Thanks to everyone who visited the CGE stand at Hazards27 last week and commiserations to those who tried (and failed) to win my Swiss Cheese model.
Basically we asked (gullible) attendees to throw 3 ten-sided dice and if they managed to get all showing a 0 then we could say that the Threat had occurred and both Prevention Barriers had failed which would result in the Top Event being realised. We could have asked folk to throw all 5 to try and reach the Consequence but old-age was rapidly approaching.
This aimed to crudely (probability purists - back away from the keyboard!) represent a 1 in 10 year Initiating Event prevented by two control measures each with a 1 in 10 Probability of Failure (on Demand).
Whilst this was going on, a learned colleague (Ian Travers) educated us all by highlighting that the word 'Hazard' originally meant 'Chance' and aptly enough, a quick check of the Oxford University Press confirms this and further explains that it is:
Middle English: from Old French hasard, from Spanish azar, from Arabic az-zahr ‘chance, luck’, from Persian zār or Turkish zar ‘dice’.
Putting aside (for now) the gambling analogies, 1 in 10 is a familiar (lazy) number used in many analyses (e.g. both as a BPCS dangerous failure frequency and conveniently as a probability of failure on demand), so you could anticipate that getting all 3 dice to show zero might take up to 1000 throws (hence my faith that the cheese was coming home with me). You could be fooled into thinking that, even with a moderately infrequent event and a couple of low-integrity barriers, you could run for a while without incident.
Reality is never that simple and the continuing prevalence of Dangerous Occurrences (Near Hits/Misses), Incidents and Accidents shows that lining up the holes in the Swiss Cheese slices is not that difficult (uncommon) and that corrective and preventive action is required.
Learning from incidents is a recurring theme at industry events (ideally to learn from others before it happens to you) and as part of the investigation, the team will (or should) consider:
What happened (or didn't) and what did we expect to happen?
Analysing the incident from the perspective of the barriers allows us to evaluate the trajectory between Threat and Consequence (Hiccup to Hazard to Harm) and scrutinise the Presence and Performance of each of the barriers we assumed would be there and predicted would be sufficiently dependable.
It is all too easy to presume that there is 'Defence in Depth' because we have numerous barriers to halt or hinder the escalation across the Bowtie diagram (or LOPA worksheet) and that we've been conservative with our frequencies and probabilities. However, the actuality of incidents shows that the outcomes do not match well with simple arithmetical models, because:
Threats happen more often than we remember
Barriers are more likely to fail than our records show (or the manufacturers claim)
Barriers & Threats are not as independent as we'd like to think
Our drawings & documents reflect the plant "As Built" not "As Is"
You don't need to rush down to Games Workshop or dust off your Dungeons & Dragons to get some 10-sided dice to try this at home. A few regular 6-sided dice will do just as well to demonstrate the principle. I've also got a neat Excel simulator (PLAnT = Protection Layer Analysis Tool) that does this - purely for educational purposes - if you're interested or fancy your chances.
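The dice game and the independence caveat above, worked through as an added Python example (it is not the PLAnT spreadsheet and not the author's code). The beta-factor treatment of shared barrier failures and its 10% value are assumptions chosen for illustration, and the 6-sided case goes slightly beyond the game played on the stand.

```python
import math
import random

def top_event_probability(threat_p, pfd, barriers=2, beta=0.0):
    """Chance per throw (or per year) that the threat occurs and all barriers fail.

    beta = assumed fraction of each barrier's failures that share one common
    cause (simplified beta-factor model). beta=0 is the independent dice game.
    """
    independent = ((1.0 - beta) * pfd) ** barriers
    common = beta * pfd
    return threat_p * (independent + common)

def chance_within(p, throws):
    """Probability of at least one Top Event in the given number of throws."""
    return 1.0 - (1.0 - p) ** throws

def median_throws(p):
    """Number of throws by which half of all players have hit the Top Event."""
    return math.ceil(math.log(0.5) / math.log(1.0 - p))

def one_in(p):
    """'Unscientific notation': express a probability as 1 in N by inversion."""
    return f"1 in {round(1.0 / p):,}"

def simulate(players=1000, throws=1000, dice=3, sides=10, seed=27):
    """Fraction of players who see every die show 0 within their throws."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    winners = 0
    for _ in range(players):
        for _ in range(throws):
            if all(rng.randrange(sides) == 0 for _ in range(dice)):
                winners += 1
                break
    return winners / players

if __name__ == "__main__":
    p = top_event_probability(0.1, 0.1)
    print("independent:", one_in(p), "per throw")
    print("win within 100 throws: ", round(chance_within(p, 100), 3))
    print("win within 1000 throws:", round(chance_within(p, 1000), 3))
    print("median throws to win:  ", median_throws(p))
    print("simulated, 1000 throws:", simulate())
    shared = top_event_probability(0.1, 0.1, beta=0.1)
    print("10% shared failures:", one_in(shared), "per throw")
    print("6-sided dice:", one_in(top_event_probability(1/6, 1/6)))
```

With independent dice about 63% of players reach the Top Event within 1000 throws and roughly 1 in 10 do so within 100. Letting 10% of barrier failures share a cause moves the per-throw chance from 1 in 1,000 to 1 in 552.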
Don't allow the Numbers to Numb (or Dumb) you - it's easy to get drawn into scientific notation and be assured that it's a sufficiently small number, so make sure you also represent numbers in unscientific notation (simply by inversion) to get universal understanding & consent.