Marvin Rausand - Risk Assessment

1 1 Adapted from https://complexitylabs.io/system-boundary/.

2 2 The manufacturer has to carry out a risk assessment of the washing machine to meet the requirements of the machinery safety regulations, usually according to ISO 12100.

Results from risk analyses are used as input to decision‐making. In many cases, the decisions are concerned with whether the risk has to be reduced. In an ideal world, we could argue that it should be unnecessary to make this decision; instead, we should avoid all risk. The reality is usually that this is not possible, very often for cost reasons but often also for practical reasons. Normally, we have to accept that all risk cannot be removed. The question then becomes how much risk should be removed? A balance has to be found between our ideal goal of removing all risk and the practical constraint of having a limitation in how much resources can be used to reduce risk. This is where risk acceptance criteria (RAC) are needed to help us decide what this balance should be.

Many people do not like the terms acceptable risk and risk acceptance because “to accept” may imply “to consent” or “to agree with.” Also, they do not want to give the impression that risk associated with their activity is viewed as unconditionally acceptable (CCPS 2009). They prefer the term tolerable risk because this term makes it clear that this risk is something we can cope with, something we can endure. We tolerate risk, but we do not accept it. The same people also prefer the term risk tolerance criteria over RAC. We have chosen to use the term RAC in this book.

In the Railway Safety Directive (EU 2016), the term common safety targets (CSTs) is used. The directive states that “CSTs may be expressed in terms of risk acceptance criteria.”

NS 5814 (2008) states that “the results of risk analysis must be compared with the criteria for acceptable risk” and requires that RAC be established before a risk assessment is conducted. A definition of RAC is

Criteria used as a basis for decisions about acceptable risk (NS 5814 2008).

RAC can be quantitative and/or qualitative. Some standards and guidelines find it essential that certain qualitative principles be adopted, irrespective of the numerical value of quantitative acceptance criteria (e.g. see NSW 2011). Examples of qualitative criteria include the following:

All avoidable risk should be avoided.

Risk should be reduced wherever practicable.

The effects of events should be contained within the site boundary.

Further development should not pose any incremental risk.

No single component failure should lead to serious consequences.

Some of these criteria are not very precise. What is “avoidable risk”? What is a “practicable” risk reduction? Without further guidance on what these terms mean, they can be interpreted very differently by decision‐makers. Most things are in principle “avoidable” and the term “practicable” can mean very different things to people. It may be observed that some of these criteria are useful for design purposes. The third and the last criterion can both be used directly as design criteria for technical systems.

RAC may be based on requirements from authorities, standards, experience, theoretical knowledge, and norms. The level of risk that is considered “acceptable” in a given context depends on several factors, among others, the benefits we get from the activities that cause the risk and whether or not the risk is voluntary. NS 5814 (2008) defines acceptable risk as follows:

Risk that is accepted in a given context based on the current values of society and in the enterprise.

This definition makes it clear that acceptable risk is related to a specific context. This means that risk is not accepted unconditionally. What is acceptable in one context is thus not necessarily acceptable in other contexts. Further, it is conditioned on current values and those values may change with time. Also, different societies and different enterprises may have different values.

The seminal book by Fischhoff et al. (1981) states that no risk is acceptable in isolation or in a universal sense. It is, therefore, somewhat misleading to talk about acceptable risk . They claim that one rather should speak in terms of acceptable options . The acceptability of an option represents a trade‐off among the full set of associated risk, costs, and benefits of this option. In turn, the desirability of these factors depends on the other options, values, and facts examined in the decision‐making process. Owing to this fact, the most acceptable option in an acceptable risk problem may not be the option with the least risk. According to Fischhoff et al. (1981):

Acceptable risk problems are decision problems, that is, they require a choice among alternatives. That choice is dependent on values, beliefs, and other factors. Therefore, there can be no single, all‐purpose number that expresses the acceptable risk for a society ….

In many decision situations, we are considering just two options: to perform an activity or not. In the North Sea, developing oil and gas fields represents risk to the people working there and to the environment due to possible oil spills. The safest option has clearly been not to develop the fields, but still decisions have been made again and again to develop new fields. The reason for this is obviously that the benefits are very large. What we accept is thus to get a certain set of benefits in return for taking a certain risk.

Much effort has been devoted to establishing quantitative RAC in the nuclear power industry. The following items have, for example, been proposed as candidates for setting quantitative criteria (e.g. see Cameron and Willers 2001 ; CNCS 2009):

1 The overall risk to the public.

2 The risk to an individual.

3 The sum of frequencies of all event sequences that can lead to a release of radioactive material that may require temporary evacuation of the local population (called small release frequency, SRF).

4 The sum of frequencies of all event sequences that can lead to a release of radioactive material that may require long‐term relocation of the local population (called large release frequency, LRF).

5 The conditional probability of containment failure (given core damage).

6 The sum of frequencies of all event sequences that lead to significant core degradation (called core damage frequency, CDF).

7 The probability of a particular accident sequence.

8 The reliability of individual safety systems.

Quantitative criteria for new nuclear power plants may, for example, be formulated as follows (CNCS 2009):

CDF per reactor year

SRF per reactor year

LRF per reactor year

There is still no general agreement on the values to be used for these limits. As Fischhoff et al. (1981) argue, it may never be possible to define these limits completely generally.

Observe that the quantitative criteria mentioned in Example 5.2are not risk criteria, but rather probability criteria, stating limits on the probability of certain events per reactor year. This is used in some contexts, in particular for events where the consequence is considered to be high in any case.