RISK ASSESSMENT

Peer-Reviewed

THE POWER OF WH
Assessing & Understanding
By Bruce K. Lyon and Georgi Popov

T
TWO SMALL WORDS, when asked in the form of a question, can identify and analyze a system’s major hazards and hazard expo-
be most powerful in reducing risk and uncertainty. For serious sure scenarios, causes, deviations or weaknesses that can lead
injuries and fatalities that have occurred, the question is what to hazards, existing controls and needed controls to achieve an
if the causes, conditions and controls were better understood? acceptable risk level (Lyon & Popov, 2018).
Would it have been possible to prevent such incidents from Like HAZOP and other PHA methods, what-if analysis is
occurring? What if, indeed. However, the time for the OSH used to breakdown a series of actions or steps to understand pro-
professional to ask, “what if?” is before such incidents occur: cess-related hazards and their causes and effects. A PHA is a set
during the planning, designing, developing, installing, operat- of organized and systematic analyses of identified hazards and
ing and maintaining of systems. What-if analysis and assess- controls associated with a process. It provides information to as-
ment can be a most powerful tool in controlling risks to an sist in making decisions for improving safety and reducing oper-
acceptable level throughout the life cycle of a system. ational risk associated with a process. A PHA is directed toward
For example, in chemical operations, the question becomes analyzing potential causes and consequences of fires, explosions,
“What if an operator mixes two incompatible chemicals?” or releases of toxic or flammable chemicals, and focuses on equip-
“What will happen if sulfuric acid and sodium hypochlorite ment, instrumentation, utilities, human actions and external
(better known in its less concentrated form as bleach) are mixed factors that may impact the process. In many cases, an additional
in a quantity that could produce a cloud containing chlorine and benefit of conducting such an analysis is a more thorough under-
other toxic compounds?”; “What if the cloud impacted workers standing of the industrial process, leading to opportunities for
on site and members of the public in the surrounding communi- improving process efficiency and cost reduction.
ty?” Such questions can be critical in understanding the effects In the U.K., risk assessments have been legally required of
and preventing or reducing operational risks. businesses since 1999 by the Health and Safety Executive. How-
ever, in the U.S., few hazard analyses and risk assessments are
Traditional What-If Methods required by law. Two exceptions include OSHA’s Process Safety
Originally developed by the British chemical industry in Management of Highly Hazardous Chemicals (PSM) standard,
the 1960s as an easier alternative to the hazard and operability and EPA’s Risk Management Plan (RMP) rule, both of which
study known as HAZOP, what-if methods have become a com- require PHAs (Popov, Lyon & Hollcroft, 2016). Following are
mon process hazard analysis (PHA) method for process safety brief summaries of these two standards:
management. The primary objectives of what-if analysis are to •Established in 1992, OSHA’s PSM (29 CFR 1910.119) requires
process hazard analyses for regulated industrial processes con-
KEY TAKEAWAYS taining 10,000 lb or more of a hazardous chemical for protecting
• The concept of using the what-if question to determine potential
effects is important and fundamental to assessing and controlling
the employees working in and around such processes.
•EPA’s RMP rule (40 CFR Part 68 Chemical Accident Preven-
risk. It is essentially reasoned curiosity for the purpose of discovery tion Provisions), issued in 1994 because of the Clean Air Act
to reduce uncertainty. Amendments of 1990, mirrors the OSHA PSM requirements
• The traditional what-if analysis has limitations as a hazard analy­
sis technique. It does not estimate risk levels and, therefore, does
for process hazard analyses in regulated facilities for the pur-
pose of protecting the public and the environment from unde-
not distinguish which hazards present the greatest risk. sired consequences of explosions or releases.
• By coupling the what-if methodology with an estimation of risk,
a powerful and valuable tool can be added to the risk management
Specifically, OSHA’s PSM standard addresses mandated
process hazard analyses in 1910.119(e)(1) stating that “an initial
tool kit. The authors propose such a tool with a modified what-if process hazard analysis (hazard evaluation)” of covered pro-
risk assessment that incorporates risk analysis and evaluation. A cesses be conducted by the operation. What-if hazard analysis
case study is presented to illustrate its application. is one of several PHA methodologies referred to in the OSHA

36 PSJ PROFESSIONAL SAFETY JUNE 2020 assp.org

HAT IF
g Risk
PSM standard and EPA RMP rule as an acceptable method TABLE 1
(Popov et al., 2016). Methods listed in OSHA 1910.119(e)(2) APPROPRIATE PHA METHODS
considered appropriate to determine and evaluate process haz-
ards are described in Table 1.
In addition to OSHA and EPA, the what-if method is listed Methods listed in OSHA 1910.119(e)(2) considered appropriate to deter-
as a hazard analysis method in several consensus standards mine and evaluate process hazards.
including ISO 31010:2019, Risk Management—Risk Assessment PHA method Description
Techniques, ANSI/ASIS/RIMS RA.1-2015, Risk Assessment, What-if Uses a multi-skilled team to create and
and ANSI/ASSP Z590.3-2011(R2016) Prevention Through De- answer a series of what-if type
sign. ISO 31010 also includes an annex that provides a descrip- questions. This method has a relatively
tion of the method and its application. loose structure and is only as effective as
the quality of the questions asked and
Hazard Analysis, Risk Analysis & Risk Assessment the answers given.
To know which methods to apply in different situations, it is Checklist Uses established codes, standards and
important to understand several key terms. The term hazard well-understood hazardous operations
analysis is sometimes used interchangeably with risk analysis or as a checklist against which to compare
even risk assessment. But OSH professionals should understand a process. A good checklist is dependent
specific differences among the terms hazards, risks, hazard on the experience level and knowledge
analysis, risk analysis and risk assessment. of those who develop it.
•Hazards are defined as having the potential for harm and in- What-if/checklist A team-based, structured analysis that
clude aspects of technology and activity that, if left uncontrolled, combines the creative, brainstorming
can create risk; in other words, hazards are a source of risk. Haz- aspects of the what-if method with the
ards are produced by equipment, technology, energy sources, sub- systematic approach of the checklist.
stances and chemicals, and materials, and by human actions and The combination of techniques can
inactions. Basic workplace hazard classifications include physical compensate for the weaknesses of each.
and mechanical, chemical, biological, ergonomic and psychosocial. Hazard and A team-based, structured, systematic
•Risks are produced from hazards when their exposures to operability study review of a system or product that
people and assets pose a chance for loss. This chance for loss or (HAZOP) identifies risks using guide words that
risk (R) is measured by the likelihood (L) of the event occurring question how the design can fail due to
and the resulting severity (S) of the loss. certain limitations and deviations of the
•Hazard analysis is the process of determining whether operation.
credible means exist from failures or other causes that could Failure mode Technique used to identify the ways
lead to an incident or undesired event. Hazard analysis involves and effects systems and their components can fail
CECILIE_ARCURS/E+/GETTY IMAGES

analysis of identified hazards, existing controls and potential analysis (FMEA) and the resulting effect.
exposures. As a result, it produces a range of possible conse- Fault-tree Technique used for identifying and
quences and severity estimates. analysis analyzing factors that can contribute to
•Risk analysis includes hazard analysis plus the selection of a a specified undesired event. Causal
consequence and its severity level (S), the analysis of how the event factors are deductively identified,
could occur and its likelihood (L), and an estimate of risk level. organized in logical manner and
•Risk assessment includes all the steps in risk analysis fol- represented pictorially in a tree diagram.
lowed by an evaluation of risk: comparing the estimated risk

assp.org JUNE 2020 PROFESSIONAL SAFETY PSJ 37

FIGURE 1
COMPARISON OF HAZARD ANALYSIS, RISK ANALYSIS & RISK ASSESSMENT

Hazard Identify hazards,

Analyze range
controls and
analysis exposures
of severities

Risk Identify hazards, Analyze how event Estimate

Choose a severity risk level
controls and could occur and its
analysis exposures
consequence (S)
likelihood (L) (S) x (L) = R

Evalute risk level

Identify hazards, Analyze how event Estimate
Risk Choose a severity risk level
against risk criteria
controls and could occur and its
assessment exposures
consequence (S)
likelihood (L) (S) x (L) = R
to determine
action

FIGURE 2 process or operation, or at a more specific focus such as a piece

of equipment, procedure or activity. Some areas where what-if
WHAT-IF RISK REDUCTION PROCESS can be useful include:
•process safety management operations that contain hazardous
Define
purpose chemical processes (e.g., refrigeration and chiller systems contain-
Document
and scope
Assemble ing ammonia such as meat packing, food processing and storage);
findings team •nonroutine activities such as equipment installations, repair
or decommission;
•business continuity threat assessments and tabletop drills to
Communicate Communicate develop emergency scenarios and necessary measures for pre-
results objectives paredness, disaster recovery and business continuity;
•design safety reviews of new facilities, systems and equipment;
•management of change procedures;
•procurement of new technology, equipment or materials.
Select Gather Although relatively easy to apply, this method relies heavily
additional information
controls on the experience and knowledge of the what-if analysis team.
Therefore, it is critical to assemble an experienced facilitator
and team knowledgeable in the process.
Break down
Assess risks tasks/ What-If Analysis Process
elements The what-if hazard analysis method uses a cross-functional
Answer Generate team to discuss aspects in a random, creative fashion, asking
what-if what-if what-if questions to identify any weaknesses, deviations or haz-
questions questions
ards. The team should include subject matter experts in the sys-
tem or component being analyzed and be led by an experienced
level with the established risk criteria to determine acceptabili- facilitator. While brainstorming, the team identifies potential
ty and actions required (Figure 1). hazard scenarios and their causes, assesses the risk with any
The traditional what-if method and its variants are consid- existing controls for these hazards, and selects additional con-
ered hazard analyses rather than risk assessments. However, trols needed. The team generates a spreadsheet listing the tasks
the authors propose modifying the method to include the addi- or elements and posed what-if questions along with resulting
tional steps of a risk assessment presented in this article. consequences, existing safeguards, risk levels and recommend-
ed additional controls. A recorder or scribe must collect and
Application of the Traditional What-if document the findings.
A traditional what-if analysis is a team-based, qualitative Figure 2 illustrates the what-if continuous improvement risk
method that uses brainstorming to determine what can go reduction process. The following steps detail this process.
wrong in a given scenario. Variants of what-if include what-if/ 1) Define context. As part of the context, define a clear pur-
checklist and structured what-if analysis. Although the method pose and scope including the activity or system to be analyzed,
was originally used by chemical and petrochemical industries, boundaries of the analysis, level of detail desired and risk crite-
what-if and its variations have become widely used in other ria to be used.
industries including energy, manufacturing, high-tech, food 2) Assemble team. Select a cross-functional team of trained,
processing, transportation and healthcare. experienced and knowledgeable members to conduct the what-if
What-if analysis can be applied at virtually any point of the analysis. An experienced facilitator and scribe are also needed.
life cycle of a system; it is commonly used to identify failures or Members from the engineering, design, production, operations,
deviations and the resulting effect so that proper controls can maintenance, and safety, health and environmental departments
be implemented. It can be used broadly to analyze a system, are generally included. Knowledge of design standards, regula-

38 PSJ PROFESSIONAL SAFETY JUNE 2020 assp.org

tory codes, operational error potential, incident history, mainte- participate meaningfully; and it leads to deeper insight, espe-
nance needs and other practical experience is required. cially for those conducting the analysis. However, it also has
3) Communicate objectives. The facilitator should clearly some limitations, such as: 1) it is only useful if the right ques-
communicate to the team the purpose, scope, boundaries of the tions are asked; 2) it relies on the intuition and experience of
analysis and team responsibilities. The team must also under- team members; 3) it can be subjective and create greater poten-
stand the risk criteria and definitions to be used in the analysis. tial for bias; and 4) it can be more difficult to translate results
4) Gather information. Facilitator gathers applicable in- into convincing arguments for change. Therefore, the success of
formation regarding the system, historical information, spec- the what-if technique depends in large part on the experience
ifications and instructions, and provides it to the team for and knowledge of the facilitator and the team.
review. The team should observe the activity or system in place.
Particularly, prior to the analysis the team should gather and SWIFRA: Structured What-If Risk Assessment
study reference materials such as piping and instrumentation A traditional what-if analysis does not typically include a
diagrams, schematics, drawings, instruction manuals, main- risk estimation and is considered a hazard analysis. Hazard
tenance and service guidelines, component specifications, and analyses, such as job hazard analyses, are useful in identifying
safeguarding elements. and analyzing hazards, however, they do not provide risk-based
5) Break down into tasks/elements. Using information gath- information needed for prioritizing, treating and managing
ered, break down the activity or system into sequential tasks or risks. ISO 31010:2019 touches on this shortcoming where
elements for analysis. the standard suggests that the structured what-if technique
6) Generate what-if questions. For each task/element, the (SWIFT) “summarize risks” as the team considers the current
team generates what-if questions to identify potential hazards controls and include the “description of the risk,” its causes,
and hazard scenarios. The questioning process is applied to consequences and expected controls. For these reasons, the
each task separately, investigating potential scenarios such authors have developed the structured what-if risk assessment
as procedural upsets, miscommunications, operator errors, (SWIFRA), a method that expands the analysis to include how
equipment failures and software errors. An unstructured or and why with the what-if question and incorporates risk esti-
structured brainstorming method can be used. As team mem- mation, evaluation and recommended risk treatments.
bers pose specific what-if questions, the scribe records each It is common to use a qualitative or semiquantitative risk as-
question on a flip chart or laptop projection in view of the team. sessment method to rank the actions created in terms of priori-
Additional questions are generated during this process and are ty (ANSI/ASSP/ISO/IEC, 2019). To convert a hazard analysis to
recorded by the scribe. The facilitator completes and refines the a risk assessment, several components must be addressed. First,
list of what-if questions for the analysis. specific consequences are selected to be analyzed and assessed.
7) Answer what-if questions. The team discusses and an- Then, for each consequence, an estimate of its severity (S), like-
swers each what-if scenario as to the causes, resulting effects lihood of occurrence (L) and risk level (R) are determined. The
and consequences, and existing safeguards or controls. estimated risk levels are then compared and evaluated with the
8) Assess the risks with current con-
trols. An estimate of severity and likeli- FIGURE 3
hood can be included in the analysis. A TRADITIONAL WHAT-IF HAZARD ANALYSIS EXAMPLE
risk level is estimated based on the se-
verity and likelihood of occurrence. Risk
What-If Analysis
levels are evaluated and compared to a
predetermined criterion. If the risk levels Facility/operation/process:
are not acceptable, additional risk treat- Date: Team:
ment is recommended based on the risk
A. Process
treatment strategies (Lyon & Popov, 2019).
ID # What-if . . . Causes Consequences Controls Recommendations
9) Select additional controls. Apply ad- A.1
ditional risk reduction measures as neces-
sary. Risk reduction options are identified A.2
and selected according to the hierarchy of A.3
controls, effectiveness and feasibility.
10) Communicate results. Following
the analysis, finalize the spreadsheet and
communicate the recommendations to de- FIGURE 4
cision makers for further action (Figure 3). SWIFRA WORKSHEET
11) Document findings. The what-if
analysis spreadsheet can be used as an
action plan for documentation, assigning Structured What-If Risk Assessment (SWIFRA)
responsibilities and completing recom- # What-if? How? Why?
Current
L S
Risk Risk level
acceptable
Additional
L2 S2
Risk
% RR
mended risk reduction measures. controls level (Y/N) controls level 2
1
Figure 3 shows an example of a tradi-
tional what-if hazard analysis form. 2
Benefits of a what-if analysis technique
3
include that it is easy to use; employees
with little risk assessment expertise can

assp.org JUNE 2020 PROFESSIONAL SAFETY PSJ 39

FIGURE 5
SEMIQUANTITATIVE RISK ASSESSMENT MATRIX EXAMPLE (5 x 4)
Severity of injury or illness
Critical (C)
Negligible (N) Marginal (M) Hospitalization of Catastrophic (CAT)
First aid or minor Minor injury, lost three or more Death or permanent
medical treatment. workday incident. people. Disability in total disability.
excess of 3 months.
1 2 3 4
Frequent (F)
Almost certain to
occur with exposure. Medium Serious High High
5
Has occurred more 5 10 15 20
than once within past
12 months.
Probable (P)
Very likely to occur
Medium Serious High High
with exposure. Has 4
4 8 12 16
occurred within past
Likelihood of occurrence

12 months.

Occasional (O)
Likely to occur. Has Low Medium Serious High
3
occurred within past 3 6 9 12
24 months.

Remote (R)
Can occur if
Low Medium Medium Serious
conditions exist. Has 2
2 4 6 8
occurred within past
36 months.

Improbable (I)
Unlikely to occur. Has Low Low Low Medium
1
not occurred in past 5 1 2 3 4
years.

TABLE 2 method to the following case study

based on the CSB (2018a) investigation
RISK SCORING LEVELS & ACTION EXAMPLE from a chemical release in October
2016. Readers can view an animated
Risk level Risk score Action reenactment of the incident in a video
High 12 or higher Operation not permissible; immediate action required produced by CSB (2018b).
Serious 7 to 11 Remedial action required; high priority CSB Investigation Summary
Medium 4 to 6 Remedial action recommended On Oct. 21, 2016, inadvertent mixing
Low 1 to 3 Considered acceptable; action discretionary of incompatible chemicals at a chemi-
cal processing facility in Atchison, KS,
caused a chemical release. The mixture
established risk criteria to determine acceptability and required of the two chemicals, sulfuric acid and sodium hypochlorite
action. A second feature is added to the SWIFRA: a multiple (bleach), produced a cloud containing chlorine and other
questioning process that asks 1) what-if; 2) how it is possible; compounds. The cloud affected workers on site and members
and 3) why it is possible. The purpose of the multiple what, how of the public in the surrounding community. The incident
and why is to discover the systemic causal factors underlying occurred during a routine chemical delivery of sulfuric acid
the surface causes, much like a five-why method. from a chemical supplier cargo tank motor vehicle (CTMV)
Figure 4 (p. 39) shows an example of a SWIFRA worksheet. To at the chemical facility tank farm. The county’s department
demonstrate the additional risk assessment steps, a simple semi- of emergency management ordered thousands of community
quantitative 5 x 4 risk assessment matrix (Figure 5) can be used members to shelter in place and others to evacuate in some
along with corresponding actions for risk levels found in Table 2. areas. More than 140 people, including members of the pub-
lic, chemical processor employees and a chemical supplier
Case Study: SWIFRA of Chemical Release Event employee, sought medical attention; one worker and five
To demonstrate the inclusion of risk assessment in a members of the public required hospitalization as a result of
modified SWIFRA, the authors applied this modified exposure to the cloud produced by the reaction.

40 PSJ PROFESSIONAL SAFETY JUNE 2020 assp.org

 FIGURE 7
DISTANCE BETWEEN FILL LINES

FIGURE 6
CONNECTION AREA
As-found state of connection area post-incident: Sulfuric acid fill line
padlock (circled) placed on angle iron; sodium hypochlorite dust cap
on the ground beneath the fill lines.

Note. Reprinted from “Key Lessons for Preventing Inadvertent Mix-

ing During Chemical Unloading Operations: Chemical Reaction and
Release in Atchison, Kansas (No. 2017-01-I-KS),” by CSB, 2018.

FIGURE 8
UNIQUE FILL LINE SHAPES & SIZES
CSB recommended using unique fill line shapes and sizes to avoid mis-
matching chemicals during deliveries.
Note. Reprinted from “Key Lessons for Preventing Inadvertent Mix-
ing During Chemical Unloading Operations: Chemical Reaction and
Release in Atchison, Kansas (No. 2017-01-I-KS),” by CSB, 2018.

While this incident involved two specific substances, the ac-

cidental mixing of many acids and bases or other incompatible
chemicals during unloading operations and other activities can
lead to dangerous reactions. Chemical unloading operations
from CTMVs may be perceived as simple compared to other
processes in fixed facilities, but because these operations can
involve extremely large quantities of chemicals the consequenc-
es of an incident may be severe (CSB, 2018a).
As described in the CSB report, CTMV drivers rely on opera-
tors to unlock and identify the fill line designated for the chem-
ical being transferred. Operators show drivers the appropriate
fill line. Once the equipment is unlocked, operators return to the
control room. Drivers then remove the dust cap and connect the
chemical discharge hose from the cargo tank to the fill line.
The connections to the sulfuric acid and sodium hypochlo-
rite fill lines looked the same and they were situated in close
proximity to each other. Figure 6 shows the connectors as they
were found post-incident: the sulfuric acid fill line padlock (cir-
cled) placed on angle iron; sodium hypochlorite dust cap on the
ground beneath the fill lines (CSB, 2018a).
CSB found that the proximity of the sulfuric acid fill line to
the sodium hypochlorite fill line increased the likelihood for
an incorrect connection during chemical unloading. The five
chemical fill lines in the chemical transfer area were all located
near each other; significantly, the sodium hypochlorite fill line
was about 18 in. from the sulfuric acid fill line (Figure 7). In
addition to the incompatibility of sodium hypochlorite and
sulfuric acid, the other chemicals delivered to facility presented
reactivity hazards if mixed. Note. Reprinted from “Key Lessons for Preventing Inadvertent Mix-
CSB recommended physically isolating or using distance to ing During Chemical Unloading Operations: Chemical Reaction and
separate fill lines to lower the risk of incorrect connections. Release in Atchison, Kansas (No. 2017-01-I-KS),” by CSB, 2018.
Physical separation is considered a passive control and can be

assp.org JUNE 2020 PROFESSIONAL SAFETY PSJ 41

FIGURE 9
SWIFRA OF CASE STUDY
Structured What-if Risk Assessment (SWIFRA)
Risk level
Risk Risk
# What if? How? Why? Current controls L S acceptable Additional controls L2 S2 % RR
level (Y/N) level 2
. . . the operator connects to the The filling ports are all the Original design - not Signage/labeling; Design unique connections for each chemical.
wrong chemical during filling? same allowing mismatching of previously considered. procedural training Upgrade chemical unloading and transfer
Answer: Chlorine gas generation chemicals. Management not aware. equipment with chemical portal separation,
1 and possible release, possible 4 3 12 N signage, locks and fittings; update procedures and 2 3 6 50%
fatalities and injuries. training.

. . . the operator is exposed to Inadvertently connecting and Universal ports allow Signage/labeling; Design unique connections for each chemical.
chlorine gas? filling wrong chemical causing mismatching. Connecting procedural training Upgrade chemical unloading and transfer
Answer: Probable death or chlorine gas release. Operator procedure requires operator equipment with chemical portal separation,
2 severe injury. at point of connection in to be a point of release. 4 3 12 N signage, locks and fittings; update procedures and 2 3 6 50%
proximity of release. training. Provide emergency escape respiratory
protection.
. . . local population is exposed to Inadvertently connecting and Univeral ports allow Signage/labeling; In addition to above controls, add new emergency
chlorine gas release? filling wrong chemical mismatching. Community procedural training shutdown devices to complement the devices
Answer: Possible multiple generating and releasing within 1 mile of tank farm. Task that were already in place. Upgrade monitoring,
3 fatalities and injuries to public chlorine gas that drifts over complexity or design; 4 4 16 N detection and warning equipment to decrease 2 3 6 63%
and workers, business community. communication; experience. the risk of chemical releases.
interruption.

especially important when receiving various classes and types data analysis, observations) to develop a list of valid and relevant
of chemicals (CSB, 2018a). The agency also recommended using what-if questions to uncover possible problems the system.
a combination of fill line shapes and sizes to avoid incorrect 2) Create the spreadsheet. The team facilitator loads the list
connections during deliveries (Figure 8, p. 41). of what-if questions into the SWIFRA spreadsheet.
3) Answer the what-how-why. The team goes through each
What-If Analysis what-if question with a multiple what-if or why question pro-
Now, imagine if the company had conducted a traditional cess to determine potential failure modes and their systemic
what-if analysis and asked what if it was possible to mismatch casual factors, as well as controls. For example, in the chemical
connections? What if the operator inadvertently connects the release case study, the team would ask, “what if the operator
wrong chemical while filling tanks? What if the operator had mixes sulfuric acid and sodium hypochlorite connections
noticed that lines were mixed and was able to shut down the during filling of tanks?” The next questions might be, “how
supply line in time? What if only minor quantities of chlorine would this possibly happen?” and “why is this possible?” This
gas were released? would likely lead to conclusions that the current design of the
Certainly, a what-if analysis of the system could prove benefi- filling ports can be easily mismatched with the only existing
cial in preventing such incidents. However, a traditional what-if control measures being procedural and dependent on the indi-
analysis has certain limitations and possible deficiencies. For vidual filling the tanks. The answers generated from the team
example, an inexperienced facilitator may lead the team to are entered into the appropriate columns in the worksheet.
brand it as a near-miss and recommend better procedures and 4) Identify existing controls. The related controls for the
additional training. A more experienced facilitator would use possible what-if are identified and listed in the worksheet.
what-if with a risk reduction model and continue to ask what- 5) Analyze risk. Based on the answers developed and exist-
if questions. S/he may consider cascading what-if questions ing controls, the team estimates likelihood, severity and risk
where the consequences from the previous what-if question level. Figure 9 provides an example using the case study. Con-
would become the next what-if question, much like a five-why sidering the low-level controls, the team estimates likelihood
method. One such question might be, what if chlorine gas was of mixing the lines as probable (4) and severity as critical (3),
released? Consequences might be a Clean Air Act violation and producing a risk level of 12.
an EPA fine of up to $1.7 million. If the near-miss scenario was 6) Evaluate risk. Evaluating the risk level of 12 compared to
not considered a catastrophic consequence, a massive fine and the established risk criteria, it is determined that the risk is un-
the damaged reputation of the organization might be consid- acceptable, requiring additional risk treatment.
ered catastrophic. In fact, on March 6, 2019, both companies 7) Add controls. Based on the findings, the team uses the hier-
were indicted by the U.S. Attorney’s office for violations of the archy of controls model to select and formulate additional controls.
federal Clean Air Act. If convicted, they may face fines of up to 8) Analyze risk reduction. Considering the added controls,
$1.7 million. the team analyzes likelihood, severity and risk levels for each
what-if question, and project a risk reduction factor.
SWIFRA Model
Similar to a traditional SWIFT method, the SWIFRA model Risk Treatment
incorporates structured what-if questions, followed by asking The CSB report indicates that as the agency conducted the
how it is possible and then why it is possible. A risk estimation investigation, the facility managers were also examining their
is also added to the method for current state and future state own processes and equipment to identify opportunities to
along with a risk reduction percentage to help communicate reduce risk and prevent recurrence. As a result, the company
risk reduction to decision makers. The steps for applying a implemented several layers of controls specific to the facility’s
SWIFRA are: ventilation system and chemical transfer equipment, with spe-
1) Develop the what-if questions. The team performs research cial focus on the fill lines, transfer valves, transfer piping, tanks
(e.g., document reviews, interviews, past incidents, historical and associated equipment (CSB, 2018a):

42 PSJ PROFESSIONAL SAFETY JUNE 2020 assp.org

FIGURE 10 Conclusion
HIERARCHY OF RISK TREATMENT For the chemical release incident investigated by CSB, what if
the organization had conducted an effective risk assessment of
the chemical filling process? Would such an assessment identify
problems in the system such as the need to design chemical fill
Avoid
lines to only accept the right chemical? The answer is likely yes.
Eliminate However, until such questions are asked about critical systems,
Substitute uncertainty and risk will remain.
Minimize With a proactive risk assessment and management process, or-
Simplify
ganizations can reduce uncertainty and the potential for serious
incidents. Methods such as what-if analysis and SWIFRA can be
Passive control
powerful tools in identifying, assessing and communicating risk
Active control within an organization. OSH professionals should equip them-
Warn
selves with such tools. The time to ask, “what if?” is now. PSJ

Adminstrative References
ANSI/ASIS International (ASIS)/Risk and Insurance Management
PPE Society (RIMS). (2015). Risk assessment (ANSI/ASIS/RIMS RA.1-2015).
Alexandria, VA: ASIS.
ANSI/ASSP. (2016). Prevention through design: Guidelines for ad-
dressing occupational hazards and risks in design and redesign process-
Note. From “Risk Treatment Strategies: Harmonizing the Hierarchy es [ANSI/ASSP Z590.3-2011(R2016)]. Park Ridge, IL: ASSP.
of Controls and Inherently Safer Design Concepts,” by B.K. Lyon and ANSI/ASSP/ISO. (2018). Risk management—Guidelines (ANSI/ASSP/
G. Popov, 2019, Professional Safety, 64(5), pp. 34-43. Copyright 2019 ISO 31000-2018). Park Ridge, IL: ASSP.
by ASSP. Reprinted with permission. ANSI/ASSP/ISO/IEC. (2019). Risk management—Risk assessment
techniques (ANSI/ASSP/ISO/IEC 31010-2019). Park Ridge, IL: ASSP.
CSB. (2018a). Key lessons for preventing inadvertent mixing during
chemical unloading operations: Chemical reaction and release in Atchi-
•Upgrading chemical unloading and transfer equipment with son, Kansas (No. 2017-01-I-KS). Retrieved from www.csb.gov/mgpi-pro
chemical portal separation, signage, unique locks and fittings. cessing-inc-toxic-chemical-release-
•Implementing an innovative key control and chemical un- CSB. (2018b, Jan. 3). Mixed connection, toxic result [Video]. Re-
loading sequences. trieved from https://youtu.be/Tflm9mttAAI
•Improving movement within the control room by moving EPA. (1997). Chemical accident prevention provisions (40 CFR 68).
the center control console from the middle of the control room Retrieved from www.epa.gov/rmp
to the walls. Lyon, B.K. & Popov, G. (2018). Risk management tools for safety pro-
•Conducting several PHAs covering propylene oxide, phos- fessionals. Park Ridge, IL: ASSP.
phorus oxychloride and acetic anhydride. Lyon, B.K. & Popov, G. (2019, May). Risk treatment strategies: Har-
monizing the hierarchy of controls and inherently safer design concepts.
•Removing the acetic anhydride process entirely, leaving only Professional Safety, 64(5), 34-43.
four liquid bulk chemicals at the facility instead of five, thus re- OSHA. (2013). Process safety management of highly hazardous
ducing the number of bulk flammable chemicals from two to one. chemicals (29 CFR 1910.119). Retrieved from www.osha.gov/laws-regs/
•Upgrading monitoring and detection equipment to decrease regulations/standardnumber/1910/1910.119
the risk of chemical releases. Popov, G., Lyon, B.K. & Hollcroft, B. (2016). Risk assessment: A practi-
•Adding new emergency shutdown devices to complement cal guide to assessing operational risks. Hoboken, NJ: John Wiley & Sons.
the devices that were already in place.
•Installing more emergency supplied air packs along the
Bruce K. Lyon, P.E., CSP, SMS, ARM, CHMM, is vice president with Hays
egress path. Cos. He is chair of the ISO 31000 U.S. TAG, vice chair of ANSI/ASSP Z590.3 stan-
As identified by the CSB investigation, these potential failure dard, advisory board chair to University of Central Missouri’s (UCM) Safety Sci-
modes, causes and needed control measures could have been ences program and a director of BCSP. Lyon is coauthor of Risk Management Tools
identified and the incident prevented by conducting a thor- for Safety Professionals and Risk Assessment: A Practical Guide to Assessing Op-
ough risk assessment of the system. Methods such as SWIFRA, erational Risk. He holds an M.S. in Occupational Safety Management and a B.S. in
HAZOP and failure modes and effects analysis can be used to Industrial Safety from UCM. In 2018, he received the CSP Award of Excellence from
assess such situations before they result in loss. BCSP. Lyon is a professional member of ASSP’s Heart of America Chapter, and a
The primary objective of OSH professionals is to achieve and member of the Society’s Ergonomics and Risk Management practice specialties.
maintain an acceptable level of risk, a risk level that is as low as Georgi Popov, Ph.D., CSP, QEP, SMS, ARM, CMC, FAIHA, is a pro-
reasonably practicable. The use of a hierarchical system for se- fessor in the School of Geoscience, Physics and Safety Sciences at UCM. He is
lecting risk reduction strategies is a fundamental concept in safe- coauthor of Risk Assessment: A Practical Guide for Assessing Operational Risk
ty management (Lyon & Popov, 2019). As always, risk treatment and Risk Management Tools for Safety Professionals. Popov holds a Ph.D. from
plans should be built beginning with higher-level controls that the National Scientific Board, an M.S. in Nuclear Physics from Defense Univer-
seek to avoid or eliminate the hazard, substitute lower hazards, sity in Bulgaria and a post-graduate certification in environmental air quality.
He graduated from the U.S. Army Command and General Staff College in Fort
minimize quantities of hazard energy, simplify systems, and Leavenworth, KS. Popov is chair of ANSI/ASSP Z590.3 standard, a professional
incorporate passive and active engineering controls (Figure 10). member of ASSP’s Heart of America Chapter and a member of the Society’s
Risk treatment plans should also incorporate layers of controls Risk Management Practice Specialty. He received the chapter’s 2015 Safety
that provide multiple layers that prevent, detect, protect, and mit- Professional of the Year (SPY) Award and the 2016 ASSP Region V SPY Award. In
igate as well as provide redundancies for critical failure points. 2017, Popov received ASSP’s Outstanding Safety Educator Award.

assp.org JUNE 2020 PROFESSIONAL SAFETY PSJ 43