Reinhard Preiss Risk Analysis Techniques in Engineering

TÜV AUSTRIA Fachverlag

Risk Analysis

Reinhard Preiss

Techniques in Engineering

Risk Analysis Techniques in EngineeringISBN 978-3-901942-82-2 Author: Dr. Reinhard Preiss, Executive Business Director Industry & Energy, TÜV AUSTRIA GROUP Published by TÜV AUSTRIA AKADEMIE GMBHLeitung: Mag. (FH) Christian Bayer, DI (FH) Andreas Dvorak , MSc2345 Brunn am Gebirge, TÜV AUSTRIA-Platz 1+43 5 [email protected] | www.tuv-academy.at

Project Management: Mag. Judith MartiskaLayout: Mag. Evelyn HörlProduction: druckwelten.atCover: Markus Rothbauer; Foto: Adobe Stock

© 2020 TÜV AUSTRIA AKADEMIE GMBH

The work is protected by copyright. All rights, in particular the rights of distribution, duplication, translation, reprinting and reproduction, remain reserved to the publisher, even if they are used only in extracts.No part of the work may be reproduced in any form (by photocopy, microfilm or any other process) or stored, processed, reproduced or distributed using electronic systems without the written permission of the media owner.Despite careful examination of all contributions in this work, errors can not be ruled out. The correctness of the content is therefore unaware. A liability of the publisher or authors is excluded.

Making complexity understandableToday companies are faced with a number of challenges: Besides existing market requirements, social demands on businesses have grown that go far beyond the mainte-nance and creation of jobs in recent years.

Added to this – as an expression of the socio-political claim on companies – are legal framework conditions that are becoming increasingly complex and will tie up resources. Correspondingly, many companies – and the industry as a whole – often and quite rightly complain about a hardly manageable flood of regulations.

Companies are often challenged to find dynamic, adaptable solutions in this environment for themselves, especially concerning security.

Assessing risks of technical systems to avert harm to people and environment naturally plays a significant role and is particularly important for the industry.

After all, “security” is no longer a determining factor only for employees but features as an important quality asset in international competition for the business and industrial location.

In addition, there are the challenges in data security, which are gaining importance due to the dynamic development of digitization in production.

Against this background, not only the vehement demands for de-bureaucracy and deregulation are understandable. Besides economic policy conditions, the topics of risk analysis and risk management are growing in significance. Understanding methods of risk analysis and risk ma-nagement and preparing them as a tool for companies is just the kind of valuable support that businesses need in an increasingly complex environment.

Mag. Christoph Neumayer

General Secretary Industriellenvereinigung

PrefaceNothing is as constant as change. This quote attribu-ted to Heraclitus of Ephesus is more valid today than ever. In times of change, paradoxically, people’s need for safety and security increases. Some authors like to talk about the so-called “comprehensive insurance cover society” in this context. However, absolute security is something unattainable, especially in complex technical systems.

Anton Neuhausler has aptly stated: “There is no cer-tainty, only different degrees of uncertainty.” In order to cut through this Gordian knot consisting of safety

needs and practical possibilities, the methods for systematic risk identification and assessment have been developed considerably in the recent past.

The book Risk Analyses Techniques in Engineering on hand in its updated and extended 2nd edition provides an overview of the current state of the art in risk analysis and will prove to be a valuable and practical guide on safety issues, giving an insight on how to meet the increased security requirements with a technically feasible effort.

I hope that the book is distributed widely and above all that it contributes to the systematic improvement of safety.

Dir. Dipl.-Ing. Dr. Stefan Haas

CEO TÜV AUSTRIA HOLDING AG

Foreword of the Author The systematic analysis and evaluation of the risks asso-ciated with technical systems has long been a standard procedure in the high-risk sectors like the chemical in-dustry, oil and gas industry, aviation, and medical engi-neering. Due to the existing and constantly increasing legislative, normative and liability requirements, appli-cation of systematic methods of risk analysis and evalu-ation, ultimately the entire risk management process, is now required in almost all the areas of engineering.

Its objectives include prevention of harm to people, environment and property and ensuring the required

availability of technical systems and processes, thereby taking care of the ethical responsibility of engineering, besides ensuring competitiveness of the technical systems. The estimated costs of disasters exceed the costs for implementing risk minimizing systems enormously. There-fore, saving in cost of risk minimisation can be termed in many cases as short-sighted and uneconomical and is unacceptable both socially and legally in the event of damage to people or environment.

This book should make its contribution in explaining the common methods of risk analysis and management to promote their wide use.

The second edition throws light on a wide range of methods now explained in greater details, with more examples of their application besides highlighting the basics principles underlying the use of newer methods like for example Human Error Analysis and Risk Based Inspection (RBI), the mistakes in the first edition have also been corrected.

At this point, I would especially like to thank my colleague Dr. Joachim Rajek, who has con-tributed the chapter dealing with Risk Based Inspection. His expertise in this area has given an added value to this book, particularly with respect to its application in the area of process industries.

Dipl.-Ing. Dr. Reinhard Preiss

Executive Business Director Industry & Energy TÜV AUSTRIA GROUP

Table of Contents1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121.3 Risk analyses as a part of risk management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

1.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171.3.2 HSE/OI management in the process industry . . . . . . . . . . . . . . . . . . . . . . . . 201.3.3 Examples for performance indicators of the process industry . . . . . . . . . . . . . 23

1.4 Selected application areas of technical risk analyses . . . . . . . . . . . . . . . . . . . . . . . . . 261.4.1 Product safety according to European guidelines . . . . . . . . . . . . . . . . . . . . . . 261.4.2 Product liability according to product liability laws . . . . . . . . . . . . . . . . . . . . 281.4.3 Economic success and image of the product . . . . . . . . . . . . . . . . . . . . . . . . . 291.4.4 Occupational safety and environment protection . . . . . . . . . . . . . . . . . . . . 291.4.5 Process safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301.4.6 Critical infrastructure safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391.4.7 Aviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

1.5 Known/unknown knowns/unknowns – a reflection of risk analysis . . . . . . . . . . . . 451.6 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Methods of Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502.1 General outline of risk assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502.2 Risk matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

2.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552.2.2 Quantitative – Process industry example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572.2.3 Qualitative – Process industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612.2.4 Qualitative – Railway engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622.2.5 Qualitative according to DoD practice for system safety . . . . . . . . . . . . . . . . 632.2.6 Risk Based Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

2.3 Individual risk, social risk, the ALARP concept . . . . . . . . . . . . . . . . . . . . . . . . . . . 652.3.1 Individual and social risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652.3.2 The ALARP principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

2.4 Principle of minimum endogenous mortality (MEM) . . . . . . . . . . . . . . . . . . . . . . 712.5 The GAMAB Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732.6 The risk graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752.7 Risk indexes/risk priority number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782.8 Excursus: RAPEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812.9 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833 Methodology Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853.1 Aspects regarding categorisation and characterisation of methodologies . . . . . . . . . 853.2 Categorisation of methods with respect to detailing steps . . . . . . . . . . . . . . . . . . . . 873.3 Characterisation of methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964 FMEA (FMECA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

4.1.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984.1.2 Areas of application areas and motivation for FMEA . . . . . . . . . . . . . . . . . . . 984.1.3 Objectives of the FMEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

4.2 FMEA designations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994.3 Implementation and steps of FMEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

4.3.1 Function consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004.3.2 System structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014.3.3 Analysis of potential failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014.3.4 Risk assessment by means of FMECA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044.3.5 Documentation and follow-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

4.4 Application examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114.4.1 Electric pressure cooker – safety features . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114.4.2 FMEA concerning natural gas supply availability . . . . . . . . . . . . . . . . . . . . . 1144.4.3 Functional consideration of a car seat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1164.4.4 FMEA application in process engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184.4.5 Process FMEA: implementation of a risk analysis . . . . . . . . . . . . . . . . . . . . . 121

4.5 Summary and limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1224.6 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1225 HAZOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

5.1.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235.1.2 Areas of application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1245.1.3 Distinction from (Component-) FMEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

5.2 Definitions/Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1245.3 Methodology of HAZOP study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

5.3.1 Continuous systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1265.3.2 Discontinuous (sequential, batch-) systems . . . . . . . . . . . . . . . . . . . . . . . . . . 131

5.4 Execution of HAZOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1325.4.1 Defining the objectives and the scope of the study . . . . . . . . . . . . . . . . . . . . 1325.4.2 Selecting the team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1325.4.3 Preparing the study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1335.4.4 Team meetings and documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

5.5 Examples of application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1355.5.1 Continuous system – gas pressure reducing station . . . . . . . . . . . . . . . . . . . . 1355.5.2 Defining the sub-systems for a chemical production . . . . . . . . . . . . . . . . . . . 1405.5.3 HAZOP preparing of a discontinuous system – reactor unit . . . . . . . . . . . . . 1415.5.4 Railway gate at level crossing (HAZOP as PHA) . . . . . . . . . . . . . . . . . . . . . . 1425.5.5 Other applications for HAZOP (emergency measures, personnel selection process) . . 144

5.6 Summary and limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1465.7 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1476 Fault Tree Analysis – FTA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1486.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

6.1.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1486.1.2 Objectives of fault tree analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

6.2 Terms and symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1496.3 Implementation of a fault tree analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

6.3.1 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1516.3.2 Minimal cut set representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

6.4 Application example – liquid separator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1586.5 Application example – automatic filling of a tank . . . . . . . . . . . . . . . . . . . . . . . . . . 1636.6 Summary and limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1686.7 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1697 Event Tree Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1707.1 Methodology and graphical representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1707.2 Examples of application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

7.2.1 Failure of a cooling system pump of a reactor . . . . . . . . . . . . . . . . . . . . . . . . 1717.2.2 Exhaust gas treatment facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1727.2.3 Leakage of a flammable gas/a flammable liquid . . . . . . . . . . . . . . . . . . . . . . . 176

7.3 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1788 Cause-Consequence Analysis and Bow-Tie Analysis . . . . . . . . . . . . . . . . . . . . . . 1798.1 General on methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1798.2 Cause-consequence analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1798.3 Bow-Tie analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

8.3.1 Elements of a Bow-Tie diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1818.3.2 Application example – vessel with flammable liquid . . . . . . . . . . . . . . . . . . . 184

8.4 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869 3-F Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1879.1 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1879.2 Example of use – necessity of wearing bicycle helmets . . . . . . . . . . . . . . . . . . . . . . 1889.3 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18910 Layer of Protection Analysis (LOPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19010.1 Introduction and history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19010.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19210.3 Implementation of the LOPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

10.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19410.3.2 On the effect of scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19610.3.3 Initiating event, enabling event, conditional modifier . . . . . . . . . . . . . . . . . 19810.3.4 Independent Protection Layer (IPL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20510.3.5 Determination of the occurence probability of a scenario . . . . . . . . . . . . . . 20810.3.6 Target values for risk reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

10.4 Application examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21210.4.1 Application according to general methodology . . . . . . . . . . . . . . . . . . . . . . 21210.4.2 Examples – Austrian LOPA working group [Ref. 10-7] . . . . . . . . . . . . . . . . 214

10.5 Summary and limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22410.6 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22511 What-If, SWIFT Analysis, Check Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22611.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22611.2 Analysis of procedures and processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

11.2.1 Approach for the procedure or process analysis . . . . . . . . . . . . . . . . . . . . . . 22611.2.2 Illustration of the procedure analysis by means of an example . . . . . . . . . . . 227

11.3 SWIFT Analysis (Structured What-If analysis) . . . . . . . . . . . . . . . . . . . . . . . . . . . 22811.3.1 Procedure of the SWIFT Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

11.3.2 SWIFT categories – Machinery safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22911.3.3 SWIFT categories – Process engineering . . . . . . . . . . . . . . . . . . . . . . . . . . 23011.3.4 Analysis according to Haferkamp-Jäger (Seveso Guideline), WACKER analysis 23111.3.5 Application example – SWIFT categories for a wind turbine . . . . . . . . . . . . 23611.3.6 Application example – SWIFT category for medical products . . . . . . . . . . . 23711.3.7 Application examples – compressed air supply system . . . . . . . . . . . . . . . . . 238

11.4 Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24111.5 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24512 Relative Risk Ranking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24612.1 General objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24612.2 Overview of the method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24612.3 Dow Fire & Explosion Index (F&EI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

12.3.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24712.3.2 Procedure to determine the F&EI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24912.3.3 Example of application – storage tank for Toluol . . . . . . . . . . . . . . . . . . . . . 258

12.4 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26113 HACCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26213.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26213.2 HACCP – the methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

13.2.1 HACCP – Hazards and risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26313.2.2 The 7 Principles of HACCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

13.3 Example of application – cheese production . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26813.4 HACCP application in biogas plants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27213.5 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27614 Human Factor/Human Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27714.1 General introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27714.2 Skill, rule and knowledge-based: a more precise consideration . . . . . . . . . . . . . . . 281

14.2.1 Failure modes in skill-based level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28314.2.2 Failure modes in rule-based level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28414.2.3 Failure-modes in the knowledge-based level . . . . . . . . . . . . . . . . . . . . . . . . 284

14.3 Latent errors and system failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28614.4 Communication and alarm management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28814.5 Safety culture and integrated approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28914.6 Analysis and quantification of human error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29414.7 Quantification for LOPA applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

14.7.1 Quantification according to TESEO procedure . . . . . . . . . . . . . . . . . . . . . 29614.7.2 Procedural controls for major incident hazards . . . . . . . . . . . . . . . . . . . . . . 29814.7.3 Quantification according to the Rasmussen report . . . . . . . . . . . . . . . . . . . 301

14.8 Examples for accidents due to human error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30114.8.1 Nuclear power plant Three Mile Island – Harrisburg (USA) . . . . . . . . . . . . 30114.8.2 Exxon Valdez (Alaska 1989) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

14.9 Resumee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30414.10 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30515 Functional Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30615.1 Basic concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30615.2 Risk-based definition of safety levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

15.2.1 Machine safety according to EN 13849 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30915.2.2 Machinery safety according to EN 62061 . . . . . . . . . . . . . . . . . . . . . . . . . . 31115.2.3 Process industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

15.3 Examples of application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32215.3.1 Overfilling of a separator – SIL according to EN 61511 . . . . . . . . . . . . . . . 32215.3.2 Stop and lock device of a machine – PL according to EN 13849 . . . . . . . . . 323

15.4 Basics of SIL verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32515.4.1 SIL according to EN 61508/EN 61511 . . . . . . . . . . . . . . . . . . . . . . . . . . . 32515.4.2 PL according to EN 13849 (machinery safety) . . . . . . . . . . . . . . . . . . . . . . 33515.4.3 SIL according to EN 62061 (machinery safety) . . . . . . . . . . . . . . . . . . . . . . 340

15.5 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34316 RAM Analyses (Excursus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34516.1 Basics and methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34516.2 Example of application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34716.3 Monte Carlo simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34816.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34917 QRA in the Process Industry (Excursus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35017.1 Basic procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35017.2 Loss-of-containment events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35217.3 Consequence analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35417.4 Effect on people, individual and social risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

17.4.1 Effect of toxic exposure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35817.4.2 Effect of fire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35917.4.3 Effect of pressure waves (explosions) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36117.4.4 Illustration of results of a QRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

17.5 Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36617.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36718 Risk Based Inspection (RBI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36818.1 History and introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36818.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37018.3 Executing RBI study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

18.3.1 Overview of the process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37218.3.2 RBI-Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37318.3.3 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37418.3.4 Defining the scope of RBI project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37418.3.5 Risk matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37518.3.6 Collecting the available data and evaluating the quality . . . . . . . . . . . . . . . . 38018.3.7 Conducting the risk screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38018.3.8 Systematic division of the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38118.3.9 POF and COF analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38318.3.10 Defining the risk, identifying the risk driver . . . . . . . . . . . . . . . . . . . . . . . 39318.3.11 Planning the risk mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39318.3.12 Review, reports, updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

18.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39618.5 References/Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

TÜV AUSTRIA AKADEMIE GMBH Introduction 11

1 Introduction

1.1 General

This chapter is an introduction to the field of risk analysis in engineering. It includes basic definitions of the terms and describes the correlation between the analyses and the concept of risk management, besides highlighting the typical areas of its application and their legal context.

Risk management covers all the measures for a systematic identification, analysis, evaluation, monitoring and managing the risks of an organisation and describes its management process. The technical risk analysis is used in this context for identification and evaluation of risks that influence or can affect the safety of technical systems and thereby interfere with the goals of the organisation (e.g. with respect to industrial, individual and environmental safety etc.).

The term risk analysis (in engineering), used in the title of the book, is a collective term for the identification, analysis, evaluation and managing (taking measures) technical risks.

The following areas can be considered typical for application of technical risk analysis:

B product safety and product liabilityB employee and environmental safetyB process safetyB safety of critical infrastructure

There are certainly more areas – for instance particularly the aerospace, rail and other mass transport industries as well as medical engineering – in which the technical risk analysis can make an important contribution in designing and ensuring the safety of the systems.

The primary goals of risk analysis in engineering are:

B prevention of personal injury B prevention of environmental damage and damage to propertyB prevention of damage to image and reputation caused by errors or failures of products

and equipmentsB increasing the availability reliability and efficiency of systems, equipments and processes

Especially the legal security achieved through the analysis and documentation of the risks and the measures to reduce them is of prime importance to all the concerned parties.

With reference to the foreword, the terms known/unknown, knowns/unknowns have been elaborated and explained with the help of examples at the end of the chapter (as theoretical motivation).

Introduction TÜV AUSTRIA AKADEMIE GMBH12

1.2 Terminology

Some important terms that keep appearing repeatedly with reference to risk analysis in engi-neering have been either explained or defined below. A common understanding and a com-mon language of people dealing with the concept of risk and risk analysis in engineering, is an important prerequisite for achieving right and consistent results.

Danger

Condition or characteristic with the potential to cause a negative impact on humans, environment or material; is a broad non-specific term.

Hazard

A danger, as indicated for a specific situation; specific in terms of time and location for the concerned person or asset or environment; poses a potential source of harm.

Note: The aforementioned definitions of the terms danger and hazard, very often used in process engineering, differ in meaning from that in [Ref. 1-1].

Risk

A classical universal definition, as given in [Ref. 1-1], [Ref. 1-2], [Ref. 1-3]: “Effect of uncer-tainty on the goals”.

However, in engineering, the term “risk” is normally interpreted as the probability of occur-rence of a loss and the severity of this loss; the magnitude can be determined only for a specific situation with specific parameters.

Colloquial: risk = function (consequences, probability of occurrence of these consequences).

A universally accepted definition is also as per: [Ref. 1-26]: “Risk is a measure of human in-jury, environmental damage, or economic loss in terms of both the probability of occurrence and the magnitude of the loss or injury”.

Probability

The degree at which an event (damaging event) probably occurs. The probability can be understood with reference to a period (e.g. probability for a year, or with reference to the lifespan) or to the number of events (event probability, often expressed in percentage). When used with reference to a period, often the term “frequency” is used e.g. “once in 100 years”.

Risk analysis

Systematic evaluation of the available information to identify the hazards, and the risks asso-ciated with them and then assess them according to their magnitude (i.e. with reference to the probability of occurrence and the consequence).


Risk evaluation

Comparing risks with predefined threshold values.

Risk assessment

Collective term for risk analysis and risk evaluation.

Risk area; Boundary of risk area

Areas/limits in the risk landscape (small, medium, big risks); the risk tolerance limit and/or he risk acceptance limit separate the risk areas from each other.

Residual risk

Risk that remains even after implementing the safety measures (risk reduction measures).

Acceptable risk

Risk that is acceptable in a certain context with respect to the basic and/or moral concepts of an organisation. Additional measures to reduce the risk are not considered as necessary.

Tolerable risk

Risk, which is tolerated by the concerned persons or organisations taking into consideration the advantages of the risky systems or technology.

However, this term differs from the generally acceptable risk as the tolerance can be varying depending upon the concerned group of people. Additional measures to reduce the risks are normally considered in the context of their cost-benefit equation.

Unacceptable risk

Risk that lies beyond (above) the tolerance limit. Additional measures to reduce the risk are obligatory.

ALARP

Reduction of risk “as low as reasonably practicable”. Implementing measures to reduce a risk so that the residual risk is not unacceptable and the cost of every additional measure for mi-nimising the risk is excessively high compared to the further reduction of the risk [Ref. 1-4].

However, the cost-benefit relation cannot be used to implemenmt risk reduction measures which are below the corresponding good industrial standard (at least for risks which might lead to harm to people or the environment)

Mitigation

Measures to reduce the impact of a hazardous event.


Prevention

Measures to reduce the frequency of the occurrence of a hazardous event

Example

Danger: Sulphuric acid

Hazard: Tank with 1,000 l sulphuric acid in a storage tank

Consequence: Spilling of sulphuric acid due to overfilling resulting in an injury of a person and

environmental pollution due to its spreading in ground water

Risk: Function of the probability of overfilling and of the consequences of spilling

Mitigation: Tank dyke

Prevention: Controlling of the filling level, liquid level-high-alarm with automatic inflow cut off

Qualitative risk analysis

Risk analysis and description of a risk, or the evaluation of the residual risk, which is not based on clearly defined quantitative variables, especially with reference to the probability of oc-currence. Using qualitative keywords like for example unknown-seldom-frequent-continuous (probability of occurrence, frequency), negligible-low-moderate-catastrophic (consequence), etc. For further details and examples of application refer to chapter Risk evaluation.

Quantitative risk analysis

Risk analysis and description of a risk, or the assessment of the residual risk, on the basis of clearly defined quantitative variables, for example the extent of damage in Euros or the num-ber of people affected/degree of injury, and probability of occurrence denoted as frequency (instances per time unit). For further details and examples of application refer to chapter Risk Evaluation.

Note: In process safety, the abbreviation QRA (Quantitative Risk Assessment) stands for a standardised process, based on mathematical methods, for indicating the probability of oc-currence and the consequences of serious accidents affecting the operation of a plant and its environment. Also refer to chapter 17.

Semi-quantitative risk analysis

Risk analysis and description of a risk, or the evaluation of the residual risk, on the basis of ca-librated figures, for example using RPN (Risk Priority Number) for FMECA, or 3-F method or Dow Fire & Explosion Index.

Occasionally, quantitative analysis (according to the above definition) is also called as semi-quantitative analysis, when the probability of occurrence or the consequences are not indica-ted explicitly and are given only in terms of a numerical range (or as magnitude). For further details refer to the description of the specified methods.


Event

Ein Ereignis im Rahmen eines Vorganges (Prozesses), welches zu einer Abweichung vom nor-malen Zustand und in weiterer Folge möglicherweise zum Verlust der Kontrolle über eine Gefährdung führt.

An event, as a part of a process leading to a deviation from the normal condition and which may possibly further lead to loss of control over a hazard.

Consequence

Extent of damage caused by an event.

Scenario

An event or multiple events leading to or which can lead to an undesired consequence.

Risk management process

Figure 1-1: Risk analysis and evaluation as a part of risk management process

Establishing the context

Risk identification

Further risk control(measures, pass on to insurance, etc. )

Risk evaluation

Risk analysis

Start

End

Acceptable?

Ris

k m

onito

ring

and

revi

ew

Ris

k co

mm

unic

atio

n, in

form

atio

n ex

chan

ge

YES

NO

Identifying Hazards

Probability of occurence

Consequence

Risk assessment


Crisis management

Coordinated activities which an organisation has to carry out to deal with imminent or al-ready occurring crises. In this context, a crisis is a situation, which requires special measures across the organisation, as the existing structures and processes cannot deal with it adequately.

Risk management

Processes and practices aimed at managing an organisation with reference to risks.

Risk owner

Person with executive powers to manage risk. The risk owner can change the risk.

RAM analysis

Reliability, availability und maintainability analysis. Is carried out for equipments in the plan-ning stage to determine the configuration (e.g. redundancies), the required maintenance, spare parts stock, etc. in order to achieve or prove the availability of the equipments (e.g. 99.9 %) as per a given specification. The analysis is based on statistically existing or assumed failure rates of individual components of the equipments.

Corporate Security

Tasks of organisations and systems that are related to security against intentional hazards (caused deliberately by people) [Ref. 1-20].


1.3 Risk analyses as a part of risk management

1.3.1 Overview

According to ISO 31000 [Ref. 1-2], organisations are subject to various internal and external factors and influences, which make it uncertain, when and whether they can achieve their goals. The effect of this uncertainty on the goals of an organisation is termed as “risk”.

Risks form a part of all the activities of an organisation. Organisations manage these risks by identifying, analysing and then evaluating, whether there is a need to change the risk through measures of risk management in such a way that it complies with the respective risk criteria. During the entire risk-management process they communicate with the stake holders, consult them, monitor and review the risks and their change management in order to ensure that no further measures are required for managing the risk. A detailed description of this systematic and logical process is provided by ISO 31000 [Ref. 1-2] and ONR 49000 [Ref. 1-1].

In Figure 1-2, ONR 49000 [Ref. 1-1] describes the focus of an organisation on its goals and strategies and the commitment of its top management and executives in applying the risk management process for management functions, as an essential requirement of effective risk management. Risk management process covers the tasks aimed at managing and monitoring an organisation with respect to the risks. Defining the parameters, identifying, analysing and evaluating risks and managing them along with risk communication and risk monitoring form the crux of this process.

Figure 1-2: Risk management system and process


Risk identification

Further Risk control (measures, pass on to insurance, etc.)

Risk evaluation

Risk analysis

Start

End

Acceptable?

Ris

k m

onito

ring

and

revi

ew

Ris

k co

mm

unic

atio

n &

con

sulta

tion

YES

NO

Risk Management Policy

PLAN

DO

CHECK

ACT RisK Management System

RiskAssessment


For introducing the risk management process, to run it effectively, to maintain it and for a consistent improvement, big and complex organisations require an organisational framework which is called as risk management system.

The risk management system includes all the elements of the management system of an orga-nisation, which have the task of managing risks. It describes the managerial functions in an organisation and involves planning, implementing, evaluating and consistent improvement, which can also be described as “plan – do – check – act” (as usual in case of other management systems).

The possible individual aspects of elements of the risk management process are cited below with examples:


It is important to define the goals, strategies, scope and the factors influencing the operations of an organisation or of everything that forms a part of it, where the risk management process is applied. The resources required for risk management, the responsibilities and authorizations and the related documentation should be specified.

The following aspects have to be taken into consideration:

B defining the responsibilities for the risk management processB defining the scope and application of the risk management activities (e.g. with respect to

activities, processes and products etc.)B clarification of the relationship between the risk management process and other projects

or activities of the organisationB defining the methods of risk assessment, especially with reference to life cycle, metho-

dology, details of execution, documentation and updates. It involves determining the analysis required for it, its scope, its scale, goals and the required resources.

B defining the risk criteria: Definitions can be derived from legal, regulatory or other requi-rements (e.g. organization internal obligatory ones). Decisions regarding the consistent review of the risk criteria and the usage (e.g. with respect to the best available technology) should be taken. Risk acceptance and tolerance limits should be defined clearly.

B defining the methodology of risk evaluation (e.g. matrix, graph, ranking, etc.) or modify-ing it according to the use case, if necessary

B defining the method for evaluating the performance and efficiency of risk managementB describing the strategy regarding combination of risks


Risk identification

The aim of the corresponding structured process is to ensure a comprehensive and systematic identification of risks (or hazards underlying the risks), specific for the respective issue. In this case, a prior definition of basic conditions is useful, for example:

B common sources of risks within and outside the organisationB methodology for identifying, if necessary diversified per use case and/or phases of the life cycleB availability of information for identifying the risksB required technical and other competence of the personnel involved in the process

Risk analysis

The risk analysis should provide a deeper insight into the risk. Risk analysis is an input for risk evaluation and in deciding what strategies and methods are most appropriate for its ma-nagement.

In addition, risk analysis can also contribute in deciding between multiple options, which include risks of different types having different risk levels.

Risk analysis studies the causes and sources of risks, their effect and the probability of their occurrence. Factors influencing the effect and probabilities should be identified.

As per the applied methodology or initially a common method of determining the effects and the probability of occurrence of scenarios should be defined.

If necessary, a (prior-)standardisation of the risk reduction of safety measures should be carried out.

Risk evaluation

During risk evaluation, the risk level, determined in the risk analysis, is compared with the risk criteria (e.g. evaluation methods, acceptance or tolerance limits), which are defined in the context. Based on this, the need for risk control can be identified.

Risk control and handling

Risk control and handling involves selecting and implementing one or more options to cope with the risks. For example,

B avoidance of the risk sourceB acceptance or tolerance under permanent/periodic controllingB reduction of consequences or/and probability of occurrence through technical/organisa-

tional measures. B transferring the risk (e.g. by means of an insurance)B documentation and communication concerning residual risks


Risk monitoring

An important goal is to ensure the integrity of risk control measures. In addition, events, developments, and changes have to be monitored and analysed continuously to identify any changes in the nature or magnitude of the risk. This includes:

B product monitoringB process monitoringB analysis of occurrencesB management of changeB periodic re-evaluation of risks

1.3.2 HSE/OI management in the process industry

Many organisations in the process industries, especially in the energy sector (oil and gas) regulate the responsibilities and processes with respect to health, safety and environment or with respect to operational integrity (a process by which health, saftey, environmental sustainability and productivity are ensured) in special management systems.

An HSE/OI management system (H – Health, S – Safety, E – Environmental; O – Ope-rational, I – Integrity) is a structured collection of guidelines, methods and processes, which a company uses to implement the risk management efficiently and successfully.

A system of this kind is represented below as an example (it might differ from actual sys-tems of larger industrial companies in some details, but the basics are the same), and the individual elements are briefly summarized.

11 elements of HSE/OI management system

Figure 1-3: HSE/OI management system

Management Leadership & Commitment

Risk Analysis & Risk Management

Design and Construction

Documentation & Information

Training

Operations & Maintenance

Management of Change

Management of Contractors

Emergency Planning

Incident Analysis & Learning

Review & Improvement

Documents

Reinhard Preiss Risk Analysis Techniques in Engineering