Anda di halaman 1dari 11

Risk Acceptance Criteria and Regulatory Aspects OMMI (Vol.

1 Issue 2) December 2002

Risk Acceptance Criteria and Regulatory Aspects
Robert Kauer, Luciano Fabbri, Remy Giribone, Jan Heerings

Robert Kauer (Ph.D., 1965) is head of the Structural Reliability

department at TÜV-Süddeutschland, Munich. He is responsible for
all services concerning Risk-Informed Maintenance (ROI) with the
goal to optimize inspection and maintenance resources to increase
customers profitability, reliability, and safety. He has worked within
and lead several national and international projects in this field. He
is member of RIMAP RTD and TN.

Dr Luciano Fabbri works in the European Commission’s Joint

Research Centre, Ispra, Italy. He has a longstanding experience in
running international expert groups and networks in the field of risk
assessment for inspection and maintenance planning.


By applying any risk based inspection and maintenance strategy it is strictly necessary to
understand what are the specific acceptance criteria and relevant regulatory aspects. In many
situations accepted risk values are not given. This paper attempts to provide information on
existing acceptance criteria. Amongst them are those governed by SHE-aspects (Safety, Health,
and Environment) which are mainly consequence related, others governed by failure associated
issues are reliability related, and others that are directly associated to risk. In addition, it is
possible to introduce cost factors to assess economic aspects.

If safety issues are included in the analysis, regulatory aspects will be concerned. Here, the
influences of changing European attitudes are discussed, as well as the required depth and
quality of risk analyses.

Some of the work presented was developed within RIMAP, which is an EU project with the following participants: Det
Norske Veritas, Bureau Veritas, Staatliche Materialprüfungsanstalt Stuttgart, TÜV Süddeutschland - Munich, VTT Industrial
Systems,, TNO, Hydro Agri (Norsk Hydro), Mitsui-Babcock LTD, ExxonMobil Chemical, Energie Baden-Württemberg AG,
Siemens AG, Joint Research Centre of the European Commission – Petten, Electricity Supply Board (ESB), Corus, The Dow
Chemical Company (DOW), Solvay technology.
The authors would like to acknowledge the financial support by the European Commission for the "GROWTH Programme,
Research Project RIMAP Risk Based Inspection and Maintenance Procedures for European Industry"; Contract Number

Robert Kauer Jan Heerings Remy Giribone Luciano Fabbri
TÜV Süddeutschland Bau und Betrieb TNO (Netherlands Org. Bureau Veritas EC Joint Research Centre
Westendstr. 199 f. Appl. Scientific Research 17 bis, Place des Reflets Major Accident Hazards Bureau
D-80686 München NL-7300 AM Apeldoorn F-92400 Courbevoie I-TP 670, 21020 Ispra (VA), Italy
Phone: +49 89 / 57 91-12 77 +31 55 5493 614 +33 1 42 91 54 27 +39 0332 78 5801
Fax: +49 89 / 57 91-26 40 +31 55 5493 272 +33 1 42 91 53 45 +39 0332 78 9007
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 2


In asking the question why new inspection and maintenance strategies have to be developed
one can often be made aware that there is always a continuing demand for cost reduction and
optimisation. In this framework, cost cutting trends involving staff reduction, outsourcing,
benchmarking etc. can often be observed almost everywhere. Since inspection and maintenance
are amongst the few cost factors, which can be actively influenced in the short term, this in
combination with the recent regulatory fundamental changes (for example the EU Pressure
Equipment Directive) yielding to considerably greater responsibilities for the operator of a
plant, also the demand for documentation and comprehensibility of measures will increase.

In this context it is strictly necessary to define transparent procedures such as “top-down” (e. g.
ranking, benchmarking), and “bottom-up” (defence of measures and capital expenditure to the
management), for those involved in decision making. Outside of the company, authorities and
the public need to be informed in a proper and formal way as well.

In addition, the use of specific procedures (e.g. RIMAP-procedure), which allows us to address
relevant influence parameters, requires the establishment of acceptance criteria to assess the
results of a risk-based study and to identify adequate measures for inspection and maintenance. In
some cases only internal (company related) acceptance is necessary, in others internal and
external acceptance (e.g. by outside authorities) is required. For most levels of acceptance it is
also necessary to have these procedures embedded in an organisational framework (e.g. RIMAP-
framework) to ensure the ability to adapt and modify the system and to ensure that the system is
up to date.


In order to put the idea of risk based maintenance and inspection (RBMI) into action it is
necessary to install proper procedures and tools within an adequate framework to ensure the
required quality, transparency, and documentation.

In Fig. 1 the general RIMAP framework, which consists of the RIMAP working process, and
the RIMAP procedure is shown.
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 3

Fig. 1. General RIMAP-Framework

Within the work process, several issues must be addressed, so that the entire process and the
used procedures and techniques should be embedded in a quality or safety management system.
Within this, the main goals, tasks, and responsibilities should be clearly identified and
documented. As risk based inspection and maintenance planning is a multidisciplinary task, it
requires a team where many competencies are represented and expertises are available (e.g. as
specified within EN 45004 [1]). These include:
• Inspection
• Maintenance
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 4

• Specific equipment disciplines (e. g. materials, corrosion, electrical, fixed and rotating)
• Safety
• Plant operation and process
• Reliability

It is also necessary to monitor all influencing parameters (e. g. process parameters like pressure
and temperature) with respect to the boundary conditions chosen for the original analysis, and
to ensure that any changes should be evaluated by the responsible and trained individuals.
Another important issue is the need to re-evaluate at specified intervals any modifications,
which have been made, and new data, which becomes available, making sure that the entire
procedure is well organised and is done in the right sequence.

Fig. 2. RIMAP-Procedure

In Fig. 2 the RIMAP procedure is shown. This needs to be generic, since it must be industry
independent and applicable to different equipment types (static, safety systems, etc.). The steps
in the procedure are the same for different industrial sectors (chemical, petro-chemical and
power) and for different equipment types even if the techniques, that is the tools for assessing
probability or consequence of failure may vary from one application to one other.
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 5

So, within the generic RIMAP procedure it is possible to meet the requirements of other
already existing risk related programmes like EN 1050 [2] for machinery or IEC 61 508 [3] for
electrical safety systems. As it can be seen from Fig. 2, the core of the procedure – the
multilevel risk analyses – includes a seamless transition from screening to detailed analysis.
Here it is obvious that for a certain level of acceptance a sufficient depth of the analysis and
available data is required.


It should be clear that no unique measure of risk exists. Many such measures have been
proposed and are currently in use, each providing a different view on a particular situation. The
main types of risks are:

• Impact on personnel and public safety and health,

• Impact on the environment,
• Impact on economical concerns (costs and profits).

Regarding safety, health, and environment (SHE) aspects several generally accepted definitions
and methods already exist (e.g. [4]and [5]). A selection of these are summarized below. Where
cost considerations need to be included within the scope of the risk analysis, the parameters,
which need to be included, are usually determined by the RBMI performing company itself.

Individual Risk
A formal definition of Individual Risk is expressed by the I.Chem.E. [4] as the frequency at
which an individual may be expected to sustain a given level of harm from the realization of
specific hazards. It is usually taken to be the risk of death, and normally expressed as risk per

Individual Risk is the risk experienced by a single individual in a given time period. It reflects
the severity of hazards and the amount of time the individual is proximity to them. There are
typically three different types of Individual Risks:

• Location-Specific Individual Risk (LSIR)

Risk for an individual who is present at a particular location 24 hours per day, and
365 day per year. LSIR is not a realistic risk measure as an individual does not
usually remain at the same location all the time and is not exposed to the same risk
all the time.
• Individual-Specific Individual Risk (ISIR)
Risk for an individual who is present at different locations during different periods.
ISIR is more realistic than LSIR.
• Average Individual Risk (ASR)
AIR is calculated from historical data a number of fatalities per year divided by the
number of people at risk.

Individual Risks are also commonly expressed by means of the Fatal Accident Rate (FAR),
which is the number of fatalities per 108 hours of exposure. FARs are typically in the range
from 1 to 30, and are more convenient and more readily understandable than Individual Risks
per year.
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 6

Societal Risk
A formal definition of the Societal Risk is given in [4] as the frequency and the number of
people suffering a given level of harm from the realisation of specified hazards. It usually
refers to the risk of death, and expressed as risk per year.

This expression of risk is useful to limit the risks of catastrophes affecting many people at one
time. Societal risks may be expressed in the form of
• F-N curves showing the relationship between the cumulative frequency (F) and the
number (N) of fatalities (see also Fig. 1).
• Annual fatality rates, in which the frequency and fatality data are combined into a
convenient single measure of risk. This is known as potential loss of life (PLL) per

Area Risk
A third often-used measure of risk is the Area Risk. This measure is very useful when more
than one source contribute to the overall risk of a certain geographical area. An important tool
for the Area Risk is the I-N histogram. It gives the number of persons (N) in the impact area
exposed to an Individual Risk within the range I.

Environmental Risk
Environmental Risk includes short term and long-term effects to the biosphere. Here the
affected area in m² (soil, ground and surface water, seawater) or the amount of released
dangerous substances to the environment per year can be an adequate measure. Due to the fact
that there are also financial aspects linked to the environmental risk, which can be measured in
money (like cleanup costs, penalties, negative media publicity, etc.), these are best covered
when evaluating the Economic Risk.

Economic Risk
Concerning the Economic Risk, the risk for direct and indirect cost should be addressed. To
quantify the costs related with a certain failure (undesirable event) and a certain probability the
direct costs include
• Costs of lost production (including shutdown and start-up costs)
• Repair costs (spare parts, material and labour costs for primary and secondary
damaged equipment)
• Cleanup costs (if not tackled within the environmental part)

The indirect costs are much more difficult to estimate. Similarly, the effects of negative media
publicity are not easy to quantify. Finally the consequences of a specific type of accident may
vary from industry to industry.


In a regulatory context requirements for acceptance criteria are usually kept very general.
Basically, there are only qualitative definitions of the risk acceptability limit such as:
• the industrial activity should not impose any risks which can be reasonably avoided,
• the costs of avoiding risks should not be disproportionate to the benefits,
• the risks of catastrophic accidents should be a small proportion of the total.
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 7

Risk contains, by definition, both the Probability of Failure (PoF) and Consequence of Failure
(CoF) aspects. For the regulatory perspective the introduction of the consequence element
enables a risk-based inspection or maintenance procedure to get acceptance by the authorities.
This is not true for a reliability centred inspection or maintenance approach.

ISO-Risk Line


Fig. 3. Societal Risk (from [6])

In a risk matrix, iso-risk lines represent the same level of risk. Usually the plotted risk is linked
to the type of consequences on the horizontal axis (in Fig. 3 the Societal Risk). For more details
how to evaluate the applicable consequences see the methods described in [7]. Normally the
impact on the following should be investigated:
• safety and health of plant personnel and people outside the facility,
• the environment (short term and long term), and
• economical effects (lost production, repair, …)

Whether some or all of the impacts can be summarized within one risk matrix depends on the
type of application. In the most cases it may be reasonable to distinguish at least between the
SHE aspects in one matrix (for internal and external acceptance) and the financial aspects (for
internal purposes acceptance) in a separate one.

The simplest approach for the definition of risk criteria is to define a single risk level, which
separates the acceptable risk from the unacceptable risk areas. In this framework only a few
countries and industrial organisations have actually accepted and endorsed specific numerical
values for this risk level. For instance the Netherlands and the United Kingdom, give the values
reported below:
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 8

The Netherlands UK

Individual Tolerable Risk: Individual Tolerable Risk:

Existing Situations: 10-5 per year Workers: 10-3 per year
New Situations: 10-6 per year Public: 10-4 per year
Broadly Accepted: 10-6 per year
Societal Tolerable Risk:
1 or more fatalities: 10-3 per year

A more flexible approach is show in Fig. 3. Here the risk area is divided in three bands:

• An upper band (unacceptable area) where risks are considered unacceptable and
need to be reduced, whatever the costs might be.
• A middle band (ALARP: as low as reasonably possible) where risk-reducing
measures are desirable, but may not be implemented if their costs exceed the
benefits gained in reducing risks.
• A lower band (negligible risk) where risks are considered acceptable and so only
minor or no risk remedial measures are required.

While in Fig. 3 the decision-making process is based only on the risk itself, in Fig. 4 a
generalised decision-making procedure can be seen, which is based on a combination of
probability driven, consequence driven and risk driven procedure. It also can be seen in Fig. 4
that the risk ranking should include the uncertainties linked to the evaluation procedure,
relevance of the data basis to be used, or the assumptions and simplifications that are made.
The way in which uncertainty shall be treated in risk estimates, should be defined before to
perform the risk analysis.

Fig. 4. Generalised Decision Making

Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 9


The development in the regulations concerning In-Service Inspection (ISI) in the European
Union is mainly driven by the European Pressure Equipment Directive (PED) –97/23/EC [8],
which is now mandatory since May 2002 for all member countries.

As is shown Fig. 5, only the requirements for the construction and design of pressure vessel
equipment is standardized for EU-member states, while all the legislation for the in-service
inspection is still with the national authorities. The only requirement is that the national
regulation must be adapted to the basics of the PED.

Fig. 5. PED and ISI

Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 10

Fig. 6. PED – Classification (example)

The main classification of pressure equipment in the PED (see for an example Fig. 6) with its
influence on the construction and design requirements is adapted in several national ISI codes
(e. g. German BetriebssicherheitsV [9]). In these cases, the expenditure on ISI is linked to the
consequence classification in the PED. Whilst in the PED the word “risk” is avoided (the
requirements are only consequence related) in comments to the ISI codes one can often find
implicit expression for risk where the prescribed (or specified) have to be extended or reduced.
Here, it is often stated that efforts have to be adapted to the extent (that is the consequences)
and the likelihood of what can happen. The use of words like “extent” and “likelihood” is
basically the definition for “risk”.

In other countries, for instance in the Netherlands [10], risk-based procedures are already in
place as a possible alternative to a prescribed interval based methodology for inspection. To get
the acceptance from the authority it is necessary to report the complete method specification
(incl. at least three pilot determinations of the interval of risk-based inspection).


In order to establish a successful RBI programme, it is strictly necessary to properly understand

which risks have to be measured and the acceptance criteria that should be used to get external
(authorities, public, etc.) and internal (management, operation department, inspection
department, financial department, etc.) acceptance. This should be decided at the earliest stage
of the risk-based decision-making process, and relevant criteria for actions and assessment be
developed. Any actions taken and the results which follow must be based on these criteria.
Risk Acceptance Criteria & Regulatory Aspects OMMI (Vol. 1 Issue 2) Dec. 2002 11

It should be clear that there is a difference in using risk assessment to minimize the expenditure
on maintenance and in using it to reduce overall safety, health, and environmental risks for the
personnel and the public, without overspending. For this reason, acceptance criteria and risk
matrices should be available for the SHE-aspects and for financial aspects.


[1] EN 45004, “General criteria for the operation of various types of bodies performing
inspection,” 01.03.1995.

[2] EN 1050, “Safety of machinery - Principles for risk assessment,” 01.11.1996.

[3] IEC 61 508, “Functional safety of electrical/electronic/programmable electronic safety

related systems,” 01.12.1998.

[4] I.Chem.E: Nomenclature for Hazard and Risk Assessment in the Process Industries,
Institution on Chemical Engineers, UK, 1992.

[5] Seveso II Directive: Council Directive 96/82/EC of December 1996 on the Control of
Major-Accident Hazards involving dangerous Substances.

[6] Kirchsteiger, Ch. (Editor), Risk Assessment and Management in the Context of the
Seveso II Directive, Elsevier, 1998.

[7] Angelsen, S., Johansson, M. and Vage, G., Consequence of failure in the RIMAP project
– overall model, RBM-Conference, International Seminar on Risk Based Management of
Power Plant Equipment, London, 21-23 October 2002.

[8] Pressure Equipment Directive 97/23/EG.

[9] BetriebssicherheitsV (ISI Directive for Germany), 2002.

[10] The Netherlands rules for pressure vessels, „Risk-based inspection“, T 0260, March 2002.