Risk Analysis - A Subjective Process
by Felix Redmill
Hazard Identification
The purpose of this activity is to identify the sources of risk - the things that can go wrong and lead to breaches of safety. The nature of the hazards
depends on the circumstances. For example, in an industrial plant, hazards might include failures of equipment, human error and the use of equipment outside its design
specification, whereas in the formation of high-level policy, they may be the potential causes of societal impact or environmental problems. In any case, the aim of the
activity is to maximize the identification of hazards.
There are many techniques for hazard identification, and all depend on human observation, judgment and creativity. As well as being key attributes of an
effective study, these also introduce subjectivity and therefore the potential for bias.
A rudimentary means of hazard identification consists simply of pondering the circumstances, and this may be adequate in a low-risk situation. But in the
fields of industrial and environmental safety, where risks are high and it is expected that professionalism - both in the relevant field and in hazard identification - should
be brought to bear, a number of techniques have been developed.
In some well-understood situations or systems, the use of a checklist may be adequate. For example, in the U.K., the annual Ministry of Transport (MOT) safety
check of motor vehicles is based on testing, against predefined criteria, a list of components that would be hazardous if in poor condition. However, the adequacy of a
checklist depends on a thorough understanding of what could go wrong. Without extensive past experience and documented fault and hazard histories, a checklist is not soundly
based. Moreover, its adequacy also depends on the circumstances of its use being the same as those in which it was created; if they differ, the checklist could be out-of-date
or inapplicable, and dangerously misleading. Checklists, even when appropriate, need to be reviewed periodically. (The MOT checklist has been updated many times.)
In systems that are not so well understood (perhaps because they are only now being planned or designed), techniques that employ the creativity of human
investigation are required. Brainstorming is sometimes used, but although it is creative, there is usually little formality in the process. Information for hazard
identification may also be derived from audits and formal or informal interviews with staff, all of which depend on human abilities, attitudes and thoroughness.
The most powerful method in use today is HAZOP (hazard and operability studies), first developed in the chemical industry and later extended for use with
systems involving software [Refs. 7, 8]. In recognition of the fact that no individual is likely to identify all possible hazards, this technique calls for representing a
number of viewpoints. Not only is a team essential, but study planning, team leadership and process formality are crucial to efficiency and the effectiveness of hazard
identification.
Yet, ironically, the features essential to success can also be the seeds of failure. A HAZOP study can be lengthy (in some cases, taking several weeks) and
expensive, so it is natural that managers may seek to reduce costs. The planning of an appropriate number of study meetings, the inclusion of expert team members (rather than
staff who happen to be available) and the nomination of a trained and competent team leader are all within the discretion of management. If these or other study parameters are
compromised, the inevitable results are an inefficiently conducted study and ineffective hazard identification. Moreover, management is likely to perceive the study's poor
returns as justifying their own economies rather than as the result of their decisions.
Such management thinking overlooks the fact that hazard identification is the foundation of all risk and safety analysis. Hazards not identified are not
analyzed or mitigated, so management economies at this stage of the process should only be taken in the light of clear understanding and should always be justified.
Another factor prejudicial to maximizing the identification of hazards is the human tendency to perceive problems as unique when they are in fact examples of
a wider class [Ref. 9]. We tend to take the "inside" rather than the "outside" view. Taking the latter would lead us to ask such questions as, "What
happened on the last occasion that we did something like this?" and, "Has anyone else done something like this and, if so, what happened?" By taking the inside
view, we fail to consider or even to recognize relevant information. We neglect lessons that might be learned and experience that could be appealed to. We are likely to be
overconfident in our plans (e.g., our system's design), to overemphasize their virtues, and to overlook their weaknesses.
A procedural way of neutralizing the inside view is for a team rather than an individual to engage in hazard identification. However, the team needs to be
carefully chosen [Ref. 8]. Members must have different experience, responsibilities and perspectives, for they need to complement each other. Beware the "groupthink"
of individuals with similar experience and outlook [Ref. 10], for, ironically, they strengthen the conviction that their collective inside view is both correct and good.
A further technique that is often used for hazard identification is fault modes and effects analysis (FMEA), often called "failure modes and effects
analysis." This seeks hazards by examining the effects of the failure of each component of a system. As the need for a team is not often emphasized, one person often
carries out the method. However, an individual lacks the multiple viewpoints required in hazard identification, is subject to the inside view and an overconfidence bias, and
is unlikely to carry out a thorough investigation. FMEA is also likely to miss hazards that result from the interactions of components rather than from the failure of the
components themselves; and such hazards are frequent in modern complex systems, particularly those controlled by software.
In summary, hazard identification is dependent on the subjective choice of techniques, and each technique not only carries its own propensity for error but
also is based on human judgment. If the adverse effects of subjectivity are to be reduced, it should be determined at the definition-of-scope stage which techniques are most
appropriate, given the nature of the system to be studied. Then, in planning the study, the neutralization of subjectivity should be considered. The range and types of hazards
in even small enterprises or projects can be so large that no single method of identification is likely to uncover them all, and a combination of methods is most likely to be
successful.
Whether the subject of risk analysis is a high-level policy or an industrial system, hazard identification can never be considered complete. Lowrance [Ref. 2]
observed, "We simply commit the sin of pride when we think we have been so smart as to have forestalled absolutely every possibility of failure." Indeed, the search
for hazards should never cease. A hazard log should be maintained during the lives of safety-related projects and operational systems, and feedback from audits and interviews
should be continuously screened for indications of hazards.
Further, formal hazard identification studies should be performed at several stages of the system's life [Ref. 8], particularly when a new set of
circumstances prevails and there is new information to be considered. Subjective decisions on when to carry out hazard identification can have a strong influence on the
results of risk and safety analyses. Indeed, one of the greatest sources of error in risk analysis is the failure to identify hazards or the ways in which they occur. As Kletz
[Ref. 11] points out, ever greater effort is expended on attempts to improve the accuracy of the estimates of the probabilities and consequences of hazards that have been
identified, while, in many cases, even greater hazards lie unseen.
Hazard Analysis
In engineering, risk is taken to be a function of an undesirable event's likelihood and potential consequences. Identified hazards must therefore be analyzed
for likelihood and consequence so that their risks can be estimated.
Risk Assessment (or Evaluation)
When hazards have been identified and analyzed, the risk-assessment stage is concerned with determining the tolerability of their risks. Typically,
tolerability is assessed on the basis of both risk values and other factors, such as the benefits to be gained and the costs of reducing the risks. What is tolerable depends
on the circumstances and on human values as well as on technological information; and, in the area of public policy, tolerability decisions are the subject of political
processes. Comparing risks against benefits is hugely subjective, for a benefit to one person is anathema to another, just as an intolerable risk to one may be quite
acceptable to another.
Risk tolerability depends on how a risk is perceived, and risk perception differs greatly between people, the reasons being psychological, social and
cultural. For example, Slovic, Fischhoff and Lichtenstein [Ref. 12] conclude that perception is a function of many variables, such as whether the risk is voluntarily taken,
who has control over it, and whether it has fearfully large consequences. Wynne [Ref. 5] shows its relationship to trust in those with responsibility to manage the risk. When
risk-tolerability decisions are based only on likelihood and consequence, and imposed on the public, they are often resented and opposed.
The broad subject of risk assessment is the most obviously subjective stage of risk analysis, but space does not allow it to be considered further here.