rlm@sevalidation.com Abstract
One of the fundamentals of safety engineering is the need not merely to achieve safety, but to demonstrate its achievement in advance [Redmill and Anderson 2005]. There are now a significant number of standards and taxonomies to follow in order to create a demonstration medium for indicating the level of achieved safety, the residual risks and how both are to be managed through the life of the system. However, it is most difficult to obtain easy to use advice and tools for being able to demonstrate completely that risks are as low as reasonably practicable (ALARP). It is accepted that each project's handling of ALARP has to be specific to the particular project risks involved, and so bespoke guidance is not the objective of this text. This paper seeks to introduce a simple tool, well utilised and accepted in another safety field, but developed from a specific use into having generic scope that will be of useful value to safety practitioners looking for dedicated ALARP advice. The tool is called the Accident Tetrahedron. Keywords ALARP, Exposure, Assets, Hazards, Accident Tetrahedron
1. Introduction
Contemporary risk management follows a maturing path to the establishment, acceptance and management of a level of risk that is deemed tolerable and as low as reasonably practicable (ALARP). The recent issue of military standards [MoD 2004] describes six processes for risk management; hazard identification, hazard analysis, risk estimation, risk and ALARP evaluation, risk reduction and risk acceptance. Whilst these are not the universal descriptions of the processes involved, the underlying principles are consistent with other procedures and handbooks, for example IEC 61508, JSP 454 and Mil Stan 882D. Guidance on demonstrating ALARP is given in the UK by both military [MoD 2004] and civilian organisations [HSE 2003]. The MoD guidance on demonstrating ALARP suggests the following principles; Show that the sum of all risks from the system is in the broadly acceptable class. If that isn't possible, then show that the risks are not in the intolerable class. Identify risks that may be addressed by the application of good practice. Those risks not addressed by good practice need risk reduction techniques applied. Cost benefit analysis needs to be undertaken, with costs balanced against loss prevention. A grossly disproportionate factor of costs should be applied according to risk level.
The HSE guidance [HSE 2003] concentrates on the design phase, where it feels there is maximum potential for reducing risks. Their design guidance indicates the following principles; Carry out risk assessment and management in accordance with good design principles. Risks should be considered over the life of the facility and all affected groups considered. Use appropriate standards, codes, and good practices with any deviations justified.
Identify practicable risk reduction measures and their implementation, unless the implementation is demonstrated as not reasonably practicable.
The HSE also makes some important statements of principle when considering ALARP [HSE 2001]; The zone between the unacceptable and broadly acceptable regions is called the tolerable region. Risks in that region are typical of the risks from activities that people are prepared to tolerate in order to secure benefits in the expectation that the nature and level of the risks are properly assessed and the results used properly to determine control measures; the residual risks are not unduly high and kept as low as reasonably practicable (the ALARP principle); and the risks are periodically reviewed to ensure that they still meet the ALARP criteria, for example, by ascertaining whether further or new controls need to be introduced to take into account changes over time, such as new knowledge about the risk or the availability of new techniques for reducing or eliminating risks." The ALARP demonstration needs to be recorded in the safety documents produced, but the question remains; how can one ensure that the ALARP consideration is as complete as possible? Whilst fairly well accepted in the UK, ALARP demonstration is seen by many international viewers as difficult to verify and there is the perception that claims that all practicable risk reduction has been done, may be made without an appropriate effort [Bibb 2005]. Recent developments in The Medical Device Risk Management Standard (ISO 14971) indicate that the consideration of ALARP may be deleted from the new 2nd edition due to the completeness question [Bibb 2005]. Discussions concerning the problem of demonstrating completeness in risk assessments, and therefore ALARP, have even reached parliament. Medical discussions have highlighted that a risk appraisal process that excludes what are held by some stakeholders to be important factors, may fail to secure the crucial property of stakeholder confidence. It follows from this that, by instilling a misleading impression of completeness, robustness or rigour, risk assessments based on such incomplete risk characterisation may leave regulators and business highly exposed to a subsequent backlash on the part of the excluded parties [GeneWatch 1999]. A solution to the ALARP completeness question is proposed in the rest of this paper, generalising a specific analogy that already exists in the fire and safety domain.
These are the four methods by which all of the available fire extinguishers control fires from candles to forestfires. A pictorial presentation of the fire tetrahedron has been developed from the fire triangle [Sutton 2004]. For ease of two-dimensional representation, this has been done using four linked equilateral triangles, the diagram is presented in Figure 1.
Fuel
Oxygen
Heat
Many texts cite accidents as occurring when humans suffer an exposure to hazards. It should be noted that the definition of accident might also include equipment, valuable assets, societal assets and the environment etc. This citation of exposure to hazards may be used as a generic approach to assessing accidents and their prevention. Transferring the ideas of the fire triangle and tetrahedron leads to a strong tool for considering accident initiation and propagation. More importantly, the tool provides a route to demonstrate ALARP arguments in a systematic way and can be used to provide a route to proposing a justification for a completeness argument. Developing the parallels with the original fire tetrahedron further indicates that accident initiation should be prevented if; Potential exposure is sufficiently reduced in either the temporal or spatial frame of reference (so that vulnerable entities and hazards are prevented from sharing the same space and time, for example personal protective face equipment when operating a cutting machine). The number of people or value of assets used is sufficiently reduced (such that the consequences are below the threshold of a systems definition of accident, for example that the destruction of a remotely operated vehicle may be regarded differently to the destruction of a human operator). The severity of the hazard is sufficiently reduced (to a level that is tolerable and accepted, for example a lower strength or non-toxic material is used in some operation or system).
and also the accident propagation should be prevented if; The reaction chain within a system can be broken (deliberate and planned intervention as an accident sequence develops to halt or reduce the progress of the event).
Exposure
Assets
Hazards
In the specific 'fire' case, the system chain reaction refers to the nature of the combustion being a sustaining exothermic chemical reaction (for example, rapid oxidation) that continues to provide heat into the fire system [Schmitt 1985]. It is the essential component for ignition to progress on to combustion and is not limited to the provision of heat. It may be the case that the chemical reaction also produces oxygen, or potentially more fuel, for example in a nuclear based reaction process. The combustion mechanism as a system is well researched and understood, so the system chain reaction can also be specifically targeted for fire prevention. In the more generic case of accident-systems as a whole and in other specific safety fields, this may not be the case. The concept of recovery analysis is already commonly used to highlight methodologies that may be used to prevent accident propagation by directly affecting the accident systems chain of reaction. For example, in the area of industrial pollution, the dispersal of an accidental spillage can be well understood with flow directions, migration, and run-off knowledge. Containment practices are well established in the nuclear industry and also in the field of water science and technology, where recovery analysis methods have been studied with appropriate barriers introduced along release migration routes [Rossi and Ettala 1996].
Assessing each example with ALARP arguments in mind and using the accident tetrahedron as a guide enables the systematic recording of the strategies that have been put in place to manage the risk in a reasonably practicable
way. It is suggested that the prompts of the four components of the tetrahedron may be shown to be 'improving practice' for contributing to a more complete justification that a risk condition may be considered ALARP. NOTE: The examples below are not meant to be complete ALARP assessments, but may be taken as indicative of the concept of use. The risk situations considered may be chosen as required and could even be different phases of the same procedure. Risk situation Exposure reduction methods (Temporal and/or spatial factors between hazards and assets) Disposal carried out using single detonation. Temporary safe refuges used as protection. Protective equipment used. Transport at night preferred. Protective casing used on transporters. Cutting time is kept to a minimum. Protective equipment used. Hazard reduction methods People / Asset reduction methods
Explosives disposal
Nuclear transport
Tree cutting
(Quantity, nature (Factors to reduce or severity factors) number or value of assets exposed to hazards) Limited control Task planning here due to nature undertaken. Carried out of possible by single highly trained explosive types. person or even a remotely operated vehicle (ROV). Controlled entry to sites. Quantities below Carried out by as small critical mass and a team as possible. Low critical exposure population areas and levels transported routes used. Police separately. escort used as warning. Wood is cut away Task planning in small masses at undertaken. Cutting a time rather than carried out by single, in one large mass. trained person. Local areas evacuated or park area closed to public.
Of course the fourth aspect to the tetrahedron needs to be considered the chain of system reactions and sequence of responses to an accident once initiated and in progress. This aspect needs to deal with the accident once it is under way, to reduce the duration or severity, rather than to prevent it occurring in the first place. There are several strategies in place for this already in industry, perhaps under the name of 'crisis planning' or 'major accident planning'. For example; Wider area evacuation strategies. Trained response teams and first-aiders. Attendance of dedicated emergency personnel. Provision and placement of containment reservoirs. Provision of 'safe' areas. Communication and alarm procedures.
When using the Accident Tetrahedron as guidance, the system reaction reduction strategies also need to be demonstrated as having been considered and put in place, or argued that they are not reasonably practicable. For our three examples above, potential ALARP arguments for the system reaction aspects once an accident has started could be as shown in Table 2. Again these should not be taken as totally complete you can probably think of more, the accident tetrahedron gives focus and structure to the thought process. Note: For a more usable presentation these tables may be combined they are shown separately here for discussion and construction purposes only.
System Reaction Methods (Quantity, nature or severity factors) Water deluge system; provision of safe areas for nonparticipants; decontamination system on-site; medical facilities; evacuation plan; event rehearsal. Police / Army escort including vehicle mechanics; decontamination equipment carried in separate vehicle; spare transport vehicles along route; medics in convoy; communication equipment carried; event rehearsal. First aid kit carried; Emergency shut off available; working in pairs; event rehearsal.
Tree cutting
brings about increasing sophistication. When assessing ALARP arguments, there are two areas of benefits where a value should be required; avoidance of the negative and promotion of the positive. The third area for a complete cost/benefit analysis is the cost of implementing the actions that gain the benefits. The cost of developing and implementing a solution is wholly dependent on the nature of the required tasks from re-design and re-assessment to re-work and new procedures. These costs will be different for each part of the Accident Tetrahedron. However, here the new tool can be of further help by providing a usable framework for organising the construct of accident prevention costs into the four tetrahedral aspects. The implementation of a solution should demonstrably consider the costs for all four areas. Specifically, modifying the chain of corporate system reactions may be more difficult and expensive in effort than in direct costs, where as affecting the spatial separation between a worker and a hazard, would probably have reasonably high direct costs and require only a little effort. The elicitation of actual costs in the four areas is not a research area for this paper and further study on measuring the costs of system response modification is still required.
The resulting completeness argument must always be subject to regular reviews. It is likely that new technological developments will offer safer working practices, for example an increase in the utility of remotely operated vehicles and cutting equipment, or better body protection armour. It may just be the case that existing, expensive (and therefore not reasonably practicable) protection methods become cheaper or more easily available.
8. Summary
A discussion on a new approach and tool for ALARP justifications has been produced. The approach has been derived by taking an accepted and specific method already in use for fire prevention, and enlarging its area of use to the more generic field of accidents to humans, equipment and other valuable assets. The tool represents an easy-touse and systematic method for guiding the demonstration of ALARP. Some brief examples of use have been utilised, and a new strategy for claiming ALARP completeness has been developed. It is suggested that the four components of the Accident Tetrahedron may be considered as a new concept of separate lines of defence or layers of protection when considering ALARP justifications, all of which must be considered during risk assessments. Further research is recommended on the costs of mitigation methods across the four areas of the tetrahedron. A specific retrospective application would also have benefit. The author is aware of at least one equipment safety case intending to use this method for ALARP justifications in the future, the intent has already been independently endorsed.
References
Bibb (2005). The medical device risk management standard an update. The Safety-Critical Systems Club Newsletter, Vol. 14 No. 3, May 2005. GeneWatch (1999). Appendix 32 to the Minutes of Evidence II, Scientific Advisory System : Genetically Modified Foods. Select Committee on Science and Technology, House of Commons, May 1999. Heinrich (1931). Heinrich HW, Peterson D & Roos N, Industrial Accident Prevention, 5th Edition, Mcgraw Hill, New York, 1980. ISBN 0-07028-061-4. HSE (2001). Reducing Risks, Protecting People HSE's Decision Making Process. HMSO Norwich, 2001. ISBN 07176-2151-0. HSE (2003). Policy and Guidance on Reducing Risks As Low As Reasonable Practicable in Design, The Health and Safety Executive, June 2003. (http://www.hse.gov.uk/risk/theory/alarp3.htm) HSE (2004). Guidance on as low as reasonably practicable (ALARP) decisions in Control Of Major Accident Hazards (COMAH), The Health and Safety Executive, 2004. (http://www.hse.gov.uk/comah/circular/perm12.htm) Maguire (2005). Introduction to Safety, SE Validation, 2005. ISBN 0-95501-070-5. MoD (2002). An Introduction to System Safety Management and Assurance, LSSO, MoD, 2002. (http://www.ams.mod.uk/ams/content/docs/syssafmn/intro.pdf) MoD (2004). Safety Management Requirements for Defence Systems Part 1, Interim Defence Standard 00:56 Issue 3, MoD, December 2004. Ontario (1999). Ontario's Basic Certification Training Program Participants Manual, Ontario Workplace Safety and Insurance Board, 1999. Reason (1997). Managing the Risks of Organizational Accidents, Ashgate, 1997. ISBN 1-84014-105-0. Redmill & Anderson (2005). Preface to Constituents of Modern System-Safety Thinking, Proceedings of the 13th Safety-Critical Systems Symposium, February 2005, Springer-Verlag, London. ISBN 1-85233-952-7. Rossi & Ettala (1996). Recovery Analysis in Risk Management of Hazardous Materials, Water Science and Technology Vol 33 No 2, IWA Publishing, 1996. Schmitt (1985). Pyrophoric Materials Handbook : Flammable Metals and Materials, C.R. Schmitt, Editied by J. Schmitt, Saber-Towson. 1996 (http://saber.towson.edu/~schmitt/pyro/) Sutton (2004). Notes for Guidance, The Fire Safety Advice Centre, Merseyside Fire Liaison Panel, 2004.