J JO OÃ ÃO O L LU U Í Í S S S SA AN N T T O OS S

2 2 0 0 0 0 8 8





















Q QU UA AN NT TI I T TA AT TI I V VE E R RI I S SK K A AN NA AL LY YS SI I S S
T T H HE EO OR RY Y A AN ND D M MO OD DE EL L





















Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
A AB BO OU U T T T TH H E E A AU U T T H H O OR R

The aut hor was born in Angola, in March 1968. The aut hor received a Bachelor (1994) degree and a
Licenciat ure (1996) degree in Chemical Engineering from t he School of Engineering of t he Polyt echnic
I nst it ut e of Oport o (Oport o, Port ugal), and a Mast er (M. S.) degree in Environment al Engineering (2001)
from t he Facult y of Engineering of t he Universit y of Oport o (Oport o, Port ugal). Also, t he aut hor has a
advanced diploma in Occupat ional Healt h and Safet y (I SQ – I nst it ut e of Welding and Qualit y, Vila Nova de
Gaia, Port ugal). The aut hor is a Professional Safet y Engineer, licensed by ACT (Labor Condit ions Nat ional
Aut horit y, Nat ional Examinat ion Board in Occupat ional Safet y and Healt h) and I SHST (I nst it ut e of Safet y and
Hygiene and Occupat ional Healt h). The aut hor has several years of background experience in indust rial,
chemical and pet rochemical processes and operat ions. The aut hor experience in occupat ional healt h and
safet y field include chemical and pet rochemical plant safet y reviews, surveys and inspect ions, safet y
requirement s and applicat ion of safet y st andards, codes and pract ices (including OSHA, NFPA, NEC, API ,
ANSI ), process safet y, indust rial risk analysis and assessment , fire and loss prevent ion engineering and
management . The aut hor’s research int erest include environment al engineering and safet y engineering;
much of his research in safet y field has emphasized t he development of safet y processes and risk analyis.

I nquiries about t he cont ent of t his work may be direct ed t o t he following address:

Rua Parque de Jogos, 357, Bloco A, 2º Cent ro
Lugar do Covelo
4745–457 São Mamede do Coronado
PORTUGAL

E-mail: j oao.sant os@lycos.com
Telephone: (351) 91 824 2766
















This work is copyright . Apart from any use as permit t ed under t he Copyright Act , no part may be reproduced
by any process wit hout prior writ t en permission from t he aut hors. Request s and inquiries concerning
reproduct ion and right s should be addressed t o t he above address.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
E EX X E EC CU U T T I I V V E E S SU U M M M M A AR RY Y

I n t his document t he t erm “ risk analysis” is employed in it s broadest sense t o include risk assessment , risk
management and risk communicat ion. Risk assessment involves ident ifying sources of pot ent ial harm,
assessing t he likelihood (probabilit y) t hat harm will occur and t he consequences if harm does occur. Risk
management evaluat es which risks ident ified in t he risk assessment process require management and
select s and implement s t he plans or act ions t hat are required t o ensure t hat t hose risks are cont rolled. Risk
communicat ion involves an int eract ive dialogue bet ween st akeholders and risk assessors and risk managers
which act ively informs t he ot her processes. Due t o t he relat ively short hist ory of use of t echnology, t he
pot ent ial variet y of hazards and t he complexit y of t he environment s int o which t hey may be int roduced, t he
risk analysis process may rely on bot h quant it at ive and qualit at ive dat a.

R RI I S SK K A AN NA AL LY YS SI I S S = = R RI I S SK K A AS SS SE ES SS SM ME EN NT T + + R RI I S SK K M MA AN NA AG GE EM ME EN NT T + + R RI I S SK K C CO OM MM MU UN NI I C CA AT TI I O ON N

The first st ep in risk assessment is est ablishing t he risk cont ext . The risk cont ext includes: t he scope and
boundaries of t he risk analysis as det ermined by nat ional and int ernat ional regulat ions, t he Regulat ions and
t he Regulat or’s approach t o t heir implement at ion; t he proposed dealings; and t he nat ure of t he process and
t echnology. I t should be not ed t hat considerat ion of pot ent ial harm may include economic issues such as
market abilit y and ot her t rade considerat ions, which somet imes fall out side t he scope of t he nat ional and
int ernat ional regulat ions. As t he Regulat or must consider risks t o human healt h and safet y and t he
environment (and ot her t arget s) arising from, or as a result of, human act ivit ies and int eract ion wit h
t echnology. I n addressing harm it is import ant t o define harm, and t he crit eria t o assess harm.
Risk assessment can be usefully considered as a series of simple quest ions: “ What might happen?” , “ How
might it happen?” , “ Will it be serious if it happens?” , “ How likely is it t o happen?” , and finally, ” What is t he
risk?” . I n t he first inst ance, answering t hese quest ions involves hazard ident ificat ion, a process that ident ifies
sources of pot ent ial harm (“ What …?” ) and t he causal pat hway t hrough which t hat harm may event uat e
(“ How…?” ). This is followed by a considerat ion of t he seriousness of t he harm being realised (consequence),
t he chance or probabilit y (likelihood) t hat harm will occur, t he chance of exposure t o t he hazard, and t he
safet y level exist ing for t he process or t echnology. The hazard ident ificat ion, consequence, likelihood,
exposure, and safet y level assessment s t oget her lead t o an appraisal of whet her t he hazard will result in a
risk and t o make a qualit at ive est imat e of t he level of t hat risk (risk est imat e). Alt hough risk assessment is
most simply present ed as a linear process, inrealit y it is cyclical or it erat ive, wit h risk communicat ion act ively
informing t he ot her element s. For t his reason, it is helpful t o use t erminology t hat clearly dist inguishes
bet ween t he likelihood assessment , consequence (loss crit icalit y) assessment , exposure assessment , safet y
level assessment , and t he risk est imat e. Therefore, several different descript ors have been select ed for each
component t hat are designed t o convey a scale of sequent ial levels. The consist ent applicat ion of t his
dist inct t erminology is int ended t o clarify t he discussion of t hese component s of t he risk assessment . The
explanat ions of t he descript ors for consequence need t o encompass adverse consequences of event s
relat ing t o bot h human healt h and safet y and ot her t arget s, e.g. t he environment . They are relat ively simple,
in order t o cover t he range of different fact ors (e.g. severit y, space, t ime, cumulat ive, reversibilit y) t hat may
cont ribut e t o t he significance of adverse consequences. The risk est imat e is derived from t he combined
considerat ion of bot h exposure, likelihood, loss crit icalit y (severit y), and safet y level. The individual
descript ors can be incorporat ed int o a Risk Est imat e Mat rix. The aim of t he mat rix is t o provide a format for
t hinking about t he relat ionship bet ween t he exposure, likelihood, and loss crit icalit y (severit y) of part icular
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
hazards. I t is import ant t o not e t hat uncert aint y about eit her or bot h of t hese component s will affect t he risk
est imat e.
The risk management component of risk analysis builds on t he work of t he risk assessment and may be
described as answering t he quest ions: “ Does anyt hing need t o be done about t he risk?” , “ What can be done
about it ?” , and “ What should be done about it ?” . While risk assessment deals as far as possible wit h
obj ect ive evidence, risk management necessarily involves prudent ial j udgement s about which risks require
management (risk evaluat ion), t he choice and applicat ion of t reat ment measures, and ult imat ely whet her
t he dealings should be permit t ed. Consequent ly, if t here is uncert aint y about risks (e.g. in early st age
research) t his may influence t he management measures t hat are select ed. A considerat ion of t he causal
pat hways for harm t o occur, t hat were elucidat ed in t he risk assessment , provides a basis for st rat egic
select ion of how, where and when t o undert ake risk t reat ment measures. This enables t he ident ificat ion of
t he point s at which t reat ment can be most effect ively applied t o break t he causal pat hway and prevent
adverse out comes from being realised. While t he focus of risk management is on prevent ion, t he Regulat or
also addresses how t o manage adverse out comes if a part icular risk is realised. I mport ant considerations are
whet her t he adverse consequences can be reduced or reversed, ident ifying measures t hat can achieve t hese
ends, and including t hese in licence condit ions or cont ingency plans. Risk management act ions undert aken
by t he Regulat or are not limit ed t o devising t he risk management plan.
Risk communicat ion underpins t he processes of risk assessment and risk management and t he safet y
regulat ions (bot h nat ional and int ernat ional regulat ions) provides legislat ive mechanisms t o ensure t he
clarit y, t ransparency and account abilit y of t he Regulat or’s decision-making processes and t hat t here is public
input int o t hat process. Risk communicat ion involves an int eract ive dialogue bet ween risk assessors, risk
managers and st akeholders. I n many inst ances differing percept ions of risk can influence t he approach of
st akeholders t o part icular issues. The Regulat or undert akes ext ensive consult at ion wit h a diverse range of
expert groups and aut horit ies and key st akeholders, including t he public, before deciding whet her t o issue a
licence. The Regulat or endeavours t o provide accessible informat ion t o int erest ed part ies on applicat ions,
licences, dealings wit h process and t echnology, t rial sit es and t he processes of risk assessment , risk
management , monit oring and compliance undert aken by t he Regulat or Office. Therefore, t he Regulat or is
commit t ed t o act ive risk communicat ion.


















T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
A AC CR RO ON N Y Y M M S S

ANSI
American Nat ional St andards I nst it ut e.

API
American Pet roleum I nst it ut e.

ASME
American Societ y of Mechanical Engineers.

ASTM
American Societ y for Test ing and Mat erials.

CCI
Confident ial Commercial I nformat ion.

CCPS
Cent er for Chemical Process Safet y.

CPD
Cont inuing professional development , a means t o ensure ongoing compet ence in a changing world.

CSR
Corporat e social responsibilit y, a syst em whereby organisat ions int egrat e social and environment al concerns
int o t heir business operat ions and int eract ions wit h st akeholders.

DI R
Dealings involving I nt ent ional Release.

DNI R
Dealings not involving I nt ent ional release.

DOE
Unit ed St at es Depart ment of Energy.

DOT
Unit ed St at es Depart ment of Transport at ion.

ERP
Emergency Response Planning Guideline.

EVC
Equilibrium Vapor Concent rat ion.

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
A AC CR RO ON N Y Y M M S S

FTAP
Fault Tree Analysis Program.

FMEA Failure Mode and Effect s Analysis.

GRI
Global Report ing I nit iat ive, an int ernat ional sust ainabilit y report ing inst it ut ion t hat has developed guidelines
for volunt ary report ing on t he economic, environment al and social performance of organisat ions.

HAZOP
Hazard and Operabilit y Analysis.

HHC
Highly Hazardous Chemical.

HHM
Hierarchical Holographic Modelling.

HSE
Healt h and Safet y Execut ive, t he Unit ed Kingdom Occupat ional Safet y and Healt h regulat or.

I DLH
I mmediat ely Dangerous t o Life or Healt h.

I EEE
I nst it ut e of Elect rical and Elect ronic Engineers.

I LO
I nt ernat ional Labour Organizat ion, a Unit ed Nat ions agency, based in Geneva.

I MO
I nt ernat ional Marit ime Organizat ion, a Unit ed Nat ions agency, based in London.

I OSH
I nst it ut ion of Occupat ional Safet y and Healt h.

I RRAS
I nt egrat ed Reliabilit y and Risk Analysis Syst em.

I SA
I nst rument Societ y of America.


T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
A AC CR RO ON N Y Y M M S S

I SM
I nt ernat ional Safet y Management , a formal code requirement of t he I MO t hat applies t o most classes of
large ship.

I SO
I nt ernat ional Organizat ion for St andardizat ion.

JHA
Job Hazard Analysis.

LFL
Lower Flammabilit y Limit .

M&O
Management and Operat ion.

MCS
Minimal Cut Set .

MOC
Management of Change.

MSDS
Mat erial Safet y Dat a Sheet .

NFPA
Nat ional Fire Prot ect ion Associat ion.

ORC
Organizat ion Resources Counselors.

ORR
Operat ional Readiness Review.

OSH
Occupat ional safet y and healt h.

OSHA
Occupat ional Safet y and Healt h Administ rat ion.

OSHMS
Occupat ional safet y and healt h management syst em.

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
A AC CR RO ON N Y Y M M S S

P&I D
Piping and I nst rument at ion Diagram.

PC 1-4
Physical Cont ainment levels 1-4.

PEL
Permissible Exposure Limit .

PrHA
Preliminary Hazards Analysis.

PHA
Process Hazard Analysis.

PSI
Process Safet y I nformat ion.

PSM
Process Safet y Management .

PSR
Pre-St art up Safet y Review.

RARMP
Risk Assessment and Risk Management Plan.

SAR
Safet y Analysis Report .

SHI
Subst ance Hazard I ndex.

SMARTT
Specific, measurable, agreed, realist ic, t imet abled and t racked act ion – a met hod for managing act ion plans.

SOP
St andard Operat ing Procedure.

SWOT
St rengt hs, weaknesses, opport unit ies and t hreat s analysis.


T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
A AC CR RO ON N Y Y M M S S

TLV
Threshold Limit Value.

TQ
Threshold Quant it y.

UFL
Upper Flammabilit y Limit .

WHO
World Healt h Organizat ion, a Unit ed Nat ions agency, based in Geneva.
































Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

ABSORBED DOSE (AD)
The energy absorbed by mat t er from ionizing radiat ion per unit mass of irradiat ed mat erial at t he place of
int erest in t hat mat erial. The absorbed dose is expressed in unit s of rad or gray (1 rad = 0.01 gray).

ACCEPTABLE
When applied t o fire safet y, “ accept able” is a level of prot ect ion which t he Safet y Aut horit y, considers
sufficient t o achieve t he fire and life safet y obj ect ives defined in safet y requirement s. I n some inst ances, it is
t he level of prot ect ion necessary t o meet a code or st andard. I n ot her inst ances it is a level of prot ect ion
t hat deviat es (plus or minus) from a code or st andard as necessary and yet adequat ely prot ect s against t he
inherent fire hazards.

ACCI DENT
An unplanned sequence of event s t hat result s in undesirable consequences.
An unwant ed t ransfer of energy or an environment al condit ion t hat , due t o t he absence or failure of barriers
or cont rols, produces inj ury t o persons, damage t o propert y, or reduct ion in process out put .

ACCI DENT ANALYSES
The t erm accident analyses refers t o t hose bounding analyses select ed for inclusion in t he safet y analysis
report . These analyses refer t o design basis accident s only.

ACCI DENT EVENT SEQUENCE
An unplanned event or sequence of event s t hat has an undesirable consequence.

ACCI DENT (EXPLOSI VE)
An incident or occurrence t hat result s in an uncont rolled chemical react ion involving explosives.

ACCOUNTABI LI TY
The st at e of being liable for explanat ion t o a superior official for t he exercise of aut horit y. The delegat e of na
aut horit y is account able t o t he delegat ing responsible aut horit y for t he proper and diligent exercise of t hat
aut horit y. Responsibilit y differs from account abilit y in t hat a responsible official “ owns” t he funct ion for which
he or she is responsible; it is an int egral part of his or her dut ies t o see t hat t he funct ion is properly
execut ed, t o est ablish crit eria for t he j udgement of excellence in it s execut ion, and t o st rive for cont inuous
improvement in t hat execut ion. A responsible official is associat ed wit h t he out comes of t he exercise of
aut horit y regardless of whet her it was delegat ed, and regardless of whet her t he designee properly followed
guidance. Account abilit y, on t he ot her hand, involves t he accept ance of t he aut horit y for execut ion (or for
furt her delegat ion of component s of execut ion), by using guidance and crit eria est ablished by t he
responsible aut horit y.






T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

ADDI TI ONS AND MODI FI CATI ONS
Changes t o a st ruct ure, syst em, and component (SSC) for reasons ot her t han increasing resist ance t o
nat ural phenomena hazards.

ADMI NI STRATI VE CONTROLS
Provisions relat ing t o organizat ion and management , procedures, recordkeeping, assessment , and report ing
necessary t o ensure safe operat ion of a facilit y.
Wit h respect t o nuclear facilit ies administ rat ive cont rols means t he sect ion of t he Technical Safet y
Requirement s (TSR) cont aining provisions for safe operat ion of a facilit y including (1) requirement s for
report ing violat ions of TSR, (2) st affing requirement s import ant t o safe operat ions, and (3) commit ment s t o
t he safet y management programs and procedures ident ified in t he Safet y Analysis Report as necessary
element s of t he facilit y safet y basis provisions.

AGGREGATE THRESHOLD QUANTI TY
The t ot al amount of a hazardous chemical cont ained in vessels t hat are int erconnect ed, or cont ained in a
process and nearby unconnect ed vessels, t hat may be adversely affect ed by an event at t hat process.

AI RBORNE RADI OACTI VE MATERI AL OR AI RBORNE RADI OACTI VI TY
Radioact ive mat erial dispersed in t he air in t he form of dust s, fumes, part iculat es, mist s, vapors, or gases.

AI RBORNE RADI OACTI VI TY AREA
Any area, accessible t o individuals, where: (1) t he concent rat ion of airborne radioact ivit y, above nat ural
background, exceeds or is likely t o exceed t he derived air concent rat ion (DAC) values; or an individual
present in t he area wit hout respirat ory prot ect ion could receive an int ake exceeding 12 DAC-hours in a
week.

AMBI ENT AI R
The general air in t he area of int erest (e.g., t he general room at mosphere), as dist inct from a specific
st ream or volume of air t hat may have different properties.

ANALYSI S
The use of met hods and t echniques of arranging dat a t o: (1) assist in det ermining what addit ional dat a are
required; (2) est ablish consist ency, validit y, and logic; (3) est ablish necessary and sufficient event s for
causes; and (4) guide and support inferences and j udgement s.









Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

ANALYTI CAL TREE
Graphical represent at ion of an accident in a deduct ive approach (general t o specific). The st ruct ure
resembles a t ree - t hat is, narrow at t he t op wit h a single event (accident ), t hen branching out as t he t ree is
developed, and ident ifying root causes at t he bot t om branches.

ANNUAL LI MI T ON I NTAKE (ALI )
The derived limit for t he amount of radioact ive mat erial t aken int o t he body of an adult worker by inhalat ion
or ingest ion in a year. ALI is t he smaller value of int ake of a given radionuclide in a year by t he reference
man (I CRP Publicat ion 23) t hat would result in a commit t ed effect ive dose equivalent of 5 rems (0.05
sievert ) or a commit t ed dose equivalent of 50 rems (0.5 sievert ) t o any individual organ or t issue.
ALI values for int ake by ingest ion and inhalat ion of select ed radionuclides are based on Table 1 of t he U.S.
Environment al Prot ect ion Agency's Federal Guidance Report No. 11, Limit ing Values of Radionuclide I nt ake
and Air Concent rat ion and Dose Conversion Fact ors for I nhalat ion, Submersion, and I ngest ion, published
Sept ember 1988.

ARC-FLASH HAZARD
A dangerous condit ion associat ed wit h t he release of energy caused by an elect ric arc (I EEE 1584-2002).

ARC RATI NG
The maximum incident energy resist ance demonst rat ed by a mat erial (or a layered syst em of mat erials)
prior t o breakopen or at t he onset of a second-degree skin burn. Arc rat ing is normally expressed in cal/ cm
2
.

ASSESSMENT
A review, evaluat ion, inspect ion, t est , check, surveillance, or audit , t o det ermine and document whet her
it ems, processes, syst ems, or services meet specific requirement s and are performing effect ively.

AUTHORI ZED PERSON
Any person required by work dut ies t o be in a regulat ed area.

BACKGROUND RADI ATI ON
Radiat ion from (1) nat urally occurring radioact ive mat erials which have not been t echnologically enhanced;
(2) cosmic sources; (3) global fallout as it exist s in t he environment (such as from t he t est ing of nuclear
explosive devices); (4) radon and it s progeny in concent rat ions or levels exist ing in buildings or t he
environment which have not been elevat ed as a result of current or prior act ivit ies; and (5) consumer
product s cont aining nominal amount s of radioact ive mat erial or producing nominal amount s of radiat ion.








T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

BARRI ER
Anyt hing used t o cont rol, prevent , or impede energy flows. Common t ypes of barriers include equipment ,
administ rat ive procedures and processes, supervision and management , warning devices, knowledge and
skills, and physical obj ect s. Barriers may be eit her cont rol or safet y.

BARRI ER ANALYSI S
An analyt ical t echnique used t o ident ify energy sources and t he failed or deficient barriers and cont rols t hat
cont ribut ed t o an accident .

BASELI NE
A quant it at ive expression of proj ect ed cost s, schedule, and t echnical requirement s; t he est ablished plan
against which t he st at us of resources and t he progress of a proj ect can be measured.

BI OASSAY
The det erminat ion of kinds, quant it ies, or concent rat ions, and, in some cases, locat ions of radioact ive
mat erial in t he human body, whet her by direct measurement or by analysis, and evaluat ion of radioact ive
mat erials excret ed or removed from t he human body.

BREATHI NG ZONE
A hemisphere forward of t he shoulders wit h a radius of approximat ely 6 t o 9 inches (i.e., an area as close as
pract icable t o t he nose and mout h of t he employee being monit ored for a chemical or biological hazard).
Breat hing zone samples provide t he best represent at ion of act ual exposure.

CALI BRATI ON
To adj ust and det ermine eit her: (1) The response or reading of an inst rument relat ive t o a st andard (e.g.,
primary, secondary, or t ert iary) or t o a series of convent ionally t rue values; or (2) The st rengt h of a
radiat ion source relat ive t o a st andard (e.g., primary, secondary, or t ert iary) or convent ionally t rue value.

CATASTROPHI C RELEASE
A maj or uncont rolled emission, fire, or explosion, involving one or more highly hazardous chemicals t hat
present s serious danger t o employees in t he workplace or t o t he public.

CAUSAL FACTOR
An event or condit ion in t he accident sequence necessary and sufficient t o produce or cont ribut e t o t he
unwant ed result . Causal fact ors fall int o t hree cat egories: direct cause, cont ribut ion cause, and root cause.








Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

CAUSE
Anyt hing t hat cont ribut es t o an accident or incident . I n an invest igat ion, t he use of t he word “ cause” as a
singular t erm should be avoided. I t is preferable t o use it in t he plural sense, such as “ causal fact ors” , rat her
t han ident ifying “ t he cause” .

CEI LI NG LI MI T
The concent rat ion in t he employee's breat hing zone t hat shall not be exceeded at any t ime during any part
of t he working day. For airborne cont aminant s, if inst ant aneous monit oring is not feasible, t hen t he ceiling
shall be assessed as a 15 minut e t ime-weight ed average exposure t hat shall not be exceeded at any t ime
during t he working day.

CERTI FI CATI ON
The process by which cont ract or facilit y management provides writ t en endorsement of t he sat isfact ory
achievement of qualificat ion of a person for a posit ion.

CHANGE
St ress on a syst em t hat was previously in a st at e of equilibrium, or anyt hing t hat dist urbs t he planned or
normal funct ioning of a syst em.

CHANGE ANALYSI S
An analyt ical t echnique used for accident invest igat ions, wherein accident-free reference bases are
est ablished, and changes relevant t o accident causes and sit uat ions are syst emat ically ident ified. I n change
analysis, all changes are considered, including t hose init ially considered t rivial or obscure.

CHANGE CONTROL
A process t hat ensures all changes are properly ident ified, reviewed, approved, implement ed, t est ed, and
document ed.

CHEMI CAL PROCESSI NG
Those act ivit ies or operat ions t hat involve t he product ion, use, st orage, processing, and/ or disposal of
caust ic, t oxic, or volat ile chemicals in liquid, gaseous, part iculat e, powder, or solid st at es.

COLLECTI VE DOSE
The sum of t he t ot al effect ive dose equivalent values for all individuals in a specified populat ion. Collect ive
dose is expressed in unit s of person-rem (or person-sievert ).








T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

COMBI NED STANDARD UNCERTAI NTY
St andard uncert aint y of t he result of a measurement when t hat result is obt ained from t he values of a
number of ot her quant it ies, equal t o t he posit ive square root of a sum of t erms, t he t erms being t he
variances or covariances of t hese ot her quant it ies weight ed according t o how t he measurement result varies
wit h changes in t hese quant it ies.

COMBUSTI BLE LI QUI D
A liquid having a closed cup flash point at or above 100º F (38º C).COMBUSTI BLE MATERI AL
Any mat erial t hat will ignit e and burn. Any mat erial t hat does not comply wit h t he definit ion of
“ noncombust ible” is considered combust ible. The t erm combust ible is not relat ed t o any specific ignit ion
t emperat ure or flame spread rat ing.

COMMI TTED DOSE EQUI VALENT (HT50)
The dose equivalent calculat ed t o be received by a t issue or organ over a 50 year period aft er t he int ake of a
radionuclide int o t he body. I t does not include cont ribut ions from radiat ion sources ext ernal t o t he body.
Commit t ed dose equivalent is expressed in unit s of rem (or sievert ). See Commit t ed Effect ive Dose
Equivalent , Cumulat ive Tot al Effect ive Dose Equivalent , Deep Dose Equivalent , Dose Equivalent , Effect ive
Dose Equivalent , Lens of t he Eye Dose Equivalent , and Tot al Effect ive Dose Equivalent .

COMMI TTED EFFECTI VE DOSE EQUI VALENT (HE, 50)
The sum of t he commit t ed dose equivalent s t o various t issues in t he body (HT, 50), each mult iplied by t he
appropriat e weight ing fact or (WT). Commit t ed effect ive dose equivalent is expressed in unit s of rem (or
sievert ). See Commit t ed Dose Equivalent , Cumulat ive Tot al Effect ive Dose Equivalent , Deep Dose Equivalent ,
Dose Equivalent , Effect ive Dose Equivalent , Lens of t he Eye Dose Equivalent , and Tot al Effect ive Dose
Equivalent .

CONFI NEMENT AREA
An area having st ruct ures or syst ems from which releases of hazardous mat erials are cont rolled. The
primary confinement syst ems are t he process enclosures (glove boxes, conveyors, t ransfer boxes, ot her
spaces normally cont aining hazardous mat erials), which are surrounded by one or more secondary
confinement areas (operat ing area compart ment s).

CONFI NEMENT BARRI ERS
Primary confinement – Provides confinement of hazardous mat erial t o t he vicinit y of it s processing. This
confinement is t ypically provided by piping, t anks, glove boxes, encapsulat ing mat erial, and t he like, along
wit h any offgas syst ems t hat cont rol effluent from wit hin t he primary confinement .







Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

Secondary confinement – Consist s of a cell or enclosure surrounding t he process mat erial or equipment
along wit h any associat ed vent ilat ion exhaust syst ems from t he enclosed area. Except in t he case of areas
housing glove-box operat ions, t he area inside t his barrier is usually unoccupied (e.g., canyons, hot cells); it
provides prot ect ion for operat ing personnel.
Tert iary confinement – Typically provided by walls, floor, roof, and associat ed vent ilat ion exhaust syst ems of
t he facilit y. I t provides a final barrier against t he release of hazardous mat erial t o t he environment .

CONFI NEMENT SYSTEM
The barrier and it s associat ed syst ems (including
vent ilat ion) bet ween areas cont aining hazardous mat erials and t he environment or ot her areas in t he nuclear
facilit y t hat are normally expect ed t o have levels of hazardous mat erials lower t han allowable concent rat ion
limit s.

CONSEQUENCE
Adverse out come or impact of an event There can be more t han one consequence from one event .
Consequences can be expressed qualit at ively or quant it at ively. Consequences are considered in relat ion t o
harm t o human healt h, act ivit y and t he environment .

CONTAI NMENT SYSTEM
A st ruct urally closed barrier and it s associat ed syst ems (including vent ilat ion) bet ween areas cont aining
hazardous mat erials and t he environment or ot her areas in t he nuclear facilit y t hat are normally expect ed t o
have levels of hazardous mat erials lower t han allowable concent rat ion limit s. A cont ainment barrier is
designed t o remain closed and int act during all design basis accident s.

CONTAMI NATED FACI LI TI ES
Facilit ies t hat have st ruct ural component s and syst ems cont aminat ed wit h hazardous chemical or radioact ive
subst ances, including radionuclides. This definit ion excludes facilit ies t hat cont ain no residual hazardous
subst ances ot her t han t hose present in building mat erials and component s, such as asbest os-cont ained
mat erial, lead-based paint , or equipment cont aining PCBs. This definit ion excludes facilit ies in which bulk or
cont ainerized hazardous subst ances, including radionuclides, have been used or managed if no cont aminant s
remain in or on t he st ruct ural component s and syst ems.

CONTAMI NATI ON AREA
Any area, accessible t o individuals, where removable surface cont aminat ion levels exceed or are likely t o
exceed t he removable surface cont aminat ion values.

CONTEXT
Paramet ers wit hin which risk must be managed, including t he scope and boundaries for t he risk assessment
and risk management process.




T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

CONTI NUOUS AI R MONI TOR (CAM)
An inst rument t hat cont inuously samples and measures t he levels of airborne radioact ive mat erials on a
“ real-t ime” basis and has alarm capabilit ies at preset levels. See Monit oring, Performance Monit oring,
Personal Monit oring, Personnel Monit oring, Post -Accident Monit oring, Primary Environment al Monit ors,
Safet y Class Monit oring Equipment , and Secondary Environment al Monit ors.

CONTROLLED AREA
Any area t o which access is managed by or for DOE t o prot ect individuals from exposure t o radiat ion and/ or
radioact ive mat erial.

CONTROLLED DOCUMENT
A document whose cont ent is maint ained uniform among t he copies by an administ rat ive cont rol syst em.

CONTROLS
When used wit h respect t o nuclear react ors, apparat us and mechanisms t hat , when manipulat ed, direct ly
affect t he react ivit y or power level of a react or or t he st at us of an engineered safet y feat ure. When used
wit h respect t o any ot her nuclear facilit y, "cont rols" means apparat us and mechanisms, when manipulat ed
could affect t he chemical, physical, met allurgical, or nuclear process of t he nuclear facilit y in such a manner
as t o affect t he prot ect ion of healt h and safet y.

CORE SAFETY MANAGEMENT FUNCTI ONS
The core safet y management funct ions are (1) define t he scope of work, (2) analyze t he hazards; (3)
develop and implement hazard cont rols; (4) perform work wit hin cont rols; (5) provide feedback and
cont inuous improvement .

COST-BENEFI T ANALYSI S
A syst emat ic and document ed analysis of t he expect ed cost s and benefit s relat ed t o a part icular act ion.

CRI TI CALI TY
The condit ion in which a nuclear fission chain react ion becomes selfsust aining.

CRI TI CALI TY ACCI DENT
The release of energy as a result of accident ally producing a self-sust aining or divergent fission chain
react ion.









Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

CUMULATI VE TOTAL EFFECTI VE DOSE EQUI VALENT
The sum of all t ot al effect ive dose equivalent values recorded for an individual, where available, for each
year occupat ional dose was received. See Commit t ed Dose Equivalent , Commit t ed Effect ive Dose Equivalent ,
Deep Dose Equivalent , Dose Equivalent , Effect ive Dose Equivalent , Lens of t he Eye Dose Equivalent , and
Tot al Effect ive Dose Equivalent .

DECONTAMI NATI ON
The removal or reduct ion of residual radioact ive and hazardous mat erials by mechanical, chemical or ot her
t echniques t o achieve a st at ed obj ect ive or end condit ion.

DEEP DOSE EQUI VALENT
The dose equivalent derived from ext ernal radiat ion at a dept h of 1 cm in t issue. See Commit t ed Dose
Equivalent , Commit t ed Effect ive Dose Equivalent , Cumulat ive Tot al Effect ive Dose Equivalent , Dose
Equivalent , Effect ive Dose Equivalent , Lens of t he Eye Dose Equivalent , and Tot al Effect ive Dose Equivalent .

DEFERRED MAI NTENANCE
Maint enance t hat was not performed when it should have been or was scheduled t o be and which,
t herefore, is put off or delayed for a fut ure period and report ed annually.

DEFI CI ENCY
Any condit ion t hat deviat es from t he designed-in capacit y of st ruct ures, syst ems, and component s and
result s in a degraded abilit y t o accomplish it s int ended funct ion.

DEFLAGRATI ON
A rapid chemical react ion in which t he out put of heat is sufficient t o enable t he react ion t o proceed and be
accelerat ed wit hout input of heat from anot her source. Deflagrat ion is a surface phenomenon, wit h t he
react ion product s flowing away from t he unreact ed mat erial along t he surface at subsonic velocit y. The
effect of a t rue deflagrat ion under confinement is an explosion. Confinement of t he react ion increases
pressure, rat e of react ion and t emperat ure, and may cause t ransit ion int o a det onat ion.

DERI VED AI R CONCENTRATI ON (DAC)
For t he radionuclides, t he airborne concent rat ion t hat equals t he ALI divided by t he volume of air breat hed
by an average worker for a working year of 2000 hours (assuming a breat hing volume of 2400 m
3
).

DERI VED CONCENTRATI ON GUI DE (DCG)
The concent rat ion of a radionuclide in air or wat er t hat , under condit ions of cont inuous exposure for one
year by one exposure mode (i.e., ingest ion of wat er, submersion in air, or inhalat ion) would result in an
effect ive dose equivalent of 100 mrem or 0.1 rem (1 mSv). Do not consider decay product s when t he parent
radionuclide is t he cause of t he exposure (1 rem = 0.01 sievert ).




T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

DETERMI NI STI C METHOD
The t echnique in which a single est imat e of paramet ers is used t o perform each analysis. To account for
uncert aint y, several analyses may be conduct ed wit h different paramet ers.

DETONATI ON
A violent chemical react ion wit hin a chemical compound or mechanical mixt ure involving heat and pressure.
A det onat ion is a react ion t hat proceeds t hrough t he react ed mat erial t oward t he unreact ed mat erial at a
supersonic velocit y. The result of t he chemical react ion is t he exert ion of ext remely high pressure on t he
surrounding medium, forming a propagat ing shock wave t hat is originally of supersonic velocit y. When t he
mat erial is locat ed on or near t he surface of t he ground, a det onat ion is normally charact erized by a crat er.

DOCUMENT
Recorded informat ion t hat describes, specifies, report s, cert ifies, requires, or provides dat a or result s.

DOCUMENTED SAFETY ANALYSI S
A document ed analysis of t he ext ent t o which a nuclear facilit y can be operat ed safely wit h respect t o
workers, t he public, and t he environment , including a descript ion of t he condit ions, safe boundaries, and
hazard cont rols t hat provide t he basis for ensuring safet y.

DOSE EQUI VALENT (H)
The product of absorbed dose in rad (or gray) in t issue, a qualit y fact or, and ot her modifying fact ors. Dose
equivalent is expressed in unit s of rem (or sievert ) (1 rem = 0.01 sievert ). See Commit t ed Dose Equivalent ,
Commit t ed Effect ive Dose Equivalent , Cumulat ive Tot al Effect ive Dose Equivalent , Deep Dose Equivalent ,
Effect ive Dose Equivalent , Lens of t he Eye Dose Equivalent , and Tot al Effect ive Dose Equivalent .

EFFECTI VE DOSE EQUI VALENT (EDE)
The dose equivalent from bot h ext ernal and int ernal irradiat ion. The effect ive dose equivalent is expressed in
unit s of rem. See Commit t ed Dose Equivalent , Commit t ed Effect ive Dose Equivalent , Cumulat ive Tot al
Effect ive Dose Equivalent , Deep Dose Equivalent , Dose Equivalent , Lens of t he Eye Dose Equivalent , and
Tot al Effect ive Dose Equivalent .













Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

EFFECTI VE DOSE EQUI VALENT (HE)
The summat ion of t he product s of t he dose equivalent received by specified t issues of t he body and t he
appropriat e weight ing fact or. I t includes t he dose from radiat ion sources int ernal and ext ernal t o the body.
The effect ive dose equivalent is expressed in unit s of rem (or sievert ). See Commit t ed Dose Equivalent ,
Commit t ed Effect ive Dose Equivalent , Cumulat ive Tot al Effect ive Dose Equivalent , Deep Dose Equivalent ,
Dose Equivalent , Lens of t he Eye Dose Equivalent , and Tot al Effect ive Dose Equivalent .

EI GHT-HOUR TI ME-WEI GHTED AVERAGE (TWA) EXPOSURE LI MI T
The t ime-weight ed average concent rat ion in t he employee's breat hing zone which shall not be exceeded in
any 8 hour work shift of a 40-hour workweek.

ELECTRI C SHOCK
Physical st imulat ion t hat occurs when elect rical current passes t hrough t he body (I EEE 1584-2002).

ELECTRI CAL HAZARD
A dangerous condit ion such t hat cont act or equipment failure can result in elect ric shock, arc flash burn,
t hermal burn, or blast .

ENERGI ZED
Elect rically connect ed t o or having a source of volt age.

ENERGI ZED
Elect rically connect ed t o a source of pot ent ial difference, or elect rically charged so as t o have a pot ent ial
significant ly different from t hat of eart h in t he vicinit y.

ENERGY
The capacit y t o do work. Energy exist s in many forms, including acoust ic, pot ent ial, elect rical, kinet ic,
t hermal, biological, chemical and radiat ion (bot h ionizing and non-ionizing).

ENERGY FLOW
The t ransfer of energy from it s source t o some ot her point . There are t wo t ypes of energy flows: want ed
(cont rolled and able t o do work) and unwant ed (uncont rolled and able t o do harm).

ENGI NEERED CONTROLS
Physical cont rols, including set point s and operat ing limit s; as dist inct from administ rat ive cont rols.








T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

ENGI NEERED SAFETY FEATURES
Syst ems, component s, or st ruct ures t hat prevent and mit igat e t he consequences of pot ent ial accident s
described in t he Final Safet y Analysis Report including t he bounding design basis accident s.

ENVI RONMENTAL MANAGEMENT SYSTEM (EMS)
The part of t he overall management syst em t hat includes organizat ional st ruct ure, planning act ivit ies,
responsibilit ies, pract ices, procedures, processes, and resources for developing, int egrat ing, achieving,
reviewing, and maint aining environment al policy; a cont inuing cycle of planning, implement ing, evaluat ing,
and improving processes and act ions undert aken t o achieve environment al goals.

ENVI RONMENTAL PERFORMANCE
Measurable result s of t he environment al management syst em, relat ed t o an organizat ion’s cont rol of it s
environment al aspect s, based on it s environment al policy, obj ect ives, and t arget s.

ENVI RONMENTAL PROTECTI ON STANDARD
A specified set of rules or condit ions concerned wit h delineat ion of procedures; definit ion of t erms;
specificat ion of performance, design, or operat ions; or measurement s t hat define t he quant it y of emissions,
discharges, or releases t o t he environment and t he qualit y of t he environment .

EVENT
Occurrence of a part icular set of circumst ances. The event can be cert ain or uncert ain. The event can be a
single occurrence or a series of occurrences.

EVENTS AND CAUSAL FACTORS CHART
Graphical depict ion of a logical series of event s and relat ed condit ions t hat precede t he accident .

EXPANDED UNCERTAI NTY
Quant it y defining an int erval about t he result of a measurement t hat may be expect ed t o encompass a large
fract ion of t he dist ribut ion of values t hat could reasonably be at t ribut ed t o t he measurand.

EXPLOSI VE
Any chemical compound or mechanical mixt ure t hat , when subj ect ed t o heat , impact , frict ion, shock, or
ot her suit able init iat ion st imulus, undergoes a very rapid chemical change wit h t he evolut ion of large
volumes of highly heat ed gases t hat exert pressures in t he surrounding medium. The t erm applies t o
mat erials t hat eit her det onat e or deflagrat e. DOE explosives may be dyed various colors, except pink, which
is reserved for mock explosives.







Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

EXPLOSI VES HAZARD CLASSES
The level of prot ect ion required for any specific explosives act ivit y, based on t he hazard class (accident
pot ent ial) for t he explosives act ivit y involved. Four hazard classes are defined for explosives act ivit ies as
follows in definit ions for explosives hazard classes I t o I V.
Class I consist s of t hose explosives act ivit ies t hat involve a high accident pot ent ial; any personnel exposure
is unaccept able for Class I act ivit ies and t hey t hus require remot e operat ions. I n general, Class I would
include act ivit ies where energies t hat may int erface wit h t he explosives are approaching t he upper safet y
limit s, or t he loss of cont rol of t he int erfacing energy is likely t o exceed t he safet y limit s for t he explosives
involved. This cat egory includes t hose research and development act ivit ies where t he safet y implicat ions
have not been fully charact erized. Examples of Class I act ivit ies are screening, blending, pressing, ext rusion,
drilling of holes, dry machining, machining explosives and met al in combinat ion, some environment al t est ing,
new explosives development and processes, explosives disposal, and dest ruct ive t est ing.
Class I I consist s of t hose explosives act ivit ies t hat involve a moderat e accident pot ent ial because of t he
explosives t ype, t he condit ion of t he explosives, or t he nat ure of t he operat ions involved. This cat egory
consist s of act ivit ies where t he accident pot ent ial is great er t han for Class I I I , but t he exposure of personnel
performing cont act operat ions is accept able. Class I I includes act ivit ies where t he energies t hat do or may
int erface wit h t he explosives are normally well wit hin t he safet y boundaries for t he explosives involved, but
where t he loss of cont rol or t hese energies might approach t he safet y limit s of t he explosives. Examples of
Class I I act ivit ies are weighing, some wet machining, assembly and disassembly, some environment al
t est ing, and some packaging operat ions.
Class I I I consist s of t hose explosives act ivit ies t hat represent a low accident pot ent ial. Class I I I includes
explosives act ivit ies during st orage and operat ions incident al t o st orage or removal from st orage.
Class I V consist s of t hose explosives act ivit ies wit h insensit ive high explosives (I HE) or insensit ive high
explosives subassemblies. Alt hough mass det onat ing, t his explosive t ype is so insensit ive t hat a negligible
probabilit y exist s for accident al init iat ion or t ransit ion from burning t o det onat ion. I HE explosions will be
limit ed t o pressure rupt ures of cont ainers heat ed in a fire. Most processing and st orage act ivit ies wit h I HE
and I HE subassemblies are Class I V.

EXPOSURE ASSESSMENT (EA)
The est imat ion or det erminat ion (qualit at ive or quant it at ive) of t he magnit ude, frequency, durat ion, and
rout e of employee exposure t o a subst ance, harmful physical agent , ergonomic st ress, or harmful biological
agent t hat poses or may pose a recognized hazard t o t he healt h of employees.
The syst emat ic collect ion and analysis of occupat ional hazards and exposure det erminant s such as work
t asks; magnit ude, frequency, variabilit y, durat ion, and rout e of exposure; and t he linkage of t he result ing
exposure profiles of individuals and similarly exposed groups for t he purposes of risk management and
healt h surveillance.







T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

EXTERNAL DOSE OR EXPOSURE
That port ion of t he dose equivalent received from radiat ion sources out side t he body (e.g., “ ext ernal
sources” ).


EXTERNAL EVENTS
Nat ural phenomena or man-caused hazards not relat ed t o t he facilit y.

FI NAL SAFETY ANALYSI S REPORT (FSAR)
The Safet y Analysis Report (SAR) submit t ed t o and approved by DOE prior t o t he aut horizat ion t o operat e a
new nuclear facilit y or t hat document s t he adequacy of t he safet y analysis for an exist ing nuclear facilit y.
See Preliminary Document ed Safet y Analysis, Preliminary Safet y Analysis Report , Safet y Analysis Report ,
Safet y Basis, Safet y Evaluat ion, and Safet y Evaluat ion Report .

FI RE BARRI ER
A cont inuous membrane, eit her vert ical or horizont al, such as a wall or floor assembly t hat is designed and
const ruct ed wit h a specified fire resist ance rat ing t o limit t he spread of fire and t hat also will rest rict t he
movement of smoke. Such barriers may have prot ect ed openings.

FI RE HAZARDS ANALYSI S
An assessment of t he risks from fire wit hin an individual fire area in a facilit y analyzing t he relat ionship t o
exist ing or proposed fire prot ect ion. This shall include an assessment of t he consequences of fire on safet y
syst ems and t he capabilit y t o safely operat e a facilit y during and aft er a fire.

FI RE LOSS
The money cost of rest oring damaged propert y t o it s pre-fire condit ion. When det ermining loss, t he
est imat ed damage t o t he facilit y and cont ent s should include replacement cost , less salvage value. Fire loss
should exclude t he cost s for: (1) propert y scheduled for demolit ion; (2) decommissioned propert y not
carried on books as a value.
Fire loss should also include t he cost of: (1) decont aminat ion and cleanup; (2) t he loss of product ion or
program cont inuit y; (3) t he indirect cost s of fire ext inguishment (such as damaged fire depart ment
equipment ; (4) t he effect s on relat ed areas.











Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

FI RE PROTECTI ON
A broad t erm which encompasses all aspect s of fire safet y, including: building const ruct ion and fixed building
fire feat ures, fire suppression and det ect ion syst ems, fire wat er syst ems, emergency process safet y cont rol
syst ems, emergency fire fight ing organizat ions (fire depart ment s, fire brigades, et c.), fire prot ect ion
engineering, and fire prevent ion. Fire prot ect ion is concerned wit h prevent ing or minimizing t he direct and
indirect consequences of fire. I t also includes aspect s of t he following perils as t hey relat e t o fire prot ect ion:
explosion, nat ural phenomenon, smoke, and wat er damage from fire.

FI RE PROTECTI ON SYSTEM
Any syst em designed t o det ect and cont ain or ext inguish a fire, as well as limit t he ext ent of fire damage
and enhance life safet y.
FI RE RESI STANCE RATI NG
The t ime t hat a part icular const ruct ion will wit hst and a st andard fire exposure in hours as det ermined by
American Societ y of Test ing and Mat erials st andard (ASTM E-119).

FLAME RESI STANT (FR)
The propert y of a mat erial whereby combust ion is prevent ed, t erminat ed, or inhibit ed following t he
applicat ion of a flaming or non-flaming source of ignit ion, wit h or wit hout subsequent removal of t he ignit ion
source.

FLAME SPREAD RATI NG
Flame spread rat ing is a numerical classificat ion det ermined by t he t est met hod in American Societ y of
Test ing and Mat erials st andard (ASTM E-84), which indexes t he relat ive burning behavior of a mat erial by
quant ifying t he spread of flame of a t est specimen. The surface burning charact erist ic of a mat erial is not a
measure of resist ance t o fire exposure.

FLAMMABLE GAS
A gas t hat , at ambient t emperat ure and pressure, forms a flammable mixt ure wit h air at a concent rat ion of
13 percent by volume or less; or a gas t hat , at ambient t emperat ure and pressure, forms a range of
flammable mixt ures wit h air wider t han 13 percent by volume, regardless of t he lower limit .

FLAMMABLE LI QUI D
A liquid having a closed cup flash point below 100º F (38º C) and having a vapor pressure not exceeding 40
psia (2068 mm Hg) at 100º F (38º C).

FLASH HAZARD
A dangerous condit ion associat ed wit h t he release of energy caused by an elect ric arc.






T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

FLASH HAZARD ANALYSI S
A st udy invest igat ing a worker’s pot ent ial exposure t o arc-flash energy, conduct ed for t he purpose of inj ury
prevent ion and t he det erminat ion of safe work pract ices and t he appropriat e levels of personal prot ect ive
equipment .

GRADED APPROACH
The process of assuring t hat t he level of analysis, document at ion, and act ions used t o comply wit h t he
safet y requirement s are commensurat e wit h: (1) The relat ive import ance t o safet y, safeguards, and securit y;
(2) The magnit ude of any hazard involved; (3) The life cycle st age of a facilit y; (4) The programmat ic
mission of a facilit y; (5) The part icular charact erist ics of a facilit y; (6) The relat ive import ance of radiological
and nonradiological hazards; (7) Any ot her relevant fact or.

HARSH ENVI RONMENT
Air environment where service condit ions are expect ed t o exceed t he mild environment condit ions as a result
of design basis accident s, fires, explosions, nat ural phenomena or ot her man-caused ext ernal event s.

HAZARD
A source of danger (i.e., mat erial, energy source, or operat ion) wit h t he pot ent ial t o cause illness, inj ury, or
deat h t o a person or damage t o a facilit y or t o t he environment (wit hout regard t o t he likelihood or
credibilit y of accident scenarios or consequence mit igat ion).

HAZARD ANALYSI S
The det erminat ion of mat erial, syst em, process, and plant charact erist ics t hat can produce undesirable
consequences, followed by t he assessment of hazardous sit uat ions associat ed wit h a process or act ivit y.
Largely qualit at ive t echniques are used t o pinpoint weaknesses in design or operat ion of t he facilit y t hat
could lead t o accident s. The hazards analysis examines t he complet e spect rum of pot ent ial accident s t hat
could expose members of t he public, onsit e workers, facilit y workers, and t he environment t o hazardous
mat erials.

HAZARD CATEGORI ES
The consequences of unmit igat ed releases of radioact ive and hazardous mat erial are evaluat ed and
classified by t he following hazard cat egories:
Cat egory 1 – The hazard analysis shows t he pot ent ial for significant offsit e consequences.
Cat egory 2 – The hazard analysis shows t he pot ent ial for significant onsit e consequences.
Cat egory 3 – The hazard analysis shows t he pot ent ial for only significant localized consequences.








Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

HAZARD CLASSES
Non-nuclear facilit ies will be cat egorized as high, moderat e, or low hazards based on t he following:
High – hazards wit h a pot ent ial for onsit e and offsit e impact s t o large numbers of persons or for maj or
impact s t o t he environment ;
Moderat e – hazards which present considerable pot ent ial onsit e impact s t o people or t he environment , but
at most only minor offsit e impact s;
Low – hazards which present minor onsit e and negligible offsit e impact s t o people and t he environment .

HAZARDS CONTROLS
Measures t o eliminat e, limit , or mit igat e hazards t o workers, t he public, or t he environment , including (1)
Physical, design, st ruct ural, and engineering feat ures; (2) Safet y st ruct ures, syst ems, and component s; (3)
Safet y management programs; (4) Technical Safet y requirement s; (5) Ot her cont rols necessary t o provide
adequat e prot ect ion from hazards.

HAZARDOUS EXPOSURE
Exposure t o any t oxic subst ance, harmful physical agent , ergonomic st ressor, or harmful biological agent
t hat poses a recognized hazard t o t he healt h of employees.

HAZARDOUS MATERI AL
Any solid, liquid, or gaseous mat erial t hat is not radioact ive but is t oxic, explosive, flammable, corrosive, or
ot herwise physically or biologically t hreat ening t o healt h. Any solid, liquid, or gaseous mat erial t hat is
chemical, t oxic, explosive, flammable, radioact ive, corrosive, chemically react ive, or unst able upon prolonged
st orage in quant it ies t hat could pose a t hreat t o life, propert y, or t he environment .
A subst ance or mat erial, which has been det ermined t o be capable of posing an unreasonable risk t o healt h,
safet y, and propert y when t ransport ed in commerce, and which has been so designat ed. The t erm includes
hazardous subst ances, hazardous wast es, marine pollut ant s, and elevat ed t emperat ure mat erials.
Any chemical which is a physical hazard or a healt h hazard.

HAZARDOUS WASTE
A solid wast e, or combinat ion of solid wast es, which because of it s quant it y, concent rat ion, or physical,
chemical, or infect ious charact erist ics may (1) cause, or significant ly cont ribut e t o an increase in mort alit y or
an increase in serious irreversible, or incapacit at ing reversible, illness; or (2) pose a subst ant ial present or
pot ent ial hazard t o human healt h or t he environment when improperly t reat ed, st ored, t ransport ed, or
disposed or, or ot herwise managed.









T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

HEALTH HAZARD ASSESSMENT
The comprehensive and syst emat ic process of ident ifying, classifying, and evaluat ing healt h hazards in t he
workplace. Healt h hazard assessment s evaluat e t he probabilit y and severit y of t he effect s of exposure t o t he
hazard.

HEALTH SURVEI LLANCE
The cont inuing scrut iny of healt h event s t o det ect changes in disease t rends or disease dist ribut ion. The
cont inuing collect ion and maint enance of indust rial hygiene dat a is a component of healt h surveillance
needed t o det ermine whet her observed adverse healt h event s are relat ed t o working condit ions.

HEAT RESI STANT
A mat erial having t he qualit y or capabilit y of wit hst anding heat for a specified period at a maximum given
t emperat ure wit hout decomposing or losing it s int egrit y.

HI GH EFFI CI ENCY PARTI CULATE AI R (HEPA) FI LTER
A filt er capable of t rapping and ret aining at least 99.97 percent of 0.3 micromet er monodispersed part icles.

HUMAN FACTORS
Those biomedical, psychosocial, workplace environment , and engineering considerat ions pert aining t o people
in a human-machine syst em. Some of t hese considerat ions are allocat ion of funct ions, t ask analysis, human
reliabilit y, t raining requirement s, j ob performance aiding, personnel qualificat ion and select ion, st affing
requirement s, procedures, organizat ional effect iveness, and workplace environment al condit ions.

HUMAN FACTORS ENGI NEERI NG
The applicat ion of knowledge about human performance capabilit ies and behavioral principles t o t he design,
operat ion, and maint enance of human-machine syst ems so t hat personnel can funct ion at t heir opt imum
level of performance.

I MMUNE RESPONSE
The series of cellular event s by which t he immune syst em react s t o challenge by an ant igen.

I NCI DENT
An unplanned event t hat may or may not result in inj uries and loss.

I NTERNAL DOSE OR EXPOSURE. That port ion of t he dose equivalent received from radioact ive mat erial
t aken int o t he body (e.g., “ int ernal sources” ).







Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

LI FE CYCLE
The life of an asset from planning t hrough acquisit ion, maint enance, operat ion, remediat ion, disposit ion,
long-t erm st ewardship, and disposal.

LI FE CYCLE PLAN
An analysis and descript ion of t he maj or event s and act ivit ies in t he life of a funct ional unit from planning
t hrough decommissioning and sit e rest orat ion. The plan document s t he hist ory of t he funct ional unit and
forecast s fut ure act ivit ies, including maj or line it em and expense proj ect s and t heir durat ion, relat ionships,
and impact on life expect ancy. The plan also describes maint enance pract ices and cost s.

LI KELI HOOD
Chance of somet hing happening. Likelihood can be expressed qualit at ively or quant it at ively.

MAI NTENANCE
Day-t o-day work t hat is required t o sust ain propert y in a condit ion suit able for it t o be used for it s
designat ed purpose and includes prevent ive, predict ive, and correct ive (repair) maint enance.
The proact ive and react ive day-t o-day work t hat is required t o maint ain and preserve facilit ies and SSCs
wit hin t hem in a condit ion suit able for performing t heir designat ed purpose, and includes planned or
unplanned periodic, prevent ive, predict ive, seasonal or correct ive (repair) maint enance.

MAI NTENANCE MANAGEMENT
The administ rat ion of a program ut ilizing such concept s as organizat ion, plans, procedures, schedules, cost
cont rol, periodic evaluat ion, and feedback for t he effect ive performance and cont rol of maint enance wit h
adequat e provisions for int erface wit h ot her concerned disciplines such as healt h, safet y, environment al
compliance, qualit y cont rol, and securit y. All work done in conj unct ion wit h exist ing propert y is eit her
maint enance (preserving), repair (rest oring), service (cleaning and making usable), or improvement s. The
work t o be considered under t he DOE maint enance management program is only t hat for maint enance and
repair.

MAI NTENANCE PLAN
A narrat ive descript ion of a sit e's maint enance program. The plan should be a real-t ime document which is
updat ed at least annually and which addresses all element s of a successful maint enance program. The plan
should describe t he backlog and st rat egies t o reduce t he backlog, as well as t he maint enance funding
required t o sust ain t he assigned mission. The maint enance plan should int egrat e individual maint enance
act ivit ies addressed under each funct ional unit life-cycle plan.








T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

MAI NTENANCE PROCEDURE
A document providing direct ion t o implement maint enance policy, comply wit h ext ernal direct ives, laws or
meet operat ional obj ect ives in a consist ent manner. A procedure provides adequat ely det ailed delineat ion of
inst ruct ions, roles, responsibilit ies, act ion st eps, and requirement s for conduct ing maint enance act ivit ies.

MARGI N
The difference bet ween service condit ions and t he design paramet ers used in t he design of a component ,
syst em, or st ruct ure.

MARGI N OF SAFETY
That margin built int o t he safet y analyses of t he facilit y as set fort h in t he aut horizat ion basis accept ance
limit s.

MAXI MUM CREDI BLE FI RE LOSS (MCFL)
The propert y damage t hat would be expect ed from a fire, assuming t hat : (1) All inst alled fire prot ect ion
syst ems funct ion as designed; (2) The effect of emergency response is omit t ed except for post -fire act ions
such as salvage work, shut t ing down wat er syst ems, and rest oring operat ion.

MAXI MUM POSSI BLE-FI RE LOSS (MPFL)
The value of propert y, excluding land value, wit hin a fire area, unless a fire hazards analysis demonst rat es a
lesser (or great er) loss pot ent ial. This assumes t he failure of bot h aut omat ic fire suppression syst ems and
manual fire fight ing effort s.

MONI TORI NG
The measurement of radiat ion levels, airborne radioact ivit y concent rat ions, radioact ive cont aminat ion levels,
quant it ies of radioact ive mat erial, or individual doses and t he use of result s of t hese measurement s t o
evaluat e radiological hazards or pot ent ial and act ual doses result ing from exposures t o ionizing radiat ion.
See Cont inuous Air Monit oring, Performance Monit oring, Personal Monit oring, Personnel Monit oring, Post -
Accident Monit oring Equipment , Primary Environment al Monit ors, Safet y Class Monit oring Equipment , and
Secondary Environment al Monit ors.

NATURAL PHENOMENA HAZARD (NPH)
An act of nat ure (e.g., eart hquake, wind, hurricane, t ornado, flood, precipit at ion [ rain or snow] , volcanic
erupt ion. light ning st rike, or ext reme cold or heat ) which poses a t hreat or danger t o workers, t he public, or
t o t he environment by pot ent ial damage t o st ruct ures, syst ems, and component s.








Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

NEAR MI SS
An event t hat did not result in an accident al release of a highly hazardous chemical, but which could have,
given anot her “ failure” . Near misses, somet imes called “ precursors” , include: (1) The occurrence of an
accident init iat or where t he prot ect ion funct ioned properly t o preclude a release of a highly hazardous
chemical; or, (2) t he det erminat ion t hat a prot ect ion syst em was out of service such t hat if an init iat ing
event had occurred, a release of a highly hazardous chemical would have t aken place.

NONCOMBUSTI BLE
A mat erial t hat in t he form in which it is used and under t he condit ions ant icipat ed will not ignit e, burn,
support combust ion, or release flammable vapors when subj ect ed t o fire or heat , as defined by fire
prot ect ion indust ry st andards on t he basis of large scale fire t est s performed by a nat ionally recognized
independent fire t est aut horit y.
NONSTOCHASTI C EFFECTS
Effect s due t o radiat ion exposure for which t he severit y varies wit h t he dose and for which a t hreshold
normally exist s (e.g., radiat ion-induced opacit ies wit hin t he lens of t he eye).

OCCUPATI ONAL DOSE
An individual's ionizing radiat ion dose (ext ernal and int ernal) as a result of t hat individual's work assignment .
Occupat ional dose does not include doses received as a medical pat ient or doses result ing from background
radiat ion or part icipat ion as a subj ect in medical research programs.

OCCUPATI ONAL HEALTH PROGRAM
A comprehensive and coordinat ed effort of t hose involved in Radiological Prot ect ion, I ndust rial Hygiene,
Occupat ional Medicine, and Epidemiology t o prot ect t he healt h and well-being of employees.

PERMI SSI BLE EXPOSURE LI MI T
The maximum level of exposure t o airborne cont aminant s or physical agent s t o which an employee may be
exposed over a specified t ime period.

PERMI SSI BLE EXPOSURE LI MI T (PEL)
The maximum level t o which an employee may be exposed t o a hazardous agent in a specified period.












T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

PREDI CTI VE MAI NTENANCE
Predict ive maint enance consist s of t he act ions necessary t o monit or, find t rends, and analyze paramet ers,
propert ies and performance charact erist ics or signat ures associat ed wit h st ruct ures, syst ems, and
component s (SSCs), facilit ies or pieces of equipment t o discern whet her or not a st at e or condit ion may be
approaching which is indicat ive of det eriorat ing performance or impending failure, where t he int ended
funct ion of t he SSCs, facilit ies or pieces of equipment may be compromised. Predict ive maint enance
act ivit ies involve cont inuous or periodic monit oring and diagnosis in order t o forecast component
degradat ion so t hat "as-needed" planned maint enance can be init iat ed prior t o failure. Not all SSC, facilit y or
equipment condit ions and failure modes can be monit ored and diagnosed in advance; t herefore, predict ive
maint enance should be select ively applied. To t he ext ent t hat predict ive maint enance can be relied on
wit hout large uncert aint ies, it is normally preferable t o act ivit ies such as periodic int ernal inspect ion or
equipment overhauls.

QUALI TY CONTROL
To check, audit , review and evaluat e t he progress of an act ivit y, process or syst em on an ongoing basis t o
ident ify change from t he performance level required or expect ed and t he opport unit ies for improvement .

RELI ABI LI TY CENTERED MAI NTENANCE (RCM)
A proact ive syst emat ic decision logic t ree approach t o ident ify or revise prevent ive maint enance t asks or
plans t o preserve or prompt ly rest ore operabilit y, reliabilit y and availabilit y of facilit y st ruct ures, syst ems, and
component s; or t o prevent failures and reduce risk t hrough t ypes of maint enance act ion and frequency
select ion t o ensure high performance. Reliabilit y cent ered maint enance is t he performance of scheduled
maint enance for complex equipment , quant ified by t he relat ionship of prevent ive maint enance t o reliabilit y
and t he benefit s of reliabilit y t o safet y and cost re uct ion t hrough t he opt imizat ion of maint enance t ask and
frequency int ervals. The concept relies on empirical maint enance t ask and frequency int ervals t o make
det erminat ions about real applicable dat a suggest ing an effect ive int erval for t ask accomplishment . The
approach t aken t o est ablish a logical pat h for each funct ional failure is t hat each funct ional failure, failure
effect , and failure cause be processed t hrough t he logic so t hat a j udgement can be made as t o t he
necessit y of t he t ask, and includes: (1) report ing prevent ive maint enance act ivit ies, plans and schedules; (2)
opt imizing and calculat ing t he prevent ive maint enance int erval by balancing availabilit y, reliabilit y and cost ;
(3) ranking prevent ive maint enance t asks; (4) accessing prevent ive maint enance informat ion from piping
and inst rument drawings (P&I Ds); (5) accessing prevent ive maint enance and ot her maint enance dat a; (6)
list ing recurring failure modes and part s, including failure t o st art and failure t o run; (7) calculat ing and
monit oring st ruct ure, syst em, and component availabilit y; (8) accessing prevent ive maint enance procedures,
and (9) keeping t rack of prevent ive maint enance cost .








Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

RI SK
The chance of somet hing happening t hat will have an undesired impact . I mpact in t erms of t he Act is t he
chance of harm t o human healt h and safet y, or t he environment due t o or as a result of gene t echnology.
Risk is measured in t erms of a combinat ion of t he likelihood t hat a hazard gives rise t o an undesired
out come and t he seriousness of t hat undesired out come.

RI SK ANALYSI S
The overall process of risk assessment , risk management and risk communicat ion.

RI SK ANALYSI S FRAMEWORK
Syst emat ic applicat ion of legislat ion, policies, procedures and pract ices t o analyse risks.

RI SK ASSESSMENT
The overall process of hazard ident ificat ion and risk est imat ion.

RI SK COMMUNI CATI ON
The cult ure, processes and st ruct ures t o communicat e and consult wit h st akeholders about risks.

RI SK ESTI MATE
A measure of risk in t erms of a combinat ion of consequence and likelihood assessment s.

RI SK EVALUATI ON
The process of det ermining risks t hat require management .

RI SK MANAGEMENT
The overall process of risk evaluat ion, risk t reat ment and decision making t o manage pot ent ial adverse
impact s.

RI SK MANAGEMENT PLAN
I nt egrat es risk evaluat ion and risk t reat ment wit h t he decision making process.

RI SK TREATMENT
The process of select ion and implement at ion of measures t o reduce risk.










T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

ROOT CAUSE
The det erminat ion of t he causal fact ors preceding st ruct ures, syst ems, and component s (SSC) failure or
malfunct ion, t hat is, discovery of t he principal reason why t he failure or malfunct ion happened leads t o t he
ident ificat ion of t he root cause. The preceding failure or malfunct ion causal fact ors are always event s or
condit ions t hat are necessary and sufficient t o produce or cont ribut e t o t he unwant ed result s (failure or
malfunct ion). The t ypes of causal fact ors are: (1) direct causes, (2) cont ribut ing causes, and (3) root causes.
The direct cause is t he immediat e event or condit ion t hat caused t he failure or malfunct ion. Cont ribut ing
causes are condit ions or event s t hat collect ively increase t he likelihood of t he failure or malfunct ion, but t hat
individually do not cause t hem. Thus, root causes are event s or condit ions t hat , if correct ed or eliminat ed,
would prevent t he recurrence of t he failure or malfunct ion by ident ifying and correct ing fault s (often hidden)
before an SSC fails or malfunct ions.

SAFETY-CLASS STRUCTURES, SYSTEMS, AND COMPONENTS (SC-SSCs)
Syst ems, st ruct ures, or component s including primary environment al monit ors and port ions of process
syst ems, whose failure could adversely affect t he environment , or safet y and healt h of t he public as
ident ified by safet y analyses. (See Safet y Class St ruct ures, Syst ems, and Component s; Safet y Significant
St ruct ures, Syst ems, and Component s; and Safet y St ruct ures, Syst ems, and Component s.
Safet y-class SSCs are syst ems, st ruct ures, or component s whose prevent ive or mit igat ive funct ion is
necessary t o keep hazardous mat erial exposure t o t he public below t he offsit e Evaluat ion Guidelines. The
definit ion would t ypically exclude it ems such as primary environment al monit ors and most process
equipment .

STAKEHOLDERS
Those people and organisat ions who may affect , be affect ed by, or perceive t hemselves t o be affect ed by a
decision, act ivit y or risk. The t erm st akeholder may also include “ int erest ed part ies” .

STANDARD UNCERTAI NTY
Uncert aint y of t he result of a measurement expressed as a st andard deviat ion.

TECHNI CAL SAFETY REQUI REMENTS (TSRs)
Those requirement s t hat define t he condit ions, safe boundaries, and t he management or administ rat ive
cont rols necessary t o ensure t he safe operat ion of a nuclear facilit y and t o reduce t he pot ent ial risk t o t he
public and facilit y workers from uncont rolled releases of radioact ive mat erials or from radiat ion exposures
due t o inadvert ent crit icalit y. Technical Safet y requirement s consist of safet y limit s, operat ing limit s,
surveillance requirement s, administ rat ive cont rols, use and applicat ion inst ruct ions, and t he basis t hereof.

TECHNI CAL SAFETY REQUI REMENTS (TSRs)
The limit s, cont rols, and relat ed act ions t hat est ablish t he specific paramet ers and requisit e act ions for t he
safe operat ion of a nuclear facilit y and include, as appropriat e for t he work and t he hazards ident ified in t he
document ed safet y analysis for t he facilit y: safet y limit s, operat ing limit s, surveillance requirement s,
administ rat ive and management cont rols, use and applicat ion provisions, and design feat ures, as well as a
bases appendix.

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
G GL LO OS SS SA AR RY Y

THRESHOLD LI MI T VALUES (TLVs)
Airborne concent rat ions of subst ances or levels of physical agent s, and represent conditions under which it is
believed t hat nearly all workers may be repeat edly exposed day aft er day wit hout adverse healt h effect s.
TLVs are issued by t he American Conference of Government al I ndust rial Hygienist s (ACGI H).

TOTAL EFFECTI VE DOSE EQUI VALENT (TEDE)
The sum of t he effect ive dose equivalent (for ext ernal exposures) and t he commit t ed effect ive dose
equivalent (for int ernal exposures). See Commit t ed Dose Equivalent , Commit t ed Effect ive Dose Equivalent ,
Cumulat ive Tot al Effect ive Dose Equivalent , Deep Dose Equivalent , Dose Equivalent , Effect ive Dose
Equivalent , and Lens of t he Eye Dose Equivalent .

TYPE A EVALUATI ON (OF UNCERTAI NTY)
Met hod of evaluat ion of uncert aint y by t he st at ist ical analysis of series of observat ions.

TYPE B EVALUATI ON (OF UNCERTAI NTY)
Met hod of evaluat ion of uncert aint y by means ot her t han t he st at ist ical analysis of series of observat ions.

UNCERTAI NTY
I mperfect abilit y t o assign a charact er st at e t o a t hing or process; a form or source of doubt .

WEI GHTI NG FACTOR (WT)
The fract ion of t he overall healt h risk, result ing from uniform, whole body irradiat ion, at t ribut able t o specific
t issue (T). The dose equivalent t o t issue, (HT ) is mult iplied by t he appropriat e weight ing fact or t o obt ain t he
effect ive dose equivalent cont ribut ion from t hat t issue.



















T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
C CO ON N T T E EN N T T S S

Fundament als of Risk Theory ................................ ................................ ................................ ............ 37
Risk Dynamic Equat ion Model ................................ ................................ ................................ ........ 39
Risk Cont inuit y Equat ions................................ ................................ ................................ .............. 53
General Equation of Risk Transfer ................................ ................................ ................................ .. 56
Risk Equilibrium and Ent opy ................................ ................................ ................................ .......... 58
Risk Analysis Model ................................ ................................ ................................ .......................... 60
Risk Assessment ................................ ................................ ................................ .......................... 61
Risk Management ................................ ................................ ................................ ........................ 62
Risk Communicat ion ................................ ................................ ................................ ..................... 62
Models of Risk Analysis................................ ................................ ................................ ................. 62
Component s in Risk Analysis ................................ ................................ ................................ ......... 63
Qualitat ive and Quant it ative Risk Assessment ................................ ................................ .................. 63
Uncert aint y ................................ ................................ ................................ ................................ . 64
Risk Assessment ................................ ................................ ................................ .............................. 66
The Scope of Risk Assessment ................................ ................................ ................................ ....... 66
Hazard Assessment ................................ ................................ ................................ ...................... 70
Evidence and Exposure................................ ................................ ................................ ................. 72
Likelihood (Probabilit y) of Occurrence ................................ ................................ ............................ 75
Loss Crit icality (Consequences) ................................ ................................ ................................ ...... 77
Safet y Level ................................ ................................ ................................ ................................ 91
Risk Estimation and Risk Treat ment ................................ ................................ ............................... 92
Risk Management ................................ ................................ ................................ ............................ 96
Risk Management and Uncert aint y ................................ ................................ ................................ . 97
The Risk Management Plan ................................ ................................ ................................ ........... 98
Risk Evaluat ion ................................ ................................ ................................ ............................ 98
Risk Prot ect ion................................ ................................ ................................ ............................. 99
Risk Treat ment ................................ ................................ ................................ ............................ 99
Monit oring for Compliance ................................ ................................ ................................ ........... 101
Quality Cont rol and Review ................................ ................................ ................................ .......... 101
Det ermine Residual Risk ................................ ................................ ................................ .............. 104
Risk Communicat ion................................ ................................ ................................ ........................ 105
Risk Perception................................ ................................ ................................ ........................... 105
Uncert aint y ................................ ................................ ................................ ................................ .... 107
Qualitat ive and Quant it ative Met hods ................................ ................................ ............................ 109
Sources of Failure ................................ ................................ ................................ ....................... 111
The Unwant ed Consequences................................ ................................ ................................ ....... 114
Syst em Analysis................................ ................................ ................................ .......................... 117
Describing Random Variables ................................ ................................ ................................ ....... 121
Quant it at ive Analysis met hods................................ ................................ ................................ ...... 124
I dent ifying t he Risks................................ ................................ ................................ .................... 131
Theoret ical Background t o Quant ifying Risks................................ ................................ .................. 132
The Expression of Uncert aint y in Risk Measurement ................................ ................................ ........ 134
Reliabilit y ................................ ................................ ................................ ................................ ....... 146
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Failure or Hazard Rate................................ ................................ ................................ ................. 146
Safet y Reliabilit y ................................ ................................ ................................ ......................... 148
References................................ ................................ ................................ ................................ ..... 150










































T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
F FU UN N D D A A M ME EN N T T A A L L S S O OF F R RI I S SK K T T H H E EO OR RY Y

The st art ing point for t he opt imisat ion of t he act ivit y for t he prevent ion of act ivit y-relat ed event s, incident s,
accident s and work-relat ed diseases in a syst em is represent ed by t he risk assessment of such syst em.
Regardless of whet her a workplace, a workshop or a company is involved, such an analysis allows t o form
t he hierarchical order of hazards depending t heir dimension and t he efficient assignment of resources for
priorit y measures. Risk assessment implies t he ident ificat ion of all risk fact ors wit hin t he syst em under
examinat ion and t he quant ificat ion of t heir dimension, based upon t he combinat ion bet ween four
paramet ers: frequency (likelihood or probabilit y) of t he maximal possible consequences, exposure t o t he
harm or hazard, severit y (loss crit icalit y) for t he human body or any ot her t arget (e.g. evironment , product ,
equipment , business int errupt ion), and t he safet y level of t he syst em. Thus, part ial risk levels are obt ained
for each risk fact or, respect ively t he global risk levels for t he ent ire syst em (e.g. process plant , workplace,
facilit y) under examinat ion. This risk assessment principle is already included in t he European st andards (CEI
812/ 85), respect ively EN 292/ 1-91 and EN 1050/ 96, and const it ut es t he basis for different met hods wit h
pract ical applicabilit y.
I n specialised t erminology, t he safet y of t he person in t he work process (or any ot her t arget ) is considered
t o be t hat st at e of t he syst em in which t he possibilit y of work-relat ed accident s and disease (or any harm or
hazard) is excluded. I n t he usual language, safet y is defined as t he fact of being prot ect ed from any danger,
while risk is t he possibilit y t o be in j eopardy, pot ent ial danger. I f we t ake int o considerat ion t he usual senses
of t hese t erms, we may define safet y as t he st at e of t he work syst em in which t he risk of any hazard (or
accident or disease) is null. As result , safet y and risk are t wo abst ract not ions, mut ually exclusive. I n realit y,
because of t he charact erist ics of any syst em, such absolut e charact er st at es may not be reached. There is
no syst em in which t he pot ent ial danger of harm, accident or disease, could be complet ely excluded; t here is
always a “ residual” risk, even if only because of t he unpredict abilit y of human act ion or act ivit y. I f t here are
no correct ive int ervent ions, along t he way, t his residual risk will increase, as t he element s of t he work
syst em will degrade, by “ ageing” . Consequent ly, syst ems may be charact erised by “ safet y levels” ,
respect ively “ risk levels” , as quant it at ive indicat ors of t he binomial st at es of safet y and risk. Defining safet y
(Y) as a risk (X) funct ion

X
1
Y = [ 1.01]

where it may be assert ed t hat a syst em is safer when t he risk level is lower, and reciprocally. Thus, if t he
risk is null, from t he relat ion bet ween t he t wo variables it result s t hat safet y t ends t owards t he infinit e, while
if risk t ends t owards t he infinit e, safet y vanishes (see Figure 1.01). I n t his cont ext , in pract ice must be
admit t ed bot h a minimal risk limit , respect ively a risk level ot her t han null, yet sufficient ly low t o consider
t hat t he syst em is safe, and a maximal risk level, equivalent t o such a low safet y level t hat t he operat ion of
t he syst em should no longer be permit t ed.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S


R
i
s
k
,

Y
Saf et y, X

Figure 1.01 – Relat ion bet ween risk and safet y.

The specialised lit erat ure defines risk as t he probabilit y of occurrence of an hazard-relat ed harm, or act ivit y-
relat ed accident or disease in a work process, wit h a cert ain exposure, frequency and severit y of
consequences. I ndeed, if we assume a cert ain risk level, it is possible t o make it s represent at ion depending
on t he exposure, severit y and probabilit y of occurrence of t he consequences. This curve allows t he
dist inct ion bet ween accept able risk and unaccept able one. Thus, t he risk of occurrence of an event , wit h
severe consequences (high loss crit icalit y) but low frequency (likelihood or exposure), locat ed under t he
accept abilit y curve, is considered t o be accept able, while t he risk of an event , wit h less severe consequences
(low loss crit icalit y) but high probabilit y of occurrence (likelihood or exposure), wit h it s coordinat es locat ed
above t he curve, is considered as unaccept able. I n exchange, for t he risk represent ed by t he second event ,
alt hough t his t ype of event generat es consequences less severe (low loss crit icalit y), t he probabilit y of
occurrence is so great (very high frequency) t hat t he exposure t o t he hazard is considered t o be unsafe
(unaccept able risk). Any safet y st udy has t he obj ect ive t o ascert ain t he accept able risks. Treat ing risk in
such way raises t wo problems:
(1) How t o det ermine t he coordinat es of risk (severit y, exposure, and probabilit y coupling);
(2) Which coordinat es of risk should be select ed for t he delimit at ion of accept abilit y areas from t hose of
unaccept abilit y.

I n order t o solve t hose problems, t he premise for t he elaborat ion of t he assessment met hod was t he risk-
risk fact or relat ion. I t is a known fact t hat t he exist ence of risk in a syst em is at t ribut able t o t he presence of
human act ivit y-relat ed event (e.g. accident and disease) risk fact ors. Therefore, t he element s t hat are
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
inst rument al for t he charact erisat ion of risk, t hus t o t he det erminat ion of it s coordinat es, are act ually t he
exposure t o t he risk fact or, probabilit y for t he act ion of a risk fact or t o lead t o harm and t he severit y of t he
consequence (loss crit icalit y) of t he act ion of t he risk fact or on t he t arget . Consequent ly, in order t o assess
t he risk or safet y levels it is necessary t o follow t he next st ages:
(1) The ident ificat ion of t he risk fact ors from t he syst em under examinat ion;
(2) The det erminat ion of t he consequences of t he act ion on t he t arget , respect ively t he severit y of such
consequences (loss crit icalit y);
(3) The det erminat ion of t he exposure and probabilit y (likelihood) of t he event on t he t arget ;
(4) The det erminat ion of t he safet y level of t he t arget ;
(5) At t ribut ion of risk levels depending on t he exposure, severit y, probabilit y of t he consequences, and t he
safet y level of t he event of risk fact ors.

I n t he condit ions of a real syst em t hat is real, in operat ion, t here are not sufficient resources (e.g. t ime,
financial, t echnical ones, et c.) t o make possible t he simult aneously t ackling of all risk fact ors for human
act ivit y-relat ed event s. Even if t hey exist , t he efficiency crit erion (bot h in t he limit ed sense of economic
efficiency, as in t he sense of social efficiency) forbids such act ion. For t his reason, it is not j ust ified t o t ake
t hem int egrally int o considerat ion in t he safet y analysis, eit her. From t he mult it ude of risk fact ors t hat may
finally link t oget her, having t he pot ent ial t o result in an harm, accident or a disease, t hose fact ors t hat may
represent direct , final causes are t he ones t hat must be eliminat ed, in order t o guarant ee t hat t he
occurrence of such an event is impossible; t hus, it is mandat ory t o focus t he st udy on t hese fact ors.


R RI I S SK K D DY YN NA AM MI I C C E EQ QU UA AT TI I O ON N M MO OD DE EL L
The mat hemat ical definit ion of risk has been a source of confusion because it depends on t he model used
t o calculat e t he risk. Risk is defined as a combinat ion of several paramet ers such exposure, likelihood or
probabilit y, severit y or loss crit icalit y (include t he inj ury severit y t o human healt h or personnel t arget ), and
safet y level, varying wit h t ime. For a t ridimensional model we can use t he paramet ers exposure, likelihood,
and severit y; if we are using a quadrimensional (or mult idimensional) model, we can use t he t ridimensional
paramet ers plus t he paramet ers safet y level and t ime. I n t his proposed model, a quadridimensional model,
t he dynamic equat ion of risk (R
i
) depends on exposure coefficient (E), likelihood or probabilit y coefficient
(L), severit y of consequences or loss crit icalit y coefficient (K), safet y level coefficient (o), and t ime (t ).

( ) t , , K , L , E f R
i
o = [ 1.02]

The algebraic equat ion t hat relat es risk (R
i
) of any hazard (i) wit h t he aforesaid paramet ers (e.g. exposure,
likelihood, severit y, safet y level and t ime) is called t he risk dynamic model. The paramet ers such exposure,
likelihood or probabilit y, severit y or loss crit icalit y, and safet y level are not direct ly dependent wit h t ime, but
t hey can vary and shift wit h t ime; inst ead t he paramet ers like exposure, likelihood, and severit y are direct ly
dependent wit h t he safet y level of t he syst em. I f t he safet y level of t he syst em varies wit h t ime, t he
exposure, likelihood, and severit y will also change wit h t ime by following t he safet y level variat ion. I n t urn,
safet y level is direct ly dependent of t he qualit y of t he safet y management syst em and wit h ot her fact ors
such safet y issues and safet y measures relat ed wit h t he safet y management syst em implement ed: safet y
policy, HAZOP analysis, process safet y management (PSM), periodical int ernal and ext ernal audit s, life and
fire prot ect ion syst ems, t raining, et c. Thus, we can say t hat t he aforesaid paramet ers of t he risk dynamic
equat ion (e.g. exposure, likelihood, severit y, safet y level and t ime) are not direct ly dependent wit h t ime but
change when t he safet y level change wit h bot h t ime and safet y management fact ors.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
At an inst ant of t ime, t he risk equat ion model for risk est imat e, for a specific hazard (i) and a safet y level
coefficient (o), can be given by t he following expression,

o
· ·
=
o
K L E
R
, i
[ 1.03]

where E is t he exposure coefficient , L is t he probabilit y or likelihood coefficient , K is t he severit y or loss
crit icalit y coefficient , and o is t he safet y level coefficient . Considering, as we have seen above, t hat t he risk
dynamic equat ion (Equat ion [ 1.02] ) is a funct ion of t ime, we can mat hemat ically represent t he risk by t he
following different ial equat ion,

( )
dt
dR
t R
, i
, i
o
o
= [ 1.04]

The risk dynamic equat ion is solely a funct ion of risk paramet ers (e.g. exposure, likelihood, severit y, safet y
level and t ime) at a given point in t he syst em and is independent of t he t ype of t he syst em in which t he risk
is carried out . However, since t he propert ies of t he risk paramet ers can change wit h posit ion (paramet ers or
variables) in t ime, t he risk dynamic equat ion can in t urn vary from point t o point wit h t ime (t ime-spat ial
movement ). The risk is an int ensive quant it y and depends on t he afresaid paramet ers and t ime. Therefore,
in t he presence of an hazard (i), t he risk dynamic equat ion may be writ t en mat hemat ically by t he following
expression,

( ) ( )
o o
o
o
· o ÷ = · o = =
, i , i
, i
, i
R 1 R
dt
dR
t R [ 1.05]

where indicat es t he conservat ion of risk wit h t ime. R
i,o
is risk variable, o is t he risk level coefficient (o =
1÷o), and o is t he safet y level coefficient for risk deplet ion. Equat ion [ 1.05] shows how risk change wit h
t ime. I f t he init ial risk, at init ial t ime (t
0
), is not ice as
0
, i
R
o
, and if some lat er t ime (t ), t he risk has changed t o
R
i,o
, and applying int egrals t o t he Equat ion [ 1.05] gives,

í í
o
· o =
o
o
i
0
, i 0
R
R
t
t
, i
, i
dt
R
dR
[ 1.06]

I nt egrat ing t he Equat ion [ 1.06] ,

( ) | | | |
t
t
R
R
, i
0
i
0
, i
t R ln · o =
o
o
[ 1.07]

and solving t he Equat ion [ 1.07] gives,

( ) ( ) ( )
0
0
, i , i
t t R ln R ln ÷ · o = ÷
o o
[ 1.08]

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Simplifying Equat ion [ 1.08] and subst it ut ing o by (1÷o) gives,

( ) ( )
0
0
, i
, i
t t 1 t
R
R
ln ÷ · o ÷ = · o =
|
|
.
|

\
|
o
o
[ 1.09]

and rearranging t he Equat ion [ 1.09] , we can obt ain t he following final expression for t he risk dynamics
model, which relat es risk wit h t ime,

( ) ( ) | |
0
0
, i
, i
t t 1 exp
R
R
÷ · o ÷ =
|
|
.
|

\
|
o
o
[ 1.10]

or alt ernat ively,

( ) ( ) | |
0
t t 1
0
, i
, i
e
R
R
÷ · o ÷
o
o
=
|
|
.
|

\
|
[ 1.11]

Simplifying t he Equat ion [ 1.10] and Equat ion [ 1.11] , we have t he following equat ions,


( ) ( ) | |
0
0
, i , i
t t 1 exp R R ÷ · o ÷ · =
o o
[ 1.12]

and

( ) ( ) | |
0
t t 1 0
, i , i
e R R
÷ · o ÷
o o
· = [ 1.13]


Assuming t hat t he init ial t ime is zero (t
0
= 0), and rearranging t he Equat ion [ 1.10] or Equat ion [ 1.11] , we
have t he following equat ion,

( ) | |
( ) | | t 1
0
, i
, i
e t 1 exp
R
R
· o ÷
o
o
= · o ÷ =
|
|
.
|

\
|
[ 1.14]

This equat ion est ablishes t he relat ion bet ween risk est imat e, as a rat io bet ween risk at a given inst ant of
t ime and t he init ial risk, and t ime when t he init ial t ime (t
0
) is zero; t his equat ion of t he risk dynamic model is
shown graphically in Figure 1.02 and in Figure 1.03 for different t ime (t ).
Simplifying t he Equat ion [ 1.14] gives,

( ) | |
( ) | | t 1 0
, i
0
, i , i
e R t 1 exp R R
· o ÷
o o o
· = · o ÷ · = [ 1.15]

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

0,0 0,5 1,0 1,5 2,0 2,5 3,0 3,5 4,0 4,5 5,0
0
5
10
15
20
25
30
35
o=0,7
o=0,6
o=0,5
o=0,4
o=0,3

R
i
s
k

R
a
t
i
o

Time (years)
0,0 0,5 1,0 1,5 2,0 2,5 3,0 3,5 4,0 4,5 5,0
0,0
0,5
1,0
1,5
2,0
2,5
o=1,5
o=1,2
o=1,1
o=1,0
o=0,9
o=0,8 o=0,7
o=0,6
o=0,3



Figure 1.02 – Risk rat io est imat e represent at ion based on Equat ion [ 1.14] as a funct ion of t ime (t ) for
different values of safet y level coefficient s (o).

From Figure 1.03 we can see for safet y level coefficient s lower t han 1 (o< 1) t he risk rat io increases wit h
t ime; conversely, for safet y level coefficient s higher t han 1 (o> 1) t he risk rat io decreases wit h t ime below
t he unit y. This signifies t hat t he implicit cost s of t he safet y syst em in t he cases for safet y level coefficient s
great er t han t he unit y are lower t han t he cases wit h safet y level coefficient s below t he unit y. This
demonst rat es t he compet it ion paradigma of t he safet y performance: higher t he safet y level coefficient s, less
is t he cost and financial effort .

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
0,4 0,5 0,6 0,7 0,8 0,9 1,0 1,1 1,2 1,3 1,4
0
2
4
6
8
10
12
14
16
18
20
22
t = 5,0 t = 2,2
t = 4,6 t = 2,0
t = 4,2 t = 1,8
t = 4,0 t = 1,4
t = 3,8 t = 1,0
t = 3,4 t = 0,6
t = 3,0
t = 2,6
t = 2,4
t = 5,0

Safety Level Coefficient


R
i
s
k

R
a
t
i
o
0,4 0,5 0,6 0,7 0,8 0,9 1,0 1,1 1,2 1,3 1,4
0,0
0,5
1,0
1,5
2,0
2,5
3,0
t= 0,6
t = 5,0
t = 5,0
t = 1,4
t = 1,0
t = 0,6
t = 0,0




Figure 1.03 – Risk rat io est imat e represent at ion based on Equat ion [ 1.14] as a funct ion of t he safet y level
coefficient (o) for different values of t ime (t ).

I f we want t o det ermine t he implicit safet y level coefficient (o), assuming t hat bot h final risk value (R
i,o
) and
init ial risk value (
0
, i
R
o
) are known, we shall solve Equat ion [ 1.10] or Equat ion [ 1.11] t o variable o (safet y
level coefficient ). For Equat ion [ 1.10] , when t he init ial t ime is not zero (t = t
0
), t he solut ion gives,

|
|
.
|

\
|
·
|
|
.
|

\
|
÷
÷ = o
o
o
0
, i
, i
0 R
R
ln
t t
1
1 [ 1.16]

and for Equat ion [ 1.11] , when t he init ial t ime is zero (t = 0), we have t he following expression,

|
|
.
|

\
|
· |
.
|

\
|
÷ = o
o
o
0
, i
, i
R
R
ln
t
1
1 [ 1.17]

Let us now est ablish t he relat ion bet ween t wo risks. Assuming t he one risk is given by t he following risk
dynamic equat ion,
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

( ) ( )
( ) ( ) | |
0
t t 1
1
0
, i
1
, i
e R R
÷ · o ÷
o o
· = [ 1.18]

where ( )
1
0
, i
R
o
is t he init ial risk, and o
1
is t he safet y level coefficient for t hat risk, and t he second risk is given
by t he ident ical equat ion,

( ) ( )
( ) ( ) | |
0
t t 1
2
0
, i
2
, i
e R R
÷ · o ÷
o o
· = [ 1.19]

where ( )
2
0
, i
R
o
is t he init ial risk, and o
2
is t he safet y level coefficient , respect ively. The relat ion bet ween bot h
risks can be det ermined by dividing bot h equat ions (Equat ion [ 1.18] and Equat ion [ 1.19] ),

( )
( )
( )
( )
( ) ( ) | |
( ) ( ) | |
0 2
0 1
t t 1
t t 1
2
0
, i
1
0
, i
2
, i
1
, i
e
e
R
R
R
R
÷ · o ÷
÷ · o ÷
o
o
o
o
· = [ 1.20]

for any inst ant of t ime (t ) and an init ial t ime (t
0
).

Consecutive Risks
Consecut ive risks are complex scenarios of great import ance in safet y engineering, and so, equat ions
describing t he risk dynamics are of real int erest . I n consecut ive risks, t he consequences of an risk become
t he risk of t he following consequence, and can be expressed by t he following relat ion,

( )
1
, i
R
o
( )
2
, i
R
o
( )
3
, i
R
o
[ 1.21]

I f t he risk equat ion of consecut ive risks are considered t o be as similar t o Equat ion [ 1.02] , t hen t he
different ial equat ions which describe t he consecut ive risk chain are as follows. For risk ( )
1
, i
R
o
, t he
different ial equat ion has been already developed and is similar t o Equat ion [ 1.05] .

( )
( )
1
, i 1
1
, i
R
dt
R d
o
o
· o = [ 1.22]

For risk ( )
2
, i
R
o
, it depends on charact erist ics of risk ( )
1
, i
R
o
, and is given by t he following equat ion,

( )
( ) ( )
2
, i 2
1
, i 1
2
, i
R R
dt
R d
o o
o
· o ÷ · o = [ 1.23]

For risk ( )
3
, i
R
o
, and t he last risk in t he risk chain, it depends solely on charact erist ics of risk ( )
2
, i
R
o
, given by
t he equat ion,

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
( )
( )
2
, i 2
3
, i
R
dt
R d
o
o
· o = [ 1.24]

For each risk, t he risk level coefficient is respect ively, o
1
= (1÷o
1
), o
2
= (1÷o
2
), and o
3
= (1÷o
3
). I f at t he
init ial t ime (t
0
) we consider t he ( ) ( )
1
0
, i
1
, i
R R
o o
= , ( ) ( )
2
0
, i
2
, i
R R
o o
= and ( ) ( )
3
0
, i
3
, i
R R
o o
= , t hen t he solut ion for
t he risk of each phase at some t ime (t ) is as follows. For risk ( )
1
, i
R
o
, t he equat ion is similar as Equat ion
[ 1.13] .

( ) ( )
( ) ( ) | |
0 1
t t 1
1
0
, i
1
, i
e R R
÷ · o ÷
o o
· = [ 1.25]

I f we assume t hat t he init ial t ime is zero (t = t
0
), t he Equat ion [ 1.25] becomes,

( ) ( )
( ) | | t 1
1
0
, i
1
, i
1
e R R
· o ÷
o o
· = [ 1.26]

For risk ( )
2
, i
R
o
, subst it ut ing Equarion [ 1.25] in Equat ion [ 1.23] gives t he following,

( )
( )
( ) ( ) | |
{ } ( )
2
, i 2
t t 1
1
0
, i 1
2
, i
R e R
dt
R d
0 1
o
÷ · o ÷
o
o
· o ÷ · · o = [ 1.27]

and rearranging Equat ion [ 1.27] , we obt ain t he following equat ion,

( )
( ) ( )
( ) ( ) | |
{ }
0 1
t t 1
1
0
, i 1
2
, i 2
2
, i
e R R
dt
R d
÷ · o ÷
o o
o
· · o = · o + [ 1.28]

We can say t hat t he Equat ion [ 1.28] is in t he form of an different ial equat ion t ype of

( ) | | ( ) ( )
( ) ( ) | |
{ }
0 1
t t 1
1
0
, i 1
2
, i 2
'
2
, i
e R R R
÷ · o ÷
o o o
· · o = · o + [ 1.29]

I f we mult iply t he Equat ion [ 1.29] by
( ) | |
0 2
t t
e
÷ · o
or
( ) t
2
e
· o
, t hen we obt ain t he following relat ion,

( ) | |
( ) | | ( ) { } ( )
( ) ( ) | |
{ }
( ) | |
0 2 0 1 0 2
t t t t 1
1
0
, i 1
2
, i 2
'
2
, i
t t
e e R R R e
÷ · o ÷ · o ÷
o o o
÷ · o
· · · o = · o + ·

[ 1.30]

and assuming t he following equalt y,

( ) | |
( ) | | ( ) { } ( )
( ) | |
| |
0 2 0 2
t t
2
, i
2
, i 2
'
2
, i
t t
e R
dt
d
R R e
÷ · o
o o o
÷ · o
· = · o + · [ 1.31]

and subst it ut ing t he second t erm of Equat ion [ 1.31] in t he first t erm of Equat ion [ 1.30] gives,
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

( )
( ) | |
| | ( )
( ) ( ) | |
{ }
( ) | |
0 2 0 1 0 2
t t t t 1
1
0
, i 1
t t
2
, i
e e R e R
dt
d
÷ · o ÷ · o ÷
o
÷ · o
o
· · · o = · [ 1.32]

Hence, if we apply int egrals t o t he Equat ion [ 1.32] and rearranging gives,

( )
( )
( )
( )
( ) ( ) | |
| |
( ) | |
( ) | | í í
·
¦
)
¦
`
¹
¦
¹
¦
´
¦
· · · o =
÷ · o
÷ · o
÷ · o ÷
o o
o
o
t
t
t t
t t
t t 1
1
0
, i 1
R
R
2
, i
0
0 2
0 2
0 1
2
, i
2
0
, i
dt
e
e
e R R d [ 1.33]

Simplifying Equat ion [ 1.33] , we have t he following,

( )
( )
( )
( )
( ) ( ) | |
| |
í í
· · · o =
÷ · o ÷
o o
o
o
t
t
t t 1
1
0
, i 1
R
R
2
, i
0
0 1
2
, i
2
0
, i
dt e R R d [ 1.34]

Solving Equat ion [ 1.34] gives,

( ) | |
( )
( )
( )
( )
( ) ( ) | |
| |
t
t
t t 1
1
1
0
, i 1
R
R 2
, i
0
0 1 2
, i
2
0
, i
e
1
1
R R
÷ · o ÷
o o
·
o ÷
· · o =
o
o
[ 1.35]

Simplifying Equat ion [ 1.35] and considering t hat o
1
= 1÷o
1
gives,

( ) ( ) ( )
( ) ( ) | | ( ) ( ) | |
| |
0 0 1 0 1
t t 1 t t 1
1
0
, i
2
0
, i
2
, i
e e R R R
÷ · o ÷ ÷ · o ÷
o o o
÷ · = ÷ [ 1.36]

and

( ) ( ) ( )
( ) ( ) | |
| | 1 e R R R
0 1
t t 1
1
0
, i
2
0
, i
2
, i
÷ · + =
÷ · o ÷
o o o
[ 1.37]

I f we assume t he init ial t ime as being zero (t
0
= 0) t he Equat ion [ 1.37] becomes,

( ) ( ) ( )
( ) | |
| | 1 e R R R
t 1
1
0
, i
2
0
, i
2
, i
1
÷ · + =
· o ÷
o o o
[ 1.38]

Finally, for risk ( )
3
, i
R
o
, subst it ut ing t he equat ion of risk ( )
2
, i
R
o
, t he Equat ion [ 1.37] , in Equat ion [ 1.24] it
gives,

( )
( ) ( )
( ) | |
| | { } 1 e R R
dt
R d
t 1
1
0
, i
2
0
, i 2
3
, i
1
÷ · + · o =
· o ÷
o o
o
[ 1.39]

Applying int egrals t o t he Equat ion [ 1.39] and assuming t hat o
2
= 1÷o
2
, it becomes,

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
( )
( )
( )
( ) ( ) ( )
( ) | |
| | { }
í í
· ÷ · + · o ÷ =
· o ÷
o o o
o
o
t
t
t 1
1
0
, i
2
0
, i 2
R
R
3
, i
0
1
3
, i
3
0
, i
dt 1 e R R 1 R d [ 1.40]

Solving t he Equat ion [ 1.41] gives,

( ) | |
( )
( )
( ) ( ) | | ( )
( )
( ) | |
| | | |
¦
)
¦
`
¹
¦
¹
¦
´
¦
)
`
¹
¹
´
¦
÷ ·
o ÷
· + · · o ÷ =
· o ÷
o o o
o
o
t
t
t
t
t 1
1
1
0
, i
t
t
2
0
, i 2
R
R 3
, i
0 0
1
0
3
, i
3
0
, i
t e
1
1
R t R 1 R

[ 1.41]

Rearranging and simplifying t he Equat ion [ 1.41] gives,

( ) ( ) ( ) ( ) ( ) ( )
( )
( ) | | ( ) | |
| | ( )
¦
)
¦
`
¹
¦
¹
¦
´
¦
)
`
¹
¹
´
¦
÷ ÷ ÷ ·
o ÷
· + ÷ · · o ÷ = ÷
· o ÷ · o ÷
o o o o 0
t 1 t 1
1
1
0
, i 0
2
0
, i 2
3
0
, i
3
, i
t t e e
1
1
R t t R 1 R R
0 1 1


[ 1.42]

Hence, t he Equat ion [ 1.42] becomes,

( ) ( ) ( ) ( ) ( ) ( )
( )
( ) | | ( ) | |
| | ( )
¦
)
¦
`
¹
¦
¹
¦
´
¦
)
`
¹
¹
´
¦
÷ ÷ ÷ ·
o ÷
· + ÷ · · o ÷ + =
· o ÷ · o ÷
o o o o 0
t 1 t 1
1
1
0
, i 0
2
0
, i 2
3
0
, i
3
, i
t t e e
1
1
R t t R 1 R R
0 1 1


[ 1.43]

I f t he init ial t ime is equal t o zero (t
0
= 0), t he Equat ion [ 1.43] becomes,

( ) ( ) ( ) ( ) ( ) ( )
( )
( ) | |
| |
¦
)
¦
`
¹
¦
¹
¦
´
¦
)
`
¹
¹
´
¦
÷ ÷ ·
o ÷
· + ÷ · · o ÷ + =
· o ÷
o o o o
t 1 e
1
1
R t t R 1 R R
t 1
1
1
0
, i 0
2
0
, i 2
3
0
, i
3
, i
1


[ 1.44]

For t he above equat ions we have assumed t hat t he risk level coefficient s (o
1
, o
2
, and o
3
) are different ;
inst ead, we will assume as being t he same risk level coefficient (o = o
1
= o
2
= o
3
) and reciprocally, t he
safet y level coefficient is t he same (o = o
1
= o
2
= o
3
). I n t his case, t he equat ions for consecut ive risk
becomes as follows. For risk ( )
1
, i
R
o
we have t he following equat ion,

( ) ( )
( ) ( ) | |
0
t t 1
1
0
, i
1
, i
e R R
÷ · o ÷
o o
· = [ 1.45]

and for risk ( )
2
, i
R
o
we have t he equat ion,
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

( ) ( ) ( )
( ) ( ) | |
| | 1 e R R R
0
t t 1
1
0
, i
2
0
, i
2
, i
÷ · + =
÷ · o ÷
o o o
[ 1.46]

and finally, for risk ( )
3
, i
R
o
we have t he equat ion,

( ) ( ) ( ) ( ) ( ) ( )
( )
( ) | | ( ) | |
| | ( )
)
`
¹
¹
´
¦
)
`
¹
¹
´
¦
÷ ÷ ÷ ·
o ÷
· + ÷ · · o ÷ + =
· o ÷ · o ÷
o o o o 0
t 1 t 1
1
0
, i 0
2
0
, i
3
0
, i
3
, i
t t e e
1
1
R t t R 1 R R
0


[ 1.47]

or simplifying,

( ) ( ) ( ) ( ) ( ) ( )
( ) | | ( ) | |
| | ( ) ( ) { }
0
t 1 t 1
1
0
, i 0
2
0
, i
3
0
, i
3
, i
t t 1 e e R t t R 1 R R
0
÷ · o ÷ ÷ ÷ · · + ÷ · · o ÷ + =
· o ÷ · o ÷
o o o o


[ 1.48]


Risk Dynamic Model Representation
As we have seen, t he risk dynamic equat ion for a single risk is writ t en as being one equat ion ident ical t o t he
Equat ion [ 1.15] .

( ) | | t 1 0
, i , i
e R R
· o ÷
o o
· = [ 1.15]

Let us consider a cert ain domain (see Figure 1.04) and one general funct ion of risk being represent ed in t hat
domain, R
i
(x,y,z), and one point in t he domain (M
0
). Let us t race one vect or represent ing t ime (t ) wit h t he
cosine direct ors cos o, cos m, and cos e. Again, let us consider over t he vect or t ime one space-t ime dist ance,
not ed as At , wit h a origin in t he st art ing point of t he domain (M
0
), assuming t hat t he point M
0
as being t he
posit ion of t he init ial t ime (t
0
), and cross t he point M
1
. The space-t ime dist ance vect or is defined as

2 2 2
z y x t A + A + A = A [ 1.49]

Assuming t hat funct ion R
i
(x,y,z) is cont inuous in space-t ime domain, and has cont inuous derivat ives for t he
independent variables x, y, and z in t he domain. The variat ion (e.g. growing or decreasing) of t he t ot al
funct ion is given by t he following expression,

z y x z
z
R
y
y
R
x
x
R
R
z y x
, i , i , i
, i
A · c + A · c + A · c + A ·
c
c
+ A ·
c
c
+ A ·
c
c
= A
o o o
o


[ 1.50]

where c
x
, c
y
, and c
z
becomes zero whenever At approximat e t o zero (At  0). Dividing all members of
Equat ion [ 1.50] by At ,
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

t
z
t
y
t
x
t
z
z
R
t
y
y
R
t
x
x
R
t
R
z y x
, i , i , i , i
A
A
· c +
A
A
· c +
A
A
· c +
A
A
·
c
c
+
A
A
·
c
c
+
A
A
·
c
c
=
A
A
o o o o


[ 1.51]

M
0
M
1
t
x
y
z
o
m
e


Figure 1.04 – Risk dynamic model in a space-t ime domain.

Assuming t hat t he cosine direct ors are expressed as follows,

( )
t
x
cos
A
A
= o [ 1.52]

( )
t
y
cos
A
A
= m [ 1.53]

( )
t
z
cos
A
A
= e [ 1.54]

and subst it ut ing in t he Equat ion [ 1.51] gives,

( ) ( ) ( ) ( ) ( ) ( ) e · c + m · c + o · c + e ·
c
c
+ m ·
c
c
+ o ·
c
c
=
A
A
o o o o
cos cos cos cos
z
R
cos
y
R
cos
x
R
t
R
z y x
, i , i , i , i


[ 1.55]

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S


Figure 1.05 – Risk dynamics dimensional model in a space-t ime domain.

R
i,o

o
t
0
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
The limit of
t
R
, i
A
A
o
when At  0 is named t he funct ion derivat ive of risk funct ion R
i
(x,y,z), in any abst ract
space-t ime posit ion (x,y,z) over t he t ime vect or direct ion, and is commonly st at ed as
t
R
, i
c
c
o
.

t
R
t
R
, i , i
0 t
lim
c
c
=
A
A
o o
÷ A
[ 1.56]

Hence, t he limit of risk funct ion R
i
(x,y,z) is given by

( ) ( ) ( ) e ·
c
c
+ m ·
c
c
+ o ·
c
c
=
c
c
o o o o
cos
z
R
cos
y
R
cos
x
R
t
R
, i , i , i , i
[ 1.57]

and x, y, and z are t he paramet ers (e.g. safet y level coefficient , t ime, and risk value) of risk in a
t ridimensional syst em. Figure 1.05 shows t he dimensional model of risk est imat e (Equat ion [ 1.15] )
dependence bot h on t he safet y level coefficient (o) and t ime (t ). Risk est imat e increases wit h lower safet y
level coefficent s and wit h high t ime elapsed values.

Cylindrical Coordinate System
I t is oft en convenient t o use cylindrical coordinat es t o solve t he equat ion of risk dynamics. Figure 1.06 shows
how t his t ransformat ion t akes in a coordinat e syst em. The relat ions bet ween rect angular (x,y,z) and
cylindrical (r,u,z) coordinat es are,

( ) u · = cos r x [ 1.56]

( ) u · = sin r y [ 1.57]

z z = [ 1.58]

and

2 2
y x r + = [ 1.59]

u = |
.
|

\
|
÷
x
y
t an
1
[ 1.60]

The risk dynamics equat ion becomes a funct ion of,

R
i
= f(r,u) [ 1.61]

Assuming t hat x = o and y = t ,

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
2 2
t r + o = [ 1.62]

and

|
.
|

\
|
o
= u
÷
t
t an
1
[ 1.63]

x
(x,y,z)
y
z
r
y
x
u
z


Figure 1.06 – The cylindrical coordinat e syst em.

Taken t he risk dynamics equat ion for a single risk (Equat ion [ 1.15] ) when t he init ial t ime is zero (t
0
= 0), as
example of applicat ion for cylindrical coordinat es t ransformat ion, and assuming z as being R
i,o
, t he risk
dynamics equat ion (Equat ion [ 1.15] ) becomes,

( ) | | ( ) | | { } u · · u · ÷
o o
· =
sin r cos r 1 0
, i , i
e R R [ 1.64]

wit h t he following t ransformat ion st eps,

( ) u · = o cos r [ 1.65]

( ) u · = sin r t [ 1.66]

|
.
|

\
|
o
= u
÷
t
t an
1
[ 1.67]





T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K C CO ON NT TI I N NU UI I T TY Y E EQ QU UA AT TI I O ON NS S
The general equat ion for risk t ransfer allowed us t o solve many element ary risk sit uat ions. I n general, t o
solve many pract ical cases, we need t o know t he st at e in t he beginning and t he st at e at t he final posit ion,
and also t he exchanges bet ween t he syst em and t he sorroundings. These posit ions are represent ed by
different ial equat ions. Oft en t hese equat ions are called equat ions of change, since t hey allways describe t he
variat ions or shift ing of risk paramet ers wit h respect t o posit ion and t ime. Several t ypes of t ime derivat ives
are used in t he different ial processes, as will be seen below. The most common t ype of derivat ive expression
is t he part ial t ime derivat ive. The part ial t ime derivat ive of risk is defined as being
t
R
, i
c
c
o
. This definit ion
show t o us t he local change of risk wit h t ime in a fixed posit ion – represent ed as being any paramet er of t he
risk, e.g. exposit ion, likelihood or probabilit y, severit y or loss crit icalit y, or safet y level – usually denot ed by
let t ers x, y, z, et c. Suppose t hat we want t o measure t he risk while we are moving wit h t he syst em in t he x,
y, or z posit ions (or direct ions), st at ed as being
dt
dx
,
dt
dy
, and
dt
dz
. The t ot al derivat ive is commonly
expressed as being,

dt
dz
z
R
dt
dy
y
R
dt
dx
x
R
t
R
dt
dR
, i , i , i , i , i
·
c
c
+ ·
c
c
+ ·
c
c
+
c
c
=
o o o o o
[ 1.68]

This means t hat t he risk is bot h a funct ion of t ime (t ) and t he paramet ers
dt
dx
,
dt
dy
, and
dt
dz
at which t he
observer is moving. Assuming a new not ion for
dt
dx
,
dt
dy
,and
dt
dz
,

x , i
dt
dx
u = [ 1.69]

y , i
dt
dy
u = [ 1.70]

z , i
dt
dz
u = [ 1.71]

t he equat ion [ 1.68] becomes,

z , i
, i
y , i
, i
x , i
, i , i , i
z
R
y
R
x
R
t
R
dt
dR
u ·
c
c
+ u ·
c
c
+ u ·
c
c
+
c
c
=
o o o o o
[ 1.72]

Anot her useful t ype of t ime derivat ive is obt ained if t he observer float s along wit h t he direct ions and follows
t he change in risk wit h respect wit h t ime. This is called t he derivat ive t hat follows t he mot ion, or t he
subst ancial t ime derivat ive,

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
z , i
, i
y , i
, i
x , i
, i , i , i
z
R
y
R
x
R
t
R
Dt
DR
u ·
c
c
+ u ·
c
c
+ u ·
c
c
+
c
c
=
o o o o o
[ 1.73]

where u
i,x
, u
i,y
, and u
i,z
are component s (t he paramet ers of risk) of risk mot ion. These component s (R
i,x
, R
i,y
,
and R
i,z
) define a vect or. This subst ancial t ime derivat ive is apllied t o bot h scalar and vect or variables.
I f we want t o est ablish a t ransfer equat ion, a risk balance must be made, assuming t he case of a general
risk flowing inside a fixed volume element of space (see Figure 1.07).

[ init ial risk] + [ risk generat ed] = [ final risk] + [ accumulat ed risk]

[ 1.74]

The risk accumulat ion is given by
t
R
z y x
, i
c
c
· A · A · A
o
and will be assumed t hat t he risk generat ed in t he
syst em is zero (R
i,G
= 0). Subst it ut ing all t he t erms in t he general risk t ransfer equat ion (Equat ion [ 1.74] ) by
mat hemat ical expressions,

t
R
z y x y x R z x R z y R
R y x R z x R z y R
, i
z z , i y y , i x x , i
G , i z , i y , i x , i
c
c
· A · A · A + A · A · + A · A · + A · A · =
= + A · A · + A · A · + A · A ·
o
A + A + A +


[ 1.75]

x, u
i,x
(x,y,z)
(x+ Ax,y+ Ay,z) (x+ Ax,y,z)
(x,y+ Ay,z+ Az) (x,y,z+ Az)
(x+ Ax,y+ Ay,z+ Az)
(x,y+ Ay,z)
(x+ Ax,y,z+ Az)
y, u
i,y
z, u
i,z


Figure 1.07 – Risk cont inuit y t ridimensional represent at ion in a space-t ime domain.


T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S


Simplifying t he Equat ion [ 1.75] gives,

t
R
z y x y x R z x R z y R
0 y x R z x R z y R
, i
z z , i y y , i x x , i
z , i y , i x , i
c
c
· A · A · A + A · A · + A · A · + A · A · =
= + A · A · + A · A · + A · A ·
o
A + A + A +


[ 1.76]

and dividing all members by z y x A · A · A t he Equat ion [ 1.76] becomes,

t
R
z
R R
y
R R
x
R R
, i z z , i z , i y y , i y , i x x , i x , i
c
c
=
A
÷
+
A
÷
+
A
÷
o A + A + A +
[ 1.77]

Taking t he limit as Ax, Ay, and Az approaching t o zero, we obt ain t he equat ion of cont inuit y or conservat ion
of risk.

u ·
c
c
+ u ·
c
c
+ u ·
c
c
÷ =
c
c
o o o o
z , i
, i
y , i
, i
x , i
, i , i
z
R
y
R
x
R
t
R
[ 1.78]

The above equat ion t ell us how risk changes wit h t ime at a fixed posit ion result ing from t he changes in t he
risk paramet ers. We can convert t he Equat ion [ 1.78] int o anot her form by carrying out t he act ual part ial
different iat ion,

u ·
c
c
+ u ·
c
c
+ u ·
c
c
÷

c
u c
+
c
u c
+
c
u c
· ÷ =
c
c
o o o
o
o
z , i
, i
y , i
, i
x , i
, i z , i y , i x , i
, i
, i
z
R
y
R
x
R
z y x
R
t
R


[ 1.79]

Rearranging t he Equat ion [ 1.79] gives,

c
u c
+
c
u c
+
c
u c
· ÷ =

u ·
c
c
+ u ·
c
c
+ u ·
c
c
+
c
c
o
o o o o
z y x
R
z
R
y
R
x
R
t
R
z , i y , i x , i
, i z , i
, i
y , i
, i
x , i
, i , i


[ 1.80]

Subst it ut ing t he Equat ion [ 1.72] int o Equat ion [ 1.80] gives,

( )
( )
z , y , x , i , i
z , i y , i x , i
, i
, i
R
z y x
R
dt
dR
u · V · ÷ =

c
u c
+
c
u c
+
c
u c
· ÷ =
o o
o
[ 1.81]
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

where

( )
z y x
z , i y , i x , i
z , y , x , i
c
u c
+
c
u c
+
c
u c
= u · V [ 1.82]

Equat ion [ 1.78] t hrough Equat ion [ 1.81] shows t he risk dynamics cont inuit y in a space-t ime domain.


G GE EN NE ER RA AL L E EQ QU UA AT TI I O ON N O OF F R RI I S SK K T TR RA AN NS SF FE ER R
I n risk t ransfer process we are concerned wit h t he t ransfer of a given risk paramet er or singular ent it y
caused by movement t hrough a given syst em. This risk paramet er (or ent it y) being t ransfer wit hin t he
syst em can be one of t he following variables in order t o change (by t ime unit ) t he value of risk est imat e:
exposure, likelihood or probabilit y, severit y or loss crit icalit y, or safet y level. Each risk has a given different
quant it y of t he propert y associat ed wit h it . When a difference of value of t he variable exist s for any of t hese
paramet ers from one posit ion t o an adj acent posit ion in t he space-t ime domain, a net t ransfer of t his
propert y occurs. We can formalize t he risk t ransfer equat ion process by writ ing,

o
u
=
o
d
d
R
, i
[ 1.83]
where R
i,o
is t he amount of risk t ransferred per unit of t ime in t he o (safet y level coefficient ) direct ion, u is
t he funt ion of risk paramet ers (i.e. exposure, likelihood or probabilit y, and severit y or loss crit icalit y), and o
is a proport ionalit y const ant (risk level coefficient ). I f t he process of risk t ransfer is at st eady st at e, t hen t he
risk t ransfer is const ant . Applying int egrals t o t he Equat ion [ 1.83] gives,

í í
u
u
o
o
u = o ·
2
1
2
1
d d R
i
[ 1.84]

Solving t he Equat ion [ 1.84] and simplifying gives,

( )
( ) o A
Au
=
o ÷ o
u ÷ u
=
o
1 2
1 2
, i
R [ 1.85]


and u is a funct ion of exposure coefficient (E), likelihood or probabilit y (L), and severit y or loss crit icalit y (K),
i.e. t he risk paramet ers,

( ) L , K , E f = u [ 1.86]

I n a unst eady st at e syst em, when we are calculat ing t he risk t ransfer, it is necessary t o account for t he
amount of t he propert y being t ransferred. This is done by writ ing a general propert y balance or conservat ion
balance for safet y level coefficient (o),

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
[ I nit ial Risk] + [ Generat ed Risk] = [ Final Risk] + [ Accumulat ed Risk]

[ 1.86]

Formulat ing t he above st at ement using a mat hemat ical expression,

t
R
R R R
, i
, i G , i , i
c
c
+ = +
o
o A + o o
[ 1.87]

and rearranging t he Equat ion [ 1.87] gives,

t
R
R R R
, i
, i , i G , i
c
c
+ ÷ =
o
o o A + o
[ 1.88]

Assuming,

o c
u c
= ÷
o o A + o
i
, i , i
R R [ 1.89]

and subst it ut ing t he Equat ion [ 1.89] in t he Equat ion [ 1.88] we have,

t
R
R
, i
i
G , i
c
c
+
o c
u c
=
o
[ 1.90]

I f we consider t hat t he generat ed risk in an unst eady st at e syst em is zero (R
i,G
= 0), t he Equat ion [ 1.90]
becomes,

t
R
, i
i
c
c
÷ =
o c
u c
o
[ 1.91]

From Equat ion [ 1.78] we can est ablish t he following general equat ion for risk t ransfer process,

z , i
, i
y , i
, i
x , i
, i
i
z
R
y
R
x
R
u ·
c
c
+ u ·
c
c
+ u ·
c
c
=
o c
u c
o o o
[ 1.92]

which eat abish t he relat ionship bet ween risk est imat e when t he safet y level shift and t he risk paramet ers
change in a space-t ime domain.






Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K E EQ QU UI I L LI I B BR RI I U UM M A AN ND D E EN NT TO OP PY Y
There are t hree basic ways a risk may lose it s init ial value. One way is by eliminat ion of risk; a second way is
when risk can cmbine wit h ot her risks; and, t he t hird way is t ransferring risk. Part of t he risk t heory is
concerned, in one way or ant her, wit h t he st at e of equilibrium and t he t endency of syst ems (including t he
safet y management syst em) t o move in t he direct ion of t he equilibrium st at e. I n safet y engineering field,
many of t he problems relat ed t o risk t ransfer involve t he subst it uit ion of risk wit h ot her one of lower value,
t he insurance prot ect ion and ot her t echniques such eliminat ion, mit igat ion, and engineering feat ures and
measures. The equilibrium t heory is not direct ly concerned wit h t he dynamics of risk t ransfer, it serves t o
indicat e how far a risk (and t he safet y syst em) is from t he equilibrium, which in t urn is a fact or in t he risk
t ransfer dynamics. Thus, t he risk t ransferred is proport ional t o t he difference bet ween t he risk at equilibrium
and t he act ual risk value.

( )
o
o
÷ ·
, i eq , i
, i
R R
dt
dR
[ 1.93]

This concept serves as t he basis for engineering calculat ions, in risk t reat ment met hods: subst it ut ion,
eliminat ion and mit igat ion, applicat ion of engineering feat ures and measures, and insurance cover for risk
which cannot be eliminat ed.
The concept of ent ropy would serve as a general crit erion of an est ablished st at e for risk changes wit hin a
safet y syst em. Also, t he concept of ent ropy in essence st at es t hat all syst ems t end t o approach a st at e of
equilibrium, in t he ideal condit ions. The significance of t he equilibrium st at e is realized from t he fact t hat risk
shift can be obt ained from a syst em only when t he syst em is not already at equilibrium. I f a safet y syst em is
at equilibrium, no risk shift process t ends t o occur, and no risk changes are brought about . The safet y
pract ioneer (or engineer) int erest in ent ropy is relat e t o t he use of t his concept t o indicat e somet hing about
t he posit ion of equilibrium in a safet y process or safet y syst em (including safet y management syst ems).
Ent ropy (E
i,o
) of any risk or hazard (i) is defined by t he following different ial equat ion,

o A
÷
=
o
= E
o o
o
, i eq , i , i
, i
R R
d
dR
d [ 1.94]

where R
i,eq
is t he risk at equilibrium (o = 1), R
i,o
is t he risk at any inst ant of t ime, and o is t he safet y level
coefficient . When o is far away from t he unit y, we say t hat risk is not at equilibrium st at e. The ent it y
R
i,eq
÷R
i,o
is t he amount of risk t hat t he safet y syst em absorbs if a change in risk is brought about in an
infinit ely and reversible manner. I t is t he change in ent ropy in a safet y syst em, hazard or risk which is of
usual int erest , and t his is evaluat ed as follows,

( ) ( )
í
o
o
o
o o o
= E ÷ E = AE
2
1
dt
dR
, i
1
, i
2
, i , i
[ 1.95]

or alt ernat ively,

1 2
, i , i , i
R R
o o o
÷ = AE [ 1.96]

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
I f o
2
= 1 we can say t hat t he Equat ion [ 1.96] est ablishs t he relat ion bet ween t wo st at es, t he risk equilibrium
(R
i,eq
) st at e and any risk st at e at any inst ant of t ime,

o o
÷ = AE
, i eq , i , i
R R [ 1.97]

I f AE is posit ive, t he Equat ion [ 1.97] shows t hat t he change could occur from a higher safet y level (o> 1) t o
a bot h less lower level of safet y level (o< 1) or equilbrium st at e (where o is equal t o t he unit y); if AE is
negat ive, t he syst em would occur in t he reverse direct ion. When AE is null or zero, t he syst em is at
equilibrium, and any risk change could not t ake place in eit her direct ion.




































Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K A AN N A A L L Y YS SI I S S M MO OD D E EL L

This chapt er describes t he model of risk analysis consist ent wit h t he int ernat ional regulat ions. I n addit ion it
discusses t wo ot her mat t ers, t he use of quant it at ive risk assessment met hodology and uncert aint y. There
are t hree maj or element s of risk analysis. These are risk assessment , risk management and risk
communicat ion (Davies 1996) and each is int egral t o t he overall process. Prior risk analysis we should made
a risk ident ificat ion; risk ident ificat ion set s out t o ident ify an organisat ion’s exposure t o uncert aint y. This
requires an int imat e knowledge of t he organizat ion, t he market in which it operat es, t he legal, social,
polit ical and cult ural environment in which it exist s, as well as t he development of a sound understanding of
it s st rat egic and operat ional obj ect ives, including fact ors crit ical t o it s success and t he t hreat s and
opport unit ies relat ed t o t he achievement of t hese obj ect ives. Risk ident ificat ion should be approached in a
met hodical way t o ensure t hat all significant act ivit ies wit hin t he organizat ion have been ident ified and all
t he risks flowing from t hese act ivit ies defined. All associat ed volat ilit y relat ed t o t hese act ivit ies should be
ident ified and cat egorised. Business act ivit ies and decisions can be classified in a range of ways, examples of
which include:
(1) St rat egic – These concern t he long-t erm st rat egic obj ect ives of t he organizat ion.They can be affect ed by
such areas as capit al availabilit y, sovereign and polit ical risks, legal and regulat ory changes, reput at ion
and changes in t he physical environment .
(2) Operat ional – These concern t he day-t oday issues t hat t he organizat ion is confront ed wit h as it st rives t o
deliver it s st rat egic obj ect ives.
(3) Financial – These concern t he effect ive management and cont rol of t he finances of t he organizat ion and
t he effect s of ext ernal fact ors such as availabilit y of credit , foreign exchange rat es, int erest rat e
movement and ot her market exposures.
(4) Knowledge management – These concern t he effect ive management and cont rol of t he knowledge
resources, t he product ion, prot ect ion and communicat ion t hereof. Ext ernal fact ors might include t he
unaut horised use or abuse of int ellect ual propert y, area power failures, and compet it ive t echnology.
I nt ernal fact ors might be syst em malfunct ion or loss of key st aff.
(5) Compliance – These concern such issues as healt h and safet y, environment al, t rade descript ions,
consumer prot ect ion, dat a prot ect ion, employment pract ices and regulat ory issues.

Whilst risk ident ificat ion can be carried out by out side consult ant s, an in-house approach wit h well
communicat ed, consist ent and co-ordinat ed processes and t ools is likely t o be more effect ive. I n-house
ownership of t he risk management process is essent ial. Aft er t he risk ident ificat ion, we proceed wit h risk
descript ion. The obj ect ive of risk descript ion is t o display t he ident ified risks in a st ruct ured format , for
example, by using a t able.The risk descript ion t able overleaf can be used t o facilit at e t he descript ion and
assessment of risks. The use of a well designed st ruct ure is necessary t o ensure a comprehensive risk
ident ificat ion, descript ion and assessment process. By considering t he exposure, severit y of consequences,
probabilit y of occurrence, and t he safet y level associat ed wit h each of t he risks set out , it should be possible
t o priorit ise t he key risks t hat need t o be analysed in more det ail. I dent ificat ion of t he risks associat ed wit h
business act ivit ies, or human act ivit ies and decision making may be cat egorised as st rat egic, proj ect or
t act ical, operat ional, et c. I t is import ant t o incorporat e risk management at t he concept ual st age of all
proj ect s and human act ivit ies as well as t hroughout t he life of a specific t arget (e.g. personnel, equipment ,
proj ect , business int errupt ion, product , environment ).

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S


Figure 2.01 – Example of an risk analysis met hodology.


R RI I S SK K A AS SS SE ES SS SM ME EN NT T
For t he purposes of t his document risk assessment is defined as t he overall process of hazard ident ificat ion
and risk est imat ion (likelihood, exposure, consequence, and safet y level assessment s). The risk assessment
process aims t o ident ify and assess all risks t hat could result in harm t o human healt h or ot her t arget (e.g.
environment , business int errupt ion, product , equipment ) due t o t he proposed dealings wit h t he human
act ivit ies and t echnology. The t hree main st eps involved in risk assessment include:
(1) Hazard ident ificat ion involving analysis of what , how, where and when somet hing could go wrong and
t he causal pat hway leading t o t hat adverse out come;
(2) Considerat ion of t he likelihood of an adverse out come and t he severit y of t hat out come (consequences);
(3) Risk est imat ion t o det ermine t he chance t hat pot ent ial harm would be realised.

The risk est imat e is a combinat ion of t he exposure, likelihood (probabilit y), consequences (loss crit icalit y) of
an adverse out come, and safet y level. Also, t he risk est imat e incorporat es considerat ion of uncert aint y.






Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K M MA AN NA AG GE EM ME EN NT T
For t he purposes of t his document risk management is defined as t he overall process of risk evaluat ion, risk
t reat ment and decision making t o manage pot ent ial adverse impact s. Risk management includes risk
evaluat ion, t he process of ident ifying t hose risks t hat warrant t reat ment t o reduce t he likelihood, exposure,
or severit y of an adverse out come. Under t he int ernat ional regulat ions, pot ent ial adverse effect s involve
considerat ion of risk posed by or as t he result of human act ivit y or t he use of t echnology. Risk management
is a key mechanism used by t he Regulat or t o regulat e dealings wit h hazards. One of t he Regulat or’s principal
funct ions in risk management is t o decide whet her or not t o allow cert ain dealings wit h hazards. The crit eria
for t hose decisions consider only harm t o human healt h and safet y and ot her t arget s (e.g. t he environment ,
business int errupt ion, product , and equipment ). Specific quest ions addressed as part of risk management
include:
(1) Which risks require management ?
(2) What condit ions need t o be in place t o manage t hose risks?
(3) Which of t he proposed management condit ions will adequat ely cont rol t hose risks?
(4) I s human healt h and safet y and t he environment adequat ely prot ect ed under t he proposed licence
condit ions?

The t hree main st eps involved in risk management include:
(1) Evaluat ing t he risks, select ing t hose t hat require management ;
(2) I dent ifying t he opt ions for risk t reat ment ;
(3) Choosing t he act ions proposed for risk t reat ment .


R RI I S SK K C CO OM MM MU UN NI I C CA AT TI I O ON N
For t he purposes of t his document risk communicat ion is defined as t he cult ure, processes and st ructures t o
communicat e and consult wit h st akeholders about risks. Specifically, it is t he communicat ion of t he risks t o
human healt h and t he environment posed by cert ain dealings wit h hazards. The principal funct ions of risk
communicat ion in t he cont ext of t he Act are:
(1) To inform st akeholders of risks ident ified from proposed dealings wit h gmos and t he licence condit ions
proposed t o manage t hose risks;
(2) To est ablish effect ive dialogue wit h t he gene t echnology advisory commit t ees, agencies prescribed in
legislat ion, and all int erest ed and affect ed st akeholders.

That dialogue is used t o ensure t hat t he scient ific basis for t he risk assessment s is sound, t hat t he Regulat or
t akes int o account all of t he necessary considerat ions t o adequat ely prot ect human healt h and t he
environment including communit y based concerns, and t hat t he funct ions and processes involving
communicat ion are monit ored and cont inually improved.


M MO OD DE EL LS S O OF F R RI I S SK K A AN NA AL LY YS SI I S S
The model of risk analysis used consist s of t he t hree element s discussed above, namely risk assessment , risk
management and risk communicat ion. The model is const rained by t he nat ional and int ernat ional regulat ions
in which risk assessment and risk management are referred t o as separat e processes. The model recognises
t hat t here is overlap bet ween t he individual element s but also t hat cert ain funct ions required by t he
legislat ion are quit e dist inct wit hin each of t hose element s. These component s can be represent ed as
overlapping domains whose funct ions are highly int erdependent . The separat ion of risk assessment and risk
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
management is crit ical t o clearly dist inguishing t he evaluat ion of risk based on scient ific evidence from
assessing t he significance of t hose risks in a wider cont ext and det ermining appropriat e management
measures. However, it is recognised t hat risk analysis is an it erat ive process, and int eract ion bet ween risk
managers and risk assessors is essent ial for pract ical applicat ion.


C CO OM MP PO ON NE EN NT TS S I I N N R RI I S SK K A AN NA AL LY YS SI I S S
There are t hree key st eps in assessing t he risks t o human healt h and safet y and t he environment . These are
est ablishing t he risk cont ext , assessing t he risks and t hen managing or t reat ing t hose risks. The model
adopt s t he principles t hat t he risk analysis process should follow a st ruct ured approach incorporat ing t he
t hree dist inct but closely linked component s of risk analysis (risk assessment , risk management and risk
communicat ion), each being int egral t o t he overall process. There should be a funct ional separat ion of risk
assessment and risk management , t o t he ext ent pract icable, in order t o ensure t he scient ific int egrit y of t he
risk assessment , t o avoid confusion over t he funct ions t o be performed by risk assessors and risk managers
and t o reduce any conflict of int erest . The risk cont ext includes:
(1) The scope and boundaries of t he risk analysis det ermined by t he nat ional and int ernat ional regulat ions
and t he Regulat or’s approach t o t heir implement at ion; t he proposed dealings;
(2) The nat ure of t he genet ic modificat ion;
(3) The crit eria and baselines for assessing harm.

The risk assessment includes assessing hazards, likelihoods, exposure, consequences, and t he safet y level t o
arrive at a risk est imat e. Risk management includes ident ifying t he risks t hat require management , t he
opt ions t o manage t hose risks and t hen select ing t he most appropriat e opt ions. A decision is made by t he
Regulat or on whet her t o issue a licence on t he basis of t he risk assessment and t hat t he risks ident ified can
be managed. These t hree element s form t he basis of risk analysis under t he Safet y Law. The final decision
on issuing a licence or permission is only made aft er consult at ion and considerat ion of comment s provided
by all key st akeholders. This feedback provides a key point of input by st akeholders int o t he decision making
process. Qualit y cont rol t hrough int ernal and ext ernal review is also an int egral part of every st age of t he
process. Monit oring and review are undert aken as part of ensuring t hat t he risks are managed once a licence
or permission is issued. This is undert aken bot h by t he Regulat or and by applicant s, and t he result s feed
back int o t he process. Compliance wit h licence condit ions is also monit ored by t he Regulat or or any
Regulat or’s official represent at ive. The overall process of risk analysis is highly it erat ive and involves
feedback bot h int ernally during t he process and t hrough communicat ion and consult at ion.


Q QU UA AL LI I T TA AT TI I V VE E A AN ND D Q QU UA AN NT TI I T TA AT TI I V VE E R RI I S SK K A AS SS SE ES SS SM ME EN NT T
The aim of risk assessment is t o apply a st ruct ured, syst emat ic, predict able, repeat able approach t o risk
evaluat ion. This is t he case for bot h qualit at ive and quant it at ive assessment s. The aim of quant it at ive risk
assessment is t o det ermine t he probabilit y t hat a given hazard will occur and t he error associat ed wit h t he
est imat ion of t hat probabilit y. I n such an assessment t he probabilit y includes bot h t he likelihood t hat a
hazard will occur, t he consequences if it did occur, t he exposure t o t he hazard, and t he safet y level as t here
is a direct relat ionship bet ween t he four paramet ers. This t ype of analysis is appropriat e t o sit uations such as
chemical and indust rial manufact ure where t here is a long hist ory during which informat ion has been
accumulat ed on t he t ype and frequency of risks. I t requires large amount s of dat a and ext ensive knowledge
of t he individual processes cont ribut ing t o t he pot ent ial risks t o be accurat e.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Environment al risk assessment s and ot her t arget s (e.g. business int errupt ion, product , equipment , and
personnel or human healt h) in t he absence of quant it at ive dat a are oft en qualit at ive because of t heir
complexit y, t he number of input s, and t he necessit y t o deal wit h mult iple recept ors t hat can give mult iple
impact s. This is not t o say t hat qualit at ive assessment s do not employ quant it at ive dat a. On t he cont rary,
qualit at ive assessment s use quant it at ive informat ion when it is available. I n using qualit at ive assessment s
t he maximum amount of informat ion can be provided describing exposue, likelihood and consequence (loss
cit icalit y). Quant it at ive assessment s use numerical values t hat may be derived from:
(1) Experiment al dat a;
(2) By ext rapolat ion from experiment al st udies on relat ed syst ems;
(3) Hist orical dat a;
(4) I nferred from models used t o describe complex syst ems or int eract ions.

Qualit at ive assessment s use relat ive descript ions of likelihood and adverse out comes and can combine dat a
derived from several sources, some of which may be quant it at ive. The use of qualit at ive or quant it at ive
approaches depends on t he amount , t ype and qualit y of t he dat a; t he complexit y of t he risk under
considerat ion; and t he level of det ail required for decision making. The weakness associat ed wit h qualit at ive
assessment s can be overcome by t aking a number of precaut ions. Four specific weaknesses were ident ified
and t hese can be cont rolled and minimised. Ambiguit y can be reduced by using defined t erminology for
likelihood, exposure, consequences, safet y level and risk. Pot ent ial variat ions bet ween assessors can be
reduced t hrough qualit y cont rol measures including int ernal and ext ernal review and sourcing expert advice.
Differing viewpoint s, perspect ives and biases can be reduced t hrough bet t er descript ions of what t he
nat ional and int ernat ional regulat ion is t rying t o prot ect and st akeholder input t hrough consult at ion.
Qualit at ive risk assessment s are, in most inst ances, t he most appropriat e form because:
(1) The t ypes of human act ivit ies and t ypes of int roduced t echnologies are highly varied and oft en novel;
(2) Pot ent ial human healt h and environment al adverse effect s are highly varied;
(3) Environment al and ot her t arget effect s arise wit hin highly complex syst ems t hat have many incomplet ely
underst ood variables;
(4) Adverse effect s may occur in t he long t erm and are t herefore difficult t o quant ify.

Therefore qualit at ive risk assessment provides t he most feasible mechanism t o assess risk for t he maj orit y of
cases as t here is insufficient dat a t o apply quant it at ive met hods. Models can be used t o inform t he process
but are unable t o approach t he complexit y of t he syst ems involved or cont ribut e definit ive answers.
Qualit at ive assessment s are also more accessible for risk communicat ion.


U UN NC CE ER RT TA AI I N NT TY Y
Regardless of whet her qualit at ive or quant it at ive risk assessment is used, it must be based on evidence and
is t herefore subj ect t o uncert aint y. Uncert aint y is an int rinsic propert y of risk and is present in all aspect s of
risk analysis, including risk assessment , risk management and risk communicat ion. A number of different
t ypes of uncert aint y are discussed in more det ail below. There is widespread recognit ion of t he import ance
of uncert aint y in risk analysis. I n it s narrowest use wit hin risk assessment s, uncert aint y is defined as a st at e
of knowledge under which t he possible out comes are well charact erised, but where t here is insufficient
informat ion confident ly t o assign probabilit ies t o t hese out comes. I t is recognised t hat bot h dimensions of
risk – t he pot ent ial adverse out come or consequence (loss crit icalit y), exposure, likelihood, and safet y level –
are always uncert ain t o some degree. Wit hin t his cont ext , uncert aint y has been int erpret ed more broadly as
incert it ude, which arises out of a lack of knowledge of eit her pot ent ial out come, exposure, likelihood, or
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
safet y level. However, uncert aint y in risk analysis ext ends even more widely: t here can also be uncert aint y
of how risk is perceived and how it is described and est imat ed. Therefore, uncert aint y may be more usefully
described in a broader sense t hat accords more wit h common usage. Examples of uncert aint y wit hin t he
element s of risk analysis could include:
(1) Risk assessment – Uncert ain nat ure of t he hazard, such as t he lack of knowledge of biochemical and
propert ies of t he int roduced hazard, environment specific performance of t he t echnology, it s int eract ion
wit h ot her t arget ent it ies and processes, or landscape changes over long t ime periods; Uncert aint y of t he
calculat ions wit hin t he risk assessment process, including assessment of hazards, likelihood, exposure
and consequences; Uncert ain descript ions used in qualit at ive risk assessment s due t o insufficient
explanat ions of t erminology, use of relat ed t erms t hat are not fully congruent or t he use of t he same
t erm in different cont ext s.
(2) Risk management – Balancing t he sufficiency of prot ect ive measures against t heir effect iveness (safet y
level); Decision making in t he presence of incomplet e knowledge and conflict ing values.
(3) Risk communicat ion - Uncert aint y of communicat ion effect iveness due t o difference in knowledge,
language, cult ure, t radit ions, morals, values and beliefs.

The processes in risk analysis t hat are part icularly sensit ive t o t his broadly defined form of uncert aint y
include est ablishing t he risk cont ext , est imat ing t he level of risk, and decision making. Therefore, t his
broader considerat ion of uncert aint y is useful for a number of reasons, including:
(1) Applicabilit y t o qualit at ive risk assessment s where t he sources of uncert aint y cover bot h knowledge and
descript ions used by assessors;
(2) Ensuring t hat informat ion is not over or under-emphasised during t he ident ificat ion of uncert aint y;
(3) Highlight ing areas where more effort is required t o improve est imat es of risk and apply appropriat e
caut ionary measures;
(4) Even wit h t he best risk est imat es, ext ending analysis of uncert aint y t o t he decision making process will
improve t he qualit y of t he decisions;
(5) Helping t o produce a clearer separat ion of t he values and fact s used in decision making;
(6) Fulfilling an et hical responsibilit y of assessors t o ident ify t he limit s of t heir work;
(7) Developing t rust bet ween st akeholders t hrough increased openness and t ransparency of t he regulat ory
process;
(8) I ncreasing t he opport unit y for more effect ive communicat ion about risk.

One aspect of uncert aint y is relat ed t o t he meaning of words (semant ics) adopt ed by t he Regulat or. A clear
definit ion of t erms is a very import ant and pract ical means for reducing uncert aint y t hat might arise simply
as a result of ambiguit y in language. Specific t erms have been select ed as unique descript ors of likelihood,
consequence, exposure, safet y level and risk. This will aid t he clarit y and rigour as well as t he consist ency
and reproducibilit y of assessment s. This will in t urn enhance t he int elligibilit y of document at ion prepared by
t he Regulat or. I t may be seen as a part of t he scient ific discipline and int ellect ual rigour t hat t he Regulat or
seeks t o bring t o all levels and aspect s of risk analysis. The use of consist ent t erminology has impact s at all
levels of risk analysis: in having an agreed set t ing of cont ext , of undert aking risk assessment , in risk
t reat ment (especially for licence condit ions which need t o be int elligible, unambiguous and enforceable) and
in risk communicat ion.




Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K A AS SS SE ES SS SM ME EN N T T

Risk assessment is t he overall process of ident ifying t he sources of pot ent ial harm (hazard) and assessing
bot h t he seriousness (consequences or loss crit icalit y), t he exposure t o any hazard, t he likelihood of any
adverse out come t hat may arise, and t he safet y level. I t is based on hazard, consequence, exposure,
likelihood, and safet y level assessment s leading t o an est imat ion of risk. For t he purposes of t his document
risk is defined as t he chance of somet hing happening t hat will have an undesired impact . I n t he cont ext of
t he nat ional and int ernat ional regulat ions, only hazards t hat arise as a result of human act ivit y and
t echnology and lead t o an adverse out come for humans or t he ot her t arget where human is involved (e.g.
environment , business int errupt ion, product , processes, equipment int erface) can be considered by t he
Regulat or. Risk, as considered here, is concerned wit h assessing pot ent ial harm t o human healt h and safet y
and t he environment t hat might arise from t he use of any asset or t echnology. Kaplan and Garrick (1981)
suggest t hat risk is most usefully considered as a narrative t hat answers t hree quest ions:
(1) What can happen
(2) How likely is it t o happen
(3) I f it does happen, what are t he consequences?

Therefore, an est imat e of t he level of risk (negligible, low, moderat e, subst ancial, high or very high) is
derived from t he likelihood, exposure, consequences of individual risk scenarios t hat arise from ident ified
hazards, and safet y level. I n addit ion, uncert aint y about likelihood, exposure, and consequences of each risk
scenario will affect t he individual est imat es of risk. The individual st eps in t he process of risk assessment of
hazards are discussed in t his chapt er. They consist of set t ing t he cont ext for t he risk assessment , ident ifying
t he hazards t hat may give rise t o adverse out comes, assessing t he consequences, exposures and likelihoods
of such out comes and arriving at a risk est imat e.
The purpose of risk assessment under t he int ernat ional regulat ions is t o ident ify risks t o human healt h and
t he t arget s and est imat e t he level of risk based on scient ific evidence. Risks t o all living organisms and
relevant ecosyst ems should be considered. Risk analysis can be applied t o many different t ypes of risk and
different met hodologies have been applied t o assess different risks. Assessment of risks t o healt h and safet y
oft en t akes t he form of hazard ident ificat ion, dose-response assessment and exposure assessment leading t o
risk charact erisat ion. I t draws on informat ion from disciplines such as t oxicology, epidemiology and exposure
analysis. Environment al risk assessment requires assessing harm not only t o individuals and populat ions
wit hin a species but also t o int eract ions wit hin and bet ween species in t he cont ext of biological communit ies
and ecosyst ems. There may also be t he pot ent ial for harm t o t he physical environment . I nformat ion can be
sourced from st udies of bot any, zoology, ent omology, mycology, microbiology, biochemist ry, populat ion
genet ics, agronomy, weed science, ecology, chemist ry, hydrology, geology and knowledge of
biogeochemical cycles, and t herefore requires considerat ion of complex dynamic webs of t rophic
int eract ions.


T TH HE E S SC CO OP PE E O OF F R RI I S SK K A AS SS SE ES SS SM ME EN NT T
Risks t hat may be posed by human act ivit ies and t echnology are required t o be considered in t he cont ext of
t he proposed dealing wit h hazards and are assessed on a case by case basis. I n t he case of field t rials, t he
scale of t he release is limit ed in bot h space and t ime. I n a commercial release t he scale is not necessarily
rest rict ed and t herefore a wider range of environment al and ecological set t ings is considered in t he risk
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
assessment . An applicat ion submit t ed t o t he Regulat or must cont ain informat ion t hat defines t he hazard and
t he dealings as set out in t he Safet y Law and nat ional and int ernat ional regulat ions. Ot her import ant fact ors
in est ablishing t he cont ext for risk assessment are:
(1) The locat ion of t he dealings, including t he biot ic and abiot ic propert ies of t he sit e(s);
(2) Size and t ime scale of t he dealings;
(3) The applicant ’s proposed management of t he dealings t o limit disseminat ion of t he hazard or it s
hazardous mat erial;
(4) Ot her hazards already released;
(5) Part icular vulnerable or suscept ible ent it ies t hat may be specifically affect ed by t he proposed release.

I n some inst ances, a part icular hazard may already be present nat urally in t he environment and t his
background exposure may be import ant . For example, many ant ibiot ic resist ance marker genes are derived
from soil bact eria t hat are abundant in t he environment . Therefore exposure t o t he prot ein encoded by such
a gene derived from a genet ic modified organism may be insignificant against t his background.

Qualitatitve Approach
The first t ask of t he safet y pract it ioner is t o develop an underst anding of t he organizat ion t o be assessed.
This does not mean t hat t he pract it ioner must become an expert in t he operat ion of t he ent erprise t o be
evaluat ed, but must acquire enough of an underst anding of how t he organizat ion operat es t o appreciate it s
complexit ies and nuances. Considerat ion should be of fact ors such as (1) hours of operat ion, (2) t ypes of
client s served, (3) nat ure of t he business act ivit y, (4) t ypes of services provided or product s produced,
manufact ured, st ored, or ot herwise supplied, (5) t he compet it ive nat ure of t he indust ry, (6) t he sensit ivit y of
informat ion, (7) t he corporat e cult ure, (8) t he percept ion of risk t olerance, and so on. The t ypes of
informat ion t hat t he pract it ioner should ascert ain:
(1) The hours of operat ion for each depart ment ;
(2) St affing levels during each shift ;
(3) Types of services provided and goods produced, st ored, manufact ured, et c.;
(4) Type of client ele served (e.g. wealt hy, children, foreigners, et c.);
(5) The compet it ive nat ure of t he ent erprise;
(6) Any special issues raised by t he manufact uring process (e.g. environment al wast e, disposal of defect ive
goods, et c.);
(7) Type of labor (e.g. labor union, unskilled, use of t emporary workers, use of immigrant s, et c.).

The second st ep in t he process is t o ident ify t he asset s of t he organizat ion t hat are at risk t o a variet y of
hazards:
(1) People – People include employees, cust omers, visit ors, vendors, pat ient s, guest s, passengers, t enant s,
cont ract employees, and any ot her persons who are lawfully present on t he propert y being assessed. I n
very limit ed circumst ances, people who are considered t respassers also may be at risk for open and
obvious hazards on a propert y or where an at t ract ive nuisance exist s (e.g. abandoned warehouse,
vacant building, a “ cut t hrough” or pat h rout inely used by people t o pass across propert y as a short cut ).
(2) Propert y – Propert y includes real est at e, land and buildings, facilit ies, t angible propert y such as cash,
precious met als, and st ones, dangerous inst rument s (e.g. explosive mat erials, weapons, et c.), high theft
it ems (e.g., drugs, securit ies, cash, et c.), as well as almost anyt hing t hat can be st olen, damaged, or
ot herwise adversely affect ed by a risk event . Propert y also includes t he “ goodwill” or reput at ion of an
ent erprise t hat could be harmed by a loss risk event .
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(3) I nformat ion – I nformat ion includes propriet ary dat a, such as t rade secret s, market ing plans, business
expansion plans, plant closings, confident ial personal informat ion about employees, cust omer list s, and
ot her dat a t hat if st olen, alt ered, or dest royed could cause harm t o t he organizat ion.

The second part in t he safet y risk assessment met hodology is t o ident ify t he t ypes of event s or incident s
which could occur at a sit e based on t he hist ory of previous event s or incident s at t hat sit e, event s at
similarly sit uat ed sit es, t he occurrence of event s (e.g. crimes) t hat may be common t o t hat t ype of business,
nat ural disast ers peculiar t o a cert ain geographical locat ion, or ot her circumst ances, recent development s, or
t rends. Loss risk event s can fall int o t hree dist inct cat egories: crimes, non-criminal event s such as human-
made or nat ural disast ers, and consequent ial event s caused by an ent erprise’s relat ionship wit h anot her
organizat ion, when t he lat t er organizat ion’s poor or negat ive reput at ion adversely affect s t he ent erprise.
There are numerous sources for informat ion and dat a about crime-relat ed event s t hat may impact an
ent erprise. The safet y pract it ioner may consider any of t he following sources in aiding t he det erminat ion of
risk at a given locat ion:
(1) Local police crime st at ist ics and calls for service at t he sit e and t he immediat e vicinit y for a t hree t o five
year period.
(2) Uniform crime report s published by t he Depart ment of Just ice for t he municipalit y.
(3) The ent erprise’s int ernal records of prior report ed criminal act ivit y.
(4) Demographic and social condit ion dat a providing informat ion about economic condit ions, populat ion
densit ies, t ransience of t he populat ion, unemployment rat es, et c.
(5) Prior criminal and civil complaint s brought against t he ent erprise.
(6) I nt elligence from local, st at e, or federal law enforcement agencies regarding t hreat s or condit ions t hat
may affect t he ent erprise.
(7) Professional groups and associat ions t hat share dat a and ot her informat ion about indust ry-specific
problems or t rends in criminal act ivit y.
(8) Ot her environment al fact ors such as climat e, sit e accessibilit y, and presence of “ crime magnet s” .

The pract it ioners should consider t wo subcat egories of non-crime-relat ed event s: nat ural and “ human-made”
disast ers. Nat ural disast ers are such event s as hurricanes, t ornadoes, maj or st orms, eart hquakes, t idal
waves, light ning st rikes, and fires caused by nat ural disast ers. “ Human-made” disast ers or event s could
include labor st rikes, airplane crashes, vessel collisions, nuclear power plant leaks, t errorist act s (which also
may be criminal-relat ed event s), elect rical power failures, and deplet ion of essent ial resources.

Consequential Events
A “ consequent ial” event is one where, t hrough a relat ionship bet ween event s or bet ween an ent erprise and
anot her organizat ion, t he ent erprise suffers some t ype of loss as a consequence of t hat event or affiliat ion,
or when t he event or t he act ivit ies of one organizat ion damage t he reput at ion of t he ot her. For example, if
one organizat ion engages in illegal act ivit y or produces a harmful product , t he so-called innocent ent erprise
may find it s reput at ion t aint ed by virt ue of t he affiliat ion alone, wit hout any separat e wrongdoing on t he part
of t he lat t er organizat ion.
Probabilit y of loss is not based upon mat hemat ical cert aint y; it is considerat ion of t he likelihood t hat a loss
risk event may occur in t he fut ure, based upon hist orical dat a at t he sit e, t he hist ory of like event s at similar
ent erprises, t he nat ure of t he neighborhood, immediat e vicinit y, overall geographical locat ion, polit ical and
social condit ions, and changes in t he economy, as well as ot her fact ors t hat may affect probabilit y. For
example, an ent erprise locat ed in a flood zone or coast al area may have a higher probabilit y for flooding and
hurricanes t han an ent erprise locat ed inland and away from wat er. Even if a flood or hurricane has not
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
occurred previously, t he risks are higher when t he locat ion lends it self t o t he pot ent ial for t his t ype of a loss
risk event . I n anot her example, a business t hat has a hist ory of criminal act ivit y bot h at and around it s
propert y will likely have a great er probabilit y of fut ure crime if no st eps are t aken t o improve securit y
measures and all ot her fact ors remain relat ively const ant (e.g., economic, social, polit ical issues). The
degree of probabilit y will affect t he decision-making process in det ermining t he appropriat e solut ion t o be
applied t o t he pot ent ial exposure.
When looked at from t he “ event ” perspect ive, t he pract it ioner may want t o query how oft en an exposure
exist s per event t ype. For example, if t he event is robbery of cust omers in t he parking lot , t hen t he relevant
inquiry may be how oft en cust omers are in t he lot and for how long when walking t o and from t heir
vehicles. I f t he event is t he rape of a resident in an apart ment building, t hen t he inquiry may focus on how
oft en t he vulnerable populat ion is at risk. I f t he event were a nat ural disast er such as a hurricane, t he
pract it ioner cert ainly would want t o know when hurricane season t akes place.
The securit y pract it ioner should consider all t he pot ent ial cost s, direct and indirect , financial, psychological,
and ot her hidden or less obvious ways in which a loss risk event impact s an ent erprise. Even if t he
probabilit y of loss is low, but t he impact cost s are high, securit y solut ions st ill are necessary t o manage t he
risk. Direct cost s may include:
(1) Financial losses associat ed wit h t he event , such as t he value of goods lost or st olen;
(2) I ncreased insurance premiums for several years aft er a maj or loss;
(3) Deduct ible expenses on insurance coverage;
(4) Lost business from an immediat e post -risk event (e.g. st olen goods cannot be sold t o consumers);
(5) Labor expenses incurred as a result of t he event (e.g. increase in securit y coverage post event );
(6) Management t ime dealing wit h t he disast er or event (e.g. dealing wit h t he media);
(7) Punit ive damages awards not covered by ordinary insurance.

I ndirect cost s may include:
(1) Negat ive media coverage;
(2) Long-t erm negat ive consumer percept ion (e.g. t hat a cert ain business locat ion is unsafe);
(3) Addit ional public relat ions cost s t o overcome poor image problems;
(4) Lack of insurance coverage due t o a higher risk cat egory;
(5) Higher wages needed t o at t ract fut ure employees because of negat ive percept ions about t he ent erprise;
(6) Shareholder derivat ive suit s for mismanagement ;
(7) Poor employee morale, leading t o work st oppages, higher t urnover, et c.

The safet y pract it ioner will have a range of opt ions available, at least in t heory, t o address t he t ypes of loss
risk event s faced by an ent erprise. “ I n t heory” alludes t o t he fact t hat some opt ions may not be available
eit her because t hey are not feasible or are t oo cost ly, financially or ot herwise. Opt ions include safet y
measures available t o reduce t he risk of t he event . Equipment or hardware, policies and procedures,
management pract ices, and st affing are t he general cat egories of safet y-relat ed opt ions. However, t here are
ot her opt ions, including t ransferring t he financial risk of loss t hrough insurance coverage or cont ract t erms
(e.g. indemnificat ion clauses in securit y services cont ract s), or simply accept ing t he risk as a cost of doing
business. Any st rat egy or opt ion chosen st ill must be evaluat ed in t erms of availabilit y, affordabilit y, and
feasibilit y of applicat ion t o t he ent erprise’s operat ion. The pract ical considerat ions of each opt ion or st rat egy
should be t aken int o account at t his st age of t he risk assessment . While financial cost is oft en a fact or, one
of t he more common considerat ions is whet her t he st rat egy will int erfere subst ant ially wit h t he operat ion of
t he ent erprise. For example, ret ail st ores suffer varying degrees of loss from t he shoplift ing of goods. One
possible “ st rat egy” could be t o close t he st ore and keep out t he shoplift ers. I n t his simple example, such a
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
solut ion is not feasible because t he st ore also would be keeping out legit imat e cust omers and would go out
of business. I n a less obvious example, an ent erprise t hat is open t o t he public increases it s access cont rol
policies and procedures so severely t hat a negat ive environment is creat ed by effect ively discouraging
people from going t o t hat facilit y as pot ent ial cust omers and hence, loses business. The challenge for t he
safet y pract it ioner is t o find t hat balance bet ween a sound safet y st rat egy and considerat ion of t he
operat ional needs of t he ent erprise, as well as t he psychological impact on t he people affect ed by the safet y
program.
The final st ep in conduct ing a safet y risk analysis is considerat ion of t he cost versus benefit of a given
securit y st rat egy. The securit y pract it ioner should det ermine what t he act ual cost s are of t he implement at ion
of a program and weigh t hose cost s against t he impact of t he loss, financially or ot herwise.


H HA AZ ZA AR RD D A AS SS SE ES SS SM ME EN NT T
For t he purposes of t his document a hazard is defined as a source of pot ent ial harm. I t can be an event or a
subst ance or an organism. Hazard ident ificat ion underpins t he process of risk assessment . I n it s simplest
form it can be concept ualised as asking t he quest ion: “ What can go wrong?” This process should be
dist inguished from risk est imat ion, which includes considerat ion of likelihood, exposure, consequences or
loss crit icalit y, and safet y level. A crit ical st age of risk assessment is ident ifying all likely hazards in t he
process of t he dealing wit h a part icular hazard. Unident ified hazards may pose a maj or t hreat t o healt h and
t he environment . I t is import ant , t herefore, t hat a comprehensive approach is adopt ed t o ensure t hat t he full
range of hazards is ident ified. A hazard needs t o be dist inguished from an adverse out come and also from a
risk. A hazard is a source of pot ent ial harm and only becomes a risk when t here is some chance t hat harm
will act ually occur. These are import ant dist inct ions t hat can be difficult t o est ablish clearly in some
circumst ances. For example, t he hazard of cat ching a dangerous disease only becomes a risk if t here is
exposure t o t he organism t hat causes t hat disease. The adverse out come only arises if infect ion occurs.
Alt hough a hazard is a source of pot ent ial harm, oft en part icular circumst ances must occur before t hat harm
can be realised and before it can be considered a risk. I ndeed, quit e specific condit ions may be required for
t he adverse out come t o event uat e. For inst ance, a gene encoding virus resist ance in a plant could lead t o
increased weediness in t he presence of t he virus, but only if t he viral disease is a maj or fact or limit ing t he
spread and persist ence of t he plant .

Hazard Analysis
A number of hazard ident ificat ion t echniques are available t hat range from broad brush approaches t o more
t arget ed analysis. Techniques used by t he Regulat or and st aff include, but are not limit ed t o checklist s,
brainst orming, commonsense, previous agency experience, report ed int ernat ional experience, consult at ion,
scenario analysis and induct ive reasoning (fault and event t ree analysis). The AS/ NZS 4360: 2004 (New
Zeland and Aust ralian st andards) cont ain det ails of a range of ot her t echniques t hat have not been broadly
applied in t he cont ext of biological syst ems. These include HAZOP (Hazards and Operabilit y Analysis), SWOT
(St rengt hs, Weaknesses, Opport unit ies and Threat s Analysis), Failure Mode Effect Analysis (FMEA),
Hierarchical Holographic Modelling (HHM), Mult icrit eria Mapping, Delphi Analysis and Syst ems Analysis.
Hazards can be considered from t he t op down, t hat is, t he pot ent ial adverse out comes are ident ified and t he
processes t hat may give rise t o t hem described. Or t hey can be addressed from t he bot t om up, t hat is t he
biological, physical, chemical and human component s and processes t hat make up t he syst em t o be st udied
are examined and pot ent ial adverse out comes ident ified. Where risks have already been ident ified and
charact erised and are well underst ood it is possible t o use deduct ive reasoning t o ident ify hazards. However
deduct ive t echniques are unlikely t o ident ify synergist ic or ant agonist ic effect s. The process of hazard
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
ident ificat ion involves considerat ion of causal pat hways t hat result in harm. Alt hough it is import ant t o
ident ify all pot ent ial hazards it is also import ant t o apply a t est of reasonableness. The number of hazards
t hat can be conceived as an int ellect ual exercise by varying circumst ances, environment al condit ions or
chemical and physical processes is infinit e but not all are realist ic, likely t o event uat e, or t o result in
ident ifiable harm. I n ident ifying hazards t he Regulat or’ represent at ive will look specifically at :
(1) Alt ered biochemist ry;
(2) Alt ered physiology;
(3) Unint ended change in gene expression;
(4) Product ion of a subst ance t oxic t o humans;
(5) Product ion of a subst ance allergenic t o humans;
(6) Unint ended select ion;
(7) Unint ended invasion;
(8) Expansion int o new areas;
(9) Gene flow by sexual gene t ransfer;
(10) Gene flow by horizont al gene t ransfer;
(11) Product ion of a subst ance t hat is t oxic t o, or causes ill-healt h or mort alit y;
(12) Secondary effect s (e.g. loss of genet ic modified t rait efficacy such as pest or pat hogen resist ance,
development of herbicide resist ance);
(13) Product ion (farming) pract ices;
(14) Alt erat ion t o t he physical environment including biogeochemical cycles;
(15) I nt ent ional or unaut horised act ivit ies.

Not all of t he above cat egories of hazard will be relevant t o all hazards and specific ones may warrant a
more det ailed considerat ion in one applicat ion t han in ot hers. Some hazards will have similar adverse
out comes and could be grouped on t hat basis. I n risk assessment s for t he main hazard groups considered
include human healt h and t hat of ot her organisms (non-t arget ).

Causal Linkages
Once hazards have been ident ified it is import ant t o est ablish t hat t here is a causal link bet ween the hazard
and an adverse out come. There should be an ident ifiable pat hway or rout e of exposure t hat demonst rat es
t hat t he hazard will cause t he adverse out come. There are several possible combinat ions:
(1) A single hazard gives rise t o a single adverse out come;
(2) A single hazard gives rise t o mult iple adverse out comes;
(3) Mult iple hazards t hat act independent ly and give rise t o a single adverse out come;
(4) Mult iple hazards t hat int eract and give rise t o single or mult iple adverse out comes.

The Regulat or will also consider if any of t he ident ified hazards have synergist ic, addit ive, ant agonist ic,
cumulat ive or aggregat e effect s, in combinat ion wit h bot h non-t arget organisms and ot her exist ing t arget s.
Addit ive effect s may occur where different hazards give rise t o t he same adverse out come, which could
increase t he negat ive impact . Synergism arises when t he effect s are great er t han when added. For example,
a genet ic modified organism expressing t wo insect icidal genes wit h different modes of act ion may have
great er pot ency t han t he addit ion of t he effect s from t he individual genes. Cumulat ive effect s arise where
t here may be repeat ed exposure over t ime t hat may aggravat e an est ablished disease or st at e and
ant agonist ic effect s may occur where t he hazard alt ers t he charact erist ics of t he t arget in opposing ways.
For example, if a gene was int roduced or modified t o increase product ion of a part icular compound but it
also reduced growt h rat es, t his would be regarded as an ant agonist ic effect . Est ablishing t he underlying
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
causal linkage provides t he foundat ion for likelihood, exposure and consequence assessment s and makes it
easier t o ident ify where furt her informat ion may be required or where t here may be uncert aint y. Ot her
met hods of linking a hazard t o an adverse out come are descript ions based on expert scient ific knowledge, or
by inference from experiment al dat a and models.
Specific circumst ances may be required for a hazard t o event uat e, for inst ance, cert ain charact erist ics of t he
environment may be import ant such as soil t ype or rainfall and t his must be t aken int o account . Factors t hat
may be posit ively associat ed wit h t he development of adverse effect s will also be considered. These include
enabling fact ors such as poor nut rit ion and precipit at ing fact ors such as t he exposure t o a specific disease
agent or t oxin. The regulat ions require t he Regulat or t o consider t he short and t he long t erm when
assessing risks. The conduct of risk analysis does not at t empt t o fix durat ions t hat are eit her short or long
t erm, but t akes account of t he exposure, likelihood and impact of an adverse out come over t he foreseeable
fut ure, and does not discount or disregard a risk on t he basis t hat an adverse out come might not occur for a
long t ime. An example of a short t erm effect is acut e t oxic effect s on an organism due t o direct exposure t o
t he genet ic modified organism. I n cont rast , increased weediness arising from gene flow from a genet ic
modified plant is an example of what could be considered a long t erm effect as it develops over a number of
generat ions. The t imeframes considered by t he Regulat or will be appropriat e t o t he hazard, it s lifecycle and
t he t ype of adverse out come under considerat ion. A genet ic modified organism t hat has a lifespan of many
years may involve considerat ions on a longer t imeframe t han anot her genet ic modified organism t hat has a
significant ly short er lifespan, alt hough t he implicat ions and long t erm consequences of t he release of eit her
would be also be considered.

Hazard Selection
Hazards t hat warrant det ailed est imat ion of likelihood, exposure and consequence t o assess whet her t hey
pose a risk t o human healt h and safet y and ot her t arget s (e.g. environment , business int errupt ion, product ,
equipment and process) are det ermined by applying a number of crit eria including t hose specified by t he
safet y regulat ions and t hose of specific concern t o st akeholders. Those t hat do not lead t o an adverse
out come or could not reasonably occur will not advance in t he risk assessment process. I n some cases t he
adverse out come may not be significant , in which case t he hazard may be set aside. Thus, even at an early
st age, considerat ion of likelihood, exposure and consequence (loss crit icalit y), and safet y level becomes part
of an it erat ive process in t he cycle of risk assessment . Screening of hazards occurs t hroughout t he risk
assessment process, wit h t hose t hat do not require furt her considerat ion being set aside. I t is also possible
t hat addit ional hazards may be ident ified during ot her st ages of t he process, in which case if regarded as
relevant , t hey will be considered. Consult at ion wit h st akeholders on applicat ions ensures all relevant hazards
are ident ified. Hazard select ion should be comprehensive and rigorous. However, care should be t aken t o
avoid over emphasis of unrealist ic event s. I t should be relevant t o t he nat ure of t he hazard and t he spat ial
and t emporal scale of t he proposed release. The process should be it erat ive wit h feedback mechanisms
bet ween individual st eps and t ake int o account t he spat ial and t emporal scale of t he proposed release,
previous relevant assessment s and dat a collect ed from previous releases of t he hazard or hazardous
mat erials, if available. I t should also be t ransparent and consider st akeholder’s concerns relevant t o
t hehealt h and safet y of people and t he environment .


E EV VI I D DE EN NC CE E A AN ND D E EX XP PO OS SU UR RE E
A crit ical considerat ion relat ed t o evidence is how much and what dat a are required. I t is import ant t o
dist inguish bet ween dat a necessary for t he risk assessment and background informat ion t hat does not
direct ly inform t he est imat e of risk. Collect ion of dat a simply t o have t he informat ion when t hat informat ion
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
serves no purpose is an inefficient use of resources. The evidence used t o assess an applicat ion comes from
a variet y of sources. I t can also include experiment al dat a from ot her scient ific lit erat ure relevant t o t he
applicat ion, pract ical experience, reviews, t heory, models, observat ions, anecdot al evidence and
uncorroborat ed st at ement s. Previous assessment s of a hazard by ot her int ernat ional regulat ory agencies are
considered. Where a recognised overseas regulat ory agency has made an assessment of t he same or a
similar hazard, t heir findings will also be considered during t he risk assessment . Ot her sources of qualit at ive
informat ion include:
(1) Expert opinion, from commit t ees or groups of expert s, ot her regulat ory aut horit ies or from individual
expert s;
(2) I nformat ion on pot ent ial hazards provided t hrough public consult at ion;
(3) Published mat erial on relat ed sit uat ions.

Emphasis is placed on quant it at ive dat a. Scient ific st udies by t he applicant will be assessed for t he
appropriat eness and qualit y of experiment al design and dat a analysis and t he conclusions must be
subst ant iat ed by t he dat a. All of t hese aspect s should be independent ly evaluat ed by appropriat ely qualified
st aff. There are int ernat ionally accept ed st andards t hat must be met for part icular t ypes of st udies and dat a
is assessed against t hese st andards. For inst ance, in t oxicological assessment s experiment al dat a from
animal st udies are used t o ext rapolat e t o humans using defined safet y fact ors and environment al risk
assessment is oft en based on effect s on accept ed t est species. Evidence is weight ed by it s source (e.g. a
peer reviewed art icle in a recognised int ernat ional j ournal will have more weight t han an uncorroborat ed
st at ement on a personal websit e) and by it s cont ent . Where st at ement s have insufficient backing t hey may
be given lesser weight or credence. I n cases where t here may be conflict ing evidence wit h regard t o adverse
impact s, for inst ance some informat ion showing a negat ive impact and some showing no effect , t his will be
considered in coming t o a final conclusion. Evidence can be j udged t o have bot h st rengt h and weight . I t can
be weight ed by t he number of st udies, a number of weaker pieces of evidence may count er-weigh a single
st rong piece of evidence, or by t he dept h of t he st udies, a det ailed st udy may have more weight t hat a
superficial one. The st rengt h of t he evidence can be considered t hrough it s relat ionship t o t he problem. I f
evidence is direct ly relat ed t o t he problem it will be st ronger t han evidence t hat only has an indirect bearing
on t he problem. Thus if t here are st udies of t he weediness of a part icular species, t his will have great er
st rengt h t han informat ion about t he weediness of a relat ed species. I n t he absence of direct evidence
indirect evidence is not excluded but will be weight ed appropriat ely. I f dat a are unavailable or incomplet e,
t he significance of t hat absence or incomplet eness in undert aking an evaluat ion of t he risks of a proposal will
be considered. I f t he Regulat or considers t hat t he lack of dat a creat es uncert aint y around a level of risk t hat
appears manageable, t hen furt her collect ion of dat a may be required under st rict ly limit ed and cont rolled
field condit ions. However, if t he Regulat or det ermines t hat t he risk is not manageable, a licence will not be
grant ed. I t is import ant t o consider not only all available evidence and t o use t hat , t hrough logical deduct ion,
t o ext end t he value of t hat evidence, but also t o consider uncert aint y wherever it is apparent and take it int o
account .
As wit h regard t o frequency or likelihood, it is a known fact t hat accident or disease are random event s.
Therefore, risk fact ors will be different iat ed by t he fact t hat each of t hem leads t o t he occurrence of an
accident or disease, while t he probabilit y differs. Thus, t he probabilit y for an accident t o happen because of
t he hazardous mot ions of t he movable part s of a drilling machine is different t han t he one of an accident
caused by light ning. Likewise, one and t he same fact or may be charact erised by anot her frequency of act ion
on t he worker, in different moment s of t he operat ion of a work syst em or in analogous syst ems, depending
on t he nat ure and on t he st at e of t he generat ing element . For inst ance, t he probabilit y of elect rocut ion by
direct t ouch when handling a power-supply device is higher if t he lat t er is old and t he prot ect ion isolat ion of
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
it s conduct ors is t orn, t han if it is a brand new one. Yet , from t he point of view of prompt ness and efficiency,
it is not possible t o work wit h probabilit ies t hat are st rict ly det ermined for each risk fact or. I n cert ain cases,
t his could not even be calculat ed, as in t he case of fact ors relat ing t o t he worker. The probabilit y t o act in a
manner t hat generat es accident s may not but be approximat ed. I n ot her sit uat ions, t he calculat ion required
for t he rigorous det erminat ion of t he probabilit y of occurrence of t he consequence is so t oilsome, t hat it
would event ually be even more cost ly and t ime-consuming t han t he act ual applicat ion of prevent ive
measures. This is why it would be bet t er, as a rule, t o det ermine t he probabilit ies by est imat ion, and t o
classify t hem by ranges. For t he purpose we pursue, for inst ance, it is easier and more efficient t o
approximat e t hat a cert ain accident is likely t o be generat ed by a risk fact or charact erised a frequency t hat is
lower t han once every 100 hours. The difference is insignificant , as against more rigorous values of 1 every
85 hours or 1 every 79 hours, yet t he event may be classified, in all t hree cases, as very frequent . For t his
reason, if we use t he int ervals specified in CEI -812/ 1985, we obt ain five general groups of event s for
exposure coefficient (E), as follows in Table 3.01. We will at t ribut e t o each group a probabilit y class for
exposure, from I t o VI , t hus saying t hat event , which has a probable frequency of exposure L < 1×10
-7
/ hr is
classified in exposure Class I or Class I I , while ot her event , which has a probable frequency of occurrence L
> 1×10
-2
/ hr is classified in exposure Class V or Class VI .

Table 3.01 – Quot at ion scale for exposure coefficient (hourly basis) of t he act ion of risk fact ors on t arget s.
EXPOSURE LEVEL EXPOSURE EXPOSURE
COEFFI CI ENT LEVEL
lower limit upper limit
EXPOSURE
CATEGORY
(E) CLASS
< 1×10
÷9
Ext remely Rare 1 I
1×10
÷9
1×10
÷8
2
1×10
÷8
1×10
÷7

Very Rare
3
I I
1×10
÷7
1×10
÷6
4
1×10
÷6
1×10
÷5

Rare
5
I I I
1×10
÷5
1×10
÷4
6
1×10
÷4
1×10
÷3

Low Frequency
7
I V
1×10
÷3
1×10
÷2
8
1×10
÷2
1×10
÷1

Frequent
9
V
1×10
÷1
1×10
0
Very Frequent 10 VI

The exposure of an t arget (e.g. business, facilit y, personnel, process, product , equipment ) t o an pot ent ial
harm or hazard relat es t he t ime of exposure (cont act t ime) wit h t he life t ime of t hat t arget . We can include
also t he propert y associat ed t o t he hazard, i.e. t he concent rat ion of t he agent (or vect or) if is t he case of
human exposure t o a chemical or biological hazard. I n t he first case, t he exposure coefficient can be
measured by t he following expression,

( ) | |
¯
¯
·
=
=
·
=
1 i
i
m
1 j
j c j
t
t a
E [ 3.01]
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
where a
j
is t he number of cont act occurrences wit h t he hazard for a given event , t
c
is t he cont act t ime (in
homogeneous t ime unit s), and t
i
is t he life t ime of t he event in t he same t ime unit s as t
c
. in t he second case,
when we are dealing wit h account able hazards, i.e. we can measure one given prpert y of t he hazard such
t he concent rat ion of chemical or biological specie, t he exposure coefficient can be evaluat ed by t he following
expression,

( )
¯
¯
·
=

·
|
|
.
|

\
|
=
1 i
i
j c
STV
j
t
t
H
H
E [ 3.02]

where H
j
is t he measured value of t he propert y (i.e. t he concent rat ion,pressure, t emperat ure), H
STV
is t he
st andard value for t he measured propert y (if exist s); if t he st andard value for t he measured propert y does
not exist s we will assume t he H
STV
as being t he unit y. The exposure coefficient will be given t he value of
zero in t he absence of any sort of exposure, and will be given t he value of t en if t here is cont inuous
exposure t o t he hazard (see Table 3.01).

Probability Factors
Condit ions and set s of condit ions t hat will worsen or increase t arget exposure t o risk of loss can be divided
int o t he following maj or cat egories:
(1) Physical environment (const ruct ion, locat ion, composit ion, configurat ion) ;
(2) Social environment (demographics, populat ion dynamics) ;
(3) Polit ical environment (t ype and st abilit y of government , local law enforcement resources;
(4) Hist orical experience (t ype and frequency of prior loss event s);
(5) Procedures and processes (how t he asset is used, st ored, secured);
(6) Criminal st at e-of-art (t ype and effect iveness of t ools of aggression).

The pract ical value of loss risk analysis depends upon t he skill and t horoughness wit h which t he basic risks
t o an ent erprise are ident ified. This is t he first and most import ant st ep in t he ent ire process. Every aspect of
t he ent erprise or facilit y under review must be examined t o isolat e t hose condit ions, act ivit ies, and
relat ionships t hat can produce a loss. For an effect ive analysis, t he observer must t ake int o account t he
dynamic nat ure of t he ent erprise on each shift and bet ween daylight and darkness. The daily rout ine must
be underst ood, because t he loss-producing causes can vary from hour t o hour.


L LI I K KE EL LI I H HO OO OD D ( ( P PR RO OB BA AB BI I L LI I T TY Y) ) O OF F O OC CC CU UR RR RE EN NC CE E
Likelihood is t he chance of somet hing happening. The likelihood assessment cent res around t he quest ion:
“ Will it happen?” , and more specifically, “ How likely is it t o happen?” . Likelihood is anot her maj or component
of risk assessment . I f an adverse event is not expect ed t o occur in some relevant t imeframe t hen it s impact
does not need t o be analysed furt her. Likelihood coefficient (L) is expressed as a relat ive measure of bot h
frequency, t he number of occurrences (a
j
) per unit t ime (t
i
),

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
¯
¯
·
=
=
=
1 i
i
m
1 j
j
t
a
L [ 3.03]

and probabilit y (from zero t o one, where zero is an impossible out come and one is a cert ain out come), t he
number of occurrences (a
j
) per t her t ot al number of event s (n
i
).

¯
¯
·
=
=
=
1 i
i
m
1 j
j
n
a
L [ 3.04]

when we are dealing wit h t ime measurement , likelihood can be expressed as a t ime frequency,

( )
¯
¯
·
=
=
=
1 i
i
m
1 j
j c
t
t
L [ 3.05]

where t
c
is t he cont act t ime for a given occurrence. Likelihood is expressed in t he following t erms for
qualit at ive and quant it at ive risk assessment s: highly likely, likely, unlikely, highly unlikely. I n Table 3.02 and
Table 3.03 we have t he quot at ion scale of t he likelihood on non-human t arget s (e.g. business int errupt ion,
product , equipment , environment ) and human t arget s.

Table 3.02 – Quot at ion scale of t he probabilit y of occurrences (likelihood) of t he act ion of risk fact ors on
human and non-human (e.g. business int errupt ion, product , equipment , environment ) t arget s.

LI KELI HOOD LEVEL LI KELI HHOOD LI KELI HOOD
COEFFI CI ENT LEVEL
lower limit upper limit
LI KELI HOOD
CATEGORY
(L) CLASS
< 1×10
÷6
Negligible 1 I
1×10
÷6
5×10
÷5
2
5×10
÷5
1×10
÷4

Very
Unlikely 3
I I
1×10
÷4
5×10
÷4
4
5×10
÷4
1×10
÷3

Unlikely
5
I I I
1×10
÷3
3×10
÷3
6
3×10
÷3
1×10
÷2

Likely
7
I V
1×10
÷2
3×10
÷2
8
3×10
÷2
1×10
÷1

Very Likely
9
V
1×10
÷1
1×10
0
Maximal 10 VI
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Fact ors t hat are import ant in considering t he likelihood of a hazard leading t o an adverse out come are:
(1) The circumst ances necessary for t he occurrence or presence of t he hazard;
(2) The circumst ances necessary for t he occurrence of an adverse out come;
(3) The act ual occurrence and severit y of t he adverse out come;
(4) The persist ence or spread of t he adverse out come.

Fact ors t hat cont ribut e t o t he likelihood of an adverse out come include:
(1) The survival, reproduct ion and persist ence of t he GMO;
(2) The circumst ances of t he release, t hat is t he environment , biot ic and abiot ic fact ors, and ot her
organisms.

The frequency or probabilit y of an init ial event should not be considered alone if a chain of event s leads t o
t he adverse out come. I n t his case each event in t he chain, wit h an associat ed likelihood, depends on t he
previous event occurring in t he first place. The overall likelihood will be lower t han t he likelihood of any
individual event . Such condit ional probabilit ies need t o be fact ored int o det ermining t he final likelihood of an
adverse out come. Where t he exposure pat hway is complex it may be difficult t o ascribe a single likelihood t o
t he adverse out come. Assessing likelihood is more difficult for dist ant hazards where t here may be many
links in t he chain of causal event s. However, t he occurrence of t he event (i.e. gene t ransfer, acident , nat ural
disast er, chemical spill) does not necessarily result in harm. There are furt her event s necessary t o display a
select ive advant age and give rise t o some ident ifiable harm. I n such cases t he effect of all combined
likelihoods will subst ant ially reduce t he overall likelihood of an adverse out come. I n cont rast , hazards close
t o a pot ent ially adverse out come, such as a product t hat is t oxic t o non-t arget organisms, can usually
provide more robust est imat es of likelihood, part icularly as t here is oft en a direct correlat ion bet ween t he
dose of t oxin and t he severit y of t he adverse out come and t he mechanism of act ion may have been
experiment ally verified. I n t he case of field t rials t here is a fixed period for t he release but any pot ent ial for
adverse effect s beyond t his period must also be considered. As wit h any predict ive process, accuracy is
great est in t he immediat e fut ure and declines int o t he dist ant fut ure. As for t he classes of probabilit y
(likelihood) of occurrence, furt her t o t he experiment s, a met hod was finally chosen for t he adj ust ment of t he
European Union st andard concerning risk assessment for machines, t aking int o considerat ion t he following:
(1) Class 1 – Frequency of occurrence over 10 years;
(2) Class 2 – Frequency of occurrence once every 5 t o 10 years;
(3) Class 3 – Frequency of occurrence once every 1 t o 5 years;
(4) Class 4 – Frequency of occurrence once every 1 mont h t o once in a 1 year;
(5) Class 5 – Frequency of occurrence once every 1 mont h t o once in a 1 week;
(6) Class 6 – Frequency of occurrence once every period of less t han 1 day.


L LO OS SS S C CR RI I T TI I C CA AL LI I T TY Y ( ( C CO ON NS SE EQ QU UE EN NC CE ES S) )
The consequence assessment st ems from t he quest ion: “ Would it be a problem?” . More specifically, if t he
hazard does produce an adverse out come or event , i.e. is ident ified as a risk, how serious are t he
consequences? The consequences of an adverse out come or event need t o be examined on different levels.
For inst ance, harm t o humans is usually considered on t he level of an individual whereas harm t o t he
environment is usually considered on t he level of populat ions, species or communit ies. Consequences may
have dimensions of dist ribut ion and severit y. For example, if a genet ic modificat ion result ed in t he
product ion of a prot ein wit h allergenic propert ies, some people may have no react ion t o t hat prot ein, ot hers
may react mildly while ot hers may be seriously affect ed. That is, t here may be a range of consequences
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
from an adverse out come, some people may be more sensit ive t o a t oxin t han ot hers, so t he response may
range from mild ill healt h in one individual t o serious illness in anot her, wit h t he most common response
falling bet ween t hese t wo ext remes. I n considering consequences it is import ant t o t ake into account fact ors
including t he variat ion and dist ribut ion in t he severit y of t he consequences. Assessing t he significance of an
adverse impact includes considerat ion of five primary fact ors:
(1) The severit y of each pot ent ial adverse impact including t he number, magnit ude and probable severit y of,
in t he sense of degree, ext ensiveness or scale (“ How serious is t he impact ?” , “ Does it cause a large
change over baseline condit ions?” , “ Does it cause a rapid rat e of change, large changes over a short
t ime period?” , “ Does it have long-t erm effect s?” , “ I s t he change it creat es unaccept able?” );
(2) The spat ial ext ent t o which t he pot ent ial adverse impact may event ually ext end (e.g. local, regional,
nat ional, global) as well as t o ot her t arget s;
(3) The t emporal ext ent of t he adverse impact , t hat is t he durat ion and frequency, t he lengt h of t ime (day,
year, decade) for which an impact may be discernible, and t he nat ure of t hat impact over t ime (I s it
int ermit t ent or repet it ive? I f repet it ive, t hen how oft en and how frequent ly?);
(4) The cumulat ive adverse impact – t he pot ent ial impact t hat is achieved when t he part icular proj ect ’s
impact (s) are added t o impact s of ot her dealings or act ivit ies t hat have been or will be carried out;
(5) Reversibilit y – how long will it t ake t o mit igat e t he adverse impact ? I s it reversible and, if so, can it be
reversed in t he short or long-t erm?


Table 3.03 – Quot at ion scale of t he severit y of consequences (loss crit icalit y) of t he act ion of risk fact ors on
t he human body (personnel t arget ).

SEVERI TY
CATEGORY
SEVERI TY OF
CONSEQUENCES
SEVERI TY
COEFFI CI ENT
(K)
SEVERI TY
CLASS
Negligible
Minor reversible consequences wit h predict able disablement , up t o
3 calendar days (healing wit hout t reat ment ).
1 1
2
Limit ed
Reversible consequences wit h predict able disablement bet ween 3
t o 45 days, which require medical t reat ment .
3
2
4
Medium
Reversible consequences wit h predict able disablement bet ween 45
t o 180 days, which require medical t reat ment including
hospit alizat ion. 5
3
I mport ant
I rreversible consequences wit h diminut ion of t he abilit y t o work of
maximum 50 % (t hird degree invalidit y).
6 4
7
Severe
I rreversible consequences wit h loss of t he abilit y t o work of 50 t o
100%, but wit h capacit y of selfservice (second degree invalidit y).
8
5
Very Severe
I rreversible consequences wit h t ot al loss of t he abilit y t o work and
of t he self-service capacit y (first degree invalidit y).
9 6
Maximal Deat h; decease. 10 7

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
The explanat ions for consequences t o human healt h focus on inj ury as t he adverse out come but could
equally focus on t he number of people affect ed or t he spat ial scale (local, regional, nat ional) of t he adverse
impact . Adverse consequences t o t he environment encompass a wide range of effect s and t he descript ions
include some of element s from t he fact ors list ed above. Change is an inherent part of any complex dynamic
syst em, including biological syst ems. Therefore in assessing adverse consequences arising from a hazard it is
import ant t o dist inguish change t hat may occur in t he absence of t he hazard from change occurring as a
result of t he hazard and t o consider whet her t hat change is undesirable. Furt hermore, t hese changes could
vary according t o t he environment al cont ext (e.g. an agricult ural set t ing as opposed t o t he undist urbed
nat ural environment ).
I t is easy t o different iat e risks, depending on t he severit y (loss crit icalit y) of t he consequence. Regardless of
t he risk fact or and of t he event t hat might be generat ed by t he lat t er, t he consequences on t he worker
(personnel t arget ) may be classified in accordance wit h t he maj or cat egories defined by t he Safet y Law:
t emporary work disablement , invalidit y (permanent work disablement ) and decease. Furt her more, t he
maximal possible consequence of each risk fact or may be assert ed wit h cert aint y. For inst ance, t he maximal
possible consequence of elect rocut ion will always be decease, while t he maximal possible consequence of
exceeding t he normat ive noise level will be work-relat ed deafness – invalidit y. I n t he event of work-relat ed
accident s or diseases such as t hese are specified by t he medical crit eria of clinical, funct ional and work
capacit y assessment diagnosis, elaborat ed by t he Minist ry of Healt h and t he Minist ry of Labour and Social
Prot ect ion, knowing t he t ypes of lesions and damages, as well as t heir pot ent ial localisat ion, it is possible t o
est imat e for each risk fact or t he t ype of lesion t o which t he lat t er may event ually lead, in ext remis, t he
organ t hat would be affect ed and, finally, t he t ype of consequence t hat will occur: disablement , invalidit y or
decease. On t heir t urn, t hese consequences may be different iat ed in several classes of severit y. For
inst ance, invalidit y may be classified in first , second or t hird degree, while disablement may be of less t han 3
days (minimal limit set by law for t he definit ion of work accident ), bet ween 3 t o 45 days and bet ween 45 t o
180 days. As in t he case of t he probabilit y of occurrence of accident s and diseases, t he severit y of
consequences may be classified in several classes, as follows:
(1) Class 1 – Negligible consequences (work disablement of less t han 3 days);
(2) Class 2 – Limit ed consequences (work disablement bet ween 3 t o 45 days, requiring medical t reat ment );
(3) Class 3 – Medium consequences (work disablement bet ween 45 t o 180 days, medical t reat ment and
hospit alisat ion);
(4) Class 4 – I mport ant consequences (t hird degree invalidit y);
(5) Class 5 – Severe consequences (second degree invalidit y);
(6) Class 6 – Very severe consequences (first degree invalidit y);
(7) Class 7 – Maximal consequences (decease).

The cost t o societ y of a workplace fat alit y was est imat ed using t he cost -of-illness approach (Fat al
Occupat ional I nj ury Cost Model, FOI CM), which combines direct and indirect cost s t o yield an overall cost of
an occupat ional fat al inj ury (DHHS, NI OSH, Publicat ion No. 2006–158). For t hese calculat ions, only medical
expenses were used t o est imat e t he direct cost associat ed wit h t he fat alit y. The indirect cost was derived by
calculat ing t he present value of fut ure earnings summed from t he year of deat h unt il t he decedent would
have reached age 67, account ing for t he probabilit y of survival were it not for t he premat ure deat h (Biddle,
E., 2004). The mat hemat ical represent at ion of indirect cost s is given by t he following expression,

( ) ( ) ( ) | |
( )
( )
¯
= )
`
¹
¹
´
¦

÷ · +
÷ · +
· · · =
n
1 i
h
s
w
j , s i , s , r L
i n d 1
i n g 1
n C n C n P PDV [ 3.06]
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
where PDV
L
is t he present discount ed value of loss due t o occupat ional fat al inj ury per person, P
r,s,i
(n) is t he
probabilit y t hat a person of race (r), sex gender (s), and age (i) will survive t o age n, i is t he age of t he
person at deat h, n is t he age if t he person had survived, C
w
s,j
(n) is t he median annual earnings of an
employed person of sex (s), occupat ion (j ), and age n (includes benefit s and life-cycle wage growt h
adj ust ment ) , C
h
s
(n) is t he mean annual imput ed value of home product ion of a person of sex (s) and age
(n), g is t he wage growt h rat e at t ribut able t o overall product ivit y, and d is t he real discount rat e (e.g. 3%
per annum).

Table 3.04 – Quot at ion scale of t he severit y of consequences (loss crit icalit y) of t he act ion of risk fact ors on
every t arget (human or personnel, business int errupt ion, environment , product , equipment , et c.) using a
economic and financial approach.

MAXI MUM EXPOSURE VALUE MAXI MUM POSSI BLE LOSS
Value (MEV) % K
MEV
Value (MPL) % K
MPL

0 – 200,000 0 – 20 1 0 – 100,000 0 – 10 1
200,000 – 300,000 20 – 30 2 100,000 – 150,000 10 – 15 2
300,000 – 400,000 30 – 40 3 150,000 – 200,000 15 – 20 3
400,000 – 500,000 40 – 50 4 200,000 – 250,000 20 – 25 4
500,000 – 600,000 50 – 60 5 250,000 – 300,000 25 – 30 5
600,000 – 800,000 60 – 70 6 300,000 – 350,000 30 – 35 6
700,000 – 800,000 70 – 80 7 350,000 – 400,000 35 – 40 7
800,000 – 900,000 80 – 90 8 400,000 – 450,000 40 – 45 8
900,000 – 1,000,000 90 – 100 9 450,000 – 500,000 45 – 50 9
> 1,000,000 > 100 10 > 500,000 > 50 10

On a financial and economic basis, loss crit icalit y (or severit y) is t he maximum expect ed loss if a given
pot ent ial risk becomes real. The evaluat ion concept of economical losses used by t his met hod are t he
Maximum Exposure Value and Maximum Possible Loss. Each of t hese concept s express t he maximum
expect ed loss in t he case of any risk, in t he most unfavourable condit ions, i.e. failure of any int ernal or
ext ernal safet y support mechanisms. Table 3.04 shows t he quot at ion scale of t he severit y of consequences
(loss crit icalit y) of t he act ion of risk fact ors on every risk t arget using t his economic and financial approach.
The loss crit icalit y (or severit y) is det ermined by bot h t he following met hods: (1) using t he absolut e or
financial values such t he maximum exposure value (MEV) and t he maximum possible loss value (MPL); (2)
using t he maximum exposure coefficient (K
MEV
) and t he maximum possible loss coefficient (K
MPL
). I n
calculat ing t he loss crit icalit y coefficient using financial values we should use t he following expression,

|
|
.
|

\
|
· · =
EQ
MPL
EQ
MEV
Sc K
max
[ 3.07]

on t he ot her hand, when we are using t he t he maximum exposure coefficient (K
MEV
) and t he maximum
possible loss coefficient (K
MPL
) we apply t he following expression,

MPL MEV
K K K · = [ 3.08]

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Sc
max
is t he highest coefficient scale value used for evaluat e t he coefficient s (i.e. in t his case is t he value 10),
and EQ is t he equit y of t he business or proj ect (i.e. in t his case is 1,000,000).

Table 3.05 – Quot at ion scale of t he severit y of consequences (loss crit icalit y) of t he act ion of risk fact ors on
business int errupt ion and environment t arget s.

SEVERI TY OF CONSEQUENCES
SEVERI TY
CATEGORY BUSI NESS I NTERRUPTI ON ENVI RONMENTAL
SEVERI TY
COEFFI CI ENT
(K)
SEVERI TY
CLASS
Negligible s 1 day
Minor environment al damage requiring
less t han 10% of t he business equit y t o
correct or in penalt ies.
1 1
1 t o 3 days
Minor environment al damage requiring
10% t o 15% of t he business equit y t o
correct or in penalt ies.
2
Marginal
3 days t o 1 week
Minor environment al damage requiring
15% t o 20% of t he business equit y t o
correct or in penalt ies.
3
2
1 t o 2 weeks
Short t erm environment al damage (unt il
1 year) requiring 20% t o 25% of t he
business equit y t o correct or in penalt ies.
4
Limit ed
2 weeks t o 1 mont h
Short -t erm environment al damage (unt il
1 year) requiring 25% t o 30% of t he
business equit y t o correct or in penalt ies.
5
3
I mport ant 1 t o 2 mont hs
Medium t erm environment al damage (1
t o 3 years) or requiring 30% t o 35% of
business equit y t o correct or in penalt ies.
6 4
2 t o 3 mont hs
Medium t erm environment al damage (1
t o 3 years) or requiring 35% t o 40% of
business equit y t o correct or in penalt ies.
7
Severe
3 t o 4 mont hs
Medium t erm environment al damage (1
t o 3 years) or requiring 40% t o 45% of
business equit y t o correct or in penalt ies.
8
5
Crit ical 4 t o 6 mont hs
Long t erm environment al damage (3 t o 5
years) or requiring 45% t o 50% of
business equit y t o correct or in penalt ies.
9 6
Maximal or
Cat ast rophic
> 6 mont hs
Long t erm environment al damage (5
years or great er) or requiring at least
50% of t he business equit y t o correct or
in penalt ies.
10 7

Costs to Be Considered
Highly probable risks may not require count ermeasures at t ent ion if t he net damage t hey would produce is
small. But even moderat ely probable risks require at t ent ion if t he size of t he loss t hey could produce is
great . Crit icalit y is first considered on a single event or occurrence basis. For event s wit h est ablished
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
frequency or high recurrence probabilit y, crit icalit y also must be considered cumulat ively. The crit icalit y or
loss impact can be measured in a variet y of ways. One is effect on employee morale, anot her is effect on
communit y relat ions. But t he most useful measure overall is financial cost . Because t he money measure is
common t o all vent ures, even government and not -for-profit ent erprises, t he seriousness of safet y
vulnerabilit y can be grasped most easily if st at ed in monet ary t erms. Not e t hat some losses (e.g. loss of
human life, loss of nat ional infrast ruct ure element s, or losses of communit y goodwill) do not lend t hemselves
t o ready analysis in financial t erms. When event s t hat could produce t hese t ypes of losses have been
ident ified, some fact ors ot her t han merely quant it at ive will be used t o measure t heir seriousness. When
t radeoff decisions are being made as part of t he risk management process, a very useful way t o evaluat e
securit y count ermeasures is t o compare cost of est imat ed losses wit h cost of prot ect ion. Money is t he
necessary medium.
Cost s of safet y losses are bot h direct and indirect . They are measured in t erms of lost asset s (t arget s) and
lost income. Frequent ly, a single loss will result in bot h kinds. There t hree maj or t ypes of cost s:
(1) Permanent Replacement – The most obvious cost is t hat involved in t he permanent replacement of a
lost asset . Permanent replacement of a lost asset includes all of t he cost t o ret urn it t o it s former
locat ion. Component s of t hat cost are: (a) Purchase price or manufact uring cost , (b) Freight and
shipping charges, (c) Make-ready or preparat ion cost t o inst all it or make it funct ional. A lost asset may
cost more or less t o replace now t han when it was first acquired.
(2) Temporary Subst it ut e – I t may be necessary t o procure subst it ut es while await ing permanent
replacement s. This may be necessary t o minimize lost opport unit ies and t o avoid penalt ies and
forfeit ures. The cost of t he t emporary subst it ut e is properly allocable t o t he safet y event t hat caused t he
loss of t he asset or t arget . Component s of t emporary subst it ut e cost might be: (a) Lease or rent al, (b)
Premium labor, such as overt ime or ext ra shift work t o compensat e for t he missing product ion.
(3) Relat ed or Consequent Cost – I f ot her personnel or equipment are idle or underut ilized because of t he
absence of an asset lost t hrough a securit y incident , t he cost of t he downt ime also is at t ribut able t o t he
loss event .

Many losses are covered, at least in part , by insurance or indemnit y of some kind. To t he ext ent it is
available, t hat amount of indemnit y or insurance receivement should be subt ract ed from t he combined cost s
of loss enumerat ed previously.

Economic Appraisal and Socioeconomic Costs of Work I ncidents
I mprovement of healt h and safet y at work can bring economic benefit s for companies, workers and societ y
as a whole. Accident s and occupat ional diseases can give rise t o heavy cost s t o companies. For small
companies part icularly, occupat ional accident s can have a maj or financial impact . But it can be difficult t o
convince employers and decision-makers of t he profit abilit y of safer and healt hier working condit ions. An
effect ive way can be t o make financial or economic est imat ions and give a realist ic overview of t he t ot al
cost s of accident s, and t he benefit s of prevent ing accident s. Tot al cost s and benefit s will include bot h
obvious and hidden cost s, t oget her wit h t he cost s t hat can easily be quant ified and t hose t hat can only be
expressed in qualit at ive t erms. Work accident s are a burden for many part ies. Companies oft en do not bear
t he full cost s of occupat ional diseases, occupat ional inj uries or work-relat ed illnesses. Accident s also lead t o
cost s for ot her companies, individual workers and for societ y as a whole. For inst ance, t he company may not
cover healt hcare cost s for workers, or disabilit y pensions may be borne by collect ive funds. Prevent ing
incident s and work accident s, occupat ional inj uries and diseases not only reduces cost s, but also cont ribut es
t o improving company performance. Occupat ional safet y and healt h can affect company performance in
many ways, for inst ance:
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(1) Healt hy workers are more product ive and can produce at a higher qualit y;
(2) Less work-relat ed accident s and diseases lead t o less sick leave. I n t urn t his result s in lower cost s and
less disrupt ion of t he product ion processes;
(3) Equipment and a working environment t hat is opt imised t o t he needs of t he working process and t hat
are well maint ained lead t o higher product ivit y, bet t er qualit y and less healt h and safet y risks;
(4) Reduct ion of inj uries and illnesses means less damages and lower risks for liabilit ies.

I n many count ries regulat ions exist t hat somehow bring back t he cost s t o t he company or person who
caused t he cost s (so-called cost int ernalisat ion). This may funct ion as an economic incent ive t o prevent
fut ure inj uries or diseases. The best way t o obt ain good insight int o t he cost s of work accident s is t o make
an economic assessment . This can be done at different levels, namely:
(1) At t he level of t he individual worker;
(2) At company level;
(3) At t he level of societ y as a whole.


Table 3.06 – Overview of variables direct ly relat ed t o cost s of inj uries and illnesses at individual level.

VARI ABLE DESCRI PTI ON MEASUREMENT
Healt h. Hospit alisat ion (bed-days). Ot her
medical care, such as non-
hospit al t reat ment , medicines.
Permanent disabilit y (numbers,
age of pat ient ). Non-medical
(e.g. vocat ional) rehabilit at ion,
house conversions.
Expendit ures for healt h care t hat
are not compensat ed by insurance
or employers.
Grief and suffering. For vict ims, but also for relat ives
and friends.
No reliable met hod available.
Qualit y of life Life expect ancy.
Healt hy life expect ancy.
Qualit y adj ust ed life years
(QALY). Disabilit y adj ust ed life
years (DALY).
Willingness t o accept , willingness t o
pay. Height of claims and
compensat ions.
Present income losses. Loss in income from present and
second j ob.
Reduct ion in present income, loss of
wages.
Loss of pot ent ial fut ure
earnings.
Also including t he second j ob. Differences bet ween t ot al expect ed
fut ure income and t ot al
compensat ion or pensions.
Expenses t hat are not covered. Examples are cost s for
t ransport at ion, visit s t o hospit als,
et c.
Sum of all ot her expenses for a
vict im and by insurances or
compensat ions cost s arising from
fat alit ies such as funerals (t hat are
not compensat ed).

There is no ult imat e list of cost fact ors t o be included in an assessment . However, a minimum set of cost
fact ors has emerged from pract ice and t heory. Addit ions or modificat ions are t o be made depending on t he
purpose of t he assessment , t he st ruct ure of social securit y in a count ry and so on. Const ruct ing t he list of
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
cost fact ors is one of t he key act ivit ies in any economic appraisal. Tables 3.06 and Table 3.07 offer an
invent ory of cost fact ors t hat can be used as a st art ing point for assessment s at t he individual level and at
societ y level. I t t akes a few st eps t o est imat e t he cost effect s of a work accident .

Table 3.07 – Overview of variables direct ly relat ed t o cost s of inj uries and illnesses at t he level of societ y as
a whole.

VARI ABLE DESCRI PTI ON MEASUREMENT
Healt h. Hospit alisat ion (bed-days). Ot her
medical care, such as non-
hospit al t reat ment , medicines.
Permanent disabilit y (numbers,
age of pat ient ). Non-medical
(e.g. vocat ional) rehabilit at ion,
house conversions.
Act ual expendit ures on medical
t reat ment and rehabilit at ion.
Fat alit ies (numbers, age of
pat ient ).
Willingness t o pay or willingness t o
accept .
Qualit y of life Life expect ancy.
Healt hy life expect ancy.
Qualit y adj ust ed life years
(QALY). Disabilit y adj ust ed life
years (DALY).
Willingness t o pay or willingness t o
accept . Tot al amount of indemnit ies
and compensat ions.
Grief and suffering. For vict ims, but also for relat ives
and friends.
Willingness t o pay or willingness t o
accept . Tot al amount of indemnit ies
and compensat ions.
Present product ion losses. Lost earnings due t o sick leave,
absent eeism and disabilit y.
Tot al lost earning during period of
absence.
Loss of pot ent ial fut ure. Lost earnings during whole
period of permanent .
Sum of lost income during expect ed
disabilit y earnings and product ion
disabilit y period, in which bot h t he
income and t he period are
est imat ed on st at ist ical dat a.
Expenses t hat are not covered. Examples are cost s for
t ransport at ion, visit s t o hospit als,
et c.
Sum of all ot her expenses for a
vict im and by insurances or
compensat ions cost s arising from
fat alit ies such as funerals (t hat are
not compensat ed).
NO HEALTH-RELATED COSTS AND DAMAGES
Administ rat ion of sickness
absence, et c.
Tot al wages spent on t he act ivit y.
Damaged equipment (by
accident s).
Replacement cost s, market prices.
Lost product ion due t o
incapacit y of personnel and
product ion downt ime.
Market price of lost product ion.

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Some effect s of accident s can easily be expressed in money. However, effect s like fat alit ies, sick leave and
t urnover require some furt her elaborat ion. The out comes should support decision-making, but also t he
process of making such an assessment is import ant from t he learning point of view. Be aware t hat t he
out comes of economic analyses are much influenced by t he underlying assumpt ions and t he scope of t he
assessment . The cost fact ors and calculat ion principles should be adj ust ed according t o t he nat ional pract ice
of each count ry.

Table 3.08 – Overview of variables direct ly relat ed t o cost s of inj uries and illnesses at company level.

VARI ABLE DESCRI PTI ON MEASUREMENT
EFFECTS OF I NCI DENTS THAT CANNOT DI RECTLY BE EXPRESSED I N MONEY VALUE
Fat alit ies, deat hs. Number of fat alit ies. Sum of cost s of subsequent
act ivit ies, fines and payment s.
Absent eeism or sick leave. Amount of work t ime lost due t o
absent eeism.
Sum of cost s of act ivit ies t o deal
wit h effect s of lost work t ime, such
as replacement and lost product ion.
I ndirect effect is t hat sick leave
reduces flexibilit y or possibilit ies t o
deal wit h unexpect ed sit uat ions.
Personnel t urnover due t o
poor working environment ,
or early ret irement and
disabilit y.
Percent age or number of persons
(unwant ed) leaving t he company in
a period of t ime.
Sum of cost s of act ivit ies originat ed
by unwant ed t urnover, such as
replacement cost s, addit ional
t raining, product ivit y loss,
advert isement s, and recruit ment
procedures.
Early ret irement and
disabilit y.
Percent age or number of persons in a
period of t ime.
Sum of cost s of act ivit ies originat ed
by disabilit y or
early ret irement , fines, payment s t o
t he vict im.

I mprovement of safet y and healt h at work can bring economic benefit s for companies. Accident s and
occupat ional diseases can give rise t o heavy cost s t o t he company. For small companies part icularly,
occupat ional accident s can have a maj or financial impact . I nformat ion and percept ions about fut ure effect s
of decisions, preferably expressed in monet ary t erms, help employers in t he decision-making process. The
t rue value of economic appraisal is in influencing t he beliefs of decision-makers and policy makers. For
maximum effect iveness in t his respect , economic appraisal should be a j oint act ivit y of all st akeholders. An
effect ive way is t o make financial or economic est imat ions and give a realist ic overview of t he t ot al cost s of
accident s and t he benefit s of prevent ing t hese. Prevent ion of accident s has more benefit s t han j ust reducing
work accident s, occupat ional inj uries and diseases not only reduces t he cost s, but also cont ribut es t o
improving company performance.




Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Table 3.08 – Overview of variables direct ly relat ed t o cost s of inj uries and illnesses at company level
(cont inued).

VARI ABLE DESCRI PTI ON MEASUREMENT
EFFECTS OF I NCI DENTS, I NJURI ES AND DI SEASES THAT CAN READI LY BE EXPRESSED I N MONEY VALUE
Non-medical rehabilit at ion. Money spent by t he employer t o
facilit at e ret urning t o work
(counselling, t raining, workplace
adj ust ment s).
I nvoices.
Administ rat ion of sickness
absence, inj uries, et c.
(Managerial) act ivit ies t hat have t o be
performed by t he company relat ed t o
sick leave.
Tot al wages of t ime spent .
Damaged equipment . Damages or repair cost s of machines,
premises, mat erials or product s
associat ed wit h occupat ional inj uries.
Replacement cost s.
Ot her, non-healt h-relat ed
cost s (e.g. invest igat ions,
management t ime, ext ernal
cost s).
Time and money spent for inj ury
invest igat ion, workplace assessment s
(result ing from occurrence accident s
or illnesses).
Tot al wages of t ime spent .
Effect s on variable part s of
insurance premiums, high-
risk insurance premiums.
Changes in premiums due t o t he
incidence of insurance premiums, and
occupat ional illnesses.
I nvoices.
Liabilit ies, legal cost s,
penalt ies.
I nvoices, claims, cost s of
set t lement s; fines,
Penalt ies.
Ext ra wages, hazardous
dut y pay (if t he company
has a choice).
Ext ra spending on higher wages for
dangerous or inconvenient work.
Addit ional wages.
Lost product ion t ime,
services not delivered.
Product ion t ime lost as a
consequence of an event which
result s in inj ury (e.g. because it t akes
t ime t o replace machines, or
product ion has t o be st opped during
invest igat ion).
Tot al product ion value.
Opport unit y cost s. Orders lost or gained,
compet it iveness in specific market s.
Est imat ed product ion value,
represent ing lost income for t he
company.
Lack of ret urn on
invest ment .
Non-realised profit because of
accident cost s, i.e. expendit ure due
t o accident s and not invest ed in a
profit able act ivit y (like product ion,
st ock market or saving) generat ing
int erest s.
I nt erest s of t he expendit ure
amount , invest ed during x years,
wit h an int erest rat e of y %.


T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Table 3.09 – Yearly cost s relat ed t o safet y and healt h at work.

I SAFETY AND HEALTH MANAGEMENT DAYS SPENT
AVERAGE COST
PER DAY
AMOUNT
Ext ra work t ime (meet ings, coordinat ion)
÷ direct personnel
÷ management , specialist s
Ext ernal OSH services
Prot ect ive equipment
Subst it ut ion product s
I n-company act ivit ies, promot ion (posit ive value)
Tot al (OSH management cost s)
Subsidies and compensat ions
Net (safet y and healt h management cost s)
I I SAFETY AND HEALTH-RELATED COSTS
Work-relat ed absent eeism (workdays)
Excessive personnel t urnover due t o poor working condit ions
Administ rat ive overhead
Legal cost s, fines, indemnit ies
Damaged equipment and mat erials
I nvest igat ions
Effect on insurance premiums (posit ive value)
Tot al (OSH-relat ed cost s)
Compensat ions from insurance
Net (OSH-relat ed cost s)
I I I CONSEQUENCES OF ACCI DENTS TO COMPANY PERFORMANCE
Product ion effect s due t o OSH
÷ lost product ion (reduced out put )
÷ orders lost
Qualit y effect s direct ly relat ed t o OSH
÷ rework, repairs, rej ect ions
÷ warrant ies
Operat ional effect s
÷ more work (e.g. due t o safet y procedures)
I nt angible effect s (company image)
÷ at t ract iveness t o pot ent ial cust omers
÷ posit ion on t he labour market , at t ract iveness t o new personnel
÷ innovat ive capacit y of t he firm
Tot al (effect s on company performance)

Occupat ional safet y and healt h can affect company performance in many ways, for inst ance:
(1) Healt hy workers are more product ive and can produce at a higher qualit y;
(2) Less work-relat ed accident s and illnesses lead t o less sick leave. I n t urn t his result s in lower cost s and
less disrupt ion of t he product ion processes;
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(3) Equipment and a working environment t hat is opt imised t o t he needs of t he working process and t hat
are well maint ained lead t o higher product ivit y, bet t er qualit y and less healt h and safet y risks;
(4) Reduct ion of inj uries and illnesses means less damages and lower risks for liabilit ies.

The cost fact ors and calculat ion principles should be adj ust ed according t o t he nat ional pract ice of each
count ry. Table 3.09 offers guidance for an est imat ion of company spending on occupat ional safet y and
healt h. The t able gives an overview of t he most common cost fact ors. Bear in mind t hat t he cost factors are
rat her general. For specific sit uat ions some fact ors need not be relevant or some ot her may be added. For a
yearly summary, all cost s relat ed t o occupat ional accident s in a single year should be collect ed. Table 3.09
can be used also t o summarise t he cost s of a single accident , but t hen specify only t hose cost s t hat relat e t o
t hat specific accident .

Table 3.10 – Part 1: Summary of invest ment or init ial expendit ures.

CATEGORY COST I TEMS RELEVANCE COST ESTI MATE DESCRI PTI ON
Planning Consult ancy cost s
Engineering
I nt ernal act ivit ies

I nvest ment s Buildings, dwellings, foundat ions
Land propert y
Machines
Test equipment
Transport at ion equipment
Facilit ies, work environment
Workplaces

Removals Equipment
Transport at ion

Personnel Cost s of dismissal
Recruit ment
Training

Preliminary cost s Loss of qualit y
Addit ional wages (overt ime)
Mat erials
Addit ional operat ions
Organisat ional act ivit ies
Product ion losses, downt ime

I ncome Sales of redundant product ion equipment
Tot al

The inst rument for making a cost -benefit analysis consist s of t hree part s (see Table 3.10):
(1) Part 1 – Overview of cost s relat ed t o t he invest ment of int ervent ion. For each cost fact or t he relevance
t o t he sit uat ion can be checked. I f relevant an est imat ion of cost s can be made. Table 1 can be used for
hint s on how t o calculat e or est imat e cost s.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(2) Part 2 – Overview of pot ent ial benefit s, summary of annual benefit s or savings. Only benefit s t hat are
direct ly relat ed t o t he invest ment in quest ion have t o be summarised here. I n t his annual summary
yearly recurring ext ra cost s (e.g. for maint enance) are also account ed for.
(3) Part 3 – Cash flow t able, summary of expendit ures and income for a number of years.

Table 3.10 – Part 2: Summary of annual cost s, cost savings and addit ional income (cont inued).

CATEGORY COST I TEMS RELEVANCE COST ESTI MATE DESCRI PTI ON
Product ivit y

Number of product s
Product ion downt ime reduct ion
Less balance losses
Less st ocks
Ot her, t o be specified

Personnel cost s

OSH services
Savings due t o reduct ion in st affing
Temporary replacement personnel
Cost s of t urnover and recruit ment
Overhead reduct ion
Reduct ion of cost s relat ed t o sick
leave
Effect s on premiums
Ot her, t o be specified

Maint enance Cost changes
Propert y, facilit ies and
mat erial usage


Cost changes of use of propert y
Changes in mat erial usage
Energy, compressed air
Wast e and disposal cost s
Heat ing vent ilat ion
Light ing

Qualit y Changes in amount of rework
Product ion losses
Price changes due t o qualit y
problems

Tot al

By convent ion, all expendit ures have a negat ive sign, cost savings and addit ional income have a posit ive
sign. All invest ment s are assumed t o have t aken place at t he end of year 0. Spreadsheet soft ware (like
Microsoft Excel or Lot us 123) offers ample possibilit ies t o calculat e all kinds of financial indicat ors very
quickly. As calculat ion of discount ed indicat ors requires a lot of arit hmet ic, spreadsheet s are ext remely
useful for t his t ask.





Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Table 3.10 – Part 3: Cash flow t able (cont inued).

YEAR
GENERAL CATEGORY
0 1 2 3 4 5
Planning
I nvest ment s
Removal
Personnel
Preliminary cost s
I ncident al income
Product ivit y
Personnel
Maint enance
Use of propert y, facilit ies and mat erials
Qualit y cost s
Tot al
Cumulat ive cash flow


Lost I ncome Cost
I n most privat e ent erprises, cash reserves are held t o t he minimum necessary for short -t erm operat ions.
Remaining capit al or surplus is invest ed in varying kinds of income-producing securit ies. I f cash t hat might
ot herwise be so invest ed must be used t o procure permanent replacement s or t emporary subst it ut es or t o
pay consequent cost s, t he income t hat might have been earned must be considered part of t he loss. I f
income from invest ment is not relevant t o a given case, t hen alt ernat ive uses of t he cash might have t o be
abandoned t o meet t he emergency needs. I n eit her case, t he use of t he money for loss replacement will
represent an addit ional cost margin. To measure t ot al loss impact accurat ely, t his also must be included. The
following formula can be used t o det ermine t he lost income cost ,

365
t r C
I
a
c
· ·
= [ 3.09]

where I
c
is t he income earned, C
a
is t he principal amount (in monet ary t erms) available for invest ment , r is
t he annual per cent rat e of ret urn, and t is t he t ime (in days) during which t he principal amount is available
for invest ment .

A Cost-of-Loss Formula
Taking t he worst -case posit ion and analyzing each safet y loss risk in light of t he probable maximum loss for
a single occurrence of t he risk event , t he following equat ion can be used t o st at e t hat cost ,

( ) | |
¯
=
÷ + + + =
n
1 i
s I R T P c
I C C C C K [ 3.10]

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
where K
c
is t he crit icalit y or t ot al cost of loss, C
P
is t he cost of permanent replacement , C
T
is t he cost of
t emporary subst it ut e, C
R
is t he t ot al relat ed cost s, C
I
is t he lost income cost , and I
s
is t he available insurance
prot ect ion or indemnit y.

Disability I njury Rate
The disabling inj ury rat e (DI R) is calculat ed by dividing t he number of disabling inj ury claims (N
DI
) by t he
person-year est imat es (PY), and mult iplying t he result by 100. The disabling inj ury rat e represent s t he
probabilit y or risk of a disabling inj ury or disease t o a worker during a period of one-year of work. The
disabling inj ury rat e is similar t o t he LTC rat e alt hough it covers a broader range of inj uries, including t hose
t hat are less severe in nat ure (do not require t ime away from work). The rat e represent s t he number of
claims per 100 person-years and includes claims made for bot h lost -t ime and modified-work.

100
PY
N
DI R
DI
· = [ 3.11]

Duration Rate
The durat ion rat e (DR) is calculat ed by dividing t he number of workdays lost (disabilit y days, D
d
) by t he
person-year est imat e (PY), and mult iplying by 100. The result is expressed as days lost per 100 person-
years, and indicat es, in part , t he economic impact of occupat ional inj ury and disease. Durat ion rat es are not
recommended as reliable indicat ors of full economic cost . I n addit ion, readers are warned t hat duration rat es
are highly unst able when based on only a few lost -t ime claims; it is recommended t hat t he durat ion rat e not
be calculat ed based upon fewer t han 30 lost -t ime claims.

100
PY
D
DR
d
· = [ 3.12]

Fatality Rate
The fat alit y rat e (FR) is calculat ed by dividing t he number of accept ed fat alit ies (N
F
) by t he person-years
est imat e (PY) and mult iplying t he result by one million. The result is expressed as fat alit ies per million
person-years. Fat alit ies t hat are found under t he j urisdict ion of t he Government of Canada are excluded
before t he calculat ion of t he fat alit y rat e.

000 , 000 , 1
PY
N
FR
F
· = [ 3.13]


S SA AF FE ET TY Y L LE EV VE EL L
The safet y level concept is t he abilit y of an safet y syst em t o cont rol and t reat every kind of pot ent ial risks
result ing from a hazard or event . The safet y level coefficient (o) is t he measure of t he safet y level and can
be det ermined by t he following expression,

¯
=
· = o
n
1 i
i
a
N
1
[ 3.14]

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
where N is t he t ot al number of safet y measures and safet y issues support ed by t he safet y syst em, n is t he
number of t he safet y measures and safet y issues evaluat ed for a specific hazard or event (n s N), and a
i
is
t he t he given value for each safet y measures and safet y issues evaluat ed (scaled from 0 t o 1). The possible
set of of safet y measures and safet y issues t o be included in one safet y syst em is list ed as follows:
(1) Process Safet y Management (PSM).
(2) Hazard and Operabilit y Analysis (HAZOP).
(3) Process Hazard Analysis (PHA).
(4) I nspect ions, reviews and surveys.
(5) Surveillance and securit y.
(6) Safet y management syst em cert ified.
(7) Periodical int ernal and ext ernal audit s.
(8) I nt ernal safet y brigades.
(9) Ext ernal safet y brigades.
(10) Emergency t eams and emergency brigades.
(11) Emergency plans and cont ingency plans.
(12) Fire brigades.
(13) Medical and healt hcare support .
(14) Supervising safet y management t eam.
(15) Global prot ect ive equipment .
(16) Personal prot ect ive equipment .
(17) Regulat ory compliance.
(18) Safet y policy.
(19) Dat a records and informat ion of act ivit ies.
(20) Training programs.

The evaluat ion of each safet y it em from t he list ed set obey t o a quot at ion scale from 0 t o 1, being 0 t he
absence or not applicat ion of t he safet y it em and 1 t he complet e compliance of t he safet y it em or it s
advanced development in comparison wit h t he indust ry sect or.


R RI I S SK K E ES ST TI I M MA AT TI I O ON N A AN ND D R RI I S SK K T TR RE EA AT TM ME EN NT T
Risk is measured in t erms of a combinat ion of t he exposure t o an adverse out come (hazard), t he likelihood
t hat a hazard will give rise t o an adverse out come, t he seriousness (consequences or loss crit icalit y) of t hat
adverse out come, and t he safet y level. Mat hemat ically, risk est imat e for an inst ant of t ime is given by t he
Equat ion [ 1.03] ,

o
· ·
=
o
K L E
R
, i
[ 1.03]

To reduce ambiguit y of t erminology used in qualit at ive risk assessment s t he Regulat or will apply a set of
dist inct descript ors t o t he likelihood assessment , exposure assessment , consequence assessment , safet y
level assessment , and t he est imat ion of risk. The definit ions are int ended t o cover t he ent ire range of
possible licence applicat ions and should be regarded as relat ive. For inst ance, t he consequences of a risk
relat ing t o human healt h will be very different t o t he consequences of a risk t o t he environment . They are
relat ively simple in order t o cover t he range of different fact ors (severit y, space, t ime, cumulat ive,
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
reversibilit y) t hat may cont ribut e t o t he significance of adverse out comes. The individual descript ion can be
incorporat ed int o a Risk Est imat e Mat rix (see Table 3.11). Risk assessment grid (mat rix) has t he form of a
t able, wit h lines represent ing classes of severit y (loss crit icalit y) and columns represent ing classes of
probabilit y (likelihood) and exposure; in Table 3.11 we consider a safet y level coefficent (o) equal t o 1, i.e.
t he risk equilibrium st at e. The grid is inst rument al for t he effect ive expression of t he risks t hat exist in t he
syst em under examinat ion, in t he form of t he t riplet severit y-frequency-exposure of occurrence. Risks and
safet y levels scale, drawn up st art ing from t he risk assessment grid, is an inst rument t hat is used for t he
assessment of t he ant icipat ed risk level, respect ively safet y level. The aim of t he Risk Est imat e Mat rix (Table
3.11) is t o provide a guide t o t hinking about t he relat ionship bet ween t he exposure, consequences and t he
likelihood of part icular hazards. Likelihood (probabilit y), exposure, severit y of consequence (loss crit icalit y)
and safet y level assessment s are combined t o give a risk est imat e (Equat ion [ 1.03] ). The risk mat rix is
designed t o be used as a t ool in arriving at t he risk est imat e hierarchy. I t is not a prescript ive solut ion for
deciding on t he appropriat e risk est imat e for any given adverse out come. For example, an adverse out come
such as increased pat hogenicit y due t o gene exchange may vary widely in severit y from event t o event .
Neit her should it be used t o set predet ermined management condit ions for a part icular risk level. Rat her it
should be used t o inform t he risk evaluat ion process.

Table 3.11 – Risk est imat e mat rix assessment for a safet y level coeficient (o) equal t o 1.

SEVERITY OR LOSS CRITICALITY COEFFICCIENT (K)

1 2 3 4 5 6 7 8 9 10

1 1 2 3 4 5 6 7 8 9 10 1
2 4 8 12 16 20 24 28 32 36 40 2
3 9 18 27 36 45 54 63 72 81 90 3
4 16 32 48 64 80 96 112 128 144 160 4
5 25 50 75 100 125 150 175 200 225 250 5
6 36 72 108 144 180 216 252 288 324 360 6
7 49 98 147 196 245 294 343 392 441 490 7
8 64 128 192 256 320 384 448 512 576 640 8
9 81 162 243 324 405 486 567 648 729 810 9
E
X
P
O
S
U
R
E

C
O
E
F
F
I
C
I
E
N
T

(
E
)

10 100 200 300 400 500 600 700 800 900 1000 10
P
R
O
B
A
B
I
L
I
T
Y

O
R

L
I
K
E
L
I
H
O
O
D

C
O
E
F
F
I
C
I
E
N
T

(
L
)


Risk mat rices are oft en asymmet rical because not all risks have t he same mat hemat ical relat ionship bet ween
exposure, likelihood, consequence, and safet y level. I n addit ion, t here may be ot her fact ors t hat influence
t he relat ionship such as sensit ive subpopulat ions, a range of responses or a dist ribut ion of t he frequency of
t he impact . The descript ors nominat ed above for exposure, likelihood, consequence, safet y level, and t he
risk est imat e should be applied for all licence and non-licence applicat ions. The descript ors for t he risk
est imat e are designed t o relat e specifically t o risk assessment applied in t he cont ext of a proposed dealing
wit h a hazard. These descript ors may not necessarily have t he same meaning in a compliance cont ext where
est ablishing an appropriat e response t o noncompliance is required. Comparisons bet ween licence
applicat ions are only possible in t he broadest sense even for t he same cat egories of hazard. For example,
t he int roduct ion of a gene t hat expresses a t herapeut ic agent in an elit e variet y of pot at o known t o be st erile
could be considered a lower risk compared wit h t he int roduct ion of t he same gene int o a part ially
out crossing plant such as whit e lupin, because of t he decreased pot ent ial for spread and persist ence of t he
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
int roduced gene. Direct comparison wit h risks from ot her subst ant ively different genet ic modified organisms
such as a genet ic modified virus may not be inst ruct ive. I t is import ant t o not e t hat uncert aint y about eit her
or bot h of t hese component s will affect t he risk est imat e. The risk est imat e for an individual hazard, group of
hazards or risk scenarios is used in considering t he st rat egies t hat may be required in order t o manage t hose
risks.

Risk Treatment
The nat ure and size of t he ent erprise or proj ect det ermines t he limit s of each of t he aforesaid paramet ers
and t he risk est imat e rat ings. The value of t he rat ing syst em is in it s t ot al relevance t o t he ent erprise. The
t erms are not int ended t o have any absolut e significance. Having at disposal t he four scales – for t he
quot at ion of t he exposure, probabilit y (likelihood), severit y (loss crit icalit y) of consequences, and safet y level
of t he act ion of risk fact ors – we may associat e t o each risk fact or in a syst em a quadriplet of charact erist ic
element s, exposure-severit y-probabilit y-safet y level, combined in t he Equat ion [ 1.03] , t hus set t ing down a
risk level for each quadriplet . For t he at t ribut ion of risk and safet y levels we used t he risk accept abilit y curve.
Because severit y is a more import ant element , from t he point of view of t he finalit y concerning t arget
prot ect ion, as assumpt ion it was admit t ed t hat t he influence of severit y on t he risk level is much great er
t han t he ot her element s (i.e. frequency or likelihood, and exposure). I t is suggest ed t hat t he following risk
est imat e cat egories be used t o summarize t he impact of risk, and int erpret ed as follows in Table 3.12.

Table 3.12 – Risk level est imat or and risk-based cont rol plan.

RI SK ESTI MATE LEVEL RI SK LEVEL ACTI ON AND TI MESCALE
0 < R < 10 Trivial No act ion is required and no document ary records used t o be kept .
10 < R < 100 Tolerable
No addit ional cont rols required. Considerat ion may be given t o a more
cost -effect ive solut ion or improvement t hat imposes no addit ional cost
burden. Monit oring is required t o ensure t hat t he cont rols are
maint ained.
100 < R < 200 Moderat e
Effort s should be made t o reduce risk, but t he cost s of prevent ion
should be carefully measured and limit ed. Risk reduct ion measures
should be implement ed wit hin a defined t ime period. Where t he
moderat e risk is associat ed wit h ext remely harmful consequences,
furt her assessment may be necessary t o est ablish more precisely t he
likelihood of harm and exposure as a basis for det ermining t he need
for improved cont rol measures.
200 < R < 1,000 Subst ancial
Work should not be st art ed unt il t he risk has been reduced.
Considerable resources may have t o be allocat ed t o reduce t he risk.
Where t he risk involves work in progress, urgent act ion should be
t aken.
R > 1,000 I nt olerable
Work should not be st art ed or cont inued unt il t he risk has been
reduced. I f it is not possible t o reduce risk even wit h unlimit ed
resources, work has t o remain prohibit ed.

Therefore, in correspondence wit h t he seven classes of severit y have been set down seven risk levels, in
ascending order, respect ively seven safet y levels, given t he inverse proport ional relat ion bet ween t he t wo
st at es (risk and safet y):
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(1) R1 (minimal risk level)  S1 (maximal safet y level);
(2) R2 (very low risk level)  S2 (very high safet y level);
(3) R3 (low risk level)  S3 (high safet y level);
(4) R4 (medium risk level)  S4 (medium safet y level);
(5) R5 (high risk level)  S5 (low safet y level);
(6) R6 (very high risk level)  S6 (very low safet y level);
(7) R7 (maximal risk level)  S5 (minimal safet y level).

The hierarchy of risk cont rols can be summarized int o five cat egories:
(1) Eliminat ion of risk – I t is a permanent solut ion and should be at t empt ed in t he first inst ance;
(2) Subst it ut ion of risk – I nvolves replacing t he hazard or any environment al aspect by one of lower risk;
(3) Engineering cont rols – I nvolve physical barriers or st ruct ural changes t o t he environment or process;
(4) Administ rat ive cont rols – Reduce hazard by alt ering procedures and providing inst ruct ions;
Personal prot ect ive equipment – This is t he last resource or t emporary cont rol.

Residual risk for every hazard in a syst em may be accept able. This means t hat risk for each hazard is under
accept able cont rol – operat ion or act ivit y may proceed. Given sufficient opport unit y for several mishaps t o
occur, one or t wo or t hree or more will do so! As t ime passes, even if probabilit ies are low, inevit ably
somet hing(s) will go wrong, event ually. Risks for mult iple, independent hazards add. Aft er we measures and
est imat e individual risks (R
i,o
) using risk st at ic equat ion (Equat ion [ 1.03] ) or t he risk dynamic equat ion, we
can assess for a given process or act ivit y t he global risk est imat e (R),

( ) | |
{ }
¯ ¯ ¯
= =
· o ÷
o
=
o
· = |
.
|

\
|
o
· ·
= =
n
1 i
n
1 i
t 1 0
, i
n
1 i
, i
e R
K L E
R R [ 3.15]

and t he average global risk est imat e ( R ),

G , i
R
n
1
R · = [ 3.16]

where n is t he number (or frequency) of t he individual risks.













Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K M MA A N N A A G GE EM ME EN N T T

The risk assessment component of risk analysis may be viewed as providing t he answers t o a set of
quest ions:
(1) “ What might happen?” and “ How might it happen?” – hazard ident ificat ion and risk charact erisat ion;
(2) “ How likely is it t o happen?” and “ What harm will occur if it happens?” – risk est imat ion.

The risk management component of risk analysis builds on t he work of t he risk assessment and may be
described as answering t he quest ions:
(1) Does anyt hing need t o be done about it ?;
(2) What can be done about it ?;
(3) What should be done about it ?

The risk assessment provides t he est imat e of t he risks, including t he likelihood of occurrence, exposure t o
t he hazard and out come, t he absolut e or relat ive magnit ude of t he harm t hat could result , t he safet y level,
and as well as t he degree of uncert aint y t hat applies t o t heir likelihood, exposure, consequences, and safet y
level. The risk management component of risk analysis involves ident ifying t hose risks t hat require
management , t he range of opt ions t hat could effect ively t reat t he risks, deciding on t he act ions t hat will
provide t he required level of management , and implement ing t he select ed measures. The conclusions of t he
risk assessment may already include indicat ions of risks t hat require management , especially if t he
magnit ude of t he consequences is great . Risks wit h est imat es of very high or above, high or moderat e would
generally invoke a requirement for management . The risk assessment may also provide a st art ing point for
select ion of risk t reat ment measures in t hat it is aimed at underst anding risks, and t herefore it may provide
insight s int o t he available mecahisms t o manage risks and t he relat ive merit s of t hose mechanisms.
The considerat ion of whet her part icular risks require management will be informed by review of t he
conclusions of t he risk assessment , considerat ion of t he risks per se in t he cont ext of management , or as a
result of consult at ion wit h st akeholders. While t here is overlap and int eract ion bet ween risk assessment and
risk management , it is import ant t o recognise t hem as separat e and qualit at ively different processes. This
concept ual separat ion ensures t he int egrit y and obj ect ivit y of t he risk assessment , which is t he scient ific
process of invest igat ing phenomena using t he body of evidence t o est imat e t he level of risk and t aking
account of any uncert aint y associat ed wit h t hat assessment . Risk management , while based on t he risk
assessment , necessarily deals wit h prudent ial j udgement s about which risks require management , and t he
select ion and applicat ion of t reat ment measures t o cont rol risks. This separat ion also cont ribut es t o t he
int ellect ual rigour and t ransparency of t he whole risk analysis process. I n pract ice t here is a feedback
bet ween risk assessment and risk management – t he t wo component s are int imat ely relat ed and oft en
it erat ive. Risk management ult imat ely includes t he decision on whet her t o proceed wit h an act ivit y, and in
t he case of risk analysis undert aken by t he Regulat or’s represent at ive, whet her or not a licence should be
issued for t he proposed dealings wit h hazards.






T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

St rat egic
Obj ect ives
Audit ing
Risk Assessment
Risk Report ing
Risk Treat ment
Risk Decision
Residual Risk
Report ing
Monit oring
Risk
Analysis
Risk
Evaluat ion
Threat s and
Opport unit ies

Figure 4.01 – General risk management procedure.


R RI I S SK K M MA AN NA AG GE EM ME EN NT T A AN ND D U UN NC CE ER RT TA AI I N NT TY Y
The risk assessment process will ident ify uncert aint y wit h respect t o t he exposure, likelihood, consequence,
and safet y level of risks. Any proposed risk t reat ment measures should t ake account of t his uncert aint y. The
Regulat or adopt s a caut ious approach t hat encompasses t he credible boundaries of uncert aint y based on t he
best available evidence in:
(1) Det ermining t he necessary level of risk management ;
(2) Assessing t he effect iveness of available risk t reat ment opt ions;
(3) The select ion of t he most appropriat e measures t o t reat risk.



Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
T TH HE E R RI I S SK K M MA AN NA AG GE EM ME EN NT T P PL LA AN N
The risk management is based on t he risk assessment and in part icular, t he risk est imat es derived from t hat
process. The risk management plan provides part of t he basis for t he Regulat or t o make a decision on
whet her t o issue a licence by providing an answer t o t he quest ion: “ Can t he risks posed by a proposed
dealing be managed in such as way as t o prot ect t he healt h and safet y of people and t he environment ?” .
The preparat ion of a risk management plan may be informed by considering a number of general quest ions,
including:
(1) Which risks require management ?;
(2) How many t reat ment measures are available? – t here may be many approaches t o achieve t he same
obj ect ive and some measures may not be compat ible wit h ot hers;
(3) How effect ive are t he measures? – t his quest ion may be informed by t he risk assessment ;
(4) How feasible or pract ical are t he measures?;
(5) Do t he measures t hemselves int roduce new risks or exacerbat e exist ing ones? – a t reat ment measure t o
address one risk may int roduce a new one. For example applying a t ourniquet can reduce t he amount
venom from a snake bit e t hat ent ers t he bloodst ream, but it can also lead t o damage t o t he limb
because of reduced blood flow;
(6) Which t reat ment measure(s) provide t he opt imum and desired level of management for t he proposed
dealing?.

The safet y regulat ions require t he Regulat or t o consider t he short and t he long-t erm when assessing risks
and t his approach is also adopt ed in devising and implement ing risk management condit ions.


R RI I S SK K E EV VA AL LU UA AT TI I O ON N
Risk evaluat ion is t he process of deciding which risks require management . As out lined previously elsewhere
in t his document (see Table 3.12), risks est imat ed as “ Very High” or above, and “ Moderat e” will generally
require specific management . Risks assessed as “ Low” may require management , and t his would be decided
on a case by case basis. I n such cases t he nat ure of t he hazard, t he nat ure of t he risk, especially t he
consequences, as well as t he degree of uncert aint y relat ing t o eit her likelihood, exposure, consequences or
safet y level, will be import ant considerat ions. I f t here is uncert aint y about risks (e.g. in early st age research)
t his may influence t he management measures t hat are select ed. Risks t hat have been assessed as negligible
are considered, on t he basis of present knowledge, not t o pose a sufficient t hreat t o human healt h and
safet y or ot her t arget (e.g. environment , business int errupt ion, product or equipment ) t o warrant t he
imposit ion of management condit ions. Generally speaking, t he Safet y Law does not cont ain specific crit eria,
but it does ident ify what may be considered t he ext remit y of harm: imminent risk of deat h, serious inj ury,
serious illness, or serious damage t o t he environment or ot her t arget . Given t he pot ent ial variet y of hazards
it is not possible t o develop a “ one size fit s all” set of crit eria and t herefore a case by case approach should
be t aken. Fact ors t hat may affect t he det erminat ion of t he relat ive significance of a risk include the severit y
of t he consequences, t he size of t he group exposed t o t he risk, whet her t he consequences are reversible,
t he safet y level, and t he dist ribut ion of t he risk (e.g. demographically, t emporally and geographically). I t is
also import ant t o recognise t hat t here are a number of ot her fact ors t hat may influence t he percept ion of
t he risk which are part icularly pert inent t o hazards and hazard cat egories, including whet her t he risk is
volunt ary or involunt ary, familiar or unfamiliar and t he degree of personal exposure.



T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K P PR RO OT TE EC CT TI I O ON N
I n line wit h t he overarching obj ect ive of prot ect ion, t he Regulat or priorit ises prevent at ive over ameliorat ive
or curat ive risk t reat ment measures, i.e. t he risk t reat ment measures will be focussed on prevent ing t he risk
being realised rat her t han on measures t o repair or reduce t he harm t hat would result . The risk assessment
includes a considerat ion of t he causal pat hway(s) necessary for any given risk t o be realised. This
underst anding of how t he hazard might be t ranslat ed int o harm and t he nat ure of t he harm provides
valuable informat ion for ident ifying risk t reat ment opt ions. For example, a knowledge of t he causal pat hway
enables t he ident ificat ion of weak links in t he chain where t reat ment may be most easily and effect ively
applied. Logic t ree analyses such as diagrammat ic Fault and Event Trees are examples of formal, syst emat ic
t ools t hat are used in hazard ident ificat ion and can also be applied t o risk t reat ment . While t he focus of risk
management will be on t reat ment measures t o prevent risks being realised, at t ent ion will also be paid t o t he
import ant quest ions of what can be done if a part icular risk is realised and what act ions would need t o be
undert aken t o reduce, reverse or repair damage or harm. Where possible management condit ions for
dealings t hat involve moderat e or high risk est imat es were being considered, it would be import ant t o
est ablish whet her harm or damage t hat might result could be reversed, and t hat not only prevent at ive
measures but also curat ive or ameliorat ive act ions be ident ified. For example, if a genet ic modified organism
produced a prot ein t oxic t o humans it would be import ant t o est ablish if a medical t reat ment exist ed t o t reat
t he t oxicit y. Such remedial measures should be included in cont ingency or emergency plans. The
requirement for licence holders t o have cont ingency plans is a st andard licence condit ion. Redundancy in risk
t reat ment opt ions, for example by est ablishing measures which break more t han one point in a causal
pat hway, will increase t he effect iveness of risk management . I t is import ant t o not e t hat in such cases t he
failure of a single risk t reat ment measure will not necessarily result in an adverse out come being realised.


R RI I S SK K T TR RE EA AT TM ME EN NT T
Once t he risks t hat require management have been ident ified, t hen opt ions t o reduce, mit igat e or avoid risk
must be considered. Opt ions t o reduce exposure t o t he hazard or it s product s, and limit opport unit ies for t he
spread and persist ence of t he hazard, it s progeny or t he int roduced hazardous mat erials must be
considered. Ot her measures could include specifying physical cont rols (e.g. fences and barriers), isolat ion
dist ances, monit oring zones, pollen t raps, post release cleanup and specific monit oring requirement s. I t is
import ant t o not e t hat t he background exposure t o t he int roduced hazard or hazardous mat erial or it s
product informs t he considerat ion of t he risks t hat require t reat ment . Where exposure occurs nat urally, t he
significance of exposure t o t he hazard may be reduced. The range of suit able cont ainment and isolat ion
measures will depend on t he nat ure of t he:
(1) Hazard and t arget s;
(2) The charact erist ics of t he hazard;
(3) The abilit y t o ident ify and det ect t he hazard and hazard mat erials;
(4) Proposed dealings;
(5) Environment al condit ions at t he sit e of environment al releases;
(6) Normal product ion and management pract ices;
(7) Cont rols proposed by t he applicant .

Once measures have been ident ified t hey must be evaluat ed t o ensure t hat t hey will be effect ive and
sufficient over t ime and space. That is, t hey will be feasible t o implement , able t o operat e in pract ice, will
meet current ly accept ed requirement s for best pract ice (e.g. Good Agricult ural Pract ice, Good Laborat ory
Pract ice), will manage t he risks t o t he level required and can be monit ored. The t ype of measures will be
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
commensurat e wit h t he risks ident ified. These measures may be eit her prevent at ive or curat ive or
ameliorat ive, i.e. eit her t he measures will seek t o t reat risk by put t ing in place measures t hat will prevent ,
wit h some degree of cert aint y, a hazard being realised, or on t he ot her hand where a hazard may be
realised and harm ensue, but t he measures proposed will redress t hat harm or reduce it . Following such an
increment al pat hway cont ribut es t o overall risk management because it enables a caut ious and syst emat ic
approach t o minimising uncert aint y. The Regulat or may impose condit ions on small scale, early st age field
t rial releases t hat limit t he dealings in space and t ime (i.e. only at a specified locat ion and in a specified
t imeframe) in order t o address any uncert aint y regarding eit her t he exposure, likelihood, consequence or
safet y level considered in t he risk est imat e. Typically t hese condit ions include measures t o limit t he
disseminat ion or persist ence of t he hazard or it s hazardous mat erial. Such releases are described by t he
Regulat or as limit ed and cont rolled. Hence, t he Regulat or should est ablish an risk hierarchy based on t he
following risk definit ions:
(1) Ext remely High Risk – Loss of abilit y t o accomplish t he mission if t hreat s occur during mission. A
frequent or likely probabilit y of cat ast rophic loss or frequent probabilit y of crit ical loss exist s.
(2) High Risk – Significant degradat ion of mission capabilit ies in t erms of t he required mission st andard,
inabilit y t o accomplish all part s of t he mission, or inabilit y t o complet e t he mission t o st andard if t hreat s
occur during t he mission. Occasional t o seldom probabilit y of cat ast rophic loss exist s. A likely t o
occasional probabilit y exist s of a crit ical loss occurring. Frequent probabilit y of marginal losses exist s.
(3) Moderat e Risk – Expect ed degraded mission capabilit ies in t erms of t he required mission st andard will
have a reduced mission capabilit y if t hreat s occur during mission. An unlikely probabilit y of cat ast rophic
loss exist s. The probabilit y of a crit ical loss is seldom. Marginal losses occur wit h a likely or occasional
probabilit y. A frequent probabilit y of negligible losses exist s.
(4) Low Risk – Expect ed losses have lit t le or no impact on accomplishing t he mission. The probabilit y of
crit ical loss is unlikely, while t hat of marginal loss is seldom or unlikely. The probabilit y of a negligible
loss is likely or less.

The scale of any release is a key fact or in set t ing t he cont ext for t he risk analysis, and for risk management
in part icular, because limit ing t he scale effect ively reduces t he exposure t o pot ent ial adverse consequences.
The most appropriat e opt ions available t o manage t he risk are select ed. I t is possible t o envisage a number
of opt ions t hat may provide different levels of management of a specific risk. Equally, one management
st rat egy may cont rol a number of risks. The Regulat or must be sat isfied t hat t he risks would be managed by
t he proposed opt ions before a licence can be issued. This may include opt ions t hat manage t he risks most
comprehensively and ones t hat are j udged t o provide a sufficient level of management . Any ident ified
uncert aint y in aspect s of t he risk assessment or risk t reat ment measures must be addressed in det ermining
t he appropriat e risk management . Uncert aint y in risk est imat es may be due t o insufficient or conflict ing dat a
regarding t he exposure, likelihood or severit y of pot ent ial adverse out comes. Uncert aint y can also arise from
a lack of experience wit h t he hazard it self. Risk t reat ment measures would be devised t o t ake account of
such uncert aint y, for example, t he size of a reproduct ive isolat ion dist ance for a genet ic modified plant
would be based on t he overall dist ribut ion of pollen, not j ust on t he median dist ance pollen might travel.
Typically t he pat hway for int ent ional release involves a st aged approach t hat st art s in cert ified cont ained
facilit ies and proceeds t hrough st rict ly cont ained, small scale field t rials before larger scale, reduced
cont ainment or commercial release. This enables informat ion t o be collect ed about t he hazard at each st age
of t his st ep-by-st ep process in order t o reduce uncert aint y in risk assessment s, and confirm t he efficacy of
cont ainment measures. The result s of t his research may result in changes t o licence condit ions t o bet t er
manage risk and will inform fut ure evaluat ions of t he same or similar hazards. Result s of such research
might provide t he basis for t he diminut ion in t he scale of risk t reat ment measures necessary t o manage a
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
part icular risk. I n some inst ances ot her agencies will have t he legislat ive mandat e for t he cont rol of risks
from hazards t hat t he Regulat or has also ident ified as requiring management . I n t hese cases t he Regulat or
liaises closely wit h t hat agency t o ensure t hat t he risks are managed sat isfact orily.


M MO ON NI I T TO OR RI I N NG G F FO OR R C CO OM MP PL LI I A AN NC CE E
Monit oring plays a vit al role in ensuring t hat risks t o human healt h and safet y or t he environment posed by
hazards are managed. The Safet y Law gives t he Regulat or ext ensive monit oring power. Where risks
requiring management have been ident ified and t reat ment measures have been imposed by t he legislat ion,
in licence condit ions, or in guidelines, monit oring is import ant t o verify t hat t hose t reat ment measures or
obligat ions are being applied so t hat risks are, in fact , managed. Monit oring is not only undert aken by t he
Regulat or and represent at ives, but also by licence holders, accredit ed organisat ions, t o ensure t hat licence
condit ions and ot her requirement s are implement ed and are effect ive. The licence holder is required t o
provide regular report s t o t he Regulat or and t o report any changes in circumst ances and any unint ended
effect s, new risks or cont ravent ion of condit ions. Specific monit oring and compliance act ivit ies undert aken
direct ly t o risk management include:
(1) Rout ine Monit oring of limit ed and cont rolled environment al releases and cert ified facilit ies, including spot
(unannounced) checks;
(2) Profiling of dealings t o assist st rat egic planning of monit oring act ivit ies (e.g. conduct ing inspections);
(3) Educat ion and awareness act ivit ies t o enhance compliance and risk management planning of licence
holders and organisat ions;
(4) Audit s and Pract ice Reviews in response t o findings of rout ine monit oring;
(5) I ncident reviews in response t o self report ed non-compliance;
(6) I nvest igat ions in response t o allegat ions of non-compliance wit h condit ions or breach of t he legislat ion.

I n t he case of monit oring of limit ed and cont rolled releases of hazards t o t he environment , t he focus of
effort , by bot h t he licence holder, is t o ensure t hat t he dealings are in fact limit ed, including ext ensive post -
release monit oring unt il t he Regulat or is sat isfied t hat hazards have effect ively been removed from t he
release sit e. Where, as a result of monit oring act ivit ies, changes in t he risks associat ed wit h t he dealing are
ident ified, t he Regulat or has a number of opt ions, including direct ive or punit ive measures. The opt ions
adopt ed by t he Regulat or will depend on t he nat ure of t he change in t he risk profile t hat has been ident ified.

Q QU UA AL LI I T TY Y C CO ON NT TR RO OL L A AN ND D R RE EV VI I E EW W
I n addit ion t o t he various risk management processes described above, at t ent ion t o qualit y cont rol and
qualit y assurance by t he Regulat or and official represent at ives in t he conduct of all aspect s of risk analysis
cont ribut es t o achieving t he management of risks posed t o human healt h and safet y and ot her t arget s by
hazards. Qualit y cont rol operat es at administ rat ive, bureaucrat ic and legislat ive levels in t he risk analysis
process under t he safet y regulat ions. There are a number of feedback mechanisms t o maint ain t he
effect iveness and efficiency of risk assessment and risk management , and which consider t he concerns of all
int erest ed and affect ed st akeholders. These comprise bot h int ernal and ext ernal mechanisms. I nt ernal
processes of qualit y cont rol and review include:
(1) St andard operat ing procedures for specific administ rat ive processes;
(2) I nt ernal peer review of risk assessment and risk management programs;
(3) Merit based select ion processes for risk assessment st aff;
(4) Conflict of int erest declarat ions and procedures for Regulat or’s risk assessment st aff and expert
commit t ee members.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

Ext ernal processes of qualit y cont rol and review include:
(1) Expert scrut iny of applicat ions and risk assessment and risk management programs;
(2) Ext ernal scrut iny and review t hrough t he ext ensive consult at ion processes wit h Government agencies
and t he Environment Minist er, St at e government s, relevant councils, int erest ed part ies and t he public;
(3) Ext ernal, independent select ion of t he Regulat or and advisory Commit t ee members, and Minist erial
Council agreement on t hese appoint ment s;
(4) Review by administ rat ive appeals mechanisms.

A crit ical aspect of t his overall qualit y assurance is t hat t he Regulat or and official agencies (or
represent at ives) maint ain t he expert ise and capacit y t o undert ake t he risk analysis of hazards. This is
achieved t hrough t he qualificat ions and skills of st aff, remaining up t o dat e on development s in gene
t echnology and relevant scient ific disciplines by reference t o t he scient ific lit erat ure, and monit oring
det erminat ions, experience and policy development s of agencies regulat ing hazards in ot her count ries. This
qualit y assurance cont ribut es t o ident ifying sit uat ions where t reat ment measures are not adequat ely
managing t he risks, eit her as a result of non-compliance or because of changed circumst ances and
unexpect ed or unint ended effect s; and facilit at es an ongoing review of t he conclusions of risk assessment
and of t he risk t reat ment opt ions. I dent ifying changed circumst ances enables a reassessment of t he risks
posed by t he dealings and t he t reat ment measures in t he light of experience, and for risk management t o be
modified where necessary. Such review act ivit ies may also provide import ant informat ion for t he risk
assessment of subsequent licence applicat ions for t he same or relat ed hazards. Qualit y cont rol forms an
int egral part of all processes and procedures used by t he Regulat or and official represent at ives t o ensure
prot ect ion of human healt h and ot her t arget s (e.g. environment , business int errupt ion, product and
equipment ) according t o t he Safet y Law and int ernat ional regulat ions. Some t ypes of cont rols at disposal of
t he ent erprises and Regulat or are as follows:
(1) Engineering cont rols – These cont rols use engineering met hods t o reduce risks, such as developing new
t echnologies or design feat ures, select ing bet t er mat erials, ident ifying suit able subst it ut e mat erials or
equipment , or adapt ing new t echnologies t o exist ing syst ems. Examples of engineering cont rols t hat
have been employed in t he past include development of aircraft t echnology, int egrat ing global
posit ioning syst em dat a, and development of night vision devices.
(2) Administ rat ive cont rols – These cont rols involve administ rat ive act ions, such as est ablishing writ t en
policies, programs, inst ruct ions, and safet y operat ional procedures (SOP), or limit ing t he exposure t o a
t hreat eit her by reducing t he number of personnel and asset s or lengt h of t ime t hey are exposed.
(3) Educat ional cont rols – These cont rols are based on t he knowledge and skills of t he unit s and individuals.
Effect ive cont rol is implement ed t hrough individual and collect ive t raining t hat ensures performance t o
st andard.
(4) Physical cont rols – These cont rols may t ake t he form of barriers and guards or signs t o warn individuals
and unit s t hat a t hreat exist s. Use of personal prot ect ive equipment , fences around high power high
frequency ant ennas, and special cont roller or oversight personnel responsible for locat ing specific t hreat s
fall int o t his cat egory.
(5) Operat ional cont rols – These cont rols involve operat ional act ions such as pace of operat ions, operat ional
area cont rols (areas of operat ions and boundaries, direct fire cont rol measures, fire support coordinat ing
measures), rules of engagement , operat ional cont rol measures, exercises and rehearsals.



T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Table 4.01 – Examples of risk cont rol opt ions.

TYPE OF CONTROL DESCRI PTI ON OF CONTROL OPTI ONS
Limit energy (small amount of explosives, reduce speeds).
Subst it ut e safer form (use air power, precision guided munit ions).
Prevent release (cont ainment , double or t riple cont ainment ).
Separat e (barriers, dist ance, boundaries).
Engineering Cont rol
Provide special maint enance of cont rols (special procedures, environment al
filt ers).
Core Tasks (especially crit ical t asks define crit ical minimum abilit ies, t rain).
Leader t asks (define essent ial leader t asks and st andards, t rain).
Emergency cont ingency t asks (define, assign, t rain, verify abilit y).
Rehearsals (validat e processes, validat e skills, verify int erfaces).
Educat ional Cont rol
Briefings (refresher warnings, demonst rat e t hreat s, refresh t raining).
Ment al crit eria (essent ial skills and proficiency).
Emot ional crit eria (essent ial st abilit y and mat urit y).
Physical crit eria (essent ial st rengt h, mot or skills, endurance, size).
Experience (demonst rat ed performance abilit ies).
Number of people or it ems (only expose essent ial personnel and it ems).
Emergency medical care (medical facilit ies, personnel, medical evacuat ion).
Personnel (replace inj ured personnel, reinforce unit s, reallocat e).
Administ rat ive Cont rol
Facilit ies and equipment (rest ore key element s t o service).
Barrier (bet ween revet ment s, walls, dist ance, ammunit ion st orage facilit y).
On human or obj ect (personal prot ect ive equipment , energy absorbing mat erials).
Raise t hreshold (acclimat izat ion, reinforcement , physical condit ioning).
Time (minimize exposure and number of it erat ions and rehearsals).
Signs and color coding (warning signs, inst ruct ion signs, t raffic signs).
Physical Cont rol
Audio and visual (ident ificat ion of friendly forces, chemical and biological at t ack
warning).
Sequence of event s (put t ough t asks first before fat igue, do not schedule several
t ough t asks in a row).
Timing (allow sufficient t ime t o perform, pract ice, and t ime bet ween t asks).
Simplify t asks (provide j ob aids, reduce st eps, provide t ools).
Reduce t ask loads (set weight limit s, spread t ask among many)
Backout opt ions (est ablish point s where process reversal is possible when t hreat
is det ect ed).
Cont ingency capabilit ies (combat search and rescue, rescue equipment , helicopt er
rescue, t act ical combat force).
Emergency damage cont rol procedures (emergency responses for ant icipat ed
cont ingencies, coordinat ing agencies).
Backups and redundant capabilit ies (alt ernat e ways t o cont inue t he mission if
primaries are lost ).
Operat ional Cont rol
Mission capabilit ies (rest ore abilit y t o perform t he mission).

A cont rol should avoid or reduce t he risk of a pot ent ial t hreat by accomplishing one or more of t he following:
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(1) Avoiding t he risk – This oft en requires canceling or delaying t he t ask, mission, or operat ion and is,
t herefore, an opt ion rarely exercised because of mission import ance. However, it may be possible t o
avoid specific risks such risks associat ed wit h a night operat ion may be avoided by planning t he
operat ion for dayt ime; t hunderst orm or nat ural risks can be avoided by changing t he geographical
locat ion.
(2) Delay a t ask – I f t here is no t ime deadline or ot her operat ional benefit t o speedy accomplishment of a
t ask, it may be possible t o reduce t he risk by delaying t he t ask. Over t ime, t he sit uat ion may change and
t he risk may be eliminat ed, or addit ional risk cont rol opt ions may become available (resources become
available, new t echnology becomes available, et c.) reducing t he overall risk. For example, a mission can
be post poned unt il more favorable weat her reduces t he risk.
(3) Transferring t he risk – Risk may be reduced by t ransferring a mission, or some port ion of t hat mission,
t o anot her unit or plat form t hat have less risk. Transference decreases t he probabilit y or severit y of t he
risk t o t he act ivit y. For example, t he decision t o fly an unmanned aerial vehicle int o a high-risk
environment inst ead of risking a manned aircraft is risk t ransference.
(4) Assigning redundant capabilit ies – To ensure t he success of crit ical operat ions t o compensat e for
pot ent ial losses assign safet y syst ems wit h redundant capabilit ies. This increases t he probabilit y of
operat ional success but it is cost ly.


D DE ET TE ER RM MI I N NE E R RE ES SI I D DU UA AL L R RI I S SK K
Once t he leader develops and accept s cont rols, he or she det ermines t he residual risk associat ed with each
pot ent ial t hreat and t he overall residual risk for t he t arget . Residual risk is t he risk remaining aft er cont rols
have been ident ified, select ed, and implement ed for t he pot ent ial t hreat . As cont rols for t hreat s are
ident ified and select ed, t he t hreat s are reassessed, and t he level of risk is revised. This process is repeat ed
unt il t he level of residual risk is accept able t o t he safet y manager or cannot be furt her reduced. Overall
residual risk of a t arget must be det ermined when more t han one pot ent ial hazard is ident ified. The residual
risk for each of t hese t hreat s may have a different level, depending on t he assessed exposure, probabilit y,
severit y and safet y level of t he hazardous incident . Overall residual risk should be det ermined based on t he
hazard having t he great est residual risk. Det ermining overall risk by averaging t he risks of all individual is
not valid. I f one hazard has high residual risk, t he overall residual risk of t he hazard is high, no mat t er how
many moderat e or low risks are present . The Risk Assessment Mat rix (see Table 3.11) combines severit y
(loss crit icalit y) coefficient , exposure coefficient and probabilit y (likelihood) coefficient est imat es for a
specific safet y level coefficient t o form a risk assessment for each hazard. Use t he Risk Assessment Mat rix t o
evaluat e t he accept abilit y of a risk, and t he level at which t he decision on accept abilit y will be made. The
mat rix may also be used t o priorit ize resources, t o resolve risks, or t o st andardize pot ent ial t hreat
not ificat ion or response act ions. Severit y, probabilit y, exposure, safet y level and risk assessment should be
recorded t o serve as a record of t he analysis for fut ure use.








T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RI I S SK K C CO OM MM MU UN N I I C CA A T T I I O ON N

There is wide recognit ion t hat communicat ion plays an int egral and import ant part in t he process of risk
analysis. Risk communicat ion is t he int eract ive process of exchange of informat ion and opinion bet ween
individuals, groups and inst it ut ions concerned wit h risk. These exchanges may not be relat ed exclusively t o
risk but may also express concerns, opinions or react ions t o risk messages or t o legal or inst it ut ional
arrangement s for risk management . The aim of risk communicat ion is t o promot e a clear underst anding of
all aspect s of risk and t he part icular posit ions of int erest ed part ies. Specifically, it aims t o provide informat ion
about risk t o help people make up t heir own minds, t o minimise conflict s, t o improve underst anding of
percept ions and posit ions wit h regard t o risk, and t o achieve equit able out comes. I t is t o provide all part ies
wit h a bet t er underst anding of t he issues, it is not t o change basic values and beliefs. This chapt er briefly
discusses t he way risk is perceived, describes t he present communicat ion processes bet ween st akeholders
and t he Regulat or as mandat ed by t he Safet y Law, and set s out a communicat ion chart er t o demonst rat e
t he commit ment of t he Regulat or t o communicat e effect ively wit h st akeholders.


R RI I S SK K P PE ER RC CE EP PT TI I O ON N
Public percept ions of t he risks associat ed wit h hazards range across a wide spect rum of posit ions and
include et hical concerns such as meddling wit h nat ure and social issues, such as claims t hat mult inat ional
corporat ions might seek t o achieve market dominance by cont rolling access t o t he t echnology. Different
societ al organisat ions and individuals perceive risk in different ways and may have different at t it udes t o risk.
Percept ion of risk can be influenced by mat erial fact ors (gender, age, educat ion, income, personal
circumst ances), psychological considerat ions (early experiences, personal beliefs, at t it udes t o nat ure,
religious beliefs) and cult ural mat t ers such as et hnic background. Across a spect rum of risk, at t it udes can be
broadly cat egorised as risk averse, risk neut ral or risk t aking and will be dependent on t he specific risk
involved. Generally t he percept ion of risk by individuals is dependent on a large number of fact ors including
knowledge of t he risk, it s impact on t hat individual, t he pot ent ial for long t erm consequences, t he pot ent ial
for widespread effect s, t he ext ent t he individual can influence t he risk and possible benefit s (if any) t hat
might accrue t o individuals, groups or societ y as a whole. I f t he risk arises as part of a familiar sit uat ion
where fact ors increasing or decreasing t he risk are well known and met hods t o cont rol or reduce t he risk are
readily available, t he risk will probably not be perceived as a t hreat . I f t he risk is unknown, t here is pot ent ial
for long t erm impact over a wide area and t he individual feels powerless in t he sit uat ion, t he risk is likely t o
be perceived as high. The availabilit y of informat ion, t he knowledge t hat concerns will be heard and t he
opport unit y for involvement in decisions are t herefore, all likely t o increase t he accept ance of risk.
There has been considerable research by social scient ist s int o t he way risks are est imat ed and perceived by
different members of t he communit y. Oft en t echnical expert s and scient ist s have very different percept ions
and est imat ions of risks t han ot her people. Alt hough it is accept ed t hat expert s may arrive at a bet t er
quant it at ive assessment of risks where t hey have specialist knowledge, t he way t hey est imat e risks out side
t heir area of expert ise is no different t o t hat of ot her members of t he communit y and can be influenced by
subj ect ive values. Risk percept ion is fundament al t o an individual’s accept ance of risk. For inst ance, t here is
a level of risk associat ed wit h car t ravel but many people cont inue t o drive t o work each day and it is an
accept ed form of t ransport . Commercial air t ravel is also accept ed as a form of t ransport but many people
may perceive it as more risky t han car t ravel alt hough t he probabilit y of deat h is act ually higher wit h car
t ravel. These percept ions arise due t o great er familiarit y wit h cars, great er individual cont rol in operat ing a
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
car and a great er chance t hat any one car accident is less likely t o be fat al t han for any one airline accident .
Therefore, t he percept ion and assessment of risk by an individual is a complex const ruct ion involving a
number of fact ors t hat are weighed and balanced t o achieve a final posit ion. Hist orically a number of
approaches have been employed in endeavouring t o gain communit y underst anding and accept ance of
cert ain risks t hat government or business believe are required for economic prosperit y, cont ribut e to societ y
as a whole or are wort hwhile in some way even t hough some risk may be involved. An underst anding of t he
import ance of risk communicat ion has evolved in parallel wit h t hese at t empt s and has been elegant ly
encapsulat ed. I t is not enough j ust t o present t he fact s, or j ust t o communicat e and explain t he fact s, or t o
demonst rat e t hat similar risks have been accept ed in t he past , or t o bring st akeholders on board; but t hat all
were required for effect ive risk communicat ion. All t hese t hings are import ant and lead t o t he conclusion
t hat st akeholders’ views should be t reat ed wit h respect as t hey provide a valid and required input int o risk
assessment and risk management . The Regulat or recognises and accept s t hat t here are a wide range of
views on gene t echnology across t he communit y and believes t hat all st akeholders have legit imat e posit ions.
I n t erms of risk communicat ion, key out comes of t he consult at ions which are given effect in t he nat ional and
int ernat ional regulat ions are t he est ablishment of Commit t ees t o advise t he Regulat or (scient ific, communit y
and et hics) and public consult at ion during t he assessment of licence applicat ions. The Safet y Law t herefore
provides a direct mechanism for t wo-way int eract ion bet ween a government decision maker, t he Regulat or,
and st akeholders.




























T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
U UN N C CE ER RT T A A I I N N T T Y Y

Uncert aint y and risk analysis is not new. However, as a t ool in business it has hist orically been of limit ed
use. This is surprising considering t hat many business decisions are based on a figure t hat has been
calculat ed from analysis of some kind. A number on it s own is only half t he pict ure. To fully underst and t he
result it is necessary t o have an est imat e of t he uncert aint y relat ed t o t hat figure. Management will need t o
consider carefully t heir at t it ude t o risk before making a decision about whet her t o accept eit her or bot h of
t he proj ect s. I t is frequent ly t he case in proj ect appraisals t hat large amount s of effort go int o generat ing
t he expect ed value, but very lit t le t ime is spent underst anding t he uncert aint y around t hat value. This
document gives an overview of how t o carry out uncert aint y and risk analysis. I n general, t he word
uncert aint y means t hat a number of different values can exist for a quant it y, and risk means t he possibilit y
of loss or gain as a result of uncert aint ies. We have t ended t o use bot h t erms int erchangeably in t his
document , and indeed t his is common pract ice by most pract it ioners. However, it is import ant t o underst and
t he difference, as in some sit uat ions it may be necessary t o apply t he absolut ely correct t erm t o avoid
ambiguit y. One useful t axonomy for uncert aint y dist inguishes at least five t ypes of uncert aint y t hat can be
applied t o risk analysis of hazards. These include:
(1) Epist emic – Uncert aint y of knowledge, it s acquisit ion and validat ion. Examples of epist emic uncert aint y
include incomplet e knowledge, limit ed sample size, measurement error (syst emat ic or random),
sampling error, ambiguous or cont est ed dat a, unreliable dat a (e.g. mislabelled, misclassified,
unrepresent at ive or uncert ain dat a), use of surrogat e dat a (e.g. ext rapolat ion from animal models t o
humans), ignorance of ignorance t hat gives rise t o unexpect ed findings or surprise. Consequent ly,
epist emic uncert aint y is a maj or component of uncert aint y in risk assessment s.
(2) Descript ive – Uncert aint y of descript ions t hat may be in t he form of words (linguist ic uncert aint y),
models, figures, pict ures or symbols (such as t hose used in formal logic, geomet ry and mat hemat ics).
The principal forms of descript ive uncert aint y include vagueness, ambiguit y, underspecificit y, cont ext ual
and undecidabilit y. Qualit at ive risk assessment s can be part icularly suscept ible t o linguist ic uncert aint y.
For example t he word “ low” may be ambiguously applied t o likelihood of harm, magnit ude of a harmful
out come and t o t he overall est imat e of risk. Furt hermore, t he word “ low” may be poorly defined bot h in
meaning (vagueness) and coverage (underspecificit y). cognit ive (including bias, percept ion and sensory
uncert aint y)
(3) Cognit ive – Cognit ive uncert aint y can t ake several forms, including bias, variabilit y in risk percept ion,
uncert aint y due t o limit at ions of our senses (cont ribut ing t o measurement error) and as unreliability.
Cognit ive unreliabilit y can be viewed as guesswork, speculat ion, wishful t hinking, arbit rariness, debat e,
or changeabilit y.
(4) Ent ropic (complexit y) – Uncert aint y t hat is associat ed wit h t he complex nat ure of dynamic syst ems t hat
exist far from t hermodynamic equilibrium, such as a cell, an organism, t he ecosyst em, an organisat ion or
physical syst ems (e.g. t he weat her). Uncert aint y due t o complexit y arises when dealing wit h a syst em in
which t he out come is dependent on t wo or more processes t hat are t o some degree independent .
Complexit y is t ypically coupled t o incomplet e knowledge (epist emic uncert aint y) where t here is an
inabilit y t o est ablish t he complet e causal pat hway. Therefore, addit ional knowledge of t he syst em can
reduce t he degree of uncert aint y. However, complex syst ems are charact erised by non-linear dynamics
t hat may display sensit ive dependence on init ial condit ions. Consequent ly, a det erminist ic syst em can
have unpredict able out comes because t he init ial condit ions cannot be perfect ly specified. Complexit y is
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
list ed as one of t he four cent ral challenges in formulat ing t he European Union (EU) approach t o
precaut ionary risk regulat ion.
(5) I nt rinsic – Uncert aint y t hat expresses t he inherent randomness, variabilit y or indet erminacy of a t hing,
qualit y or process. Randomness can arise from spat ial variat ion, t emporal fluct uat ions, manufact uring
variat ion, genet ic difference or gene expression fluct uat ions. Variabilit y arises from t he observed or
predict ed variat ion of responses t o an ident ical st imulus among t he individual t arget s wit hin a relevant
populat ion such as humans, animals, plant s, micro-organisms, landscapes, et c. I ndet erminacy result s
from a genuine st ochast ic relat ionship bet ween cause and effect (s), apparent ly noncausal or noncyclical
random event s, or badly underst ood nonlinear, chaot ic relat ionships. A crit ical feat ure of int rinsic
uncert aint y is t hat it cannot be reduced by more effort such as more dat a or more accurat e dat a.

I n risk management , safet y fact ors and ot her prot ect ive measures are used t o cover t his t ype of uncert aint y.
All five t ypes of uncert aint y may be encount ered in a risk analysis cont ext . To encompass t his broader
applicat ion, uncert aint y can be defined as “ imperfect abilit y t o assign a charact er st at e t o a t hing or process;
a form or source of doubt ” . Where:
(1) “ I mperfect ” refers t o qualit ies such as incomplet e, inaccurat e, imprecise, inexact , insufficient , error,
vague, ambiguous, under-specified, changeable, cont radict ory or inconsist ent ;
(2) “ Abilit y” refers t o capacit ies such as knowledge, descript ion or underst anding;
(3) “ Assign” refers t o at t ribut es such as t rut hfulness or correct ness;
(4) “ Charact er st at e” may include propert ies such as t ime, number, occurrences, dimensions, scale, location,
magnit ude, qualit y, nat ure, or causalit y;
(5) “ Thing” may include a person, obj ect , propert y or syst em;
(6) “ Process” may include operat ions such as assessment , calculat ion, est imat ion, evaluat ion, j udgement , or
decision.

As t he safet y engineering t radit ion is less developed t han some ot her engineering disciplines, t here are no
met hods available which will reveal whet her cert ain design st rat egies are sufficient ly safe. I n a sit uat ion in
which t he overall safet y depends on, for example, j ust one fire hazard reducing syst em and no sensit ivit y
analysis is performed, t here will be an uncert aint y as t o whet her t he regulat ions are fulfilled or not . Trading,
for example, mult iple escape rout es for an aut omat ic fire alarm wit hout examining t he consequences in
det ail is evidence of t his lack of engineering t radit ion. There is a current t endency t o use many t echnical
syst ems wit hout t horough analysis of t he consequences. I t should, however, be st at ed t hat t his was also
common when prescript ive regulat ions were in force. I t is t herefore not legit imat e t o t ake t he current safet y
engineering pract ice as an argument for discarding t he performance-based regulat ions. Such regulat ions are
vit al for t he rat ional development of building t radit ion, but t his development must be guided in order t o be
efficient . I n addit ion t o t he guidelines, it must be possible t o quant ify t he required obj ect ives in t he
regulat ion.
Safet y can be ensured eit her by comparing t he proposed design wit h accept ed solut ions, or wit h t olerable
levels of risk, or by using design values in t he calculat ions which are based on a specified level of risk. The
first met hod, using accept ed solut ions, is more or less equivalent t o t he prescript ive regulat ion met hod. I t
has normally very lit t le t o do wit h opt imising a solut ion for a specified risk level. The ot her t wo met hods are
based on specified levels of risk. I n t he design process, t he proposed design can be evaluat ed by applying
risk analysis met hods. This can also be done aft er t he building has been complet ed, t o check it s fire safet y.
To be able t o make full use of t he advant ages of performance-based regulat ions, t he design should be
based on risk analysis met hods. One such met hod is called t he St andard Quant it at ive Risk Analysis (SQRA)
met hod. As many variables are associat ed wit h uncert aint y, t he risk analysis should be complement ed by an
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
uncert aint y analysis. Applying uncert aint y analysis t o t he St andard Quant it at ive Risk Analysis met hod will
lead t o t he Ext ended Quant it at ive Risk Analysis (EQRA) met hod. Bot h met hods can be used in t he risk
management process described earlier. The St andard Quant it at ive Risk Analysis met hod has been applied t o
general safet y problems and t o fire safet y problems but on a very limit ed scale only. The Ext ended
Quant it at ive Risk Analysis met hod has, however, never been applied t o fire safet y problems. The St andard
Quant it at ive Risk Analysis has, however, ext ensively been applied t o ot her engineering fields such as for
hazard analysis in chemical process plant s. As bot h Quant it at ive Risk Analysis met hods can be rat her
complex t o use, a more simple met hod using design values in det erminist ic equat ions would be preferable
for safet y design purposes. These design values, based on quant ified risk, should not be confused wit h
values est imat ed based on experience. The lat t er values are t he ones used t oday, as design values based on
risk do not yet exist in t he area of safet y engineering (including fire safet y engineering). I n ot her fields of
engineering, e.g. in st ruct ural engineering, design values based on risk have been developed and are now in
use (Thoft -Christ ensen et al., 1982). The Ext ended Quant it at ive Risk Analysis (EQRA) met hod explicit ly
considers t he inherent uncert aint y as it is part of t he procedure. The St andard Quant it at ive Risk Analysis
(SQRA) met hod does not t ake variable uncert aint y int o account . The St andard Quant it at ive Risk Analysis
met hod should be complement ed by a sensit ivit y or uncert aint y analysis. Anot her aim of t his work is t o
int roduce a met hod t hrough which so-called design values can be obt ained. This met hod is linked t o an
uncert aint y analysis met hod, t he analyt ical First Order Second Moment (FOSM) met hod and is used t o derive
design values assuming a specified risk level.


Q QU UA AL LI I T TA AT TI I V VE E A AN ND D Q QU UA AN NT TI I T TA AT TI I V VE E M ME ET TH HO OD DS S
Qualit at ive met hods are used t o ident ify t he most hazardous event s. The event s are not ranked according t o
degree of hazard. For t he chemical process indust ry, met hods have been developed such as Hazard and
Operabilit y Analysis (HAZOP), What -if and different check-list s (CPQRA, 1989). Qualit at ive met hods may be
used as screening met hods in t he preliminary risk analysis. Semi-quant it at ive met hods are used t o
det ermine t he relat ive hazards associat ed wit h unwant ed event s. The met hods are normally called index
met hods, point scheme met hods, numerical grading, et c., where t he hazards are ranked according t o a
scoring syst em. Bot h frequency and consequences can be considered, and different design st rat egies can be
compared by comparing t he result ing scores. Various point scheme met hods have been developed for fire
safet y analysis, for example, t he Gret ener syst em (BVD, 1980), and t he NFPA 101M Fire Safet y Evaluat ion
Syst em (Nelson et al., 1980 and NFPA 101M, 1987). The Gret ener syst em has been developed by an
insurance company and is mainly int ended for propert y prot ect ion. I t has, however, been widely used and is
rat her ext ensive in t erms of describing t he risk. The maj or drawback of point scheme met hods is t hat t hey
cont ain old dat a. New t echnologies are included rat her slowly. I nfluences on t he met hods from t he aut hors
background and from, for example, building t radit ions, are also unavoidable. The Nat ional Fire Prot ect ion
Assot iat ion (NFPA) met hod favours Nort h American building t radit ions and may not be applicable in Europe.
On t he ot her hand t he simplicit y of t he met hods is an advant age. Usually, only basic skills are required. A
review of different risk ranking met hods for fire safet y is present ed by Wat t s (1995). Anot her semi-
quant it at ive met hod which is used in t his area focuses on risk classificat ion (SRV, 1989). The hazards are
j udged in t erms of t he frequency and expect ed consequences. The frequency and consequences are
select ed from a list consist ing of five levels. By combining t he frequency class and consequence class, a
measure of risk is obt ained. This measure can be used t o compare hazards. This analysis is usually
performed on t he societ al level and is not applicable t o a single building or indust ry. Ot her indust ry specific
index met hods are available, for example, for t he chemical process indust ry (CPQRA, 1989). Typical index
met hods are t he Equivalent Social Cost I ndex and Fat al Accident Rat e (ESCI ). The Equivalent Social Cost
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
I ndex (ESCI ) is an alt ernat ive expression of t he average societ al risk. The difference compared wit h t he
usual form of average societ al risk is t hat a risk aversion fact or (p) is included. Usually risk aversion fact or is
chosen t o a value higher t han 1.0 t o consider t he unwillingness for a large number of fat alit ies as t he
relat ionship t hen becomes non-linear. The Equivalent Social Cost I ndex (ESCI ) can be expressed as,

¯
=
· =
n
1 i
p
i i
N p ESCI [ 5.01]

Suit able values for t he risk aversion fact or (p) have been suggest ed t o be bet ween 1.2 and 2 (Covello et al.,
1993). N
i
is t he number of fat alit ies per year in subscenario (i). The Equivalent Social Cost I ndex is a pure
index for comparison of engineering measures. The relat ion t o monet ary unit s is not meaningful as t he risk
aversion fact or (p) is more or less based on j udgement wit hout any connect ion t o t olerable risk levels. The
Fat al Accident Rat e (FAR) is used in worker accident assessment . Fat al Accident Rat e expresses t he number
of deat hs per 108 hours (approximat ely 1,000 worker lifet imes). I t is a measure t hat combines risk
cont ribut ions from many sources. I t is closely linked t o an average individual risk measure used in t he
chemical process indust ry. The final level of analysis is t he most ext ensive in t erms of quant ifying t he risk. I t
is also t he most labour int ense. On t his level, a dist inct ion can be made bet ween a det erminist ic analysis and
a probabilist ic analysis. The det erminist ic analysis focuses on describing t he hazards in t erms of t he
consequences. No considerat ion is t aken of t he frequency of t he occurrence. A t ypical example is t he
det erminat ion of t he worst case scenario expressed as a risk dist ance. The det erminist ic approach has been
used in est imat ing design equivalency for evacuat ion safet y by Shields et al. (1992). The probabilist ic
approach det ermines t he quant ified risk based on bot h frequency and consequences. The Quant it at ive Risk
Analysis (QRA) met hod uses informat ion regarding t he quest ions:
(1) What can go wrong?
(2) How oft en will it happen?
(3) What are t he consequences if it happens?

This approach has been used in fire spread calculat ions in buildings and on ships (Fit zgerald, 1985). One of
t he more ext ensive fire risk programmes was developed in t he Unit ed St at es of America during t he 1990s
(Bukowski et al., 1990). The met hodology is used t o derive t he expect ed number of fat alit ies per year in
buildings. The main obj ect ive was t o st udy t he influence on t he risk of different t ypes of building
const ruct ion mat erials. A quant it at ive probabilist ic met hod has also been used t o evaluat e risk in healt h care
facilit ies in t he Unit ed Kingdom (Chart ers, 1996). I t is, however, one of t he first at t empt s t o quant ify t he risk
t o pat ient s and st aff in a hospit al. The probabilist ic approach has also been adopt ed in t he proposed
int ernat ional st andard for fire safet y engineering as a procedure for ident ifying fire scenarios for design
purposes (I SO/ CD 13388). For sit uat ions in which t he risk management process is used at t he design st age,
t he Aust ralian Fire Engineering Guide (FEG, 1996), proposes a rat ional st ruct ure of quant it at ive met hods.
Different levels are t o be used depending on t he relat ive benefit s which are possible t o obt ain. Three levels
of quant it at ive analysis are ident ified:
(1) Component and subsyst em equivalence evaluat ion;
(2) Syst em performance evaluat ion;
(3) Syst em risk evaluat ion.

The first level is basically used for comparat ive st udies t o evaluat e equivalency bet ween different design
alt ernat ives on t he component level. Different alarm syst ems can be compared and evaluat ed in t erms of
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
equivalency wit h respect t o a prescribed st andard. The second level considers t he relat ion bet ween t wo or
more subsyst ems. The difference bet ween t he design alt ernat ives is higher t han in t he first level. Evaluat ion
aspect s may include fire growt h, smoke development and occupant evacuat ion. The last level can be seen as
a St andard Quant it at ive Risk Analysis where t he whole building design is considered and measures of risk
are derived.

S SO OU UR RC CE ES S O OF F F FA AI I L LU UR RE E
I n many engineering sit uat ions, most variables used in t he analysis will be associat ed wit h uncert aint y. I n
performing a Quant it at ive Risk Analysis (QRA) it is import ant t o ident ify how t hese uncert aint ies affect t he
result . Therefore, an uncert aint y analysis should complement t he risk analysis. This is, however, seldom t he
case. I t is believed, t hat t he biggest benefit of uncert aint y analysis would be t o illuminat e t he fact t hat
uncert aint ies exist . Variat ion in variable out come, due t o random variabilit y, can result eit her from st ochast ic
uncert aint y or from knowledge uncert aint y. When a risk analysis is t o be performed, one must ask t he
quest ions: “ What can go wrong?", "How likely is it ?" and "What are t he consequences?” . This is one of t he
most fundament al st eps in t he process and result s in a list of possible out comes, some of which result in
people not being able t o evacuat e safely, i.e. t he syst em fails. Looking at t he list of failures, it is possible t o
dist inguish a pat t ern of similarit ies among t he sources of failure. At least t wo t ypes of failure can be
ident ified: failure due t o gross error and failure due t o random variabilit y. For example, when examining t he
evacuat ion from a building, which has t aken place, it is probably rat her easy t o ident ify t he reason why t he
occupant s were not able t o escape safely. But when performing a risk analysis for a fut ure event , or
execut ing an engineering design, sources of failure in t he first cat egory are very difficult t o ident ify. This is
because of t he nat ure of gross errors. They originat e from errors during t he design process or from t he risk
analysis procedures. The division bet ween t he t wo t ypes of failure is made because t he met hods wit h which
t he t wo t ypes of failure are handled are different . There are many ot her ways t o cat egorise different sources
failure, many of which are specific t o a specific area of engineering (Blockley, 1980). The cat egorisat ion of
failures int o t hose caused by gross error and t hose caused by random variabilit y is only one example, but a
rat ional one. Types of failure can be dist inguished by for example t he nat ure of t he error, t he t ype of failure
associat ed wit h t he error, t he consequences of t he failure arising from t he error, t hose responsible for
causing or for not det ect ing t he error, et c.

Gross Errors
Gross error can be defined as fundament al errors which, in some aspect of t he process of planning, design,
analysis, const ruct ion, use or maint enance of t he premises, have t he pot ent ial t o cause failure (Thoft -
Christ ensen et al., 1982). A risk analysis or a design can be performed on condit ion t hat t he models and
basic background informat ion are correct and t hat procedures for design, analysis, maint enance, and so on,
are carried out according t o relevant st at e-of-t he-art st andards. I f t his is not t he case, changes must made.
Eit her ot her st andards or cont rol measures must be used or t he concept ual model must be changed. A
t ypical example of a gross error in fire engineering is neglect ing t o maint ain vit al funct ions such as t he
emergency light ing syst em or alarm syst em. When maint enance is neglect ed, t he reliabilit y of such syst ems
can deviat e from t hat which is specified. Anot her example of gross errors is when changes are made on t he
const ruct ion sit e which are not examined or approved in t he design phase of a proj ect . Changing t o different
product s which might seem harmless t o t he builder can lead t o significant safet y problems when t he specific
prot ect ion product is needed in a real hazardous sit uat ion.



Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Human Error
Many gross errors originat e from human errors. Underlying causes may be, for example, lack of experience,
educat ion or formal qualificat ion. But such errors can also occur due t o incompet ence and negligence.
During evacuat ion, many act ions are t aken by people which aft erwards, may seem irrat ional or inefficient .
The behaviour of people under t he psychological st ress can result in act ions which may not be t he most
rat ional. Act ions such as invest igat ing t he unknown fire cue, alert ing ot hers and helping ot hers are common.
Even act ions such as ignoring t he t hreat have also been observed in fire invest igat ions. Some of t hese
act ions can be considered irrat ional and will not bring t he person int o a safer posit ion. These may be called
human errors. However, t his t ype of human error should not be considered gross errors as it is part of t he
random uncert aint y in people's react ion and behaviour. React ion and behaviour, is one of t he variables in
t he st at e funct ion describing t he evacuat ion process. I t must , however, be not ed t hat all human act ions,
described by t he response and behaviour variable, will sooner or lat er lead t o t he decision t o evacuat e. This
will also be t he case for individuals ignoring t he t hreat , but t hey may realise t his t oo lat e t o be able t o
escape safely. The choice of alt ernat ive design solut ions may be able t o help also such people. An overview
of t he area of human error has been present ed by Reason (1990), who also present s some rat ional
measures t o minimise t he influence of gross error.

Random Variability
The ot her t ype of failure is caused by t he inevit able randomness in nat ure. This randomness result s in a
variabilit y of t he variables describing t he syst em which might cause an error. Variables describing t he syst em
are not always known t o a degree making it possible t o assign t he variable t o a const ant . Uncert aint y is
always present in t he variables and t his is one of t he reasons why risk analysis is performed. Failure occurs
when t he variable values are unfavourable for t he syst em. I f, for example, t he fire growt h in a room is
ext remely rapid and at t he same t ime t he occupant load is also very high, t his may lead t o t he result t hat
not all t he people in t he room can escape. The fire might result in a posit ive out come, i.e. no fat alit ies, if t he
occupant load was not t hat high, but t he combined effect of t he rapid growt h and t he high number of
occupant s, result s in t he accident . The event can be seen as a random combinat ion due t o unfort unat e
circumst ances. These failures are accept able as long as t heir probabilit ies are independent and below t hat
which is t olerable. The import ant mat t er is t hat uncert aint ies in t he variables describing t he syst em can, for
some combinat ions, cause t he syst em t o fail. The uncert aint y due t o random variabilit y can be furt her
divided int o t he subclasses st ochast ic variabilit y and knowledge uncert aint y. Variables which are subj ect t o
uncert aint y are usually described by probabilit y dist ribut ions, and randomness can assign a value t o t he
variable which might be very high or very low, i.e. an unfavourable value. These values can occur due t o
circumst ances which are unlikely t o happen, but st ill which are possible. A very high fire growt h rat e can
occur in a building, even if it might be unlikely. By using probabilit y dist ribut ions, very unlikely event s can
also be considered.

Uncertainty Caused by Randomness
There are at least t wo t ypes of uncert aint y which must be dist inguished as t hey originat e from different
condit ions. St ochast ic uncert aint y or variabilit y is t he inevit able variat ion inherent in a process which is
caused by t he randomness in nat ure. This t ype of uncert aint y can be reduced by exhaust ive st udies and by
st rat ifying t he variable int o more nearly homogeneous subpopulat ions. Knowledge uncert aint y represent s
t he variat ion due t o a lack of knowledge of t he process. This t ype of uncert aint y can be reduced by furt her
analysis of t he problem and experiment s, but it st ill originat es from randomness. Bot h t ypes of uncert aint y
are described by t he same measure, i.e. t he probabilit y dist ribut ion of t he variable. But , t hey are ot herwise
fundament ally different as t hey describe different phenomena. Normally, in uncert aint y analysis, st ochast ic
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
and knowledge uncert aint ies are t reat ed wit hout dist inct ion, bot h cont ribut ing t o t he overall uncert aint y.
There are, however, sit uat ions where t here is an int erest in separat ing st ochast ic uncert aint y from
knowledge uncert aint y. By doing t his, it is possible t o see t he influence of t he t wo t ypes on t he overall
uncert aint y, t o det ermine which arearequires furt her knowledge. I n model validat ion, it is also pract icable t o
separat e variabilit yfrom knowledge uncert aint y. The lat t er is t hen in t he form of model uncert aint y. One of
t he first at t empt s at using t he approach of st ochast ic and knowledge uncert aint ies in an assessment in t he
area of safet y engineering was present ed by Magnusson et al. (1995) and Magnusson et al. (1997). The
analysis was performed on calculat ions of evacuat ion reliabilit y from an assembly room. St ochast ic
uncert aint y and knowledge uncert aint y have also been referred t o as, Type A uncert aint y associat ed wit h
st ochast ic variabilit y wit h respect t o t he reference unit of t he assessment quest ion, and Type B uncert aint y
due t o lack of knowledge about it ems t hat are invariant wit h respect t o t he reference unit in t he assessment
quest ion (I AEA, 1989). Examples of paramet ers t hat are coupled t o t he t wo t ypes of uncert aint y are given
below:
(1) Variabilit y, Type A (wind direct ion, t emperat ure, fire growt h rat e in a part icular class of buildings and
occupant response t imes);
(2) Knowledge uncert aint y, Type B (model uncert aint y, plume flow coefficient , accept able heat dose t o
people and most reliabilit y dat a for syst ems).

I t should be ment ioned t hat several variables may be affect ed by bot h kinds of uncert aint y, and t here is
usually no clear separat ion bet ween t he t wo.

Handling Gross Errors
One cannot t reat gross errors in t he same way as random errors, regarding t hem as ext reme values of a
probabilit y dist ribut ion. Gross errors alt er t he probabilit y of failure by changing t he complet e model
describing t he syst em. Gross errors are reduced by measures such as t raining, int ernal or ext ernal cont rol,
proper organisat ion, maint enance of equipment , at t it ude of t he st aff, et c. As a consequence of t his, gross
errors have not been considered by choosing probabilit y dist ribut ions wit h t ails which are infinit e. Gross
errors are normally considered in qualit at ive review processes. The rest of t his t hesis will be devot ed t o risk
analysis wit h and wit hout t he influence of uncert aint ies. I t is, of course, clear t hat t he complet e risk
management process, must also consider pot ent ial gross errors.

Systematic Errors
Syst emat ic errors can belong t o bot h cat egories of failure, gross error or error due t o random variabilit y,
depending on whet her t he syst emat ic error is known in advance or not . A syst emat ic error is defined as t he
difference bet ween t he t rue value and t he measured or predict ed value. A syst emat ic error can arise from
biases in, for example, model predict ion or expert j udgement s. A known syst emat ic error, such as a model
uncert aint y, can be t reat ed as an uncert ain variable or a const ant correct ion. Unknown syst emat ic errors, on
t he ot her hand, are more difficult t o foresee, and must be considered as pot ent ial gross errors. Effort s must
be made t o minimise t he influence of syst emat ic errors. I n some cases, t hey can be reduced by performing
more experiment s or by using different evaluat ion met hods for expert j udgement predict ions. Using models
out side t he area for which t hey are validat ed will cont ribut e t o t he unknown syst emat ic error. This must
t herefore be avoided. I t is, however, usually not possible t o reduce all syst emat ic errors and some will
remain and be unknown.



Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Uncertainty in Subscenarios
Anot her possible division of t he uncert aint y variables can be made t o dist inguish bet ween uncert ainty in t he
subscenario probabilit y and uncert aint y in t he consequence descript ion for each subscenario. This division is
most relevant when t he risk analysis covers t he whole syst em, i.e. when performing a Quant it at ive Risk
Analysis. The probabilit ies of t he subscenarios are usually also random variables and subj ect t o uncert aint y.
The reliabilit y of, for example, a sprinkler syst em and an aut omat ic fire alarm syst em will, t o some ext ent , be
a random variable and t he out come probabilit y of t he subscenarios will t herefore, also be subj ect t o
uncert aint y. The uncert aint y for each subscenario can be t reat ed as a st ochast ic uncert aint y, but t his does
not mean t hat t he uncert aint y in t he consequence descript ion will be a knowledge uncert aint y. Bot h types of
uncert aint y are included in t he descript ion of t he consequences. An Ext ended Quant it at ive Risk Analysis
(EQRA) can, t herefore, usually not dist inguish bet ween st ochast ic and knowledge uncert aint ies.


T TH HE E U UN NW WA AN NT TE ED D C CO ON NS SE EQ QU UE EN NC CE ES S
I n t he Quant it at ive Risk Analysis of a syst em, t he consequence in each senario and subscenario must be
quant ified. The consequence is expressed, for example, in t erms of t he number of inj ured people or t he
amount of t oxic gas released t o t he at mosphere. The consequence can be formulat ed in t erms of a
performance funct ion or a st at e funct ion for each subscenario in t he event t ree. The st ate funct ion describes
one way or mode, in which t he syst em can fail. The problem can generally be expressed as a mat t er of
supply versus demand. The st at e funct ion is t he formal expression of t he relat ionship bet ween t hese t wo
paramet ers. The simplest expression of a st at e funct ion is basically t he difference,

Y X G ÷ = [ 5.02]

where X is t he supply capacit y and Y t he demand requirement . The purpose of any reliabilit y st udy or design
is t o ensure t he condit ion X > Y t hrough out t he lifet ime of t he syst em, t o a specified level indicat ed by P(X
s Y) s p
t arget
. Failure is defined as when t he st at e funct ion G is less t han or equal t o zero. When t he
t ransit ion occurs, i.e. when G = 0, t he st at e funct ion is denot ed t he limit st at e funct ion in order t o
emphasize t hat it defines t he dist inct ion bet ween failure and success. The limit st at e funct ion is used in risk
analysis and design t o det ermine t he maximum consequences of a failure. I n t his t hesis, it is underst ood
t hat when t he values of t he consequences are derived it is done using t he limit st at e funct ion, i.e. for t he
condit ion t hat supply capacit y equals t he demand requirement . I n t he evacuat ion scenario, t he st at e
funct ion is composed of t wo t ime expressions, t ime available for evacuat ion and t he t ime t aken for
evacuat ion. The variable G can be seen as t he escape t ime margin. I f t he escape t ime margin is positive, all
t he people in t he room will be able t o leave before unt enable condit ions occur. On t he ot her hand, if t he
margin is negat ive for a subscenario, some of t he people cannot leave wit hout being exposed t o t he hazard.
The number of people subj ect ed t o t his condit ion will depend on t he magnit ude of t he t ime margin, t he
dist ance t o t he escape rout e, t he init ial occupant densit y, t he occupant charact erist ics, et c. The component s
in t he st at e funct ion can be funct ions of ot her variables. There is no rest rict ion on t he number of funct ions
or variables in t he st at e funct ion. I n t he analysis in t his t hesis, t he st at e funct ion has t he following general
appearance,

move resp det u
t t t t G ÷ ÷ ÷ = [ 5.03]

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
where t
u
is t he t ime t aken t o reach unt enable condit ions (i.e. t he available escape t ime), t
det
is t he t ime
t aken t o det ect t he fire, t
resp
is t he response and behaviour t ime of t he occupant s, and t
move
is t he t ime
required t o move t o a safe locat ion. The four t ime variables are, in t urn, funct ions of ot her basic variables
and const ant s. A basic variable is one which is subj ect t o uncert aint y. Variables compensat ing for model
error can also be included in t hese funct ions. Addit ional variables can be int roduced for specific subscenarios
t o bet t er describe t he act ual sit uat ion. I t is possible t o express t he risk in t erms of lack of escape t ime
inst ead of number of people. I t is, however, cust omary t o express t he risk by t he number of people not
being able t o escape safely. I n t he risk analysis, t he escape t ime margin is reformulat ed in t erms of t he
number of people not being able t o evacuat e wit hin t he available t ime, i.e. expressed by t he limit st at e
funct ion. This is not necessarily equivalent t o t he number of fat alit ies. The available t ime is det ermined by
t he level set for unt enable condit ions.

Untenable Conditions
For evacuat ion analysis, t he occurrence of t he unt enable condit ions det ermines t he available safe escape
t ime. I n most engineering risk analyses, t he desired consequence should be expressed in t erms of t he
number of fat alit ies, i.e. t he number of people dying from t he exposure. For evacuat ion analysis, t his can be
obt ained by set t ing let hal exposure levels t o what is considered unt enable. Levels ot her t han let hal, can be
chosen. I n t his t hesis, t wo different definit ions of unt enable condit ions were used. I n t he design process in
fire safet y engineering, for example, unt enable condit ions are normally defined as escape rout es becoming
filled wit h smoke t o a cert ain height above floor level. This crit erion is oft en used in combinat ion wit h ot her
crit eria such as t he smoke t emperat ure and t oxic gas concent rat ion. The levels set do not imply t hat people
become fat al vict ims of t he fire, but t hey will have some difficult ies in escaping t hrough smoke and t oxic
gases creat ed by t he fire. These unt enable condit ions are usually assumed t o define t he t ime when t he
escape rout e is no longer available as a safe passage. The levels of exposure are chosen on t he safe side t o
allow most occupant s t o be able t o wit hst and t hem for a period of t ime. The risk measure using t his
definit ion of unt enable condit ions cannot be comparable t o ot her risk measures in societ y, but can be used
for comparat ive st udies bet ween different design solut ions.
The ot her level of unt enable condit ions assumes t hat people will probably become fat al vict ims, e.g. of t he
fire due t o high t emperat ure and smoke exposure. The exposure level is higher t han for t he crit ical level of
unt enable condit ions. Using t his definit ion, t he risk analysis can be compared wit h similar analysis from ot her
engineering fields. This level is denot ed t he let hal level of unt enable condit ions. The problem wit h t his
definit ion lies in det ermining t he let hal condit ions for each specific hazard case, i.e. people are not equally
sensit ive t o fire condit ions and fact ors such as age, sex, physical and psychological healt h st at us play
import ant roles. Limit s on what can be regarded as let hal condit ions must be det ermined, det erminist ically or
be described as probabilit y dist ribut ions. The lat t er will, however, result in an enormous work load if
t radit ional engineering met hods of predict ing t he consequences are used. I n a purely st at ist ical approach,
t his met hod of det ermining t he t olerable human exposure could be used.
Bot h definit ions of unt enable condit ions are based on what humans can st and in t erms of environment al
fact ors such heat and smoke exposure. I n t he fire safet y engineering, t he crit ical level can be relat ed t o t he
acut e exposure t o high t emperat ure in combinat ion wit h irrit at ing smoke. But prolonged exposure can also
be harmful, even at a lower level of exposure. The cumulat ive exposure dose can cause t he occurrence of
what is considered unt enable levels. Work by Purser (1995) has result ed in an ext ensive knowledge base in
t erms of upper limit exposure rat es of humans t o, for example, heat , radiat ion and t oxic gases leading t o
incapacit at ion or deat h. The levels can be expressed as t he inst ant aneous exposure rat e or t he dose. The
dose expression is most common for t he effect s on humans of narcot ic gases, but can also be used for
t hermal exposure responses. I t should be ment ioned t hat most of t his t ype of work are performed on
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
animals and not on humans. Quest ions may be raised t o whet her or not t hese dat a can be used t o
det ermine t he t olerable exposure levels on humans. These dat a are, however, t he only exist ing and
t herefore t hose used. A met hod of deriving t he t ot al exposure effect from different exposure sources is t he
Fract ional Effect ive Dose (FED) met hod, int roduced by Hart zell et al. (1985). The Fract ional Effect ive Dose
met hod sums t he cont ribut ions from t he various sources t o give one variable value. When t he Fract ional
Effect ive Dose has at t ained t he value of 1.0, t he occupant is defined as being incapacit at ed or dead,
depending on t he expressions used. The problem in using t his informat ion is t hat t he product ion t erm for
narcot ic gases in a fire is very uncert ain and depends great ly on t he fire scenario. Therefore, more simple
det erminist ic values are used t o express t he occurrence of unt enable condit ions. The most commonly used
variable is acut e t emperat ure exposure in conj unct ion wit h a limit on t he smoke layer height . Condit ions are
defined as being unt enable as soon as t he condit ions are fulfilled, and it is assumed t hat t he escape rout e is
inst ant aneously blocked. The use of t oxicological dat a in combinat ion wit h t emperat ure and radiat ion
exposure, could in t he fut ure be used as a bet t er predict ion of unt enable levels and for considerat ion of t he
inherent variat ion. This may be possible when bet t er models, capable of predict ing t oxic gas concent rat ions
in t he vicinit y of a hazard, become available. Toxicological dat a for det ermining unt enable condit ions is used
in ot her areas of engineering, for example, in t he predict ion of t he effect s of t oxic gas release t o t he
at mosphere. When det ermining t he consequences of a release of t oxic gas t o t he at mosphere, t he Probit
funct ion is normally used (Finney, 1971). This is a measure t hat considers t he exposure concent rat ion, t he
exposure t ime and also t he t oxicological effect on t he human body. Different exposure effect s can be
st udied, from t he smell of t he gas t o acut e deat h. Different gases and exposure effect s generat e different
values of t he variables, which are used in t he Probit funct ion. These are based on t he est imat ed human
t olerabilit y t o t he gases. I f t he gas concent rat ion at a specified locat ion and exposure t ime is known, t he
number of vict ims, or people being subj ect ed t o it s effect s, can be est imat ed.

The Values of Variables
A st at e expression may cont ain funct ions of random variables as well as independent basic random variables
and const ant s. The response and behaviour t ime is, for example, usually det ermined as a single
det erminist ic value or a dist ribut ion. There are no calculat ion models available t o det ermine t his t ime. The
values used t o calculat e bot h t he probabilit ies and t he consequences should be chosen carefully. This is t he
most crit ical part of t he analysis, regardless of whet her t he t ask is t o design t he escape syst em t o perform a
St andard Quant it at ive Risk Analaysis or t o perform a complet e uncert aint y analysis, an Ext ended
Quant it at ive Risk Analaysis. Many values are not easily det ermined and may be subj ect t o uncert aint y. For
design purposes, values should be chosen t o represent t he credible worst case (I SO 13388, 1997). Taking
t he mean value of, for example, fire growt h rat e for a scenario does not necessarily represent credible
scenarios sufficient ly well. An upper percent ile value could be chosen for t he hazard (e.g. fire) growt h rat e.
I n building design and St andard Quant it at ive Risk Analaysis, single values are used t o det ermine t he
consequences and, if applicable, also t he probabilit ies. I n an explicit uncert aint y analysis, t he variables are
defined by t heir respect ive dist ribut ions. The values for t he St andard Quant it at ive Risk Analaysis can be
chosen in t wo ways. Eit her t he values are chosen t o represent t he best est imat e for t he variables or t hey
can be chosen as conservat ive est imat es, similar t o t hose used for design purposes. Using t he best est imat e
values result s in a measure of risk t hat is also a best est imat e. However, as t here are uncert aint ies involved
in t he variables t he best est imat e measure of risk can be associat ed wit h large uncert aint y. As t he nat ure of
a best est imat e is t o represent t he average sit uat ion many sit uat ions, approximat ely half, will be worse t han
t he est imat ed measure of risk. Performing an Ext ended Quant it at ive Risk Analaysis leads t o a quant ificat ion
of t his uncert aint y. The values for t he St andard Quant it at ive Risk Analaysis can also be chosen as
conservat ive est imat es. Using t hese in t he analysis leads t o a measure of risk t hat is on t he safe side. How
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
safe t he measure is cannot be quant ified wit hout performing an Ext ended St andard Quant it at ive Risk
Analaysis, but t he measure of risk is not underest imat ed compared wit h t he est imat ed average risk measure.
One problem t hat can occur using t hese values is t hat t he choices can be t oo conservat ive. Performing an
uncert aint y analysis or Ext ended Quant it at ive Risk Analaysis can help solving t his problem.
The lat t er met hod of choosing values for t he St andard Quant it at ive Risk Analaysis is always used. The
average measures of risk were also implicit ly derived as t hey can be obt ained from t he Ext ended
Quant it at ive Risk Analaysis as t he average values, for example, as t he average risk profile. Using values
which are slight ly conservat ive, similar t o t hose used for design, in t he St andard Quant it at ive Risk Analaysis
can be int erpret ed as performing a risk analysis on t he design condit ions. I n order t o evaluat e t he influences
from uncert aint ies, t he St andard Quant it at ive Risk Analaysis or t he safet y engineering design process should
be complement ed by a sensit ivit y analysis. I t result in informat ion concerning t he relat ive import ance
bet ween variables.

Sensitivity Analysis
The purpose of t he sensit ivit y analysis is t o ident ify import ant variables, i.e. t hose cont rolling t he result t o a
high degree. Work has been done t o det ermine what should be included in a sensit ivit y analysis (NKB, 1997)
and Fire Engineering Guidelines (FEG, 1996). Fact ors t hat should be invest igat ed wit h respect t o t he impact
on t he final result are:
(1) Variat ions in input dat a;
(2) Dependence on degree of simplificat ion of t he problem;
(3) Dependence on descript ion of scenario, i.e. How t he event t ree is creat ed;
(4) Reliabilit y of t echnical and human syst ems.

The variables ident ified as import ant should perhaps be chosen somewhat more conservat ively t han ot hers.
I f t he safet y is highly dependent on j ust one funct ion, redundancy should be considered. The analysis should
ident ify variables of import ance and what measures should been t aken t o eliminat e or reduce t he
consequences of failure. Sensit ivit y analysis only gives an indicat ion of t he import ance of t he variables
involved in t he analysis of a planned or exist ing building. I f a more det ailed invest igat ion is necessary a
complet e uncert aint y analysis should be performed. All informat ion regarding t he uncert aint y in variables is
t hen considered. Kleij nen (1995) provides a general descript ion of sensit ivit y and uncert aint y analysis.


S SY YS ST TE EM M A AN NA AL LY YS SI I S S
The most simple sit uat ion occurs when t he subscenario problem can be formulat ed as one single equat ion.
The single limit st at e funct ion cont ains all t he informat ion needed t o describe t he consequences of t he
subscenario. I n some cases t his is not sufficient as more t han one failure mode can exist , i.e. t he safet y of
t he occupant s can be j eopardised in more t han one way. When t his is t he case, t he sit uat ion must be
described by more t han one equat ion. I f t hese equat ions are correlat ed, t hey must be linked t oget her t o
form a syst em which describes t he expect ed consequences of t he subsyst em. I n evacuat ion analysis, t he
failure or unsuccessful evacuat ion is det ermined by t he occurrence of t he first failure mode. The evacuat ion
safet y of t he subscenario is expressed as a series syst em, as only one failure mode is required. I f one failure
mode is fulfilled t hen at least one occupant is exposed t o unt enable condit ions at any of t he locat ions
described by t he subscenario. I n t he area of st ruct ural reliabilit y series syst ems, parallel syst ems and
combinat ions of series and parallel syst ems can be ident ified. I n fire safet y engineering, t he int erest is purely
on series syst em as occupant s are prevent ed from furt her evacuat ion as soon as unt enable condit ions have
arisen at least at one locat ion. The series syst em can be illust rat ed by a chain. The st rengt h of t he chain is
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
dependent on t he st rengt h of t he weakest link. The links can be expressed as limit st at e funct ions for t he
different locat ions, for example, fire room and corridor, for one subscenario. I f one syst em fails, t he whole
syst em fails. When numerical analysis met hods are used t o solve series problems, t he limit st at e funct ion
can be expressed in t erms of a number of separat e equat ions. The consequences are derived from sample
calculat ions t hat are repeat ed. This may require several it erat ions before t he subscenario consequences can
be det ermined. For analyt ical met hods such as t he First Order Second Moment (FOSM) met hod (Thoft -
Christ ensen et al., 1982), t he problem must be t reat ed a lit t le different ly. Correlat ed single equat ions have t o
be t reat ed simult aneously t o derive t he probabilit y of int erest . The probabilit y of failure can, in most cases,
not be det ermined in t erms of a single value, but as an int erval. Different met hods are available t o describe
t he bounds of t he int erval.

Response Surface Method
Usually, in a risk analysis t he expressions in t he limit st at e funct ions are derived by t he use of comput er
programs. That is independent on whet her it is a St andard Quant it at ive Risk Analaysis or t he complet e
uncert aint y analysis t hat is t he obj ect ive. I n some cases, more t han one comput er program must be used t o
predict t he consequence for every branch. I f only one consequence value, such as t he number of people not
being able t o escape safely, is calculat ed for each event t ree out come, t he use of t he comput er t ools is
normally rat her st raight forward. The comput er out put result s can be used direct ly, as input , in t he risk
analysis. When considering uncert aint ies, as in t he Ext ended Quant it at ive Risk Analaysis or in uncert aint y
analysis, t he comput er programs must be used different ly. This is because uncert aint y analysis requires t hat
t he problem be formulat ed in a cert ain manner. The uncert aint y analysis can eit her be performed as a
numerical sampling procedure or as an analyt ical procedure. When a numerical simulat ion procedure, such
as a Mont e Carlo met hod is used, a large number, usually more t han 1,000, of calculat ions must be
performed for each event t ree out come. I t is rat her inefficient t o calculat e t he result direct ly for each
subscenario 1,000 t imes. I f t he comput er program is specially designed t o enable t his it erat ive procedure it
may be an int egrat ed part of t he analysis, see I man et al. (1988) and Helt on (1994) for reviews of t he area.
As t his feat ure is rat her uncommon in commercial programs, ot her approaches must be considered. One
approach first approximat es t he comput er out put wit h an analyt ical expression, a response surface, which
t hen, in t he second st ep, easily can be applied in t he Mont e Carlo simulat ion, i.e. t he uncert aint y analysis.
The argument s for using response surface equat ions are also valid if t he uncert aint y analysis is performed
by analyt ical met hods, such as t he First Order Second Moment met hod. The response surface, or met a
model, is used t o est imat e t he values from comput er calculat ions or experiment s on t he basis of only a very
few input variables. A response surface is normally creat ed by using regression analysis. The t erm response
surface is used t o indicat e t hat , when using several variables t o represent t he dat a, a surface is creat ed in n-
dimensional space, where n is t he number of variables. I n a t wo-variable case t he response surface will
become a line which is usually referred t o as a regression line. Having more t han t wo variables, t he
regression result will be a plane, linear or nonlinear, depending on t he relat ionship bet ween t he variables. I n
t his t hesis t he general t erm surface will be used even for t he t wo dimensional sit uat ion. The response
surface equat ion should represent t he dat a as accurat ely as possible, at least in t he region of int erest .
There are ot her advant ages wit h t his met hod, apart from t ime saving, which are wort h ment ioning. As t he
out put is derived from an equat ion, it is rat her obvious which variables det ermine t he result . The analysis is
very t ransparent and easy t o verify and reproduce. The result s will not be det ermined by a black-box
comput er program. I t is also rat her easy t o det ermine t he qualit y of t he out put as only one or a few
equat ions must be considered in asensit ivit y analysis or uncert aint y analysis. The drawback of using t he
response surface t echnique is t hat a new uncert aint y variable is int roduced. The magnit ude of t his new
uncert aint y is usually small and it s influence normally not very significant . To gain an underst anding of how
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
well t he response surface equat ion predict s t he comput er out put , t he coefficient of det erminat ion (R
2
), can
be analysed. The uncert aint y result ing from t he regression analysis can, however, be included in t he t ot al
uncert aint y analysis. Wit h good approximat ion met hods t his uncert aint y will be small, and t he benefit of
having a fast calculat ion model out weighs t his uncert aint y.

Creating the Response Surface Equation
Creat ing t he response surface equat ion for comput er model out put s requires informat ion on bot h t he input
values and t he comput er out put result s. Regression analysis is used t o obt ain t he analyt ical relat ionship
bet ween t he input paramet ers and t heir corresponding out put (Ang et al., 1975). Several met hods are
available t o creat e t his analyt ical equat ion, such as t he met hod of least squares and t he met hod of
maximum likelihood. The response surfaces used in t his t hesis were derived using t he met hod of least
squares. The simplest case of curve fit t ing is t o derive an equat ion t hat represent s dat a by a st raight line,
linear regression analysis. The t ask is t o est imat e ì and o in t he expression,

c + · o + ì = x y [ 5.04]

giving t he est imat e of t he real variable y. The equat ion can also be int erpret ed as providing t he condit ional
est imat e E(y
x
). The fact or c represent s t he uncert aint y in y. The regression equat ion does not have t o be
rest rict ed t o t wo variables. Mult iple variable regression analysis is similar, but t he t heoret ical evidence will
not be present ed here. The regression analysis int roduces new uncert aint ies int o t he paramet ers ì and o as
t hey only can be est imat ed and will t herefore be associat ed wit h uncert aint y, e.g. described by a mean and
a st andard deviat ion. This mean t hat ì, o and c are subj ect t o uncert aint y as a result of t he regression
analysis. The met hod of least squares works wit h any curve charact erist ics as t he only obj ect ive is t o
minimise t he difference bet ween t he sample dat a and t he predict ed surface. The import ant issue is t o find a
relat ion t hat describes t he out put in t he best way and wit h as small a deviat ion from t he dat a as possible.
The vert ical differences bet ween t he dat a and t he regression line, t he residuals, will be evenly dist ribut ed on
bot h sides of t he regression line. This is a result of t he met hod as it minimises t he sum of t he squares of t he
residuals. This means t hat t he sum of t he residuals is equal t o 0. The residual variance (o
r
2
) is a measure of
how well t he regression line fit s t o t he dat a. I t shows t he variat ion around t he regression line. The variable c
in Equat ion [ 5.04] is usually est imat ed by a normal dist ribut ion, N(0,o
r
). The residuals are in t he same unit s
as t he variable y, which means t hat t he values from different regression analyses cannot be compared
direct ly det ermining whet her or not t he regression shows good agreement . A normalised measure of t he
deviat ion is t he correlat ion coefficient . The correlat ion coefficient (r) is a measure of how close t he dat a are
t o a linear relat ionship, and is defined as,

( )( ) | |
( ) ( )
¯ ¯
¯
= =
=
u ÷ u ÷
u ÷ u ÷
=
n
1 i
n
1 i
2
y i
2
x i
n
1 i
y i x i
y x
y x
r [ 5.05]

The correlat ion coefficient can vary bet ween -1 and + 1, and values close t o t he out er limit s of t his int erval
represent good agreement . The sign indicat es whet her t he correlat ion is posit ive or negat ive. I n mult iple
linear regression analysis, t he coefficient of det erminat ion (R
2
) is used inst ead of t he correlat ion coefficient
(r). For t he linear case wit h only one dependent variable r
2
= R
2
.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

( )
¯
¯
=
=
-
u ÷
|
|
.
|

\
|
u ÷
=
n
1 i
y i
n
1 i
y i
2
y
y
R [ 5.06]

The coefficient of det erminat ion is a measure of how much of t he residuals are explained by t he regression
model. The value should be as close as possible t o 1. I t is clear t hat t he uncert aint y in t he predict ion of y will
depend on t he sample size (n). I ncreasing t he sample size decreases t he overall uncert aint y. One of t he
problems t hat may occur when using a response surface inst ead of t he act ual comput er out put , is t hat t he
residuals may increase as t he value of one or more variable is increased. I f t his happens, t he uncert aint y
int roduced by t he regression analysis may have t o be considered import ant . As t he regression analysis is
used t oget her wit h ot her variables t hat are subj ect ed t o uncert aint y, t he uncert aint y variables from t he
regression analysis must be compared t o t he ot her uncert aint ies. For most cases t hese new int roduced
uncert aint ies can be omit t ed as t heir cont ribut ion t o t he overall uncert aint y can be considered small.

Nonlinear Problems
Linear problems are rare in most engineering disciplines. Most models result in nonlinear solut ions and t he
t radit ional linear regression gives a poor represent at ion of t he dat a. There are t wo ways of solving t his
problem: opt imising a nonlinear expression or t ransforming t he model int o a form t hat is linear, at least
locally in t he area of int erest . Most nonlinear solut ions are based on approximat ing t he dat a t o a polynomial
in various degrees, for example a second order polynomial. The curve fit t ing t echnique is more or less t he
same as t hat described above. This approach is normally considered rat her laborious and ot her means are
preferable if t hey are available. The second t echnique t ransforms t he dat a int o a form in which t he
t ransformed variables are linear. One such t ransformat ion is t o use t he logarit hmic values of t he dat a. Ot her
t ransformat ions such as squares or exponent ials can also be considered. I f t he t ransformed values appear t o
be linearly dependent , linear regression analysis can be performed. The coefficient of det erminat ion can be
used t o det ermine t he agreement bet ween t he dat a and t he response surfacefor bot h t he nonlinear and t he
t ransformed solut ions. There are t wo good reasons for using t he logarit hmic values in some engineering
applicat ions:
(1) I n some cases t he variat ion in t he input variables is several orders of magnit ude. The values locat ed
close t o t he upper limit of t he response surface out put , will t hen influence t he paramet ers in t he
equat ion more t han ot hers.
(2) For some paramet er combinat ions, a polynomial relat ionship can result in negat ive responses which are
physically impossible. This must definit ely be avoided.

I t appears t hat t he linear approximat ion of t he logarit hmic dat a in det ermining t he response surfaces is an
appropriat e choice for t he cases considered in t his t hesis. The coefficient of det erminat ion (R
2
) is generally
very high in all equat ions. The large difference in magnit ude of t he variables will be drast ically reduced and
no negat ive responses will be derived using t his approach. The response surface will have t he following
general appearance,

( ) ( )
I
=
o
ì =
n
1 i
i
i
x exp y [ 5.07]
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

where n is t he number of variables, and ì and o
i
are t he linear regression paramet ers. A problem arises
when t he uncert aint ies in ì, o and c are t o be t ransformed. I f a numerical procedure is used for t he
uncert aint y analysis t his will normally not be a problem. For an analyt ical met hod using hand calculat ions,
t hese new uncert aint ies become a problem which might cause exclusion of t he met hod. An approximat e
solut ion can be used, i.e. excluding t hese uncert aint ies, or special soft ware capable of considering regression
paramet er uncert aint y can be used. I n t he risk analysis present ed here, bot h t he St andard Quant it at ive Risk
Analysis and t he Ext ended Quant it at ive Risk Analysis, t hese uncert aint ies are omit t ed, as t hey are small in
comparison wit h t he ot her variable uncert aint ies. To be able t o draw t his conclusion, t he single subscenario
uncert aint y analysis was performed bot h wit h and wit hout t he uncert aint y informat ion in ì, o and c.


D DE ES SC CR RI I B BI I N NG G R RA AN ND DO OM M V VA AR RI I A AB BL LE ES S
When t he uncert aint y is t o be explicit ly included in t he analysis, some of t he variables must be defined as
random variables. This is independent of whet her t he uncert aint y is a st ochast ic or a knowledge uncert aint y.
One way of describing t he variables is t o use t he probabilit y densit y funct ion (PDF) or frequency dist ribut ion
for t he variable, f
X
. A random variable can be represent ed by values wit hin a specified int erval, described by
t he frequency funct ion. The dist ribut ion shows t he probabilit y t hat a specific value will be assigned. The
dist ribut ion int erval can eit her be limit ed by out er bounds, minimum and maximum values or be open,
having no out er limit s. An example of a limit ed frequency funct ion is t he uniform dist ribut ion, having t he
same frequency for all values wit hin t he int erval and defined by t he minimum and maximum values. The
normal dist ribut ion is an example of an open dist ribut ion. Ot her possible represent at ions of a random
variable are t he cumulat ive dist ribut ion funct ion (CDF) and t he complement ary cumulat ive dist ribut ion
funct ion (CCDF). The t hree t ypes of represent at ion, probabilit y densit y funct ion, cumulat ive dist ribut ion
funct ion and complement ary cumulat ive dist ribut ion funct ion, cont ain t he same informat ion expressed in
t hree different ways. The lat t er t wo present t he cumulat ive frequency from t he probabilit y densit y funct ion.
The cumulat ive dist ribut ion funct ion describes t he probabilit y P(X s x) for t he random variable X at any given
x defined in t he int erval -· < x < + ·. I t is import ant t o dist inguish bet ween x and X. The lower case x is t he
argument of t he funct ion F
X
describing t he cumulat ive dist ribut ion funct ion. The mat hemat ical relat ionship
bet ween t he probabilit y densit y funct ion (PDF) and t he cumulat ive dist ribut ion funct ion (CDF) is defined as,

( ) ( )
í
· ÷
=
x
x x
dt t f x F [ 5.08]

I t is furt her assumed t hat t he random variable X is cont inuous in t he int erval of int erest . The complement ary
cumulat ive dist ribut ion funct ion (CCDF) is closely linked t o t he cumulat ive dist ribut ion funct ion and is defined
as

( ) x F 1 CCDF
x
÷ = [ 5.09]

I n risk analysis, t he use of t he cumulat ive dist ribut ion funct ion is quit e common as it answers t he quest ion:
“ How likely is it t hat t he consequences are worse t han a specified value?” . I n mat hemat ical t erms t his can
be expressed as,

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
( ) ( ) ( )
í

= > = ÷
x
x x
dt t f x X P x F 1 [ 5.10]

The probabilit y densit y funct ion (PDF) is t he most common represent at ion of a random cont inuous variable
in quant it at ive risk analysis. Similarly, if t he variable is represent ed by a discret e funct ion it can be described
by it s probabilit y mass funct ion (PMF) in analogy wit h it s cont inuous relat ive. Each random variable is
represent ed by one or more paramet ers. The paramet ers can, for example, be minimum and maximum
values or t he mean value and t he st andard deviat ion. The normal dist ribut ion is, for example, represent ed
by t he mean value and t he st andard deviat ion.

Correlated Variables
The random variables may be linked t oget her by a dependence relat ionship, i.e. t hey are correlat ed. The
correlat ion bet ween variables is import ant in risk calculat ions. The correlat ion can be eit her posit ive or
negat ive. A posit ive correlat ion will t end t o make t he dist ribut ions deviat e in t he same direct ion, a high value
of t he variable X is likely t o follow a high value of Y. The correlat ion can be described by t he covariance,
Cov(X,Y) or by t he correlat ion coefficient , p
xy
. The correlat ion coefficient can be seen as a normalised
covariance. I f X and Y are st at ist ically independent , Cov(X,Y) is zero, which also means t hat t hey are not
correlat ed. Noncorrelat ed variables can, however, not be defined as st at ist ically independent . The correlat ion
coefficient is t he most frequent measure of correlat ion and it is always bet ween -1 and + 1. Not e t he
similarit y t o t he correlat ion coefficient (r).

The Choice of Distribution
One t ask is t o det ermine t he most appropriat e t ype of dist ribut ion for each variable and t he corresponding
paramet er values. The dat a forming t he basis for t he choice of a specific dist ribut ion are usually limit ed. This
leads t o t he quest ion: “ How should t he dist ribut ion be select ed in order t o represent t he variable as
accurat ely as possible?” . First ly, as point ed out by Haimes et al. (1994), t he dist ribut ion is not formally
select ed. The dist ribut ion is evidence of, and a result of, t he underlying dat a. I n many cases t he dist ribut ion
t ype is det ermined by what is previously known about t he variable. For example, a st rengt h variable cannot
have negat ive values, which eliminat es some dist ribut ions. Two cat egories can be defined depending on t he
amount of dat a available separat ed:
(1) I f t he amount of dat a is large;
(2) I f t he amount of dat a is small or irrelevant .

This implies t hat t here are t wo met hods available for t he select ion of a dist ribut ion and t he corresponding
paramet ers. The probabilit y dist ribut ion of t he event can be est imat ed eit her according t o t he classical
approach, or according t o t he subj ect ive approach, also known as t he Bayesian approach.

The Classical Approach
I f t he dat a base is large, t he dist ribut ion can be easily det ermined by fit t ing procedures. The paramet ers of
t he dist ribut ion can be derived by st andard st at ist ical met hods. This is normally referred t o as t he classical
approach. The classical approach defines t he probabilit y on t he basis of t he frequency wit h which different
out come values occur in a long sequence of t rials. This means t hat t he paramet ers, describing t he variable,
are assigned based on past experiment s. There is no j udgement involved in t his est imat ion. I t is based
purely on experiment al dat a. Addit ional t rials will only enhance t he credibilit y of t he est imat e by decreasing
t he variabilit y. The errors of t he est imat e are usually expressed in t erms of confidence limit s. An example of
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
t he frequency defined according t o t he classical approach is illust rat ed by t he calculat ion of t he probabilit y
t hat t hrowing a dice will result in a four. The condit ions of t he experiment are well defined. Throwing t he
dice a t housand t imes will lead t o t he probabilit y of 1/ 6 t hat t he result will be a four. The probabilit y will not
be exact ly 1/ 6 but close t o it . I ncreasing t he number of t rials will improve t he probabilit y.

The Bayesian Approach
I f only a small amount of dat a is available, t his dat a t oget her wit h expert j udgement can be used t o form
t he basis for t he choice of dist ribut ion, which has t he highest degree of belief. The choice will t hus be
part ially subj ect ive. By applying t he met hod of Bayes, t he subj ect ive dist ribut ion can be updat ed in a formal
manner, as soon as new dat a become available. Bayes’ met hod assumes t hat t he paramet ers of t he random
variables are also random variables and can t herefore be combined wit h t he variabilit y of t he basic random
variable in a formal st at ist ical way by using condit ional probabilit ies. This assumpt ion will reflect t he probable
uncert aint y inherent in t he variable. The est imat e of a paramet er which is based on subj ect ive j udgement is
improved by including observat ion dat a in t he est imat e. The new est imat e is a probabilit y, on condit ion t hat
experiment s or ot her observat ions have been performed, and t hat t hese result s are known. The met hod can
be used for bot h discret e probabilit y mass funct ions and cont inuous probabilit y densit y funct ions. Applying
t he dice example t o t his approach means t hat t he person, conduct ing t he experiment , does not have t o
t hrow t he dice at all. He knows from past experience and assumpt ions t hat t he probabilit y will be 1/ 6 if t he
dice is correct ly const ruct ed. He makes t his est imat e by j udgement . I f t he dice is corrupt and favours t he
out come t wo t his will only be seen in t he experiment conduct ed according t o t he classical approach. The
subj ect ive est imat e will, t herefore, be false predict ion of t he t rue probabilit y of t he out come four. However,
he can make a few t hrows t o see if t he dice is correct ly balanced or not . Based on t he out come of t his new
experience, he can updat e his earlier est imat e of t he t rue probabilit y, using Bayes' t heorem. I f subsequent
new t rials are performed and t he probabilit y cont inuously updat ed, subj ect ive met hod will converge t owards
t he classical est imat e of t he probabilit y.
I n t he following, a brief formal descript ion of Bayes' t heorem will be present ed. A more det ailed descript ion
can be found in, for example, Ang et al. (1975). Each variable can be assigned a probabilit y densit y funct ion
(PDF) which t he engineer t hinks represent s t he t rue dist ribut ion reasonably well. This first assumption is
denot ed t he prior densit y funct ion. The improved dist ribut ion, achieved by including new dat a, is denot ed
t he post erior densit y funct ion. For a discret e variable, Bayes' t heorem can be formulat ed as

( )
( ) ( )
( ) ( ) | |
¯
=
u = O · u = O o
u = O · u = O o
= o u = O
n
1 i
i i
i i
i
P , P
P , P
, P [ 5.11]

describing t he post erior probabilit y mass funct ion for t he random variable O expressed by n possible values.
The post erior probabilit y is t he result of considering new experiment al values (o) in combinat ion wit h t he
prior probabilit y P(O = u
i
). The t erm P(o,O = u
i
) is defined as t he condit ional probabilit y t hat new
experiment al values (o) will occur, assuming t hat t he value of t he variable is u
i
.

Distributions Used in Fire Safety Engineering
How should a t ype of prior dist ribut ion and it s corresponding paramet ers be chosen? A number of
researchers have t ried t o est ablish rules governing t he choice of dist ribut ion based on, for example, t he
amount of dat a present . According t o Haimes et al. (1994), for small samples t he mean value should be
calculat ed and combined wit h a subj ect ive est imat e of t he upper and lower bounds and t he shape of t he
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
dist ribut ion. I f large uncert aint ies are suspect ed, log-t ransformed dist ribut ions should be used inst ead of
uniform, t riangular or normal dist ribut ions. For safet y risk analysis, t he first st ep is t o est ablish t he minimum
and maximum limit s for each variable. The next t ask is t o est imat e t he mean values and t he st andard
deviat ion, or ot her paramet ers, for each of t he basic variables. The final st ep is t o choose a dist ribut ion t ype
for t he variables, based on which has t he highest degree of credibilit y. This must be done for each random
variable in t he syst em, such as for t he response t ime, and also for variables such as reliabilit y or availabilit y,
e.g. in t he case of an aut omat ic fire det ect ion syst em. For most variables, such as fire growt h rat e, t here is a
more or less ext ensive dat a base, which provides a credible range (minimum values t o maximum values) for
t he specific paramet er. The dat a are not syst emat ically assembled, but t he informat ion exist s and must be
sought aft er in a number of sources. Collect ing and syst emat ically organising t he relevant dat a is a t ask
which must be given high priorit y in fut ure work. The t ype of dist ribut ion most frequent ly used is the normal
dist ribut ion. I t is believed t o represent t he variables in a suit able way. A lognormal dist ribut ion is chosen for
t he fire growt h rat e as it gives no negat ive values and is believed t o represent t he variable in t he best
possible way.


Q QU UA AN NT TI I T TA AT TI I V VE E A AN NA AL LY YS SI I S S M ME ET TH HO OD DS S
The Quant it at ive Risk Analysis (QRA) is focused on t he combined effect of likelihood (probabilit y) or
frequency, exposure t o t he hazard, consequences (loss crit icalit y) of a possible accident , and safet y level.
The frequency or likelihhod is usually derived using event t ree t echniques somet imes combined wit h fault
t ree analysis. For each branch in t he event t ree, denot ed a subscenario, t he consequences will be
det ermined. The consequence or loss crit icalit y expresses t he value of t he unwant ed event . The likelihood or
frequency, exposure, consequences or loss crit icalit y, and safet y level are formally combined in t he
Quant it at ive Risk Analysis. The first st ep, before st art ing t o quant ify t he risk, is relat ed t o defining and
describing t he syst em. The syst em is defined in t erms of one or more scenarios. I n t he risk analysis t he
syst em must also be defined in t erms of physical limit at ions, i.e. which physical area should be considered in
t he analysis? Aft er t he syst em has been described, t he hazards are ident ified and quant ified, t he next st ep in
t he process is t o evaluat e t he risk, i.e. perform t he quant it at ive risk analysis. The result s of t he analysis are,
for example, t he individual risk and t he societ al risk. Different crit eria can be used in det ermining t he
consequences. I t is not necessarily t he hazard t o humans t hat governs t he analysis. The obj ect ive of t he
analysis could be t o minimise t he maximum allowed release of gas or t o opt imise safet y measures restrict ed
by const raint s such as aut horit y regulat ions or maximum cost levels. The analysis met hod present ed in t his
t hesis uses t he decision crit erion t hat human beings shall be prevent ed from being exposed t o harmful
condit ions. The human beings have a right , det ermined by societ al regulat ions, t o a cert ain degree of
prot ect ion in t he case of any hazard. This t ype of crit erion is classified as a right s-based crit erion according
t o t he classificat ion syst em of Morgan et al. (1990). The risk as defined in t his t hesis is t hen a measurement
of not being able t o sat isfy t his crit erion. The risk is defined in t erms of t he complet e set of quadriplet s (see
Equat ion [ 1.03] ). Ot her decision crit eria t hat may be used are ut ilit y-based crit eria and t echnology-based
crit eria. Ut ilit y-based crit eria are oft en based on a comparison bet ween cost and benefit . The obj ect ive of
t he analysis can t herefore be t o maximise t he ut ilit y. I n order t o choose an opt imum solut ion, bot h t he cost
and t he benefit must be expressed in t he same unit , usually in a monet ary unit . An overview of decision
making can be found in Gärdenfors et al. (1986) and in Klein et al. (1993). Normally, a Quant it at ive Risk
Analysis (QRA) is a rat her complex t ask. I t is difficult t o perform t he analysis as it is labour int ensive and
t he degree of det ail is high. I t is also very difficult t o evaluat e a Quant it at ive Risk Analysis as many of t he
assumpt ions are not well document ed. I n some cases, t he only person able t o reproduce t he analysis is t he
one who carried out t he analysis in t he first place. I t is t herefore advisable t o follow some golden rules for
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
risk analysis. Morgan et al. (1990) defined a set of t en commandment s for risk analysis which can be
summarised as:
(1) Perform t he analysis in an open and t ransparent manner;
(2) Document all relevant assumpt ions and decisions t aken t hroughout t he process;
(3) Describe t he uncert aint ies involved even if no explicit uncert aint y analysis is performed;
(4) Expose t he document t o peer review.

Before cont inuing, it should be clearly st at ed t hat t he t erm risk is not well defined. At t he 1996 Annual
Meet ing of t he Societ y for Risk Analysis, St an Kaplan said: “ The words risk analysis have been, and cont inue
t o be a problem. Many of you here remember t hat when our Societ y for Risk Analysis was brand new, one of
t he first t hings it did was t o est ablish a commit t ee t o define t he word risk. This commit t ee labored for four
years and t hen gave up, saying in it s final report , t hat maybe it is bet t er not t o define risk. Let each aut hor
define it in his own way, only please each should explain clearly what way t hat is” . I n t his t hesis, risk is
defined as t he quant it at ive measure of t he condit ion t hat people are not able t o escape safely before t he
unt enable condit ions have occurred on t he premises. The risk is expressed bot h t o individuals and as t he
societ al risk considering mult iple fat alit ies.

Performing a Quantitative Risk Analysis
I n order t o perform a fully quant it at ive risk analysis, a number of quest ions regarding, for example, t he
ext ent of t he analysis must first be answered. The choice of syst em boundaries and syst em level will have a
fundament al influence on t he choice of analysis approach and met hodology. The opt imal choice of
assessment met hod will be dependent on fact ors such as:
(1) Whet her t he calculat ion t ool is a comput er program or an analyt ical expression;
(2) To what ext ent variable uncert aint y is explicit ly considered;
(3) Whet her t he analysis is concerned wit h a single subscenario or t he whole event t ree.

Different approaches are available for quant it at ive risk analysis. The first fact or is relat ed t o how comput er
result s are used in t he uncert aint y analysis. Comput er program out put can be used eit her direct ly in t he
analysis as an int egrat ed part of t he met hodology or indirect ly providing result s which are used t o creat e
analyt ical response surface equat ions. The second fact or concerns t he ext ent of t he analysis in t erms of
explicit ly considering variable uncert aint y. I f no uncert aint ies are considered in t he definit ion of t he
variables, a st andard quant it at ive risk analysis can be performed. I n a St andard Quant it at ive Risk Analysis,
t he event s will be described in t erms of det erminist ic point est imat es. The subsequent risk result s, bot h
individual risk and t he societ al risk, are also present ed as det erminist ic values wit hout any informat ion on
t he inherent uncert aint y. Simple det erminist ic calculat ions can be performed by hand, but comput er
calculat ion is normally t he most rat ional. I f a more t horough analysis of t he scenario is t he obj ect ive, t he
impact of uncert aint y in t he variables defining t he subscenarios should be examined. Usually, most variables
are associat ed wit h uncert aint y and t he risk measure can be furt her improved by considering such
uncert aint ies. The work load associat ed wit h t he analysis will, however, be drast ically increased. The t hird
fact or is concerned wit h t he level of analysis when considering uncertaint y explicit ly.
Two different approaches can be t aken regarding uncert aint y analysis, depending on t he level of
examinat ion. Only one subscenario at a t ime can be considered, or t he whole event t ree can be regarded as
a syst em. The uncert aint y analysis det ermines how uncert aint ies in out come probabilit y or likelihood,
exposure, consequences or loss crit icalit y, and safet y level are propagat ed. This result s in a more det ailed
descript ion of t he scenario. For t he analysis of one single subscenario, t here are at least t hree met hods
available: one analyt ical met hod and t wo numerical simulat ion met hods. The analyt ical first order reliabilit y
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
met hod is called analyt ical because it is possible t o derive t he result ing risk measure, t he reliabilit y index (|),
analyt ically for simple cases. The t wo numerical met hods, t he single phase and t he t wo-phase met hods, are
based on Mont e Carlo simulat ions in which t he variable dist ribut ions are est imat ed by sampling procedures.
The t wo-phase simulat ion met hod makes it possible t o separat e t wo t ypes of uncert aint y, i.e. st ochast ic
uncert aint y and knowledge uncert aint y. The first numerical met hod is more direct as it does not distinguish
bet ween different t ypes of uncert aint y. The result s of all t hree met hods are, for t he simplest case, t he
probabilit y of failure of t he subsyst em (p
u,i
), assuming t hat t he subscenario has occurred. The probabilit y of
failure can, t oget her wit h t he probabilit y (p
i
), be used t o produce a bet t er est imat e of t he risk cont ribut ion
from subscenario (i). Considering variable uncert aint y on t he syst em level, i.e. performing a Quant it at ive
Risk Analysis, leads t o t he Ext ended Quant it at ive Risk Analysis.

Risk Measures
Before t he different risk analysis met hods are present ed, it is appropriat e t o int roduce the various measures
by which t he risk can be expressed. A more det ailed explanat ion is given as t he risk analysis met hods are
described. I t is possible t o ident ify at least t wo t ypes of risk measures: individual risk (I R) and societ al risk
(SR). Those t wo are t he most frequent risk measures in current risk analyses. But , comparing risk measures
from different risk analyses is a difficult t ask, as t he measures must be based on similar assumpt ions and be
defined in t he same manner. The purpose of t his t hesis is t o illust rat e a basic met hodology for risk analysis,
e.g. in building fires. Simple t reat ment of t he t erm risk is t herefore emphasised.

I ndividual Risk
The individual risk is defined as t he risk t o which any part icular occupant is subj ect ed at on t he locat ion
defined by t he scenario. I f an occupant is inside a building, he or she will be subj ect ed t o a risk in t erms of
t he hazard frequency. The individual risk is usually expressed in t erms of a probabilit y per year of being
subj ect ed t o an undesired event , i.e. t he hazard, considering all subscenarios.

Societal Risk
The societ al risk is concerned wit h t he risk of mult iple fat alit ies. I n t his case, not only t he probabilit y t hat t he
subscenario leads t o t he unwant ed event is considered, but also t he number of people subj ect ed t o t he
hazard. People are t reat ed as a group wit h no considerat ion given t o individuals wit hin t he group, and t he
risk is defined from t he societ al point of view. The societ al risk is oft en described by t he exceedance curve of
t he probabilit y of t he event and t he consequences of t hat event in t erms of t he number of deat hs. This
curve is known as t he Frequency Number curve (FN curve) or risk profile. The curve shows t he probabilit y
(cumulat ive frequency) of consequences being worse t han a specified value on t he horizont al axis. This
measure of risk is of part icular int erest as official aut horit ies do not usually accept serious consequences,
even wit h low probabilit ies. Anot her form in which t he societ al risk can be expressed is as t he average
societ al risk measure, which is an aggregat ed form of t he Frequency Number curve. The average risk is
expressed in t erms of t he expect ed number of fat alit ies per year.

Standard Quantitative Risk Analysis
A quant it at ive risk analysis in safet y engineering should preferably be based on an event t ree descript ion of
t he scenarios. The problem can t hen be analysed in a st ruct ured manner. Considerat ion can be t aken of, for
example, t he reliabilit y of different inst allat ions, processes, facilit ies or human act ivit ies. The St andard
Quant it at ive Risk Analysis (QRA) is most frequent ly used in describing risk in t he process indust ries and in
infrast ruct ure applicat ions. I t has also been applied in t he area of fire safet y engineering, but as part of a
more comprehensive risk assessment of a syst em, for example safet y in railway t unnels. The St andard
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Quant it at ive Risk Analysis (QRA) is based on a high number of det erminist ic subscenario out come est imat es,
but t he met hod is st ill considered probabilist ic. When a large number of subscenarios are t reat ed, each wit h
it s individual probabilit y, t his will lead t o a probabilist ic measure of t he risk. The Frequency Number curve
can, t herefore, be seen as t he empirical complement ary cumulat ive dist ribut ion funct ion (CCDF) for t he
whole event t ree. I n t he St andard Quant it at ive Risk Analysis, t he consequences and probabilit ies of t he
scenarios can be examined individually or t oget her, as a syst em, depending on t he obj ect ive of t he analysis.
The idea of t riplet s is used t o give t he procedure a rat ional st ruct ure. Bot h individual risk and societ al risk
can be calculat ed using t his met hod. The most frequent t ype of risk analysis (St andard Quant it at ive Risk
Analysis) does not explicit ly include any uncert aint y analysis. To st udy t he influence of uncert aint ies in
branch probabilit ies or variables, an Ext ended Quant it at ive Risk Analysis must be performed.
One problem wit h t he St andard Quant it at ive Risk Analysis, when it is used in, for example, t he chemical
indust ry, is t he way it handles act ions t aken by people at t he t ime of t he accident . I f people are exposed t o
a hazardous condit ion t hey will most likely t ry t o leave t he area of danger. This is normally not addressed in
t he t radit ional procedures for a Quant it at ive Risk Analysis. The t radit ional St andard Quant it at ive Risk
Analysis, does not assume t hat people t ry t o evacuat e. This means t hat subscenarios in which people have
evacuat ed before unt enable condit ions have occurred, are also account ed for. The individual and societ al
risk in safet y engineering should not include subscenarios in which people have evacuat ed before unt enable
condit ions have occurred, even if t hese condit ions arise lat er in t he hazard development . This condit ion is a
consequence of t he limit st at e funct ion approach. I t means t hat t he safet y engineering risk measures will be
a bet t er predict ion of t he t rue risk as t hey consider people escaping t he hazard. This, however, introduces a
rest rict ion in t he risk measures compared wit h t radit ional Quant it at ive Risk Analysis. The safet y engineering
risk measures are based on t he condit ion of having a cert ain number of people present in t he hazard sit e
when t he harm st art s. For a small number of people being at t he locat ion, t hey may be able t o leave before
unt enable condit ions arise, and t his subscenario will not add t o t he risk. But if a higher number of people
were at t he same locat ion, some of t hem may not be able t o leave in t ime. This sit uat ion will t herefore
increase t he risk. The risk measure is t herefore dependent on t he number of people present at st art .

Uncertainty Analysis
I n every risk analysis t here are a number of variables which are of random charact er. This means t hat when
single det erminist ic values are used, as in t he St andard Quant it at ive Risk Analysis or in t he rout ine design
process, t here is no way knowing how reliable t he result s are. I n many engineering fields, hist orically
accept ed or calculat ed design values have been derived t o consider t he inherent uncert aint y. Using t hese
values result in a design wit h a specified risk level. I n t he area of safet y engineering, no such values are yet
available and much engineering design is based on subj ect ive j udgement and decisions made by t he
syst em’s archit ect . Values are t hen somet imes chosen on t he conservat ive side and sensit ivit y analysis is
performed t o ident ify import ant variables. A bet t er way of illuminat ing t he uncert aint y in t he result s, is t o
carry out an uncert aint y analysis in which t he variables are described by dist ribut ions inst ead of single
values. The variat ion or uncert aint y in a variable is described by it s probabilit y densit y funct ion (PDF). The
met hods present ed in t his sect ion are used t o propagat e t he uncert aint ies of each variable t hrough the limit
st at e funct ions t o result in an est imat e of t he j oint probabilit y densit y funct ion. The result will be expressed
as dist ribut ions of t he limit st at e funct ion G(X) or as confidence limit s of t he risk profile. The result s of t he
uncert aint y analysis can be used t o improve t he est imat ed risk measures, individual risk and societ al risk.
Depending on t he level of uncert aint y analysis t here is a dist inct ion bet ween how t he met hods can be used
and which are suit able for a specific t ask. Analysis can be performed on t wo levels:
(1) On a single subscenario described by one or more equat ions;
(2) On mult iple subscenarios described by an event t ree.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

The difference is, in principle, whet her analysis is carried out on one of t he subscenarios in t he event t ree or
if it considers t he whole event t ree. I n t he single subscenario analysis, t hree t ypes of met hods can be used:
(1) The analyt ical First Order Second Moment (FOSM) met hod;
(2) A numerical sampling met hod wit hout dist inct ion bet ween t he t ypes of uncert aint y;
(3) A numerical sampling met hod dist inguishing bet ween t wo t ypes of uncert aint y; st ochast ic uncert aint y
and knowledge uncert aint y.

The mult iple scenario analysis is more st raight forward and is basically an ext ension of t he St andard
Quant it at ive Risk Analysis procedure, but t he uncert aint y in t he variables is explicit ly considered. I t is
achieved by numerical sampling procedures. For bot h levels, t he descript ion of t he consequences employs
limit st at e funct ions in which bot h det erminist ic and random variables can be included.

The Single Subscenario
I n t his case, t he consequence limit st at e is described by one or more analyt ical equat ions in random
variables. The met hods det ermine how uncert aint ies in variables are propagat ed t hrough t he limit st at e
funct ions. Usually, only one equat ion is used t o represent t he consequences. The met hods result in t he
probabilit y (p
u,i
) which can be seen as t he probabilit y of failure of t he syst em described by t he analyt ical
equat ion. Probabilit y of failure is t he common t erm in st ruct ural reliabilit y analysis. The t erm failure is usually
equivalent t o t he case when t he load is higher t han t he st rengt h, i.e. generally expressed as G(X)< 0, where
G(X) represent s t he limit st at e funct ion. For evacuat ion scenarios, t his is equivalent t o t he escape t ime
exceeding t he available t ime. I f numerical sampling met hods are used det ailed informat ion is provided on
t he shape of t he result ing dist ribut ion. This means t hat probabilit ies ot her t han P(G(X)< 0) can be obt ained.
This informat ion can be used t o est imat e t he risk of mult iple fat alit ies for t his single subscenario. This is,
however, not common procedure as t he mult iple fat alit y risk is usually derived for t he whole scenario using
t he st andard or t he Ext ended Quant it at ive Risk Analysis t echnique. The analyt ical met hod does not provide
informat ion about t he probabilit y densit y funct ion (PDF) but has ot her advant ages. Apart from t he
probabilit y of failure, it provides informat ion on t he locat ion of t he so-called design point . The design point is
defined by a set of variable values which, when combined in t he limit st at e funct ion, result s in t he highest
probabilit y of failure. The analyt ical met hod can, t herefore, be used t o derive design values based on a
specified probabilit y of failure.

The Analytical Reliability I ndex Method
The reliabilit y index (|) met hod has been used ext ensively in t he area of st ruct ural engineering. I t has also
been applied t o ot her scient ific fields such as in public healt h assessment (Hamed, 1997) and in fire safet y
assessment (Magnusson et al. 1994 and Magnusson et al., 1995; 1997). I t is a supply-versus-demand-based
model and it provides informat ion about t he reliabilit y of t he syst em described by t he limit st at e funct ion.
The t erm reliabilit y is here defined as t he probabilist ic measure of performance and expressed in t erms of
t he reliabilit y index (|). As bot h t he supply and t he demand sides of t he problem are subj ect t o uncert aint y,
some sit uat ions may occur in which t he demand exceeds t he supply capacit y. This int roduct ion will be
limit ed t o t reat ing single limit st at e funct ion represent at ions of a single subscenario. When mult iple failure
modes are present , a similar slight ly modified met hodology can be used. The failure mode describes one
manner in which t he syst em can fail, i.e. when at least one person in a hazard locat ion is unable t o
evacuat e. I n each subscenario t he failure modes are described by t he limit st at e funct ions.
Let t he random variables be defined by supply capacit y (R), demand requirement (S), and t he safet y margin
(M) by,
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

S R M G ÷ = = [ 5.12]

The obj ect ive of t he analysis is t o det ermine t he reliabilit y of t he event R < S in t erms of t he probabilit y,

( )
i , u
p S R P = < [ 5.13]

I f t he probabilit y densit y funct ions of R and S are known and if R and S are st at ist ically independent , t he
probabilit y of failure of t he syst em may be derived as,

( ) ( ) ds s f s F p
S
0
R i , u
· · =
í
·
[ 5.14]

where F denot es t he cumulat ive dist ribut ion funct ion and f t he probabilit y densit y funct ion. I f t he variables R
and S are correlat ed, t he probabilit y of failure can be derived from t he j oint probabilit y densit y funct ion
f
R,S
(r, s). There are, however, only a few cases in which t he j oint probabilit y densit y funct ion can be derived
analyt ically. I n ot her cases it can be derived by numerical int egrat ion met hods or wit h Mont e Carlo sampling
t echnique. There is st ill a need for a simple met hod t o est imat e t he reliabilit y of syst ems described by one
limit st at e funct ion. One such met hod is t he First Order Second Moment (FOSM) met hod. The limit st at e
equat ion is approximat ed by a first order Taylor expansion and t he met hod uses t he t wo first moment s, i.e.
t he mean and t he st andard deviat ion. For design purposes, t he First Order Second Moment met hod can be
used on different levels, depending on t he amount of informat ion available. I n t he lit erat ure concerning t he
reliabilit y of st ruct ural safet y, four levels can be ident ified direct ly or indirect ly linked t o First Order Second
Moment met hods, Thoft -Christ ensen et al. (1982):
(1) Level 1 – Det erminist ic met hod, t he probabilit y of failure is not derived direct ly but t he reliabilit y is
expressed in t erms of one charact erist ic value and safet y fact ors or part ial coefficient s. This is normally
t he level at which design is carried out .
(2) Level 2 – The probabilit y of failure can be approximat ed by describing t he random variables wit h t wo
paramet ers, usually t he mean value and t he st andard deviat ion. No considerat ion is t aken of t he t ype of
dist ribut ion. This level is used when informat ion regarding t he st at ist ical dat a is limit ed and t he
knowledge regarding t he dist ribut ion t ype is lacking (First Order Second Moment met hod).
(3) Level 3 – Analysis on t his level considers t he t ype of random variable dist ribut ion. The “ t rue” probabilit y
of failure can be derived by numerical met hods. I f t he variables are normally or lognormally dist ribut ed,
noncorrelat ed and t he limit st at e funct ion is linear, exact analyt ical met hods are available. Ot herwise, t he
probabilit y of failure will be approximat ed.
(4) Level 4 – On t his level, economical aspect s are also considered in t he analysis in t erms of a cost -benefit
analysis. The analysis in t his t hesis will be execut ed on levels 2 and 3. Higher order levels can be used t o
validat e lower level met hods.

The following condensed present at ion of t he First Order Second Moment met hod will be limit ed t o a Level 2
analysis using a nonlinear limit st at e equat ion, for noncorrelat ed variables. Correlat ed variables and higher
order analysis levels can be t reat ed similarily and t he reader is referred t o more det ailed references (Thoft -
Christ ensen et al., 1982), (Ang et al., 1984) and (Madsen et al., 1986). The reliabilit y or measure of safet y is
defined by t he reliabilit y index (|). This cont ains informat ion regarding bot h t he mean value and t he
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
st andard deviat ion of t he safet y margin. There are different definit ions of t he reliabilit y index (|). The first
was int roduced by Cornell in t he lat e 1960s (Cornell, 1969). The mean and t he st andard deviat ion of t he
margin can be derived as,

S R M
u ÷ u = u [ 5.15]

and

2
S
2
R M
o + o = o [ 5.16]

The reliabilit y index (|) is defined by Cornell as,

M
M
o
u
= | [ 5.17]

Extended Quantitative Risk Analysis
The St andard Quant it at ive Risk Analysis (SQRA) is performed wit hout explicit ly considering t he uncert aint y
which is inevit ably present in each variable. I nst ead, t he variables are assigned values which, for example,
are on t he safe side, i.e. conservat ive est imat es which will cover t he credible worst cases. Ot her possible
values t hat can be used in t he St andard Quant it at ive Risk Analysis are t he most likely values. The result s
from such an analysis are usually present ed as a risk profile, at least for t he societ al risk measure, but such
profiles do not cont ain any informat ion on t he uncert aint y. I f one wishes t o know how cert ain t he calculat ed
risk profiles are t he uncert aint ies in t he variables involved must also be considered. To obt ain t his
informat ion, risk analysis, according t o t he St andard Quant it at ive Risk Analysis met hod, should be combined
wit h an uncert aint y analysis. Formalising t his met hodology result s in t he Ext ended Quant it at ive Risk Analysis
(EQRA). The Ext ended Quant it at ive Risk Analysis can be used t o express t he degree of credibilit y in t he
result ing median risk profile by complement ing t he profile wit h confidence bounds. Similarly, it is possible t o
st at e t he degree of accomplishment of defined goals, for example, expressed in t erms of t olerable risk levels
defined by societ y. The procedure for performing an Ext ended Quant it at ive Risk Analysis is similar to t hat for
t he St andard Quant it at ive Risk Analysis. As t he variables not are const ant but are expressed in t erms of
frequency dist ribut ions, t he propagat ion of uncert aint y must be modelled for all subscenarios
simult aneously. Simply, t he process can be seen as a St andard Quant it at ive Risk Analysis which is repeat ed
a large number of t imes. For each new it erat ion, t he variables are assigned new values according t o t he
frequency dist ribut ion. This result s in a new risk profile for each it erat ion, providing a family of risk profiles.
The family of risk profiles can be used t o describe t he uncert aint y inherent in t he result ing risk measure.
The t echnique employing quadriplet s can also be used for t he Ext ended Quant it at ive Risk Analysis. The
informat ion concerning t he st at e of knowledge of t he variables must be included in t he represent at ion of
bot h likelihood or probabilit y, exposure, consequences or loss crit icalit y and safet y level, i.e. bot h t he branch
probabilit y, exposure, loss crit icalit y and safet y level are subj ect t o uncert aint y. The societ al risk result ing
from t he Ext ended Quant it at ive Risk Analysis can be expressed in t erms of a family of risk profiles. I t is clear
t hat t he informat ion is very ext ensive. Therefore, alt ernat ive present at ion met hods may have t o be used in
order t o be able t o int erpret t he informat ion. A bet t er met hod is t o present t he societ al risk profiles in t erms
of t he median or mean risk profile and t o complement t hese wit h relevant confidence bounds. The
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
confidence int erval can, for example, be t he 80% int erval. The confidence limit s are const ruct ed from t he
family of risk profiles in t he following manner.
Uncert aint y is normally associat ed wit h bot h t he subscenario out come probabilit y and wit h t he descript ion of
t he subscenario consequence. I n defining t he bounds of t he analysis some of t hese uncert aint y variables
may be considered less import ant . Sit uat ions can occur where t he subscenario probabilit y (p
i
) can be t reat ed
as a det erminist ic value. This can be done if t hese probabilit ies are known t o a high degree of confidence. As
a consequence of t his t he ext ended analysis can be divided in t wo subcat egories depending on which
variables are assumed t o be random. The first subcat egory only considers t he uncert aint y in t he descript ion
of t he consequences and t reat s t he branch probabilit ies as det erminist ic values. When t he branch
probabilit ies are fixed bet ween each it erat ion t he probabilit ies do not change. The second subcat egory
considers t he uncert aint ies in bot h branch probabilit y and consequence. The t ot al uncert aint y in t he risk
profile will be increased by adding t he branchs of probabilit y, exposure, consequence, and safet y level. Bot h
subcat egories can, however, be seen as Ext ended Quant it at ive Risk Analysis procedures. I n t he same
manner as for t he St andard Quant it at ive Risk Analysis, t he average risk can be calculat ed. But as t he
variables are subj ect t o uncert aint y t he average risk will also be subj ect t o uncert aint y and will consequent ly
be present ed as a dist ribut ion. Each it erat ion will generat e one sample of t he average. These average risk
values will form t he dist ribut ion of t he average risk.
When a risk analysis is combined wit h an uncert aint y analysis, it is possible t o consider t he uncertaint y in t he
individual risk measure. Some combinat ions of t he variables used t o derive t he consequence in a
subscenario will lead t o condit ions result ing in fat alit ies or blocked escape rout es. Similarly, due t o
randomness, some subscenarios will not always cont ribut e t o t he individual risk measure. Therefore, t here
will be a degree of uncert aint y in t he individual risk originat ing from variable uncert aint y. The individual risk
result ing from t he Ext ended Quant it at ive Risk Analysis can be expressed in t erms of a dist ribut ion, for
example a cumulat ive dist ribut ion funct ion (CDF), inst ead of j ust one single value. The cumulat ive
dist ribut ion funct ion (CDF) can be condensed int o a more easily comparable single value, st ill including
informat ion regarding t he uncert aint y. The dist ribut ion shows, however, t he uncert aint y in individual risk in a
more complet e manner. The condensed individual risk single value can be obt ained as t he mean value from
t he dist ribut ion of individual risk.


I I D DE EN NT TI I F FY YI I N NG G T TH HE E R RI I S SK KS S
The ident ificat ion of risks is best done by means of a brainst orming. The purpose of t he brainst orming
should be purely t he ident ificat ion of risks, and a descript ion of t hem in clear and unambiguous language.
There should be no at t empt t o quant ify risks at t his point , ot her t han invit ing t he group t o consider t he
likelihood of occurrence, t he exposure t o t he hazard, t he consequences (loss crit icalit y) of each out come,
and t he safet y level for each risk. Bot h of t hese should be graded on a scale from negligible t o high or very
high, and t hese assessment s are used t o priorit ise t he quant ificat ion of t he risks lat er in t he process. We
recommend t hat numerically quant ifying t he risks is not done at t he same t ime as ident ifying risks because
quant ificat ion is a complicat ed process, and care must be t aken t o ensure t hat expert s form t heir own views
aft er some t hought . There is a danger t hat t he group dynamics can give rise t o a conformist of point of
view, and t hus a simplificat ion of t reat ment and underest imat ion of t he level of risk. This is part icularly t he
case if t he quant ificat ion is done wit hout sufficient preparat ion and foret hought , and t oo early in t he
process. The ident ificat ion of risks is less prone t o t hese problems, and t he creat ive benefit s of group work
out weigh t he dangers. I n select ing who should at t end, it is oft en a good idea t o choose t hose individuals
who will help in quant ifying t he risks in t he next phase. Also, in order t o achieve buy-in t o t he risk analysis, it
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
can also be helpful t o include t hose t o whom t he final out put report is direct ed, e.g. senior managers, in at
least one session. Some ideas as t o who might be involved are given below:
(1) Const ruct ion expert s, such as archit ect s, designers, and quant it y surveyors;
(2) Proj ect managers;
(3) Operat ional managers;
(4) Technical consult ant s, where specific t echnical issues are relevant ;
(5) Financial and legal advisors;
(6) The risk analyst .

Before beginning t he risk ident ificat ion, it is useful t o explain clearly what t he purpose of t he exercise is, how
t he risks will be used and t he opport unit ies t hat t he part icipant s will have t o review and modify t he out put
from t he session. A useful t ool t o help st ruct ure t he t hinking is a list of t ypical risks t o which the proj ect may
be exposed. There are a number of issues t hat should be borne in mind during t he quant ificat ion process,
namely:
(1) The nat ure of t he variables;
(2) The dangers of double count ing risks;
(3) The danger of missing import ant risks out ;
(4) The inclusion or not of rare event s.

T TH HE EO OR RE ET TI I C CA AL L B BA AC CK KG GR RO OU UN ND D T TO O Q QU UA AN NT TI I F FY YI I N NG G R RI I S SK KS S
Which dist ribut ion is appropriat e? A probabilit y dist ribut ion describes t he probabilit y t hat a variable will have
a given value or occur wit hin a given range. There are t hree ways of classifying probabilist ic risk
dist ribut ions:
(1) Cont inuous or discret e – Smoot h profiles, in which any value wit hin t he limit s can occur, are described
as cont inuous, whereas if t he variable can only represent discret e it ems, for example t he number of
warehouses in use, a discret e dist ribut ion is more appropriat e;
(2) Bounded or unbounded – Unbounded dist ribut ions ext end t o minus infinit y or plus infinit y, for example a
normal dist ribut ion. Alt hough t his can appear ridiculous, t he act ual probabilit y of a value lying a large
dist ance from t he mean may be vanishingly small;
(3) Paramet ric or non-paramet ric – A paramet ric dist ribut ion is one t hat has been t heoret ically derived, for
example an exponent ial dist ribut ion, aft er making assumpt ions about t he nat ure of t he process t hat is
being modelled. Nonparamet ric dist ribut ions are t hose t hat have been art ificially creat ed, for example
t riangular dist ribut ions.

I f hist orical empirical dat a are available for a variable, t hese can be analysed t o det ermine t he correct
dist ribut ion t o represent t he uncert aint y in t he variable. Essent ially t here are t wo approaches t o using
hist orical dat a:
(1) Fit t ing an empirical dist ribut ion, in which t he hist ogram of t he empirical dat a is it self used as t he
probabilit y dist ribut ion;
(2) Fit t ing a t heoret ical dist ribut ion, a dist ribut ion, such as normal, is used t o represent t he dat a. The
paramet ers t hat describe t he dist ribut ion (for example, t he mean and st andard deviat ion for a normal)
must t hen be det ermined from t he dat a. There are various sophist icat ed st at ist ical t echniques for doing
t his, which are beyond t he scope of t his document .

Hist orical dat a about a variable are very useful, and using t hem would seem t o provide a more accurat e
assessment of t he uncert aint y t han asking for expert opinion. However, caut ion should be exercised when
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
doing t his: t he implicit assumpt ion made when using hist orical dat a is t hat t he fut ure will cont inue in t he
same way t hat t he past has. I n cont rast t o t he use of dat a t o det ermine t he dist ribut ion, we oft en rely on
expert opinion t o describe t he uncert aint y. I n t hese cases, it is normal t o use non-paramet ric dist ribut ions
alt hough t hey are rarely t heoret ically j ust ified, t heir simplicit y and immediat e int uit ie nat ure, t oget her wit h
t heir flexibilit y, oft en make t hem t he most appropriat e choice.

What is Correlation?
Some risks are mut ually independent : t he occurrence of eit her is independent of t he occurrence of t he
ot her. Ot hers are correlat ed: t hat is, t he st at e of one variable gives us informat ion about t he likely
occurrence of anot her. A frequent error in uncert aint y and risk analysis is t o ignore t he correlat ion bet ween
risks. This result s in an under-est imat ion of t he overall level of risk. I t can also result in scenarios arising t hat
could not in pract ice occur. Correlat ion can result from one variable being direct ly influenced by anot her.
Correlat ion is one of t he most difficult aspect s of t he quant ificat ion of risk. I t is quant ified t hrough t he
correlat ion coefficient (r) which can vary bet ween -1 and + 1 depending upon t he level of correlat ion. Three
import ant values of t he correlat ion coefficient are:
(1) r = + 1 signifies t hat t wo variables are perfect ly posit ively correlat ed, in ot her words t he t wo variables
always move t oget her;
(2) r = 0 signifies t hat t he t wo variables are complet ely independent ;
(3) r = -1 represent s perfect negat ive correlat ion, where t he t wo variables always move in opposit e
direct ions.

The exact definit ion of correlat ion is complicat ed, and indeed t here are many of t hem. The t wo most
common are t he Pearson's and rank order correlat ion coefficient s. The Pearson's correlat ion coefficient is a
measure of t he degree of linearit y bet ween t wo variables, or t he amount of scat t er if one variable was
plot t ed against anot her. I n ot her words a correlat ion coefficient of + 1 means not only t hat t wo variables
move t oget her, but also t hat t hey move t oget her linearly. The disadvant age of Pearson's correlat ion
coefficient is t hat if t he relat ionship is nonlinear, it does not work. I f one variable is always t he square of
anot her, we would expect t here t o be a correlat ion (bot h variables always move t oget her). This problem is
addressed by using rank order correlat ion. I n rank order correlat ion, t he t wo variables are ranked. I t is t he
Pearson's correlat ion coefficient of t he t wo rankings t hat are t hen compared. There is an import ant
dist inct ion bet ween correlat ion and dependency. An example of dependency is where one event can only
occur provided anot her has. This should not be modelled as a 100% posit ive correlat ion, as t his makes t he
addit ional assumpt ion t hat if t he first should occur, t he second will definit ely occur.

Separating Risks Out
A key t echnique in get t ing t o a more accurat e quant ificat ion of risk is known as disaggregat ion. This means
separat ing risks out int o logical (uncorrelat ed) component s. This has t he advant age of making t he overall
result less dependent upon on t he est imat e of one crit ical component . I f, aft er some preliminary risk
analysis, t he overall level of risk is found t o be overwhelmingly dependent on one or t wo risk element s,
where possible t hese should be separat ed out int o component s I t is useful t o remember when doing t his
t hat t he t ot al variance, or st andard deviat ion (t he dispersion around t he mean) squared, of a number of
uncorrelat ed variables is given by t he sum of t he individual variances. This is useful as a check on t he order
of magnit ude of t he combined effect of t he disaggregat ed risks; t here is a danger in disaggregat ion t hat
when t he risks are recombined t he size of t he t ot al risk can be very different t o t he original risk t hat was
disaggregat ed. I f t his is t he case, it is necessary t o underst and why it has happened, and det ermine which
approach is t he most valid represent at ion of t he uncert aint y.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
T TH HE E E EX XP PR RE ES SS SI I O ON N O OF F U UN NC CE ER RT TA AI I N NT TY Y I I N N R RI I S SK K M ME EA AS SU UR RE EM ME EN NT T
This document is primarily concerned wit h t he expression of uncert aint y in t he measurement of a well-
defined physical quant it y – t he measurand – t hat can be charact erized by an essent ially unique value. I f t he
phenomenon of int erest can be represent ed only as a dist ribut ion of values or is dependent on one or more
paramet ers, such as t ime, t hen t he measurands required for it s descript ion are t he set of quant it ies
describing t hat dist ribut ion or t hat dependence. This t ext is also applicable t o evaluat ing and expressing t he
uncert aint y associat ed wit h t he concept ual design and t heoret ical analysis of experiment s, met hods of
measurement , and complex component s and syst ems. Because a measurement result and it s uncert aint y
may be concept ual and based ent irely on hypot het ical dat a, t he t erm “ result of a measurement ” as used in
t his t ext should be int erpret ed in t his broader cont ext . This document provides general rules for evaluat ing
and expressing uncert aint y in measurement rat her t han det ailed, t echnology-specific inst ruct ions. Furt her, it
does not discuss how t he uncert aint y of a part icular measurement result , once evaluat ed, may be used for
different purposes, for example, t o draw conclusions about t he compat ibilit y of t hat result wit h ot her similar
result s, t o est ablish t olerance limit s in a manufact uring process; or t o decide if a cert ain if a cert ain course of
act ion may be safely undert aken. I t may t herefore be necessary t o develop part icular st andards t hat deal
wit h t he problems peculiar t o specific fields of measurement or wit h t he various uses of quant it at ive
expressions of uncert aint y.
The word “ uncert aint y” means doubt , and t hus in it s broadest sense “ uncert aint y of measurement ” means
doubt about t he validit y of t he result of a measurement . Because of t he lack of different words for t his
general concept of uncert aint y and t he specific quant it ies t hat provide quant it at ive measures of t he concept ,
for example, t he st andard deviat ion, it is necessary t o use t he word “ uncert aint y” in t hese t wo different
senses. The formal definit ion of t he t erm “ uncert aint y of measurement ” developed for use in t his document
is as follows: uncert aint y (of measurement ) paramet er
1
, associat ed wit h t he result of a measurement , t hat
charact erizes t he dispersion of t he values t hat could reasonably be at t ribut ed t o t he measurand. The
definit ion of uncert aint y of measurement given above is an operat ional one t hat focuses on t he
measurement result and it s evaluat ed uncert aint y. However, it is not inconsist ent wit h ot her concepts of
uncert aint y of measurement , such as:
(1) A measure of t he possible error in t he est imat ed value of t he measurand as provided by t he result of a
measurement ;
(2) An est imat e charact erizing t he range of values wit hin which t he t rue value of a measurand lies.

Alt hough t hese t wo t radit ional concept s are valid as ideals, t hey focus on unknowable quant it ies: t he “ error”
of t he result of a measurement and t he “ t rue value” of t he measurand (in cont rast t o it s est imat ed value),
respect ively. Nevert heless, whichever concept of uncert aint y is adopt ed, an uncert aint y component is always
evaluat ed using t he same dat a and relat ed informat ion.

Basic Concepts
The obj ect ive of a measurement is t o det ermine t he value of t he measurand, t hat is, t he value of t he
part icular quant it y t o be measured. A measurement t herefore begins wit h an appropriat e specificat ion of t he

1
Uncert aint y of measurement comprises, in general, many component s. Some of t hese component s may be evaluat ed f rom t he
st at ist ical dist ribut ion of t he result s of series of measurement s and can be charact erized by experiment al st andard deviat ions. The ot her
component s, which also can be charact erized by st andard deviat ions, are evaluat ed f rom assumed probabilit y dist ribut ions based on
experience or ot her inf ormat ion. I t is underst ood t hat t he result of t he measurement is t he best est imat e of t he value of t he
measurand, and t hat all component s of uncert aint y, including t hose arising f rom syst emat ic ef f ect s, such as component s associat ed
wit h correct ions and ref erence st andards, cont ribut e t o t he dispersion.

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
measurand, t he met hod of measurement , and t he measurement procedure. I n general, t he result of a
measurement is only an approximat ion or est imat e of t he value of t he measurand and t hus is complet e only
when accompanied by a st at ement of t he uncert aint y of t he est imate. I n pract ice, t he required specificat ion
or definit ion of t he measurand is dict at ed by t he required accuracy of measurement . The measurand should
be defined wit h sufficient complet eness wit h respect t o t he required accuracy so t hat for all pract ical
purposes associat ed wit h t he measurement it s value is unique. I t is in t his sense t hat t he expression “ value
of t he measurand” is used in t his document . I n many cases, t he result of a measurement is det ermined on
t he basis of series of observat ions obt ained under repeat abilit y condit ions. Variat ions in repeat ed
observat ions are assumed t o arise because influence quant it ies t hat can affect t he measurement result are
not held complet ely const ant . The mat hemat ical model of t he measurement t hat t ransforms t he set of
repeat ed observat ions int o t he measurement result is of crit ical import ance because, in addit ion t o t he
observat ions, it generally includes various influence quant it ies t hat are inexact ly known. This lack of
knowledge cont ribut es t o t he uncert aint y of t he measurement result , as do t he variat ions of t he repeat ed
observat ions and any uncert aint y associat ed wit h t he mat hemat ical model it self.

Errors, Effects, and Corrections
I n general, a measurement has imperfect ions t hat give rise t o an error in t he measurement result .
Tradit ionally, an error is viewed as having t wo component s, namely, a random component and a syst emat ic
component . Random error
2
presumably arises from unpredict able or st ochast ic t emporal and spat ial
variat ions of influence quant it ies. The effect s of such variat ions, hereaft er t ermed random effect s, give rise
t o variat ions in repeat ed observat ions of t he measurand. Alt hough it is not possible t o compensat e for t he
random error of a measurement result , it can usually be reduced by increasing t he number of observat ions;
it s expect at ion or expect ed value is zero. Syst emat ic error, like random error, cannot be eliminat ed but it t oo
can oft en be reduced. I f a syst emat ic error arises from a recognized effect of an influence quant it y on a
measurement result , hereaft er t ermed a syst emat ic effect , t he effect can be quant ified and, if it is significant
in size relat ive t o t he required accuracy of t he measurement , a correct ion or correct ion fact or can be applied
t o compensat e for t he effect . I t is assumed t hat , aft er correct ion, t he expect at ion or expect ed value of t he
error arising from a syst emat ic effect is zero. The uncert aint y of a correct ion applied t o a measurement
result t o compensat e for a syst emat ic effect is not t he syst emat ic error, oft en t ermed bias, in t he
measurement result due t o t he effect as it is somet imes called. I t is inst ead a measure of t he uncert aint y of
t he result due t o incomplet e knowledge of t he required value of t he correct ion. The error arising from
imperfect compensat ion of a syst emat ic effect cannot be exact ly known. The t erms “ error” and “ uncert aint y”
should be used properly and care t aken t o dist inguish bet ween t hem. I t is assumed t hat t he result of a
measurement has been correct ed for all recognized significant syst emat ic effect s and t hat every effort has
been made t o ident ify such effect s.

Uncertainty in Measurement
The uncert aint y of t he result of a measurement reflect s t he lack of exact knowledge of t he value of t he
measurand. The result of a measurement aft er correct ion for recognized syst emat ic effect s is st ill only an
est imat e of t he value of t he measurand because of t he uncert aint y arising from random effect s and from

2
The experiment al st andard deviat ion of t he arit hmet ic mean or average of a series of observat ions is not t he random error of t he
mean, alt hough it is so designat ed in some publicat ions. I t is inst ead a measure of t he uncert aint y of t he mean due t o random ef f ect s.
The exact value of t he error in t he mean arising f rom t hese ef f ect s cannot be known. I n t his document , great care is t aken t o
dist inguish bet ween t he t erms “ error” and “ uncert aint y.” They are not synonyms, but represent complet ely dif f erent concept s; t hey
should not be conf used wit h one anot her or misused.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
imperfect correct ion of t he result for syst emat ic effect s. The result of a measurement (aft er correct ion) can
unknowably be very close t o t he value of t he measurand (and hence have a negligible error) even t hough it
may have a large uncert aint y. Thus t he uncert aint y of t he result of a measurement should not be confused
wit h t he remaining unknown error. I n pract ice, t here are many possible sources of uncert aint y in a
measurement , including:
(1) I ncomplet e definit ion of t he measurand;
(2) I mperfect realizat ion of t he definit ion of t he measurand;
(3) Nonrepresent at ive sampling – t he sample measured may not represent t he defined measurand;
(4) I nadequat e knowledge of t he effect s of environment al condit ions on t he measurement or imperfect
measurement of environment al condit ions;
(5) Personal bias in reading analogue inst rument s;
(6) Finit e inst rument resolut ion or discriminat ion t hreshold;
(7) I nexact values of measurement st andards and reference mat erials;
(8) I nexact values of const ant s and ot her paramet ers obt ained from ext ernal sources and used in t he dat a-
reduct ion algorit hm;
(9) Approximat ions and assumpt ions incorporat ed in t he measurement met hod
(10) And procedure;
(11) Variat ions in repeat ed observat ions of t he measurand under apparent ly ident ical condit ions.

These sources are not necessarily independent . Of course, an unrecognized syst emat ic effect cannot be
t aken int o account in t he evaluat ion of t he uncert aint y of t he result of a measurement but cont ribut es t o it s
error. Recommendat ion I NC-1 (1980) of t he Working Group on t he St at ement of Uncert aint ies groups
uncert aint y component s int o t wo cat egories based on t heir met hod of evaluat ion, “ A” and “ B” . These
cat egories apply t o uncert aint y and are not subst it ut es for t he words “ random” and “ syst emat ic”
3
. The
uncert aint y of a correct ion for a known syst emat ic effect may in some cases be obt ained by a “ Type A”
evaluat ion while in ot her cases by a “ Type B” evaluat ion, as may t he uncert aint y charact erizing a random
effect . The purpose of t he “ Type A” and “ Type B” classificat ion is t o indicat e t he t wo different ways of
evaluat ing uncert aint y component s and is for convenience of discussion only; t he classificat ion is not meant
t o indicat e t hat t here is any difference in t he nat ure of t he component s result ing from t he t wo t ypes of
evaluat ion. Bot h t ypes of evaluat ion are based on probabilit y dist ribut ions, and t he uncert aint y component s
result ing from eit her t ype are quant ified by variances or st andard deviat ions.
The est imat ed variance (u
2
) charact erizing an uncert aint y component obt ained from a Type A evaluat ion is
calculat ed from series of repeat ed observat ions and is t he familiar st at ist ically est imat ed variance (o
2
). The
est imat ed st andard deviat ion (u), t he posit ive square root of u
2
, is t hus u = o and for convenience is
somet imes called a “ Type A” st andard uncert aint y. For an uncert aint y component obt ained from a “ Type B”
evaluat ion, t he est imat ed variance o
u
2
is evaluat ed using available knowledge, and t he est imat ed st andard
deviat ion o
u
is somet imes called a “ Type B” st andard uncert aint y. Thus a “ Type A” st andard uncert aint y is
obt ained from a probabilit y densit y funct ion derived from an observed frequency dist ribut ion, while a “ Type
B” st andard uncert aint y is obt ained from an assumed probabilit y densit y funct ion based on t he degree of

3
I n some publicat ions uncert aint y component s are cat egorized as “ random” and “ syst emat ic” and are associat ed wit h errors arising
f rom random ef f ect s and known syst emat ic ef f ect s, respect ively. Such cat egorizat ion of component s of uncert aint y can be ambiguous
when generally applied. For example, a “ random” component of uncert aint y in one measurement may become a syst emat ic”
component of uncert aint y in anot her measurement in which t he result of t he f irst measurement is used as an input dat um. Cat egorizing
t he met hods of evaluat ing uncert aint y component s rat her t han t he component s t hemselves avoids such ambiguit y. At t he same t ime, it
does not preclude collect ing individual component s t hat have been evaluat ed by t he t wo dif f erent methods int o designat ed groups t o be
used f or a part icular purpose.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
belief t hat an event will occur (oft en called subj ect ive probabilit y). Bot h approaches employ recognized
int erpret at ions of probabilit y.
The st andard uncert aint y of t he result of a measurement , when t hat result is obt ained from t he values of a
number of ot her quant it ies, is t ermed combined st andard uncert aint y and denot ed by u
c
. I t is t he est imat ed
st andard deviat ion associat ed wit h t he result and is equal t o t he posit ive square root of t he combined
variance obt ained from all variance and covariance component s, however evaluat ed, using what is t ermed in
t his document t he law of propagat ion of uncert aint y. To meet t he needs of some indust rial and commercial
applicat ions, as well as requirement s in t he areas of healt h and safet y, an expanded uncert aint y (U) is
obt ained by mult iplying t he combined st andard uncert aint y u
c
by a coverage fact or (k)
4
. The int ended
purpose of expanded uncert aint y is t o provide an int erval about t he result of a measurement t hat may be
expect ed t o encompass a large fract ion of t he dist ribut ion of values t hat could reasonably be at t ribut ed t o
t he measurand. The choice of t he fact or k, which is usually in t he range 2 t o 3, is based on t he coverage
probabilit y or level of confidence required of t he int erval.

Practical Considerations
I f all of t he quant it ies on which t he result of a measurement depends are varied, it s uncert aint y can be
evaluat ed by st at ist ical means. However, because t his is rarely possible in pract ice due t o limit ed t ime and
resources, t he uncert aint y of a measurement result is usually evaluat ed using a mat hemat ical model of t he
measurement and t he law of propagat ion of uncert aint y. Thus implicit in t his document is t he assumpt ion
t hat a measurement can be modeled mat hemat ically t o t he degree imposed by t he required accuracy of the
measurement . Because t he mat hemat ical model may be incomplet e, all relevant quant it ies should be varied
t o t he fullest pract icable ext ent so t hat t he evaluat ion of uncert aint y can be based as much as possible on
observed dat a. Whenever feasible, t he use of empirical models of t he measurement founded on long-t erm
quant it at ive dat a, and t he use of check st andards and cont rol chart s t hat can indicat e if a measurement is
under st at ist ical cont rol, should be part of t he effort t o obt ain reliable evaluat ions of uncert aint y. The
mat hemat ical model should always be revised when t he observed dat a, including t he result of independent
det erminat ions of t he same measurand, demonst rat e t hat t he model is incomplet e. A well-designed
experiment can great ly facilit at e reliable evaluat ions of uncert aint y and is an import ant part of t he art of
measurement . I n order t o decide if a measurement syst em is funct ioning properly, t he experiment ally
observed variabilit y of it s out put values, as measured by t heir observed st andard deviat ion, is oft en
compared wit h t he predict ed st andard deviat ion obt ained by combining t he various uncert aint y component s
t hat charact erize t he measurement . I n such cases, only t hose component s (whet her obt ained from Type A
or Type B evaluat ions) t hat could cont ribut e t o t he experiment ally observed variabilit y of t hese output values
should be considered. Such an analysis may be facilit at ed by gat hering t hose component s t hat cont ribut e t o
t he variabilit y and t hose t hat do not int o t wo separat e and appropriat ely labeled groups.
I n some cases, t he uncert aint y of a correct ion for a syst emat ic effect need not be included in t he evaluat ion
of t he uncert aint y of a measurement result . Alt hough t he uncert aint y has been evaluat ed, it may be ignored
if it s cont ribut ion t o t he combined st andard uncert aint y of t he measurement result is insignificant . I f t he
value of t he correct ion it self is insignificant relat ive t o t he combined st andard uncert aint y, it t oo may be
ignored. I t oft en occurs in pract ice, especially in t he domain of legal met rology, t hat a device is t est ed
t hrough a comparison wit h a measurement st andard and t he uncertaint ies associat ed wit h t he st andard and
t he comparison procedure are negligible relat ive t o t he required accuracy of t he t est . I n such cases, because

4
The coverage f act or ( k) is always t o be st at ed, so t hat t he st andard uncert aint y of t he measured quant it y can be recovered f or use in
calculat ing t he combined st andard uncert aint y of ot her measurement result s t hat may depend on t hat quant it y.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
t he component s of uncert aint y are small enough t o be ignored, t he measurement may be viewed as
det ermining t he error of t he device under t est .
The est imat e of t he value of a measurand provided by t he result of a measurement is somet imes expressed
in t erms of t he adopt ed value of a measurement st andard rat her t han in t erms of t he relevant unit of t he
I nt ernat ional Syst em of Unit s (SI ). I n such cases t he magnit ude of t he uncert aint y ascribable t o t he
measurement result may be significant ly smaller t han when t hat result is expressed in t he relevant
I nt ernat ional Syst em of Unit s unit . I n effect , t he measurand has been redefined t o be t he rat io of t he value
of t he quant it y t o be measured t o t he adopt ed value of t he st andard.

Evaluating Standard Uncertainty
I n most cases a measurand (Y) is not measured direct ly, but is det ermined from ot her quant it ies (X
1
, X
2
,…,
X
n
) t hrough a funct ional relat ionship funct ion,

( )
n 2 1
X ,..., X , X f Y = [ 5.18]

The input quant it ies (X
1
, X
2
,…, X
n
) upon which t he out put quant it y (Y) depends may t hemselves be viewed
as measurands and may t hemselves depend on ot her quant it ies, including correct ions and correct ion fact ors
for syst emat ic effect s, t hereby leading t o a complicat ed funct ional relat ionship f t hat may never be writ t en
down explicit ly. Furt her, t he funct ional relat ionship (f) may be det ermined experiment ally or exist only as an
algorit hm t hat must be evaluat ed numerically. The funct ional relat ionship (f) as it appears in t his document
is t o be int erpret ed in t his broader cont ext , in part icular as t hat funct ion which cont ains every quant it y,
including all correct ions and correct ion fact ors, t hat can cont ribut e a significant component of uncert aint y t o
t he measurement result . Thus, if dat a indicat e t hat t he funct ional relat ionship (f) does not model t he
measurement t o t he degree imposed by t he required accuracy of t he measurement result , addit ional input
quant it ies must be included in funct ional relat ionship (f) t o eliminat e t he inadequacy. This may require
int roducing an input quant it y t o reflect incomplet e knowledge of a phenomenon t hat affect s t he measurand.
The set of input quant it ies (X
1
, X
2
,…, X
n
) may be cat egorized as:
(1) Quant it ies whose values and uncert aint ies are direct ly det ermined in t he current measurement . These
values and uncert aint ies may be obt ained from, for example, a single observat ion, repeat ed
observat ions, or j udgement based on experience, and may involve t he det erminat ion of correct ions t o
inst rument readings and correct ions for influence quant it ies, such as ambient t emperat ure, baromet ric
pressure, and humidit y;
(2) Quant it ies whose values and uncert aint ies are brought int o t he measurement from ext ernal sources,
such as quant it ies associat ed wit h calibrat ed measurement st andards, cert ified reference mat erials, and
reference dat a obt ained from handbooks.

An est imat e of t he measurand (Y) denot ed by y, is obt ained from equat ion (1) using input est imat es (x
1
,
x
2
,…, x
n
) for t he values of t he n quant it ies X
1
, X
2
,…, X
n
. Thus t he out put est imat e (y) which is t he result of
t he measurement is given by,

( )
n 2 1
x ,..., x , x f y = [ 5.19]

I n some cases t he est imat e y may be obt ained from,

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
( )
¯
=
+
· = u =
n
1 i
n 1 i i y
X ,..., X , X f
n
1
y [ 5.20]

That is, y is t aken as t he arit hmet ic mean or average of n independent det erminat ions Y
i
of Y, each
det erminat ion having t he same uncert aint y and each being based on a complet e set of observed values of
t he n input quant it ies X
i
obt ained at t he same t ime. The est imat ed st andard deviat ion associat ed wit h t he
out put est imat e or measurement result (y) t ermed combined st andard uncert aint y and denot ed by u
c
(y), is
det ermined from t he est imat ed st andard deviat ion associat ed wit h each input est imat e (x
i
), t ermed st andard
uncert aint y and denot ed by u(x
i
). Each input est imat e (x
i
) and it s associat ed st andard uncert aint y, u(x
i
), are
obt ained from a dist ribut ion of possible values of t he input quant it y (X
i
). This probabilit y dist ribut ion may be
frequency based, t hat is, based on a series of observat ions of X
i
, or it may be an a priori dist ribut ion. “ Type
A” evaluat ions of st andard uncert aint y component s are founded on frequency dist ribut ions while “ Type B”
evaluat ions are founded on a priori dist ribut ions. I t must be recognized t hat in bot h cases t he dist ribut ions
are models t hat are used t o represent t he st at e of our knowledge.

Type A Evaluation of Standard Uncertainty
I n most cases, t he best available est imat e of t he expect at ion or expect ed value (µ
q
) of a quant it y q t hat
varies randomly and for which n independent observat ions (q
i
) have been obt ained under t he same
condit ions of measurement , is t he arit hmet ic mean or average of t he n observat ions.

¯
=
· = u
n
1 i
i q
q
n
1
[ 5.21]

Thus, for an input quant it y (X
i
) est imat ed from n independent repeat ed observat ions (X
i,k
), t he arit hmet ic
mean (u
X
) obt ained is used as t he input est imat e (x
i
) t o det ermine t he measurement result y; t hat is, x
i
=
u
X
. The individual observat ions (q
i
) differ in value because of random variat ions in t he influence quant it ies,
or random effect s. The experiment al variance of t he observat ions, which est imat es t he variance (o
2
) of t he
probabilit y dist ribut ion of q, is given by,

( ) ( )
¯
=
u ÷ ·
÷
= u o
n
1 i
2
q i q
2
q
1 n
1
[ 5.22]

This est imat e of variance and it s posit ive square root o(u
q
), t ermed t he experiment al st andard deviat ion,
charact erize t he variabilit y of t he observed values (q
i
), or more specifically, t heir dispersion about t heir mean
(u
q
) . The best est imat e of t he variance of t he mean is given by,

( )
( )
n
q
i
2
q
2
o
= u o [ 5.23]

The experiment al variance of t he mean o
2
(u
q
) and t he experiment al st andard deviat ion of t he mean o(u
q
),
equal t o t he posit ive square root of o
2
(u
q
), quant ify how well u
q
est imat es t he expect at ion of q, and eit her
may be used as a measure of t he uncert aint y of u
q
. Thus, for an input quant it y (X
i
) det ermined from n
independent repeat ed observat ions (X
i,k
), t he st andard uncert aint y, u(x
i
), of it s est imat e (x
i
= X
i
) , is u(x
i
) =
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
o(X
i
), calculat ed according t o Equat ion [ 5.23] . For convenience, u
2
(x
i
) = o
2
(X
i
) and u(x
i
) = o(X
i
) are
somet imes called a “ Type A” variance and a “ Type A” st andard uncert aint y, respect ively. The number of
observat ions n should be large enough t o ensure t hat q provides a reliable est imat e of t he expect at ion µ
q
of
t he random variable q and t hat o
2
(u
q
) provides a reliable est imat e of t he variance (see Equat ion [ 5.23] ). I n
t his case, if t he probabilit y dist ribut ion of q is a normal dist ribut ion, t he difference is t aken int o account
t hrough t he t -dist ribut ion. Alt hough t he variance o
2
(u
q
) is t he more fundament al quant it y, t he st andard
deviat ion o(u
q
) is more convenient in pract ice because it has t he same dimension as q and a more easily
comprehended value t han t hat of t he variance.
I f t he random variat ions in t he observat ions of an input quant it y are correlat ed, for example, in t ime, t he
mean and experiment al st andard deviat ion of t he mean may be inappropriat e est imat ors of t he desired
st at ist ics. I n such cases, t he observat ions should be analysed by st at ist ical met hods specially designed t o
t reat a series of correlat ed, randomly-varying measurement s. Such specialized met hods are used t o t reat
measurement s of frequency st andards. However, it is possible t hat as one goes from short -t erm
measurement s t o long-t erm measurement s of ot her met rological quant it ies, t he assumpt ion of uncorrelat ed
random variat ions may no longer be valid and t he specialized met hods could be used t o t reat t hese
measurement s as well.

Type B Evaluation of Standard Uncertainty
For an est imat e (x
i
) of an input quant it y (X
i
) t hat has not been obt ained from repeat ed observat ions, t he
associat ed est imat ed variance u
2
(x
i
) or t he st andard uncert aint y u(x
i
) is evaluat ed by scient ific j udgement
based on all of t he available informat ion on t he possible variabilit y of Xi. The pool of informat ion may
include:
(1) Previous measurement dat a;
(2) Experience wit h or general knowledge of t he behaviour and propert ies of relevant mat erials and
inst rument s;
(3) Manufact urer’s specificat ions;
(4) Uncert aint ies assigned t o reference dat a t aken from handbooks.

For convenience, u
2
(x
i
) and u(x
i
) evaluat ed in t his way are somet imes called a “ Type B” variance and a
“ Type B” st andard uncert aint y, respect ively. When x
i
is obt ained from an a priori dist ribut ion, t he associat ed
variance is appropriat ely writ t en as u
2
(x
i
), but for simplicit y, u
2
(x
i
) and u(x
i
) are used t hroughout t his
document . I t should be recognized t hat a “ Type B” evaluat ion of st andard uncert aint y can be as reliable as a
“ Type A” evaluat ion, especially in a measurement sit uat ion where a “ Type A” evaluat ion is based on a
comparat ively small number of st at ist ically independent observat ions. The quot ed uncert aint y of x
i
is not
necessarily given as a mult iple of a st andard deviat ion. I nst ead, one may find it st at ed t hat t he quot ed
uncert aint y defines an int erval having a 90, 95, 95,45, 99 or 99,73 percent level of confidence. Unless
ot herwise indicat ed, one may assume t hat a normal dist ribut ion was used t o calculat e t he quot ed
uncert aint y, and recover t he st andard uncert aint y of x
i
by dividing t he quot ed uncert aint y by t he appropriat e
fact or for t he normal dist ribut ion. The fact ors corresponding t o t he above t hree levels of confidence are
1,645; 1,960; 2; 2,576; and 3.
For a normal dist ribut ion wit h expect at ion (µ) and st andard deviat ion (o), t he int erval µ±o encompasses
approximat ely 99,73 percent of t he dist ribut ion. Thus, if t he upper (µ+ o) and lower bounds (µ-o), define
99,73 percent limit s rat her t han 100 percent limit s, and X
i
can be assumed t o be approximat ely normally
dist ribut ed rat her t han t here being no specific knowledge about X
i
bet ween t he bounds, t hen we have,

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
( )
( )
9
x u
2
i
2
o ± u
= [ 5.24]

I t is import ant not t o “ double-count ” uncert aint y component s. I f a component s of uncert aint y arising from a
part icular effect is obt ained from a “ Type B” evaluat ion, it should be included as an independent component
of uncert aint y in t he calculat ion of t he combined st andard uncert aint y of t he measurement result only t o t he
ext ent t hat t he effect does not cont ribut e t o t he observed variabilit y of t he observat ions. This is because t he
uncert aint y due t o t hat port ion of t he effect t hat cont ribut es t o t he observed variabilit y is already included in
t he component of uncert aint y obt ained from t he st at ist ical analysis of t he observat ions. The discussion of
“ Type B” evaluat ion of st andard uncert aint y in is meant only t o be indicat ive. Furt her, evaluat ions of
uncert aint y should be based on quant it at ive dat a t o t he maximum ext ent possible.

Determining Combined Standard Uncertainty
This subclause t reat s t he case where all input quant it ies are independent . The st andard uncert aint y of y,
where y is t he est imat e of t he measurand Y and t hus t he result of t he measurement , is obt ained by
appropriat ely combining t he st andard uncert aint ies of t he input est imat es x
1
, x
2
,…, x
n
. This combined
st andard uncert aint y of t he est imat e y is denot ed by u
c
(y). The combined st andard uncert aint y u
c
(y) is t he
posit ive square root of t he combined variance (o
c
2
), which is given by,

( ) ( ) | |
¯
=
· =
n
1 i
2
i i
2
c
x u c y u [ 5.25]

where f is t he funct ion given in Equat ion [ 5.19] . Each u(x
i
) is a st andard uncert aint y evaluat ed as described
in t he “ Type A” uncert aint y evaluat ion or as in “ Type B” uncert ait y evaluat ion. The combined st andard
uncert aint y u
c
(y) is an est imat ed st andard deviat ion and charact erizes t he dispersion of t he values t hat could
reasonably be at t ribut ed t o t he measurand Y. When t he nonlinearit y of f is significant , higher-order t erms in
t he Taylor series expansion must be included in t he expression for u
c
2
(y).
The part ial derivat ives
i
x
f
c
c
are equal t o
i
X
f
c
c
evaluat ed at X
i
= x
i
. These derivat ives, oft en called sensit ivit y
coefficient s, describe how t he out put est imat e y varies wit h changes in t he values of t he input est imat es (x
1
,
x
2
,…, x
n
). I n part icular, t he change in y produced by a small change Ax
i
in input est imat e x
i
is given by,

i
i
i
x
x
f
y A ·
c
c
= A [ 5.26]

I f t his change is generat ed by t he st andard uncert aint y of t he est imat e (x
i
), t he corresponding variat ion in y
is
i
i
x
x
f
A ·
c
c
. The combined variance, u
c
2
(y), can t herefore be viewed as a sum of t erms, each of which
represent s t he est imat ed variance associat ed wit h t he out put est imat e (y) generat ed by t he est imat ed
variance associat ed wit h each input est imat e (x
i
). This suggest s writ ing Equat ion [ 5.26] as u
c
2
(y),

Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
( ) ( ) | | ( )
¯ ¯
= =
÷ · =
n
1 i
2
i
n
1 i
2
i i
2
c
y u x u c y u [ 5.27]

where

i
i
x
f
c
c
c
= [ 5.28]
St rict ly speaking, t he part ial derivat ives are
i i
X
f
x
f
c
c
=
c
c
evaluat ed at t he expect at ions of t he X
i
. However, in
pract ice, t he part ial derivat ives are est imat ed by,

n 2 1
x ,..., x , x
i i
X
f
x
f
c
c
=
c
c
[ 5.29]

I nst ead of being calculat ed from t he funct ion f (Equat ion [ 1] ), sensit ivit y coefficient s
i
x
f
c
c
are somet imes
det ermined experiment ally: one measures t he change in Y produced by a change in a part icular X
i
while
holding t he remaining input quant it ies const ant . I n t his case, t he knowledge of t he funct ion f (or a port ion of
it when only several sensit ivit y coefficient s are so det ermined) is accordingly reduced t o an empirical first -
order Taylor series expansion based on t he measured sensit ivit y coefficient s.

Correlated I nput Quantities
Equat ion [ 5.25] and t hose derived from it such is valid only if t he input quant it ies (X
i
) are independent or
uncorrelat ed (t he random variables, not t he physical quant it ies t hat are assumed t o be invariant s). I f some
of t he X
i
are significant ly correlat ed, t he correlat ions must be t aken int o account . When t he input quant it ies
are correlat ed, t he appropriat e expression for t he combined variance associat ed wit h t he result of a
measurement is,

( ) ( )
¯¯
= =
·
c
c
·
c
c
=
n
1 i
j i
n
1 j j i
2
c
x , x u
x
f
x
f
y u [ 5.30]

where x
i
and x
j
are t he est imat es of X
i
and X
j
and u(x
i
,x
j
) = u(x
j
,x
i
) is t he est imat ed covariance associat ed
wit h x
i
and x
j
. The degree of correlat ion bet ween x
i
and x
j
is charact erized by t he est imat ed correlat ion
coefficient ,

( )
( )
( ) ( )
j i
j i
j i
x u x u
x , x u
x , x r
·
= [ 5.31]

where -1 s r(xi, xj ) s + 1. I f t he est imat es x
i
and x
j
are independent , r(xi, xj ) = 0, and a change in one does
not imply an expect ed change in t he ot her. I n t erms of correlat ion coefficient s, which are more readily
int erpret ed t han covariances, t he covariance t erm of Equat ion [ 5.30] may be writ t en as,
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S

( ) ( ) ( )
j i
1 n
1 i
j i
n
1 j j j i
2
c
x , x r x , x u
x
f
x
f
2 y u · ·
c
c
·
c
c
· =
¯ ¯
÷
= + =
[ 5.32]


Consider t wo arit hmet ic means (u
q
) and (u
r
) t hat est imat e t he expect at ion of t wo randomly varying
quant it ies q and r, and let q and r be calculat ed from n independent pairs of simult aneous observat ions of q
and r made under t he same condit ions of measurement . Then t he covariance of q and r is est imat ed by,

( )
( )
( ) ( )
¯
=
u ÷ · u ÷ ·
÷ ·
= u u o
n
1 i
r i q i r q
r q
1 n n
1
, [ 5.33]

where q
i
and r
i
are t he individual observat ions of t he quant it ies q and r, and u
q
and u
r
are calculat ed from
t he observat ions. I f in fact t he observat ions are uncorrelat ed, t he calculat ed covariance is expect ed t o be
near 0. Thus t he est imat ed covariance of t wo correlat ed input quant it ies X
i
and X
j
t hat are est imat ed by t he
means u(X
i
) and u(X
j
) det ermined from independent pairs of repeat ed simult aneous observat ions is given by
u(x
i
,x
j
) = o(X
i
,X
j
), wit h o(X
i
,X
j
) calculat ed according t o Equat ion [ 5.33] . This applicat ion of Equat ion [ 5.33] is
a “ Type A” evaluat ion of covariance. The est imat ed correlat ion coefficient of X
i
and X
j
is obt ained from t he
following equat ion,

( ) ( )
( )
( ) ( )
( )
( )
( )
( )
( )
j x i x
j x i x
j x i x
,
, r
u o · u o
u u o
= u u [ 5.34]

There may be significant correlat ion bet ween t wo input quant it ies if t he same measuring inst rument ,
physical measurement st andard, or reference dat um having a significant st andard uncert aint y is used in t heir
det erminat ion. For example, if a cert ain t hermomet er is used t o det ermine a t emperat ure correct ion required
in t he est imat ion of t he value of input quant it y X
i
, and t he same t hermomet er is used t o det ermine a similar
t emperat ure correct ion required in t he est imat ion of input quant it y X
i
, t he t wo input quant it ies could be
significant ly correlat ed. However, if X
i
and X
j
in t his example are redefined t o be t he uncorrect ed quant it ies
and t he quant it ies t hat define t he calibrat ion curve for t he t hermomet er are included as addit ional input
quant it ies wit h independent st andard uncert aint ies, t he correlat ion bet ween X
i
and X
j
is removed.
Correlat ions bet ween input quant it ies cannot be ignored if present and significant . The associat ed
covariances should be evaluat ed experiment ally if feasible by varying t he correlat ed input quant it ies, or by
using t he pool of available informat ion on t he correlat ed variabilit y of t he quant it ies in quest ion (Type B
evaluat ion of covariance). I nsight based on experience and general knowledge is especially required when
est imat ing t he degree of correlat ion bet ween input quant it ies arising from t he effect s of common influences,
such as ambient t emperat ure, baromet ric pressure, and humidit y. Fort unat ely, in many cases, t he effect s of
such influences have negligible int erdependence and t he affect ed input quant it ies can be assumed t o be
uncorrelat ed. However, if t hey cannot be assumed t o be uncorrelat ed, t he correlat ions t hemselves can be
avoided if t he common influences are int roduced as addit ional independent input quant it ies.



Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Determining Expanded Uncertainty
Recommendat ion I NC-1 (1980) of t he Working Group on t he St at ement of Uncert aint ies on which t his
document is based, advocat e t he use of t he combined st andard uncert aint y, u
c
(y), as t he paramet er for
expressing quant it at ively t he uncert aint y of t he result of a measurement . Alt hough u
c
(y) can be universally
used t o express t he uncert aint y of a measurement result , in some commercial, indust rial, and regulat ory
applicat ions, and when healt h and safet y are concerned, it is oft en necessary t o give a measure of
uncert aint y t hat defines an int erval about t he measurement result t hat may be expect ed t o encompass a
large fract ion of t he dist ribut ion of values t hat could reasonably be at t ribut ed t o t he measurand.

Expanded Uncertainty
The addit ional measure of uncert aint y t hat meet s t he requirement of providing an int erval of t he kind is
t ermed expanded uncert aint y and is denot ed by U. The expanded uncert aint y (U) is obt ained by mult iplying
t he combined st andard uncert aint y, u
c
(y), by a coverage fact or (k).

( ) y u k U
c
· = [ 5.35]

The result of a measurement is t hen convenient ly expressed as,

U y Y ± = [ 5.36]

which is int erpret ed t o mean t hat t he best est imat e of t he value at t ribut able t o t he measurand Y is y, and
t hat (y–U) t o (y+ U) is an int erval t hat may be expect ed t o encompass a large fract ion of t he dist ribut ion of
values t hat could reasonably be at t ribut ed t o Y. Such an int erval is also expressed as (y–U) s Y s (y+ U). The
t erms confidence int erval and confidence level have specific definit ions in st at istics and are only applicable t o
t he int erval defined by expanded uncert aint y when cert ain condit ions are met , including t hat all component s
of uncert aint y t hat cont ribut e t o u
c
(y) be obt ained from “ Type A” evaluat ions. Thus, in t his document , t he
word “ confidence” is not used t o modify t he word “ int erval” when referring t o t he int erval defined by
expanded uncert aint y (U); and t he t erm “ confidence level” is not used in connect ion wit h t hat int erval but
rat her t he t erm “ level of confidence” . More specifically, expanded uncert aint y is int erpret ed as defining an
int erval about t he measurement result t hat encompasses a large fract ion p of t he probabilit y dist ribut ion
charact erized by t hat result and it s combined st andard uncert aint y, and p is t he coverage probabilit y or level
of confidence of t he int erval. Whenever pract icable, t he level of confidence (p) associat ed wit h t he int erval
define by expanded uncert aint y (U) should be est imat ed and st at ed. I t should be recognized t hat multiplying
u
c
(y) by a const ant provides no new informat ion but present s t he previously available informat ion but
present s t he previously available informat ion in a different form. However, it should also be recognized t hat
in most cases t he level of confidence (especially for values of p near 1) is rat her uncert ain, not only because
of limit ed knowledge of t he probabilit y dist ribut ion charact erized by y and u
c
(y), part icularly in t he ext reme
port ions, but also because of t he uncert aint y of u
c
(y) it self.

Choosing A Coverage Factor
The value of t he coverage fact or (k) is chosen on t he basis of t he level of confidence required of t he int erval
(y–U) t o (y+ U). I n general, t he coverage fact or will be in t he range 2 t o 3. However, for special applicat ions
t he coverage fact or may be out side t his range. Ext ensive experience wit h and full knowledge of t he uses t o
which a measurement result will be put can facilit at e t he select ion of a proper value of t he coverage fact or
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
(k). I deally, one would like t o be able t o choose a specific value of t he coverage fact or (k) t hat would
provide an int erval,

( ) y u k y U y Y
c
· ± = ± = [ 5.37]

corresponding t o a part icular level of confidence (p) such as 95 or 99 percent ; equivalent ly, for a given value
of t he coverage fact or (k), one would like t o be able t o st at e unequivocally t he level of confidence associat ed
wit h t hat int erval. However, t his is not easy t o do in pract ice because it requires ext ensive knowledge of t he
probabilit y dist ribut ion charact erized by t he measurement result y and it s combined st andard uncert aint y,
u
c
(y). Alt hough t hese paramet ers are of crit ical import ance, t hey are by t hemselves insufficient for t he
purpose of est ablishing int ervals having exact ly known levels of confidence. Recommendat ion I NC-1 (1980)
does not specify how t he relat ion bet ween t he coverage fact or (k) and level of confidence (p) should be
est ablished. However, a simpler approach, is oft en adequat e in measurement sit uat ions where t he
probabilit y dist ribut ion charact erized by y and u
c
(y) is approximat ely normal and t he effect ive degrees of
freedom of u
c
(y) is of significant size. When t his is t he case, which frequent ly occurs in pract ice, one can
assume t hat t aking k = 2 produces an int erval having a level of confidence of approximat ely 95 percent , and
t hat t aking k = 3 produces an int erval having a level of confidence of approximat ely 99 percent .





























Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RE EL L I I A A B BI I L L I I T T Y Y

I n t oday's t echnological world nearly everyone depends upon t he cont inued funct ioning of a wide array of
complex machinery and equipment for t heir everyday healt h, safet y, mobilit y and economic welfare. We
expect our cars, comput ers, elect rical appliances, light s, t elevisions, and so on, t o funct ion whenever we
need t hem – day aft er day, year aft er year. When t hey fail t he result s can be cat ast rophic: inj ury, loss of life
and cost ly lawsuit s can occur. More oft en, repeat ed failure leads t o annoyance, inconvenience and a last ing
cust omer dissat isfact ion t hat can play havoc wit h t he responsible company's market place posit ion. I t t akes a
long t ime for a company t o build up a reput at ion for reliabilit y, and only a short t ime t o be branded as
“ unreliable” aft er shipping a flawed product . Cont inual assessment of new product reliabilit y and ongoing
cont rol of t he reliabilit y of everyt hing shipped are crit ical necessit ies in t oday's compet it ive business arena.
Accurat e predict ion and cont rol of reliabilit y plays an import ant role in t he profit abilit y of a product . Service
cost s for product s wit hin t he warrant y period or under a service cont ract are a maj or expense and a
significant pricing fact or. Proper spare part st ocking and support personnel hiring and t raining also depend
upon good reliabilit y fallout predict ions. On t he ot her hand, missing reliabilit y t arget s may invoke cont ract ual
penalt ies and cost fut ure business. Companies t hat can economically design and market product s t hat meet
t heir cust omers' reliabilit y expect at ions have a st rong compet it ive advant age in t oday's market place.
Somet imes equipment failure can have a maj or impact on human safet y and healt h. Aut omobiles, planes,
life support equipment , and power generat ing plant s are a few examples. From t he point of view of
“ assessing product reliabilit y” , we t reat t hese kinds of cat ast rophic failures no different ly from t he failure
t hat occurs when a key paramet er measured on a manufact uring t ool drift s slight ly out of specificat ion,
calling for an unscheduled maint enance act ion. I t is up t o t he reliabilit y engineer (and t he relevant
cust omer) t o define what const it ut es a failure in any reliabilit y st udy. More resource (t est t ime and t est
unit s) should be planned for when an incorrect reliabilit y assessment could negat ively impact safet y and
healt h.


F FA AI I L LU UR RE E O OR R H HA AZ ZA AR RD D R RA AT TE E
The failure rat e is defined for non repairable populat ions as t he (inst ant aneous) rat e of failure for t he
survivors t o t ime (t ) during t he next inst ant of t ime. I t is a rat e per unit of t ime similar in meaning t o reading
a car speedomet er at a part icular inst ant and seeing 60 Km/ h. The next inst ant t he failure rat e may change
and t he unit s t hat have already failed play no furt her role since only t he survivors count . The failure rat e (or
hazard rat e) is denot ed by h(t ) and calculat ed from,

( )
( )
( )
( )
( ) t R
t f
t F 1
t f
t h =
÷
= [ 6.01]

and it is t he inst ant aneous (condit ional) failure rat e. The failure rat e is somet imes called a “ condit ional
failure rat e” since t he denominat or 1÷F(t ), i.e. t he populat ion survivors, convert s t he expression int o a
condit ional rat e, given survival past t ime (t ). Since h(t ) is also equal t o t he negat ive of t he derivat ive of R(t ),

( )
( ) ( ) | |
dt
t R ln d
t h ÷ = [ 6.02]

T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
we have t he useful ident it y,
( ) ( )
|
|
.
|

\
|
· ÷ ÷ =
í
dt t h exp 1 t F
t
o
[ 6.03]

I f we let

( ) ( )
í
· =
t
0
dt t h t H [ 6.04]

be t he Cumulat ive Hazard Funct ion (CHF), we t hen have,

( ) ( ) | | t H exp 1 t F ÷ ÷ = [ 6.05]

One ot her useful ident it y t hat follow from t hese formulas is,

( ) ( ) | | t R ln t H ÷ = [ 6.06]

I t is also somet imes useful t o define an average failure rat e over any int erval t hat “ averages” t he failure rat e
over t hat int erval. This rat e, denot ed by AFR(t
1
; t
2
) is a single number t hat can be used as a specificat ion or
t arget for t he populat ion failure rat e over t hat int erval. I f t
1
is 0, it is dropped from t he expression. Thus, for
example, AFR(40,000) would be t he average failure rat e for t he populat ion over t he first 40,000 hours of
operat ion. The formulas for calculat ing AFR's are,

( )
( ) | | ( ) | |
1 2
2 1
1 2
t t
t R ln t R ln
t ; t AFR
÷
÷
= [ 6.07]

Proportional Hazards Model
The proport ional hazards model, proposed by Cox (1972), has been used primarily in medical t est ing
analysis, t o model t he effect of secondary variables on survival. I t is more like an accelerat ion model t han a
specific life dist ribut ion model, and it s st rengt h lies in it s abilit y t o model and t est many inferences about
survival wit hout making any specific assumpt ions about t he form of t he life dist ribut ion model. Let z = { x,
y,...} be a vect or of one or more explanat ory variables believed t o affect lifet ime. These variables may be
cont inuous (like t emperat ure in engineering st udies, or dosage level of a part icular drug in medical st udies)
or t hey may be indicat or variables wit h t he value one if a given fact or or condit ion is present , and zero
ot herwise. Let t he hazard rat e for a nominal (or baseline) set z
0
= { x
0
,y
0
,...} of t hese variables be given by
h
0
(t ), wit h h
0
(t ) denot ing legit imat e hazard funct ion (failure rat e) for some unspecified life dist ribut ion
model. The proport ional hazards model assumes we can writ e t he changed hazard funct ion for a new value
of z as,

( ) ( ) ( ) t h z g t h
0 z
· = [ 6.08]

I n ot her words, changing z, t he explanat ory variable vect or, result s in a new hazard funct ion t hat is
proport ional t o t he nominal hazard funct ion, and t he proport ionalit y const ant is a funct ion of z, g(z),
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
independent of t he t ime variable (t ). A common and useful form for f(z) is t he Log Linear Model which has
t he equat ion,

( )
x a
e x g
·
= [ 6.09]

for one variable, and t he following equat ion,

( )
y b x a
e y , x g
· + ·
= [ 6.10]

for t wo variables, et c.


S SA AF FE ET TY Y R RE EL LI I A AB BI I L LI I T TY Y
I mport ant fact ors in risk process and safet y syst em select ion and design are peformance and reliabilit y in
meet ing permit requirement s. Two approaches in risk process and safet y syst em select ion and design are
t he use of arbit rary safet y fact ors, and st at ist ical analysis of risk t reat ment , risk qualit y and t he probable
frequency of occurrence. The lat t er approach, t ermed t he reliabilit y concept , is preferred because it provides
a consist ent basis for analysis of uncert aint y and a rat ional basis for t he analysis of performance and
reliabilit y. The applicat ion of t he reliabilit y concept t o process select ion and design is based on mat erial
present e below. Reliabilit y of a safet y syst em may be defined as t he probabilit y of adequat e erformance for
at least a specified period of t ime under specified condit ions, or, in t erms of risk t reat ment , risk
performance, t he percent of t ime t hat risk performance meet t he permit requirement s. For each specific
case where t he reliabilit y concept is t o be employed, t he levels of reliabilit y must be evaluat ed, including t he
cost of safet y syst em maint enance required t o achieve specific levels of reliabilit y, associat ed sust aining and
maint enance cost s, and t he cost of adverse environment al effect s and risk impact s of a violat ion. Because of
t he variat ions in risk qualit y performance, a safet y syst em should be designed t o maint ained an average risk
value below t he permit requirement s.
The following quest ion arises: “ What mean value guarant ees t hat an risk value is consist ent ly less t han a
specified limit wit h a cert ain reliabilit y?” . The approach involves t he use of a coefficient of reliabilit y (.) t hat
relat es mean const it uint alues (or design values) t o t he st andard t hat must be achieved on aprobabilit y
basis. The mean risk est imat e value (u
x
) may be obt ained by t he relat ionship,

. · ; = u
s x
[ 6.11]

where ;
s
is a fixed st andard. The coefficient of reliabilit y is deermined by,

( ) ( )

+ · ÷ · + = .
o ÷
2
1
2
X 1
2
1
2
X
1 CV ln Z exp 1 CV [ 6.12]

where CV
x
is t he rat io of t he st andard deviat ion of exist ig dist ribut ion (o
x
) t o t he mean value of t he exist ing
dist ribut ion (u
x
), and is also t ermed t he coefficient of variat ion; Z
1-o
is t he number of st andard devit ions
away from mean of a normal dist ribut ion, 1÷o is t he cumulat ive probabilit y of occurrence (reliabilit y level).
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Values of Z
1-o
for various cumulat ive probabilit y levels (1÷o) are given in Table 6.01. Select ion of an
appropriat e design value of CV
x
must be based on experience from act ual risk or risk dat a published.

Table 6.01 – Values of st andardized normal dist ribut ion.

1÷o Z
1÷o

99.9 3.090
99.0 2.326
98.0 2.054
95.0 1.645
92.0 1.405
90.0 1.282
80.0 0.842
70.0 0.525
60.0 0.253
50.0 0.000





























Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
R RE EF FE ER RE EN N C CE ES S

@Risk, Risk analysis for spreadsheet s. Palisade Corp., Newfield, 1994.
ACGI H (ed), 1994-1995. Threshold limit values for chemical subst ances and physical agent s in t he work.
Environment al and biological exposure indices wit h int ended changes for 1994-1995.
AI ChE, 1994. Guidelines for prevent ing human error in process safet y. Cent er for Chemical Process Safet y,
New York.
AI ChE, 2000. Guidelines for chemical process risk analysis. Cent er for Chemical Process Safet y, New York.
American I ndust rial Hygiene Associat ion (AI HA). A st rat egy for occupat ional exposure assessment , edit ed by
N. C. Hawkins, S. K. Norwood and J. C. Rock. Akron: American I ndust rial Hygiene Associat ion, 1991.
Andersson, P. Evaluat ion and mit igat ion of indust rial fire hazards. Report 1015, Dept . of Fire Safet y Eng.,
Lund Universit y, Lund, 1997.
Ang, A.H-S., Tang, W.H. Probabilit y concept s in engineering planning and design, Volume 1 – Basic
principles. John Wiley & Sons, New York, 1975.
Ang, A.H-S., Tang, W.H. Probabilit y concept s in engineering planning and design, Volume 2 – Decision, risk
and reliabilit y. John Wiley & Sons, New York, 1984.
AS/ NZS 4360 2004. Risk management . Third Edit ion, St andards Aust ralia/ St andards New Zealand, Sydney,
Aust ralia, Wellingt on, New Zealand.
Ascher, H. (1981), Weibull dist ribut ion versus Weibull process, Proceedings Annual Reliabilit y and
Maint ainabilit y Symposium, pp. 426-431.
At t wood, D.A., Deeb, J.M. and Danz-Reece, M.E., 2004. Ergonomic solut ions for process indust ries. Gulf
Professional Publishing, Oxford.
August i, G., Barat t a, A., Casciat i, F. Probabilist ic met hods in st ruct ural engineering. Chapman and Hall,
London, 1984.
Bain, L.J. and Englehardt , M. (1991), St at ist ical analysis of reliabilit y and life-t est ing models: Theory and
met hods, 2nd ed., Marcel Dekker, New York.
Bare, N. K., 1978. I nt roduct ion t o fire science and fire prot ect ion. John Wiley and Sons, New York.
Barker, T. B. (1985), Qualit y by experiment al design. Marcel Dekker, New York, N. Y.
Barlow, R. E. and Proschan, F. (1975), St at ist ical t heory of reliabilit y and life t est ing, Holt , Rinehart and
Winst on, New York.
Baybut t , P., 1996. Human fact ors in process safet y and risk management : Needs for models, t ools and
t echniques. I nt ernat ional Workshop on Human Fact ors in Offshore Operat ions. US Mineral Management
Service, New Orleans, pp. 412-433.
BBR94, Boverket s Byggregler 1994. BFS 1993: 57 med ändringar BFS 1995: 17, Boverket , Karlskrona 1995.
Bellamy, L.J. et al., 1999. I -RI SK Development of an int egrat ed t echnical and management risk cont rol and
monit oring met hodology for managing and quant ifying on-sit e and off-sit e risks. Cont ract No. ENVA-CT96-
0243. Main Report .
Bley, D., Kaplan, S. and Johnson, D., 1992. The st rengt hs and limit at ions of PSA: Where we st and. Reliabilit y
Engineering and Syst em Safet y, 38: 3-26.
Blockley, D. The nat ure of st ruct ural design and safet y. Ellis Horwood Lt d Chichest er, 1980.
BNQP, 2005. Crit eria for performance excellence. I n: M.B.N.Q. Award (Edit or). American Societ y for Qualit y,
Milwaukee.
Brown, D. B., 1976. Syst ems analysis and design for safet y. Prent ice-Hall I nt ernat ional Series in I ndust rial
and syst ems Engineering, N. J.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
BSI Draft for development DD 240: Fire safet y engineering in buildings. Part 1: Guide t o t he applicat ion of
fire safet y engineering principles. Brit ish St andards I nst it ut ion, London 1997.
Bukowski, R.W. Engineering evaluat ion of building fire safet y performance. CI B W14 TG1, 1997.
Bukowski, R.W., Clarke I I I , F.B., Hall Jr, J.R., St eifel, S.W. Fire risk assessment met hod: Descript ion of
met hodology. Nat ional Fire Prot ect ion Research Foundat ion, Quincy, 1990.
Bukowski, R.W., Peacock, R.D., Jones, W.W., Forney, C.L. Technical reference guide for t he Hazard I fire
hazard assessment met hod. NI ST Handbook 146, Vol. I I . Nat ional I nst it ut e of St andards and Technology,
Gait hersburg, 1989.
Bureau I nt ernat ional des Poids et Measures et al., (ed.), 1993. Guide t o t he expression of uncert aint y in
measurement , 1st edit ion, Géneve: I nt ernat ional Organizat ion for St andardizat ion.
BureaunI nt ernat ional du Travail (ed.). Encyclopédie de médecine, hygiéne et sécurit é du t ravail, 4éme
edit ion en CD-ROM.
BVD (Brand-Verhüt ungs-Dienst für I ndust rie und Gewerbe), Fire risk evaluat ion – Edit ion B: The Gret ener
fire risk quant ificat ion met hod. Draft December 1979, Zürich 1980.
Chapanis, A.R., 1986. Human-fact ors engineering. The new Encyclopaedia Brit annica, 21. Encyclopaedia
Brit annica, Chicago.
Chart ers, D.A. Quant ified Assessment of Hospit al Fire Risks. Proc. I nt erflam 96, pp 641-651, 1996.
Chen, S.-J. and Hwang, C.-L., 1992. Fuzzy mult iple at t ribut e decision making. Springer- Verlag, Berlin.
Cornell, C.A. A Probabilit y-based st ruct ural code. ACI -Journ., Vol. 66, 1969.
Cot e, A. E. (ed.), 1987. Fire prot ect ion handbook, 18
t h
edit ion, NFPA, Quincy, Massachusset s.
Covello, V.T., Merkhofer, M.W. Risk assessment met hods, approaches for assessing healt h and
environment al risks. Plenum Press, New York, 1993.
Cox, A.M., Alwang, J. and Johnson, T.G., 2000. Local preferences for economic development out comes: An
applicat ion of t he analyt ical hierarchy procedure. Journal of Growt h and Change, Vol 31(I ssue 3 summer
2000): 341-366.
CPQRA, Guidelines for chemical process quant it at ive risk analysis. Cent er for Chemical Process Safet y of t he
American I nst it ut e of Chemical Engineers, New York, 1989.
Crow, L.H. (1974), Reliabilit y analysis for complex repairable syst ems, Reliabilit y and Biomet ry, F. Proschan
and R.J. Serfling, eds., SI AM, Philadelphia, pp 379-410.
Cullen, L., 1990. The public inquiry of int o t he piper alpha disast er, HMSO, London.
Davidsson, G., Lindgren, M., Met t , L. Värdering av risk (Evaluat ion of risk). SRV report P21-182/ 97, Karlst ad
1997.
Davies, J.C. 1996. Comparing environment al risks: Tools for set t ing government priorit ies. Resources for t he
Fut ure, Washingt on, DC.
DOD, 1997. MI L-STD-1472d Human engineering design crit eria for milit ary syst ems, Equipment and
Facilit ies. I n: D.o. Defence (Edit or).
Doughert y, E.M., 1990. Human reliabilit y analysis – Where shouldst t hou t urn? Journal of Reliabilit y
Engineering and Syst em Safet y, 29: 283-299.
Dykes, G.J., 1997. The Texaco incident . I n: H.-J. Ut h (Edit or), Workshop on Human Performance in
Chemical Safet y. Umwelt bundesamt , Munich.
Edwards, E., 1988. Human fact ors in aviat ion, I nt roduct ory Overview, San Diego, CA.
Einarsson, S., 1999. Comparison of QRA and vulnerabilit y analysis: Does analysis lead t o more robust and
resilient syst ems? Act a Polyt echnica Scandinavica Civil engineering and building const ruct ion series no. 114,
Espoo, Finland.
Embrey, D.E., 1983. The use of performance shaping fact ors and quant ified expert j udgement in t he
evaluat ion of human reliabilit y: An init ial appraisal, Brookhaven Nat ional Laborat ory.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Embrey, D.E., 1992. I ncorporat ing management and organisat ional fact ors int o probabilist ic safet y
assessment . Engineering & Syst em Safet y, Vol. 38(No. 1-2): 199-208.
Embrey, D.E., Humphreys, P., Rosa, E.A., Kirwan, B. and Rea, K., 1984. SLI M-MAUD: An approach t o
assessing human error probabilit ies using st ruct ured expert j udgement , Nuclear Regulat ory Commission,
Washingt on, DC.
EU, 1996. Council Direct ive 96/ 82/ EC (Seveso I I ) on cont rol of maj or accident hazards involving dangerous
subst ances. European Union.
Evans, D.D., St roup, D.W. Met hods of calculat ing t he response t ime of heat and smoke det ect ors inst alled
below large unobst ruct ed ceilings. NBSI R 85-3167, Nat ional Bureau of St andards, Gait hersburg, 1985.
FAA, 2004. Human Fact ors Awareness Course. www.hf.faa.gov/ webt raining/ index.ht m.
FEG, Fire engineering guidelines. Fire Code Reform Cent re, Sydney, 1996.
Ferry, T. S., 1988. Modern accident invest igat ion and analysis. John Wiley and Sons, New York.
Finney, D.J. Probit analysis. 3rd ed. Cambridge Universit y Press, Cambridge, 1971.
Firenze, R., 1971. Hazard Cont rol. Nat ional Safet y News, 104(2): 39-42.
Fischhoff, B. 1995. Risk percept ion and communicat ion unplugged: Twent y years of process. Risk Analysis
15: 137-145.
Fit zgerald, R. Risk analysis using t he engineering met hod for building fire safet y. WPI , Bost on, 1985.
Frant zich, H., Holmquist , B., Lundin, J., Magnusson, S.E., Rydén, J. Derivat ion of part ial safet y fact ors for
fire safet y evaluat ion using t he reliabilit y index | met hod. Proc. 5t h I nt ernat ional Symposium on Fire Safet y
Science, pp 667-678, 1997.
FULLER, W. A. (1987), Measurement error models. John Wiley and Sons, New York, N.Y.
Gärdenfors, P., Sahlin, N-E. Decision, probabilit y and ut ilit y. Select ed readings. Cambridge Universit y Press
Cambridge, 1986.
Goodst ein, L.P., Anderson, H.B. and Olsen, S.E., 1988. Tasks, errors and ment al models. Taylor and Francis,
Washingt on, DC.
Gough, J.D. 1991. Risk communicat ion: The implicat ions for risk management . I nformat ion Paper No. 33.
Cent re for Resource Management , Lincoln Universit y, Cant ebury, New Zealand.
Groeneweg, J., 2000. Prevent ing human error using audit s, Effect ive Safet y Audit ing, London.
Hacker, W., 1998. Algemeine Arbeit spsychologie – Psychische Regulat ion von Arbeit st aet igkeit en. Verlag
Hans Huber, Bern.
Hagiwara, I ., Tanaka, T. I nt ernat ional comparison of fire safet y provisions for means of escape. Proc. 4t h
I nt ernat ional Symposium on Fire Safet y Science, pp 633-644, 1994.
Hahn, G.J., and Shapiro, S.S. (1967), St at ist ical models in engineering, John Wiley & Sons, I nc., New York.
Haimes, Y.Y., Barry, T., Lambert , J.H., (ed). Edit orial t ext . Workshop proceedings “ When and How Can You
Specify a Probabilit y Dist ribut ion When You Don’t Know Much?” Risk Analysis Vol. 14, No. 5, pp 661-706,
1994.
Hamed, M.M., First -Order Reliabilit y Analysis of Public Healt h Risk Assessment . Risk Analysis, Vol. 17, No. 2,
pp 177-185, 1997.
Harms-Ringdahl, L., 2001. Safet y analysis. Principles and pract ice in occupat ional safet y. Taylor & Francis,
London.
Harris, R. L. (ed.), 2000. Pt t y’s indust rial hygiene, 5
t h
edit ion, Volume 4.
Hart zell, G.E., Priest , D.N., Swit zer, W.G. Modeling of t oxicological effect s of fire gases: Mat hemat ical
modeling of int oxicat ion of rat s by carbon monoxide and hydrogen cyanide. Journal of Fire Science Vol. 3,
No. 2, pp 115 - 128, 1985.
Hasofer, A.M., Lind, N.C. An exact and invariant first order reliabilit y format . Proc. ASCE, J Eng. Mech. Div.
1974.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Healt h and Safet y Execut ive (HSE). The t olerabilit y of risk from nuclear power st at ions. HMSO Publicat ions
Cent re, London, 1997.
Heinrich, H.W., Pet ersen, D. and Roos, N., 1980. I ndust rial accident prevent ion: A safet y management
approach. McGraw Hill, New York.
Helt on, J.C. Treat ment of uncert aint y in performance assessment for complex syst ems. Risk Analysis, Vol.
14, No. 4, 1994.
Helt on, J.C., Anderson, D.R., Mariet t a, M.G., Rechard, R.P. Performance assessment for t he wast e isolat ion
pilot plant : From regulat ion t o calculat ion for 40 CFR 191.13. Op. Res. Vol. 45, No. 2, pp157-177, 1997.
Hirschberg, H. and Dang, V.N., 1996. Crit ical operat or act ions and dat a issues, Task Report by Principal
Working Group 5. OECD/ NEA.
Hollnagel, E., 1998. CREAM – Cognit ive Reliabilit y and Error Analysis Met hod. Elsevier Science Lt d, Oxford.
Holmst edt , G., Kaiser, I . Brand i vårdbäddar. SP-RAPP 1983: 04 St at ens Provningsanst alt , Borås, 1983.
Hourt olou, D. and Salvi, O., 2004. ARAMI S Proj ect : Development of an int egrat ed accident al risk assessment
met hodology for indust ries in t he framework of SEVESO I I direct ive – ESREL 2004. I n: T. Bedford and
P.H.A.J.M.v. Gelder (Edit ors), pp. 829-836.
Hoyland, A., and Rausand, M. (1994), Syst em reliabilit y t heory, John Wiley & Sons, I nc., New York.
HSE, 1999. Reducing error and influencing behaviour. Healt h And Safet y Execut ive, Sudbury.
I LO, 2001. Guidelines on occupat ional safet y and healt h management syst ems, I nt ernat ional Labour Office,
Geneva.
I man, R.L., Helt on, J.C. An invest igat ion of uncert aint y and sensit ivit y analysis t echniques for comput er
models. Risk Analysis, Vol. 8, No. 1, 1988.
I nt egrat ing Human Fact ors int o Chemical Process Quant it at ive Risk Analysis 110. HSE, 2003. Organisat ional
change and maj or accident hazards. HSE I nformat ion sheet CHI S7.
I nt egrat ing Human Fact ors int o Chemical Process Quant it at ive Risk Analysis 112 Reason, J., 1990. Human
error. Cambridge Universit y Press, New York.
I nt ernat ional At omic Energy Agency (I AEA). Evaluat ing t he reliabilit y of predict ions made using
environment al t ransfer models, Safet y Series No. 100, Vienna, 1989.
I nt ernat ional Elect rot echnical Commission (I EC). I nt ernat ional St andard 60300-3-9, Dependabilit y
management – Part 3: Applicat ion guide – Sect ion 9: Risk analysis of t echnological syst ems, Genéve, 1995.
I SO 3534-1: 1993, St at ist ics – Vocabulary and symbols – Part 1: Probabilit y and general st at ist ical t erms,
I nt ernat ional Organizat ion for St andardizat ion, Geneva, Swit zerland.
I SO/ CD 13387 Commit t ee Draft , Fire safet y engineering. The applicat ion of fire performance concept s t o
design obj ect ives, I SO/ TC92/ SC4, 1997.
I SO/ CD 13388 Commit t ee Document , Fire safet y engineering. Design fire scenarios and design fires,
I SO/ TC92/ SC4, 1997.
I t oh, H., Mit omo, N., Mat suoka, T and Murohara, Y., 2004. an Ext ension of m-SHEL model for analysis of
human fact ors at ship operat ion, 3rd I nt ernat ional Conference on Collision and Groundings of Ships, I zu,
Japan, pp. 118-122.
Jeffreys, H. (1983), Theory of probabilit y, 3rd edit ion, Oxford Universit y Press , Oxford.
Joschek, H.I ., 1981. Risk assessment in t he chemical indust ry, Proceeding of t he I nt ernat ional Topical
meet ing on Probabilist ic Risk Assessment . American Nuclear Societ y, New York.
Kalbfleisch, J.D., and Prent ice, R.L. (1980), The st at ist ical analysis of failure dat a, John Wiley & Sons, I nc.,
New York.
Kandel, A. and Avni, E., 1988. Engineering risk and hazard assessment , Vol 1. CRC Press, Boca Rat on,
Florida.
Kaplan, S. The words of risk analysis. Risk Analysis, Vol. 17, No. 4, 1997.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Kaplan, S., Garrick, B.J. 1981. On t he quant it at ive definit ion of risk. Risk Analysis 1: 11-27.
Kaplan, S., Garrick, B.J. On The quant it at ive definit ion of risk. Risk Analysis, Vol. 1, No. 1, pp11-27, 1981.
Kariuki, S.G. and Löwe, K., 2005. I nt egrat ing human fact ors int o process hazard analysis. I n: k. Kolowrocki
(Edit or), Advances in Safet y and Reliabilit y. Taylor and Francis, Tri-Cit y pp. 1029-1035.
Kariuki, S.G. and Löwe, K., 2006. I ncreasing human reliabilit y in t he chemical process indust ry using human
fact ors t echniques. Process Safet y and Environment al Prot ect ion, 84(B3): 200-207.
Kawano, R., 2002. Medical Human Fact or Topics. Websit e:
ht t p: / / www.medicalsaga.ne.j p/ t epsys/ MHFT_t iics103.ht ml.
Kirwan, B., 1996. The validat ion of t hree human reliabilit y quant ificat ion t echniques – THERP, HEART and
JHEDI : Part 1 Journal of Applied Ergonomics, 27(6): 359 - 373.
Kleij nen, J.P.C. Sensit ivit y analysis, uncert aint y analysis, and validat ion: A survey of st at ist ical t echniques
and case st udies. I nt ernat ional Symposium on Sensit ivit y Analysis of Model Out put 95, 1995. Organised by
JRC I spra.
Klein, G., Ovasanu, J., Calderwood, R., Zsambok, C. Decision making in act ion: Models and met hods. Alex
Publishing Corp. Norwood, 1993.
Klet z, T.A., 1999. Hazop and Hazan – I dent ifying and assessing chemical indust ry hazards. I nst it ut ion of
Chemical Engineers, Rugby, UK.
Klet z, T.A., 2001. Learning from accident . Gulf Professional Publishing, Oxford, UK.
Klinke, A., Renn, O. 2002. A new approach t o risk evaluat ion and management : Risk-based, precaut ion-
based, and discourse-based st rat egies. Risk Analysis 22: 1071-1094.
Kovalenko, I .N., Kuznet sov, N.Y., and Pegg, P.A. (1997), Mat hemat ical t heory of reliabilit y of t ime dependent
syst ems wit h pract ical applicat ions, John Wiley & Sons, I nc., New York.
Löwe, K. and Kariuki, S.G., 2004a. Met hods for incorporat ing human fact ors during design phase, Loss
Prevent ion and Safet y Promot ion in t he Process I ndust ries. Loss Prevent ion Prague, pp. 5205-5215
Löwe, K. and Kariuki, S.G., 2004b. Berücksicht igung des Menschen beim Design verfahrenst echnischer
Anlagen, 5. Berliner Werkst at t Mensch-Maschine-Syst eme. VDI -Verlag, Berlin, pp. 88-103.
Löwe, K., Kariuki, S.G., Porcsalmy, L. and Fröhlich, B., 2005. Development and validat ion of a human fact ors
engineering. Guideline for Process I ndust ries Loss Prevent ion Bullet in (lpb)(I ssue 182): 9-14.
MacDonald LA, Karasek RA, Punnet t L, Scharf T (2001). Covariat ion bet ween workplace physical and
psychosocial st ressors: Evidence and implicat ions for occupat ional healt h research and prevent ion.
Ergonomics, 44: 696-718.
MacI nt osh, D.L., Sut er I I , G.W., Hoffman, F.O. Use of probabilist ic exposure models in ecological risk
assessment of cont aminat ed sit es. Risk Analysis, Vol. 14, No. 4, 1994.
Madsen, H.O., Krenk, S., Lind, N.C. Met hods of st ruct ural safet y. Prent ice-Hall, Englewood Cliffs, 1986.
Magnusson, S.E., Frant zich, H., Harada, K. Fire safet y design based on calculat ions: Uncert aint y analysis and
safet y verificat ion. Report 3078, Dept . of Fire Safet y Eng., Lund Universit y, Lund 1995.
Magnusson, S.E., Frant zich, H., Harada, K. Fire safet y design based on calculat ions: Uncert aint y analysis and
safet y verificat ion. Fire Safet y Journal Vol. 27, pp 305-334, 1997.
Magnusson, S.E., Frant zich, H., Karlsson, B., Särdqvist , S. Det erminat ion of safet y fact ors in design based on
performance. Proc. 4t h I nt ernat ional Symposium on Fire Safet y Science, pp 937- 948, 1994.
Malchaire J (2000). St rat egy for prevent ion and cont rol of t he risks due t o noise. Occupat ional and
Environment al Medicine, 57: 361-369.
Mann, N.R., Schafer, R.E. and Singpurwalla, N.D. (1974), Met hods for st at ist ical analysis of reliabilit y and life
dat a, John Wiley & Sons, I nc., New York.
Mart z, H.F., and Waller, R.A. (1982), Bayesian reliabilit y analysis, Krieger Publishing Company, Malabar,
Florida.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
McCaffert y, D.B., 1995. Successful syst em design t hrough int egrat ing engineering and human fact ors.
Process Safet y Progress, 14(2): 147-151.
McCone, T.E. Uncert aint y and variabilit y in human exposures t o soil cont aminant s t hrough home-grown
food: A Mont e Carlo assessment . Risk Analysis, Vol. 14, No. 4, 1994.
McLeod, R., 2004. Human Fact ors Assessment Model Validat ion St udy: Final Report .
McNab, W.B. 2001. Basic principles of risk management and decision analysis. Not es for employees of t he
Minist ry of Agricult ure, Food & Rural Affairs. Draft . Ont ario Minist ry of Agricult ure, Food & Rural Affairs,
Guelph, Canada. pp 1-16.
Meeker, W.Q., and Escobar, L.A. (1998), St at ist ical met hods for reliabilit y dat a, John Wiley & Sons, I nc.,
New York.
Meist er, D., 1966. Report No. AMLR-TR-67-88. Applicat ions of human reliabilit y t o t he product ion process.
I n: W.B. Askren (Edit or), Symposium on Human Performance in Work.
Meist er, D., 1977. Met hods of predict ing human reliabilit y in man-machine syst ems. I n: S. Brown and J.
Mart in (Edit ors), Human Aspect s of Man-Machine Syst ems. Open Universit y Press, Milt on Keynes, UK.
Morgan, G.M., Henrion, M. Uncert aint y – A guide t o dealing wit h uncert aint y in quant it at ive risk and policy
analysis. Cambridge Universit y Press, Cambridge, 1990.
Murphy, D.M., Pat é-Cornell, M.E., The SAM framework: Modeling t he effect s of management fact ors on
human behavior in risk analysis. Risk Analysis, Vol.16, No. 4, 1996.
NASA, 2002. Probabilist ic risk assessment procedures guide for NASA managers and pract it ioners. North
America Space Agency, Washingt on, D.C.
Nelson, H.E., Shibe, A.J. A syst em for fire safet y evaluat ion of healt h care facilit ies. NBSI R 78-1555, Nat ional
Bureau of St andards, Washingt on, 1980.
Nelson, H.E., Tu, K.M. Engineering analysis of t he fire development in t he hillhaven nursing home fire,
Oct ober 5, 1989.
NFPA 101M – Manual on alt ernat ive approaches t o life safet y. Nat ional Fire Prot ect ion Associat ion, Quincy
1987.
Nielsen, L., Sklet , S. and Oien, K., 1996. Use of risk analysis in t he regulat ion of t he norwegian pet roleum
indust ry, proceedings of t he probabilist ic safet y assessment int ernat ional t opical meet ing. American Nuclear
Societ y, I L, USA, pp. 756-762.
NI STI R 4665, Nat ional I nst it ut e of St andards and Technology, Gait hersburg, 1991.
NKB Draft . Teknisk vej ledning for beregningsmoessig eft ervisning af funkt ionsbest emt e brandkrav. NKB
Ut skot t s och arbej t srapport 1996: xx, Nordiska Kommit t én for byggbest ämmelser, NKB, 1997.
Norman, D.A., 1988. The psychology of everyday t hings. Basic Books, New York.
Not arianni, K.A. Measurement of room condit ions and response of sprinklers and smoke det ect ors during a
simulat ed t wo-bed hospit al pat ient room fire. NI STI R 5240. Nat ional I nst it ut e of St andards and Technology,
Gait hersburg, 1993.
NPD, 1992. Regulat ions concerning implement at ion and use of risk analysis in t he pet roleum act ivit ies wit h
guidelines, Norwegian Pet roleum Direct orat e.
NR, Nybyggnadsregler, BFS 1988: 18, Boverket , Karlskrona, 1989.
NUREG, 1983. PRA procedures guide – A guide t o performance of probabilist ic risk assessment s for nuclear
power plant s. U. S. Nuclear Regulat ion Commission, Washingt on, D.C.
NUREG, PEA Procedures guide: A guide t o t he performance of probabilist ic risk assessment for nuclear
power plant s, 2 vols. NUREG/ CR-2300, U.S. Nuclear Regulat ory Commission, Washingt on D.C., 1983.
O'Connor, P.D.T. (1991), Pract ical reliabilit y engineering, 3
rd
edit ion, John Wiley & Sons, I nc., New York.
Ozog, H., 1985. Hazard ident ificat ion, analysis and cont rol. Chemical Engineering Journal: 161-170.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Park, K. S., 1987. Human reliabilit y, analysis, predict ion and prevent ion of human errors. Advances in human
fact ors/ ergonomics. Elsevier, Amst erdam.
Pat e-Cornell, M.E., 1993. Learning from t he piper alpha accident : A post mort em analysis of t echnical and
organisat ional fact ors. Risk Analysis, 13(2): 215-232.
Paust enbach, D. J.: Occupat ional exposure limit s, pharmacokinet ics, and unusual work schedules. I n: Pat t y's
I ndust rial Hygiene and Toxicology, 3rd ed., Vol. I I I , Part A, edit ed by R. L. Harris, L. J. Cralley and L. V.
Cralley. New York: John Wiley & Sons, I nc. 1994. pp. 191-348.
Peacock, R.D., Jones, W.W., Forney, G.G., Port ier, R.W., Reneke, P.A., Bukowski, R.W., Klot e, J.H. An
updat e guide for Hazard I Version 1.2, NI STI R 5410, Nat ional I nst it ut e of St andards and Technology,
Gait hersburg, 1994.
Pet erson, D., 1978. Techniques of safet y management . McGraw-Hill Book, Co., New York.
Pit blado, R.M., Williams, J.C. and Slat er, D.H., 1990. Quant it at ive assessment of process safet y programs.
Plant and Operat ions Progress,, Vol 9(No. 3).
Press, S. J. (1989), Bayesian st at ist ics: Principles, models, and applicat ions. John Wiley and Sons, New York,
N.Y.
Prince MM, St ayner LT, Smit h RJ, Gilbert S J (1997). A re-examinat ion of risk est imat es from t he NI OSH
Occupat ional Noise and Hearing Survey (ONHS). Journal of t he Acoust ic Societ y of America, 101: 950-963.
PRI SM, 2004. I ncorporat ion of human fact ors in t he design process. ht t p: / / www.prism-net work.org.
Purser, D.A., Toxicit y assessment of combust ion product s. The SFPE Handbook of Fire Prot ect ion
Engineering. Nat ional Fire Prot ect ion Associat ion. 2nd ed. Quincy, 1995.
Quinlan M (2002). Workplace healt h and safet y effect s of precarious employment . I n t he Global
Occupat ional Healt h Net work Newslet t er, I ssue No. 2. World Healt h Organizat ion, Geneva.
Quint iere, J.G., Birky, M., McDonald, F., Smit h, G. An analysis of smouldering fires in closed compart ment s
and t heir hazard due t o carbon monoxide. NBSI R 82-2556, Nat ional Bureau of St andards, Washingt on, 1982.
Raj a S, Ganguly G (1983). I mpact of exposure t o noise on t he hearing acuit y of employees in a heavy
engineering indust ry. I ndian Journal of Medical Research, 78: 100-113.
Rasmussen, J., 1981. Models of ment al st rat egies in process st rat egies. I n: J. Rasmussen and W. Rouse
(Edit ors), Human Det ect ion and Diagnosis of Syst em Failures. Plenum Press, New York.
Rasmussen, J., 1983. Skills, rules and knowledge: signals, signs and symbols and ot her dist inct ions in
human performance models. I EEE Transcat ions on Syst ems, Man Cybernet ics, SMC, 3: 257-2666.
Reason, J. Human error. Cambridge Universit y Press, Cambridge, 1990.
Report 3085, Dept . of Fire Safet y Eng., Lund Universit y, Lund 1996.
Riihimäki H (1995a). Back and limb disorders. I n: Epidemiology of work relat ed diseases. McDonald C, ed.
BMJ Publishing Group, London.
Riihimäki H (1995b). Hands up or back t o work-fut ure challenges in epidemiologic research on
musculoskelet al diseases. Scandinavian Journal of Work, Environment and Healt h, 21: 401-403.
Roach S (1992). Healt h risks from hazardous subst ances at work – Assessment , evaluat ion and cont rol.
Pergamon Press, New York.
Rut st ein, R. The est imat ion of t he fire hazard in different occupancies. Fire Surveyor, Vol. 8, No. 2, pp 21-25,
1979.
Saat y, T.L. and Kearns, K.P., 1985. Analyt ic planning – The organizat ion of syst ems. I nt ernat ional Series in
Modern Applied Mat hemat ics and Comput er Science 7. Pergamon Press, Oxford, England.
Saat y, T.L., 1980. The analyt ic hierarchy process. McGraw-Hill, New York.
Saat y, T.L., 2000. Fundament als of decision making and priorit y t heory wit h t he analyt ic hierarchy process.
RWS Publicat ions, Pit t sburgh.
Sanders, M.M. and McCormick, E.J., 1993. Human fact ors in engineering and design. McGraw-Hill, NY.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
Sanderson, P.M. and Harwood, K., 1988. The skills, rules and knowledge classisficat ion: A discussion of it s
emergence and nat ure. I n: L.P. Goodst ein, H.B. Anderson and S.E. Olsen (Edit ors), Tasks, Errors and Ment al
Models. Taylor and Francis, Washingt on DC.
Schein, E.H., 1985. Organizat ional Cult ure and Leadership. Jossey-Bass, San Fransisco.
Shannon HS, Mayr J, Haines T (1997). Overview of t he relat ionship bet ween organizat ional and workplace
fact ors and inj ury rat es. Safet y Science, 26: 201-17.
Shannon HS, Walt ers V, Lewchuk W et al. (1996). Workplace organizat ional correlat es of lost -t ime accident
rat es in manufact uring. American Journal of I ndust rial Medicine, 29: 258-268.
Shields, T.J., Silcock, G.W., Dunlop, K.E. A met hodology for t he det erminat ion of code equivalency wit h
respect t o t he provision of means of escape. Fire Safet y Journal Vol. 19, pp 267-278, 1992.
Silverst ein BA, St et son DS, Keyserling WM, Fine LJ (1997). Work-relat ed musculoskelet al disorders:
comparison of dat a sources for surveillance. American Journal of I ndust rial Medicine, 31: 600-608.
Silverst ein BA, Viikari-Junt ura E, Kalat J (2002). Use of a prevent ion index t o ident ify indust ries at high risk
for work-relat ed musculoskelet al disorders of t he neck, back, and upper ext remit y in Washingt on st at e,
1990–1998. American Journal of I ndust rial Medicine, 41: 149-169.
Simpson M, Bruce R (1981) Noise in America: The ext ent of t he noise problem. (EPA Report No. 550/ 9-81-
101). Environment al Prot ect ion Agency, Washingt on, DC.
Sj öberg, L., Ogander, T. At t rädda liv - Kost nader och effekt er (To safe life-Cost s and effect s), Ds 1994: 14,
St ockholm 1994.
Snyder, H.L., 1973. I mage qualit y and observer performance. I n: L.M. Biberman (Edit or), Percept ion of
Displayed I nformat ion. Plenum, New York.
Sørensen, J.D., Kroon, I .B., Faber, M.H. Opt imal reliabilit y-based code calibrat ion. St ruct ural Safet y, Vol. 15,
pp 197-208, 1994.
SRV. At t skydda och rädda liv, egendom och milj ö. St at ens Räddningsverk, 1989.
St andard for Aut omat ic Wat er-sprinkler Syst ems, RUS 120: 4. The Swedish Associat ion of I nsurance
Companies, St ockholm, 1993.
St einbach, J., 1999. Safet y assessment for chemical processes. Wiley - VCH, Weinheim.
STRUREL, A st ruct ural reliabilit y analysis program syst em. Reliabilit y Consult ing Programs GmbH, München,
1995.
Swain, A.D. and Gut t man, H.E., 1983. Handbook of human reliabilit y wit h emphasis on nuclear power plant s
applicat ions, US Nuclear Regulat ory Commit t ee, Washingt on, DC.
Swain, A.D., 1990. Human reliabilit y analysis: need, st at us, t rends and limit at ions. Reliabilit y Engineering
and Syst em Safet y, 29: 301-313.
Thoft -Christ ensen, P., Baker, M.J. St ruct ural reliabilit y and it s applicat ions. Springer Verlag, Berlin, 1982.
Toren K, Balder B, Brisman J et al. (1999) This risk of ast hma. European Respirat ory Journal, 13: 496-501.
Tsai SP, Gilst rap EL, Cowles SR, Waddell LC, Ross CE (1992). Personal and j ob charact erist ics of
musculoskelet al inj uries in an indust rial populat ion. Journal of Occupat ional Medicine, 34: 606-612.
Turner, B.A., 1978. Man-made disast ers. Wykeham, London.
Tvedt , L. PROBAN Version 2, Theory manual. A.S Verit as Research, Report No.89-2023, Høvik, 1989.
U.S Occupat ional Safet y and Healt h Administ rat ion (OSHA). Depart ment of Labor. 1995. Occupat ional Safet y
and Healt h Administ rat ion Technical Manual, Sect ion I , Chapt er 1, Personal sampling for air cont aminant s.
OSHA I nst ruct ion TED 1.15. Washingt on, D.C.: U.S.
U.S. Environment al Prot ect ion Agency (EPA). Environment al radiat ion prot ect ion st andards for t he
management and disposal of spent nuclear fuel, high-level and t ransuranic radioact ive wast e; Final Rule, 40
CFR Part 191. Federal Regist er, 58, 66398- 66416, 1993.
Q Q U U A A N N T T I I T T A A T T I I V V E E R RI I S S K K A A N N A A L L Y Y S S I I S S
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
U.S. Environment al Prot ect ion Agency (EPA). Environment al st andards for t he management and disposal of
spent nuclear fuel, high-level and t ransuranic radioact ive wast e; Final Rule, 40 CFR Part 191. Federal
Regist er, 50, 38066-38089, 1985.
UN (2000). I nt ernat ional st andard indust rial classificat ion of all economic act ivit ies (I SI C). Third revision.
Unit ed Nat ions publicat ion (St / ESA/ STAT/ SER.M/ 4/ Rev.3). Unit ed Nat ions, New York.
UN (2001). World populat ion prospect s. The 2000 revision highlight s. Populat ion Division. Depart ment of
Economic and Social Affairs, Unit ed Nat ions, New York.
USDHHS (1986). Perspect ives in disease prevent ion and healt h promot ion, leading work-relat ed diseases
and inj uries. Morbidit y and Mort alit y Weekly Report , 35(12).
USDOL OSHA (2000). Docket for t he Federal Regist er. (Vol. 65, No. 220.) U.S. Depart ment of Labor,
Occupat ional Safet y and Healt h Administ rat ion, Washingt on, DC.
USDOL OSHA (2002a). Permissible exposure limit s, codified at 29 CFR 1910.1000. U.S. Depart ment of Labor,
Occupat ional Safet y and Healt h Administ rat ion. Available at ht t p: / / www.osha.gov/ SLTC/ pel/ index.ht ml.
USDOL OSHA (2002b). Noise and hearing conservat ion. U.S. Depart ment of Labor, Occupat ional Safet y and
Healt h Administ rat ion. Available at ht t p: / / www.osha-slc.gov/ SLTC/ noisehearingconservat ion/ index.ht ml.
USEI A (2001). U.S. Energy I nformat ion Administ rat ion, U.S. Depart ment of Energy, I nt ernat ional Energy
Dat abase. Accessed January 2001 at ht t p: / / www.eia.doe.gov/ emeu/ iea/ coal.ht ml.
Ut h, H.J., 1999. Trends in maj or indust rial accident s in Germany. Journal of Loss Prevent ion in Process
I ndust ries, 12: 69-73.
Vaaranen V, Vasama M, Toikkanen J et al. (1994). Occupat ional diseases in Finland l993. I nst it ut e of
Occupat ional Healt h, Helsinki.
Vadillo, E.M., 2006. Development of a human fact ors assessment t echnique for t he chemical process
indust ry. Mast er Thesis, Technical Universit y of Berlin, Berlin.
Vardeman, S.B., St at ist ics for engineering problem solving. PWS Publishing Company, Bost on, 1993.
Venables KM, Chang-Yeung M (1997). Occupat ional ast hma. The Lancet , 349: 1465-1469.
Vest rucci, P., 1988. The logist ic model for assessing human error probabilit ies using SLI M met hod. Reliabilit y
Engineering and Syst em Safet y, 21: 189-196.
Volinn E, Sprat t KF, Magnusson M, Pope MH (2001). The Boeing prospect ive st udy and beyond. Spine,
26: 1613-1622.
Vrij ling, J.K., van Hengel, W., Houben, R.J., A framework for risk evaluat ion. Journ. Haz. Mat . Vol. 43, pp
245-261, 1995.
Vuuren, W.v., Shea, C.E. and Schaaf, T.W.v.d., 1997. The development of an incident analysis t ool for t he
medical field, Eindhoven Universit y of Technology, Eindhoven.
Waddell G (1991). Low back disabilit y: A syndrome of West ern civilizat ion. Neurosurgery Clinics of Nort h
America, 2: 719-738.
Wagner GR, Wegman DH (1998). Occupat ional ast hma: Prevent ion by definit ion. American Journal of
I ndust rial Medicine, 33: 427-429.
Wait zman N, Smit h K (1999). Unsound condit ions: Work-relat ed hearing loss in const ruct ion, 1960-75. The
Cent er t o Prot ect Worker’s Right s. CPWR Publicat ions, Washingt on, DC.
Ward E, Okan A, Ruder A, Fingerhut M, St eenland K (1992). A mort alit y st udy of workers at seven beryllium
processing plant s. American Journal of I ndust rial Medicine, 22: 885-904.
Wat t s, J.M. Fire Risk Ranking. The SFPE handbook of fire prot ect ion engineering, 2nd ed. Nat ional Fire
Prot ect ion Associat ion, Quincy, 1995.
West gaard RH, Jansen T (1992). I ndividual and work relat ed fact ors associat ed wit h sympt oms of
musculoskelet al complaint s: I . A quant it at ive regist rat ion syst em. Brit ish Journal of I ndust rial Medicine,
49: 147-153.
T T H H E E O O R R Y Y A A N N D D M M O O D D E E L L
S SA A F F E E T T Y Y M M A A N N A A G G E E M M E E N N T T S SE E R R I I E E S S
West gaard RH, Winkel J (1997). Ergonomic int ervent ion research for improved musculoskelet al healt h: a
crit ical review. I nt ernat ional Journal of I ndust rial Ergonomics, 20: 463-500.
WHO (1999). I nt ernat ional st at ist ical classificat ion of diseases and relat ed healt h problems (I CD-10) in
occupat ional healt h. Karj alainen A, ed. Prot ect ion of t he Human Environment , Occupat ional and
Environment al Healt h Series, (WHO/ SDE/ OEH/ 99.11). World Healt h Organizat ion, Geneva.
WHO/ FI OSH (2001). Occupat ional exposure t o noise: Evaluat ion, prevent ion and cont rol. Goelzer B, Hansen
CH, Sehrndt GA, eds. On behalf of WHO by t he Federal I nst it ut e for Occupat ional Safet y and Healt h
(FI OSH), Dort mund.
Wickens, C.D. and Hollands, J.G., 2000. Engineering psychology and human performance. Prent ice-Hall,
Upper Saddle River, NJ.
Wikst rom B-O, Kj ellberg A, Landst rom U (1994). Healt h effect s of long-t erm occupat ional exposure t o whole-
body vibrat ion: A review. I nt ernat ional Journal of I ndust rial Ergonomics, 14: 273–292.
World Bank (2001). World development indicat ors 2001. Available at ht t p: / / worldbank.com.
Xia Z, Court ney TK, Sorock GS, Zhu J, Fu H, Liang Y, Christ iani DC (2000). Fat al occupat ional inj uries in a
new development area in t he People’s Republic of China. Occupat ional and Environment al Medicine, 42:
917-922.
Xu X, Christ iani DC, Dockery DW et al. (1992). Exposure-response relat ionships bet ween occupat ional
exposures and chronic respirat ory illness: a communit y-based st udy. American Review of Respirat ory
Disease, 146: 413-418.
Yin SN, Li Q, Liu Y, Tian F, Du C, Jin C (1987). Occupat ional exposure t o benzene in China. Brit ish Journal of
I ndust rial Medicine, 44: 192-195.
Yip YB (2001). A st udy of work st ress, pat ient handling act ivit ies and t he risk of low back pain among nurses
in Hong Kong. Journal of Advanced Nursing, 36: 794-804.

Sign up to vote on this title
UsefulNot useful