What should a risk assessment report or documentation include? If one feels the risk is low and the cost to fix it is high, is it necessary to include it in the report? Is it wise to have an expert or regulating authority involved in the inspection part of the assessment?
Is it sufficient if a single person does the assessment or should a team approach be taken?
A very broad-brush approach would start with the following headings:
. What could go wrong? - (The hazards)
. How likely is it? - (The probabilities)
. What happens if it does? - (The consequences)
. What can we do to prevent it? - (Safety measures)
. What can we do to minimise the effects? - (Mitigation)
For each hazard, assess the "risk" - the product of the probability and the cost of the consequences. While this can be done quasi-scientifically by researching the probability of failure of equipment etc, this can rarely be justified as there are too many unknowns and in a well-engineered installation the probabilities of failure will be down in the noise. I tend to feel there are 4 useful categories of risk -
. "No problem"
. "OK but be careful" - usual engineering measures are acceptable
. "OK but be very careful" - extra precautions such as dual redundancy are required
. "Don't go there!"
The risk assessment report should identify all hazards considered, even those identified as "not a problem". For each, give the risk with supporting information showing how it has been assessed. Also look at the measures that can be taken to avoid the risk, and also the mitigation provided. This can involve a lot of work, and how far you go will depend on the type of installation. As well as safety concerns, you can factor in issues with environmental damage and loss of production or plant damage.
The report should also list all assumptions used in the assessment, such as that everyone working on it will have the necessary levels of competence. Spell these out in words of one syllable or even less so the HR and management types get the message - it's always amazed me that the engineers go to great lengths to assess and justify engineering changes through HAZOP and the like, then the HR dept can decide to sack all the experienced techs and bring in screwdriver jockeys for a week a year.
If you want to get into this in some depth, there is an ISO/IEC standard 31000 covering the topic. This can be regarded as "best practice" and gives an overview of an approach to take. Also google "safety case". This is a formal approach that produces "A documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment".
It looks as if you are saying that a single person can do the assessment,but it will be reviewed by management. Also, you don't have much use for expert authorities.
You have obviously been through this and I appreciate the valued input.
I think the size of the team involved depends on the circumstances. For a new plant where a whole-site assessment is involved, a multi-disciplinary team is needed - with reps from Operations and the various engineering disciplines (a bit like a HAZOP). For a small project with limited scope one or two people can probably do it with advice as required from subject matter experts.
One point to note - when considering hazards, don't forget the small stuff. In terms of lost-time injuries etc, many many more hours of lost time will arise from slips, trips, falls and strains than from major incidents - yet these are often totally overlooked in risk assessments.
My reason for stating that you need to list all the assumptions is that if you make an unqualified statement that the risk of a fatality is less than say 1 in 1^8 over the life of the plant (well below the ALARP safe level) then some bean counter may well pick this up and decide that he doesn't really need all that nasty expensive maintenance on safety gear - or pay the outrageous sums needed to keep someone who knows what he's doing around just in case something breaks.
Perhaps I'm a bit cynical - but some of this safety/reliability stuff seems to be more for form's sake than have any real significance. On one job I was involved with, we were asked to give an MTBF - for a one-off plant which used a boiler design which was a first for the manufacturer, and an unusual combination of gas turbines and gas compressors. My boss basically gave the only possible answer when he said that they should come back in 20 years when he could answer the question.
Yesterday I went on a service to look at a machine that was not working correctly. Eventually I determined that the estop relay was not functioning.
It was a control system I designed maybe a decade ago. It did not have an estop relay as it seemed unnecessary to me at the time.
Somewhere along the line their safety committee had determined the machine needed an estop relay so the maint dept added one. They used a small ice cube relay.
A few days ago it failed. Because of the way it was hooked into the power circuit there was no indication that it had failed. I eventually tracked the power feed back when I realized an output had come on but the valve had not fired. I saw some wiring and a relay that was not shown on the drawings. The LED on the relay was on, but when I pulled it out of the socket it made a funny noise. I tapped it a couple times on the cabinet and put it back in and the machine started working properly.
However, they lost a weeks worth of production over a $6 relay.
This raises another point often overlooked during development of a safety system.. You need to think about not only the effects of the system not working when it should, but also what happens if it goes off when there is no problem?
These can range from the simple "Cry Wolf" effect (a nuisance alarm that occurs every 5 minutes will always be at least ignored if not overridden) to catastrophic (think about an airbag triggered by RFI while you're cruising at max on a highway).
Even a plant trip can have some associated hazards - the second safest condition of a plant is running stably at design rates, while start-up and shut-down are comparatively hazardous and can impose extra stresses on equipment such as thermal effects. So "if in doubt, trip" is not necessarily the best option.
Tom... would you like a copy of my paper, "Probabilistic Risk Assessment of Safety Systems!" as a starter!
The List of references and Bibliography may prove helpful!
Regards, Phil Corso
I certainly would, Phil.
Walt Boyes, FInstMC, Chartered Measurement and Control Technologist
Life Fellow, International Society of Automation
Editor in Chief, Control and ControlGlobal.com