
I think this is what everyone involved in a risk assessment may think at some point when generic practices are applied.
In reality, applying a risk matrix effectively requires more than just picking a color on a grid; it requires a disciplined approach to ensure that "High" risk means the same thing to every engineer in the room.
Recently we held a workshop, a refresher you could call it, and the following are some of the key points we discussed:
1. Initial Assessment
Before looking at the matrix, you must define the scenario clearly to avoid "risk creep" or over-conservative estimates.
Define the "Credible" Worst Case: Do not assess the "absolute" worst case (e.g., a meteor hitting the plant) unless it is a credible threat. Focus on the most severe outcome that is actually possible given the equipment and process.
Assess Unmitigated Risk First: Determine the risk level as if no active or administrative controls are functioning. This establishes the "Raw Risk" and justifies why certain safety systems (like SIS or relief valves) are critical.
Consistency in Consequence Categories: Use a multi-disciplinary approach. A risk might be "Low" for Safety (no injuries) but "High" for Environment (large spill) or Reputation. The highest individual category determines the final risk rank.
Independence of Likelihood and Consequence: A common error is lowering the consequence because the likelihood is low. These must be treated as independent variables.
2. Applying the Hierarchy of Controls
Once a risk is identified, the goal is to move it "down and to the left" on the matrix. Best practices dictate following the Hierarchy of Controls in strict order:
a. Elimination: physically remove the hazard (e.g., using a non-toxic chemical). Effectiveness: highest.
b. Substitution: replace the hazard with something less risky (e.g., lower pressure). Effectiveness: high.
c. Engineering: isolate people from the hazard (e.g., blast walls, automated trips). Effectiveness: moderate.
d. Administrative: change the way people work (e.g., training, permits, SOPs). Effectiveness: low.
e. PPE: protect the worker with equipment (e.g., respirators, fire suits). Effectiveness: lowest.
3. Reaching ALARP (As Low As Reasonably Practicable)
ALARP is the point where the cost (time, money, effort) of further reduction is grossly disproportionate to the benefit gained.
The Three Zones
Unacceptable Zone (Red): Risk must be reduced regardless of cost. Operation is usually prohibited.
ALARP Zone (Yellow/Amber): Risk is tolerable only if it can be demonstrated that further reduction is not reasonably practicable.
Broadly Acceptable Zone (Green): Risk is low enough that no further action is required, though continuous monitoring is expected.
The "Good Practice" Test
To prove a risk is ALARP, you must demonstrate that you have met or exceeded industry codes and standards (e.g., ASME, API, ISO). If a standard says a specific safety valve is required, you cannot claim ALARP without it just because it's expensive.
Cost-Benefit Analysis (CBA)
In complex cases, a formal CBA is used. If the cost of an additional safety layer is 10 times higher than the "value" of the risk reduction it provides, it may be deemed not "reasonably practicable."
4. Common Pitfalls to Avoid
Risk Normalization: Just because a high-risk activity hasn't caused an accident in 10 years doesn't mean the likelihood is "Rare." Use data/frequencies, not just "gut feeling."
Double Counting Controls: Don't credit the same safety system twice (e.g., counting a pressure transmitter as both an alarm and a trip if they use the same sensor).
Ignoring Cumulative Risk: Assessing ten "Medium" risks individually might seem fine, but if they all occur in the same area, the aggregate risk to the facility might be "High."
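To make the discipline from sections 1, 3 and 4 concrete, here is a small worked example. It is an added illustration, not code from the original post: the 5x5 matrix, the zone thresholds, the per-control likelihood credits, the instrument tags and the scenario values are all constructed assumptions for the sake of the example, and a real assessment uses its own calibrated matrix and frequency data. It assesses the unmitigated (raw) risk first, keeps likelihood and consequence independent, lets the highest discipline category drive the final rank, credits a shared sensor only once when controls are applied, and applies the 10x gross-disproportion test from the CBA paragraph.

```python
"""Worked risk-matrix example (added illustration, not from the original post).

All scales, thresholds, credits and scenario values below are assumptions.
"""
from dataclasses import dataclass, field

# Likelihood and consequence are assessed independently: a low likelihood
# never lowers the consequence rating.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


def zone(score: int) -> str:
    """Map a matrix cell (likelihood x consequence) to an ALARP zone.
    Thresholds are assumed for this example."""
    if score >= 15:
        return "unacceptable"        # red: reduce regardless of cost
    if score >= 6:
        return "alarp"               # amber: tolerable only if further reduction is not practicable
    return "broadly acceptable"      # green: no further action, keep monitoring


@dataclass
class Control:
    name: str
    sensor: str               # physical element the control depends on
    likelihood_credit: int    # likelihood bands this control is credited with removing


@dataclass
class Scenario:
    name: str
    likelihood: str                        # unmitigated (raw) likelihood
    consequences: dict                     # category -> consequence label, one per discipline
    controls: list = field(default_factory=list)


def naive_reduction(controls) -> int:
    """Sum every control's credit: this is the double-counting pitfall."""
    return sum(c.likelihood_credit for c in controls)


def credited_reduction(controls) -> int:
    """Credit each physical sensor once, keeping the strongest control that uses it."""
    best_per_sensor = {}
    for c in controls:
        best_per_sensor[c.sensor] = max(best_per_sensor.get(c.sensor, 0), c.likelihood_credit)
    return sum(best_per_sensor.values())


def rank(scenario: Scenario, mitigated: bool = False):
    """Return (zone, driving category, score).

    With mitigated=False no control is credited, which gives the raw risk.
    The highest individual category drives the final rank.
    """
    likelihood = LIKELIHOOD[scenario.likelihood]
    if mitigated:
        likelihood = max(1, likelihood - credited_reduction(scenario.controls))
    category, score = max(
        ((cat, likelihood * CONSEQUENCE[label]) for cat, label in scenario.consequences.items()),
        key=lambda item: item[1],
    )
    return zone(score), category, score


def reasonably_practicable(layer_cost: float, risk_reduction_value: float,
                           disproportion_factor: float = 10) -> bool:
    """Gross-disproportion test for an additional safety layer.

    Following the post's figure, a layer whose cost exceeds 10x the value of the
    risk reduction it buys is deemed not reasonably practicable.
    """
    return layer_cost <= disproportion_factor * risk_reduction_value


# Constructed scenario: the alarm and the trip share one transmitter, so only
# the stronger of the two may be credited. Tags are assumed, not real.
SCENARIO = Scenario(
    name="Loss of containment from reactor overpressure",
    likelihood="likely",
    consequences={"safety": "moderate", "environment": "catastrophic", "reputation": "major"},
    controls=[
        Control("High-pressure alarm", sensor="PT-101 (assumed tag)", likelihood_credit=1),
        Control("High-pressure trip (SIS)", sensor="PT-101 (assumed tag)", likelihood_credit=1),
        Control("Relief valve", sensor="PSV-201 (assumed tag)", likelihood_credit=1),
    ],
)

if __name__ == "__main__":
    print("raw:      ", rank(SCENARIO))                    # unacceptable, environment, 20
    print("mitigated:", rank(SCENARIO, mitigated=True))    # alarp, environment, 10
    print("double-counted credit:", naive_reduction(SCENARIO.controls),
          "vs credited:", credited_reduction(SCENARIO.controls))
    print("1.2M layer for 100k of risk value practicable?",
          reasonably_practicable(1_200_000, 100_000))      # False
```

The raw rank is "unacceptable" and is driven by the environment category even though the safety consequence alone would only sit in the amber zone. Crediting the three controls correctly moves the scenario to the ALARP zone (score 10); if the alarm and the trip were both credited despite sharing the same transmitter, the likelihood would drop to "rare" and the scenario would wrongly land in the green zone (score 5), which is exactly the double-counting pitfall above.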
I hope these notes guide you well.
Share with colleagues when you start a risk assessment next time.