Safety Science 40 (2002) 105–126

www.elsevier.com/locate/ssci

Risk assessment practices in The Netherlands

B.J.M. Ale
RIVM, PO Box 1, 3720 BA Bilthoven, The Netherlands

Keywords: Risk; Management; Risk analysis; Acceptance criteria; Risk perception; Policy

1. Introduction

The assessment of management and risk is an activity that has a growing interest.
As a consequence of the introduction of the revised Seveso directive the interest in
risk management is increasing in the European Union as well. In a guidance docu-
ment, prepared by the Joint Research Centre (JRC; and summarised in the ‘‘Pre-
face’’ of this special issue), the matter is raised whether a standardised approach
would be helpful. In addition, a large number of questions have been put, which
serve to make the current status in various fields of interest and in various countries
more explicit. The structure of the JRC document and the structure of the risk
management approach taken therein strongly resemble the approach taken by the
OECD in the CARAT system (Ale et al., 1998). However, the interpretation seems
to differ in some details from the intentions of CARAT. These matters will be dis-
cussed in more detail at the appropriate places in this document. This document
serves to give a survey of the historical development and the present status of the
management of the risks of major hazard installations and the transport of danger-
ous materials in the Netherlands and to answer the questions in the JRC document.
Where useful and appropriate, similarities and differences with the CARAT system
will be addressed.

2. History and general principles

In this section, the historic development of risk assessment practices is described.

The general principles are given. Some issues of general applicability raised in the
guidance document are addressed in this section.

E-mail address: [email protected] (B.J.M. Ale).

0925-7535/01/$ - see front matter # 2001 Elsevier Science Ltd. All rights reserved.
PII: S0925-7535(01)00044-3
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

106 B.J.M. Ale / Safety Science 40 (2002) 105–126

2.1. History

In the Netherlands, the concern for safety in industrial activities, both inside the
establishments and in the surroundings, has a long history. As a result, many laws
and regulations apply. The use of risk assessment techniques is fairly widespread in
policy and regulations for such fields as design criteria for the dike system along the
rivers, the introduction and use of chemicals and the transport of hazardous mate-
rials. Several attempts have been made to harmonise the techniques and the criteria
over the different fields. This has proven unsuccessful to date. Especially the field of
toxic chemical agents stands out both in methodology and in assessment procedures.
In the field of major hazards the methodology and the procedures are closely related
to those used in engineering and in the nuclear industry. The systematic use of
quantitative techniques to support the management of risks in industry and in reg-
ulation really started in the mid-1970s. It is this field which is the subject of the
remainder of this paper. In the Netherlands, the regulation of major hazards has a
long history, which for a major part explains the current regulatory structure.
As early as in 1810 the emperor Napoleon issued a decree, in which it was stated
that a permit was needed to operate an industry. In the imperial decree three cate-
gories of activities were distinguished:

1. activities that were only allowed at certain distances outside housing develop-
ments and for which the authorities determined the location;
2. activities that could only be allowed in the neighbourhood of houses when it
was certain that no hazard or nuisance would be caused; and
3. activities that could not cause hazards or nuisance and therefore were allowed
inside cities.

On the basis of the imperial decree a general ordinance was issued in 1814, the
purpose of which was to protect the surroundings of an establishment against
hazards, damage and nuisance.
It was stated in both the imperial decree and the general ordinance that a permit
could only be granted, after the people were asked for potential objections against
the founding of an establishment or a factory. In the general decree, it was also
regulated that these objections should be put on record and that conditions could be
imposed when a permit was granted.
In 1875 the general ordinance was transformed into the ‘‘Fabriekswet’’ (The Law
on Factories).
In 1886 a state committee concluded in their report to the government:
‘‘. . .regulations and laws are indispensable in the protection of the health and safety
of employees; the employees do not on their own account take these sufficiently into
consideration, when they design and construct their establishments’’
In 1896 the Labour Safety Law came into force. The ‘‘Factory Law’’ changed
name to Nuisance Act. With these developments the systems of labour-safety reg-
ulation and third party safety regulation became separated and have developed
along their own paths since.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 107

In 1934 the Labour Safety Law was renewed. It was aimed at prevention and
abatement of the danger of accidents and the promotion of health and hygiene at
work. The legislation assumes that the employee has to be protected but the health
and safety of the employees and the prevention of accidents remains the responsi-
bility of the employer.
The Labour Safety Law became the ‘‘ARBO wet’’ (Conditions at Work Act) in
1982. According to this Law certain categories of establishments have to issue a
Labour Safety Report to the authorities.
The transport of dangerous materials is also a potentially dangerous activity. In
1807 a barge laden with gunpowder exploded in the centre of Leiden. There were
151 people killed and more than 2000 wounded. A large part of the city was
destroyed. The city-park is a witness of this accident to this day. As a reaction to this
disaster, a Law on Explosives was issued in 1814, followed in 1815 by a Law on the
Transportation of Gunpowder. In 1876 a law on toxic materials is adopted by par-
liament. This law in 1963 transformed into the Law on Dangerous Materials, in
which the transportation of all dangerous materials is regulated.

2.2. Recent history

Although some risk management concepts were introduced in public policies

associated with nuclear power generation, most of the development resulted from
some major disasters in the chemical industry in the mid-1970s (Lees, 1980). Among
these were the vapour cloud explosions in Flixborough and Beek, the release of
Dioxin in Seveso and the disaster in Bhopal in 1984 (Bahwar and Trehan, 1984),
where as a result of an accidental release of some 40 tons of methyl-iso-cyanate more
than 3000 people were killed.
In the Netherlands these led to a growing concern about hazardous installations
(Bomhof and Metz, 1981), which became apparent by the growing number of formal
protests and court cases against points of sale of LPG as motor fuel. In 1978 the
Chief Inspector for the Environment issued a measure limiting the number of houses
and people in offices in a circle of 150m around such road filling stations, based on a
crude estimate of potential consequences.
These accidents lead to the introduction of legislation in many countries and in the
European Union. The Directive on Major Hazards [European European Union
Directives 82/5OIIEEG (Pb EG 1982, L 230) and 87/2I6IEEG (Pb EG 1987, L85)]
or ‘Post-Seveso Directive’ as it is commonly referred to, obliged all members of the
European Union to take the hazards of industrial activities explicitly into account,
to assemble information and report to the EU. Through a number of amendments a
new revised directive was issued in 1996.
The external safety policy has been developed as a reaction to large-scale accidents
in which the human casualties were the most prominent effects. It is, therefore, not
surprising that the risks for life and health of humans has attracted the most atten-
tion until now.
Nevertheless, the accidents in Basel (Sandoz) and Chernobyl made clear that
considerable damage could be done to the environment.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

108 B.J.M. Ale / Safety Science 40 (2002) 105–126

The regulation in the Netherlands was shaped by the regulation on LPG (Integrale
Nota LPG, Tweede Kamer der Staten General, vergaderjaar 1983–1984, 18233 nrs
1–2, SDU, Den Haag, The Netherlands) and follows a risk based approach.
The introduction of a risk-based approach in environmental policy to a certain
extent was a breach with the general opinion until then that no kind of pollution or
risk was acceptable.
On the other hand, a risk-based policy was adopted already in the early 1960s
regarding the height and the construction of the flood defences along the Nether-
lands coast (Delta Commssion, 1960).
The principle considerations in a risk-based approach are
1. risk is not zero and cannot be made zero;
2. risk policy should be transparent, predictable and controllable;
3. risk policy should focus on the largest risk; and
4. risk policy would be equitable.
Risks are non-zero and cannot be made zero. Regulation risks on the basis of this
principle, creates the necessity to know the magnitude of risks and to limit the
acceptability of these risks by setting finite, non-zero standards. The systematic
dealing with risks is called risk management.
Risk management in this context is divided into four phases (Fig. 1)
1. identification;
2. quantification;
3. decision;
4. reduction; and
5. control.
In these, the decision is not so much a phase, but a demarcation between the more
analytical part of the process and the more managerial part of the process.

Fig. 1. The risk management process.

Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 109

2.3. Methodology

In the risk-management process, quantification plays a central role. It has there-

fore been necessary to standardise to a certain extent the metrics by which risk is
expressed and the methodology, which is to be used to quantify risks and to manage
these.
Risk has two dimensions, which have to be determined separately:
1. the extent of the consequences; and
2. the probability that the consequences will arrive.
In the quantification of risk in the context of the external safety policy in the
Netherlands three measures of risk are used: the individual risk (IR), the societal
risk (SR) and the expectation value of the number of people killed per year also
called the potential loss of life (PLL).
IR is defined as the probability that a person who permanently is present at a
certain location in the vicinity of a hazardous activity will be killed as a consequence of
an accident with that activity. Usually IR is expressed for a period of a year. It can be
pictured on a map by connecting point of equal IR around a facility, the risk contours.
SR is defined as the probability that in an accident more than a certain number of
people are killed. Societal risk usually is represented as a graph in which the prob-
ability or frequency F is given as a function of N, the number killed. This graph is
called the FN curve.
For the policy regarding the risk for the environment similar measures have been
developed. In the document Premises for Risk Management, which is part of the
Dutch National Environmental Policy Plan these issues are discussed extensively.1
The calculation of risks often is not very difficult, but for a chemical installation of
more than minimal size it can be time-consuming. In the COVO study,2 in which six
industrial installations in the Rijnmond Area were analysed extensively, this was
already established in 1979. A considerable number of systems have been developed
to automate the necessary calculations. Many of these developments lead to com-
mercially available systems. The SAFETI package,3 which was originally developed
under contracts from the Directorate General for Environment and the Rijnmond
Authority (Ale and Whitehouse, 1984) is an example. At the moment, it is the most
comprehensive but also the most expensive package available (Fig. 2). The risks for
the major hazard establishments in the Netherlands is reported each year by the
National Institute for Health and Environment (RIVM).
Whether risks are calculated by hand or with the use of computer programs, the
procedure is always similar.
From a description of the process and the associated flow diagrams and
other technical material it is established which vessels and pipes are present in the

1
Premises for risk management, Second Chamber of the States General, session 1988–1989, 21137 nr 1–2.
2
Report on the COVO study to the Rijnmond Authority, Reidel, 1990.
3
The SAFETI package, reports to the Ministry of Housing, Physical Planning and Environment,
Technica, London, 1984–1986.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

110 B.J.M. Ale / Safety Science 40 (2002) 105–126

Fig. 2. Risk contours in the Netherlands (RIVM, Yearly environmental report 1998; red: 10 5, yellow
10 6, white 10 7, green 10 8).

installation. For each part it is determined how it can fail, how much of the con-
tents are released and how this release takes place. Because the number of ways by
which a release can occur are endless, a choice is made of what events or scenarios
can be taken to be representative for the hole gamut of releases possible in the
installation. When computer programs are used to do the calculation the number of
events taken into consideration is usually much larger than when the calculations
are done by hand. In the former case, the results usually are more accurate and
better defined.
Subsequently the dispersion into the surroundings of the released chemical is
determined. For a flammable material the explosive force and the heat radiation
levels are calculated. For a toxic, the toxic load in the surroundings. The results
are combined with data on population density, weather and wind and the failure
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 111

frequencies pertinent for the installation to calculate the individual risk and the
societal risk.
A series of handbooks has been issued by the Committee for the Prevention of
Disasters that together form the guideline for quantified risk analysis in the Neth-
erlands (Directoraat Generaal van de Arbeid, 1985, 1988, 1990; Ale and Uitdehaag,
1999). Guidance can also be found in international literature (Anon., 1989)
With these books, the methodology for the quantification of risks for hazardous
installations and for the transport of dangerous materials is covered. In other area’s
similar standardisation has taken place. For the calculation of airport risk the
method used by NLR (Ale and Piers, 1999, 2000) serves as the ‘‘de facto’’ standard
in the Netherlands, although other methods are used elsewhere (Smith, 1998; Cowell
et al., 2000). Similarly, standard methods exist in the construction of bridges and
other civil engineering objects. These methods are also probabilistic in nature (CUR,
1997).

2.4. General issues

In the JRC document some issues are raised which pertain to all stages of the risk
analysis process. These are discussed in the following paragraphs.

2.4.1. Expert judgement

To a certain extent expert judgement is embedded in all activities pertaining to risk
analysis and assessment. Simple choices as to the relevance of certain data are often
a matter of judgement. It should be borne in mind that these judgements are not
necessarily objective or impartial, and therefore careful scrutiny is required. Judge-
ments as to the acceptability or tolerability of risks should not be implicit in the risk
estimates nor should they cloud the opinion of the experts. If a result is obtained by
judgement rather than rigorous scientific analysis it should be reported.

2.4.2. Uncertainty
All estimates are uncertain. Some uncertainties can be assessed by systematic
methods others cannot. The biggest uncertainty is that analyses are based on present
knowledge and that there may be a lot that is unknown. We cannot know what we
don’t know. In the Netherlands, when risk assessments and judgements are made
quantitatively, they are based on best estimates. Several reports have been dealing
with the residual overall uncertainty in the estimates, which could be larger than an
order of magnitude in the frequency.

2.4.3. State of the art

The methodologies used in the management of major chemical hazards are put
under the guardianship of the committee for the prevention of disasters (CPR), who
issues guidelines and other documents to assure proper scientific procedures, where
possible, and state of the art methodology where needed. The CPR usually seeks
advice of the national Institute of Health and Environment for matters of technical
nature.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

112 B.J.M. Ale / Safety Science 40 (2002) 105–126

3. Purpose of risk sssesment

With the implementation of the SEVESO directive in the Dutch legislation, it

became obligatory to submit a report on the External safety. Part of this report is
the quantitative risk analysis. The report also contains qualitative descriptions,
which serve to give insight into the backgrounds of the safety study in the report.
The External Safety Report is part of the documents to be submitted for a permit
application and therefore is public.
The qualitative descriptions have to be made for the whole of the establishment.
The quantitative risk analysis only has to be performed for those parts of the
establishment that have been selected according to a prescribed system.
For other activities such as the transportation of dangerous materials or the
operation of an airfield, quantified risk assessments are demanded either by law or
by authority of the decision maker.
These assessments always serve two purposes:
1. to find the safest way of executing the activity given the economic constraints;
and
2. to find the necessary safety zoning distances and other measures in the sur-
roundings of the activity given the residual risk.
This information is subsequently used in licensing procedures and land use plan-
ning, depending on the activity and on the applicable legislative regime.

4. Terminology

The terminology used in the Netherlands is for obvious reasons in Dutch. It has
been discovered (the hard way) that translating the terminology in another language
is difficult. In fact a whole system is developed under the auspices of the OECD to
cope with the language problem and the ensuing problem of misunderstanding
between states with different languages and even sometimes different states having
the same language (Rosental et al., 1997; Ale et al., 1998). Therefore, it is very dif-
ficult to convey the exact meaning of the terminology in Dutch into another lang-
uage. In this sense, all the descriptions given in this paper are a compromise.
The terminology used in the Netherlands has been chosen to fit the mathematical
framework used in the analytical methods. Therefore, the following terminology
applies:
Hazard: the hazard is the intrinsic property of the substance or system to do harm
of some sort.
Consequence: the consequence is the result of the materialisation of the hazard. As
such it is always a concrete harm like x persons killed, property of x million destroyed.
Frequency: the expectation value of the number of times the specified consequence
will arrive in a specified period of time. It is tried to stay out of the discussion about
probability in frequentistic and Bayesian sense and other more philosophical issues
regarding chance, although that is not really possible in the public debate. Usually
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 113

the period is a year. When the numbers are low, as is usually the case in risk analyses
in the area of Major Hazards, frequency and probability are numerically equal. The
fundamental difference between the two in that case has little consequence for the
final results of an analysis.
Risk: risk is defined as the combination of consequence(s) and the frequency(ies)
that it arrives (they arrive). That risk is NOT defined as the (sum of) consequence
multiplied by frequency is on purpose. Such a definition is regarded as a metric of
risk, of which many are possible. In the Netherlands, these are IR and SR and the
PLL (see Section 2.3). Risk under this definition thus is a two-dimensional quantity.
It should be noted that many definitions of risk exist, in which some form of per-
ception or aspects thereof are made part of the definition. Well known are the many
attribute definitions of risk in psycho-social studies of risk (Anon., 1995). However
valuable these are, they tend to blur the distinction between risk analysis and risk
assessment. In the context of major hazard policy and regulation, risk has the nar-
row definition as given earlier.

4.1. Hazard

The definition of hazard as ‘‘the intrinsic property of a dangerous substance of

physical situation, with a potential for creating damage to human health or the
environment’’ conforms to the way it is used in the Dutch context.

4.2. Risk

The definition of risk as a likelihood would not fit the Dutch context. Moreover, it
is illogical as risk has two components: extent of the damage and the probability or
likelihood that such damage will occur. It would be much more logical to use like-
lihood or chance or probability or frequency for this term and reserve the word risk
for the compound entity.

4.3. Structure

The structure chosen in the Netherlands separates the different processes that can
be taken to constitute the risk management process: The first two stages: identifica-
tion and quantification together constitute the assessment. The quantification may
be qualitative, i.e. in terms of large or small in case suitable quantification meth-
odologies are not available.
The terminology as given in the guideline (Kirchsteiger, 1999) in Table 1 (repro-
duced as Table 2 in the ‘‘Preface’’ of this special issue) does not completely line up
with the practices in the Netherlands.
Although the quality of the estimate of risk is important, it cannot logically be
part of the estimate itself.
In the definition of risk comparison, the notion of the assumptions is introduced.
These assumptions, however, pertain to the estimates made in earlier steps and can
better be treated as a separate item.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

114 B.J.M. Ale / Safety Science 40 (2002) 105–126

Table 1

Risk perception criteria Low Medium High Not sure

Probability of occurrence x
Extent of Potential damage x
Incertitude of risk estimate x
Ubiquity of potential damage x
Persistency of potential damage x
Reversibility of post-damage x
Delay between initial event and impact x
Potential of mobilization x

In general it would be much more advisable to separate the analysis from the
assessment, and to separate ‘‘taking stock’’ from control. The set of definitions and
the structure of the OECD dictionary/thesaurus on risk, CARAT, serve this purpose
very well. In this way the commonalties and the differences between practices of the
Netherlands and of other member states of the EU could be made much clearer.
Clarity will contribute to decisions such as what to harmonise and to what extent.

4.4. Remarks

From the above it is probably obvious that the Netherlands approach differs in the
framework and in terminology supplied from the approach taken by JRC. On
the other hand, it is recognised that any attempt towards a common approach can
only succeed if all parties concerned adopt some form of communality in expression.
Therefore, an attempt has been made to fit the descriptions of the risk management
activities in the realm of Major Technological Hazards in the Netherlands to
the framework supplied by JRC as far as possible. Previous experience with the
CARAT system and the introduction of many documents and definitions was a
great advantage.

5. Performance of risk assessment

In the Netherlands, risk assessments are carried out as part of safety reporting
studies under the SEVESO directive, as part of permit applications, environmental
impact assessment and policy development. The methodology is well established and
documentation on preferred practices is extensive.

5.1. Hazard identification

Hazard identification is the process in which it is investigated what threats or

potential harm exist for the subjects of concern. The subjects of concern primarily
are humans, but the recent revision of the major hazards decree (BRZO, 1999) also
specifically addresses the environment in general and surface water in particular.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 115

Since the hazard in the context of major technological (chemical) hazards has at
least a chemical as component, the hazardous events are releases or losses of con-
tainment. These releases are also designated initial events or base events.
In the context of the CARAT system one could designate the ‘‘source’’ as
those situations that have the potential to produce the initial events identified in this
step.
There are numerous ways in which these initial events can be defined. The hazard
of a chemical plant is in the release of the hazardous chemicals in them. It is, there-
fore, a good choice to take releases of material as initial events. These releases can be
any size and any duration. They can be the instantaneous release of the contents of a
vessel or a long duration leak from a small hole in a pipe. The whole range of pos-
sible releases is, therefore, represented by a limited number of releases, which are
considered representative for the whole of the range. These typical events or Exem-
plified Discrete Failures represent the failure behaviour of the plant in the rest of the
analysis. It should be well noted that this stage is of great importance. Although in a
later stage certain releases may be discounted as giving too insignificant effects, no
release will be added to the list in later stages of the analysis (unless one goes back to
this stage). For small plants, it already possible to decide in this stage which events
will dominate the risk results, but usually a fairly large number of releases have to be
considered. A well-proven choice is:
1. catastrophic failure of each tank;
2. a leak in each tank with the size of the largest connection to it;
3. a full bore rupture of each pipe at either end and in the middle section; and
4. a hole in size 10% of the cross-section of each pipe in the middle of the pipe
section.
When the inventory of a vessel varies greatly in time, like storage vessels, separate
events should be specified for a 10, 50 and 90% fill, for example. When the pipes are
very long, separate events should be specified at distances along the pipe equal to
about 10% of the size of the whole plant to get a reasonable spatial resolution of the
final risk results.
With a list of events thus compiled, the next stage of the analysis can be entered,
the calculation of physical effects.

5.1.1. Sources
The sources of risk, or harm are the hazardous activities. These cover hazardous
installations as covered by the SEVESO directive, but also other installations, not
covered, but considered hazardous by the licensing authority. Also, the transporta-
tion of dangerous materials, be it by rail, road or water and by truck, car, ship or
pipeline, is considered as a source.
In some instances, e.g. when a road is under study. The physical impact of the
means of transport itself is taken into account.
Finally, but of a different nature, air transport is considered a source. Here it is
not the inventory or the cargo that creates the hazard, but the means of transport,
i.e. the airplane itself is considered the source of potential harm.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

116 B.J.M. Ale / Safety Science 40 (2002) 105–126

5.1.2. The notion of potential

In principle, potential harm is considered at any time that there is no law of
nature that makes the materialisation of the hazard or harm impossible.
Obviously there is a limit to what is considered, but what is still conceivable or
not is mainly a matter of judgement by the analyst. Nevertheless, some rules
exist. All scenarios leading to harm as mentioned in the purple book have to be
considered. Other scenarios brought up by the competent authorities, the sur-
rounding population or any other party involved can only be dismissed with
argument.
In general, for a chemical plant scenarios with (cumulative) frequencies below
once in a million per year are not considered. The argument here is of a mathe-
matical nature. Individual risks below 10 8/year or disasters with frequencies of
less than 10 9/year, are not considered by the authorities. There is roughly a factor
of 100 attenuation between the event frequency and the individual risk scenarios
with a small frequency will not contribute to the risk considered in the decision
making.

5.1.3. Undesired outcomes

The undesired outcome primarily is death of humans. Other undesired outcomes
considered are wounded, material damage and (long term) pollution, but whether
these are considered depends on the circumstances: the particular plant or activity in
relation to its particular surroundings.

5.1.4. Subjects of concern

In the Netherlands, the regulation in the field of major hazards primarily addres-
ses humans. This does not mean that other subjects are not of concern. Other sub-
jects of concern are surface water, ground water and soil, and material damage.
However, the techniques to quantify risks are most advanced for lethal effects for
humans, and the regulations are most specific for humans.
In the field of nuclear power, studies were performed to investigate whether the
current criteria in the legislation, which address immediate death only, were suffi-
cient to cover the long-term effects of radiation in case of a nuclear power accident.
It was concluded that no additional regulation was required (Ravenzwaaij et al.,
1992).
Nevertheless, both the regulation and the guidance-books address the problems of
environmental pollution and material damage and techniques to at least partially
cover them are suggested.

5.1.5. Likelihood
As likelihood is addressed explicitly both in the techniques use as in the regula-
tion, it is of little concern in the stage of hazard identification. If fact in this stage it
is paramount to create a list of threats as complete as possible and not dismiss any
potential harm lightly. Anything not identified in this stage will not be analysed
later. In a later stage, when probability or likelihood is addressed explicitly, threats
may be dismissed as too unlikely to further consider.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 117

5.1.6. Completeness
As has been described in the previous paragraph maximum completeness is aimed
at. However, it should be recognised that completeness cannot be achieved in full.
The issue of unforeseen threats, which in practise materialises as unforeseen acci-
dents or accident sequences will be addressed in the sections dealing with the
analysis of probability and risk more fully.

5.1.7. Authorities, guidance and standardisation

The authorities may wish that certain events are specifically addressed. In that
case they will express their view in the initial stages of the relevant process. In this
stage the process is mainly creative and any contribution must be welcomed.
Several documents have been issued in the Netherlands to further guide the ana-
lyst. The main source of guidance is the purple book (Ale and Uitdehaag, 1999).
Other documents are also relevant (Anon., 1998; RIB, 1999). These lead to a certain
level of standardisation. But because every plant or source of harm may have unique
properties full standardisation is neither achievable nor desirable.

5.2. Event scenario assessment (assessment of distribution of potential harm)

The event scenario assessment as defined in the JRC document in the Netherlands
is usually divided into two separate stages. The stage leading up to the loss of con-
tainment event and the sequences of events following the loss of containment. This
way of dealing with the universe of events in all their relationships is also referred to
as the bow-tie model (see Fig. 3).
The sequences of events leading up to these events can be analysed in detail.
Rather than using inventory type techniques such as Hazard and Operability studies
and similar techniques, a full fault-tree analysis can also be performed. In the con-
text of the Major Hazard regulation for chemical plants in the Netherlands this is
only rarely done. The most applicable frequencies are given in the ‘‘purple book’’
(Ale and Uitdehaag, 1999). A detailed analysis, therefore, only is warranted if it is
judged that the standard frequencies do not apply or events are studied which are
not covered by the guidance documents.
In the stage addressing the events that follow the loss of containment, the dis-
tribution of chemicals and energy in the surroundings is quantified. In the Nether-
lands this is usually referred to as consequence analysis, a term reserved in the
guidance document for assessment of damage.
In terms of the CARAT system this stage ends with the ‘‘distribution of the
potential of harm’’. In terms of the JRC document, this is the spatial and temporal
distribution in the surroundings of a chemical, a pressure-wave, heat radiation or
any other potentially harmful agent.

5.2.1. Scenarios
The sequences of events to be described after the loss of containment has occur-
red, is identified in guidance documents and in the literature. A comprehensive list of
items to be considered is as follows:
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

118 B.J.M. Ale / Safety Science 40 (2002) 105–126

Fig. 3. Bow tie model.

rate of the release

liquid flow
gas flow
two-phase flow
the rate of vaporisation
flash evaporation
pool evaporation
on land
on water
mist formation
dispersion
neutral or Gaussian dispersion
dispersion of a heavy gas
dispersion of a light gas
formation of a jet
heat radiation
jet fires
pool fires
fire balls and BLEVEs
pressure and shock waves
unconfined vapour cloud explosions
confined/semi confined explosions
physical explosions
Fragments
All these effects should considered in their proper sequence as is indicated in Fig. 4.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 119

Fig. 4. Sequences of effects considered in the purple book.

The domain into which these effects enter follow from the calculations. In general,
this will be the air surrounding the source in the case of chemicals and the space in
the case of heat radiation and pressure-waves.
The result of this stage is the distribution of potential harm in the surroundings of
the source as a consequence of loss of containment events.

5.2.2. Likelihood
Likelihood is also addressed explicitly in this stage. Not only with respect to the
probability of the initial event but also with respect to the probability that the event
will develop in a certain direction, depending on such aspects as the presence of
ignition sources and the presence of obstacles in a cloud.

5.2.3. Completeness, authorities, guidance and standards.

The effects to be regarded in the course of establishing the distribution of harm are
well covered in the ‘‘coloured books’’ as described earlier. There is no specific defi-
ciency present.

5.2.4. Fault-tree analysis

The frequency of occurrence of the initial events can be obtained from their asso-
ciated failure trees. In risk analysis of nuclear power stations, this is the pre-
dominant method. For chemical plants, however, there is hardly enough
information about precursor events to do this reliably. There is, however, quite
often sufficient information on the occurrence of the event. This information is
referred to as Generic Failure Rates. In a risk analysis of a chemical plant, the fre-
quency of the base events of the event-trees, usually loss of containment events
(LOCA), usually is taken from a database or from some list of standard values or set
by expert judgement. Only rarely a fault-tree, with such a LOCA as the top event, is
used to develop the frequency of a LOCA from initiating events.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

120 B.J.M. Ale / Safety Science 40 (2002) 105–126

In the Netherlands a substantial range of event frequencies is given in the ‘‘purple

book’’.
However, when specific events have been dealt with or some plant specific safety
measures have to be taken into account, a fault-tree analysis may be performed.
Guidance on the available techniques can be found in the ‘‘red book’’ (Directoraat
Generaal van de Arbeid, 1990).
Such analysis is also necessary when specific management factors have to be taken
into account. It is not customary to take management factors into account in such a
quantified risk analysis. If it is done at all, it is done by multiplication of the fre-
quency of the top event by a constant number. Techniques to do this more rigor-
ously are under development.

5.3. Consequence assessment

In the previous section it has been described how the scenario’s developing from a
loss of containment accident are evaluated resulting in a distribution of concentra-
tion of chemicals, a distribution of heat radiation or a distribution of pressure-
waves, whatever is appropriate given the material released and characteristics of the
release event. In the Netherlands this is usually referred to as consequence assess-
ment. However, in the terminology of the JRC document this is called event sce-
nario assessment. The consequence assessment as apparently meant in the JRC
document is usually referred to as damage assessment. The ‘‘green book’’ is espe-
cially assembled to describe the available methodology (Directoraat Generaal can de
Arbeid, 1990).
In the CARAT system, this stage is damage assessment as well. An essential piece
of information in this stage in the dose–effect relationship. This is the relationship
between the exposure to a potentially harmful agent and the actual damage done to
the subject of concern.

5.3.1. Target information

To calculate the damage from the physical effects, information is needed about the
vulnerability of the objects to which the damage has to be calculated. These are
primarily human beings. In some analyses damage to structures like houses and
offices has been quantified. Damage to surface water is increasingly calculated. The
damage to ecosystems is rarely included in the quantitative analysis of a chemical
plant, although the interest in this kind of calculations is rapidly growing. In the
case that the target is a human, the effects of heat radiation and exposure to toxic
materials by inhalation or through the skin should be quantified. Relationships
between the dose and the effect are taken from literature. Information about the
vulnerability of people to various physical effects was first systematically assembled
by Eisenberg et al. in the Vulnerability Model, developed for the US Coast Guard in
1975. It is based originally on the Vulnerability Model of the US coast guard
(Eisenberg et al., 1975). Based on this work extensive research has been done and is
ongoing into the various relevant dose–response relationships. The results are given
in a guidance document called the green book (Directoraat Generaal can de Arbeid,
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 121

1990). The green book is the result of almost two decades of close cooperation
between various institutes. These institutes were government, private and industry.
The dose–response relationships can have two forms:
1. A threshold value, below which the damage is nil and above which the damage
is total. This is, for instance, the case for explosion effects. When people are
subjected to an overpressure of more than a certain value (typically 0.3 bar
overpressure) they are considered dead, otherwise they are considered to sur-
vive.
2. A relationship between the dose or the exposure and the fraction of people that
get killed or will suffer some other predefined, harmful, effect. This is, for
instance, the case when calculating the damage of a toxic cloud or a jet fire.
These relationships are often referred to as Probit Equations, since they
employ a mathematical entity called the Probit, which converts the generally S-
shaped relationship between dose and fraction of people into a straight line.
With these kinds of relationships, the physical effects can be converted into
damage. A useful way of expressing this damage is the fraction of population in a
certain area, that will be killed or the chance that in individual in a certain place will
be killed, or will suffer some other effect, given the initial event has happened.
Similar relationships are available for material damage, although they usually are
less probabilistic in nature (Ale and Uitdehaag, 1999). Nevertheless, some recent
work addresses the probability aspect for material damage.

5.3.2. Methodology
The methodology to assess the damage is straightforward given the assessment of
the distribution of potential evaluated as described in Section 5.2.
An essential piece of information is the presence and distribution of the targets,
whether these are people, buildings, infrastructure, ecosystems or any other subject
of concern as well as the associated dose–effect relationships as described in the
previous paragraph.
Just as for the hazard analysis and the event scenario assessment, the purple book
gives detailed guidance of how to do this and there are many computer tools that
will perform the necessary operations. It should be noted, however, that probabil-
istic relationships between potential and harm, such as the probit relation, associates
a probability with the level of harm. This probability has to be taken into account
when addressing the likelihood of damage later in the process.
Other factors, such as the probability of weather and wind, which may have a
significant influence on the damage, are considered when building the final risk pic-
ture.

5.4. Risk estimation

In this final step of the risk assessment or risk quantification process, the infor-
mation gathered in the previous steps is combined with probabilistic information on
the surroundings into a complete description of the risk.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

122 B.J.M. Ale / Safety Science 40 (2002) 105–126

5.4.1. Likelihood
All items in the chain of events that lead from the initial event to the damage have
a chance associated with them. The initial event has a chance of occurrence; the
weather has a certain frequency distribution of stability, wind speed and direction; a
flammable cloud may be ignited but does not have to be; an ignited cloud may
explode or just burn.
The whole field of chance associated with risk is most conveniently split into the
chances or frequencies associated with happenings that contribute to the emergence
of the initiating event and the chances or frequencies of the happenings that result
from this event. The latter is called the event tree, the former the failure tree.
How the necessary data to build and quantify fault-trees and event-trees is accu-
mulated has been discussed earlier. The frequency data are combined with the con-
sequence and damage data as well as the data on weather and wind to arrive at the
risk picture (Fig. 5).
In the quantification of risk in the context of the external safety policy in the
Netherlands risk is expressed in three metrics: individual risk, societal risk and
the expectation value of the number of people killed per year also called the poten-
tial loss of life.
The individual risk is defined as the probability that a person who permanently is
present at a certain location in the vicinity of a hazardous activity will be killed as a
consequence of an accident with that activity. Usually IR is expressed for a period of
a year. It can be pictured on a map by connecting point of equal IR around a facil-
ity, the risk contours.
Societal risk is defined as the probability that in an accident more than a certain
number of people are killed. Societal risk is usually represented as a graph in which
the probability or frequency F is given as a function of N, the number killed. This
graph is called the FN curve.

Fig. 5. Risk calculation. Scheme in principle.

Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 123

The potential loss of life is the expectation value of the number of people killed. It
is the sum of all individual risks and it is the area under the FN curve.
The results thus can be given in the form of FN curves, risk contours and the PLL
number, whatever is required for the current decision.
As has been described before, risks are quantified for the general population. The
completeness is assured by the provisions of the purple book, by which the author-
ities check the analyses submitted.

5.4.2. Uncertainty and sensitivity

Uncertainty and sensitivity is addressed in detail in the various guidelines. The
submitter of a safety report is not obliged or encouraged to address this issue expli-
citly. The possibility of special vulnerabilities has been addressed in the dose–effect
relationships, which are meant to be valid for the general population.
This does not take away that the competent authorities may demand that special
attention is given to certain aspects if the situation gives rise to it.

5.5. Risk comparison and decision making

Several regulatory documents address the acceptability of risk and the criteria to
be used to judge risks. These are formulated depending on the current state of risk
quantification methodology and a cost–benefit analysis, which is either explicit or
implicit in the political debate where the limits were set.
For individual risk an upper acceptability in new situations or new developments
of 10 6/year holds for establishments and for the transport of dangerous materials.
In existing situations, a sanitation limit of 10 5/year is upheld. For Schiphol airport,
these limits are 10 5/year and 510 5/year, respectively. These last limits are under
debate and thus subject to change.
These limits have been developing gradually and are described in several docu-
ments.1,4,5 For the preparation of these documents extensive studies have been per-
formed into the perceptions of stake holders; the potential predictability of these
perceptions and the possible use in standard setting. The desirability of standards
itself has been subject of considerations since the late 1970s.
The legal status of the current limits depends largely on the persistence of com-
petent authorities and the State Council. A new general ordinance is in preparation,
in which these risk limits are given full legal status.
For societal risk, an advisory limit is given for establishments and transport as is
depicted in Fig. 6. It should be noted that in spatial planning the limit for transport
will only be observed within 200 m from the route.
For air transport and other sources of risk, no limit has been set. The decision to
accept a hazardous activity is the discretion of the local or provincial authority,

4
NN Risico-normering venvoer gevaarlijke stoffen, MinVrom & Mm V&W, The Netherlands, feb-
ruani 1996.
5
Letter of the minister of Housing, Physical Planning and Environment to the Second Chamber if
Parliament of 13 June 1994, DGMISVS/025940l0
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

124 B.J.M. Ale / Safety Science 40 (2002) 105–126

Fig. 6. Advisory societal risk limits in the Netherlands.

which gives a license. The granting of a license can be appealed against by civilians
and interest groups. This appeal has to be directed to the State Council.
Although the process as described in the Law on the Environment has a strict
flavour, in practice a lot of discussion and negotiation precedes the granting or
refusal of a license. Risk analyses may play a role here, as these are used to optimise
the layout of a proposed installation or a proposed building plan.
On a national scale, comparison of risks can focus attention as to which risks are
more threatening than others and which risks involve most people (Fig. 7).

6. Impact of the generic standard

The OECD Expert Group on Chemical Accidents set out the Project’s goals
rather clearly:

In summary, the workshop participants concluded that standardization of the risk

assessment process, and approaches/methodologies used in each step of the pro-
cess, is neither desirable nor feasible. Nonetheless, enhancing the mutual under-
standing of risk assessment in the context of chemical accidents, can be furthered
by, e.g., efforts to map out the steps in the risk assessment process and the
approaches/methodologies used therein and an elaboration of the indicators
influencing choices of particular approaches/methodologies. It must be empha-
sised that this is not intended to direct, still less to prescribe, a particular approach.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

B.J.M. Ale / Safety Science 40 (2002) 105–126 125

Fig. 7. Societal risk in the Netherlands (Yearly Environmental Report, RIVM, 1999).

The objective of these efforts should be to help stakeholders see more clearly the
range of possibilities and to assist them in decisions which only they can make.

This statement seems equally valid for the risk management activities in the Euro-
pean Union. A systematic analysis of risks along similar or even harmonised pro-
cedures helps to understand the decisions made in other countries or other domains
of activities. This understanding, in turn, helps to make decisions in different coun-
tries and different domains. It brings the aspects to consider in focus and promotes a
transparent decision making process, in which citizens can take their own responsi-
bility. It may also, to a certain extent, level the playing field for industry and popu-
lation alike, because the demands with respect to the amount of information that
has to be supplied before a decision is taken may be similar as well as the procedure
by which risks are assessed.
The CARAT system proves to be a generally applicable framework, which could
be the template for all kinds of risk management activities. It could form the basis
for a more harmonised approach in the EU.
This does not take away that risk acceptance and the judgement on hazardous
activities is a highly contextual exercise (Stirling, 1999; Piers and Ale, 2000). The use of
criteria, methods and the level of risk depend on country, time, activity, risks and benefits.

References
Anon., 1989. Guidelines for Chemical Process Quantitative Risk Analysis, CCPS, AICHE, ISBN 0-8169-
0402-2.
Anon., 1995. Niet alle risico’s zijn gelijk, rapport van de Gezondheidsraad, 1995/06, 20 April 1995, Den
Haag, the Netherlands.
Version 7, No. pages 22
SAFETY 1185p Disk used DTD=4.2.0

126 B.J.M. Ale / Safety Science 40 (2002) 105–126

Anon, 1998. Checklist processing plants, Labour Inspectorate, V 11 E, Den Haag.

Ale, B.J.M., Whitehouse, R.J., 1994. A computer based system for risk analysis of process plants. In:
Hartwig, D. (Ed.), Heavy Gas and Risk Assessment III, 5. Reidel, Dordrecht, The Netherlands.
Ale, B.J.M., Uitdehaag, P.A.M., 1999. Guidelines for Quantitative Risk Analysis, (CPR18) RIVM.
Ale, B.J.M., Piers, W., 1999. Dealing with third party risk around a major airport. In: Goossens, L.H.J.
(Ed.), Risk Analysis, Facing the New Millennium. Delft University Press, Delft.
Ale, B.J.M., Piers, M., 2000. The assessment and management of third party risk around a major airport.
JHazMat 71 (l–3)1–16.
Ale, B.J.M., Rosenthal, I., Helsing, L., 1998. Comparison of interpretations of risk related regulations
using the OECD dictionary/thesaurus of ‘‘Risk Assessment’’ terminology. Hazardous Materials Spills
Conference, EPA, Chicago (6–10 April).
Bahwar, I., Trehan, M., 1984. Bhopal: city of death. India Today 31 Dec., 4–25.
Bomhof, L., Metz, B., 1981. Instrumenten ten behoeve van de externe veiligheid, Tijdschrift voor Open-
baar Bestuur jrg 7(6) (l9 maart).
BRZO, 1999. Besluit Risico’s Zware Ongevallen 1999. Staatsblad 234.
Cowell P.G., Foot, P.B., Gerrard, R.J., Kent, D., Manson, S.M., Rrivoire, A., 2000. A methodology for
calculating individual risk due to aircraft accidents near airports (NATS R&D Report 0007).
CUR, 1997. Civieltechnisch Centrum Uitvoering Research en Regelgeving, Kansen in de civiele Techniek.
Uitgave Directoraat Generaal Rijkswaterstaat, Den Haag.
Delta Commission, 1960. Report of the Deltacmmissee. The Hague (in Dutch).
Directoraat Generaal van de Arbeid, 1988. Methoden voor het berekenen van fysische effecten, (CPR12)
tweede druk, Directoraat Generaal van de Arbeid, 1988.
Directoraat Generaal van de Arbeid, 1990. Methoden voor het berekenen van Schade, (CPRI4) Direc-
toraat Generaal van de Arbeid, 1990.
Directoraat Generaal van de Arbeid, 1985. Methoden voor het bepalen en verwerken van kansen
(CPR16), Directoraat Generaal van de Arbeid, 1985.
Eisenbeng, N.A., Lynch, C.J., Breeding, R.J., 1975. Vulnerability Model: A Simulation System for
Assessing Damage Resulting from marine Spills. US Coast Guards, AD/A-015 245, NTIS report nr
CG-D-137-75.
Kirchsteiger, C., 1999. Promotion of Technical Harmonization on Risk Based Decision Making, Guide-
line for Invited Experts. JRC, Ispra.
Lees, F.P., 1980. Loss Prevention in the Process Industries. Butterworths, London.
Piers, M.A., Ale, B.J.M., 2000. Policy Options for managing societal risk around Schiphol, NLR-CR-
2000-084/RIVM 610066011, 24 februari 2000.
RIB, 1999. Rapport Informatie-Eisen BRZO-99, CPR2O. Commissie Preventie van Rampen, Den Haag.
Rosental, I., Ale, B., Helsing, L., 1997. An outline of the approach being used in developing the OECD
dictionary/thesaurus of ‘‘Risk Assessment’’ terminology. In: RISK 97, Amsterdam (21–24 October).
Smith, E., 1998. Risks to third parties in the vicinity of airports — the aircrash program. In Mosleh, A.,
Ban, R.A. (Eds.), Probabilistic Safety Assesment and Managment. Springer.
Stirling, A., 1999. On Science and Precaution in the Management of Technological Risk Van. EU, Joint
Research center, ISPRA, Italy.
van Ravenzwaaij, A., Groot, N.H., Worrell, C.W., van Eijndhoven, J.C.M., Turkenburg, W.C., 1992.
Aanvullende Criteria ter Beperking van Maatschappelijke Ontwrichting Vakgroep Natuurwetenchap en
Samenleving. Rijks Universiteit Utrecht, Utrecht.