## PT Notes

### Designing Risk Matrices

*PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.*

Risk matrices are used widely in process safety to rate and rank risks posed by processes to help with decision making. For example, commonly they are used in process hazard analysis (PHA) to rate the risks of hazard scenarios and determine the need for risk reduction. Use of risk matrices finds favor because they appear to be simple to understand, provide a clear rationale for risk estimates, do not require specialized expertise, and are graphically appealing. However, there are no industry or government standards for risk matrices for process safety. Consequently, risk matrices are constructed intuitively but arbitrarily by companies without the benefit of established industry guidelines.

Risk matrices are deceptively simple but their design and use are rife with pitfalls, even for experienced users. Some of these pitfalls are not obvious and invalid risk ratings can result which are unrecognized. In PHA, the results of an otherwise well-performed study may be invalidated by use of poorly designed risk matrices.

Issues that must be addressed in designing risk matrices include:

• Range of scenario severities and likelihoods to be addressed

A risk matrix must cover the overall ranges of consequence severities and likelihoods that may be encountered and used in all studies that will use the risk matrix. Consequence severities may range from the minor to the catastrophic and likelihoods may range from likely to extremely unlikely. The endpoints of the overall ranges of severities and likelihoods must be defined. The objective in defining the overall ranges is to include any values that could possibly be encountered. If practitioners find a scenario for which they believe the severity or likelihood falls outside the overall range, the risk rating scheme is most likely inadequate and does not meet the needs of the study.

• Number of severity and likelihood levels

Scenario severities and likelihoods are defined as levels or categories. Each level or category represents a value, or part of the range of values, of severity or likelihood. The number of severity and likelihood levels should be consistent with the ability of practitioners to discriminate between levels.

Risk matrices that effectively force many scenarios into one risk level should be avoided. Enough levels must be used to provide sufficient discrimination across the spectrum of possible values. However, risk rating is a subjective process that has its limits. There are significant uncertainties involved and the level of discrimination must be commensurate with what is practical. Large numbers of levels should be avoided because they require more discrimination than can be accomplished by a PHA team. Too many levels will leave practitioners in a quandary regarding which level to assign when several seem possible.

• Definitions of severity and likelihood levels

Severity and likelihood levels defined in purely qualitative terms such as “high”, “medium”, and “low” are of little value in process safety other than for rough screening or possibly for ranking risks within an individual project. Such schemes are open to widely different assignments of severity and likelihood by team members owing to the subjectivity involved in assigning levels. Consequently, companies typically provide definitions for each of the severity and likelihood levels in more meaningful terms. Usually, the levels are described more quantitatively. This does not mean that a quantitative analysis is being performed; rather the definitions are used to guide the assignment of levels by the analysts.

There should be no overlap in the endpoints of the ranges for severity or likelihood levels in order to avoid ambiguity in the assignment of values to levels. Definitions of severity and likelihood levels must not be too close, otherwise analysts will not be able to decide which level to assign. The ranges of severity and likelihood covered by each level should not be too large as this may force difficult choices between adjacent levels. Such a rating scheme may bias the choice if the decision guidance for one selection is more onerous than another. Analysts may feel justified in making the selection that produces the less onerous result since they are conflicted as to which level is the appropriate one. The narrowest ranges that permit discrimination between levels should be used.

It is useful to provide a likelihood level that denotes an event or scenario is not credible so as to avoid the prolonged discussion by analysts that may otherwise occur. Similarly, it is useful to provide a severity level for which there is no adverse impact.

• Decision requirements to be used

Decision requirements are associated with risk levels in a risk matrix. They specify the actions required for events or scenarios that fall into each risk level. Typically, the requirements specify the amount of risk reduction needed and/or the type of action needed for risk reduction. Companies must decide on the decision requirements to be incorporated into their risk rating schemes so that suitable risk levels can be defined.

Of course, decision requirements for risk levels must correlate with the risks posed. Decision requirements usually vary according to the type of consequence and the type of casualty. The decision requirements and framework of the As Low As Reasonably Practicable (ALARP) principle are often used.

Decision requirements based on risk ratings must be workable. For example, high severity scenarios in PHA often are assigned the lowest likelihood value, usually on the basis that many existing safeguards would need to fail. Thus, if the decision requirement for such scenarios is other than “no action needed”, nothing can be done to achieve tolerable risk as the addition of a safeguard will only decrease the likelihood since PHA assumes all safeguards fail and, therefore, no credit is taken for consequence severity mitigation unless credit is taken for certain safeguards, such as passive ones. However, crediting any safeguards in this way may violate regulatory requirements in some jurisdictions. Thus, risk matrices should contain a lowest likelihood level for the highest severity level such that the corresponding risk level does not require any further risk reduction.

Decision guidance must be appropriate to the underlying risks. It must be viewed as reasonable in the eyes of the practitioners whose confidence in their work may otherwise be undermined. Decision requirements also must be reasonably achievable for the processes where they will apply. There is little point in requiring risk reduction actions that are infeasible, impractical or nonsensical.

• Number of risk levels

Each combination of severity and likelihood levels is assigned to a risk level. A sufficient number of risk levels must be defined to provide discrimination for decision making. Adjacent risk levels must provide sufficient risk discrimination to permit meaningful differences in the decision requirements for the risk levels, recognizing the uncertainties in the severities and likelihoods used in their estimation.

• Assignment of risk levels

Different decision requirements are associated with each risk level in risk matrices. Some risk matrices apply the same decision guidance to events and scenarios of comparable risk. In such cases, assignments must be consistent so that combinations of severity and likelihood values that yield the same risk values are assigned to the same risk level, i.e. the underlying risks for each risk level must be comparable for all events or scenarios assigned to that level. However, aversion to high consequence events often is incorporated into the decision requirements.

Different risk levels should not share the same underlying risk values. Risk matrices can be designed to minimize this problem and, in particular, avoid risk ranking reversals.

• Calibration of risk matrices with risk tolerance criteria

The assignment of decision requirements to risk levels must reflect a company’s risk tolerance criteria. Risk matrices must be calibrated according to a company’s risk tolerance criteria through the appropriate assignment of decision requirements to risk levels.

In order to calibrate risk matrices, the overall facility risk tolerance criteria must be allocated to events or scenarios by estimating the number of hazardous events or hazard scenarios possible and dividing an the overall facility risk tolerance criterion by that number. For people, both individual and group risk are of concern. Each has its own risk tolerance criteria. Consequently, risk matrices are needed for each type of risk to people.

Also, the number of events or scenarios may differ for different facilities and therefore risk matrices must be calibrated for each facility. Similarly, the number of scenarios for each consequence type will vary and risk matrices may need to be calibrated for each consequence type individually. Furthermore, the reference risk tolerance criteria may differ for different facilities and companies. Consequently, each facility and company will need to address its own appropriate calibration and use of customized risk matrices.

Companies should develop risk matrices that produce consistent risk ratings across all their processes and facilities to encourage consistent decisions on risk reduction. The design and calibration of risk matrices to a common standard and the performance of risk rating in accordance with a defined procedure help to ensure consistency.

The design of risk matrices is described in:

*Guidelines for designing risk matrices*, Process Safety Progress, Volume 37, pages 49–55, Issue 1, March 2018.

You may contact Primatech for further information by clicking here.

To comment on this PT Note, click here.

Copyright © 2018, Primatech Inc. All rights reserved.