In the past blogs, we covered how to set the scope, identify major risks and analyze them using the bowtie methodology. In this edition, our focus is on evaluating the risk which was analyzed previously.
It is possible to evaluate risks in different ways, divided into two categories, the qualitative and the quantitative way. Using the quantitative way, the focus is set on numbers and data-driven values which are for example based on manufacturer specifications, historical data or any other reliable source, while qualitative data is driven by expert judgments and historical (non-numerical) data.
The quantitative approach
An example of a quantitative approach is LOPA (Layer Of Protection Analysis) or, in combination with bowtie, the bowtie-adapted LOPA. See figure 1 below. LOPA works with event frequencies and control failure probabilities (probability of failure on demand). Basically, LOPA takes the initial frequency of an event and multiplies this by the probability that the barriers in that specific scenario line would fail. This results in a current frequency of the unwanted outcome or consequence. If this value is lower, then the acceptable target frequency we have set before, then the risk is considered acceptable.
Figure 1: LOPA example
Heavy rain occurs every 2 times we drive a car. As we are not good at defensive driving we fail in doing so during heavy rain every second time (1/2=0.5). This would result in us losing control over the car every 0.5 x 0.5 times which equals 0.25, or every 4 times (the current top event frequency). However, we consider it acceptable only if we lose control every 5 times. Because we don’t meet this condition the criticality for the top event has not been met. If we calculate further and we know that we forget to wear the seatbelt once every 10 times, it would result in a probability of failure on demand of 0.1. If we now multiply the current frequency of the top event (0.25) with the PFD of this specific barrier (0.1) we would get a consequence frequency of 0.025. Or in other words, we would hit the internal of the car every 40 times we drive a car. However, we accept this consequence if it occurs every 0.05 times, in other words, every 20 times (1/0.05 = 20). Thus, because of the current frequency is lower than the acceptable frequency we have met the criticality and accept the risk.
Learn how to do this, while using our lOPA plugin? Hit the button below.
The qualitative approach
Besides the quantitative ways, there are also qualitative ways of assessing the risks. Some of those are ALARP thinking (elaborated on in our guest blog by Risktec) or the use of risk matrices which is most common. Within the bowtie, a set of risk matrices (figure 2) can be assigned to both the hazard (entire bowtie) as well as every consequence (unwanted outcome of the individual scenarios). The risk matrix helps to categorize the outcomes without assigning very specific values. Usually, this is a 4×5, 5×5 or 6×5 matrix with a severity and a frequency axis. Assessing both individually for the entire hazard or individual scenario would result in a specific risk matrix value.
Figure 2: Risk matrix
Those values can be divided over different categories, for example, impact on people, assets, environment and reputation. Hitting the internal of the car might have a less acceptable matrix value in regards to people than it has in regards to reputation or environment (figure 3).
Figure 3: Impact displayed on a consequence of a bowtie
Using the same approach the risk matrix can also be used to assess the inherent risk (situation without implemented controls or barriers) and residual risk (situation after barriers or controls are implemented). This is displayed in figure 4. The difference between both indicates that effect of the controls or measures in place.
Figure 4: The inherent risk is D3 which equals likely resulting in major injury. But the residual risk is assessed at B1 which equals unlikely and only resulting in slight injury. The risk therefore is significantly decreased by the implemented barriers.
The use of risk matrices can be customized to any organization and can also be very thought out. Our partner Emily Harbottle wrote a great guest blog a while ago explaining this in the finest detail.
What do you do when your risk is not ALARP? You’ll find that out in one of our next method blogs about risk treatment. But first, we dive into the software in the risk evaluation phase. Stay tuned for the next part of this blog series, risk evaluation with BowTieXP.