Template for comments from RMIA members and OB/7 …SA).doc


Consolidated Comments. Date: 4th August 2008. Document: CDV IEC 31010

Columns 1 2 (3) 4 5 (6) (7): Clause No./Subclause No./Annex (e.g. 3.1) | Line No. | Type of comment | Comment (justification for change) | Change proposed | OB/7 observations on each comment submitted

General Tech Documentation is an essential part of what someone performing a risk assessment has to do

Include more about risk documentation and reporting

General Should include other qualitative tools eg spider chart to get away from matrix

General Need at least some definitions for ease of use and to stress to users that some definitions have changed since 60 300-3-9

Include definitions for risk, assess, analyse and evaluate risk, risk level, consequences, likelihood event, hazard, treat and control.

Not agreed

General There are some systems where risk cannot be defined by a likelihood of a consequences because under some circumstances (not all of which can be identified) failure will occur (software is a good example) The treatment is a required SIL (safety integrity level) to withstand a wider range of adverse circumstances This concept needs to be mentioned see MIL 882C or RTCA DO 178B. Some environmental risks may also be approached by analysing the vulnerability of species and considering how to protect them rather than considering the probability of hazards or risks

Insert something in 4.3.1 ? eg? In some circumstances a consequence may occur as a result of a range of different events or conditions and the aim is to achieve objectives in spite of the event or circumstances and regardless of its likelihood. Examples are safety critical software, business continuity management and some environmental applications. In this case the focus of risk assessment is on analysing the criticality and vulnerability of the system with a view to defining treatments which relate to levels of protection or recovery strategies.

revised

Foreword The foreword about IEC immediately gives the impression that the standard only has technical application and is likely to put off a significant part of the intended audience

Replace with general ISO/IEC foreword Trying if rules allow

Intro 2nd last para at end

should explicitly state that the methods discussed are not exhaustive, exclusive or prescriptive.  It should also state that the omission of a method from the standard does not mean it is not valid. 

This standard does not refer to all methods nor does the fact that a method is applicable to a particular circumstance mean that it should necessarily be applied

Agreed

Introduction Needs more to explain the hierarchy of standards documents and to refer between them to avoid conflict

Eg This is a supporting standard for ISO31000 and provides guidance on selection and application of systematic techniques for risk assessment; detailed standards are available for some of the techniques summarised here

Agreed

scope Should state not covering analysis of financial risks or analysis of risks in some other systems

noted

4 Title The standard is no longer limited to technological systems

Delete for technological systems A better heading for 4.1 would be the role of risk assessment

heading changed but role of risk assessment not agreed

Paragraphs relating to concepts currently in several different places need to be brought together in this section and headings tidied. The section on application as part of the life cycle fits better in this general section than in its present position.

Move section 5.6 to become either a sub-section in 4.1 – “role of risk assessment” or a new section 4.4 Application of Risk Assessment. Proposed headings are: 4 Risk Assessment Concepts; 4.1 purpose and benefits (or role of risk assessment); 4.2 risk assessment and the risk management framework; 4.3 Risk assessment as part of the risk management process; 4.4 application of risk assessment; 4.4.1 General; 4.4.2 application as part of the lifecycle

headings changed

4.1 purpose Needs a comment relating to its application in projects as opposed to organisational context

Add line at 4.4.1 general “Risks may be assessed at an organisational level, at a departmental level, for projects, individual activities or specific risks. Different tools may be appropriate in different contexts”

Accepted in 4.3.4

4.1 Dot point 1

Information is not necessarily objective Delete “objective information for” replace with “reasoned arguments and information about uncertainty to assist”

agreed

4.1 Some dot points describe the process not its purpose – Same purpose is repeated in dot point 2, 5 and dot point 12. Dot point 10 too specific

Delete dot point 2,3, 10 and 12

dot points modified


4.1 Quantification is not in itself a benefit; a benefit may be to set priorities for any type of risk not just OHS

Delete dot point 4 and change dot point 9 to assist with establishing priorities

Agreed

4.1 Bullets Te 'understanding of the risk and its potential impact upon objectives' should be above 'providing objective information for decision makers' (especially since at times the information obtained from risk assessment may not be strictly objective - think of all the stuff about subjective probabilities (and I don't see that as a problem).

change bullet order

Agreed

4.1 Last bullet point

Te Check whether this standard uses acceptability and tolerability according to guide 73

To be checked

4.2.1 heading Ed This paragraph has two sections – framework and process. Separate these two by subheadings. This removes the need for a sub heading - general

Change subheading general to “risk management framework” and insert heading “risk management process” after the first set of dot points

done

4.2.1 Para 1 Paraphrase of 31000 is neater wording A risk management framework provides the policies, procedures and organizational arrangements that will embed risk management throughout the organization at all levels.

Agreed

4.2.1 Para 2 Policy to ensure objectives are met seems out of place here – objectives for what? -the organization, risk management or risk assessment

Replace words after policy or strategy with for deciding when and how risks should be assessed

Agreed

4.2.1 Last bullet point first set

Gen "how performance will be reported and reviewed" - performance of what? Does it mean how risk assessments will be reported and reviewed

revised

4.2.1 Para 2 Not part of risk assessment to set up the framework but to work within it and be aware of it.

Replace second para with the following This standard assumes that risk assessment takes place within the framework and process of risk management described in ISO 31000. In particular those carrying out risk assessment will need to be clear about

agreed

4.2.2 Dot points in previous version missing from this were good

Add “Bring together different areas of expertise for analysing risk”

agreed

4.2.2 Last para

The final paragraph concerns the framework rather than the process

Delete paragraph and Add dot point to 4.2.1 how the risk assessment process interfaces with other management processes including change management, project and programme management and financial management. Add dot point to 4.2.2 “contribute to interfacing of risk assessment with other management areas and processes”

Noted

Jean Cross, 17/10/08: I suggest words “whether a risk should be accepted” solves problem

Did not deal with highlighted comment I would like it in

4.2.2 Replace "Involving stakeholders in the risk management process is necessary in order to:" with involving stakeholders will assist in the following steps.

agreed

4.2.2 first bullet point

To put "develop a communication plan" first is a bit chicken and eggish

Move develop a communication plan to end Re-order other dot points to the same order as the risk management process

noted

4.2.3 superfluous Delete sentence that forms 2nd paragraph noted

4.2.3(now 4.3.3)

The lead in lines for 1), 2) and 3) are all different: 1) involves; 2) may involve; 3) includes; 4) includes

I don't really care which it is, but it would be better if it was consistent.

Revised

4.2.3 None available

Te Decisions need to be backed up with actions. Suggest re-enforcing this often missed step.

Insert “and actions” after “decisions” in the first line of page 13.

agreed

4.2.4 2nd sentence

clarifies Insert their before likelihoods agreed

4.2.4 Bullets the last two should be up front agreed

4.2.4 Bullets Positive aspects need to be included Add bullet “how to make the most of opportunities”

agreed

4.2.5 Mitigating implies only negative risk - Replace mitigate with change revised

4.2.5 Te Possible inconsistency with terminology used in ISO 31000.

Change “occurrence” to “likelihood” Revised

5.1 Last para of 5.1 would be better after first sentence of 5.1

Eric

5.1 last para Line 2 Ed Insert achievement of before objectives Agreed

5.3.1 There are some systems where risk cannot be defined by a likelihood of a consequences because under some circumstances (not all of which can be identified) failure will occur (software is a good example) The treatment is a required SIL (safety integrity level) to withstand a wider range of adverse circumstances This concept needs to be mentioned see MIL 882C or RTCA DO 178B. Some environmental risks may also be approached by analysing the vulnerability of species rather than specifically causes

Insert something in 5.3.1 ? eg? In some circumstances a consequence may occur as a result of a range of different events or conditions, or where the specific event is not identified. In this case the focus of risk assessment is on analysing the criticality and vulnerability of the system with a view to defining treatments which relate to levels of protection or recovery strategies.

agreed

5.3.1 Risk Analysis

Mention that more than one technique might be required for complex problems at end of paragraph 3

noted

5.3.1 Second para

te The sequence of the terms consequence and likelihood are noted firstly in this order and then again in reverse.

Change to “The consequences and likelihood are then combined to determine a level of risk.”

revised

5.3.1 Para 2 Many of the risk analysis techniques in Annex do not determine both consequences and likelihood and combine them. This paragraph needs to be less mechanistic

Replace 1st 3 paras with words from 6.4.3 lines 487-494 in ISO31000 ie: Risk analysis is about developing an understanding of the risk. It provides an input to risk evaluation and to decisions on whether risks need to be treated and on the most appropriate treatment strategies and methods. Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences and the likelihood those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analysed by determining consequences and their likelihood and other attributes of the risk. An event may have multiple consequences and can affect multiple objectives. Existing risk controls and their effectiveness should be taken into account. Then add para 2 from 5.3.4. Keep “methods of analysis are described in Annex B”

agreed

5.3.1 Word semi is missing before quantitative in last sentence of paragraph starting quantitative analysis

Insert word semi-


5.3.2 Para 1 Impacts and Severity have negative implications Replace severity with magnitude and impact with consequences

agreed

5.3.2 Para 1 The consequences considered may be indirectly rather than directly related to objectives - statement needs to be broader

consequence analysis analyses the nature and type of impact which could occur assuming that a particular ……

agreed

5.3.2 The section on consequence analysis seems out of balance with the likelihood analysis. It needs to be expanded by mentioning modelling and vulnerability analysis. Add after first sentence of paragraph

It can vary from a simple description of outcomes to detailed quantitative modelling or vulnerability analysis

Agreed

5.3.2 ed Last line of this section is a repeat of the bullet point introduction.

Delete last line. noted

5.3.2 Para 1 Provide some guidance on choosing conceivable, credible or relevant consequences in this section

After impacts of different severity add words

Typically impacts may have a low consequence but high probability; or a high consequence but a low probability, or some intermediate outcome.

In many cases it is appropriate to focus on risks with potentially very large outcomes, as these are often of greatest concern to managers. In some cases it may be important to analyse both common low consequence risks separately. For example, a frequent but low-impact (or chronic) problem may have large cumulative or long-term effects. In addition, the treatment actions for dealing with these two distinct kinds of risks are often quite different, so it is useful to analyse them separately

agreed

Add to first paragraph of 5.3.2 The types of consequence and to which stakeholder will have been decided when the context was established

agreed

5.3.2 Above dot points

may not should Change to “depending on context consequence analysis may

Revised


There is nothing on controls analysis although some of the techniques listed in appendix B do focus on controls (Eg HACCP, LOPA and to an extent Bow tie analysis). Controls assessment is in appendix although it is not a formal technique. Suggest removing technique from appendix and adding paragraph in Analysis or evaluation section

The level of risk will depend on the adequacy and effectiveness of existing controls. This requires answers to the following:

• What are the existing controls for a particular risk?

• Are those controls capable of adequately treating the risk so that it is controlled to a level that is tolerable?

• In practice, are the controls operating in the manner intended and can they be demonstrated to be effective when required?

These questions can only be answered with confidence if there is proper documentation and assurance processes.

The level of effectiveness for a particular control or suite of related controls may be expressed qualitatively, semi-quantitatively or quantitatively. In most cases, a high level of accuracy is not warranted. However, it may be valuable to express and record a measure of risk control effectiveness so that judgments can be made on whether effort is best expended in improving a control or providing a different risk treatment.

Heading should be likelihood analysis for consistency

Change heading revised

5.3.3 Ist paragraph states the obvious and is superfluous

Delete agreed

5.3.3 Sub 2) te Predictive techniques use the analysis of the components of the system to estimate the likelihood of events for the system as a whole. I believe the emphasis on the components is not strong enough and the reader may not recognise the difference between the two.

Change to “derive likelihoods by analysis of the components of the system”.

noted


5.3.3 Sub 2) te Common mode failure is about simultaneous failures of common modes. Hence the need to be clear on this point. Currently the text refers to “failure of a number of different parts or components”.

Change “failure of a number of different parts or components within the system.” to “failure of a number of parts or components that can fail under a common mode within the system.”

Agreed

5.3.4 Title Change title of 5.3.4 to preliminary analysis

Reword para 1 To make best use of resources Identified risks may be screened to identify the most significant risks or eliminate insignificant risks from further analysis

revised

5.3.4 2nd and 3rd paras

Paragraphs should be in general section

5.3.4 Bullet points

te The screening process should do one of four things. The first one is missing and that is to avoid the risk or to stop proceeding.

Add a new first bullet point : “Avoid the risk or stop continuing exposure to the risk”.

Avoid is included in treatment

5.3.4 End Insert Care should be taken not to screen out low risks which occur frequently and have a significant cumulative effect

agreed

5.3.4(now 5.3.1)

Para 2 Sufficient for what Sufficient for a decision to be made agreed

5.3.6 Last clause

This should be probability or frequency as it is referring to a mathematical distribution

Replace likelihood with probability or frequency agreed

5.3.6 Current 4.3.6 Does not need its own section Add to bottom of 5.3.1 agreed

5.4 Dot points

These are not factors affecting decisions they are decisions

Delete factors affecting agreed

5.4 a) and line above

This only applies to negative risks. Insert word negative before risks and level of risk

agreed

5.4 Needs to be some recognition that the effectiveness of controls and the cost of improving controls may affect the decision about whether to treat or not (the ALARP principle for example has different decisions depending on cost of control as well as level of risk).

Insert after paragraph 45 (ie just before a common approach) The decision about whether and how to treat the risk may depend on the costs and benefits of taking the risk and the costs and benefits of implementing improved controls

agreed

5.4 Not enough emphasis on treatment to a reasonable level. Current words imply a single level sets the criteria regardless of the cost of treatment. This is not the case in practice (and is allowed for in the ALARP principle).

Add sentence from 31000 to para 1 “Selecting the most appropriate treatment options involves balancing costs and efforts of implementation against the benefits derived”. Add to para 2 “It may be necessary to tolerate higher levels of risk if appropriate treatments are not available or are prohibitively expensive”

Revised (eric to Check)


The ALARP diagram should be in the appendix as an evaluation technique not in the body as it is just one way of making decisions about risks

Move to appendix and combine with F/N plots which are a measure that uses the same principle

Eric to do

5.4 Bullet b)

te While three bands are common they do not always convey the sensitivity of the risk. It is particularly useful to split the middle band into two. The upper of these emphasises that any deterioration in control measures would result in an intolerable risk level. Many common human endeavours fit into this category such as driving a sports car, climbing a mountain, etc.

Add a sentence after these three bullet points that reflect the four common groupings for risk as shown in the ALARP diagram. Suggested wording is: “The middle band reflects the ALARP zone as shown in Figure 2. This band is often separated into two levels. The upper zone indicates where any reduction in the effectiveness of the controls may result in intolerable risk. The lower band indicates that the risk maybe tolerable if the cost of reduction would exceed the improvement gained.”

4.4 The discussion of ALARP must take into account its legal meaning. At the moment the text implies that in the central region a strict cost benefit calculation is applied whereas the legal meaning of ALARP is that between the two bounds of acceptable and intolerable operations are acceptable but the potential for harm must be driven down until it is as low as reasonably practicable

Change last line of 4.4 to: The as low as reasonably practicable or ALARP criteria system used in safety applications follows this approach where in the middle band the potential for harm must be reduced until the cost of further reduction is entirely disproportionate to the safety benefit gained.

Eric


5.4 After figure 2

te The following wording provides a good explanation of ALARP that would add a lot of value here.

After figure 2 add: “The acceptance threshold, or tolerance for a risk, becomes important where the risk cannot be eliminated. Generally, a tolerable risk is one that may be higher than a broadly acceptable level but has been reduced to ALARP. When a risk is close to the intolerable level, the expectation is that risk will be reduced unless the cost of reducing the risk is grossly disproportionate to the benefits gained. Where risks are close to the acceptable level, then action is only required to reduce risk where the benefits exceed the cost of reduction. The general concept in ALARP requires the balancing of practicality (whether something can be done) and the cost/benefit analysis (whether it is worth doing something). To establish a matrix that can consistently be used both quantitatively as well as qualitatively, there is a need to agree on two criteria:

• The “Basic Risk Limit”, above which the task, activity or function will stop under any circumstances; and

• The “Basic Risk Objective” for the tolerable risk level but with the recognition that operations must very often occur in the tolerable region between these two criteria.”

Eric

5.5 Bullet points

te No point writing a report if the significant risks are not going to be highlighted and actions taken.

Add the following bullet points: Add “and evaluation” to dot point 9

• Conclusions about the decisions and actions to treat the risks

• critical assumptions or other factors which need to be monitored

Revised

5.5 Dot points should follow sensible order for a report limitation and assumptions would normally go after the assessment method has been described.

Eric to check

Add new 5.5 and make current 5.5 5.6. Monitoring and Reviewing Risk Assessment: the risk assessment process will highlight context and other factors that might be expected to vary over time and which could change or invalidate the risk assessment. These factors should be specifically identified for ongoing monitoring and review. Data which is needed to improve the quality of analysis should also be noted and consideration given to its collection

Words included: Heading probably not right Eric to consider – also add words French wanted about feedback to risk assessment

5.5 Add section relating to monitoring and documenting controls so that there is data so they can be assessed as part of risk analysis

The effectiveness of Controls should be monitored and documented in order to provide data for use in risk analysis . Accountabilities for creation and reviewing the evidence and documentation should be defined

5.6 explain Insert at beginning of prara 3 Phases have different needs and need different techniques

5.6 2nd last para

Very difficult to read this paragraph. Suggest using bullets.

“During the design and development phase, risk assessment contributes to: ensuring that system risks are tolerable the design refinement process; and cost effectiveness studies; and identifies risks impacting upon subsequent life-cycle phases.”

Eric to consider

6.1 2nd line ed Improved grammar. It would be correct to say the Annex contains “a range of tools and techniques”. The current wording implies only the ones in the Annex are acceptable.

Change “further explain the range of tools and techniques” to “further explain a range of tools and techniques”.

Agreed

5.2 Para starting “resources and capabilities” Not only management time

Replace availability of management time with time constraints

agreed

Annex A A2 Last bullet

clarify The extent of resources required in terms of time and level of expertise, data needs or cost

Editorial

Annex A A2 add bullet point to explain last column of table A1 Whether there is a requirement for a quantitative output

Agreed

Annex A1 Last para

ed The abbreviations used in the table are not defined and should be noted in the last para.

For each step in the risk assessment process, the application of the method is described as being either strongly applicable (SA), applicable (A) or not applicable (NA) (see Table A1).

Editorial (Eric to consider)

Table A1 The ordering is different to the ordering in Appendix B - is there a good reason for this? There are 4 tools missing from Table A1 - Root cause effectiveness, fN curves, Risk Indices, Cost benefit analysis

Bob

A1 The names of the tools should be consistent with Appendix B (they are not) and abbreviations (LOPA, SWIFT, HACCP) should be expanded.

Bob

Ditto a number of techniques are missing from this table - I couldn't find Human reliability analysis, Preliminary Hazard analysis, Brainstorming, Structured or semi-structured interviews, Delphi techniques, Checklists, SWIFT, Decision Tree analysis, Root cause effectiveness, fN curves, Risk Indices, CBA

A.2 Table A2 p25 ff ed The table columns need some explanation or key – especially the column headed “Quantitative output”

insert words can provide in table heading agreed

Annex A2 Second bullet point

ed I cannot determine if this paragraph is relating to the uncertainties of the inputs or the uncertainty of the risk assessment output. This is quite an important point.

Depending upon the intent, the wording should change to: “The nature and degree of uncertainty of the results of the risk assessment” OR “Suitability to the nature and degree of uncertainty of the information available and what is required to satisfy objectives”.

Don’t know. Jean to check with Grant

Annex A table A1

ed Table is poorly placed relative to the section. Move table A1 to under text at section A1. Editorial

Annex A Table A2

ed Simplify the header and then apply heading styles. Change “Example type of risk assessment method and technique” to “Type”. Correct the formatting of the table header.

Editorial

Annex A Table A Table A difficult to follow. Define symbols used and abbreviations

Possibly a double tick entry for "SA" and a single tick entry for "A" would be more intuitive.

Annex A2 Table A2

It is not clear whether the 'Relevance of influencing factors' refers to the technique, or the context and nature of the risks the tool is being applied to.  It may even be a mixture.  It seems likely that "resources and capability" refers to the level of resources required to apply the technique and the knowledge and skills of the people required to use the technique, and that the remaining two columns refer to the context and nature of the risk the method is being applied to.  However I cannot be sure what was in the minds of the authors and suggest this does need clarification.

clarify jean to Ask Grant to clarify

Annex A table A1. 

This table is not consistent with table A2. Eg Delphi Technique. Table A1 lists this as being Strongly Applicable to Risk Identification, and Not Applicable in all other columns, yet Table A2 states this method supports “. . source and effects identification, likelihood and consequence estimation and risk evaluation.” There may be other inconsistencies.

Change column in table A 1 to applicable and review rest of table

Bob

Annex A and B. 

It may be beneficial to classify and order the techniques using factors such as:

• whether it is applicable to risks in the tactical, operational or strategic context

• whether it is applicable at enterprise level or project/business unit level (albeit there may be little difference in small organisations)

• the industry or context in which it has particular applicability

Table A2 Table A2, Environmental Risk Assessment

te This is also called Aspects and Impacts analysis. At least I believe this is the same from the short description.

Add alternative name in the description “Also known as Aspects and Impacts Analysis.”

noted

Table A2 Top Event table

Only FTA is top event; this table should be a continuation of the heading "scenario analysis".

Agreed (not done)

Table A2 New te Suggest adding multi-criteria analysis. (If indeed these topics are retained.)

Title of Technique – Multi-Criteria Analysis (MCA)

Overview – The objective is to use criteria to objectively and transparently assess the overall worthiness of a set of options. The analysis involves the development of a matrix of options and criteria which are ranked to provide an overall score. A risk matrix may be used in this process to eliminate unacceptable options.

Use – comparing multiple options for a first pass analysis to determine preferred and potential options and inappropriate options.

Inputs – A set of options is required for analysis. Criteria that can be used equally across all options to differentiate between the options.

Process – A group of knowledgeable stakeholders compares each of the criteria against each of the options and provides a relative ranking or score for each. The criteria are given a weighting. The overall score for each option is calculated by summing the products of the criteria weighting and the scores for each criterion.

Outputs – Rank order presentation of the options from best to least preferred. If a risk matrix is also applied then options that fail highly weighted criteria can also be eliminated. (The axes of the matrix are criteria weighting and the criteria score for the option.)

Strengths and limitations – Simple structure for very efficient decision making and presentation of the assumptions and conclusions. Can be affected by bias and poor selection of the decision criteria.

Draft added

Annex B2 Needs some comment as introduction encouraging use of experienced professionals to apply some techniques

The success of each technique depends on the competence with which it is applied. In some cases it may be necessary to obtain additional competence.

noted

Annex B Insert a section on SIL analysis probably combined with LOPA

?

Annex B2 Petri nets and reliability block diagrams are mentioned in Markov analysis – if this remains they should be included in methods

No

B.2.2 p34 te Structured or semi-structured interviews are valuable in identifying existing controls but they are of limited value in assessing the effectiveness of controls because of the application of cognitive dissonance.

“…They are most often used to identify risks or existing controls as part of …”

Eric to check

B.6.6 p41 line 12-13

ed This dot point is poorly expressed and difficult to fix: “It can focus attention on finding solutions without also questioning the reason for engaging in a process in the first place”

Editorial (Eric)

Figure B.9 ge Diagram is incorrect. Replace “risk” with “Event”; replace “Hazards” with “sources of risk”.

Agreed


B8 There are many methods of environmental risk assessment

Heading should be “toxicity assessment”. Agreed

B9 Heading needs to match acronym: Structured What If Technique. Agreed

B.9.3 P45 line 35-36

te The statement “Typically a team of more than 4…” is not a unique characteristic of this method and is equally applicable in brainstorming.

Delete the sentence. Eric

B.10.4 p48 line 23-25

te How does the reference to “uncertainty” in this paragraph relate to the concept of “likelihood” as per the standard? Are we supposed to relate them, or is this a new concept?

B10.4 Put table into words; needs looking at (Jean)

B 11.1 Dot pt 1 Insert “functions and associated resources” after “processes”. Replace “supporting processes” with “associated process” in 11.2

agreed

B.11.3 Input Team for developing the plan Eric

B.11.5 Add dot points: Definition of when applied; Defined recovery teams

Eric

B11.6 Dot pt 6 Replace with “simplistic or too optimistic expectations of recovery requirements”

Eric


B 18.2 Par 1, Line 2

te The LOPA technique is normally applied using a semi-quantitative approach to estimating event frequency.

Change “It may be used semi-quantitatively” to “Normally a semi-quantitative approach would be applied”

Eric

B 18.2 Par 2, Line 2

te Clarify. Add the following to the end: “…required by IEC61508 and IEC61511 in the determination of safety integrity level (SIL) requirements for safety instrumented systems”

B13 FMEA/FMECA description comes from 60300-3-9 and is very out of date. It does not recognise the different types of FMEA used in dependability, e.g. design FMEA and process FMEA, or the ways it is used in other areas of risk management

major modifications proposed and shown in attached document

B 18.3 Par 3 ed Introduces the term ‘initiating event’. Previously referred only to hazards, causes or causal events.

Change “initiating event” to “initiating cause” for consistency throughout the B.18 section.

No – not a cause

B 18.3 Par 3 te Input for initiating events should be a frequency (e.g. events per year) not a probability.

Change “Probabilities for initiating events, protection layer failures” to “Initiating cause frequencies, protection layer failure probabilities”

changed

B.18.4 1st bullet point

te Input for initiating events should be a frequency (e.g. events per year) not a probability.

Change “on their probabilities” to “on their frequencies”

B 18.4 3rd bullet point

te While the ‘inherent risk’ (i.e. risk of the initiating event without controls in place) is sometimes used to provide further data for risk ranking of hazardous events, it is probably confusing here. The description ‘scenario risk’ is misleading.

Delete 3rd bullet point. Replace with corrected description of scenario risk – see next.

B 18.4 te The order and description of activities can be improved.

Suggest the following: LOPA is carried out using a team of experts:

initiating causes for an undesired outcome are identified and data is sought on their frequencies and consequences;

a single cause-consequence pair is selected;

layers of protection that prevent the cause proceeding to the undesired consequence are identified and analysed for their effectiveness;

independent protection layers (IPLs) are identified (not all layers of protection are IPLs) and the probability of failure for each IPL is estimated;

the initiating cause frequency is combined with the probabilities of failure of each IPL and the probabilities of any conditional modifiers (a conditional modifier is, for example, whether a person will be present to be impacted) to determine the frequency of occurrence of the undesired consequence. Orders of magnitude are used for frequencies, probabilities and consequences;

the calculated risk (the combined effect of the protection layers) is compared with risk tolerance levels to determine whether further protection is required.

Compare with Mary Ahern's version and decide which format then needs to be used for all processes

This is probably better

B 18.4 ed Suggest including the LOPA ‘onion’ diagram to help with the explanation of IPLs. An appropriate example could be taken from AS IEC 61511.

Jean to Find diagram


B.18.6 2nd Par, bullet 1

ed Wording Change “time, Complex Interactions between” to “time. Complex interactions between”

Eric

B 18.6 2nd Par, bullet 2

te Wording Replace bullet 2 with: “Quantified risks may not account for common mode failures”

Revised

Lloyd’s Register(Philip Skinner)

B 18.6 2nd Par, bullet 3

te Wording Change “LOPA does not apply to very complex scenarios” to: “LOPA is difficult to apply to very complex scenarios”

changed

B21.4 18 Last para

ge This is a nonsense statement. Procedural controls can be judged for effectiveness and this has nothing to do with controls not being independent.

Makes sense if a comma rather than a full stop follows “independent”

fixed

B21.6 3 ge The words “barrier” and “control” are synonymous. The word “control” is the preferred word

Replace the word ‘barrier’ with ‘control’. Eric

B.24.1 also B.23.2

p75 line 36

ge “Reliability” and “Reliability block Analysis” are referred to but not addressed in this document.

Discuss or cross reference to an appropriate source. ?

B 24.6 Replace last clause with “of the system”

B27 Risk control effectiveness is not a single technique; including Table B 12 is likely to make people think these are the only definitions

Delete table, shorten rest and move to body; see end for suggested words

agreed

B 30.2(now 29)

Line 4 After “which risks need treatment first” add “or which need to be referred to higher levels of management”

added

30.2 Line 4 Ed Repeats “screening tool”; delete one of them. Start sentence “It may also be used to select….” Agreed

30.2 end The matrix is used as a means of communicating levels of risk in an organisation as well as screening

The consequence likelihood matrix may also be used to help communicate a common understanding for qualitative levels of risks across the organisation. The way risk levels are set and decision rules assigned to them is an expression of the organisation's risk appetite

revised

30.2 Fig B14 and B15 have interchanged labels. Reverse diagram labels. To be done (Eric)

Add SIL to techniques see below (B)


Suggested Additional Method to Add to Annex B

Safety Integrity Level (SIL) Assessment

1. Overview

SIL assessment involves determining the level of risk reduction required for instrumented systems (such as an automatic emergency shutdown or trip). There are four safety integrity levels, with Level 4 being the highest level of safety integrity (reliability) and Level 1 being the lowest.

There are three key steps:
o Identification of all safety instrumented functions (SIFs).
o Determination of the required SIL for each SIF.
o Verification that the design of the instrumented system will meet the required SIL.

SIL assessment is a specific application of several assessment techniques (such as HAZOP, PHA, Layers of Protection Analysis, fault tree analysis, etc.) rather than a specific risk assessment technique in itself.

2. Uses

SIFs are typically identified during, or following, a hazard analysis (such as a HAZOP or PHA). The required risk reduction (i.e. SIL) for each SIF is then determined using a risk assessment technique (such as Layers of Protection Analysis or a Risk Graph or Risk Matrix).

Where SIL requirements are subsequently allocated to SIFs, the device or system must then meet specific requirements for both hardware safety integrity and systematic safety integrity throughout the equipment life cycle (design, install, commission, operate and maintain). This is fully described in IEC61508 and IEC61511.

3. Inputs

Once the SIFs have been identified, the inputs required to complete a SIL assessment are similar to those required for a Layers of Protection Analysis (refer B.18). The frequency of demand on the SIF is also a key input.

Where a LOPA has already been completed, this may be used as the basis for determining the SILs for the SIFs identified as IPLs in the LOPA.

A clear definition of the tolerable risk target is required.

4. Process


A hazard and risk assessment is carried out by a team of experts which should result in:

o a description of each identified hazardous event and the factors that contribute to it;
o a description of the consequences and likelihood of the event;
o consideration of conditions such as normal operation, start-up, shutdown, maintenance, process upset, emergency shutdown;
o the determination of requirements for additional risk reduction necessary to achieve the required tolerable risk target;
o a description of, or references to information on, the measures taken to reduce or remove hazards and risk;
o a detailed description of the assumptions made during the analysis of the risks, including probable demand rates and equipment failure rates, and of any credit taken for operational constraints or human intervention;
o allocation of the safety functions to layers of protection, taking account of potential reduction in effective protection due to common cause failure between the safety layers and/or lack of independence;
o identification of those safety functions to be applied as SIFs.

Once the need for a SIF is identified, a risk reduction target may be allocated to those specific protection layers for the purpose of prevention or mitigation of hazards. The required SIL is derived taking into account the required risk reduction that is to be provided by that function.

IEC61508 defines the Probability of Failure on Demand (PFD) and Risk Reduction Factor (RRF) for different SIL levels in low demand mode as follows:

SIL   PFD (low demand mode)   RRF
4     10^-5 to <10^-4         >10,000 to 100,000
3     10^-4 to <10^-3         >1,000 to 10,000
2     10^-3 to <10^-2         >100 to 1,000
1     10^-2 to <10^-1         >10 to 100

There are several methods available to determine the required SIL and these are further outlined in IEC61511.3 (such as Layers of Protection Analysis or a Risk Graph or Risk Matrix).

Finally, the design of the SIS is assessed to ensure it can meet the required SIL. Typically, this verification step is undertaken using fault tree analysis.

5. Output

SILs required for each SIF.

Verification that the design of each instrumented system will, in principle, meet the required SILs.

6. Strengths and Limitations


Strengths include:

o Existing, well documented standards for SIL assessment;
o Provides a clear requirement on the design and performance of safety instrumented functions;
o May be applied in conjunction with, or after, the risk assessment (e.g. LOPA);
o Both qualitative and quantitative methods are available for SIL assessment.

Limitations include:

SILs can only be determined when there is a clearly defined risk target and the risk assessment technique (e.g. LOPA or Risk Graph) has been calibrated to use this target.

Strictly speaking, SIL assessment is only applicable to systems that meet the definition of a safety instrumented system (as described in IEC61508 and IEC61511).
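The LOPA arithmetic proposed for B 18.4 above and the SIL/PFD/RRF table in the proposed SIL method, carried through in Python as an added example (not part of the comment template, the standard or any commenter's submission): the initiating frequency, IPL PFDs, conditional modifier and tolerable target are constructed values, and the handling of an RRF below 10 or beyond the SIL 4 band is this example's own convention.

```python
# Worked LOPA -> SIL calculation for one cause-consequence pair (added example).
# All numeric inputs below are constructed for illustration, not taken from
# the standard; the SIL bands follow the table in the proposed Annex B text.
from typing import Optional, Sequence

# Low-demand-mode bands: (SIL, PFD lower bound inclusive, upper bound exclusive).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)

def mitigated_frequency(initiating_freq: float, ipl_pfds: Sequence[float],
                        conditional_modifiers: Sequence[float] = ()) -> float:
    """Frequency (per year) of the undesired consequence: initiating cause
    frequency multiplied by the PFD of each independent protection layer and
    by each conditional modifier probability (e.g. a person being present)."""
    freq = initiating_freq
    for p in (*ipl_pfds, *conditional_modifiers):
        if not 0.0 < p <= 1.0:
            raise ValueError(f"probability {p} outside (0, 1]")
        freq *= p
    return freq

def required_rrf(residual_freq: float, tolerable_freq: float) -> float:
    """Risk reduction factor a new SIF must deliver; <= 1 means the existing
    layers already meet the tolerable risk target."""
    return residual_freq / tolerable_freq

def sil_for_rrf(rrf: float) -> Optional[int]:
    """Lowest SIL whose PFD band contains the target PFD (1/RRF).
    Convention of this example: 0 when RRF < 10 (below the SIL 1 band, so no
    SIL-rated SIF is needed); None when the target lies beyond SIL 4."""
    if rrf <= 1.0:
        return 0
    pfd_target = 1.0 / rrf
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_target < hi:
            return sil
    return 0 if pfd_target >= 1e-1 else None

def assess(initiating_freq, ipl_pfds, conditional_modifiers, tolerable_freq):
    """LOPA arithmetic followed by SIL allocation; returns (residual, RRF, SIL)."""
    residual = mitigated_frequency(initiating_freq, ipl_pfds, conditional_modifiers)
    rrf = required_rrf(residual, tolerable_freq)
    return residual, rrf, sil_for_rrf(rrf)

if __name__ == "__main__":
    # Constructed scenario: cause 0.1/yr, two IPLs at PFD 0.1, 50% occupancy,
    # tolerable target 1e-5/yr -> residual 5e-4/yr, RRF 50, SIL 1.
    residual, rrf, sil = assess(0.1, [0.1, 0.1], [0.5], 1e-5)
    print(f"residual {residual:.1e}/yr, required RRF {rrf:.0f}, SIL {sil}")
```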

1. Not applicable for IEC use only
2. Type of comment: ge = general, te = technical, ed = editorial
NOTE: Columns 2, 3, 4, 5 & 6 are compulsory.
