Figure 2.6 Loss spectrum for a hazardous event.
In this case, it may be meaningful to talk about the mean consequence or mean loss if the hazardous event should occur
(2.9) 
Observe that (2.9) is the conditional mean loss given that the specified hazardous event has occurred. The minimum and maximum loss and the standard deviation may easily be provided. In cases where the consequences cannot be easily measured with a common unit, it is considered much more meaningful to present the entire consequence spectrum to the decision‐maker, primarily for the whole study object but also for the most critical hazardous events (or end states).
2.5.5 Time of Recording Consequences
Some of the consequences of an accident may occur immediately, whereas others may not materialize until years after the accident. People are, for example, still (claimed to be) dying of cancer in 2019 as a consequence of the Chernobyl accident in 1986. A large quantity of nuclear fallout was released and spread as far as northern Norway. During the accident, only a few persons were harmed physically, but several years after the accident, a number of people developed cancer and died from the fallout. The same applies for other accidents involving hazardous materials, and notably for the Bhopal accident that took place 23 December 1984, in Bhopal, India. When we assess the consequences of an accident, it is therefore important not only to consider the immediate consequences but also to consider the delayed effects.
In some cases, it is useful to define a limited set of possible consequence classes or categories and use these rather than a continuous spectrum of consequences. The term severity is sometimes used to describe these classes:
Definition 2.29 (Severity)
Seriousness of the consequences of an event expressed either as a financial value or as a category.
The categories may be, for example, catastrophic, severe loss, major damage, damage, or minor damage. Each category has to be described to ensure the categories are understood by all relevant stakeholders. This is discussed further in Chapter 6.
This section defines a number of terms that are associated with risk and that are treated in more detail in later chapters of the book.
Most well‐designed systems have barriers that can prevent or reduce the probability of hazardous events, or stop or mitigate their consequences.
Definition 2.30 (Barrier)
Physical or engineered system or human action (based on specific procedures or administrative controls) that is implemented to prevent, control, or impede energy released from reaching the assets and causing harm.
Barriers are also called safeguards, protection layers, defenses, controls, or countermeasures. Barriers are discussed in more detail in Chapter 14. Some categories of barriers are listed in Table 2.9.
Table 2.9 Categories of barriers.
| Category | Examples |
| --- | --- |
| Physical barriers | Equipment and engineering design; personal protective equipment (e.g. clothes, hard hats, and glasses); fire walls, shields; safety devices (e.g. relief valves, emergency shutdown systems, and fire extinguishers); warning devices (e.g. fire and gas alarms) |
| Organizational barriers | Hazard identification and analyses; line management oversight; supervision; inspection and testing; work planning; work procedures; training; knowledge and skills; rules and regulations |
Safety is a problematic concept that is used with many different meanings. Many standards and guidelines related to risk assessment use the word safety but avoid defining the concept. An exception is MIL‐STD‐882E (2012), where safety is defined as “freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.” According to this definition, safety implies that all hazards are removed and that no assets will be harmed. This implies that risk is zero. For most practical systems, safety is therefore not attainable, and may be considered a Utopia.
Many risk analysts feel that the definition of safety in MIL‐STD‐882E is not of any practical use and that we need a definition such that safety is an attainable state. The following definition is therefore proposed:
Definition 2.31 (Safety)
A state where the risk has been reduced to a level that is as low as reasonably practicable (ALARP) and where the remaining risk is generally accepted.
This definition implies that a system or an activity is safe if the risk related to the system/activity is considered to be acceptable. Safety is therefore a relative condition that is based on a judgment of the acceptability of risk. The meaning of acceptable risk and ALARP is discussed further in Chapter 5.
From Definition 2.31, safety is closely dependent on risk because it is the risk level that determines whether a system is safe or not. An important distinction between risk and safety, as defined above, is that safety is a state that either is reached or not, whereas risk is measured on a continuous scale and can be high, medium, or low or measured or expressed in other ways. This means that even if a system is safe, there will still be risk.
In this book, we use the word risk to describe our uncertainty about adverse events that may occur in the future. Sometimes, decision‐makers may be wondering “whether the estimated risk in the coming period (e.g. five years) is higher or lower than the risk was in the past period.” With our definition of risk, speaking of risk in the past has no meaning. This is because when a period is over, there is no uncertainty related to what happened in that period. We therefore need another term that can be used to describe what happened in a past period – and we use the term safety performance.
Definition 2.32 (Safety performance)
An account of all accidents that occurred in a specified (past) time period, together with frequencies and consequences observed for each type of accident.
In this way, the estimated risk in the coming period can be compared to the safety performance in the past period.
Remark 2.7 (Was the risk analysis wrong?)
Observe that the occurrence of events and accidents is – at least partly – a random process. If the risk in the coming period is estimated to be rather high, and by the end of that period, we find that the safety performance in the period showed no accidents, this does not necessarily mean that the risk analysis was wrong. The same argument can also be used the other way around. In particular for major accident risk, it can be claimed that risk analyses are hardly ever wrong (although they may not always be right)!
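The point of Remark 2.7 can be checked numerically. The following is an added example, not taken from the book: it assumes accidents follow a Poisson process with a constant rate, and all rates and period lengths are constructed for illustration.

```python
import math

def prob_count(rate_per_year, years, k):
    """P(exactly k accidents) in the period, assuming a Poisson process."""
    mean = rate_per_year * years
    return math.exp(-mean) * mean ** k / math.factorial(k)

def prob_at_most(rate_per_year, years, k):
    """P(k or fewer accidents) in the period."""
    return sum(prob_count(rate_per_year, years, i) for i in range(k + 1))

def prob_at_least(rate_per_year, years, k):
    """P(k or more accidents) in the period."""
    if k <= 0:
        return 1.0
    return 1.0 - prob_at_most(rate_per_year, years, k - 1)

def years_to_refute(rate_per_year, alpha=0.05):
    """Accident-free years needed before 'no accidents at all' has
    probability below alpha under the estimated rate."""
    return -math.log(alpha) / rate_per_year

if __name__ == "__main__":
    # Constructed case 1: risk estimated as "rather high" (0.2 accidents/year).
    # A five-year safety performance with zero accidents is still quite likely.
    print("P(0 accidents | 0.2/yr, 5 yr) =", round(prob_at_most(0.2, 5, 0), 4))

    # Constructed case 2: major accident risk estimated at 1e-4 per year.
    # One accident in five years is improbable, but not impossible.
    print("P(>=1 accident | 1e-4/yr, 5 yr) =", round(prob_at_least(1e-4, 5, 1), 6))

    # How long an accident-free record must be before it contradicts the estimate.
    for rate in (0.2, 1e-2, 1e-4):
        print(f"rate {rate}/yr: {years_to_refute(rate):.0f} accident-free years")
```

Under these assumptions, an accident-free record only starts to contradict a major accident estimate of 1e-4 per year after tens of thousands of years, which is why such analyses can hardly ever be shown wrong by the safety performance of a single period.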