Post on 13-May-2015
description
Workplace Health, Safety and Workplace Health, Safety and Risk EC214CRisk EC214C
Health & safety management,Health & safety management,risk assessment and incident risk assessment and incident
investigationinvestigation(Final Version)(Final Version)
Professor Richard BoothProfessor Richard Booth
December 2010December 2010
Contact detailsContact details
Prof Richard BoothProf Richard Booth r.t.booth@aston.ac.ukr.t.booth@aston.ac.uk Mobile: 07973 333 289Mobile: 07973 333 289
Only in emergencyOnly in emergency Text messages best ‘first time’Text messages best ‘first time’ Give name; moduleGive name; module
Module ObjectivesModule Objectives
Principles of health and safety Principles of health and safety (H&S) management, evolution, (H&S) management, evolution, effectiveness factorseffectiveness factors
Foundations for risk Foundations for risk assessmentassessment
Assess risks: workplaces, Assess risks: workplaces, processes, work equipmentprocesses, work equipment Basic and advanced methodsBasic and advanced methods
Incident investigationIncident investigation
Module documentsModule documents
Power Point notesPower Point notes BS 8800:1996 ‘Guide to BS 8800:1996 ‘Guide to
occupational health and safety occupational health and safety management systems’, Annex management systems’, Annex on ‘Risk assessment’on ‘Risk assessment’
‘‘Occupational Safety’ handoutOccupational Safety’ handout ‘‘Events and Causal Factors Events and Causal Factors
Analysis’ (ECFA) casesAnalysis’ (ECFA) cases
ContentContent
Module introduction (now)Module introduction (now) Shortcomings of reactive H&S Shortcomings of reactive H&S
managementmanagement Accident causation/prevention:Accident causation/prevention:
human errors & violationshuman errors & violations latent and active failureslatent and active failures perceptions of riskperceptions of risk
ContentContent
Risk Assessment Risk Assessment Foundations Foundations H&S management systemsH&S management systems H&S ‘culture’ and measurementH&S ‘culture’ and measurement
Risk assessment methodologiesRisk assessment methodologies Risk decision-making (tolerability)Risk decision-making (tolerability) Incident investigation / analysisIncident investigation / analysis
40% Assessed Course Work40% Assessed Course Work Two pieces Two pieces
60% two-hour examination60% two-hour examination Six questions in two equal sections; Six questions in two equal sections;
answer three, at least one from each answer three, at least one from each sectionsection
May take material out of May take material out of sequence in order to set ACW sequence in order to set ACW soonsoon
AssessmentAssessment
2010 ACW (RTB) – advance 2010 ACW (RTB) – advance information (may be an addition)information (may be an addition)Risk AssessmentRisk Assessment
Prepare a ‘suitable and sufficient’ Prepare a ‘suitable and sufficient’ risk assessment of an activityrisk assessment of an activity
Must cover both analysis of risks and Must cover both analysis of risks and selection of preventive measuresselection of preventive measuresDecide is risk with precautions is tolerableDecide is risk with precautions is tolerableShould satisfy statutory requirementsShould satisfy statutory requirementsStarting point should be Risk Assessment Starting point should be Risk Assessment Annex of BS8800: 1996Annex of BS8800: 1996Choice of activity to be assessed is yours, Choice of activity to be assessed is yours, though consult me as to suitability of your though consult me as to suitability of your proposalproposal
2010 ACW2010 ACWRisk Assessment: examplesRisk Assessment: examples Operation, adjustment and maintenance Operation, adjustment and maintenance
of a (workshop) machine of a (workshop) machine Changing a vehicle’s flat tyre on a Changing a vehicle’s flat tyre on a
motorway hard shoulder motorway hard shoulder Acting as a security officer (bouncer) at a Acting as a security officer (bouncer) at a
place of entertainmentplace of entertainment Work at heights:Work at heights:
Painting windows on the second floor of a buildingPainting windows on the second floor of a building Mountain rescue (not just issues relating to heights)Mountain rescue (not just issues relating to heights)
Work in a ‘confined space’Work in a ‘confined space’ Looking after a toddler or a very elderly Looking after a toddler or a very elderly
and infirm personand infirm person Managing a school field tripManaging a school field trip
Classify work activitiesClassify work activities
Identify hazards Identify hazards
Determine riskDetermine risk
Decide if risk is tolerableDecide if risk is tolerable
Prepare risk control action planPrepare risk control action plan
Review adequacy of action planReview adequacy of action plan
Basic steps in risk assessmentBasic steps in risk assessment
Labourer fatally injured in a Quarry ConveyorLabourer fatally injured in a Quarry Conveyor
18-year old male employed as a labourer. He was 18-year old male employed as a labourer. He was sweeping a work area when he slipped on wet sweeping a work area when he slipped on wet floor and fell into conveyor belt that was floor and fell into conveyor belt that was unguarded and in motion. He was asphyxiated as unguarded and in motion. He was asphyxiated as a result of being drawn into the conveyor a result of being drawn into the conveyor
Conveyor fixed-guard removed by two fitters Conveyor fixed-guard removed by two fitters weeks before to carry out maintenance work; weeks before to carry out maintenance work; guard not replaced. Check carried out by a guard not replaced. Check carried out by a manager on the safety of the conveyor, and fitters manager on the safety of the conveyor, and fitters told to replace the guard. This they did. Fitters not told to replace the guard. This they did. Fitters not admonishedadmonished
Conveyor guard was again removed by the same Conveyor guard was again removed by the same two fitters to carry out maintenance and was not two fitters to carry out maintenance and was not replaced. No subsequent checks were carried out replaced. No subsequent checks were carried out on the conveyor guard before accidenton the conveyor guard before accident
DP asphyxiated1600
7-4-08
DP starts to sweep up work area floor
7-4-08
DP employed as a labourer10-3-08
DP slippedon floor
just before 16007-4-08
DP fell into conveyor
just before 16007-4-08
Conveyor unguarded
DP wearing unsuitable footwear
No hazard-spotting training
given
Floor wet and slippery
Labourer fatally injured in an un-guarded conveyor
Manager did not criticise Fitters for
not replacing guard
20-3-08
Fitters fail to replace guard after
maintenance12-3-08
Conveyor required regular
maintenance
Staff not criticised for breaking safety
rules
Fitters (again) fail to replace guard
after maintenance26-3-08
Conveyor Inspection
schedule not adhered to
Fitters replace guard
21-3-08
Manager instructs fitters to replace
guard20-3-08
DP did notrealize conveyor was dangerous
Manager observes unguarded conveyor20-3-08
Inspections dueon 27-3-08 & 3-4-08 not carried out
No interlocked guard fitted
Conveyor in motion
DP drawn into conveyor belt
just before 16007-4-08
Inspection procedures
LTA
Quarry conveyor – causal Quarry conveyor – causal factorsfactors
The deceasedThe deceased Fellow workersFellow workers Supervisors and managersSupervisors and managers The Quarry CompanyThe Quarry Company Management of safetyManagement of safety
Risk assessmentRisk assessment [Supplier of conveyor (no [Supplier of conveyor (no
guard)]guard)]
Lessons to be learntLessons to be learnt
Technical shortcomingsTechnical shortcomings Human failures: ‘unintended’ Human failures: ‘unintended’
errors; risk-taking ‘violations’errors; risk-taking ‘violations’ Active and latent failures Active and latent failures Risk assessmentRisk assessment Safety proceduresSafety procedures Legal issuesLegal issues
Traditional, reactive, approach Traditional, reactive, approach to health & safety managementto health & safety management
Do nothing until serious harm Do nothing until serious harm occursoccurs
Search for cause (superficially Search for cause (superficially and with pre-conceptions)and with pre-conceptions)
Debate: cause unsafe act or Debate: cause unsafe act or unsafe condition?unsafe condition?
Solution: rule / technical fix to Solution: rule / technical fix to prevent recurrenceprevent recurrence
ACCIDENTACCIDENT
Investigate accident -Investigate accident -
steered by thesteered by the
preconceptions of thepreconceptions of the
investigatorinvestigator
Attribute primaryAttribute primary
cause tocause to unsafeunsafeactsacts
Attribute primaryAttribute primary
cause tocause to unsafeunsafeconditionsconditions
RULERULE devised devised forbiddingforbidding
unsafe actsunsafe acts
TECHNICALTECHNICALsolution to makesolution to makeconditions safeconditions safe
Traditional Safety ManagementTraditional Safety Management
Causation debate missed:Causation debate missed:
Single primary accident cause Single primary accident cause gross over-simplificationgross over-simplification
Contribution of conditions and Contribution of conditions and behaviour in preventionbehaviour in prevention
Latent (decision) failures - not Latent (decision) failures - not just active failures – and also just active failures – and also different failure ‘types’different failure ‘types’
Prevention founded on accident Prevention founded on accident investigationinvestigation
Controls devised in this way may:Controls devised in this way may: Fail to remedy shortcomings in Fail to remedy shortcomings in
management systems management systems Conflict with each other Conflict with each other Become obsoleteBecome obsolete Conflict with needs to get job Conflict with needs to get job
donedone Be over-zealous (OTT) Be over-zealous (OTT)
TimeTime
Per
cep
tio
n o
f ri
skP
erce
pti
on
of
risk
Perceptions of risk and preventionPerceptions of risk and prevention
TimeTime
Per
cep
tio
n o
f ri
skP
erce
pti
on
of
risk
Serious accidentSerious accident
Perceptions of risk and preventionPerceptions of risk and prevention
TimeTime
Per
cep
tio
n o
f ri
skP
erce
pti
on
of
risk
Serious accidentSerious accidentRules and safeguards devisedRules and safeguards devised
herehere may be may be violatedviolated when when
perceptions decay over perceptions decay over timetime
Perceptions of risk and preventionPerceptions of risk and prevention
Accident causationAccident causation
Multi-causalityMulti-causality Active and Latent failures (‘resident Active and Latent failures (‘resident
pathogens’ metaphor)pathogens’ metaphor) Events and outcomes; accident Events and outcomes; accident
‘triangle’‘triangle’ Behaviour in the face of dangerBehaviour in the face of danger Reason’s classification Skill-, rule- Reason’s classification Skill-, rule-
and knowledge-based errors, and and knowledge-based errors, and violationsviolations
Hazard identification, risk Hazard identification, risk assessment, preventive actionassessment, preventive action
Events and OutcomesEvents and Outcomes
ws
Near miss
Hazard
Fatality
Property damage
Major injury
Minor injury
Event
Accident
Incident
OUTCOME
Environmental damage
The Accident TriangleThe Accident Triangle
Major or >3 day injury
Minor injury
Non injury189
7
1
Hale and Hale Model – Hale and Hale Model – behaviour behaviour in the face of dangerin the face of danger
Action
PresentedInformation
ExpectedInformation
PerceivedInformation
PossibleActions
Cost / BenefitDecision
HumanHumanFailureFailure
Knowledge-Knowledge-basedbased
Rule-basedRule-based
LapsesLapses
SlipsSlips
ExceptionalExceptional
Skill-basedSkill-based(unintended)(unintended)
ErrorsErrors
SituationalSituational
MistakesMistakes(intended (intended
actionaction**))
RoutineRoutine
ViolationsViolations
(intended)(intended)
* But unintended diagnostic error
Reason’s error type classificationReason’s error type classification
- ve Safety - ve Safety CultureCulture
Mini assignmentMini assignment From your own experience, provide From your own experience, provide
a brief description of an incident a brief description of an incident associated with each of the associated with each of the Human Human FailureFailure categories proposed by categories proposed by James ReasonJames Reason
Clue: start with incidents then seek Clue: start with incidents then seek to categorise them, not the other to categorise them, not the other way roundway round
Some incidents may involve several Some incidents may involve several failure categoriesfailure categories
Discussion Discussion (and hand in if feedback (and hand in if feedback wanted)wanted) in one/two weeks in one/two weeks
Initial Status Initial Status ReviewReview
OHS PolicyOHS Policy Management Management ReviewReview
PlanningPlanning
Checking & Checking & correctivecorrectiveactionaction
Implementation Implementation & operation& operation
Continual Continual improvementimprovement
The Main Elements in HSG65The Main Elements in HSG65
Organising
Planning and Implementing
Measuring Performance
Policy
Reviewing Performance
Auditing
Initial Status Initial Status ReviewReview
OHS PolicyOHS Policy Management Management ReviewReview
PlanningPlanning
Checking & Checking & correctivecorrectiveactionaction
Implementation Implementation & operation& operation
Continual Continual improvementimprovement
Management system BS 18004: Management system BS 18004: 20082008
Safety management & cultureSafety management & culture
Management system crucial, but:Management system crucial, but: Organisation’s safety procedures Organisation’s safety procedures
may look well-considered, but may look well-considered, but reality: sullen scepticism / false reality: sullen scepticism / false perceptions of risk perceptions of risk
Critical point: not the apparent Critical point: not the apparent adequacy of safety procedures; adequacy of safety procedures; it’s the perceptions and beliefs it’s the perceptions and beliefs that people hold about themthat people hold about them
Ris
k In
dic
ato
rsR
isk
Ind
icat
ors
Time & EffortTime & Effort
Safety CultureSafety Culture
RegulatioRegulationn
LeadLead
ManagementManagementLeadLead
PeoplePeopleLeadLead
Reactive to Proactive - Safety Reactive to Proactive - Safety Improvement StagesImprovement Stages
Definition of Safety CultureDefinition of Safety CultureHSG65 ‘97HSG65 ‘97
““The safety culture .... is product of individual and The safety culture .... is product of individual and group values, group values, attitudesattitudes, , competenciescompetencies, & , & patterns of patterns of behaviourbehaviour that determine that determine commitmentcommitment to, & style & proficiency of, an to, & style & proficiency of, an organisation’s organisation’s H&SH&S programmes programmes
Organisations with a positive safety culture Organisations with a positive safety culture characterised by characterised by communications founded communications founded on mutual on mutual trusttrust, by shared perceptions of , by shared perceptions of the importance of safety and by confidence the importance of safety and by confidence in the efficacy of preventive measures”in the efficacy of preventive measures”
British Standard BS8800: British Standard BS8800: 20042004
““The extent to which organizations The extent to which organizations are successful in managing [safety] are successful in managing [safety] is heavily influenced by the is heavily influenced by the leadership of [safety] by top leadership of [safety] by top management who regard it as a key management who regard it as a key business objective, business objective, and the active and the active involvement of the work force and involvement of the work force and their representativestheir representatives” ”
Safety cultureSafety culture
What I What I thinkthink and and knowknow about about safetysafety Attitudes and beliefsAttitudes and beliefs CompetenceCompetence
What everybody else thinks about – What everybody else thinks about – and and knowsknows about – safety about – safety
What do we What do we dodo, in practice?, in practice? Patterns of behaviourPatterns of behaviour
(What we do depends on what (What we do depends on what others say and do)others say and do)
What promotes a positive safety What promotes a positive safety culture?culture? Good Good communicationscommunications High level of High level of trusttrust between staff – all levels between staff – all levels All staff encouraged to All staff encouraged to participateparticipate / be pro- / be pro-
active in improving safety performanceactive in improving safety performance The The commitmentcommitment of everyone to the of everyone to the
overall goals of the organizationoverall goals of the organization Continual improvementContinual improvement (not ‘step’ (not ‘step’
change)change) Safety Safety ‘champions’‘champions’ Care and concernCare and concern
BS8800: 2004 BS8800: 2004
Staff committed to Staff committed to aims of organizationaims of organization, & , & way organization is managedway organization is managed
Top management and senior staff Top management and senior staff demonstrate visible commitmentdemonstrate visible commitment
Senior staff / supervisors spend time Senior staff / supervisors spend time discussing & promotingdiscussing & promoting safety. Safety is safety. Safety is managed with same determination as other managed with same determination as other key business objectiveskey business objectives
Safety representatives carry out functions Safety representatives carry out functions with active support of managementwith active support of management
Anecdotes – cultureAnecdotes – culture Communications in a Train Communications in a Train
Operating CompanyOperating Company Management perceptions Management perceptions Office move Office move Locomotive windscreen wipersLocomotive windscreen wipers Safety briefingsSafety briefings
Nuclear power stationsNuclear power stations BREL to privatisationBREL to privatisation Two cases: rubber factory and Two cases: rubber factory and
catering contractorscatering contractors
Measuring safety cultureMeasuring safety culture
Informal discussions, feedback Informal discussions, feedback from briefings / tool box talksfrom briefings / tool box talks
Semi-structured questionnaire / Semi-structured questionnaire / interviews with groups / individualsinterviews with groups / individuals
Organizational questionnairesOrganizational questionnaires Attitude surveys of personnel within Attitude surveys of personnel within
the organizationthe organization Observations of individual and Observations of individual and
group behaviours in practice group behaviours in practice
Positive safety culture Positive safety culture objectivesobjectives Employees agree via communications Employees agree via communications
founded on mutual trust that founded on mutual trust that procedures:procedures: founded on shared perceptions of founded on shared perceptions of
hazards and riskshazards and risks necessary and workablenecessary and workable will succeed in preventing accidentswill succeed in preventing accidents prepared with consultation prepared with consultation subject to continual reviewsubject to continual review
Risk Risk AssessmentAssessment
Risk Assessment LawRisk Assessment Law Most UK risk assessment Most UK risk assessment
legislation based on EU directiveslegislation based on EU directives More explicit that underpinning law: More explicit that underpinning law:
Health and Safety at Work Act 1974Health and Safety at Work Act 1974 Every employer: Management of Every employer: Management of
Health and Safety at Work Health and Safety at Work Regulations 1999Regulations 1999
Hazard-specific RegulationsHazard-specific Regulations Industry-specific RegulationsIndustry-specific Regulations
Management of Health & Safety Management of Health & Safety at Work Regulationsat Work Regulations
regulation 3:regulation 3: reg 3(1) “Every employer shall make a suitable reg 3(1) “Every employer shall make a suitable
and sufficient assessment of risks to and sufficient assessment of risks to employees and othersemployees and others for the purpose of identifying for the purpose of identifying the measures he needs to take to comply with the the measures he needs to take to comply with the requirements and prohibitions imposed upon him … ”requirements and prohibitions imposed upon him … ”
reg 3(3) Review assessments: validity; reg 3(3) Review assessments: validity; significant changesignificant change
reg 3(4) Five or more employees: record reg 3(4) Five or more employees: record significant findingssignificant findings
Hazard-specific regulationsHazard-specific regulations
The Control of Substances Hazardous The Control of Substances Hazardous to Health Regulations 2005 (CBH)to Health Regulations 2005 (CBH)
The Noise at Work Regulations 2005The Noise at Work Regulations 2005 The Provision and Use of Work The Provision and Use of Work
Equipment Regulations 1998 (PUWER)Equipment Regulations 1998 (PUWER) The Supply of Machinery (Safety The Supply of Machinery (Safety
Regulations) 1992Regulations) 1992 The Manual Handling Operations The Manual Handling Operations
Regulations 1992Regulations 1992 The Lifting Operations and Lifting The Lifting Operations and Lifting
Equipment Regulations 1998Equipment Regulations 1998
Industry-specific regulationsIndustry-specific regulations
Nuclear Installations Regulations 1971Nuclear Installations Regulations 1971 Control of Major Accident Hazards Control of Major Accident Hazards
(COMAH) 1999 [2005](COMAH) 1999 [2005] Offshore Installations (Safety Case) Offshore Installations (Safety Case)
Regulations 1992Regulations 1992 Railways and Other Guided Transport Railways and Other Guided Transport
Systems (Safety) Regulations (ROGS) Systems (Safety) Regulations (ROGS) 2006 2006
Construction (Design & Management) Construction (Design & Management) Regulations (CDM) 2007Regulations (CDM) 2007
Classify work activitiesClassify work activities
Identify hazards Identify hazards
Determine riskDetermine risk
Decide if risk is tolerableDecide if risk is tolerable
Prepare risk control action planPrepare risk control action plan
Review adequacy of action planReview adequacy of action plan
Basic steps in risk assessmentBasic steps in risk assessment
Key termsKey terms
HazardHazard source of potential harm, or source of potential harm, or
situation with potential for harmsituation with potential for harm
RiskRisk combination of likelihood and combination of likelihood and
consequences of a specified consequences of a specified hazardous event, hazardous event, oror
statistical probability of a defined statistical probability of a defined hazardous eventhazardous event
Types of assessment – note Types of assessment – note overlapoverlap Continuing (dynamic) risk assess-Continuing (dynamic) risk assess-
ment (informal; usually no records)ment (informal; usually no records) Systematic, documented, qualitative Systematic, documented, qualitative
assessment of ‘general workplace assessment of ‘general workplace hazards’ (BS 8800: 1996 BS18004: hazards’ (BS 8800: 1996 BS18004: 2008)2008)
Machinery risk assessment (EN 292)Machinery risk assessment (EN 292) Substances and Energies (CBH) Substances and Energies (CBH) ‘‘Major hazards’ risk assessment – Major hazards’ risk assessment –
quantitative (PRA / QRA)quantitative (PRA / QRA) Starting point: task or processStarting point: task or process
Risk assessmentRisk assessmentfor ‘General Workplace for ‘General Workplace
Hazards’Hazards’
BS 8800: 1996 Annex DBS 8800: 1996 Annex D
Classify work activitiesClassify work activities TasksTasks: location; duration; : location; duration;
frequency; personnelfrequency; personnel Controls in placeControls in place: training; : training;
systems work; hardwaresystems work; hardware Machinery; toolsMachinery; tools: instructions: instructions Manual handlingManual handling: size, shape, : size, shape,
weightweight SubstancesSubstances: physical form; data : physical form; data
sheetssheets MeasurementsMeasurements: reactive (lagging) : reactive (lagging)
monitoring datamonitoring data
Identify hazards Identify hazards
Is there a source of harm?Is there a source of harm? Who (or what) could be harmed?Who (or what) could be harmed? How could harm occur?How could harm occur? Hazards prompt-list, eg:Hazards prompt-list, eg:
Slips / falls: on level or from heightSlips / falls: on level or from height ViolenceViolence Substances: inhaled, ingested, skin Substances: inhaled, ingested, skin
absorptionabsorption Repetitive work (WRULDs)Repetitive work (WRULDs)
Determine riskDetermine risk Severity of harmSeverity of harm
Slightly harmful: minor cuts / bruises; Slightly harmful: minor cuts / bruises; temporary discomforttemporary discomfort
Harmful: concussion, minor fractures; Harmful: concussion, minor fractures; deafness; asthmadeafness; asthma
Extremely harmful: amputations; Extremely harmful: amputations; fatalities; occupational cancerfatalities; occupational cancer
Likelihood of harmLikelihood of harm Highly unlikelyHighly unlikely UnlikelyUnlikely LikelyLikely
Assess adequacy of controlsAssess adequacy of controls
Determine riskDetermine risk Frequency / duration of Frequency / duration of
exposure & numbers at riskexposure & numbers at risk Failures of services, machine Failures of services, machine
parts, safety devicesparts, safety devices Protection from PPEProtection from PPE Human failures - unintended Human failures - unintended
errors or intentional violations errors or intentional violations of proceduresof procedures
Rough probability: ‘once in ten Rough probability: ‘once in ten years?’ (BS 2004) years?’ (BS 2004)
Decide if risk is tolerableDecide if risk is tolerable
Use risk level estimatorUse risk level estimator Risks classified according to Risks classified according to
estimated likelihood and estimated likelihood and potential severity of harmpotential severity of harm
Reasonable starting pointReasonable starting point Numbers may be used to Numbers may be used to
describe risk levels (no greater describe risk levels (no greater accuracy)accuracy)
HighlyHighlyUnlikelyUnlikely
LikelyLikely
UnlikelyUnlikely
HarmfulHarmfulSlightlySlightlyHarmfulHarmful
ExtremelyExtremelyHarmfulHarmful
TRIVIALTRIVIALRISKRISK
MODERATEMODERATERISKRISK
MODERATEMODERATERISKRISK
MODERATEMODERATERISKRISK
SUB-SUB-STANTIALSTANTIAL
RISKRISK
INTOLERABLEINTOLERABLERISKRISK
Risk level EstimatorRisk level Estimator
TOLERABLETOLERABLERISKRISK
TOLERABLETOLERABLERISKRISK
SUB-SUB-STANTIALSTANTIAL
RISKRISK
Prepare risk control action planPrepare risk control action plan
(Note that risk matrix should (Note that risk matrix should strictly be non judgmental)strictly be non judgmental)
Control effort and urgency Control effort and urgency proportional to risk levelproportional to risk level
Inventory of actions, in priority Inventory of actions, in priority
order, to order, to devise devise maintainmaintain or or improve controlsimprove controls
RISK LEVELRISK LEVEL ACTION (AND TIMESCALE)ACTION (AND TIMESCALE)
TRIVIALTRIVIAL No action, no recordsNo action, no recordsTOLERABLETOLERABLE No further action necessary: No further action necessary:
monitor to ensure controls monitor to ensure controls maintainedmaintained
MODERATEMODERATE Efforts to reduce risk, but costs Efforts to reduce risk, but costs of prevention should be limitedof prevention should be limited
SUBSTANTIALSUBSTANTIAL Urgent efforts to reduce risk: Urgent efforts to reduce risk: reduction costs may be highreduction costs may be high
INTOLERABLEINTOLERABLE Work should not be started or Work should not be started or continued until risk reduced: no continued until risk reduced: no cost constraints for preventioncost constraints for prevention
Risk-based control planRisk-based control plan
Prepare risk control action planPrepare risk control action plan
Controls - consider, eg:Controls - consider, eg: Eliminate hazards?Eliminate hazards? Protect everyone?Protect everyone? Blend of technical controls and Blend of technical controls and
procedures?procedures? Planned maintenance?Planned maintenance? PPE should be last resortPPE should be last resort Pro-active measurement Pro-active measurement
indicators part of plan (leading indicators part of plan (leading indicators)indicators)
Review adequacy of action planReview adequacy of action plan
New controls: tolerable risk levels?New controls: tolerable risk levels? But, new hazards created?But, new hazards created? Most cost-effective solution?Most cost-effective solution? Peoples’ views: need for and Peoples’ views: need for and
practicality of controls?practicality of controls? Used in practice, not ignored in face Used in practice, not ignored in face
of work pressures?of work pressures? Continual review, and revise if Continual review, and revise if
necessarynecessary
Critique of three-point scalesCritique of three-point scales
Three point scalesThree point scales LikelihoodLikelihood SeveritySeverity
Can cause problemsCan cause problems Disproportionate number “medium”Disproportionate number “medium” Lack of adequate discriminationLack of adequate discrimination
Skewed towards less serious Skewed towards less serious outcomesoutcomes
Likelihood of Hazardous EventLikelihood of Hazardous Event Rating 1 = Negligible (zero to Rating 1 = Negligible (zero to
extremely low)extremely low) Rating 2 = Very unlikelyRating 2 = Very unlikely Rating 3 = UnlikelyRating 3 = Unlikely Rating 4 = LikelyRating 4 = Likely Rating 5 = Very likelyRating 5 = Very likely Rating 6 = Almost certainRating 6 = Almost certain
Remember to rate Remember to rate hazardous eventhazardous event
Rate Hazardous EventRate Hazardous Event Important to rate likelihood of Important to rate likelihood of
hazardous eventhazardous event Not likelihood of the eventNot likelihood of the event Not likelihood of someone getting hurtNot likelihood of someone getting hurt
For exampleFor example Lifting very light load from deskLifting very light load from desk People fallingPeople falling People touching live cablesPeople touching live cables
Judgement and knowledge at timeJudgement and knowledge at time SubjectiveSubjective Not absolute (see later)Not absolute (see later)
SeveritySeverity Rating 1 = Minor injury, first aid Rating 1 = Minor injury, first aid
injuryinjury Rating 2 = Lost time accident - up Rating 2 = Lost time accident - up
to 3 dayto 3 day Rating 3 = “over 3 day” injuryRating 3 = “over 3 day” injury Rating 4 = Major injuryRating 4 = Major injury Rating 5 = Disabling injuryRating 5 = Disabling injury Rating 6 = FatalityRating 6 = Fatality Select most likely outcome - Select most likely outcome - not not
worst caseworst case
Assessing RisksAssessing Risks
Both likelihood & severity Both likelihood & severity subjective estimates: might be subjective estimates: might be challenged by challenged by ‘wisdom’ of ‘wisdom’ of hindsighthindsight if things go wrong if things go wrong
Calculating riskCalculating risk Multiply likelihood and severityMultiply likelihood and severity High risk, high priorityHigh risk, high priority Reduce to lowest reasonable numberReduce to lowest reasonable number Likelihood and severity independentLikelihood and severity independent Can band riskCan band risk
Risk MatrixRisk Matrix
Use matrixUse matrix Previously only 6 levels of risk Previously only 6 levels of risk
(1 to 9)(1 to 9) Banded into three bandsBanded into three bands
Now 18Now 18 Can be banded, eg six bandsCan be banded, eg six bands
Risk MatrixRisk MatrixSeveritySeverity
LLiikkeelliihhoooodd
11 22 33 44 55 66 Risk levelsRisk levels
11 11 22 33 44 55 66 InsignificantInsignificant
22 22 44 66 88 1010 1212 Very lowVery low
33 33 66 99 1212 1515 1818 LowLow
44 44 88 1212 1616 2020 2424 HighHigh
55 55 1010 1515 2020 2525 3030 Very highVery high
66 66 1212 1818 2424 3030 3636 ExtremeExtreme
Risk ControlRisk Control
Two topicsTwo topics Reducing risks – Reducing risks – Workplace Workplace
precautions (RCMs)precautions (RCMs) How RCMs are maintained - How RCMs are maintained -
Risk Control SystemsRisk Control Systems
Deciding on Risk ReductionDeciding on Risk Reduction
Depends on two main factorsDepends on two main factors Absolute level of riskAbsolute level of risk How easy it is to reduce the riskHow easy it is to reduce the risk
Reduce riskReduce risk So far as is reasonably practicable (ALARP)So far as is reasonably practicable (ALARP) Used widely in UK legislationUsed widely in UK legislation
The higher the risk the more The higher the risk the more resources devoted to reducing itresources devoted to reducing it
Extreme risk - consider stopping Extreme risk - consider stopping tasktask
But do not include ‘unforeseeable’ But do not include ‘unforeseeable’ outcomes (despite hindsight)outcomes (despite hindsight)
Advanced Risk Advanced Risk Assessment Assessment
MethodologiesMethodologies
‘‘Advanced’ Risk AssessmentAdvanced’ Risk Assessment
‘‘Major Hazard’ industry-specific Major Hazard’ industry-specific Regulations (ie, not CDM)Regulations (ie, not CDM)
Quantification of riskQuantification of risk Human / organisational failures Human / organisational failures
crucial – hence detailed ‘Safety crucial – hence detailed ‘Safety Case’Case’
Ideal for 1960s technologiesIdeal for 1960s technologies Serious concern: programmable Serious concern: programmable
electronic systems in process etc electronic systems in process etc controlcontrol
Advanced Risk Assessment Advanced Risk Assessment TechniquesTechniques Hazard and Operability Studies Hazard and Operability Studies
(HAZOPS)(HAZOPS) Failure Modes & Effects Analysis Failure Modes & Effects Analysis
(FMEA)(FMEA) Event Tree Analysis (ETA)Event Tree Analysis (ETA) Fault Tree Analysis (FTA)Fault Tree Analysis (FTA) Human Reliability Analysis (HRA)Human Reliability Analysis (HRA) Cost Benefit Analysis (CBA)Cost Benefit Analysis (CBA)
DEFINE SYSTEM
IDENTIFY HAZARDS
HAZARDOUSEVENTS HAZARDS
EVENTS CONTINUINGHAZARDS
ANALYSE CONSEQUENCES
DECIDE RISK CONTROL STRATEGY
VERIFY
ESTIMATE/
MEASURE RISKS
EVALUATE RISKS
NO CHANGE (MONITOR)
YESYES
NONO IS RISK TOLERABLE?
Task-based approachTask-based approachHAZOPSHAZOPSFMEAFMEA
CHECK-LIST
Event Tree AnalysisEvent Tree Analysis
Fault Tree AnalysisFault Tree AnalysisEvent Tree AnalysisEvent Tree Analysis
CHierarchy
Risk Matrix or Risk Calculator
1 in 10,000
1 in 1m
QRA
Steps in advanced Steps in advanced risk assessmentrisk assessment
Cost-Benefit AnalysisCost-Benefit Analysis
Hazard and Operability StudiesHazard and Operability Studies‘HAZOPS’‘HAZOPS’ HAZOPS is a qualitative type of HAZOPS is a qualitative type of
analysis, based on a multi-analysis, based on a multi-disciplinary team approachdisciplinary team approach
Methodology stimulates the Methodology stimulates the imagination through ‘active’ imagination through ‘active’ structured lateral thinkingstructured lateral thinking
Open ended procedure which Open ended procedure which relies on ‘brain-storming’relies on ‘brain-storming’
INTENTION
DEVIATIONS
PossibleCauses
PotentialConsequences
Principle of HAZOPSPrinciple of HAZOPS
HAZOPS MethodologyHAZOPS Methodology Define objective of the studyDefine objective of the study Principles of examination:Principles of examination:
Divide process/activity into sections, Divide process/activity into sections, eg, pipes/ tanks. Identify the precise eg, pipes/ tanks. Identify the precise design intention, eg, flow rate/mindesign intention, eg, flow rate/min
Identify how deviations from Identify how deviations from intention are caused: use of guide intention are caused: use of guide words words
Analyse the consequences for each Analyse the consequences for each deviationdeviation
HAZOPS MethodologyHAZOPS Methodology
Principles of examination:Principles of examination: Decide what actions are required to Decide what actions are required to
control riskscontrol risks+ actions to prevent deviations by actions to prevent deviations by
design (priority), and/ordesign (priority), and/or+ actions to mitigate the actions to mitigate the
consequencesconsequences Review the system after modificationsReview the system after modifications
INTENTION
DEVIATIONS
PossibleCauses
PotentialConsequences
Inductive logic
Deductive logic
NONO MOREMORE LESSLESSOTHER THANOTHER THAN
GUIDE WORDSGUIDE WORDS
Principle of HAZOPSPrinciple of HAZOPS
possiblecauses
processdeviations
possibleconsequences
property wordsproperty words HAZOPSHAZOPS eg. flow, temperature, pressureeg. flow, temperature, pressure
guide wordsguide words NO or NOTNO or NOT Complete negation: intentionsComplete negation: intentions MOREMORE Quantitative increaseQuantitative increase LESSLESS Quantitative decreaseQuantitative decrease AS WELL ASAS WELL AS Qualitative increaseQualitative increase PART OFPART OF Qualitative decreaseQualitative decrease REVERSEREVERSE Logical opposite: intentionLogical opposite: intention OTHER THANOTHER THAN Complete substitutionComplete substitution
Guide WordsGuide Words PropertyProperty
NoNo MoreMore LessLess As well asAs well as Other thanOther than Part ofPart of ReverseReverse
FlowFlow TemperatureTemperature PressurePressure LevelLevel CompositionComposition EtcEtc
Typical problems revealed with Typical problems revealed with guide wordsguide words
No FlowNo Flow Blockage; pump failure, valve closed or Blockage; pump failure, valve closed or
jammed; leak; suction vessel empty; jammed; leak; suction vessel empty;
Reverse FlowReverse Flow Pump failure; NRV failure or wrongly Pump failure; NRV failure or wrongly
inserted; wrong routing; delivery over inserted; wrong routing; delivery over pressurised; pump reversedpressurised; pump reversed
More FlowMore Flow Surging; valve stuck open; leakSurging; valve stuck open; leak
Typical problems revealed with Typical problems revealed with guide wordsguide words
Less FlowLess Flow Partial pump failure; leak; partial blockagePartial pump failure; leak; partial blockage
More Temp, More PressureMore Temp, More Pressure External fires; blockage; reaction; External fires; blockage; reaction;
explosion; valve closed; loss of level in explosion; valve closed; loss of level in heater; hot ambient tempheater; hot ambient temp
Less Temp, Less PressureLess Temp, Less Pressure Heat loss; vaporisation; ambient conditions; Heat loss; vaporisation; ambient conditions;
rainrain
Typical problems revealed with Typical problems revealed with guide wordsguide words
More Than (Impurities)More Than (Impurities) Ingress of contaminants, eg, water, air, lube Ingress of contaminants, eg, water, air, lube
oils; corrosion productsoils; corrosion products
Part Of (Composition)Part Of (Composition) High or low concentration of mixture; High or low concentration of mixture;
additional reactions in reactor or other additional reactions in reactor or other location; feed changelocation; feed change
Other Than (Normal operation)Other Than (Normal operation) Start-up and shutdown of plant; corrosion; Start-up and shutdown of plant; corrosion;
emergencies; failure of power, water, fuel, emergencies; failure of power, water, fuel, steam, air or inert gassteam, air or inert gas
ExercisesExercisesMetal cleaning shopMetal cleaning shop
Fan
Window
Valve
Toluene Bath
Pump
Filters
Solvent Containers
Do
or
80°C
Face velocity 5 m/sec
Toluene
Metal cleaning shopMetal cleaning shopDesign intentionDesign intention
Inside tank ‘T-1’: 300 gallons Inside tank ‘T-1’: 300 gallons toluene, heated to constant 80 toluene, heated to constant 80 degrees Cdegrees C
Outside tank ‘T-2’: 500 gallons Outside tank ‘T-2’: 500 gallons toluene stored under ambient toluene stored under ambient conditionsconditions
Line between T-1 and T-2: constant Line between T-1 and T-2: constant flow at 10 gallons/minuteflow at 10 gallons/minute
Local Extract Ventilation ‘LEV’: Local Extract Ventilation ‘LEV’: constant face velocity = 5 m/secconstant face velocity = 5 m/sec
Divide system into lines & tanksDivide system into lines & tanks
Fan
Filters
Face velocity 5 m/sec
Local Extract VentilationLocal Extract VentilationDesign intention:Design intention: to to provide constantprovide constantface velocity 5m/secface velocity 5m/sec
HAZOP WorksheetStudy Session Reference: HAZOP Study Reference: Sheet:... of ....
Deviation Possible Causes Consequences Existing Controls Risklevel
Action Required
No Flow Power fails Increased None A Consider emergency concentration power supply
Flammable liquid storage tank
T-1
To flareNitrogen
PIC
Atmosphere
25m3
1.1bar
20 CO
Suction from intermediate storage tank
150m capacity3Pump
P-1
V-5
V-1
V-8V-7
CV-1CV-2Relief valve
FIC
PI
CV-3V-4PumpP-2
V-3
V-2
To reactor
Line 2
Line 1
HAZOP WORK-SHEET
Storage tank T-1
To store flammable reagent at 1.1 bar and 20° C
GUIDE WORD PROPERTY POSSIBLE CAUSES CONSEQUENCES ACTION REQUIRED
MORE LEVEL 1. Pump P-1 fails to stop Reagent released Incorporate high level alarm and trip
2. Reverse from process Reagent released Consider check valve Line 2LESS 3. Pump P-1 cavitates Damage to P-1 Can reagent explode?
If pump overheats?4. Rupture in Line 2 Reagent released Consider alarm and pump
shut-down5. V-3 open Reagent released Consider alarm6. V-1 open Same Same7. Tank rupture Same What external events can
cause rupture?NO Same as LESS
OTHER THAN COM– 8.Wrong reagent Possible reaction Is reagent sampled beforePOSITION pumping ?
AS WELL AS 9.Impurity in reagent Possible overpressure, if What are the possible volatile impurities?
LESS PRESSURE 10. Break in flare or Reagent released Consider low pressure alarm nitrogen lines11. Loss of nitrogen Tank implodes What is design vacuum of
tank ?12. CV-2 fails closed Tank implodes13. PIC fails Tank implodes
MORE 14. PIC fails Reagent released via R.valveWhat is capacity of CV-1 R. valve?
15. CV-1 fails closed Reagent released via Relief16. V-7 closed Same as (15) Is V-7 locked open?17. Overfill tank See (6) Is V-8 locked open?
Failure Modes and Effects Failure Modes and Effects Analysis ‘FMEA’Analysis ‘FMEA’
An inductive technique to An inductive technique to identify systematically potential identify systematically potential hardware failure modes and hardware failure modes and analyse their consequencesanalyse their consequences
Technique based on reliability Technique based on reliability technologytechnology
Analyses risk in semi-Analyses risk in semi-quantitative or quantitative formquantitative or quantitative form
DEFINE SYSTEM
IDENTIFY HAZARDS
HAZARDOUSEVENTS HAZARDS
EVENTS CONTINUINGHAZARDS
ANALYSE CONSEQUENCES
DECIDE RISK CONTROL STRATEGY
VERIFY
ESTIMATE/
MEASURE RISKS
EVALUATE RISKS
NO CHANGE (MONITOR)
YESYES
NONO IS RISK TOLERABLE?
Task-based approachTask-based approachHAZOPSHAZOPSFMEAFMEA
CHECK-LIST
Event Tree AnalysisEvent Tree Analysis
Fault Tree AnalysisFault Tree AnalysisEvent Tree AnalysisEvent Tree Analysis
CHierarchy
Risk Matrix or Risk Calculator
1 in 10,000
1 in 1m
QRA
Steps in advanced Steps in advanced risk assessmentrisk assessment
Cost-Benefit AnalysisCost-Benefit Analysis
FMEA analytical procedureFMEA analytical procedure
Break down system /machine Break down system /machine /equipment to component level/equipment to component level
Describe how many ways a Describe how many ways a component can fail (failure component can fail (failure modes). These include: modes). These include: fail to operate at prescribed timefail to operate at prescribed time fail to cease operation at fail to cease operation at
prescribed timeprescribed time premature operationpremature operation
FMEA analytical procedureFMEA analytical procedure
Analyse the effects of each Analyse the effects of each failure modefailure mode
Determine how serious each Determine how serious each failure mode is (ranking order)failure mode is (ranking order)
Decide which failure modes will Decide which failure modes will result in intolerable risksresult in intolerable risks
Recommend corrective/ Recommend corrective/ preventive actions to reduce preventive actions to reduce risks by designrisks by design
Example: Chlorine storage Example: Chlorine storage systemsystem
Pressure
switch
Storage
tank
Relay
Pump
Valve
PT
Details of pressure switch Details of pressure switch designdesign
Pressure
switch
Storagetank
Relay
Pump
Valve
PT
PressureBellows
Micro-switch
PivotSpring
Beam
PRESSURE SWITCH
Details of the transmitter Details of the transmitter design: Normally Open relaydesign: Normally Open relay
Pressure
switch
Storagetank
Relay
Pump
Valve
PTRELAY
CoilSpringContacts
Wiring frompressure switch
Signal topump
FMEA: estimation and FMEA: estimation and evaluation of risksevaluation of risks
A
B
C
D
E
I II III IV
Probabilitylevel
MediumMedium risk risk
High riskHigh riskRP1RP1
RP3RP3
Low riskLow risk
RP2RP2
MediumMedium risk risk
Severity Category
A
B
C
D
E
Probabilitylevel
10-1
10-2
10-3
10-4
10-5
Description
I
II
III
IV
Severitycategory
Minor
Critical
Major
Catastrophic
DegreeFunctional failure – minor injury/ ill healthNo major damage or serious injuryMajor damage and/or potential serious injuryComplete system loss and/or potential fatality
Description
Probabilityvalue
Frequent
Probable
Occasional
Remote
Improbable
Risk assessment
FMEA No.
PROJECT No.
SYSTEM
SUBSYSTEM
DATE
PREP.BY
EVAL.BY
FAILURE MODES AND
EFFECTS ANALYSIS
1.0 PRESSURE SWITCH (to signal relay when tank pressure reaches a pre-set point)
Bellows cracking
Small release
Monitoring atmosphere
II C 2
Bellows rupture
Large release Monitoring IV D 1
Switch fails open
No pump trip
Observation of increase in pressure
IV C 1
Switch fails closed
Pump stops
Observation of constant pressure I C 3
Spring breaks
Pump stops Same as above I D 3
Pivot loose
Pump stops at higher pressure
Observation II C 2
2.0 RELAY (to trip pump)
Coil failure
No pump trip
Observation IV B 1
Pumping
Control
1 4
H.Raafat
Spring failure
Pump tripsNo pressure increase
I D 3
No pump trip
Observation IV C 1
Failure detection method
Failure effects
Failure modes
Component
(function)Item
Open circuit failure
Severity category
Probability level
* RPC
PAGE OF
* RPC = risk priority code1=high, 2=medium, 3=low
FMEA: worksheetFMEA: worksheet
ANALYSISANALYSISANALYSIS
ITEM COMPONENT(function)
FAILUREMODE
RISK ASSESSMENT
2.0 Relay CR-2
(to trip pump)
Coilfailure
Opencircuitfailure
FAILUREEFFECTS
No pumptrip
No pumptrip
FAILUREDETECTION
METHOD
Observation
Observation
Severitycategory
Probabilitylevel
Risk priority
code
IVIV
IVIV
BB
CC
11
11
FMEA: summary sheetFMEA: summary sheet
FMEA SUMMARYFMEA SUMMARYFMEA SUMMARY
ITEM COMPONENT FAILURE MODERISK
PRIORITYCODE
ACTION REQUIRED/REMARKS
2.0 Relay CR-2 Coil failure 1Design change: Make relay continuously energised+ high pressure alarm
2.0 Relay CR-2 Open circuit 1Design change: As above.NB. Short circuit failurewill require attention
Rank failure modes according to criticality;Decide actions required to reduce risks;Design measures should be considered as a priority
GuardGuard
closedclosed
GuardGuard
openopen
HazardHazard
Normally open (NO) cam-Normally open (NO) cam-activated electrical switchactivated electrical switch
GuardGuardclosedclosed
GuardGuardopenopen
HazardHazard
Normally closed (NC) cam-Normally closed (NC) cam-activated electrical switchactivated electrical switch
Cam operated electrical limit switchesCam operated electrical limit switches
Event Tree Analysis ‘ETA’Event Tree Analysis ‘ETA’ Inductive technique to analyse Inductive technique to analyse
systematically the consequences of systematically the consequences of an event, action or decisionan event, action or decision
Based on decision trees which uses Based on decision trees which uses binary logicbinary logic
Begins with an initiating or triggering Begins with an initiating or triggering event and follows through potential event and follows through potential scenarios (outcomes)scenarios (outcomes)
Technique for the quantification of Technique for the quantification of risksrisks
DEFINE SYSTEM
IDENTIFY HAZARDS
HAZARDOUSEVENTS HAZARDS
EVENTS CONTINUINGHAZARDS
ANALYSE CONSEQUENCES
DECIDE RISK CONTROL STRATEGY
VERIFY
ESTIMATE/
MEASURE RISKS
EVALUATE RISKS
NO CHANGE (MONITOR)
YESYES
NONO IS RISK TOLERABLE?
Task-based approachTask-based approachHAZOPSHAZOPSFMEAFMEA
CHECK-LIST
Event Tree AnalysisEvent Tree Analysis
Fault Tree AnalysisFault Tree AnalysisEvent Tree AnalysisEvent Tree Analysis
CHierarchy
Risk Matrix or Risk Calculator
1 in 10,000
1 in 1m
QRA
Steps in advanced Steps in advanced risk assessmentrisk assessment
Cost-Benefit AnalysisCost-Benefit Analysis
Fire protection systemFire protection system
Event Tree can be used to Event Tree can be used to calculate the reliability of the calculate the reliability of the fire protection systemfire protection system
The protection system consists The protection system consists of:of: smoke detectorsmoke detector audible alarmaudible alarm drench valvedrench valve sprinkler (water system)sprinkler (water system)
WATER
PROCESS
Sprinkler System
Valve
Detector
ALARM
Control
“FIRE”“FIRE”
FailsFails
Success
MajorMajorFire
AA BB CC DD EEInitiating
eventDetector Valve Water
supply
SuccessSuccessAlarm
Major fireMajor firePossible fatalitiesPossible fatalities
Sprinkler mightSprinkler mightworkwork
Evacuation ofEvacuation ofpersonnelpersonnel
No sprinklerNo sprinklerprotectionprotection
Quantification of Event TreesQuantification of Event Trees
Allocate probability to each Allocate probability to each eventevent Note binary logicNote binary logic
Multiply probabilities along Multiply probabilities along each brancheach branch
“FIRE”“FIRE”
FailsFails
Success
P = 0.1P = 0.1
P = 0.90
P = 0.05P = 0.05
P = 0.95
P = 0.9
P = 0.1P = 0.1
P = 0.95
P = 0.05P = 0.05
P=0.731
Evacuation ofEvacuation ofpersonnelpersonnel
No sprinklerNo sprinklerprotectionprotection
P=0.1
Major fire
Possible fatalities
Sprinkler might work
MajorFire
AA BB CC DD EEInitiatingEvent
Detector Valve Water supply
SuccessSuccessAlarm
Calculation of riskCalculation of risk
In order to calculate the level of In order to calculate the level of risk, it is essential to estimate the risk, it is essential to estimate the frequency of ‘FIRE’frequency of ‘FIRE’
Multiply this frequency by final Multiply this frequency by final probability of each branch of treeprobability of each branch of tree
Can calculate Individual Risk, if Can calculate Individual Risk, if the proportion of time exposed & the proportion of time exposed & vulnerability known/estimatedvulnerability known/estimated
“FIRE”“FIRE”
FailsFails
Success
P = 0.1P = 0.1
P = 0.90
P = 0.05P = 0.05
P = 0.95
P = 0.9
P = 0.1P = 0.1
P = 0.95
P = 0.05P = 0.05
Evacuation ofEvacuation ofpersonnelpersonnel
No sprinklerNo sprinklerprotectionprotection
Major fire
Possible fatalities
Sprinkler might work
MajorFire
AA BB CC DD EEInitiatingEvent
Detector Valve Water sprinkler
SuccessSuccessAlarm
ƒ = 0.1/yr
ƒ = 0.0731 /yr
ƒ = 0.01/yr
Fault Tree Analysis ‘FTA’Fault Tree Analysis ‘FTA’
Deductive technique to identify Deductive technique to identify combinations of events (causes) resulting combinations of events (causes) resulting in particular outcome (loss/accident)in particular outcome (loss/accident)
Combines hardware failures and human Combines hardware failures and human error in the same studyerror in the same study
Provides systematic basis for qualitative Provides systematic basis for qualitative and quantitative measurement of riskand quantitative measurement of risk
Useful technique for accident investigation Useful technique for accident investigation and analysisand analysis
One of the most powerful risk management One of the most powerful risk management toolstools
DEFINE SYSTEM
IDENTIFY HAZARDS
HAZARDOUSEVENTS HAZARDS
EVENTS CONTINUINGHAZARDS
ANALYSE CONSEQUENCES
DECIDE RISK CONTROL STRATEGY
VERIFY
ESTIMATE/
MEASURE RISKS
EVALUATE RISKS
NO CHANGE (MONITOR)
YESYES
NONO IS RISK TOLERABLE?
Task-based approachTask-based approachHAZOPSHAZOPSFMEAFMEA
CHECK-LIST
Event Tree AnalysisEvent Tree Analysis
Fault Tree AnalysisFault Tree AnalysisEvent Tree AnalysisEvent Tree Analysis
CHierarchy
Risk Matrix or Risk Calculator
1 in 10,000
1 in 1m
QRA
Steps in advanced Steps in advanced risk assessmentrisk assessment
Cost-Benefit AnalysisCost-Benefit Analysis
Explosiveconcentration
Temperatureto ignite
TOPTOPEVENTEVENT
FTAFTA
EXPLOSION
Ignitionsource
Energyto ignite
Heatedsurfaces
Nakedflame
Electro-static
Sparksgenerated
ANDAND
1st level1st level
2nd level2nd level
3rd level3rd level
OROR
OROROROR
OROR
The ‘OR’ GateThe ‘OR’ Gate
ARRIVE LATE A
OR
WAKE UP LATE X
DELAYED EN ROUTE Y
INCORRECT TIME Z
TOP EVENT (OUTPUT)
INPUT EVENTS
Event ‘A’ occurs if (at least) one of X OR Y OR Z occurs
The ‘AND’ GateThe ‘AND’ Gate
AND
FIRE A
TOP EVENT (OUTPUT)
INPUT EVENTS
FLAMMABLE CONCENTRATION
X
IGNITION SOURCE
Y
&
Event ‘A’ occurs if both X AND Y occur
Fuse
Switch
Bulb 1
Bulb 2Power Source
Room dark
Power off
Power supply failed
Switch open
Fuse Blown
Both bulbs burned out
Bulb 1 burned out
Bulb 2 burned out
FTA –lighting systemFTA –lighting system
Human Reliability Human Reliability Analysis Analysis (HRA)(HRA)
Richard BoothRichard Booth
Risk Assessment Risk Assessment MethodologiesMethodologies
Machine/ Process
CONTROLS
Display
HUMAN-MACHINE INTERFACE
Human error ratesHuman error rates
10 10 10 10 10 1.0-5 -4 -3 -2 -1
SKILL
RULE
KNOWLEDGE
ERROR RATE
Err
or
Rat
e
Stress Level
Bored Over-excited
Human Error as a function of stress levelHuman Error as a function of stress level
Hierarchical Task Analysis Hierarchical Task Analysis ‘HTA’‘HTA’
A process of developing a A process of developing a description of a task in description of a task in terms of operations - things terms of operations - things which people should do and which people should do and plans - statements of plans - statements of conditions when each conditions when each task/step has to be carried task/step has to be carried outout
Hierarchical Task AnalysisHierarchical Task Analysis
(HTA)(HTA)
Prepare a cup ofmedium sweet tea
Prepare cupand tea bag
Switch ONkettle
Pour boilingwater ontea bag
Add milk tocorrect
concentration
Add onespoon of
sugar
1 2 3 4 5
Example: Wiring three-pin plugExample: Wiring three-pin plug
Washing machine - no plug + no Washing machine - no plug + no instructionsinstructions
Old plug, three fuses: 3A, 5A Old plug, three fuses: 3A, 5A and 13Aand 13A
Three wires: blue, brown + Three wires: blue, brown + yellow/greenyellow/green
Screw driver and Stanley knifeScrew driver and Stanley knife Task Analysis ‘HTA’Task Analysis ‘HTA’
Hierarchical Task Analysis Hierarchical Task Analysis ‘HTA’‘HTA’ 0
WIRE A THREE PIN PLUG
1
PREPARE PLUG
2
PREPARE CABLE
3 4
TEST PLUG
2.1
CUT & STRIP OUTER CABLE SHEATH
2.2 2.3
CARRY OUT ASSEMBLY
3.2 3.3 3.4
SELECT AND FIT 13 Amp FUSE
3.5
TIGHTEN CABLE STRIP & REPLACE COVER
Plan 0: do in order
Plan 2: 1 then 2 then 3
Plan 3: 1,2,3,4 then 5
CUT & STRIP INDIVIDUAL WIRES AS MARKED
TERMINATE ALL 3 WIRE STRANDS
3.1
FIT BLUE WIRE IN TERMINAL 1 & TIGHTEN SCREW
FIT YELLOW WIRE IN TERMINAL 2 & TIGHTEN SCREW
FIT BROWN WIRE IN TERMINAL 3 & TIGHTEN SCREW
Risk Decision-Risk Decision-makingmaking
Tolerability decisionsTolerability decisions
Professional judgementProfessional judgement reliance on professionals to make risk reliance on professionals to make risk
decisionsdecisions BootstrappingBootstrapping
what people tolerated in past: basis what people tolerated in past: basis for future risk criteriafor future risk criteria
Cost-Benefit AnalysisCost-Benefit Analysis decisions made by comparing costs decisions made by comparing costs
and benefits of an activity in and benefits of an activity in monetary termsmonetary terms
DefinitionsDefinitions
Risk: Risk: Quantified risk assessmentQuantified risk assessment Chance / probability something Chance / probability something
adverse will happenadverse will happen Intolerable riskIntolerable risk
Risk cannot be justified save in Risk cannot be justified save in extraordinary circumstancesextraordinary circumstances
DefinitionsDefinitions
Tolerable riskTolerable risk Risk society tolerates for benefits in Risk society tolerates for benefits in
belief that risk properly controlled belief that risk properly controlled
Acceptable riskAcceptable risk Risk regarded by those exposed as Risk regarded by those exposed as
not worthy of worry not worthy of worry
HSE ‘ALARP’HSE ‘ALARP’
Intolerable RiskIntolerable RiskUpperUpperLimitLimit
LowerLowerLimitLimit
NegligibleNegligible
As Low As ReasonablyAs Low As Reasonably Practicable ‘ALARP’Practicable ‘ALARP’
Broadly acceptableBroadly acceptable
HSE ‘ALARP’ HSE ‘ALARP’
Intolerable RiskIntolerable RiskUpper Limit:Upper Limit:1 in 1,000 (workers)1 in 1,000 (workers)1 in 10,000 (public)1 in 10,000 (public)Risk of death / yearRisk of death / year
Lower Limit:Lower Limit:1 in a million 1 in a million (workers & public)(workers & public)Risk of death / yearRisk of death / yearNegligibleNegligible
As Low As ReasonableAs Low As Reasonable Practicable ‘ALARP’Practicable ‘ALARP’
Broadly acceptableBroadly acceptable
DefinitionDefinition
Perceived riskPerceived risk Evaluation by an individual of Evaluation by an individual of
the likelihood of an adverse the likelihood of an adverse event and the likely event and the likely consequencesconsequences
Note: definition of risk close Note: definition of risk close to BS 8800 (1996 & 2004)to BS 8800 (1996 & 2004)
The Statistics of Risk - The Statistics of Risk - presentation of risk datapresentation of risk data
Probability of death expressed as Probability of death expressed as an annual experiencean annual experience
Probability of death as a Probability of death as a consequence of an activityconsequence of an activity
Relative risk of death from Relative risk of death from specified specified exposureexposure compared with compared with no (or no (or lower)lower) exposure exposure
Average loss of life expectancy Average loss of life expectancy from exposure to a riskfrom exposure to a risk
Cause of DeathCause of Death chance/yearchance/yearAll causesAll causes
Overall averageOverall average55-6455-64 menmen
womenwomen35-4435-44 menmen
womenwomen5-145-14 boysboys
girlsgirls
Hang glidingHang glidingRoad accidentsRoad accidents
Gas explosion (home)Gas explosion (home)Electrocution (home)Electrocution (home)LightningLightning
1 in 871 in 871 in 651 in 65
1 in 1101 in 1101 in 5781 in 5781 in 8731 in 873
1 in 4,4001 in 4,4001 in 6,2501 in 6,250
1 in 6701 in 6701 in 10,2001 in 10,200
1 in 1 million1 in 1 million1 in 1 million1 in 1 million
1 1 in 10 millionin 10 million
Death as an annual experienceDeath as an annual experience
Cause of DeathCause of Death chance/yearchance/year
Work AccidentsWork Accidentsdeep sea fishingdeep sea fishingextraction oil / gasextraction oil / gasconstructionconstructionagricultureagricultureall manufacturingall manufacturing
1 in 7501 in 7501 in 9901 in 990
1 in 10,2001 in 10,2001 in 13,5001 in 13,5001 in 53,0001 in 53,000
Death as an annual experienceDeath as an annual experience
ActivityActivity Chance ofChance ofdeathdeath
Travel for 100,000 kmTravel for 100,000 kmby motor bikeby motor bikeby pedal cycleby pedal cycleby carby carby railby railby busby busby airby air
Balloon (Atlantic)Balloon (Atlantic)
PregnancyPregnancy
AnaesthesiaAnaesthesia
1 in 1001 in 1001 in 2001 in 200
1 in 2,2001 in 2,2001 in 9,0001 in 9,0001 in 22,0001 in 22,0001 in 44,0001 in 44,000
1 in 31 in 3
1 in 13,0001 in 13,000
1 in 25,0001 in 25,000
Death as a consequence of an activityDeath as a consequence of an activity
CauseCauseLoss of LifeLoss of Life
Expectancy (days)Expectancy (days)
Being unmarried (male)Being unmarried (male)Smoker (male)Smoker (male)Being unmarried (female)Being unmarried (female)Smoker (female)Smoker (female)Dangerous jobDangerous jobVehicle accidentsVehicle accidentsHomicideHomicideAverage jobAverage jobMedical X raysMedical X raysCoffee drinkingCoffee drinkingReactor accidentsReactor accidentsNuclear industryNuclear industrySmoke alarmSmoke alarmMobile coronary-care unitsMobile coronary-care units
3,5003,5002,2502,2501,6001,600800800300300207207909074746666
0.2 to 20.2 to 20.20.2-10-10-125-125
Average loss of life expectancy as a Average loss of life expectancy as a consequence of an activityconsequence of an activity
CBA Rational methodCBA Rational method
CBA only rational basis for CBA only rational basis for making risk tolerability/ making risk tolerability/ acceptability judgementsacceptability judgements
Framework for identifying and Framework for identifying and quantifying all desirable and quantifying all desirable and undesirable consequences of undesirable consequences of an activityan activity
Cost-benefit modelCost-benefit modelCost £Cost £
Number of accidentsNumber of accidents
Cost preventionCost prevention- Employer- Employer
Cost accidentsCost accidents- Employer- Employer
Total CostsTotal Costs- Employer- Employer
‘‘Optimum’ performanceOptimum’ performance- Employer- Employer
Public perceptions: key issuesPublic perceptions: key issues
The statistics of risk and lThe statistics of risk and lay estimates of ay estimates of statistical risksstatistical risks
Experts’ criticisms of lay risk decisions Experts’ criticisms of lay risk decisions Risk-averse litigious societyRisk-averse litigious society Media influenceMedia influence Trust and competence; Trust and competence; erosion of public erosion of public
confidenceconfidence Reminders of riskReminders of risk Costs & benefits (NIMBY)Costs & benefits (NIMBY) Personal choice & control – risk-taking Personal choice & control – risk-taking
behaviourbehaviour Knowledge and DreadKnowledge and Dread
Accident investigation Accident investigation and Analysisand Analysis
Accident Analysis - OverviewAccident Analysis - Overview
Objectives : Objectives : To provide familiarity To provide familiarity withwith
The purpose of accident The purpose of accident investigation and analytical methodsinvestigation and analytical methods
The accident investigation processThe accident investigation process Analytical methodsAnalytical methods
Fault tree analysis (FTA) – covered in risk Fault tree analysis (FTA) – covered in risk assessmentassessment
Events & Causal Factors AnalysisEvents & Causal Factors Analysis Change AnalysisChange Analysis
Change Analysis: fall in Victoria SquareChange Analysis: fall in Victoria SquareNormal SituationNormal Situation Accident situationAccident situation CommentsComments
Time to get to station 30mTime to get to station 30m Time to get to station Time to get to station 35m35m
Indicates that IP (me) Indicates that IP (me) was not walking unduly was not walking unduly fast, as was the casefast, as was the case
Preoccupied when going to Preoccupied when going to catch a traincatch a train
More preoccupied than More preoccupied than usual when going to usual when going to catch (the) traincatch (the) train
Result of dealing with Result of dealing with arrangements for AI arrangements for AI Course at last minuteCourse at last minute
Stress state ‘normal’Stress state ‘normal’ Stress state ‘elevated’Stress state ‘elevated’ Anxiety about CourseAnxiety about Course
No physical barriers for No physical barriers for normal route (and no steps)normal route (and no steps)
Frankfurt ‘Christmas’ Frankfurt ‘Christmas’ Market in operationMarket in operation
Diversion necessary Diversion necessary from normal route (one from normal route (one step to descend)step to descend)
Pedestrians few and no effort Pedestrians few and no effort to navigate aroundto navigate around
Pedestrians difficult to Pedestrians difficult to navigate aroundnavigate around
Also, carrying a Also, carrying a shoulder bag and shoulder bag and rucksackrucksack
No unusual ‘distractions’No unusual ‘distractions’ Market stalls a Market stalls a significant distractionsignificant distraction
Attention directed to Attention directed to stall producestall produce
Walking/observing on Walking/observing on ‘autopilot’‘autopilot’
Walking/observing on Walking/observing on ‘autopilot’‘autopilot’
No recognition of No recognition of changed changed circumstances /routecircumstances /route
Change Analysis: fall in Victoria Square Change Analysis: fall in Victoria Square - consequences- consequences
Normal SituationNormal Situation Accident situationAccident situation CommentsComments
Accept full first aid Accept full first aid treatmenttreatment
Cancelled ambulance Cancelled ambulance despite police advice despite police advice (and not given (and not given necessary treatment)necessary treatment)
Situational violation Situational violation (need to catch the (need to catch the train)train)
Safe arrival at stationSafe arrival at station Fall on unseen step, Fall on unseen step, and arrival at station and arrival at station bloody and shakenbloody and shaken
Delegates at AI course Delegates at AI course impressed by this impressed by this Change Analysis! Change Analysis!
Emergency admission Emergency admission to hospital suffering to hospital suffering from whiplash injuries from whiplash injuries three days later three days later
Investigation PurposesInvestigation Purposes
In GeneralIn General To understand the failures which gave rise To understand the failures which gave rise
to the exact pattern of eventsto the exact pattern of events To identify the conditions that have proven To identify the conditions that have proven
inadequate, both in order to:inadequate, both in order to:
Identify root causesIdentify root causes Latent errors versus Active errorsLatent errors versus Active errors Prevent all accidents with common rootsPrevent all accidents with common roots
To LearnTo Learn
Role of Analytical Investigation - Role of Analytical Investigation - SummarySummary
To counteract investigator biasesTo counteract investigator biases To assist the process of gathering To assist the process of gathering
evidenceevidence To verify investigation findingsTo verify investigation findings To co-ordinate investigative To co-ordinate investigative
activitiesactivities To identify root causesTo identify root causes To assist the communication of To assist the communication of
findingsfindings
Investigator BiasInvestigator Bias
Inappropriate general theoriesInappropriate general theories Mind setsMind sets Stop rulesStop rules HindsightHindsight Stakeholder biasStakeholder bias
eg, litigation (defendant / plaintiff)eg, litigation (defendant / plaintiff) Eg, prosecutionEg, prosecution
Effects of Inadequate Effects of Inadequate InvestigationInvestigation
Incomplete investigations and / Incomplete investigations and / or misleading conclusions lead or misleading conclusions lead toto Inappropriate allocation of resources Inappropriate allocation of resources
to preventative measuresto preventative measures Danger remaining in the workplace or Danger remaining in the workplace or
work practicework practice See earlier notes on ‘traditional’ See earlier notes on ‘traditional’
accident investigation and accident investigation and accident causationaccident causation
Activity Phases in InvestigationsActivity Phases in Investigations
Critical initial actionsCritical initial actions Collecting relevant factual informationCollecting relevant factual information Analysing the information collectedAnalysing the information collected Integrating the factual findings and Integrating the factual findings and
analytical resultsanalytical results Reaching valid and meaningful Reaching valid and meaningful
conclusionsconclusions Establishing reasonable recommendationsEstablishing reasonable recommendations Reporting result for actionReporting result for action
Exercise: FLT Fatal AccidentExercise: FLT Fatal Accident
Person lies dead Person lies dead on the warehouse on the warehouse floorfloor
Tyre track on his Tyre track on his body definitely body definitely matches FLTmatches FLT
FLT driver was FLT driver was taken to hospital taken to hospital in a state of in a state of shockshock
Accident SceneAccident Scene
Warehouse
X
Racking
Victim
FLT
Offices
Fatality due to FLT collision
&
FLT Collides with person
&
Victim
Dies
Person in the FLT Path
FLT Fails to Stop
Not aware ofNeed to Stop
Aware but
unable to Stop
Driveractually
Ill
DrivingToo fast
FaultyBrakes
Not Awareof Person
Thinksperson will evade
1
Person Aware of FLT
Unaware of FLT
Thinks FLT will Evade
Unable to move out of way
Personactually Ill
PersonSlips/trip Falls
DisabledTime tooshort
&
Person DidNot See FLT
Person DidNot Hear FLT
2 3
Poor visibilityVision obstructedNot lookingReversingPerson Conspicuity
Poor visibilityVision obstructedNot lookingvisually impairedFLT Conspicuity
Wearing PPENoisy placeFLT quietWearing stereoHearing impaired
FLT AccidentFLT AccidentInvestigationInvestigation
Events and Casual Factors Events and Casual Factors Analysis - PurposesAnalysis - Purposes
Organises the data and the reportOrganises the data and the report Clarifies reasoningClarifies reasoning Illustrates multiple causesIllustrates multiple causes Displays interactions and relationshipsDisplays interactions and relationships Illustrates chronologyIllustrates chronology Provides flexibility in interpretation of dataProvides flexibility in interpretation of data Efficient communication tool for A/I Efficient communication tool for A/I
teamworkteamwork Links specific factors to organisational Links specific factors to organisational
factorsfactors
Events and Casual FactorsEvents and Casual FactorsGeneral FormatGeneral Format
Systemic Factors
Contributing Factors
Systemic factors
Contributing factors
Secondary events
Primary events
ECF Chart FormatECF Chart Format
Events should be organised in Events should be organised in chronological order from L to Rchronological order from L to R
Events should bear the time where Events should bear the time where knownknown
Events should be enclosed in Events should be enclosed in rectangles, Conditions in ovalsrectangles, Conditions in ovals
Events should be connected with Events should be connected with solid lines, Conditions with dashessolid lines, Conditions with dashes
Anything without valid evidence Anything without valid evidence should be in dashed boxes/ovalsshould be in dashed boxes/ovals
ECF Chart Format (cont)ECF Chart Format (cont)
The primary sequence of events The primary sequence of events should be a bold central lineshould be a bold central line
Secondary event sequences, Secondary event sequences, contributing and systemic factors contributing and systemic factors should be shown above or below should be shown above or below the primary linethe primary line
Break out each significant actor into Break out each significant actor into a parallel primary line (optional)a parallel primary line (optional)
Model: pre-accident > accident > Model: pre-accident > accident > ameliorationamelioration
Events & Conditions CriteriaEvents & Conditions Criteria
Events should describe occurrences NOT Events should describe occurrences NOT conditions or resultsconditions or results
Event descriptions should contain one subject Event descriptions should contain one subject and one active verband one active verb
Conditions are passive and singularConditions are passive and singular Describe events and conditions preciselyDescribe events and conditions precisely Events are single discrete occurrencesEvents are single discrete occurrences Quantify events and conditions where possibleQuantify events and conditions where possible Annotate with the time where knownAnnotate with the time where known Each event must be derived from the events Each event must be derived from the events
conditions preceding itconditions preceding it
Labourer fatally injured in a Quarry ConveyorLabourer fatally injured in a Quarry Conveyor
18-year old male employed as a labourer. He was 18-year old male employed as a labourer. He was sweeping a work area when he slipped on wet sweeping a work area when he slipped on wet floor and fell into conveyor belt that was floor and fell into conveyor belt that was unguarded and in motion. He was asphyxiated as unguarded and in motion. He was asphyxiated as a result of being drawn into the conveyor a result of being drawn into the conveyor
Conveyor fixed-guard removed by two fitters Conveyor fixed-guard removed by two fitters weeks before to carry out maintenance work; weeks before to carry out maintenance work; guard not replaced. Check carried out by a guard not replaced. Check carried out by a manager on the safety of the conveyor, and fitters manager on the safety of the conveyor, and fitters told to replace the guard. This they did. Fitters not told to replace the guard. This they did. Fitters not admonishedadmonished
Conveyor guard was again removed by the same Conveyor guard was again removed by the same two fitters to carry out maintenance and was not two fitters to carry out maintenance and was not replaced. No subsequent checks were carried out replaced. No subsequent checks were carried out on the conveyor guard before accidenton the conveyor guard before accident
DP asphyxiated1600
7-4-08
DP starts to sweep up work area floor
7-4-08
DP employed as a labourer10-3-08
DP slippedon floor
just before 16007-4-08
DP fell into conveyor
just before 16007-4-08
Conveyor unguarded
DP wearing unsuitable footwear
No hazard-spotting training
given
Floor wet and slippery
Labourer fatally injured in an un-guarded conveyor
Manager did not criticise Fitters for
not replacing guard
20-3-08
Fitters fail to replace guard after
maintenance12-3-08
Conveyor required regular
maintenance
Staff not criticised for breaking safety
rules
Fitters (again) fail to replace guard
after maintenance26-3-08
Conveyor Inspection
schedule not adhered to
Fitters replace guard
21-3-08
Manager instructs fitters to replace
guard20-3-08
DP did notrealize conveyor was dangerous
Manager observes unguarded conveyor20-3-08
Inspections dueon 27-3-08 & 3-4-08 not carried out
No interlocked guard fitted
Conveyor in motion
DP drawn into conveyor belt
just before 16007-4-08
Inspection procedures
LTA
‘‘Northern Tower’Northern Tower’
Accident Accident InvestigationInvestigation
Richard BoothRichard Booth
Northern Tower: Window Cleaner fatally injured by Roof Hoist Cleaning Machine
DP fatally injured when a rail-mounted window cleaning DP fatally injured when a rail-mounted window cleaning machine ran down a slope and trapped him between cable machine ran down a slope and trapped him between cable winding drum and a ventilation duct. He remained alive for 5 winding drum and a ventilation duct. He remained alive for 5 mins. He was working alone, and no CCTV. He had stopped mins. He was working alone, and no CCTV. He had stopped machine at top of the incline to re-route electric cable. machine at top of the incline to re-route electric cable.
DP started work with cleaning company. He received only DP started work with cleaning company. He received only cursory trainingcursory training
Equipment had been … delivered to client (who had not Equipment had been … delivered to client (who had not assessed the competence of the supplier). The design did assessed the competence of the supplier). The design did not comply with relevant BS: not fitted with brake, and not comply with relevant BS: not fitted with brake, and trapping points existed, including fatal trap (not identified by trapping points existed, including fatal trap (not identified by supplier. supplier.
These shortcomings were also not identified by H&S These shortcomings were also not identified by H&S Inspector who examined equipmentInspector who examined equipment
Northern Tower: Window Cleaner fatally injured by Roof Northern Tower: Window Cleaner fatally injured by Roof Hoist Cleaning MachineHoist Cleaning MachineA young man was fatally injured (the DP) when a rail-mounted A young man was fatally injured (the DP) when a rail-mounted window cleaning machine ran down a slope and trapped him window cleaning machine ran down a slope and trapped him between the cable winding drum and a ventilation duct (1645 on 4 between the cable winding drum and a ventilation duct (1645 on 4 April 2008). He remained alive for approximately 5 minutes – he April 2008). He remained alive for approximately 5 minutes – he could partially breathe. He was working alone, and there was no could partially breathe. He was working alone, and there was no CCTV on the roof. He had stopped the machine at the top of the CCTV on the roof. He had stopped the machine at the top of the incline to re-route the electric cable to avoid it becoming snagged incline to re-route the electric cable to avoid it becoming snagged
The DP started work with the cleaning company on 25 March 2008. The DP started work with the cleaning company on 25 March 2008. He had received only cursory trainingHe had received only cursory training
The equipment had been designed, built and delivered to the client The equipment had been designed, built and delivered to the client (who had not assessed the competence of the supplier, XX (who had not assessed the competence of the supplier, XX Engineering Ltd) in June 2000. The design did not comply with the Engineering Ltd) in June 2000. The design did not comply with the relevant British Standard in that the equipment was not fitted with a relevant British Standard in that the equipment was not fitted with a brake, and trapping points existed. In particular, the trap between brake, and trapping points existed. In particular, the trap between the ventilation duct and cable drum was not identified by XX the ventilation duct and cable drum was not identified by XX Engineering Ltd. Cable snagging was a continual problem. These Engineering Ltd. Cable snagging was a continual problem. These shortcomings were also not identified by the Government Health and shortcomings were also not identified by the Government Health and Safety Inspector who examined the equipment in operation on 10 Safety Inspector who examined the equipment in operation on 10 July 2000July 2000
DP asphyxiated1645
4-4-08
DP stops machine at top of slopeC 16,38 4-4-08
DP employedas a window
cleaner25-3-08
DP walked from machine to vicinity of ventilation duct
C 1639 4-4-08
Machine moved slowly down slope
on railsC 1639.50
4-4-08
Trap between drum & duct
remains
Brake stillnot fitted
Cursory training given
Northern TowerWindow Cleaner fatally injured by Roof Hoist
Cleaning MachineECFA
Machine designed6-00
Clientprocurement procedures
LTA
No reference made to relevant
BSs
Machine installed on roof
6-08
Inspector’sReport approves safety standards
Machine buiit6-08
XX Engineering Ltd contracted to supply machine
before 6-00
DP did notrealize machine was dangerous
Safety Inspector evaluated machine
safety in motion10-7-2000
DP partially ableto breathe
DP trapped between cable
drum and ventilation ductC 1640 4-4-08
Inspection procedures
LTA
DP cleans windows with
cleaning machine4-4-08
Designeers’ competence LTA
No braking system
Trap between cable drum and
ventilation duct not detected
Roof not covered by CCTV
DP working alone
Fatal AccidentFatal Accidenton North Sea Gas Rigon North Sea Gas Rig
ObjectivesObjectives
Management of construction Management of construction projectsprojects
Safety management procedures Safety management procedures for the workfor the work
Challenges of ensuring high Challenges of ensuring high safety standards even in safety standards even in companies with companies with sophisticatedsophisticated systemssystems
ObjectivesObjectives
From a study of what went wrong in From a study of what went wrong in this case:this case: Practical skills in construction safetyPractical skills in construction safety Practical skills in construction managementPractical skills in construction management Don’t take anything for granted!Don’t take anything for granted! Don’t ‘walk by’ – but diplomatic action!Don’t ‘walk by’ – but diplomatic action!
Key immediate eventsKey immediate events
DP replacing corroded stair treads on DP replacing corroded stair treads on the Rigthe Rig
Fell into gap between two removed Fell into gap between two removed treadstreads
Fell circa 5mFell circa 5m No fall protectionNo fall protection (Other tasks on 11 November) (Other tasks on 11 November)
Proximate causal factorsProximate causal factors
Approved P2W (RA) LTAApproved P2W (RA) LTA Fall protectionFall protection (Manual handling) (Manual handling)
Apparent non-compliance with Apparent non-compliance with P2W:P2W: SledgehammerSledgehammer Two treads removed concurrently Two treads removed concurrently
(routinely?)(routinely?)
Root causesRoot causes
Arrangements re Oilco and UMIC (a Arrangements re Oilco and UMIC (a consortium)consortium) Overall interfaceOverall interface Planning maintenance workPlanning maintenance work Method statements and risk assessments Method statements and risk assessments
on-shoreon-shore P2W / risk assessments P2W / risk assessments off-shoreoff-shore Monitoring complianceMonitoring compliance
Overall InterfaceOverall Interface
Contractual arrangements: client Contractual arrangements: client and contractorand contractor
Changes in methods for safety Changes in methods for safety appraisal (Oilco-instigated)appraisal (Oilco-instigated)
Some confusionSome confusion
Planning maintenance workPlanning maintenance work
Work needed identified off-Work needed identified off-shore (DP as PA)shore (DP as PA)
Workpack prepared on-shore Workpack prepared on-shore (GA – UMIC)(GA – UMIC)
Workpack approved off-shore Workpack approved off-shore (budget) (Oilco)(budget) (Oilco)
Method statements and risk Method statements and risk assessments on-shoreassessments on-shore
Oilco’s ARAT scheme made UMIC’s Oilco’s ARAT scheme made UMIC’s risk assessments redundantrisk assessments redundant
Superficial MS (no explicit RA), but Superficial MS (no explicit RA), but ‘low risk’‘low risk’
Communications re precautions Communications re precautions LTALTA VerbalVerbal WrittenWritten
P2W / risk assessments off-shoreP2W / risk assessments off-shore
Create plausible assessment from ‘drop-Create plausible assessment from ‘drop-down’ menusdown’ menus
Distinction: task description and Distinction: task description and ‘specific controls’‘specific controls’ Two-tread removal Two-tread removal
No consideration by Committee of on-No consideration by Committee of on-shore Workpack materialsshore Workpack materials Two-man operationTwo-man operation MS and precautionsMS and precautions
P2W / risk assessments off-shoreP2W / risk assessments off-shore
Strategic approach: interfaces Strategic approach: interfaces and threats to Rigand threats to Rig
‘‘Low risk’ taskLow risk’ task No-one on Committee knew No-one on Committee knew
task, even JD (off-shore task, even JD (off-shore supervisor)supervisor)
Monitoring complianceMonitoring compliance
DP as PA his own ‘supervisor’DP as PA his own ‘supervisor’ Oilco AA inspections per MIM not carried Oilco AA inspections per MIM not carried
outout Scope?Scope?
UMIC checks intermittentUMIC checks intermittent All worthless:All worthless:
SledgehammerSledgehammer Two-tread removal(?)Two-tread removal(?) Fall protectionFall protection Manual handlingManual handling
UncertaintiesUncertainties
Approved toolsApproved tools Did supervisors not see risks, or turn blind Did supervisors not see risks, or turn blind
eye?eye? Events from start of final shiftEvents from start of final shift Two-tread removal routine?Two-tread removal routine?
Was there a distinctive problem on 11 November?Was there a distinctive problem on 11 November? Exactly what happenedExactly what happened
Feet firstFeet first Head firstHead first
ECFAECFA
Selection of primary and secondary Selection of primary and secondary eventsevents
Causal factors /conditions linking Causal factors /conditions linking primary and secondary eventsprimary and secondary events Showing how risks too high in November as Showing how risks too high in November as
a consequence of secondary eventsa consequence of secondary events
Sledgehammer is a handtool but use involved
substantial force
TR work on NE stairs commenced:
installed tape ‘barriers’
11-11-05Before 0830
DP fell head first between gap
created by the two removed treads
C 1023DP fell C 5m onto landing/stairway beneath gap in
treadsC 1023 11-11-05
(Alarm: 1024)
DP fitted two-way adaptor to
compressed air supplyC 1005
DP used sledge- hammer and
caulking chisel to
remove Tread 2C 0835
ISSOW committee: DP’s P2W for NW stairs approved by
Shell OIM03/11/05
No TR pre-start briefing/ RA/
toolbox talk carried out or recorded
4/5-11-05& 9/11-11-05
DP fell feet first between gap
created by the two removed treads
C 1023
DP returned to stairs with caulking
chiselBefore C 1010
DP attempted to step upwards across gap
between two removed treads
C 1023
DP placed caulking chisel on
upper landingC 1023
DP completely removed using caulking chisel
Tread 1C 1010-1020
DP removed all treads utilising Sledgehammer
4/5-11-05& 9/10-11-05
ISSOW committee: DP’s P2W for ‘NE’ stairs approved by
Shell OIM10/11/05
Use of sledge hammer not
observed (or seen and condoned)
4/5-11-05& 9/11-11-05
DP prepared Permit-to-work (P2W) for tread replacements on
NW stairs (inc RA)03/11/05
Shell Offshore Maintenance Supervisor approved Workpack06-09-05
DP sent Graham Atkinson (GA)
schedule of stair tread
replacements24-6-05
DP designated as Performing
Authority (PA) for TR task3-11-05
DP started/restarted tread
replacement (TR) on NW stairs
4-11-05& 9-11-05
DP explained use of sledge hammer to Tony Burgum
(AMEC)C 1005
TR work on NW stairs completed
10-11-05
DP prepared 8 light fittingsBefore 0830
MIM required Shell Area Authority (AA) to make scheduled
checks on work
Two men inter-alia needed (or mechanical aids)
for safe T handling
P2W went liveC 0615
11-11-05
Interface Shell-AMEC LTA
GA included Method Statement and some controls
for TR task in Workpack
Stair tread Workpack completed
onshore by GA05-09-05
Submission of a RA In Workpacks
still retained in AMEC pro-formas
2005
AMEC ceased to supply onshore RA
with EM workpacks
2001
AMEC staff took over preparation of
Workpacks with AMEC RA method
Shell contracted AMEC to carry out maintenance etc services offshore
before 1996
Shell ceased to use AMEC
onshore RA for Extraordinary
Maintenance (EM) tasks1999
Shell Asset Coordinator approved Workpack13-09-05
No RAs in Workpack
ISSOW committee: DP’s P2W for NW stairs approved by
Shell OIM08/11/05
No expliicit prohibition of Sledgehammer in MS or RA
P2W de-facto one-man task
DP P2W application contained LTA RA
Precaution: only one T to be removed
at a time
No requirement for RA in Extraordinary
MaintenanceWorkpacks
WorkpackTR Method Statement:
LTA as a taskdescription
Precautions:(barriers); not to leave
Stairs unattended with atread removed
Two tread removal mayhave occurred on first treads on each flight of NW stairs
One-on-one T removalnot specified as an explicit
risk control
No precautions: falls from heights; manual handling
Easier to removeT2 first (T1 tighter fit)
LTA document change control arrangements
LTA Audit/Reviewof SMS/RA procedures
Shell/AMEC WSsclaim that a sledgehammernot a ‘hand-tool’ (thus not
permitted)
Use of Sledgehammer involved ‘excessive’ force
DP as PA could notbrief etc himself
Shell & AMEC Monitoring/Supervision
of TR task LTA
DP as PA could notsupervise himself
DP removed two treads at a time
4/5-11-05& 9/10-11-05
T2 removed first (no evidence of attempt to fit T1 in place before
removing T2)
Shell ‘ARAT’ RA method adopted
by AMEC1997/98
Graham Atkinson (AMEC) began preparation of
2005 Extraordinary Maintenance
Workpack01-05
DP as a PerformingAuthority (PA) responsible for
preparing P2Ws
P2Ws issuedidentical (10/11/05 P2W
should have statedNE stairs)
ISSOW committee did not consider need for two-men
P2W proforma - no ‘field’for staff numbers
Workpack not seen by ISSOW
committee
DP describes TR task aseasy – no mention of special
problems on 11 Nov Sledgehammer foundupright on tread 4
(ie, not in use)
Shell and AMEC staff signed onto
DP’s P2W11-11-05
Unlikely to say ‘easy’ if problems with T1 removal encountered for first time
Undocumented informalRA still carried out by
AMEC onshore
Onshore Shell staff completed Workpacks for
offshore maintenance (including RA)
Shell evaluation of importance of
AMEC RA LTA
P2W: No precautions:falls from heights; manual
handling
Workpack specifiedtwo-man operation for TR
task
P2W: One-on-oneT removal not specified
as explicit risk control
Violation of P2W procedure
Shell/AMEC staff fittinglights (not involved with TR)
Approved P2W MS & RA LTA
P2W RA: “Do not use ‘excessive force’ re sprains/
strains & personal injury
P2W equipment: air drill, Cengar saw &
‘handtools’. Caulking chisel not included
P2W Task Description: ‘Stair treads to be change
out on one for one basis’
DP had break in tea room
C 0900 - 0930
Gap between two removed treads >> body dimensions
GA de factoacknowledged risk of fall
from height if one Tremoved
Systematic AA TR task monitoring during shift not
carried out4/5-11-05
& 9/10-11-05
Systematic AA TR task monitoring at start of shift not
carried out4/5-11-05
& 9/11-11-05
Systematic AA TR task monitoring at
end of shift not carried out4/5-11-05
& 9/10-11-05
Tread found on lowerlanding (outside protected
zone)
DP not wearingfall-arrest harness
No other means ofarresting fall
Use of Sledgehammer increased risk of falls from
height
Shell & AMEC Monitoring/Supervision
of TR task LTAIN – FROM ‘A’B
OUT – TO ‘B’A
Secondary Events 1: AMEC/Shell Onshore Workpack preparation and Risk Assessment arrangements: pre 1996 to 2001/2005
Systematic supervision of TR
task not carried outby AMEC staff
4/5-11-05& 9/11-11-05
Removal of two-treads together not observed (or seen
and condoned)4/5-11-05
& 9/11-11-05
Secondary Events 4: Shell/AMEC Supervision/Monitoring
of Tread Replacement Task:3 – 11 November 2005
Shell ‘ARAT’ RA superseded by
ISSOW procedure
Secondary Events 2: AMEC Tread Replacement Workpack
preparation and Shell (Offshore) approval: January
2005 to September 2005
Primary Events: David Soanes’ (DP’s) activities leading to his fall
through the gap created by the removal of two stair treads: 4 - 11
November 2005
Secondary Events 3: DP preparation/submission of Tread
Replacement P2W for Shell ISSOW Committee and OIM approval:
3 – 10 November 2005(Also covers P2W violation event:
11 November 2005)
Figure 1. Events & Causal Factors Analysis (ECFA) of the fatal accident to Mr David Soanes on 11th November 2005Symbols: ‘Events’ are normally in rectangles; ‘Conditions and Causal Factors’ are in ovals. (For reasons of space and clarity, a small number of supporting evidence ‘events’ are shown in ovals with a light blue ‘fill’.) Uncertain events and conditions/causal factors have dotted surrounds. Times given for Primary Events on 11 November are approximate, inter-alia, because there are inconsistencies in times given in Witness Statements
Abbreviations:
AA (Shell) Area AuthorityARAT (Shell) Activity Risk Assessment ToolDP Deceased Person (David Soanes, AMEC)EM Extraordinary Maintenance (Tread replacement work categorised as EM)GA Graham Atkinson (AMEC)ISSOW (Shell) Integrated Safe System of Work ProcedureLTA Less Than AdequateMS Method StatementOIM (Shell) Offshore Installation ManagerPA Performing Authority: first-line supervisor responsible, inter-alia, for P2W preparationP2W Permit to WorkRA Risk AssessmentT (Stair) TreadTR Tread ReplacementT1 Tread 1 – the first tread below the landing on the NE stairsT2 Tread 2 – the second tread below the landing on the NE stairs
Stairs left unattended with T2 removed. Also T1
part-removed?
DP’s body rotated anti-clockwise (viewed from
inboard) on descent
Hugh McQueen & Gary Snow heard ‘thud’; Stephen
Kelly: ‘dull thump’
Hugh McQueen heard loud ‘bang’ - tread hitting
deck below
DP’s body rotated clockwise (viewed from
inboard) on descent
DP struggled to control barrow with
> 10 treads10-11-05
The one-person handling of the barrow may have promoted work starting at the top of each flight
DP used sledge hammer to break
front bolts of
Tread 1Between 0835 -
1015
Location of chisel (& airline)suggests it was placed by DP on
landing when standing on stairs
Next apparent task was to remove bolt
detrita from stair stringers before fitting T2
DP may have wished to fetch Cengar Saw to remove
bolt detrita
Position of DP’s body not inconsistent with feet-first
fall
Position of DP’s body consistent with head-first fall
No ‘mate’ to assist in this task
Gap between two removed treads > body dimensions
DP bent double – head on top step; one leg
wrapped round handrail
Caulking chisel (pneumatic) not
listed in P2W
Violation of onshore AMEC MS
Supports view: removal / partial removal of two
treads perhaps ‘routine’
DP reported no relevant TR problems to John Dickinson (AMEC
Supervisor) C 1015
DP seen by Ray Cotton (AMEC) standing on stairs with caulking chisel
C 1020
Tony Burgum (AMEC) heard DP operating
caulking chiselC 1010-1020
Two treads may have been removed when Ray
Cotton spoke to DP
Ray Cotton did not hear chisel operating as he left
DP reported no TR problems to Ray Cotton
Cengar Saw used by DP on 10-11-05
Bang heard before DP spoke to Ray Cotton
DP may have prepared P2W without full scrutiny of
Workpack
DP signature on P2W
FTAFTA
Top Event: fall 5m onto landingTop Event: fall 5m onto landing Distinguish clearly between second Distinguish clearly between second
and third level downand third level down OR gate: fall direction leads to OR gate: fall direction leads to
distinctive root causesdistinctive root causes Root causes can be Root causes can be listedlisted at the at the
bottom (at appropriate locations)bottom (at appropriate locations)
FTAFTA
In In risk assessmentrisk assessment OR gates OR gates predominatepredominate
InvestigationInvestigation more AND gates more AND gates (except where uncertainty) (except where uncertainty)
AND gates can exaggerate AND gates can exaggerate significance of events under the significance of events under the gategate
DP 95% male by weight
Unintendedskill-based error
DP fell into gap in stair treads
Size of gap greater that DP body dimensions
Two treads removed
Walked across missing treads
One man (DP) allocated to task
No-one to pass equipment to DP
across gapDP wished to obtain
Cengar Saw Routine‘violation’
DP thinksthat job was facilitated
by two-tread removal
Treads not removed on ‘one
for one’ basis
LTA P2W approved (no fall
from height precautions)
No onshoreRA available at
Shell P2Wmeeting
Physically unable to bridge gap between
missing treads
Misjudged width of gap with two
treads removed
Failed to traverse gap between
missing treads
No fall protection, eg, fall-arrest harness; under-stair
protection
Situational‘violation’
Fell feet first
No (other)person
available
AMEC Workpack
specified two-man task
No-one to pass caulking chisel to
on landing
Noexplanationin Workpack why two-men
needed
DP willingto perform task on
his own
DP lost balance
Fell Head first
DP needed to place caulking chisel
on landing
The DP was not involved in removing/replacing treads at the time of his accident, as the two treads had been ‘accounted for’ before the fall. But he had to reach upwards and forwards to place the caulking chisel on the landing which he did moments before falling.
DP thinksthat ‘violation’ likely to be condoned, if
observed
DP fell circa 5-m onto the lower stairs/ landing
A sledgehammer was not listed explicitly in the P2W as an approved tool. Crucially, its use (compared with the small hand tools envisaged by AMEC/Shell) significantly changed the nature of, and hazards associated with, the task. This is irrespective of whether a sledgehammer is a ‘hand tool’, or whether its use involved ‘excessive’ force.
Shell & AMEC argue that a sledgehammer is not a ‘hand tool’ and was therefore prohibited on these grounds. Their perception provides a further reason why the use of the sledgehammer (which must have been visible on the NW stairway, even when not being used) should have been a compelling reason for a review of the P2W.
This branch is predicated on the ‘solution’ adopted would have been to amend the P2W to include the use of a sledgehammer – and introduce fall protection measures.
An alternate scenario is that compliance with the approved P2W should have been rigorously briefed and closely monitored, but noting that the P2W was deeply flawed.
The chance of observing the removal of two treads together (which I believe happened on at least some occasions before 11 November) was less likely to be observed than sledgehammer use.
Two-treadremoval not detected/
remedied(11 Nov)
Shell no longer required AMEC to include RAs in workpacks
Offshore P2W application LTA
(no fall analysis)
OUT – to BA
The Task Description Details consisted only of the phrase: “Replace corroded stairtreads to North West Stairway PW Cellar Deck, Stairtreads to be change out on one for one basis”.
Falling through the stairtreads (whether one or two were removed) was not shown in the Specific Control Table: it was not listed either in the ‘Hazard Description’ or Specific Controls’ Columns.
Offshore P2W form did notrequire listing of
no of men
P2W meeting did not consider risks of one-man
working
There is no evidence to show that the ISSOW meeting was aware that Workpack specified two-men.
The Cengar saw was needed for the next task: removal of bolt detrita from the stair stringers. But it is possible that the DP wished to cross the missing treads for another, or for more than one, reason
Forgot two treads removed
A Fault or Event caused by a combination of contributory events
A basic Fault or Event caused by a component or human failure
A Fault or Event that is not developed further due to lack of information or importance
‘House’ Event. This symbol represents a normal or acceptable situation, not a fault condition
FTA Symbols
OR gate. The output exists if any (or any combination) of the inputs are present
AND gate. The output exists only if all the inputs are present simultaneously
Transfers. These symbols (IN & OUT) are used to duplicate an entire part of a tree to/from another location on the Tree
Figure 2. Fault Tree Analysis (FTA) of the fatal accident to Mr David Soanes on 11th November 2005
One man (DP) allocated to task IN – FROM AB
No (other)person
available
Falls hazards not recognised by DP
Onshore MS: no fall precautions
P2W not reviewed for hazards from two-
tread removal
Increased risk of sledge-
hammer use observedbut condoned
P2W not reviewed for hazards with
use of sledgehammer
Monitoring notcarried out
MonitoringLTA
Failure to detect use of
sledgehammer
This branch could have been developed in the same way as sledgehammer use (see branch on right) with substitution of ‘two-tread removal’ for ‘sledgehammer use’ - but all faults with dashed surrounds
Symbols with dashed surrounds indicate that the information is uncertain or speculative
DP leantacross gap
RevisionRevision
Elements of an OH&S systemElements of an OH&S system Safety cultureSafety culture Human failures; slips/lapses Human failures; slips/lapses
violations etcviolations etc Advanced risk assessment methodsAdvanced risk assessment methods Incident investigationIncident investigation
Change analysisChange analysis ECFAECFA FTAFTA
Concluding remarksConcluding remarks