Understanding Risk Assessment

When peo­ple dis­cuss ‘Risk’ there are a lot of dif­fer­ent assump­tions made about what that means. For me, the study of risk and risk assess­ment tech­niques start­ed in 1995. As a tech­nol­o­gist and con­trols design­er, I had to some­how wrap my head around the whole con­cept in ways I’d nev­er con­sid­ered. If you’re try­ing to fig­ure out risk and risk assess­ment this is a good place to get start­ed!

What is risk?

From a machin­ery per­spec­tive, ISO 12100:2010 defines risk as:

com­bi­na­tion of the prob­a­bil­i­ty of occur­rence of harm and the sever­i­ty of that harm”

Risk can have pos­i­tive or neg­a­tive out­comes, but when con­sid­er­ing safe­ty, we only con­sid­er neg­a­tive risk, or events that result in neg­a­tive health effects for the peo­ple exposed.

The risk rela­tion­ship is illus­trat­ed in ISO 12100:2010 Fig­ure 3:

ISO 12100-2010 Figure 3
ISO 12100–2010 Fig­ure 3


R = Risk

S = Sever­i­ty of Harm

P = Prob­a­bil­i­ty of Occur­rence of Harm

The Prob­a­bil­i­ty of Occur­rence of Harm fac­tor is often fur­ther bro­ken down into three sub-fac­tors:

  • Prob­a­bil­i­ty of Expo­sure to the haz­ard
  • Prob­a­bil­i­ty of Occur­rence of the Haz­ardous Event
  • Prob­a­bil­i­ty of Lim­it­ing or Avoid­ing the Harm

How is risk measured?

In order to esti­mate risk a scor­ing tool is need­ed. There is no one ‘cor­rect’ scor­ing tool, and there are flaws in most scales that can result in blind-spots where risks may be over or under-esti­mat­ed.

At the sim­plest lev­el are ‘screen­ing’ tools. These tools use very sim­ple scales like ‘High, Medi­um, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspec­tion and are intend­ed to pro­vide a quick method of cap­tur­ing obser­va­tions and giv­ing a gut-feel assess­ment of the risk involved. These tools should be used as a way to iden­ti­fy risks that need addi­tion­al, detailed assess­ment. To get an idea of what a good screen­ing tool can look like, have a look at the SOBANE Déparis sys­tem.

Every scor­ing tool requires a scale for each risk para­me­ter includ­ed in the tool. For instance, con­sid­er the CSA tool described in CSA Z434:

CSA Z434-03 Table 1As you can see, each para­me­ter (Sever­i­ty, Expo­sure and Avoid­ance) has a scale, with two pos­si­ble selec­tions for each para­me­ter.

When con­sid­er­ing selec­tion of a scor­ing tool, it’s impor­tant to take some time to real­ly exam­ine the scales for each fac­tor. The scale shown above has a glar­ing hole in one scale. See if you can spot it and I’ll tell you what I think a bit lat­er in this post.

There are more than 350 dif­fer­ent scales and method­olo­gies avail­able for assess­ing risk. You can find a good review of some of them in Bruce Main’s text­book “Risk Assess­ment: Basics and Bench­marks” avail­able from DSE online.

A sim­i­lar, although dif­fer­ent, tool is found in Annex 1 of ISO 13849–1. Note that this tool is pro­vid­ed in an Infor­ma­tive Annex. This means that it is not part of the body of the stan­dard and is NOT manda­to­ry. In fact, this tool was pro­vid­ed as an exam­ple of how a user could link the out­put of a risk assess­ment tool to the Per­for­mance Lev­els described in the nor­ma­tive text (the manda­to­ry part) of the stan­dard.

Con­sid­er cre­at­ing your own scales. There is noth­ing wrong with deter­min­ing what char­ac­ter­is­tics (para­me­ters) you want to include in your risk assess­ment, and then assign­ing each para­me­ter a numer­ic scale that you think is suit­able; 1–10, 0–5, etc. Some scales may be invert­ed to oth­ers, for exam­ple: If the Sever­i­ty scale runs from 0–10, the Avoid­abil­i­ty scale might run from 10–0 (Unavoid­able to Entire­ly Avoid­able).

Once the scales in your tool have been defined, doc­u­ment the def­i­n­i­tions as part of your assess­ment.

Who should conduct risk assessments?

Lake YogaIn many orga­ni­za­tions, I find that risk assess­ment has been del­e­gat­ed to one per­son. This is a major mis­take for a num­ber of rea­sons. Risk assess­ment is not a solo activ­i­ty for a ‘guru’ in a lone­ly office some­where!

Risk assess­ment is not a lot of fun to do, and since risk assess­ments can get to be quite involved, it rep­re­sents a sig­nif­i­cant amount of work to put on one per­son. Also, leav­ing it to one per­son means that the assess­ment will nec­es­sar­i­ly be biased to what that per­son knows, and may miss sig­nif­i­cant haz­ards because the asses­sor doesn’t know enough about that haz­ard to spot it and assess it prop­er­ly.

Risk assess­ment requires mul­ti­ple view­points from par­tic­i­pants with var­ied exper­tise. This includes users, design­ers, engi­neers, lawyers and those who may have spe­cial­ized knowl­edge of a par­tic­u­lar haz­ard, like a Laser Safe­ty Offi­cer or a Radi­a­tion Safe­ty Offi­cer. The var­ied exper­tise of the peo­ple involved will allow the com­mit­tee to bal­ance the opin­ion of each haz­ard, and devel­op a more rea­soned assess­ment of the risk.

I rec­om­mend that risk assess­ment com­mit­tees nev­er be less than three mem­bers. Five is fre­quent­ly a good num­ber. Once you get beyond five, it becomes increas­ing­ly dif­fi­cult to obtain con­sen­sus on each haz­ard. Also, con­sid­er the cost. As each com­mit­tee mem­ber is added to the team, the cost of the assess­ment can esca­late expo­nen­tial­ly.

Train­ing in risk assess­ment is cru­cial to suc­cess. Ensure that the indi­vid­u­als involved are trained, and that at least one has some pre­vi­ous expe­ri­ence in the prac­tice so that they may guide the com­mit­tee as need­ed.

When should a risk assessment be conducted?

Risk Assessment Lifetime Flow Chart
Risk Assess­ment in the Life­time of a Prod­uct

Risk assess­ment should begin at the begin­ning of a project, whether it’s the design of a prod­uct, the devel­op­ment of a process or ser­vice, or the design of a new build­ing. Under­stand­ing risk is crit­i­cal to the design process. Cost for changes made at the begin­ning of a project are min­i­mal com­pared to those that will be incurred to cor­rect prob­lems that might have been fore­seen at the start. Risk assess­ment should start at the con­cept stage and be includ­ed at each sub­se­quent stage in the devel­op­ment process. The accom­pa­ny­ing graph­ic illus­trates this idea.

Essen­tial­ly, risk assess­ment is nev­er fin­ished until the prod­uct, process or ser­vice ceas­es to exist.

What tools are available?

As men­tioned ear­li­er in this post, the book ‘Risk Assess­ment: Basics and Bench­marks” pro­vides an overview of rough­ly 350 dif­fer­ent scor­ing tools. You can search the Inter­net and turn up quite a few as well. The key thing with all of these sys­tems is that you will need to devel­op any soft­ware based tools your­self. Depend­ing on your com­fort with soft­ware, this might be a spread­sheet for­mat, a word pro­cess­ing doc­u­ment a data­base, or some oth­er for­mat that works for your appli­ca­tion.

There are a num­ber of risk assess­ment soft­ware tools avail­able as well, includ­ing ISI’s CIRSMA™ and DSE’s Design­Safe. As with the scor­ing tools, you need to be care­ful when eval­u­at­ing tools. Some have sig­nif­i­cant blind spots that may trip you up if you are not aware of their lim­i­ta­tions.

Remem­ber too that the out­put from the soft­ware can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assess­ment.

Where can you get training?

There are a few places to get train­ing. Com­pli­ance InSight Con­sult­ing pro­vides train­ing to cor­po­rate clients and will be launch­ing a series of web-based train­ing ser­vices in 2011 that will allow indi­vid­ual learn­ers to get train­ing too.

The IEEE PSES oper­ates a Risk Assess­ment Tech­ni­cal Com­mit­tee that is open to the pub­lic as well. See the RATC web site.

The Answer to the Scale Question

The Expo­sure Scale in the CSA tool has a gap between E1 and E2. Look­ing at the def­i­n­i­tions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Expo­sures that occur once per hour or less, but more than once per day can­not be scored effec­tive­ly using this scale.

Also, notice the Sever­i­ty scale: S1 encom­pass­es injuries requir­ing not more than basic first aid. One com­mon ques­tion I get is “Does that include CPR*?”. This ques­tion comes up because most basic first aid cours­es taught in Cana­da include CPR as part of the course. There is no clear answer for this in the stan­dard. The S2 fac­tor extends from injuries requir­ing more than basic first aid, like a bro­ken fin­ger for instance, all the way to a fatal­i­ty. Does it make sense to group this broad range of injuries togeth­er? This def­i­n­i­tion doesn’t quite match with the Province of Ontario’s def­i­n­i­tion of a Crit­i­cal Injury found in Reg­u­la­tion 834 either.

All of this points to the need to care­ful­ly assess the scales that you choose before you start the process. Choos­ing the wrong tool can skew your results in ways that you may not be very hap­py about.

*Car­dio-Pul­monary Resus­ci­ta­tion

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.