RISK AND SAFETY

RISK
Risk is the potential that something unwanted and harmful (a hazard) may occur. It is commonly expressed as the product of the probability of an undesirable event and the severity of its effect. Risk can be either objective or subjective:
- Objective risk of an activity depends on how likely the negative event actually is to occur. For instance, the objective risk of losing money when you bet on Arsenal on Betika is the actual probability that Arsenal fails to win, whatever the bettor happens to believe.
- Subjective (perceived) risk depends on what you believe about the world. Example: in the 1990s, some people believed that the radiation from cell phones (ordinary, non-ionising electromagnetic radiation) could cause cancer. When the hypothesis was tested scientifically, the subjective risk turned out to be much higher than the objective risk: large studies have found no evidence that ordinary electromagnetic radiation from cell phones causes cancer.

HAZARDS
Hazards can be defined as the damage or undesirable effects that a technology, or its use, can cause. Let us look at a few examples.

HAZARDS EXAMPLE: COAL MINING
Between 1900 and 1975, about 600 million tons of coal were mined in the province of Limburg in the Netherlands (Pöttgens, 1988). Over an area of about 220 km2 the ground surface dropped by 2.5 m on average, and by more than 10 m in some places. The subsidence damaged houses, and the mining companies paid hundreds of millions in damages. The risk of damage to the houses was known in advance, but it was thought to be outweighed by the benefits of the coal mining.

HAZARDS EXAMPLE: DC-10 DISASTER
On March 3, 1974, the cargo door of a DC-10 opened in flight. As a result the aircraft crashed, killing 346 people. The risk was known beforehand, at least to some of the people involved: a similar accident had almost occurred on June 12, 1972, and the possibility of this type of accident had already been anticipated in a Failure Mode and Effect Analysis (FMEA) of the cargo doors in the late 1960s.
No action had been taken to reduce or avoid the risk because of an ongoing conflict between the supplier responsible for the door (Convair) and the aircraft manufacturer (Douglas). Neither party wanted to weaken its legal position by taking the first step towards changing the design, even though both were aware of the shortcomings. (Convair's management also ignored a memo written by one of its engineers in which the shortcomings of the door design were outlined.)

HAZARDS EXAMPLE: TACOMA NARROWS BRIDGE COLLAPSE
In 1940, the Tacoma Narrows Bridge in the United States collapsed. The design was innovative, but the deck began to oscillate when it was hit by side winds, and the bridge finally collapsed after it had been closed for safety reasons. The designers had not anticipated the vibration: from experience with earlier bridges, they had wrongly concluded that much narrower (more slender) suspension bridges could be built.

HAZARDS EXAMPLE: ASBESTOS
Asbestos came into large-scale use at the beginning of the 20th century because of its heat resistance, durability and good insulating properties. Over time, however, it proved to have extremely harmful side effects. Inhaling asbestos fibres can lead to asbestos-related diseases such as asbestosis and mesothelioma (cancer of the lining of the lungs or abdomen), which can be lethal. These diseases become manifest only after several decades. It is estimated that as many as 10,000 people in the US and 4,000 people in the UK die each year of asbestos-related diseases. The use of asbestos has been banned in many countries.

HAZARDS
The previous examples reveal the following:
- Hazards are inherent to technology.
- Even with foreknowledge of hazards, risks are taken because of expected advantages, or for other, less reasonable human reasons (as in the DC-10 case).
- It is not possible to know all the hazards beforehand: a technology may fail in an unforeseen manner, or have unforeseen side effects.
- It may not be clear exactly how a hazard can be attributed to a specific technology.

COMPLEXITY OF PREDICTING HAZARDS
It is not always possible to predict hazards beforehand and express them reliably as risks, for several reasons:
- Ignorance: we do not know what we do not know.
- Ambiguity: different interpretations or meanings may be given to the measurement, characterisation and evaluation of hazards.
- Complexity of the causal relations between potentially harmful agents and specific undesirable effects, e.g. interactions between substances and specific environments, and intervening variables.
- Uncertainty: situations in which the type of consequence is known, but probabilities cannot meaningfully be assigned to its occurrence.

ASSESSMENT OF RISK
Personal risk is assessed with respect to the individual:
- Assess voluntary activities.
- Assess the degree of occupational hazard and its effect on health.
Public risk is assessed by estimating the loss of assets and the costs of correction:
- Loss of, or reduction in, future income or earning capacity due to the loss of limbs or of their capability.
- Costs associated with the accident, including transplants or reinforcement of body parts/limbs and medical treatment.
- Costs of welfare, including rehabilitation, provision of less demanding alternative jobs and other disability benefits.

PERCEPTION OF RISK
Perception of risk varies from person to person, with physical condition, age, experience, expertise, etc. Various factors influence the perception of risk:
a) Probability of the risk (the statistical nature of its occurrence).
b) Consequences of the risk: their quantitative measure (physical damage, economic loss, environmental degradation, mental agony) and the possibility of controlling them.
c) Perceived voluntariness of the risk: taken for thrill and amusement, or under compulsion.
d) Magnitude, i.e.
the number of people and the extent of the area involved.
e) Proximity: the closeness of the relationship with those affected, or the gap in time. Close risks are usually experienced as greater than risks further away.
f) Method of information dissemination: the way risks are presented and the risk measure that is used.

ASSESSING ACCEPTABILITY OF RISK
How do you assess the acceptability of a risk (whether personal or public)?
a) New or unfamiliar risks are more likely to be unacceptable to the public than familiar risks.
b) Voluntarily assumed risks are more likely to be considered acceptable than involuntarily imposed risks. A voluntary risk is one that people take on knowing that the action is unsafe, e.g. car racing or stunts. Jobs involving higher risks generally command higher wages.
c) Free and informed consent, equity and justice are important factors in the acceptability of risk.

DISCUSSION
Mention a technology whose risks are acceptable while the technology itself is unacceptable. Can you also think of an example of a technology that is acceptable while its risks are unacceptable?

SAFETY
Safety is a matter of how people would judge risks to be acceptable or unacceptable if they knew the risks and based their judgement on their most settled value perspective. A risk is acceptable when those affected are generally no longer (or not) apprehensive about it. This depends on:
- whether the risk is assumed voluntarily;
- how the probabilities of harm (or benefit) are perceived;
- job-related or other pressures;
- whether the defects of a risky activity or situation are immediately noticeable or close at hand;
- whether the potential victims are identifiable beforehand.

HOW TO ENSURE SAFETY
- Inherently safe design: avoid hazards altogether, for example by replacing hazardous substances, mechanisms and reactions with less hazardous ones.
- Safety factors: structures are usually built stronger than the load they will probably have to bear, by applying a safety factor.
- Negative feedback mechanism: the device shuts down, or reverts to a safe mode, when it fails or the operator loses control, e.g. manual reversion when the autopilot develops a fault.
- Redundancy in design: a chain of safety barriers designed to operate independently, so that if the first fails the others still prevent or minimise the effects, e.g. nuclear reactors have redundant systems for cooling the reactor core; a fuse in a plug blows or a circuit breaker trips.
- Safe exit: a product that fails should (1) fail safely, (2) be possible to abandon safely, and (3) allow the user to escape safely.

CASE STUDY: BHOPAL GAS TRAGEDY
Union Carbide India Limited was a subsidiary of Union Carbide Corporation, with Indian-government-controlled banks and the Indian public holding a 49.1% stake. It manufactured phosgene, monomethylamine, methyl isocyanate (MIC) and the pesticide carbaryl (Sevin). The MIC plant started production in 1979, MIC being an intermediate in the manufacture of Sevin.

On December 3, 1984, water entered tank E610, which contained about 40 tons of MIC. The exothermic reaction raised the temperature inside the tank to over 200 °C and increased the pressure. About 30 metric tons of MIC escaped from the tank into the atmosphere, where a weak wind that frequently changed direction spread the gas over a wide area in a short time (about one hour). Within two hours the chemicals had formed a deadly cloud over hundreds of thousands of people, including poor migrant labourers who lived close to the plant.

CASE STUDY: BHOPAL GAS TRAGEDY
Workers made the following attempts to save the plant:
- They tried to turn on the plant refrigeration system to cool the tank and slow the reaction.
  (The refrigeration system had been drained of coolant weeks before and never refilled; it cost too much to run.)
- They tried to route the expanding gases to a neighbouring tank. (That tank's pressure gauge was broken and indicated the tank was full when it was really empty.)
- They tried to purge the gases through a scrubber. (The scrubber was designed for flow rates, temperatures and pressures that were a fraction of what was by then escaping from the tank, and was therefore ineffective.)
- They tried to route the gases through a flare tower to burn them off. (The supply line to the flare tower was broken and had not been replaced.)
- They tried to spray water on the gases to knock them down to the ground; by this time the chemical reaction was nearly complete. (The gases were escaping at a point 120 feet above ground; the hoses could reach only 100 feet.)

CASE STUDY: BHOPAL GAS TRAGEDY
Methyl isocyanate gas in high concentration burns whatever part of the body it comes into contact with, blinding eyes and destroying lungs.

CASE STUDY: BHOPAL GAS TRAGEDY
Factors contributing to the magnitude of the gas leak:
- A very high inventory of MIC, an extremely toxic material: the tank was over 75% full, against Union Carbide's own specification that it should never be more than 60% full.
- The company's West Virginia plant used computerised control of the safety systems and computerised leak detection; the Bhopal plant relied on manual control and manual leak detection.
- Non-existent catastrophe management plans. Some safety systems were switched off to save money, including the MIC tank refrigeration, which should have kept the MIC at about 4.5 °C instead of 20 °C.
- There was only one manual back-up system, compared with a four-stage system at Union Carbide's plant in the USA.
- Lack of skilled operators: the plant was understaffed to save costs.
- The accident occurred in the early morning, and most of the people killed lived in a shanty (poorly built) town very close to the plant fence.
- Inadequate emergency action plans.

DISCUSSION: NAIROBI PIPELINE FIRE
On September 12, 2011, a fuel tank in the Lunga Lunga area of Nairobi, part of a pipeline system operated by the state-owned Kenya Pipeline Company (KPC), sprang a leak: a pipeline valve failed under pressure, allowing fuel to run into the sewer. The managing director of KPC is reported to have said that the spill came from two pipelines and that engineers had already depressurised the Sinai pipeline, but not in time to stop fuel leaking into the sewer. People in the adjacent, densely populated shanty town of Sinai had started collecting the leaking fuel when, at about 10 a.m., a massive explosion occurred at the scene and fire spread through the Sinai area. Approximately 100 people were killed and at least 116 others were hospitalised with burns of varying severity. Reports indicate that the fire might have been started by a discarded cigarette, or by a change of wind that carried embers from nearby garbage fires.
What lessons can you derive from this episode?

TO READ: Chernobyl Nuclear Power Plant (case study at the end of these notes).

RISK ASSESSMENT
Risk assessment is a systematic investigation in which the risks of a technology or activity are mapped and expressed quantitatively in some measure of risk. Risk assessments are used to determine the acceptability of risks. There are four ethical considerations in assessing risks:
a) The degree of informed consent to the risk.
b) The degree to which the benefits of a risky activity outweigh its disadvantages and risks.
c) The availability of alternatives with lower risk.
d) The degree to which risks and advantages are justly distributed.

RISK ASSESSMENT: INFORMED CONSENT
Risks are more acceptable if those who run them consent to them. Those running the risk must have received complete information about it. Challenges to informed consent:
- Consumers are often incompletely aware of the risks, e.g.
people buy cell phones without being aware of any possible health risks.
- Technical products may impose risks on people other than the buyers or sellers of the products, without their consent, e.g. paint containing organic solvents that contribute to environmental problems such as smog.

RISK ASSESSMENT: ADVANTAGES VS RISK
Do the advantages outweigh the risk? Risks are acceptable if the benefits of the activity outweigh its costs; cost-benefit analysis is based on this supposition. Limitations:
- Fallacy of pricing: it is not always possible to express all the relevant costs, benefits and risks in money in a comparable fashion.
- Little attention is paid to informed consent and to the just distribution of costs and benefits, although these are important ethical considerations too.

RISK ASSESSMENT: AVAILABILITY OF ALTERNATIVES
The acceptability of the risks of a technology depends on the availability of alternatives with lower risks. Compare:
- Technology A: an alternative with lower risk exists. The risks of A are unacceptable.
- Technology B: the same risk as A, but no alternative is available. The risks of B are acceptable.
"Best available technology" refers to an approach that does not prescribe a specific technology but uses the best available technological alternative as the yardstick for what is acceptable.

RISK ASSESSMENT: DISTRIBUTION OF RISKS AND BENEFITS
Are risks and benefits justly distributed? Equal treatment with respect to risk can be achieved by setting standards so that the maximum permissible risk is, in principle, the same for everybody. Objection: people do not get to choose which risks they find acceptable; the regulator, usually the government, decides for them.

UNCERTAINTIES IN RISK ASSESSMENT
Certain aspects make the estimation of risk complex and unreliable:
- Restricted access to knowledge about the risk, e.g. legal restrictions.
- Uncertain behaviour of materials: manufacturers' data are only statistical.
- Varying behaviour in user environments, e.g. thermal shock, fatigue, creep.
- Use or misuse of materials/products, e.g. exposure to snowy or damp weather changing their properties.
- Newer applications of obsolete technologies remaining unpublished.
- Substitution of newer materials whose behaviour is not disclosed.
- Unexpected and unintended outcomes of the product or project.

RISK ASSESSMENT: PRECAUTIONARY PRINCIPLE
The precautionary principle demands that if there is (1) a threat which is (2) uncertain, then (3) some kind of action (4) is mandatory. New technologies bring potential hazards about which we are uncertain. Under the principle there is no need to determine the probability of, say, a nuclear meltdown; it is enough to establish that a sufficiently bad outcome may occur if no precautionary measures are taken. Nanotechnology is an example: the behaviour of synthetic, non-biodegradable nanoparticles is uncertain.
The precautionary principle as stated in the Report of the United Nations Conference on Environment and Development (the Rio Declaration): "Where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing cost-effective measures to prevent environmental degradation."

EXERCISE: HOW RISK IS COMMUNICATED
Consider the following situations. Two programs are proposed for the safety of 600 people.
Alternative 1: If Program A is followed, 200 people will be saved. If Program B is followed, there is a 1/3 probability that 600 people will be saved and a 2/3 probability that nobody will be saved.
Response: 72% of the target group chose option A and 28% option B.
Alternative 2: If Program A is followed, 400 people will die. If Program B is followed, there is a 1/3 probability that nobody will die and a 2/3 probability that 600 people will die.
Response: only 22% of the target group chose option A and 78% option B. (Both alternatives describe exactly the same outcomes; only the framing, as lives saved or as lives lost, differs.)

COMMUNICATION OF RISK: MESSAGING
The manner in which risks are presented greatly influences how the audience perceives them. An option framed in terms of a sure gain is preferred over one whose gains are presented as risky or merely probable; an option framed in terms of a sure loss is avoided in favour of one whose chance of success is presented as probable. People can therefore take opposite decisions on the basis of the same information framed differently. The risk measure used also influences how people interpret risks, and ethical judgements are often hidden in the choice of a particular risk measure.

ENGINEERS COMMUNICATING RISK AND PUBLIC POLICY
- Engineers should be aware that the public's approach to risk is not the same as theirs.
- Engineers should not say "risk" when they mean "probability of harm"; the two terms should be used distinctly.
- Engineers should avoid saying "there is no such thing as zero risk". The public's definition of "zero risk" is a familiar risk that requires no further deliberation.
- Engineers should recognise that the public does not always trust experts, and should therefore acknowledge the possible limitations of their position.
- Engineers should also be aware that people will rely on their own values in deciding whether to act on an expert's prediction of probable outcomes.
- Engineers should take regulatory obligations (from government regulators) into account on top of the cost-benefit approach.
- Professional engineering organisations, such as the professional societies, have a special obligation to present information about probabilities of harm as objectively as possible.

RISK ASSESSMENT: SECONDARY COST OF PRODUCTS
The manufacturer needs to understand the risk in a product:
- to help reduce secondary costs;
- to know the possible risk for purposes of pricing, disclaimers, legal terms and conditions, etc.;
- to know the cost of reducing the risks;
- to take a decision before finalising the design.
The secondary cost of a product is high if it is designed unsafely, because of:
- returns and warranty expenses;
- loss of customer goodwill;
- cost of litigation;
- loss of customers because of injuries in use;
- cost of rework and time lost in attending to design problems.
The buyer needs to understand the risk in a product:
- to judge whether he or she wants to take the risk;
- to judge whether the risk versus cost justifies taking it.

RISK ANALYSIS
Probability of safe operation = 1 − probability of failure
Risk = probability of occurrence × magnitude of consequence
Different methods are available to determine the risk (testing for safety):
1. Testing the functions of the safety-system components.
2. Destructive testing: testing continues until the component fails. It is expensive, but very realistic and useful.
3. Prototype testing: testing is done on a proportional scale model with all vital components fitted. Dimensional analysis can be used to project the results to actual conditions.
4. Simulation testing: simulations are run on a computer. The safe boundary can be obtained, and the effects of controlled input variables on the outcomes can be predicted more reliably.

RISK ANALYSIS: ANALYTICAL METHODS
The safety of a product or project can be analysed using several analytical methods:
1. Scenario analysis
2. Fault tree analysis
3. Event tree analysis
4. Failure mode and effect analysis (FMEA)

SCENARIO ANALYSIS
A scenario is a synopsis of events or conditions leading to an accident and the subsequent loss. Starting from an event, different consequence scenarios are constructed and the means of facing the consequences are designed. The steps in scenario building are:
1) Identify the hazard of interest.
2) Identification
and characterisation of risk: what can go wrong that could lead to a hazard?
3) Quantification of risk, likelihood and magnitude: develop a planned scenario. How likely is it to happen?
4) Develop a scenario tree: if it happens, what are the consequences?
Match the probability and loss characteristics of the various exposures to your intuition of risk (through loss scenarios).

SCENARIO ANALYSIS: EXAMPLE
Consider three loss scenarios facing a transport and logistics company.
- Scenario A: a truck carrying dangerous cargo overturns in a populated area. A spill occurs, resulting in an explosion or a release of toxic chemicals.
- Scenario B: the company is found liable for an accident involving bodily injury and property damage from relatively "ordinary" road hazards. No spill or disruption of cargo is involved.
- Scenario C: multiple simultaneous catastrophes strike the company fleet.
Probability/loss combinations:
- Scenario A (probability of occurrence 0.001, loss potential Kes. 100M): deemed sufficiently possible and significant. RISKY.
- Scenario B: more probable, but affordable to the firm. NOT RISKY.
- Scenario C: the probability is extremely low (virtually impossible), though the loss potential is great. GRAY AREA.

FAULT-TREE ANALYSIS
The failure (undesirable event) is first defined, and the events (causal relationships) leading to that failure are identified down to component level. The method can combine hardware failures and human failures. The main elements of a fault tree are:
- Top event: the description of the critical system event.
- Basic events: the lowest level of identified causes.
- Logic gates, such as OR and AND gates, which give the logical relationship between the top event and the basic events.

FAULT TREE ANALYSIS
When there is an unexpected breakdown, performing a fault tree analysis helps to get to the root cause.
Example: if the fire protection system fails, there are two possible failure modes: either (hypothesis A) the fire detection system failed, or (hypothesis B) the fire suppression system failed.

FAULT-TREE ANALYSIS: CRASH AT THE MAIN ROAD JUNCTION
Consider the probability of a crash at a main road junction. The fault tree in the figure has the following structure:
- Top event: crash at the main road junction.
- AND gate: a car is at the main road junction, and the side road car fails to stop.
- Side road car fails to stop (OR gate): the side road driver could not stop, or the side road driver did not stop.
- Side road driver did not stop (OR gate): driving too fast; driver too ill; vision obscured.
- Side road driver could not stop (OR gate): road too slippery; brake failure; tyres worn.

EVENT-TREE ANALYSIS
The catastrophe is selected as the final event, and a tree is constructed relating the sequence of events which, individually or in combination, could lead to it. Event trees show the path by which we arrive at the catastrophic event.
Distinction between FTA and ETA:
- FTA is used for cause analysis. It proceeds backwards in time from a possible catastrophic accident to examine the components of the sequences and their probabilities of failure.
- ETA is used for consequence analysis. It proceeds forwards in time from potential component failures to the final accident.
- ETA complements FTA and can be used to explore both the success and the failure alternative at each level.

EVENT-TREE ANALYSIS
Example: going late for duty. The branching structure starts with the initiator (initiating event) and leads to the bad event (final damaged state). Options at each branch: drive your own car; use public transport (express train); call a colleague and carpool.

FAILURE MODE AND EFFECT ANALYSIS (FMEA)
The FMEA concept was introduced in the 1960s by aerospace companies and later extended to the automobile and other industries. The various parts of the system and their modes of failure (patterns, propagation and nature) are studied. FMEA requires relevant knowledge, insight and engineering judgement.
Types of FMEA:
1. Design FMEA: analyses the product design (systems and subsystems) before release to production, with a focus on product function.
2. Process FMEA: analyses manufacturing and assembly processes before they are implemented.

FAILURE MODE AND EFFECT ANALYSIS (FMEA)
FMEA is performed in several stages.
Stage 1: Identification of possibilities and definition of scope.
1. Understand the product/process and its function. This involves creating block diagrams of the product/process, showing the major components or process steps as blocks, and identifying the relations between the blocks, i.e. the inputs, functions and outputs of the design.
2. Identify the possible failure modes in the product/process. A failure mode is any way in which a component, subsystem, system or process could fail to meet the design intent. A failure mode in one component can cause failure in another.

FAILURE MODE AND EFFECT ANALYSIS (FMEA)
Stage 2: Measuring the amount of risk involved in the failure modes identified.
3. Describe the effects of each risk/failure mode as perceived by both internal and external customers. Examples of effects include injury to the user, harm to the environment or equipment, and degraded performance. A numerical severity ranking is assigned to each failure, e.g. 1 for no effect and 10 for a very severe failure affecting system operation and the user. Failures are thus prioritised so that the really critical risks can be addressed first.
4. Identify the causes of each failure mode. A cause is a design weakness that results in a failure, e.g. improper torque, contamination, excessive loading, external vibration.
5. Determine the occurrence rating, indicating the frequency of occurrence of the cause (from 1, not likely, to 10, inevitable).
6. Identify the design or process controls that prevent the cause of failure or detect the failure before it reaches the customer. These include tests, monitoring and other techniques for detecting the risk or failure.
7. Assess the detection rating:
Value 1: the design control will certainly detect the potential cause.
Value 10: the design control will not detect the cause or mechanism.

FAILURE MODE AND EFFECT ANALYSIS (FMEA)
Stage 3: Classification of the severity of effects and solutions for the causes of high risk.
8. Calculate the risk priority number (RPN) to prioritise failure modes. It is a relative measure of design risk:
RPN = Severity × Occurrence × Detection
9. Determine recommended actions to address the potential risks or failures with high RPN.
Stage 4: Revalidation after corrective and preventive actions are implemented.
10. Revalidate each action by reassessing severity, occurrence and detection and reviewing the revised RPN. The FMEA has to be updated whenever the design or process is modified.

FMEA FORM
- Identify failure modes and their effects.
- Identify the causes of the failure modes and the current controls.
- Prioritise.
- Determine and assess actions.

FAILURE MODE AND EFFECT ANALYSIS (FMEA)
For each process step:
- Identify the failure modes.
- Identify the consequences of each failure mode and rate its severity.
- Identify the potential root causes and rate the potential for occurrence.
- Document the current process controls and rate how capable they are of detecting the failure mode (detectability).
- Risk priority number: Severity × Occurrence × Detectability = RPN. The highest number is the highest risk; use it to identify which items to address first.

RISK ASSESSMENT WITH FMEA
The three ratings are Severity (S), Occurrence (O) and Detection (D). Worked example from the slides, for the process step "casting attach torque":

Failure mode | Effect | S | Cause | O | Current control | D | RPN | Recommended action | Responsible | Revised S / O / D | Revised RPN
Over torque | Casting fracture | 10 | Torque wrench not controlled | 4 | DC torque wrench used, linked to OMS | 3 | 120 | Add torque alarm and calibration at start-up | Jenny Tone | 10 / 2 / 1 | 20
Under torque | Casting separation | 9 | Torque wrench not used / controlled | (not filled in on the slide) | | | | | | |
Cross thread | Casting separation | 9 | No lead-in on bolt thread | (not filled in on the slide) | | | | | | |

COST ANALYSIS
A product involves a primary cost and a secondary cost.
P: primary cost of the product, including the estimated loss of human lives, property (assets), crops and natural resources.
S: secondary costs, including loss of human capability or earning capacity, cost of treatment and rehabilitation, damage to property, warranty costs, loss of customer goodwill and loss of customers.
M: the point of minimum total cost (P + S).
H: the highest acceptable risk. It may lie below the risk at the least-cost point M, in which case the design must be made safer than the cost minimum alone would suggest.
High safety (low risk) means a high primary cost and a low secondary cost; high risk (low safety) means a low primary cost and high secondary costs.

RISK-BENEFIT ANALYSIS
Risk-benefit analysis weighs the cost of taking a risk against the benefit. Project feasibility is first judged on risk-benefit analysis, and only thereafter on cost-effectiveness, without increasing the risk envisaged. It is done to find out:
a) What are the risks involved?
b) What benefits would accrue?
c) When would the benefits be derived, and when would the risks have to be faced?
d) Who will benefit and who will be subjected to the risk? Are they the same people or different ones?

LIMITATIONS OF RISK-BENEFIT ANALYSIS
- Benefits may go to one group and risks to another. Sometimes the people exposed to the greatest risk receive the least benefit. Is an individual or a government empowered to impose a risk on someone for the supposed benefit of somebody else?
- The units of comparison are not the same. Example: commissioning an express highway may add a few highway deaths while giving faster, more comfortable travel to many commuters. The benefits are in fuel, money and time saved; the cost is in human lives. How do we compare them properly?
- Risks to known persons are perceived differently from statistical risks.
- Both risks and benefits lie in the future. Quantitative estimation of future benefits using discounted present value may be inaccurate and sometimes misleading.
- Both risks and benefits carry uncertainties: the estimated probability may differ from time to time and from region to region.

REDUCING RISK
- Apply inherent-safety concepts in design, e.g. an LPG cylinder is fitted with a frame that protects the valve during handling.
- Use the redundancy principle in instrument protection and design.
- Use stand-by devices and back-ups for computer storage.
- Periodically monitor and test safety systems to ensure their reliability, e.g. fire extinguishers.
- Issue operation manuals, train the operating personnel and carry out regular audits to ensure that procedures are understood and followed and that systems are kept in working condition.
- Develop a well-designed emergency evacuation plan and hold regular rehearsal drills to ensure preparedness in case of emergency.

CHERNOBYL NUCLEAR POWER PLANT
• Built on the banks of the Pripyat river in Ukraine, with four reactors, each capable of producing 1,000 MW of electric power.
• Reactor unit 4 was to be shut down for routine maintenance on 25 April 1986.
• During the shutdown it was decided to perform a test to determine whether cooling of the core could continue in the event of a loss of external power.

CHERNOBYL NUCLEAR POWER PLANT
• At 1:23 on April 26, 1986, the engineers went ahead with the experiment and shut off the steam to the turbine, to see whether its inertial spinning (run-down) would power the reactor's water pumps.
• For the test the reactor's output was to be reduced to about 700 MW, but because of a sudden and unexpected grid demand the power reduction had to be halted for several hours.
• To go ahead with the test, the operators had already disconnected the emergency core-cooling system, ignoring the changed demand situation.
• Further, a control device was not properly set to hold the power at the 700-1,000 MW level, and the test was eventually conducted at about 200 MW, which is far too low for the test.
• The operators blocked all emergency signals and automatic shutdown controls, so that all the safety systems were disconnected.
• To restore power output the operators withdrew control rods and continued with the test, which stabilised the power at about 200 MW. This made the reactor unstable and was a violation of the operating rules. The temperature of the RBMK reactor rose and the fission rate increased.
• Earlier that night, an operator on the night shift had made an error by inserting the control rods too far, which put the reactor into a near-shutdown state and dropped the power output to around 30 MW.

CHERNOBYL NUCLEAR POWER PLANT
• Boiling started at the bottom of the core, and the power level of the core rose to about 530 MW.
• The engineers inserted all the control rods as an emergency shutdown, but the rods jammed about halfway in. Because of the graphite-tipped design, the absorber sections did not reach the core; instead the graphite tips accelerated the reaction as they entered, and the power surge caused an explosion.
• The surge flashed the coolant to steam, and the resulting steam explosion blew the reactor open; a second explosion is attributed to a build-up of hydrogen from zirconium-steam reactions.
• Result: the reactor core melted, the graphite moderator caught fire and radioactive material began to spread over the USSR and Europe. More than 50 tons of radioactive material was released into the atmosphere, where it was carried by air currents: 400 times the amount released by the Hiroshima bomb.

FATAL EFFECTS
• Two workers died on the night of the accident: one was killed instantly in the explosion, the other died in hospital within a few hours of admission.
• 28 emergency workers and staff died within four months of the accident from thermal burns and acute radiation effects.
• The accident led to about 7,000 cases of thyroid cancer.
• Acute radiation syndrome (ARS) was initially diagnosed in 237 people who were on site or involved in the clean-up.
• Land, air and ground water were all heavily contaminated.
• Direct and indirect exposure to radiation led to many severe health problems, including Down's syndrome, chromosomal aberrations, mutations, leukaemia, thyroid cancer and congenital malformations.
• Many plants and animals were destroyed as an after-effect.

SAFETY LESSONS
- Decisions on the test and on the change of load should have been coordinated among all the decision makers.
- Periodic emergency mock drills (safe exit) should have been arranged for the operators.
- When the test began at low load, the demand for increased output should have been declined.
- The test should have been abandoned and all controls switched back on; only then should the output have been increased.
- The containment should have been thicker, to withstand a possible explosion and limit the damage from radiation and leakage to the surroundings.