a common machine in a workshop. In essence the
stored energy in a rotating flywheel is instantaneously connected to a
crankshaft, via a key. The crankshaft drives a ram from its resting
position at the top of its stroke, down to the bottom of its stroke, where it
punches a hole in a piece of metal called a blank. When the ram has
completed its punching operation on the blank, it returns to its resting
place at the top of the stroke. The operator removes the blank and
replaces it with a new blank.
Figure 31: Five degree probability (likelihood) scale (likelihood
descriptions: Certain, Very Likely, Likely, May Happen, Unlikely)

Figure 32: Four degree probability (likelihood) scale (likelihood
descriptions: Certain, Likely, May Happen, Unlikely)


The design of the machine is such that if a fault develops in the key, the
press will unexpectedly operate and complete a stroke. If at this point in
time the operator has his fingers under the ram whilst changing the
blank, the normal result is a severe crush or amputation injury. The
operator would expect to have his fingers in the danger zone for only a
split second each time the press cycles. There are no guards or devices
that can prevent the machine from cycling once a key fault has
developed. Good maintenance will reduce the number of key faults
happening but can never eliminate them totally. For this example
let's assume that maintenance has reduced the risk of the press
malfunctioning to once in 5 million operations.
At first glance it seems we need to do nothing further to reduce the risk.
Closer examination will reveal that operators of presses often exceed 60
operations per minute. Using 60 operations per minute for this example
and 1 fault every 5 million operations we find that:
60 operations/min x 60 min/hour x 8 hrs/day x 5 days/week x 34.72
weeks = 5 million operations.
This indicates that a press operator is at risk of having an accident every
34.72 weeks. The exposure to risk is "very rare"; however, the "likelihood"
of the accident happening is almost certain if a key fault develops.
Control measures must be put in place to reduce the likelihood of this
accident occurring because it is unacceptable for an organization to
have a serious accident every 34 weeks.
The location of a hazard can affect the likelihood of the accident
happening. For example, an exposed V belt drive located adjacent to a
walkway where persons could easily come into contact with the nip
points would have a higher likelihood rating than if the same drive
arrangement were located in a position from which persons were
excluded.
When we assess "likelihood" it should be remembered that we are only
assessing the possibility of an accident happening. As part of our
assessment of likelihood we must take into consideration how often and
for how long the person is at risk; however, this is of lesser importance
than the certainty of an accident occurring.

3.4.2 Consequences
Consequences is a measure of the expected severity should an accident
occur. When assessing the consequences of an accident, the most
severe category one could reasonably expect to result from that accident
should be selected.
The consequences of an event can be categorized as follows:
* Fatal: death.
* Major injuries: normally irreversible injury or damage to health
  requiring extended time off work to effect best recovery.
* Minor: typically a reversible injury or damage to health needing
  several days away from work to recover. Recovery would be full and
  permanent.
* Negligible injuries: would require first aid and may need the
  remainder of the work period or shift off before being able to return
  to work.

Figure 33 below shows the consequences rating for: injury, asset
damage and environmental damage.

Injury | Asset damage | Environmental damage | Rating
Multiple fatalities | Extensive damage, shut down, or loss of plant | Massive leak/spill, public concern |
Single fatality, or permanent disability | Major damage, or partial shutdown | Nonconformance with regulations |
Serious injury | Localized damage, or partial shutdown | Localized leak/spill, or partial shutdown | 3
Minor injury | Minor damage, or parts replacement | Public concern with no lasting effect | 2
Slight injury | Slight damage, no lost time | Effect contained locally | 1

Figure 33: Five degree consequences (severity) scale


If the position of the danger adds to the consequences in the event of
an accident happening, then the added consequences must be taken into
consideration and the consequence rating increased.
When making a risk assessment all aspects of likelihood and
consequences should be taken into consideration. The interrelated
parameters of likelihood and consequences can easily be presented on
the simple matrix shown below.

Consequences rating | Personnel | Property damage | Environmental damage
 | Fatalities | Extensive | Massive
 | Serious | Major | Beyond regulations
 | Minor | Minor | No lasting effect
 | Slight | Slight | Contained locally

Figure 34: Four degree consequences (severity) scale

3.4.3 Risk matrix


If we consider the likelihood of an accident whilst driving a car and the
consequences, statistically it is highly unlikely that we will have an
accident and the worst consequence would be a fatality. From the matrix
below we can see that the risk is in the medium range which means that
we make efforts to reduce the risk of an accident by such means as
driver training, road management and vehicle design.
Table 10: Risk matrix based on consequences and likelihood

Consequences | Very likely | Likely | Unlikely | Highly unlikely
Fatality | High | High | High | Medium
Major injuries | High | High | Medium | Medium
Minor injuries | High | Medium | Medium | Low
Negligible injuries | Medium | Medium | Low | Low

Events or situations assessed as very likely with fatal consequences are
most serious (high risk); those assessed as highly unlikely with
negligible injuries are the least serious (low risk).
When developing risk control strategies any item with a high rating
should be addressed first.
Using the above matrix it would be normal to develop a list of hazards
with highly rated risk at the top of the list. Management would then be
expected to determine at what point it would be reasonable to take no
further action.

Figure 35: 9X9 risk matrix

3.4.5 Risk management worksheets


There are no standard formats used to record the data in connection
with risk management assessments. The examples given are only for
reference and may need modification to suit the nature of individual
projects. Always use a risk management worksheet for systematic
recording. An example of a risk management worksheet is shown in
Table 11.

Table 11: Example of risk management worksheet

Plant risk management worksheet
Company: JHT printing
Site/location: paper store / 5 Jones St.
Date: 02/01/95

Likelihood categories: Very likely, Likely, Unlikely, Highly unlikely
Consequence categories: Fatality, Major injuries, Minor injuries, Negligible injuries
Risk rating categories: High, Medium, Low
Control action stages: 1. Initiated, 2. Implemented, 3. Reviewed

Hazard identification | Likelihood | Consequence | Risk rating | Control action (1. / 2. / 3.)
Crush from guillotine paper holding bar | Very likely | Major injury | High |
Amputation from guillotine blade due to: | | | |
Electrocution hazard from knife | Unlikely | Fatality | High |
Electrocution hazard from meat slicer | Unlikely | Fatality | High |
Cutting hazard from meat slicer | Likely | Minor injury | Medium |

3.5 Risk Control


Control means the measures to be taken to eliminate or reduce the risk
to an acceptable level.
When a risk assessment has identified a hazard as having unacceptable
risks we have to put in place control measures to eliminate the risk or
reduce the risk to an acceptable level.

Figure 36: Risk matrix after applying preventive measures (axes:
severity S1 to S4 against probability P1 to P4; regions marked
Unacceptable and Acceptable)

3.5.1 Hierarchy of control


Hierarchy of control means the order in which controls should be
considered when selecting methods of controlling a risk. Control
measures can be sorted into a number of categories with the most
effective listed at the top. The list of categories is collectively known as
a "hierarchy of control".
When selecting appropriate measures to control a risk we should select
a control measure from as high on the hierarchy of control list as
practicable. The hierarchy of control list usually comprises:

Elimination
Substitution
Isolation
Engineering Controls
Administrative controls
Provide personal protective equipment (PPE)

3.5.2 Elimination
The most satisfactory method of dealing with a hazard is to eliminate it.
Once the hazard has been eliminated the potential for harm has gone.
Example
The dangers associated with transporting an explosive material called
ammonium nitrate fuel oil (Anfo) are known and documented. Anfo is
made by simply mixing ammonium nitrate with fuel oil (diesel). Both
constituents are safe in isolation but when mixed they become unstable.
The dangers of long distance transport can be removed by not mixing
the component parts until they are on site. By this simple expedient we
have eliminated the hazard.

3.5.3 Substitution
This involves substituting a dangerous process or substance with one
that is not as dangerous. This may not be as satisfactory as elimination
as there may still be a risk (even if it is reduced).
Example
Many chemicals can be replaced by other, safer chemicals, which
perform in the same manner but do not have the same dangers, e.g.
water based paints rather than those that contain lead.

3.5.4 Separation
This means separating or isolating the hazard from people. This method
has its problem in that the hazard has not been removed. The guard or
separation device is always at risk of being removed or circumvented.
Example
A guard is placed over a piece of moving machinery. If the guard is
removed for maintenance and not replaced people are again at risk.

3.5.5 Administration
Administrative solutions usually involve modification of the likelihood of
an accident happening. Reducing the number of people exposed to the
danger and providing training to those who are exposed to the hazard
can do this.
Example
The dangers of electricity are well known and only trained and licensed
people are allowed to work on electrical equipment. We can appreciate
that the electrician is still at risk, but their training is such that the
risks are reduced to an acceptable level.
Administrative solutions also include danger signs and written systems
of work such as those for working in confined spaces and lock out
procedures.

3.5.6 Personal protective equipment (PPE)


Provision of personal protective equipment should only be considered
when all other control methods are impractical, or to increase control
when used with another method higher up in the hierarchy of control.
Example
To remove the possibility of a person dropping something on their foot in
a workshop situation would be impracticable, as it would involve
securing every movable object large enough to do damage if it fell on a
person's foot. The practicable solution is to provide every person at risk
with safety footwear.
Controls are not mutually exclusive; several in the hierarchy may be
needed to obtain the level of control necessary.
Table 12: Protective requirement for eye, head, and foot/toe

WHERE NEEDED
Eye: Where machines or operations present a danger from flung objects,
direct or reflected brightness, hazardous liquids, or injurious
radiation.
Head: Where there is danger from impact and penetration from falling or
flying objects or from limited electric shock.
Foot/Toe: In areas where there is a potential for foot or toe injuries.

TYPES OF PROTECTION
Eye: Goggles, full face shields, safety glasses, side shields, welders'
lenses (should meet standards).
Head: Safety hats full brim, brimless, limited voltage protection, no
voltage protection (should meet standards).
Foot/Toe: Impact and compression resistance, metatarsal protection,
puncture resistance, electrical hazard resistance, conductive (should
meet standards).

FITTING REQUIREMENTS
Eye: Comfortable fit (not interfere with movement).
Head: Comfortable, proper fit.
Foot/Toe: Proper fit.

SUGGESTED RECORDS
Eye: Date issued, reissued, type issued, instructions given (need to
wear, cleaning needs, maintenance, conservation, disciplinary action,
fitting).
Head: Date issued, type issued, instructions given (need to wear,
maintenance, disciplinary action).
Foot/Toe: Date issued, amount reimbursed, instructions given (need to
wear, maintenance, disciplinary action).

EXAMINATIONS NEEDED
Eye: Visual acuity, depth perception.

Table 13: Protective requirement for hand, hearing and respiratory

WHERE NEEDED
Hand: Danger of cuts, or from handling corrosives, solvents, or other
chemicals.
Hearing: Noise exposure that equals or exceeds 85 dBA in an 8-hour
time-weighted period.
Respiratory: In areas that present a limited breathable environment or
the possibility of an oxygen-deficient environment or air contamination.

TYPES OF PROTECTION
Hand: Cotton/leather gloves; gauntlets; heat-resistant gloves; barrier
creams; chain mail gloves; halygloves; rubber gloves. (Should meet
standards).
Hearing: Full muffs, disposable plugs, Swedish wool, non-disposable
plugs. (Should meet standards).
Respiratory: Air-purifying respirators, chemical cartridge respirators,
air-supplied respirators, combination respirators, self contained
breathing devices. (Should meet standards).

FITTING REQUIREMENTS
Hand: Proper fit.
Hearing: Proper fit, correct type for noise exposure.
Respiratory: Significant fitting requirements.

SUGGESTED RECORDS
Hand: Date issued, reissued, type issued, instructions given (need to
wear, maintenance, conservation, disciplinary action).
Hearing: Audiometric exam, date issued, instructions given (need to
wear, effects of noise, cleaning, conservation, fitting, disciplinary
action).
Respiratory: Date issued, reissued, type issued, instructions given
(respiratory hazards present; functions; fit testing; proper
utilisation, cleaning and maintenance; conservation, disciplinary
action).

EXAMINATIONS NEEDED
Hearing: Audiometric (baseline and annual).
Respiratory: Pulmonary function.

3.6 Apply Hierarchy of Control


It is crucial to apply the control measure from as high on the hierarchy of
control list as practicable. If we go back to the power press example in
"Risk assessment" mentioned earlier we could examine the steps we
should take to control the risk of an operator having an accident whilst
loading the press.
The contribution to industry of the power press is so great that to
eliminate them completely from the working environment would not be
practicable. Since power presses were first invented in the early part of
this century, designers have not been able to eliminate the hazard of an
unexpected stroke. Based on the evidence and current knowledge,
elimination of the hazard is not practicable.
We could then look to substitution to reduce the risk. We could substitute
a power press for a hydraulic press or a drilling machine. Both of these
alternatives are too slow to be viable alternatives in most cases.
Separating the operator and the hazard is possible in most cases if we
use an automatic feed and a guard to exclude persons from the danger
area. This method is effective, but will not be applicable to all cases.
Administration should be our next alternative. This would involve training
the operator to remove the work-piece and place a new blank in the
machine without putting their fingers in a position where they could be
crushed in the event of a malfunction of the press, e.g. by using a push
stick or similar.
Personal protective equipment may not always be applicable. In fact it
should be the aim of the organization to remove the necessity for
personal protective equipment.
Accepting a solution too low on the hierarchy of control list is a common
failing, which must be avoided.

3.7 Monitoring and Review


Review is an important aspect of any risk management process. It is
essential to review what has been done to ensure that the controls put in
place are effective and that they have not introduced new hazards.
Example
An agricultural machine was found to be hazardous and a guard was
subsequently fitted round the moving parts. This guard excluded
persons from the danger area; however, due to the nature of the
environment it was found that chaff built up behind the guard. If a review
had not been carried out of the new guard after it had been in service for
a short while, the chaff in conjunction with the moving parts may have
caused a fire.
The lesson to be learnt here is that however the initial risk management
process was done, there is always the possibility that something will be
overlooked and not addressed in the initial stages. The review system
allows further modifications to be carried out.

3.8 Conclusion
Hazard identification, risk assessment, control and review are not tasks
that are completed and then forgotten about. Hazard identification should
be properly documented even in the simplest of situations. Sample work
sheets to assist in this process are very useful. Risk assessment should
include a careful assessment of both likelihood and consequence.
Control measures should conform to the recommendations of the
hierarchy of control. The risk management process is an ongoing
activity which should include regular reviews of all aspects of the
organization's activities, including the purchase of new plant and
consumables, the safety of existing plant, and systems of work including
administrative initiatives such as evacuation, fire and violence in the
workplace strategies.


Chapter 4 Methods of System Analysis


4.1 Introduction
Once we have identified the danger(s) concerning a specific system, it
is necessary to start analyzing the system with these danger(s) in
order to find the probable risk(s) associated and to try to reduce them
or, if possible, eliminate them.
Several methods exist for the analysis of systems, each with
advantages and disadvantages. Although we have tried to cover all
available methods, some methods are beyond this course, such as
the method of Fuzzy Sets for the analysis of systems, which resembles
to a small extent the method of Monte Carlo simulation but rests on
a different mathematical basis and not on statistical data.
Each of the methods has more or less frequent application in some fields
of the Security of functions. In order to satisfy the needs of any system,
one or more methods should be used to reach a complete risk
analysis study.

4.2 Markov Chains


The fundamental characteristic of a Markov chain is that the future
evolution of the system of interest is conditional only on its current
state. Since purely static systems rarely exist, Markov chains are used
to represent dynamic systems by observing their stochastic states,
Figure 37.

Figure 37: Stochastic Processes (state plotted against time)

Markov chains are based on the graphical representation of the
studied process, so in order to explain the different steps of the study,
we will consider a system of two parallel components, Figure 38.

Figure 38: Parallel system of two components (C1 and C2)

4.2.1 Presentation of the Process


The constructor of the system stated that, in this system, either one of
the two components could supply the full demand at the exit, with the
priority that C2 is repaired first. The analysis of this system with
Markovian processes consists of identifying the different states of the
system during its exploitation. These different states are listed in
Table 14.
Table 14: Different states of the system.
C1 | C2 | Success | State
1 | 1 | 1 | E1 (state of working)
1 | 0 | 1 | E2 (state of working)
0 | 1 | 1 | E3 (state of working)
0 | 0 | 0 | E4 (complete failure)

The construction of the graphical representation of the system starts with
the presentation of each state of the system as a circle, Figure 39. The
next step is to find out how the system moves from one state to
another:
- The state of perfect working E1 may be transferred to the state E2
  or E3 through the failure of C2 or C1 respectively.
- The state E2 may be transferred to the state of complete failure E4
  through the failure of C1, or be restored through the repair of C2.
- The state E3 could also be transformed into total failure through
  P1, or be restored to E1 through the repair of C1.
- Finally, the state E4 is transferred to E3 through the repair of C2,
  which has the priority of repair.
Each of the transformations listed above is called a transition, and is
represented graphically by an arrow from the state of departure to the
state of arrival, Figure 39. With each transition from the state Ei to the
state Ej we associate an index of transition Lij, which is defined as
the probability of the transition from state Ei to state Ej during the period
between t and t+Δt, assuming that we are now at time t.

Figure 39: Graphical Presentation of the System [state-transition graph; surviving labels: E1, E2, E4, P1, P2]


For an arbitrary process, no simple equation exists to estimate the
transformation, and only simulation through Monte Carlo techniques
is feasible. But because the process here is Markovian, all the indexes of
transition are constants and the analytical treatment is relatively simple.
The constancy of the index of transition applies to all phenomena
that have an exponential nature.
Markovian processes proceed in a manner that needs no
memory: the probability of the transformation of Ei to Ej does not depend
on time but only on the presence of the state Ei. This property is
fundamental for Markovian processes.
Only in the case of very small graphs is the use of specific software
available for the evaluation and the analysis of the Markovian states
and the reliability of the system.
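The analytical treatment that constant transition indexes allow, as an added example (not part of the original manuscript): the four states of Table 14 and the transitions listed above are solved exactly for the long-run probability of each state. The failure and repair rates are constructed values, the function names are assumptions, and the transition E3 to E4 is taken as the failure of C2, as Table 14 implies.

```python
from fractions import Fraction

STATES = ["E1", "E2", "E3", "E4"]      # rows of Table 14
WORKING = {"E1", "E2", "E3"}           # states with Success = 1 in Table 14


def build_generator(lam1, lam2, mu1, mu2):
    """Transition-rate matrix Q of the graph in Figure 39.

    lam1, lam2: constant failure rates of C1 and C2 (assumed values).
    mu1, mu2:   constant repair rates of C1 and C2 (assumed values).
    """
    arcs = {
        ("E1", "E2"): lam2,   # C2 fails
        ("E1", "E3"): lam1,   # C1 fails
        ("E2", "E4"): lam1,   # C1 fails while C2 is down
        ("E2", "E1"): mu2,    # C2 repaired
        ("E3", "E4"): lam2,   # C2 fails while C1 is down
        ("E3", "E1"): mu1,    # C1 repaired
        ("E4", "E3"): mu2,    # both down: C2 has repair priority
    }
    n = len(STATES)
    q = [[Fraction(0)] * n for _ in range(n)]
    for (src, dst), rate in arcs.items():
        q[STATES.index(src)][STATES.index(dst)] = Fraction(rate)
    for i in range(n):
        q[i][i] = -sum(q[i])  # each row of a generator sums to zero
    return q


def steady_state(q):
    """Solve pi * Q = 0 with sum(pi) = 1 by exact Gauss-Jordan elimination."""
    n = len(q)
    # Rows of Q transposed are the balance equations; the last one is
    # redundant and is replaced by the normalisation sum(pi) = 1.
    a = [[q[j][i] for j in range(n)] + [Fraction(0)] for i in range(n)]
    a[n - 1] = [Fraction(1)] * n + [Fraction(1)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if a[r][col] != 0)
        a[col], a[pivot] = a[pivot], a[col]
        a[col] = [v / a[col][col] for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                factor = a[r][col]
                a[r] = [vr - factor * vc for vr, vc in zip(a[r], a[col])]
    return [a[i][n] for i in range(n)]


def availability(pi):
    """Long-run probability of being in a working state."""
    return sum(p for state, p in zip(STATES, pi) if state in WORKING)


if __name__ == "__main__":
    lam = Fraction(1, 100)   # constructed: one failure per 100 h
    mu = Fraction(1, 10)     # constructed: one repair per 10 h
    pi = steady_state(build_generator(lam, lam, mu, mu))
    for state, p in zip(STATES, pi):
        print(state, p, round(float(p), 5))
    print("availability:", availability(pi))
```
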

4.3 PETRI Network


Petri Networks are graphically oriented and form the core of a
highly advanced mathematics. The Network is constructed of Places,
Transitions and Arcs, Figure 40. Places are represented graphically by
circles; the places can be marked by one or more small coins (tokens).
Transitions are represented graphically by straight segments, so the
transitions have two possible states (valid or not valid). The Arcs are
represented by arrows; the arcs are of two types, either being the link
between a place and a transition (arc upstream), or being the link
between a transition and a place (arc downstream).

Figure 40: PETRI networks [labels: Places, Coins, Transition, upstream (amont) arc, downstream (aval) arcs, inhibitor arc, messages ?M1 and !M2]


These entities represent graphically the state of the network. In order to
simulate the behavior of the system, the static representation of the
system changes as the evolution of the system goes on. This action is
carried by the marking of the system with the coins: as the coins are
moved from one place to another, this represents the changes in the
system. For a transition to be valid, it must have at least one coin in
each of its upstream (amont) places. It may then be fired, and this
firing consists of drawing a coin from each of its upstream places and
putting one in its downstream (aval) places. The result is a new
marking of the network that represents a new state of the system.
According to their origin, the Petri networks follow sequentially the
different states of the system under consideration, and so we can have
the following results of such analysis:
- Detailed analysis of the behavior of the system.
- Identification of the states from a graphical point of view.
- Identifying the non-accessible states.
- Identifying the blocking, causes of delay, etc.
- Identifying the conflicts between different states.
The use of Petri networks to identify the different states of the
system in order to generate the equivalent Markov processes is one of
the very common methods of system analysis in the field of Security of
Function.
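The firing rule and the state identification described above, as an added example (not part of the original manuscript): a Petri network for the two-component system of Section 4.2 whose reachable markings are the four states of Table 14. The place and transition names are assumptions, and the inhibitor arc, which appears only among the labels of Figure 40, is used here with its usual meaning to model the repair priority of C2.

```python
from collections import deque

PLACES = ("C1_up", "C1_down", "C2_up", "C2_down")

# name: (upstream places, downstream places, inhibitor places)
TRANSITIONS = {
    "fail_C1":   (("C1_up",),   ("C1_down",), ()),
    "fail_C2":   (("C2_up",),   ("C2_down",), ()),
    "repair_C2": (("C2_down",), ("C2_up",),   ()),
    # C2 is repaired first: repairing C1 is inhibited while C2 is down.
    "repair_C1": (("C1_down",), ("C1_up",),   ("C2_down",)),
}

# Initial marking: one coin in each "up" place (state E1 of Table 14).
INITIAL = {"C1_up": 1, "C1_down": 0, "C2_up": 1, "C2_down": 0}


def enabled(marking, name):
    """A transition is valid when every upstream place holds a coin
    and every inhibitor place is empty."""
    upstream, _, inhibitors = TRANSITIONS[name]
    return (all(marking[p] >= 1 for p in upstream)
            and all(marking[p] == 0 for p in inhibitors))


def fire(marking, name):
    """Draw one coin from each upstream place, put one in each downstream place."""
    if not enabled(marking, name):
        raise ValueError(f"transition {name} is not valid in this marking")
    upstream, downstream, _ = TRANSITIONS[name]
    new = dict(marking)
    for p in upstream:
        new[p] -= 1
    for p in downstream:
        new[p] += 1
    return new


def as_key(marking):
    return tuple(marking[p] for p in PLACES)


def reachability(initial):
    """Breadth-first search over markings.

    Returns {marking: {transition name: next marking}}; the keys are the
    accessible states and the inner dicts are the arcs of the Markov graph.
    """
    graph = {}
    queue = deque([initial])
    while queue:
        marking = queue.popleft()
        key = as_key(marking)
        if key in graph:
            continue
        graph[key] = {}
        for name in TRANSITIONS:
            if enabled(marking, name):
                nxt = fire(marking, name)
                graph[key][name] = as_key(nxt)
                queue.append(nxt)
    return graph


def deadlocks(graph):
    """Markings in which no transition is valid (the 'blocking' states)."""
    return [m for m, out in graph.items() if not out]


def state_name(key):
    """Map a marking to the state label of Table 14 via (C1, C2)."""
    return {(1, 1): "E1", (1, 0): "E2", (0, 1): "E3", (0, 0): "E4"}[(key[0], key[2])]


if __name__ == "__main__":
    g = reachability(INITIAL)
    for marking, out in g.items():
        arcs = ", ".join(f"{t} -> {state_name(n)}" for t, n in out.items())
        print(state_name(marking), ":", arcs)
    print("blocking markings:", deadlocks(g))
```
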

4.4 Simulation, (The Monte Carlo Technique)


Within operations research, simulation typically involves the
construction of a mathematical model. Rather than directly describing
the overall behavior of the system, the simulation model describes the
operation of the system in terms of individual events of the individual
components of the system. In particular, the system is divided into
elements whose behavior could be predicted. The interrelationship
between elements is also built into the model. After constructing the
model, it is then activated (by generating input data) to simulate the
actual operation of the system over time and record its behavior. By
repeating this for the various alternative design configurations and
comparing their performances, the most promising configuration can be
identified.
Simulation models are often used to analyze a decision under
uncertainty, that is, a problem in which the behavior of one or more
elements of the model can be represented by a probability distribution.
This type of simulation is called the Monte Carlo Method. Because of
statistical errors, it is impossible to reach the optimum with a Monte
Carlo simulation, but the result should at least be expected to be close
to optimal if the simulated experiment is built properly.
If the behavior of an element cannot be predicted exactly, given the state
of the system, it is better to take random observations from the
probability distribution functions involved than to use averages to
simulate this performance. To choose a probability distribution function
that represents the data, it is recommended to use a probability
distribution function that best fits the model rather than using histograms
of the data collected in the past. This is usually preferable because it
would seem to come closer to the prediction of future behavior of the
data rather than reproducing a certain behavior over a certain period in
the past.

4.5 Fault Trees


The Fault Tree method of system analysis is highly recommended for
static, or semi-static, systems. The method is also grouped under the
name of the defaults tree or the causes tree. The causes tree is the
form that is more and more correctly applied in terms of mathematics,
and it corresponds more closely to the cause-consequence diagram.
This method is a deductive method, which means that it starts with an
effect and tries to find its causes, or its elements, and this might be the
reason for its high popularity.

4.5.1 The construction of the tree.


The construction begins by indicating the error that could
happen; this error will be the head of the tree. It is worth mentioning that
the choice of the error depends largely on the analysis of the system and
the study of its components.
The construction of the tree can be thought of as a task consisting of
different steps:
a. Decomposition of System; the decomposition is the physical
   analysis of the system. Although the criterion used varies from one
   system to another, it could be one of the following:
   - Technological Criteria, for example an automatic alarm is
     installed in the system.
   - Maintenance Criteria, for example a part of the system is
     replaced systematically.
b. Identification of Components; it is necessary to identify each
   component of the system, its operation and its modes of failure.
c. Reconstitution of the system with its components; which means
   the composition of the system in good function with the defined
   components.
d. Phases; the so-called phases are the modes of operation of the
   system. For example, for a plane, the modes of operation are
   Taking-off, Flying, and Landing.
e. Boundary Conditions; the system's boundaries have to be well
   defined in relation to its surrounding environment.
f. Hypothesis; what kind of hypothesis is applied to the system and
   its operations.
g. Initial Conditions; with the mentioned hypothesis, it is the state in
   which we will start to study the system.
h. Definition of Undesired Error (Event).
i. Decomposition of the Events; this is done by simply asking the
   question, what are the past events that could lead to the current one?
j. Finishing the Construction; at this point it is important to consider
   the current components as elementary ones, as we could otherwise
   keep decomposing each element into its components indefinitely.

4.6 Critical Analysis of System (Simulation)


4.6.1 Example 1: simulation of a CPM network
In order to illustrate the Monte Carlo method for the simulation of
uncertain network times, a small project has been studied carefully and
its network has been drawn, Figure 41. The network consists of 10
activities, Act.1 ... act.10, and the relationships between the activities
are illustrated according to the logical relations between each node and
the others. The directions of the arrows indicate the logical path of flow
between nodes, while the relative length of the arrows has no actual
implication for the period of each activity.

Figure 41: Network model of the Project


The activities of the network are known to have a random distribution
which is bounded between two definite times, a minimum time and a
maximum time. In order to simulate this network and to find the Critical
Path of the project, which is the path of activities that should receive
maximum attention from the manager because a delay on that path could
delay the whole project, the Bounded Monte Carlo Simulation is used as
follows:
- The activities are arranged in a table with their minimum and
  maximum times, Table 15.
- Random observations are sampled according to the following
  approach:
  Sample time = minimum time + rand × (max time - min time)
- 100 samples are taken for each activity (only 10 samples are
  presented here).
- For each one of the 100 samples, a different network is
  constructed with the sampled times.
- For the 100 generated networks, the Critical Path has been
  calculated and identified.
- Finally, the critical index of each activity is calculated as the
  ratio between the number of times it is on the critical path and the
  total number of samples (100 samples), Table 16.
Table 15: Random observations

Act.   Min  Max  s1    s2    s3    s4    s5    s6    s7    s8    s9    s10   Mean  STD
1-2    8    10   9,5   8,6   8,1   8,3   8,4   8,9   8,0   9,5   9,7   8,5   8,8   0,60
1-3    5    7    6,3   5,1   7,0   5,5   6,4   5,2   5,7   6,5   6,5   5,0   5,9   0,71
1-4    7    9    8,4   8,1   8,3   7,7   8,2   7,5   7,4   7,1   7,5   7,5   7,8   0,45
2-5    5    7    6,7   5,1   5,3   5,7   6,9   5,3   6,1   5,6   5,9   5,8   5,9   0,58
3-6    4    6    4,9   4,2   4,3   5,7   5,5   5,1   5,3   5,4   5,3   4,3   5,0   0,54
3-5    8    10   9,0   9,9   9,9   9,1   8,4   9,3   8,7   8,3   9,1   9,8   9,2   0,60
3-7    11   13   11,4  12,8  12,9  11,6  12,9  12,5  12,8  12,6  11,5  11,6  12,3  0,64
4-7    10   12   10,8  11,3  10,2  10,2  10,8  11,1  10,2  10,3  11,2  11,8  10,8  0,57
5-8    6    8    6,1   6,4   7,1   6,5   6,4   7,0   6,9   7,0   7,9   6,8   6,8   0,50
5-9    6    8    7,4   6,4   7,1   7,8   8,0   6,9   6,7   6,5   6,1   6,3   6,9   0,65
6-8    2    4    2,4   2,1   2,5   2,3   2,8   3,3   2,9   2,4   2,5   2,6   2,6   0,36
7-8    0    2    1,9   0,5   1,6   1,7   0,5   0,4   0,6   1,2   0,2   1,0   1,0   0,61
7-10   3    5    4,6   3,5   3,7   3,7   4,8   4,0   4,2   4,3   3,0   3,1   3,9   0,60
8-10   2    4    2,6   3,6   2,2   3,9   3,6   2,5   2,2   3,0   2,2   3,5   2,9   0,69
9-10   0    3    0,3   0,6   2,7   2,2   2,5   2,8   1,5   1,2   0,7   1,8   1,6   0,92
Total  72   96                                                               82,8

Table 16: Critical Index of activities (activities with * means that it was on the
Critical Path in this sample).

Act.   Min  Max  Critical Index
1-2    8    10   40%
1-3    5    7    70%
1-4    7    9    0%
2-5    5    7    40%
3-6    4    6    0%
3-5    8    10   70%
3-7    11   13   0%
4-7    10   12   0%
5-8    6    8    70%
5-9    6    8    30%
6-8    2    4    0%
7-8    0    2    0%
7-10   3    5    0%
8-10   2    4    70%
9-10   0    3    30%

[Columns s1 to s10 carry the * marks; their positions are not recoverable.]

4.6.2 Results
According to the critical indexes listed in Table 16, we can identify
two probable critical paths: (1-3-5-8-10), with a probability of 70%, and
another, (1-2-5-9-10), with a probability that ranges between 30% and 40%
in some activities. The final network with the most probable Critical Path
is illustrated in Figure 42.

[Legend: Activity with 0% Probability; Activity with 30% or 40% Probability; Activity with 70% Probability]

Figure 42: Final critical paths for the network
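The bounded Monte Carlo procedure of Section 4.6.1, as an added example (not part of the original manuscript): each activity time is sampled between the minimum and maximum of Table 15, the critical path of each sampled network is found by a forward pass, and the critical index is the fraction of samples in which an activity lies on that path. The function names, the seed and the number of samples are assumptions; column s1 of Table 15 is replayed as a fixed input.

```python
import random

# (min, max) per activity, copied from Table 15; keys are (start node, end node).
BOUNDS = {
    (1, 2): (8, 10), (1, 3): (5, 7), (1, 4): (7, 9), (2, 5): (5, 7),
    (3, 6): (4, 6), (3, 5): (8, 10), (3, 7): (11, 13), (4, 7): (10, 12),
    (5, 8): (6, 8), (5, 9): (6, 8), (6, 8): (2, 4), (7, 8): (0, 2),
    (7, 10): (3, 5), (8, 10): (2, 4), (9, 10): (0, 3),
}

# Column s1 of Table 15, in the same activity order as BOUNDS.
S1 = dict(zip(BOUNDS, [9.5, 6.3, 8.4, 6.7, 4.9, 9.0, 11.4, 10.8,
                       6.1, 7.4, 2.4, 1.9, 4.6, 2.6, 0.3]))


def sample_durations(rng):
    """Sample time = minimum time + rand * (max time - min time)."""
    return {act: lo + rng.random() * (hi - lo)
            for act, (lo, hi) in BOUNDS.items()}


def critical_path(durations, start=1, end=10):
    """Forward pass over the network; returns (project length, node path).

    Every arc runs from a lower to a higher node number, so visiting the
    arcs sorted by start node guarantees that a node's earliest time is
    final before any arc leaving it is examined.
    """
    earliest = {start: 0.0}
    pred = {}
    for tail, head in sorted(durations):
        finish = earliest[tail] + durations[(tail, head)]
        if finish > earliest.get(head, -1.0):
            earliest[head] = finish
            pred[head] = tail
    path = [end]
    while path[-1] != start:
        path.append(pred[path[-1]])
    return earliest[end], path[::-1]


def criticality_index(n_samples=100, seed=0):
    """Fraction of sampled networks in which each activity is critical."""
    rng = random.Random(seed)
    hits = dict.fromkeys(BOUNDS, 0)
    for _ in range(n_samples):
        _, path = critical_path(sample_durations(rng))
        for arc in zip(path, path[1:]):
            hits[arc] += 1
    return {act: hits[act] / n_samples for act in BOUNDS}


if __name__ == "__main__":
    length, path = critical_path(S1)
    print("sample s1:", "-".join(map(str, path)), "length", round(length, 1))
    for act, index in criticality_index(n_samples=1000, seed=1).items():
        print(f"{act[0]}-{act[1]}: {index:.0%}")
```

With only a handful of samples the indexes vary noticeably from run to run; raising the number of samples stabilises them.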

Chapter 5: The Process of Fire Risk Management

The process of risk management involves the four steps shown in the
following diagram, Figure 43. The four steps are undertaken in a cycle
until an acceptable level of risk is achieved.

Figure 43: Hazard identification [cycle of four steps: Hazard Identification, Risk Assessment, Risk Control, Monitoring Review]


An industrial fire or explosion can be defined as a characteristic of a
system, plant or process that represents a potential for an unplanned event
leading to undesirable loss consequences. The keywords in this
definition are "undesirable consequences". "Hazard identification" is the
process of recognizing hazards that can pose significant undesirable
loss consequences. Hazard identification should be a continuous activity
in the evaluation of new materials, plant additions, and production
modifications.

5.1 Methodology of Hazard Identification


1. Engineering checklist.
2. Hazard indices.
3. Hazard and operability study (HAZOP).
4. Preliminary hazard analysis (PHA).
5. Failure mode and effect analysis (FMEA).
6. Fault tree analysis (FTA).
7. Event tree analysis (ETA).
8. Cause consequence analysis.
9. Reliability analysis.

5.2 Fire Risk Assessment


5.2.1 The primary steps in fire risk assessment include:
- Identifying the event sequence that could lead to significant loss.
- Quantification of the fire risk (i.e. probability of fire event
  occurrences and loss consequences).
- Development and evaluation of alternative fire prevention and/or
  fire protection strategies (i.e. recommendations) to reduce fire risk.
- Quantified measurement of the change of fire risk (i.e. differences
  in probability and/or consequences).
Fire Risk = probability of occurrence x loss consequences
Methods of assessing the probability value of fire event occurrence:
1- Objective estimation:
Where valid and applicable data on loss event frequencies exist, the
probabilities can be extracted from that source. But due to the complexity
and variety of heavy industries, valid and applicable data are scarce.
2- Subjective estimation:
Available loss trending information:
- Equipment failure.
- Human error.
- Ignition source.
- Loss control elements.
- Damage ability factor.
The physical intensity of fire-explosion loss scenarios is quantified in
terms of the expected energy released:
a. Heat exposures.
b. Smoke and/or corrosive gas contamination.
c. Explosion blast overpressure, etc.
d. Area involved.
e. Duration.
Direct loss of fire event
a. Damage to building.
b. Damage to equipment.
c. Damage to products.
d. Etc.
Direct loss of fire event
a. Business interruptions.
b. Liability for injury or death.
c. Environmental contamination.
d. Damage to company image.
e. Etc.

5.2.2 Type of risk assessment


Depends on:
a- Complexity of the operation.
b- Time and cost limitation.
Routine code compliance can be conducted by using a simple
checklist.
New technologies or high hazard operations require the application of
more detailed risk assessment and decision analysis methods.

5.2.3 Risk management


RM means:
1. Establishing acceptable level of risk.
2. Method of handling identified risks.
Risk decision making process based on:
1. Profit (competitive market position).
2. Protection of company assets (major loss exp.)
3. Continued company operation (business interruption).
4. Community goodwill (embarrassment).
5. Legal requirements (liability, building code, etc).
6. Insurance company requirements.
7. Environmental concerns.
8. Continued growth (expansion).
If the risk is acceptable, no immediate action is required,
but monitoring for changes which could increase the risk must be done.
If the risk is unacceptable, then a decision must be made about how to
deal with the risk.

5.2.4 Risk management for handling fire risk exposure


1. Risk avoidance by non-participation in risky operations.
2. Risk transfer by purchasing insurance to cover potential loss.
3. Risk financing: self-insurance. Alternate risk transfer arrangement.
4. Risk reduction by providing loss control improvement.
5. Risk management program that includes a combination of the
   above.

5.2.5 Cost /benefit analysis


Evaluate the cost of the fire prevention and protection alternatives, which
includes:
a- Design.
b- Installation.
c- System maintenance.
d- Training expenses.

5.2.6 Development and monitoring of loss control program


Loss control improvements at industrial facilities include the
development and monitoring of comprehensive loss control programs.
Written documentation should be provided for these programs and
updated periodically.
The fire loss control program should define specific objectives
regarding:
1. Personnel safety.
2. Property conservation.
3. Environmental impact.
4. Minimizing interruption to plant production.
Loss control program documentation should include a thorough
description of:
1. Engineering design.
2. Applied engineering standards.
3. Administrative control.
5.2.7 Fire prevention


There are several methods to be employed through design, operational
controls, operator training, and maintenance to prevent fire from starting.
5.2.7.1 Automatic fire detection and suppression
Fixed fire protection systems and equipment are installed that rapidly
detect, suppress and control fires that do occur.
5.2.7.2 Protection for structures and equipment
Fire protection standards for passive and active measures which will be
used to protect operations, structures and equipment in the event that
fire is not rapidly extinguished.
5.2.7.3 Manual protection
Manual fire fighting capabilities are provided as a back-up to active and
passive fixed protection systems, including fire department, pre-fire
planning, and periodical emergency drills.
5.2.7.4 Audit program
Description of the loss prevention and auditing procedures for new
facility processes, plant modifications, self-inspection and maintenance
activities.
An effective fire protection program must include all major engineering
disciplines as well as risk management, safety, security, production and
maintenance.

Chapter 6: Summary of Risk Assessment Steps in Workplace

STEP 1: Look for the hazards


STEP 2: Decide who might be harmed and how
STEP 3: Evaluate the risks and decide whether the existing precautions
are adequate or whether more should be done
STEP 4: Record your findings
STEP 5: Review your assessment and revise it if necessary
Don't be overcomplicated. In most firms in the commercial, service and
light industrial sectors, the hazards are few and simple. Checking them
is common sense, but necessary. You probably already know whether,
for example, you have machinery that could cause harm, or if there is an
awkward entrance or stair where someone could be hurt. If so, check
that you have taken what reasonable precautions you can to avoid
injury. If you are a small firm and you are confident you understand
what's involved, you can do the assessment yourself (you don't have to
be a health and safety expert!). If you are a larger firm, you could ask a
responsible employee, safety representative or safety officer to help you.
If you are not confident, get help from a competent source. But
remember - you are responsible for seeing it is adequately done.
Hazard and Risk - don't let words in this guide put you off! Hazard
means anything that can cause harm (e.g. chemicals, electricity, working
from ladders, etc.). Risk is the chance, high or low, that somebody will be
harmed by the hazard.

6.1 Step 1: Look for the Hazards


If you are doing the assessment yourself, walk around your workplace
and look afresh at what could reasonably be expected to cause harm.
Ignore the trivial and concentrate on significant hazards, which could
result in serious harm or affect several people.
Ask your employees or their representatives what they think. They may
have noticed things which are not immediately obvious. Manufacturers'
instructions or data sheets can also help you spot hazards and put risks
in their true perspective. So can accident and ill-health records.

6.2 Step 2: Decide Who Might Be Harmed, and How


Don't forget:
- Young workers, trainees, new and expectant mothers, etc. who
  may be at particular risk
- Cleaners, visitors, contractors, maintenance workers, etc. who may
  not be in the workplace all the time
- Members of the public, or people you share your workplace with, if
  there is a chance they could be hurt by your activities.

6.3 Step 3: Evaluate The Risks And Decide Whether Existing Precautions Are Adequate or More Should Be Done
Consider how likely it is that each hazard could cause harm. This will
determine whether or not you need to do more to reduce the risk. Even
after all precautions have been taken, some risk usually remains. What
you have to decide for each significant hazard is whether this remaining
risk is high, medium or low.
First, ask yourself whether you have done all the things that the law says
you have got to do. For example, there are legal requirements on
prevention of access to dangerous parts of machinery. Then ask
yourself whether generally accepted industry standards are in place. But
don't stop there - think for yourself, because the law also says that you
must do what is reasonably practicable to keep your workplace safe.

Your real aim is to make all risks small by adding to your precautions as
necessary. If you find that something needs to be done, draw up an
action list and give priority to any remaining risks which are high and/or
those which could affect most people. In taking action ask yourself:
a) Can I get rid of the hazard altogether?
b) If not, how can I control the risks so that harm is unlikely?
In controlling risks apply the principles below, if possible in the following
order:
- Try a less risky option
- Prevent access to the hazard (e.g. by guarding)
- Organize work to reduce exposure to the hazard
- Issue personal protective equipment
- Provide welfare facilities (e.g. washing facilities for removal of
  contamination and first aid)
Improving health and safety need not cost a lot. For instance, placing a
mirror on a dangerous blind corner to help prevent vehicle accidents, or
putting some non-slip material on slippery steps, are inexpensive
precautions considering the risks. And failure to take simple precautions
can cost you a lot more if an accident does happen.
But what if the work you do tends to vary a lot, or you or your employees
move from one site to another?
Identify the hazards you can reasonably expect and assess the risks from
them. After that, if you spot any additional hazards when you get to a
site, get information from others on site, and take what action seems
necessary.
But what if you share a workplace?
Tell the other employers and self-employed people there about any risks
your work could cause them, and what precautions you are taking. Also,
think about the risks to your own workforce from those who share your
workplace.
But what if you have already assessed some of the risks?
If, for example, you use hazardous chemicals and you have already
assessed the risks to health and the precautions you need to take under
the Control of Substances Hazardous to Health Regulations (COSHH),
you can consider them checked and move on.

6.4 Step 4: Record Your Findings


If you have fewer than five employees you do not need to write anything
down, though it is useful to keep a written record of what you have done.
But if you employ five or more people you must record the significant
findings of your assessment. This means writing down the significant
hazards and conclusions. Examples might be "Electrical installations:
insulation and earthing checked and found sound" or "Fume from
welding: local exhaust ventilation provided and regularly checked". You
must also tell your employees about your findings.
Suitable and sufficient - not perfect!
Risk assessments must be suitable and sufficient. You need to be able
to show that:
- A proper check was made
- You asked who might be affected
- You dealt with all the obvious significant hazards, taking into
  account the number of people who could be involved
- The precautions are reasonable, and
- The remaining risk is low.
Keep the written record for future reference or use; it can help you if an
inspector asks what precautions you have taken, or if you become
involved in any action for civil liability. It can also remind you to keep an
eye on particular hazards and precautions. And it helps to show that you
have done what the law requires.
There is an example at the end of this guide, which you may find helpful
to refer to, but you can make up your own form if you prefer. To make
things simpler, you can refer to other documents, such as manuals, the
arrangements in your health and safety policy statement, company rules,
manufacturers' instructions, your health and safety procedures and your
arrangements for general fire safety. These may already list hazards and
precautions. You don't need to repeat all that, and it is up to you whether
you combine all the documents, or keep them separately.

6.5 Step 5: Review Your Assessment and Revise It If Necessary

Sooner or later you will bring in new machines, substances and
procedures that could lead to new hazards. If there is any significant
change, add to the assessment to take account of the new hazard. Don't
amend your assessment for every trivial change, or still more, for each
new job, but if a new job introduces significant new hazards of its own,
you will want to consider them in their own right and do whatever you
need to keep the risks down. In any case, it is good practice to review
your assessment from time to time to make sure that the precautions are
still working effectively.

Acronyms
ACOP = Approved Codes of Practice
ARARs = Applicable or Relevant and Appropriate Requirements
BHHRA = Baseline Human Health Risk Assessment
CERCLA = Comprehensive Environmental Response, Compensation, and Liability Act
CMT = Corrosion Management Technology
COC = Chemical of Concern
COPC = Chemical of Potential Concern
COSHH = Control of Substances Hazardous to Health Regulations
CRE = Center for Risk Excellence
CROET = Community Reuse Organization of East Tennessee
D&D = Decontamination and Decommissioning
DOE = U.S. Department of Energy
DSEAR = Dangerous Substances Explosive Atmosphere Regulation
EE/CA = Engineering Evaluation/Cost Analysis
ELCR = Excess Lifetime Cancer Risk
EM = Environmental Management
EPA = U.S. Environmental Protection Agency
ES&H = Environmental Safety and Health
ETTP = East Tennessee Technology Park
EUWG = End Use Working Group
FFA = Federal Facilities Agreement
HAZAN = Hazard Analysis
HAZOP = Hazard Operability
HEAST = Health Effects Assessment Summary Table
HI = Hazard Index
HS&E = Health, Safety and Environment
IAMS = Integrated Asset Management System
IRIS = Integrated Risk Information System
LMES = Lockheed Martin Energy Systems, Inc.
M&I = Management and Integration
MHO = Manual Handling Operations
NPL = National Priorities List
OSP = Operation System Performance
PPE = Personal Protective Equipment at Work
PRG = Preliminary Remediation Goal
RAB = Risk Advisory Board
RAGS = Risk Assessment Guidance for Superfund
RAIS = Risk Assessment Information System
RATL = Risk Assessment Technical Lead
RCRA = Resource Conservation and Recovery Act
RFI = RCRA Facility Investigation
RGO = Remedial Goal Option
RI/FS = Remedial Investigation/Feasibility Study
RMA = Risk Management Analysis
ROD = Record of Decision
SOP = Standard Operating Procedure
TDEC = Tennessee Department of Environment and Conservation
TQM = Total Quality Management

Appendices
Appendix 1: Some Important Pieces of Health and
Safety Legislation
A.1.1 Besides the Health and Safety at Work Act itself, the
following apply across the full range of workplaces:
1. Management of Health and Safety at Work Regulations 1999:
   require employers to carry out risk assessments, make
   arrangements to implement necessary measures, appoint
   competent people and arrange for appropriate information and
   training.
2. Workplace (Health, Safety and Welfare) Regulations 1992: cover
   a wide range of basic health, safety and welfare issues such as
   ventilation, heating, lighting, workstations, seating and welfare
   facilities.
3. Health and Safety (Display Screen Equipment) Regulations
   1992: set out requirements for work with Visual Display Units
   (VDUs).
4. Personal Protective Equipment at Work Regulations 1992:
   require employers to provide appropriate protective clothing and
   equipment for their employees.
5. Provision and Use of Work Equipment Regulations 1998: require
   that equipment provided for use at work, including machinery, is
   safe.
6. Manual Handling Operations Regulations 1992: cover the moving
   of objects by hand or bodily force.
7. Health and Safety (First Aid) Regulations 1981: cover
   requirements for first aid.
8. The Health and Safety Information for Employees Regulations
   1989: require employers to display a poster telling employees
   what they need to know about health and safety.
9. Employers' Liability (Compulsory Insurance) Act 1969: requires
   employers to take out insurance against accidents and ill health
   to their employees.
10. Reporting of Injuries, Diseases and Dangerous Occurrences
    Regulations 1995 (RIDDOR): require employers to notify certain
    occupational injuries, diseases and dangerous events.
11. Noise at Work Regulations 1989: require employers to take
    action to protect employees from hearing damage.
12. Electricity at Work Regulations 1989: require people in control of
    electrical systems to ensure they are safe to use and maintained
    in a safe condition.
13. Control of Substances Hazardous to Health Regulations 2002
    (COSHH): require employers to assess the risks from hazardous
    substances and take appropriate precautions.
A.1.2 Specific regulations cover particular areas, such as asbestos and lead:
14. Chemicals (Hazard Information and Packaging for Supply)
    Regulations 2002: require suppliers to classify, label and
    package dangerous chemicals and provide safety data sheets for
    them.
15. Construction (Design and Management) Regulations 1994: cover
    safe systems of work on construction sites.
16. Gas Safety (Installation and Use) Regulations 1994: cover safe
    installation, maintenance and use of gas systems and appliances
    in domestic and commercial premises.
17. Control of Major Accident Hazards Regulations 1999: require
    those who manufacture, store or transport dangerous chemicals
    or explosives in certain quantities to notify the relevant authority.
18. Dangerous Substances and Explosive Atmospheres Regulations
    2002: require employers and the self-employed to carry out a risk
    assessment of work activities involving dangerous substances.

Glossary of Risk Terms


Risk Management Vocabulary
Guidelines for Use in Standards
(adapted from IEC, International Electrotechnical Commission)

Introduction
All types of undertaking are faced with situations (or events) that constitute
opportunities for benefit or threats to their success. Opportunities may be realized or
threats averted by effective management. In certain fields, fluctuation is seen as
representing opportunity for gain as well as potential for loss. Consequently, the risk
management process is increasingly recognized as being concerned with both the
positive and the negative aspects of these uncertainties. This Guide deals
with risk management from both the positive and negative perspectives.
In the preparation or revision of a standard that includes risk management aspects,
first consideration should be given to the definitions within this Guide. It aims to
provide a basic vocabulary to develop common understanding among organizations
across countries. However, it may be necessary to deviate from the exact wording
to meet the needs of a specific domain. In this case, the rationale for deviation
should be made clear to the reader.
In the safety field, risk management is focused on prevention and mitigation of harm.
This Guide is generic and is compiled to encompass the general field of risk
management. The terms are arranged in the following order.
a) Basic terms
- risk
- consequence
- probability
- event
- source
- risk criteria
- risk management
- risk management system
b) Terms related to people or organizations affected by risk
- stakeholder
- interested party
- risk perception
- risk communication
c) Terms related to risk assessment
- risk assessment
- risk analysis
- risk identification
- source identification
- risk estimation
- risk evaluation
d) Terms related to risk treatment and control
- risk treatment
- risk control
- risk optimization
- risk reduction
- mitigation
- risk avoidance
- risk transfer
- risk financing
- risk retention
- risk acceptance
This Guide provides standards writers with generic definitions of risk management terms. It
is intended as a top-level generic document in the preparation or revision of standards that
include aspects of risk management. The aim is to promote a coherent approach to the
description of risk management activities and the use of risk management terminology. Its
purpose is to contribute towards mutual understanding of risk management practice.

Overview of risk management terms and definitions


The relationships between the terms and definitions for risk management are shown in
Figures 1 to 3.
Risk management is part of the broader management processes of organizations. Risk
management depends on the context in which it is used. The words used in each context
may vary.
Where risk-management-related terms are used in a standard, it is imperative that their
intended meanings within the context of the standard are not misinterpreted or
misunderstood. Accordingly, this Guide provides definitions for the various meanings that
each term is likely to have without giving definitions that may contradict each other.
Increasingly, organizations utilize risk management processes in order to optimize the
management of potential opportunities. This differs from the risk assessment process,
where risk is taken as producing only negative consequences. However, since the business
community increasingly adopts the broader approach to risk, this Guide seeks to address
both situations.
The definitions in this Guide are broader in concept than those given in Annex A.

Terms and Definitions


3.1 Basic terms
3.1.1
risk
combination of the probability (3.1.3) of an event (3.1.4) and its consequence (3.1.2)
NOTE 1 The term "risk" is generally used only when there is at least the possibility of negative consequences.
NOTE 2 In some situations, risk arises from the possibility of deviation from the expected outcome or event.

3.1.2
consequence
outcome of an event (3.1.4)
NOTE 1 There can be more than one consequence from one event.
NOTE 2 Consequences can range from positive to negative. However, consequences are always negative for
safety aspects.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.

3.1.3
probability
extent to which an event (3.1.4) is likely to occur
NOTE 1 The mathematical definition of probability is a real number in the scale 0 to 1 attached to a random event. It can
be related to a long-run relative frequency of occurrence or to a degree of belief that an event will occur. For a
high degree of belief, the probability is near 1.
NOTE 2 Frequency rather than probability may be used in describing risk.
NOTE 3 Degrees of belief about probability can be chosen as classes or ranks such as
rare/unlikely/moderate/likely/almost certain, or
incredible/improbable/remote/occasional/probable/frequent.

3.1.4
event
occurrence of a particular set of circumstances
NOTE 1 The event can be certain or uncertain.
NOTE 2 The event can be a single occurrence or a series of occurrences.
NOTE 3 The probability associated with the event can be estimated for a given period of time.

3.1.5
source
item or activity having a potential for a consequence (3.1.2)
NOTE In the context of safety, source is a hazard (refer to annex A).

3.1.6
risk criteria
terms of reference by which the significance of risk (3.1.1) is assessed
NOTE Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic
and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

3.1.7
risk management
coordinated activities to direct and control an organization with regard to risk (3.1.1)
NOTE Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk
communication.

3.1.8
risk management system
set of elements of an organization's management system concerned with managing risk (3.1.1)
NOTE 1 Management system elements can include strategic planning, decision making, and other processes for
dealing with risk.
NOTE 2 The culture of an organization is reflected in its risk management system.

3.2 Terms related to people or organizations affected by risk


3.2.1
stakeholder
any individual, group or organization that may affect, be affected by, or perceive itself to be affected
by, a risk (3.1.1)
NOTE 1 The decision-maker is also a stakeholder.
NOTE 2 Stakeholder includes but has a broader meaning than interested party.

3.2.2
interested party
person or group having an interest in the performance or success of an organization
EXAMPLES Customers, owners, people in an organization, suppliers, bankers, unions, partners, or society.
NOTE A group can comprise an organization, a part thereof, or more than one organization.

3.2.3
risk perception
way in which a stakeholder (3.2.1) views a risk (3.1.1), based on a set of values or concerns
NOTE 1 Risk perception depends on the stakeholder's needs, issues, and knowledge.
NOTE 2 Risk perception can differ from objective data.

3.2.4
risk communication
exchange or sharing of information about risk (3.1.1) between the decision-maker and other
stakeholders (3.2.1)
NOTE The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, or
other aspects of risk.

3.3 Terms related to risk assessment


3.3.1
risk assessment
overall process of risk analysis (3.3.2) and risk evaluation (3.3.6)

3.3.2
risk analysis
systematic use of information to identify sources (3.1.5) and to estimate the risk (3.1.1)
NOTE 1 Risk analysis provides a basis for risk evaluation, risk treatment, and risk acceptance.
NOTE 2 Information can include historical data, theoretical analysis, informed opinions, and the concerns of
stakeholders.

3.3.3
risk identification
process to find, list and characterize elements of risk (3.1.1)
NOTE 1 Elements can include source or hazard, event, consequence and probability.
NOTE 2 Risk identification can also reflect the concerns of stakeholders.

3.3.4
source identification
process to find, list and characterize sources (3.1.5)
NOTE In the context of safety, source identification is called hazard identification.

3.3.5
risk estimation
process used to assign values to the probability (3.1.3) and consequences (3.1.2) of a risk (3.1.1)
NOTE Risk estimation can consider cost, benefits, the concerns of stakeholders, and other variables, as
appropriate for risk evaluation.

3.3.6
risk evaluation
process of comparing the estimated risk (3.1.1) against given risk criteria (3.1.6) to determine the
significance of the risk
NOTE 1 Risk evaluation may be used to assist in the decision to accept or to treat a risk.

3.4 Terms related to risk treatment and control


3.4.1
risk treatment
process of selection and implementation of measures to modify risk (3.1.1)
NOTE 1 The term risk treatment is sometimes used for the measures themselves.
NOTE 2 Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

3.4.2
risk control
actions implementing risk management (3.1.7) decisions
NOTE Risk control may involve monitoring, reevaluation, and compliance with decisions.

3.4.3
risk optimization
process, related to a risk (3.1.1), to minimize the negative and to maximize the positive
consequences (3.1.2) and their respective probabilities (3.1.3)
NOTE 1 In the context of safety, risk optimization is focused on reducing the risk.
NOTE 2 Risk optimization depends upon risk criteria, including costs and legal requirements.
NOTE 3 Risks associated with risk control can be considered.

3.4.4
risk reduction
actions taken to lessen the probability (3.1.3), negative consequences (3.1.2), or both, associated
with a risk (3.1.1)

3.4.5
mitigation
limitation of any negative consequence (3.1.2) of a particular event (3.1.4)

3.4.6
risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
NOTE The decision may be taken based on the result

3.4.7
risk transfer
sharing with another party the burden of loss or benefit of gain, for a risk (3.1.1)
NOTE 1 Legal or statutory requirements can limit, prohibit, or mandate the transfer of certain risk.
NOTE 2 Risk transfer can be carried out through insurance or other agreements.
NOTE 3 Risk transfer can create new risks or modify existing risk.
NOTE 4 Relocation of the source is not risk transfer.

3.4.8
risk financing
provision of funds to meet the cost of implementing risk treatment (3.4.1) and related costs
NOTE In some industries, risk financing refers to funding only the financial consequences related to the risk.

3.4.9
risk retention
acceptance of the burden of loss, or benefit of gain, from a particular risk (3.1.1)
NOTE 1 Risk retention includes the acceptance of risks that have not been identified.
NOTE 2 Risk retention does not include treatments involving insurance, or transfer by other means.
NOTE 3 There can be variability in the degree of acceptance and dependence on risk criteria.

3.4.10
risk acceptance
decision to accept a risk (3.1.1)
NOTE 1 The verb "to accept" is chosen to convey the idea that acceptance has its basic dictionary meaning.
NOTE 2 Risk acceptance depends on risk criteria.

3.4.11
residual risk
risk (3.1.1) remaining after risk treatment (3.4.1)

Figure 1 Relationship between terms, based on their definitions regarding Risk
- Risk (3.1.1)
  - Probability (3.1.3)
  - Event (3.1.4)
  - Consequence (3.1.2)

Figure 2 Relationship between terms, based on their definitions regarding Risk Management
- Risk management (3.1.7)
  - Risk assessment (3.3.1)
    - Risk analysis (3.3.2)
      - Source identification (3.3.4)
      - Risk estimation (3.3.5)
    - Risk evaluation (3.3.6)
  - Risk treatment (3.4.1)
    - Risk avoidance (3.4.6)
    - Risk optimization (3.4.3)
    - Risk transfer (3.4.7)
    - Risk retention (3.4.9)
  - Risk communication (3.2.4)
  - Risk acceptance (3.4.10)

Figure 3 Relationship between terms, based on their definitions regarding Stakeholder
- Stakeholder (3.2.1)
  - Interested party (3.2.2)

Key for Figures 1, 2 & 3
- A
  - B
  - C
The terms B and C are used in the definition of the term A or the notes to definition A.

Annex A
Terms and definitions Applied to safety-related risk management.
A.1. safety. freedom from unacceptable risk
A.2. risk. combination of the probability of occurrence of harm and the severity of that harm
A.3. harm. physical injury or damage to the health of people, or damage to property or the
environment
A.4. harmful event. occurrence in which a hazardous situation results in harm
A.5. hazard. potential source of harm. NOTE The term hazard can be qualified in order to define its origin
or the nature of the expected harm (e.g. electric shock hazard, crushing hazard, cutting hazard, toxic hazard,
fire hazard, drowning hazard).

A.6. hazardous situation. circumstance in which people, property or the environment are exposed
to one or more hazards
A.7. tolerable risk. risk which is accepted in a given context based on the current values of society
A.8. protective measure. means used to reduce risk. NOTE Protective measures include risk reduction
by inherently safe design, protective devices, and personal protective equipment, information for use and
installation, and training.

A.9. residual risk. risks remaining after protective measures have been taken
A.10. risk analysis. systematic use of available information to identify hazards and to estimate the
risk
A.11. risk evaluation. procedure based on the risk analysis to determine whether the tolerable risk
has been achieved
A.12. risk assessment. overall process comprising a risk analysis and a risk evaluation
A.13. intended use. use of a product, process, or service in accordance with information provided by
the supplier
A.14. reasonably foreseeable misuse. use of a product, process, or service in a way not intended
by the supplier, but which may result from readily predictable human behavior.



Alphabetical index
C
consequence 3.1.2

E
event 3.1.4

I
interested party 3.2.2

M
mitigation 3.4.5

P
probability 3.1.3

R
residual risk 3.4.11
risk 3.1.1
risk acceptance 3.4.10
risk analysis 3.3.2
risk assessment 3.3.1
risk avoidance 3.4.6
risk communication 3.2.4
risk control 3.4.2
risk criteria 3.1.6
risk estimation 3.3.5
risk evaluation 3.3.6
risk financing 3.4.8
risk identification 3.3.3
risk management 3.1.7
risk management system 3.1.8
risk optimization 3.4.3
risk perception 3.2.3
risk reduction 3.4.4
risk retention 3.4.9
risk transfer 3.4.7
risk treatment 3.4.1

S
source 3.1.5
source identification 3.3.4
stakeholder 3.2.1
