Recent Changes - Search:




edit SideBar

OFD-Chapter 5

Risk Assessment

Definitions and Risk Assessment Principles

The objective of risk assessment is to evaluate the risk related to a specific activity for the purpose of managing this risk in an effective way.


Safety management principles

Two different safety management principles are possible: Consequence Based Safety Management will claim that the worst conceivable events at an installation processing hazardous materials should not have consequences outside certain boundaries, and will thus design safety systems to assure this. Risk Based Safety Management maintains that the residual risk should be analysed both with respect to the probabilities and the nature of hazard, and hence give information for further risk mitigation. This implies that very unlikely events might, but not necessarily will, be tolerated.

Risk Based Safety Management

Risk based safety management is the philosophy in line with central regulations and legislation in Western countries increasingly requiring risk assessment and documentation.

The Risk Based Safety Management (often called risk management) principle is that some risks, specified through risk acceptance criteria, should be removed or reduced to meet safety requirements (residual risk level objectives). However, both prescriptive requirements (detailed standards) and goal-oriented requirements (risk based decisions) have a role to play in design of processes and installations.

The Risk Based Safety Management is a systematic approach which measures risk through risk analysis methods and relates it to established risk acceptance criteria for the identification of design specifications or need for risk reduction measures. Beyond implementing risk reducing measures in order to meet tolerable risk level, such measures should also be implemented if further risk reduction can be obtained at costs lower than the benefits obtained. This is often referred to as the ALARP principle. They can either be consequence reducing measures or accident probability reducing measures. Probability reducing measures should be preferred.

The principle is illustrated in the figure below

Figure: Risk Based Safety Management

The ALARP principle - As Low As Reasonable Practicable

Below a certain risk level where where the hazard is in the unacceptable area and risk cannot be tolerated whatsoever; normally defined by risk acceptance criteria, the ALARP principle (As Low As Reasonable Practicable) should be applied in order to optimise risk reduction. In such cases cost benefit analyses should be used in order to evaluate different risk reducing options. Risk reducing measures should be implemented if the cost is not disproportoinate relative to the benefits of risk reduction.

The ALARP principle is illustrated in the figure below

Figure: The ALARP principle

Quantitative Risk Assessment (QRA)

QRA is a formalized mathematical method used in order to evaluate numerical individual, environmental, employee and public risk level values for comparison with regulatory risk criteria. Since satisfactory demonstration of acceptable risk levels is often a requirement for approval of major hazard plant construction plans, the use of QRA is important for such cases in order to indicate and take actions for risk minimization. However, even if QRA uses scientific methods and verifiable data, it does have uncertainties, limitations and application boundaries and therefore its use has to consider very carefully those aspects. That is why QRA is used as a complementary tool in decision making process, in areas where its strengths recommend it.

Risk Assessment Methodologies

Status: Risk assessment methodologies are in principle applicable to any object or activity. Risk assessment methodologies are frequently applied for risk assessment of flammable gas applications, though there are not many examples of specific hydrogen studies so far.

Risk Assessment studies should preferably be undertaken by multidisciplinary teams, all though the effort should be in proportion to the risk being assessed. There are several risk assessment methods available, and one should select the method most applicable to the object analysed and the purpose of the assessment.

Risk assessment process:

The risk assessment process is an iterative process, as shown in the figure below: The risk is assessed, as well as the effect of risk reduction measures, until the risk inflicted by the system assessed (with implemented risk reduction measures) is evaluated as tolerable.

Fig 1: Risk assessment process

But even when the assessed risk is evaluated as tolerable, the risk assessment process is not finished. The society’s safety objectives and even an enterprise’s safety objectives are more ambitious than maintaining the risk at a fixed level: risk assessment and risk reduction is also an iterative process through time. Indeed, change in state of the art enabling further risk reduction will eventually lower the level of tolerable risk. Besides, new knowledge about the hazards evaluated may also render risk assessments obsolete.

Hazard identification methodologies

The hazard identification is the initial step in risk assessment, and thorough hazard identification is of indisputable importance to the worth of the risk assessment. The purpose of the hazard identification is to identify all hazards of relevance. Each hazard should be described in terms of accident(s) it may lead to. In order to identify the hazards which may arise, a systematic review should be made of technical as well as operational conditions which may influence the risk. Historical records and experience from previous risk analysis do provide a useful input to the hazard identification process. Examples of this type of methodology are checklists, hazard indices and review of historical occurrences.

The hazard identification should not only consider the initial events, but also include the chain of events causing local and remote impairment, loss or damage.

Hazard identification of a particular system, facility or activity may yield a very large number of potential accidental events and it may not always be feasible to subject each one to detailed quantitative analysis. In practice, hazard identification is a screening process where events with low or trivial risks are dropped from further consideration. However, the justification for the events not studied in detail should be given. Quantification is then concentrated on the events which will give rise to higher levels of risk.

Fundamental methods such as Hazard and Operability (HAZOP) studies, Fault trees, Event tree logic diagrams and Failure Mode and Effect Analysis (FMEA) are tools which can be used to identify the hazards and assess the criticality of possible outcomes. These methods also have the advantage of being sufficiently general for use on hydrogen facilities without specific adaptation.

The HAZOP technique consists of the application of a formal systematic detailed examination of the process and engineering intention of new or existing facilities to assess the hazard potential of operation outside the design intention or malfunction of individual items of equipment and their consequential effects on the facility as a whole. The technique is to divide the process into natural sub-section and use a set of guidewords to identify possible deviations with hazardous potential. The technique is well suitable for hydrogen applications, especially for the more complex systems.

The Failure Mode and Effects Analysis (FMEA) is a qualitative technique for systematically analysing each possible failure mode within a system, and identifying the resulting effect on that system, the mission and people. FMEA is highly suitable for reliability assessment and can e.g. be used for in depth study of a critical part of a system. The FMEA may be extended with a criticality analysis (CA); a quantitative procedure which ranks failure modes according to their probability and consequences (i.e. the resulting effect of the failure mode on system, mission or personnel) and is then named a Failure Mode and Effects Criticality Analysis (FMECA).

The FMEA and FMECA, were originally developed by the NASA as a means of assuring that hardware built for space applications had the desired reliability characteristics. In the offshore industry FMEA and FMECA have been increasingly utilised during the last years. FMECA was also used in the European Integrated Hydrogen Project (EIHP2) for development of guidelines for inspection and maintenance of hydrogen applications.

The initial step of an FMEA is a functional description of the system and the division of the system into subsystems and items. Each item is given an identification code. For each item the purpose/function of the item is then described, and possible failure modes are listed and analysed with respect to causes and possible consequences. Means for detection of failure modes and mitigation/repair are also analysed.

Risk analysis methodologies

The risk assessment tasks will depend on the purpose of the risk assessment. The risk assessment will normally involve a comparison of a calculated risk level with criteria for acceptable risk level. The acceptable or tolerable risk level would be based on the enterprise's own safety standards and/or risk criteria established by the authorities. The risk assessment may also include comparison of alternative designs or activity plans.

If the risk is not controlled (acceptance criteria are not met) or the objective is to reduce the risk further to a level as low as reasonably practicable (ALARP), options of risk reducing measures should be addressed and their desirable effect should be estimated. This should indeed be a multidisciplinary exercise, preferably involving people responsible for (future) operation of the object evaluated. The process of the risk assessment includes thus a re-evaluation of the risks and of risk reduction measures based on cost-benefit analysis.

If the risk is controlled and the acceptance criteria are met, the chosen concept including the assumptions might be acceptable, but not the optimum from a cost-benefit point of view. In order to optimise the design, sensitivity calculations may be carried out.

Risk analysis methodologies are often grouped into three categories: qualitative, deterministic and probabilistic. A qualitative analysis will normally characterise hazards with respect to likelihood and severity of consequences without quantification. A deterministic analysis will quantify the consequences of the most severe event possible, while the probabilistic analysis will quantify the probability and consequences of different scenarios developing from the possible initial events. The probabilistic analysis, also called quantitative risk analysis, is further described in Ch 4.4.

The qualitative analysis will normally include an element of rough quantification though, and the deterministic analysis will also have an element of probability evaluation involved in determination of which events are possible. The detailing level of the analysis will primarily depend on the anticipated risk, the knowledge of the system analysed and of the quality of data and models available. Indeed, a comprehensive and detailed analysis based on limited information, poor data or inadequate models would be a waste of resources.

Rapid Risk Ranking [5] is a semi-quantitative risk analysis methodology adapted for hydrogen applications in the European Integrated Hydrogen Project (EIHP2). The method involves elements of quantification for both likelihood and consequences, but the effort is focused on the most severe consequences, as well as the most likely outcomes of the initial events analysed. The risk is then presented visually in a way that facilitates risk evaluation and comparison of different applications/plants/installations analysed.

Accident Database, Failure Rate Database

It is acknowledged in most industries that it is of utmost importance to learn from accidents, incidents and failures of the past to prevent them to happen in the future and to mitigate their consequences. I.e. an important part of the work towards achieving effective risk control one should learn from events, failures and errors committed in the past, and not only within their own industry or company, but also look beyond and draw lessons from elsewhere.

The use of incident and failure rate databases as a management tool has shown that it provides an opportunity for an organisation or company to check its performance, learn from its mistakes, and improve its management systems and risk control. Comprehensive knowledge of events having the potential for inducing hazardous situations or loss of production, will also contribute to the corporate learning and memory. On company or plant level, the lessons to be learned from consulting such databases are both qualitative as well as quantitative. They can range from the identification of component/system failures, accident scenarios or initiating events not being predicted in advance to quantitative statistical calculations and estimations to be used in reliability, maintainability or risk studies. They also increase the culture of personnel working in risky technology industries by making them aware of the factors (technical, organisational, human, etc.) and the dynamics that led to accidents or failures. On a national or international level, Safety Authorities are utilising accident databases as an operative and a management tool in several ways, such as following up of the overall safety level within the area of the authority’s interest, resource allocation concentrated and prioritised on the most accident-prone areas and in accident prevention. Accident information taken from a database may also support surveillance visits, in conducting accident investigations and in the work of developing of rules and regulations.

Recent progress

Hydrogen Accident Databases

Hydrogen Incident and Accident Database (HIAD)

Under the EU’s 6th framework programme, a Network of Excellence project “HySafe – Safety of Hydrogen as an Energy Carrier” was established and defined. In this project, a specific Work Package (WP) was devoted to database development, namely the WP5 – Hydrogen Incident and Accident Database (HIAD).

HIAD is planned to be one of the tools for communication of risks associated with hydrogen to all partners in the HySafe Consortium and probably beyond at a later stage. In addition, HIAD will serve as a common methodology and format for data collection and storage. HIAD is aiming to hold high quality information of historical accidents and incidents related to hydrogen production, transport (road/rail/pipeline), supply and commercial use. The database will be maintained such that it is updated with the latest information concerning each event for example in order to take advantage of results from accident investigations. Hence, HIAD will, when fully operable be an important source for most tasks constituting a risk analysis process, such as hazard identification, estimation of probabilities and consequences and to propose risk reduction measures.

During the work with developing HIAD, the challenge was to develop a tool that should serve various purposes such as being a data source for doing risk assessments and reveal trends and being a source for experience transfer and risk communication. In addition it should be easy to use, so the user friendliness encompassing the tasks of recording and extraction of information/data by having a professional and modern user interface, was hence given high priority.

The building blocks of HIAD are illustrated in the figure below.

Fig 2: HIAD building blocks

Information held by HIAD and being relevant for risk assessment exercises and related modelling development work could be such as environment/location and application, release size and volume, ignition sources and ignition time (‘ignition modelling’), fire characteristics, description of consequences (input to work with safety distances), damage cost, and causal relations (input to fault tree construction). All information recorded for each event will in general be important for the corporate learning about risks related to hydrogen applications and serve as ballast for the risk analysts in their hazard identification phase of any risk analysis. This work is by experience considered as the most crucial one in the sense that hazards and risk elements not captured here will not be included in the further risk assessment process.

It has been decided that HIAD should not be limited to real accidents and incidents, but should also include hazardous situations and near-misses. An example of this is that HIAD should contain all hydrogen releases irrespective of size/volume and not only those that ignited. One benefit of this is enabling the estimation of ignition probabilities from the HIAD data.

H2 Incidents

US Department of Energy has published a tool for reporting of hydrogen incidents and a database called H2Incidents at This database is designed as a simplified version of HIAD, described above.

This database has focus on initiating events and pre-event conditions and could be a useful tool for improving check lists and hazard identification tools. The lack of scenario orientation (nature of event) makes it less useful for evaluating likely progress of an initial event.

Modelling as a Tool for Quantitative Risk Assessment

This chapter has the goal to present a general description on quantitative risk assessment based on available methodologies on the topic, which use

  • event trees or other equivalent approaches
  • approaches available for handling large databases as well as
  • transfer of information from the design documents to the safety/reliability models

The QRA approaches are illustrated with results from available case studies, by underlying the specifics for the hydrogen cases. QRA is considered as part of an integrated evaluation of a given installation (deterministic and probabilistic) designed to give a complementary set of insights. The main strong feature of QRA results resides in the fact that it gives a set of insights based on risk ranking and evaluation.

Quantitative Risk Analysis Objectives

The objectives of a QRA may include

  • Estimating risk levels and assessing their significance. This helps decide whether or not the risks need to be reduced.
  • Identifying the main contributors to the risk. This helps understanding of the nature of the hazards and suggests possible targets for risk reduction measures.
  • Defining design accident scenarios. These can be used as a design basis for fire protection and emergency evacuation equipment, or for emergency planning and training.
  • Comparing design options. This gives input on risk issues for the selection of a concept
  • Evaluating risk reduction measures. QRA can be linked to a cost-benefit analysis, to cost-effective ways of reducing the risk.
  • Demonstrating acceptability to regulators and the workforce. QRA can show whether risks have been made 'as low as reasonably practicable'.
  • Identifying safety-critical procedures and equipment. These are critical for minimize risks, and need close attention during operation.
  • Identifying accident precursors, which may be monitored during operation to provide trends in incidents?
  • Taken together, these possible uses of QRA provide a rational structure for monitoring guidance for decision-making about safety issues.

QRA strengths

The main strengths of QRA are:

  • QRA is one of the few techniques able to provide guidance to designers and operators on how best to minimize the risks of accidents.
  • QRA combines previous experience with structured judgments to help anticipate accidents before they occur.
  • QRA is most effective when applied to major accidents. These are difficult to address subjectively, because they lie outside the experience of most designers, operators and regulators. The chances of such accidents occurring are low, but their consequences can be catastrophic, involving the potential for massive loss of life, damage to the environment, financial loss, and on occasions leading to the failure of the company or major changes to the entire industry. Thus there is a moral and practical incentive to use the best-available methods to minimize these risks.
  • QRA is used for comparative ranking of risks
  • QRA is usually applied to activities where there is operating experience to provide a statistical base for the analysis (e.g. semi-submersible drilling rigs). However, safety in these areas can be managed reasonably well on the basis of accident experience. The added value of a QRA is usually greatest in relatively novel applications (e.g. early concrete platforms, floating production systems, tension leg platforms, extension of using from one area-nuclear ¡V to another-non ¡¥nuclear etc) with little operating experience, especially where standard technology is applied in novel environments.
  • There are specific energy related areas with extensive use of QRA, e.g. onshore process industries by evaluating the hydrocarbon release forming fires and explosions and predicting risk of process or pipeline operations,in hydrogen installations, chemical production plants, space industry, aircraft industry , nuclear industry etc.

QRA Limitations

The main QRA limitations are:

  • Since QRA is a relatively new technique, there is a lack of agreed approaches and poor circulation of data, resulting in wide variations in study quality.
  • On the other side, because it is quantitative, QRA appears to be objective, but in reality it is very judgmental, using in a very intensive manner subjective type of probabilities, dependent on expert judgment. Expert judgments may be explicit in areas where data is unavailable, but there are also many implicit judgments in the analysis and application of data that is available, and these are often unrecognized. Therefore the evaluation of the sensitivity and uncertainties of the results is actually a decisive factor of the analysis. QRA thus has rather a higher impact and significance from the point of view of risk ranking, than from the point of view of absolute risk values.
  • The QRA results provide valuable insights and support for the decision-making about safety issues and in general it is recognized that a sound decision making on issues involving subjective or objective probabilities cannot be made without inputs from the QRA.
  • The previous general accepted conclusions is also valid for the decision-making about hazardous activities, which are influenced by economic, social and political factors.

Quantitative Risk Assessment (QRA)- methods and examples

Irrespective of the detailed approach adopted for QRA it has some specific features, as follows

  • A QRA type of analysis is a systematic process of modeling the installations based on barrier approach and considering all the challenges potentially leading to undesirable effects to public, environment or workers
  • Any QRA is structured on some key steps, which are present in any QRA analysis, e.g.:
    • Definition of risk sources,
    • Scenarios and mitigation systems (like ventilation ones),
    • Implementation of results from deterministic (e.g.thermohydraulic) analyses,
    • Use of extensive diverse databases,
    • Definition of the list of postulated initiating events (IE). The IE frequency analysis estimates how likely it is for the IE to occur. The frequencies are usually obtained from analysis of previous operating history of the installation. If no data is available a set of FT are built to derive expected frequencies for IE.
    • Definition of scenarios and failures in detail, leading to the development of ET. The definition of the consequences of each scenario is part of this task. Consequence modeling evaluates the resulting effects if the accidents occur, and their impact on personnel, installation, environment and population, based on the adopted set of acceptable final states of the installation, given a set of challenges to it. Definition of end states-states in which we expect to have potential hazardous situation is also part of building ET.
    • Definition of a set of systems operating as barriers for various challenges to the installation, for which FT¡¦s are built. The action includes system definition, defining the system boundaries, part of the installation or the activity whose risks are to be analyzed and detailed system failure mechanisms.
    • Integration of the FT into the ET is performed so that to derive the full set of paths leading to various potential dangerous from risk perspective end states.
    • Risk quantification and assessment of acceptability is finally performed for the risk metrics adopted, which usually is related to:
      • Individual risk - the risk experienced by an individual person.
      • Group (or societal) risk - the risk experienced by the whole group of people exposed to the hazard. Up to this point, the process has been purely technical, and is known as risk analysis.
    • Writing of the QRA report based on the steps performed. QRA reporting includes also documentation on actions performed for all steps during the process.
    • The use of the QRA results as input to the design and/or ongoing safety management optimization based on risk criteria for the installation, depending on the objectives of the study.andout text is modified after ¡§A guide for Quantitative Risk Assessment for Offshore Installations, CMPT publication¡¨, Aberdeen, UK, John Spouge, (1999). This feedback is done so that to incorporate risk control measures. The use of QRA report conclusions is correlated with other types of analyses for further steps in risk management activities. QRA and other risk assessment methodologies as part of risk management process] []
  • QRA models are based on the assumption that the models are defined by using a systemic approach, e.g. by considering the installation compose of a system ofsystems. Those systems with their components and the interdependencies between them define the installation reaction during various operation regimes. From this point of view a model for which QRA type method is applied has some specific features, e.g.
    • The model consists of systems and subsystems performing various functions, acting as barriers to prevent undesired effects from various challenges to the whole installation
    • The model response to a given challenge is evaluated by using response combination of scenarios (usually called Event Trees ¡V ET) and barrier failures (usually called Function events defined by failures in Fault Trees ¡V FT).
    • Modeling is performed at various levels, in relationship with the boundaries defined for the whole installation, leading to models of
      • QRA/PRA level 1, in which the potentially risk inducing states for the installation itself, without its confinement envelope is considered.
      • QRA/PRA level 2, in which the potentially risk inducing states for the installation with its confinement envelope is considered
      • QRA/PRA level 3, in which the potentially risk inducing states for the installation with the consideration of protection by distance, zoning etc is considered.

Human Factors

Human factors and safety

In the context of technology and safety, the term ‘human factors’ refers to factors that involve humans and that have an impact on safety. The involvement of humans in a technological setting comprises humans as planners and operators (that is, professional engagement with technology) and as users (typically non-professional users, clients or customers).

In any technological application, the contribution of humans is to some degree paradoxical: humans contribute essentially to maintaining safety not only in the design phase but also in the operational phase by controlling processes; but, at the same time, humans also make errors and thereby create dangerous situations and sometimes accidents. The various estimates of how often human error is the primary causal factor in industrial and transport vary somewhat, but typically range between 50% and 90%. Organizational factors may be involved in active human errors and will typically be categorized as poor/lacking procedures, training, man-power planning etc. or sometimes more global shortcomings such as poor safety culture.

Human errors and organisational failures

The modern view of human error among safety specialists is that while human error is unavoidable the circumstances that prompt human errors or allow us to capture them before they lead to negative outcome are to a large extent controllable. This view of human error has in large part been shaped by Rasmussen and Reason each of whom has promoted the “systems view” of human error. Rasmussen advocated on a general level the idea that human error is human-system mismatch. His so-called SRK-framework (skill, rule, knowledge) has been used widely in for analysing human error and was subsequently further developed by Reason.

Rasmussen’s three levels of performance essentially correspond to decreasing levels of familiarity or experience with the environment or task.

  • Skill-based performance: at this level people carry out routine, highly-practiced tasks in what can be characterized as a largely automatic fashion. Except for occasional checking, very little conscious effort is required (e.g., writing on a keyboard, changing gears, or doing any of the countless daily well-rehearsed tasks at home or at work)
  • Rule-based performance: at this level we execute a well-known routine procedure, but have to take into account some change in a situation and modify our pre-programmed behaviour, typically a situation with which we are familiar or have been trained to deal with, we engage in rule-based behaviour (e.g., filling up petrol in one’s car at the usual petrol station)
  • Knowledge-based performance: this level of performance is required and used when we face a novel situation and have no applicable rules. It may be a form of problem solving employing analytical reasoning and stored knowledge. In a technological setting this is the type of behaviour

Rasmussen’s skill-rule-knowledge framework for classifying performance relates essentially to a cognitive classification of how familiar we are with tasks and, hence, at which level of conscious effort and attention we are devoting to our tasks. These distinctions between different levels of performance are important and useful, because they allow us

  • to model complex performance (typical in technological work settings) by reference to the short-cuts that people have learned to use to save time and effort, and
  • to analyze errors according to different levels of performance.

Reason adapted Rasmussen performance based model, tying the classification of errors to cognitive processing. An often used definition of human error is the following taken from the domain of medicine but based on Reason’s work focusing originally on industrial safety:

An error is defined as the failure of a planned action to be completed as intended or the use of a wrong plan to achieve an aim.

An error is thus either a failure for form a suitable plan (wrong intention) or a failure to carry out one’s plan. The latter Reason classified as lapses and slips, depending on whether it is memory failure (lapse) or a response failure (a slip).

The diagram below shows Reason’s categories and how they expand upon the SRK-framework.

Human Reliability Assessment (HRA)

In his well-known textbook on HRA methods, Kirwan emphasizes that one of the primary goals of human reliability analysis is to provide a means of properly assessing the risks attributable to human error. To achieve this aim three overall phases must be carried out: (A) Identifying what errors can occur. (B) Deciding how likely the errors are to occur (C) Enhancing human reliability by reducing this error likelihood (Human Error Reduction)

Thus, HRA is used to identify, model, predict, and when possible, to reduce human errors in operations and will typically include normal production operations, maintenance, testing and emergency conditions. It is well-known that maintenance and testing are phases are especially vulnerable to human error that can seriously influence system safety . For instance through insertion of an incorrect component, miscalibration, failure to align the system back to its operational configuration.

A number of methods and techniques are available with which to perform a structured analysis of human reliability of a specific industrial setting in which an HRA is undertaken. A common preliminary phase for conducting an HRA is, when the scope of the problem and the exercise to be undertaken has been defined, to perform a risk assessment. This may be carried out with techniques described in the section above on hazard identification methodologies, e.g., fault and event trees. Next, it is customary to define the interaction between humans and the system in terms of a task analysis - e.g., hierarchical or time-line task analysis. The next step involves the identification of possible errors, possibly by using group-based techniques such as HAZOP, as described above. Following the identification of errors, it is necessary to estimate the likelihood of their occurrence. To arrive at a quantification of human error probabilities either human error databases can be used or expert judgment or a mixture of both. In the table overleaf we show an illustration of human error quantification from a commonly used HRA method. Finally, risk reduction options must be reviewed and possibly a prioritization, selection and a plan for implementation of risk reduction.

Generic classifications (HEART, after Williams, 1986)

Safety culture

It has become widely accepted that an organisation’s safety culture can have an impact on safety performance. Two installations may be entirely alike in terms of production, ownership, workforce, procedures and yet differ in terms of safety performance and measurable safety climate .When seeking to assess and control the impact of human factors on the level of risk of a plant or other installation the area it is therefore essential to include organizational factors as well.

The diagram overleaf seeks to depict how safety cultural factors along with traditional work condition factors (here called safety management factors) are within the control of the organization at hand. In this section we review briefly how safety culture is conceptualised in the safety analysis literature and how it may be measured.

The concept of safety culture was introduced in the aftermath after the nuclear power plant accident in Chernobyl in 1986, when the concept was invoked to explain a corporate attitude and approach that tolerated gross violations and risk taking behaviour. A large number of

studies have since developed models and measures of safety culture. One of the most widely cited definition of safety culture was offered by the Advisory Committee on the Safety of Nuclear Installations in the UK (ACSNI, 1993), who defined safety culture as follows:

The safety culture of an organisation is the product of individual and group values, attitudes, perceptions, competencies and patterns of behaviour that determine the commitment to, and the style and proficiency of, an organisation’s health and safety management. Organisations with a positive safety culture are characterised by communications founded on mutual trust, by shared perceptions of the importance of safety and by confidence in the efficacy of preventive measures (ACSNI, 1993).

The first-generation models characterised positive safety culture for a given organisation as founded on mutual trust, shared belief in the importance of safety and shared belief that preventive measures make a difference. In subsequent models (from mid-90s and later) there is additionally an emphasis on organisational learning: i.e., willingness and ability to learn from experience (errors, incidents and accidents).

There is no “standard model” of safety culture, but there is widespread agreement that safety culture includes factors relating to

  • Visible top management and shop floor management commitment to safety
  • Work force ownership and participation in safety solutions
  • Open communication
  • Mutual trust between management and employees
  • Willingness and ability to learn from experience (“an organisation with a memory”)
  • Work force involvement in company and motivation
Measuring safety culture / climate

A distinction is often made between culture and climate: culture is slow to change and involves mostly tacit (unspoken, hard or impossible to articulate) beliefs and norms, whereas climate is shaped by context and more explicit. Therefore, empirical studies, and especially surveys and interviews, are usually said to uncover, at best, safety climate, whereas safety culture is only characterised indirectly.

When considering empirical approaches to safety climate, decisions must be made about the following three dimensions:

(a) what should be measured (what are the factors to be measured?)
(b) how should measures be made (what are the methods and techniques to perform the measurement?)
(c) where should measures be made (in which part of the organisation should sampling and appraisal be made?)

As described above, the issue of what should be measured is addressed in somewhat different but not necessarily incompatible ways by different analysts. There is general but not precise agreement about the factors that are involved in safety climate [culture].

Similarly, different methods and techniques are available for assessing safety climate – interviews, field observations, participation, surveys. But within this range of methods, surveys (written or web-based questionnaires, oral interview surveys) yield a uniform output that may be quantified more or less directly.

Finally, assessment of safety climate in an organisation may be targeted at both the management level (top and middle management including supervisors) and the shop floor level, and at different operational units and even office staff and planners.

Taking the range of choices into account, the most typical kind of safety climate [culture] assessment method is that of questionnaire-based surveys of staff perceptions and attitudes. A questionnaire-based survey will typically be targeted at the operational staff, including possibly group leaders, and, of course, will use some form of safety climate questionnaire – a safety climate assessment tool.

There are a large number of such tools (questionnaires) available, some of these being domain specific (maritime, oil production platforms, aviation, process industry etc). Questionnaires require the respondent to answer specific questions in terms of the selection of one among a fixed set reply options – typically a selection from a Likert-type ranking scale: “Strongly Agree, Agree, Neither Agree Nor Disagree, Disagree, or Strongly Disagree”. Question items will form groups that correspond to underlying factors (say, perception of top management commitment to safety). For validated survey tools, factors will have been established through possibly pilot surveys and subsequent statistical analysis (for instance, factor analysis). Finally, analysts will be able to establish a benchmark when survey tools that have been applied to a range of installations or workplaces within comparable parameters. For instance, the EU-project ARAMIS, adapting a construction and production plant questionnaire, has used this to collect data from five European Seveso-type plants. On the ARAMIS approach (Duijm et al. 2004) , a single global safety climate index has been established for use in integrated assessment of safety management – instead of a range of different indices, each corresponding to a single safety climate factor.

supplier and delivery organisations

GAPS &Recent progress:

Residual Risk and Social Perception of Hydrogen

For a long time, risk assessment process was considered as of the relevance of the technicians or experts. However, with the recent changes in both international and European juridical context the public and other entities of the civil society became and are recognised as being concerned by the decision aiming at reducing the risks; and are then involved in the risk assessment and risk management process. The Aarhus convention on “Access to Information, Public Participation in Decision-making and Access to Justice in Environmental Matters” (1998) have influenced a lot of current national approaches to risk assessment. In France for example, this convention was introduced through the law n° 2002-276 of February 27th 2002 on “the democracy of proximity” and more recently the law n° 2003-699 of July 30th 2003 on “industrial and natural risks prevention and damages amends”, and its 1st February 2005 decrees of application including that “Local Committee of Information and Dialogue” must be created for all industrial Seveso High threshold site. Let notice that even if the juridical and technical wills are present, the involvement of different people (stakeholders) raised practical problems: how to go toward a common understanding and a co-elaboration of common decisions.

Risk perception research paradigm(s)

There are two major frameworks for studying the views on risk by the public involved, respectively, a largely anthropological approach that seeks to characterise risk perception by reference to social structures (“ways of life”). The other and rather more dominant approach, sometimes called the psychometric paradigm, attempts to characterise the underlying factors behind the perception of risk by the public (and various sub-populations defined by, e.g., age, education, gender, profession, ethnicity etc.) by methods refined by psychologists who identify such factors as types of personality or heuristics and biases behind judgments about probability estimates. However, both approaches demonstrate the fact that the risk management process (identificationtion, assessment, control) aims at reducing the uncertainty a stakeholder has concerning a done situation. One can think that the only competent person to do that is the “expert”. The objective would then be to reduce the gap between the expert and the non-expert person and create a common way of looking to “risk” and its causes and consequences.

Risk perception research approaches

It has been known for long that lay people tend to overestimate low-frequency events and underestimate high-frequency events. But it was not till the late 70’s that it was discovered that that there is, one the one hand, a low correlation between lay estimates of risk and direct measures of subjective seriousness of a large and widely delimited set of activities, but on the other hand, a strong correlation between the perception of risk and two main dimensions: the level of dread or perceived disastrousness (imaginability of the hazard) and the perceived controllability of the hazard (familiarity and predictability). Four approaches to risk perception exist: two approaches that insist on the “decisional dimension” of risk perception and two other approaches on the “contextual dimension of perception”. The first approach to risk perception is based on economics paradigm. This approach status that, in a risky situation, each rational actor knows the possible results of a decision (losses and gains) and are able to define the chance (probability or possibility) of a given result. Each rational actor aims at maximising the utility. This first approach consider that: (i) stakeholders (actors) are all similar in their perception and (ii) each risk perception depends on “probability” and “consequences”. The second approach based on a psychometric paradigm focus on perception biases. This approach recognise, in addition to the quantitative criteria that make risk perception “probability” and “gravity of the consequences” the existence of some other “qualitative aspects” like: novelty, familiarity, controllability, acceptability, redoubt ability, etc.). Two biases of perception are here listed: “the availability bias” and “the catastrophe potential”. The first bias makes a direct correlation between “information availability” and “stakeholder correct perception” of a done situation. The second bias states that perception do not only depend on “observable facts” but also on “potential consequences”. These two first approaches have omitted the heterogeneity of “stakeholders” and the heterogeneity of the context where they live. The third approach is a sociologic one. This one study how do people perceives risk in their diversity using both quantitative and qualitative approaches. By insisting on the importance of the socio-demographic profiles of the stakeholders and their individual’s history, the sociological approach tends to consider each risk as equivalent. The fourth approach, to risk perception, takes into account the diversity of both people and risks. This approach is based on the cultural dimension of perception. This approach reveal that risk percpetion depend on stakeholders’ values and on the way their conceive knowledge.

Empirical studies of risk perception of hydrogen technologies

There have been a small number of published studies of public perceptions of the risk of hydrogen technology. There is, of course, an old history of hydrogen applications (the Hindenburg airship; H-bomb; but it is not known how important such associations are)

The following studies of risk perception of hydrogen technology for transport applications have been identified:

The EU-funded CUTE project which has tested the introduction and operation of H2 buses in London, has collected public perception of hydrogen technology for buses.

Method: telephone survey, N=414.

Results: 45% heard about H2 vehicles, 35% support the introduction of H2 vehicles, 60% need more information, 4% gave “danger” as the first words that come to mind when hearing the word hydrogen, 22% “positive”,13% “explosive/flammable”, 13% fuel/energy.

LBST project (Ludwig-BOolkow-Systemtechnik) in in co-operation with Ludwig-Maximilians University of Munich:

Method: surveys of respondent attitudes
Sub-study 1: The attitudes towards hydrogen of secondary students in three schools
Sub-study 2: In 1997 the first hydrogen bus was introduced in Munich, and the passengers of this bus were surveyed.
Sub-study 3: Students who were among the bus passengers (Sub-study 2) and compared their answers to those of the students questioned during Sub-study 1. This gave an indication of how the experience of using hydrogen transportation affects the attitude towards this new fuel.

Results: the often-expected spontaneous association of hydrogen with danger or past accidents like the Hindenburg airship was not confirmed. Generally the attitude of the interviewee towards hydrogen was positive. Contact with hydrogen technologies was shown to have a further positive effect on attitude towards the fuel.

Title: Greening London's black cabs: a study of driver's preferences for fuel cell taxis

Method: the study investigates the preferences of London taxi drivers for driving emissions-free hydrogen fuel cell taxis, both in the short term as part of a pilot project, and in the longer term if production line fuel cell taxis become available.

Results: driving hydrogen-fuelled vehicles does not seem to raise safety concerns amongst taxi drivers.

Risk criteria: other domains, comparable applications, harmonisation efforts.

It is usual to consider “risk perception” at the end of a “technical process” based on identification, evaluation, assessment and hierarchization of risks. However, risk perception do not depend on purely facts measures (gravity of the consequences) or prediction (probability). Values and contextual aspects like socio- economics ones, organizational ones, etc. determine the stakeholders perception. These statements show us that “risk assessment” process must be enriched at its early steps by both qualitative and quantitative studies of stakeholders’ visions and perceptions.

<< | Content | >>

Edit - History - Print - Recent Changes - Search
Page last modified on August 29, 2017, at 12:04 PM