Developing and Using a Risk Assessment Model

Consistency in evaluating and quantifying risk begins with documented definitions.

By Dave Harrold, CONTROL ENGINEERING January 1, 2000

Until senior management of manufacturing facilities formally assess and document acceptable safety, health, environmental, and liability risk, the entire company risks messy public relations and possible legal action from the public, workers, local and national regulators, and insurance providers.

Development of a risk assessment model requires addressing event severity in key domains and quantifying event likelihood.

For example, key domains frequently included are:

  • Public safety and health;

  • Site safety and health;

  • Environmental impact;

  • Liability costs;

  • Production interruptions and quality issues; and

  • Equipment damage and repair costs.

Each domain is evaluated and event definitions and guidelines are documented from minor to severe and/or life-threatening events.

Sample – Domain Impact Risk Assessment Matrix

Less severe to highly severe | Public safety and health | Site safety and health | Environmental impact | Liability costs | Business interruptions and quality issues | Equipment damage and repair costs
10 | Fatality or permanent health effect | Multiple fatalities | Widespread offsite and long-term or permanent damage | > $100 million | > $10 million | > $10 million
9 | Fatality or permanent health effect
8 | One severe or multiple injuries | Localized offsite long-term damage | > $1 million
7 | One severe or multiple injuries | > $10 million | > $1 million
6 | Injury or hospitalization | Major release violation or short-term damage | > $250 thousand
5 | Injury or hospitalization | > $1 million | > $250 thousand
4 | Exposure above limits | Significant release violation | > $10 thousand
3 | Exposure above limits | > $10 thousand | > $10 thousand
2 | Exposure | Minor release
Source: Control Engineering

Events, when they happen, may be very severe, but their likelihood of occurrence may be infrequent.

Definitions for event likelihood must be developed in addition to event severity.

Sample – Event Likelihood Risk Assessment Matrix

Unlikely to highly likely | Event likelihood or frequency (f = frequency of hazardous event, events per year)
10, 9, 8 | A failure that can reasonably be expected to occur within the expected lifetime of the facility. Examples: Process leaks; single instrument or valve failures; or human errors that could result in material release. 10^-2 < f, per year
7, 6, 5 | A failure or series of failures with a low probability of occurrence within the expected lifetime of the facility. Examples: Dual instrument or valve failures; combination of instrument failures and operator errors; or single failures of small process lines or fittings. 10^-4 < f < 10^-2, per year
4, 3, 2 | A failure or series of failures with a very low probability of occurrence within the expected lifetime of the facility. Examples: Three or more simultaneous instrument, valve, or human failures; or spontaneous failure of single tanks or process vessels. f < 10^-4, per year
Source: Control Engineering with data from Arthur D. Little Inc.

Once each event has been quantified for severity and likelihood, quantitative information can be used to determine the overall risk associated with an identified hazardous event.

Many people believe conducting risk assessments is reserved for formalized meetings where entire processes are dissected, analyzed, and risks are documented. Conducting formalized hazard analysis and operability (HAZOP) studies is important, and may be required by law, but most processes undergo regular changes. With few exceptions changes to manufacturing processes require some form of approval and sign-off. A part of the approval and sign-off procedures should include a mini-HAZOP of the change being proposed and approved. The mini-HAZOP review may be as simple as a couple of knowledgeable people sitting down and examining how the proposed change impacts the key domains and the likelihood of an unexpected event occurring as a result of the proposed change.

Putting it all together
Control Engineering has developed a sample risk assessment model consisting of three matrices to illustrate how identified events are assessed and ranked.

Assume a key product quality parameter (i.e., color) has only been successfully measured using laboratory equipment, but process engineering has determined that a virtual sensor could be developed using neural network technology and a model-based controller could be deployed to reduce product color variations.

The existing control system is not capable of hosting the neural network calculations or model-based controller. A personal computer (PC) based ‘soft-controller’ exclusively running a well-known vendor’s neural network and model-based software is being proposed.

Among the unexpected risks identified for the proposed change are:

  • Loss of control would produce off-spec product;

  • Use of standard PC and operating system software; and

  • First deployment (by customer) of neural network and model-based control.

Using the three matrices that make up the risk assessment model, each risk is evaluated and ranked. The following is a representative sample of several (but not all) of the evaluation findings.

Identified risk: Loss of control would produce off-spec product.

Domain examined | Findings and valuations
Public safety and health | No risk identified. Zero severity value is assigned.
Site safety and health | The facility has limited off-spec storage capacity. Large quantities of off-spec material require workers to divert material into portable bulk-packs. Setting up empty bulk-packs and diverting product is a manual effort and has only been necessary once in the past two years. The presence of the bulk-packs adds congestion to the plant floor. Both situations increase the possibility of severely injuring a worker. A severity value of six is assigned.
Environmental impact | No risk identified. Zero severity value is assigned.
Liability costs | Injuries frequently occur when workers perform non-normal duties. Worker injury could increase liability, but the company provides very good insurance and no one can remember an injured worker suing the company. A severity risk of two is assigned. Note: After considering customer impact of lost production the severity risk value is changed to five.
Business interruptions and quality issues | Production is sold out so any unplanned interruptions would impact meeting customer delivery commitments. Because of contractual customer delivery commitments liability issues could be as much as $1,000,000. A severity value of five is assigned. Note: Based on this conversation, it is decided to revisit the liability costs domain.
Equipment damage and repair costs | Beyond the cost of the PC, no risk is identified. A severity value of three is assigned.
Note: This list is intended to be a representative example, not an entire review of all identified risk.

After each remaining risk (i.e., use of standard PC and operating system software, and first deployment (by customer) of neural network and model-based control) has been examined and documented for each domain, each risk is reassessed for the likelihood that the event and its domain risk will actually happen.

Domain examined | Findings and valuations | Likelihood and valuations
Public safety and health | No risk identified. Zero severity value is assigned. | No risk identified. Zero likelihood value was assigned.
Site safety and health | The facility has limited off-spec storage capacity. Large quantities of off-spec material require workers to divert material into portable bulk-packs. Setting up empty bulk-packs and diverting product is a manual effort and has only been necessary once in the past two years. The presence of the bulk-packs adds congestion to the plant floor. Both situations increase the possibility of severely injuring a worker. A severity value of six is assigned. | Until the new controller is proven and operators are comfortable using it, the likelihood of creating off-spec product is fairly high. A likelihood value of seven is assigned.
Environmental | No risk identified. Zero severity value is assigned. | No risk identified. Zero likelihood value is assigned.
Liability | Injuries frequently occur when workers perform non-normal duties. Worker injury could increase liability, but the company provides very good insurance and no one can remember an injured worker suing the company. A severity risk of two is assigned. Note: After considering customer impact of lost production the severity risk value is changed to five. | A worker or customer suing is considered not very likely. A likelihood value of two is assigned.
Business interruptions and quality issues | Production is sold out so any unplanned interruptions would impact meeting customer delivery commitments. Because of contractual customer delivery commitments liability issues could be as much as $1,000,000. A severity value of five is assigned. Note: Based on this conversation, it is decided to revisit the liability costs domain. | A likelihood value of six is assigned.
Equipment damage and repair costs | Beyond the cost of the PC, no risk is identified. A severity value of three is assigned. | A likelihood value of two was assigned.
Note: This list is intended to be a representative example, not an entire review of all identified risk.

Different risk assessment methods use quantitative values differently. For purposes of this abbreviated example, risk ranking is completed for each domain using the risk-ranking matrix. The results are:

Domain examined | Severity ranking assigned | Likelihood ranking assigned | Risk ranking
Public safety and health | 0 | 0 | Low risk
Site safety and health | 6 | 7 | Moderate risk
Environmental impact | 0 | 0 | Low risk
Liability costs | 2 | 2 | Low risk
Business interruptions and quality issues | 5 | 6 | Moderate risk
Equipment damage and repair costs | 3 | 2 | Low risk

The rankings are subjective and disagreement over numerical values is not uncommon. The important thing is to complete the analysis as thoroughly as possible and negotiate the numerical values if necessary, always erring on the high side.
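The ranking step, worked through as an added example (not Control Engineering's code): the article's risk-ranking matrix is not reproduced on the page, so the cut-offs of 20 and 60 on severity times likelihood are assumptions chosen to reproduce the sample results, and all function names are hypothetical.

```python
# Added example. The cut-offs in rank() are assumptions chosen to reproduce the
# article's sample results; the article's own risk-ranking matrix is not shown.

def rank(severity, likelihood):
    """Rank one domain from its 0-10 severity and likelihood values."""
    score = severity * likelihood
    if score >= 60:          # assumed threshold
        return "High risk"
    if score >= 20:          # assumed threshold
        return "Moderate risk"
    return "Low risk"

def settle(proposals):
    """Reviewers disagree: err on the high side, as the article advises."""
    return max(proposals)

def assess(findings):
    """findings: {domain: (severity proposals, likelihood proposals)}."""
    results = {}
    for domain, (sev_props, lik_props) in findings.items():
        sev, lik = settle(sev_props), settle(lik_props)
        results[domain] = (sev, lik, rank(sev, lik))
    return results

def worst_domains(results):
    """Domains that drive the approval decision, highest score first."""
    flagged = [(s * l, d) for d, (s, l, r) in results.items() if r != "Low risk"]
    return [d for _, d in sorted(flagged, reverse=True)]

# Values from the article's off-spec-product review. Liability severity was
# first proposed as 2, then revised to 5, so both proposals are listed.
OFF_SPEC = {
    "Public safety and health": ([0], [0]),
    "Site safety and health": ([6], [7]),
    "Environmental impact": ([0], [0]),
    "Liability costs": ([2, 5], [2]),
    "Business interruptions and quality issues": ([5], [6]),
    "Equipment damage and repair costs": ([3], [2]),
}

if __name__ == "__main__":
    results = assess(OFF_SPEC)
    for domain, (sev, lik, ranking) in results.items():
        print(f"{domain:45} {sev:2} {lik:2}  {ranking}")
    print("Review first:", worst_domains(results))
```

With the revised liability severity of five, that domain still ranks as low risk under these assumed cut-offs because its likelihood value is two.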

For our example, the worst-case risk appears in the areas of worker injury and business interruptions. Both rank a loss of production risk in the moderate category.

Not captured here, but always an intangible benefit of conducting any risk assessment, is the sharing of ideas and concerns that occur and which are useful in making more informed decisions.

For those curious about the proposal to use a PC-based controller to virtually measure and control product color, stay tuned. Our example project is still under management advisement, but approval is expected in time for the February issue of Control Engineering.

In the meantime, start thinking about incorporating a formalized risk assessment model into your manufacturing process. The benefits might surprise you.

Comments?
E-mail dharrold@cahners.com