Abstract
This knol provides guidance on the nature of risk, and how people’s perception of risk means that particular emphasis must be paid to the consequence term. The use of risk matrices is explained.
Introduction
- Hazards;
- The consequences of those hazards (safety, environmental, financial); and
- The predicted frequency (likelihood) of those hazards.
These three terms can be combined as shown in Equation (1).
RiskHazard = Consequence * Predicted Frequency…………………………………. (1)
Risk is not the same as uncertainty. Events which have a desirable outcome may contain a high level of uncertainty, but they do not create risk. Risk implies some type of negative outcome.
Equation (1) shows that risk can never be zero — a truth not always grasped by members of the general public or the news media. Hazards are always present within all industrial facilities. Those hazards always have undesirable consequences, and their likelihood of occurrence is always finite. The consequence and likelihood terms can be reduced, but they can never be eliminated, as illustrated in Figure 1, in which both axes are approached asymptotically, i.e., they never reach zero. The only way to achieve a truly risk-free operation is to remove the hazards altogether (or, with respect to safety, to remove personnel from the site).
Figure 1
Likelihood vs. Consequence
Figure 1 also shows that an inverse relationship generally exists between consequence and frequency. For example, a serious event such as the failure of a pressure vessel may occur only once every ten years, whereas simple trips and falls may occur weekly.
The total risk associated with a facility is obtained by calculating the risk value for each consequence, and then adding all the individual risk values together. The result of this exercise is sometimes plotted in an FN curve as shown in Figure 2 in which the ordinate (y-axis) represents the cumulative frequency (F) of fatalities or other serious events, and the abscissa (x-axis) represents the consequence term (usually expressed as N fatalities). In Figure 2 it is projected that the organization will have a fatality about once every fifty years, whereas a catastrophic event (say more than 10 fatalities) will occur every thousand years or so.
Because the values of F and N typically extend across several orders of magnitude both axes on an FN curve are logarithmic. (More sophisticated analyses will create a family of curves with roughly the same shape as one another. The distribution of the curves represents the uncertainty associated with predicting the frequency of events.) The shape of the curve itself will vary according to the system being studied; frequently a straight line can be used.
Figure 2
Representative FN Curve
FN curves are generally used when making industry-wide decisions; FN curves would not generally be calculated for individual process plants. However, if two types of technology are being considered their respective FN curves can be compared, as illustrated in Figure 3, which compares two technologies: A and B (such as determining the overall risk associated with moving from gasoline to hydrogen powered cars).
Family of FN Curves
The Subjective Nature of Risk
When Oscar Wilde coined the above phrase he meant that facts are never truly objective; each person has their own perception of what they perceive to be the same reality. His insight also suggests that there is no such entity as ‘common sense’ — no two people have a truly common view of the world so they do not share a ‘common sense’. This observation regarding different truths applies very much to hazards analysis and risk management. Each person participating in hazards analysis and risk management has his or her own opinions, memories, attitudes and overall ‘world view’. Most people are — in the strict sense of the word — prejudiced; that is, they pre-judge situations rather than trying to analyze the facts rationally and logically. People jump to pre-conceived conclusions, and those conclusions will often differ from those of other people who are looking at the same information with their own world view. With regard to risk management, even highly-trained, seasoned experts, who regard themselves as being governed only by the facts, will reach different conclusions when presented with the same set of facts. Risk is fundamentally subjective. Indeed, Slovic (1992: 119) [1] states that there is no such thing as ‘real risk’ or ‘objective risk’. His point is that if risk can never be measured objectively then objective risk does not exist at all (analogous to the philosophers’ question, ‘Does a tree make a noise when it falls in the forest if there is no one there to hear it?’). The subjective component of risk becomes even more pronounced when the perceptions of non-specialists, particularly members of the public, are considered. Hence the successful risk management involves understanding the opinions, emotions, hopes and fears of many people, including managers, workers and members of the public.
- Degree of control;
- Familiarity with the hazard;
- Direct benefit;
- Personal impact;
- Natural vs. man-made risks;
- Recency of events; and
- Effects of the consequence term.
Degree of Control
Voluntary risks are accepted more readily than those that are imposed. For example, someone who believes that the presence of a chemical plant in his community poses an unacceptable risk to himself and his family may willingly go rock-climbing on weekends because he feels that he has some control over the risk associated with the latter activity, whereas he has no control at all over the chemical plant, or of the mysterious odors it produces. Similarly, most people feel safer when driving a car rather than riding as a passenger, even though that feeling must be wrong at least half of the time. The feeling of being in control is one of the reasons that people accept highway fatalities more readily than the same number of fatalities in airplane crashes.
The desire for control also means that most people generally resist risks that they feel they are being forced to accept, and will magnify the perceived risk associated with tasks that they are forced to do against their desire.
Familiarity with the Hazard
Most people understand and accept the possibility of the risks associated with day-to-day living, but they do not understand the risk associated with industrial processes, thus making those risks less acceptable. A cabinet full of household cleaning agents, for example, seems less risky than a high-tech chemical facility that makes those chemicals, even though any individual is probably more at risk from the cleansers than from the factory’s emissions.
Hazards that are both unfamiliar and mysterious are particularly unacceptable, as can be seen by the deep distrust that the public feels with regard to nuclear power plants.
Direct Benefit
People are more willing to accept risk if they are direct recipients of the benefits associated with that risk. The reality is that most industrial facilities provide little benefit to the immediate community apart from offering some job opportunities and in increased local tax base. On the other hand, it is the community that has to take all of the associated risk associated with those facilities, thus creating the response of ‘NIMBY’, which stands for, ‘Not in My Backyard.
Personal Impact
The impact of the consequence term will depend to some degree on the persons who are impacted by it. For example, if an office worker suffers a sprained ankle he or she may be able to continue work during the recovery period; an outside operator, however, may not be able to work at his normal job during that time.
Natural vs. Man-Made Risks
Natural risks are generally considered to be more acceptable than man-made risks. For example, communities located in areas of high seismic activity understand and accept the risks associated with earthquakes. Similarly people living in hurricane-prone areas regard major storms as being a normal part of life. However, these same people are less likely to understand or accept the risks associated with industrial facilities.
Recency of Events
People tend to attribute a higher level of risk to events that have actually occurred in the recent past. For example, the concerns to do with nuclear power plants in the 1980s and 90s were very high because the memories of Chernobyl and were so recent. This concern is easing given that these two events occurred outside the memory of most people living.
Effects of the Consequence Term
Frequency and consequence terms are usually treated as having the same weight. For example, according to Equation (1), a hazard resulting in one fatality every hundred years has the same risk value as a hazard resulting in ten fatalities every thousand years. In both cases the fatality rate is one in a hundred years, or 0.01 fatalities yr-1. But the two risks are not perceived to be the same. In general, people feel that high-consequence events that occur only rarely are less acceptable than more frequent, low consequence accidents. Hence, the second of the two alternatives shown above is perceived as being worse than the first.
The same way of looking at risk can be seen in every day life. In a typical large American city around 500 people die each year in road accidents. Although every effort is made to reduce this fatality rate the fact remains that this loss of life is perceived as a necessary component of modern life, hence there is little outrage on the part of the public. Yet, were an airplane carrying 500 people to crash at that same city’s airport every year, there would be an outcry. Yet the fatality rate is the same in each case, i.e., 500 deaths per city per year. The difference between the two risks is a perception rooted in feelings and values.
To accommodate the difference in perception regarding risk Equation (1) can be modified so as to take the form of Equation (2).
Equation (2) shows that the contribution of the consequence term has been raised by the exponent n, where n > 1. In other words, high consequence/low frequency accidents are assigned a higher perceived risk value than low consequence/high frequency accidents.
Since the variable ‘n’ represents subjective feelings it is impossible to assign it an objective value. However, if a value of say 1.5 is given to ‘n’ then Equation (2) for the two scenarios just discussed — the airplane crash and the highway fatalities — becomes Equations (3) and (4) respectively.
Riskairplane = 500 1.5 * 1 …………………………. (3)
= 11180
Riskautos = 1 1.5 * 500 …………………………. (4)
The 500 airplane fatalities are perceived as being equivalent to over 11,000 automobile fatalities, i.e., the apparent risk to do with the airplane crash is 17.3 times greater than for the multiple automobile fatalities.
In the case of hazards that have very high consequences, such as the meltdown of the core of a nuclear power plant, perceived risk rises very fast as a result of the exponential term in Equation (2), thus explaining public fear to do with such facilities. Over the years, managers and engineers in such facilities have reduced the objective risk to an extremely low value, largely through the extensive use of sophisticated instrumentation systems. However, since the worst-case scenario — core meltdown — remains the same the public remains nervous and antagonistic. In such cases management would be better advised to address the consequence term rather than the likelihood term. With regard to nuclear power, the route to public acceptance is to make the worst-case scenario of low consequence.
The subjective and emotional nature of risk is summarized by Brander [2] with reference to making design improvements to passenger ships When discussing the Titanic tragedy, he states,
They [scientists and engineers] tend to argue with facts, formulas, simulations, and other kinds of sweet reason. These don’t work well. What does work well are shameless appeals to emotion – like political cartoons. Like baby seals covered in oil. And always, always, casualty lists. Best of all are individual stories of casualties, to make the deaths real. We only learn from blood.
Risk Matrices
- Consequence Matrix;
- Frequency Matrix; and
- Risk Matrix.
Consequence Matrix
A representative consequence matrix is shown in Table 1. The matrix has four levels of consequence covering worker safety, public safety, the environment and economic loss. There are no rules as to how many levels should be selected, nor does any major regulatory body insist on a particular size of matrix. However, many companies choose four levels; three levels does not provide sufficient flexibility and differentiation, but five levels imply a level of accuracy that is probably not justified — estimates of hazard consequences are usually very approximate. The steps in Table 1, from ‘Low’ to ‘Very Severe’, are roughly in orders of magnitude, i.e., each increased level is about ten times more serious than the one before it.
Consequence Categories
| |
Worker Safety |
Public Safety |
Environment |
Economic (annual) |
|
Low, 1 |
Reportable or equivalent. |
None. |
Limited impact that is readily corrected. |
$10,000 to 100,000 |
|
Moderate, 2 |
Hospitalization or lost-time injury. |
Minor medical Attention. |
Report to Agencies and take remediative action. |
$100,000 to 1 million |
|
Severe, 3 |
Single disabling injury. |
Hospitalization or serious injury. Some local reporting. |
Irreversible damage to low quality land, or clean-up of environmentally sensitive areas required. |
$1 million to 10 million |
|
Very Severe, 4 |
Fatality or multiple serious injuries. |
Fatality or multiple serious injuries. Massive negative publicity. |
Months of clean-up work needed in environmentally sensitive areas. |
≥ $10 million |
Worker Safety
The first of the consequence columns shown in Table 1 is worker safety — the topic that usually receives the most attention during risk analyses. Indeed many risk analysts will elect to consider this item only, which is why it has been shaded. If the workers are safe, it is argued, then the other consequence terms will probably be acceptable also.
Public Safety and Health
Incidents that affect members of the public usually attract a good deal of attention. Hence the categories for public safety, which are shown in the third column of Table 1, are an order of magnitude higher than for worker safety. (It could be argued that all people have the same value, and that a member of the public is not ‘more valuable’ than a worker. However, as is stressed throughout this ebook, risk is fundamentally a subjective topic. Incidents that affect the public are ‘worse’ than those involving just workers. Such incidents become even less acceptable if they affect children.)Related to public safety and health is the topic of negative publicity, particularly those major events that ‘make the newspapers’.
Environment
Environmental risks are shown in Table 1. In practice environmental issues are normally controlled by rules and regulations rather than an objective analysis of risk.
Economic Loss
The final consequence category in Table 1 is economic loss. All process incidents generate losses in one or more of the following areas:
- Damaged or destroyed equipment;
- Lost production;
- Off-quality product;
- Litigation; and
- Clean-up.
Economic loss can either be one-time (say the destruction of a piece of equipment) or on-going, in which case the value shown in Table 1 represents an annual loss).The difficulty with using the ‘Economic Loss’ column in a risk-ranking matrix is that it effectively assigns a financial value to human life and suffering. For example, Table 1 suggests that a single, disabling injury is ‘worth’ from $1 to 10 million. Such statements, being entirely subjective, can be controversial and almost impossible to defend. A similar critique can be made about insurance payments — it is not possible to truly assess the cost of a fatality or an injury.
The cost associated with a safety event can be derived from incident data. For example, Hayes (2004) states that, for BP process facilities, the cost of a serious incident is in the range $2 ‑ 10 million, whereas the cost of a lost-time incident is $150,000.Once more, these costs should not be treated as setting a financial value on human loss and suffering.
Frequency Matrix
Once the consequences associated with an incident have been identified, the next step is to estimate the frequency with which the incident may occur. A representative frequency matrix is shown in Table 2. As with the consequence matrix, four value levels are provided. The use of just three levels is probably too coarse, but five levels or more implies a degree of accuracy that probably could not be justified (precision is not the same as accuracy).
As with the consequence matrix, the steps in Table 2 are roughly an order of magnitude greater than the one before it.
Table 2
Frequency Matrix
| |
Frequency |
Comments |
|
Low, 1 |
< 1 in 1000 years |
Essentially impossible: ‘Once in a blue moon’. |
|
Moderate, 2 |
1 in 100 years to 1 in 1000 years |
Conceivable — has never happened in the facility being analyzed, but has probably occurred in a similar plant somewhere else. |
|
High, 3 |
1 in 10 years to 1 in 100 years |
Might happen in a career. |
|
Very High, 4 |
> 1 in 10 years |
It is likely that the event has occurred at the site if the facility is more than a few years old. |
In practice, the most difficult judgment to make is between the ‘High’ and ‘Moderate’ values. Such events in this range have probably not been observed by the workers at the site, yet they are plausible.
One way of helping people visualize and estimate the frequency of very unlikely events is to examine the overall industry record. For example, if a certain event has an estimated frequency of 1 in 100 years, it is not likely that anyone on the plant will have witnessed that event. However, if there are 100 similar plants world-wide, then that event should be occurring about once a year somewhere in the world. (Because shared information can be so useful many companies choose to tell others about their safety difficulties, in spite of potential trade secrets and other legal issues.)
Risk Matrix
Having determined consequence and frequency values to do with a particular hazard the overall risk is determined using a third matrix such as that shown in Table 3, which shows four levels of risk.
Risk Ranking Matrix
| |
Consequence |
||||
|
Frequency |
|
Low, 1 |
Moderate, 2 |
Severe, 3 |
Very Severe, 4 |
|
Low, 1 |
D |
D |
C |
C |
|
|
Moderate, 2 |
D |
C |
C |
B |
|
|
High, 3 |
C |
C |
B |
A |
|
|
Very High, 4 |
C |
B |
A |
A |
|
The risk values will usually line up diagonally, with all the values in any one diagonal being the same.
The meaning of the four letters in Table 3 is as follows.
A — (Red) Very High
This level of risk requires prompt action; money is no object, and the option of doing nothing is not an option. An ‘A’ risk is urgent. On an operating facility, management must implement Immediate Temporary Controls (ITC) while longer-term solutions are being investigated. If effective ITCs cannot be found, then the operation must be stopped. During the design phases of a project immediate corrective action must taken in response to an ‘A’ finding, regardless of the impact on the schedule and budget.
B — (Orange) High
Risk must be reduced, but there is time to conduct more detailed analyses and investigations. Remediation is expected within say 90 days. If the resolution is expected to take longer than this, then an ITC must be put in place.
C — (Yellow) Moderate
The risk is significant. However, cost considerations can be factored into the final action taken, as can normal scheduling constraints such as the availability of spare parts or the timing of plant turnarounds. Resolution of the finding must occur within say 18 months. An ITC may or may not be required.
D — (Green) Low
Requires action but is of low importance. In spite of their low risk ranking, ‘D’ level risks must be resolved and recommendations implemented according to a schedule; they cannot be ignored. (Alternatively, some companies do allow very low risk-ranked findings to be ignored on the grounds that they are within the bounds of ALARP)
In addition to the four letters shown in Table 3, the following types of risk response can be used.
O — Operational. Sometimes the risk associated with a hazard is purely economic; it has neither safety nor environmental implications. Use of the letter ‘O’ tells management that they do not have to respond to this finding for safety reasons, but they may choose to do so in order to improve profitability. Use of this term also means that a hazards analysis team will probably not use the economic consequence column in Table 2. Instead all economic findings will be placed in the ‘O’ category, regardless of their magnitude.
S — Standards. Some risks represent a violation of regulations, industry consensus standards/codes or company policy. It is difficult to assign frequency and consequence values to this type of risk, but professional practice suggests that something should be done (and if the issue is a code or regulatory violation, then something must be done). One option is to arbitrarily assign a B‑level risk to regulatory and code violations, and a C-level risk to non-conformance to consensus standards.
L — Low Hanging Fruit. This term is obviously written tongue-in-cheek, yet many times it is unnecessary to dwell on the development of recommendations; what needs to be done is simple, straightforward, effective, quick, cheap and non-controversial. In such cases, there is little point in conducting a risk assessment — it is better simply to fix the problem. For example, if an operating procedure is not up to date, it is better just to rewrite it rather than worrying about the risk associated with use of the present procedure. Similarly, if a safety sign is unreadable it should simply be replaced.
Although problems such as these can be addressed right away, management may consider the implications of why these minor problems existed in the first place. For example, an improperly formatted operating procedure is not a major issue, but it may point to a fundamental difficulty with the way in which procedures are written. Similarly, an illegible safety sign may indicate deeper problems regarding the occupational safety and housekeeping program.
