Generic Framework and Methods for Integrated Risk Management in

Generic Framework and Methods for Integrated Risk Management in Water Safety Plans

Techneau, 07. JUNE 2007

© 2006 TECHNEAU TECHNEAU is an Integrated Project Funded by the European Commission under the Sixth Framework Programme, Sustainable Development, Global Change and Ecosystems Thematic Priority Area (contractnumber 018320). All rights reserved. No part of this book may be reproduced, stored in a database or retrieval system, or published, in any form or in any way, electronically, mechanically, by print, photoprint, microfilm or any other means without prior written permission from the publisher

TECHNEAU Generic Framework and Methods for Integrated Risk Management in Water Safety Plans

Techneau, 07. JUNE 2007

This report is: PU = Public

Colofon

Title Generic Framework and Methods for Integrated Risk Management in Water Safety Plans Authors L. Rosén1, P. Hokstad2, A. Lindhe1, S. Sklet2, J. Røstum2

1 Chalmers University of Technology 2 SINTEF Quality Assurance By KIWA and LNEC Deliverable number D 4.1.3 D 4.2.1 D 4.2.2 D 4.2.3

Chalmers & SINTEF Rosén, Hokstad, Lindhe, Sklet & Røstum © TECHNEAU - 1 - June 14, 2007

Summary

In the 3rd edition of the Guidelines for Drinking-water Quality, the World Health Organisation (WHO, 2004) emphasis the preparation of risk-based Water Safety Plans (WSPs) to manage risks to drinking water consumers. WHO, among others, emphasise that the entire supply system, from source to tap, should be considered when managing risks. The WSP framework facilitates a much needed increase in awareness and understanding of risk issues for providing safe drinking water. However, an analysis of the WSP framework indicates that there are opportunities for further development, primarily regarding risks to water quantity and methods for risk identification, risk estimation and risk evaluation. The main objective of Work Area 4 (WA4) – Risk Assessment and Risk Management in TECHNEAU (TECHNEAU, 2005) is: to integrate risk assessments of the separate parts in drinking water supplies into a comprehensive decision support framework for cost-efficient risk management in safe and sustainable drinking water supply. The framework should be regarded as a structure and toolbox for risk assessment and risk management in WSP. It should be applicable to both groundwater and surface water supply systems, with basic as well as more complex designs. The framework should also be applicable on both the operational and strategic levels. A generic framework which forms the basis for further development of risk management procedures and methods in TECHNEAU is presented in this report. The main components of the suggested framework are shown in Figure 1. To provide the necessary basis for integrated risk management for both basic and complex systems on the operational as well as strategic levels, the framework includes all major steps in the risk management process, as defined in established standards, e.g. IEC (1995). To be efficient and functional, the framework must also include a set of reliable and well-established tools, adapted to specific decisions to be made and considering type of water supply system, level of complexity, and level of decisions, i.e. operational or strategic. Principal levels of sophistication of risk assessment tools are:

- Qualitative, e.g. based on checklists and classification of risk levels, providing relative ranking of lists and identification of critical points for risk reduction.

- Quantitative, e.g. based on models for combining and structuring events and chains of events, and estimations of quantitative risk levels. This level of sophistication facilitates quantitative comparison of estimated risk levels with established risk tolerability levels.

- Quantitative including decision analysis methods, facilitating strategic analysis of risk reduction measures, e.g. estimations of the risk reduction – investment trade-offs in prioritisation of risk reduction options.


Risk Analysis

Define Scope

Identify and EstimateRisks

Qualitative

Quantitative

Risk Evaluation

Define tolerability criteria

Water quality

Water quantity

Analyse risk reduction options

Ranking

Cost-efficiency

Cost-benefit

Risk Reduction/ Control

Report risks

Make decisions

Treat risks

Report residual risks

Monitor

Get new information

Update

Develop supporting

programmes

training, hygiene

practices, upgrade and improvement, research and development

Document –assure quality

Communi-cate

Review, approve and

audit

Figure 1. The main components of the TECHNEAU generic framework for integrated risk management in WSP.

The suggested framework cannot provide one single risk management method applicable to all types of water utilities for decisions at both strategic and operational levels. Instead, the framework when fully developed will provide:

- Principles for good risk management practice - The relevant set of tools necessary for performing the risk assessment

and management - Description of these tools, e.g.:

o TECHNEAU Hazard database, THDB o Risk analysis methods description o TECHNEAU Risk reduction options database, TRDB o Decision support tool

- Clear examples of risk assessment applications and testing of these tools.


Contents

Summary 1

Contents 3

1 Introduction 5

2 The risk management process 9 2.1 Introduction 9 2.2 Risk analysis 10 2.3 Risk evaluation 11 2.4 Risk reduction/control 14 2.5 Risk communication 15 2.6 Notation 15 2.7 Generic guides for risk management 16

3 Existing frameworks and national guidelines 19 3.1 Review of existing frameworks for drinking water management 19 3.1.1 The Bonn Charter 19 3.1.2 Hazard Analysis and Critical Control Point 19 3.1.3 Water Safety Plans 22 3.1.4 The Water Framework Directive 25 3.1.5 Integrated Water Resources Management 25 3.1.5.1 Agenda 21 26 3.2 Examples on national guidelines 26 3.2.1 EU - The Directive on the Quality of Water (“Drinking water directive”) 26 3.2.2 Switzerland 26 3.2.3 Germany 27 3.2.4 UK – Yorkshire water 29 3.2.5 Denmark 29 3.2.6 Sweden 30 3.2.7 Norway 30 3.2.8 The Netherlands 30 3.2.9 USA 31 3.2.10 The Canadian Multi-Barrier Approach 31 3.2.11 Australian framework 32 3.2.12 New Zealand Public Health Risk Management Plan 35 3.3 Comparison and discussion 37

4 The TECHNEAU generic framework for integrated risk management 45

5 Review of risk analysis methods 51 5.1 Introduction 51


5.2 Scope definition and system description 51 5.3 Hazard identification 52 5.3.1 HAZID analyses 52 5.3.2 Hazard and operability analysis (HAZOP) 55 5.4 Risk estimation 57 5.4.1 Preliminary hazard analysis (PHA) 57 5.4.2 Failure Modes, Effects, and Criticality Analysis (FMECA) 58 5.4.3 Fault tree analysis 59 5.4.4 Reliability block diagram 60 5.4.5 Event tree analysis 60 5.4.6 Human reliability assessment (HRA) 61 5.4.7 Physical modelling of processes in source, treatment, and distribution 62 5.4.8 Health risk assessment 62 5.4.9 Health impact assessment 64 5.4.10 QMRA (Quantitative Microbiological Risk Assessment) 64 5.4.11 Barriers and Bow-Tie diagrams 66 5.4.12 Tools in risk quantification 68 5.4.12.1 Markov models 68 5.4.12.2 Risk influence diagrams / Bayesian belief networks 68 5.4.12.3 Monte Carlo simulation 68 5.4.13 Risk measures in water supply systems 69 5.4.13.1 Water quality 69 5.4.13.2 Water quantity 70 5.4.13.3 Individual and societal risks 70 5.4.13.4 Economic valuation of risks 71 5.5 Summary of risk analysis methods 73

6 Case examples 77 6.1 Introduction 77 6.2 Göteborg case 77 6.3 Bergen case 78 6.4 Combined use of risk analysis methods 82

7 Risk evaluation approaches 87 7.1 Decision situations 87 7.2 Risk evaluation 88

8 Conclusions and further work 91

9 References 95

Appendix A 101


1 Introduction

In the 3rd edition of the Guidelines for Drinking-water Quality, the World Health Organisation (WHO, 2004) concludes that analyses of water quality in treatment and distribution systems are not sufficient to guarantee safe drinking water to consumers. Such analyses are often completed after the water was consumed and they may not provide correct information regarding the health effects of the water. Instead, WHO (2004) recommends preparation of risk-based Water Safety Plans (WSPs) that consider conditions in source waters, treatment systems and distribution networks. WSP is currently being implemented in several countries and is expected to become an increasingly important framework for water management in both developed and developing countries. The WSP guidelines describe risk assessment on a principal level, based on the Hazard Analysis and Critical Control Point (HACCP) approach. HACCP was originally developed for the food industry (Havelaar, 1994). Because of its origin in HACCP, current WSP practice puts more focus on risk assessments concerning quality and human health than on water quantity, including water security and water supply. The WSP framework facilitates a much needed increase in awareness and understanding of risk issues for providing safe drinking water. The WSP framework, however, offers opportunities for further development regarding considerations of water quantity issues, as well as other stakeholder values. There are also opportunities to further develop WSP regarding more specific methods for risk identification, estimation and evaluation in order to provide cost-effective and sustainable prioritisation of safety measures. The main objective of Work Area 4 (WA4) – Risk Assessment and Risk Management in TECHNEAU (TECHNEAU, 2005) is: to integrate risk assessments of the separate parts in drinking water supplies into a comprehensive decision support framework for cost-efficient risk management in safe and sustainable drinking water supply, see Figure 2.

Source water systems

Treatment systems

Distribution and plumbing

networks

Integrated Risk Assessment and Risk Management

Figure 2. Integrated risk assessment and risk management of a water supply system.


The framework should be regarded as a structure and toolbox for risk assessment and risk management in WSP. It should be applicable to both groundwater and surface water supply systems, with basic as well as more complex designs. The framework should be developed in full concordance with the Bonn Charter strategy (IWA, 2004), which supports and further specifies the use of WSP in water safety assessment. The risk management framework should also be applicable on both the operational and strategic levels, see Figure 3. Here the strategic decisions could relate e.g. to modifications or formulation of maintenance strategy.

Surface water

Ground water

Basic systems Complex systems

Operational

Strategic

Figure 3. Schematic description of the applicability of the integrated framework for risk management in Water Safety Plans (WSPs).

In the initial step of the development, stakeholder values will be limited to water safety, or even only to compliance with regulated limit values. Further values, e.g. ecological and socio-cultural values, will be added in a second step in order to more fully consider sustainability issues. To provide the necessary basis for integrated risk management for both basic and complex systems on the operational as well as strategic levels, the framework must include all major steps in the risk management process, as defined in established standards, e.g. IEC (1995), see Chapter 2. The current WSP guidelines are primarily directed at risk identification and qualitative risk assessment for ranking of risks, whereas quantitative risk estimation, risk evaluation, decision-making and risk communication are not described extensively. To be efficient and functional, the framework must also include a set of reliable and well-established tools, adapted to specific decisions to be made and considering type of water supply system, level of complexity, and level of decisions, i.e. operational or strategic. The current WSP guidelines provide general descriptions of risk identification approaches and qualitative (or semi-quantitative) approaches to risk estimations, but do not give detailed


guidance on specific methods nor quality criteria for risk management. Principal levels of sophistication of risk assessment tools are:

- Qualitative, e.g. based on checklists and classification of risk levels, providing relative ranking of lists and identification of critical points for risk reduction.

- Quantitative, e.g. based on models for combining and structuring events and chains of events, and estimations of quantitative risk levels. This level of sophistication facilitates quantitative comparison of estimated risk levels with established risk tolerability levels.

- Quantitative including decision analysis methods, facilitating strategic analysis of risk reduction measures, e.g. estimations of the risk reduction – investment trade-offs in prioritisation of risk reduction options.

This document provides reviews and descriptions of WSP, other frameworks and specific methods for risk assessment and risk management in water supply. The overall aim of this report is to identify possibilities for further development regarding the structure and specific tools for more comprehensive risk management in WSP. Specific objectives of this document are:

1. To describe a generic framework for integrated risk management in Water Safety Plans (WSPs).

2. To describe specific risk analysis methods suitable for use in integrated risk management of water supplies.

To meet these objectives this report includes the following main sections:

- A description of the general risk management process. - A review of existing frameworks and national guidelines for risk

management in water supply. - An outline of a proposed generic framework for integrated risk

management in WSP. - A review of specific risk analysis methods. - Suggestions of possible risk analysis methods for integrated risk

management. Note that in this report the term water safety comprises both water quality and water quantity. The notation is further discussed in Section 2.6.



2 The risk management process

2.1 Introduction Although some differences can be found in the literature regarding presentation and outline of the risk management process, there is a rather strong consensus regarding the major contents of the process. The outline shown in Figure 4 is commonly used and is often referred to. According to IEC (1995) the objective of the overall process called risk management is to control, prevent or reduce loss of life, illness, injury, damage to property and consequential loss, and environmental impact. It should be emphasized that an efficient risk management not only protects us from hazards, it also creates opportunities. If a risk is unknown this might restrain us from performing a specific project. However, if the risk is analysed and understood, and it is possible to reduce or control the risk, then the project can be performed. The risk management process includes the entire process from the initial description of the scope and purpose of risk management, the identification of hazards, and the estimation of risks, through the evaluation of risk tolerability and identification of potential risk reduction options, to the selection and implementation of appropriate risk reduction measures. Risk management also includes risk monitoring and follow up during operation. So it should be emphasized that risk management is an iterative process of continuous updating as new information becomes available and as the preconditions change. Successful risk management also requires careful communication of risks between the various involved stakeholders.

Figure 4. The risk management process (IEC, 1995).

Risk analysis

• Scope definition • Hazard identification • Risk estimation

Risk evaluation

• Risk tolerability decisions • Analysis of options

Risk reduction/control

• Decision making • Implementation • Monitoring

Risk assessment

Risk management


As stated in Vatn (2004), there is no universally agreed definition of risk. A definition of risk presented by Kaplan (1997) is valuable both when communicating and assessing the risk situation. Kaplan states that the question “What is the risk?” is really three questions; “What can happen?”, “How likely is that to happen?”, and “What are the consequences?”. Risk may then be expressed as a (complete) set of triplets (Si, Li, Xi), where Si denotes scenario i, Li denotes the likelihood, and Xi the consequences. Similarly, according to IEC (1995), risk analysis attempts to answer three fundamental questions:

- What can go wrong? (identification of hazardous events) - How likely is this to happen? - What are the consequences?

This view is in line with Kaplan’s definition of risk. A common description of risk is that it is a combination of the probability and the consequence of a hazardous event, see e.g. ISO (2002), European Commission (2000a) and IEC (1995).

2.2 Risk analysis Risk analysis is a major part of risk management. As seen in Figure 4 the first tasks of a risk analysis are scope definition and identification of hazards/hazardous events. The next step is the estimation of the level of risk resulting from possible hazardous events. This includes both causal analyses/tools to identify the causes and frequencies of these undesired events, and analyses/techniques to investigate their consequences. In Figure 5 a more detailed description of the risk analysis process is presented. The purpose of risk analysis is to obtain information and knowledge about the risk. This information and knowledge are later used when evaluating the risk and in the end, if it is considered necessary, performing risk reduction measures. The risk analysis varies depending on the system that is being analysed and what kind of risk is considered. A risk analysis can be either qualitative or quantitative, depending on its purpose and the risk. The analysis may also be semi-quantitative, which is something between a quantitative and qualitative analysis. When performing a risk analysis it is important to choose which endpoints or consequences to include and also to decide which measures to use. Slovic (2001) emphasize that the choice of one measure or another can make a technology look either more or less risky.


Figure 5. The risk analysis process (after IEC, 1995).

2.3 Risk evaluation The purpose of the risk evaluations is to decide whether or not a risk is tolerable. If the risk is decided to be acceptable it may be enough to control the risk instead of reducing it. However, if the risk is decided to be unacceptable different risk reduction options has to be analysed and compared so that the best risk reduction option can be identified.

Scope definition

• Describe concerns • Define system • Define circumstances • State assumptions • Identify analysis decisions

Documentation

• Risk analysis plan

Hazard identification and initial consequence evaluation

• Identify hazards • Analyse consequences

Start

Stop

Analysis update when appropriate

Risk estimation

• Analyse frequencies and/or probabilities

• Analyse consequences • Calculate risk

Risk estimation required?

Documentation

• Risk analysis report

Analysis verification


Different categories of stakeholders are in different ways and to different extents involved in the risk management process. It is important to realize that stakeholders exposed to the specific risks may not always be those benefiting from the risk generating activities. For example, industries in a catchment area of a water supply will benefit from their production, but they will also contribute to water safety risks to consumers which have no benefit from the industrial activities. Grimvall (1998) described the principal types of stakeholders affected by decision-making involving risks, see Figure 6.

Those exposed to risks

Those benefiting from risk generating

activities

Decision-makers

Figure 6. Main categories of stakeholders affected by decisions on risk (Grimvall, 1998).

Due to the multi-dimensional character of decision-making regarding risk issues, it is of primary importance that the evaluation of risks and the decision-making are made with respect to criteria and principles that are agreed upon among the affected stakeholders. There are different principles described in the literature for evaluation of risks and it is important that the used principle is openly communicated and accepted by the involved stakeholders. The evaluation principles form the basis for defining risk tolerability. An example of a principle currently much referred to is the ALARP (As Low As Reasonably Practicable), see Figure 7. According to this principle, risks that are clearly unacceptable must be reduced or eliminated under any circumstances. Risks that are clearly acceptable can be left without further actions. In between the acceptable and unacceptable risks there are risks that may be accepted if it is economically and/or technically unreasonable to reduce them. A principle closely related to ALARP, and with the same meaning, is ALARA (As Low As Reasonably Achievable) (Davidsson et al., 2002).


Acceptable Risk

ALARP Region The risk can be accepted if it is

economically and technically

unreasonable to reduce it

Unacceptable Risk The risk cannot be accepted

under any circumstances

Figure 7. The ALARP (As Low As Reasonably Practicable) Principle (Melchers, 2001).

Risk tolerability criteria, based e.g. on the ALARP principle, can be showed in risk matrices, where estimated probability and consequences are graphically displayed in relation to the defined risk tolerability levels, see Figure 8.

Probability

Consequences

Figure 8. Risk matrix with ALARP zones.

Also other principles exist and Davidsson et al. (2002) present the following four general approaches that can be used when evaluating risk:

- Principle of reasonableness – If it is reasonable with respect to economical and technical means, the risk shall be reduced regardless the level of risk.

- Principle of proportionality – The overall risk resulting from an activity should not be unreasonably large compared to the benefits.

- Principle of allocation – The allocation of risk in society should be reasonable/fair compared to how the benefits are allocated.


- Principle of avoidance of disasters – Risks with disastrous consequences should be avoided so that the consequences can be managed with accessible resources.

The principle of reasonableness is closely related to the ALARP principle. Risk evaluation is further discussed in Section 7.2. The risk tolerability levels must be defined taking peoples perception and aversion of risks into consideration. The public perception has for example been found to have an important affect on the priorities and legislative agendas of regulatory bodies (Slovic, 2001). Examples on factors affecting peoples risk aversion are:

- Catastrophic potential - Familiarity - Uncertainty - Individual or societal - Controllability - Voluntariness

Renn (1998) mention that technical analyses of risk have drawn much criticism from the social science. One reason to this is that the technical analyses not are considered to include people’s perception of risk and social constructions. Klinke and Renn (2002) present nine criteria to be used for evaluating risk. These criteria are meant to include more than just the extent of damage and probability of occurrence when evaluating risks. The nine criteria are:

- Extent of damage - Probability of occurrence - Incertitude - Ubiquity - Persistency - Reversibility - Delay effect - Violation of equity - Potential of mobilization

2.4 Risk reduction/control If the risk evaluation has the result that risk is not acceptable, it is required to carry out risk reduction, also called risk treatment. If the risk is decided to be acceptable it may be enough to control the risk instead of reducing it. When risk reducing measures are carried out the action plans for risk prevention/mitigation should, according to the Australian-New Zeeland risk management standard (AS/NZS 4360:2004), include:

1. the planned actions;


2. the existing/required resources; 3. the involved responsibilities; 4. their duration; and 5. action tracking and controlling measures.

Suggestions for risk reducing measures should be an outcome of the risk assessment. When reducing the risk different approaches can be used. Based on the description of risk as a combination of the probability and the consequence of a hazardous event, three different approaches can be identified. Two of the approaches are based on reducing one of the parameters, i.e. the consequence or probability. The third approach is based on reducing both parameters at the same time. One risk reduction measure is denoted risk avoidance; i.e. an activity or process being a source of risk is not started or is discontinued. Sometimes we are looking for risk optimization; i.e. implementation of actions to minimize negative consequences/maximize the positive ones, possibly reducing the probability of the occurrence of undesirable events.

2.5 Risk communication According to the Swedish Rescue Services Agency (SRA, 2003) the purpose of risk communication is to increase the public’s knowledge about risk related questions and make them participate in the risk management. Owen et al. (1999) point out that communication of risks related to drinking water between laypeople and experts are complicated due to the difference in knowledge. To be efficient the risk communication has to be a two-way process enabling both parts to contribute. When managing risks to drinking water systems it is important to communicate with all three stakeholders presented in Figure 6. One important part of risk communication is how to present the risk. Slovic (2001) point out that different ways of presenting the same risk information can lead to different evaluations and decisions, even though they are logically equivalent. The fact that peoples perception of risk differs is one of the reasons why risk communication is complicated.

2.6 Notation Integration of risk management requires careful coordination with respect to harmonisation of terminology, commonality in approach, and measurement of risk in comparable units. Terms commonly used in risk management are defined differently by different actors. The following notation and definitions of terms are based on IEC (1995) and are applied in the TECHNEAU project:

- Risk is a combination of the frequency, or probability, of occurrence and the consequence of a specified hazardous event.

- Hazard is a source of potential harm or a situation with a potential of harm.


- Hazardous agent is for example a biological, chemical, physical or radiological agent that has the potential to cause harm.

- Hazardous event is an event which can cause harm. - Hazard identification is the process of recognizing that a hazard exists

and defining its characteristics. - Risk estimation is the process used to produce a measure of the level of

risk being analysed. Risk estimation consists of the following steps; frequency analysis, consequence analysis, and their integration.

- Risk analysis is the systematic use of available information to identify hazards and to estimate the risk to individuals or populations, property or the environment.

- Risk evaluation is the process in which judgements are made on the tolerability of the risk on the basis of risk analysis and taking into account factors such as socio-economic and environmental aspects.

- Risk assessment is the overall process of risk analysis and risk evaluation.

- Risk management is the systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling risk.

Note that WHO defines hazard and risk in the following way (WHO, 2004):

- A hazard is a biological, chemical, physical or radiological agent that has the potential to cause harm.

- Risk is the likelihood of identified hazards causing harm in exposed populations in a specified frame, including the magnitude of that harm and/or the consequences.

The definition of hazard given by WHO is not used in TECHNEAU because it only considers health related hazards. The WHO definition of hazard is similar to how a hazardous agent is defined above. A hazard does not have to be an agent in the water, since other sources of harm exist. The definition of risk given above is similar to the WHO definition; both definitions include probability/likelihood and consequence. However, the WHO definition indicates that only health related risks are considered.

2.7 Generic guides for risk management There are various standards and guidelines for risk management. Some examples are:

- AS/NZS standard 4360:2004. Risk management. ISBN 0733759041 - Standards Australia / Standards New Zealand.

- CEI/IEC (1995). 300-3-9 Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems.

- ISO/IEC (1999). Guide 51 Safety aspects - Guidelines for their inclusion in standards.


- ISO/IEC (2002). Guide 73 Risk management - Vocabulary - Guidelines for use in standards.



3 Existing frameworks and national guidelines

3.1 Review of existing frameworks for drinking water management There exist various strategies and frameworks relevant for water management and some of these are described and discussed below. The frameworks and the more general risk management process have been compared and similarities as well as differences have been identified and are presented.

3.1.1 The Bonn Charter The Bonn Charter for Safe Drinking Water (IWA, 2004) is a high level framework consisting of key principles that are basic requirements for managing water supplies from catchment to consumer. It also provides guidance to the institutional roles and responsibilities. The principles presented in the Bonn Charter are supposed to be applicable from source to tap and the goal is good safe drinking water that has the trust of consumers. According to the document, safe drinking water is fundamental to a healthy community and to its economic development. Drinking water should, according to the Bonn Charter, not just be safe to drink but also have an aesthetic good quality. It is emphasized that risks should be assessed at all points throughout the system and this requires a close co-operation between all stakeholders. The Bonn Charter is a complementary document to the Guidelines for Drinking-water Quality of the World Health Organisation (WHO, 2004) and the use of Water Safety Plans (WSPs) is emphasized. To shortly summarize the Bonn Charter it can be described as a document that clearly states the importance of drinking water to humans and advocates that the entire drinking water system is considered when managing risks.

3.1.2 Hazard Analysis and Critical Control Point The Hazard Analysis and Critical Control Point (HACCP) system was originally conceived by the Pillsbury Company in 1960 to assure food safety when delivering food to the NASA space program, and it has later been used by the food industry to assure safe food production (Dewettinck et al., 2001). The HACCP principles are described by the Codex Alimentarius Commission (Codex, 2003) and Havelaar (1994) describes the application of HACCP to drinking water supply with main emphasis on microbial contamination. According to Havelaar (1994) HACCP had not formally been applied to the drinking water supply before 1994. According to the Codex Alimentarius Commission (2003) HACCP is a science-based and systematic system that identifies specific hazards and measures for their control to ensure safety. Dewettinck et al. (2001) describes HACCP as a preventive system that helps to assure that all products reaching


the consumer are safe for consumption. The system is supposed to be compatible with the ISO 9000 series and other quality management systems (Codex, 2003). The key steps when applying the HACCP approach are presented in Figure 9. The first step is to assemble a team, when doing this it is important to make sure that all necessary knowledge and expertise are available within the team. In this step the scope of the application of HACCP should also be identified. Describing the product and identifying intended use are not as important when applying the HACCP approach to drinking water systems as if it is applied in the food industry. Nevertheless some attention should be paid to the drinking water consumption of the local population (Havelaar, 1994). The next steps are constructing a flow diagram and confirm it against the real system. All the five first steps can be described as preparatory to the following work with hazards. For each step in the drinking water system the HACCP team should list all hazards that may be reasonably expected to occur. The hazard analysis aims at identify which hazards that yields such a risk that they need to be eliminated or reduced to acceptable levels. The Codex Alimentarius Commission (2003) defines a hazard as a biological, chemical or physical agent in, or condition of, food with the potential to cause an adverse health effect. For each hazard control measures must be identified and critical control points (CCPs) determined. In the food industry a CCP is defined as a step at which control can be applied and is essential to prevent or eliminate a food safety hazard or reduce it to an acceptable level. More than one control measure may be required to control a specific hazard and more than one hazard may be controlled by a specified control measure. If no control measure can be identified for a hazard, the system has to be modified in a way that makes a control measure arise. For each CCP critical limits must be established, which are supposed to indicate when something is wrong. A monitoring system including scheduled measurements or observations should be established for each CCP and is supposed to detect loss of control in time to make adjustments. Corrective actions must be specified and documented to make sure the CCP can be brought under control. To make sure the entire HACCP system is working correctly, verification procedures need to be established. Also the documentation and record keeping is important to a successful application of HACCP.


Figure 9. Steps in the HACCP approach (Codex, 2003).

An extract from a generalized HACCP analysis of drinking water production is shown in Table 1. Table 1. Extract from a generalized HACCP analysis of drinking water production (Havelaar, 1994).

Process step Hazards Preventive measures CCP? CCP

parameters Monitoring procedures

Corrective actions

Groundwater abstraction Storage of surface water in reserviors

Transport of pathogens to well-head Short circuiting

Define protection zone and restrict land-use Build reservoirs in series

Yes No

Travelling time -

Tracer injection studies Specific pathogens Tracer studies Conservative parameters Fecal index bacteria

Remove sources of pollution Increase treatment

Even though the HACCP system most commonly is applied by the food industry it may also be applied for water safety. One important question to

Assemble HACCP team

Describe product

Identify intended use

Construct flow diagram

On-site confirmation of flow diagram

List all potential hazards, conduct a hazard analysis and consider control measures

Determine CCPs

Establish a monitoring system for each CCP

Establish corrective actions

Establish verification procedures

Establish documentation and record keeping

Establish critical limits for each CCP


ask is what range of application the HACCP system has in the drinking water system? According to the Australian Drinking Water Guidelines (NHMRC/NRMMC, 2004) HACCP is aligned quite readily on the treatment component of drinking water supply and may not as easily be applied to the important areas of catchment and distribution system. Havelaar (1994) points out that several steps in the system are important to assure the quality of the final water, but cannot be considered as CCPs under the responsibility of the water producer because of a lack of a direct control.

3.1.3 Water Safety Plans In 2004 the WHO presented the 3rd edition of the Guidelines for Drinking-water Quality (WHO, 2004). The guidelines aim to protect public health and are intended to support the development of risk management strategies. Safe drinking water is defined as such that does not represent any significant risk to health over a lifetime of consumption, including different sensitivities that may occur between life stages. The access to safe dinking water is emphasized as essential to health and a basic human right. To ensure safe drinking water a holistic risk assessment and risk management approach is emphasized as well as the importance of considering the entire drinking water system, from catchment to consumer. The WHO presents a so called framework for safe drinking water, consisting of the following five key components:

1. Health-based targets based on an evaluation of health concerns; 2. System assessment to determine whether the drinking water supply

(from source through treatment to the point of consumption) as a whole can deliver water that meets the health-based targets;

3. Operational monitoring of the control measures in the drinking water supply that are of particular importance in securing drinking water safety;

4. Management plans documenting the system assessment and monitoring plans and describing actions to be taken in normal operation and incident conditions, including upgrade and improvement, documentation and communication; and

5. A system of independent surveillance that verifies that the above are operating properly.

A key goal of the framework is to make sure that safety of drinking water is not based solely on end product testing. The health-based targets constitute the basis for the rest of the work and they should be established by a high-level authority in collaboration with water suppliers and affected communities. When the health-based targets are being established a valuation must be done of what is a tolerable risk. In the guidelines four different principal types of health-based targets are presented: health outcome targets, water quality targets, performance targets, and specified technology targets. All four types aim to protect and improve public health. According to the guidelines


the health-based targets must take account of the importance of ensuring access to water. The system assessment, operational monitoring and management plans constitute what is called Water Safety Plans (WSPs). A WSP is guided by the health-based targets and overseen through surveillance. The relationship is described in Figure 10. Surveillance is supposed to complement the quality control function of the drinking water supplier and should be conducted by an independent agency and include all aspects of safety.

Figure 10. Framework for safe drinking water (WHO, 2005).

The WSPs are described as means of ensuring the safety of a drinking water supply through the use of a comprehensive risk assessment and risk management approach that encompasses all steps in the water supply from catchment to consumer (WHO, 2004). Principles and concepts from in particular the multi-barrier approach and the HACCP system have been used when developing the WSP approach. The system assessment is meant to determine if the system is capable of delivering drinking water that meets the health-based targets. If the assessment finds that the system theoretically is capable of meeting the health-based targets, monitoring is the next step in ensuring that it actually meets the targets. If the system is not able to meet the health-based targets it has to be modified in some way to meet the targets. When the assessment is carried through it is important that all parts of the drinking water system are considered concurrently and that interactions and influences between each part and their overall effect are taken into consideration (WHO, 2004). The operational monitoring aims to assess control measures in order to ensure that the drinking water system is operating properly. A control measure is an action that serves to reduce or eliminate contamination and is identified during the system assessment. The applied control measures in a system should together ensure that the drinking water meets the health-based targets.

Framework for Safe Drinking-Water

Water Safety Plans

Independent Surveillance

Health Based Targets

Operational Monitoring

System Assessment

Management plans, Documentation and

communication


The purpose of the management plans are to document and communicate all information regarding the management of drinking water quality. A management plan includes for example information regarding the system assessment and operational monitoring, and it also describes actions in both normal operation and during situations where control of the system is lost. The key steps in developing a WSP are described in Figure 11.

Figure 11. Key steps in developing a Water Safety Plan (WHO, 2004).

The definition of a hazard used by WHO, a biological, chemical, physical or radiological agent that has the potential to cause harm, is very similar to the one given in the description of HACCP. Since the principles of HACCP have been used when developing the WSP approach, this is quite natural. To prioritize and distinguish between important and less important hazards or hazardous events WHO propose the use of a risk matrix. In Figure 12 an example of a risk matrix from WHO (2005) is illustrated. Note that this matrix indicates

Assemble the team to prepare the water safety plan

Document and describe the system

Undertake a hazard assessment and risk characterization to identify and understand how

hazards can enter into the water supply

Assess the existing proposed system (including a description of the system and a flow diagram)

Identify control measures – the means by which risks may be controlled

Define monitoring of control measures – what limits define acceptable performance and

how these are monitored

Establish procedure to verify that the water safety plan is working effectively and will meet

the health-based targets

Develop supporting programmes (e.g., training, hygiene practices, standard operating

procedures, upgrade and improvement, research and development, etc.)

Prepare management procedures (including corrective actions) for normal

and incident conditions

Establish documentation and communication performance


that comparatively high risk levels may be tolerable, e.g. that cases of morbidity in the exposed population due to water consumption may be tolerable every year.

Severity of consequences Likelihood Insignificant Minor Moderate Major Catastrophic Almost certain H H E E E Likely M H H E E Moderate L M H E E Unlikely L L M H E Rare L L M H H Note: The number of categories should reflect the need of the study. E – Extreme risk, immediate action required; H – High risk, management attention needed; M – Moderate risk, management responsibility must be specified; L – Low risk, management by routine procedures. Examples of definitions of likelihood and severity categories that can be used in risk scoring Item Definition Likelihood categories Almost certain Once a day Likely Once per week Moderate Once per month Unlikely Once per year Rare Once every 5 years Severity categories Catastrophic Mortality expected from consuming water Major Morbidity expected from consuming water

Moderate Major aesthetic impact possibly resulting in use of alternative but unsafe water sources

Minor Minor aesthetic impact causing dissatisfaction but not likely to lead to use of alternative less safe sources

Insignificant No detectable impact

Figure 12. Example of a risk matrix and definitions of likelihood and severity categories to be used in risk scoring in WSP (WHO, 2005; AS/NZS, 1999). Classes of relative risk tolerability are shown in grey shades.

3.1.4 The Water Framework Directive The Water Framework Directive (2000/60/EC) is based on natural river basin districts and the purpose is to protect freshwater resources in order to reach a sustainable water use (European Commission, 2000b). Within each river basin all impact on the water environment shall be controlled with the aim to reach good water status for all European waters by 2015. The directive can be described as a European strategy on how to manage freshwater resources, the first part of the drinking water system.

3.1.5 Integrated Water Resources Management Integrated Water Resources Management (IWRM) has according to Agarwal et al. (2000) not been clearly defined but can be described as a process which assists countries in their effort to deal with water issues in a cost-effective and sustainable manner. Al Radif (1999) points out sustainability of water


resources, water policy and integrated management, and management of the resource as key elements in IWRM. The catchment approach characterises IWRM (Nakamura, 2003) and hence the part of a drinking water system considered in IWRM is the source water.

3.1.5.1 Agenda 21 Agenda 21 were adopted at the United Nations Conference on Environment and Development held in Rio de Janerio, Brazil, 1992. Agenda 21 is a comprehensive programme dealing with sustainable development and the protection of quality and supply of freshwater resources is just one part of what Agenda 21 considers. A holistic management of water resources is emphasized in order to ensure long-term development (United Nations, 1992). It is also pointed out that water resources development and management should be planned in an integrated manner based on the principle of sustainability and it should prevent and mitigate hazards.

3.2 Examples on national guidelines

3.2.1 EU - The Directive on the Quality of Water (“Drinking water directive”) The objective of the Council Directive (98/83/EC) on the quality of water intended for human consumption is to protect human health from the adverse effects of any contamination of water intended for human consumption by ensuring that it is wholesome and clean (European Commission, 1998). Because drinking water is very important for human health, essential quality standards which drinking water must comply with have been compiled. The parametric values, which are based on scientific knowledge and the precautionary principle, should ensure that drinking water can be consumed safely on a life-long basis, and thus represent a high level of health protection. It is also emphasized that appropriate water-protection measures should be applied to ensure that surface and groundwater is kept clean. The work should safeguard and promote a sustainable use of drinking water. There is an ongoing project (“Support for the Development of a Framework for the Implementation of Water Safety Plans in the European Region”) funded by the European Commission (EC) related to the planned revision of the Drinking Water Directive (98/83/EC). As a part of this project the status of implementation of WSPs in water services of the EU Member States and other European countries is revealed and the project also gives guidance to the EC on revison of the directive.

3.2.2 Switzerland The safety of drinking water supply is controlled through food legislation in Switzerland. To develop HACCP in all food industry (including drinking water supply) is obligatory in Switzerland. WSP legal based implementation (based on HACCP principles) started in 1995.


Main legal acts relevant to drinking water are:

- Federal Act on Water Protection (source protection zones) - Federal Act on Foodstuff - Ordinance on Drinking Water and Natural Mineral Water - Ordinance on Hygiene - Cantonal ordinances

Swiss Water and Gas Association (SVGW) produced guidelines for simple quality assurance system for water supplies (the first edition in 1997, the second in 2003).

3.2.3 Germany The content of this section is taken from Sturm et al. (2006). In Germany, numerous laws and ordinances form the legal basis of the public drinking water supply. They include for instance the Drinking Water Ordinance (Trinkwasser-verordnung), the Infection Protection Act (Infektionsschutzgesetz) and the Water Management Act (Wasserhaushaltsgesetz). The Drinking Water Ordinance refers to the generally acknowledged rules of technology (state-of-the-art technology) and thus to the DVGW (2006) (Technical and Scientific Association for Gas and Water) System of Technical Standards and corresponding European and German standards. It has to be pointed out that in Germany special attention is paid to resource protection. Apart from the relevant DVGW Technical Standards, the state measures and legal regulations regarding water pollution control and groundwater protection have to be mentioned. They altogether serve the protection of the raw water sources. German water supply has a long-standing tradition in technical self-regulation concerning the field of technical or hygienic safety and quality management based on the principle of precaution. The objectives are often described as multi-barrier approach that combines resource protection with a high standard in technical and hygienic safety in water abstraction, treatment, storage and distribution, see Figure 13.


Figure 13. Multi-barrier approach in German water supply (Sturm, 2006).

The DVGW, as the technical scientific association in the field of water, has already for decades been compiling practical and scientifically based Technical Standards for all areas of water supply, which are recommended to the water suppliers for implementation. The DVGW System of Technical Standards describes the state-of-the-art technology concerning safety and reliability in water supply. The draft standards (codes of practice, Technical Guidelines and Recommendations) are established by working groups of scientists and experts from industry and public authorities. Draft Standards are published for public comment, and all comments are reviewed before final publication. Published Standards are reviewed regularly for continuing relevance, guaranteeing the integration of latest insights, experience and technical-scientific progress. The system of Technical Standards published by DVGW includes more than 300 Codes of Practice, Technical Guidelines, and Recommendations. Several of them are incorporated in the German standards set up by the German Institute for Standardization. Besides these standards there are Technical Guidelines and rules published by other national water supply associations like the Association for Drinking Water from Reservoirs (ATT) or the German association for Water, Wastewater and Waste (DWA). However, they are not designed to regulate every aspect in detail, like a treatment step or a monitoring system, but to provide recommendations and to outline principles. On this basis the technical and hygienic safety in the entire supply chain can be assured. The system of Technical Standards is complemented by the so called Technical Safety Management (TSM). TSM is a voluntary management measure to guarantee the correct implementation of the Technical Standards (see Figure 14). The main target of the Technical Safety Management is to support supply companies in legal certainty of its operational processes. To


guarantee a safe and hygienic water supply the requirements must be fulfilled to the organisational and staff qualifications in the company. The application of the Technical Safety Management in the water supply company is controlled by external consultants. The TSM inspection certificate documents the success of this process and the fulfilment of requirements of technical safety.

Figure 14. Technical Safety Management and the system of Technical Standards (Sturm et al., 2006)

3.2.4 UK – Yorkshire water The United Kingdom has in many environmental and health issues stressed the importance of economic valuation as part of the basis for prioritisation of efforts; see e.g. the UK Treasury Green Book (2003). The Yorkshire Water utility, owned by the Kelda Group, is well-recognized in the UK and internationally for performing efficient risk management where explicit economic risk valuation is an integral part. Yorkshire Water has managed to increase water safety and simultaneously decreasing the water tariffs for consumers, by implementing a well-structured risk management framework based on cost-benefit analysis. Decisions regarding water safety issues are made with respect to the costs for implementing actions to reduce risks compared to the changes in risk level, the number of people affected by the risk, and their willingness to pay for reducing or avoiding the risk (Smith, 2005). The approach is similar in scope to the approach suggested by TECHNEAU in WP 4.4 (see TECHNEAU, 2005).

3.2.5 Denmark The Danish Water and Waste Water Association (DWWA) has developed guidelines for water safety based on the WSP and HACCP principles (DANVA, 2006). The approach includes the complete drinking water system from source to tap, including private installations. The guidelines focus on doing things as simple as possible making it practical also for smaller water companies to carry out the analysis. Lately the number of water utilities (municipalities) in Denmark has been reduced from 271 to 98. A threshold for minimum size of the municipality is about 20 000 inhabitants.


3.2.6 Sweden The Swedish Water and Wastewater Association (SWWA) have in collaboration with the National Food Administration prepared a guidance document on how to apply the HACCP principles to drinking water production and distribution (SWWA, 2005). The purpose of the document is to help the water suppliers to include and make the HACCP approach a part of today’s surveillance work. Even though many water suppliers have not started to apply the HACCP approach yet, it is becoming more frequently used in Sweden.

3.2.7 Norway In 2003 a national investigation pointed out that the water industry in Norway were lacking guidelines on how to carry out Risk and Vulnerability Analysis (RVA). In 2006 new guidelines were published (Mattilsynet, 2006) that focus on identifying events, to rank the undesired events with respect to risk and to assess need for risk reducing measures. The chosen approach was not based directly on WSP/HACCP principles e.g. identifying critical control points are not included. In Norwegian legislation, systems for internal control (IKmat) are required and these systems include the documentation which is a part of the HACCP approach. The internal control systems are sometimes nationally referred to as HACCP light.

3.2.8 The Netherlands In the Netherlands, EU regulations for drinking water quality are endorsed, thus forming the basis of the health based targets. Since the new Drinking Water Decree was issued in the Netherlands in 2001, water companies using surface water or groundwater at risk of contamination with pathogens are required to quantitatively assess whether the infection risk of the finished water meets the standard. To guarantee that infrastructure and operation (automated and manual) comply with design criteria, pilot audits are conducted to assess whether systems are implemented to manage these processes. These audits of the quality system are conducted similar to HACCP audits, although the audit is not just focusing on the critical risk control points. Water companies evaluate all risk management systems, as they are striving to maintain a quality level that, at acceptable costs, should even prevent once in a life time contamination events. A special tool has been developed to guarantee a systematic evaluation and documentation of existing hazards and the risk management systems (control measures). The tool called MaRiskA combines features of HACCP with features of FMEA (Failure Mode and Effect Analysis). Dutch water companies apply an analysis for the vulnerability of supply (referred to as ‘Leveringsplan’). All elements of the supply chain are checked in order to ensure that if they fail, water is still supplied in sufficient quantities. Dutch water companies are executing an analysis to check whether distribution mains could cause risks to external objects (dykes, roads, railways, etc). This is a results of the incident occurred at Stein at February


2004. In addition to this all water companies perform actions against terrorism.

3.2.9 USA The main federal law directed at protecting the drinking water quality in United States is the Safe Drinking Water Act (SDWA, 1996). The United States Environmental Protection Agency (US EPA) is authorized by the SDWA to set health-based standards for drinking water quality and to oversee the implementation by states, localities, and water suppliers. The SDWA is based on a multiple barrier approach including source water protection, treatment, distribution system integrity, and public information. This means that the entire supply system, from source to tap, is considered. To protect areas serving as public sources of drinking water the states are required to develop Source Water Assessment Programs (SWAP). A SWAP intend to (US EPA, 1997):

- identify the areas that supply public tap water; - inventory of contaminants and assess water system susceptibility to

contamination; and - inform the public of the results.

The aim is to use the assessment results when implementing Source Water Protection Programs. Since the September 11, 2001, attacks on World Trade Center in New York, a deliberate contamination intrusion to a water distribution system is now considered one of the most serious threats to public health in the United States (Ostfeld and Salomons, 2005). As a consequence of this the security of United States drinking water and wastewater infrastructures has become a top priority. The Bioterrorism Act (2002) requires that drinking water utilities serving more then 3,300 persons conduct a vulnerability assessment. The assessments should help the water utilities to identify and evaluate potential threats and identify risk reduction options. An emergency response plan describing the actions that a drinking water utility would take in response to a major event also has to be complied. The description above is based on the federal legislation, the implementation by different states may differ and individual states may have additional, more stringent, rules.

3.2.10 The Canadian Multi-Barrier Approach To use multiple barriers when managing risks is a common approach and often included in other approaches. However, the Canadian Council of Ministers of the Environment (CCME, 2004) has described how the multi-barrier approach can be applied to drinking water supplies, see Figure 15. The multi barrier-approach is described as an integrated system of procedures, processes and tools that collectively prevent or reduce the contamination of


drinking water from source to tap, in order to reduce risks to public health. The approach is based on the implementation of multiple barriers throughout the drinking water system, from source to tap. The barriers are supposed to block or control microbiological pathogens and chemical contaminations that may enter the supply system. Since multiple barriers are used the failure of one or more barriers can be compensated by the remaining barriers. The barriers can be physical like a filter or they can be processes or tools linked to the overall management, e.g. training and education.

Clean, safe, reliable drinking

water

Sourcewater

protection

Drinkingwater

treatment

Drinking water distribution

system

Managem

entMon

itorin

gLegislative and policy

frameworks

Guidelines, standards and

objectives

Public involvmentand awareness

Research, sience and technology

Clean, safe, reliable drinking

water

Sourcewater

protection

Drinkingwater

treatment

Drinking water distribution

system

Managem

entMon

itorin

gLegislative and policy

frameworks

Guidelines, standards and

objectives

Public involvmentand awareness

Research, sience and technology

Figure 15. The Multi-Barrier Approach (CCME, 2004).

3.2.11 Australian framework In the Australian Drinking Water Guidelines (ADWG) it is stated that safe drinking water is essential for life and it is therefore of great importance that the safety is assured (NHMRC/NRMMC, 2004). It is also emphasized that a preventive management approach that consider all steps in water production, from catchment to consumer, is the best way to manage the risks to drinking water systems. According to the ADWG drinking water should be safe to drink for people in most stages of normal life, including children over six months of age and the very old. The water is safe to drink when it does not contain any harmful concentrations of chemicals or pathogenic micro-organisms. It is also stated that ideally the drinking water should be aesthetically pleasing in regard to appearance, taste and odour. In the ADWG a framework for management of drinking water quality is presented. The framework is according to Rizak et al. (2003) supposed to provide a comprehensive and preventive strategy from catchment to consumer. Some parts of the framework are based on the HACCP system as well as the two management systems ISO 9001 (Quality Management) and AS/NZS 4360 (Risk Management). Figure 16 is adapted from the risk management standard and is a flowchart illustrating the relation between the activities of the risk assessment process. The flowchart in Figure 16 and the illustration of the risk management process in Figure 4 are very similar.


Figure 16. Relation between activities of the risk assessment process (AS/NZS 4360:2004).

The framework for management of drinking water quality presented in the ADWG consists of four key areas: commitment to drinking water quality management, system analysis and management, supporting requirements, and review. The four areas and the connection between them are described in Figure 17.

No

Start

Hazard Identification and Context definition

Is risk acceptable

?

Risk Estimation

Risk Treatment

Risk Evaluation

End

Yes

Risk Criteria

Com

mun

icat

e an

d co

nsul

t

Mon

itor a

nd re

view


Figure 17. The ADWG framework for management of drinking water quality (NHMRC/NRMMC, 2004).

It is important that senior executives as well as the entire organisation show commitment to drinking water quality management. Organisational support and long-term commitment is described as a basic requirement to reach an effective management system. When analysing and managing the water supply system, hazards as well as preventive measures should be identified. When doing this it is important that the entire system is understood. The assessment of the drinking water supply system is divided into water supply system analysis, assessment of water quality data and hazard identification and risk assessment. To distinguish between high and low risks the use of a risk matrix is proposed in the ADWG. The proposed risk matrix is similar to the one proposed by WHO (2004), see Figure 12. The importance of using a multi-barrier approach is emphasizes in the ADWG as a part of the preventive measures for drinking water quality management. The protection of source water is considered as the most effective barrier since it is the first part of the system. Another part of the preventive measures is the application of critical control points, based on the HACCP approach. To make sure the management system is working properly a review including evaluation and audit processes are suggested. The review should make it easier to continually improve the work. The communication and involvement of the consumers is also pointed out as an important aspect of the management work. The expectations of the community and the willingness to pay should be used as a basis when making decisions. According to Sinclair and Rizak (2004) compliance monitoring is often used by regulatory structures as a mean to manage drinking water quality. Compliance monitoring, however, has major limitations and are by it self not an efficient manner to manage drinking water quality. An example is that Escherichia Coli or thermotolerant coliforms that are used as indicator organisms when assessing microbiological water quality do not give a good measure of the risks from viruses and protozoa (Sinclair and Rizak, 2004). Even though the compliance monitoring has some limitation it is of great

Commitment to Drinking Water Quality Management

System Analysis and Management Assessment of the drinking water supply

system

Preventive measures for drinking water

quality management

Operational procedures and process

control

Verification of drinking water quality

Management of incidents and

management

Supporting Requirements Employee awareness and training

Community involvement and awareness

Research and development

Documentation and reporting Review

Evaluation and audit

Review and continual

improvement


importance when managing water quality. When applying the framework presented in the ADWG the compliance monitoring is supposed to be viewed in a proper perspective (Sinclair and Rizak, 2004).

3.2.12 New Zealand Public Health Risk Management Plan In New Zealand compliance criteria for water leaving the treatment plant and the distributions system are presented in the Drinking Water Standards for New Zealand (DWSNZ) by the Ministry of Health (2005a). The DWSNZ can be used to verify the quality of the water delivered to the consumers but is not enough to protect the public health against risks from contaminated drinking water. To be able to do this the use of a Public Health Risk Management Plan (PHRMP) is emphasized. The PHRMP is described by the Ministry of Health (2005a) as a management tool for suppliers that will aid them to identify, manage and minimise events that could cause water quality to deteriorate. The DWSNZ as well as the PHRMP focus on health related risks and microbial contaminants are considered the most severe. How to prepare and develop a PHRMP is described by the Ministry of Health (2005b) and a lot of guidance material is available on the Ministry of Health webpage (www.moh.govt.nz). In Figure 18 the main steps when developing a PHRMP are presented and in Figure 19 the main steps when using the PHRMP are presented. The so called guides mentioned in Figure 18 are documents, specific for different supply elements, describing causes of an event, preventive measures, how to check preventive measures, and corrective actions.


Figure 18. Main steps when developing a PHRMP (Ministry of Health, 2005b).

In Figure 18 the steps that have to be performed and the result that should be added to the PHRMP is illustrated. The work can simplified be described as a process that starts with getting to know the system and identifying barriers as well as hazards, preventive measures and corrective actions. This information is later used to identify necessary improvements and in which order they should be accomplished. The process illustrated in Figure 19 describes how the PHRMP should be used when it has been developed. It is a continuous work that aims to increase the safety.

Produce an overview of your supply and decide which Public Health Risk

Management Plan Guides are needed.

Step Add to your PHRMP

Identify the barriers to contamination your supply has.

Use the Guides to identify events that may introduce hazards into the water.

Use the Guides to identify: • possible causes of each event • preventive measures to avoid each event • corrective actions to use if preventive measures fail.

Decide where improvements in your supply should be made.

Decide on the order in which improvement will be made.

Draw up a timetable for making the improvements.

Note links to other quality assurance systems.

Use the Guides to prepare Contingency Plans.

Use the Guide to prepare instructions for checking that your Plan is working properly

- Performance Assessment

Decide on communication policy and needs.

Flow diagram of your supply

Checklist of barriers present

Risk information Table for your supply

Improvement Schedule listing: • improvements needed • their levels of importance • a time table for their introduction • responsibility

Note of other quality assurance systems and their links with the Plan.

Set of Contingency Plans for each supply element.

Set of instructions for review of the performance of the Plan.

Set of instructions for reporting.


Figure 19. Steps when using the PHRMP (Ministry of Health, 2005b).

3.3 Comparison and discussion When comparing the different strategies and frameworks a couple of similarities can be identified. It is pointed out in many documents that drinking water is essential to humans and it is also stated that it is of importance to the economic development. Since drinking water is essential to humans it is obvious that it has to be available in sufficient quantities and safe to drink. In the EU directive on the quality of water, the WHO guidelines, and the Australian guidelines, it is stated that safe drinking water means that the water can be consumed over a life-long period without posing any significant health risk. It is also emphasized that the different sensitivities that may occur between life stages are taken into account. The main focus is on health related risks and it is stated that microbial contamination of drinking water is the most severe risk. Little attention is paid to water quantity and technical risks related to the ability to deliver water to the consumers. The IWRM and Water Framework Directive are the two strategies that focus on water resources and thereby in a clear way emphasize the importance of protecting the source water. It is of great importance that the drinking water can be delivered to the consumers and that it is safe to drink, but as stated in for example the Bonn Charter the water also needs to have an aesthetic good quality. Primarily this means that the water should have an acceptable taste and odour. However, the Australian guidelines advocate the importance of having a safe drinking water rather than an aesthetically good quality. However, if the water does not taste or smell good, people are probably not going to drink it.

Refer to the improvement Schedule prepared in your Plan.

Step

Follow the timetable of the Schedule, put in place: • preventive measures • checks • corrective actions that are needed, but not already present.

Review information gathered by monitoring and maintenance programmes.

Refer to and use the Contingency Plans should this be necessary.

Review how well the Plan is working and make changes where necessary.


The weakness of compliance monitoring is described in many strategies and frameworks, and it is suggested that it is used as a complement and not exclusively to guarantee a safe drinking water. Instead of relying on end-product testing a holistic approach considering risks from source to tap or, more extensively, from catchment to consumer is emphasized. Another element that is described in the strategies and frameworks is the importance of co-operation between stakeholders. The Australian guidelines also emphasize that the expectations of the community and the willingness to pay should be taken under consideration when making decisions. The application of barriers is clearly advocated in the Canadian guidance but the concept is also emphasized in e.g. the WHO guidelines, the New Zealand PHRMP and the Australian guidelines. In the Canadian guidance it is clearly stated that the barriers do not have to be physical barriers or barriers that directly prevent contaminants to enter the system; also training and education are important elements. The multi-barrier approach is commonly used when managing risks of different kinds to various systems and clearly the approach is also applicable to drinking water systems. An interesting question is what range of application the HACCP system has in the drinking water system. According to Havelaar (1994) several steps in the system are important to assure the quality of the final water, but cannot be considered as CCPs under the responsibility of the water producer because of a lack of a direct control. According to the Australian guidelines (NHMRC/NRMMC, 2004) HACCP is aligned quite readily on the treatment component of drinking water supply and may not as easily be applied to the important areas of catchment and distribution system. Also Hrudey (2004) emphasize that the principles of HACCP are most readily applied to the operational control of treatment process. This indicates that some changes are necessary to be able to apply HACCP to the entire drinking water system, from source to tap. When the WSP approach was developed principles and concepts from the HACCP system were used. The WSP approach can be described as a way of adapting the HACCP approach to drinking water systems. When comparing the figures illustrating the different steps in the two approaches close points of similarities can be identified. Since the framework for management of drinking water quality presented in the Australian guidelines also to some extent is based on the HACCP approach, similarities can be found between the Australian framework and HACCP as well as the WSP approach. The development and use of a so called PHRMP, described by the New Zealand Ministry of Health, also has similarities to the frameworks mentioned above. The work can be described as a process that starts with getting to know the system and identifying barriers as well as hazards, preventive measures and corrective actions. These components of the working procedure are similar to the ones that can be found in e.g. the WSP approach. When comparing the steps in developing a WSP with the general risk management process, similarities as well as differences can be identified. First


of all a WSP has a specific intended use, drinking water systems, and is focused on risks related to human health. The risk management process on the other hand is general and illustrates which key steps have to be performed when managing any type of risk. In WHO (2005) the development of a WSP is illustrated somewhat different than in the guidelines (WHO, 2004), see Figure 20. From Figure 20 it can be clearly seen that the supporting programmes are supposed to be available to all other steps. It is also more clearly illustrated that the work should be reviewed and continuously updated when new information is available.

Figure 20. Steps in the development of a WSP (WHO, 2005).

To illustrate the similarities and the differences between WSP and the risk management process a comparison is made in Figure 21. In Figure 21 the steps in WSP, presented in Figure 20, have been compared to the different parts of the risk management process described in Chapter 2. The first step in the WSP development is to assemble a team. This step is part of the preparatory work and can be illustrated as something that is done before the risk management work begins or it can be included as part of the scope definition. However, it is of great importance that the team working with risk management has all the required knowledge and hence people from different parts of the organisation should be included as well as people from outside the organisation if necessary. The reason scope definition is not viewed as a separate step in WSP is most likely because it is understood that a WSP is focused on health risks related to drinking water. If the scope definition is included this broadens the field of application and makes it easier to include also other kind of risks.

Assemble team

Describe water supply

Conduct hazard analysis

Identify control measure

Define operational limits

Establish monitoring

Establish corrective actions and incident response

Establish record keeping

Validation and verification

Supporting Programmes

Reviewing Experience and Future

Needs

Review, approval and audit


The second step in WSP, the description of water supply, can be described as part of the scope definition and the hazard identification. To be able to perform the hazard identification it is necessary to have knowledge about the system and the description of the supply system is part of the documentation of the work. The hazard analysis in WSP (third step) includes the hazard identification and the risk estimation. In the description of WSP in Figure 11 the terms hazard assessment and risk characterisation are used to illustrate what is called hazard analysis in Figure 20. The separation of hazard analysis into hazard assessment and risk characterisation is more similar to the steps in the risk management process. The reason risk tolerability decision is not part of WSP is probably because the WSP work is guided by the health based targets and decisions about tolerable risk are made when the targets are compiled. To be able to deal with risks that can not be controlled using predetermined targets, the risk tolerability decision should be included as a part of the work. The identification of control measures and definition of operational limits (fourth and fifth steps in WSP) can be illustrated as part of the analysis of options, but it is also possible to include them as part of the implementation and monitoring. The next four steps in WSP have been placed next to implementation and monitoring. It is hard to distinguish them but they are all part of the work intended to ensure that everything is working properly and if something happens corrective actions are taken. The supporting programmes are supposed to assist the other steps in WSP and this part is missing in the illustration of the risk management process. It is also more clearly illustrated in the WSP steps that review and new information should be incorporated and a part of the feedback loop.


Figure 21. Comparison between the risk management process and WSP.

Risk analysis

Scope definition Hazard identification Risk estimation

Risk evaluation

Risk tolerability decision Analysis of options


Decision making Implementation Monitoring

Assemble team

Describe water supply

Conduct hazard analysis

Identify control measure

Define operational limits

Establish monitoring

Establish corrective actions and incident response

Establish record keeping

Validation and verification

Supporting Programmes

Reviewing Experience and Future

Needs

Review, approval and audit


From the study of the strategies and frameworks and the comparison with the general risk management process the following main conclusions were made:

- A holistic risk management approach is emphasized and the catchment to consumer or source to tap approach is commonly used to describe the importance of considering the entire drinking water system when managing risks.

- In the directive on the quality of water, the WHO guidelines, and the Australian guidelines, it is stated that safe drinking water means that the water can be consumed over a life-long period without posing any significant health risk. It is also emphasized that the different sensitivities that may occur between life stages are taken into account.

- The weakness of compliance monitoring (end-product testing) is commonly used to illustrate the importance of a preventive risk management strategy.

- There are several similarities between the general risk management process and the WSP and HACCP approach.

- WSP and other frameworks are mainly directed at water quality aspects, and not water quantity.

- The use of multiple barriers (a multi-barrier approach) is emphasized by many strategies and frameworks and can be descried as a basic strategy in the risk management work.

- The importance of constantly reviewing and incorporating new information is emphasized by e.g. WHO and the general risk management process.

- There are parts of the general risk management process not included in WSP and HACCP, e.g. risk acceptance/tolerability assessment and evaluation principles, e.g. ALARP. Also, the use of the risk assessment method in the design of risk reduction measures is not fully considered.

- In WSP there are few guidelines regarding specific methods to use for the risk assessments, depending on the level of application. For example, a WSP for a large water company that is highly developed is very different from small, less developed companies, and requires different methods for e.g. risk identification, risk estimation and monitoring. The most specific guideline is a risk matrix that is recommended to use for scoring identified risks and for identifying risks that may not be acceptable, see Figure 12.

- There are several possibilities for improvement of the existing frameworks to provide more efficient risk assessment and risk management of water supply systems. The improvements can partly be made by further developing existing frameworks into a more full-fledged risk management framework. Improvements can also be made regarding specific methods to structure the assessments, to identify, estimate and evaluate the risks, to design risk-reduction measures and to communicate the risks to involved stakeholders.


It should be emphasized that these conclusions were drawn based on the theoretical framework descriptions. The practical experience from application of these frameworks and associated methods should be the basis for improvements. This is part of further work within TECHNEAU WA4, starting with the implementations of six case studies during 2007.



4 The TECHNEAU generic framework for integrated risk management

As previously described in the introductory chapters, the generic framework for integrated risk management presented here is aimed at application on different levels of sophistication and for both operational and strategic purposes. In order to comply with this goal the framework has to be developed from the widely recognized and accepted general framework for risk management. The purposes of the generic framework are:

- To further improve integrated risk management in Water Safety Plans - To protect public health, societal and private functions - To protect water utilities against hazards and improve its possibilities

to provide the consumers with drinking water of sufficient water quality and quantity

- To facilitate rational decision-making - To provide transparency - To facilitate an iterative process of continuous updating as new

information becomes available and as the preconditions change - To increase awareness and knowledge regarding risk issues among

decision-makers, workers at the utility, and the public - To support communication with involved stakeholders

The framework is thus aimed at improving and providing structure for integrated risk management in Water Safety Plans, considering both water quality and water quantity. Because of the currently less pronounced focus on water quantity in WSP, it is suggested that the description of the WSP framework is slightly modified to more explicitly comprise water quantity aspects, see Figure 22.



Water SafetyPlans

IndependentSurveillance

Health BasedTargets

OperationalMonitoring

SystemAssessment

Management plans,Documentation and

communication

Water QuantityTargets


Water SafetyPlans

IndependentSurveillance

Health BasedTargets

OperationalMonitoring

SystemAssessment

Management plans,Documentation and

communication

Water QuantityTargets

Figure 22. Suggested modification of the description of the WSP framework for more explicit

considerations of water quantity aspects.

To fulfil the aim and purposes, the risk management must enable:

- Compliance with WSP. - Application to groundwater and surface water companies at different

levels of complexity and on the operational as well as the strategic levels.

- A clear definition of the scope of the risk management process. - The use of methods, relevant to the level of application, for

identification of hazards related to both water quality and water quantity, e.g. microbial, chemical, radiological, technical, operational, and administrative hazards.

- The use of methods, relevant to the level of application, for structuring and integrating source water systems, treatment systems, distribution and plumbing network systems into one integrated risk assessment model, e.g. fault tree analysis or structural diagrams.

- The use of methods, relevant to the level of application, for qualitative and quantitative estimations of risk.

- The use of methods, relevant to the level of application, for uncertainty assessment of risk estimations.

- All risks to be expressed in monetary units as far as possible to provide for cost-benefit and/or cost-efficiency considerations in prioritisation of risk reduction efforts.

- The use of agreed risk tolerability criteria, relevant to the level of application, as a basis for risk evaluation.

- Transparency. - The use of methods, relevant to the level of application, for

identification and analysis of the effect of the performance of risk reduction options.

- The use of methods, relevant to the level of application, for prioritisation between different risk reduction options.


- Verification of results, e.g. review approval and audit procedures. - The use of methods, relevant to the level of application, for risk

communication between involved stakeholders. The suggested framework is in full compliance with the general risk management process and in concordance with WSP. The main components of the suggested framework are displayed in Figure 23.

Risk Analysis

Define Scope

Identify and EstimateRisks

Qualitative

Quantitative

Risk Evaluation

Define tolerability criteria

Water quality

Water quantity

Analyse risk reduction options

Ranking

Cost-efficiency

Cost-benefit

Risk Reduction/ Control

Report risks

Make decisions

Treat risks

Report residual risks

Monitor

Get new information

Update

Develop supporting

programmes

training, hygiene

practices, upgrade and improvement, research and development

Document –assure quality

Communi-cate

Review, approve and

audit

Figure 23. The main components of the TECHNEAU generic framework for integrated risk

management in WSP.

A more detailed outline of the generic framework is given in Figure 24. The figure displays possible approaches for the different parts of the risk management process. These methods are further described in Section 5 of this report.


Risk analysis

Example approaches

Scope definitionDescribe concernsDefine systemDefine circumstancesState assumptionsIdentify analysis decision

Hazard identificationIdentify and characterise hazards

Risk estimationAnalyse frequenciesAnalyse consequencesAnalyse other possibleparametersCalculate risk

Risk evaluation

Example approaches

Risk tolerability decisionHealth-based targetsOther water quality targetsWater quantity targetsRisk perception

Analysis of optionsWater qualityWater quantity


Example approaches

Decision makingStrategicOperational- Asset- Project

ImplementationOrganisational plansRisk reduction/controlCorrective actionsEmergency preparednessRedundant systems

MonitoringDirect and indirectOnlineRecord keepingValidation and verification

Society

Collection and processing of

new information

Continuous updating

Development of supporting

programmes (training, hygiene

practices, upgrade and improvement, research and development)

Documentation

Risk communication

Review, approval and

audit

Structured brainstorming

Checklists

Causal modelling

Consequence modelling

Frequency modelling

Quantitative methods

Qualitative methods

Uncertainty analysis

Criteria and principles that are agreed upon among the affected stakeholders

ALARP (As Low As Reasonable Practicable)

Cost-benefit analysis

Cost-efficiency analysis

Reduction

Control

Avoidance

Optimization

Risk analysis

Example approaches

Scope definitionDescribe concernsDefine systemDefine circumstancesState assumptionsIdentify analysis decision

Hazard identificationIdentify and characterise hazards

Risk estimationAnalyse frequenciesAnalyse consequencesAnalyse other possibleparametersCalculate risk

Risk evaluation

Example approaches

Risk tolerability decisionHealth-based targetsOther water quality targetsWater quantity targetsRisk perception

Analysis of optionsWater qualityWater quantity


Example approaches

Decision makingStrategicOperational- Asset- Project

ImplementationOrganisational plansRisk reduction/controlCorrective actionsEmergency preparednessRedundant systems

MonitoringDirect and indirectOnlineRecord keepingValidation and verification

Society

Collection and processing of

new information

Continuous updating

Development of supporting

programmes (training, hygiene

practices, upgrade and improvement, research and development)

Documentation

Risk communication

Review, approval and

audit

Structured brainstorming

Checklists

Causal modelling

Consequence modelling

Frequency modelling

Quantitative methods

Qualitative methods

Uncertainty analysis

Criteria and principles that are agreed upon among the affected stakeholders

ALARP (As Low As Reasonable Practicable)

Cost-benefit analysis

Cost-efficiency analysis

Reduction

Control

Avoidance

Optimization

Figure 24. The TECHNEAU generic framework for integrated risk management in WSP TECHNEAU generic framework.


The framework is intended for managing the following principal types of risks:

- Strategic risks - Operational risks:

o Asset risks o Project risks

The primary target user of the framework is the water company. However, each water company may not be able to perform every step in the risk management process. For example, water companies are typically not in a position to determine health risk tolerability criteria. Nor may the water company be able to implement risk reduction measures in the source water system. It is therefore important to emphasize that the framework must be communicated between involved stakeholders. In a successful risk management, the views and priorities of other stakeholders must be taken into consideration in order to define relevant tolerability criteria and to implement relevant and reasonable risk reduction measures. The framework is developed for comprehensive risk management, thus considering the entire water supply system. The major components of the system and the hazards specific to each part of the system has been described by Beuken et al. (2007), see Figure 25.

Subsystem

Hazardous Event

Hazard

Consequences

Source water

Design-related

Biological

Health

Treatment Operational-

related

Chemical

Economical

Distribution

External-related Radiological or physical

(including turbidity)

Supply failure time

Plumbing

Consequences of a hazard in other

subsystem

Insufficient availability of water supplied to consumers

Social

Safety to personal

External damage to third

parties, including liability

Subsystem

Hazardous Event

Hazard

Consequences

Source water

Design-related

Biological

Health

Treatment Operational-

related

Chemical

Economical

Distribution

External-related Radiological or physical

(including turbidity)

Supply failure time

Plumbing

Consequences of a hazard in other

subsystem

Insufficient availability of water supplied to consumers

Social

Safety to personal

External damage to third

parties, including liability

Figure 25. The subsystems, hazardous events, hazards and consequences to be included in comprehensive risk management of water supply systems.


A final remark on the suggested framework is that it cannot provide one single risk management method applicable to all types of water utilities for decisions at both strategic and operational (asset and project) levels. Instead, the framework when fully developed will provide:

- Principles for good risk management practice - The relevant set of tools necessary for performing the risk assessment

and management - Description of these tools, e.g.:

o TECHNEAU Hazard database, THDB (Beuken et al., 2007) o Risk analysis methods description (Chapter 5 in this report) o TECHNEAU Risk reduction options database, TRDB (will be

developed in WP 4.3) o Decision support tool (will be developed in WP 4.4)

- Clear examples of risk assessment applications and testing of these tools. Case studies are planned to be carried out at six sites (see Chapter 6).

During further work in the TECHNEAU project, including practical applications, the framework will be refined and more detailed descriptions of tools and examples on applications will be further provided.


5 Review of risk analysis methods

5.1 Introduction A wide variety of different methods exist for use in risk analysis, and the different methods are suitable for different purposes. The purpose of the TECHNEAU project is to integrate risk assessment of the separate parts into a comprehensive framework for cost-efficient risk management in safe and sustainable drinking water supply (TECHNEAU, 2005). To fulfil this objective, it may be necessary to carry out risk analysis at various levels:

1. Overall analysis of the total water supply system 2. Specific analysis of the water source, the treatment, distribution,

and/or plumbing system 3. Specific analysis of technical systems/operational activities 4. Analysis of sub functions within the system

The final choice of analysis method, or set of methods, depends on the purpose of the analysis and the analysis object. Several methods for hazard identification and risk analysis are described in the following sections. The methods for hazard identification are presented first. Risk estimation is the process used to produce a number of the level of risks being analysed. Risk estimation consists of frequency analysis (causal analysis), consequence analysis, and their integration. The risk estimation may be quantitative or semi-quantitative (e.g., risk matrixes). The methods for risk estimation are divided in three groups:

- Total or integrated methods (integrates causal and consequence analysis into one method)

- Methods for analysis of causes - Methods for analysis of consequences

Also various ways to measure risk in water supply systems are presented. This will cover measures both for water quality and water quantity as well as economic evaluation.

5.2 Scope definition and system description The scope of the risk analysis should be defined and documented to create a risk analysis plan at the start of the work. The description of the scope of work should at least include:

- A description of the purpose of the risk analysis and the problems that initiated the risk analysis

- A description of the system being analysed including a description of the technical system, system boundaries, operational conditions and the environment


- A description of the assumptions and constraints influencing the analysis.

It is beneficially to identify and describe the decisions that should be based on the results from the risk analysis and the decision-makers. An important aspect of the scope definition and system description is that the risk analysts get familiarised with the analysis object. An illustration of a system description for a water supply system is shown in Figure 26. The figure also is an example of a flowchart of the system which can be used during the risk analysis process.

Surface water

Excess water

Coagulant

UV

Tanks/reservoir on the network

Consumer

pH

Figure 26. Illustration of flowchart from source to consumer.

5.3 Hazard identification There are various techniques for identification of hazards or hazardous events within a system. HAZID (Hazard Identification) is a collective term often for such techniques. A brief description of some of the methods is presented in this section. The descriptions are primarily based on IEC (1995) and USDOE (2004). The HAZID analysis is introduced, and a list of typical hazardous events, related to water quality and quantity is presented. This can be used as a checklist. Finally this section presents the HAZOP (Hazard and Operability) analysis. This is a more comprehensive analysis, which identifies hazards and hazardous events in a very systematic way; in addition to assess probabilities and consequences of these events.

5.3.1 HAZID analyses Some techniques/methods for hazard identification (HAZID) are, see (IEC, 1995; USDOE, 2004):

- use of brainstorming


- experience from the past - “What if” analysis - Checklists

Brainstorming is a main method of problem solving or idea generation in which members of a group contribute ideas spontaneously. In this case, the problem is to identify hazards or hazardous events in a water supply system. Use of experience from the past, i.e., accident and reliability data, may also be used to identify potential problem areas and provide an input into frequency analysis. Experience from the past is often used as input to the methods described in previous sections. What-If analysis, (Nolan, 1994) is a creative brain-storming examination of a system, process, or operation conducted by a group of experienced personnel able to ask question about undesired events. The basic idea is that the team asks questions beginning with “What if”, e.g. What if the pump inlet pipe is blocked? Through this questioning process, an experienced group of personnel identifies possible hazards or accident scenarios. The whole system or process has to be considered and by asking the different questions hazards are identified. During the analysis the likelihood and consequences of different situations that may occur are determined and recommended measures are documented. The questions may address any off-normal condition related to the system, not just component failures or process variations. The What-if analysis may be documented in a tabular form that lists questions and answers that constitute potential accident scenarios, their qualitative consequences and possible risk reduction measures. The principles of the what-if analysis are very simple and possible to apply to the entire drinking water system to identify hazards. The What-if analysis may be combined with use of checklists in order to obtain more systematic hazard identification. A traditional checklist comprises a list of specific items to identify known types of hazards and potential accidents scenarios associated with water supply systems. Checklists may vary widely in level of detail. Checklists are limited by their author’s knowledge and experience and should be viewed as living documents and should be reviewed regularly and updated when necessary. A checklist is easy to use and is a cost-effective way to identify common and customarily recognized hazards. Checklists can be applied at any stage of the life-cycle of a water supply system and can be used to evaluate conformance with codes and standards.


Some typical hazardous events (threats) related to water quality are listed below for the different parts of the drinking water system. 1. Catchment/source:

- Farming - Grazing - Human activity - Large amounts of precipitation causing flushing of pollutants into the

water source - Nitrate contamination - Pesticides contamination - Microbial contamination, e.g. infectious agents origin from faeces - Extensive interruption in delivery due to poor source water quality - Wastewater and storm water reaching and contaminating the source

water trough overflows - Oil spill from water power plants - Climate changes increasing the number of extreme weather events

which can lead to Flooding and release of contamination - Collapse of dam, leading to massive destruction - Accidents with tankers resulting in release of oil - Traffic accidents - Sabotage

2. Water treatment

- Failure in the technical systems - Power failure - Inadequate microbial barriers - Incorrect dosage of chemicals - Internal microbial contamination - Sabotage

3. Distribution

- Contamination due to pipe breakage or other reason to decrease in water pressure

- Pipe brakeage leading to water shortage, especially when the water level in the reservoirs is low

- Sabotage The TECHNEAU Hazard Database (Beuken et al., 2007) presents a comprehensive list of hazards and hazardous events that can serve as a checklist for water utilities.


5.3.2 Hazard and operability analysis (HAZOP) HAZOP is a systematic technique for identifying hazards and operability problems throughout an entire plant/facility, (Nolan, 1994; Wirth and Sieber, 2000). All parts of the systems are evaluated to see how deviations can occur and whether they can cause problems. A HAZOP analysis is particularly useful in identifying unforeseen hazards designed into facilities due to lack of information, or introduced into existing facilities due to changes in process conditions or operating procedures. The basic objectives of the analysis are to:

a. provide a full description of the facility or process, including the intended design conditions;

b. reveal how deviations from the intention of the design can occur; and c. decide whether these deviations can lead to hazards or operability

problems. The approach is briefly described by the following steps:

1. Split the system/process into study nodes 2. At each study node specify a relevant set of process variables

(parameters), such as – temperature, – pressure, – flow level, and – chemical composition.

3. All of the process parameters are used together with a set of predefined guide words (see Table 2) to review of the process in a systematic way in order to identify possible deviations that may affect water quantity or quality.

The steps of a HAZOP analysis are illustrated in Figure 27. Table 2. HAZOP guidewords.

Terms Definitions No or not No part of the intended result is achieved (e.g. no flow) More Quantitative increase (e.g. high pressure) Less Quantitative decrease (e.g. low pressure) As well as Qualitative increase (e.g. additional material) Part of Qualitative decrease (e.g. only one or two components in a mixture) Reverse Opposite (e.g. backflow) Other than No part of the intention is achieved, something completely different

happens (e.g. flow of wrong material)


Figure 27. Flow diagram for the HAZOP analysis

The HAZOP study is documented in a HAZOP worksheet. An example for a water treatment system (chlorination for water disinfection) is given in Table 3. Table 3. HAZOP – Example of analysis (use of guidewords)

Process unit: Water treatment; chlorination 1. Process parameter: Flow Guide word Deviation Causes Consequences Action /solution No No flow 1. Chlorine supply is empty

2. Leaking pipe or tank 3 Valve failed in closed position

Disinfected water

More More (to much) flow

Miscalibration of equipment

High chlorine concentration in water

Less Less flow Limited supply Miscalibration of equipment

Disinfected water

Reverse Flow in opposite direction

A HAZOP study may highlight specific deviations for which mitigating measures need to be developed. It is most suited to be applied to the treatment system and distribution network of a water supply system.


5.4 Risk estimation Various risk estimation methods are presented. Some are mainly used for analysing causes, other for consequences, whilst some are aimed at analysing overall risk. The various ways to measure risk is also discussed. This section ends with a table, summarising main features of the risk analyses which are introduced.

5.4.1 Preliminary hazard analysis (PHA) PHA (IEC, 1995) is an inductive analysis method where the objective is to identify the hazards, hazardous situations and events that can cause harm for a given activity, facility or system. It is most commonly carried out early in the development of a project when there is little information on design details or operating procedures and can often be a precursor to further studies. It can also be useful when analysing existing systems or prioritizing hazards where circumstances prevent a more extensive technique from being used. A PHA formulates a list of hazards and generic hazardous situations by considering characteristics such as; a) materials used or produced and their reactivity, b) equipment employed, c) operating environment, d) layout, e) interfaces among system components, etc. The method is completed with the identification of the possibilities that the accident happens, the qualitative evaluation of the extent of possible injury or damage to health that could result and the identification of possible remedial measures. An example on a PHA-worksheet is shown in Table 4. Table 4. An example on a PHA-worksheet.

System Operating mode: Analyst: Date:

Ref. Hazard Hazardous event

Probable causes

Contingencies/ preventive actions

Probability Severity Comments

Risk and Vulnerability-analysis (RVA) The concept of RVA is a simple risk analysis to be carried out by the company itself (Mattilsynet, 2006). The objectives of the analysis are to identify undesired events, to rank the undesired events with respect to risk and to assess need for risk reducing measures. The method applies forms similar to e.g. the PHA, but also consequences are estimated; thus, providing an overall risk assessment. The basis for the RVA is a description of the water supply system and a list of undesired events that may occur in system. For each event, the probability of occurrence and the consequences are assessed in order to estimate the risk. The probabilities of occurrence are typically defined as small, medium, large or very large. Similarly, the consequences are described as small, medium, large and very large. The risk is expressed as a combination of the probability


of occurrence and the consequence of each event by use of a risk matrix. The results from a RVA and the conclusions from the assessments are summarised in a table as shown in Table 5. Based on such tables, the need for risk reducing measures is discussed. “Green” risk indicates that the risk is tolerable and there is no need for risk reduction measures. “Yellow” risk indicates that the need for risk reducing measures should be discussed, while “red” risk indicates that the risk is not tolerable and there is need for risk reducing measures. Often, the RVA are used to prepare emergency preparedness plans for the water supply companies. Table 5. An example on a summary of a RVA.

Event Consequence category Probability Consequence Risk Reference Failure of pump

A Water quality B Water supply C Reputation/economy

Medium Medium Medium

Small Large Medium

Small (Green) Medium (Yellow) Small (Green)

5.4.2 Failure Modes, Effects, and Criticality Analysis (FMECA) A FMECA is often the first step in a reliability analysis and involves reviewing as many components, assemblies, and subsystems as possible to identify failure modes, causes, and effects of such failures, (Rausand and Høyland, 2004). For each component, the failure modes and their resulting effects on the rest of the system are recorded in a specific FMECA worksheet (see Table 6). The FMECA is usually carried out during the design phase of a system in order to reveal weaknesses and potential failures at an early state. The results from the FMECA may also be useful during modifications of the system and for maintenance planning. A FMECA is mainly a qualitative analysis. However, some semi-quantitative analysis may be carried out by ranking of the criticality of the different failure modes by use of risk matrixes. A variation of FMECA is denoted Failure Mode and Effects Analysis (FMEA). In a FMEA no criticalities or priorities are assigned to the failure mode effects (i.e. there is no severity ranking).


Table 6. Illustration of a FMECA worksheet.

System Ref. drawing no.

Performed by: Date

Page: of

Description of unit Description of failure Effect of failure Ref. no.

Function Operational mode

Failure mode

Failure cause or mechanism

Detection failure

On the subsystem

On the system function

Failure rate

Severity ranking

Risk reducing measures

Comments

5.4.3 Fault tree analysis A fault tree analysis is a method to identify various ways that a system failure or accident may occur, (Rausand and Høyland, 2004; Rosen and Steier, 2006). A fault tree is a logic diagram that displays the interrelationships between a potential “critical event” (e.g. system failure or accident) in a system and the causes of this event. The causes may be technical failures, human errors, normal events, and environmental conditions. A properly constructed fault tree provides a good illustration of the various combinations of (component) failures, human errors, normal events, and environmental factors that may result in a critical event for the system. The critical event is called the top event of the fault tree. The various events in a fault tree are connected through logic gates, and the events on the lowest level are called basic events. A fault tree may be broken down to the preferred level of resolution. A fault tree analysis may be qualitative, quantitative, or both, depending on the objectives of the analysis. The result of a quantitative fault tree analysis may be calculation of the probability that the critical event will occur during a specified time interval. A fault tree analysis is normally carried out in five steps:

1. Definition of the problem and the boundary conditions 2. Construction of the fault tree 3. Identification of minimal cut and/or path sets 4. Qualitative analysis of the fault tree 5. Quantitative analysis of the fault tree

An example of a fault tree is shown in Figure 28.


Figure 28. Illustration of a fault tree.

5.4.4 Reliability block diagram A reliability block diagram is a success-oriented network describing the function of the system (Rausand and Høyland, 2004). It shows the logical connections of (functioning) components needed to fulfil a specified system function. If the system has more than one function, each function must be considered individually, and a separate reliability block diagram has to be established for each system function. The way n components are interconnected to fulfil a specified system function may be illustrated by a reliability block diagram as illustrated in Figure 29. Each of the components is illustrated by a block in the diagram. When we have connection between the end points a and b, we say that the specified system function is achieved. Two important structures of a reliability block diagram are a series structure and a parallel structure. A system that is functioning if and only if all of its n components are functioning is called a series structure. A parallel structure is a system that is functioning if at least one if its n components is functioning.

Figure 29. Illustration of a reliability block diagram.

5.4.5 Event tree analysis An event tree is a logic tree diagram that starts from a basic initiating event and provides a systematic coverage of the time sequence of event propagation to its potential outcomes or consequences, (Rausand and Høyland, 2004; Rosén and Friberg, 2003). The event sequence is influenced by safety barriers


(or control measures) and the consequences are determined by assuming failure or success of the existing safety barriers (or control measures). Each event in the tree will be conditional on the occurrence of the previous events in the event chain. The outcomes of each event are most often assumed to be binary (true or false), but may also include multiple outcomes /e.g., yes, partly, and no).

Figure 30. Illustration of an event tree.

An example of an event tree is shown in Figure 30. Here there are two control measures (disinfection and monitoring). Upper branch represents success, lower branch failure.

5.4.6 Human reliability assessment (HRA) Human reliability assessment (HRA) deals with the impact of human operators and maintainers on system performance and can be used to evaluate human error influences on water safety and water quantity in the water supply system. HRA is a collective term for various methods (see e.g., (Kirwan, 1994) for descriptions of HRA-methods). The main steps of HRA-methods are:

1. Task analysis 2. Human error identification 3. Human reliability quantification

Task analysis is the study of what an operator (or team of operators) is required to do, in terms of actions and/or cognitive processes, to achieve a system goal (Kirwan & Ainsworth, 1992). Task analysis methods can also document the information and control facilities used to carry out the task. Task analysis covers a range of techniques used to describe, and in some cases to evaluate, the human-machine and human-human interaction in systems.


The objective of the task analysis is to describe and characterize the task to be analysed in sufficient detail to perform human error identification and/or human error quantification. The human error identification identifies and describes possible erroneous actions while the human reliability quantification estimates the probability of erroneous actions.

5.4.7 Physical modelling of processes in source, treatment, and distribution There already exist tools for modelling processes both for the water source (e.g. lake, groundwater reservoir), water treatment plant (different techniques and different tools) and water distribution network (e.g. hydraulic network simulation models). For all these aspects the (hydraulic) simulation tools can be used for analysis of consequences of different hazardous events. Several tools for simulation of water treatment plants exist. With such tools virtual water treatment plants can be constructed and the performance can be tested in advance. Within TECHNEAU (WA5) a common plant simulator platform is being developed based on elements from existing simulation systems (Otter and Stimela). For the water distribution systems there exist simulations tools for calculating the quantity of water supply. The mean number of water interruptions (e.g. per year) resulting from pipe failures can also be estimated (e.g. CARE-W REL, http://care-w.unife.it/). In the approach the hydraulic simulation program EPANET (www.epa.gov) is used and the effect of pipe breaks is simulated by closing links/pipes one by one. The results are aggregated and summarised by using standard reliability theory. In this approach only the quantity aspect is covered and not water quality issues. Network models may be used to analyse the reliability/quantity of water supply/distribution systems. An example is Aquarel that is used to calculate the reliability of water distribution networks taking simultaneous failures of equipment into consideration (Røstum, 2001). Aquarel is based on hydrostatic simulations of the conditions in the network combined with standard reliability calculation techniques. The model also takes into account the volume-effect of the elevated reservoirs (tanks). The system reliability is dependent of the hydraulics in the network, the failures rates and the repair rates of the components in the network. The integration and following evaluation of these elements lead to a water network reliability analysis. Water quality issues related to network modelling are further developed in WA5 in TECHNEAU.

5.4.8 Health risk assessment This method has been developed by the US EPA1 in 1980s as a general tool to assess human health risks from environmental exposure to chemical substances (US EPA, 1989). Although the method was formally introduced as a basic framework for health risk assessment at Superfund sites (see e.g. 1 See http://www.epa.gov/oswer/riskassessment/ragsa/index.htm


manual Risk Assessment Guidance Manual for Superfund. The Human Health Evaluation Manual – Volume I), it has been commonly and widely used as standard tool for quantitative risk assessment of chemical exposure from food and environment (air, water, soil). Health risk assessment is the system consisting of four inevitable steps:

1. Hazard identification Known or potential health effects associated with a particular agent as well as agent properties are identified and described. Data collection (from literature, epidemiological investigations, animal studies) and data evaluation are also included.

2. Exposure assessment It comprises the identification and estimation of likely and potential routes of human exposure to contaminants with its source, magnitude, duration and frequency and the contact rate of each agent. The characteristics of the potentially exposed population should also be described as well as the uncertainty and variability in the assessment.

3. Dose-response assessment Relationships between the magnitude of exposure dose to an agent and the severity or frequency of associated adverse health effects (= response) are developed in this stage. While data on exposure assessment are “site-specific” and “population-specific”, the data on dose-response are usually taken from existing databases, like e.g. IRIS database available at the US EPA website.

4. Risk characterization It integrates the results from exposure and dose-response assessment in order to obtain quantitative risk estimates evaluating the magnitude of the public health problem, variability and uncertainty.

More detailed information on the method and its applications is provided in another TECHNEAU document (Kirchner et al., 2006): Application of risk assessment methods in the drinking water sector. Two examples are provided how to use this method in drinking water sector:

a. Ashbolt (2004) used the method to compare and prioritize the risks from disinfection by-products and pathogens, especially the health risk from Cryptosporidium in the drinking water versus bromate produced by eliminating oocysts with ozonation.

b. Codd et al. (2005) used the method to calculate possible limit values for several new cyanobacterial toxins which are not yet regulated and information on health-based limits in drinking water not available.

Health risk assessments are often focused on a specific pathogen, which exemplifies a limitation in this method. A holistic approach is needed in order to assess the impact on public health of a whole water system; cf. Section 5.4.10.


5.4.9 Health impact assessment WHO has developed a tool how to assess possible health impact of the policies or other plans considered for future implementation. See guideline document “Evaluation and use of epidemiological evidence for environmental health risk assessment” (WHO, 2000)2. The guidelines identify a set of processes and general approaches to assess available epidemiological information in a clear, consistent and explicit manner and should help in the evaluation of epidemiological studies with respect to their ability to support risk assessment. Despite of using partially different terminology, the core mechanisms how to quantify (characterize) the risk is very close to the one used by health risk assessment methodology according to the US EPA. Additional important step is the concept of DALY (Disability Adjusted Life Years), which allows to combine and compare different health outcomes. Several examples of interesting use of this tool may be provided:

a. Fehr et al. (2003) assessed the number of additional cases of cancer relating to higher carcinogens level in drinking water in Germany caused by water supply privatization.

b. Fewtrell (2004) assessed the global burden of disease caused by drinking water nitrate.

5.4.10 QMRA (Quantitative Microbiological Risk Assessment) While health risk assessment as mentioned above has been originally developed for assessment of chemical exposure, recently the QMRA (Quantitative Microbiological Risk Assessment) was developed to quantify the risk to human health from pathogens (related e.g. to water supply systems). The method requires the following data for the risk calculation:

- the pathogen concentration in drinking water, - the daily intake of un-boiled drinking water, - exposure frequency (number of days per year with exposure) , and - dose-response information of selected organism.

These data are then combined to characterize the risks. For example, a risk of illness for Campylobacter of 2.5 x 10-4 per year indicates that, on average, 1 out of 4000 consumers would contract Campylobacteriosis from drinking-water (WHO, 2004). The Microrisk project, see www.microrisk.com resulted in a number on reports on QMRA, see http://217.77.141.80/clueadeau/microrisk/uploads/microrisk_how_to_implement_qmra.pdf. QMRA was applied to 12 systems across Europe and Australia.

2 See http://www.euro.who.int/document/e68940.pdf


The probability of an adverse health effect following exposure to one or more pathogenic organisms is derived from a dose–response model. Available dose–response data have been obtained mainly from studies using healthy adult volunteers. As the concentration of pathogens in treated water often cannot be often detected due to detection limits of the current techniques and direct measurements of exposure levels are therefore not possible, an indirect approach has to be used. Such an approach can be based on measurements of concentrations of pathogens in the raw water and treatment efficiency (Havelaar, 1993; WHO, 2004), on mathematical models estimating the distribution of contaminants or on application of index organisms The QMRA method has the same steps as described for the health risk assessment (see above), i.e. Hazard identification, Exposure assessment, Dose-response assessment and Risk characterisation. Some important topics as regards QMRA are (Westrell, 2004):

1. Micro-organisms differ from chemicals in many was and the concept of QMRA has been further developed from QCRA to assess the microbial hazards. Important characteristics for micro-organisms are, for example, that they are affected by their environment to a high degree and under unfavourable conditions can be inactivated or die, while under favourable conditions some may multiply. The response in humans and animals after ingestion of pathogenic micro-organisms varies widely due to many factors, for example strain or species of the micro-organisms, health of humans and animals, prior exposure (immunity) etc.

2. QMRA is today applied to establishing standards, guidelines and other recommendations regarding drinking water and consumer health. It has a central role in the drinking water guidelines of the WHO for assessment of the accomplishment of established health targets and for the evaluation of Water Safety Plans. In the latter, it is used to support decisions regarding barriers and treatments necessary to safeguard public health in water supply systems.

3. QMRA is an appropriate tool for estimating the associated risks when implementing new reuse strategies.

4. Microbial risk assessment has both been used to qualitatively and quantitatively assess the health risks of recreational swimming and it is incorporated in the WHO Guidelines for Safe recreational waters.

5. A variety of fields includes examples on the applicability of the risk assessment method. In Sweden, QMRA have been performed on source-separating sanitary systems, namely the use of urine as fertiliser in agriculture and local greywater treatment. Drinking water applications can be found from the Göteborg system (Rosén and Friberg, 2003; Westrell et al., 2003; Åström et al., 2006), and the method is applied in an on-going project in Stockholm.


6. Many variables in a QMRA are subjected to regional differences, which may be tricky to find variable values that are valid at the specific site. The incidence of diseases in the human and animal population is known to differ between countries, resulting in differences in the occurrence and concentrations of pathogens in surface waters, wastewaters etc. The survival of pathogens in the environment is highly affected by climatic factors, e.g. temperature and solar irradiation, therefore differing between tropical and temperate regions. Different water and wastewater treatment steps may be used in different regions, e.g. ozonation that is more commonly used in the Netherlands compare to Sweden.

7. QMRA are often focused on a specific pathogen or pathogen ground and only consider one exposure pathways. This exemplifies limitations in this RA-method. A holistic approach is needed in order to assess the impact on public health of a whole water system and in order to make comparisons of different systems.

5.4.11 Barriers and Bow-Tie diagrams Bow-Tie diagrams are often used to illustrate scenarios that may lead to accidents. A Bow-Tie diagram comprises an undesired event (“deviation”, often denoted the initiating event), the underlying causes to this event and the possible consequences. Further, safety barriers are introduced, that can either prevent the undesired event to occur, help to regain control (prevent an accident to occur), or mitigate the consequences of the accident. The Bow-Tie model is illustrated in Figure 31.

Figure 31. Illustration of a Bow-Tie diagram.

A practical use of a Bow-Tie diagram is shown in Figure 32 for the case of an epidemic spread of Giardia.


Figure 32. Bow-Tie diagram – practical example.

With respect to safety barriers, the following definition is proposed by Sklet (2006); “Safety barriers are physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents.” The means may range from a single technical unit or human action, to a complex socio-technical system. Planned implies that at least one of the purposes of the means is to reduce the risk. Further the terms barrier function and barrier system are defined by Sklet (2006). A barrier function describes the purpose of the safety barrier, and tells what the safety barriers shall do in order to prevent, control, or mitigate undesired events or accidents. If a barrier function is performed successfully, it should have a direct and significant effect on the occurrence and/or consequences of an undesired event or accident. A barrier system is a system that has been designed and implemented to perform one or more barrier functions. A barrier system describes how a barrier function is realized or executed. If the barrier system is functioning, the barrier function is performed. The effect of the safety barriers is influenced by the performance of the safety barriers, and it is recommended to address the following attributes to characterize the performance of safety barriers (Sklet, 2006):

a. Functionality/effectiveness b. Reliability/availability c. Response time d. Robustness e. Triggering event or condition

For some types of barriers, not all the attributes are relevant or necessary in order to describe the barrier performance. The barrier functionality/effectiveness is the ability to perform a specified function under given technical, environmental, and operational conditions. The barrier functionality deals with the effect the barrier has on the event or accident sequence. The specified function should be stated as a functional requirement (deterministic requirement). The barrier reliability/availability is the ability to perform a function with an actual functionality and response time while


needed, or on demand. The barrier reliability/availability may be expressed as the probability of failure (on demand) to carry out a function. The response time of a safety barrier is the time from a deviation occurs that should have activated a safety barrier, to the fulfilment of the specified barrier function. Barrier robustness is the ability to resist given accident loads and function as specified during accident sequences. The triggering event or condition is the event or condition that triggers the activation of a barrier. It is not itself part of a barrier, however, it is an important attribute in order to fully understand how a barrier may be activated.

5.4.12 Tools in risk quantification A few other (more advanced) methods/tools that could be relevant to support risk analysis are shortly reviewed below.

5.4.12.1 Markov models These allow a rather detailed modelling of a system, by considering the transition between various “states” of the system, e.g. see Rausand and Høyland (2004). If we want to investigate the behaviour of an important (sub)system, possibly with some redundancy, we could define the system states as “OK”, “failed”, and various degrees of degradation (e.g. some redundant unit being failed). The Markov modelling is relevant e.g. for a more detailed investigation of the availability/functioning of the system or the effect of various types of maintenance on the system.

5.4.12.2 Risk influence diagrams / Bayesian belief networks These models consider the interactions between a numbers of variables, (Jensen, 2001; Langseth and Portinale, 2007). They could be applied if we for instance would like to investigate which factors/variables affect the occurrence a certain unwanted event. Formally the Bayesian Belief Network will provide the joint (conditional) distributions of the variables. The Risk influence diagram has various nodes, also related to decisions.

5.4.12.3 Monte Carlo simulation These models simulate the behaviour of a (complex) system which is subject to random events. The probabilistic distributions of the relevant variables (e.g. times to various failures, time to repair, etc) are specified in the model. By randomly drawing variables from these distribution we simulate the behaviour/state, (specified e.g. by the amount of delivered clean water to various customers), at each instant over a certain time period. By making a lot of such simulation we may achieve statistical means of the variables (performance measures) we are interested in (Rausand and Høyland, 2004). Monte Carlo simulation is often applied in QMRA.


5.4.13 Risk measures in water supply systems Both the quantity and the quality of the water supply are essential, and the TECHNEAU project focuses on these two aspects (“dimensions”) of the consumers’ risk, and there are various ways to measure these risks. We also introduce the concept of societal risk and discuss the economic evaluation of risk. When an overall evaluation of risk is carried out it is beneficial to measure the various aspects of risk in the same unit. But it is difficult to measure say loss of water supply for a large number of consumers over some days and various health problems for another group of consumers in the same unit. One solution often chosen is to try to transfer all losses to economic values. But that is rather controversial, in particular when it comes to giving values on human lives.

5.4.13.1 Water quality The quality aspect can be expressed in terms of both:

1. Actual water quality, which can be measured for instance by the no. of certain bacteria per ml water; and

2. By specific health outcomes on the consumers. Various measurements of the actual water quality will be carried out, e.g. at source, before/after treatment or even at tap. These measurements on the contents of bacteria are important means of controlling the water quality. And the acceptable limits that are decided for these contaminations will have a significant impact on the level of risk for the consumers. Such limits and the average values actually measured also represent a (somewhat indirect) measure of the actual health risk. Now there is a range of water-related illnesses with differing severities, including acute, delayed and chronic effects and both morbidity and mortality. So a more direct measure of the health risk is the mean number (or frequency) of diarrhoeal disease or infection (but not necessarily disease) with a specific pathogen. The potential for long term health effects, e.g. the no. of cancer incidents due to unhealthy water should also be included in the risk measure of health effects. In their Guidelines for Drinking-water Quality, WHO (2004) applies the Disability-Adjusted Life-Years (DALYs) as a risk measure. The basic principle of the DALY is to weight each health effect for its severity from 0 (normal good health) to 1 (death). The DALY is the sum of years of life lost by premature mortality (YLL) and years of healthy life lost in states of less than full health, i.e., years lived with a disability (YLD), which is standardized by means of severity weights. Thus:

DALY = YLL + YLD


So note that the years lived with disability (YLD) are downscaled, according to the severity of the disability. The key advantage of DALY is its aggregation of different health effects, and that it can be used to compare the health impact of different agents in water. Note that it even combines health with loss of life, which is a rather controversial topic, as many will hesitate to put a value on a life; (i.e. a “statistical life” not the life of a specific person).

5.4.13.2 Water quantity For the consumer it is important to have water of good quality, but there should also be enough water. Regarding interruptions in the supply (of sufficient quantity and quality of water) it could be important to record both the frequency and the duration of interruptions. For a specific type of industry a short interruption might have as high consequences as a longer one, even though the interruption’s contribution to the yearly quantity (% of time where the water supply is sufficient) can be small compared to a more long-lasting one. Thus, measuring water quantity by the average quantity of supply may not be sufficient; both the frequency and durations of interruptions should be given. The risk measures on quantity are typically calculated for the distribution network Then number of consumers affected (both regarding frequency and duration) are estimated. As a resulting risk measure we suggest a third term in the DALY formula (see above). This term could be a standardised expression of “years lived without water supply” (YLS). This is in its simplest form obtained by multiplying number of consumers affected by the duration (number of days) of the interruption. One should also agree on some scaling factor; as limitations in water quantity is typically less serious than health effects. A more advanced definition of YLS could distinguish between long and short of interruptions (see above). In this way we can combine all losses to consumers in one single measure. It could be a task for TECHNEAU to specify such a generalised definition of DALY (=YLL+YLD+YLS). This will be elaborated in further TECHNEAU reports.

5.4.13.3 Individual and societal risks Often we distinguish between the individual risk and the societal risk; e.g. see definition in IChemE (1992). Individual risk is for instance expressed by the frequency that an individual experiences a given level of loss of service due to various hazards. When we know the number of persons, N, depending on supply from a given water utility, and also have calculated the DALY of this water utility, the DALY/N would be a measure of the (average) individual risk for these consumers. Societal risk measures overall risks/effects on society, focusing on risks that come in addition to the individual risks. The risk of major accidents (with respect to loss of lives) is often expressed by FN-curves. This curve gives the


frequency (F) of accidents where the number of fatalities exceeds a number N. The idea often is that if the consequence (i.e. N) is high, then the frequency (F) should be very low, (aversion against major accidents). So, one accident with 20 fatalities could then be considered even worse than four accidents each with 5 fatalities (in the same time period). It is possible to define an analogous measure based e.g. on the number affected by bad water quality, instead of the number of fatalities (N). Then the serious events that alone give high a number of affected consumers should be identified. When the frequency of these events are estimated, the result can be presented in a “FN-like” diagram. This type of evaluations, based on the “number of consumers affected” in the events, will be further investigated in future TECHNEAU reports.

5.4.13.4 Economic valuation of risks In economic valuation of reduced risks to water resources, several considerations must be taken regarding the purpose of the valuation, and thus the selection of method. An important aspect regarding economic valuation methods is whether a particular method is capable of assessing the total economic value (TEV), or just a part of the total value (Swedish EPA, 1997). The TEV can be divided into use values and non-use values, and it has been suggested that the non-use values can be further divided into (1) option values, (2) bequest values, and (3) existence values (National Research Council, 1997), though in particular the definition of the option value category is debated (Freeman, 2003). Use values refer to values of direct use of the water resource, e.g. for drinking water or industrial production. Option values may exist for resources that are not used today, but could be used by us sometime in the future; e.g. protecting a water resource for use in case the main source of water is not possible to use due to pollution. Bequest values, on the other hand, consider that the resource could be used by future generations. Existence values are not related to any use of the resource at all, only to its mere existence; e.g. protecting a water resource just for the knowledge of having an undisturbed resource, without any intentions to ever use it. Economic valuation of market goods, i.e. good traded in the common market, does usually not constitute any large problems. Economic valuation of non-market goods, such as the reduced risks to human health and ecological systems, is generally more problematic. Freeman (2003), US EPA (2000), and Johansson (1993; 1995) provide detailed and extensive information on economic valuation methods of non-market goods. A common feature for all economic valuation methods is that they are only capable of measuring the change in well-being of humans. Three groups of valuation methods for non-market goods can be distinguished (Rosén et al., 2006):

1. Revealed preference methods


2. Stated preference methods 3. Methods that are less strongly founded in economic theory

Revealed preference methods (RPMs) are based on individuals’ actual behaviour on an existing market, making use of a relation between the market and the non-market goods. Thus, the relationship between goods on a market and for example the reduced risk to a water resource is used for indirect valuation of the risk reduction. Revealed preference methods include (a) the production function method, (b) the travel cost method, (c) the hedonic price method, and (d) the replacement cost method and the restoration cost method. The production function method is based on the assumption that the value of a natural resource is what it produces, for example the fish production of a lake, the wood production of a forest, and the meat production of grassland. In the travel cost method, the travel costs to recreational areas are used for the valuation. Many people and high travelling costs indicate that the area has a high value. The assumption in the hedonic price method is that health and environmental effects influence real estate prices. For example, it is reasonable to believe that a house close to a clean lake has a higher value than a similar house next to a polluted lake. The replacement cost method, or the defensive expenditure method, can be used when the non-market good to some degree can be substituted with a market good. One example is when the water cleaning capacity of a destroyed wetland can be substituted by a wastewater plant. The replacement cost method handles issues on a societal level, whereas the defensive expenditure method is concerned with individuals protecting themselves by trying to compensate for a loss. An important advantage of RPMs is that they consider individuals’ actual trade-offs at markets. A disadvantage is that just a part of the economic value is assessed, not the TEV. The principle of stated preference methods (SPMs) is that a scenario is presented for a randomly selected group of individuals. Each individual has to decide on the scenario through interviews or questionnaires. The most common SPM is the contingent valuation method, where the individuals are asked about their willingness to pay (WTP) for a suggested change in the scenario. A closely related SPM is choice experiments where the individuals have to make a choice among different situations, e.g. how much they are willing to pay for different well-defined levels of drinking water service. Based on these experiments, it is possible to derive a WTP. A disadvantage of SPMs is that the results depend on how the scenarios are presented and how questions are formulated. Valuation methods that are less strongly founded in economic theory include the human capital approach and the political WTP method. The human capital approach is based in the view that the value of a human being is what the person produces. The political WTP method is based on the amount of money spent to adhere to political decisions on environmental issues. Benefit transfer methods could also be mentioned as a valuation method. It refers to procedures to transfer


the results of previously performed economic valuation studies to a new situation. Economic valuation of non-market goods is still to some extent controversial. However, extensive research and applications in the field of environmental economics over the last decades have resulted in greatly increased knowledge regarding the possibilities and limitations of valuations of e.g. saving a statistical life and ecological improvements. For example, important improvements have been made on various types of SPMs; see e.g. Carson et al. (2001).

5.5 Summary of risk analysis methods One of the goals of TECHNEAU is to relate the risk analysis methods as support tool for relevant decisions with respect to risk in the water supply system. One should use the correct/relevant methods for the decisions in question. The choice of risk analysis methods will depend on a number of factors, such as

- Life cycle phase of water company development, (e.g. design or operation)

- Type (complexity) of water company, (basic or more complex) - Part of system: source, treatment, or distribution - Stakeholder values, (water quality, water quantity, security, economy

etc.) - Decisions on strategic or operational level

The future catalogue of risk analysis techniques to be defined in TECHNEAU should be able to adapt the methods to such factors, and should provide a comprehensive set of methods, which satisfies the needs of the various stakeholders. An analysis could include hazard identification, causal analysis and consequence analysis, or just one of these analyses. Some main features of the different risk analysis methods are summarized in Table 7.

- Risk analysis method (see Section 5 for further description) - Stage in the risk analysis process (whether the method is applicable

for hazard identification or risk estimation) - Whether the methods are applicable for qualitative or quantitative

analysis - Part of water supply system - Whether the methods are suitable for analysis of the water quality or

the water quantity (or both) - Data requirement - The need for education and training for the risk analysts are assessed.

The terms “Expert”, “Specialist” and “Novice” are used. Expert indicates that formal education and training are required before


people are able to use the methods in a proper way. Novice indicates that people are able to use the methods after an introduction to the methods without hands-on training or experience. Specialist is somewhere between expert and novice.

Observe that the main RA methods also are listed in Appendix A. This table specifies to what degree the RA methods are applied today / are possible applications in analyses of drinking water. This Table in Appendix A also gives major literature references.


Table 7. Relevant risk analysis methods for total system evaluations – from source to tap.

Risk analysis method

Section Stage in risk analysis process Qualitative / quantitative

Part of water supply system

Water quality/ Water quantity

Data requirements

Need of training

HAZID 5.3.1 Hazard identification Qualitative All Both Low Novice HAZOP 5.3.2 Hazard identification Qualitative Treatment

Distribution Both Medium Specialist

PHA / RVA

5.4.1 Hazard identification Risk estimation

Qualitative All Both Medium Novice

FMECA 5.4.2 Hazard identification Risk estimation

Qualitative Treatment Distribution

Both High Specialist

Fault tree analysis 5.4.3 Risk estimation (causes)

Qualitative/ quantitative

All Both High Expert

Reliability block diagram

5.4.4 Risk estimation (causes)


All Both High Expert

Event tree analysis 5.4.5 Risk estimation (consequences) Qualitative/ quantitative

All Both High Specialist

HRA 5.4.6 Risk estimation (causes)


Treatment Distribution

Both High Expert

Physical models 5.4.7 Risk estimation (consequences)

Quantitative All Both High Expert

QMRA/QCRA 5.4.10 Risk estimation (consequences)

Quantitative All Quality High Expert

Barriers and Bow-Tie diagram

5.4.11 Risk estimation Qualitative/ quantitative

All Both Low Specialist



6 Case examples

6.1 Introduction This chapter presents two examples of actual risk analyses of water utilities. The first case comprises a fault tree and event tree analysis of the water utility of Göteborg in Sweden. The second case comprises of an RVA carried out for the water utilities of the Norwegian city, Bergen. At the end of this chapter, a hypothetical case where several risk analyses methods are combined is described. The Bergen and Göteborg case are two out of six case studies that are carried out during 2007 within WA4 and they aim to apply and evaluate the applicability of different methods for risk analysis (i.e. hazard identification and risk estimation) and risk evaluation of drinking water supplies. The case studies will also provide examples on how risks to drinking water systems can be analysed and evaluated. The drinking water supplies in the following six locations constitute case study sites where risk assessments will be performed in WA4:

- Göteborg, Sweden - Bergen, Norway - Amsterdam, The Netherlands - Freiburg-Ebnet, Germany - Březnice, Czech Republic - Upper Nyameni, Eastern Cape, South Africa

Detailed reporting of the case studies is planned to December 2007.

6.2 Göteborg case Göteborg is the second largest city in Sweden and the drinking water system is supplying approximately 700 000 people. The raw water is taken from the river Göta älv, which is considered as one of the most contaminated source waters in Sweden. Also a reserve supply system consisting of a number of interconnected lakes are used to supply Göteborg with raw water. Two water treatment plants, with highly similar treatment trains, are treating all drinking water for Göteborg. During normal conditions when both water treatment plants are fully operating they supply different delivery zones, the north and in the south part of Göteborg. Göteborg is also supplying some adjacent municipalities with drinking water. The risk assessment focuses on supply failure and intends to answer if the level of risk related to supply failure is tolerable or not, referring to the acceptable level of risk defined by the local water utility, Göteborg Water. To analyse the risk a fault tree and event tree analysis is performed and the parameters used to estimate the level of risk are: (1) probability of failure; (2) the number of people affected; and (3) duration of failure.


Risk methods applied The risks in Göteborg’s drinking water system are analysed based on an integrated – ‘from source to tap’ – approach. This means that the entire system is considered when hazards are identified and the risk related to supply failure is estimated. The hazard identification is conducted based on the TECHNEAU Hazard Database (Beuken et al., 2007), brainstorming and experience from the past. The collaboration with the personnel at the water utility is of primary importance when identifying hazards and describing the system. To perform the risk analysis a combination of a fault tree and an event tree analysis is used. The fault tree is used to conduct causal modelling yielding estimations of the probability of supply failure. A fault tree illustrates how different events are connected and how they may cause a critical event, called top event, to occur. The top event in this fault tree analysis is supply failure, which refers to two categories of failure: (1) quantity failure, i.e. no water is delivered; and (2) quality failure, i.e. water is delivered but does not comply with existing quality standards Since the fault tree is built up on hazardous events and the physical structure of the drinking water system, the hazard identification is done simultaneously as the fault tree is constructed. The entire system (i.e. source water, treatment and distribution) is considered in the fault tree of Göteborg’s drinking water supply. To illustrate the likelihood of the events in the fault tree, probability distributions are used. The distributions describe the uncertainty of the likelihood and are based on hard data, expert opinions and combinations of these. The experts involved are water utility personnel. As mentioned above the fault tree is used to model the causes of hazards, but the consequence modelling will build on an event tree analysis. The event tree will be used to model consequences that may arise given a supply failure, e.g. the number of people affected from different types of failure events. Göteborg Water has worked out an action plan which, among other things, contains performance targets regarding the supply of drinking water. These targets can be considered as tolerable levels of risk and will be used in the risk evaluation phase of the study.

6.3 Bergen case Bergen is the second largest city in Norway with a population of approximately 250 000 inhabitants. The water supply is owned by the municipality and operated by a public water company, Bergen Water, (which is 100% owned by the municipality). Bergen Water abstracts water from 5 different surface water sources. At each source there are independent water treatment plants (WTP) with more or less the same treatment techniques (coagulation, filtration, UV, chlorination). Figure 26 illustrates the typical components in the water supply system in Bergen. The WTPs feed water into the water distribution systems at different


places of the network resulting in a more redundant system. The network is built and operated in such a way, that if one of the WTPs is out of service then the remaining WTPs have enough capacity to supply the whole city. From the summer 2007 all WTPs have two hygienic barriers (multiple barriers) in the treatment step. In autumn 2004 the city experienced a waterborne outbreak of Giardiasis where as much as 4 000-6 000 people were infected by the parasite, and 200-400 persons still have long lasting effects. After the outbreak the municipality has focused on proactive risk management of the complete water supply system, from source to tap. Risk methods applied The analysis includes hazard identification for all sources, WTPs and the complete transport system. The analysis is based on the existing Norwegian guidelines on RVA (i.e. special version of PHA) for water supply. The guidelines are not specially dedicated to WSP and HACCP principles, so the chosen analysis has been modified in order to include aspects from the HACCP approach. In this case there is a focus is on identifying hazardous events, evaluating risk using risk matrix, and identifying risk reducing options and control points. The RVA is based on an investigation of the identified hazardous events. This can be summarized in a form (Table 8) giving:

- Hazardous event number - Hazardous event - Cause of hazardous event - Probability of hazardous event - Consequence of hazardous event (both with respect to water quality

and water quantity) - Risk reducing measures / Critical Control Points - Comments / Further description of event

A list of hazardous events is created, (being supplemented based on input from relevant water utilities). There is one list for each distinct part of the water supply system (source, treatment and distribution). The list is adapted to the actual system and does not cover e.g. events relevant for groundwater.


Table 8. Form for RVA.

Subsystem: UV Disinfection Consequence (C) Ev.

no. Hazardous

events Cause Proba-

bility (P) Quality Quantity Measure

/CCP Comment

1 Too low UV dose

Condensation of water inside quartz tube

P2 C2 C1 Online- measure of UV intensity to verify intensity above threshold.

In place

2 Too low UV dose

Insufficient control of flow for each UV-reactor

P3 C2 C1 Install flow-control valves on all UV reactors in parallel

Poor design

3 Too low UV dose

Water leakage into UV sensor

P2 C2 C1 Control sensors regularly

3 sensors standard installation

4 Non continuous operation of UV-reactor

Power interruptions

P2 C3 C2 Install backup- power supply and or uninterruptible power supply (i.e. battery)

The probabilities and consequences are given in terms of the following classes. Probability Classes: P1 = Small probability P2 = Medium probability P3 = High probability P4 = Very High probability Consequence Classes (both quality and quantity): C1 = Small consequence C2 = Medium consequence C3 = High consequence C4 = Very High consequence As a support to assign consequence class it is a possible first to specify duration and exposure. Duration (of illness or lack of supply) can be classified as:

- 0-6 hrs - 6-24 hrs - 1-7 days - 1-4 weeks - 1-6 months - > 6 months


Exposure, i.e. number of affected, can be given as:

- 1-10 - 10-100 - 100-1 000 - 1000-10 000 - 10 000-100 000 - > 100 000

So one outcome of the analysis of a specific hazardous event is the risk, given by probability, P, and consequence, C. This set (P, C), is to be inserted in a Risk matrix, see Figure 33; the event here being identified through the hazardous event no. There will be one risk related to quality and one to quantity. For hazardous events with risk in the red area, control measures have to be initiated; for risks in the yellow area, it is required to search for cost-effective risk reducing measures.

C1 C2 C3 C4

P4

P3 2

P2 1, 3 4

P1

Figure 33. Risk matrix with risk related to hazardous events 1-4.

In order to carry more detailed analysis of special parts of the system, other risk methods might be applied. For example, for identifying critical pipes in the network, a hydraulic based network reliability tool will be applied (Figure 34). The pipes with the largest consequences in case of pipe failures are then identified. Results from the municipality The most important results for Bergen municipality will be a list of hazardous events and risk reducing options including suggestions for critical control points (CCP). These are listed for all elements from source to tap.


Criticality

0.01

0.02

0.52

2.35

Figure 34. Illustration of critical pipes calculated by hydraulic reliability models.

6.4 Combined use of risk analysis methods This section describes a combined use of different risk analysis methods. The hazard identification is part of a RVA (see e.g., Section 6.3). Relevant hazards should be identified for the source, the treatment and the distribution system, and evaluation of these may be presented in a risk matrix as illustrated in Figure 33. The RVA may be combined with a Quantitative Microbial Risk Assessment (QMRA), giving a detailed analysis of the consequences of distribution of contaminated water for human beings (adverse health effects). This includes a hazard characterization, exposure assessment and risk characterization. The hazard characterization provides a qualitative and quantitative description of the severity and duration of adverse effects of contaminated water. Preferably, a dose-response analysis should be carried out in order to determine the relationship between the magnitudes of exposure (dose) and the severity and/or frequency of associated adverse health effects (response). The exposure assessment includes an assessment of the extent of human exposure to contaminated water.


The risk characterization represents the integration of hazard identification, hazard characterization and the exposure assessment to obtain a risk estimate. The results are a quantitative estimate of the likelihood and the severity of the adverse effects which could occur in a given population. To translate the risk of developing a specific illness to disease burden per case, the metric DALY (Disability-Adjusted Life-Years) may be used (WHO, 2004) (see also Section 5.4.13.1). Further, assume that main results of this RVA is that UV is found most critical regarding water quality, and water quantity is most vulnerable regarding part of distribution network. Therefore separate risk analyses are used to analyse these problem areas in detail. First a fault tree analysis may be used to analyse causes of failure of the UV-system. A top-level fault tree for this system is shown in Figure 35. The top event is defined as ”UV-system delivers water not treated according to requirements”. For this top event to occur we must have that both:

- UV applies a too low dose, and - Automatic shut-down fails (there are sensors that shall activate a

valve to shut-down water production if UV-dose is too low)

Figure 35. Top level fault tree for the top event ”UV-system delivers water not treated according to requirements”.

Too low UV dose can occur if either:

- Sensors measuring the UV-dose gives too high values, or - Water flow is too high (so that water does not stay long enough to get

sufficient UV radiation), or - UV intensity is too low.

These three events can then be evaluated further as indicated.


The automatic shut down fails if either:

- Shut-down system is disabled by operator (e.g. after a wash), or - Sensor measures a too high UV-intensity, or - Control system fails to activate shut-down valve, or - Shut-down fails to shut down when required by sensor/control

system. (Also these could be further developed) This fault tree can be further analysed to give the “cut sets”, i.e. combinations of the basic events that result in the top event. This is helpful to identify the most critical failures. We observe that “Sensor(s) giving too high values” can result in both “Too low UV dose applied” and “Automatic shut down fails”. Therefore the sensors appear as a very critical component. Further, the fault tree is also used to quantify the probability of the top event. Next, a detailed analysis of the probability of reduced water quantity due to failures in the piping network may be carried out by use of CARE-W REL. The results from such an analysis are shown in Figure 36. The analysis identifies the most critical pipes for the whole water distribution system.

Figure 36. Critical pipes for the whole water distribution system.

A detailed analysis of this figure (zoom) can be used for evaluating possible measures to reduce the vulnerability of the distribution system (see Figure


37). Possible alternatives might be: increase the pipe diameter, install parallel pipes, renovate/rehabilitate the pipe (reducing probability of failure) and modify valve settings/change pressure zones etc.

HCIHCI

Identification of critical pipes within a smaller area which is one criteria for rehabilitation planning

Figure 37. Identification of critical pipes within a smaller area.



7 Risk evaluation approaches

Obviously a lot of risk models/approaches are available. These can be used for the various parts of the water utility, see Figure 26. However, as seen from some surveys, (Appendix A) the use of the various techniques within water management today seems rather limited. In order to arrive at a “TECHNEAU approach” for risk analysis we should identify the most relevant decision situations for water companies, where risk analyses provide important input. So in this chapter we describe some typical decision situations were there is a need to carry out such analyses. Further, we discuss the second step of risk assessment (Figure 4), that is risk evaluation, incl. the use of risk acceptance criteria.

7.1 Decision situations There are various decision situations were the use of risk analysis is highly relevant for water companies. In the following list we present typical situations:

- Initial analyses required prior to the start up (e.g. during design) of a plant/water utility; (acceptance requiring hazard identification, risk estimation and risk evaluation)

- Analyses initiated due to a specific problem encountered during operation:

o Delivered water is observed not to maintain required quality (e.g. to high density of some bacteria)

o Observed limitations in water delivery (to some group of users)

o Observed security problems o Accident investigation

- General updating of previous analyses, to include possible new hazards or account for changes in operating or environmental conditions or of the technical standard (cf. maintenance) of equipment, etc.

- Risk analyses required when there is need for rebuilding/expanding the plant (modification, life extension, and end of life problems)

Of course, the risk analyses which are relevant to use will depend heavily on which of these situations is causing the need of a risk analysis. We observe that there are different problems in different phases/life cycles.


7.2 Risk evaluation When the risk analyses have been carried out, the decision makers must perform a risk evaluation (cf. Figure 4). A main question is whether the risks are acceptable (or rather tolerable), and so the risks should be compared to predefined risk acceptance criteria (RAC). Considering various options for the water utility, the decision makers have to evaluate the risks (i.e. water safety) and also relevant costs (e.g. of undesired events and of risk reducing measures). The ALARP principle. When the risks related to a specific option are evaluated, we may apply the ALARP (As Low As Reasonably Practicable) principle to arrive at an acceptable solution, see Figure 7. The ALARP principle applies two limits. An upper acceptance limit is specified, and if a solution shall be acceptable the risk must be below this limit. But also a lower limit is specified, Risks below this limits are considered acceptable, and do not need to be investigated further. However, risks in between these two limits (in the “ALARP region”) should be investigated further and reduced “as far as reasonably practicable”. This means that risk reducing measures should be investigated and their cost effectiveness be evaluated. Unless a risk reducing measures is unreasonably expensive relative to its effect on the risk, it should be implemented. Thus, a systematic discussion should be carried out for any risk in the ALARP region. Observe that the risk matrix – when we have defined green, yellow and red fields (cf. Figure 12 and Figure 33) – could be seen as a simple application of the ALARP principle. But most often use of the risk matrix is just a rather informal way to categorise various risks, and the limits between red and yellow, and between yellow and green are specified somewhat arbitrarily, without investigating the effects on the overall risk. Risk acceptance criteria (RAC) can be defined at various “levels”. Note that RAC can be applied at different “levels”. Various RAC at a "lower" level could be related to specific equipment or processes. For instance, we could have a RAC related to the frequency of raw water contamination. There could also be safety requirements for the acceptance of the various safety functions/barriers of the utility. The risk matrix is often used at a “low level”. Then the risk contributions of various unwanted (hazardous) events are investigated, in order to identify which of them are unacceptable, and thus require that risk reducing measures are implemented. However, we should also merge the risks in order to measure the overall total risk of the water utility (both with respect to quality and quantity). Usually we define a “top level” RAC for this overall risk. These RAC can be given as upper limits for the probabilities of some unwanted “end events”, as yearly probability of loss of life, as mean number of persons infected (or diseased) per year, as DALY, etc. Such overall measures of safety require detailed analyses and are often hard to estimate. The ALARP principle could be


applied at this “top level”, and then the choices of the upper and lower risk acceptance limits must be properly discussed. Normative issues The risk evaluation has obvious ethical aspects. Which risks can we actually tolerate? The following are main normative issues in the decision process, say of a water utility, (Hokstad et al., 2004):

- Which dimensions (aspects) of risk shall be evaluated? Shall decision makers restrict to consider water quality and water quantity? Should special/additional attention be given e.g. to major accidents or environmental issues?

- What are the preferences and trade offs between the various dimensions of risk (as water quality and water quantity)? That is, when we know the costs of two risk reducing measures, which of them should be given priority? And could different stakeholders/consumers be treated differently, etc.?

- How shall we arrive at a RAC (the actual acceptance limits) for various risks?

It is obvious that a discussion is needed to define the dimensions of risk to evaluate. For example, shall we only deal with “average risk values” for the total population, or do we focus on high risk groups (cf. Stallen et al., 1996). Another topic is the question of public’s perceived risks (fears). To what extend shall that be taken into consideration? So a RAC-approach should have an "ethical foundation", securing that safety is not compromised. Use of RAC should be seen as a means to reduce risk, and management commitment is essential in the process. Use of RAC in the decision process The RAC shall support the decision makers. In the outset it may not be obvious which risks are tolerable, and decision makers can benefit from a line of arguments that is documented, e.g. by comparisons to existing risk levels. This could promote consistency in various decisions. The decision process itself could also benefit from having specific normative discussions (as choosing the RAC). So the rationale behind using RAC in the decision process could be to improve:

1. Risk control: The undesired consequences of the planned activity shall be properly evaluated, and also controlled to a level that is acceptable to all affected parties.

2. Efficiency of the decision process: Use of RAC may be an efficient way to structure the tasks of the decision process. Even if the RAC should be tailored to the specific situation, it may not be necessary to repeat all arguments every time.

The use of RAC should contribute to more focus and involvement regarding safety issues for affected parties. But unfortunately the use of RAC could also


lead to somewhat "automatic" decisions. So a possible problem with the use of RAC is that setting a target does not give drive for improvements beyond this level. The creative process of finding even better arrangements and measures is in practice limited to meeting the criteria. In that case the use of RAC does not play an active role in the risk management process. This has caused some authors to advice against the use of RAC (Aven and Vinnem, 2005). However, applied in a proper way, the use of RAC in combination with other incentives would often prove useful for the decision process. Key words are involvement and risk reduction. Principles for establishing RAC How should we decide on the actual limit between "acceptable” and “non-acceptable” risk? The following are two general principles to assist in attaining a numerical limit for acceptance.

1. "The Comparison criteria” (e.g. NORSOK Z-13, NORSOK (2001)) is essentially the same as the French GAMAB (“Globalement Au Moins Aussi Bon“) principle. This is primarily used when non-standard solutions, e.g. new technology, are to be implemented. Then the acceptance will require that the solution shall give at least as low risk as the present accepted practice/solution. In general the Comparison Criteria seem the most helpful approach by modifications of systems, e.g. by introduction of new technology, and when new utilities shall be built.

2. "The Additional risk" criteria, which can be seen as a version of the (German) MEM (Minimum Endogenous Mortality) principle. Roughly speaking, this principle starts from an existing “basic risk”. Then a new activity shall not significantly increase this. By specifying such an underlying basic risk, we are assisted in also specifying a RAC. We can require that the increase in risk due to an (increase in a specific) activity shall be less than a certain percentage of the “basic risk”. In general, the following are useful input, when the actual limit of a RAC shall be specified:

- Historical risk data and acceptability of risk in similar activities; (i.e. we utilise accumulated knowledge)

- Assessment of perceived risk of stakeholders, - Willingness to accept the risks by involved parties.

Finally, when RAC shall be decided, one should have the ambition to achieve continuous risk reduction.


8 Conclusions and further work

The following conclusions are made from this work:

• The generic framework described here aims at providing support and structure for risk management in the preparation of Water Safety Plans. It is intended for use at both strategic and operational (asset and project) levels and for basic and complex groundwater and surface water systems. Application on different levels and different types of systems will not be possible using a single method, but rather combinations of methods suitable for each specific situation at hand for identification, estimation, valuation, reduction and control of risks. The future work in TECHNEAU will therefore be directed at describing a toolbox of methods and examples of successful applications of these methods.

• Successful risk management of drinking water supply systems must

include all parts of the water production system, from source to tap.

• Further, successful risk management must have:

- Clear objectives - Agreed terminology - A clear process according to which risk management can be

carried out - Organisatorial structure for risk management - Recognition of both upside and downside aspects of risk - Recognition of activities as well as stakeholders affected by

decisions

• The framework comprises the full risk management process and all necessary steps that must be carried out to achieve a successful risk management. It must, however, be emphasized that, as indicated above, a successful management requires an organisational structure as well as awareness and appreciation of the possibilities of risk management. It must be recognized that there are both upside and downside aspects of risk, i.e. understanding that risks associated with a specific activity may require risk reduction measures but also that these measures can be designed to make water production more efficient and with higher safety to consumers.

• It is also necessary to recognize the need of communication and

involvement with stakeholders affected by risk management decisions. A well organised risk management process provides transparency and a clear basis for communication with involved stakeholders, such as authorities and consumers.


• A successful risk management framework must have efficient tools for identifying, estimating, evaluating and reducing risks. The catalogue of methods described here displays many approaches with different levels of sophistication.

• Methods must be carefully selected and combined to be optimally

adapted to the purpose of the risk management. One of the goals of TECHNEAU is therefore to relate the risk analysis methods as support tools for relevant decisions with respect to risk in the water supply system. One should use the correct/relevant methods for the decisions in question. The choice of risk analysis methods will depend on a number of factors, such as:

- Life cycle phase of water company development, (e.g. design or operation)

- Type (complexity) of water company, (basic or more complex) - Part of system: source, treatment, or distribution - Stakeholder values, (water quality, water quantity, security,

economy etc.) - Decisions on strategic or operational level

A future “TECHNEAU catalogue” of risk analysis techniques should be able to adapt the methods to such factors, and should provide a comprehensive set of methods, which satisfies the needs of the various stakeholders.

For development of the framework and to gain experiences from various risk analysis tools, practical applications and evaluations need to be performed. Several case studies will therefore be performed within TECHNEAU WA4 with applications of different types of tools; from the simple (RVA) to the more complex, e.g. quantitative fault tree analysis. The Bergen and Göteborg cases have been shortly described in this report. Main purposes of the applications are:

- To gain further knowledge regarding the applicability of different methods.

- Evaluate experiences of different end-users. - Apply different methods to one system to see how end-result differ

(impact of choice of method). - Perform elaborate assessments of ‘standard’ simple systems to

provide a basis for simple and efficient assessment of simple/small systems.

- To develop good examples on integrated risk management of water supply systems, which will help in promoting risk management and Water Safety Plans.


For cost-efficient risk management, valuation of risks should consider the economic aspects. Economic risk valuation will therefore be an important part of further development of the framework. Availability of data is essential for carrying out the risk analyses. Efficient risk management would benefit largely from a data base, including e.g.:

- (Undesired) events - Failures of various components/equipment, (incl. failure mode, repair

time etc.) - Inventory of equipment, giving number of various types of

components, operational times, etc. - Various environmental and operational data that are (assumed)

relevant for the performance of the systems/components. It is therefore intended that further work in TECHNEAU includes:

- Establishing a common format for such a data base (making it easy to transfer data).

- Encouraging the exchange of data across water utilities (and countries).

- Developing analysis techniques to better utilise the information provided by such a data base.



9 References

Agarwal, A., M. S. delos Angeles, R. Bhatia, I. Chéret, S. Davila-Poblete, M. Falkenmark, F. Gonzalez Villarreal, T. Jønch-Clausen, M. A. Kadi, J. Kindler, J. Rees, P. Roberts, P. Rogers, M. Solanes, and A. Wright (2000). Integrated Water Resources Management, Stockholm, Technical Advisory Committee background papers No. 4, Global Water Partnership.

Al Radif, A. (1999). Integrated water resources management (IWRM): an approach to face the challenges of the next century and to avert future crises, Desalination, 124, 145-153.

AS/NZS (1999). Risk Management Standard, AS/NZS 4360:1999. ISBN 0-7337-2647-X, Standards Australia / Standards New Zealand.

AS/NZS (2004). Risk Management Standard, AS/NZS 4360:2004. ISBN 0733759041, Standards Australia / Standards New Zealand.

Ashbolt, N.J. (2004). Risk analysis of drinking water microbial contamination versus disinfection by-products (DBPs), Toxicology 198, 255-262

Åström, J., S. Petterson, O. Bergstedt, T. Pettersson, and T. A. Stenström (2006). Microbial risk reduction by active choice of raw water for drinking water treatment, Journal of Water and Health Supplement (submitted).

Aven, T. and Vinnem J.E. (2005). On the use of risk acceptance criteria in the offshore oil and gas industry. Reliability Engineering & System Safety, 92, 1, 15-24.

Beuken, R., S. Sturm, J. Kiefer, M. Bondelind, J. Åström, A. Lindhe, I. Machenbach, E. Melin, T. Thorsen, B. Eikebrokk, C. Niewersch, D. Kirchner, F. Kozisek, D. Weyessa Gari, and C. Swartz (2007). Identification and description of hazards for water supply systems – A catalogue of today’s hazards and possible future hazards, TECHNEAU.

Bioterrorism Act (2002). Public health security and bioterrorism preparedness and response Act of 2002, Public Law 107-188 107th Congress.

Carson, R. T., N. E. Flores, and N. F. Meade (2001). Contingent Valuation: Controversies and Evidence, Environmental and Resource Economics, 19(2001): 173-210.

CCME (2004). From Source to Tap: Guidance on the Multi-Barrier Approach to Safe Drinking Water, http://www.ccme.ca/sourcetotap/mba.html, Canadian Council of Ministers of the Environment.

Codex (2003). Hazard and Critical Control Point (HACCP) System and Guidelines for its Application, Annex to the Recommended International Code of Practice - General Principle of Food Hygiene, Codex Alimentarius Commission.


Codd, G.A., L. Morrison, and S. Metcalf (2005). Cyanobacterial toxins: risk management for health protection, Toxicology and Applied Pharmacology, 203, 264-272.

DANVA (2006). Guidelines for water safety, Vejledning i sikring af drikkevandskvalitet (Dokumenteret DrikkevandsSikkerhed - DDS), Danish Water and Waste Water Association, In Danish, www.danva.dk.

Davidsson, G., M. Lindgren, and L. Mett (2002). Evaluation of risk, Swedish Rescue Services Agency, Report P21-182/97, ISBN 91-88890-82-1, In Swedish, Karlstad, Sweden.

Dewettinck, T., E. Van Houtte, D. Geenens, K. Van Hege, and W. Verstraete (2001). HACCP (Hazard Analysis and Critical Control Points) to guarantee safe water reuse and drinking water production - A case study, Water Science and Technology, 43, 31-38.

DVGW (2006). Richtlinien für Trinkwasserschutzgebiete; I. Teil: Schutzgebiete für Grundwasser. Technische Regel, Arbeitsblatt W 101, Draft W-TK1.2/06-005.

European Commission (EC) (1998). The Council Directive (98/83/EC) on the quality of water intended for human consumption (the Drinking water directive).

European Commission (EC) (2000a). First report on the harmonisation of risk assessment procedures, Part 2: Appendices 26-27 October 2000 (published on the internet on 20.12.2000).

European Commission (EC) (2000b). Directive 2000/60/EC of the European Parliament and of the council of 23 October 2000 establishing a framework for Community action in the field of water policy, Official Journal of the European Communities, L327/1, European Union.

Fehr, R., O. Mekel, M. Lacombe, and U. Wolf (2003). Towards health impact assessment of drinking-water privatisation – the example of waterborne carcinogens in North Rhine-Westphalia (Germany), Bulletin of the World Health Organisation, 81 (6), 408-414.

Fewtrell, L., and J. Bartram (2001). Water Quality: Guidelines, Standards and Health, London, World Health Organization, IWA Publishing.

Fewtrell, L. (2004) Drinking-water nitrate, methemoglobinemia, and global burden of disease: a discussion, Environ Health Perspect, 112: 1371–1374.

Freeman III AM. (2003). The Measurement of Environmental and Resource Values: Theory and Methods. Resources for the Future: Washington DC.

Grimvall, G., P. Jacobsson, and T. Thedeén (1998). Risker i tekniska system, 1 ed., 312 pp., In Swedish, Utbildningsradion, Stockholm.

Havelaar, A. H. (1994). Application of HACCP to drinking water supply, Food Control, 5, 145-152.

Hokstad, P., J. Vatn, T. Aven, and M. Sørum (2004). Use of risk acceptance criteria in Norwegian offshore industry: Dilemmas and challenges, Risk Decisin and Policy, Vol 9 No. 3, 193-206, 2004.


Hrudey, S. E., and E. J. Hrudey (2004). Safe Drinking Water – Lessons from recent Outbreaks in Affluent Nations, IWA Publishing, London.

IChemE (1992). Nomenclature for Hazard and Risk Assessment in the Process Industry, Institution of Chemical Engineers.

IEC (1995). IEC60300-3-9, Risk Management - Part 3: guide to risk analysis of technological systems, International Electrotechnical Commission.

ISO/IEC (1999). Guide 51 Safety aspects – Guidelines for their inclusion in standards.

ISO/IEC (2002). Guide 73 Risk management - Vocabulary - Guidelines for use in standards.

Jensen, F. (2001). Bayesian Networks and Decision Graphs. Springer-Verlag, New York, Berlin, Heidelberg.

IWA (2004). The Bonn Charter for Safe Drinking Water, www.iwahq.org.uk/template.cfm?name=bonn_charter, International Water Association.

Johansson P-O. (1993). Cost-Benefit Analysis of Environmental Change. Cambridge University Press: Cambridge.

Johansson P-O. (1995). Evaluating Health Risks: An Economic Approach. Cambridge University Press: Cambridge.

Kaplan, S. (1997). The Words of Risk Analysis, Risk Analysis 17, 407-417.

Kirchner, D., C. Niewerschg, and T. Wintgens (2006). Application of risk assessment methods in the drinking water sector. Literature review, TECHNEAU.

Kirwan, B. (1994). A guide to practical human reliability assessment. Taylor & Francis, London.

Kirwan, B., and L. K. Ainsworth (1992). A Guide to task analysis. Taylor & Francis, London.

Klinke A., and O. Renn (2001). Precautionary principle and discursive strategies: classifying and managing risk, Journal of Risk Research, 4 (2): 159-173.

Klinke, A., and O. Renn (2002). A new approach to risk evaluation and management: Risk-based, precaution-based, and discourse-based strategies, Risk analysis, 22, 1071-1094.

Langseth, H., and L. Portinale (2007). Bayesian networks in reliability, Reliability Engineering & System Safety, 92, 1, 92-108.

Lindqvist, B.G., P.A Malmqvist, and M. Stenberg (1987). Riskhantering i VA-system med tillämpning i Linköping, Gothenburg, Consulting report, VIAK.

Maganga, F. P., J. A. Butterworth, and P. Moriarty (2002). Domestic water supply, competition for water resources and IWRM in Tanzania: A review and discussion paper, Physics and Chemistry of the Earth, 27, 919-926.


Mattilsynet (2006). Økt sikkerhet og beredskap i vannforsyningen - Veiledning (Improved safety and emergency preparedness in water supply - Guidance), In Norwegian, Oslo.

Melchers, R.E. (2001). On the ALARP approach to risk management. Reliability Engineering and System Safety, 71(2001): 201-208.

Ministry of Health (2005a). The Drinking Water Standards for New Zealand (DWSNZ).

Ministry of Health (2005b). Guidelines for Public Health Risk Management Plan (PHRMP).

Nakamura, T. (2003). Ecosystem-based River Basin Management: Its approach and policy-level application, Hydrological Processes, 17, 2711-2725.

National Research Council (1997). Valuing Ground Water. Economic Concepts and Approaches. National Academy Press: Washington DC.

NHMRC/NRMMC (2004). Australian Drinking Water Guidelines, National Health and Medical Research Council/Natural Resource Management Ministerial Council.

Nolan, D. P. (1994). Application of HAZOP and What-If safety reviews to the petroleum, petrochemical and chemical industries. William Andrew Publishing/Noyes, New Jersey.

NORSOK (2001). NORSOK Standard Z-013. Risk and Emergency Preparedness Analysis.

Ostfeld, A., and E. Salomons (2005). Securing Water Distribution Systems Using Online Contamination Monitoring, Journal of Water Resources Planning and Management, 131, 402-405.

Owen, A. J., J. S. Colbourne, C. R. I. Clayton, and C. Fife-Schaw (1999). Risk communication of hazardous processes associated with drinking water quality - a mental models approach to customer perception, Part 1 - a methodology, Water Science and Technology, 39, 183-188.

Rausand, M., and A. Høyland (2004). System reliability theory: models, statistical methods, and applications. Wiley-Interscience, Hoboken, N.J.

Renn, O. (1998). The role of risk perception for risk management, Reliability Engineering and System Safety, 59, 49-62.

Rizak, S., D. Cunliffe, M. Sinclair, R. Vulcano, J. Howard, S. Hrudey, and P. Callan (2003). Drinking water quality management: A holistic approach, Water Science and Technology, 47, 31-36.

Rosén, L., and J. Friberg (2003). Impact on water quality from waterfront cattle pasture - case study river Göta älv, Gothenburg, VA-Forsk Report 2003-36, In Swedish, Svenskt Vatten.

Rosén, L., and K. Steier (2006). Risk assessment of water quantity, Gothenburg, In Swedish, Consulting report SWECO VIAK.


Rosén, L., T. Söderqvist, Å. Soutukorva, P-E. Back, L. Grahn, and H. Eklund, (2006). Risk valuation in selection of remedial strategies. Description of methods and examples (summary in English). Report 5537, Swedish Environmental Protection Agency, Stockholm.

Røstum, J. (2001). Sikkerhet og pålitelighet i vannforsyning. Dokumentasjon for Aquarel, Trondheim, SINTEF.

SDWA (1996). Amdendments to the Safe Drinking Water Act, Public Law 104-182 104th Congress.

Sinclair, M., and S. Rizak (2004). Drinking-water Quality Management: The Australian Framework, Journal of Toxicology & Environmental Health: Part A, 67, 1567-1580.

Sklet, S. (2006). Safety barriers: Definition, classification, and performance, Journal of Loss Prevention in the Process Industries 19 (494-506).

Slovic, P. (2001). The risk game, Journal of Hazardous Materials, 86, 17-24.

Smith, A. (2005). Capital maintenance: a good practice guide. Leading Edge Asset Decisions Assessment (LEADA). Water Asset Management International, 15, 1.1 - MARCH 2005.

SRSA (Swedish Rescue Services Agency) (2003), Handbook for Risk Analysis. In Swedish. Karlstad, Sweden.

Stallen, P., R. Geerts, and H. K. Vrijling (1996). Three conceptions of quantified societal risk. Risk analysis, 16: 635-644.

Sturm, S., C. Baus, J. Kiefer, D. Kirchner, C. Niewerschg, and T. Wintgens (2006). Risk assessment practice at German water utilities. RWT Aachen & TZW Karlsruhe, Paper_TZW_RWTH_061009.doc.

Sturm, S. (2006). Hazard Identification & Risk Assessment in Source Waters, Contributions for discussion WA4 meeting Göteborg March 2006.

SVGW (2003). Guidelines for simple quality assurance system for water supplies (the first edition in 1997, the second in 2003).

Swedish EPA (1997). Economic valuation of the environment (in Swedish). Report 4827, Swedish Environmental Protection Agency, Stockholm.

SWWA (Swedish Water and Wastewater Association) (2005). Drinking water: Production and Distribution – Handbook on surveillance including HACCP, (In Swedish).

TECHNEAU (2005). Technology enabled universal access to safe water (TECHNEAU). Annex I: Description of work. Proposal/Contract no.: 018320-02. EU Sixth Framework programme.

United Nations (1992). Agenda 21, The United Nations Conference on Environment and Development held in Rio de Janerio, Brazil.

U.K. HM Treasury (2003). The Green Book. Appraisal and Evaluation in Central Government. Treasury Guidance.

US EPA (2000). Guidelines for Preparing Economic Analyses. EPA 240-R-00-003.


US EPA (1989). Risk assessment Guidance for Superfund. Vol. I Human Health Evaluation Manual (Part A).

US EPA (1997). State Source Water Assessment and Protection Programs - Final Guidance, EPA 816-R-97-009.

USDOE (United States Department of Energy) (2004). DOE Handbook chemical process hazard analysis, DOE-HDBK-1100-2004, U.S. Department of Energy, Washington D.C.

Vatn, J. (2004). Risk analysis, ROSS (NTNU) 20040x, Norwegian University of Science and Technology, Trondheim.

Westrell, T. (2004). Microbial risk assessment and its implications for risk management in urban water systems, 1. ed., vi, 84 s. pp., Univ., Linköping.

Westrell, T., O. Bergstedt, T. A. Stenström, and N. J. Ashbolt (2003). A theoretical approach to assess microbial risk due to failures in drinking water systems. Int. Journal of Environmental Health Research, 13 (2), 181-197.

WHO (2000). Evaluation and Use of Epidemiological Evidence for Environmental Health Risk Assessment, Copenhagen, Guideline Document. World Health Organization, Regional Office for Europe.

WHO (2004). Guidelines for Drinking-water Quality Third Edition Volume 1 Recommendations, World health Organization, Geneva.

WHO (2005). Water Safety Plans – Managing drinking-water quality from catchment to consumer, World health Organization, Geneva.

Wirth, N., and A. J. Siebert (2000). Identifying and evaluation hazards, Pollution Engineering, 32, 13, 38-40.


Appendix A

As part of the work in W.P. 4.2, different risk analysis methods suitable for application within the field of water supply have been identified. The methods are listed in Table 9. Structure of the table:

- Top level approaches/strategies - Methods for hazard identification - Methods for risk estimation

Table 9. Overview of methods for risk analyses.

Areas of application No. Name of method Ref. Appli-

cation Source water

Treatment Distri-bution

Section

Top level approaches / strategies 1 (IWA, 2004) Today X X X

The Bonn Charter Possible X X X 3.1.1

2 Today X X X

Hazard Analysis and Critical Control Point (HACCP)

(Codex, 2003; Dewettinck, 2001; Havelaar, 1994)

Possible X X X 3.1.2

3 (WHO, 2004) Today X X X

Water Safety Plan (WSP) Possible X X X 3.1.3

4 (EC, 2000b) Today X X X

The Water Framework Directive (WFD) Possible X X X 3.1.4

5 Today X

Integrated Water Resources Management (IWRM)

(Agarwal et al., 2000; Maganga et al., 2002)

Possible X 3.1.5

6 (CCME, 2004) Today X X X

The Multi-Barrier Approach Possible X X X 3.2.3

7 Sklet (2006) Today X X

Bow-Tie Approach and barriers Possible X X X 5.4.11

Methods for hazard identification 8 Today X X X

Hazard Identification (HAZID)

(IEC, 1995; USDOE, 2004) Possible X X X 5.3.1

9 (Nolan, 1994) Today X

What-If Analysis Possible X X X 5.3.1

10 Today X

Hazard and Operability Studies (HAZOP)

(Nolan, 1994; Wirth, N. & Siebert, A.J., 2000)


Methods for risk estimation (causal and consequence modelling) 11 (IEC, 1995) Today X X X

Preliminary Hazard Analysis (PHA) Possible X X X 5.4.1

12 Today X X X

Risk and Vulnerability Analysis (RVA)

(Mattilsynet, 2006) Possible X X X 5.4.1


Areas of application No. Name of method Ref. Appli-

cation Source water

Treatment Distri-bution

Section

13 Today X

Failure Mode, Effect and Criticality Analysis (FMECA)

(Rausand & Høyland, 2004; Wirth, N. & Siebert, A.J., 2000)

Possible X X 5.4.2

14 Today X X X

Fault Tree Analysis (FTA) (Rausand & Høyland, 2004; Lindqvist et al., 1987; Rosén & Steier, 2006; Wirth, N & Siebert, A.J., 2000)


15 Today X X X

Reliability Block Diagram (RBD)

(Rausand & Høyland, 2004) Possible X X X 5.4.4

16 Today X X X

Event Tree Analysis (ETA)

(Rausand & Høyland, 2004; Rosén & Friberg, 2003)


17 Task Analysis Today

(Kirwan & Ainsworth, 1992) Possible X 5.4.6

18 Today

Human Reliability Analysis (HRA)

(Kirwan, 1994) Possible X 5.4.6

19 Today X X X

Physical models (e.g., EPANET, CARE-W)

http://www.epa.gov; http://care-w.unife.it/


20 (US EPA, 1989) Today X X X

Health Risk Assessment/ Quantitative Chemical Risk Assessment (QCRA)


21 (WHO, 2000) Today X

Health Impact Assessment Possible X 5.4.9

22 Today X X X

Quantitative Microbial Risk Assessment (QMRA)

(Fewtrell & Bartram, 2001; Westrell et al, 2003; Westrell, 2004; Rosén & Friberg, 2003; WHO 2004; Åström et al 2006)


23 Markov models Today

(Rausand & Høyland, 2004) Possible X X 5.4.12.1

24 Today

Risk Influence Diagrams/ Bayesian Belief Networks

(Jensen 2001, Langseth & Portinale, 2007)

Possible X X X 5.4.12.2

25 Today

Monte Carlo simulation (Rausand & Høyland, 2004) Possible X X X 5.4.12.3

Documents

Generic Framework and Methods for Integrated Risk Management in