Theme - 11

Risk Assessment and Management

Risk-Based
Regulations

Risk
Risk-Based Risk-Based
Design
Assessment and Operation
InWEnt -
Management
International Weiterbildung und Entwicklung gGmbH
Capacity Building International, Germany
Friedrich-Ebert-Allee 40 Socio-political Financial
53113 Bonn
Fon +49 228 4460-0 elements elements
Fax +49 228 4460-1766
www.inwent.org
NOVEMBER 2010 5.03-0015-2010

For further information Contact: Technical Environmental Human

elements elements elements

Disaster Management Institute

Paryavaran Parisar,
E-5, Arera Colony, PB No. 563,
Bhopal-462 016 MP (India),
Fon +91-755-2466715, 2461538, 2461348,
Fax +91-755-2466653
dmi@dmibhopal.nic.in
www.dmibhopal.nic.in
Imprint MoEF
The Ministry of Environment & Forests (MoEF) is the nodal agency in the administrative
structure of the Central Government for the planning, promotion, coordination and
overseeing the implementation of India’s environmental and forestry policies and
programmes.
Chief Editor The Ministry also serves as the nodal agency in the country for the United Nations
Praveen Garg, IAS, Environment Programme (UNEP), South Asia Co-operative Environment Programme
Executive Director, DMI, Bhopal, India (SACEP), International Centre for Integrated Mountain Development (ICIMOD) and for
Editors the follow-up of the United Nations Conference on Environment and Development
(UNCED). The Ministry is also entrusted with issues relating to multilateral bodies such
Dr. Rakesh Dubey, Director, DMI, Bhopal, India
as the Commission on Sustainable Development (CSD), Global Environment Facility
Florian Bemmerlein-Lux, Sr. Advisor, InWEnt, Germany (GEF) and of regional bodies like Economic and Social Council for Asia and Pacific
Support (ESCAP) and South Asian Association for Regional Co-operation (SAARC) on matters
Sudheer Dwivedi, Dy. Director, DMI, Bhopal, India pertaining to the environment.
Dr. Asit Patra, Asstt. Director, DMI, Bhopal, India
Neeraj Pandey, Content Manager, InWEnt India InWEnt - Qualified to Shape the Future
Amit Kumar Dadhich, Content Manager, InWEnt India
COOPERATION
REPUBLIC OF
INDIA in ent
Capacity Building Internationale
InWEnt - Capacity Building International, Germany, is a non-profit organisation with
Huda Khan, Content Manager, InWEnt India FEDERAL REPUBLIC
OF GERMANY
Germany
worldwide operations dedicated to human resource development, advanced training,
Published under and dialogue. Our capacity building programmes are directed at experts and
executives from politics, administration, the business community, and civil society.
InWEnt-gtz-ASEM Capacity Development Programme
We are commissioned by the German federal government to assist with the
for industrial Disaster Risk Management (iDRM) implementation of the Millennium Development Goals of the United Nations. in
addition, we provide the German business sector with support for public private
Edition 1, 2010 partnership projects. Through exchange programmes, InWEnt also offers young
InWEnt people from Germany the opportunity to gain professional experience abroad.
International Weiterbildung und Entwicklung gGmbH Detailed Information can be explored using our WEB sites:
Capacity Building International, www.inwent.org
Germany Division for Environment, Energy and Water
Lützowufer 6-9, 10785 Berlin, Germany
Dr. Christina Kamlage COOPERATION
REPUBLIC OF
INDIA
gtz-ASEM
Phone +49 30 25487-117 The Advisory Services in Environmental Management (ASEM) Programme, is a joint
christina.kamlage@inwent.org FEDERAL REPUBLIC
OF GERMANY
programme of the German Technical Cooperation (GTZ) and the Indian Ministry of
Environment and Forests (MoEF). The German Federal Ministry for Economic
Steffi Mallinger Cooperation and Development (BMZ) supports several environment related projects
Phone +49 30 25487-116 in India through GTZ. ASEM focuses on seven major thrust areas -Sustainable
steffi.mallinger@inwent.org Industrial Development, Sustainable Urban Development, Sustainable Consumption
Disaster Management Institute and Consumer Protection, Sustainable Environmental Governance and the cross
cutting areas. Climate Change and Human Resource Development. Public Private
Paryavaran Parisar, E-5, Arera Colony, PB No. 563 Partnership (PPP) project with Indian and German companies contribute towards
Bhopal-462 016 MP (India), identified project activities. Detailed Information can be explored using our WEB sites:
Fon +91-755-2466715, 2461538, 2461348,
Fax +91-755-2466653 www.asemindia.com
www.hrdp-iDRM.in www.hrdp-net.in
GTZ ASEM
Advisory Service in Environmental Management Disaster Management Institute
A-33, Gulmohar Park, (DMI) Bhopal
New Delhi 110049 The Disaster Management Institute (DMI) was set up in 1987 by the Government of
Fon +91-11-26528840 Madhya Pradesh (GoMP) as an autonomous organization in the aftermath of the
industrial disaster in Bhopal.
Fax +91-11-26537673
Since inception, DMI has built vast experience in preparation of both On-site and
www.asemindia.com Off-site Emergency Management Plans, Safety Audit, Risk Analysis and Risk
Assessment, Hazard and Operability Studies (HAZOP), etc.
The National Disaster Management Authority (NDMA) constituted under the
Disclaimer chairmanship of the Prime Minister selected DMI as a member of the Core Group
Though all care has been taken while researching and compiling the for preparation of the National Disaster Management Guidelines- Chemical Disaster.
contents provided in this booklet. DMI-InWEnt-gtz-ASEM accept no It is a matter of pride that NDMA has selected DMI for conducting Mock Exercises on
liability for its correctness. chemical (industrial) Disaster Management at key industrial locations in the country.
The reader is advised to confirm specifications and health hazards The Ministry of Environment and Forests, InWEnt and gtz-ASEM Germany have
described in the booklet before taking any steps, suitability of action recognized DMI as a Nodal Training Institutes for capacity building in industrial Disaster
requires verifications through other sources also. Risk Management.
Information provided here does not constitute an endorsement or
recommendation. www.HRDP-iDRM.in
Contents
Risk can be defined as the combination of the probability of an event and
its consequences. In all types of undertaking, there is the potential for events
1. What is Risk? -2 and consequences that constitute opportunities for benefit (upside) or threats
to success (downside). Risk Management is increasingly recognised as being
2. Objective of risk assessment -4 concerned with both positive and negative aspects of risk.
3. Risk assessment process -6
In the safety field, it is generally recognised that consequences are only
4. Likelihood and consequences -8 negative and, therefore, the management of safety risk is focused on prevention
and mitigation of harm.
4.1. Estimating likelihood and consequences -8
5. Risk Matrix - 12
6. Risk Management - 13
1. What is Risk?
7. Application of risk assessment - 18
8. Chemical process hazard identification and risk analysis Risk is the likelihood that a harmful consequence (death, injury, loss or illness) might
result when exposed to the hazard. It is represented as:-
methods - 19
8.1. Checklist - 19 Risk = consequence of impact x probability of occurrence
8.2. Safety Audit - 19
A consequence spectrum ‘C’ (or, risk picture) of an activity is a list of its all possible
8.3. Hazard Indices - 19 potential consequences and the associated probabilities ‘p’ (e.g. per year). Usually, only
8.4. Preliminary Process hazard Analysis - 20 unwanted consequences are considered and it can be represented with all activities:
8.5. Failure Modes and Effects Analysis (FMEA) - 21 C1 1

8.6. Hazard and Operability Study (HAZOP) - 22

C2 2
8.7. What if-Analysis - 24 Activity
8.8. Fault Tree Analysis (FTA) - 24 C3 3

8.9. Event Tree Analysis (ETA) - 27

9. Risk Criteria in some countries - 27 Ck K

10. Glossary - 30
Risk for above activity is defined as
11. References - 31
Risk=C1p1+C2p2+....+Ckpk = Cipi ------Equation 1

Equation 1 shows that risk can never be zero, a truth not always grasped by the general
public or the news media. Hazards are always present within all industrial facilities and
they always have undesirable consequences, and their likelihood of occurrence is always
finite. The consequence and likelihood in terms can be reduced, but they can never be
eliminated, as illustrated in Fig-1, in which both axes are approached

1 2
asymptotically, i.e. they never reach zero. The only way to achieve a truly risk-free how much is present,
operation is to remove the hazards altogether (or, with respect to safety, to remove how easy it is for toxic chemicals to interact with human bodies,
personnel from the site or stop the activity). how fast the toxicity depletes and how rapidly their potential for harm decreases, and
how long some chemicals are toxic (e.g. arsenic and lead are toxic forever).
Fig-1 also shows that an inverse
relationship generally exists Likelihood Therefore, a drum of toxic waste is hazardous, whether it is in a well-regulated disposal
between consequence facility, or in the living room. But the level of risk would be very different in these two
and frequency. For example, a cases. Risk can be understood better in Fig-3 with the support of associated activities.
serious event such as the failure
of a pressure vessel may occur only
once every ten years, whereas simple
trips and falls may occur weekly. Risk
Understanding
The total risk associated with a
facility is obtained by calculating
the risk value for each of the Consequence
consequences, and then adding all
Fig-1 Likelihood vs. Consequence What impact What can How likely is
the individual risk values together.
is possible? go wrong? it to occur?
The result of this exercise is
sometimes plotted in an FN curve as shown in Fig-2 in which the ordinate represents
the cumulative frequency (F) of fatalities or other serious events, and the abscissa
represents the consequence term (usually expressed in terms of number of fatalities). Foundation for risk assessment
-Historical -Analytical -Knowledge -Socio-political
The values of F and N typically extend across several orders of magnitude. Both axes on experience methods and experience background
an FN curve are logarithmic.
(More sophisticated analysis will
Fig-3 Foundations of risk management
Frequency

actually have a family of curves with -2

10
roughly the same shape as each other.
The distribution of the curves represents 10
-4

the uncertainty associated with predicting -6 2. Objective of risk assessment

the frequency of events.) 10

The shape of the curve itself will 10

-10

vary according to the system being studied; The purpose of a risk assessment is to determine:
-12
frequently a straight line can be used. 10 whether there is any likelihood of a potentially hazardous situation causing death,
1 10 100 1000 injury, illness or disease to people in the workplace and neighbouring environment.
The degree of risk will depend upon the Fatalities how severe that risk is.
amount of exposure to the hazard Fig-2 Representative FN Curve whether the risk needs to be controlled and how urgently.
associated with a consequence of an
event. For example, toxic chemicals are hazardous - they have the potential to harm After assessing or evaluating the identified risks the next steps are:
health. But the level of risk depends on things such as: determine which ones are the most serious (i.e. those with greater likelihood and
most severe consequences).
what is the density of population, plan the actions needed to control the risks in order of priority, from most serious to
what is the wind direction with respect to human settlements at the time of event, least serious risks to life, property and environment.

3 4

Objectives of the systematic risk assessment may include:
identification of all possible major accident scenarios
identification of potential knock-on effect to and from adjoining plants on-site
and off-site
gaining a thorough understanding of the nature, causes, likelihood and
consequences of these scenarios and to communicate these to the facility
employees
assessing the risks from potential major accidents against acceptable
risk criteria
identification and reliability assessment of existing critical safety equipment
and procedures
identification of possible risk reduction measures
evaluating, selecting and implementing all reasonable risk reduction measures to
reduce the risk to a level that is as low as reasonably practicable (ALARP)
identifying employee training needs
identifying the geographic area of the community to be consulted
identifying critical safety management system components
identifying critical emergency planning elements and
identifying monitoring points, performance criteria and suitable measurement
techniques to provide timely warning of safeguard inadequacies.
Risk assessment is important and relevant to the whole life cycle of a processing
project. The risk increases with the inception of a project and remains prominent during
the operation of the plant. The risk starts reducing with the decommissioning of the
plant. The whole concept can be shown through Fig-4.
Risk
The life span of a process industry comprises a number of stages from conceptual
design to decommissioning. Each stage of a plant may have hazards, some general and
some stage specific. Hazard identification and risk analysis techniques that may be
applied at different stages of a plant are given in Annexure 1.
3. Risk Assessment Process
For risk assessment it is essential to-
-define the context or and system and or project. It is done with the help of Process
and Instrument Diagram (P and ID), Chemistry, Thermodynamics, Operating procedure,
etc.
-identify activity/task/work area/personnel to be assessed. `
The risk assessment process has the following five steps:-
Step 1: Identification of all hazards by:
-observing, inspecting, investigating, communicating, consulting and documenting all
the hazards identified. Experience, Checklists, PHA, What-if, HAZOP, FMEA, etc. are
helpful here.
Step 2: Assessment of the risks of the identified hazards by:
-assessing and prioritising the risks.
-dealing with the highest priority risks first.
-dealing with less risks or least significant risks last.
-assessment of risk is possible by knowing the likelihood and the consequence of the
hazardous events. The tools like event tree/fault tree analysis and modelling are
applied respectively. After knowing the risk, the risk is judged for acceptability, if risk is
below the acceptable level or at par of the acceptable level, only then any further
activities are recommended. If risk is above the acceptable level, then the whole
system will be reviewed and after recommendation of appropriate control measures
on reduction of the risk further activities will be carried on.

Conceptual Step 3: Decision on measures to control the risks by:

New Project -Elimination of the risk is the best and preferred way.
Research Design Routine Demolition
and Operation, Records
If elimination of the risk is not possible, select these control measures in the following
Development Detailed Start-up Modifications,Decommissioning Destroyed order of preference:
Engineering and Expansions (i) substitution
New Project Existing Records (ii) isolation by engineering ways
Shutdown (iii) minimisation by engineering means
Facility Retention
and Facility
Removal
Required (iv) application of administrative measures
Process life Cycle
(v) use of personal protective equipment (PPE)
Fig-4 Risk in project life cycle (vi) transfer of risk by insurance or making strong partners.

5 6
Step 4: Implementation of appropriate control measures by: 4. Likelihood and consequences
-adequately controlling the risks
-not creating other risks
-allowing workers to do their work without undue discomfort or stress. To assess the level of risk, the likelihood of an event occurring (will it happen or could it
happen?) and the extent of the consequences that could result (if it does occur, how
Step 5: Monitor the control measures and review the process: serious will the outcome be?) must be considered. Both factors are equally important in
A: Monitor establishing the level of risk and it is not important which factor is considered first.
-Have the control measures been implemented as intended?
-Are the control measures adequate? 4.1 Estimating likelihood and consequences
-Did the implementation of control measures create other hazards or risks?
When estimating the likelihood of occurrence of an event and the severity of the
B: Review potential consequences, it is important for the person doing the risk assessment to
-Has anything changed over time since the risk assessment process was implemented? refer to the following information:
-Is the control of risks still adequate? past safety records, such as safety committee information.
-Was the risk management process conducted effectively? incident statistics in the workplace or the whole industry.
After review and monitoring if the risk is acceptable then one should carry out its practice and relevant experience in the relevant organisation and others in the
activity otherwise revise all above five processes and continue and repeat till the risk is industry.
acceptable. The Fig-5 shows the risk assessment process. manufacturer's data or information on proper use of machinery.
relevant published literature such as trade magazines, research articles, safety
1. Define Objectives,
Depth and Goal of RA
bulletins, etc.
market research such as industry development of new materials and equipment.
Process Diagram (PFD, P and ID),
2. Describe System Chemistry, Thermodynamics, the results of public consultation such as new public projects or institute
Operating procedure, etc.
information.
Experience, Checklist, PHA,
3. Identify Hazards
What if, HAZOP and FMEA.
economic, engineering or other models such as Quality Assurance (QA), Total
Experience
History Quality Management (TQM) or safety culture.
List of Enumerated Incidents,
Effect Models 4. Enumeration and
List of selected Incidents, specialist and expert judgements such as safety consultants or case law decisions.
Damage Models Selection of Incident
Incident outcomes, etc. other codes of practice (e.g. Manual Tasks and SOPs).
Review risk assessment

5. Estimate Consequences 5. Estimate Frequencies (A) Establishing likelihood

7. Acceptable Risk criteria

6. Risk Estimation
Experience The likelihood of an event occurring will depend on both the probability and frequency
History
Fault tree analysis
of exposure to a hazard. There may be a number of factors specific to the workplace
Standards, Company Policies
8. Risk acceptance Event tree analysis that will influence the likelihood of an event occurring, such as:
as per need how, where and when people are exposed to the hazard.
how exposure varies over time or by location.
how people respond.
Decision for how the climate influences the dispersion of the chemical.
acceptance
how the control system works.
No Yes what is the level of awareness.
what is the ratio of old vs young men/women.
Stop monitoring and enforcement of regulations.

Fig-5 Risk assessment (RA) process Likelihood is subject to the local geographical situation.

7 8
The following factors can affect the likelihood of an event or situation occurring: listening to music through headphones increases the chance of being hit by vehicles
How often the task occurs: Generally, when the same critical task demands are at a construction site.
repeated, the more likely an incident will occur. This includes the same or similar Environmental conditions: For example, water in the vicinity of an electrical hazard.
tasks occurring during the shift. For example, consider how often in a shift a worker Repetition: When workers are consistently required to replicate tasks or components
carries a load; pushes a trolley; or uses a vibrating hand tool. of tasks. For example, when a process task cycle is less than 30 seconds and is
How many people are exposed: Generally, greater the number of people completed for more than one hour; or the process task cycle comprises more than
exposed to the hazard, more likely an incident will occur. For example, three shifts of 50 per cent of the total task time and is completed for more than one hour.
workers in a 24-hour distribution centre, operating morning, evening and night Condition of equipment: The use of defective equipment is more likely to cause an
shifts, carrying out wholesale order make ups, could be exposed to manual tasks, incident. For example, when the tool rest of a bench grinder is not adjusted for the
noise and shiftwork hazards. wear of the abrasive wheel rather than using one that is correctly adjusted.
Duration of exposure: Generally, longer a person is exposed to the hazard, the
more likely an incident will occur. For example, consider a manufacturing worker The judgement basis of effectiveness of existing control measures can be:
who is exposed to an accumulative total of eight hours of industrial noise over a 10 -Do the existing control measures represent good practices?
hour shift. -Are the existing control measures preventing or minimising exposure to the risk?
Quantities of materials or multiple exposure points involved: For example, an -Do workers know about the existing control measures?
incident (such as an explosion) is more likely to occur as a result of a small amount -Are the existing control measures being used or followed?
of flammable liquid, such as petrol, in a container which allows room for expanding -Are there adequate systems or procedures in place in relation to the existing control
gases than from a full container of the liquid with no room for expanding gases; an measures?
item of plant may have a number of places with exposed moving parts that could -Is there adequate training and supervision in relation to the existing control measures?
injure a worker. -Is there adequate maintenance in relation to the existing control measures?
Position of the hazard relative to workers and to other hazards: For -Are the existing control measures easy to use and follow?
example, workers working close to a noisy machine are more likely to suffer hearing Table - 1 provide information about the determination of likelihood.
loss than those working further away; certain chemicals, such as methylated spirits, Table-1
may only represent a risk if they are located near a heat source.
Skills and competence of persons exposed: Workers who are not trained in DETERMINE LIKELIHOOD
safe and efficient methods of work are more likely to be injured. For example, a Rating Frequency Description Frequency example
worker who has not been trained in using a trolley may manually lift and carry loads A Almost certain Happens often More than 1 event per month
over long distances; a worker who has not been trained in the safe operation of B Likely Could easily happen More than 1 event per year
plant could increase the chance of human error leading to dangerous events and C Possible Could happen and has occurred 1 event per 1 to 10 year
injury. here or elsewhere
Experience of persons exposed: For example, a worker with 20 years experience is D Unlikely Hasn’t happened yet but could 1 event per 10 to 100 year
less likely to make the same mistake and cause an incident than a worker with only (e.g. Within a single mine life)
two months experience. Adequate training and reasonable competence to do a task E Rare Conceivable but only in extreme Less than 1 event per 100 year
will reduce the likelihood of an incident. circumstances
Any special characteristics of the people involved: For example, young workers
have a lower level of maturity, which can increase the likelihood of them behaving in (B) Establishing consequences
a way that is dangerous and risky. Further, young workers are still developing and
are more likely to be injured when handling heavy loads due to their reduced The severity or range of the potential consequences resulting from an incident can be
capacities. Additionally, a pregnant woman and the developing foetus may be determined by a number of factors, such as:
affected if exposed to chemicals, heavy loads or noise. how much harm the hazard could do
Distractions: It is more likely that an incident will occur when a worker is not how many people it could affect
paying full attention to the task or their surroundings. For example, a worker whether the harm would be short or long term.

9 10
The following factors can affect the severity of consequences when an event or Forces and energy levels: For example, higher the voltage of electricity and the
situation happens: possibility of a high current flowing through a person, more severe the consequences
Potential for 'chain reaction': Where a hazard, if not eliminated, may evolve and are likely to be.
compound into an even more dangerous situation.
Concentrations of substances: For example, a minor injury might result because of 5. Risk Matrix
a diluted chemical, while a fatality might result from a concentrated form of the
same chemical.
Volumes of materials: For example, the potential consequences of a leak of a small Having determined consequence and frequency values to do with a particular hazard,
amount of a particular chemical, such as ammonia, into the workplace may be the overall risk is determined using a third matrix such as that shown in Table 3, which
relatively minor, compared with the potential consequences of the release of a large shows four levels of risk.
amount of the same chemical. Table-3
Speeds of projectiles and moving parts: Generally, greater the speed at which
projectile or part is moving, the more severe are the consequences of injury. DETERMINE RISK
Heights: The force with which a falling object hits a person (and hence the potential Probability Factor Consequence severity
injury), will generally increase with the distance it falls. Similarly, a person will Low Minor Moderate Major Critical
generally sustain greater injuries if falling from a great height.
Position of the workers to the hazard: For example, workers working close to a A Happens often\almost certain High High Extreme Extreme Extreme
noisy machine are likely to incur greater hearing damage than those working further
away. B Could easily happen\likely Moderate High High Extreme Extreml
Weights: For example, a worker will generally sustain a more severe injury from C Could happen and has occurred
lifting material in 50 kg packages than from lifting the same material packaged in Low Moderate High Extreme Extreml
here or elsewhere\possible
30 kg lots. D Hasn’t happened yet but
Table -2 shows the determination of consequence. Low Low Moderate High Extreme
could\unlikely
Table-2 E Conceivable but only in High High
Low Low Moderate
extreme circumstances\rare
DETERMINE CONSEQUENCE
Consequence Injury Property damage Environmental Impact The risk values will usually line up diagonally, with all the values in any one diagonal
or process loss being the same.
Low/ Minor/short Low financial loss Limited damage to minimal
The meaning of the four colours in Table 3 is as follows:
Insignificant term injury area of low significance
Minor Reversible Medium financial Minor effect on biological
A (Red) Very High
Disability loss or physical environment
This level of risk requires prompt action; money is no object, and the option of doing
or impairment
nothing is not an option. An 'A' risk is urgent. On an operating facility, management
Moderate Moderate High financial loss Moderate short term must implement Immediate Temporary Controls (ITC) while long-term solutions are
irreversible effects but not affecting being investigated. If effective ITCs cannot be found, then the operation must be
disability eco-system stopped. During the design phases of a project immediate corrective action must be
Major Single fatality Major financial loss Serious medium term taken in response to an 'A' finding, regardless of the impact on the schedule and budget.
environmental effects
Catastrophic Multiple fatality Maximum Serious long term B (Orange) High
and/or significant Financial loss environmental damage Risk must be reduced, but there is time to conduct more detailed analysis and
irreversible effects investigations. Remediation is expected within say 90 days. If the resolution is expected

11 12
to take longer than this, an ITC must be put in place.
Risk analysis
C (Yellow) Moderate
The risk is significant. However, cost considerations can be factored into the final action
taken, as can normal scheduling constraints such as the availability of spare parts or -Scop definition
the timing of plant turnarounds. Resolution of the finding must occur within say 18 -Hazard identification
months. An ITC may or may not be required. -Risk estimation

D (Green) Low Risk

Requires action but is of low importance. In spite of their low risk ranking, 'D' level risks assessment
must be resolved and recommendations implemented according to a schedule; they
cannot be ignored. (Alternatively, some companies do allow very low ranked-risk Risk evaluation
findings to be ignored on the grounds that they are within the bounds of ALARP).
Risk
-Risk tolerability management
Risk Categories decisions
5 types of risk categories have been identified:- -Analysis of options

(i) People
-Failure of staff to comply with the procedures whether with the intention to commit
fraud, oversight or negligence.
-Non-familiarity of staff with the set guidelines and procedures. Risk reduction/control
(ii) Process
-Process failure.
-Inadequate controls in the operational processes. -Decision making
(iii) System -Implementation
-Failure of application system to meet user requirements. -Monitoring
-Absence of in-built control measures in the application system.
(iv) Management failure
- Failure of overall management system in absence of policies.
-Failure of overall management in absence of availability of finances. Fig-6 Risk management
(v) External Party / Event
-Imposition/changes of policies by government regulatory bodies. (A)Evaluation of risk
-Unsatisfactory/Non-performance by out-sourced service providers. It should be clear that no unique measure of risk exists. Many such measures have been
proposed and are currently in use, each providing a different view on a particular
6. Risk Management situation. The main types of risks are:

Risk to personnel and public safety and health,

Risk analysis, evaluation and reduction/control make integrated components of risk Risk to the environment,
management. Fig-6 shows a protocol of risk management. Risk evaluation must be a Risk to economic concerns (costs and profits).
repeated process till it comes to the acceptable level.
Regarding safety, health, and environment (SHE) aspects several generally accepted
Risk can be judged qualitatively and quantitatively. definitions and methods already exists.

13 14
The instructions were that the risk must never be in the 'intolerable' range. High risk
scenarios are 'tolerable', but every effort must be made to reduce them to the 'broadly
tolerable' level.
(B) Risk Management Guidance
The Fig-7 illustrates
the steps involved in risk reduction
to an acceptable level and has
following vital components when
risk is above acceptable level:-
The treatment options include:
Avoid the risk by deciding not
to proceed with the project or
activity. This may only occur
within legislative requirements
and business agreements.
Review
Reduce the likelihood of the
occurrence. By review of
engineering modifications,
contract conditions, supervision,
technical controls, compliance
programs, procedure manuals,
quality control manuals, training,
etc.
Reduce the consequence of the
occurrence, e.g. contingency
planning, fraud control planning,
relocation of an activity or
operation, etc.
Transfer the risk to another party.
E.g. use of contracts, insurance,
partnerships, etc.
(C)Risk reduction at source of the hazard
a. Elimination - Getting rid of a hazardous job, tool, process, machine or substance
is perhaps the best way of protecting workers. For example, a salvage firm might decide
to stop buying and cutting up scrapped bulk fuel tanks due to explosion hazards.
b. Substitution - Sometimes doing the same work in a less hazardous way is possible.
For example, a hazardous chemical can be replaced with a less hazardous one. Controls
must protect workers from any new hazards that are created.
STEPS
c. Engineering modifications
Redesign - Jobs and processes can be reworked to make them safer. For example,
containers can be made easier to hold and lift.
AVOID HAZARDS Isolation - If a hazard cannot be eliminated or replaced, it can some times be
isolated, contained or otherwise kept away from workers. For example, an insulated
and air-conditioned control room can protect operators from a toxic chemical.
REDUCE SEVERITY
Automation - Dangerous processes can be automated or mechanised. For
example, computer-controlled robots can handle spot welding operations in car
plants. Care must be taken to protect workers from robotic hazards.
REDUCE LIKLIHOOD
Barriers - A hazard can be blocked before it reaches workers. For example, special
curtains can prevent eye injuries from welding arc radiation. Proper equipment
guarding will protect workers from contacting moving parts.
APPLY PASSIVE SAFEGUARDS
Absorption - Baffles can block or absorb noise. Lockout systems can isolate energy
sources during repair and maintenance. Usually, the further a control keeps a hazard
away from workers, the more effective it is.
APPLY ACTIVE SAFEGUARDS
Dilution - Some hazards can be diluted or dissipated. For example, ventilation
systems can dilute toxic gases before they reach operators.
APPLY PROCEDURAL
d. Administrative controls
SAFEGUARDS
Safe work procedures - Workers can be required to use standardised safety
practices. The employer is expected to ensure that workers follow these practices.
Work procedures must be periodically reviewed with workers and updated.
CONSIDER HAZARDS UNTIL Supervision and training Initial training on safe work procedures and refresher
GOALS ARE MET training should be offered. Appropriate supervision to assist workers in identifying
possible hazards and evaluating work procedures.
No Yes Job rotations and other procedures can reduce the time the workers are exposed
to a hazard. For example, workers can be rotated through jobs requiring repetitive
STOP tendon and muscle movements to prevent cumulative trauma injuries. Noisy
processes can be scheduled when no one is in the workplace.
Fig-7 Risk management guidance Housekeeping, repair and maintenance programs - Housekeeping includes
cleaning, waste disposal and spill cleanup. Tools, equipment and machinery are
less likely to cause injury if they are kept clean and well maintained.
Hygiene - Hygiene practices can reduce the risk of toxic materials being absorbed
by workers or carried home to their families. Street clothing should be kept in
separate lockers to avoid being contaminated by work clothing. Eating areas must
be segregated from toxic hazards. Eating should be forbidden in toxic work areas.
Where applicable, workers should be required to shower and change clothes at the
end of the shift.
15 16
e. Risk Transfer 7. Application of risk assessment
The risk transfer can be undertaken in by obtaining indemnities from other parties for
loss suffered by the industry.
Risk assessment and management process is applied for future developmental
f. Monitor and Review processes and is recommended for future landuse planning and other developmental
Monitor and review the effectiveness and performance of the risk treatment options, activities. A widely accepted model is suggested in the Fig-8 so that damages in case of
strategies and the management system and changes which might affect it. any accident or disaster can be minimised.
Each step undertaken should be documented to enable effective monitoring and 100 in a million 10 in a million 1 in a million
review. (10-4) (10-5) (10-6)
Risks and the effectiveness of treatment measures need to be monitored to ensure
changing circumstances do not alter the risk priorities.
Identification, assessment, and treatments must be reviewed to ensure the risks
remain relevant and continue to be managed and that any new or emerging risks are
identified and managed. If risk is not found to be reduced, then review the steps from
‘a’ to ‘e’ as discussed above.

g. Risk Audits
A rolling series of continuous self and third party audits and safety inspections, using
checklists, analysis and positive feedback should be encouraged and must be a part of
Risk No Manufacturing, Commercial All other uses
company policy.
source other warehouses, Offices, including institutions,
land open space low-density high-density residential, etc.
h. Communicate and consult use (parkland, golf residential
Communicate and consult with internal and external stakeholders as appropriate at courses, etc.)
each stage of the risk management process and concerning the process as a whole.
Fig-8 Allowable land uses
a communication plan should be developed for internal and external stakeholders
early in the planning process. The popular activities according to risk can be summarised in Fig-9.
communication should be a two-way process involving consultation.

Management is responsible for identifying the existence of risk and undertaking the 1
business of the company in a manner which ensures appropriate management of those High risk

Frequency (log scale)

risks. - Traffic accidents
- Occupational 2
accidents, etc
i. Performance Indicators - Air trafic accident
The following are suggestive indicators: - Railway accident
3
- Major industrial
-No severe insurable loss to disrupt the financial position.
accident
-Risk management to be included in the business planning function. - Nuclear accident
-All new projects to be assessed for risk in accordance with these guidelines prior to - Catastrophies
initiation. Low risk
-Annual assessment of risks to be recorded and acted upon as detailed in the annual
Risk Management and Audit Plan.
-No revenue loss or significant event to disrupt the company activity through improper Severity (log scale)
conduct by staff.
Fig-9 Activities according to risk

17 18
8. Chemical process hazard identification and risk analysis
methods
8.1 Checklist
The checklist is generally a form for approval by various staff and management
functions before a project can move from one stage to the next. It serves both as
means of communication and as a form of control and can highlight lack of basic
information or a situation that requires a detailed evaluation. Checklists are qualitative
in nature; limited to the experience base of the author of the checklist, hence, should
be audited and updated regularly. It is a widely used basic safety tool and can be applied
at any stage of a project or plant development. Accordingly it is named as Process
checklist, System checklist, Design checklist, etc. It can be applied at any stage of the
project life cycle.
8.2 Safety Audit
It is an intensive plant inspection intended to identify the plant conditions or operating
procedures that could lead to accidents or significant losses of life and property. It is
used to ensure that the implemented safety / risk management programs meet the
original expectations and standards. It is also called 'Safety review', 'Process review'
and 'Loss prevention review'. In essence, safety audit is a critical appraisal of
effectiveness of the existing safety programme in a plant.
The review looks for major hazardous situations and brings out the areas that need
improvement. The steps for the identification process are :
a) Obtaining response from plant on a pre-audit questionnaire;
b) Preparation of checklist, inspection and interview plant personnel; and
c) Preparation of safety audit report in the form of recommendations.
The results are qualitative in nature. While this technique is most commonly applied to
operating plants, it is equally applicable to pilot plants, storage facilities or support
functions. The periodicity of such studies depends on the risk involved in the process
and the commitment of the management. In India the safety audit is done by Indian
Standard BIS IS 14489 (1998).
8.3 Hazard Indices
Hazard indices can be used for relative ranking of process plants from the point of view
of their hazard potentials. The most well known techniques are, DOW fire and explosion
index, Mond fire, explosion and toxicity index and chemical exposure index. All these
19
methods provide a direct and easy approach to a relative ranking of the risks in a
process plant. The methods assign penalties and credits based on plant feature.
Penalties are assigned to process materials and conditions that can contribute to an
accident. Credits are assigned to plant safety features that can mitigate the effects of
an incident. Theses penalties and credits are combined to derive an index that is relative
ranking of the plant risk.
8.4 Preliminary Process hazard Analysis
It is used during the conceptual, early development, early design phase, of a plant. The
method is intended for use only in the preliminary phase of plant development for
cases where past experience provides little or no insight into potential safety problems,
for example, a new plant with new process. Early identification of most of the hazards
could possibly result in effective saving in cost that could otherwise result from major
plant redesigns if hazards are discovered at a later stage. It is very useful for 'site
selection'. It does not preclude the need for further hazard assessment; instead it is a
precursor to subsequent hazard analysis. Items for consideration consist of meticulous
preparation of lists of hazards.
a) Raw materials, intermediates, by-products, final products;
b) Plant equipment (high pressure systems);
c) Interface among system components (material interactions, fire);
d) Environment (earthquake, vibration, extreme temperature); and
e) Operations (tests, maintenance and emergency procedure) and safety equipment.
Example :
Toxic gas 'A' is one of the components used in process; causes for the dangers:
a) The hazards due to storing the gas;
b) Hazards from the excess gas after the sue;
c) Lines supplying the gas 'A'; and
d) Leakage during the receipt of the gas etc.
The effects of these causes can be :
a) Injury / Fatality to persons inside the plant or nearby areas, and
b) Damage of property due to explosion.
c) Environmental impacts.
Safety measures / corrective actions provided to minimise effect:
a) Whether less toxic material can be used;
b) Minimising the inventory for the storage of the material;
20
 c) Procedure for safety storage of the gas with enclosure system; The effects for each failure modes, for example the effects of the 'fails to open
d) Provision of plant warning system; condition for the pump' is (a) loss of process fluid in a particular equipment, and (b)
e) Training for operators; and overheating of the equipment. The effect of pump seal leak is a spill in the area of the
f) Informing neighbouring localities about the toxic effect. pump; if the fluid is flammable a fire could be expected, and so on.

8.5 Failure Modes and Effects Analysis (FMEA) The analyst may also note the expected response of any applicable safety system that
could mitigate the effect.
The method is a tabulation of system / plant equipment, their failure modes and each
failure mode's effect on system/ plant. It is a description of how equipment fails (open, Example of the tabulated format may be :
close, on, off, leaks, etc.) and the potential effects of each failure mode. The technique
is oriented towards equipment rather than process parameters. FMEA identifies single Plant:
failure modes that either directly result in or contribute significantly to an important Date:
accident. Human / operator errors are generally not examined in a FMEA; however, the System:
effects of a mal-operation are usually described by an equipment failure mode. The

Occurrence

Occurrence
ACCEPTED
Item or Potential Potential Responsibility

Severity

Severity
“After”
technique is not efficient for identifying combinations of equipment failures that lead

RISK
Potential

RISK
Current Recommended
Process Failure Effect(s) and Action
to accidents. A multi disciplinary team of professionals can perform FMEA. Cause(s) Controls Action
Step Mode of Failure Target Date Taken

FMEA has following six main steps:

a) Determining the level of resolution,
b) Developing a consistent format,
c) Defining the problem and the boundary conditions,
d) Listing various failure modes,
e) Each effects of the failure mode, and
f) Completing the FMEA table.
The level of resolution depends on the requirement of the plant, namely 'plant level',
system level' or in other words whether the study is for the whole plant or a portion of
plant or a particular system or individual equipment. Marking the portion of study on
the drawing can indicate the physical system boundaries and stating the operating
conditions at the interface. Identification of the equipment is necessary to distinguish
between two or more similar equipment by any number and description of the
equipment is required to give brief details about process or system.
All the failure modes consistent with the equipment description are to be listed
considering the equipment's normal operating conditions.
Example of various failure modes of a normally operating pump is :
a) Fails to open, fails to close when required,
b) Transfers to a closed position,
c) Valve body rupture,
d) Leak of seal, and
e) Leak of casing.
8.6 Hazard and Operability Study (HAZOP)
The HAZOP study is made to identify hazards in a process plant and operability
problems, which could compromise the plant's ability to achieve design intent. The
approach taken is to form a multi-disciplinary team that works to identify hazards by
searching for deviations from design intents. The following terms are sued for the
process for analysis :
a) Intentions - Intention defines how the plant is expected to operate,
b) Deviations - These are departures from intentions,
c) Causes - These are reasons why deviation might occur, and
d) Consequence - Results of deviations that might occur.
The method uses guidewords, which are used to quantify or qualify the intention in
order to guide and stimulate the hazard identification process. The guidewords are
used to generate deviations from the design intent. The team then identifies cause and
consequence of the deviations.
HAZOP guidewords and their meanings:

21 22
 Guidewords Meaning 8.7 What-if Analysis

No Negation of Design Intent What-if-Analysis is used to conduct a thorough and systematic examination of a
Less Quantitative Decrease process or operation by asking questions that begins with What-if. The questioning
More Quantitative Increase usually starts at the input to the process and follows the flow of the process.
Part of Qualitative Decease Alternately the questions can centre on a particular consequence category, for example,
As well as Qualitative Increase personnel safety or public safety. The findings are usually accident event sequences.
Reverse Logical Opposite to Intent Effective application of the technique requires in-depth experience of plant operation.
Other than Complete Substitution
Two types of boundaries that may be defined in a “What-if” study are: (a) Consequence
The HAZOP study requires that the plant be examined for every line. The method applies category being investigated, and (b) Physical system boundary. The consequence
all the guidewords in turn and outcome is recorded for the deviation with its causes categories are mainly: (a) public risk, (b) worker risk, and (c) economic risk, for specific
and consequences. plant. The purpose of physical boundaries is to keep the investigating team focused on
a particular portion of a plant in which consequence of concern could occur. The typical
Example : information required for a What-if-analysis is:

a) For a particular line; a) Operating conditions, physical and chemical properties of materials, equipment
b) Taking any guide word for example 'No', description;
c) Deviation in process parameters, namely flow / temperature, b) Plot Plan;
d) For each deviation the causes for such deviations, c) Process and Instrumentation diagram of the plant including alarms, monitoring
e) Consequence, etc. And devices, gauges etc.;
f) Measures to rectify the root cause for deviation. d) Responsibilities and the duties of the operating personnel, communication
system etc., and
The Fig-10 shows overall HAZOP process : e) Procedures for preventive maintenance, work permit system, for hazardous job,
Attitude tackling emergency situations.
Preparation Meeting
leadership 8.8 Fault Tree Analysis (FTA)
HAZOP
Management Follow-up Essentially the fault tree is a graphical representation of the inter relationship between
Team Documentation
commitment
-Further evaluation of
equipment failures and a specific accident. The equipment faults and failures that are
Review
Team’s selected scenarios (e.g. described in a fault tree can be grouped into three classes, namely:
Using LOPA)
Knowledge HAZOP
-Management response to
experience experince findings/recommendations a) Primary faults and failures attributed to the equipment and not to any other
Information
-Completion of action items external cause or condition.
for study (Pand Ids, Scenario -Completion of actions
PFDs, SOPs, etc.) b) Secondary faults and failures attributed to other external cause or conditions.
table to affected employees
c) Commands faults and failures attributed neither to equipment intended not to
any external cause but due to some source of incorrect command.

There are the following steps in performing the fault tree analysis:
Design intent
Intention Deviation Consequence Safeguards Action a) Problem definitions,
b) Fault tree constructions,
Fig-10 HAZOP process c) Fault tree solution (determining minimal cut sets) and minimal cut set ranking.

23 24
a. Problem Definition
No Light in Room on
This consists of: (a) defining accident event: top event of the fault tree analysis, (b) Demand T
defining analysis boundary including un-allowed events, existing events, systems
physical boundary, level of resolution, and other assumptions.

b. Fault Tree Construction

It begins with the top event and proceeds level by level using symbols namely “Or” And
“And” etc. until all the fault events have been developed to their basic contributing
causes.

c. Fault Tree Solution

The completed fault tree provides useful information by displaying the interactions of
the equipment failures that could result in an accident. The matrix system of analysis
gives the minimal cut sets, which are useful for ranking the ways in which accident No Natural Light No Artificial Light
may occur, and they allow quantification of the fault tree if appropriate failure data
are available.
G1 G2

d. Minimal Cut Set Ranking

'Minimal cut set analysis' is a mathematical technique for manipulating the logical
structure of a fault tree to identify all combinations of basic events that result in Or Or
occurrence of the top event. The ranking of minimal cut sets is the final step for the
fault tree analysis procedure. The basic events called the 'cut set' are then reduced to
identify those minimal cut sets which contain the minimal sets of events necessary and
sufficient to cause the top event. Ranking may be based on number of basic events that
are minimal cut set, for example, one event minimal cut is more important than two
event minimal cut set; a two event cut set and as on. This is because of the chance of
occurrence of one event is more than that of two events to occur. Moreover, the human
error is ranked at top, then the active equipment failure, then passive equipment failure.
Heavy No Fault In Light
Night Time Cloud Power Electric Bulb
No Light Cover Supply Circuit Failure
In Fig-11 the causes B1, B2, B3, B4 and B5 are the basic events, which can lead to top B1 B2 B3 B5 B4
event T, which is “No light” in room on demand” and the mathematical expression for
that top event is
Fig-11 Fault Tree for no light in room on demend
T = G1 x G2
= (B1 +B2) x (B3+B4+B5) This indicates the occurrence of either of basic events B1 or B2 along with occurrence
= B1B3 + B2B3 + B1B4 +B2B4 +B1B5 +B2B5 (6 minimal cut sets) of any of the basic events B3, B4 & B5 would lead to top event T.

25 26
8.9 Event Tree Analysis (ETA)
ALARM
ETA is a forward thinking process, begins with an initiating event and develops the SMOKE SPRINKLER SYSTEM
DETECTOR
following sequences of events that describe potential accidents accounting for: (i)
successes, and (ii) failures of the available “safety function” as the accident progresses.
The “safety function” includes operator response or safety system response to the
initiating event. The general procedure for the event tree analysis has four major steps : EXIT
FIRE

a) Identifying an initiating event of interests,

b) Identifying safety functions designed to deal with the identifying event,
c) Constructions of the event tree and
d) Results of accident event sequence. Initiating
Fire Detected? Fire Alarm Sprinkler Resultent
Event Works? Works? Event
Example :
Y
In the Fig-12 the escape of a person in a workplace has been shown along with the Limited Damage
smoke detector, sprinkler system, alarm and exist. The event trees are constructed for Y
Extensive Damage
qualitative and quantitative assessment for proper functioning of fire detection, alarm N People Escape
function, sprinkler system working, etc.
Y
Event tree can be helpful in assessing the impact after an consequence if the protection N Y
Fire Starts Limited Damage
systems are not working. Wet People
Possible Fatalities
9. Risk Criteria in some countries Y-YES N N Extensive Damage

N-NO

Authority and Application Maximum Tolerable Risk (Per Year)

Initiating Fire Spreads Sprinkler Fails People Cannot Resultent
Negligible Risk (Per Year) Scenario
Event Quickly? To Works? Escape? Event

1.0E-6 1.0E- 8 P=0.5

VROM, The Netherlands (New) 1
Y Multiple Fatalities
VROM, The Netherlands (existing) 1.0E -5 1.0E - 8 P=0.3

Y
1.0E-4 1.0E 6 N
HSE, UK (Existing hazardous industry
P=0.1 2
Y
P=0.5 Loss/Damage
HSE, UK (new nuclear power station) 1.0E-5 1.0E- 6 N Fire Controlled
Fire Starts 3
HSE, UK (Substance transport) 1.0E-4 1.0E-6 P=0.7
Y-YES Fire Contained
P=0.9 N 4
HSE, UK (New housing near plants) 3 X 1.0E -6 3 X 1.0E -7 N-NO

Hong Kong Government (New Plants) 1.0E -5 Not used

Fig-12 Event tree for a fire

27 28
 Annexure 1 10. Glossary
Plant stages vis a- vis Hazard identification and hazard analysis techniques
Control: An existing process, policy, device or practice that acts to minimise negative
Sl. No. Project Stage Hazard Identification / risk or enhance positive opportunities.
Hazard Analysis Techniques Control assessment: Systematic review of processes to ensure that controls are still
effective and appropriate.
1. Pre-design a) Hazard indices Event: Occurrence of a particular set of circumstances.
b) Preliminary hazard analysis
Frequency: A measure of the number of occurrences per unit of time.
c) What if-analysis
Hazard: A source of potential harm or a situation with a potential to cause loss.
d) Checklists
Consequence: Outcome or impact of an event.
2. Design / modification a) Process design checks and use of Likelihood: A general description of probability or frequency.
checklist Loss: Any negative consequence or adverse effect, financial or otherwise.
b) HAZOP studies Monitor: To check, supervise, or record the progress of an activity or system on a
c) Failure modes and effects analysis regular basis to identify change.
d) What-if-analysis Residual risk: The remaining level of risk after risk treatment measures have been
e) Fault tree analysis taken.
f) Event tree analysis Risk: The chance of something happening that will have an impact upon the
Department's objectives. It is measured in terms of likelihood and consequence.
3. Construction a) Check list Risk analysis: A systematic process to understand the nature of and to deduce the
b) What-if-analysis level of risk.
Risk Criteria: Terms of reference by which significance of risk is assessed.
4. Commissioning a) Check list Risk evaluation: Process of comparing the level of risk against the risk criteria.
b) Plant safety audits Risk Identification: The process of determining what, where, when, why and how
c) What-if-analysis
something could happen.
Risk Management: The culture, processes and structures that are directed towards
5. Operation and maintenance a) Plant safety audits
realizing potential opportunities whilst managing adverse effects.
b) What-if-analysis
c) Check list Risk Management Process: The systematic application of management policies,
procedures and practices to the tasks of communicating, establishing the context,
6. Decommissioning / shutdown a) Check list identifying, analysing, evaluating, treating, monitoring and reviewing risk.
b) What-if-analysis Risk reduction: Actions taken to lessen the likelihood, negative consequence, or both,
associated with a risk.
Risk retention: Acceptance of the burden of loss, or benefit of gain from a particular
risk.
Risk transfer: Shifting the responsibility or burden for loss to another party through
legislation, contract, insurance or other means. Risk transfer can also refer to shifting
a physical risk or part thereof elsewhere.
Risk treatment: Process of selection and implementation of measures to modify risk.

29 30
11. References Notes

1. Andereassen, M.; Bakken, B.; Danielsen, U.; Haanes, H.; Solum, G.; Stenssas, J.; Thon,
H.; Wighus, R., (1992). Handbook for fire calculations and fire risk assessment in the
process industry, Scandpower A/S.

2. Hazard Identification and Risk Analysis Code of Practice, BIS IS 15656: 2006, Bureau
of Indian Standards, Govt of India.

3. Khan, F.; Abbasi, S., (1998). MAXCRED-a new software package for rapid risk
assessment in chemical process industries, Environ. Modell. Softw..

4. Khan, F.; Abbasi, S., (1999). HAZDIG: a new software package for assessing the risks of
accidental release of toxic chemicals, J. Loss. Prevent. Proc.

5. Roberts, B., (1982). Thermal radiation hazards from release of LPG from pressurized
storage, Fire Safety J.

6. Simmons, J.; Erdmann, R.; Naft, B., (1973). The risk of catastrophic spill of toxic
chemicals. Rep. UCLA-ENG-7425. Unv. of California, Los Angeles, California.

7. TNO (1990). Methods for the determination of the possible damage to humans and
goods by the release of hazardous materials (Green Book). The hague: Dutch ministry
of housing, Physical Planning and Environment.

31 32