
Working with the Risk Assessment Matrix
P.L. Clemens
June 1993
2nd Edition

The Risk Assessment Matrix

• Guides subjective risk assessments for hazard analyses.
• Is based on the definition of risk and the principle of the iso-risk contour.
• Is widely described in the literature, standards, and regulations.

The matrix can only be used for identified hazards. The matrix DOES NOT identify the hazards.

8671

Risk Assessment/Management* is Required by

• Prudent engineering – especially in high-energy systems
• Many regulatory standards, e.g.
  – 21 CFR 807.90 – requires hazard analyses as a part of “pre-market notification” for medical devices
  – 29 CFR 1910.119(e)(2) – requires applying “one or more… methodologies to determine and evaluate… hazards…”
  – 29 CFR 1910.146(b)(4) – requires identifying hazards in “permit-required confined spaces [containing] any… recognized serious safety or health hazard.”
  – DODI 5000.36 – requires system safety programs for many system acquisitions (imposes MIL-STD-882C)
  – NASA NHB 1700.1, Vol. 3 – “System Safety”
  – Many others…

*Terminology varies: • Risk Management • Hazard Analysis • System Safety • Risk Assessment • Loss Control

The Risk Definition

For a given Hazard, i.e. an activity or condition posing threat of harm, Risk is…
• The EXPECTATION of LOSS
• An expression of the combined SEVERITY and PROBABILITY of loss
• The long-term RATE of LOSS, i.e., the LOSS RATE VALUE

PROBABILITY must be attached to an Exposure Interval!

$$
\mathrm{RISK}\left[\frac{\text{Expected Loss}}{\text{Unit Time or Activity}}\right]
= \mathrm{SEVERITY}\left[\frac{\text{Loss}}{\text{Loss Event}}\right]
\times \mathrm{PROBABILITY}\left[\frac{\text{Loss Event}}{\text{Unit Time or Activity}}\right]
$$

The Risk Plane

SEVERITY and PROBABILITY, the two variables that constitute risk, define a RISK PLANE.

[Figure: the risk plane. Horizontal axis PROBABILITY, from NEVER (0) to Likely; vertical axis SEVERITY, from 0 to Cataclysmic. Three iso-risk contours are drawn: R = P × S = K1, R = K2 > K1, and R = K3 > K2. Risk increases toward the upper right.]

RISK is CONSTANT along any ISO-RISK CONTOUR.

PROBABILITY is a function of EXPOSURE INTERVAL.

Iso-Risk Contour Uses

RISK ASSESSMENT CONVENTION: If possible, assess risk for the Worst-Credible Severity of outcome. (It’ll fall at the top end of its own iso-risk contour.)

ACCEPTANCE: Risk Tolerance Boundaries follow iso-risk contours. From the upper right of the risk plane to the lower left:
(1) NOT ACCEPTABLE
(2) PROVISIONALLY ACCEPTABLE
(3) ACCEPTABLE (de minimis)

RISK ASSESSMENT GUIDES: If risk for a given hazard can be assessed at any severity level, an iso-risk contour gives its probability at all severity levels. (Most, but not all, hazards behave this way. Be wary of exceptions – usually high-energy cases.)

[Figure: risk plane, SEVERITY vs. PROBABILITY (0 to Likely), with two iso-risk contours separating zones 1, 2 and 3.]

The Risk Plane Becomes a Matrix

“Zoning” the Risk Plane into judgmentally tractable cells produces a Matrix.

Matrix cells approximate the continuous iso-risk contour functions in the Risk Plane. Steps in the Matrix define Risk Tolerance Boundaries.

[Figure: left, the continuous risk plane with iso-risk contours; right, the same plane zoned into a matrix with SEVERITY rows I, II, III, IV and PROBABILITY columns F, E, D, C, B, A.]

A Typical Risk Assessment Matrix*
A guide for applying subjective judgment.

Rows: Severity of Consequences – I Catastrophic, II Critical, III Marginal, IV Negligible.
Columns: Probability of Mishap** – F Impossible, E Improbable, D Remote, C Occasional, B Probable, A Frequent.

Each cell carries a Risk Code 1, 2 or 3. Code 1 occupies the high-severity, high-probability region (toward I/A); Code 3 occupies the low-severity, low-probability region (toward IV/F); Code 2 lies between them. (The shading of individual cells is not recoverable from this copy; the worksheet later in the deck places I/D and II/C in Code 2, and I/E, II/D, III/C and III/D in Code 3.)

Risk Code / Actions:
1 – Imperative to suppress risk to lower levels.
2 – Operation requires written, time-limited waiver, endorsed by management.
3 – Operation permissible.

To use the matrix: TARGETS must be selected. An EXPOSURE INTERVAL must be scaled. PROBABILITY and SEVERITY must be scaled. Then HAZARDS must be found, and RISK must be ASSESSED.

*Adapted from MIL-STD-882D. **Life Cycle = 25 yrs.

The alternative to subjectivity – ignore valuable, experience-based RISK JUDGMENT.

Severity/Probability Interpretations*

Severity of Consequences (provide stepwise scaling of SEVERITY levels for each TARGET):

I – Catastrophic: Personnel – death. Equipment loss** – >$1M. Down time – >4 months. Product loss – values as for equipment loss. Environmental effect – long-term (5 yrs or greater) environmental damage, or requiring >$1M to correct and/or in penalties.

II – Critical: Personnel – severe injury or severe occupational illness. Equipment loss – $250K to $1M. Down time – 2 weeks to 4 months. Product loss – values as for equipment loss. Environmental effect – medium-term (1–5 yrs) environmental damage, or requiring $250K–$1M to correct and/or in penalties.

III – Marginal: Personnel – minor injury or minor occupational illness. Equipment loss – $1K to $250K. Down time – 1 day to 2 weeks. Product loss – values as for equipment loss. Environmental effect – short-term (<1 yr) environmental damage, or requiring $1K–$250K to correct and/or in penalties.

IV – Negligible: Personnel – no injury or illness. Equipment loss – <$1K. Down time – <1 day. Product loss – values as for equipment loss. Environmental effect – minor environmental damage, readily repaired, and/or requiring <$1K to correct and/or in penalties.

Probability of Mishap** (provide stepwise scaling of PROBABILITY levels for all TARGETS; PROBABILITY is a function of EXPOSURE INTERVAL):

A – Frequent: Likely to occur repeatedly in system life cycle.
B – Probable: Likely to occur several times in system life cycle.
C – Occasional: Likely to occur sometime in system life cycle.
D – Remote: Not likely to occur in system life cycle, but possible.
E – Improbable: So unlikely it can be assumed occurrence may not be experienced.
F – Impossible: Physically impossible to occur.

Decide on TARGETS.

*Adapted from MIL-STD-882D. **Life Cycle = 25 yrs.

Useful Conventions

Factors of 10 separate adjacent Probability Steps:
D = 10 × E
C = 10 × D
B = 10 × C
A = 10 × B
…but F = 0 (“Impossible”).

Most analysts consider that Severity Level III is OSHA-recordable.

[Figure: the 4 × 6 matrix, SEVERITY I–IV vs. PROBABILITY F–A, with Risk Code zones 1, 2, 3.]

“Calibrate” the Matrix

• Select a cell within the matrix, and attach a hazard scenario to it.
• Make it a practical scenario – one that’s familiar or represents a tangible threat, e.g.
  Cell I/E = risk from the ensemble of hazards that accompany commuting, over a working lifetime of exposure (i.e., 25 years), over a heavily trafficked, two-lane, 15-mile highway, that is codeworthy, passes through mixed rural/urban areas, and has occasional chuckholes, crossing wildlife, hydroplaning, etc. as threats.
• Use this “calibration benchmark” as a “bootstrapping” aid in gauging risk for other, less familiar hazards.

Setting Risk Tolerance Levels
Use “Bootstrapping”

• Look to the past to help set risk tolerance boundaries*.
• Modify experience with goal setting.

“Calibrate” the Matrix. Pick a worst-experienced Hazard that’s actually tolerated. Assign its Risk to a top-severity cell, just inside the acceptable zone.

Let Acceptable Risk for personnel be OSHA de minimis.

[Figure: the matrix, SEVERITY vs. PROBABILITY, with its three zones labelled “Never”, “OK with waiver” and “DE MINIMIS”.]

*Management sets/approves risk tolerance boundaries, not the analyst!

Altering Risk Tolerance Levels

Risk tolerance limits can be adjusted by:
• Rezoning cells within the matrix*
• Redefining severity levels I–IV**
• Redefining probability levels A–E*
• Altering exposure interval**

* Affects risk tolerance for all targets.
** Affects risk tolerance for selected targets.

Why Have That Probability Level F = “Impossible”?

• If probability is zero, isn’t risk nonexistent? – YES, but…
  – A “left end” starting place is needed for the “Risk Yardstick.”
  – Without “F = ‘Impossible’,” residual risk cannot be assessed for cases in which the hazard is designed out of the system!

Risk for a Given Hazard Varies

• From target to target
• With size of the exposed population
• From operational phase to operational phase
• With exposure duration

AN IMPORTANT CONVENTION: ALWAYS assess risk for the Worst-Credible Severity of outcome.

The PERCEPTION of RISK varies from analyst to analyst. Use several ANALYSTS!

Pick Targets* with Care

• Personnel (illness/injury/health)
• Equipment productivity (downtime)
• Product / environment
• Proprietary information
• Reputation
• Others?

*Too few or wrong targets ≈ ineffective program; too many ≈ burdensome to implement.

Consider Population

How many are exposed?
• Employees
• Vehicles
• Machines
• Operations
• Stacks
• Production lines
• Others?

RISKS SUM. As the exposed population increases, RISK INCREASES! Don’t assume that risk for the fleet is the same as risk for one taxi!

Pick Operational Phases* with Care

• Delivery
• Installation
• Calibration
• Startup
• Shakedown
• Standard run
• Standard shutdown
• Maintenance
• Others?

*TOO FEW or WRONG PHASES ≈ ineffective program; TOO MANY ≈ burdensome to implement!

Exposure Interval is Important

• Changing exposure interval changes probability. An event that is “Improbable” (E) over a very short exposure interval becomes “Remote” (D) or “Occasional” (C) over a longer interval.
• If one matrix and its risk acceptance boundaries are to be used for all targets, then all targets should be considered over the same exposure interval.
• Changes in exposure interval should cause changes in risk tolerance boundaries within the matrix.

Those Subjective Scales
They lack engineering appeal, but are widely used in many fields…

MEDICINE (status-related terms, eight steps): Excellent, Good, Satisfactory, Fair, Poor, (Guarded), (Serious), Critical.
MEDICINE (rate-related terms, three steps): Improved (-ing), Stable, Failing.
BEEF (seven steps): Very Well Done, Well Done, Medium Well Done, Medium, Medium Rare, Rare, Very Rare.
MUSIC (loudness, eight steps): ppp, pp, piano, mp, mf, forte, ff, fff.
MUSIC (tempo, five steps): Lento, Adagio, Moderato, Allegro, Presto.

Subjective judgments become difficult on scales having more than ≈ 5–6 steps.

Avoid Useless Debates

• Always assess for Worst-Credible Severity.*
• When in doubt, scale severity up.
• Note that… I/D ≈ II/C ≈ III/B, and I/E ≈ II/D ≈ III/C, etc. (cells on the same iso-risk diagonal of the matrix carry about the same risk).

*Worst-Credible ≠ Worst-Conceivable.

[Figure: the 4 × 6 matrix, SEVERITY I–IV vs. PROBABILITY F–A, with Risk Code zones 1, 2, 3.]

Some Matrix Design “Don’ts”

• Too many matrix cells… Subjective judgment can’t readily resolve more than six discrete probability steps. Added steps become confused/meaningless.

FLAWED: severity levels I–VII by probability levels L–A, 7 × 12 = 84 cells.
PREFERRED: severity levels I–IV by probability levels F–A, 4 × 6 = 24 cells.

Keep it SIMPLE! 4 × 6 = 24 cells is better than 7 × 12 = 84 cells.

More Matrix “Don’ts”

• Discontinuities… Can a countermeasure make the “leap” from Zone (1) to Zone (3) in a single step?

FLAWED: a matrix in which a Zone (1) cell borders a Zone (3) cell directly.
PREFERRED: make every one-step path from a high Risk Zone (1) to a lower Risk Zone (3) pass through the intermediate Zone (2).

More Matrix “Don’ts”

• Too many zones… A 24-cell matrix can be resolved into nine levels of “priority,” or even more (FLAWED example: cells numbered from 1 at I/A to 9 at IV/F). But what are the rational functions for the many levels?

Three zones will usually suffice (PREFERRED). A hazard’s risk is either…
• (3) Routinely accepted,
• (2) Accepted by waiver, or
• (1) Avoided.

Risk Assessment in Process Context

1. Identify TARGETS to be protected: Personnel, Equipment, Product, Productivity, Environment, Other.
2. Recognize RISK TOLERANCE LIMITS (i.e., Risk Matrix boundaries).
3. “SCOPE” the system as to: (a) physical boundaries; (b) operating phases (e.g., shakedown, startup, standard run, emergency stop, maintenance); and (c) other assumptions made (e.g., as-is, as-designed, no countermeasures in place), etc.
4. IDENTIFY/VERIFY HAZARDS. (HAZARD: act or condition posing threat of harm.) Describe each hazard as SOURCE – MECHANISM – OUTCOME.

Then, for each TARGET/HAZARD combination (hazards 1, 2, 3 … H against targets 1, 2, 3 …):
  – EVALUATE WORST-CASE SEVERITY and EVALUATE PROBABILITY.
  – USE THE RISK MATRIX. The MATRIX must be defined for, and must match, the assessment probability interval and force/fleet size.
  – IS RISK ACCEPTABLE? (See 2 above.)
      YES: ACCEPT RISK.
      NO: DEVELOP COUNTERMEASURES AND RE-EVALUATE, or ACCEPT (WAIVER), or ABANDON.
  – REPEAT for each TARGET/HAZARD combination.

5. Do the countermeasures introduce new hazards?
6. Do the countermeasures impair system performance?
If so, develop NEW COUNTERMEASURES! Otherwise, STOP.

Designing a Risk Assessment Worksheet

Make it one…
– That’s PRACTICAL and FUNCTIONAL.
– That “prompts” the analyst to consider…
  • VARIED TARGETS
  • VARIED OPERATIONAL PHASES
  • THE EXPOSURE DURATION
– That doesn’t become “just one more lousy form to fill out!”

DON’T OVERLOOK ADMINISTRATIVE REQUIREMENTS. EXAMPLES: review/approval signatures; revision dates; warnings about countermeasures implementation; etc.

Preliminary Hazard Analysis (worksheet example)

Brief Descriptive Title (portion of system/sub-system/operational phases covered by this analysis): Pressurized UnFo3 Containment and Replenishment Reservoir and Piping / Startup, Routine Operation, Standard Stop, Emergency Shutdown
Probability Interval: 25 years. Date: 25 Feb. 1993. Analysis: Initial (Revision / Addition). System Number: Srd-A (Chem/Int).

Hazard No. / Description: Srd-A.a.042 – Flange Seal A-29 leakage, releasing pressurized UnFo3 chemical intermediate from containment system, producing toxic vapors and attacking nearby equipment.

Risk Before (Target*: Severity / Probability / Risk Code):
  P: I / D / 2
  E: II / C / 2
  T: III / C / 3

Description of Countermeasures (identify by code letter): Surround flange with sealed annular stainless steel catchment housing with gravity runoff conduit led to Detecto-Box™ containing detector/alarm device and chemical neutralizer (S/W). Inspect flange seal at 2-month intervals, and re-gasket during annual plant maintenance shutdown (P). Provide personal protective equipment (Schedule 4) and training for response/cleanup crew (S/P).

Risk After (Target*: Severity / Probability / Risk Code):
  P: I / E / 3
  E: II / D / 3
  T: III / D / 3

Countermeasure codes: D = Design Alteration; E = Engineered Safety Feature; S = Safety Device; W = Warning Device; P = Procedures/Training.
*Target codes: P – Personnel; E – Equipment; T – Downtime; R – Product; V – Environment.

Guidance for filling in the worksheet:
– Show hazard alphanumeric designator. Describe hazard source, mechanism, and worst-credible outcome.
– Identify target(s).
– Assess worst-credible severity, and probability for that outcome. Show risk (from assessment matrix) for the hazard “as-is” – i.e., with no added countermeasures.
– Describe newly proposed countermeasures to reduce probability/severity. Note: these countermeasures must be in place prior to operation.
– Reassess probability/severity, and show risk (from assessment matrix) for the hazard, presuming new countermeasures to be in place. If risk is not acceptable, new countermeasures must be developed.

Prepared by/Date:                Approved by/Date:

Hazard Analysis and Risk Assessment… (form example)

HAZARD No.: Chem/Int-001. HAZARD TITLE: Flange Seal A-29 Leakage (provide brief name for hazard). REVISED: 7/22/93.

HAZARD DESCRIPTION (describe hazard, indicating source, mechanism, worst-credible outcome): Flange Seal A-29 leakage, releasing pressurized UnFo3 chemical intermediate from containment system, producing toxic vapors on contact with air and attacking nearby equipment.

EXPOSURE INTERVAL: 25 years. ACTIVITY/PROCESS PHASE (identify applicable operating phases): Startup / Standard Operation / Stop / Emergency Shutdown.

INITIAL RISK ASSESSMENT (with existing or planned/designed-in countermeasures). For each target, assess severity (worst credible) and probability (for the exposure interval) for the worst-credible outcome; show risk code (from matrix) for the hazard-target combination “as-is” – i.e., with no added countermeasures. Identify (X) all applicable targets.
  Personnel: X – Severity I, Probability D, Risk Code 2
  Equipment: X – Severity II, Probability C, Risk Code 2
  Downtime: X – Severity III, Probability C, Risk Code 3
  Environment: not checked
  Product: not checked

ADDITIONAL COUNTERMEASURES* (describe added countermeasures to control probability/severity and reduce risk; THESE COUNTERMEASURES MUST BE IN PLACE PRIOR TO SYSTEM OPERATION!): Surround flange with sealed annular stainless steel catchment housing, with gravity run-off conduit led to Detecto-Box™ containing detector/alarm feature and chemical neutralizer (S/W). Inspect flange at two-month intervals and re-gasket during annual plant maintenance shut-down (P). Provide personal protective equipment and training for response/cleanup crew (S/P).

*Mandatory for Risk Codes 1 & 2, unless permitted by waiver. Personnel must not be exposed to Risk Code 1 or 2 hazards.
Code each countermeasure: (D) = Design Alteration / (E) = Engineered Safety Features / (S) = Safety Devices / (W) = Warning Devices / (P) = Procedures/Training.

POST-COUNTERMEASURE RISK ASSESSMENT (with additional countermeasures in place). Reassess severity/probability and show risk (from assessment matrix) for the original hazard-target combinations, presuming new countermeasures to be in place. If risk is not acceptable, additional countermeasures must be developed.
  Personnel: X – Severity I, Probability E, Risk Code 3
  Equipment: X – Severity II, Probability D, Risk Code 3
  Downtime: X – Severity III, Probability D, Risk Code 3
  Environment: not checked
  Product: not checked

COMMENTS: In-plant diking protects environment from runoff.

Prepared by / Date (Designer/Analyst):    Reviewed by / Date (System Safety Manager):    Approved by (Project Manager):

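The two worksheets above can be mechanized. The Python below is an added example, not part of the deck or of the original worksheet. It encodes the deck's conventions (severity I–IV, probability F–A with a factor of 10 between adjacent steps and F fixed at zero, three risk-code zones, no one-step leap from zone 1 to zone 3, worst-credible outcome assessed per target, personnel never left at code 1 or 2) and re-runs the Flange Seal A-29 assessment before and after countermeasures. The zoning of individual cells is an assumption: the deck's shading is not recoverable from this copy, so cells on one iso-risk diagonal share a code, with the diagonals chosen to reproduce the risk codes printed on the worksheet. The rescaling and continuity helpers generalize the deck's single illustrations (E becoming D or C over a longer interval; one flawed matrix) to any exposure factor and any zoning function.

```python
"""Risk assessment matrix helpers (added example, not from the deck).

Severity I-IV and probability F-A follow the deck; the assignment of
risk codes to cells is an ASSUMPTION chosen so the deck's own data
points hold (I/D=2, II/C=2, III/B=2, I/E=3, II/D=3, III/C=3, III/D=3).
"""
import math
from typing import Callable, Dict, List, Tuple

SEVERITY = ["IV", "III", "II", "I"]           # Negligible .. Catastrophic
PROBABILITY = ["F", "E", "D", "C", "B", "A"]  # Impossible .. Frequent
Zoning = Callable[[str, str], int]
Cell = Tuple[str, str]


def risk_code(severity: str, probability: str) -> int:
    """Risk code for one cell: 1 = avoid, 2 = accept by waiver, 3 = accept.

    ASSUMED zoning: cells on one iso-risk diagonal share a code (the deck
    notes I/D ~ II/C ~ III/B).  Column F has P = 0, so its risk is 0 and
    it is placed in the accepted zone.
    """
    s = SEVERITY.index(severity)
    p = PROBABILITY.index(probability)
    if p == 0:
        return 3
    diag = s + p                # each step up or right adds one
    return 1 if diag >= 6 else 2 if diag == 5 else 3


def rescale_probability(level: str, exposure_factor: float) -> str:
    """Shift a probability level when exposure changes.

    exposure_factor = (new interval / old interval) * (new population /
    old population); adjacent levels differ by a factor of 10 (deck
    convention).  F stays F: zero stays zero.  Never rescale into F.
    """
    if exposure_factor <= 0:
        raise ValueError("exposure factor must be positive")
    if level == "F":
        return "F"
    i = PROBABILITY.index(level) + round(math.log10(exposure_factor))
    return PROBABILITY[max(1, min(len(PROBABILITY) - 1, i))]


def continuity_violations(zoning: Zoning) -> List[Tuple[str, str]]:
    """Adjacent cells whose codes differ by more than one zone.

    A one-step path from zone 1 to zone 3 that skips zone 2 is the design
    flaw the deck warns against; a well-formed matrix returns [].
    """
    bad = []
    for si, s in enumerate(SEVERITY):
        for pi, p in enumerate(PROBABILITY):
            for sj, pj in ((si + 1, pi), (si, pi + 1)):
                if sj < len(SEVERITY) and pj < len(PROBABILITY):
                    s2, p2 = SEVERITY[sj], PROBABILITY[pj]
                    if abs(zoning(s, p) - zoning(s2, p2)) > 1:
                        bad.append((f"{s}/{p}", f"{s2}/{p2}"))
    return bad


def acceptable(code: int, target: str, waiver: bool = False) -> bool:
    """Deck rule: code 3 is acceptable; code 2 only by waiver; code 1
    never; personnel (target 'P') may not carry code 1 or 2 at all."""
    if code == 3:
        return True
    if code == 2 and target != "P":
        return waiver
    return False


def assess_hazard(targets: Dict[str, Tuple[Cell, Cell]],
                  zoning: Zoning = risk_code) -> Dict[str, Tuple[int, int]]:
    """Risk code before and after countermeasures for each target."""
    return {t: (zoning(*before), zoning(*after))
            for t, (before, after) in targets.items()}


# Constructed from the deck's Flange Seal A-29 worksheet:
# target -> ((severity, probability) as-is, (severity, probability) after)
FLANGE_SEAL_A29 = {
    "P": (("I", "D"), ("I", "E")),      # personnel
    "E": (("II", "C"), ("II", "D")),    # equipment
    "T": (("III", "C"), ("III", "D")),  # downtime
}


def flawed_zoning(severity: str, probability: str) -> int:
    """Constructed FLAWED matrix: I/D is accepted while I/C is zone 1,
    so a single probability step leaps from zone 1 to zone 3."""
    if (severity, probability) == ("I", "D"):
        return 3
    return risk_code(severity, probability)


if __name__ == "__main__":
    for target, (before, after) in assess_hazard(FLANGE_SEAL_A29).items():
        print(f"{target}: {before} -> {after}, acceptable={acceptable(after, target)}")
    # A 100-taxi fleet over the same 25 years: E for one taxi becomes C.
    print(rescale_probability("E", 100))
    print(continuity_violations(risk_code), continuity_violations(flawed_zoning))
```

Run as a script it reproduces the worksheet (P 2→3, E 2→3, T 3→3), shows that "Improbable" for one vehicle is "Occasional" for a fleet of a hundred over the same interval (risks sum), and reports the one flawed adjacency in the constructed matrix while the diagonal zoning has none. Swap in your own `Zoning` function to check a proposed matrix for the continuity property before management approves its boundaries.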
Why Assess Risk?

• To avoid untenable risk.
• To make “Go/No-Go” operating decisions.
• To guide resource distribution for improved control of LO$$.

Risk Assessment/Management IS NOT…

A substitute for conforming to applicable…
• CODES
• STANDARDS
• REGULATIONS

BUT… codeworthy systems may still pose untenable risk!