Overview of the “What-if/Checklist” Technique
The "What-If" technique provides a means to identify potential hazards of a facility, evaluate the significance of the hazards, evaluate the adequacy of existing safeguards, and list preliminary recommendations to reduce or eliminate the likelihood or severity of the hazards.
The "What-If" procedure involves experienced personnel brainstorming a series of questions that begin, "What if...". Each question represents a potential failure in the facility or mis-operation of the facility. The response of the process and/or operators is evaluated to determine if a potential hazard can occur. If so, the adequacy of any existing safeguards is weighed against the likelihood and severity of the potential scenario to determine whether modifications to the system should be recommended.
The "What-If" technique is one of the least structured hazard identification methods available. Its success is therefore highly dependent upon the experience of the analysts. However, it is a very flexible technique, and can be used in a wide range of circumstances. A "What-If" analysis can be conducted at any stage in the life cycle of a facility. It can be used in simple or complex situations and the level of detail treated in the study can be varied easily.
The technique is often effective for reviewing proposed changes to a facility, since it can be used to focus attention on those aspects of the facility involved in the change without the need to evaluate other parts of the facility not affected by the change.
The "What-If" technique is perhaps the most common process hazard analysis technique used, although in many cases the analysis simply uses the "What-If" thought process rather than a formal review. Despite its common usage, little has been written or documented about the technique.
What-if Checklist vs. What-if Procedure
The “What-If Checklist” technique is a hybrid of the “What-If” and Checklist techniques. It combines the brainstorming of the “What-If” technique with the structured features of the Checklist method. The study team begins the study by answering a series of previously prepared “What If” questions. The questions may have been developed by the Preliminary Hazard Assessment (PrHA) team leader based on his/her knowledge of the process, taken from a previous study, or prepared by another individual experienced with “What-If Checklist” analysis. During the study the PrHA team brainstorms additional questions to complete the analysis of the process under study.
Both “What-If” and “What-If Checklist” studies are conducted in a similar fashion.
The facility being analyzed is first broken down into smaller parts, called systems and subsystems, to simplify the study. In some cases for a small facility, the entire facility may be analyzed without dividing it into smaller parts. For each part of the facility, the system drawings and operating procedures are studied and "What If" questions are developed. The study team addresses each question in turn, analyzing the potential hazards, consequences and the response of the facility and/or operators (i.e., what safeguards exist). Each part of the facility, or step in the procedure, is systematically reviewed. Recommendations are identified, as appropriate, and assignments are made for their follow up.
Developing “What-if” Questions
The success of a "What-If" analysis is highly dependent upon the thoroughness of the "What If" questions posed. The PrHA software will provide some questions that can be used. Alternatively, questions from previous studies may be used or the team can brainstorm questions at the outset of the study. It can be useful to have each member of the team individually prepare a list of "What If" questions prior to any team meeting. The lists of each team member should be merged and edited by the team leader. The revised list can then be circulated to the team for consideration prior to the actual team meeting. The "What-If" process is dynamic: as one question is asked other questions will occur to the team. These questions should be documented as they occur for later consideration.
It is useful if some structure is used in developing and categorizing "What If" questions. For example, questions can be developed around the three basic causes of accidents: equipment failure, human error and external events. Questioning can also be focused on hazard categories such as personnel injury and equipment damage.
The results of the team review sessions are documented in a "What-If" worksheet. The worksheet is usually a part of a final report prepared to document the study effort and findings.
Process hazard analyses are usually performed by teams. The interaction of the team members results in a more thorough and complete review than would be accomplished by each individual working separately on the same project. A team typically consists of 5-7 individuals. One member is a person trained and knowledgeable in the PHA technique. The other members are usually selected for their knowledge of the process and/or technical contribution to the team.
The team leader is responsible for study preparation, guiding and managing the team, and supervising the study documentation and report generation. Team members provide information about the system to the team and identify hazard scenarios under the direction of the team leader. In some cases a technical secretary or scribe is employed to record results and prepare reports. Alternatively, the team leader assumes these responsibilities.
There is no one perfect combination of team members. However, since the team members need to be knowledgeable of the process and its operation, at least some of the team should come from the operating facility. A typical team may consist of the following members:
- Team Leader
- Process Engineering Representative
- Operations Representative
- Safety Representative
- Maintenance/Inspection Representative
- Facilities/Mechanical Engineering Representative
The actual composition of a specific team will depend upon the objectives of the study, the type of facility being studied, and other considerations. Other individuals may be used as resources for the team and brought into only those meeting sessions where their particular knowledge is needed. This approach keeps the core team to an efficient size.
A PrHA team will require a number of hours to complete a study for a typical process. The team will therefore usually hold several meetings, or working sessions, spread over several days to perform the study. Since PrHA is tiring, the sessions are usually scheduled for the morning when the team members are most fresh. The sessions are normally scheduled to last for periods of 3-6 hours. Longer sessions or afternoon sessions tend to tire the members, reducing the effectiveness of the analysis and the quality of the study.
During each session, the PrHA team records their work in a worksheet. The basic purpose of the PrHA study is to identify potential hazard scenarios. Therefore, the team should not spend any significant amount of time trying to engineer a solution when a potential problem is uncovered. If a solution to the problem is obvious, the team should document their recommended solution. If a solution is not obvious, they should recommend that someone follow up and resolve the problem outside the PrHA study. Also, if there is insufficient information available at the time to decide if a potential problem exists, the team should note it, assign someone to collect additional information, and continue with the study. The issue should be revisited later by the team, when additional information is available, to determine if a potential problem exists.
There are several factors that can influence the success of a PrHA study. These include:
- clearly understood statement of the study purpose, scope and objectives
- degree of preparation by the team leader
- experience of the team leader in leading PrHAs
- experience and breadth of knowledge of the team
- accuracy of the process drawings and other reference information
- adequacy of the study documentation
- adequacy of follow-up activities after the study is completed
- adequacy of meeting facilities
Defining a Study
The first step in conducting a PrHA is to explicitly state the purpose, scope and objectives of the study. This step directly influences the content and emphasis of the study and the time that will be required to complete the study. Also, be sure that the expected results of the study are clear to those who have requested the study. Sometimes, management has a perception of what the PrHA study will achieve which may be different from that of the team.
The purpose of the study is the underlying reason that the study was requested. Examples are:
- Comply with regulations
- Meet company policy requirements
- Address facility siting
It is also important to define the scope of the study. This includes specifying:
- physical boundaries of the system to be studied
- modes of operation to be included
- whether domino effects (effects on and from adjacent systems) are to be included
- what external events are to be treated
- extent to which recommendations for corrective actions will be developed
- whether severity and likelihood rankings will be used
- whether procedures will be treated implicitly or explicitly
Objectives are usually set by the person requesting the hazard analysis, but could be assisted by the PrHA team leader. The objectives provide a clear focus for the study. Examples are:
- Types of hazards to be treated
- Consequences to be considered
Types of hazards include:
- Toxic releases
- Fires and explosions
Possible consequences to be considered include:
- Public safety
- Public property damage
- Employee safety
- Loss of plant or equipment
- Loss of production
- Environmental impact
Other study objectives may include such items as:
- Identify the major contributors to risk at the facility
- Determine possible accident sequences for emergency planning
Defining the Risk Rankings
Optionally, the team may assess the likelihood of a hazard scenario occurring, and the severity of its consequences, given that the scenario occurs. The likelihood and severity levels can then be used to estimate the relative risk. This allows prioritizing the scenarios to more effectively address the recommendations that may arise.
If a risk ranking of hazard scenarios is used, levels and definitions should be established for severity, likelihood and risk. These should be established prior to starting the team sessions and should be agreed upon by management.
One scheme used by the government for military and aerospace applications is given in MIL-STD-882B. Definitions for severity and likelihood from this source are shown below.
MIL-STD-882B definitions of severity:
- Catastrophic I: Death or system loss
- Critical II: Severe injury, severe illness, or major system damage
- Marginal III: Minor injury, minor occupational illness, or minor system damage
- Negligible IV: Less than minor injury, occupational illness, or system damage
MIL-STD-882B definitions of probability:
- Frequent A: Likely to occur frequently
- Probable B: Will occur several times in life of an item
- Occasional C: Likely to occur sometime in life of an item
- Remote D: Unlikely but possible to occur
- Improbable E: So unlikely, assumed impossible
Various other schemes are possible.
In order to compare the potential hazards in various areas of the facility, several statistical comparisons can be made using these severity, likelihood and risk ranking estimates. The risk presented by any area of the plant depends on the number and types of hazards present, the number of ways they can be realized (causes), how likely they are to occur (likelihood) and the extent and magnitude of their consequences should they occur (number of consequences considered important and their severities).
A measure of the risk of any facility or area can then be obtained from the PHA worksheets by multiplying the number of occurrences and magnitude of each risk value in the "What If" analysis. This is called the Risk Prioritization Factor (RPF). Thus, the more scenarios that a system or subsystem has of high risk, the greater the RPF. The scale transformation of the risk value is necessary so that a high risk corresponds to a high numerical rating.
It is unwise to base decisions solely on the risk estimates, since hazard scenarios with high severities and low consequences may be neglected. Many people take the position that high severity incidents are not acceptable no matter what the consequences.
In order to develop a risk ranking of the areas, analysts usually look for groupings of areas by RPFs. On this basis, areas can usually be divided into "First Priority", "Second Priority", "Third Priority", etc. for more detailed hazard analyses.
These prioritizations must be tempered by engineering judgment and a careful check of the original worksheets to see if any unusual conditions exist that could distort the area groupings derived by statistical means.
Additional insight into the risks presented by each area of the plant is provided by calculating the percent of the total scenarios in a system or subsystem in each severity and risk category, along with the total percent of scenarios with a high risk value. This provides an indication of systems that have a high proportion of high risk hazard scenarios and consequently are potential candidates for further analysis.
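The RPF and the per-category percentages described above can be computed directly from worksheet rows. The following is an added example, not part of the original text or of any PrHA software: the risk matrix, the scale transformation (5 minus the risk value), the choice of which risk values count as "high", and the worksheet rows are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# MIL-STD-882B category labels from the text, mapped to ordinals (1 = worst).
SEVERITY = {"I": 1, "II": 2, "III": 3, "IV": 4}
LIKELIHOOD = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}
HIGH_RISK = {1, 2}  # assumption: risk values treated as "high risk"

def risk_value(sev, lik):
    """Assumed risk matrix (not taken from the standard): 1 = highest, 4 = lowest."""
    score = SEVERITY[sev] + LIKELIHOOD[lik]  # ranges from 2 to 9
    return 1 if score <= 3 else 2 if score <= 5 else 3 if score <= 7 else 4

def weight(risk):
    """Assumed scale transformation so a high risk gets a high numerical rating."""
    return 5 - risk

# Constructed worksheet rows: (system, "What If" question, severity, likelihood)
WORKSHEET = [
    ("Feed storage", "What if the tank is overfilled?", "II", "C"),
    ("Feed storage", "What if the vent is blocked?", "I", "D"),
    ("Feed storage", "What if the wrong material is unloaded?", "III", "C"),
    ("Reactor", "What if cooling water is lost?", "I", "C"),
    ("Reactor", "What if the agitator stops?", "II", "B"),
    ("Reactor", "What if the operator skips the purge step?", "I", "B"),
    ("Reactor", "What if instrument air fails?", "III", "D"),
    ("Utilities", "What if site power is lost?", "III", "D"),
    ("Utilities", "What if the steam header leaks?", "IV", "C"),
]

def summarize(rows):
    """Return RPF and category percentages for each system in the worksheet."""
    by_system = defaultdict(list)
    for system, _question, sev, lik in rows:
        by_system[system].append((sev, risk_value(sev, lik)))
    summary = {}
    for system, scenarios in by_system.items():
        total = len(scenarios)
        risk_counts = Counter(risk for _sev, risk in scenarios)
        sev_counts = Counter(sev for sev, _risk in scenarios)
        high = sum(n for r, n in risk_counts.items() if r in HIGH_RISK)
        summary[system] = {
            # RPF: occurrences of each risk value times its transformed magnitude
            "rpf": sum(n * weight(r) for r, n in risk_counts.items()),
            "pct_by_severity": {s: round(100 * n / total, 1) for s, n in sev_counts.items()},
            "pct_high_risk": round(100 * high / total, 1),
        }
    return summary

def rank_by_rpf(summary):
    """Systems ordered from highest to lowest RPF (first priority first)."""
    return sorted(summary, key=lambda s: summary[s]["rpf"], reverse=True)

if __name__ == "__main__":
    result = summarize(WORKSHEET)
    for system in rank_by_rpf(result):
        print(system, result[system])
```

Because the RPF sums over scenarios, a system with many recorded scenarios scores higher than one with few, which is why the percentage figures are reported alongside it.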
Carrying out the Review
The team uses the chosen PrHA technique to identify hazard scenarios. Different PrHA techniques vary in how they do this. Details are provided in the tutorials for each specific technique.
When evaluating the possible causes of a scenario, the PrHA team should keep in mind the three basic types of causes:
- Human error
- Equipment failure
- External events
A scenario is determined to be realistic, and is therefore subject to further review, if in the judgment of the team, there are sufficient credible causes to believe it can occur. In determining whether seemingly low probability events can occur, the relative probability of occurrence of the three basic types of causes should be kept in mind. The order of probability of occurrence generally is:
Human errors > Equipment failures > External events
Once realistic hazard scenarios are identified, any existing safeguards should be noted. If a risk ranking is being used, values of severity and likelihood are estimated. It is important that values are assigned consistently throughout the study.
If it is considered that a potentially significant hazard exists, and the existing safeguards are not adequate given the severity and/or likelihood of the event, a recommendation for corrective action may be made. An assignment of responsibility should be made to an individual or department for follow-up on the recommendation.
Even though the team leader prepares in advance for the study, in many cases the team may not have sufficient information, or knowledge, to determine whether a significant hazard potentially exists. In these cases, someone should be assigned to follow up and obtain additional information. This person can then report back to the PHA team at a subsequent meeting. The team can then assess whether or not a potential hazard exists and whether a recommendation is needed. If the problem is a lack of knowledge on the team's part, other specialists may be called in.
It is useful to track the progress of the study by marking on the Process and Instrumentation Diagrams (P&ID) those sections that have been studied. This can be done using a highlighter or by annotating the drawing. This procedure helps ensure complete coverage.
Documenting the Study
Proper documentation of a PrHA study will address the following items:
- documentation of the team sessions
- follow-up reports
- study report
A typical report may include the following sections:
- Scope and Objectives
- Study Approach
- Study Results/Findings
- Description of Hazard Analysis Study Technique
- Study Nodes and Drawings
- Action Items
- Hazard Analysis Study Worksheets
Prioritizing Action Items
The PrHA study may result in a large number of action items. The number of action items may be greater than the facility could reasonably be expected to handle at one time. To properly manage the action items, a method of prioritization of the action items is desirable to allow the facility to focus its resources. Several schemes are available to help prioritize the action items, including:
- Risk ranking: an estimate is made of the likelihood of the event and the severity if it were to occur. Risk is a combination of the likelihood and severity of an incident. A risk matrix, with likelihood and severity as the axes, is then used to determine the risk.
- Simple prioritization: a scale (e.g., 1 to 5, A to E, etc.) is used to subjectively prioritize the action items.
- Categorization: action items are categorized as either safety or procedural items. Higher priority is given to the safety items. Sub-categorization of the items in each category may also be done, such as into hardware (equipment) and procedural items. Procedural items are considered no (or low) cost items and easily accomplished.