XBRA3103
OSH Risk Management
Summary
Key Terms
References
6.3.2 Frequency
6.3.3 Probability
6.4 Analysing Critical Tasks
6.4.1 Reduce the Task to the Steps Performed
6.5 Pinpoint Loss Exposures
6.6 Make an Improvement Check
6.7 Develop Controls
6.8 Procedures/Practices Write-up
6.8.1 Making the Investment
6.9 Put to Work
6.10 Update and Maintain Records
Summary
Key Terms
References
INTRODUCTION
XBRA3103 OSH Risk Management is one of the courses offered by Faculty of
Science and Technology at Open University Malaysia (OUM). This course is
worth 3 credit hours and should be covered over 8 to 15 weeks.
COURSE AUDIENCE
This course is offered to all learners taking the Bachelor of Occupational Health
and Safety Management programme. This module covers the principle of
occupational safety and health (OSH) risk management. Learners will be able to
apply the concept of OSH risk management in managing risks at the workplace.
They will be able to use common tools in identifying hazards such as Job Safety
Analysis, Hazard and Operability Study, Fault Tree Analysis, Failure Mode and
Effects Analysis, Structured What-If Technique as well as Task Analysis.
STUDY SCHEDULE
It is a standard OUM practice that learners accumulate 40 study hours for every
credit hour. As such, for a three-credit hour course, you are expected to spend
120 study hours. Table 1 gives an estimation of how the 120 study hours could be
accumulated.
Table 1: Estimated accumulation of the 120 study hours
Study Activities                                                              Study Hours
Briefly go through the course content and participate in initial discussion   3
Study the module                                                              60
Attend 3 to 5 tutorial sessions                                               10
Online participation                                                          12
Revision                                                                      15
Assignment(s), Test(s) and Examination(s)                                     20
TOTAL STUDY HOURS ACCUMULATED                                                 120
COURSE OUTCOMES
By the end of this course, you should be able to:
3. Organise and implement a risk assessment programme where this has not
already been started;
4. Identify specific training needs for the activities being assessed; and
COURSE SYNOPSIS
This course is divided into 10 topics. The synopsis for each topic can be listed as
follows:
Topic 3 discusses risk assessment. It covers what is risk assessment, why conduct
risk assessment, risk assessment management, risk assessment methodology,
decisions on risk control action and risk assessment challenges at the workplace.
Topic 4 elaborates on risk control. It discusses risk control and prevention, risk
control principles and location of the control used.
Topic 5 discusses Job Safety Analysis (JSA). It covers what is JSA, terminology,
benefits of doing a JSA, basic steps in JSA as well as JSA and safety and health
procedures.
Topic 10 describes the Failure Mode and Effects Analysis (FMEA). It covers the
definition of FMEA, benefits and limitations as well as the FMEA process.
Learning Outcomes: This section refers to what you should achieve after you
have completely covered a topic. As you go through each topic, you should
frequently refer to these learning outcomes. By doing this, you can continuously
gauge your understanding of the topic.
Summary: You will find this component at the end of each topic. This component
helps you to recap the whole topic. By going through the summary, you should
be able to gauge your knowledge retention level. Should you find points in the
summary that you do not fully understand, it would be a good idea for you to
revisit the details in the module.
Key Terms: This component can be found at the end of each topic. You should go
through this component to remind yourself of important terms or jargon used
throughout the module. Should you find terms here that you are not able to
explain, you should look for the terms in the module.
PRIOR KNOWLEDGE
No prior knowledge is required.
ASSESSMENT METHOD
Please refer to myINSPIRE.
REFERENCES
Bahr, N. J. (1997). System safety engineering and risk assessment: A practical
approach. Washington, DC: Taylor and Francis.
Hughes, P., & Ferrett, E. (2002). Introduction to health and safety at work.
Oxford, England: Butterworth-Heinemann.
Kletz, T. (1999). HAZOP and HAZAN (4th ed.). New York, NY: Taylor & Francis.
INTRODUCTION
Look at Figure 1.1 that depicts several workplace safety signs. Did you know that
work activities pose potential risks and hazards? The safety and health of
employees are jeopardised especially if these risks are not properly monitored
and controlled. All employees are entitled to safe and healthy work conditions,
regardless of whether they are working in the field, at the office or at any other
workplace setting. They deserve a safe work environment. Hence, employee
safety and health should be a primary concern for all organisations. In other
words, employers should develop strategies and policies to ensure the
establishment of safe and healthy workplaces.
As part of the legal requirements under Section 16, OSHA 1994, management
must establish a Safety and Health Policy for the workplace. This is considered a
pledge by top management in terms of its commitment to protect the safety
and health of employees at the workplace. This document is the basis for all OSH
activities within the organisation. As part of the management commitment, this
document should be reviewed regularly, especially with regard to individual
responsibilities and accountabilities. Once the document is approved, it should
be communicated to all employees.
SELF-CHECK 1.1
Terminology: Meaning
Hazard: "Source, situation or act with a potential for harm in terms of human injury or ill health or a combination of these." (OHSAS 18001:2007)
Hazard Identification: "Process of recognising that a hazard exists and defining its characteristics." (OHSAS 18001:2007)
Risk: "Combination of the likelihood of an occurrence of a hazardous event or exposure and the severity of injury or ill health that can be caused by the event or exposure." (OHSAS 18001:2007)
Risk Assessment: "Process of evaluating the risk that arises from a hazard, taking into account the adequacy of any existing controls, and deciding whether or not the risk is acceptable." (OHSAS 18001:2007)
Risk Management: "Total procedure associated with identifying a hazard, assessing the risk, putting in place control measures, and reviewing the outcomes." (DOSH HIRARC Guidelines)
(a) Consider the impact of certain risky events on the performance of the
organisation;
(b) Devise alternative strategies for controlling these risks and/or their impact
on the organisation; and
(c) Relate these alternative strategies to the general decision framework used
by the organisation.
(b) The active involvement of each individual at the workplace means that
each person contributes to the consideration of safety at every level of the
work environment. In other words, OSH is everybody's business.
(ii) All views can be considered before decisions are made; and
(iii) There is room for negotiation about the different points of view with
the aim of achieving resolution of any disputes.
(e) Hazard identification, risk assessment and risk control at workplace level
may be defined as the systematic application of management policies,
procedures and practices to the four-step process of:
SELF-CHECK 1.2
Figure 1.2: A common process flow of safety and health risk management
(a) Identify areas of OSH risk in the business and in associated work activities;
(b) Help to demonstrate due diligence by directors, managers and other key
persons involved in the process;
(a) Policy;
(b) Organising;
OSH risk management is also covered in OHSAS 18001:2007 under Clause 4.3:
Planning, where it is mentioned that the organisation shall establish, implement
and maintain a procedure(s) for ongoing hazard identification, risk assessment
and determination of necessary controls.
According to Risk Management Guide for Small Business by New South Wales
Department of State and Regional Development, good governance focuses on
areas such as:
(b) Quality outcomes: ensuring that the products developed or the services
provided by the business are of the highest quality and standard;
(c) Compliance: ensuring that the business complies with all required
regulations, legislation and standards on an ongoing basis; and
Effective governance can help improve performance, satisfy customer needs and
meet compliance requirements. Risk management is an integral part of business
governance.
Every risk has its own distinct characteristic that requires particular management
or analysis. Most people will recognise the "obvious", or most apparent risk that
they are facing. For example, the owner of a take-away restaurant will
immediately recognise the risk to the safety of their staff from using hot cooking
oil and implements. However, the risk to the business from a new local
competitor may not be as readily identified. An emerging concept in risk
management is that there are three types of risk:
Preparing for uncertainty: By their very nature, disaster and the unexpected are
unpredictable. A business owner must plan accordingly and determine how to
minimise business disruption.
(c) Biological hazards: including viruses, bacteria, fungi and other hazardous
organisms;
SELF-CHECK 1.3
1. What is the process of OSH risk management?
• Hazard, hazard identification, risk, risk assessment and risk management are
commonly used terms related to OSH risk management.
Andrews, J. D., & Moss, T. R. (2002). Reliability & risk assessment (2nd ed.). New
York, NY: ASME Press.
Bakri, A., Mohd. Zin, R., Misnan, M. S., & Mohammed, A. H. (2006).
Occupational safety and health (OSH) management systems: Towards
development of safety and health culture. Proceedings of the 6th Asia-
Pacific Structural Engineering and Construction Conference (ASPEC), (pp.
C-19-28). Kuala Lumpur, Malaysia.
Hughes, P., & Ferrett, E. (2002). Introduction to health and safety at work.
Oxford, England: Butterworth-Heinemann.
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Define hazards and hazards identification;
2. Describe categories of OSH hazards at the workplace; and
3. Explain the methods used in identifying hazards at the workplace.
INTRODUCTION
Accidents can happen almost anywhere. However, accidents do not just happen;
they are the result of a process involving many steps which have to occur in
order for the accident to happen. When an accident occurs, it not only affects
the quality of work produced but also the employee's respect for management. It
also diminishes a worker's motivation.
Another impact that accidents have on companies is that they can also
interrupt production, leading to missed business opportunities. Besides, a major
or high-profile accident can severely tarnish a company's corporate image,
which has taken a long time to nurture. This has, in fact, proven true on more
than a few occasions. There is no doubt that OSH is vital for business
sustainability.
When accidents occur leading to either injuries or fatalities, such tragedies bring
pain and agony not only to the victims but also to their families. It will create
anxiety for the rest of the family, especially for the victim's children. Life will
never be the same for them.
(a) Physical hazards such as noise, radiation, ventilation, thermal stress, poor,
electricity;
Since there are a lot of hazards that can cause injuries and property damage at
the workplace, it is important to manage them efficiently and effectively. In order
to identify the risk controls, it is necessary to identify the hazards and measure
the risks. These critical steps need to be planned and must be part of the
organisation's strategy to eliminate or minimise accidents at the workplace.
SELF-CHECK 2.1
1. Explain what hazards are.
(iv) Chemical Safety Data Sheet (CSDS) or Material Safety Data Sheet
(MSDS) if it involves exposure to hazardous substances.
(iii) There is evidence or reason to suspect injury through medical records, etc.;
(i) For employees who are exposed to a hazard for which there is an
identifiable health effect or disease (CSDS and others);
(iii) There are valid techniques for detecting effects and valid biological
monitoring methods are available; and
Many formal techniques have been developed for the systematic analysis of
complex systems. They attempt to consider all reasonable possibilities.
Therefore, techniques of mathematical analysis have been developed for
this purpose aided by brainstorming techniques among experts in the
processes. However, all these techniques suffer from the drawback that the
probability of future events can only be guessed.
We will only discuss further the first four techniques of hazard analysis
mentioned.
SELF-CHECK 2.2
1. Explain the five hazard identification techniques.
Health and Safety Executive (HSE). (1996). Five steps to risk assessment (2nd
revision). Sudbury, Suffolk: HSE Books.
Hughes, P., & Ferrett, E. (2002). Introduction to health and safety at work.
Oxford, England: Butterworth-Heinemann.
Health and Safety Executive (HSE). (1997). Successful health and safety
management (2nd ed.). Sudbury, Suffolk: HSE Books.
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Define risk assessment;
2. Explain the importance of risk assessment;
3. Discuss the relationship between OSH management systems and
risk assessment; and
4. Describe the tolerability-of-risk triangle concept.
INTRODUCTION
The methods for analysing hazards in occupational safety and health
management have improved over the years, with many theories on hazard
analysis having been introduced. The approach of these various methods may be
different but the ultimate objective is the same, that is, to prevent occupational
accidents or incidents from occurring.
Relative Risk = L × S
Where,
L = Likelihood
S = Severity
(c) What is the possibility of avoiding the hazard if it does occur?; and
(d) What is the likelihood of an injury should a safety control system fail?
Example:
S = Severity
F = Frequency
F1 Infrequent exposure
F2 From frequent to continuous exposure
P = Possibility
P1 Possible
P2 Less possible to not impossible
L = Likelihood
L1 Highly unlikely
L2 Unlikely
L3 Highly likely
(a) To have a "feeling" about or gauge how safe the workplace is;
The risk assessment exercise is one of the core processes in Occupational Safety and
Health Management Systems (OSHMS) such as OHSAS 18001 and MS 1722.
Furthermore, the risk assessment process will give an overview of the level of
OSH risks at the workplace.
SELF-CHECK 3.1
What are the factors that must be taken into account when conducting
risk assessment at the workplace?
Figure 3.1 shows the relationship of risk assessment in the management system.
This is taken from the OHSAS 18001:2007 standard, which originated from
the Quality Management System (QMS). This system covers all stages of
management from the planning stage to corrective action and will enable the
continuous improvement of OSH activities and standards in the organisation.
We will look into the details of the four elements: Planning, Execution Process,
Monitoring and Follow-up, and Corrective Actions.
3.3.1 Planning
The planning stage plays a crucial role in the management of OSH at the
workplace. Without proper planning, we are managing OSH without direction
or a map. There are five main activities in the planning stage as summarised in
Table 3.1.
Table 3.1: Five Main Activities in Planning Stage of Risk Assessment Management
Activity: Details

Safety and Health Policy:
An established Safety and Health Policy as a management commitment to ensure that the workplace is safe.
A legal requirement, endorsed by top management and to be reviewed and revised when necessary.
Needs to be communicated to all levels of employees.
Works as a guideline and direction in general on how to manage OSH at the workplace.

Risk Assessment:
An important step to identify the hazards, measure them and identify the controls needed to minimise the risk to the workers and damage to properties and environment.
Used to decide on priorities and set objectives or targets to eliminate risks or at least to minimise them to an acceptable level (Hughes & Ferrett, 2002).
A standard operating procedure (SOP) is normally established to standardise the process and procedures for performing risk assessment.
A task force represented by each department is necessary when performing risk assessment. This will ensure that the right person, who is familiar with their work and activities, can perform holistic risk assessment as accurately as possible. Furthermore, risk assessment should include "non-employees affected by the employer's undertakings such as contractors, clients and members of public" (Hughes & Ferrett, 2002).
Without proper coordination of the above links, the success rate of achieving the
risk assessment objectives is low. That is why it is important for top management
and all levels of employees to support and commit to minimising accidents at the
workplace through risk management. Based on OHSAS 18001:2007, to ensure the
success of the execution process, the organisation needs to meet all the criteria
summarised in Table 3.2.
Table 3.2: Seven Main Activities in Execution Process of Risk Assessment Management
Activity: Details

Roles, Responsibilities and Accountabilities:
The roles, responsibilities and accountabilities of the top management, middle management and employees with regard to OSH shall be defined clearly in their job descriptions.
This will ensure that employees at all levels are aware of their responsibility for their own safety and of their roles towards overall OSH in the organisation.
Risk assessment can be useless if the employees do not want to comply with OSH requirements stated in the procedure at the workplace, especially when it is related to work safety such as wearing Personal Protective Equipment (PPE).

Training and Competence:
Employees at all levels must be trained in OSH, at the very least in terms of their responsibilities towards OSH in their jobs.
For certain tasks that need special knowledge and skills in OSH, for example, working in confined spaces or with electrical work and radiation equipment, training must be provided.
It is required by law to have a competent person perform special tasks such as in the scope of a Safety and Health Officer and Chargeman. They should have appropriate education, training or experience in these tasks (OHSAS 18001).

Communication and Consultation:
Any OSH issues shall be communicated to employees via e-mail, intranet, notice board, memo, toolbox meeting or other methods.
Regular consultation between management and employees through the Safety and Health Committee to discuss OSH issues is required by law.

Documentation:
Document mapping on the levels and interrelation of documents is important to ensure employees are aware of the OSH documentation system.
From document mapping, the employees will know which documents need to be referred to and where they can get the documents.
This is important for fast retrieval and referral of documents when needed.
Only write documents that are needed, that is, "write what you do, do what you write".

Document Control:
This is important to ensure ONLY the latest documents are referred to.
It is critical to review and revise documents at regular time intervals to ensure they are updated and still valid for use.
The archive of documents needs to be stated to ensure OSH documents or records are kept as required by law, especially with respect to training records, OSH meeting minutes and medical records.

Operational Control:
Based on the results of Risk Assessment, some risks need to be controlled through documented Standard Operating Procedures (SOP) to ensure workers perform their tasks safely as stated in the SOP.
This is an additional precaution to ensure employees follow the steps on how to perform the task safely and minimise any accidents.
Some of the common documented operational control procedures are hot work activities (welding, metal cutting, brazing), electrical work, work at heights, working in confined spaces and equipment maintenance work.

Emergency Response Preparedness (ERP):
ERP is needed as a proactive preparation when the organisation needs to respond to any emergency situations such as fire outbreaks, chemical spills, gas leaks, bomb threats or any other emergency cases that could have an impact on the organisation's OSH matters and operations.
ERP needs to be tested periodically to ensure its effectiveness. It is reviewed and revised for improvement when needed.

Performance Measurement and Monitoring:
It is a qualitative or quantitative measure to monitor the extent to which the organisation's OSH objectives are met (OHSAS 18001).
Proactive (number of training, inspections, compliance) and reactive (number of accidents, near-misses) data can be collected to measure the performance.
The data collected can be used to update the risk assessment register and also to facilitate the corrective and preventive actions to minimise the risks.

Evaluation of Compliance:
The organisation needs to periodically evaluate its compliance commitment on legal requirements.

Incident Investigation:
Incident investigation is important in order to identify the root cause of a particular incident. The results of the incident investigations can then be compared with the results of the existing risk assessment. Consequently, the risk assessment should be reviewed and revised to ensure that corrective and preventive actions are taken and implemented appropriately.

Non-conformity, Corrective and Preventive (C&P) Actions:
Non-conformity and C&P actions are needed to identify and investigate non-conformity with OSH matters.
All the C&P actions are needed so that OSH matters are correctly mitigated and recurrence is prevented.
The C&P actions taken need to be reviewed to ensure their effectiveness.
The findings need to be updated and the effectiveness of actions linked to risk assessment.

Records of Control:
All records of work done need to be kept and controlled.
The records and data can be used for future reference in terms of continual improvement of risk assessment.
The records must link back to the risk assessment in order to ensure that the risk assessment is accurate, or effective in eliminating or minimising the risk.

Internal Audit:
The purpose of the audit process is to ensure that the risk assessment management, from planning stage to execution stage, achieves its goals in meeting OSH policy and objectives.
The audit must be performed periodically by a competent auditor and the audit report will be reviewed and presented to management in the corrective actions step.
SELF-CHECK 3.2
1. Relate the risk assessment components in the OSH management
system.
(a) Qualitative;
(b) Quantitative; or
Quantitative analysis uses numerical values (rather than the descriptive scales
used in qualitative and semi-quantitative analysis) for both severity and
likelihood using data from a variety of sources such as past accident experience
and from scientific research.
                      Severity (S)
Likelihood (L)     1     2     3     4     5
      5            5    10    15    20    25
      4            4     8    12    16    20
      3            3     6     9    12    15
      2            2     4     6     8    10
      1            1     2     3     4     5
Legend (risk level bands of the matrix): High, Medium, Low
To use this matrix, first find the severity column that best describes the outcome
of risk. Then follow the likelihood row to find the description that best suits the
likelihood that the severity will occur. The risk level is given in the box where the
row and column meet. The relative risk value can be used to prioritise necessary
actions to effectively manage workplace hazards. Table 3.7 determines priority
based on the following ranges:
Later, UK regulatory authorities used the TOR for reaching decisions on whether
risks from an activity or process are unacceptable, tolerable or broadly
acceptable. In this context, tolerable does not mean acceptable; it refers to
risks that are worth taking and that are properly controlled.
Figure 3.2 represents the meaning and value of the tolerability-of-risk triangle.
The triangle can be divided into three broad regions:
(a) The zone at the top represents the unacceptable region. For practical
purposes, a particular risk falling into that region is regarded as
unacceptable, whatever the levels of benefit associated with the activity.
Any activity or practice giving rise to risks falling in the uppermost region
would, as a matter of principle, be ruled out unless the activity or practice
can be modified to reduce the degree of risk so that it falls into one of the
regions below, or there are exceptional reasons for the activity or practice to
be retained.
(b) The zone between the unacceptable and the broadly acceptable region is the
tolerable region. Risks in that region are typical of the risks from activities
that people are prepared to tolerate in order to secure benefits, in the
expectation that: the nature and the level of risks are properly assessed and
the results used properly to determine control measures; the residual risks
are not unduly high and kept as low as reasonably practicable (ALARP);
and the risks are periodically reviewed to ensure that they still meet
ALARP criteria.
(c) The zone at the bottom represents the broadly acceptable region. Risks
falling into the region are generally regarded as insignificant and
adequately controlled. Regulators would not usually require further action
to reduce risks unless reasonably practicable measures are available. The
levels of risk characterising this region are comparable to those that people
regard as insignificant or trivial in their daily lives. They are typical of the
risk from activities that are inherently not very hazardous or from
hazardous activities that can be, or are, readily controlled to produce very
low risks. Nonetheless, the Health and Safety Executive would take into
account that duty holders must reduce risks wherever it is reasonably
practicable to do so or where the law so requires it.
The details of the two main challenges are summarised in Table 3.8.
To ensure risk assessment is effective and adds value to the organisation, the two
factors above must first be corrected. In order to achieve this, a paradigm shift
among management and employees is needed. The importance of risk
assessment must be explained and communicated to management and
employees by a competent safety and health professional.
ACTIVITY 3.1
With regard to the two main risk assessment challenges, discuss with
your coursemates how best to overcome these challenges.
Health and Safety Executive (HSE). (1996). Five steps to risk assessment (2nd
revision). Sudbury, Suffolk: HSE Books.
Guidelines for hazard identification, risk assessment and risk control (HIRARC).
(2008). Department of Occupational Safety and Health, Ministry of Human
Resources, Malaysia.
Health and Safety Executive (2001). Reducing risks, protecting people. Retrieved
from http://www.hse.gov.uk/risk/theory/r2p2.pdf
Hughes, P., & Ferrett, E. (2002). Introduction to health and safety at work.
Oxford, England: Butterworth-Heinemann.
Health and Safety Executive (HSE). (1997). Successful health and safety
management (2nd ed.). Sudbury, Suffolk: HSE Books.
INTRODUCTION
"Prevention is better than cure" is a common quote when it comes to illnesses. If
we can identify the potential cause of an illness, by taking extra precautions and
controls, we can minimise the chances of getting that illness. For example, we can
prevent heart disease by controlling our diet and exercising regularly.
(a) Improved productivity which results from employees feeling safe and
healthy when they are at work;
(b) A positive image among customers and the public when the organisation's
management is committed to workplace safety and health; and
(c) Minimised legal impact from enforcement bodies and also from the public
when the workplace is safe.
In this topic, we will look at how we can establish intervention, control and
prevention of risks at the workplace. It will also cover the basic hazards
prevention and risk control at the workplace and methods of prioritising
hazards control.
According to Section 15 of the Occupational Safety and Health Act (OSHA) 1994,
it is the duty of every employer and every self-employed person to ensure, so far
as is practicable, the safety, health and welfare of all employees. All
identified safety and health hazards must be eliminated if possible or controlled
as quickly as possible, subject to priorities based upon the degree of risk posed
by the hazards. The preferred method of hazard control should be through the
application of engineering controls or the substitution of less hazardous
processes or materials. Total reliance on personal protective equipment (PPE) is
acceptable only when all other methods are proven to be technically and/or
economically infeasible.
The decision of risk control can be guided using a common risk control
hierarchy. This is based on safety standards and also regulations in certain
countries such as Control of Substances Hazardous to Health Regulations and
Management of Health and Safety at Work Regulations in the UK.
Figure 4.1 summarises the common hierarchy of risk control principles from the
most effective to the least effective methods.
Figure 4.1: Hierarchy of the risk control principles in minimising risk at the workplace
The following subtopics will explain further the hierarchy of risk control
principles.
ACTIVITY 4.1
1. How can we convince management to invest financially in risk
control items in order to minimise risk at the workplace? Discuss.
4.2.1 Elimination
This is the most desired and effective risk control activity. By removing the
hazards, the risk will be automatically eliminated. For example, if the activity or
process is too risky or the risk is too high to workers, we should abandon the
process or activity completely.
4.2.2 Substitution
In the substitution approach, we use an alternative approach to minimise the
risk. A simple example is instead of using hazardous chemicals, such as acids, for
cleaning, we can use neutral liquids such as water and soap. When substitution
risk control is implemented, care should be taken not to introduce new hazards
as a result of introducing new material in the substitution process.
Figure 4.2: An example of total enclosure for toxic gas cylinder storage for equipment
operation
4.2.4 Isolation
Isolation is used to separate the equipment, machinery or process by using an
enclosure, fence, guard or barrier. This will prevent workers from approaching
the hazards. An example of isolation is shown in Figure 4.3.
Figure 4.3: An example of isolation risk control when nitrogen gases are needed to
support the worker's activity
Source: Bahr (1997)
4.2.5 Reduction
Reduction in risk control is performed by minimising the root cause of the risks.
This can be done by improving the process or activity. For example, noise
generated from piling activities can be minimised by reducing the hammering
force but increasing the frequency of hammering.
(a) Dust filters to filter dust and prevent dust inhalation by workers.
(b) Motion sensors to power off the machine when the sensor detects any
human part entering any equipment.
(c) Gas detection sensors to detect any toxic gas or chemical leaks before the
gas or chemical vapours are inhaled by workers.
Therefore, controlling risk in this approach involves overseeing all the factors,
which requires a system to monitor all the variable factors. This risk control
approach works as a complement to the other risk control approaches. To ensure
we manage risk efficiently and effectively using this approach, the system
will involve a closed-loop management system. In a management system, a
PDCA (Plan-Do-Check-Act) cycle is adopted. Figure 4.4 explains the common
PDCA cycle.
Procedure: Description
Emergency response plan: A procedure to respond in case of emergency, including building evacuation, mitigation response and communication protocol during emergency.
Permit to work system: Critical procedure when dealing with work with contractors and also non-routine or abnormal work.
Housekeeping: Housekeeping guidelines for workers to ensure the workplace is clean and organised.
Accident investigation: A standard process flow to gather information and perform investigation when accidents occur. This will help the organisation come up with a systematic flow to identify the root cause and identify the corrective and preventive actions to prevent the re-occurrence of the accident.
Preventive and corrective maintenance: A procedure to provide guidelines on how to perform maintenance safely.
Equipment / plant operation: A procedure to assist the operators in operating the equipment or plant safely.
SELF-CHECK 4.1
1. What are the critical factors involved in the selection of risk
control approaches once risks have been identified and assessed?
Discuss.
Risk controls can be ranked as most effective, more effective, less effective
and least effective, which helps to determine the effectiveness of control
measures currently in place.
Health and Safety Executive (HSE). (1997). Successful health and safety
management (2nd ed.). Sudbury, Suffolk: HSE Books.
Hughes, P., & Ferrett, E. (2002). Introduction to health and safety at work.
Oxford, England: Butterworth-Heinemann.
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe Job Safety Analysis (JSA) and its benefits;
2. Explain basic steps in JSA; and
3. Discuss the relationship between JSA and Safe Operating
Procedure.
INTRODUCTION
Do you know what the first step in managing OSH risk is? The first step in
managing OSH risk is the identification of hazards for all possible situations
where people may be exposed to injury, illness or disease, or where the
organisation may lose property and assets, including damage to the general
environment. There are many techniques that are used for the identification of
hazards. The selection of methods depends on the type of hazard.
Some techniques are designed for the identification of a hazard as it exists in situ,
such as observing the status of housekeeping or measuring noise levels at the
workplace. Others are designed to identify hazards that arise out of chemical
processes or equipment used in process plants. Bear in mind that this can also be
done even during the design stage of the process plant. In that case,
identification techniques such as Hazard and Operability Study (HAZOP) or
Failure Modes and Effects Analysis (FMEA) will be used. These techniques and
others will be discussed in subsequent topics of this module.
In this topic, we will first learn about the Job Safety Analysis (JSA) process for
specific jobs and tasks. In other words, we will focus on the identification of
hazards for activities that are carried out in sequence. Quite often these activities
are carried out by workers.
JSA goes beyond the process of identifying hazards to include
the process of controlling and mitigating the effects of the identified hazards.
Hazard and risk evaluation focuses on the worker as he performs his task and
takes into account the tools he uses, the materials he is handling or exposed to,
his work position, the procedure he uses to accomplish the work and his work
environment.
SELF-CHECK 5.1
1. Describe the differences between hazard identification activity
and JSA.
5.2 TERMINOLOGY
We have learnt that Job Safety Analysis (JSA) is a documented process where a
complete task or a job is broken down into its sequential steps. Each step is
evaluated for actual or potential hazards and risks through observation or other
means and control measures are developed to eliminate the hazards or reduce
their risks.
Terminology / Definition
Hazard: Source, situation or act with a potential for harm in terms of human injury or ill health or a combination of these.
Hazard identification: Process of recognising that a hazard exists and defining its characteristics.
Risk: Combination of the likelihood of an occurrence of a hazardous event or exposure and the severity of injury or ill health that can be caused by the event or exposure.
Risk assessment: Process of evaluating the risk that arises from a hazard, taking into account the adequacy of any existing controls, and deciding whether or not the risk is acceptable.
SELF-CHECK 5.2
1. Define JSA.
(a) Hazard;
(b) From accident theories, we know that the root cause of accidents is the
"lack of management control", meaning that there are weaknesses in the
management system (Bird, 1974). By doing JSA, the organisation will have
the opportunity to discover weaknesses in the system such as hazards that
were not previously recognised, training requirements that have not been
thought through, proper equipment that is not provided or procedures that
are not appropriate.
(c) Doing JSA will provide management with the discipline to analyse a work
activity and have this written down in detailed sequential steps. The result
will become a useful guide for workers involved in this particular activity
in the future. It can be used to train new workers. This will also improve
communication between workers and their supervisors.
(d) With the reduction in incidents and accidents, the potential improvement in
work methods, worker morale, compliance with legal and management
system and improved image and reputation will all lead to increased
productivity and profitability for the organisation.
SELF-CHECK 5.3
(a) Jobs that involve lifting, climbing, working at heights or trips, slips and
falls;
(b) Jobs that have potential to cause disabling injuries including loss of limbs,
body functions or illnesses such as cancer;
(c) Jobs that are complicated requiring detailed steps and planning such as
when installing heavy equipment;
(d) Jobs that are risky, where a simple error can cause heavy consequences such
as when handling materials with fire and explosion hazards; and
(e) Jobs that are new or have had a JSA done previously but now have changed
the processes or procedure.
A valuable source of information that you can use to determine which job is to be
analysed, is your organisation's OSH reports, which include OSH audits and
incident or accident investigation reports.
(b) Workers will have the "buy-in" when the time comes for them to carry it out.
Make sure the job steps are simple and perhaps consist of no more than ten steps.
If the steps are long or complicated, this may indicate that the job can be further
broken down into separate smaller tasks and a separate JSA can be carried out for
these. On the other hand, do not make the steps so broad that each step contains
many activities. Do not, for instance, make "change the car tyre" a step, as this
involves many activities. Likewise, do not break a step down as far as the
individual actions within "unbolting the wheel". Look for logical break points to
define the steps. For example, the job of "change the car tyre" can be broken
down as shown in Table 5.2.
Table 5.2: Job Safety Analysis Worksheet for Changing a Car Tyre (Break Down the Job
into a Sequence of Steps)
As can be seen in Table 5.2, in each of the steps given, you will have different
activities, use different tools and be confronted with different sets of hazards.
Review with the worker to see if all the steps to accomplish the job have been
taken into account and whether the steps are in the right order. Thus, in the
case of "change the car tyre", the job begins with "secure the car" and finishes
with "lower the jack".
You can also use a form to record each job and its consequential steps. The form
can be as simple as the one in Table 5.2, or you may consider using a more
comprehensive one which includes risk assessment for each hazard (see
Appendix 1). Evaluate the risk in exactly the same way as discussed in the
previous topic.
Step 1:
Gather information on previous accidents in the workplace in question.
Step 2:
Observe and take note of the general environment of the work at the time the
work observation is being conducted. Although the work environment may
not be directly related to the work itself, it may affect the work or the worker
to some, or a considerable, extent. For example, you should observe:
(a) The status of housekeeping where the job is to be performed;
(b) Whether there are obstructions in the path of the worker, for example,
materials on the floor that could cause him to trip;
(c) The level of lighting;
(d) The level of noise; and
(e) The existence of live electrical hazards or radiation hazard.
Use the information given and also information from personal experience or
general observation of the work to list the things that could go wrong at each
step of the job. When this is done, the actual observation can be more focused on
the job and the worker itself.
Do you still remember the hazard identification techniques that we learnt earlier?
To supplement the techniques discussed previously, you can identify the
potential hazard at each step by asking yourself a series of questions. These are
some examples of questions that you can modify for your own needs:
(a) Can the worker make harmful contact or be struck by sharp, fixed or
moving objects?
(b) Can the worker get caught in between objects or moving machinery?
(c) Can any part of the worker's body, clothing or jewellery get caught in
moving parts?
(d) Can the worker make contact with electricity or hot, toxic, caustic and
hazardous substances?
(f) Are the tools, machines and equipment that the worker uses appropriate
and safe?
(g) Does the worker know how to use the tools, machines and equipment
correctly?
(i) Can the worker be injured by reaching over to the machinery, moving or
feeding material into it?
(j) Is machinery adequately guarded and floor openings or pits and holes
covered?
(k) Is the worker required to make repetitive motions over long periods?
(l) Is the worker required to carry out lifting, pulling or carrying heavy objects
without mechanical assistance?
The answers to these questions are noted for each of the steps and are then
ready to be used in the next JSA step, which is to determine preventive measures
to control these hazards.
Remember the example in Table 5.2? Now, take a look at Table 5.3; it is the same
example with potential accidents or hazards included.
Table 5.3: Job Safety Analysis Worksheet for Changing a Car Tyre
(Identify Potential Hazards)
Determining the preventive and control measures for the hazards found in JSA
will follow the same rules as discussed in the previous topic. You can also use the
Hierarchy of Control principles to determine the preventive and control
measures for JSA.
As can be seen in Table 5.4, we have added the preventive measures to the
example that we created in subtopic 5.4.2.
Table 5.4: Job Safety Analysis Worksheet for Changing a Car Tyre
(Determine Preventive Measures to Control These Hazards)
The job instruction must be made known to those who have to perform the job or
those who are involved in one way or another with the job. Furthermore, those
who are directly involved in the job must be given training. The right tools,
equipment and other requirements identified in the JSA must also be made
available. Finally, the procedures must be enforced and monitored.
Copyright © Open University Malaysia (OUM)
In the construction industry, JSA is crucial to the success of every project. Every
job can be different at different times and places. Thus, JSA should be conducted
most of the time and be included in the project method statements. It should be
the organisation's policy to conduct JSA for any new job.
SELF-CHECK 5.4
Describe the actions an organisation must make on the completion of a
JSA.
The result of the JSA will directly make the worker and the workplace safer.
This will improve productivity and profitability in the organisation.
Through the JSA process, the organisation has the opportunity to identify
potential improvements to its management system.
The four major steps in conducting a JSA are: select the job to be analysed,
break down the job into a sequence of steps, identify potential hazards and
determine preventive measures to control these hazards.
Reason, J. (1990). Human error. New York, NY: Cambridge University Press.
APPENDIX 1
INTRODUCTION
Task analysis is the systematic examination of a task to identify all hazards or
risks associated with the task and develop controls for those exposures.
Organisations of all types have found this to be an extremely useful activity, not
only to improve safety and health but also for the overall improvement of
operations. Task analysis is the direct application of the goals of occupational
safety and health (OSH) control management to the work that is being done in an
organisation.
(a) Task
A task is a segment of work, which requires a set of specific and distinct
actions for its completion.
Examples are:
A task for an electrician might be to wire a junction box. This task could be
done in isolation or could be one of a series of tasks necessary to complete a
much larger work assignment, such as wiring a house.
(c) Procedure
A procedure is a step-by-step description of how to proceed, from start to
finish, in performing a task properly.
(d) Step
A step is one segment of the total task where something happens to
advance the work being performed.
Upon completion of task analysis, we can further develop a task procedure or a
task practice. Task practices are used to avoid attempting to write procedures
for tasks that cannot realistically be proceduralised, which would produce an end
product that is not practical. Task practices are especially useful with trades,
crafts, maintenance and materials handling, where the same task may be done in
a wide variety of settings and circumstances.
Table 6.1 explains the five steps in developing task procedures and practices.
Step Description
Step 1 Systematically create an inventory of tasks and identify the critical tasks.
Step 2 Analyse each critical task by:
Reducing it to the steps performed;
Identifying all loss exposures;
Making improvement suggestions; and
Developing controls for each exposure.
Step 3 Write task procedures or practices.
Step 4 Put procedures to work.
Step 5 Maintain records through periodical review and updates.
SELF-CHECK 6.1
1. Define task analysis.
(a) Create an inventory of all the tasks performed by all the occupations;
The best system will probably include a combination of these approaches. The
following discussion looks at one such approach.
These occupations are functional to the operation and are not necessarily the
classification established by the human resources department. The best list of
occupations will come from those who supervise the work.
Examples of such tasks might include emergency shutdown actions for specific
equipment, a control room operator's procedure for instrument loss or donning
of escape breathing apparatus. It also includes tasks that a worker may no longer
be familiar with because they are seldom done.
The people who can best identify all the tasks for a particular occupation are the
supervisors or leaders and workers. They are the most experienced or
knowledgeable about the occupation. They can do this as a team by
brainstorming about the hands-on work related to that occupation or by
observing and talking with those who actually do the work. This provides an
excellent opportunity to apply the principle of involvement by utilising the
expert experience and help of those who will be most affected: the work group.
Remember, a team of people who are knowledgeable about the work being
considered should always be made a part of every stage of task analysis and
procedure.
(a) Terms such as "operate" and "maintain", when used to describe a single task,
often indicate that the work has been too broadly defined and should be
broken down into several more manageable tasks. Determine whether the
work described is a skill or a segment of work which requires a set of
specific and distinct steps for its completion;
(b) Activities which use the -ing form of the verb (stacking, moving, loading,
and cleaning) are usually general responsibilities rather than specific tasks.
Tasks can be identified from such descriptions, however, by further asking
"What is being stacked, moved, loaded or cleaned and where is this taking
place?";
(c) Rarely would a task be comprised of a single step, such as "rotate the 7/8
wrench one half a turn clockwise" or "push the reject button." Rather, a
task is almost always made up of a number of definite steps, each
contributing to the completion of the task (tasks can be too narrowly
defined, as well);
(e) The greater the number of people required to complete the work, the greater
the chance that more than one task is involved, for example, one to two
workers versus three to five; and
Perhaps the most common error made by task inventory development teams is to
be too broad in defining what will be considered a task. When tasks are broadly
defined at this initial stage, the subsequent stages are seriously compromised.
This is because all the specific work being done within each occupation will not
have been fully identified.
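One way to apply guidelines (a), (b) and (e) above when reviewing a draft task inventory, as an added example (this is not code from the module): each candidate task statement is checked for broad compound verbs, for an opening "-ing" form, and for the number of people required, and the statements that trigger a guideline are reported with the follow-up question the text suggests. The verb pairs, the two-person cut-off, the "-ing" exception list and the sample statements are assumptions constructed for this illustration.

```python
"""Task-inventory definition checks (added example; not from the module text).

Applies three of the guidelines in subtopic 6.2 to candidate task statements:
(a) broad compound verbs such as "operate and maintain" signal that the work
    is too broadly defined;
(b) statements in the "-ing" form ("stacking", "cleaning") are general
    responsibilities rather than specific tasks;
(e) more than two people needed suggests more than one task is involved.
"""
from __future__ import annotations

import re

# Assumption: verb pairs that usually describe a whole occupation, not one task.
BROAD_VERB_PAIRS = (("operate", "maintain"), ("install", "service"))
# Assumption: "one to two workers versus three to five" read as a cut-off of two.
MAX_PEOPLE_FOR_ONE_TASK = 2
# Assumption: common verbs that end in "ing" but are not the -ing form.
ING_EXCEPTIONS = {"bring", "sing", "ring", "swing", "string", "spring", "wring"}


def check_task_statement(statement: str, people: int = 1) -> list[str]:
    """Return the guideline findings for one statement (empty list = none)."""
    findings: list[str] = []
    words = re.findall(r"[a-z]+", statement.lower())

    # Guideline (a): both halves of a broad verb pair present.
    for first, second in BROAD_VERB_PAIRS:
        if first in words and second in words:
            findings.append(
                f"too broad: '{first} and {second}' describes several tasks; "
                "break the work down into manageable tasks"
            )

    # Guideline (b): statement opens with an -ing form.
    if words and words[0].endswith("ing") and words[0] not in ING_EXCEPTIONS:
        findings.append(
            f"general responsibility: '{words[0]}' is an -ing form; ask what is "
            f"being {words[0].removesuffix('ing')}ed, where and by whom"
        )

    # Guideline (e): more people than one task normally needs.
    if people > MAX_PEOPLE_FOR_ONE_TASK:
        findings.append(
            f"{people} people required: check whether more than one task is involved"
        )
    return findings


def review_inventory(inventory: list[tuple[str, int]]) -> dict[str, list[str]]:
    """Run the checks over (statement, people) pairs; return only flagged entries."""
    flagged: dict[str, list[str]] = {}
    for statement, people in inventory:
        findings = check_task_statement(statement, people)
        if findings:
            flagged[statement] = findings
    return flagged


# Constructed sample inventory entries for illustration only.
SAMPLE_INVENTORY = [
    ("Operate and maintain the boiler", 1),
    ("Stacking pallets in the warehouse", 1),
    ("Wire a junction box", 1),
    ("Replace the conveyor drive belt", 4),
]

if __name__ == "__main__":
    for statement, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(statement)
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately coarse: they are meant to prompt the team's discussion of a draft inventory, not to replace the judgement of the supervisors and workers who know the occupation.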
(a) Can this task, if not done properly, result in major loss while being
performed?
(b) Can this task, if not done properly, result in major loss after having been
performed?
(c) How serious is the loss likely to be? What is the severity of injury, cost of
damage or cost of quality or production loss likely to be? Are other persons
or departments likely to be affected?
Frequency of loss is strongly influenced by how often the task is performed in the
organisation in a specific time period (repetitiveness), and how likely it is to
result in a loss each time it is done.
There are many degrees of criticality and, in fact, every task worth doing is
critical to some degree. Thus, a system which develops a scale of criticality is
likely to result in fewer differences of opinion than one which merely classifies
the task as critical or not critical. It is suggested that the above factors be
converted into three scales relating to severity, frequency of exposure and
probability of loss. Some subjective judgement is still required of the team
members, but the fact that each factor is given due consideration results in a more
consistent and logical classification of tasks according to their criticality. The
following paragraphs describe a practical evaluation system that is both easy to
understand and simple to use.
6.3.1 Severity
Severity is derived from the losses being incurred or the loss most likely to be
incurred as a result of wrong performance of the task. In many cases, a whole
range of losses could occur but only the most likely result is considered. If a
wrong vessel entry procedure results in an accident, it is more likely to be serious
than not, while a wrong shovelling technique is more likely to result in a small
loss than a large loss.
Scale Description
0 No injury, illness or quality, production, environmental or other loss of
less than $1,000.00
2 Minor injury or illness without lost time; non-disruptive property
damage; quality, production, environmental or other loss of $1,000.00
to $10,000.00
4 A lost time injury or illness without permanent disability; disruptive
property damage; quality, production, environmental or other loss of
more than $10,000.00 but not exceeding $50,000.00
6 Permanent disability; loss of life or body part; extensive loss of
structure, equipment, material; quality, production, environmental or
other losses exceeding $50,000.00
6.3.2 Frequency
Frequency of exposure can be assessed from Table 6.3, using a scale of one to
three.
6.3.3 Probability
The probability or likelihood of loss occurring whenever a particular task is
performed is influenced by the following factors:
(b) Difficulty (that is, is the task prone to quality, production or other
problems?);
(d) The chance that there will be loss if the task is improperly performed.
These factors are not evaluated separately but they should all be borne in mind.
The key question is "How likely is it that things will go wrong as a result of the
performance of this task?" From this consideration, an estimate of the likelihood
should be quantified. A scale from -1 to +1 is used as follows:
The points allotted to each of the three factors are then added to indicate a scale
of criticality ranging from 0 to 10 (refer to Table 6.4). It is, in effect, an order of
priority. Management may decide that all tasks allotted less than, say, three
points will be disregarded from an occupational safety and health control point
of view and not be listed as critical tasks. On the other hand, tasks allotted eight
or more points will be regarded as the most critical tasks, requiring immediate
attention.
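The scoring just described, carried through as an added example (this code is not part of the module): the severity, frequency and probability points of each task in a constructed inventory are added to give a criticality score from 0 to 10, the inventory is sorted into order of priority, and the two management cut-offs quoted in the text as illustrations (fewer than three points not listed as critical; eight or more points most critical) are applied. The task names and point values are constructed for the illustration, and the severity_from_loss helper is an assumption that maps only the monetary bands of the severity scale; injury-based severity is still judged by the team.

```python
"""Critical task evaluation (added example; not from the module text).

Implements the criticality scale of subtopics 6.3.1 to 6.3.3: severity
(0, 2, 4 or 6 points), frequency of exposure (1 to 3 points) and probability
of loss (-1 to +1 points) are added to give a criticality score from 0 to 10.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_POINTS = {0, 2, 4, 6}
FREQUENCY_POINTS = {1, 2, 3}
PROBABILITY_POINTS = {-1, 0, 1}

# Assumption: the thresholds the text quotes as examples ("say, three points",
# "eight or more points"); an organisation would set its own.
NOT_CRITICAL_BELOW = 3
MOST_CRITICAL_FROM = 8


def severity_from_loss(monetary_loss: float) -> int:
    """Map the most likely monetary loss to the severity points of the scale.

    Assumption: covers only the cost bands of the table (< $1,000; $1,000 to
    $10,000; over $10,000 up to $50,000; over $50,000). Injury-based criteria
    such as lost time or permanent disability are judged separately.
    """
    if monetary_loss < 1_000:
        return 0
    if monetary_loss <= 10_000:
        return 2
    if monetary_loss <= 50_000:
        return 4
    return 6


@dataclass
class Task:
    occupation: str
    name: str
    severity: int      # 0, 2, 4 or 6
    frequency: int     # 1 to 3
    probability: int   # -1, 0 or +1

    def criticality(self) -> int:
        """Sum of the three scales; ranges from 0 to 10 by construction."""
        if self.severity not in SEVERITY_POINTS:
            raise ValueError(f"severity must be one of {sorted(SEVERITY_POINTS)}")
        if self.frequency not in FREQUENCY_POINTS:
            raise ValueError("frequency must be 1, 2 or 3")
        if self.probability not in PROBABILITY_POINTS:
            raise ValueError("probability must be -1, 0 or +1")
        return self.severity + self.frequency + self.probability

    def classification(self) -> str:
        """Apply the management cut-offs to the criticality score."""
        score = self.criticality()
        if score < NOT_CRITICAL_BELOW:
            return "not critical"
        if score >= MOST_CRITICAL_FROM:
            return "most critical"
        return "critical"


def rank_inventory(tasks: list[Task]) -> list[Task]:
    """Return the tasks in descending criticality, i.e. the order of priority."""
    return sorted(tasks, key=lambda t: t.criticality(), reverse=True)


# Constructed sample inventory for one occupation (illustrative values only).
SAMPLE_INVENTORY = [
    Task("Process operator", "Enter vessel for cleaning", severity=6, frequency=1, probability=1),
    Task("Process operator", "Shovel spilled product into drum", severity=2, frequency=3, probability=0),
    Task("Process operator", "Read shift log", severity=0, frequency=3, probability=-1),
]

if __name__ == "__main__":
    for task in rank_inventory(SAMPLE_INVENTORY):
        print(f"{task.criticality():2d}  {task.classification():13s}  {task.name}")
```

Because the lowest possible sum is 0 + 1 + (-1) and the highest is 6 + 3 + 1, the score always lies within the 0 to 10 range the text gives; the value checks in criticality() make sure a team member cannot enter a point value that is not on one of the three scales.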
The Critical Task Inventory Worksheet and Critical Task Analysis Worksheet
(refer to Figure 6.1 and Figure 6.2) are useful tools for listing the tasks performed
by an occupation and then evaluating the criticality of each task. The Major Loss
Exposures column shows the specific potential losses which could occur while
the task is being performed. Notice that all types of loss exposures should be
considered including safety, health, environment, quality, damage, fire,
production problems and excessive costs. For some organisations, the losses
might include matters such as loss of a major customer or loss of significant data.
The worksheet also documents whether a task procedure or a set of task practices
is needed. At times, this can be determined when the criticality of tasks is
evaluated. At other times, further analysis of the task is required before making
this decision. Whether skill training is required can also be decided. These and
other important considerations can be recorded so that the completed form
serves as a checkpoint to determine progress in dealing with the tasks that have
been inventoried and evaluated. It can also become the basis for identifying tasks
for the observation programme.
SELF-CHECK 6.2
1. Explain how to determine a task as critical.
Identifying every step of a critical task is essential to the end result. When the
task is first observed, write down everything the worker does. The worksheet
shown in Figure 6.2 may prove helpful. After each step of the task is identified,
the team can go back and combine things or eliminate unnecessary details.
The breakdown must include every key step that is inherent in doing the task
correctly, but exclude those which will trivialise or overly burden the process.
The decision to consider any aspect of a task's performance as a distinct step can
also follow the thinking used in classifying the criticality of a task. In other
words, one could ask the question, "Could a major loss result if the task is done
incorrectly?"
Experience shows that many tasks can be broken down into ten to fifteen or even
twenty key steps. Certain tasks might justify a greater number of key steps. Each
task must be evaluated on its own needs. The key to the prevention of losses
from injury, property damage, quality problems or production losses is each
team member's judgment in selecting the appropriate task steps.
Whenever feasible, use the observation and discussion technique, in which you
actually see the person, the equipment, the materials, the surroundings and the
process.
Step 1 - Select several good workers who are willing to share their knowledge
and experience.
Step 2 - Gain cooperation by explaining what is being done and assuring that it
is the work, not the worker, which is being evaluated.
Step 3 - Observe the task being done by one of the selected workers and record
an initial breakdown.
Step 4 - Discuss this breakdown with the worker for accuracy, thus encouraging
the worker to share knowledge and experience.
Step 5 - Repeat Steps 2 to 4 with another worker if appropriate. Record the basic
steps of the task breakdown. It usually helps to start each statement
with an action verb, such as set, adjust, start or remove.
Step 6 - Contact other interested groups such as safety and quality control for a
detailed discussion and/or critique of the identified steps. Incorporate
their suggestions with revisions as necessary.
Step 1 - Get together the most knowledgeable people available, holding one or
more meetings with some or all of these people, as appropriate.
Step 4 - Present this information to another team for verification to ensure that
all steps have been identified.
When pinpointing these specific loss exposures, avoid describing them in general
terms such as personal injury, poor quality, prolonged down time, or increased
costs. To be of real value, these entries must be specific enough to give team
members sufficient insight when control measures are being considered.
Carefully judge each of these four subsystems within the total system and answer
such questions as:
(a) People
(i) What contacts are present that could cause injury, illness, stress or
strain?
(b) Equipment
(i) What hazards are presented by the tools, machines, vehicles or other
equipment?
(c) Material
(d) Environment
(ii) What are the potential problems of sound, lighting, heat, cold,
ventilation or radiation?
(iii) Is there anything in the area that would be seriously affected if there
are problems with the task?
(iv) Has the external as well as the work environment been considered?
Substitute: Use a different substance, material, chemical, etc., that does not present the problem (such as one that is less flammable, toxic or corrosive).
Relocate: Relocate the task so that it is done elsewhere in the process, or relocate where it is done (inside versus outside, shop versus on-site) for greater safety and efficiency.
Increase people's desire to control losses by providing effective incentives and reinforcements.
The savings resulting from improvement checks have often more than paid for
all the time and effort invested in the entire task analysis process. In fact, for
some organisations, the savings have exceeded the costs of the entire safety and
health programme for that period of time. When it is considered that the primary
purpose of task procedures is to guide training, it becomes even more important
that they show the best methods; otherwise, inefficiencies may be permanently
entrenched in an organisation. A summary of the improvement check process is
shown in Figure 6.3.
• WHY is it necessary?
PEOPLE
• What are the critical needs for rules, for job instruction and for job
observation?
EQUIPMENT
• What are the potential hazards that could cause equipment damage,
fire or explosion?
MATERIAL
• How can we best prevent waste and damage of raw materials and
products?
ENVIRONMENT
(a) They start with a statement of the purpose and importance of the task. This
is included to increase motivation and understanding, and thereby
retention and conformance;
(c) They express the steps in a positive way rather than a long list of "don'ts";
(e) They are printed in a simple, functional format. Since procedures are
primarily teaching and learning tools, they must be clear, concise, correct
and complete.
As mentioned, not all tasks can or should be proceduralised. For some tasks,
practices may be more functional and useful. Guidelines for preparing functional
practices are:
(a) To present positive guidelines for correct performance of the specific task,
plus pertinent rules and regulations;
(b) Sometimes not limited to a specific task, but dealing with a fairly wide
range of work activities (for example, using a chain saw, entering confined
spaces, handling explosives, locking out equipment); and
(c) Especially useful for occupations in which workers perform a large number
of tasks infrequently or where specific tasks are hard to define as
procedures because the way they are done varies greatly with the specific
situation.
Emergency procedures: Refer to the procedures for cases of fire, explosion, flooding and other catastrophes. Specify emergency first aid equipment, emergency shutdown procedures and reporting requirements which apply particularly to the task.
Critical rules and regulations: Reinforce the most important rules by including them in the work practices. Keep them as short and simple as possible; give the reasons for the rules and focus on the critical few.
Positive and proper practices: Highlight the things that the worker can do to ensure efficient, safe, productive results. Accentuate the positives.
Summary statement: Summarise the most important points. Give a prescription for positive action. Focus on the benefits of proper performance.
The purpose of a task practice is to give people written guidelines for doing
critical tasks the best way.
Ways / Description
Employee orientation: One of the first things new employees want to know is what work they will be doing. Copies of task procedures and practices are useful for explaining this to them. Give them copies to study before starting proper task instruction.
Proper task instruction: Written procedures and practices are of tremendous value in helping leaders meet their basic responsibility for teaching others how to do their tasks properly (correctly, quickly, conscientiously, safely).
Personal contacts, coaching and tipping: Written task procedures and work practices are an abundant source of practical points for supervisors to emphasise in their personal contacts with workers and in their vital leadership skills of coaching (the day-to-day actions taken by the supervisor, designed to stimulate a subordinate to improve) and tipping (the organised process of giving employees helpful hints, suggestions, reminders or tips about key quality, production, cost, or safety points in their work).
Safety talks: When everyone in the group performs the task or is directly affected by it, written procedures and practices provide supervisors with excellent information to emphasise in their group meetings (Safety Talks, Toolbox Meetings, Tailgate Sessions).
Accident or incident investigation: Written descriptions of the work help supervisors do a thorough job of investigating accidents and incidents, analysing whether the work was being done as it should be, where the process went wrong, and what kinds of changes could lead to better control.
Skill training: By showing specifically and systematically what the work is, written task procedures and work practices improve the efficiency and effectiveness of training programmes for equipment operators and other skilled workers.
(c) Whenever significant changes occur which can or will affect the task
performance (such as materials used, process or design alterations, area
changes, personnel and/or equipment changes).
(c) Checklists;
SELF-CHECK 6.3
Prior to any work being done to identify critical tasks, all persons involved
should have a mutual understanding of two key terms: task and critical task.
Task analysis is geared toward illustrating the proper way to complete a task,
including considerations for safety, quality, reliability and production.
INTRODUCTION
HAZOP studies are undertaken by the application of a formal, systematic and
critical examination of the process and engineering intentions of a process
design. The potential for hazard is, thus, assessed and malfunctions of individual
items of equipment and the consequences for the whole system are identified.
team. This technique became widely known and popular after ICI conducted a
course on the subject in the UK in 1974, shortly after the Flixborough disaster.
The installation of the bypass pipe was a modification with many flaws, the worst
of which was that no HAZOP was conducted prior to the installation. Of course,
at the time the HAZOP technique was not yet known outside of ICI. In fact, the
term HAZOP itself was not invented until 1983. Had the technique been used
during the plant modification, this accident might not have occurred.
Following several successive disasters, such as the Seveso disaster in Italy in 1976
and later the 1984 Bhopal disaster in India, the European Union issued the
Seveso II Directive in 1998. The Directive, which was aimed at preventing major
industrial accidents and mitigating their consequences, is a driving factor that
ensures the wider use of HAZOP. HAZOP became a legal requirement for
process plant design in Europe and the US at first, and now throughout the
world.
However, HAZOP has an extended scope that covers the evaluation of potential
deviations from the design intent of a system. It must be emphasised that
HAZOP focuses not only on potential hazards such as safety, health, equipment
integrity, property and environmental risk but also operability problems and
system efficiency. Again, similar to JSA, HAZOP is better applied at an early
stage before work begins or at the design stage of plant construction.
HAZOP studies normally involve a team that has experience in the plant or design
to be studied. These team members apply their experience of the design and their
technical expertise in the HAZOP study sessions to achieve the aims of the HAZOP.
Each HAZOP has a set of objectives, which are particular to that study and which
are decided as near to the beginning of the study as possible. However, there is a
set of four overall aims which any HAZOP should address:
(a) Identify all deviations from the way the design is expected to work, their
causes and all the hazards and operability problems associated with these
deviations;
(b) Decide whether action is required to control the hazard or the operability
problem and if so, to identify the ways in which the problem can be solved;
(c) Identify cases where a decision cannot be made immediately, and to decide
on what information or action is required; and
The study may not be able to resolve all the hazards that arise at the meeting and
so firm recommendations for change cannot always be guaranteed to result from
deliberation at a HAZOP study meeting. The meeting may decide that it requires
further information, or that a detailed study of a particular issue is necessary.
Some of the questions may be answered by other personnel who did not attend
the meetings, and some issues could require, for example, specific hazard
analysis.
When all components have to work together as a whole and at the same time are
exposed to operating deviations, the system could still fail to work as intended.
Furthermore, when one part of a system of a process is modified or becomes
faulty, there could be an undesirable ripple effect on the rest of the system.
Legislation in the UK, the European Union and then elsewhere, intended to
control major industrial accidents and their consequences, provides the additional
impetus that ensures the wider use of HAZOP.
(a) Systems involving the delivery of goods and services or the movement of
people as in the services industry (for example, "What could go wrong with
the pizza or speed of delivery of the pizza in a pizza home delivery
service?"); analysis of operating instructions.
HAZOP is usually conducted for the review of a new plant design, for an existing
plant or facility that is about to be modified, or before a set procedure is put into
practice. The best time to conduct a HAZOP is as late as possible but just before the
design is frozen for implementation. HAZOP is useful in that it identifies and
evaluates problems in advance, before they arise during the operation phase. This
is because once a plant or a facility is built or a process is implemented, it is
impossible or too expensive to modify it should operational or safety problems
appear. The problems that arise can be catastrophic, as exemplified by the
Flixborough cyclohexane plant disaster in 1974.
The difference between HAZOP and other hazard identification methods is that
HAZOP focuses on problems at a higher level, the system level. It looks at,
among other matters, conformance with design intent and system performance
concerns. Other methods, such as FMEA and FTA, are more preoccupied with
failure at the component level. HAZOP gives you the big picture, whilst the
other methods are more detailed and can be used in a complementary manner
to it. For example, if the HAZOP examines the flow of fluid in a pipe, then no
flow could be a problem due to a faulty valve. In this situation, FMEA can be
used for in-depth analysis of the potential for valve failure.
SELF-CHECK 7.1
1. Briefly discuss the history of HAZOP.
7.3 TERMINOLOGY
Now let us look at Table 7.1, which lists commonly used HAZOP terminology.
Characteristics: Qualitative or quantitative property of an element. Examples of characteristics are pressure, temperature and voltage. Traditionally, the term "parameters" is used here. "Characteristics" is a more general term for other situations where HAZOP is now applicable.
Deviation: Departure from the design intent (IEC, 2001).
Design intent: Designer's desired, or specified, range of behaviour for elements and characteristics (IEC, 2001).
Element: Constituent of a part which serves to identify the part's essential features (IEC, 2001). The choice of elements may depend upon the particular application, but elements can include features such as the material involved, the activity being carried out, the equipment employed, etc. Material should be considered in a general sense and includes data, software, etc.
Guide word: Word or phrase which expresses and defines a specific type of deviation from an element's design intent (IEC, 2001).
Hazard: Source, situation or act with a potential for harm in terms of human injury or ill health or a combination of these (OHSAS 18001:2007). In the context of HAZOP, the potential hazard could arise from any operation or any action that could cause catastrophic release of toxic, flammable or explosive chemicals that could result in human injury or ill health to personnel or the public, or damage to property or the environment.
HAZOP: A structured and systematic examination of a planned or existing process or operation in order to identify and evaluate potential hazards and operability problems, or to ensure the capability of plant and equipment to operate in accordance with the design intent.
design intent, their causes and their consequences. To facilitate discussions, a set
of pre-determined "guide words" is prepared and used to trigger the
brainstorming discussions. See Table 7.2 for a list of guide words to use.
The result of these deliberations is recorded for further action. The result may or
may not include recommended solutions to the problem, which may be included
depending on the objectives of the study. The entire process of this HAZOP
activity is illustrated in Figure 7.1.
Traditionally these parts are called "nodes". This is not always appropriate. See
terminology on "parts".
See Table 7.2 for the standard guide words used in HAZOP. In practice, this list
of guide words could be supplemented with other guide words to suit the
situation or process at hand, such as when HAZOP is used to analyse movements
of goods or people. It is the duty of the HAZOP team leader to prepare suitable
guide words before the HAZOP meeting. Table 7.3 lists additional guide words
that can be used. Sometimes we need additional guide words to characterise the
element we are analysing.
For instance, if we use "more" (from Table 7.2) to analyse a problem, then the
question is "more" of what? Suppose we are analysing the problem of driving
a car (see Table 7.6); then perhaps "more" "speed" (Table 7.4) is the characteristic
of the problem. Table 7.4 lists sample guide words that are used specifically with
the guide words in Table 7.2 and Table 7.3. Table 7.5 shows examples of the
use of guide words relating to operational procedures.
Table 7.4: Non-Exhaustive List of Guide Words on Characteristics (or Parameters) to be
used with Guide Words in Table 7.2
Now we will look at Table 7.6 for a simple example of the use of guide words in
HAZOP.
Characteristic | Guide word | Possible causes | Consequences | Action | Safeguard
Car speed | More | Rushing | Skidded in emergency | Slow down | ABS brake system
Car speed | Less | Road crowded | Pile up | Speed up | Safety belt; air bag
Tyre tread | No tread | Old tyre; speeding and braking often | Car skidded | Learn defensive driving | Check frequently
Tyre tread | Less tread | | | | Have spare tyre
Low visibility | Low; very low | Rain | Cannot see the road | Stop driving | Check with ITIS*
Car light | Dim; no light | | | Stop car; go replace bulb; switch on hazard light | Avoid night driving
Journey | Night; foggy | No street light | | Travel during daylight |
SELF-CHECK 7.2
1. State the differences between JSA and HAZOP.
This cooling system can be chosen as one part of the total system. Any deviation
in the performance of this part say, the fluid is not cooled enough or if there is no
flow into it, can have consequences to the entire system. Note that this „part‰ is
made up of many components; P4 is the centrifugal pump, P1 is a heat exchanger
and P2 is an air cooler. When we say that there is no flow in this part, it means
there is no flow throughout P4, P1 and P3. Although there might be flow in P4,
the pipe to P1 from P4 is ruptured. It is important that the HAZOP team in its
examination process strictly limits themselves to the boundary of the chosen part.
In this case, no flow means no flow into P4; the input end of the part. This is the
concept of point of reference (POR).
The objective of the study should primarily be the identification of all hazards
and operability problems. The solution to the problems is a secondary issue. If
need be, this issue should be passed on to other parties. However, consideration
should be given to legislative requirements and the audience of the study.
(i) That the study team members have the knowledge, skills and
experience to contribute to the brainstorming;
(ii) The study team is highly familiar with the information made available
to them including the information contained in the piping and
instrumentation diagram (P&ID);
(v) That the study team rigorously follows sound HAZOP procedures
and ensures that no short-cuts are taken;
(vi) That the study team uses common sense and a sense of proportion by
not going overboard in its recommendations;
(viii) That there is a plan for the study and that team members are provided
with this plan, including a list of guide words;
(ix) The availability of important personnel for the meeting, for example,
designers, users, maintenance staff and specialists, if this is required;
and
(x) That the result of the HAZOP study is properly communicated with
follow-up.
(iv) Safeguards or controls that may prevent either the cause or the
consequence;
(d) Others
Other members of the team, to be called on an ad hoc basis, are designers,
users, maintenance staff and specialists. Their role is to brief and to clarify
issues for the main team.
(d) References.
The team leader should have gathered information about the system from the
piping and instrumentation diagram (P&ID) or any other description of the
process being considered. The design intent for each part can be gathered from
project specifications. Supplementary information is gathered through briefings.
SELF-CHECK 7.3
1. List the guide words you would use to evaluate the HAZOP of
crossing a busy street in Kuala Lumpur.
Apply the special "guide words" (from Table 7.2 and Table 7.3) to this element
coupled with an appropriate characteristic (listed in Table 7.4), if necessary, to
question and brainstorm among team members of how deviations from the
design intent of the system can occur. Deviations could be in the form of what
happens to materials, activities, sources and destinations associated with that
part (see Table 7.7). Determine if a hazardous situation or operability problems
can occur.
For each step determine the causes and consequences. Continue this process until
the whole system has been analysed. This process is illustrated in Figure 7.3.
Figure 7.3: Flow chart of the HAZOP examination procedure (IEC 61882)
Source: IEC (2001)
The following are further factors that need to be considered for the HAZOP
procedure:
(a) Causes
The causes must relate only to the parts concerned. It is up to the team
members to generate the causes through brainstorming. The HAZOP
leader's role at this point is to prompt the team for answers but should
never state the causes himself as it is the team's responsibility. The team
leader, on the other hand, should prod the team to identify causes as
exhaustively as possible. There could be more than one cause for each
deviation. Generally causes are derived either from human error,
equipment failure, external sources, events or a combination of these.
(b) Consequences
Once all causes have been identified, the associated consequences should be
discussed. Unlike the causes, the consequences should relate to the whole
system. It is important that each consequence identified is stated "as is",
without considering any intended safeguard provision or an existing one.
The safeguards should be considered separately.
(c) Safeguards
Safeguards should be considered for each ultimate consequence identified
throughout the system under review. If there are current safeguards
already implemented, evaluate if these are adequate. If not, the team should
recommend appropriate safeguards. Safeguards should generally follow
the same idea as any hazard control, that is, the Hierarchy of Control that
we have discussed earlier in previous topics. In addition to that, consider
measures that will detect and give early warning of impending danger and
measures to mitigate consequences including emergency response and
preparedness.
The HAZOP team may not have all the information at hand or may not
have identified all the hazards when formulating recommendations or the
team may simply not be able to resolve all issues. It is appropriate that the
team make proposals for further studies as part of its recommendations.
SELF-CHECK 7.4
You live in Kuala Lumpur and have to travel by taxi to catch a plane to
Kuching and need to arrive in time for an emergency.
The findings of the HAZOP team are issued as a report. The report content
includes:
(c) Methodology adopted, listing all the parts considered in the analysis and
rationale why parts were excluded;
(i) All the work sheets on which the review was recorded will be attached with
the report. Use the HAZOP recording template as in Figure 7.4. Worked
examples are shown in Figure 7.5 and Figure 7.6.
Figure 7.5: HAZOP study worked sample for a continuous process (IEC 61882:2001)
Source: IEC (2001)
Figure 7.6: HAZOP study worked sample for batch process (IEC 61882:2001)
Source: IEC (2001)
The project manager may make modifications to the original design. This may
solve the problems identified, but it might also introduce new ones. It is before
the final design is implemented that the HAZOP team may find its use again
(b) Like all the other identification methods, there is no guarantee that all
hazards have been recognised. This is especially so if the study is entirely
based on a drawing or plans that are presented, for example, P&ID. If some
item is not represented in the drawing, the hazards caused by the item
would not have been considered;
(d) HAZOP process meticulously examines each part of the system separately
but does not consider interactions or interlinking between parts. A
deviation on one part may have a ripple effect; and
SELF-CHECK 7.5
1. What are the contents of a HAZOP report?
• There are four steps in the HAZOP process, namely: definition of scope,
objectives and responsibility of the team; preparation for the meeting;
examination of the system being considered; and documentation of results of
the meeting and follow-up action.
Health and Safety Executive (HSE). (n.d.). Flixborough (Nypro UK) explosion, 1st June 1974. Retrieved from http://www.hse.gov.uk/comah/sragtech/caseflixboroug74.htm
Saudi Aramco. (1997). Guidelines for conducting HAZOP studies (AER-5437 TSI 41-018). Loss Prevention Department, Saudi Aramco.
Kletz, T. (1999). HAZOP and HAZAN (4th ed.). New York, NY: Taylor & Francis.
INTRODUCTION
The Structured "What-If" Technique (SWIFT) is a systematic team-oriented
technique for hazard identification. SWIFT is one of many techniques developed
to identify hazards in chemical process plants, but like many other risk analysis
tools, can be adapted to fit many other situations. It addresses systems and
procedures at a high level. Other hazard identification techniques like HAZOP
(Hazard and Operability study) and FMEA (Failure Modes and Effects Analysis)
focus on process flow or hardware at the level of detailed equipment items.
SWIFT, like HAZOP, requires the input of a team of "experts" to evaluate the
consequences of hazards, which might result from various potential failures or
errors they have identified. When answering all the questions raised about realistic
deviations from the normal intended operation of a system, design or operation,
the team assesses the likelihood of an incident, the potential consequences and the
adequacy of safeguards to prevent or mitigate it should it occur.
The "What if?" questions, which can be posed by any team member (including
the team leader and recorder), are structured according to various categories.
When the team is no longer able to identify additional questions in a category, a
category specific checklist is consulted to help prompt additional ideas and
ensure completeness.
SELF-CHECK 8.1
1. What is SWIFT?
However, the leader should have HAZOP leadership training so he or she can
recognise the importance of issues, control the flow of the study and keep it on
track. Also, he or she must still be careful not to exert undue influence over the
direction and outcome of the proceedings, particularly because the leader is now
a "participant".
For studies of narrow scope, it is also acceptable for the leader to double as the
technical recorder. When recording is performed with the correct level of detail, a
study requiring more than half a day to complete would probably be more
efficient and effective if the proceedings were transcribed by a qualified individual
other than the leader. The significant danger of using the leader is that
incomplete minutes will be obtained due to time pressures. In normal
circumstances it is routine for the recorder to be typing the minutes of the last
discussion while the team moves on to the next item.
At a minimum, the team should include one or more persons who have expertise
in technical issues (process engineer, chemist, etc.) related to the process and one
or two persons who have relevant operating experience (lead operator, foreman,
etc.). Depending upon the precise nature of the process or the change being
examined, additional team members might include representatives from
maintenance, instrumentation, quality control, safety and other disciplines.
The reference documents necessary for conducting a SWIFT review are identical
to those required for HAZOP. Just as with a HAZOP, the more comprehensive
and up-to-date the data available to the team, the more efficient and effective the
analysis.
In many cases, the study is likely to involve the analysis of a proposed change in
some part of the process or its mode of operation. If such is the case, the details of
that change should be discussed. To ensure compliance with Management of
Change procedures, this pre-analysis discussion should focus on, but not be
limited to:
(b) The expected impact the change might have on safety and health;
(d) The intended duration of the change and, if possible, an estimate of how
long its start-up is likely to take.
As a result of this discussion, the ground rules for the study can then be
established. At a minimum, these should include setting the boundaries of the
system(s) to be examined, specifying the types of on-site and off-site issues of
concern (safety, health, environment, quality and productivity) as well as clearly
defining any other objectives of interest to the company.
Just as when picking nodes or sections for a HAZOP, experience will enable the
leader to become adept at choosing systems for study which ensure both efficient
use of team time and effectiveness in identifying the hazards.
The leader should begin the discussion by asking for and summarising team
input for each of the regulatory requirements as follows:
Next, the leader should begin the discussion by stating the category of questions
for discussion and then by either asking for ideas or offering an initial question.
The structure for questioning in the original SWIFT (developed for process
industry) is provided by the following categories:
Table 8.1 summarises the intent of each of these question categories. If needed, a
leader or team member may obtain additional ideas of the types of questions
which are appropriate for each category by consulting the Structured Checklists
(Appendix I of the Combined Process Safety Management Practice: Process
Hazards Analysis and Process Modification Guidelines).
(E/IM). It is important to examine instrument and control system failures, which might be
significant. It is crucial for the team to take note of protective devices and systems which
must remain operative if the various mechanical and human demands are to be prevented
from causing a hazard. Protective system proof testing schedules should also be reviewed.
Process Upsets of Unspecified Origin (PUUO)
This question category is intended to be a "catch all" for additional demands, hazards
or scenarios which were somehow overlooked (may not have been obvious, or just did
not fit into any of the previous categories) during discussions of other question
categories. This category also should serve as a reminder that the materials and
process conditions within a system or subsystem may be directly influenced by the
conditions at the point of interface with other systems or subsystems. A brief review
(even a mini HAZOP if the team considers it necessary) is made by the team to
determine whether "anything else" is important.
Utility Failures (UF)
This question category is straightforward but care should be taken to note external
effects or influences (EE/I), analytical or sampling errors (A/SE), operating errors and
other human factors (OE&HF) and electrical/instrumentation malfunction (E/IM)
demands and hazards which may directly cause a utility failure (UF) type hazard to
develop.
Integrity Failure or Loss of Containment (IF/LOC)
This question category should draw heavily upon all the preceding categories.
Additional care concerning the accuracy and detail of the logical interaction of
previous errors and/or failures with each other should be considered. Integrity failure
or loss of containment (IF/LOC) hazards certainly can introduce some additional
considerations such as normal and emergency venting. However, some combination of
the demands and hazards previously identified will probably represent the major basis
for those scenarios which could result. It should also be noted that vessels, lines,
pumps and various other components need to be considered in this discussion, and the
size of such failures should be specified (small leak, catastrophic failure, etc.).
Emergency Operations (EO)
If the team has been thorough in its analysis of the ultimate effects of the various
consequences relating to all the previous categories, new issues will rarely be
discovered at this stage. It is, however, very important to consider emergency
operations independently because errors or failures related directly to the emergency
condition or emergency procedures may not have been readily apparent when the
emergency was discussed in the context of the precipitating events. Possible escalation
of minor situations during emergencies should also be evaluated by the team.
Consider how the process will be operated or shut down if such conditions should
occur.
Although the questions can be answered as they are raised, it is usually best to
pose and record as many questions as possible in a "brainstorming" manner
before trying to answer them. This is because interrupting the train of thought
when brainstorming may result in questions being forgotten or perhaps never
even being posed. Additional questions can always be added to the discussion
list as they are raised. The SWIFT study leader needs to be aware that this is not
an unusual occurrence during the discussions of the initial questions.
By applying his experience, the leader may further reduce the study time by
selectively changing the order of discussion of the questions posed by the team.
By first considering those questions which appear to involve the most severe
potential consequences, the team can often make a more comprehensive
recommendation which covers many of the same issues which will be identified
during the discussion of the remaining questions. When this approach is used,
however, care must be taken to adequately consider all of the "What if" questions
on the list to ensure that every known important issue has been raised, discussed
and necessary recommendations written.
Depending upon the experience level of the team and leader, the team may either
be asked to review the MP Checklist, or the leader may choose to quickly run
through each item on the list while asking the team, "Does anybody have any
additional Material Problem concerns related to flammability, thermal instability,
flash points, etc." until he has read through the complete list.
Perhaps the team will identify two additional questions. These should be
recorded, discussed and answered as before. Finally, only when the leader is
confident that no more MP issues exist, should he change to the next structured
category, External Effects or Influences (EE/I). This approach should be repeated
during the discussion for each category until all 10 categories in the structure
have been completed.
8.2.8 Recommendations
Just as in a HAZOP, if the team is not satisfied with the level of protection or
otherwise perceives a need for further analysis, recommendations for further
action should be proposed for management consideration. Such
recommendations need to include a brief description of the potential hazard, a
description of what equipment, instrumentation or procedures currently in place
are relied upon to prevent the development of the hazard and, finally, the
objectives which must be achieved to provide a solution to the potential problem.
Care should be taken to provide enough factual information but not too many
specific details of how the correction should be implemented. This provides the
designers with as much flexibility as possible in providing a solution which will
meet the objectives necessary to eliminate or manage the potential hazard.
It is important to remember that the SWIFT team, just like a HAZOP team, has
only the responsibility of identifying and adequately explaining to management
what hazards might be present.
Recommendations should always remain flexible. They should clearly state the
perceived deficiency and the objectives which the team considers important for
eliminating or managing the hazard. Ideas for potential modifications which
came to mind during the discussions can and should be documented; however,
care must be taken not to state them in such a manner that can be construed as
the only solution to the identified problem or as binding upon management.
To wrap up the study of the major process section, the leader should direct the
team in reviewing and updating their thoughts on each of the regulatory
requirements which were used to initiate the discussions. Finally, the review of
an entire unit or plant may consist of a series of several studies, each having a
scope comparable to the typical major section just described.
As with a HAZOP, the team should agree on the "Top 10" (nominally) significant
issues to provide management with a clear understanding of the issues. The report
format for a SWIFT analysis should be no different than that of a HAZOP, and the
recommendations should be prioritised, tracked and completed in the same manner.
SELF-CHECK 8.2
1. What are the procedures for holding discussions on SWIFT by
experts?
The leader should be aware of several potential differences which may require
added attention when changes in non-continuous operations are being analysed
using SWIFT. These include but should not be limited to the following:
(a) Hardware changes directly contact several processing steps and may
therefore impose consequences or impact during one or more operating
steps; and
SELF-CHECK 8.3
Brainstorming
Checklists
Deviation
Procedures
Record
Team of experts
"What If" analysis
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe Fault Tree Analysis (FTA);
2. Describe the importance of FTA;
3. Explain the six steps in FTA; and
4. Discuss FTA symbols and logic.
INTRODUCTION
NASA administrator Dan Goldin, as quoted by Ericson (1999), said that "To
design systems that work correctly, we often need to understand and correct how
they can go wrong".
Fault Tree Analysis (FTA), which is one of the many symbolic logic analytical
techniques found in the operations research discipline, was developed in 1962 for
the US Air Force by Bell Telephone Laboratories for use with the Minuteman
system and was later adopted and extensively applied by the Boeing Company.
A fault tree is a logical diagram which shows the relationship between system
failure, that is, a specific undesirable event in the system and failures of the
components of the system. It is a technique based on deductive logic. An
undesirable event is first defined and the causal relationships of the failures
leading to that event are then identified.
These must occur for the top event to transpire. All the intermediate events
related to the top undesired event are related using logical operations namely
logic gates and Boolean algebra. This will allow us to quantify the fault tree with
event probabilities and, thereby, calculate the probability of the undesired top
event.
We must take note that FTA is not a hazard analysis model to identify all
possible system failures or all possible causes of the hazard. Instead, it is a model
of a particular system operation failure that causes the top event to occur. FTA
model does not list all system or component failures, it only registers the failures
that lead to the top event. The model only assesses likely faults, which can be
from the events connected to:
A fault tree can be used in qualitative or quantitative risk analysis. The difference
between these methods is that the qualitative fault tree is looser in structure and
does not require the same rigorous logic as the formal fault tree.
Quantitative FTA is used as a reliability and safety tool.
(d) Identifies design features that preclude occurrence of a top level fault event;
(f) Determines where to place emphasis for further testing and analysis;
(j) Can help identify design, procedural and external conditions which can
cause problems under normal operations;
(m) Can easily include design flaws, human and procedural errors which are
sometimes difficult to quantify (and therefore, often ground-ruled out of
quantitative analysis); and
(n) Requires "cutset analysis" to attain the full benefits of the analysis. (Cutsets:
any group of non-redundant contributing elements which, if all occur, will
cause the top event to occur).
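As an added illustration of the gate logic, cut sets and top-event probability calculation described above, the following Python evaluates a small fault tree. This is example code written for this topic, not from the module text or from NUREG-0492; the cooling-system tree and every probability in it are constructed for illustration, and the gate-propagation shortcut is contrasted with the exact cut-set calculation for the case where one basic event feeds several gates.

```python
from dataclasses import dataclass
from itertools import combinations, product
from math import prod
from typing import Dict, List, Union


@dataclass(frozen=True)
class BasicEvent:
    """Leaf: a primary failure, assumed independent of all other events."""
    name: str
    p: float                   # probability that the event occurs


@dataclass
class Gate:
    """AND: output fault occurs only if all inputs occur; OR: if any occurs.
    `name` is the intermediate fault event at the gate output, so no gate
    connects directly to another gate (rule (e) of the handbook)."""
    kind: str                  # "AND" or "OR"
    name: str
    inputs: List["Node"]


Node = Union[BasicEvent, Gate]


def basic_events(node: Node) -> Dict[str, float]:
    """Collect every basic event in the tree, keyed by name."""
    if isinstance(node, BasicEvent):
        return {node.name: node.p}
    found: Dict[str, float] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def cut_sets(node: Node) -> List[frozenset]:
    """Cut sets: groups of basic events that, if all occur, cause this fault.
    OR gates pool their children's cut sets; AND gates merge one from each."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        return [cs for sets in child_sets for cs in sets]
    if node.kind == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Drop any cut set that contains a smaller cut set; smallest first."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def gate_propagation(node: Node) -> float:
    """Gate-by-gate probability: exact only if no basic event repeats."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [gate_propagation(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)   # OR: 1 - P(no input occurs)


def top_probability(node: Node) -> float:
    """Exact P(top) by inclusion-exclusion over minimal cut sets; correct even
    when one basic event feeds several gates (events still independent)."""
    probs, mcs, total = basic_events(node), minimal_cut_sets(node), 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            term = prod(probs[e] for e in frozenset().union(*combo))
            total += term if k % 2 else -term
    return total


def rare_event_bound(node: Node) -> float:
    """Sum of minimal-cut-set probabilities: the usual upper-bound estimate."""
    probs = basic_events(node)
    return sum(prod(probs[e] for e in cs) for cs in minimal_cut_sets(node))


# Constructed tree for the cooling "part" of this topic, top event "no flow
# into pump P4". The probabilities are invented round numbers, not real data.
NO_FLOW = Gate("OR", "No flow into cooling part", [
    BasicEvent("P4 pump fails", 0.01),
    BasicEvent("Suction pipe to P4 ruptured", 0.001),
    Gate("AND", "Pump drive lost", [
        BasicEvent("Main power lost", 0.05),
        BasicEvent("Standby pump fails to start", 0.1),
    ]),
])

# Constructed tree in which basic event A feeds two gates: gate-by-gate
# propagation counts A twice and overstates the top-event probability.
SHARED = Gate("OR", "Top", [
    Gate("AND", "G1", [BasicEvent("A", 0.1), BasicEvent("B", 0.2)]),
    Gate("AND", "G2", [BasicEvent("A", 0.1), BasicEvent("C", 0.3)]),
])
```

For NO_FLOW the three minimal cut sets give an exact top-event probability of about 0.0159 (rare-event bound 0.016); for SHARED the exact value is 0.044 while gate propagation reports 0.0494.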
SELF-CHECK 9.1
1. What is FTA?
A fault tree is developed using the following six steps, also illustrated in Figure 9.1:
Step 6: Repeat/continue.
Generally, the beginning point of FTA is an existing FMECA and a system block
diagram (Rausand & Hoyland, 2005). FMECA is a critical step in understanding
the process or system. Here, we have to understand and analyse the design,
operation and environment of the process or system. Based on a clear view of the
overall system, the cause-and-effect relationship that leads to the top event can
be identified and understood.
In FTA, it is important to understand the basic terms that are normally used in
the analysis. Here are some critical terms that must be understood correctly.
(b) Fault: "something does not perform the action you desire, even though it
operates as designed";
(c) Primary failure: "a failure that occurs under normal operating and
environmental conditions";
Figure 9.2: The basic methodology of input faults that lead to an undesired event in FTA
All the definitions of the group and its symbols are summarised in Table 9.1. It is
very important that the user understands and grasps the definitions and symbols
to generate an accurate FTA.
3. Gate Symbols
AND - output fault occurs if all of the input faults occur.
4. Transfer Symbols
TRANSFER IN - indicates that the tree is developed
further at the occurrence of the corresponding TRANSFER
OUT (for example, on another page).
It is not difficult to construct a fault tree. However, we must follow a few rules;
several useful ones can be found in the Fault Tree Handbook (NUREG-0492)
from the US Nuclear Regulatory Commission. Some of the rules are as follows
(Bahr, 1997):
(a) Write clear and precise statements that are captured as faults in the event
symbols, describing what the faults are and when they occur;
(d) All the inputs to a specific gate should be completely described before
additional study of any of them is undertaken; and
(e) Define the fault event to the gate inputs correctly. Gates should not connect
directly to other gates.
Identified failure areas were investigated further, and a new system was based
on corrections of these failures. As a result, motivation increased significantly.
ACTIVITY 9.1
1. Construct a Fault Tree Analysis for a car accident on the road.
(just a Fault Tree diagram will suffice, without the need for
qualitative and quantitative analysis)
Fault Tree Analysis (FTA) can be used to predict and prevent accidents or as
an investigation tool after-the-fact.
A fault tree is built using special symbols, some derived from Boolean
algebra. The resultant model resembles a logic diagram or a flow chart.
Fault Tree Analysis is a logical method of analysing how and why a disaster
could occur. It is a great technique for working out the overall probability of a
catastrophic event occurring, such as a melt-down in a nuclear power plant,
where the substantial cost involved is clearly justified.
Boolean
Fault Tree Analysis (FTA)
Investigation
Logic diagram
Qualitative
Quantitative
Top event
Clemens, P. L. & Sverdrup, J. (1993). Fault tree analysis: Steps in fault tree
analysis. Retrieved from http://www.fault-tree.net/papers/clemens-fta-tutorial.pdf
Goetsch, D. L. (2005). Occupational safety and health for technologist (5th ed.).
New Jersey, NJ: Pearson Education Inc.
Rausand, M., & Hoyland, A. (2005). System reliability theory: Models, statistical
methods and applications (2nd ed.). New Jersey, NJ: John Wiley & Sons.
INTRODUCTION
High product reliability is essential to the survival and success of modern
industries. Having a product that fails during usage is almost equivalent to
losing a customer. Therefore, in this topic, we will learn about Failure Mode and
Effects Analysis (FMEA). FMEA is a structured procedure for identifying and
preventing as many potential failure modes as possible in the processes of
product design and manufacturing in any industry.
FMEA was first developed for use by the US military. It has also been used for a
long period for space development by National Aeronautics and Space
Administration (NASA). Currently, it is being applied in various fields. For
example, the International Maritime Organization (IMO) has stipulated FMEA as
the safety assessment method to be implemented when constructing high speed
vessels.
There are a number of standards that are often used to specify the approach and
format to be used for FMEA. The major standards are:
All of the standards adopt a similar approach but differ slightly in the level of
detail required. Use of a particular standard is usually specified as a preference
by whichever industry client is the end-user. For example, defence contracts
specify the Defence Standard whilst aerospace contracts specify the MIL STD.
The British Standard is a recent addition to the range of standards, although
many users within the offshore and process industries still specify the MIL STD
as their preference.
SELF-CHECK 10.1
Define FMEA.
(d) It identifies single point failures and requirements for redundancy or safety
systems;
(g) It assists in the definition of maintenance strategy and can be used as the
basis for the failure diagnosis sections of maintenance manuals;
(h) It identifies the need for a built-in test or suitable testing provisions in
service;
(j) It ensures that the reliability engineer has a thorough understanding of the
operation of the system under analysis.
However, there are still some limitations of the technique such as:
(a) It can only be used to identify single failures not combinations of failures;
(b) Unless adequately controlled and targeted, it can be time consuming and
costly;
(c) It can be difficult and tedious for complex multi-layered systems; and
SELF-CHECK 10.2
Step 4: Conduct the FMEA based upon the information derived in Steps 1 to 3.
(b) Drawings showing the relationship of the item under analysis with the
overall system or plant;
In many cases, the given information is not available in the early stages of a
design. These circumstances usually arise because those features are not given
adequate design attention. One of the roles of the FMEA is to ensure that the
design team understands the need and the benefits of having this information
available early in the project definition phase. This will save costly time delays
and misunderstandings later in the project. Therefore, it is important that the
reliability engineer has adequate management support to ensure that this
information is made available at an early stage.
Typically, the ground rules would establish answers to the following issues:
(e) Which level of the system will the analysis start from?
(i) Will the analysis be used as an input to related studies (for example, RCM
or test plans)?
Now, let us look at Figure 10.2 which shows the breakdown of the system into its
hierarchical structure.
Figure 10.3 shows the relationship between the failure effects of the sub-levels
and the failure modes of the next higher level.
Figure 10.3: Example of a relationship between failure effects and failure modes
It can also be started at any level in the hierarchy and can move either up or
down, although it is most effective at the higher levels of the system hierarchy.
Generally, it takes less time to complete than the hardware approach; however,
being a "top down" approach, it is possible to overlook the contribution that a
component part or single point failure can have on the system. It is often used
in hazard identification exercises as a formal method of identifying the effects
of functional failures on plant safety.
It should be noted that there is no hard and fast rule regarding the format of the
FMEA table. Provided it contains the following key information, its appearance
can be modified to suit the needs of the analyst or client. The FMEA worksheet
should contain the following information as a minimum:
(f) Function
This is a brief description of the item's normal operating function outlining
its primary function and other important functions. For example, the
primary function of a selector valve would be to control the direction of
flow of a fluid; however, it must also operate without external leakage. This
column heading does not exist in the BS5760 format. However, it is
important to be able to recognise all item functions in order to correctly
identify the functional failure modes.
If we consider the selector valve case, it could be in the control circuit for an
emergency shutdown valve, where its normal function is to allow hydraulic
pressure to reach the valve actuator. In an abnormal or dangerous situation,
its function is to operate by stopping the flow of fluid to the actuator and
venting the hydraulic fluid to the supply tank, which then allows the
actuator to close the valve.
Now, these are the examples of typical hardware failure modes reproduced
from BS5760 Part 5.
• Corroded
• Contaminated
• Intermittent operation
• Open circuit
• Short circuit
• Out of tolerance (drift)
• Fails to operate
• Operates prematurely
• Overloaded
• Omitted
• Incorrect assembly
• Scored
• Noisy
• Arcing
• Unstable
• Chafed
This end effect would certainly be alarming to the operators in the control
room. It may be that, as a result of the analysis, a decision is taken to install
remote level indication on the hydraulic supply tank to prevent the initial
item failure escalating to an event with the potential to cause loss of
production. However, unless the failure effects are considered fully, key events
may be overlooked.
It can be seen that in three cases, the numbering classification goes from 1 (most
serious) to 5 (least serious) whilst in the case of BS5760, the opposite is true.
Analysts must establish in their ground rules and assumptions what the severity
classification philosophy will be, in order to avoid confusion either internally or
with the client.
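The hardware approach, the propagation of effects up the hierarchy shown in Figure 10.3, the minimum worksheet fields and the point about declaring a severity convention in the ground rules can be brought together in one small worksheet generator. The following is an added example, not code from the OUM module or from BS5760; the items (ESD system, Hydraulic supply, Pump A, Pump B, Supply tank, Selector valve), their failure modes, effects and severity scores are constructed, loosely following the emergency shutdown valve case described in the text. Each item's local effect becomes the failure mode of the next higher level; redundancy stops the escalation, and a failure that reaches the system level without being contained is flagged as a single point failure.

```python
"""Bottom-up (hardware approach) FMEA worksheet over a system hierarchy.

Added illustration for this topic, not part of the OUM module or of BS5760.
The items, failure modes, effects and severity scores are constructed; the
hierarchy is loosely based on the emergency shutdown valve case in the text.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Item:
    name: str
    function: str
    parent: Optional[str]       # None marks the system (top) level
    redundant: bool = False     # True: an identical sibling keeps the parent's function


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str                   # generic mode from the BS5760-style list
    local_effect: str           # effect at the item's own level
    severity: int               # scored under the ground rule declared below


# Ground rule declared for this example (constructed): 1 = most serious, 5 = least.
# A client that wants the reverse direction sets most_serious=5 when building
# the worksheet; the ordering then follows that declared convention.
MOST_SERIOUS = 1

ITEMS = {i.name: i for i in [
    Item("ESD system", "Close the emergency shutdown valve on demand", None),
    Item("Hydraulic supply", "Provide hydraulic pressure to the actuator", "ESD system"),
    Item("Pump A", "Pressurise hydraulic fluid", "Hydraulic supply", redundant=True),
    Item("Pump B", "Pressurise hydraulic fluid", "Hydraulic supply", redundant=True),
    Item("Supply tank", "Hold hydraulic fluid", "Hydraulic supply"),
    Item("Selector valve", "Control direction of hydraulic flow to the actuator", "ESD system"),
]}

MODES = [
    FailureMode("Pump A", "Fails to operate", "No output from pump A", 4),
    FailureMode("Supply tank", "Corroded", "Tank wall perforated, level falls", 2),
    FailureMode("Selector valve", "Fails to operate", "Actuator not vented on demand", 1),
]


def effect_chain(item_name, items):
    """Propagate a failure upwards: the effect at one level is the failure mode
    of the next higher level. Returns the effect statement at each higher level
    and whether the failure reached the system level on its own (a single point
    failure). Redundancy stops the escalation."""
    chain = []
    current = items[item_name]
    while current.parent is not None:
        parent = items[current.parent]
        if current.redundant:
            chain.append(f"{parent.name}: degraded, redundant unit maintains "
                         f"'{parent.function}'")
            return chain, False
        chain.append(f"{parent.name}: loss of '{parent.function}'")
        current = parent
    return chain, True


def build_worksheet(items, modes, most_serious=MOST_SERIOUS):
    """One row per failure mode with the minimum fields named in the text,
    ordered most serious first under the declared severity convention."""
    rows = []
    for fm in modes:
        chain, single_point = effect_chain(fm.item, items)
        rows.append({
            "item": fm.item,
            "function": items[fm.item].function,
            "failure_mode": fm.mode,
            "local_effect": fm.local_effect,
            "next_higher_effect": chain[0] if chain else fm.local_effect,
            "end_effect": chain[-1] if chain else fm.local_effect,
            "severity": fm.severity,
            "single_point_failure": single_point,
        })
    rows.sort(key=lambda r: r["severity"], reverse=(most_serious != 1))
    return rows


if __name__ == "__main__":
    for row in build_worksheet(ITEMS, MODES):
        flag = " [single point failure]" if row["single_point_failure"] else ""
        print(f"S{row['severity']} {row['item']}: {row['failure_mode']} -> "
              f"{row['end_effect']}{flag}")
```

With the constructed data, the pump failure stops at "Hydraulic supply: degraded" because Pump B is redundant, while the corroded tank and the stuck selector valve both escalate to loss of the shutdown function and are flagged as single point failures, which is the kind of finding that prompts a decision such as adding remote level indication on the tank.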
SELF-CHECK 10.3
1. Explain the systematic FMEA process.
There are two primary approaches to the completion of an FMEA. One is the
hardware approach, which lists individual items and identifies their possible
failure modes and effects. The other is the functional approach, which
recognises that every item is designed to perform a number of functions that
can be considered as outputs.
It should be noted that there is no hard and fast rule regarding the format of
the FMEA table. Provided it contains certain key information (discussed in
this topic), its appearance can be modified to suit the needs of the analyst or
client.
Thank you.