Saturday, 9 August 2014

How to find the cause of a problem using an Ishikawa diagram

ALARP

So what is ALARP?

The ALARP principle
No industrial activity is entirely free from risk and so many companies and regulators around the world require that safety risks are reduced to levels that are As Low As Reasonably Practicable, or "ALARP".
The "ALARP region" lies between unacceptably high and negligible risk levels. Even if a level of risk for a "baseline case" has been judged to be in this ALARP region it is still necessary to consider introducing further risk reduction measures to drive the remaining, or "residual", risk downwards.
[Diagram: the ALARP region]
The ALARP level is reached when the time, trouble and cost of further reduction measures become unreasonably disproportionate to the additional risk reduction obtained.
ALARP for life
Risk can be reduced by avoidance, adopting an alternative approach, or increasing the number and effectiveness of controls.
At the concept stage of a new project there is the greatest opportunity to achieve the lowest residual risk by considering alternative options, e.g. for an offshore oilfield development, options may range from fixed legged platforms to floating production vessels to subsea facilities.
Once the concept is selected and the early design progresses, the attention shifts to considering alternative layout and system options to optimise inherent safety. In the detailed design phase, the focus moves on to examining alternative options for improving safety systems.
During operations, the attention is on collecting feedback, improving procedures and managing change to maintain the residual risk at an ALARP level. However, with advances in technology, what is ALARP today may not be ALARP tomorrow, so periodic reviews will be necessary.
[Box 1: ALARP tools]
Conclusion
The key to a convincing ALARP assessment lies in the documented consideration of improvement options, both implemented and discounted, at a level of resolution appropriate to the project phase. ALARP decision making amounts to taking a balanced view and reaching a defensible consensus.
This article first appeared in RISKworld Issue 4.

The ALARP principle in the United Kingdom

Developed in England under the Health and Safety Act of 1974, the ALARP principle is based on weighing the cost of a risk against the cost of the measures used to reduce it.

The starting point is that zero risk is physically and financially unattainable, and that the right balance must be found between cost and the tolerable level of risk. The ALARP principle states that risk must be brought down to the lowest level that is possible. In other words, it is a cost/benefit analysis of risk control.

To carry out such an assessment, the ALARP principle relies on the overall risk analysis framework described in European (EN 50126) and international (CEI 61508) standards. On the one hand, it relies on a classification of risks into four categories, obtained by crossing the frequency and the severity of the risk.

Above a certain level, the risk is regarded as unacceptable and cannot be justified under any exceptional circumstances.
Below that level lies a tolerable zone, in which an activity may take place provided the associated risks are as low as possible. Tolerable does not mean acceptable: the benefit must be assessed in order to determine the cost of the measures or to provide for other safety measures. One must therefore be prepared to spend more the higher the level of risk. So, if the level of risk remains high, costs disproportionate to the level of risk may be justified. If the risk is lower, the costs must be balanced against the improvement obtained.

In the acceptable zone, risks are regarded as negligible and are therefore not subject to an ALARP demonstration. This does not mean that no risk-reduction measures will be taken, only that their cost will not be high.



The BowTie method in 5 minutes




Four incident analysis methods to choose from
It is a given that in many organizations more than one method is adopted to do incident analysis. If these organizations wish to learn from all incidents, the outcome of these methods needs to be consolidated.
Providing the right method to untangle a complicated incident is crucial if you are to uncover what lessons should truly be learned at both the organizational and operational levels. Four of the most popular barrier-based incident analysis methods were selected for BowTieXP:
We look at the first three below.

BSCAT

Next generation incident analysis tool

BSCAT is a next generation incident analysis tool that uses barrier thinking to clarify and structure your incident analysis. The BSCAT method can utilize pre-existing BowTies or be used on its own. It is the first method to complete the circle and link risk assessments with incident analysis. BSCAT is built on top of the BowTieXP platform.
Recent insights reveal that improved safety management performance can be obtained if a more focused approach to barrier performance is followed. Advanced Barrier Management is a relatively new concept that addresses the effectiveness of specific barriers that aim to prevent undesired top events from happening and/or to limit the extent of the undesired consequences.
The bowtie concept provides a clear visual presentation of several high-risk scenarios and how these scenarios can be managed. Applying the bowtie approach prompts you to think about the available and/or potential barriers that keep the hazard scenarios under control, and about their effectiveness. Bowtie-based risk analysis is part of a mature risk-based safety management framework and should be applied by all organizations that aim to have a better understanding and control of their key risks. Allocation of accountabilities and document links can be part of bowtie thinking when the software program BowtieXP is applied.

[Figure: BSCAT - BTXP]

From SCAT to BSCAT

BSCAT links the bowtie concept to DNV’s classical concept for incident investigation (SCAT), which is already used by many organizations. The Systematic Cause Analysis Technique provides a framework with predefined categories of direct and basic causes that have proven to be important contributors to incidents in a variety of market sectors. By applying the SCAT technique to barrier performance, one can assess the performance of barriers during an incident investigation and come up with specific improvement actions that address the basic causes of failure. The BSCAT concept in particular supports (complex) incident investigations that are characterized by a variety of events that went wrong. BSCAT is now supported by a software tool, branded as DNV BSCAT, that allows for smart generation of incident diagrams. DNV BSCAT operates under the proven BowtieXP platform.

Tripod Beta Method

The tripod method is a way of conducting incident analysis. It is mostly used for high risk, complex incidents, since it is a very extensive and detailed method. Training is highly recommended when using the tripod method.
A Tripod Beta tree is built in three steps. The first step is to ask the question: ‘what happened?’. All the events that happened in the incident are listed as a chain of events. The next step is to identify the barriers that failed to stop this chain of events. The question that is asked in this step is: ‘How did it happen?’. When all the events and the failed barriers in between are identified, the reason for failure of these barriers is analyzed. The last question for this step is: ‘Why did it happen?’. For each of the failed barriers a causation path is identified.
All the items that appear in the Tripod Beta method are explained in more detail below.
[Figure: Tripod - BTXP]

1. What happened?


First it needs to be identified what happened during the incident; what events occurred. This is the core of the tripod diagram and is represented with three shapes, the head ‘trio’. These three elements are:
  1. Event
  2. Hazard
  3. Object
The trio can be explained as an AND gate: both the Hazard and the Object need to be present for the Event to occur. The Hazard acts on the Object to change its state or condition, and that change is described as the Event. In a tripod tree there can be multiple trios. Hazards and Objects can form new Events.

Event

In the tripod theory an Event is a happening, a ‘change of state’, whereby an object is affected by a Hazard. All events may cause potential injury, damage or loss. Examples of events are:
  • Cut in a finger
  • Car collision
  • A failed money investment

Hazard

A Hazard is an entity with the potential to change, harm or damage an object upon which it is acting. Hazards can be a physical energy source or can have a more abstract nature. Examples of a Hazard are:
  • Working at height
  • Explosive material
  • Economic crisis

Object

The Object is the item that is changed by the Hazard. The Object can be someone or something that is harmed, changed or damaged. Examples of Objects are:
  • Employee
  • IT system
  • Environment

2. How did it happen?


Barriers

The second step in the tripod analysis is to analyze how the incident could have happened by identifying the failed barriers. The barriers can be placed between the Hazard and the Event and between the Object and the Event. To identify these two types of barriers two questions are asked:
  • What Barriers should have prevented the exposure to the Hazard?
  • What Barriers should have protected the Object from the Hazard?
A Barrier is something that should have prevented the meeting of an Object and a Hazard. It protects people, assets and the environment from the negative consequences of a Hazard. Barriers can have their effect on the Hazard (e.g. insulation) or the Object (e.g. PPE). In a Tripod analysis a Barrier can be qualified as failed, missing or effective.

3. Why did it happen?


The last step is to identify why the incident happened; what caused the Barriers to fail. To analyze this we follow a certain pathway, called the ‘Causation Path’. The causation path consists of three items:
  1. Active Failure
  2. Precondition
  3. Latent Failure

Active Failure

The Active Failure explains the human act that directly caused the Barrier to break. The Tripod method is based on the Human Error theory. This theory states that incidents happen when people make errors and fail to keep the barriers functional or in place. These errors are Active Failures. Examples of Active Failure are:
  • Neglecting to wear PPE
  • Wrong design decision
  • Inappropriate use of tools

Precondition

The Precondition is the environmental, situational or psychological ‘state’ in which the Active Failure takes place. It explains the context of the human error and it provides the control breaching capacity of the Active Failure. This can be related to supervision, training, instructions, procedures, etc. Examples of Preconditions are:
  • Bad sight
  • Budget squeeze
  • Poor ergonomics of tools

Latent Failure

Latent Failures are the organizational or systemic deficiencies that create Preconditions. The Latent Failure acts on a system level; it always involves the organization. A Latent Failure is not incidental, but is present for a longer time; it is an underlying failure. Examples of Latent Failures are:
  • Inadequate training
  • Failure to identify hazards
  • Imbalanced budgets
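
The three steps above can be captured as a small data model that checks an analysis for completeness and tallies latent failures across barriers. This is an added Python example, not part of the original article or of BowTieXP; the class and function names, the barrier names and the sample incident are constructed for illustration from the example items in the lists above.

```python
from collections import Counter
from dataclasses import dataclass, field

STATES = {"failed", "missing", "effective"}  # barrier qualifications named in the text

@dataclass
class Barrier:
    name: str
    side: str   # "hazard" or "object": which leg of the trio the barrier sits on
    state: str
    # each causation path: (active failure, precondition, latent failure)
    paths: list = field(default_factory=list)

@dataclass
class Trio:
    event: str
    hazard: str
    obj: str
    barriers: list = field(default_factory=list)

def gaps(trio):
    """List what is still missing before the tree answers what/how/why."""
    out = []
    if not (trio.hazard and trio.obj):
        out.append(f"{trio.event}: AND gate needs both a Hazard and an Object")
    for b in trio.barriers:
        if b.side not in ("hazard", "object") or b.state not in STATES:
            out.append(f"{b.name}: unknown side or state")
        elif b.state == "failed" and not b.paths:
            out.append(f"{b.name}: failed barrier has no causation path")
        for path in b.paths:
            if len(path) != 3 or not all(path):
                out.append(f"{b.name}: incomplete causation path {path}")
    return out

def latent_failures(trios):
    """Count latent failures over all barriers to surface systemic causes."""
    return Counter(p[2] for t in trios for b in t.barriers
                   for p in b.paths if len(p) == 3)

# Constructed sample incident (hypothetical barrier names).
FALL = Trio("Employee injured in fall", "Working at height", "Employee", [
    Barrier("Fall-arrest PPE", "object", "failed",
            [("Neglecting to wear PPE", "Poor ergonomics of tools", "Inadequate training")]),
    Barrier("Scaffold inspection", "hazard", "failed",
            [("Inappropriate use of tools", "Budget squeeze", "Inadequate training")]),
    Barrier("Guard rail", "hazard", "failed"),      # the "why" is not yet analyzed
    Barrier("Safety net", "object", "missing"),
])

if __name__ == "__main__":
    print(gaps(FALL))
    print(latent_failures([FALL]).most_common())
```

A latent failure that recurs across several barriers, as "Inadequate training" does in this sample, points to the organizational deficiency rather than to any single human act.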

Root cause analysis in IncidentXP

IncidentXP already allows users to choose between multiple barrier-based incident analysis techniques. However, we continued to get a lot of requests for one particular method: traditional Root Cause Analysis (RCA). This method is the fourth we're adding to IncidentXP and joins BSCAT, Tripod Beta and Barrier Failure Analysis.
[Figure: incident diagram, Root Cause Analysis]

What is RCA?

Root Cause Analysis is a simple and straightforward incident analysis technique. It starts with an incident and drills down into the chain of events that led to that incident until the root causes are identified. This method is widely used throughout the world, and the idea of drilling down to the root cause is also present in all of our other incident analysis methods.

Solving RCA problems

However, a traditional root cause analysis has the potential to turn into a jumble of elements. We felt this could be improved, so we did two things. First, we added some more subtle categorisations so you can see at a glance where the real problem areas are. You don't need to use them, but if you do, we think you will create better analyses, and it will be easier for your audience to see what you're trying to communicate. Second, you can cut up a large diagram into smaller pieces, and link them together. Separating the main diagram from sub-diagrams avoids a situation where the diagram becomes so large you lose overview. We hope these changes to RCA will help you create better analyses.

Features

RCA will include all the features you expect, like reports, case file overviews, import/export options, easy manipulation of the diagram, scrapbook support, find and replace, spell checking, undo/redo, auto-save, and many others.

Barriers vs RCA

The main difference between RCA and our other incident analysis methods is that RCA is not barrier-based. Everything in RCA is an event, including those things that would be considered barriers in BSCAT, Tripod or BFA. This doesn't matter if you just want to use RCA, but there is one important caveat. Whereas the barrier-based incident analysis methods like BSCAT and Tripod can be mapped back onto the bowtie because their structure is similar, RCA cannot be linked back to a bowtie, because the bowtie structure depends heavily on identifying barriers, which RCA does not do. We will examine other possibilities in the future, like classifying events. But we will base that development on real-world feedback.