Machinery Safety Risk Assessment of a Metal Packaging Company


My thesis.


AB HELSINKI UNIVERSITY OF TECHNOLOGY
Faculty of Electronics, Communications and Automation

Teppo-Heikki Saari

Machinery Safety Risk Assessment of a Metal Packaging Company

Master's Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Technology

Espoo, December 15, 2009

Supervisor: Professor Jouko Lampinen
Instructor: M.Sc. Hanna Näätsaari
Helsinki University of Technology, Abstract of master's thesis (Finnish version, translated)
Faculty of Electronics, Communications and Automation
Author: Teppo-Heikki Saari
Department: Department of Electronics and Electrical Engineering
Major subject: Computational engineering
Minor subject: Systems and operations research
Title: Pakkausmateriaalitehtaan koneturvallisuuden riskiarviointi
Title in English: Machinery Safety Risk Assessment of a Metal Packaging Company
Chair code and name: S-114 Laskennallinen tekniikka (Computational engineering)
Supervisor: Prof. Jouko Lampinen
Instructor: FM Hanna Näätsaari

Abstract:

EU and Finnish occupational safety legislation obliges the employer to assess the risks of the work environment in order to secure and maintain working capacity. Although the requirement to improve working conditions has been set through legislation, not all companies in Finland comply with it. In particular, small and medium-sized companies have lacked resources and easy-to-use methods that produce clear results.

This thesis examines what concepts are generally associated with safety and risk assessment, and what methods are commonly used when assessing risks and human errors. In addition, the risks of a packaging materials factory are assessed using a particular method, and the results the method produces are studied, as well as the factors that affect the risk assessment process in general.

The concept of risk includes the probability of a hazard being realised. The method used in this thesis to assess the risks at the factory is based on expert judgement, so the assessment results are subjective in nature. The method can therefore give very different results depending on who carries out the assessment. Large variations in the results lead to uncertainty about which hazards at the factory are the greatest, and consequently the decisions made on the basis of the assessment, possibly costly ones, are not made using the most accurate possible information about the state of safety in the work environment. This uncertainty can be reduced by clarifying working practices and by improving the documentation of the method.

Risks can be controlled in many different ways. Legislative means aim to reduce existing risks and to prevent new ones from arising. Physical means aim to protect the user directly during operation. Because of the subjective nature of risk and safety, the clearest and most cost-effective way to reduce risks is to improve the safety climate by influencing the worker's actions through changing his or her behaviour patterns. Various 'behavioural safety' programmes are indeed among the central parts of the safety culture of large organisations.

Number of pages: 114
Keywords: Machinery safety, Risk assessment
Helsinki University of Technology, Abstract of master's thesis
Faculty of Electronics, Communications and Automation
Author: Teppo-Heikki Saari
Department: Department of Electrical Engineering
Major subject: Computational Science
Minor subject: Systems and Operations Research
Title: Machinery Safety Risk Assessment of a Metal Packaging Company
Title in Finnish: Pakkausmateriaalitehtaan koneturvallisuuden riskiarviointi
Chair: S-114 Computational sciences
Supervisor: Prof. Jouko Lampinen
Instructor: M.Sc. Hanna Näätsaari

Abstract:

The occupational health and safety legislation of the EU and Finland requires employers to assess work environment risks in order to secure and maintain the employees' working capacity. Although the requirement is imposed through legislation, it is not fulfilled by every entrepreneur in Finland. Especially the small and middle-sized companies have had a problem with the lack of resources and of easily applicable and productive methodology.

The aim of this study is to find out what kind of concepts are generally related to safety and risk assessments, and what kind of methods are used to assess risk and human error. In addition, risks in a packaging materials factory were assessed using a certain method, and the results and the factors generally affecting the risk assessment process were analysed in this thesis.

The probability of hazard realisation is included in the concept of risk. The method used to assess the risks at the site is based on expert judgement, which implies that the assessment results are subjective in nature. The method can produce very different results depending on the assessor. Great variation in results leads to uncertainty in hazard ranking, and it affects the subsequent, possibly costly, decisions, which are then not based on the most accurate information about the safety situation of the work environment. This uncertainty can be reduced by clarifying operational modes and by improving method documentation.

It is possible to control risks in many different ways. Regulatory controls aim at reducing existing risks and preventing new ones. Physical controls directly protect the operator during the operation. Due to the subjective nature of risk and safety, the clearest and most cost-effective way of reducing risk is improving the safety climate by affecting employee actions through changing his or her behaviour patterns. Various behavioural safety programs are a central part of safety culture in large organisations.

Number of pages: 114
Keywords: Machinery safety, Risk assessment
He who knows and knows he knows,
He is wise – follow him;
He who knows not and knows he knows not,
He is a child – teach him;
He who knows and knows not he knows,
He is asleep – wake him;
He who knows not and knows not he knows not,
He is a fool – shun him.
— Arabian proverb

Science perishes by systems that are nothing but beliefs; and Faith succumbs to reasoning. For the two Columns of the Temple to uphold the edifice, they must remain separated and be parallel to each other. As soon as it is attempted by violence to bring them together, as Samson did, they are overturned, and the whole edifice falls upon the head of the rash blind man or the revolutionist whom personal or national resentments have in advance devoted to death.
— Albert Pike
Preface

I wish to express my gratitude to all of those who made this thesis possible.

In Helsinki, December 6, 2009
Teppo-Heikki Saari
Contents

Preface  ii
Abbreviations  vi
1 Introduction  1
  1.1 Background  1
    1.1.1 The Site and its operations  2
  1.2 Research questions and structure  3
2 Overview of risk assessment concepts  4
  2.1 Basic definitions  4
    2.1.1 Risk, hazard, mishap, accident, incident  4
    2.1.2 Categorisation of risk  5
  2.2 Error  8
    2.2.1 Categorisation and taxonomy  8
    2.2.2 Major error types of interest  9
  2.3 Safety  11
    2.3.1 Approaches to safety  11
    2.3.2 Safety hindrances  12
    2.3.3 Safety facilitators  15
  2.4 Human factors  17
3 Overview of risk assessment methods  19
  3.1 Probabilistic risk assessment  20
    3.1.1 Introduction  20
    3.1.2 Defining objectives and methodology and gathering information  21
    3.1.3 Identification of initiating events  21
    3.1.4 Scenario development  22
    3.1.5 Logic modelling  22
    3.1.6 Failure data analysis  22
    3.1.7 Sensitivity analysis  23
    3.1.8 Risk acceptance criteria  23
    3.1.9 Interpretation of results  25
  3.2 Human reliability analysis  26
    3.2.1 Introduction  26
    3.2.2 Task analysis  27
    3.2.3 Database methods  27
    3.2.4 Expert judgement  27
    3.2.5 Technique for Human Error Rate Prediction (THERP)  28
  3.3 Other risk and error assessment methods  29
    3.3.1 Five steps to risk assessment  29
  3.4 Method used by the Company  30
    3.4.1 Risk rating  32
    3.4.2 Method previously used at the Site  37
4 Risk control and regulation  39
  4.1 Physical risk controls  40
  4.2 Behavioural safety  43
  4.3 Regulatory standards in the EU  44
    4.3.1 The structure of European harmonised standards  45
    4.3.2 The European Machinery Directive  47
  4.4 Regulatory standards in Finland  48
  4.5 Regulatory standards in the Company  50
    4.5.1 The Company Directives  50
    4.5.2 OHSAS 18000  51
5 Case study  52
  5.1 Analysis of current safety situation in the Company  52
    5.1.1 Accident statistics  52
    5.1.2 Safety culture and climate  54
    5.1.3 Safety limitations at the Site  57
  5.2 Assessing risks with the Company method  58
    5.2.1 Drum line packaging area  58
    5.2.2 Manually operated slitters and power presses  60
    5.2.3 73mm/99mm tin can manufacturing line (CN02)  61
    5.2.4 Machine tools at maintenance department  62
6 Discussion  64
  6.1 Issues encountered during the assessment process  64
  6.2 Comparison and critique of the methods  65
  6.3 Analysis of the results  67
    6.3.1 Are the results valid?  69
  6.4 Addressing the issues encountered during the assessment  70
7 Conclusion  73
References  74
Appendix  79
A Appendices  79
  A.1 Safe system of work instructions for surface grinder  80
  A.2 Modified Company method risk scoring components  81
B Risk assessment results  82
Abbreviations

ALARP  As Low As Reasonably Practicable
CCF  Common Cause Failure
DPH  Degree of Possible Harm
EEM  External Error Mode
EHS  Environment, Health and Safety
EOC  Error of Commission
FE  Frequency of Exposure
FMEA  Failure Mode and Effect Analysis
FTA  Fault Tree Analysis
HEA  Human Error Analysis
HEP  Human Error Probability
HRA  Human Reliability Analysis
LO  Likelihood of Occurrence
LWDC  Lost Work Day Case
MRO  Maintenance, repair and operations
NP  Number of People at Risk
OHCA  Occupational Health Care Act
OSHA  Occupational Safety and Health Act
PEM  Psychological Error Mechanism
PPE  Personal Protection Equipment
PRA  Probabilistic Risk Assessment
PSA  Probabilistic Safety Assessment
PSF  Performance Shaping Factor
RCAP  Risk Control Action Plan
RCD  Residual Current Device
RHT  Risk Homeostasis Theory
RR  Risk Rating
SRK  Skill, rule and knowledge
THERP  Technique for Human Error Rate Prediction
Chapter 1 Introduction

1.1 Background

Since the days of the Renaissance, when the gambler Girolamo Cardano (1500-1571 AD) took the first steps in the development of the statistical principles of probability, and shortly after that Blaise Pascal and Pierre de Fermat (1654 AD) created the theory of probability by solving Paccioli's puzzle, the concept of risk has gone through several phases of evolution and is nowadays widely applied in nearly every facet of life. [3]

Global competition has led to higher demands on production systems. End customer satisfaction depends on the production systems' capability to deliver goods and services that meet certain quality requirements. To do so the systems must be fit for use and thereby fulfil important quality parameters. One such parameter is safety.

It is human to make mistakes, and in any task, no matter how simple, errors will occur. The frequency at which errors occur depends on the nature of the task, the systems associated with the task and the influence of the environment in which the task is carried out. Providing safe equipment through design and a safe work environment through regulation and practices is the key to reducing risk and removing occupational hazards in the process industry.

The technology of safety-related control systems plays a major role in the provision of safe working conditions throughout industry. Regulations require that suppliers and users of machines in all forms, from simple tools to automated manufacturing lines, take all the necessary steps to protect workers from injury due to the hazards of using machines. It is the use of scientific methods that allows us to comprehensively identify the risks related to working with machinery and to estimate what can go wrong during the process.

It has been recognised by many authorities that safety should be the number one priority of industry. Yet, in many cases companies tend to cut resources from risk assessment and a thorough analysis is never conducted. Although the knowledge is readily available for use, many Finnish companies, especially small and middle-sized ones, do not conduct risk assessments. One of the aims of this thesis is to examine whether the risk assessment methods work and what kind of results they give.

My thesis studies various methods of assessing risks in a manufacturing plant. My objective in the thesis is to assess production process risks in Crown Pakkaus Oy (hereafter referred to as the Site), a speciality packaging company that is part of CROWN Cork & Seal (hereafter referred to as the Company), as a case study. I have restricted the scope of the thesis to the risk analysis of machinery. The other main objective is to give the reader a picture of the key elements in the field of risk analysis and assessment. These include basic concepts, methodology, and legislation.

1.1.1 The Site and its operations

The Site's history goes back to the year 1876, when the family of G.W. Sohlberg began manufacturing tinsmith products in the Helsinki city area. Manufacturing of cans out of lacquered tinplates began in 1909, and the machines required for the printing of sheets were acquired in 1912. The premises became too small for the business, and the company's operations were transferred in 1948 to the existing factory premises in Herttoniemi, Helsinki. The company acquired its first automated can line in 1959, began manufacturing drums in 1964, and was among the first in Europe to transfer to welded cans in 1970. In 1993 the Site was merged into Europe's largest packaging company, Carnaud Metalbox, and from 1996 onwards the Site has been part of the world's leading packaging industry group, Crown Holdings, with headquarters in the USA. In 1998 the Site started using its current name, Crown Pakkaus Oy.

The Site's clients are major chemical and food processing companies from Finland and from the neighbouring areas. The clients in the field of chemistry are mainly paint, lubricant and chemical companies. The most important food clients are canning and vegetable companies.

The range of packaging manufactured at the Site is wide: it covers paint pails from 1/3 litre to 20 litres, drums of 200 litres, chemical pails from 34 litres to 68 litres, food cans from 73 mm to 99 mm in diameter and seasonal cans from 155 mm to 212 mm in diameter. The slowest manufacturing process is capable of producing 6 pieces per minute, and the fastest 400 pieces per minute.

The Site's operations can be categorised as pre-printing, printing, manufacturing, storage and maintenance. For the processing of colour-print data, the Site has digital reprography equipment and the equipment for manufacturing print film and printing plates. There are three lacquering lines and three two-colour sheet offset printing lines at the print shop. For packaging manufacturing, the Site has eight automated welding lines, 10 lines for manufacturing tin can lids/ends, and several individual manually operated machines, e.g. power presses and slitters.

1.2 Research questions and structure

The thesis aims at answering the following questions:

• What kind of concepts does the field of risk management deal with?
• What kind of risks can be found in an industrial environment and production processes?
• What kind of methods can be used to assess risks?
• What matters affect the risk assessment process?
• How is it possible to reduce the probability of occurrence of risks?

The structure of the thesis is as follows. In the second chapter I examine different concepts related to risk and safety analysis. Next, in the third chapter, I examine various aspects of risk assessment methods. In Chapter 4 I review some methods of controlling risks; these include physical controls and regulatory controls. My analysis of regulations takes into account three viewpoints: the EU, the Finnish Government, and the Company. The Company case study is introduced after that in Chapter 5. Beginning with a short description of what the Company does and what the main purpose of the thesis is, I then present the results of the risk assessment. The risks were assessed using the Company method. In Chapter 6 I discuss the results. Chapter 7 contains the conclusions.
Chapter 2 Overview of risk assessment concepts

2.1 Basic definitions

2.1.1 Risk, hazard, mishap, accident, incident

The field of risk analysis contains several concepts that are defined in various ways depending on the author or researcher. This chapter presents the definitions of the concepts I have used in this thesis. I have chosen the definitions for their clarity, intelligibility and unambiguity. The exact wording of the concepts varies depending on the author.

Risk is a measure of the potential loss occurring due to natural or human activities. Potential losses are adverse consequences of such activities in the form of loss of human life, adverse health effects, loss of property, and damage to the natural environment. [33]

Accident is an unintentional event which results or could result in an injury, whereas injury is a collective term for health outcomes from traumatic events [1].

Incident is an undesired event that almost causes damage or injury [16]. These are events to learn from before any damage has occurred.

Much of the wording is comparable to that found in military standard system safety requirements. In system safety literature, writers trace the principles embodied in military standard system safety requirements to the work of aviation and space age personnel that commenced after World War II. The U.S. Government standards define concepts like mishap and risk in the following way.

Mishap is an unplanned event or series of events resulting in death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment. (Synonym: accident.) [34]

Risk is an expression of the impact and possibility of a mishap in terms of potential mishap severity and probability of occurrence. [34]

Hazard is a condition that is a prerequisite for an accident. [38]

2.1.2 Categorisation of risk

The VTT Technical Research Centre of Finland has prepared a risk assessment toolkit for small and middle-sized enterprises [54]. The toolkit is available on the Internet and provides information on several types of risks and how to control them. The risks are classified from the point of view of the company and its business, thus taking a broader stand on different business risks. To clarify the concept of risk and its different aspects, I shall now present the different risk views mentioned in the toolkit.

Personnel risks

The term 'personnel risks' refers to risks to a company's operations that either concern or are caused by its personnel. At worst, these risks could mean a company completely losing the input of a key employee, or an employee deliberately acting against the company's interests. Personnel risks include:

• Fatigue and exhaustion
• Accidents and illnesses
• Obsolete professional skills
• Personal or employment-related disputes
• Unintended personal error
• Information leaks or theft

Small companies may be more vulnerable to personnel risks. Key expertise may rest with one person, another may have many areas of responsibility, or there may be no contingency arrangements in place.

Business risks

Business risks are related to business operations and decision-making. Business risks involve profit potential. A company can either be successful in its operations and make a profit, or fail and suffer losses. The information available for the assessment of business risks is difficult to use because business risks are often quite unique. In business, you must recognise profitable opportunities before others and react quickly, though decision-making may be difficult due to the lack of precise information.

Business risks form an extensive field. Because of risk chains, the assessment has to reach even the most distant links in the supply chain. For instance, a fire at the plant of a network partner can cause interruptions that lead to a loss of sales income and clientele. Business risks may therefore arise from the company's own or external operations.

The character of business risks depends on the company's field of operation and its size. The risks of a small company differ from those of a larger one operating in the same field. The only common factor is that, in the end, companies always bear the responsibility for business risks themselves and cannot take out insurance to cover them.

Agreement and liabilities

Agreements and making agreements are an essential part of business activity. An appropriate agreement clarifies the tasks, rights and responsibilities of the parties to the agreement. An agreement risk can be caused by the lack of an agreement or by deficiencies in an agreement. An agreement risk can be related to issues such as the way an agreement was made, a partner in the agreement, making a quotation, general terms of agreement, contractual penalties/compensation etc.

Information risks

Information risks have long been underestimated and inadequately managed. All companies have information that is critical to their operation, such as customer and production management information, product ideas, marketing plans, etc. There is a lot of information in different forms: personal expertise and experience-based knowledge, agreements, instructions, plans, other paper documents, and electronic data, e.g. customer, order and salary information.

Product risks

A company earns its income from its products and services. Launching products onto the market always involves risks. Errors in decision-making concerning products may prove very expensive. These risks can be reduced through systematic risk management that covers the entire range of product operations and all product-related projects.

Environmental risks

Environmental risks refer to risks that can affect the health and viability of living things and the condition of the physical environment. Environmental risks can be caused by the release of pollutants to air, land or water. Environmental damage can also be caused by irresponsible use of energy and natural resources. Pollutants can include waste (controlled waste, special waste), emissions to air due to production or usage of the product (e.g. smoke, fumes, dusts, gases, etc.), releases to the ground and water systems (e.g. effluent, chemicals, oil/fuel discharges, etc.), noise (vibration, light, etc. if causing a nuisance), and radiation.

Environmental risks can be hidden and cause damage over a long period of time. A disused refuse dump can contaminate the ground around it. An environmental risk can also emerge suddenly, e.g. due to an accident. A chemical container that breaks during transport can result in the leakage of harmful substances into the ground, a water system, the air or a surface water drain.

Project risks

A project is a singular undertaking with an objective, schedule, budget, management and personnel. There are two main types of project:

• Delivery projects, in which a customer is promised the delivery of a product or a service by a defined date and under stipulated conditions.
• Development projects, in which, for instance, a new device is developed for a company's own use.

These project types are often combined in small and middle-sized enterprises. A typical project frequently calls for some development work or tailoring before the product or service intended to meet the customer's needs can be delivered. Projects are difficult and risky because each is unique and so nearly everything is new, such as the workgroup, customer or product. Projects are also subject to disturbances because there are usually several projects in progress in the same company, and they compete in importance as well as for resources, at worst interfering with each other.

Crime risks

Most crimes against companies are planned beforehand. Typically, a company becomes the object of a crime because criminals see it as a suitable target. In addition to preventing costs caused by crime, the management of crime risks also helps in the management of a company's other risks. Structural protection and alarm systems can prevent fire and information risks as well as property risks. At the same time, indirect costs caused by interruptions in production, cleaning up the consequences of vandalism and delayed deliveries are prevented.

2.2 Error

The term error refers strictly to human actions, in contrast to risk or hazard, which may be due to circumstances and environment when no human has contributed to the situation.

A human error is an unintended failure of a purposeful action, either singly or as part of a planned sequence of actions, to achieve an intended outcome within set limits of tolerability pertaining to either the action or the outcome. [55]

There are three major components to an error [24]:

• External Error Mode (EEM) is the external manifestation of the error (e.g. closed wrong valve).
• Performance Shaping Factors (PSF) influence the likelihood of the error occurring (e.g. quality of the operator interface, time pressure, training, etc.).
• Psychological Error Mechanism (PEM) is the 'internal' manifestation of the error (how the operator failed, in psychologically meaningful terms, e.g. memory failure, pattern recognition, etc.).

2.2.1 Categorisation and taxonomy

The skill, rule and knowledge (SRK) based taxonomy was developed by Rasmussen [40] and has since been widely adopted as a model for describing human performance in a range of situations.

Skill based behaviour represents the most basic level of human performance and is typically used to complete familiar and routine tasks that can be carried out smoothly in an automated fashion without a great deal of conscious thought. The tasks that can be carried out using this type of behaviour are so familiar that little or no feedback of information from the external or work environment is needed to complete them successfully. A typical range of error probability for skill based tasks is from as high as 0.005 (alternatively expressed as 5.0E-03), or 1 error in 200 tasks, to as low as 0.00005 (5.0E-05), or 1 error in 20,000 tasks, on average. [15]

Rule based behaviour is adopted when it is required to carry out more complex or less familiar tasks than those using skill based behaviour. The task is carried out according to a set of stored rules. Although these rules may exist in the form of a set of written procedures, they are just as likely to be rules that have been learned from experience or through formal training and which are retrieved from memory at the time the task is carried out. Error probability values for rule based tasks are typically an order of magnitude higher than for skill based tasks. They lie within the range from 0.05 (5.0E-02), or 1 error in 20 tasks, to 0.0005 (5.0E-04), or 1 error in 2000 tasks, on average. [15]

Knowledge based behaviour is adopted when a completely novel situation is presented for which no stored rules, written or otherwise, exist and yet which requires a plan of action to be formulated. While there is clearly a goal to be achieved, the method of achieving it will effectively be derived from first principles. Once a plan or strategy has been developed, this will be put into practice using a combination of skill and rule based actions, the outcome of which will be tested against the desired goal until success is achieved. Knowledge based tasks have significantly higher error probabilities than either skill or rule based tasks, mainly because of the lack of prior experience and the need to derive solutions from first principles. Error probability values vary from 0.5, or 1 error in 2 tasks, to 0.005 (5.0E-03), or 1 error in 200 tasks, on average. [15]

2.2.2 Major error types of interest

In contrast to the rough labelling of errors according to their probability of occurrence given by the SRK taxonomy, it is also possible to categorise errors by the nature of their occurrence, i.e. their root cause. The following categorisation of different error types is taken from [24].

• Slips and lapses (action execution errors): The most predictable errors, usually characterised by being simple errors of quality of performance or by being omission or sequence errors. A slip is a failure to execute as planned (e.g. too much or too little force applied). A lapse is an omission to execute an action as planned due to a failure of memory or storage (e.g. task steps carried out in the wrong sequence).
• Diagnostic and decision-making (cognitive) errors: These relate to a misunderstanding by the operators of what is happening in the system, and they are usually due to insufficient operator support (design, procedures and training). Such errors have the ability to alter accident progression sequences and to cause failure dependencies between redundant and even diverse safety and backup technical systems. This type of error includes misdiagnosis, partial diagnosis and diagnostic failure.
• Maintenance errors and latent failures: Most maintenance errors are due to slips and lapses, but they occur in maintenance and testing activities, which may lead to immediate failures or to latent failures whose impact is delayed (and thus may be difficult to detect prior to an accident sequence). Most PSAs assume that maintenance failures are implicitly included in component and system availability data. However, it is less clear that such maintenance data used in the PSA can incorporate the full impact of latent failures.
• Errors of commission (EOC): An EOC is one in which the operator does something that is incorrect and also unrequired. Such errors can arise from carrying out actions on the wrong components, or can be due to a misconception, or to a risk recognition failure. EOCs can have a large impact on system risk, and they are very difficult to identify (and hence anticipate and defend against).
• Rule violations: There are two main types of violation (Reason 1990). The 'routine' rule violation, where the violation is seen as being of negligible risk and therefore as acceptable and even a necessary pragmatic part of the job, and the 'extreme' violation, where the risk is largely understood as being real, as is the fact that it is a serious violation. Rule violations are relatively unexpected and can lead to failure of multiple safety systems and barriers. PSAs rarely include violations quantitatively.
• Idiosyncratic errors: Errors due to social variables and the individual's current emotional state when performing a task. They are the result of a combination of fairly personal factors in a relatively unprotected and vulnerable organisational system. Some accidents fall into this category, and they are extremely difficult to predict, as they relate to covert social factors not obvious from a formal examination of the work context. These errors are of particular concern where, for example, a single individual has the potential to kill a large number of persons. They are not dealt with in PSA or HRA.
• Software programming errors: These errors are of importance due to the prevalence of software-based control systems required to economically control large complex systems. They are also important in other areas and for any safety-critical software applications generally. Typically there are few if any techniques applied which predict human errors in software programming. Instead, effort is spent on verifying and validating software to show it is error-free. Unfortunately complete and comprehensive verification of very large pieces of software is intractable due to software complexity and interactiveness.

Whittingham [55] divides root causes of human errors into two categories, externally induced and internally induced errors. Externally induced human errors are the factors that have a common influence on two or more
tasks, leading to dependent errors which may thus be coupled together. Examples of these adverse circumstances are deficiencies in the organisation of the task, poor interface design, inadequate training, and excessive task demands. Internally induced errors are sometimes called ‘within-person dependency’. They are found in the same individual carrying out similar tasks which are close together in time or space.

2.3 Safety

Safety may be the absence of accidents or threats, or it can be seen as the absence of risks, which for some is unrealistic. It may also be the balance between safety and risks, i.e. an acceptable level of risk. [16] It is thus possible to have a high risk level but even higher safety. Rochlin [45] argues that “the ‘operational safety’ is not captured as a set of rules or procedures, of simple, empirically observed properties, of externally imposed training or management skill, or of a decomposable cognitive or behavioural frame”. Safety is related to external threats, and the perception of being sheltered from threats. Safety is not the opposite of risk but rather of fear, including a subjective dimension, but it does not encompass positive health or aim at something beyond prevention. Defining an organisation as safe because it has a low rate of error or accidents has the same limitation as defining health as not being sick. [44] Safety may be seen as an important quality of work regardless of the frequency of accidents by regarding safety as larger than just the absence of risk or fear. [1]

2.3.1 Approaches to safety

Technical approach

The engineering approach focuses on the development of formal reliability and systems modelling, with only limited attention to some of the complexities of the human issues involved. [39] The risk is viewed as deriving from the technical/physical environment. Technicians are the ones doing safety work, and changes in the technical environment are the way to reduce accidents.
A common means for technical safety is passive prevention, which means that safety should be managed without active participation of humans.

By means of safety rounds, audits, accident investigations, and risk and safety analyses, it is presumed possible to measure the level of safety within the organisation. The result is then analysed, providing a basis for formulating action plans and making decisions to reach the target level of safety. Standards and routines offer assurances that the safety activities are good enough. [11]
Psychological approach

The psychological approach to risk and safety focuses on the individual perspective, investigating perception, cognition, attitudes and behaviour. [39] Some researchers have studied how people estimate risks and make choices among alternatives (e.g. [48]). “Risk is largely seen as a taken-for-granted objective phenomenon that can be accurately assessed by experts with the help of scientific methods and calculations. The phenomenon to be explained is primarily the malleability of risk perceptions.” [51] Individuals’ perceptions of risk are influenced by the arguments concerning hazards that are prevalent in a particular society at a certain time. All organisations operate with a variety of beliefs and norms with respect to hazards and their management, which might be formally laid down in rules and procedures, or more tacitly taken for granted and embedded within the culture of everyday working practices. Organisational culture may be expressed through shared practices. The process by which culture is created and constructed should be borne in mind when organising everyday work. [43]

2.3.2 Safety hindrances

Control and power

Many of today’s safety management systems are built on control. Managing risk through control does not take into account the fact that individuals are intentional in how they define and carry out tasks. Döös and Backström [11] state that production problems which call for corrections in a hazardous zone may be impossible to handle. The machinery or safety rules may not be flexible when changes in production are required. Production is usually considered more important than safety.

The question of politics and power is not addressed in most models and discussions. The myth of individual control leads to a search for someone to blame instead of searching for the causes of accidents. [39] It is therefore of importance to ask who is defining the risk, safety and the accident, and who is responsible for the consequences.
Does the responsibility for risk mean responsibility for errors?

Whittingham describes the concept of blame culture:

“Companies and/or industries which over-emphasise individual blame for human error, at the expense of correcting defective systems, are said to have a ‘blame culture’. Such organisations have a number of characteristics in common. They tend to be secretive and lack openness, cultivating an atmosphere where errors are swept under the carpet. Management decisions affecting staff tend to be taken without staff consultation and have the appearance of being arbitrary. The importance of people to the success
of the organisation is not recognised or acknowledged by managers and as a result staff lack motivation. Due to the emphasis on blame when errors are made, staff will try to conceal their errors. They may work in a climate of fear and under high levels of stress. In such organisations, staff turnover is often high, resulting in tasks being carried out by inexperienced workers. The factors which characterise a blame culture may in themselves increase the probability of errors being made.” [55]

Work stress

One of the most important situational moderators of stress is perceived control over the environment. Karasek [22] introduced the job demand-control model, stating that jobs which have low job demands and low levels of control (e.g. repetitive assembly line work) create strain. Control in this model means (1) to have the power to make decisions on the job (decision authority) and (2) to have use for a variety of skills in the work (skill discretion). Stress is the overall transactional process, stressors are the stimuli that are encountered by the individuals, and strains are the psychological, physical and behavioural responses to stressors. These factors are intrinsic to the job itself and include variables such as the level of job complexity, the variety of tasks performed, the amount of control that individuals have over the place and timing of their work, and the physical environment in which the work is performed.

Stress can also be related to roles in the organisation. Dysfunctional roles can occur in two primary ways: role ambiguity, a lack of predictability of the consequences of one’s role performance and a lack of information needed to perform the role; and role conflict, competing or conflicting job demands. The association between role conflict and psychosocial strain is not as strong as that between ambiguity and strain.
[6]

Conflict between safety and production goals

A constant demand for effective resource allocation and short-term revenues from investment may result in priorities that are in opposition to safety, reducing redundancy, cutting margins, increasing work pace, and reducing time for reflection and learning. Landsbergis et al. [27] found that lean production creates an intensified work pace and demands on the workers.

Rasmussen [41] proposed a model that indicates a conflict between safe performance and cost-effectiveness. The safety defences are likely to degenerate systematically through time when pressure toward cost-effectiveness is dominant. The stage for an accidental course of events is very likely prepared through time by the normal efforts of many actors in their respective daily work context, responding to the standing request to be cost-effective. Ultimately, a quite normal variation in somebody’s behaviour can then release an accident. Had this particular root cause been avoided by some additional safety measure, the accident would very likely have been released by another cause at another point in time. In other words, an explanation for the accident in terms of events, acts and errors is not very useful for the design of improved safety. It is important to focus not on the human error but on the mechanisms generating behaviour in the actual dynamic work context. [41]

Attitudes and norms

Slovic [47] stated that risk is always subjective. There is no such thing as a real risk or objective risk. The concept of risk depends on our mind and culture and is invented to help us understand and cope with the danger and uncertainties of life. Slovic [47] stated that trust is an important element in risk acceptance, and should be further investigated. To be socialised into the work role is to understand what is accepted and what is not.

In the beginning, reactions towards obvious risks may occur, but may be difficult to express, and safety has to be trusted. After an introductory period, during which risk and safety knowledge may be low, perception may be higher, but along with increased experience risks may become accepted as normal. Holmes et al. [18] also found that blue-collar workers regarded occupational injury risk as a normal feature of the work environment and an acceptable part of the job. An experienced worker may become home-blind and not react to hazards. The reinforcement by risks that have been avoided or mastered may also provide a false sense of safety.

The risk homeostasis theory (RHT), presented by Wilde [57], states that people have a target level of risk, the level that they accept.
This level depends on perceived benefits and disadvantages of safe and unsafe behaviour. The frequency of injuries is maintained over time through a closed loop. Whenever one perceives a discrepancy between target risk and experienced risk, an attempt is made to restore the balance through some behavioural adjustment.

Organisational culture, structural secrecy and unclear communication of information are found to influence towards a normalisation of deviance, which in turn may lead to failure to foresee risks. Deviance from the original rules becomes normalised and routine, as informal work systems compensate for the organisation’s inability to provide the necessary basic resources (e.g. time, tools, documentation with a close relationship to action). [10]
2.3.3 Safety facilitators

Participation

Much intervention research has emphasised the benefits of a participatory approach. Participation will improve the information and idea generation, engaging those who know most about the current situation. Participation may result in a ‘sense of ownership’ and a greater commitment to a goal or a process of change. Behavioural change is likely to be more sustainable if it emerges from the need of the persons involved and with their active participation, rather than being externally imposed. [50]

Safety management, risk analyses and interventions are normally conducted by experts on safety. This information and these activities are not only important for designers, technicians or safety committees. Safety work could benefit from involving the operating people, taking an active participatory part. Using this approach in safety intervention work, the participants instead of a safety expert will own the process, being their own experts on their special problems and abilities. [50]

Social support and empowerment

Social support has been found to be of importance for behavioural change as well as a moderator of felt work stress. [23] Risks and injuries are delicate subjects, and particularly so if linked to personal mistakes and shortcomings. A supportive social climate with a non-judging and respectful atmosphere is vital to encourage sharing such experiences.

There are different sorts of social support: emotional, evaluative, informational and instrumental. [19] The effects and mechanism of social support can be to fulfil fundamental human needs such as security or social contact. It can also provide support in reducing interpersonal conflicts, i.e. prioritising, and it may also have a buffering effect, modifying the relation between a stressor and health.

Perceived self-efficacy plays an important role in the causal structure of social cognitive theory, because efficacy beliefs affect adaptation and change.
[2] Unless people believe they can produce and foretell their actions, they have little incentive to act or to persevere in the face of difficulties. Other motivators are rooted in the core belief that one has the power to produce effects by one’s actions. Efficacy beliefs also influence whether people think pessimistically or optimistically and in ways that are self-enhancing or self-hindering. [2]
Communication

Communication is a key factor binding an organisation together. If risks and safety are not communicated at and through all levels of the organisation, there will be little understanding of the risks and safety. Lundgren [28] stated that the risk communication process must be a dialogue, not a monologue from either party. Continuous feedback and interpretations are necessary for communication to be effective, which forms the basis for continuous safe operation. Communication is linked to a systems view and the capability of finding and analysing risks and implementing safety measures. [45]

Effective communication needs openness so that sensitive information can be outspoken and the question of error, responsibility, blame and shame is openly dealt with in the communication of accidents. All members of an organisation need feedback, not only in their specific area of responsibility but also on how the operating level functions and handles the complexity in which they operate. It is also of importance to anchor policies, goals and changes and to make them comprehensible and meaningful. [50] Saari stated that knowledge of risk is not enough to bring about changes in unsafe behaviour, and that decision-making is influenced by feelings. Therefore, social feedback encouraging safe behaviour has been quite successful in modifying behaviour. [46]

Learning

Learning is a key characteristic of safe organisations. [39] Döös and Backström [11] stated that demands on control and demands on learning and acting competently appear to come into conflict. The critical competitive factor for success is not only competence but also its development and renewal.

To learn implies changing one’s ways of thinking and/or acting in relation to the task one intends to perform. The outcome of learning has two aspects. Within the individual, learning is expressed as constructing and reconstructing one’s cognitive structures or thought networks.
Outwardly, visible signs of learning are changed ways of acting, performing tasks and talking. Individual experiential learning [32] can be understood as an ongoing interchange between action and reflection, where past experiences provide the basis for future ones. Active participation and personal action are prerequisites for the learning process to take place.

Safety culture/climate

Safety climate reflects the symbolic (e.g. posters in the workplace, state of the premises, etc.) and political (e.g. managers voicing their commitment to safety, allocation of budgets to safety, etc.) aspects of the organisation which
constitute the work environment. On the other hand, safety culture is made up of the cognition and emotion which give groups, and ultimately the organisation, their character. Unlike safety management and climate, which can often be a reactive response to a certain situation, the safety culture is a stable and enduring feature of the organisation. [56] Flin et al. [12] found that safety climate can be seen as a snapshot of the state of safety, providing an indicator of the underlying safety culture of a work group, plant or organisation. In their review of 18 studies, they identified the six most common themes in safety climate. These were:

1. the perceptions of management attitudes and behaviour in relation to safety,
2. different aspects of the organisational safety management system,
3. attitudes towards risk and safety,
4. work pressure as the balance maintained between pressure for production and safety,
5. the workforce perception of the general level of workers’ competence,
6. perception of safety rules, attitudes to rules and compliance with or violation of procedures.

A number of techniques have been employed to measure safety culture; the most common method is a self-completion questionnaire. Employees respond by indicating the extent to which they agree or disagree with a range of statements about safety, e.g. “senior management demonstrate their commitment to safety”. The data obtained from the questionnaires are analysed to identify factors or concepts that influence the level of safety within the organisation.

2.4 Human factors

Human factors are defined as:

“. . . environmental, organisational and job factors, and human and individual characteristics which influence behaviour at work in a way which can affect health and safety”. [17]

Good human factors in practice is about optimising the relationships between demands and capacities in considering human and system performance (i.e. understanding human capabilities and fallibilities).
The term is used much more in the safety context than ergonomics even though they mean very much the same thing. Like human factors, ergonomics deals with the interaction of technological and work situations with the human being. The
job must ‘fit the person’ in all respects and the work demands should not exceed human capabilities and limitations. The meaning of ergonomics is hard to distinguish from human factors, but is sometimes associated more with the physical design issues as opposed to cognitive or social issues, and with health, well-being and occupational safety, rather than with the design of major hazard systems.

Tasks should be designed in accordance with ergonomic principles to take into account limitations and strengths in human performance. Matching the job to the person will ensure that they are not overloaded and that they make the most effective contribution to the business. Physical match includes the design of the whole workplace and working environment. Mental match involves the individual’s information and decision-making requirements, as well as their perception of the tasks and risks. Mismatches between job requirements and people’s capabilities provide the potential for human error.

People bring to their job personal attitudes, skills, habits and personalities which can be strengths or weaknesses depending on the task demands. Individual characteristics influence behaviour in complex and significant ways. Their effects on task performance may be negative and may not always be mitigated by job design. Some characteristics such as personality are fixed and cannot be changed. Others, such as skills and attitudes, may be changed or enhanced.

Organisational factors have the greatest influence on individual and group behaviour, yet they are often overlooked during the design of work and during investigation of accidents and incidents. Organisations need to establish their own positive health and safety culture. The culture needs to promote employee involvement and commitment at all levels, emphasising that deviation from established health and safety standards is not acceptable.
Chapter 3

Overview of risk assessment methods

In this chapter we take a look at the well-established procedures for carrying out a risk assessment on a machine or assembled group of machines.

Carrying out a risk assessment on a machine or assembled group of machines is a well-established procedure in a European Commission standard EN 1050. [13] This procedure forms the basis of most safety design studies that have to be carried out on machines to satisfy the requirements of the regulations. The standard points out that:

• Risk assessment should be based on a clear understanding of the machine limits and its functions.
• A systematic approach is essential to ensure a thorough job.
• The whole process of risk assessment must be documented for control of the work and to provide a traceable record for checking by other parties.

EN 1050 describes risk assessment as a process intended to help designers and safety engineers define the most appropriate measures to enable them to achieve the highest possible levels of safety, according to the state of the art and the resulting constraints. The standard also defines several techniques for conducting a risk assessment, including the following: What-If method, Failure Mode and Effect Analysis (FMEA), Hazard and Operability Study (HAZOPS), Fault Tree Analysis (FTA), Delphi technique, Defi method, Preliminary Hazard Analysis (PHA), and Method Organised for a Systematic Analysis of Risks (MOSAR).
3.1 Probabilistic risk assessment

3.1.1 Introduction

The Finnish work safety regulations require the employer to conduct risk assessments that evaluate the safety of the workplace. It is stated in the Occupational Safety and Health Act [37] that

“Employers are required to take care of the safety and health of their employees while at work by taking the necessary measures. For this purpose, employers shall consider the circumstances related to the work, working conditions and other aspects of the working environment as well as the employees’ personal capacities.”

In addition,

“Employers shall design and choose the measures necessary for improving the working conditions as well as decide the extent of the measures and put them into practice.”

Probabilistic Risk Assessment (PRA), also known as Probabilistic Safety Assessment (PSA), is a systematic procedure for investigating how complex systems are built and operated. PRAs model how human, software, and hardware elements of the system interact with each other. The methodology was first used in the USA in 1975 to assess and analyse the potential risks leading to severe accidents in nuclear power plants. [42]

The study, reported in WASH-1400, involved a list of potential accidents in nuclear reactors, estimation of the likelihood of accidents resulting in radioactivity release, estimation of the health effects associated with each accident, and comparison of nuclear accident risk with other accident risks. Since the WASH-1400 report the understanding of PSA has increased and it has become a useful tool in risk analysis. A similar method is used by NASA in analysing the risks in space shuttle missions. One of the most important features of PSA is its quantitative probability assessment of different components and events.

The methodology includes several phases which can also be used independently to examine possible failures within a system. A risk assessment amounts to addressing three very basic questions posed by Kaplan and Garrick: [21]

1. What can go wrong?
2. How likely is it?
3. What are the consequences?
The answer to the first question leads to identification of the set of undesirable scenarios. The second question requires estimating the probabilities (or frequencies) of these scenarios, while the third estimates the magnitude of potential losses.

The NASA PRA Guide [49] describes the components of a PRA; a modified version of that description follows, with each component discussed in more detail.

3.1.2 Defining objectives and methodology and gathering information

Preparing for a PRA begins with a review of the objectives of the analysis. Among the many objectives possible, the most common ones include design improvement, risk acceptability, decision support, regulatory and oversight support, and operations and life management. Once the objective is clarified, an inventory of possible techniques for the desired analyses should be developed. The available techniques range from required computer codes to system experts and analytical experts.

The resources required for each analytical method should be evaluated, and the most effective option selected. The basis for the selection should be documented, and the selection process reviewed to ensure that the objectives of the analysis will be adequately met.

A general knowledge of the physical layout of the overall system, administrative controls, maintenance and test procedures, as well as hazard barriers and subsystems (whose purpose is to protect, prevent, or mitigate hazard exposure conditions) is necessary to begin the PRA. A detailed inspection of the overall system must be performed in the areas expected to be of interest and importance to the analysis.

3.1.3 Identification of initiating events

A system is said to operate in a normal operation mode as long as the system is operating within its design parameter tolerances; there is then little chance of challenging the system boundaries in such a way that hazards will escape those boundaries.
During normal operation mode, loss of certain functions or systems will cause the process to enter an off-normal (transient) state. Once in this state, there are two possibilities. First, the state of the system could be such that no other function is required to maintain the process or overall system in a safe condition. The second possibility is a state wherein other functions are required to prevent exposing hazards beyond the system boundaries. For the second possibility, the loss of the function or the system is considered as an initiating event (IE).

One method for determining the operational IEs begins with first drawing a functional block diagram of the system. From the functional block diagram, a hierarchical relationship is produced, with the process objective being successful completion of the desired system. Each function can then be decomposed into its subsystems and components, and can be combined in a logical manner to represent operations needed for the success of that function.

3.1.4 Scenario development

The goal of scenario development is to derive a complete set of scenarios that encompasses all of the potential exposure propagation paths that can lead to loss of containment or confinement of the hazards, following the occurrence of an initiating event. To describe the cause and effect relationship between initiating events and subsequent event progression, it is necessary to identify those functions that must be maintained, activated or terminated to prevent loss of hazard barriers. The scenarios that describe the functional response of the overall system or process to the initiating events are frequently displayed by event trees.

3.1.5 Logic modelling

Event trees commonly involve branch points which show whether a given subsystem (or event) either works (or happens) or does not work (or does not happen). Sometimes, failure of these subsystems is rare and there may not be an adequate record of observed failure events to provide a historical basis for estimating the frequency of their failure. In such cases, other logic-based analysis methods such as fault trees or master logic diagrams may be used, depending on the accuracy desired. The most common method used in PRA to calculate the probability of subsystem failure is fault tree analysis.

Different event tree modelling approaches imply variations in the complexity of the logic models that may be required. If only main functions or systems are included as event tree headings, the fault trees become more complex and must accommodate all dependencies among the main and support functions within the fault tree.
If support functions or systems are explicitly included as event tree headings, more complex event trees and less complex fault trees will result.

3.1.6 Failure data analysis

Hardware, software, and human reliability data are inputs to assess performance of hazard barriers, and the validity of the results depends highly on the quality of the input information. It must be recognised that historical
data have predictive value only to the extent that the conditions under which the data were generated remain applicable. Collection of the various failure data consists fundamentally of the following steps: collecting and assessing generic data, statistically evaluating facility- or overall system-specific data, and developing failure probability distributions using test or facility- and system-specific data. Three types of events must be quantified for the event trees and fault trees to estimate the frequency of occurrence of sequences: initiating events, component failures, and human error.

After establishing probabilistic failure models for each barrier or component failure, the parameters of the model must then be estimated. Typically the necessary data include time of failures, repair times, test frequencies, test downtimes, and common cause failure (CCF) events. One might also use non-parametric models and simulate the results.

3.1.7 Sensitivity analysis

In a sensitivity analysis, an input parameter, such as a component failure rate in a fault tree logic model, is changed, and the resulting change in the top event probability is measured. This process is repeated using either different values for the same parameter or changing different parameters by the same amount.

There are various techniques for performing sensitivity analyses. These techniques are designed to determine the importance of key assumptions and parameter values to the risk results. The most commonly used methods are so-called “one-at-a-time” methods, in which assumptions and parameters are changed individually to measure the change in virtually any input or model assumption and observe their impact on the final risk calculations.

The key challenge in engineering risk analysis is to identify the elements of the system or facility that contribute most to risk and associated uncertainties. To identify such contributors, the common method used is importance ranking.
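Worked example, added here and not part of the thesis, of the logic modelling in 3.1.5 and the one-at-a-time sensitivity and importance ranking of this section: a constructed fault tree for a machinery hazard in which a shared power supply feeds both safety barriers (showing why a shared support function must be handled inside the fault tree), an event tree for a jam-clearing initiating event, and two standard importance measures (Birnbaum and Fussell-Vesely, which the text does not name). All component names and probabilities are hypothetical.

```python
# Added example (not from the thesis): a small fault tree and event tree for a
# machinery hazard, with one-at-a-time sensitivity and importance ranking.
# Component names and probabilities are constructed, hypothetical values.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Gate:
    kind: str                    # "AND" or "OR"
    inputs: Tuple["Node", ...]   # sub-gates or basic-event names

Node = Union[str, Gate]          # a basic event is just its name


def gate_probability(node: Node, p: Dict[str, float]) -> float:
    """Bottom-up evaluation assuming independent basic events:
    AND = product of inputs, OR = 1 - prod(1 - q_i)."""
    if isinstance(node, str):
        return p[node]
    qs = [gate_probability(n, p) for n in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for q in qs:
            out *= q
        return out
    if node.kind == "OR":
        miss = 1.0
        for q in qs:
            miss *= 1.0 - q
        return 1.0 - miss
    raise ValueError(f"unknown gate kind {node.kind!r}")


def basic_events(node: Node) -> List[str]:
    """All basic-event names in the tree, with repetitions."""
    if isinstance(node, str):
        return [node]
    return [e for n in node.inputs for e in basic_events(n)]


def top_probability(node: Node, p: Dict[str, float]) -> float:
    """Exact top-event probability. A basic event feeding several gates (a
    shared support system such as a power supply) breaks independence, so
    condition on each repeated event (Shannon expansion):
    P(T) = p_x * P(T | x failed) + (1 - p_x) * P(T | x working)."""
    names = basic_events(node)
    repeated = sorted(e for e in set(names)
                      if names.count(e) > 1 and 0.0 < p[e] < 1.0)
    if not repeated:
        return gate_probability(node, p)
    x = repeated[0]
    return (p[x] * top_probability(node, {**p, x: 1.0})
            + (1.0 - p[x]) * top_probability(node, {**p, x: 0.0}))


def importance(node: Node, p: Dict[str, float]) -> Dict[str, Tuple[float, float]]:
    """Per basic event: (Birnbaum = P(T|x=1) - P(T|x=0),
    Fussell-Vesely = (P(T) - P(T|x=0)) / P(T))."""
    base = top_probability(node, p)
    out = {}
    for e in set(basic_events(node)):
        t1 = top_probability(node, {**p, e: 1.0})
        t0 = top_probability(node, {**p, e: 0.0})
        out[e] = (t1 - t0, (base - t0) / base)
    return out


def one_at_a_time(node: Node, p: Dict[str, float], factor: float) -> Dict[str, float]:
    """Sensitivity: scale each basic-event probability by `factor` in turn
    (capped at 1.0) and report the resulting top-event probability."""
    return {e: top_probability(node, {**p, e: min(1.0, p[e] * factor)})
            for e in set(basic_events(node))}


def event_tree(f_ie: float, headings: List[Tuple[str, float]]) -> Dict[str, float]:
    """Frequency of every success (S) / failure (F) sequence after an initiating
    event of frequency f_ie; q is each heading's failure probability. Any
    dependency between headings must already sit inside their fault trees."""
    seqs = {"": f_ie}
    for _name, q in headings:
        nxt = {}
        for path, f in seqs.items():
            sep = "/" if path else ""
            nxt[path + sep + "S"] = f * (1.0 - q)
            nxt[path + sep + "F"] = f * q
        seqs = nxt
    return seqs


# Constructed model: an operator is struck by machine motion only if they are
# in the danger zone AND the guard interlock fails to stop motion AND the
# emergency stop is ineffective. "PSU" (a shared supply) feeds both barriers.
INTERLOCK_FAILS = Gate("OR", ("INTERLOCK_SWITCH", "PSU"))
ESTOP_FAILS = Gate("OR", ("ESTOP_BUTTON", "PSU"))
TOP = Gate("AND", ("OPERATOR_IN_ZONE", INTERLOCK_FAILS, ESTOP_FAILS))
P = {"OPERATOR_IN_ZONE": 0.1, "INTERLOCK_SWITCH": 0.01,
     "PSU": 0.005, "ESTOP_BUTTON": 0.02}

if __name__ == "__main__":
    print("independent approximation:", gate_probability(TOP, P))  # 3.72255e-05
    print("exact with shared PSU:    ", top_probability(TOP, P))   # 0.0005199
    print("importance (Birnbaum, Fussell-Vesely):", importance(TOP, P))
    seqs = event_tree(50.0, [("interlock stops", 0.015), ("e-stop works", 0.025)])
    print("both barriers fail, per year:", seqs["F/F"])             # 0.01875
```

The independent approximation understates the exact value by more than an order of magnitude here because the PSU is a common cause behind both barriers; the Fussell-Vesely figure for PSU shows it as the dominant contributor.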
These importance measures are used to rank the risk-significance of the main elements of the risk models in terms of their contributions to the total risk.

3.1.8 Risk acceptance criteria

In an engineering risk assessment, the analyst considers both the frequency of an initiating event and the probabilities of such failures within the engineering system. In a health risk assessment, the analyst assesses consequences from situations involving chronic releases of a certain amount of chemical and biological toxicants to the environment with no consideration of the frequency or probability of such releases.

The ways of measuring consequences are also different in health and engineering risk assessments. Health risk assessment focuses on specific toxicants and contaminants and develops a deterministic or probabilistic model of the associated exposure amount and resulting health effects, the so-called dose-response models. The consequences are usually in the form of fatality. In engineering risk assessment, the consequence varies. Common consequences include worker health and safety, economic losses to property, immediate or short-term loss of life, and long-term loss of life from cancer. One useful way to represent the final risk values is by using the so-called Farmer’s curves. In this approach, the consequence is plotted against the complementary cumulative distribution of the event frequency.

Individual risk is one of the most widely used measures of risk and is defined as the fraction of the population exposed to a specific hazard and subsequent consequence per unit time. Societal risk is expressed in terms of the total number of casualties, such as the relation between frequency and the number of people affected from a specified level of consequence in a given population from exposure to specified hazards. [33]

The ALARP (as low as reasonably practicable) principle [31] recognises that there are three broad categories of risk:

1. Negligible risk: Broadly accepted by most people as they go about their everyday lives. Examples of this kind of risk might be being struck by lightning or having brake failure in a car.
2. Tolerable risk: One would rather not have the risk, but it is tolerable in view of the benefits obtained by accepting it. The cost in inconvenience or in money is balanced against the scale of risk and a compromise is accepted. This would apply to e.g. travelling in a car.
3. Unacceptable risk: The risk level is so high that we are not prepared to tolerate it. The losses far outweigh any possible benefits in the situation.

The principle is depicted in Figure 3.1.
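Added example (not from the thesis) of the Farmer’s curve and ALARP banding described above: the complementary cumulative frequency F(N) of scenarios affecting N or more people, a societal-risk total, and a classification of each scenario’s frequency into the three ALARP regions. The scenarios and the two region boundaries are constructed values, not data from any plant.

```python
# Added example (not from the thesis): Farmer's (F-N) curve and ALARP banding
# for a set of constructed accident scenarios. Frequencies, casualty counts
# and the two ALARP boundaries are hypothetical values.
from typing import Dict, List, Tuple

# (scenario name, frequency per year, number of people affected) -- constructed
SCENARIOS: List[Tuple[str, float, int]] = [
    ("hand caught in press during jam clearing", 2e-2, 1),
    ("sheet-metal coil dropped from crane", 5e-3, 2),
    ("solvent flash fire in coating line", 1e-4, 5),
    ("warehouse rack collapse", 1e-6, 20),
]

# Constructed ALARP boundaries (per year): at or below NEGLIGIBLE the risk is
# broadly accepted; above UNACCEPTABLE it must be removed; in between it is
# tolerable only while further reduction is not reasonably practicable.
NEGLIGIBLE = 1e-6
UNACCEPTABLE = 1e-3


def fn_curve(scenarios: List[Tuple[str, float, int]]) -> Dict[int, float]:
    """Complementary cumulative frequency F(N): total frequency per year of
    scenarios affecting N or more people, for every N that occurs."""
    return {n: sum(f for _, f, m in scenarios if m >= n)
            for _, _, n in scenarios}


def alarp_band(frequency: float) -> str:
    """Classify a per-year frequency into the three ALARP regions."""
    if frequency <= NEGLIGIBLE:
        return "negligible"
    if frequency > UNACCEPTABLE:
        return "unacceptable"
    return "tolerable"


def expected_casualties(scenarios: List[Tuple[str, float, int]]) -> float:
    """Societal risk summarised as expected casualties per year (sum of f * N)."""
    return sum(f * n for _, f, n in scenarios)


if __name__ == "__main__":
    for n, f in sorted(fn_curve(SCENARIOS).items()):
        print(f"F(N >= {n:2d}) = {f:.3e} /year")
    for name, f, _ in SCENARIOS:
        print(f"{alarp_band(f):12s} {name}")
    print("expected casualties per year:", expected_casualties(SCENARIOS))
```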
Figure 3.1: ALARP and risk tolerance regions (adapted from [55])

3.1.9 Interpretation of results

When the risk values have been calculated, they must be interpreted to determine whether any revisions are necessary to refine the results and the conclusions. The adequacy of the PRA model and the scope of the analysis are verified. Characterising the role of each element of the system in the final results is also necessary. Based on the results of the interpretation, the details of the PRA logic, its assumptions and its scope may be modified to update the results into more realistic and dependable values. The basic steps of the PRA results interpretation are:

1. Determine the accuracy of the logic models and scenario structures, assumptions, and scope of the PRA.

2. Identify system elements for which better information would be needed to reduce uncertainties in failure probabilities and in the models used to calculate performance.

3. Revise the PRA and reinterpret the results until stable and accurate results are attained.
3.2 Human reliability analysis

3.2.1 Introduction

Human actions are an essential part of the operation and maintenance of machinery, in both normal and abnormal conditions. Generally, man can ensure safe and economic operation by proactive means, but in disturbances a reactive performance may also be required. Thus, human actions affect both the probability of risk-significant events and their consequences, and they need to be taken into account in PSA. Without incorporating human error probabilities (HEPs), the results of a risk analysis are incomplete.

The measurement of human reliability is necessary to provide some assurance that complex technology can be operated effectively with a minimum of human error, and to ensure that systems will not be maloperated, leading to a serious accident. To estimate HEPs, and thus human reliability, one needs to understand human behaviour, which is very difficult to model. HEP is defined as the mathematical ratio

    HEP = \frac{\text{Number of errors occurring in a task}}{\text{Number of opportunities for error}}    (3.1)

Practically all HRA methods and approaches share the assumption that it is meaningful to use the concept of a human error, and hence to develop ways of estimating human error probabilities. This view prevails despite serious doubts expressed by leading scientists and practitioners from HRA and related disciplines. [14]

Extensive studies of human performance in accidents conclude that

"... 'human error' is not a well defined category of human performance. Attributing error to the actions of some person, team, or organisation is fundamentally a social and psychological process and not an objective, technical one." [59]

Also, Reason (1997) concludes that

"the evidence from a large number of accident inquiries indicates that bad events are more often the result of error-prone situations and error-prone activities, than they are of error-prone people." [43]

Attempts to approach the human reliability problem with the same criteria as the engineering reliability problem reveal their inconsistency. The human failure probability can be determined precisely only for a specific person, social conditions and a short time period. Generalisation of the obtained data to different people, social conditions and long time periods results in growth of the uncertainty of the result.
Nevertheless, HRA methods have been successfully used in assessing error probabilities. Numerous studies have been performed to produce data sets or databases that can be used as a reference for determining human error probabilities. Some key elements of human reliability analysis are presented in the following sections, and some specific methods for examining a certain area of human reliability are introduced.

3.2.2 Task analysis

Task analysis is a fundamental methodology in the assessment and reduction of human error. A very wide variety of different task analysis methods exist. An extended review of task analysis techniques is available in Kirwan and Ainsworth. [25]

Nearly all task analysis techniques provide, as a minimum, a description of the observable aspects of operator behaviour at various levels of detail, together with some indication of the structure of the task. These will be referred to as action-oriented approaches. Other techniques focus on the mental processes that underlie observable behaviour, for example decision making and problem solving. These will be referred to as cognitive approaches.

In addition to their descriptive functions, TA techniques provide a wide variety of information about the task that can be useful for error prediction and prevention. To this extent, there is a considerable overlap between task analysis and human error analysis (HEA) techniques, and thus a combination of TA and HEA methods will be the most suitable form of analysis.

3.2.3 Database methods

Database methods generally rely upon observation of human tasks in the workplace, or analysis of records of work carried out. Using this method, the number of errors taking place during the performance of a task is noted each time the task is carried out. Dividing the number of errors by the number of tasks performed provides an estimate of HEP as described above. However, since more than one type of error may occur during the performance of a task, it is important to note which types of error have occurred.

3.2.4 Expert judgement

The use of expert judgement in the risk estimation step of risk assessment aims at producing a single representation, i.e. in practice an aggregated probability distribution of an unknown quantity. A formalised procedure for attaining this is described by several different researchers, Winkler et al. [58] and Cooke and Goossens [5] to name but a few. Such a procedure is known as an expert judgement protocol. The main challenge of the protocol is to control the cognitive biases inherent in eliciting probabilities. [53]

Expert judgement elicitation and aggregation approaches can be classified into behavioural probability aggregation and mechanical probability aggregation. [4] In the behavioural probability aggregation approach, the experts themselves produce the consensus probability distribution. The normative expert only facilitates the process of interaction and debate. The main objective of the approach is to ensure the achievement of a shared understanding of the physical and social phenomena and/or logical relationships represented by the parameter elicited. It is important to note that this approach induces strong dependence between the experts.

In the mechanistic approach, the experts' individual probability distributions are aggregated by the decision-maker after their elicitation. The main challenge is to specify the performance of the experts. Such a specification presupposes at least two assumptions:

1. data for calibrating an expert's performance is available, and

2. the expert has not learned from his past performance, and thus uses cognitive heuristics.

In the case of Bayesian mechanistic probability aggregation, the decision-maker defines the likelihoods of the experts' judgements and treats these judgements as data for updating his prior belief to a posterior belief according to Bayes' rule.

3.2.5 Technique for Human Error Rate Prediction (THERP)

Development of the THERP method began in 1961 in the US at Sandia National Laboratories, and the developed method was finally released for public use in the document NUREG 1278 in 1983. [52] The stated purpose is to present methods, models and estimates of HEPs to enable analysts to make predictions of the occurrence of human errors in nuclear power plant operations, particularly those that affect the availability or reliability of engineered safety systems and components.

The method describes in detail all the relevant PSFs which may be encountered and provides methods of estimating their impact on HEP. It also proposes methods of combining the HEPs assessed for individual tasks in the form of a model, so that the failure probability for a complete procedure can be calculated. This is carried out by modelling procedures in the form of HRA event trees. The interaction between individual human errors can then be more easily examined, and the contribution of those errors to the overall failure probability of the procedure can be quantified.

The key elements of the THERP quantification process are as follows:
1. Decomposing tasks into elements. The first step involves breaking down a task into its constituent elements according to the THERP taxonomic approach given in NUREG 1278.

2. Assignment of nominal HEPs to each element. The assignment of nominal HEPs is carried out with reference to the THERP Handbook. Chapter 20 of the Handbook is a set of tables, each of which has a set of error descriptors, associated error probabilities and error factors. The assessor uses these tables and their supporting documentation to determine the nominal HEP for each task element. Problems will arise when task elements do not appear to be represented in any of the tables.

3. Determination of effects of PSF on each element. The determination of the effects of PSFs should be based on the assessor's qualitative analyses of the scenario, and a range of PSFs are cited which can be applied by the assessor. The assessor will normally use a multiplier on the nominal HEP.

4. Calculation of effects of dependence between tasks. Dependence exists when the probability of a task outcome is different when it follows a particular task. THERP models dependence explicitly, using a five-level model of dependence. Failing to model dependence can have a dramatic effect on the overall HEP, and differences in the levels chosen by different assessors can lead to different HEPs.

5. Modelling in a Human Reliability Analysis Event Tree. Modelling via an event tree is relatively straightforward once step 1 has been carried out.

6. Quantification of total task HEP. Quantification is done using simple Boolean algebra: multiplication of probabilities along each event branch, with success and failure probability outcomes summing to unity.

3.3 Other risk and error assessment methods

3.3.1 Five steps to risk assessment

The process for a risk assessment for the handling and use of machines follows the same general rules as all risk assessments. These rules are most clearly described in a widely used brochure published by the UK Health and Safety Executive (HSE) called 'Five steps to risk assessment'. The process is depicted in Figure 3.2.
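The THERP quantification steps 2 to 6 of section 3.2.5 above, carried through as an added Python illustration that is not from the thesis or from NUREG 1278. The task elements, nominal HEPs and PSF multipliers are constructed; the conditional-probability equations for the five dependence levels are those of the THERP Handbook, which the section cites but does not reproduce.

```python
from itertools import product

# THERP five-level dependence model (Handbook equations, not on this page).
# Given p = basic probability of an outcome for element n, each function gives
# the conditional probability of the SAME outcome on element n given that
# element n-1 had that outcome. ZD = zero, LD = low, MD = moderate,
# HD = high, CD = complete dependence.
DEPENDENCE = {
    "ZD": lambda p: p,
    "LD": lambda p: (1 + 19 * p) / 20,
    "MD": lambda p: (1 + 6 * p) / 7,
    "HD": lambda p: (1 + p) / 2,
    "CD": lambda p: 1.0,
}


def conditional_hep(nominal_hep, psf_multiplier, level, previous_failed):
    """Step 3 + step 4: PSF-adjusted HEP of an element, conditioned on the
    outcome of the preceding element."""
    basic = min(nominal_hep * psf_multiplier, 1.0)   # PSF multiplier, capped at 1
    f = DEPENDENCE[level]
    if previous_failed:
        return f(basic)                 # P(F_n | F_n-1)
    return 1.0 - f(1.0 - basic)         # P(F_n | S_n-1) = 1 - P(S_n | S_n-1)


def quantify_task(elements):
    """Steps 5 and 6: enumerate every branch of the HRA event tree, multiply the
    conditional probabilities along each branch and sum the branches ending in
    task failure. elements = [(nominal_hep, psf_multiplier, dependence_level)]
    in execution order; the first element's level is unused (nothing precedes
    it). Any failed element fails the whole task, i.e. no recovery paths."""
    total_failure = 0.0
    total_mass = 0.0
    for outcomes in product((False, True), repeat=len(elements)):  # True = fails
        p_branch = 1.0
        previous_failed = None
        for (nominal, psf, level), failed in zip(elements, outcomes):
            if previous_failed is None:
                p_fail = min(nominal * psf, 1.0)
            else:
                p_fail = conditional_hep(nominal, psf, level, previous_failed)
            p_branch *= p_fail if failed else 1.0 - p_fail
            previous_failed = failed
        total_mass += p_branch
        if any(outcomes):
            total_failure += p_branch
    # Success and failure outcomes along all branches must sum to unity.
    assert abs(total_mass - 1.0) < 1e-12
    return total_failure


if __name__ == "__main__":
    # Constructed procedure: read a gauge, select a switch, confirm a lamp.
    task = [(0.003, 1.0, "ZD"), (0.01, 2.0, "MD"), (0.005, 1.0, "HD")]
    print(f"independent elements: {quantify_task([(n, p, 'ZD') for n, p, _ in task]):.5f}")
    print(f"with dependence:      {quantify_task(task):.5f}")
```

Comparing the two printed values shows why step 4 matters: dependence reshapes the branch probabilities even though the nominal HEPs are unchanged.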
Figure 3.2: Five steps to risk assessment

3.4 Method used by the Company

The Company uses a risk assessment method of its own. The method is based on the principles presented in 'Five steps to risk assessment' by HSE. The risk assessment database works within the Company intranet framework, where the assessor chooses the entity to be assessed (a production line or a machine) and then adds the risks identified.

The Company policy is that all risks scoring above 30 on the risk rating scale need to be controlled. This means defining a risk control action plan (RCAP) for every risk exceeding the level. The RCAP includes identifying existing controls, nominating an actioner, setting a completion date and estimating costs. Risks scoring higher than 100 are unacceptable and need to be eliminated urgently.

The assessment process is depicted in Figure 3.3. The process has the following steps:

1. Identify activity. The machinery is used in different modes: normal operation, maintenance, repair, emergency.

2. Form assessment team. The team consists of at least a trained assessor and the machine operator.

3. Gather information. Acquire information from previous risk assessments, accident and incident reports, work instructions, legal requirements, operating manuals, interviews with the operators and maintenance personnel, etc.

Figure 3.3: The Company method
4. Identify hazards. Using an applicable method, identify the possible hazards within the target activity.

5. Identify who might be harmed and how.

6. Identify existing control measures. There are several already applied measures, such as guarding, safety devices, procedures, personal protection equipment, etc.

7. Assess risks. Using the data gathered, calculate the risk level for all the hazards identified using the risk rating formula below.

8. Remove the hazards. Limit the risk as far as possible. This can be achieved by reducing speed and force, employing good ergonomics, applying failsafe principles, and strengthening existing control measures.

9. Identify and implement additional controls. After re-assessing the residual risk, inform and warn the personnel about any residual risk. This can take the form of signs and symbols.

10. Document the assessment. Risk assessments should be recorded in the Company database. Update for new information and closure for assigned corrective actions.

3.4.1 Risk rating

The risk level is calculated with the following formula:

    \text{Risk Rating} = LO \times FE \times DPH \times NP    (3.2)

The four variables are scored according to table 3.1. Because each of these elements has a range of values, this can sometimes lead to difficulties in ensuring that they are applied consistently from site to site and from risk assessor to risk assessor. The Company has provided some guidelines in order to maintain consistency in the assessments.

Frequency of Exposure and Number of People at Risk

The number of people at risk should be calculated as the number of people who come into contact with the hazard. Where there is a shift system in operation, it is acceptable to calculate the number of people as the number per shift. For example, if the task is undertaken by 2 operators per shift in a 3-shift factory, then the number of people is 2. However, one should also remember to include other people who might also come into contact with the hazard during each shift, e.g. supervisors, quality staff, maintenance engineers.

If there are significant differences in the frequency of exposure of different groups of people, then their risk should be assessed separately.

Likelihood of occurrence (LO): likelihood of the identified hazard realising its potential and causing actual injury and/or ill health during or after the activity
  0.033  Almost impossible (possible only under extreme circumstances)
  0.5    Highly unlikely (though conceivable)
  1      Unlikely (but could occur)
  2      Possible (but unusual)
  5      Even chance (could happen)
  8      Probable (not surprised)
  10     Likely (only to be expected)
  15     Certain (no doubt)

Degree of possible harm (DPH): an indication of how serious the harm or ill health could be
  0.1    Scratch/bruise
  0.5    Laceration/mild ill health effect
  1      Break – minor bone or minor illness (temporary)
  2      Break – major bone or serious illness (permanent)
  4      Loss of 1 limb/eye or serious illness (temporary)
  8      Loss of 2 limbs/eyes or serious illness (permanent)
  15     Fatality

Frequency of exposure (FE): frequency of exposure to the identified hazard during the activity
  0.1    Infrequently
  0.2    Annually
  1      Monthly
  1.5    Weekly
  2.5    Daily
  4      Hourly
  5      Constantly

Number of people at risk (NP): the number of people who could be exposed to the hazard during the activity
  1      1-2 people
  2      3-7 people
  4      8-15 people
  8      16-50 people
  12     More than 50 people

Table 3.1: Risk scoring components
Degree of possible harm

An important role of a risk assessment is to make employees aware of the hazards and risks they face day-to-day in carrying out their jobs. The DPH chosen should therefore be realistic and reflect to a large extent the accident history within the Company or elsewhere.

Tables 3.2, 3.3 and 3.4 list other injuries which might be considered of a similar gravity to the examples given in the scheme, and also suggest some of the types of activities and accidents that commonly lead to these injuries.

DPH 0.1  Scratch / bruise
     Injuries: Splinters, skin irritation, blisters, superficial wounds, light swelling

DPH 0.5  Laceration/mild ill health effect
     Injuries: Small cuts requiring stitches, bump to head (no loss of consciousness), minor eye irritation
     Activities: Handling tinplate; short term exposure to solvent, fumes etc.

DPH 1    Break – minor bone or minor illness (temporary)
     Injuries: Contact dermatitis, fractures to fingers, toes, nose, open wounds requiring stitches, first degree burns
     Activities: Workshop machinery; using tools; prolonged skin exposure to solvents

Table 3.2: Guidelines for evaluating degree of possible harm (table 1 of 3)

DPH 2    Break – major bone or minor illness (permanent)
     Injuries: Fractures to arms, legs, dislocation of shoulders, hips, sprains, strains, slipped disc, back injuries, noise induced hearing loss
     Activities: Being hit by slow moving forklift truck – pedestrian; slip/trip; manual handling; noise level above 85dB

DPH 4    Loss of 1 limb/eye or serious illness (temporary)
     Injuries: Amputation of fingers (one or several), severe crushing injuries, second degree burns or extensive chemical burns, non-fatal electric shock, loss of consciousness, concussion
     Activities: Intervention on running machinery – coaters, presses; acid or caustic handling; use of low voltage electrical equipment

DPH 8    Loss of 2 limbs/eyes or serious illness (permanent)
     Injuries: Asthma, cancer, coma, third degree burns
     Activities: Scrap compactors; contact with sensitisers; serious fire

Table 3.3: Guidelines for evaluating degree of possible harm (table 2 of 3)

DPH 15   Fatality
     Injuries: Immediate death, or death after prolonged treatment or illness
     Activities: Working at any height over 2m; work in confined spaces where breathing apparatus is needed; collision between pedestrians and lorries; electrocution; falling into deep water or into chemical tanks; motor accidents as driver or passenger; being crushed by large falling objects, eg. tinplate coil; overturning forklift truck – driver; being hit by fast moving forklift truck; palletisers – trapping in hoist area; long term exposure to asbestos (carcinogen); explosion

Table 3.4: Guidelines for evaluating degree of possible harm (table 3 of 3)
Likelihood of occurrence

Two factors can help to choose an appropriate likelihood score:

• Accident history – do we know that accidents occur regularly relating to this activity within the Company? Throughout industry generally?

• The existing controls in place (see table 3.5)

The first column in table 3.5 shows how we can interpret the scores to reflect levels of probability from simpler risk scoring schemes. One such scheme is the method previously used at the Site. The first two categories are equal to the lowest probability in the risk matrix approach. The next three are equal to medium probability, and the last three are equal to the highest probability.

LOW (1)
  0.033  Almost impossible (possible only under extreme circumstances)
         Controls: Interlocked guards in place, purpose designed equipment in use (eg. elevated platform with harness), traffic management fully implemented.
  0.5    Highly unlikely (though conceivable)
         Controls: All legally required and best practice controls in place. The employee would have to remove or circumvent a control to be injured.

MEDIUM (2)
  1      Unlikely (but could occur)
  2      Possible (but unusual)
  5      Even chance (could happen)
         Controls: Adjustable guards in place, PPE and SSW, basic walkway marking.

HIGH (3)
  8      Probable (not surprised)
  10     Likely (only to be expected)
  15     Certain (no doubt)
         Controls: No guards, safety relies on operator's competence and training.

Table 3.5: Guidelines for evaluating existing controls in place

3.4.2 Method previously used at the Site

Before the Company required all sites to use the methodology described above, a similar method was used to assess the risks at the Site. There were a couple of reasons for replacing the previous method with the current one. First of all, the Company required the assessment teams to input all the data into the Company Risk Assessment Database, and the old method did not evaluate all the required parameters. Secondly, the method seemed to be inaccurate in distinguishing severe risks from less severe ones.

The method was based on a simple risk matrix, where the assessment team selected values for consequence and probability from three categories. The values for probability and consequence are displayed in table 3.4.2. The resulting severity of the risk follows from a risk matrix (Figure 3.4).

Probability       Consequence
1. Unlikely       1. Mild (eg. scratch or bruise)
2. Possible       2. Harmful
3. Probable       3. Serious (permanent damage)

Figure 3.4: Severity of risk in a risk matrix

The notation of the severity is as follows:

• N = negligible, there is very little risk to health and safety, no control measures needed

• L = low but significant, contains hazards that need to be recognised, control measures should be considered

• H = high, potentially dangerous hazards which require immediate control measures

• U = unacceptable, the task/operation in question is discontinued until the hazard is dealt with
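Sections 3.4.1 and 3.4.2 above, carried through as an added Python illustration that is not the Company's database code: the risk rating of formula 3.2 with the table 3.1 scores, the Company's thresholds of 30 (RCAP required) and 100 (unacceptable), and the table 3.5 mapping of LO scores to the LOW/MEDIUM/HIGH levels of the method previously used at the Site. The dictionary keys and the sample activity are constructed here; the scores and thresholds are those stated in the text.

```python
# Table 3.1 scores, keyed by shorthand names chosen here (the labels are the
# page's own). Insertion order follows the table, which old_scheme_level uses.
LO = {  # Likelihood of occurrence
    "almost_impossible": 0.033, "highly_unlikely": 0.5, "unlikely": 1,
    "possible": 2, "even_chance": 5, "probable": 8, "likely": 10, "certain": 15,
}
FE = {  # Frequency of exposure
    "infrequently": 0.1, "annually": 0.2, "monthly": 1, "weekly": 1.5,
    "daily": 2.5, "hourly": 4, "constantly": 5,
}
DPH = {  # Degree of possible harm
    "scratch_bruise": 0.1, "laceration": 0.5, "minor_break": 1,
    "major_break": 2, "loss_1_limb": 4, "loss_2_limbs": 8, "fatality": 15,
}
NP_BANDS = [(2, 1), (7, 2), (15, 4), (50, 8)]  # (upper bound of band, score)


def np_score(people: int) -> int:
    """NP score from table 3.1 for the number of people at risk per shift."""
    if people < 1:
        raise ValueError("at least one person must be exposed")
    for upper, score in NP_BANDS:
        if people <= upper:
            return score
    return 12  # more than 50 people


def risk_rating(lo: str, fe: str, dph: str, people: int) -> float:
    """Formula 3.2: Risk Rating = LO x FE x DPH x NP."""
    return LO[lo] * FE[fe] * DPH[dph] * np_score(people)


def required_action(rating: float) -> str:
    """Company policy of section 3.4: above 30 needs an RCAP, above 100 is
    unacceptable. A rating of exactly 30 is not 'above 30'."""
    if rating > 100:
        return "unacceptable: eliminate the risk urgently"
    if rating > 30:
        return "control: define a risk control action plan (RCAP)"
    return "tolerable: no RCAP required"


def old_scheme_level(lo: str) -> str:
    """Table 3.5: first two LO categories = LOW (1), next three = MEDIUM (2),
    last three = HIGH (3) in the risk matrix method previously used at the Site."""
    index = list(LO).index(lo)
    if index < 2:
        return "LOW (1)"
    return "MEDIUM (2)" if index < 5 else "HIGH (3)"


def assess(lo: str, fe: str, dph: str, people: int) -> dict:
    """One hazard line as the assessment team would record it (step 7)."""
    rating = risk_rating(lo, fe, dph, people)
    return {"rating": round(rating, 3), "action": required_action(rating),
            "old_level": old_scheme_level(lo)}


if __name__ == "__main__":
    # Constructed hazard: intervention on a running press, 2 operators per
    # shift, daily, loss of a limb possible but unusual.
    print(assess("possible", "daily", "loss_1_limb", 2))
    # Same activity with a 3-shift crew of 10 exposed hourly and no guards.
    print(assess("probable", "hourly", "major_break", 10))
```

The two sample lines show how NP and FE alone move the same kind of hazard from the tolerable band into the unacceptable one, which is the consistency problem the Company guidelines address.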