Hi all, - feedback please - i had a noncoformance raised against 4.3.1 stating that where i have scored probability of a hazard causing injury as a 1(low- "no known instances of occurence and/or not reasonably forseeable"), as the scoring was based on the companies experience and knowledge rather than probabilistic risk. I contested this at the time - stating that the scoring was based on current controls in place, history, employees using it etc etc and that just because someone else in another company in a different part of the country had an accident with a similar piece of equipement shouldn't mean that there is a higher liklihood of it happenign here. Agreed - if this was to do with design of a machine that was resulting in failures - of course this could happen anywhere regardless of your controls - but the example used was a recipricating saw - on site for over 10 years, no accidents, well maintained, all trained etc etc - but the auditor "googled" recipricating saws and showed that there had been accidents on this type of equipment therefore the probability of this happening should be higher than low. Is it me or is this defeating the object of what i'm trying to do? Should i be googlling all activies/equipment used to see if somewhere in the world someone has been injured and then increase the probability of it happening in my company because of someones elses failures???? I use a pencil everday - and sometimes risk walking with one in my hand - if someone has previously slipped over with a pencil in hand, and stabbed themselves - does this mean i am more likely to do it too? They could have been walking throgh a spill on tiled floors - and the injury having nothign to do with using a pencil - but during a long drawn out argument with my auditor - this should be classed as probabilistic risk??????

The probability or likelihood is a subjective determination based on the maturity and successful application of your controls. Were I the auditor, I would be more inclined to take issue with your contextual use of wording "no known instances/not reasonably foreseeable". Propoability or likelihood matrix terms in my experience tend to the simpler (clearer) subjective, e.g. 1=very unlikely; 2=unlikely' 3=fairly likely; 4=likely;5=very likely (for any given injury or ill-health outcome). It's the wording that's causing the issue - not your approach or practice?

As you have already alluded to, risk assessments should be task specific and the likelihood and severity considered against the implemented controls. Considering accidents involved with the same process in different companies only helps to identify hazard pathways and lessons learned and clearly does not affect the likelihood / severity of your specific assessment. The residual risk will depend not just on the type of process / machine, but the info / instruction / trailing given, monitoring undertaken, process safety systems in place, overall safety culture etc. etc. all of which have nothing to do with what a different company are doing.

Looking with an auditors hat - No known instances - this is a general cross industry phraseology so your procedure needs to make this absolutely clear. I would question Low as a term also as the descriptor is for an event that has never happened whilst low suggets that it does occassionally. I think you need to address the methodology to get a continuous logic and flow through. I have to admit that as an auditor I am uncomfortable with Low, Medium, High as they are very coarse and do not really aid decision making. If you can create a document that leads people through including the identification of the current controls before you make an initial assement for each aspect involved. I am also not too happy with the task being defined as Use of Reciprocating Saw and that is assessed in toto - there are a range of aspects to the task each with its own risk level. It is the aspects that are not well controlled by the initial controls that need to be examined for further control. You need to aim controls at the aspect causing the hazard/risk. Bob

Evans If this was an OHSA18001 audit, i.e. Certification or surveillance then your auditor had no cause to raise an NCR. If your company has implemented a risk assessment process which meets "your" requirements whilst generally meeting the requirements of the standard then the auditor must assess you against your process ONLY. This is especially the case with regards to any form of assessment of significance for which there is no golden rule, no agreed standards and no scientific approach possible - they are all subjective to some degree or other. Seems like a harsh call.

Isnt this about the old chestnut of "Empirical risk" as opposed to "Perceptive risk" Ive never been in favour of taking into account controls to determine the initial level of risk especially where it involves Training etc as its subjectivity becomes even wider. I like the idea of "Raw Risk" or Inherent risk being identified. Once this is done you can then look at applied controls and see if the risk has actually been reduced or not. Many lay people out there think Risk assessment means everything including how you deal with a problem. I like reminding people what Risk Assesment means "ASSESS RISK" and nothing else!

Client Managers would be perfectly within their rights to raise an NCR against RA methodology if it were considered not to be effective and/or not consistent with the standard. However, there is not enough information given by the poster to comment accurately. I'd like to see the actual wording of the NCR. This is also likely to be a Minor NCR. Its possible that the CM was attempting to explain the common hazards associated with the process / equipment. If the CM identified a possible gap in the RA then it should be applauded by the Client, if relevant. If correctly assessed, NCRs are very much a positive finding - we don't know everything. Lets see the actual wording then make judgement...Poor old auditor...

Yes some are remarkably dull; however I was ‘one’ for around 15 months and have to say that most were extremely competent people. In my view it was the clients (stress some clients) that had a poor understanding of the standard. Your comment "You would think that if you have a reasonable risk assessment methodology and apply it that would satisfy the auditors" just about nails my point. The methodology must satisfy the standard not the auditor. The auditor merely assesses effectiveness. If companies want certification to give tenders a better chance (sorry make work safer...) then they must comply with the standard, it’s their choice. If the RA methodology was/is not compliant then the initial certification process was ineffective, which is another story... I thought it was an interesting job and had the same view of you until I actually did it! The reason I left…the travelling was excessive and not enough time to deliver a quality report on the day… Cheers G

How can they go from industry to industry and authoritatively understand the hazards and risks associated with each. I’ve had auditors come in to audit 9, 14 and 18 and more recently 22. They didn’t have a clue what they were looking for(they may have had one area of speciality), and that is year on year for 10 years with different “large” bodies. It was a tick exercise. In 10 years we received no NCR’s just cheesy observations to populate the report. As you have alluded to the auditors are chased from pillar to post, (time and geography wise) and can’t possibly do the job properly (Some of the auditors have told me this) If they were any good they would be in industry making large bucks (don’t take this seriously!) I think this is going off topic-sorry!!

Your auditor is saying that you are rating the probability of an accident as being too low. You justify this by saying no such accident has occurred at your workplace due to the control measures you have in place. That is a great achievement and to maintain standards such that this is consistently achieved is to be commended. You rightly feel aggrieved, but what s/he is saying is that to have a score of "1" for potentially dangerous machines is not a true evaluation. He used the example of a reciprocating saw, a Machinery Directive Annex IV item?, showing you that this machine has potential to be very dangerous. Saws can sever limbs and can kill people. Thus this machine can never be a level 1 - unless it was remotely operated and is totally enclosed.

This is precisly the reason why numerical systems etc are a nonsense IMO. They are too subjective and distract from the real issue of controlling the risk.

Broadly agree with Clairel. Numerical RA Methodology is only good as a teaching tool. Experience, intelligence, knowledge, ability, call it what you will, is how you control risk IMO. If one needs to multiply 5 x 5 to work out that the risk rating of working with electricity in a swimming pool is high, then its high time we all went for a dip!

Let us be totally frank and realise that NO RA is perfect and none will guarantee that the failure will not take place. Even with engineering approaches using failure rate figures the answer we achieve is but a mere indication. Every task is much more than the sum of its failure rates and when it comes to Human Beings the failure rate is a totally variable figure from 0-100% depending even on whether somebody cut them up on the road this morning. The best we can hope with any risk assessment procedure is to ensure reproducability across the range of assessors in any company. This means that we have to allocate some form of descriptors to the hazrd and probability coupled with some form of banding for overall risk and how the combination of descriptors fit a task into a band. Using common sense merely produces a subjective assessment what we want is a high degree of inter-subjectivity - real is unobtainable. Yes it is to some extent circular and the end controls do matter in that they should be reducing ALL the risk aspects of the task to at least an acceptable level of control. Without some form of prioritisation we end up with a scatter gun of control measures with potentially still a high uncontrolled risk lurking within the task that is still inadequately controlled. This is why a second iteration of assessment is necessary once any further control measures are added - to ensure all risks are controlled adequately. How you perform this without some form of matrix, however it is hidden or disguised I do not yet know. Certainly my guessed assessement is no help to a manager 400miles away having to do an assessment himself and achieve a reliable answer Bob Bob

quote=Kay] Taking a step back from the detail of the Risk Assessment, I emphatically DO NOT think this can be classed as a Nonconformity against OHSAS 18001:2007 4.3.1. You were being audited for compliance with a standard. The standard does not say anything about how you should evaluate risks. It merely says you should have a procedure, and what needs to be in your procedure.

But even 5X5 are flawed -what the difference between 16 and 17 on a 5X5?