Subjectivity in Hazard Analysis

by Felix Redmill
London, U.K.

Introduction
This is the second in a series of three articles on the subjective aspects of risk analysis. In the first, published in the premiere issue of eJSS (February 2003), risk analysis was defined as comprising four stages — scope definition, hazard identification, hazard analysis, and risk assessment. In the first stage, the scope and terms of reference of the analysis are defined. In the second, the hazards that could lead to breaches of safety are identified. In the third, the risks associated with the hazards are determined, and in the fourth the tolerability of each risk is assessed against predetermined criteria.

In considering the subjectivity in risk analysis, the previous article particularly addressed the first and second stages and briefly discussed the fourth. This article examines the subjectivity inherent in the third, hazard analysis, stage.

Once the scope and terms of reference of a risk analysis have been defined, the second stage, hazard identification, lays the technical foundation of the analysis. It cannot be guaranteed that all possible hazards are uncovered; indeed, it would be extraordinary if further hazards were not revealed later. But the coverage of later analysis is constrained by the thoroughness of the identification process: hazards not identified are neither analyzed nor mitigated.

Given that risk is taken to be a function of probability and consequence, hazard analysis, the third stage of risk analysis, involves determining these two parameters, which may be done quantitatively or qualitatively, depending on the information available and the confidence that can be placed in numeric values. One method is to carry out a bottom-up analysis, starting with each hazard and working forwards towards its system-level consequences. The initial effect of a hazard (e.g., the failure of a component or person) may be local, but the hazardous effect of interest is almost always at the system level — i.e., at the boundary between the system and "the rest of the world." A second method of hazard analysis is to take a top-down approach, commencing with the top hazardous events and working backwards towards ultimate causes, creating fault trees in which successive causal events are identified.

The two approaches are complementary, and neither is likely to offer a complete analysis. Because their results are usually inconsistent in many respects, they should be compared and integrated. Yet, far from comparing them, some modern computer-based tools automatically derive fault trees from the results of a bottom-up technique such as FMEA (failure modes and effects analysis). Naturally, it can then be claimed that the fault tree is consistent with respect to the model produced from the FMEA. But, being the result of human judgment, that model is almost certainly neither complete nor wholly correct. Moreover, the opportunity for cross-checking between bottom-up and top-down methods is lost, and there is likely to be misplaced confidence in the correctness of the fault trees.

The results of a risk analysis depend on the techniques employed, the ways in which they are used, and the consistency with which they are used with respect to each other, all of these factors being subjects of human discretion.

The more sophisticated hazard identification techniques, such as hazard and operability studies (HAZOP) and FMEA, also include bottom-up hazard analysis. Discussion of these, and the subjectivity implicit in their use, has already been provided [Ref. 1] and will not be repeated here. In examining subjectivity in hazard analysis, this article first considers the two aims of the process: to determine consequences and likelihood. It examines the ways in which subjectivity affects the numbers arrived at in both cases. Then it considers the use of the most usual top-down method, fault tree analysis (FTA), in arriving at them. Finally, there is a discussion of the findings.

Consequences

At first glance, evaluating consequences may seem objective, but what we evaluate depends on where we look, and this is determined by a number of decisions.

First, the consequences to be evaluated depend on which event in a chain of events is considered to be "final" or of interest in the circumstances. For example, in transport a human or component failure might lead to the loss of control of a vehicle, which could lead to an accident, which in turn could lead to a loss of life. Each of these might be of interest as a "final event," depending on the purpose of the risk analysis, and each carries different assumptions and a different probability of occurrence. Railtrack's safety management manual [Ref. 2] takes loss of life to be of interest, but the motor industry's guidelines [Ref. 3] focus on controllability (or loss of it) of the vehicle.

It must also be decided, at the scope-definition stage of the analysis, whether estimations should be based on the worst possible consequence, the worst credible, or the most likely, and the risk values are influenced by the choice. Further, each scenario is not clearly defined and waiting to be measured, but is a potential outcome whose parameters must be subjectively defined — perhaps in line with the goals or mind-set of a particular industry sector.
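As an added illustration (not part of the original article), the following Python models the transport chain above and shows how the risk value for one and the same hazard changes with the choice of "final event" and of worst-possible, worst-credible, or most-likely consequence. All conditional probabilities, loss values and the credibility threshold are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Stage:
    """One event in the causal chain."""
    name: str
    p_given_previous: float                    # P(this event | preceding event)
    outcomes: Tuple[Tuple[float, float], ...]  # (loss in constructed units, P(loss | event))


# Constructed chain from the article's transport example; every number is illustrative.
CHAIN = (
    Stage("component failure", 1e-3, ((1.0, 0.90), (5.0, 0.10))),
    Stage("loss of control",   0.2,  ((10.0, 0.70), (50.0, 0.25), (200.0, 0.05))),
    Stage("accident",          0.1,  ((100.0, 0.60), (1000.0, 0.39), (5000.0, 0.01))),
    Stage("loss of life",      0.05, ((1e6, 0.85), (5e6, 0.149), (5e7, 0.001))),
)

POLICIES = ("worst_possible", "worst_credible", "most_likely")


def event_probability(chain, final_index: int) -> float:
    """P(final event) = product of conditional probabilities along the chain."""
    p = 1.0
    for stage in chain[: final_index + 1]:
        p *= stage.p_given_previous
    return p


def consequence(stage: Stage, policy: str, credible_threshold: float) -> float:
    """Loss value selected by the consequence policy fixed at scope definition."""
    if policy == "worst_possible":
        return max(cost for cost, _ in stage.outcomes)
    if policy == "worst_credible":  # what counts as 'credible' is itself a chosen threshold
        return max(cost for cost, p in stage.outcomes if p >= credible_threshold)
    if policy == "most_likely":
        return max(stage.outcomes, key=lambda o: o[1])[0]
    raise ValueError(f"unknown policy {policy!r}")


def risk(chain, final_index: int, policy: str, credible_threshold: float = 0.01) -> float:
    """Risk = P(chosen final event) x consequence value chosen for that event."""
    return event_probability(chain, final_index) * consequence(
        chain[final_index], policy, credible_threshold)


def risk_table(chain, credible_threshold: float = 0.01) -> Dict[Tuple[str, str], float]:
    """Risk for every (final event, policy) pair: one hazard, twelve different answers."""
    return {(s.name, pol): risk(chain, i, pol, credible_threshold)
            for i, s in enumerate(chain) for pol in POLICIES}
```

Lowering the credibility threshold from 0.01 to 0.001 moves the worst-credible loss-of-life figure from 5e6 to 5e7, so even the "worst credible" policy carries a hidden judgment.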

Then, the values of the possible losses need to be identified and estimated, and they may be distorted in a number of ways. For example, some costs, such as those of damage limitation and of cleaning up after an incident, are frequently omitted. Further, when there is no previous experience of the hazardous event, it is easy to over- or under-estimate the consequences. For example, in the U.K., the losses attributed to a "hundred-year" flood are now found to be a great deal higher than previously assumed. Then there is the potential to induce distortions by deliberate adjustments of costs or benefits. There is also the problem of putting prices on non-marketed goods. Marketed goods carry known or agreed prices, and their loss or replacement can be valued uncontentiously. But non-commodities, such as human life, reputation, and environmental loss or degradation, are not so easily costed, and their valuation is necessarily subjective.

Thus, there is always subjectivity in the estimation of consequences, and more so when there is little or no experience of the hazardous event. Not only is there a degree of uncertainty about a potential future event, there is also error, inaccuracy, and the use of discretion and judgment in the description and valuation of what might occur.