Académique Documents
Professionnel Documents
Culture Documents
Assessment Matrix
P.L. Clemens
June 1993
2nd Edition
The Risk Assessment Matrix
k g
is in
that
R eas
Likely
constitute risk,
cr
define a
In
R = K2> K1
RISK PLANE.
SEVERITY
R = P x S = K1
Iso-risk RISK
contours Is
CONSTANT
along any
ISO-RISK
CONTOUR.
PROBABILITY
is a function of
EXPOSURE
0 INTERVAL.
NEVER PROBABILITY
5
8671
ISO-Risk Contour Uses
2 3
Risk Assessment Convention: ACCEPTANCE: Risk
Tolerance Boundaries
If possible, assess Risk for the follow iso-risk contours.
Worst-Credible Severity of
outcome. (It’ll fall at the top end
of its own iso-risk contour.)
NOT
ACCEPTABLE
SEVERITY
LIKELY
1
Likely
RISK ASSESSMENT GUIDES: If
PROVISIONALLY
risk for a given Hazard can be ACCEPTABLE
assessed at any severity level, an
iso-risk contour gives its
probability at all severity levels.
(Most, but not all hazards behave ACCEPTABLE
(de minims)
this way. Be wary of exceptions –
usually high-energy cases.)
0
0 PROBABILITY
6
8671
The Risk Plane Becomes a Matrix
S
E
V
E “Zoning” the Risk Plane into
R judgmentally tractable cells
I
T produces a Matrix.
Y
F E D C B A
PROBABILITY I
S
E
Matrix cells approximate the V II
E
continuous, iso-risk contour functions R III
in the Risk Plane. Steps in the Matrix I
define Risk Tolerance Boundaries. T IV
Y
PROBABILITY
7
8671
A Typical Risk Assessment Matrix*
A guide for applying subjective judgment.
Decide on TARGETS.
*Adapted from MIL-STD-882D **Life Cycle = 25 yrs.
9
8671
Useful Conventions
Factors of 10 separate adjacent
Probability Steps.
Most D = 10 x E
C = 10 x D
analysts B = 10 x C
A = 10 x B
consider …but F = 0 (“Impossible”)
that… F E D C B A
1
S I
E
V II 2
Severity Level III E
Is OSHA-recordable R III 3
I
T IV
Y
PROBABILITY
10
8671
“Calibrate” the Matrix
14
8671
Risk for a Given Hazard Varies
From Target to Target
With Size of the Exposed Population
From Operational Phase to Operational Phase
With Exposure Duration The PERCEPTION of
ALWAYS assess RISK varies from
Risk for the Worst- analyst to analyst. Use
Credible Severity of several ANALYSTS!
AN outcome.
IMPORTANT
CONVENTION
15
8671
Pick Targets* with Care
Personnel (illness/injury/health)
Equipment productivity (downtime)
Product environment
Proprietary information
Reputation
Others?
*Too few or wrong targets ≈ ineffective program;
too many ≈ burdensome to implement
16
8671
Consider Population
Employees
Vehicles
Machines
How many exposed
RISKS SUM.
Operations ?
Stacks
As the exposed population increases,
RISK INCREASES! Production Lines
Don’t assume that risk for the fleet is
the same as Risk for one taxi! Others?
17
8671
Pick Operational Phases* with Care
Delivery
Installation
*TOO FEW or WRONG
Calibration
PHASES ≈ ineffective
Startup program; TOO MANY ≈
Shakedown burdensome to implement!
Standard-run
Standard shutdown
Maintenance
Others?
18
8671
Exposure Interval is Important
20
8671
Avoid Useless Debates
S 1
I
E
V II 2
E
R 3
III
I
T
Y IV
21 PROBABILITY
8671
Some Matrix Design “Don’ts”
Discontinuities…
Can a countermeasure
F E D C B A
make the “leap” from
S
I ? 1 Zone (1) to Zone (3)
E
V II 2 in a single step?
E
?
R III 3
I F E D C B A
T
Y IV FLAWED I 1
S
E
V II 2
PROBABILITY E
R
Make every one-step path I III 3
T
from a high Risk Zone (1) Y IV PREFERRED
to a lower Risk Zone (3)
pass through the PROBABILITY
23
8671
intermediate Zones (2).
More Matrix “Don’ts”
24
• (1) Avoided.
8671
Risk Assessment in Process
Context
1. Identify TARGETS to be protected: 2. Recognize RISK TOLERANCE LIMITS (i.e., Risk Matrix Boundaries)
• Personnel • Product • Environment
• Equipment • Productivity • Other
HAZARD: Act or condition posing threat
3. “SCOPE” system as to:(a) physical boundaries; (b) of harm.
operating phases (e.g., shakedown, startup,
standard run, emergency stop, maintenance); and IDENTIFY/ Describe hazard:
4. VERIFY SOURCE – MECHANISM – OUTCOME
(c) other assumptions made (e.g., as-is, as-
designed, no countermeasures in place) etc. HAZARDS
DEVELOP
COUNTERMEASURES EVALUATE REPEAT for each
WORST-CASE EVALUATE TARGET/HAZARD
AND RE-EVALUATE
SEVERITY PROBABILITY combination.
ABANDON
ACCEPT
(WAIVER) AND
USE RISK MATRIX.
MATRIX must be defined for
OR and must match the
ACCESS RISK
assessment probability interval
and force/fleet size.
IS
NO RISK
ACCEPTABLE? See 2. above.
5. Do the countermeasures introduce new hazards? YES
Probability
System Number:
Probability
Risk Code
Severity
Severity
Target*
D = Design Alteration E = Engineered Safety Feature
Hazard
Code
Srd-A (Chem/Int)
Risk
Revision Addition S = Safety Device W = Warning Device
Hazard No. / Description P = Procedures/Training
Srd-A.a.042 – Flange Seal A-29 leakage, P I D 2 I E 3
E II C 2 Surround flange with sealed annular stainless steel catchment
releasing pressurized UnFo3 chemical II D 3
T III C 3 housing with gravity runoff conduit led to Detecto-BoxTM III D 3
intermediate from containment system, containing detector/alarm device and chemical neutralizer
producing toxic vapors and attacking nearby (S/W). Inspect flange seal at 2-month intervals, and re-gasket
equipment. during annual plant maintenance shutdown (P). Provide
personal protective equipment (Schedule 4) and training for
Identify target(s) response/cleanup crew(S/P).
27
8671
Hazard Analysis and
Risk Assessment…
HAZARD No. Chem/Int-001 HAZARD TITLE: Flange Seal A-29 Leakage Provide brief name for hazard. REVISED: 7/22/93
HAZARD DESCRIPTION
Flange Seal A-29 leakage, releasing pressurized UnFo3 chemical intermediate from containment system, producing Describe hazard, indicating: source,
toxic vapors on contact with air and attacking nearby equipment. mechanism, worst-credible outcome.
Identify applicable
EXPOSURE INTERVAL 25 years ACTIVITY/PROCESS PHASE: Startup/Standard Operation/Stop/Emergency Shutdown operating phases.
INITIAL RISK ASSESSMENT Identify (X) all applicable target(s). ADDITIONAL COUNTERMEASURES*
(with existing of planned/designed-in countermeasures) Surround flange with sealed annular stainless steel catchment housing, with gravity run-
off conduit led to Detecto-BoxTM containing detector/alarm feature and chemical neu-
HAZARD TARGET(S): SEVERITY: PROBABILITY: RISK CODE: tralizer (S/W). Inspect flange at two-month intervals and re-gasket during annual plant
(check all applicable) (worst credible) (for exposure interval) (from Matrix)
maintenance shut-down (P). Provide personal protective equipment and training for re-
Personnel: X I D 2 sponse/cleanup crew (S/P).
Equipment: X II C 2
Downtime: X III C 3 For each target, assess severity, Describe added countermeasures
and probability for the worst-credible to control Probability / Severity –
Environment: O 0 outcome. Show risk (from reduce Risk.
assessment matrix) for hazard-target THESE COUNTERMEASURES
Product: O 0 combination “as-is” – i.e., with no MUST BE IN PLACE PRIOR TO
added countermeasures. SYSTEM OPERATION!
POST-COUNTERMEASURE RISK ASSESSMENT
*Mandatory for Risk Codes 1 & 2, unless permitted by Waiver.
(with additional countermeasures in place) Personnel must not be exposed to Risk Code 1 or 2 hazards.
HAZARD TARGET(S): SEVERITY: PROBABILITY: RISK CODE: Code Each Countermeasure: (D) Design Alteration / (E) = Engineered Safety Features
(check all applicable) (worst credible) (for exposure interval) (from Matrix) (S) = Safety Devices / (W) = Warning Devices / (P) =Procedures/ Training
Personnel: X I E 3
COMMENTS
Equipment: X II D 3
In-plant diking protects environment from runoff.
Downtime: X III D 3
Reassesses Severity/Probability and show risk (from assessment matrix) for
Environment: O 0 original hazard-target combinations, presuming new countermeasures to be in
Product: O 0 place, if risk is not acceptable, additional countermeasures must be developed.
28
8671
Why Assess Risk?
29
8671
Risk Assessment/Management
IS NOT…
A substitute for conforming to applicable…
CODES
STANDARDS BUT…
REGULATIONS Codeworthy Systems
may still pose
Untenable Risk!
30
8671