A majority of safety practitioners accept the premise that absolute safety is not attainable. Still, some safety practitioners profess that only a risk-free environment is acceptable. These two examples illustrate that view:
- At a recent safety conference, a speaker reviewed the hazard analysis and risk assessment methods used in his company and said the outcome to be achieved through the use of those methods was acceptable risk. During the discussion period, some questioners implied by the nature and tone of their questions that no risk is acceptable. They asked: What do you mean by acceptable risk? Are you suggesting that some risk is acceptable? Acceptable to whom?
- Safety practitioners attending a course on hazard analysis and risk reduction were outspoken in their opposition to the idea that any level of risk is acceptable. They stated their sincere belief that, in the workplace, attaining zero risk is the legitimate goal. The instructor could not convince them otherwise.
Individually and collectively, we are risk acceptors. Variations in the risk levels that individuals and organizations accept in given situations are exceptionally broad. Risk acceptance is situational.
Only Relative Safety Is Achievable
The premise that absolute safety &endash; that is, a zero risk level &endash; is not attainable is becoming internationally recognized, as evidenced by the following examples.
Under the caption "The Concept of Safety" (Section 5), this appears in ISO/IEC Guide 51: Safety Aspects &endash; Guidelines for its inclusion in standards:
"There can be no absolute safety: some risk will remain, defined in this Guide as residual risk. Therefore, a product, process or service can only be relatively safe.
"Safety is achieved by reducing risk to a tolerable level, defined in this Guide as tolerable risk."
One of the most significant and influential publications on the concept of acceptable risk is Of Acceptable Risk: Science and the Determination of Safety by William W. Lowrance. He wrote:
"Nothing can be absolutely free of risk. One can't think of anything that isn't, under some circumstances, able to cause harm. Because nothing can be absolutely free of risk, nothing can be said to be absolutely safe. There are degrees of risk, and consequently there are degrees of safety."
In the real world, attaining zero risk is not possible. Nevertheless, after risk avoidance, elimination or control measures are taken, the residual risk should be acceptable, as judged by the decision-makers. For some situations, the residual risk may be high and still be judged by the participants in an activity to be acceptable.
On the Nature of Risk
Risk is determined by assessing its two components: the severity of outcome of a hazard-related event and the probability that the event could occur. A risk assessment matrix can help show how these two factors are combined to obtain a risk level. A risk matrix lists the occurrence probability (frequent, likely, occasional, remote, improbable) versus the severity of consequences (catastrophic, critical, medium, minimal). Risk levels are listed as high, serious, moderate and low. For example, if the occurrence probability is frequent, and the severity of consequences is high, then the risk level is high. If the occurrence probability is improbable and the severity of consequences is minimal, then the risk level is low.
The purpose of a risk matrix is to provide a logical framework for hazard analysis and risk assessment. In the decision-making process, the implicit goal is to achieve acceptable risk levels. Several standards and guidelines now include the concepts of residual risk and acceptable or tolerable risk (e.g., ANSI B11.TR3-2000, ISO/IEC Guide 51, SEMI S10-1296 &endash; see references for full titles).
Definitions and Comments
The following is typical of what is becoming universally accepted language with respect to hazards, risks and acceptable or tolerable risk. The section numbers appearing after some definitions refer to ISO/IEC Guide 51.
- Hazard: the potential source of harm (3.5). Hazards include the characteristics of things and the actions or inactions of people.
- Probability: the likelihood of a hazard being realized and initiating an event or series of events that could result in harm or damage &endash; for a selected unit of time, events, population, items or activity.
- Residual risk: the risk remaining after protective measures have been taken (3.9).
- Risk: a combination of the probability of occurrence of harm and the severity of that harm (3.2).
- Safety: freedom from unacceptable risk (3.1). To avoid the negative, safety can be defined as that state for which the risks are judged to be acceptable.
- Severity: the worst credible consequence should a hazard-related incident occur.
- Tolerable risk: risk that is accepted in a given context based on the current values of society (3.7). For those who prefer to deal in terms of acceptable risk, it is defined as that risk which is tolerated in a given context based on current values of society.
Examples of Acceptable Risk
Descriptions of acceptable risk levels in use are demonstrated by the following examples.
1. NASA-STD-8719.7, January 1998, defines acceptable risk as follows:
"Loss of life as a result of hazards in this facility is unlikely. Hazards may result in no lost workday injuries or no restricted duty cases, loss of facility operational capability of less than 1 day, or damage to equipment or property less than $25,000."
2. In a major manufacturer of heavy mobile equipment, if it can be reasonably assumed that a user of the equipment can lose a day's work, the risk situation must be dealt with through equipment redesign or through strengthening the operations manual, thus alerting users to the hazard's potential and providing appropriate instructions.
3. In a smaller, light-assembly operation, the design and operation standard for acceptable risk requires that if a hazard presents the potential for injury that may require medical treatment beyond first aid, the risk deriving from that hazard must be reduced.
4. A manufacturer in the metal fabricating industry considers tolerable risk to include risk situations where: 1) the event probability is unlikely (25 percent to 50 percent) that an OSHA recordable injury will occur or that property damage not exceeding $10,000 will result; or 2) the event probability is likely (50 percent to 75 percent) that a first aid injury will occur or property damage not exceeding
$1,000 will result.
5. Reference was made earlier to a speaker who reviewed the hazard analysis and risk assessment methods used in his firm. In that operation, a risk is acceptable if the probability of an incident occurring and the severity of harm that might result are low, as determined by using a risk assessment matrix.
Risk Decision Making
Using determinations from the risk assessment matrix, levels of remedial action or risk acceptance for individual risk categories can be established.
For example, if the risk is high, then the remedial action or acceptance should be that the operation is not permissible. For serious risk, then remedial action should have a high priority. For moderate risk, remedial action should be taken in an appropriate amount of time. For low risk, then the risk is acceptable and remedial action is discretionary.
This is not intended to imply that, in all situations, an activity is to proceed only if the risk is in the low-risk category. Further, for that category, the indication given is "risk is acceptable; remedial action discretionary." That does not mean that action would not be taken to reduce the risk if the remedial action could stand a cost-benefit test. Also, in some such situations, remedial action would be taken to improve personnel relations.
A review of several real-world situations follows to provide examples of the diverse views people have about acceptable risk.
Consider these excerpts from an extensive article on auto racing that appeared in the Chicago Tribune on Feb. 14, 2001:
Mario Andretti is quoted as saying: "At the beginning of a season, I would look around at a drivers' meeting and I would think, 'I wonder who's not going to be here at the end?' There were years when we lost as many as six guys."
The article provides a history of fatalities in auto racing, as well as notable measures taken over the years to make racing less risky. Nevertheless, the number of driver fatalities in relation to the number of drivers involved would be considered unacceptable in other employment settings.
The article continues with a reference to Richard Petty, who in his 35 years of NASCAR racing often admonished his wife: "If I get killed, if you ever sue anybody over it, I will haunt you. I know the risk. I take all the responsibility."
Auto racing is a form of employment. Drivers, auto owners, promoters, television broadcasters and viewers are aware of the risks, and apparently they accept them. No public outcry has risen demanding that this high-risk activity be discontinued. This suggests that, in certain instances, relatively high risks are considered acceptable to individuals and society.
The following appears in a paper titled "Spacecraft Human-Rating System &endash; Beyond the Numbers" by D.F. Kip Mikula.
"In the 21st century, new human-rated spacecraft for Earth-to-orbit, on-orbit transfer and work (including space suits), long-term on-orbit living and return from Earth orbit will be appearing on the horizon. Each of these must, as a minimum due to their human-rating, be designed to be safe for those human operators, passengers and occupants. In particular, these humans must be safe from the risk of death or serious and minor injury (i.e., casualty).
"In defining the human-rating requirements for these vehicles, NASA document JSC 28354 Human Rating Requirements has been published. Among other requirements for such things as crew escape, this document has established a Loss of Crew probability risk requirement of 1 in 10,000 missions. Stated another way, this requirement equates to a probability of success of 0.9999. This means that over a period of time encompassing 10,000 missions of a specific human-rated space vehicle design, only one casualty will occur. In addition, the document also establishes a Loss of Vehicle probability requirement of 1 in 1,000 missions."
Is the risk acceptable? A group of safety practitioners was asked if they considered the risk acceptable, and their overwhelming response was no. Yet, they could not reach consensus to recommend the complete shutdown of space ventures. Those taking part in space ventures are aware of the risks and volunteer for the opportunity to be astronauts &endash; a form of employment. So, too, are the managers at NASA and the congressional committees that provide oversight to NASA aware of the risks. Space ventures will continue.
Of course, the level of acceptable risk in operations where most safety practitioners have influence is much lower than those tolerated in space ventures. For example, a major equipment failure of 1 in 1,000 start-ups would be unacceptable in most organizations.
According to Injury Facts &endash; 2000 Edition, a National Safety Council publication, motor vehicle operation resulted in 41,300 fatalities in the United States in 1999, and 2.2 million persons sustained disabling injuries. Assuming a U.S. population of 280,840,000, the probability of a citizen, on average, being killed in 1999 was 1 in 6,800. The probability of sustaining a disabling injury was 1 in 128.
Those are serious odds on the negative side. No matter how skilled you are as a defensive driver, the risk of fatality or disabling injury is substantial. Always, the probability exists of being injured by the actions of another driver. Nevertheless, we continue to drive and accept the risks.
Designing Beyond Standards
Achieving an acceptable risk level often requires designing to exceed the requirements of published standards. Complying with industry or government standards (e.g., ANSI, the European Union or OSHA) will meet the consensus of the industry or government group that wrote the standard. Complying with such standards, however, will not necessarily achieve an acceptable risk level. For example, a learned colleague frequently reminds us that complying with the National Electrical Code or the OSHA lockout/tagout standard will not ensure that disconnects are placed in locations conducive to employee use. All too often, the design of lockout/tagout systems provokes errors, thus encouraging hazardous human error.
Further, consider OSHA's permissible exposure limits for hazardous substances or the guidelines issued by the American Conference of Governmental Industrial Hygienists. Although exposure limits are established, it is not presumed that all persons will avoid illness at those levels. Thus, companies that intend to achieve world-class safety records have recognized that they must operate at exposure levels lower than the standards. They also recognize, however, that even at these improved levels, some small amount of residual risk remains.
For some safety practitioners, resistance to the concept of acceptable risk derives from the view that imposed risks are objectionable and to be rebelled against. The reality is that in the occupational setting, risks are mostly imposed. Joe Stephenson got it right when he wrote in System Safety 2000:
"The safety of an operation is determined long before the people, procedures, and plant and hardware come together at the work site to perform a given task."
Consider the construction and fitting out of a new facility. Thousands of safety-related decisions are made in the design process that result in an imposed level of risk. Usually, those decisions meet or exceed applicable safety-related codes and standards with respect to &endash; to name but a few &endash; sidewalks and parking lots; facility layout and configuration; floor materials; process selection and design; determination of the work methods; traffic flow; hardware; equipment; lighting, heating and ventilation; fire protection; and environmental concerns.
Designers and engineers make decisions on the foregoing in the original design process. Thus, the risk levels are largely imposed before a facility is in place and operating. W. Edwards Deming's 85-15 Rule has a bearing on this discussion. Mary Walton cites the rule in The Deming Management Method. The rule holds that 85 percent of the problems in any operation are within the system and are the responsibility of management, while only 15 percent lie with the worker.
Although the 85-15 Rule pertains to quality, the concept also applies to safety. Quality, safety and risk problems in a system derive from the decisions made in creating or redesigning the system.
Some safety practitioners may reluctantly accept this realization that, in the occupational setting, risks are largely imposed, but that is the real world.
Universal Definition Elusive
When commencing this article, one intent was to develop a definition of acceptable risk that is universally applicable in all risk situations and more specific than the prevailing general definitions. Unfortunately, the original intent proved to be elusive.
Acceptable risk is a function of many factors and varies considerably across industries (e.g. mining vs. medical devices vs. farming). Local cultures also play an important role in risk acceptability, as has been experienced by our colleagues working in global companies. Risk acceptability is also time-dependent in that what is acceptable today may not be acceptable tomorrow, next year or the next decade.
We believe that developing a single, distinct and commonly accepted definition of an acceptable risk level that is universally applicable is not possible. In general terms, all that can be said is that the residual risk, after determining the severity of outcome of an event and the event probability, and the taking of preventive action, must be acceptable in the particular setting being considered.
A Framework for Acceptable Risk
If the risk for a task or operation is never zero, for what risk level does one strive? An additional excerpt from ISO/IEC Guide 51, Section 5, helps in understanding the process:
"Tolerable risk is determined by the search for an optimal balance between the ideal of absolute safety and the demands to be met by a product, process or service, and factors such as benefit to the user, suitability for purpose, cost effectiveness and conventions of the society concerned."
In the real world of decision-making, benefits represented by the amount of risk reduction to be obtained and the costs to achieve those reductions become important factors. Trade-offs are frequent and necessary. An appropriate goal in those deliberations is for the residual risk to be as low as reasonably achievable.
Based on our study of the concept of acceptable risk, we make the following observations:
1. Safety practitioners should accept that zero risk is not attainable for hazards that cannot be eliminated.
2. Where hazards cannot be eliminated, the goal should be to reduce risks so that the residual risks are acceptable.
3. Safety practitioners should debate and consider accepting the proposed definitions for terms defined herein.
4. Risk assessments and the risk decision process should become more structured and documented in accordance with recent guidelines such as ANSI B11.TR3 2000, SEMI S10-1296 and ANSI/RIA R15.06-1999. This process will advance the understanding and acceptance of the concept of acceptable risk and of residual risks.
5. Safety practitioners should recognize that a universal definition of an acceptable risk level cannot be attained because of the many variables in individual risk situations.
Some safety standards and guidelines issued in recent years include provisions for hazard analysis and risk assessment. That progression will continue, and its impact will be extensively felt. Having knowledge of hazard analysis and risk assessment methods and the concept of acceptable risk has become a necessity for the professional practice of safety.
ANSI B11.TR3-2000. Risk Assessment and Risk Reduction &endash; A Guide to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. McLean, Va.: AMT &endash; The Association For Manufacturing Technology, 2000; www.mfgtech.org .
ANSI/RIA R15.06-1999, Safety Requirements
For Industrial Robots And Robot Systems; www.robotics.org .
Christensen, Wayne C. and Fred A. Manuele, Editors. Safety Through Design. Itasca, Ill.: National Safety Council, 1999.
Injury Facts, 2000 Edition. Itasca, Ill.: National Safety Council, 2000; www.nsc.org .
ISO/IEC Guide 51:1999(E), Second Edition. Geneva, Switzerland: International Organization for Standardization, 1999.
Lewis, Norman. The New Roget's Thesaurus
In Dictionary Form. New York: G.P. Putnam's & Sons, 1978.
Lowrance, William F. Of Acceptable Risk: Science and The Determination Of Safety. Los Altos, Calif.: William Kaufman Inc., 1976.
Mikula, D. F. Kip. "Spacecraft Human-Rating System Safety &endash; Beyond the Numbers." A paper presented at the American Institute of Aeronautics and Astronautics Space 2000 Conference and Exposition. Long Beach, Calif.: September 2000.
NASA-STD-8719.7, January 1998. "Facilities System Safety Handbook." NASA Standard.
SEMI S10-1296, "Safety Guideline for Risk Assessment," Semiconductor Equipment and Materials International; www.semi.org .
Stephenson, Joseph. System Safety 2000. New York: John Wiley & Sons, 1991.
Walton, Mary. The Deming Management Method. New York: The Putnam Publishing Group, 1986.
About the authors: Fred A. Manuele, CSP, PE, is president of Hazards, Limited. When he retired from Marsh & McLennan, he was a managing director and manager of M&M Protection Consultants. He is the author of On the Practice of Safety and co-editor of Safety Through Design (National Safety Council, 1999). He is a member of the Safety and Health Hall of Fame International. Bruce W. Main, PE, CSP, is president of Design Safety Engineering, Ann Arbor, Mich. He serves on the advisory committee for the Institute for Safety through Design and is a member of the ANSI B11 TR3 subcommittee and the SEMI S10 Task Force on Risk Assessment.