Risk is of all time

Pełen tekst


Risk is of all time

prof.dr.ir. Ben Ale

1. Introduction

It is said that the present society is a risk society [1]. And indeed some risks are new. And because of the global connectivity of our societies, many risks are shared by all. That does not take away though, that may ancient risks have had a similar standing in the society in which they where dominant. They formed a threat to the whole – known – world and all – known – societies were exposed.

Between 1347 and 1350 the plague or the black death wiped out one third of the population of Europe [2,3]. In the 17th century the average life expectancy was 25 years and to become 45 was an exception.

Also what now is called industrial risk has roots in the early centuries. Already Plinius described illnes-ses among slaves [4]. In 1472 Dr U Ellenbog from Augsburg wrote an eight page note on the hazards of silver, mercury and vapours of lead [5]. Ailments of the lungs found in miners were described extensi-vely by Georg Bauer. [6]. In the seventeenth century a signifi cant part of the crew of ships sailing the East and West Indies never made it home.

As recent as 1918 the Spanish fl ue killed 170000 people in the Netherlands alone.

The Netherlands has a long history of having to deal with the threat of fl oods. In the middle ages several groups, such as Hugenotes and Jews, fl ed to the Netherlands because they were oppressed by their government. These people literally stepped down from the Central European Plane into the Low Lands, the swamp the now is the Netherlands. The only authorities that were accepted for a long time were the “waterboards”. These were deemed necessary to manage the flood defences. The oldest waterboards were those of Schieland (1273), Rijnland (1286), and Delfl and (1319). Now with 478 people per km2 one of the densest populated area’s in the world and housing a harbour of Rotterdam, Schiphol Airport and a third of the refi nery capacity of Europe managing the risks of resulting from the close proximity of people and industry has become

Risicomanagement en/of innovatie? prof.dr.ir. B.J.M. Ale Hoogleraar Veiligheid en

Rampenbestrij-ding, TU Delft


just as important an activity as managing the risks of fl ooding.

Attempts to avoid unnecessary risk also has been part of human activities from as long as history is written. Those who had something to loose sur-rounded themselves and their possessions with walls, castles, guards and armies. If you had enough money you went outside of the city to escape the plague [7]. And societies have put people into power in order to protect them from a long time ago. This does not take away that worldwide and in absolute numbers the number of disasters and the associated costs increase. At the same time the population of the earth increases, suggesting that people more and more live in less and less suitable locations [8]

This raises the question why risk management looks so different today and why we have so much diffi culty getting to an organised policy on risk, whether we are in public offi ce, in government or in private enterprise. For this we fi rst look at the evolution of risk especially in the 20th century. We look at the development of risk perception research and fi ndings and then we look at methodologies to understand the genesis of accidents and strategies to eliminate them or reduce the probability.

2. Industrial


In the Netherlands some large scale accidents with explosives materials occurred as well. In 1654 the centre of Delft was demolished by the explosion of a powder tower. This explosion, which could be heard 80 km away, created the “horse market”, which still exists as an open space. (Figure 1)

In 1807 a similar explosion took place. Now a barge laden with black powder exploded in the centre of Leiden. The van der Werf park today is still witness of this event. 150 people were killed among who 50 children, whose school was demolished by the blast.

This explosion led to an imperial decree by Napoleon. The emperor stated that from then on a permit was needed for having an industrial facility. Three classes of industry were designated:

Industries that were considered too dangerous to be inside a city. The authorities would indicate a location

Industries for which location inside a city could be considered if it could be demonstrated that there was no danger for the community Industries that always could be located inside city limits.

In addition Napoleon stated that objections of future neighbours should be noted and addressed by the authority who made a decision.

As the explosion in Leiden involved a ship, similar measures were taken with regards to the transporta-tion of explosives and other dangerous materials. Interestingly the safety regulations in France can be traced back to the same imperial decree.

3. Risk


The origin of modern risk management lies in the industrial accidents after World War II. In 1966 a fi re in a storage facility for LPG in Feyzin, France killed 18 and wounded 81. This accident led to re-empha-sis on design rules for bottom valves on pressure vessels. In the realm of physical planning no actions from the French or the European authorities seemed to have resulted from that accident.

Ten years later a number of similar accidents occur-red: Flixborough (1974, 28 dead), Beek (1975, 14 dead) and Los Alfaques (1978, 216 dead). These accidents showed that the Feyzin accident was not a unique freak accident. Apparently LPG and other fl ammable substances could pose a serious threat to the workforce and to the surroundings. In 1979 Prime-Minister van Agt, just as his pre-decessors, wrote a letter to parliament about the development of environmental policies as integral


part of the nations policies. In this letter he intro-duced “External Safety” as separate from occupa-tional safety. The Prime-Minister introduced and announced three elements of a new policy:

appointment of the minister of environment as co-ordinator for hazardous materials;

founding of a new separate policy body dealing with external safety and

announcement of new legislation covering exter-nal safety.

At the same time a major change in the energy market appeared imminent. This among other lead to a major market push for LPG as motor fuel. In 1978 a tank car exploded in a tank station. Although nobody was hurt in this accident, it became appa-rent that the population around the stations should be limited. The chief inspector for the environment decided not to wait for legislation. He issued an instruction for his inspectors to not approve a permit unless the conditions for distances and population densities as indicated in the Table 1 were satisfi ed [9]. This was the fi rst explicit zoning measure around a hazardous activity.

A further potential increase in the transport of LPG through the Netherlands resulted from the desire to use LPG as feedstock for the production of ethylene. A committee was charged with developing a policy. A study was commissioned into the safety of the whole chain from import to fi nal use. It became apparent that a policy aimed at insuring that no accident ever would harm the population would not be compatible with the limited space in the Netherlands. The com-mittee decided that there should be a level of risk below which it is neither desirable nor economical to strive for further reduction. This statement implied that the level of risk should be established and that acceptability limits should be set.

At the same time authorities in the Rijnmond area started to be worried about the safety of the popula-tion around the large petro-chemical complexes in the

area. Taking the Canvey Island study as an example [10,11], the Rijnmond authority embarked on a study to establish whether quantifi cation of risk was feasible and would give results that would be useful in deci-sion-making. The results [12] were promising with regards to the usefulness of the results. The quanti-fi cation of risk as a routine exercise was judged not to be feasible unless information technology could be used to take away the burden of the many complica-ted calculations and reduce the time needed. The Rijnmond Authority together with the ministry of environment embarked on the venture towards an automated method for quantifi cation of risk. Now, twenty plus years later the process still is not fully automated. Such a level of automation no longer is desired either. But the techniques developed since together with the rapid development of computa-tional capability has lead to workable systems with reasonable return times.

3.1 Risk matrices

The division of risk in three bands introduced by Napoleon can be found back in the risk matrices that are used frequently to support and structure deci-sion making (Figure 2). In these matrices the two dimensions of risk: probability and consequences are separated out and plotted against each other. Any combination of consequence and probability is a point in this two dimensional space. Alternatively the risk profi le of any activity can be plotted as a

Distance to tank and/or fi llingpoint (m)

Allowed building Houses Offi ces

0 – 25 none none

25 – 50 max 2 max 10 people 50 – 100 max 8 max 30 people 100 – 150 max 15 max 60 people

> 150 no limit no limit

Table 1 - Zoning around LPG stations


so-called complementary cumulative distribution curve (CCDC). In such a curve the probability of exceeding certain consequences are given as a function of these consequences.

The plot area can be divided into three areas: accep-table, conditionally acceptable and unacceptable. Whenever the risk is not in the acceptable area measures have to be taken or at last contempla-ted. Of particular interest is the region in the lower right hand corner of the matrix where those risks are located of which the consequences cannot be borne. These risks have to be transferred e.g. by insurance, or have to be eliminated – regardless how low the probability - as the consequences would lead to ruin.

In practice any consequence proves to be accep-table when the probability is suffi ciently remote and the advantages to be gained by embarking the risky activity are suffi ciently large. Therefore the red or unacceptable area is seldom demarcated by a ver-tical line. Rather the limit is some sort of sloping line as depicted by the dotted line in the fi gure. The use of risk matrices is not restricted any more to the chemical industry. Many applications are found in fi nance and insurance industries [13]

3.2 Criteria

Having decided that risk quantifi cation is the way to go the inseparable counterpart had to be developed as well. Questions to be answered included were what to do with the results, and how to make sure the analyses would actually be made and used in decision making.

Regional and local authorities as well as industry asked for guidance regarding the acceptability of risk. The bases for this guidance was found in documents and decisions taken earlier.

An important base line was found in decisions made regarding the sea defences of the Netherlands. In 1953 a large part of the south west of the Netherlands was fl ooded as a result of a combi-nation of heavy storms, high tides and insuffi cient strength and maintenance of the diking system. Almost two thousand people lost their lives and the material damage was enormous especially because the Netherlands was still recovering from World War II. The Netherlands embarked on a project to strengthen the sea defences, including a drastic

shortening of the coastline by damming off all but one of the major estuaries of the Rhine/Maas delta. The design criteria were determined on the basis of a proposal of the so-called “Delta Committee” who proposed that the dikes should be so high that the sea would only reach the top once every 10000 years. [14]. The probability of the dike collapsing is a factor of 10 lower. The probability of drowning is another factor of 10 lower, so that the recommen-dation of the Delta Committee implies an individual risk of drowning in the areas at risk of 1 in a million per year. This recommendation was subsequently converted into law.

This value of risk was reaffi rmed when a decision had to be taken about the construction of the clo-sure of the Oosterschelde estuary. For reasons of preserving the ecosystems the design was changed from a closed solid dam, to a movable barrier. This barrier should give the same protection as the dams. In this manner Dutch parliament had a history of debating safety in terms of probabilistic expectati-ons, which came in handy when industrial risk had to be discussed.

The value of 1 in a million per year corresponds to about 1% of the probability of being killed on the road in the mid 80-ties. This became the maximum acceptable addition to the risk of death for any indi-vidual resulting from industrial accidents.

For societal risk the anchor point was found in the “interim viewpoint” regarding LPG points of sale mentioned above. When combined with value already chosen for individual risk this led to the point 10 people killed at a frequency of 1 in 100000 per year. As societal risk usually is depicted as an FN curve having the frequency of exceeding N victims as a function of N, the limit had to be given the same form. Thus the slope of the limit line had to be determined.

It was decided to incorporate the apparent aversion against large disasters in de the national limit by having the slope steeper than –1. Several values circulated in literature at the time, ranging from –1.2 to –2 [15,16,17,18,19,20,21,22]. In the end it was decided to adopt a slope of –2 for the limit line. In order to bind the decision space at the lower end of the risk spectrum limits of negligibility were set for individual risk and societal risk alike at 1% of value of the acceptability limit.


The resulting complex of limit values was laid down in a policy document called “premises for risk management” [23].

The accident in Bhopal, where some 3000 people were killed as a result of a release of methyl isocy-anate, helped to promote the adoption of European legislation. The SEVESO directive, named after a small village in Italy where dioxine was released in an accident, became the vehicle to implement these policies into law in the Netherlands just as in many other members of the EU. The “Hazards of Major Accidents Decree” [24] demanded that top tier esta-blishments would submit a safety report, in which a quantifi ed risk analysis performed according to the set standards, would be presented. This information then subsequently could be used by local planners for zoning decision and by the emergency services for disaster abatement planning.

On 13 may 2000 an explosion occurred in a fi re-works storage and trading facility in Enschede, the Netherlands. Twenty-two people were killed and some 900 injured. The material damage was approximately 400 MEuro. This lead to a further re-enforcement of the policy in the Decree on External Safety of Establishments (BEVI) [25], in which the risk limits were again specifi ed (Figure 3).

4. Perception

A major factor infl uencing the people’s reaction to potentially hazardous activities is what generally is described as risk perception.

In part these perceptions are driven by the way, by which information is processed by our brain. One of the features is that information that strengthens

existing ideas is more readily absorbed than infor-mation to the contrary.[26]. In Table 2 the mortality of various activities is given. The numbers are appli-cable for the Netherlands. From the table it can be seen that the probability of any Dutchman to be killed by an accident in a chemical plant not being an employee is 6 orders of magnitude smaller than the probability of dying of a smoking induced illness (if he or she is a smoker).

On the basis of these numbers a decision maker has a fair point when assuming that the probability of him being confronted with a disaster in the chemical industry is remote and hardly probable. Especially when one notes that the present Netherlands are only some 20 years old

In the table also the probabilities are given of win-ning the main prize for fi ve of the nations lotteries. One can see that winning the “sponsorlottery” is three orders of magnitude smaller than being the victim of a chemical accident. Nevertheless these lottery tickets are readily sold and there regularly is a winner. Apparently the probability of winning this lottery is considered by many remote but possible, or even probable. This difference in appreciation of the numerical information is closely related to the psycho-social theories of risk perception. According go these theories there are many factors shaping the perception of risky activities [27,28,29]. The top 10 of the most listed are:

Extent and probability of damage Catastrophic potential

Involuntariness Non-equity Uncontrollability Lack of confi dence

Figure 3 - Risk triangle and criteria

Activity Winning a lottery Probabilty (/yr)

Smoking 5*10-3 Traffi c 8*10-5 Lightning 5*10-7 Bee-Sting 2*10-7 Flood 1*10-7 Staatsloterij 1*10-7 Bankgiroloterij 4*10-8 Lotto 2*10-8 Falling Aircraft 2*10-8 Postcodeloterij 1*10-8 Chemical Industry 6*10-9 Sponsorloterij 3*10-12

Table 2 - Probabilities of death and probabilities of win-ning lotteries


New technology

Non-clarity about advantages Familiarity with the victims Harmful intent

Combining these factors with the mortality discus-sed above reinforces that people are more willing to accept a certain small loss than an uncertain large loss. And because the probability of a large disaster is small, long periods of time may elapse after one disaster before another strikes. In this period the notion that improbable equals impos-sible is steadily reinforced and thus the impetus that exists shortly after a disaster to do something about it disappears.

As the factors that infl uence the judgement of a risky activity are different for differing activities it cannot be expected that a single set of risk criteria is applicable to all activities. Nevertheless a policy may look more organized as the set of applicable criteria is small.

On the other hand it is argued that these factors make it impossible to set general standards, as every situation and every activity is different. In a more extreme stance it is argued that risk is a social construct rather than something that in prin-ciple can be determined scientifi cally. In this view there are so many subjective choices made in risk analyses that they cannot be called objective sci-ence at all. [30]. Scientists are just other lay-people. There judgement is infl uenced by the same factors, but in addition they let their science infl uence by their political judgements. It is no surprise that the more objectivist risk analysts argue that scientifi c judgements and political judgements are not the same thing and that objective quantifi cation of risk is a scientifi c exercise. Indeed such objectivity is necessary make cost benefi t based decisions. In such argumentation the value of the risk should be as objective as the – monetary – value of potential risk reducing measures [31].

Any policy should conform to general principles of justice and democracy, be it setting a speed limit or a limit on risk. The results should be predic-table for the stakeholders and for the public and execution should be measurable against objective standards. This holds even when arguments are formulated in more qualitative terms such as “As Low As Reasonably Achievable” or “gross

dispro-portionality”. It should always be borne in mind that any stakeholder in any regulatory system can resort to getting a dispute settled in court.

How valid the arguments may be, they neverthe-less are of great help to stakeholders that have no interest in having risks limited by a government policy in the short run. And as the last accident disappears in past history the pressure to be fi rm on risk dissolves.

4.1 Bow-ties

Whenever a strategy or policy is defi ned that asks for reduction of risk, an analysis has to be made of what would be the optimal place to interfere with the causal chain from cause to accident and con-sequences in order to obtain the desired reduction. Bowtie models are tools for integrating broad clas-ses of cause-consequence models. The familiar fault and tree-event tree models are ‘bowtied’ in this way; indeed, attaching the fault tree’s ‘top event’ with the event tree’s ‘initiating event’ originally sug-gested the bowtie metaphor. The bowtie may be conceived as a ‘lens’ for focusing on causal chains and ‘projecting’ these onto the space of consequen-ces. These consequences will ultimately be factored into decision problems for risk management. Hence the bowtie’s consequence side forms an interface with the decision models. Decisions taken will refl ect backwards to causes. This structure not only has proven a worthwhile concept in accident predic-tion, it also has proven its worth in analysing past accidents and suggesting improvements to prevent further re-occurrence [32] (Figure 4)

The selection of the centre of the bow-tie is cru-cial for the analysis. Any event can be taken as


this centre. The causes and consequences of this event form the bow-tie and form a slice out of all the things that happen in this world.. Any event can be considered a cause and any event can be considered a consequence. Events can therefore serve as causes and as consequences in many bow-ties, each with its own centre. However: once the centre is chosen, no other events will be visible in the bow-tie than those which are in the causal chains running through the centre.

This could raise some interesting questions. What has to be considered as the centre event of a – let-hal – accident of a parachute jumper. The moment that his parachute did not open, the moment that his parachute was packed in the wrong way or the moment that the reserve parachute failed to open. Any of these three approaches leads to a valid bow-tie, and to a valid quantifi cation of his risk of falling, but the analysis will be much more detailed on some aspects and much less detailed on others depen-ding on the choice of the centre event. As a result the options for remedial action will be different.

4.2 Events as barriers

When the a certain consequence is deemed unac-ceptable or when the probability of a certain out-come is deemed too high, measures have to be taken to either take away the causes or block the progression from cause to accident. The classical way of presenting this and handling this in a mathe-matical way is to combine the path originating from a cause with a path from a safeguard into an “AND”-gate, which means that the cause and the failure of the safeguard have to occur simultaneously to result in the consequence. This concept however proved to be diffi cult to grasp for decision makers. Therefore these safeguards are often depicted as barriers in the path from cause to consequence (Figure 5), an idea originally developed by Haddon, who introdu-ced the barrier concept in 1973 [33]. The number of

barriers in the path then could form the basis for a layer of protection analysis (LOPA) [34] In an case this way of presenting layers of protection proves to be helpful for decision makers [35]. When in an analysis a path is detected that does not have any barriers in it, it constitutes a – latent – defi ciency in the system that according to Murphy’s law will sooner or later lead to ruin [26].

5. Managing


After the accidents in the chemical industry in de mid eighties, it became apparent that risks cannot be eliminated and that technology just as any other human enterprise has its risks together with the advantages[36,37]. This lead to the further deve-lopment of risk management theorie and applicati-ons for process industries. The fi nancial disasters of the 1990ies led to a similar development in the fi nancial industry. [38]. Risk management is another implementation of a cybernetic control cycle aimed at keeping the risks in a certain situation or the risks associated with a technology within acceptable or desired bounds.

In the management of risk four stages can be dis-tinguished (Figure 6) identifi cation quantifi cation decision reduction control

In these the decision is not so much a phase, but a demarcation between the more analytical part of the process and the more managerial part of the process.

In the identifi cation stage it is determined what the hazards and threats are against which one may desire to be protected. In the quantifi cation stage it is assessed which hazards are the most threa-tening. After a decision has been made measures may be taken to reduce the risk and subsequently it is necessary to monitor the situation to keep the risk at the agreed level. A risk management cycle therefore does not differ in principle form any other control cycle. An unwanted situation has to be noted, for instance because it differs from what is considered normal or because an alarm is raised;

Figure 5 - And-gate representation (A) and barrier repre-sentation (B) of the same casual confi gura-tion


a proper analysis has to be made and necessary actions have to be defi ned and executed, and after normality has returned continued vigilance is nee-ded to detect any new deviations from normal.

5.1 Measures

Measures have to be designed especially for the purpose. But there are a number of design features that enhance the inherent safety of systems and at the same time prevent the system to be used or exploited for malicious purposes. These can be grouped under four general headings as described below.

5.1.1 What you don’t have cannot leak

This statement made by Trevor Kletz [39] some three decades ago still holds. You cannot have an ammonium-nitrate explosion if you do not have ammonium nitrate (as in Toulouse [40]), You can-not have large scale Methyl-Isocyanate poisening if you do not store massive quantities (as in Bhopal [41]), you cannot have a fi reworks explosion without fi reworks [42,43]. Without these inventories acci-dental disasters are avoided. The absence of these chemicals also prevents their use in a malicious act, by sabotage or theft and later use.

5.1.2 If you don’t need a human: don’t let him near the equipment

People are inherently fallible. [44]. People are not very good in routine operation of plants. Their fai-lure probability is even bigger under stress and in an emergency [45]. Therefore if a system can run or operate without human intervention do not even let people near. This also prevents illegal tampering with equipment or planting devices where they are unwanted. However: there are many instances where the human operator is indispensable. In that case the next action can be of great benefi t 5.1.3 Make the safest way also the easiest way Taking a short cut is tempting when people are in a hurry, stressed, distracted. When there is pres-sure to deliver. If such a short-cut is unsafe, unsafe acts and their consequences are unavoidable. The existence of a short-cut is one of the ende-mic pathogens that can exist in a design. If such unsafe paths exist this also forms an easy recipe for a malicious individual to use the system for his purposes. Sometimes however the safe way has to be more cumbersome. Obeying red lights, following a checklist, these things take time and in many systems they are necessary to keep operations safe. In that case the fourth and last action of this series is important:

5.1.4 Supervise

People generally will not on purpose violate the rules. They want to act responsibly and safe. But they can be pressed with time, the can be distracted by events at work or at home, they overlook things. A check and monitor cycle helps to catch failures before they become a disaster. And they help iden-tifying unwanted elements that may compromise safety on purpose.

6. Emergency


Once the unwanted event has taken place there still are possibilities to limit the consequences. These mitigating actions can range from simple medical treatment to full scale emergency intervention. These emergency actions can be divided into fi ve major groups imaging the temporal stages in


gency management. In the terminology current in emergency management in the Netherlands these are called pro-action, prevention, preparation, repression and after-care. The various modes of intervention have their counterpart in the emergency management chain of pro-action, prevention, pre-paration, repression and after care [46].

There are many communalities in emergency management regarding accidents and malicious acts and a few but nevertheless important diffe-rences.

The Pro-action phase regards everything that can be done to prevent an accident from happening. This is also known as providing barriers against progression of the causes towards the accident. In case of – industrial – accidents these may include abandoning the activity altogether and providing safety features such as emergency relief valves, system shutdown procedures etc. In the case of malicious acts these could include catching the potential perpetrator before the act, but also making it harder to get to vital systems and infrastructures. It should be noted however that in the case of acci-dent hazards as in the case of malicious acts it is much easier to fi nd the cause that belongs to an accident after the accident has occurred, than to fi nd an accident that belongs to a certain cause before anything has happened. In fact it has proven to be sometimes extremely diffi cult to identify something as a potential cause of a disaster that looked obvi-ous in hindsight. Therefore complete elimination of mishaps is virtually impossible. Therefore the next steps in the chain are evenly important.

In the prevention step it is tried to reduce potential losses as much as possible. In chemical process plants this includes for instance not having any unnecessary personnel on the premises during operation. In houses and public buildings prevention includes among other things fi re resistant construc-tion and the use of shatter free glass. It also includes maintaining separation distances between installa-tion and houses and other vulnerable object with the objective to limit damage as much as possible. In the preparation step the plans are drawn, tested and exercised to act in case of an emergency. As resulted from evaluations of various recent disas-ters and exercises [47] a number of issues warrant special interest. These are communications and the

way to cope with the breakdown thereof and self-reliance of the public and of the intervention units. This also includes plans on how to deal with the identifi cation and apprehension of guilty parties and plans on how to cope with new or continued threats existing during the rescue operation.

In the repression step the disaster is confronted, the casualties treated and the damage repaired. After care comprises clearing the site and recon-struction. More important however is dealing with the victims and their relatives and taking care of the after effects that the confrontation with a large scale disaster can have on victims and on the emergency relief workers. These effects cab by physical and psychological and proper handling these effects can make the difference between quick recovery and decades of misery.

In prepare for disasters in a systematic way the Dutch government has issued guidelines for local and regional authorities to help them assess the necessary level of preparedness measured against the potential threats in the region.[48,49]. In the guidance 18 different types of disasters are distin-guished (Table 3). Each region has to assess the relevant level of threat for each of these disaster types in the region. A region below sea-sea level (in the Netherlands there are only a few that are not) have to consider the fl ood risk. An area with transport of dangerous materials has to consider road accidents with toxic and fl ammable materials. Subsequently each region can evaluate what the

1 Airplane crash 2 Accident on water 3 Traffi c accident on land

4 Accident with fl ammable/explosive material 5 Accident with toxic material

6 Nuclear accident 7 Threat to public health 8 Epidemic/pandemic 9 Accident in tunnel 10 Fire in large building 11 Collapse of large building 12 Panic in crowd 13 Large scale riots 14 Flood 15 Fire in nature 16 Extreme weather

17 Disruption public services (electricity/gas/water) 18 Distant disaster


current capacity is for dealing with the sort of emer-gencies that they can expect. This will tell them the discrepancies and thus the necessary action. An example of a disaster type profi le and a response capacity profi le is given in Figure 7.

6.1 Risks and capacity

For the Netherlands as a whole, the disaster poten-tial from man made activities is depicted in literature 50. Also in the fi gure is the estimated risk from fl oo-ding for “dike-ring 1”, which is the largest continuous fl ood-prone area in the Netherlands. If this area would fl ood between 100,000 and 400,000 people could lose their life and the material damage would amount to 400 billion Euro, 1,3 times the yearly governmental budget. [51] Flood risks obviously can be are dominant in the Netherlands. From the man made risks however, the dominant contribu-tion differs depending on the size of the possible disaster. In the 1000+ people killed area the domi-nant distribution is from accidents with hazardous – manly toxic – materials on railroad marshalling yards in city centres. In the 10 - 100 people killed area the dominant risk is air-transport. Also the current level of emergency response capabilities of most cities is given. As can be seen this level is by far not suffi cient for the sort of disasters that could happen. This means that should a disaster happen, emergency services from neighboring cities and regions have to be called in. This obviously delays repression and therefore a signifi cant residual risk remains. Whether such risks are acceptable is a political decision, and as these risks continue to exist the Netherlands society apparently accepts these risks.

In as far as malicious acts are concerned the ques-tion can be raised whether recent geo-political

circumstances indeed signifi cantly increase the probability of events that are beyond the capabilities of local emergency services and whether additional efforts should be devoted to strengthen the emer-gency forces beyond the efforts already undertaken since the disasters in Enschede and Volendam in 2000 [52].A complication in maliciously caused emergencies is the possibility that the emergency relief workers themselves may be a target. This has profound implications for the planning and the execution of the relief effort. These discussions are part of the more general discussion about reducing the vulnerability of society against malicious acts. It should be noted how-ever that the current capacity already would be overtaxed by accidental disasters of moderate size. Therefore signifi cantly more would have to be spent on preparation and readiness and the debate whether this is worthwhile remains unde-cided for now. This makes it even more important than it always has been that prevention is better than curing.

7. Conclusion

Modern times are not necessarily more risky than earlier times. There have been many threats to humanity that indeed wiped out signifi cant portions of the known population. Life expectancy has not been as high as it is today, at least in the “fi rst” world. There are some new risks and may be contrary to historic times it is now known for sure that the known world is all the world there is. But the historic people thought the same.

All over history it has been diffi cult to maintain risk containment or risk management strategies for prolonged periods of time. For low probability large consequence type risks this is to a signifi cant extent inherent to the way the human brain processes infor-mation. Every day a disaster does not happen the idea gets reinforced that it cannot happen at all. Nevertheless there are many good methods to systematically deal with risks and many are part of the policy of governments. Due to the dense population and the intensive use of space in the Netherlands, the Dutch authorities have an advan-ced position in governmental risk management, which combines the use of quantitative analytical

Figure 7 - Emergency profi le and emergency relief capa-city for a region (example)


methods with set criteria and rules for justifying risk taking by authorities.

Risk analysts have a role to play in the discussion about risks. They are in a position to point out that the absence so far of an accident does not mean its impossibility. And they should do so in the interest of the innocent bystanders, who are the people of who the lives, health and property are at stake.


1 Ulrich Beck, “Risikogesellschaft. Auf dem Weg in eine andere Moderne”, Suhrkamp, Frankfurt am Main, eerste druk, 1986

2 www.20eeuwennederland.nl

3 Nederland langs de Europese meetlat, Centraal Bureau voor de Statistiek, Den Haag, 2004 4 Ramazzini, De morbis artifi cum deatriba, 1700 5 Rosen 1976, A History of public health, MD

publications, New York 6 Agricola, Re metallica, 1556

7 Chauser, Canterbury Tales, Chanceller Press, Londobn, ISBN 1 85152 585 8

8 OECD, Emerging Risks in the 21st Century, An OECD International Futures Project, September 2003, ISBN 9264199270

9 Het interim standpunt LPGstations, HIMH, The Netherlands, 1978.

10 HSE , Canvey: An investigation of Potential Hazards from Operations in the Canvey Island/ Thurrock Area, Londen (HMSO) 1978

11 HSE, Canvey: Second Report, A Review of the Potential Hazards from Operations in the Canvey Island Thurrock Area Three Years after Publi-cation of the Canvey Report, Londen (HMSO) 1981

12 Cremer and Warner, Risk Analysis of Six Poten-tially Hazardous Objects in the Rijnmond Area, Londen 1981.

13 M.P. MaCarthy and T.P.Flynn, Risk from the CEO and Board Perspective, McGaw-Hill New York, 2004, ISBN 0-07-143471-2

14 Rapport van de Delta Commissie, 1960, Delta wet 1957.

15 R. Wilson, The Cost of Safety, New Scientist, 68 (1975) 274-275

16 J. Okrent, Industrial Risk, Proc. R. Soc. 372 (1981) 133-149, Londen

17 Ph Hubert, M.H. Barni, J.P. Moatti, Elicitation of criteria for management of major hazards, 2nd SRA conference, April 2-3 1990, Laxenburg, Austria.

18 F.R. Farmer, Reactor Safety and Siting, a pro-posed risk-criterium, Nuclear Safety, 8 (1967) 539

19 W.C. Turkenburg, Reactorveiligheid en risico-analyse, De Ingenieur, vol 86 nr 10 (1974) 189-192.

20 M. Meleis and R.C. Erdman, The development of reactor siting criteria based upon risk probability. Nuclear Safety, 13 (1972) 22.

21 D.J. Rasbash, Criteria for Acceptability for Use with Quantitative Approaches to Fire Safety, Fire Safety Journal, 8 (1984/85) 141-158

22 H. Smets, Compensation for Exceptional Envi-ronmental Damage Caused by Industrial Acti-vities, Conference on Transportation, Storage and Disposal of Hazardous Materials, IIASA, Laxenburg, 1985

23 Omgaan met Risico’s, Tweede Kamer, ver-gaderjaar 1988-1989, 21137, nr 5. Under the same number the translation in English is titled: Premises for Risk Management.

24 Besluit Risico’s Zware Ongevallen, Staatsblad 1988, 432, Staatsdrukkerij, The Hague, The Netherlands.

25 Staatsblad van het Koninkrijk der Nederlanden 2004 nr 250 Besluit van 27 mei 2004, houdende milieukwaliteitseisen voor externe veiligheid van inrichtingen milieubeheer (Besluit externe veilig-heid inrichtingen)

26 reason

27 P. Slovic, Emotion, sex, politics and science: surveying the risk assessment battlefi eld, Risk Anal, vol 19 nr 4 (1999) pp 689-701

28 L. Sjoberg, Factors in Risk Perception, Risk Anal, vol 20 nr 1 (2000) pp 1-11

29 C. Vlek, A multi-stage, multi-level and multi-attri-bute perspective on risk assessment decision making and risk control, Risk Decision Policy vol 1 (1996) pp 9-31

30 M.B.A. van Asselt, Perspectives on uncertainty and risk, The PRIMA approach to decision sup-port, Kluwer, 2000.


31 T.O. Tengs, M.E. Adams, J.S. Pliskin, D.G. Safran, J.E. Siegel, M. Weinstein, J.D. Graham, Five hundred life saving interventions and their cost effectiveness, Risk Anal, 15 (1995) 369-390.

32 J. Groeneweg, Controlling the Controllable, DSWO press , Leiden, 1998, ISBN 90 6695 140 0

33 1973, Haddon Jr, W. Energy Damage and the Ten Counter Measure Strategies Human Factors Journal, August 1972

34 Center for Chemical Process Safety, Layer of Protection Analysis - Simplifi ed Process Risk Assessment, ISBN, (IEC61511) 0-8169-0811-7

35 aramis

36 W.D. Rowe, an Anatomy of Risk, John Whily and Sons, 1977, ISBN 0-89874-784-4

37 B.J.M. Ale, Risk Assessment practices in the Netherlands, Safety Science 40 (2002) 105-126, ISSN 0925-7535

38 M.P. McCarthy and T.P.Flynn, Risk from the CEO and Board perspective,Mc Graw Hill, 2004, ISBN 0-07-143471-2

39 Trevor Kletz, What Went Wrong, Case Histories of Process Plant Disasters, 4th ed, Butterworth Heinemann, 1999, Woburn MA, ISBN 0-88415-920-5

40 www.cnn.com

41 Union Carbide: Disaster at Bhopal, by Jackson B. Browning, Retired Vice President, Health, Safety, and Environmental Programs, Union Carbide Corporation, Copyright 1993

42 P.A.M. Uijt de Haag, G.M.H. Laheij, and B.J.M. Ale, RISK ANALYSIS OF A FIREWORKS STORAGE FACILITY, PSAM6, 6th International Conference on Probabilistic Safety Assessment and Management, pp 79-85 San Juan, Puerto Rico, USA, June 23-28, Elsevier, Oxford, ISBN: 0-0804-4120-3, 2002

43 B.J.M. Ale, The explosion of a fi reworks storage facility and its causes, , PSAM6, 6th International Conference on Probabilistic Safety Assessment and Management, pp 87-98, San Juan, Puerto Rico, USA, June 23-28, Elsevier, Oxford, ISBN: 0-0804-4120-3, 2002

44 C. Perrow, Noraml Accidents, Princeton, 1984, ISBN 0-691-00412-9

45 Swain A.D. and Guttman, H.E., .Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. (NUREG/CR-1278, SAND800 200, RX, AN), Sandia National Laboratories, Albuquerque, NM, August 1983. 46 Handboek Voorbereiding Rampenbestrijding,

Ministerie BZK, The Netherlands June 2003 47 Op de grens van werkelijkheid

Observatierap-portage oefening Bonfi re Instituut voor Veilig-heids- en Crisismanagement (COT) in opdracht van Het Ministerie van Binnenlandse Zaken en Koninkrijksrelaties

48 AVD-SAVE-NIvU-Nibra Leidraad Operationele Prestaties uitgave van Minsterie van Binnen-landse Zaken en Koninkrijkrelaties, The Nether-lands, 20 augustus 2001

49 AVD, SAVE, Leidraad maatramp uitgave van Minsterie van Binnenlandse Zaken en Konink-rijkrelaties, The Netherlands, 2000.

50 RIVM, Milieubalans ‘02, Kluwer, ISBN 90-14-08867-1

51 RIVM, Risico’s is bedijkte termen, RIVM, Biltho-ven 2005, ISBN 90-6960-110-9

52 B.J.M. Ale, Living with Risk: a management question, Reliability Engineering and System Safety, Reliability Engineering and System Safety, 90 (2005) 196-205





Powiązane tematy :