Safety and Security Engineering 265

ARAMIS Project: an integrated

risk assessment methodology that
answers the needs of various stakeholders
B. Debray & O. Salvi
INERIS, Direction des Risques Accidentels, France

Abstract
The ARAMIS European project started in January 2002. Its overall objective
was to build up a new Accidental Risk Assessment Methodology for IndustrieS
that combined the strengths of both deterministic and risk-based approaches. It
was co-funded under the 5th EC Framework Programme and involved 15 partners
from 10 European countries. Three years after, the objective is reached and the
methodology is ready to be used. This paper intends to give a very general
description of it and, above all, to show how it answers the needs of various
stakeholders concerned by the safety of industrial plants.
ARAMIS is divided into six major steps, which will be described shortly in
this paper. They are detailed in several papers presented in the same SAFE 2005
conference by the main partners of the project.
The potential end users of ARAMIS are mainly the industry, the competent
authorities and the local authorities. If all of them have an interest in the same
risk management process, their needs are slightly different. Their expectations
are detailed and the way ARAMIS brings an answer is explained in this paper.
Keywords: risk analysis, risk assessment, SEVESO, land use planning, risk
reduction, safety barriers, safety culture, safety management, vulnerability, risk
severity.

1 Introduction
Some recent technological disasters like Enschede (2000), Toulouse (2001) or
Lagos (2002) have led the public to wonder or even mistrust both the industry
and the regulatory authorities in their risk-informed decisions. The communities
want now to be informed and require more transparent decision-making

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
266 Safety and Security Engineering

processes. Risk-based decisions of course require some reliable scientific input

from risk analyses. But from one risk analyst to the next, noteworthy variation
exists in the results, which would affect any relevant and local decision
(ASSURANCE project, [1]). That is why emerged the need for a methodology
giving consistent rules to select accident scenarios and taking into account safety
management effectiveness for risk control demonstration. In the context of
Seveso II directive, there was also an underlying need for a method that could
reach a consensus among risk experts throughout Europe.
ARAMIS overall objective was to build up a new Accidental Risk
Assessment Methodology for IndustrieS that combines the strengths of both
deterministic and risk-based approaches. Co-funded under the 5th EC
Framework Programme, this three-year project started in January 2002. Three
years later, the basic methodology is achieved and aims at becoming a supportive
tool to speed up the harmonised implementation of SEVESO II Directive in
Europe. This paper summarises the major features of the methodology and
shows how the needs of ARAMIS potential users are addressed.

2 Needs of potential ARAMIS users

The potential end users of ARAMIS are numerous but the most concerned are
the industry, the competent authorities and the local authorities. If all of them
have an interest in the same risk management process, their needs are slightly
different. Plant operators need a method to identify, assess and reduce the risk.
This method has to be accepted by the competent authorities. This method also
has to bring useful information about the ways to reduce the risk and to manage
it daily.
The competent authorities need to be able to assess the safety level of the
plant, particularly through the safety report. They need to know why scenarios
have been kept for modelling of consequences. Both need to assess the influence
of the management on the safety level.
The plant operator has to improve its management to reduce the risk and the
competent authority to assess a true risk level which takes into account this
major influencing factor. About 80% of the major accidents have causes related
with human and organisational factors, which is a sufficient reason to take these
aspects specifically into account.
The local authorities are interested in land use planning issues. They need a
clear view about the risks or hazards the population actually faces. They also
want to get information that can be used in decision processes, which now often
involve the population. Basically, their capacity is about reducing vulnerability
either by limiting the number of targets exposed to the risk or by introducing
barriers between the source and these targets. They also need to trust the plant
operator and competent authorities when they propose risk or consequence-based
contours from scenarios.
The aim of ARAMIS is to answer all these needs. It is also to make the
convergence between the deterministic and the probabilistic approaches and to

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
 Safety and Security Engineering 267

resolve some difficulties inherent to each of them [2]. As far as the deterministic
approach is concerned, the limit deals with the difficulty to justify the choices of
the reference scenarios used for land-use planning decisions. For the
probabilistic approach, the difficulty resides both in producing the probability
data and in interpreting the results to take appropriate decisions. ARAMIS does
not completely solve these difficulties but furnishes the tools and the structure to
improve decision-making. It also provides a framework for the definition of
further research programs as discussed in the last paragraph.

3 Main features of the ARAMIS methodology

ARAMIS is divided into six major steps (figure 1 and 2).
1. Identification of the major accident hazards (MIMAH)
2. Definition and evaluation of safety systems
3. Assessment of the management efficiency
4. Definition of the reference accident scenarios (MIRAS)
5. Risk severity mapping from the set of Reference Accident Scenarios
6. Vulnerability mapping of the plant’s surroundings
A last step involves the crossing of this information for decision making.

3.1 Identification of the major accident hazards (MIMAH)

MIMAH [3] is the method for the identification of major accident hazards. It is
based mainly on the use of bow-tie diagrams composed of a fault tree and an
event tree. These turned out to be a very powerful tool to communicate on risks,
in particular towards non-technicians (managers, politicians, etc.). The major
input of ARAMIS was to define a precise bow tie structure and to define
precisely and exhaustively the list of equipment, potential critical events and
their consequences. The critical events were defined to be either losses of
containment for fluids or losses of physical integrity for solids. The complete list
contains twelve critical events including breach, collapse, explosion, etc.
From a description of the plant including the chemical substances used,
produced or stored, it is possible from MIMAH to list all the critical events
susceptible to occur in the plant. For each of these critical events, MIMAH
allows to identify all their consequences in terms of secondary events and
dangerous phenomena.
Then, MIMAH provides the user with a set of generic fault trees, which are
based on the most frequently observed causes. From these generic fault trees, the
user will build specific fault trees that take into account the specificity of the
studied plant: types of process used, presence of equipment, etc.
The specific fault trees are obtained mainly by the suppression of causes and
consequences which are not relevant to the context without any consideration on
probability at this stage. It is important to notice that both the fault and event
trees are considered without safety barriers, which will be defined in the next

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
268 Safety and Security Engineering

step of the method. This has the advantage to make an explicit distinction
between hazard and risk. This first step allows the identification of hazards. The
next one aims at identifying the risks which result from the hazard scenarios and
the failure of safety barriers.

Identify all hazardous equipments

MIMAH
Select pertinent hazardous equipments

Associate CE to each equipment

Build fault trees Build event trees

Build bow ties

Identify safety barriers

Propose new
Define the level of confidence of safety barriers
barriers

Set a risk
Estimate the risk reduction
reduction goal

Classify the barriers

Select the barriers for audit

Audit delivery systems Audit safety culture

Calculate operational LC

Management &
Safety Culture Estimate risk reduction

Establish the complete set of scenarios

To next steps

Figure 1: First steps of the ARAMIS methodology.

3.2 An alternative to classical probabilistic approaches

Classical risk analysis methods propose to assess the probability of major

accident and to decide from this evaluation whether the risk is acceptable or not.

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
 Safety and Security Engineering 269

From previous steps

Collect data about frequencies MIRAS

Estimate frequencies of CE Calculate frequencies of

from generic data CE from the fault trees

Calculate frequencies of Estimate the class of

Dangerous phenomena consequences of the DP

Use risk matrix to define the RAS

Severity Vulnerability
Define the study area

Calculate the consequences of the RAS Divide the study area into meshes

Calculate severity for each CE and each Identify the targets

DP for each mesh

Quantify the targets

Aggregate all the severities into a
global severity index for each mesh
Calculate the vulnerability for
each mesh

Draw the severity map

Draw the vulnerability map

Figure 2: Last steps of the ARAMIS Methodology.

But, during the ARAMIS project, this calculation of the probability was
shown not to be an easy task. An inventory of the probabilistic data sources was
carried out and showed that many of the available data are not adequate for the
tools developed in the first steps of the methodology. Only very generic
frequency ranges could be obtained for causes of the critical events, which
hindered the possibility to rely solely on the probability of events.
However, one main objective of ARAMIS was to valorise through contextual
frequency data the efforts made by the operators both in prevention and
mitigation.
An alternative method was developed, which focuses on generic values for
safety systems and clear guidelines to lower the final frequency of identified

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
270 Safety and Security Engineering

scenarios. First, it aims at helping the user with the definition of the safety
requirements applying to the plant. Then, the method helps the user to define the
safety barriers [4] by promoting the concept of safety function and by providing
different possible strategies of barrier implementation for a given safety function.

3.3 Defining the safety requirements

As it can be understood from the previous paragraph, the definition of the safety
requirements is a keystone of the ARAMIS methodology. The proposed method
is inspired by the IEC 61508 standard [5]. The idea is to guide the user in the
identification of the risk reduction goals that should be associated with different
scenarios. This approach has a triple interest. It helps the user improving the
management of risks by defining clear targets. It helps the competent authorities
checking the risk reduction measures. It provides an evaluation of the residual
risks. The way it was built also reduces the stress put on the quality of
probability values.

10-3/year
<<Unacceptable risk>>
10-4/year
10-5/year
<<Residual risk>>
10-6/year
10-7/year
<<Negligible risk>>
10-8/year
10-9/year

C1 C2 C3 C4
Figure 3: Risk matrix used to rank the dangerous phenomena and to select
the Reference Accident scenarios for the risk severity mapping.

Once this work carried out in risk analysis, the resulting dangerous
phenomena can be ranked according to their classes of probability and
consequences. A Risk Matrix such as the one shown in figure 3 is used for this
purpose. The middle zone highlights the scenarios that can be selected for
quantitative modelling then risk severity mapping. These are called Reference
Accident Scenarios (RAS).
Allocating risk reduction objectives and evaluating explicitly the performance
of each safety barrier is a very fruitful work to be performed in risk analysis,
especially for the operators. It allows for the direct discussion of the safety
strategies onsite through the architecture and implementation of barriers. The
levels of frequency derived from the SIL principles also allow to use quantified
data when these exist but also qualitative estimation from working group when
no data is available. This allows a maximum flexibility but requires anyway at

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
 Safety and Security Engineering 271

some stage a consensus about the initiating event frequencies and levels of
confidence of barriers in order to ensure a minimum variability in the resulting
evaluation of scenario frequencies.

3.4 Assessing the influence of safety management and safety culture

The safety management has a strong influence on the capacity to control the risk.
Here again, the interest of ARAMIS is to provide tools to assess the safety
management system (SMS) and the safety culture and to take them into account
to help the operators identify the opportunities for improvement. The approach in
ARAMIS [6] consists in devising a process-oriented audit protocol focusing on
the activities relating to the life cycle of the safety barriers including design,
installation, use, maintenance and improvement activities. For each, ten
important structural elements are evaluated as requirements for the SMS. The
outcomes of the audit are then combined with the results of a safety climate
questionnaire collected from employees in order to get a contextual level of
confidence, in particular regarding behavioural barriers. The questionnaire is
made up of eight cultural factors that characterise a company’s safety culture.
• learning and willingness to report • felt responsibility
• safety prioritisation, rules and • trust and fairness
compliance
• leadership involvement and • work team atmosphere and
commitment support
• risk and human performance • motivation, influence and
limitation perception involvement
From the previous step, each type of barrier was given a generic level of
confidence indexed on its probability of failure on demand. These indicative
values require then to be adjusted from the local context where they are
implemented and maintained. For instance for a behavioural barrier, the generic
confidence in the barrier is adjusted depending on whether the operator knows
the stakes of his actions, or his decisions require complex diagnosis, conflict
with production. The aim of the project was also to aggregate the results from the
auditing and questionnaires into a final score for adjusting –possibly lowering-
the generic values into contextual ones.
This link and the whole scoring process were obviously an ambitious goal and
still needs to be worked out. The case studies already helped getting some
benchmark between different types of management and enabled eventually to
propose a set of “minimum requirements” for both the culture and management
system in order to anchor a first scoring scale. This remains however an
important area of research.

3.5 Risk severity assessment and mapping

Each reference accident scenario (RAS) is defined by an initiating event that

leads to a critical event, which can potentially lead to different dangerous
phenomena. For each phenomenon, a severity index SDP has been defined [7] in a

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
272 Safety and Security Engineering

single scale ranging from 0 to 100 according to its intensity which varies with
the distance from the plant.
For each RAS the risk severity is defined for one scenario as the combination
of the probability of the phenomena with their specific severity SDPi. Risk
severity can be represented for each scenario in a geographical way, as a function
SRAS(d) of the distance from the source term.
A final mapping of risk severity considering all RAS is then obtained by
multiplying the frequency of each RAS with its specific risk severity index.
Risk severity mapping as it is defined provides an innovative way to
aggregate the information for a decision-maker to elaborate relative priorities for
land-use or emergency planning purposes. However, the range of values
obtained with such an approach still requires to be interpreted and the decision
making process to be adapted to this new approach.

3.6 Assessing the vulnerability

The last innovative attempt from ARAMIS is to address the vulnerability of the
environment independently of the hazardous site [8]. This has the fundamental
interest of allowing the local authorities to take useful decisions to reduce the
global risk level by reducing the vulnerability whereas the plant operator only
can act on the potential hazard or risk of the installation.

Figure 4: Human vulnerability map (right) obtained from the land cover
information (left).

The vulnerability is calculated on the basis of a multicriteria decision-aiding

approach. With the development of new ways of governance involving local
population in risk-informed decisions, the main interest of this approach is to
base the vulnerability study on stakeholder risk perception through expert
judgement elicitation. On a given spot of the environment, the vulnerability is
thus characterised by the number of potential targets and their relative
vulnerability to different phenomena. The global vulnerability is a linear
combination of each target vulnerability to each type of effect for the various
types of impact.

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
 Safety and Security Engineering 273

The application of the methodology has generated a questionnaire that can be

used or adapted very locally to elicit from any stakeholder judgement their own
perception of vulnerability.
The equations have been then interfaced to GIS (Geographical Information
System) tools for easiness of target inventory and quantification. The GIS allow a
very quick mapping of the vulnerability (figure 4).

4 Research issues emerging from the ARAMIS project

ARAMIS methodology, is the result of a voluntary step towards a harmonised
approach of risk analysis for SEVESO II industrial sites. ARAMIS has
succeeded to solve some of the difficulties encountered with traditional
approaches by providing practical tools in an integrated methodology. But the
ARAMIS project already points out the need for additional research effort in a
series of specific fields.
The first of them is linked to the difficulty to find reliable data for the
calculation of accident probabilities. Even if the solution proposed in ARAMIS,
the barrier approach, reduces the consequences of such a lack, a lot could be
done by unifying the efforts of the industry and research institutions to build
accessible databases containing useful information that would be complementary
to traditional reliability databases.
The quantification of the influence of management on the probability of
accidents is a second question, and ARAMIS provides the adequate framework
for such an evolution.
A third field of research relates to the evaluation of vulnerabilities. ARAMIS
already proposes an interesting definition of vulnerability and a set of screening
tools to build vulnerability maps. A next step is to provide more detailed tools to
help decision-makers identifying what can be done to reduce the vulnerability of
the plant’s surroundings.
Another question was raised by the definition of the risk severity index,
which implies to be able to compare different types of effects among them. The
project highlights the problem of discrepancies on effect thresholds between the
countries.
These research topics have to be addressed in future projects that could be
proposed as a follow up of the ARAMIS project.

5 Conclusion
The ARAMIS methodology was briefly described in this paper. It aims at
offering an alternative way to the traditional risk-based and consequence-based
methodologies for risk analysis by providing a series of integrated tools. These
were designed to answer the specific needs of potential ARAMIS users who are
industry, competent authorities and the local authorities. They were also
elaborated to solve some of the difficulties raised by the lack of reliable data,
namely concerning the accident frequencies. By promoting the barrier approach,
ARAMIS helps the users defining the safety requirements, which apply to a

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
274 Safety and Security Engineering

plant, and therefore helps the competent authorities verifying the explicit control
of risk by the operator. This approach also enables an easy and explicit
identification of the reference accident scenarios, making the communication
between the stakeholders easier or at least more straightforward and structured.
The same applies to the approaches of the severity and the vulnerability, which
are exploited through a clearly understandable spatial representation.
Eventually, ARAMIS also sets the framework and the objectives of future
research on diverse specific fields among which are the production of reliable
accident frequency data, the quantification of the influence of management on
the accident probability, the vulnerability reduction options or the effect
threshold definition.

Acknowledgements
The work presented in this paper has been elaborated in the frame of the EU
project ARAMIS “Accidental Risk Assessment Methodology for IndustrieS”,
co-ordinated by INERIS (F) and including EC-JRC-IPSC-MAHB (I), Faculté
Polytechnique de Mons (B), Universitat Politècnica de Catalunya (E),
ARMINES (F), Risø National Laboratory (D), Universita di Roma (I), Central
Mining Institute (PL), Delft University of Technology (NL), European Process
Safety Centre (UK), École des Mines de Paris (F), École des Mines de Saint
Etienne (F), École des Mines d’Alès (F), Technical University of Ostrava (CZ)
and Jozef Stefan Institute (Si). The project is co-funded under the Energy,
Environment and Sustainable Development Programme in the 5th Framework
Programme for Science Research and Technological Development of the
European Commission.

References
[1] Hourtolou, D. 2002. ASSURANCE – Assessment of the Uncertainties in
Risk ANalysis of Chemical Establishments. E.C. Project ENV4-CT97-0627.
Rapport final opération a DRA-07. Ref. INERIS-DHo- 2002-26824
[2] C. Kirchsteiger, On the use of probabilistic and deterministic methods in risk
analysis, Journal of Loss Prevention in the Process Industries 12 (1999) 399–
419
[3] Ch. Delvosalle, C. Fiévez, A. Pipart, H. Londiche, B. Debray, E. Hubert,
Aramis Project: Effect of safety systems on the definition of reference
accident scenarios in SEVESO establishments, LP2004
[4] B. Debray, C. Delvosalle, C. Fiévez, A. Pipart, H. Londiche, E. Hubert,
Defining safety functions and safety barriers from fault and event trees
analysis of major industrial hazards, PSAM7-ESREL2004 conference,
Berlin, June 2004.
[5] IEC. 1998. IEC 61508, Functional safety of electrical, electronic and
programmable electronic safety-related systems, parts 1-7. International
Electrotechnical Commission, Geneva.

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)
 Safety and Security Engineering 275

[6] N. J. Duijm, M. Madsen, H. B. Andersen, L. Goossens, A. Hale, D.

Hourtolou, ARAMIS project: Effect of safety management’s structural and
cultural factors on barrier performance, LP2004
[7] E. Planas, J. Casal, ARAMIS project: application of the severity index,
Proceedings of the LP2004, Loss prevention conference, Prague, May-June
2004.
[8] J. Tixier, A. Dandrieux, G. Dusserre, R. Bubbico, L. G. Luccone, B.
Mazzarotta, B. Silvetti, E. Hubert, Vulnerability of the environment in the
proximity of an industrial site, LP2004

WIT Transactions on The Built Environment, Vol 82, © 2005 WIT Press
www.witpress.com, ISSN 1743-3509 (on-line)