Risk Analysis: An Introduction
Marvin Rausand Department of Production and Quality Engineering Norwegian University of Science and Technology marvin.rausand@ntnu.no
Marvin Rausand, October 7, 2005
System Reliability Theory (2nd ed), Wiley, 2004 – 1 / 41
Introduction What is ..? Brief history Cons. spectr. Accident categ. Standards Procedure Acceptable risk ALARP principle Assessment Main Steps Conclusions
Introduction
What is risk analysis?
A risk analysis is:
- “Systematic use of available information to identify hazards and to estimate the risk to individuals or populations, property or the environment” – IEC 60300-3-9
- “A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of undesired (accidental) events, and the causes and consequences of these events” – NS 5814
Brief history
- Nuclear industry from the 60s: Probabilistic Risk Assessment (PRA)
- Chemical industries from the 70s: quantitative risk assessment (QRA), Seveso directive (I and II)
- Offshore industry from the 80s: QRA, Industrial Self Regulation in Norway, Safety Case Regime in UK
- Shipping industry from the 90s: Formal safety assessment (FSA)
Consequence spectrum
A consequence spectrum (or, risk picture) of an activity is a listing of its potential consequences and the associated probabilities (e.g., per year). Usually, only unwanted consequences are considered.
[Figure: an activity with potential consequences C1, C2, C3 and their associated probabilities p1, p2, p3]
Risk is sometimes defined as:
$$\text{Risk} = C_1 p_1 + C_2 p_2 + \cdots + C_k p_k = \sum_{i=1}^{k} C_i p_i$$
This requires that all consequences may be measured with a common measure (e.g., as monetary value).
Categories of accidents
[Figure: frequency (log scale) plotted against severity (log scale), with high-risk and low-risk regions indicated]
1. Traffic accidents, occupational accidents, etc.
2. Air traffic accidents, railway accidents
3. Major industrial accidents, nuclear accidents, catastrophes
– Based on Rasmussen (1994)
Standards for risk analysis
- IEC 60300-3-9: “Risk analysis of technological systems”
- EN 1050: “Safety of machinery – Risk assessment”
- EN 50126: “Railway applications – The specification and demonstration of reliability, availability, maintainability and safety (RAMS)”
- ISO 17776: “Petroleum and natural gas industries – Offshore production installations – Guidelines and tools for hazard identification and risk assessment”
- NORSOK Z-013: “Risk and emergency preparedness analysis”
- EN 1441: “Medical Devices - Risk Analysis”
More standards on: http://www.ntnu.no/ross/srt
Risk analysis procedure
[Flowchart of the risk analysis procedure]
Planning and organizing (What is acceptable risk?) → Description of object → Hazard identification → Frequency analysis → Consequence analysis → Risk evaluation → Acceptable?
- No: Risk reducing measures
- Yes: Other measures desirable?
Risk analysis procedures - (2)
[Figure: (a) Causal analysis → (b) Accidental event → (c) Consequence analysis, with the methods applicable to each step]
Methods:
(a) Causal analysis: Fault tree analysis*, Reliability block diagrams*, Influence diagrams*, FMECA*, Reliability data sources*
(b) Accidental event: Checklists, Preliminary hazard analysis, FMECA*, HAZOP, Event data sources
(c) Consequence analysis: Event tree analysis*, Consequence analysis models, Reliability assessment*, Evacuation models, Simulation
Acceptable risk
Several principles can be used to determine the acceptable risk:
- The ALARP principle (“As low as reasonably practicable”)
- The precautionary principle
- Risk acceptance as defined in NORSOK Z-013
- Minimum endogenous mortality (MEM)
- Globalement au moins aussi bon (GAMAB)
Risk acceptance is generally a complicated and multifaceted issue.
ALARP principle
[Figure: the ALARP diagram, with risk decreasing from the unacceptable region at the top to negligible risk at the bottom]
Unacceptable region: Risk cannot be justified except in extraordinary circumstances
The ALARP or Tolerability region (Risk is undertaken only if a benefit is desired):
- Tolerable only if risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained
- Tolerable if cost of reduction would exceed the improvement gained
Broadly acceptable region (No need for detailed work to demonstrate ALARP): Necessary to maintain assurance that risk remains at this level
Negligible risk
Risk assessment and management
Risk management
- Risk assessment
  - Risk analysis: Scope definition; Hazard identification; Risk estimation
  - Risk evaluation: Risk tolerability decisions; Analysis of options
- Risk reduction/control: Decision making; Implementation; Monitoring
– IEC 60300-3-9
Introduction Main Steps Planning System descript. Hierarchy Hazard ident. Methods Accidental events Event matrix Causal analysis Frequency analysis Consequences Risk evaluation Risk matrix Risk elimination Report Conclusions
Main Steps
Planning and organization
- Identify relevant laws and regulations
- Clarify internal policies and risk acceptance criteria
- Define the purpose and objectives of the risk analysis
  - What type of risks should be studied? (Major accidents vs. occupational accidents; random hazards, deliberate actions, and/or environmental loads)
  - Which life phases should be included? (Normal operation, start-up, end-of-life, major overhaul, etc.)
- Organize the work as a multidisciplinary team where selected experts provide the required expertise
Description of the analysis object
A description encompassing everything that can influence the analysis results. Main questions:
- What is the system dependent upon? (inputs)
- What activities are performed by the system? (functions)
- What services does the system provide? (outputs)
Description of the analysis object - (2)
Indicate special relationships that are significant to safety:
- Technical, personnel, and organizational relationships
- Significant political, social, and economic relationships
- Association with and dependency on the wider world
- External support if an accident should occur
Description of the analysis object - (3)
- Large enterprises can be broken down into smaller elements (i.e., objects and/or functions)
- A breakdown into too many, too small elements will demand a lot of resources, whereas an insufficient breakdown of the enterprise can lead to unintentional omission of rare but significant events
- A possible technique for breaking down a system is hierarchical breakdown
Hierarchical breakdown
1. Company
1.1 Design offices
1.2 Production unit
1.2.1 Building 1
1.2.2 Building 2
1.2.3 Building 3
Identification of hazards
- Potential hazards related to the activity must be identified (e.g., mechanical hazards, fire, explosion, toxic materials, radiation)
- In which part(s) of the system are the hazards relevant? (e.g., pressure vessels, cranes, storage)
Methods and tools
- Checklists
- Preliminary hazard analysis (PHA), also known as:
  - Hazard identification (HAZID)
  - Rapid risk ranking (RRR)
- Failure modes, effects, and criticality analysis (FMECA)
- Hazard and operability analysis (HAZOP)
- Brainstorming
- Experience data - data bases
Accidental events
Some questions to consider when defining accidental events:
- What type of event is it?
  - Describe the type of event (e.g., fire, gas leak, falling object)
- Where does the event take place?
  - Describe where the event occurs (e.g., in process area A)
- When does the event occur?
  - Describe the conditions under which the event occurs (e.g., normal operation, start-up, during maintenance)
Example: “Contamination of water supply by bacteria during flood conditions”
Accidental events - (2)
- The list of accidental events arising from the PHA or brainstorming should be sorted and filtered (i.e., events that may be disregarded due to insignificant consequences or likelihood of occurrence are closed out without unnecessary delay)
- The different accidental events are considered for each of the elements to be analyzed. Where are the events relevant? For this, one can use a simple event/element matrix.
Event-element matrix
[Table: accidental events (rows) against areas / system elements (columns); each cell marks whether the event is relevant for that element]
Accidental event  | Admin. building | Production unit | Laboratory | Storage | Loading area
Fire              |                 |                 |            |         |
Collision         |                 |                 |            |         |
Explosion         |                 |                 |            |         |
Toxic exposure    |                 |                 |            |         |
Dropped object    |                 |                 |            |         |
Accidental events - (3)
The results from this step are:
- A listing of all relevant hazards
- A listing and description of all potential (and relevant) accidental events
- Identification of where each accidental event may occur
Causal analysis
The causes of each accidental event must be identified and described
[Figure: the accidental event in the centre, surrounded by its contributing factors: human, technical, environmental, societal, and organizational factors]
Methods and tools
- Fault tree analysis
- Bayesian belief networks (Influence diagrams)
- Cause-effect diagrams
- Reliability block diagrams
- Root cause analysis
- Experience data - data bases
Causal analysis results
- For each potential accidental event: all combinations of events (technical failures, human errors, environmental loads, etc.) that may lead to the accidental event (minimal cut sets)
- The minimal cut sets may be used to reveal weaknesses in the system and form a basis for improvements
Frequency analysis
- After the causes of the accidental event have been identified, one is better placed to estimate the frequency (and how the accidental event may be avoided)
- The frequency of the accidental events may be estimated based on:
  1. Data from previous incidents (and data bases)
  2. Fault tree analysis
  3. Expert judgement
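The causal analysis results (minimal cut sets) and the fault-tree route to a frequency estimate above, as an added Python example that is not from the slides: a small fault tree for a constructed accidental event is expanded top-down into its cut sets, minimised, checked for single-point failures, and then used for a rare-event frequency estimate. The gate names, basic events and probabilities are all assumptions made for the example.

```python
from math import prod
from typing import Dict, FrozenSet, List, Set, Tuple

# A fault tree as a dict: gate name -> (gate type, list of inputs). Inputs that are
# not gates are basic events. The tree below is constructed for this example
# (hypothetical toxic exposure in a laboratory); it is not taken from the slides.
FaultTree = Dict[str, Tuple[str, List[str]]]

TREE: FaultTree = {
    "TOP":              ("AND", ["G_release", "G_no_mitigation"]),
    # release: control valve fails open, or the valve opens on loss of power
    "G_release":        ("OR",  ["valve_fails_open", "power_loss"]),
    # mitigation lost if power is lost, or if both detection and ventilation fail
    "G_no_mitigation":  ("OR",  ["power_loss", "G_detection_lost"]),
    "G_detection_lost": ("AND", ["detector_fails", "ventilation_fails"]),
}

# Assumed per-demand probabilities of the basic events (constructed values).
P_BASIC: Dict[str, float] = {"valve_fails_open": 0.02, "power_loss": 0.01,
                             "detector_fails": 0.05, "ventilation_fails": 0.10}


def cut_sets(tree: FaultTree, node: str) -> Set[FrozenSet[str]]:
    """All cut sets of `node` by top-down (MOCUS-style) expansion, not yet minimised."""
    if node not in tree:                        # a basic event is its own cut set
        return {frozenset([node])}
    kind, inputs = tree[node]
    child_sets = [cut_sets(tree, child) for child in inputs]
    if kind == "OR":                            # any one input alone suffices
        return set().union(*child_sets)
    if kind == "AND":                           # combine one cut set from every input
        result: Set[FrozenSet[str]] = {frozenset()}
        for sets in child_sets:
            result = {a | b for a in result for b in sets}
        return result
    raise ValueError(f"unknown gate type {kind!r}")


def minimal_cut_sets(tree: FaultTree, top: str = "TOP") -> List[FrozenSet[str]]:
    """Drop every cut set that contains another cut set; sort by order, then by name."""
    all_sets = cut_sets(tree, top)
    minimal = [s for s in all_sets if not any(other < s for other in all_sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_point_failures(mcs: List[FrozenSet[str]]) -> List[str]:
    """Order-1 minimal cut sets: one basic event alone causes the accidental event."""
    return sorted(next(iter(s)) for s in mcs if len(s) == 1)


def top_event_probability(mcs: List[FrozenSet[str]], p: Dict[str, float]) -> float:
    """Rare-event approximation: sum over the MCS of the product of basic-event probabilities."""
    return sum(prod(p[event] for event in s) for s in mcs)


if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    for s in mcs:
        print("MCS:", " AND ".join(sorted(s)))
    print("single-point failures:", single_point_failures(mcs))   # power_loss
    print(f"P(TOP) ~ {top_event_probability(mcs, P_BASIC):.4g}")
```

The order-1 cut set {power_loss} is the weakness the slides refer to: the same basic event appears on both sides of the AND gate, so the barrier does not protect against it.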
Consequence analysis
- What is the result? Identify the consequences, both immediate and delayed, given the accidental event
- When analyzing consequences, do not forget:
  - The whole chain of events triggered by the accidental event (can a relatively benign event ultimately end up in a disaster?)
  - Both immediate consequences and those that are not apparent until some time after the event.
Consequence categories
It is often desirable to classify consequences into different categories:
- Personnel (i.e., health and safety)
- Environmental
- Economic
- Operational
- Company reputation
Consequence chains
- All potential event chains following an accidental event must be identified and described
- Most systems have one or more safety functions (barriers) that may stop or mitigate the effects of the accidental event. The event chains will depend on whether or not these safety functions work.
Methods and tools
- Event tree analysis
- Cause consequence analysis
- Fire and explosion calculations
- Simulation
- Experience data - data bases
Risk evaluation
- Which risks are present in my enterprise?
- Risk classification matrices should be developed for each consequence category.
Risk evaluation - (2)
- Risk is a function of the frequency of the accidental events and the consequences of the accidental events
  - Higher frequency of occurrence ⇒ higher risk
  - More severe consequences ⇒ higher risk
- A useful tool for describing risk is a risk classification matrix
Risk classification matrix
[Table: risk classification matrix; each cell is assigned to one of the three regions listed below]
Frequency / consequence | Catastrophic | Critical | Major | Minor
1 Very unlikely         |              |          |       |
2 Remote                |              |          |       |
3 Occasional            |              |          |       |
4 Probable              |              |          |       |
5 Frequent              |              |          |       |
Regions:
- Acceptable - only ALARP actions considered
- Acceptable - use ALARP principle and consider further investigations
- Not acceptable - risk reducing measures required
Risk evaluation - (2)
- What do we do with accidental events once classified?
- Part of risk management: guidelines for what should be done with individual events, dictated by the risk category to which they belong (Shouldn’t this have been done during the planning phase?)
Risk elimination
- All accident causal factors (hazards) should be eliminated! We may, however, not have the resources to accomplish it
- We must therefore prioritize our corrective actions by addressing high risks before low risks
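The risk classification matrix, its use per consequence category, and the prioritisation of corrective actions by risk, as an added Python example that is not from the slides: each accidental event is placed in the matrix for every consequence category it affects, assigned the worst of the three regions, and the events are then ordered so that high risks are addressed first. The banding of matrix cells into regions is an assumption (the slide draws the regions without listing cells), and the sample events are constructed.

```python
from typing import Dict, List, Tuple

# Frequency and consequence classes as on the risk classification matrix slide.
FREQUENCY_CLASSES = {1: "Very unlikely", 2: "Remote", 3: "Occasional", 4: "Probable", 5: "Frequent"}
SEVERITY_RANK = {"Minor": 1, "Major": 2, "Critical": 3, "Catastrophic": 4}

# The three regions of the matrix, least to most serious.
REGIONS = (
    "Acceptable - only ALARP actions considered",
    "Acceptable - use ALARP principle and consider further investigations",
    "Not acceptable - risk reducing measures required",
)


def risk_score(frequency: int, consequence: str) -> int:
    """Position of one cell: frequency class plus severity rank (2..9). Rejects unknown classes."""
    if frequency not in FREQUENCY_CLASSES:
        raise ValueError(f"unknown frequency class {frequency!r}")
    if consequence not in SEVERITY_RANK:
        raise ValueError(f"unknown consequence class {consequence!r}")
    return frequency + SEVERITY_RANK[consequence]


def region_index(frequency: int, consequence: str) -> int:
    """ASSUMED banding of cells into regions: score <= 3 -> region 0, 4..6 -> region 1, >= 7 -> region 2."""
    score = risk_score(frequency, consequence)
    return 0 if score <= 3 else (1 if score <= 6 else 2)


# (event name, system element, frequency class, consequence class per consequence category)
Event = Tuple[str, str, int, Dict[str, str]]


def classify_event(event: Event) -> Tuple[int, int]:
    """Place the event in one matrix per consequence category and return the worst (region, score)."""
    _name, _element, frequency, consequences = event
    return max((region_index(frequency, c), risk_score(frequency, c)) for c in consequences.values())


def prioritise(events: List[Event]) -> List[str]:
    """Order events so that high risks are addressed before low risks (ties broken by name)."""
    ranked = sorted(events, key=lambda e: (-classify_event(e)[0], -classify_event(e)[1], e[0]))
    return [e[0] for e in ranked]


# Constructed sample events (not from the slides); the elements are the areas of the event-element matrix.
SAMPLE_EVENTS: List[Event] = [
    ("Fire", "Storage", 3, {"Personnel": "Critical", "Economic": "Major"}),
    ("Explosion", "Production unit", 3, {"Personnel": "Catastrophic", "Economic": "Critical"}),
    ("Toxic exposure", "Laboratory", 1, {"Personnel": "Catastrophic"}),
    ("Dropped object", "Loading area", 4, {"Personnel": "Minor"}),
    ("Collision", "Admin. building", 1, {"Economic": "Minor"}),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE_EVENTS):
        event = next(e for e in SAMPLE_EVENTS if e[0] == name)
        region, score = classify_event(event)
        print(f"{name:15s} {event[1]:16s} {REGIONS[region]} (score {score})")
```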
Risk analysis report
1. Summary and conclusions
2. Objectives and scope
3. Limitations, assumptions and justification of hypotheses
4. Description of relevant parts of the system
5. Analysis methodology
6. Hazard identification results
7. Models used, including assumptions and validation
8. Data and their sources
9. Risk estimation results
10. Sensitivity and uncertainty analysis
11. Discussion of results (including discussion of analytic difficulties)
12. References
– IEC 60300-3-9
Introduction Main Steps Conclusions Criticism Challenges
Conclusions
Criticism
We sometimes hear that:
- A risk analysis takes too much time and resources
- The risk analysis is used to slow down decision processes
- Risk analysis can be a manipulative tool
Challenges
- Where data are lacking, qualitative assessment through expert judgment is unavoidable
- Confidence in the achieved results depends highly on:
  - the confidence in the experts (i.e., their qualification and competence)
  - the effectiveness of the assessment procedures
- However, uncertainties will be revealed and documented, rather than suppressed
- When properly performed, a risk analysis is very transparent
– Adapted from IACS (2002)