Risk acceptability and tolerability

Eric Marsden
<[email protected]>

How safe is safe enough?

Warmup. Before reading this material, we
suggest you look through:
▷ slides on risk metrics (how to measure risk
levels?)
▷ slides on risk perception
Available from risk-engineering.org &
slideshare.net
What is risk acceptance?

▷ Risk acceptance issues affecting individual decisions:

• Should I buy airplane tickets on Tinkertown Airlines, which are 300€ cheaper than
Air Reliable?
• Do I go skiing hors piste?

▷ Risk acceptance issues affecting societal decisions:

• Encourage nuclear power plants, or coal-fired plants, or increased electricity
pricing?
• Should we allow genetically modified foods?

▷ Note: risk acceptance is often controversial both in theory and in

practice…
Where does this fit into risk engineering?
curve
fitting
data probabilistic model consequence model

event probabilities event consequences

risks
Where does this fit into risk engineering?
curve
fitting
data probabilistic model consequence model

event probabilities event consequences

risks costs

criteria

decision-making
Where does this fit into risk engineering?
curve
fitting
data probabilistic model consequence model

event probabilities event consequences

risks costs
These slides
criteria

decision-making
Risk acceptance criterion

▷ Criterion: a standard of judging; any establishing the context

established law, rule, principle or fact by

Risk assessment

Communication & consultation

which a correct judgment may be formed risk identi�cation

Monitoring and review

▷ Risk acceptance criteria: criteria used as
risk analysis
basis for decisions about acceptable risk,
during the risk evaluation phase of risk criteria
analysis risk evaluation

▷ Risk evaluation: comparison of risk risk treatment

analysis results with risk criteria in order to

determine whether a specified level of risk is
The risk management process, according to the ISO 31000
acceptable or tolerable standard
Risk acceptance criteria: examples

▷ Some examples of qualitative risk acceptance criteria:

• “All avoidable risks shall be avoided”
• “Risks shall be reduced wherever practicable”
• “The effects of events shall be contained within the site boundary”
• “Further development shall not pose any incremental risk”
Risk acceptance criterion

▷ Risk acceptability is inherently contingent on time and

situations, and is hence never absolute, nor universal:

‘‘
The act of adopting an option does not in and of itself mean that
its attendant risk is acceptable in any absolute sense. Strictly
speaking, one does not accept risks. One accepts options that
entail some level of risk among their consequences.

▷ An extensive social sciences literature develops these concepts

and relationships with risk perception, trust, communication
and governance

Source: Acceptable Risk, Fischhoff et al. 1981

“Tolerable” risk

▷ UK Health and Safety Executive distinguishes between tolerable

and acceptable risks:

‘‘
“Tolerability” does not mean “acceptability”. It refers to a
willingness to live with a risk so as to secure certain benefits and
in the confidence that it is being properly controlled. […] unacceptable

tolerable
increasing level
For a risk to be “acceptable” on the other hand means that for of risk acceptable
purposes of life or work, we are prepared to take it pretty well as it broadly acceptable
is. negligible

▷ iso 31 000 standard:

• risk appetite: the amount and type of risk that an organization is
prepared to pursue, retain or take
• risk tolerance: organization/stakeholder’s readiness to bear risk after
risk treatment in order to achieve its objectives
Source: The tolerability of risk from nuclear power stations, UK HSE, 1992
 ▷ Objective level of risk generated by a project
▷ Is the origin of the risk natural or industrial/technological?
▷ Is the nature of the hazard familiar or unfamiliar?
Factors ▷ Are the possible effects memorable or easily forgotten, dreaded or not?
influencing ▷ Is the hazard of a catastrophic or a chronic nature?

risk ▷ Is exposure to the risk perceived to be fair or unfair?

▷ Is the activity perceived to be morally relevant?
acceptance
▷ Are sources of information concerning the risk and the activity perceived to
be trustworthy?
▷ Is the governance of the industrial activity and the risk management process
perceived to be open and responsive?
Decision rules
Absolute risk targets

▷ Aviation safety: probability of catastrophic failure should be less than

10−9 per flight hour
• other targets for Hazardous, Major and Minor severity effects
• accompanied by a design principle: In any system or subsystem, the failure of
any single element, component, or connection during any one flight should […]
regardless of its probability […] not be Catastrophic.

▷ Air traffic management:

• maximum tolerable probability of atm directly contributing to an accident of a
commercial air transport aircraft of 1.55 ⋅ 10−8 accidents per flight hour

▷ Maritime safety, for new ships:

• maximum tolerable probability of fatality for crew members: 10−4 per ship-year
• maximum tolerable probability of fatality for passengers or public: 10−5 per
ship-year
Risk matrix

Frequency
very infrequent infrequent fairly frequent frequent very frequent

Consequence
catastrophic

very large

large

medium

small

Unacceptable

Reduce risks as low as reasonably practicable

Acceptable

▷ Risk matrices are widely used in the process industry

▷ Companies and regulators use specific frequency and consequence thresholds

• where is the cutoff between “infrequent” and “fairly frequent” for our activity?
Risk matrix

▷ The risk matrix (also called a “heat map”) can be used for three main
purposes:
• determine how significant each risk is
• prioritize or rank risks relative to one another to help allocate safety spending
• highlight areas for further more detailed risk assessment (e.g. fully quantitative
rather than qualitative for higher level risks)

▷ When used for decisions related to acceptability of a hazardous activity,

the aggregate risk level should be used
• all risks from the facility added together then positioned in the matrix
• it’s not sufficient for each accident scenario from the facility to be in an
“acceptable” location of the matrix, considered in isolation!
ALARP principle

risk
Unacceptable region
Risk can only be justi�ed
under extraordinary circumstances

Tolerable region ALARP: As Low As

cable
Risk must be reduced ALARP Reasonably Practi

Broadly acceptable region

Risk is negligible and/or
adequately controlled
negligible risk
ALARP principle

▷ The ALARP principle is fairly widely used

• for example by UK HSE
• similar concepts: ALARA (“as low as reasonably acheivable”) used concerning
radiation protection, SFAIRP (“so far as is reasonably practicable”)

▷ Much discussion revolves around interpretation of the term “reasonably”

• companion principle ASSIB (“And Still Stay In Business”) is also important

▷ To determine “reasonably practicable”, either:

• refer to industry standards and good practice
• use benefit-cost analysis with a “gross disproportion factor” analysis slides at
→ Benefit-cost
ring.org
risk-enginee
Compromise on safety? Never!
▷ Implicit in ALARP approaches is the idea of balancing safety benefits with their
costs

▷ Some observers/critics refuse this type of compromise out of principle

▷ Certain safety authorities and regulators seem quite embarrassed by the issue
and avoid mentioning it in public communications

▷ Others acknowledge the issue in a transparent manner, see commitments from

UK Office of Nuclear Regulation in its Strategy 2020-25 document (point 3
below)
MEM decision rule

▷ MEM: Minimum Endogenous Mortality

▷ Basis:
• there are different mortality rates in society, depending on age and gender
• these deaths are partly caused by hazardous industrial systems

▷ Decision rule: new system should not lead to a significant increase in risk
estimated for a population with the lowest endogenous mortality
• number of natural deaths is the reference point for acceptability

▷ Mostly used in Germany, for railways

to
lity: deaths due
Endogenous morta )
isease , ag ing
internal causes (d
GAME decision rule

▷ game: Globalement au Moins Equivalent, or Globally at least equivalent

▷ Mainly used in French railways

▷ The en 50126 standard:

• “All new guided transport systems must offer a level of risk globally at least as
good as the one offered by any equivalent system”

▷ Example: Channel Tunnel Safety Authority imposed a requirement that

the safety performance of the Tunnel should be no worse than that of a
surface railway of similar length

▷ Note: requires an existing system which acts as the reference

“Best available technology” rule

▷ bat: Best available technology

• a regulatory principle which is widely used to control environmental risks
• emissions limit values and the equivalent parameters and technical measures in
permits shall be based on the best available techniques, without prescribing the
use of any specific technique or technology
• “available” means developed on a scale which allows implementation in the
relevant industrial sector, under economically and technically viable conditions,
taking into consideration the costs and advantages

▷ batneec (Best available techniques not entailing excessive costs):

applied to air pollution emissions from large industrial installations (eu
directive 84/360/EEC)
Criteria used by US federal regulatory agencies
Individual risk Population risk Usual acceptable residual
considered considered risk (lifetime risk for lifetime
exposure)
Toxics Yes Yes, indirectly Unstated, but usually 10-5 to
“ reasonable worst 10-6 for public, 10-4 to
-5
case for occupational 10 for occupational exp.
exposure
Pesticides No for carcinogenic Yes for residue Zero for additives (Delaney
additives; yes for tolerance clause) 10-6 for assumed
residue tolerance max residues in average
diet, 10-6 for non-dietary
exposure
drinking water Yes, a standard No 10-4 to 10-6 range
exposure scenario in considered to be adequate
middle range
homogeneity for
water quality Yes, a standard
exposure scenario in
No 10-5 to 10-7
Note absence of
cat egories…
middle range different risk
hazardous Yes No listing : 10-5
waste corrective actions : 10-4 to
handling, 10-6
active disposal incinerators : 10-5
Superfund Yes, “ reasonable Yes 10-4 to 10-6, depending
sites maximum exposure ” partly on anticipated future
using mix of midrange use of site
and conservative
assumptions
hazardous air Yes Yes 10-4 to 10-6
pollutants
food additives, No for carcinogenic No Zero for additives; 10-6 for
colours and additives; yes for assumed max residues in
contaminants; additives, “ high use ” diet
cosmetics contaminants
occupational Yes, for full working life No Feasible controls (in
exposure at possible exposure practice 10-3)
limit

Source: A survey of methods for chemical health risk assessment among federal regulatory agencies, L. Rhomberg, 1996
The precautionary principle

▷ The purpose of the precautionary principle is to create an impetus to take “Better safe than
a decision notwithstanding scientific uncertainty about the nature and sorry”
extent of the risk

‘‘
Where there are threats of serious or irreversible environmental damage, lack
of full scientific certainty shall not be used as a reason for postponing cost
effective measures to prevent environmental degradation.
— 1992 Rio Declaration on Environment and Development

▷ Simpler definition: incomplete scientific knowledge is not a valid excuse

for regulatory inertia
The precautionary principle

▷ uk guidance: precautionary principle should be invoked when:

• there is good reason, based on empirical evidence or plausible causal
hypothesis, to believe that harmful effects might occur, even if the
likelihood of harm is remote
• a scientific evaluation of the consequences and likelihoods reveals
such uncertainty that it is impossible to assess the risk with
sufficient confidence to inform decision-making

Source: hse.gov.uk/aboutus/meetings/committees/ilgra/pppa.htm
The Imperative of Responsibility [Jonas]

▷ Hans Jonas (1903–1993), German philosopher

‘‘
[…] the frivolous joyous human holiday of several industrial
centuries will perhaps be paid for by thousands of years of
transformed terrestrial life.

▷ The Imperative of Responsibility: in Search of an Ethics for the

Technological Age (1979)
• human survival depends on our efforts to care for our planet and its
future
• we have a responsibility to future generations
• Jonas’ supreme principle of morality: “Act so that the effects of your
action are compatible with the permanence of genuine human life”
• inspired the environmental movement in Germany in the 1970s
 ▷ Cat stretching (slide 2): norsez via flic.kr/p/e8q1GE, CC BY-NC-ND
Image licence
▷ Railway tracks on slide 10, Martin Fisch via flic.kr/p/o4Hice, CC
credits BY-SA licence
▷ Ducks on slide 21, flic.kr/p/6jFbTs, CC BY-SA licence

For more free content on risk engineering,

visit risk-engineering.org
 Further ▷ Reducing risk, protecting people: HSE’s decision-making process, uk
Health and Safety Executive, 2001,
reading hse.gov.uk/risk/theory/r2p2.pdf

For more free content on risk engineering,

visit risk-engineering.org
Feedback welcome!
This presentation is distributed under the terms of the
Creative Commons Attribution – Share Alike licence

@LearnRiskEng

fb.me/RiskEngineering
Was some of the content unclear? Which parts were most useful to
you? Your comments to [email protected]
(email) or @LearnRiskEng (Twitter) will help us to improve these
materials. Thanks!

For more free content on risk engineering,

visit risk-engineering.org