Risk ID & Assessment Training Course DNV Consulting
Module 27: Risk Reduction and Mitigation
MODULE 27
RISK REDUCTION AND MITIGATION
P:\2004 Contracts\21506545 PetroVietnam HAZOP+QRA Course\CD-ROM\Word files\Module27.doc ©2004 DNV, All Rights Reserved
CONTENTS
27. RISK REDUCTION AND MITIGATION
27.1 LOSS CAUSATION MODEL
27.1.1 Three Stages of Control
27.2 RISK ELIMINATION
27.2.1 Inherently Safer Plants
27.2.2 Inherent vs. Add On Safety
27.2.3 Inherent Safety
27.3 REDUCING THE CONSEQUENCES
27.3.1 Measures to Reduce the Consequences of the Initial Event
27.3.2 Measures to Reduce the Consequences of the Knock-On Events
27.4 REDUCING THE LIKELIHOOD (FREQUENCY)
27.5 RISK REDUCTION BY PLANT LAYOUT
27.6 RISK REDUCTION AND ORGANISATIONAL CULTURE
27. RISK REDUCTION AND MITIGATION
The risk presented by any hazardous event such as a fire, explosion or toxic release can be
reduced by the following means:
(i) elimination
(ii) reduction of the frequency of occurrence (likelihood)
(iii) reduction of the consequences (initial or knock-on)
27.1 LOSS CAUSATION MODEL
Dominoes have been widely used to convey the principles of accident prevention and loss
control. HW Heinrich’s original domino sequence was a classic in safety thinking and teaching
for over 30 years in many different countries. Since dominoes have been used for so long by
so many as a classic illustration in accident causation, their application in Figure 27.1 has been
updated to reflect the direct management relationship with the causes and effects of accident
loss. Also, arrows are incorporated to show the multi-linear interactions of the cause and
effect sequence.
27.1.1 Three Stages of Control
The model not only reflects multiple causes but also multiple opportunities for control. These
opportunities can be grouped into three major categories or stages of control: 1) pre-contact,
2) contact, and 3) post-contact.
Pre-Contact Control: This is the stage that includes everything we do to develop and
implement a program to avoid the risks, prevent the losses from occurring, and plan actions to
reduce loss if and when contacts occur.
Pre-contact control is the most fruitful stage. This is where we develop an optimum program,
establish optimum standards, maintain effective performance feedback, and manage
compliance with performance standards. The goal here is the PREVENTION part of control.
Contact Control: Accidents usually involve contact with a source of energy or substance
above the threshold limit of the body or structure. Many control measures take effect at the
point and time of contact, by reducing the amount of energy exchange or harmful contact. For
example:
• substitution of alternate energy forms or less harmful substances
- electric motors instead of shafts and belts
- higher flash point substances or non-flammable materials
- less toxic solids, liquids, vapours and gases
• reducing the amount of energy used or released
- low voltage or low pressure equipment
- reduced temperatures in hot water systems
- use of materials which do not require high processing temperatures
Figure 27.1 DNV Loss Causation Model
[Figure not reproduced. Domino labels: LACK OF CONTROL, BASIC CAUSES, IMMEDIATE CAUSES, INCIDENT, ACCIDENT.]
• placing barriers between the source of energy and the people or property
- personal protective equipment or devices
- fire walls
- explosion bunkers
- enclosures or insulation for noise-emitting machines, for heat and cold, for
electricity and for radiation
- filters for removing toxic elements from the air
• modifying contact surfaces
- padding points of contact
- adding bumper guards to building columns in materials handling areas
• strengthening the body structure
- reinforcement of roofs, floors, columns, docks, platforms, materials handling
equipment, load-bearing surfaces, etc.
- reinforcing the structures of vehicles for impact resistance
The contact stage is where the incident occurs that may or may not result in loss, depending
on the amount of energy or substance involved. Effective controls keep the exchange at a
minimum, resulting in minor rather than major losses, and “close calls” rather than accident
losses. These measures do not prevent the contacts or incidents, but they do contribute
significantly to the control of losses.
Post-Contact Control: After the accident or “contact”, the extent of losses can be controlled
in many ways, such as:
• implementation of the emergency action plans
• proper first aid and medical care for people
• rescue operations
• fire and explosion control
• prompt ventilation of the air-polluted workplace
• effective cleanup of spills
Post-contact controls do not prevent the accidents, but they minimise the losses. They can
mean the difference between injury and death, between reparable damage and total loss,
between a complaint and a lawsuit, between business interruption and business closing.
Figure 27.2 Loss Causation Model
LACK OF CONTROL
FAILURE TO MAINTAIN COMPLIANCE WITH ADEQUATE STANDARDS FOR:
• Leadership and Administration
• Management Training
• Planned Inspections
• Task Analysis and Procedures
• Accident/Incident Investigation
• Task Observations
• Emergency Preparedness
• Organisational Rules
• Accident/Incident Analysis
• Employee Training
• Personal Protective Equipment
• Health Control
• Program Evaluation System
• Engineering Controls
• Personal Communications
• Group Meetings
• General Promotion
• Hiring and Placement
• Purchasing Controls
• Off-the-Job Safety
↓
BASIC CAUSES
PERSONAL FACTORS
• Inadequate Capability
- Physical/Physiological
- Mental/Psychological
• Lack of Knowledge
• Lack of Skill
• Stress
- Physical/Physiological
- Mental/Psychological
• Improper Motivation
JOB FACTORS
• Inadequate Leadership or Supervision
• Inadequate Engineering
• Inadequate Purchasing
• Inadequate Maintenance
• Inadequate Tools, Equipment, Materials
• Inadequate Work Standards
• Abuse or Misuse
• Wear and Tear
↓
IMMEDIATE CAUSES
SUBSTANDARD PRACTICES
• Operating Equipment Without Authority
• Failure to Warn
• Failure to Secure
• Operating at Improper Speed
• Making Safety Devices Inoperable
• Removing Safety Devices
• Using Defective Equipment
• Failing to Use PPE Properly
• Improper Loading
• Improper Placement
• Improper Lifting
• Improper Position for Task
• Servicing Equipment in Operation
• Horseplay
• Under Influence of Alcohol and/or Other Drugs
SUBSTANDARD CONDITIONS
• Inadequate Guards or Barriers
• Inadequate or Improper Protective Equipment
• Defective Tools, Equipment or Materials
• Congestion or Restricted Action
• Inadequate Warning System
• Fire and Explosion Hazards
• Poor Housekeeping, Disorder
• Noise Exposure
• Radiation Exposure
• Temperature Extremes
• Inadequate or Excess Illumination
• Inadequate Ventilation
↓
INCIDENT
CONTACTS
• Struck Against (Running or Bumping into)
• Struck by (Hit by Moving Object)
• Fall to Lower Level
• Fall on Same Level (Slip and Fall, Tip Over)
• Caught in (Pinch and Nip Points)
• Caught on (Snagged, Hung)
• Caught Between (Crushed or Amputated)
• Contact With (Electricity, Heat, Cold, Radiation, Caustics, Toxics, Noise)
• Overstress, Overexertion, Overload
↓
LOSS
PERSONAL HARM
• Major Injury or Illness
• Serious Injury or Illness
• Minor Injury or Illness
PROPERTY DAMAGE
• Catastrophic
• Major
• Serious
• Minor
PROCESS LOSS
• Catastrophic
• Major
• Serious
• Minor
27.2 RISK ELIMINATION
If a hazard can be eliminated while still achieving the design intent of the system then this
should be the preferred option. An example of this is the replacement of a flammable heat
transfer medium with a non-flammable one. Further examples of this are listed in this section.
Elimination or reduction of risk by making plants and processes inherently safe is a topic
preached by many, the most vocal of whom is Trevor Kletz. The principles of inherent
safety are discussed next.
27.2.1 Inherently Safer Plants
In the 1960s and 70s the chemical industries expanded rapidly and introduced many new and
hazardous processes. It was realised by the major operators such as ICI, pioneers in the field
of process safety, that new approaches to address these safety concerns were required.
Techniques developed included risk assessment, HAZOP and inherent safety. Over the years
HAZOP and Risk Assessment have become common in many industries and an accepted part
of the process industry approach. Making plants inherently safer should be given the same
attention as these methods since it has a major impact on the control of industrial risk and
company profitability. The principle of inherent safety is to eliminate hazards at the plant
design stage by making plants simple, user-friendly and inherently low risk.
27.2.2 Inherent vs. Add On Safety
Safer process plants can be achieved by the following:
• Reducing the risk potential of the plant and process;
• Incorporating safety systems to control hazards in the engineering design;
• Establishing an effective safety management system to incorporate design, operation,
maintenance and incident response;
• Controlling the quality of the people who design, operate, and maintain the plant by
selection, motivation and training.
These are different types of safeguards which can be incorporated into the design and
operation of a plant to reduce the risk presented by the plant. A given level of safety
performance can be achieved in different ways by apportioning different standards to each of
these aspects. For example, a high hazard plant can still reach a target risk level by the use of
engineered safety systems, such as sophisticated instrumentation and control systems which
will alert operators or automatically shut down the plant in the event of potentially hazardous
process deviations.
It is therefore a balance between the risk potential of the plant, the risk reduction achieved by
the various safeguards provided and the costs/benefits of these safeguards. Traditional safety
developments have focused on improvements in the areas of “add on” engineered controls and
management and may have drawn attention away from the fundamental step of reducing the
hazard or risk potential of the plant and process.
27.2.3 Inherent Safety
Inherent safety focuses on the elimination or reduction of the hazard potential of the plant at
the process development and early process design stages. The need for “add on” safety
systems and detailed management controls is therefore reduced. The plant can be said to be
“inherently safer” because its safety performance is less reliant on “add on” engineered systems
and management controls which can and do fail.
“Inherently safer” is just another way of expressing this idea of plant and processes that are by
their nature less hazardous, either because they use inherently less dangerous materials,
conditions or equipment, or because they are less prone to accidental releases, dangerous
instabilities or runaway reactions. This approach has the advantage of providing a means to
address safety, health, environmental and loss prevention issues in a strategic and integrated
manner by dealing with the hazards at source, rather than perhaps retrospectively trying to find
ways to live with them.
In practice of course it is not always possible to eliminate hazardous materials. Kletz proposes
the following routes by which we can achieve an inherently safer plant:
• Intensification: reducing the hazardous inventories;
• Substitution: substituting hazardous materials with less hazardous ones;
• Attenuation: using the hazardous materials or processes in a way that limits their hazard
potential, e.g. dissolved in a safe solvent, stored at low pressure or temperature;
• Simplification: making the plant and process simpler to design, build and operate, hence
less prone to equipment, control and human failings.
Kletz summarises these concepts by the notion of a “friendly plant” which is less likely to fail
and even if it does will have less severe consequences. This focuses attention on minimising
the hazard potential at source and on reducing the likelihood of the hazard by reducing
complexity, minimising leak paths and adopting good ergonomic design.
Table 27.1 The Friendly Plant Concept - A Risk Based Approach
CONSEQUENCE REDUCTION
FRIENDLY PLANT (Tolerant of People or Equipment Failings): Classical Inherently Safer Plant
Less Hazardous:
• processes
• materials
• conditions
and lower inventories
ALTERNATIVE - UNFRIENDLY PLANT (“High Consequence” Plant)
Needs Extra:
• hardware
• control systems
• engineered safeguards
to control hazards, leading to a complex (unfriendly) plant
FREQUENCY REDUCTION
FRIENDLY PLANT (Less Prone to People or Equipment Failings): Simpler Plant
Simpler to:
• design
• build
• operate
• maintain
ALTERNATIVE - UNFRIENDLY PLANT (Prone to Failings): Complex Plant
Needs Extra:
• hardware
• control systems
• engineered safeguards
to prevent or control failings, leading to a complex (unfriendly) plant, and extra:
1. manpower
2. training
3. procedures
4. management controls
to make plant operable
27.3 REDUCING THE CONSEQUENCES
If a hazard cannot be eliminated, whether for process, financial or other reasons, then reduction
of consequences should be considered. The reduction of the consequences of an event falls
into two categories:
(i) Reducing the consequences of the initial event
(ii) Reducing the consequences of the knock-on effects (i.e. mitigation measures after the
initial event)
Specific examples of consequence and frequency reduction methods follow. There is some
overlap with the principles of inherent safety already discussed, since if you cannot eliminate a
hazard then the next best thing is to reduce its hazard potential.
27.3.1 Measures to Reduce the Consequences of the Initial Event
Minimisation of Inventories
In the design stage of a project it is often possible to minimise the quantities of hazardous
material in process or in storage.
In operation it may also be possible to reduce hazardous inventories, or to maintain lower
inventories in process hold tanks if the risk of leakage from such tanks is more serious than
from storage tanks.
Similarly, the use of minimum pipe sizes will also minimise consequences following pipeline
failure by minimising the potential release rate.
Use of Less Hazardous Materials
Substitution of one material for another may allow reduction of accident consequences if the
new material is less toxic or less volatile than the former material.
Use of Lower Temperatures or Pressures
Reducing the severity of process conditions can result in lower discharge rates in an accident,
or less vapour generation.
Active Systems for Inventory Reduction
Active systems can be used for diverting hazardous releases from the process in the event of
an incident. Such systems are aimed at reducing potential consequences following the initial
release. Examples of these types of systems are emergency blowdown systems, where high
pressure inventories are depressurised to a safe system, such as a flare system, burn pit, knock
out drum, etc.
27.3.2 Measures to Reduce the Consequences of the Knock-On Events
Emergency Protection Systems
These systems are used to reduce the consequences of a hazardous release once it has
occurred. They include the following:
• active fire fighting/protective systems such as water spray, deluge, foam etc.
• active gas dispersion or scrubbing systems, such as steam or water curtains
• passive systems such as fire protective insulation, blast walls etc.
Plant Siting and Layout
In most industrial situations a cost effective measure for reduction of the consequences of an
accident is to ensure that there is nothing or no one within the area at risk. Munitions
factories have traditionally used this principle, which can be applied also in the case of toxic
releases, explosive clouds, and fires.
Plant siting should, of course, be considered for offsite consequences, and should consider risk
from materials transport as well as process hazards.
Site layout should consider domino effects and plant damage from adjacent units, and also safe
locations for control rooms and other manned areas, and for emergency services.
Emergency Plans and Procedures
Here we are talking about consequence mitigation, i.e. how the consequence of an accident
can be reduced by prompt and effective intervention. This depends critically on preparedness
and training of emergency staff, and the availability of suitable equipment to carry out the
plans.
Avoiding Ignition Sources
By eliminating ignition sources on a plant the consequences following a flammable release will
be minimised, i.e. the flammable gas will not ignite but will disperse safely. Although it is
normal practice when handling flammable materials to control ignition sources (flameproof
equipment, etc.), with large releases there is an increased risk that these releases will find a
source of ignition.
Secondary Containment
Process equipment which contains highly toxic materials may be contained in a specially sealed
building maintained at sub-atmospheric pressure. In the event of a toxic release a blower system
would be used to evacuate the toxic air and pass it through a chemical treatment/scrubbing
system, thus avoiding or at least minimising release to atmosphere.
27.4 REDUCING THE LIKELIHOOD (FREQUENCY)
The following are examples of methods which can be used to reduce the likelihood
(frequency) of the initiating event.
Using Less Hazardous Materials
It may be possible to avoid the use of a particular material in favour of one which is less
corrosive thus reducing the likelihood of vessel failure.
Low Pressure or Temperature
Use of lower pressures or temperatures, or the avoidance of pressure or temperature cycling
will reduce the likelihood of mechanical failure of equipment.
Use of High Safety Factors
Increasing the margin between design conditions and operating conditions will reduce the
likelihood of mechanical failure. For example if a plant contains a particularly toxic material
then the design pressure could be increased to well above the operating pressure to minimise
the chances of failure. Such a procedure can be used also to avoid the need for relief devices
if these could lead to a hazardous release. Heavy gauge process piping can often be employed
to reduce the risk of mechanical damage.
Use of Exotic Engineering Materials
Where the risk of corrosion can be a significant contributor to the likelihood of a hazardous
release, a change to an ‘exotic’ material can reduce this likelihood.
Process Interlocks and Shutdown Systems
If control failure on a process plant can lead to circumstances in which a hazardous release
could occur, process interlocks and shutdown systems are often employed to reduce the
probability. In such cases an improvement in reliability of such a system can further reduce the
risk.
Effective Safety Management Systems
An effective safety management system will reduce the likelihood of a hazardous event
occurring by ensuring that safe systems of work are in place and that hazards are identified
and controlled.
27.5 RISK REDUCTION BY PLANT LAYOUT
Safety is of major importance when considering site layout. The most important feature with
regard to siting is the distance between the site and built-up areas.
In general, distance always tends to reduce casualties but this relationship is affected by the
nature of the land. However, it is important not to rely on distance as the principal means of
protection. The plant should be designed and operated to high standards whatever its
location.
If the hazard is an explosion then the main dangers are from the blast wave which can cause
human body damage, building collapse and injury or damage due to flying glass and other
missiles. Explosion overpressure falls off rapidly with distance, but the effects are immediate
and allow no time for evacuation.
For toxic releases distance reduces the concentration of the gas cloud. There is also a time-lag
before these effects occur, which may allow evacuation or other emergency measures to
be carried out.
An area of low population density around a works will contribute towards minimising
casualties. However, land is in demand and therefore providing unpopulated areas around
major hazard sites is not practical, especially in the UK. The compromise is therefore to limit
population around these sites so as not to exceed a specified risk level to the local population.
According to Lees (Loss Prevention in the Process Industries) the following are some of the
ways in which plant layout can affect safety and loss prevention:
1. Minimisation of vulnerable pipework
2. Segregation of different risks
3. Containment of accidents
4. Efficient and safe construction
5. Facilitation of process operation
6. Efficient and safe maintenance
7. Minimisation of personal injuries
8. Safe control room design
9. Emergency control facilities
10. Fire fighting facilities
11. Access for emergency services
12. Security
For more details on designing plant layout to reduce risk refer to Lees, Loss Prevention in the
Process Industries, Volume 1, Chapter 10.
27.6 RISK REDUCTION AND ORGANISATIONAL CULTURE
Douglas McGregor developed one of the most long-lasting models for motivation in the
organisation. His model is described by Theories X and Y and the two corresponding
approaches to management. This model is particularly useful because it provides the link
between motivation factors and styles of management and has implications for the preferred
forms of organisational culture.
Theory X is characterised by a belief that people are inherently lazy and will only respond to
threats – “carrot and stick”. The X-style manager comes to understand the work environment
through statistics and analysis and takes a prescriptive approach in order to achieve
organisational objectives.
More optimistically, Theory Y is characterised by a belief that people want some control of
their work and, if given the opportunity, they are essentially self-directed. The Y-style
manager is more likely to use problem-solving and facilitation in the work environment, and
will set goals towards organisational objectives.
Modern management thinking recognises and prefers the strength of the Y-style approach.
This approach implies that people must be given time and space to plan their actions and
consider what is to be done, and encourages assessment and problem solving based on
understanding. The X-style simplifies and limits understanding of the organisation; it also
assumes that the organisation can be controlled through mechanistic methods. Conversely, the
Y-style tends to grow understanding of the people in the work environment and takes a more
organic approach.
McGregor’s thinking has guided all subsequent work on organisational culture.
James Reason in “Managing the Risks of Organisational Accidents” provides a definition of
organisational culture:
Shared values (what is important) and beliefs (how things work) that interact with an
organisation’s structures and control systems to produce behavioural norms (the way we do
things around here).
James Reason draws from the work of many organisational theorists and describes the main
components of a culture for managing risk as:
• Informed culture: one in which those who manage and operate the system have
current knowledge about human, technical, organisational, environmental, business
factors
• Reporting culture: an organisational climate in which people are prepared to report
their errors and near-misses
• Just culture: an atmosphere of trust in which people are encouraged, even rewarded,
for providing essential risk-related information, but in which there is a clear line drawn
between acceptable and unacceptable behaviour
• Flexible culture: during emergencies the organisation can shift from a conventional
hierarchical model to a flatter professional structure, where control passes to experts
on the spot, and then reverts back to the traditional bureaucratic mode once the
emergency has passed
• Learning culture: the capability, willingness and competence to draw the right
conclusions from management information systems.
“Learning disabilities are tragic in children, but they are fatal in organisations. Because of
them, few corporations live even half as long as the person – Most die before they reach the
age of forty.” Peter Senge.
High Reliability Organisations:
The ideas on the importance of a flexible culture are drawn from the concept of “High
Reliability Organisations” (HRO). Karl Weick, the guru of HRO, states that the key to
organisational reliability is developing a culture of “mindfulness”, in which staff are constantly
wary of the dangers, sensitive to new and surprising occurrences and have sufficient resources
to deal with emergencies when they arise. Complex systems such as hydrocarbon plants have
a capacity to produce novel or surprising events. The HRO approach states that it is not
possible (or even desirable) to develop a procedure for every possible hazardous event.
Attempts to develop such procedures are potentially dangerous because written procedures
eliminate thinking.
HROs also rely on redundancy. This is not just a matter of running the plant with more people
than are needed for normal operation, but also includes ‘the principle of requisite variety’
according to which it is necessary to match the variety in the things going on in a system with
a variety of human resources. Other features of HROs:
• Encourage and reward the reporting of errors. (They are preoccupied with failure.)
• Do not simplify interpretations of events. (Simplification limits the precautions that
people take.)
• Do not over-specify the structure of work. (If safety becomes a matter of routine,
attention is dulled.)