Sie sind auf Seite 1von 3512



Safety, Reliability and Risk Analysis:

Theory, Methods and Applications

Sebastián Martorell
Department of Chemical and Nuclear Engineering,
Universidad Politécnica de Valencia, Spain

C. Guedes Soares
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal

Julie Barnett
Department of Psychology, University of Surrey, UK

Cover picture designed by Centro de Formación Permanente - Universidad Politécnica de Valencia

CRC Press/Balkema is an imprint of the Taylor & Francis Group, an informa business

© 2009 Taylor & Francis Group, London, UK

Typeset by Vikatan Publishing Solutions (P) Ltd., Chennai, India

Printed and bound in Great Britain by Antony Rowe (A CPI-group Company), Chippenham, Wiltshire.

All rights reserved. No part of this publication or the information contained herein may be reproduced, stored
in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, by photocopying,
recording or otherwise, without written prior permission from the publisher.

Although all care is taken to ensure integrity and the quality of this publication and the information herein, no
responsibility is assumed by the publishers nor the author for any damage to the property or persons as a result
of operation or use of this publication and/or the information contained herein.

Published by: CRC Press/Balkema

P.O. Box 447, 2300 AK Leiden, The Netherlands
e-mail: – –

ISBN: 978-0-415-48513-5 (set of 4 volumes + CD-ROM)

ISBN: 978-0-415-48514-2 (vol 1)
ISBN: 978-0-415-48515-9 (vol 2)
ISBN: 978-0-415-48516-6 (vol 3)
ISBN: 978-0-415-48792-4 (vol 4)
ISBN: 978-0-203-88297-9 (e-book)
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Table of contents

Preface XXIV
Organization XXXI
Acknowledgment XXXV
Introduction XXXVII


Thematic areas
Accident and incident investigation
A code for the simulation of human failure events in nuclear power plants: SIMPROC 3
J. Gil, J. Esperón, L. Gamo, I. Fernández, P. González, J. Moreno, A. Expósito,
C. Queral, G. Rodríguez & J. Hortal
A preliminary analysis of the ‘Tlahuac’ incident by applying the MORT technique 11
J.R. Santos-Reyes, S. Olmos-Peña & L.M. Hernández-Simón
Comparing a multi-linear (STEP) and systemic (FRAM) method for accident analysis 19
I.A. Herrera & R. Woltjer
Development of a database for reporting and analysis of near misses in the Italian
chemical industry 27
R.V. Gagliardi & G. Astarita
Development of incident report analysis system based on m-SHEL ontology 33
Y. Asada, T. Kanno & K. Furuta
Forklifts overturn incidents and prevention in Taiwan 39
K.Y. Chen, S.-H. Wu & C.-M. Shu
Formal modelling of incidents and accidents as a means for enriching training material
for satellite control operations 45
S. Basnyat, P. Palanque, R. Bernhaupt & E. Poupart
Hazard factors analysis in regional traffic records 57
M. Mlynczak & J. Sipa
Organizational analysis of availability: What are the lessons for a high risk industrial company? 63
M. Voirin, S. Pierlot & Y. Dien
Thermal explosion analysis of methyl ethyl ketone peroxide by non-isothermal
and isothermal calorimetry application 71
S.H. Wu, J.M. Tseng & C.M. Shu

Crisis and emergency management
A mathematical model for risk analysis of disaster chains 79
A. Xuewei Ji, B. Wenguo Weng & Pan Li
Effective learning from emergency responses 83
K. Eriksson & J. Borell
On the constructive role of multi-criteria analysis in complex decision-making:
An application in radiological emergency management 89
C. Turcanu, B. Carlé, J. Paridaens & F. Hardeman

Decision support systems and software tools for safety and reliability
Complex, expert based multi-role assessment system for small and medium enterprises 99
S.G. Kovacs & M. Costescu
DETECT: A novel framework for the detection of attacks to critical infrastructures 105
F. Flammini, A. Gaglione, N. Mazzocca & C. Pragliola
Methodology and software platform for multi-layer causal modeling 113
K.M. Groth, C. Wang, D. Zhu & A. Mosleh
SCAIS (Simulation Code System for Integrated Safety Assessment): Current
status and applications 121
J.M. Izquierdo, J. Hortal, M. Sánchez, E. Meléndez, R. Herrero, J. Gil, L. Gamo,
I. Fernández, J. Esperón, P. González, C. Queral, A. Expósito & G. Rodríguez
Using GIS and multivariate analyses to visualize risk levels and spatial patterns
of severe accidents in the energy sector 129
P. Burgherr
Weak signals of potential accidents at ‘‘Seveso’’ establishments 137
P.A. Bragatto, P. Agnello, S. Ansaldi & P. Pittiglio

Dynamic reliability
A dynamic fault classification scheme 147
B. Fechner
Importance factors in dynamic reliability 155
R. Eymard, S. Mercier & M. Roussignol
TSD, a SCAIS suitable variant of the SDTPD 163
J.M. Izquierdo & I. Cañamón

Fault identification and diagnostics

Application of a vapour compression chiller lumped model for fault detection 175
J. Navarro-Esbrí, A. Real, D. Ginestar & S. Martorell
Automatic source code analysis of failure modes causing error propagation 183
S. Sarshar & R. Winther
Development of a prognostic tool to perform reliability analysis 191
M. El-Koujok, R. Gouriveau & N. Zerhouni
Fault detection and diagnosis in monitoring a hot dip galvanizing line using
multivariate statistical process control 201
J.C. García-Díaz
Fault identification, diagnosis and compensation of flatness errors in hard turning
of tool steels 205
F. Veiga, J. Fernández, E. Viles, M. Arizmendi, A. Gil & M.L. Penalva

From diagnosis to prognosis: A maintenance experience for an electric locomotive 211
O. Borgia, F. De Carlo & M. Tucci

Human factors
A study on the validity of R-TACOM measure by comparing operator response
time data 221
J. Park & W. Jung
An evaluation of the Enhanced Bayesian THERP method using simulator data 227
K. Bladh, J.-E. Holmberg & P. Pyy
Comparing CESA-Q human reliability analysis with evidence from simulator:
A first attempt 233
L. Podofillini & B. Reer
Exploratory and confirmatory analysis of the relationship between social norms
and safety behavior 243
C. Fugas, S.A. da Silva & J.L. Melià
Functional safety and layer of protection analysis with regard to human factors 249
K.T. Kosmowski
How employees’ use of information technology systems shape reliable operations
of large scale technological systems 259
T.K. Andersen, P. Næsje, H. Torvatn & K. Skarholt
Incorporating simulator evidence into HRA: Insights from the data analysis of the
international HRA empirical study 267
S. Massaiu, P.Ø. Braarud & M. Hildebrandt
Insights from the ‘‘HRA international empirical study’’: How to link data
and HRA with MERMOS 275
H. Pesme, P. Le Bot & P. Meyer
Operators’ response time estimation for a critical task using the fuzzy logic theory 281
M. Konstandinidou, Z. Nivolianitou, G. Simos, C. Kiranoudis & N. Markatos
The concept of organizational supportiveness 291
J. Nicholls, J. Harvey & G. Erdos
The influence of personal variables on changes in driver behaviour 299
S. Heslop, J. Harvey, N. Thorpe & C. Mulley
The key role of expert judgment in CO2 underground storage projects 305
C. Vivalda & L. Jammes

Integrated risk management and risk—informed decision-making

All-hazards risk framework—An architecture model 315
S. Verga
Comparisons and discussion of different integrated risk approaches 323
R. Steen & T. Aven
Management of risk caused by domino effect resulting from design
system dysfunctions 331
S. Sperandio, V. Robin & Ph. Girard
On some aspects related to the use of integrated risk analyses for the decision
making process, including its use in the non-nuclear applications 341
D. Serbanescu, A.L. Vetere Arellano & A. Colli
On the usage of weather derivatives in Austria—An empirical study 351
M. Bank & R. Wiesner

Precaution in practice? The case of nanomaterial industry 361
H. Kastenholz, A. Helland & M. Siegrist
Risk based maintenance prioritisation 365
G. Birkeland, S. Eisinger & T. Aven
Shifts in environmental health risk governance: An analytical framework 369
H.A.C. Runhaar, J.P. van der Sluijs & P.P.J. Driessen
What does ‘‘safety margin’’ really mean? 379
J. Hortal, R. Mendizábal & F. Pelayo

Legislative dimensions of risk management

Accidents, risk analysis and safety management—Different perspective at a
Swedish safety authority 391
O. Harrami, M. Strömgren, U. Postgård & R. All
Evaluation of risk and safety issues at the Swedish Rescue Services Agency 399
O. Harrami, U. Postgård & M. Strömgren
Regulation of information security and the impact on top management commitment—
A comparative study of the electric power supply sector and the finance sector 407
J.M. Hagen & E. Albrechtsen
The unintended consequences of risk regulation 415
B.H. MacGillivray, R.E. Alcock & J.S. Busby

Maintenance modelling and optimisation

A hybrid age-based maintenance policy for heterogeneous items 423
P.A. Scarf, C.A.V. Cavalcante, R.W. Dwight & P. Gordon
A stochastic process model for computing the cost of a condition-based maintenance plan 431
J.A.M. van der Weide, M.D. Pandey & J.M. van Noortwijk
A study about influence of uncertain distribution inputs in maintenance optimization 441
R. Mullor, S. Martorell, A. Sánchez & N. Martinez-Alzamora
Aging processes as a primary aspect of predicting reliability and life of aeronautical hardware 449
J. Żurek, M. Zieja, G. Kowalczyk & T. Niezgoda
An alternative imperfect preventive maintenance model 455
J. Clavareau & P.E. Labeau
An imperfect preventive maintenance model with dependent failure modes 463
I.T. Castro
Condition-based maintenance approaches for deteriorating system influenced
by environmental conditions 469
E. Deloux, B. Castanier & C. Bérenguer
Condition-based maintenance by particle filtering 477
F. Cadini, E. Zio & D. Avram
Corrective maintenance for aging air conditioning systems 483
I. Frenkel, L. Khvatskin & A. Lisnianski
Exact reliability quantification of highly reliable systems with maintenance 489
R. Briš
Genetic algorithm optimization of preventive maintenance scheduling for repairable
systems modeled by generalized renewal process 497
P.A.A. Garcia, M.C. Sant’Ana, V.C. Damaso & P.F. Frutuoso e Melo

Maintenance modelling integrating human and material resources 505
S. Martorell, M. Villamizar, A. Sánchez & G. Clemente
Modelling competing risks and opportunistic maintenance with expert judgement 515
T. Bedford & B.M. Alkali
Modelling different types of failure and residual life estimation for condition-based maintenance 523
M.J. Carr & W. Wang
Multi-component systems modeling for quantifying complex maintenance strategies 531
V. Zille, C. Bérenguer, A. Grall, A. Despujols & J. Lonchampt
Multiobjective optimization of redundancy allocation in systems with imperfect repairs via
ant colony and discrete event simulation 541
I.D. Lins & E. López Droguett
Non-homogeneous Markov reward model for aging multi-state system under corrective
maintenance 551
A. Lisnianski & I. Frenkel
On the modeling of ageing using Weibull models: Case studies 559
P. Praks, H. Fernandez Bacarizo & P.-E. Labeau
On-line condition-based maintenance for systems with several modes of degradation 567
A. Ponchet, M. Fouladirad & A. Grall
Opportunity-based age replacement for a system under two types of failures 575
F.G. Badía & M.D. Berrade
Optimal inspection intervals for maintainable equipment 581
O. Hryniewicz
Optimal periodic inspection of series systems with revealed and unrevealed failures 587
M. Carvalho, E. Nunes & J. Telhada
Optimal periodic inspection/replacement policy for deteriorating systems with explanatory
variables 593
X. Zhao, M. Fouladirad, C. Bérenguer & L. Bordes
Optimal replacement policy for components with general failure rates submitted to obsolescence 603
S. Mercier
Optimization of the maintenance function at a company 611
S. Adjabi, K. Adel-Aissanou & M. Azi
Planning and scheduling maintenance resources in a complex system 619
M. Newby & C. Barker
Preventive maintenance planning using prior expert knowledge and multicriteria method
F.A. Figueiredo, C.A.V. Cavalcante & A.T. de Almeida
Profitability assessment of outsourcing maintenance from the producer (big rotary machine study) 635
P. Fuchs & J. Zajicek
Simulated annealing method for the selective maintenance optimization of multi-mission
series-parallel systems 641
A. Khatab, D. Ait-Kadi & A. Artiba
Study on the availability of a k-out-of-N System given limited spares under (m, NG )
maintenance policy 649
T. Zhang, H.T. Lei & B. Guo
System value trajectories, maintenance, and its present value 659
K.B. Marais & J.H. Saleh

The maintenance management framework: A practical view to maintenance management 669
A. Crespo Márquez, P. Moreu de León, J.F. Gómez Fernández, C. Parra Márquez & V. González
Workplace occupation and equipment availability and utilization, in the context of maintenance
float systems 675
I.S. Lopes, A.F. Leitão & G.A.B. Pereira

Monte Carlo methods in system safety and reliability

Availability and reliability assessment of industrial complex systems: A practical view
applied on a bioethanol plant simulation 687
V. González, C. Parra, J.F. Gómez, A. Crespo & P. Moreu de León
Handling dependencies between variables with imprecise probabilistic models 697
S. Destercke & E. Chojnacki
Monte Carlo simulation for investigating the influence of maintenance strategies on the production
availability of offshore installations 703
K.P. Chang, D. Chang, T.J. Rhee & E. Zio
Reliability analysis of discrete multi-state systems by means of subset simulation 709
E. Zio & N. Pedroni
The application of Bayesian interpolation in Monte Carlo simulations 717
M. Rajabalinejad, P.H.A.J.M. van Gelder & N. van Erp

Occupational safety
Application of virtual reality technologies to improve occupational & industrial safety
in industrial processes 727
J. Rubio, B. Rubio, C. Vaquero, N. Galarza, A. Pelaz, J.L. Ipiña, D. Sagasti & L. Jordá
Applying the resilience concept in practice: A case study from the oil and gas industry 733
L. Hansson, I. Andrade Herrera, T. Kongsvik & G. Solberg
Development of an assessment tool to facilitate OHS management based upon the safe
place, safe person, safe systems framework 739
A.-M. Makin & C. Winder
Exploring knowledge translation in occupational health using the mental models approach:
A case study of machine shops 749
A.-M. Nicol & A.C. Hurrell
Mathematical modelling of risk factors concerning work-related traffic accidents 757
C. Santamaría, G. Rubio, B. García & E. Navarro
New performance indicators for the health and safety domain: A benchmarking use perspective 761
H.V. Neto, P.M. Arezes & S.D. Sousa
Occupational risk management for fall from height 767
O.N. Aneziris, M. Konstandinidou, I.A. Papazoglou, M. Mud, M. Damen, J. Kuiper, H. Baksteen,
L.J. Bellamy, J.G. Post & J. Oh
Occupational risk management for vapour/gas explosions 777
I.A. Papazoglou, O.N. Aneziris, M. Konstandinidou, M. Mud, M. Damen, J. Kuiper, A. Bloemhoff,
H. Baksteen, L.J. Bellamy, J.G. Post & J. Oh
Occupational risk of an aluminium industry 787
O.N. Aneziris, I.A. Papazoglou & O. Doudakmani
Risk regulation bureaucracies in EU accession states: Drinking water safety in Estonia 797
K. Kangur

Organization learning
Can organisational learning improve safety and resilience during changes? 805
S.O. Johnsen & S. Håbrekke
Consequence analysis as organizational development 813
B. Moltu, A. Jarl Ringstad & G. Guttormsen
Integrated operations and leadership—How virtual cooperation influences leadership practice 821
K. Skarholt, P. Næsje, V. Hepsø & A.S. Bye
Outsourcing maintenance in services providers 829
J.F. Gómez, C. Parra, V. González, A. Crespo & P. Moreu de León
Revising rules and reviving knowledge in the Norwegian railway system 839
H.C. Blakstad, R. Rosness & J. Hovden

Risk Management in systems: Learning to recognize and respond to weak signals 847
E. Guillaume
Author index 853


Reliability and safety data collection and analysis

A new step-stress Accelerated Life Testing approach: Step-Down-Stress 863
C. Zhang, Y. Wang, X. Chen & Y. Jiang
Application of a generalized lognormal distribution to engineering data fitting 869
J. Martín & C.J. Pérez
Collection and analysis of reliability data over the whole product lifetime of vehicles 875
T. Leopold & B. Bertsche
Comparison of phase-type distributions with mixed and additive Weibull models 881
M.C. Segovia & C. Guedes Soares
Evaluation methodology of industry equipment functional reliability 891
J. Kamenický
Evaluation of device reliability based on accelerated tests 899
E. Nogueira Díaz, M. Vázquez López & D. Rodríguez Cano
Evaluation, analysis and synthesis of multiple source information: An application to nuclear
computer codes 905
S. Destercke & E. Chojnacki
Improving reliability using new processes and methods 913
S.J. Park, S.D. Park & K.T. Jo
Life test applied to Brazilian friction-resistant low alloy-high strength steel rails 919
D.I. De Souza, A. Naked Haddad & D. Rocha Fonseca
Non-homogeneous Poisson Process (NHPP), stochastic model applied to evaluate the economic
impact of the failure in the Life Cycle Cost Analysis (LCCA) 929
C. Parra Márquez, A. Crespo Márquez, P. Moreu de León, J. Gómez Fernández & V. González Díaz
Risk trends, indicators and learning rates: A new case study of North sea oil and gas 941
R.B. Duffey & A.B. Skjerve
Robust estimation for an imperfect test and repair model using Gaussian mixtures 949
S.P. Wilson & S. Goyal

Risk and evidence based policy making
Environmental reliability as a requirement for defining environmental impact limits
in critical areas 957
E. Calixto & E. Lèbre La Rovere
Hazardous aid? The crowding-out effect of international charity 965
P.A. Raschky & M. Schwindt
Individual risk-taking and external effects—An empirical examination 973
S. Borsky & P.A. Raschky
Licensing a Biofuel plan transforming animal fats 981
J.-F. David
Modelling incident escalation in explosives storage 987
G. Hardman, T. Bedford, J. Quigley & L. Walls
The measurement and management of Deca-BDE—Why the continued certainty of uncertainty? 993
R.E. Alcock, B.H. McGillivray & J.S. Busby

Risk and hazard analysis

A contribution to accelerated testing implementation 1001
S. Hossein Mohammadian M., D. Aït-Kadi, A. Coulibaly & B. Mutel
A decomposition method to analyze complex fault trees 1009
S. Contini
A quantitative methodology for risk assessment of explosive atmospheres according to the
ATEX directive 1019
R. Lisi, M.F. Milazzo & G. Maschio
A risk theory based on hyperbolic parallel curves and risk assessment in time 1027
N. Popoviciu & F. Baicu
Accident occurrence evaluation of phased-mission systems composed of components
with multiple failure modes 1035
T. Kohda
Added value in fault tree analyses 1041
T. Norberg, L. Rosén & A. Lindhe
Alarm prioritization at plant design stage—A simplified approach 1049
P. Barbarini, G. Franzoni & E. Kulot
Analysis of possibilities of timing dependencies modeling—Example of logistic support system 1055
J. Magott, T. Nowakowski, P. Skrobanek & S. Werbinska
Applications of supply process reliability model 1065
A. Jodejko & T. Nowakowski
Applying optimization criteria to risk analysis 1073
H. Medina, J. Arnaldos & J. Casal
Chemical risk assessment for inspection teams during CTBT on-site inspections of sites
potentially contaminated with industrial chemicals 1081
G. Malich & C. Winder
Comparison of different methodologies to estimate the evacuation radius in the case
of a toxic release 1089
M.I. Montoya & E. Planas
Conceptualizing and managing risk networks. New insights for risk management 1097
R.W. Schröder

Developments in fault tree techniques and importance measures 1103
J.K. Vaurio
Dutch registration of risk situations 1113
J.P. van’t Sant, H.J. Manuel & A. van den Berg
Experimental study of jet fires 1119
M. Gómez-Mares, A. Palacios, A. Peiretti, M. Muñoz & J. Casal
Failure mode and effect analysis algorithm for tunneling projects 1125
K. Rezaie, V. Ebrahimipour & S. Shokravi
Fuzzy FMEA: A study case on a discontinuous distillation plant 1129
S.S. Rivera & J.E. Núñez Mc Leod
Risk analysis in extreme environmental conditions for Aconcagua Mountain station 1135
J.E. Núñez Mc Leod & S.S. Rivera
Geographic information system for evaluation of technical condition and residual life of pipelines 1141
P. Yukhymets, R. Spitsa & S. Kobelsky
Inherent safety indices for the design of layout plans 1147
A. Tugnoli, V. Cozzani, F.I. Khan & P.R. Amyotte
Minmax defense strategy for multi-state systems 1157
G. Levitin & K. Hausken
Multicriteria risk assessment for risk ranking of natural gas pipelines 1165
A.J. de M. Brito, C.A.V. Cavalcante, R.J.P. Ferreira & A.T. de Almeida
New insight into PFDavg and PFH 1173
F. Innal, Y. Dutuit, A. Rauzy & J.-P. Signoret
On causes and dependencies of errors in human and organizational barriers against major
accidents 1181
J.E. Vinnem
Quantitative risk analysis method for warehouses with packaged hazardous materials 1191
D. Riedstra, G.M.H. Laheij & A.A.C. van Vliet
Ranking the attractiveness of industrial plants to external acts of interference 1199
M. Sabatini, S. Zanelli, S. Ganapini, S. Bonvicini & V. Cozzani
Review and discussion of uncertainty taxonomies used in risk analysis 1207
T.E. Nøkland & T. Aven
Risk analysis in the frame of the ATEX Directive and the preparation of an Explosion Protection
Document 1217
A. Pey, G. Suter, M. Glor, P. Lerena & J. Campos
Risk reduction by use of a buffer zone 1223
S.I. Wijnant-Timmerman & T. Wiersma
Safety in engineering practice 1231
Z. Smalko & J. Szpytko
Why ISO 13702 and NFPA 15 standards may lead to unsafe design 1239
S. Medonos & R. Raman

Risk control in complex environments

Is there an optimal type for high reliability organization? A study of the UK offshore industry 1251
J.S. Busby, A. Collins & R. Miles
The optimization of system safety: Rationality, insurance, and optimal protection 1259
R.B. Jongejan & J.K. Vrijling

Thermal characteristic analysis of Y type zeolite by differential scanning calorimetry 1267
S.H. Wu, W.P. Weng, C.C. Hsieh & C.M. Shu
Using network methodology to define emergency response team location: The Brazilian
refinery case study 1273
E. Calixto, E. Lèbre La Rovere & J. Eustáquio Beraldo

Risk perception and communication

(Mis-)conceptions of safety principles 1283
J.-T. Gayen & H. Schäbe
Climate change in the British press: The role of the visual 1293
N.W. Smith & H. Joffe
Do the people exposed to a technological risk always want more information about it?
Some observations on cases of rejection 1301
J. Espluga, J. Farré, J. Gonzalo, T. Horlick-Jones, A. Prades, C. Oltra & J. Navajas
Media coverage, imaginary of risks and technological organizations 1309
F. Fodor & G. Deleuze
Media disaster coverage over time: Methodological issues and results 1317
M. Kuttschreuter & J.M. Gutteling
Risk amplification and zoonosis 1325
D.G. Duckett & J.S. Busby
Risk communication and addressing uncertainties in risk assessments—Presentation of a framework 1335
J. Stian Østrem, H. Thevik, R. Flage & T. Aven
Risk communication for industrial plants and radioactive waste repositories 1341
F. Gugliermetti & G. Guidi
Risk management measurement methodology: Practical procedures and approaches for risk
assessment and prediction 1351
R.B. Duffey & J.W. Saull
Risk perception and cultural theory: Criticism and methodological orientation 1357
C. Kermisch & P.-E. Labeau
Standing in the shoes of hazard managers: An experiment on avalanche risk perception 1365
C.M. Rheinberger
The social perception of nuclear fusion: Investigating lay understanding and reasoning about
the technology 1371
A. Prades, C. Oltra, J. Navajas, T. Horlick-Jones & J. Espluga

Safety culture
‘‘Us’’ and ‘‘Them’’: The impact of group identity on safety critical behaviour 1377
R.J. Bye, S. Antonsen & K.M. Vikland
Does change challenge safety? Complexity in the civil aviation transport system 1385
S. Høyland & K. Aase
Electromagnetic fields in the industrial enviroment 1395
J. Fernández, A. Quijano, M.L. Soriano & V. Fuster
Electrostatic charges in industrial environments 1401
P. LLovera, A. Quijano, A. Soria & V. Fuster
Empowering operations and maintenance: Safe operations with the ‘‘one directed team’’
organizational model at the Kristin asset 1407
P. Næsje, K. Skarholt, V. Hepsø & A.S. Bye

Leadership and safety climate in the construction industry 1415
J.L. Meliá, M. Becerril, S.A. Silva & K. Mearns
Local management and its impact on safety culture and safety within Norwegian shipping 1423
H.A Oltedal & O.A. Engen
Quantitative analysis of the anatomy and effectiveness of occupational safety culture 1431
P. Trucco, M. De Ambroggi & O. Grande
Safety management and safety culture assessment in Germany 1439
H.P. Berg
The potential for error in communications between engineering designers 1447
J. Harvey, R. Jamieson & K. Pearce

Safety management systems

Designing the safety policy of IT system on the example of a chosen company 1455
I.J. Jóźwiak, T. Nowakowski & K. Jóźwiak
Determining and verifying the safety integrity level of the control and protection systems
under uncertainty 1463
T. Barnert, K.T. Kosmowski & M. Sliwinski
Drawing up and running a Security Plan in an SME type company—An easy task? 1473
M. Gerbec
Efficient safety management for subcontractor at construction sites 1481
K.S. Son & J.J. Park
Production assurance and reliability management—A new international standard 1489
H. Kortner, K.-E. Haugen & L. Sunde
Risk management model for industrial plants maintenance 1495
N. Napolitano, M. De Minicis, G. Di Gravio & M. Tronci
Some safety aspects on multi-agent and CBTC implementation for subway control systems 1503
F.M. Rachel & P.S. Cugnasca

Software reliability
Assessment of software reliability and the efficiency of corrective actions during the software
development process 1513
R. Savić
ERTMS, deals on wheels? An inquiry into a major railway project 1519
J.A. Stoop, J.H. Baggen, J.M. Vleugel & J.L.M. Vrancken
Guaranteed resource availability in a website 1525
V.P. Koutras & A.N. Platis
Reliability oriented electronic design automation tool 1533
J. Marcos, D. Bóveda, A. Fernández & E. Soto
Reliable software for partitionable networked environments—An experience report 1539
S. Beyer, J.C. García Ortiz, F.D. Muñoz-Escoí, P. Galdámez, L. Froihofer,
K.M. Goeschka & J. Osrael
SysML aided functional safety assessment 1547
M. Larisch, A. Hänle, U. Siebold & I. Häring
UML safety requirement specification and verification 1555
A. Hänle & I. Häring

Stakeholder and public involvement in risk governance
Assessment and monitoring of reliability and robustness of offshore wind energy converters 1567
S. Thöns, M.H. Faber, W. Rücker & R. Rohrmann
Building resilience to natural hazards. Practices and policies on governance and mitigation
in the central region of Portugal 1577
J.M. Mendes & A.T. Tavares
Governance of flood risks in The Netherlands: Interdisciplinary research into the role and
meaning of risk perception 1585
M.S. de Wit, H. van der Most, J.M. Gutteling & M. Bočkarjova
Public intervention for better governance—Does it matter? A study of the ‘‘Leros Strength’’ case 1595
P.H. Lindøe & J.E. Karlsen
Reasoning about safety management policy in everyday terms 1601
T. Horlick-Jones
Using stakeholders’ expertise in EMF and soil contamination to improve the management
of public policies dealing with modern risk: When uncertainty is on the agenda 1609
C. Fallon, G. Joris & C. Zwetkoff

Structural reliability and design codes

Adaptive discretization of 1D homogeneous random fields 1621
D.L. Allaix, V.I. Carbone & G. Mancini
Comparison of methods for estimation of concrete strength 1629
M. Holicky, K. Jung & M. Sykora
Design of structures for accidental design situations 1635
J. Marková & K. Jung
Developing fragility function for a timber structure subjected to fire 1641
E.R. Vaidogas, Virm. Juocevičius & Virg. Juocevičius
Estimations in the random fatigue-limit model 1651
C.-H. Chiu & W.-T. Huang
Limitations of the Weibull distribution related to predicting the probability of failure
initiated by flaws 1655
M.T. Todinov
Simulation techniques of non-gaussian random loadings in structural reliability analysis 1663
Y. Jiang, C. Zhang, X. Chen & J. Tao
Special features of the collection and analysis of snow loads 1671
Z. Sadovský, P. Faško, K. Mikulová, J. Pecho & M. Vojtek
Structural safety under extreme construction loads 1677
V. Juocevičius & A. Kudzys
The modeling of time-dependent reliability of deteriorating structures 1685
A. Kudzys & O. Lukoševiciene
Author index 1695


System reliability analysis

A copula-based approach for dependability analyses of fault-tolerant systems with
interdependent basic events 1705
M. Walter, S. Esch & P. Limbourg

A depth first search algorithm for optimal arrangements in a circular
consecutive-k-out-of-n:F system 1715
K. Shingyochi & H. Yamamoto
A joint reliability-redundancy optimization approach for multi-state series-parallel systems 1723
Z. Tian, G. Levitin & M.J. Zuo
A new approach to assess the reliability of a multi-state system with dependent components 1731
M. Samrout & E. Chatelet
A reliability analysis and decision making process for autonomous systems 1739
R. Remenyte-Prescott, J.D. Andrews, P.W.H. Chung & C.G. Downes
Advanced discrete event simulation methods with application to importance measure
estimation 1747
A.B. Huseby, K.A. Eide, S.L. Isaksen, B. Natvig & J. Gåsemyr
Algorithmic and computational analysis of a multi-component complex system 1755
J.E. Ruiz-Castro, R. Pérez-Ocón & G. Fernández-Villodre
An efficient reliability computation of generalized multi-state k-out-of-n systems 1763
S.V. Amari
Application of the fault tree analysis for assessment of the power system reliability 1771
A. Volkanovski, M. Čepin & B. Mavko
BDMP (Boolean logic driven Markov processes) as an alternative to event trees 1779
M. Bouissou
Bivariate distribution based passive system performance assessment 1787
L. Burgazzi
Calculating steady state reliability indices of multi-state systems using dual number algebra 1795
E. Korczak
Concordance analysis of importance measure 1803
C.M. Rocco S.
Contribution to availability assessment of systems with one shot items 1807
D. Valis & M. Koucky
Contribution to modeling of complex weapon systems reliability 1813
D. Valis, Z. Vintr & M. Koucky
Delayed system reliability and uncertainty analysis 1819
R. Alzbutas, V. Janilionis & J. Rimas
Efficient generation and representation of failure lists out of an information flux model
for modeling safety critical systems 1829
M. Pock, H. Belhadaoui, O. Malassé & M. Walter
Evaluating algorithms for the system state distribution of multi-state k-out-of-n:F system 1839
T. Akiba, H. Yamamoto, T. Yamaguchi, K. Shingyochi & Y. Tsujimura
First-passage time analysis for Markovian deteriorating model 1847
G. Dohnal
Model of logistic support system with time dependency 1851
S. Werbinska
Modeling failure cascades in network systems due to distributed random disturbances 1861
E. Zio & G. Sansavini
Modeling of the changes of graphite bore in RBMK-1500 type nuclear reactor 1867
I. Žutautaite-Šeputiene, J. Augutis & E. Ušpuras

Modelling multi-platform phased mission system reliability 1873
D.R. Prescott, J.D. Andrews & C.G. Downes
Modelling test strategies effects on the probability of failure on demand for safety
instrumented systems 1881
A.C. Torres-Echeverria, S. Martorell & H.A. Thompson
New insight into measures of component importance in production systems 1891
S.L. Isaksen
New virtual age models for bathtub shaped failure intensities 1901
Y. Dijoux & E. Idée
On some approaches to defining virtual age of non-repairable objects 1909
M.S. Finkelstein
On the application and extension of system signatures in engineering reliability 1915
J. Navarro, F.J. Samaniego, N. Balakrishnan & D. Bhattacharya
PFD of higher-order configurations of SIS with partial stroke testing capability 1919
L.F.S. Oliveira
Power quality as accompanying factor in reliability research of electric engines 1929
I.J. Jóźwiak, K. Kujawski & T. Nowakowski
RAMS and performance analysis 1937
X. Quayzin, E. Arbaretier, Z. Brik & A. Rauzy
Reliability evaluation of complex system based on equivalent fault tree 1943
Z. Yufang, Y. Hong & L. Jun
Reliability evaluation of III-V Concentrator solar cells 1949
N. Núñez, J.R. González, M. Vázquez, C. Algora & I. Rey-Stolle
Reliability of a degrading system under inspections 1955
D. Montoro-Cazorla, R. Pérez-Ocón & M.C. Segovia
Reliability prediction using petri nets for on-demand safety systems with fault detection 1961
A.V. Kleyner & V. Volovoi
Reliability, availability and cost analysis of large multi-state systems with ageing components 1969
K. Kolowrocki
Reliability, availability and risk evaluation of technical systems in variable operation conditions 1985
K. Kolowrocki & J. Soszynska
Representation and estimation of multi-state system reliability by decision diagrams 1995
E. Zaitseva & S. Puuronen
Safety instrumented system reliability evaluation with influencing factors 2003
F. Brissaud, D. Charpentier, M. Fouladirad, A. Barros & C. Bérenguer
Smooth estimation of the availability function of a repairable system 2013
M.L. Gámiz & Y. Román
System design optimisation involving phased missions 2021
D. Astapenko & L.M. Bartlett
The Natvig measures of component importance in repairable systems applied to an offshore
oil and gas production system 2029
B. Natvig, K.A. Eide, J. Gåsemyr, A.B. Huseby & S.L. Isaksen
The operation quality assessment as an initial part of reliability improvement and low cost
automation of the system 2037
L. Muslewski, M. Woropay & G. Hoppe

Three-state modelling of dependent component failures with domino effects 2045
U.K. Rakowsky
Variable ordering techniques for the application of Binary Decision Diagrams on PSA
linked Fault Tree models 2051
C. Ibáñez-Llano, A. Rauzy, E. Meléndez & F. Nieto
Weaknesses of classic availability calculations for interlinked production systems
and their overcoming 2061
D. Achermann

Uncertainty and sensitivity analysis

A critique of Info-Gap’s robustness model 2071
M. Sniedovich
Alternative representations of uncertainty in system reliability and risk analysis—Review
and discussion 2081
R. Flage, T. Aven & E. Zio
Dependence modelling with copula in probabilistic studies, a practical approach
based on numerical experiments 2093
A. Dutfoy & R. Lebrun
Event tree uncertainty analysis by Monte Carlo and possibility theory 2101
P. Baraldi & E. Zio
Global sensitivity analysis based on entropy 2107
B. Auder & B. Iooss
Impact of uncertainty affecting reliability models on warranty contracts 2117
G. Fleurquin, P. Dehombreux & P. Dersin
Influence of epistemic uncertainties on the probabilistic assessment of an emergency operating
procedure in a nuclear power plant 2125
M. Kloos & J. Peschke
Numerical study of algorithms for metamodel construction and validation 2135
B. Iooss, L. Boussouf, A. Marrel & V. Feuillard
On the variance upper bound theorem and its applications 2143
M.T. Todinov
Reliability assessment under Uncertainty Using Dempster-Shafer and Vague Set Theories 2151
S. Pashazadeh & N. Grachorloo
Types and sources of uncertainties in environmental accidental risk assessment: A case study
for a chemical factory in the Alpine region of Slovenia 2157
M. Gerbec & B. Kontic
Uncertainty estimation for monotone and binary systems 2167
A.P. Ulmeanu & N. Limnios

Industrial and service sectors

Aeronautics and aerospace
Condition based operational risk assessment for improved aircraft operability 2175
A. Arnaiz, M. Buderath & S. Ferreiro
Is optimized design of satellites possible? 2185
J. Faure, R. Laulheret & A. Cabarbaye

Model of air traffic in terminal area for ATFM safety analysis 2191
J. Skorupski & A.W. Stelmach
Predicting airport runway conditions based on weather data 2199
A.B. Huseby & M. Rabbe
Safety considerations in complex airborne systems 2207
M.J.R. Lemes & J.B. Camargo Jr
The Preliminary Risk Analysis approach: Merging space and aeronautics methods 2217
J. Faure, R. Laulheret & A. Cabarbaye
Using a Causal model for Air Transport Safety (CATS) for the evaluation of alternatives 2223
B.J.M. Ale, L.J. Bellamy, R.P. van der Boom, J. Cooper, R.M. Cooke, D. Kurowicka, P.H. Lin,
O. Morales, A.L.C. Roelen & J. Spouge

Automotive engineering
An approach to describe interactions in and between mechatronic systems 2233
J. Gäng & B. Bertsche
Influence of the mileage distribution on reliability prognosis models 2239
A. Braasch, D. Althaus & A. Meyna
Reliability prediction for automotive components using Real-Parameter Genetic Algorithm 2245
J. Hauschild, A. Kazeminia & A. Braasch
Stochastic modeling and prediction of catalytic converters degradation 2251
S. Barone, M. Giorgio, M. Guida & G. Pulcini
Towards a better interaction between design and dependability analysis: FMEA derived from
UML/SysML models 2259
P. David, V. Idasiak & F. Kratz

Biotechnology and food industry

Application of tertiary mathematical models for evaluating the presence of staphylococcal
enterotoxin in lactic acid cheese 2269
I. Steinka & A. Blokus-Roszkowska
Assessment of the risk to company revenue due to deviations in honey quality 2275
E. Doménech, I. Escriche & S. Martorell
Attitudes of Japanese and Hawaiian toward labeling genetically modified fruits 2285
S. Shehata
Ensuring honey quality by means of effective pasteurization 2289
E. Doménech, I. Escriche & S. Martorell
Exposure assessment model to combine thermal inactivation (log reduction) and thermal injury
(heat-treated spore lag time) effects on non-proteolytic Clostridium botulinum 2295
J.-M. Membrë, E. Wemmenhove & P. McClure
Public information requirements on health risk of mercury in fish (1): Perception
and knowledge of the public about food safety and the risk of mercury 2305
M. Kosugi & H. Kubota
Public information requirements on health risks of mercury in fish (2): A comparison of mental
models of experts and public in Japan 2311
H. Kubota & M. Kosugi
Review of diffusion models for the social amplification of risk of food-borne zoonoses 2317
J.P. Mehers, H.E. Clough & R.M. Christley

Risk perception and communication of food safety and food technologies in Flanders,
The Netherlands, and the United Kingdom 2325
U. Maris
Synthesis of reliable digital microfluidic biochips using Monte Carlo simulation 2333
E. Maftei, P. Pop & F. Popenţiu Vlădicescu

Chemical process industry

Accidental scenarios in the loss of control of chemical processes: Screening the impact
profile of secondary substances 2345
M. Cordella, A. Tugnoli, P. Morra, V. Cozzani & F. Barontini
Adapting the EU Seveso II Directive for GHS: Initial UK study on acute toxicity to people 2353
M.T. Trainor, A.J. Wilday, M. Moonis, A.L. Rowbotham, S.J. Fraser, J.L. Saw & D.A. Bosworth
An advanced model for spreading and evaporation of accidentally released hazardous
liquids on land 2363
I.J.M. Trijssenaar-Buhre, R.P. Sterkenburg & S.I. Wijnant-Timmerman
Influence of safety systems on land use planning around seveso sites; example of measures
chosen for a fertiliser company located close to a village 2369
C. Fiévez, C. Delvosalle, N. Cornil, L. Servranckx, F. Tambour, B. Yannart & F. Benjelloun
Performance evaluation of manufacturing systems based on dependability management
indicators-case study: Chemical industry 2379
K. Rezaie, M. Dehghanbaghi & V. Ebrahimipour
Protection of chemical industrial installations from intentional adversary acts: Comparison
of the new security challenges with the existing safety practices in Europe 2389
M.D. Christou
Quantitative assessment of domino effect in an extended industrial area 2397
G. Antonioni, G. Spadoni, V. Cozzani, C. Dondi & D. Egidi
Reaction hazard of cumene hydroperoxide with sodium hydroxide by isothermal calorimetry 2405
Y.-P. Chou, S.-H. Wu, C.-M. Shu & H.-Y. Hou
Reliability study of shutdown process through the analysis of decision making in chemical plants.
Case of study: South America, Spain and Portugal 2409
L. Amendola, M.A. Artacho & T. Depool
Study of the application of risk management practices in shutdown chemical process 2415
L. Amendola, M.A. Artacho & T. Depool
Thirty years after the first HAZOP guideline publication. Considerations 2421
J. Dunjó, J.A. Vílchez & J. Arnaldos

Civil engineering
Decision tools for risk management support in construction industry 2431
S. Mehicic Eberhardt, S. Moeller, M. Missler-Behr & W. Kalusche
Definition of safety and the existence of ‘‘optimal safety’’ 2441
D. Proske
Failure risk analysis in Water Supply Networks 2447
A. Carrión, A. Debón, E. Cabrera, M.L. Gamiz & H. Solano
Hurricane vulnerability of multi-story residential buildings in Florida 2453
G.L. Pita, J.-P. Pinelli, C.S. Subramanian, K. Gurley & S. Hamid
Risk management system in water-pipe network functioning 2463
B. Tchórzewska-Cieślak

Use of extreme value theory in engineering design 2473
E. Castillo, C. Castillo & R. Mínguez

Critical infrastructures
A model for vulnerability analysis of interdependent infrastructure networks 2491
J. Johansson & H. Jönsson
Exploiting stochastic indicators of interdependent infrastructures: The service availability of
interconnected networks 2501
G. Bonanni, E. Ciancamerla, M. Minichino, R. Clemente, A. Iacomini, A. Scarlatti,
E. Zendri & R. Terruggia
Proactive risk assessment of critical infrastructures 2511
T. Uusitalo, R. Koivisto & W. Schmitz
Seismic assessment of utility systems: Application to water, electric power and transportation
networks 2519
C. Nuti, A. Rasulo & I. Vanzi
Author index 2531


Electrical and electronic engineering

Balancing safety and availability for an electronic protection system 2541
S. Wagner, I. Eusgeld, W. Kröger & G. Guaglio
Evaluation of important reliability parameters using VHDL-RTL modelling and information
flow approach 2549
M. Jallouli, C. Diou, F. Monteiro, A. Dandache, H. Belhadaoui, O. Malassé, G. Buchheit,
J.F. Aubry & H. Medromi

Energy production and distribution

Application of Bayesian networks for risk assessment in electricity distribution system
maintenance management 2561
D.E. Nordgård & K. Sand
Incorporation of ageing effects into reliability model for power transmission network 2569
V. Matuzas & J. Augutis
Mathematical simulation of energy supply disturbances 2575
J. Augutis, R. Krikštolaitis, V. Matuzienė & S. Pečiulytė
Risk analysis of the electric power transmission grid 2581
L.M. Pedersen & H.H. Thorstad
Security of gas supply to a gas plant from cave storage using discrete-event simulation 2587
J.D. Amaral Netto, L.F.S. Oliveira & D. Faertes
SES RISK a new framework to support decisions on energy supply 2593
D. Serbanescu & A.L. Vetere Arellano
Specification of reliability benchmarks for offshore wind farms 2601
D. McMillan & G.W. Ault

Health and medicine

Bayesian statistical meta-analysis of epidemiological data for QRA 2609
I. Albert, E. Espié, A. Gallay, H. De Valk, E. Grenier & J.-B. Denis

Cyanotoxins and health risk assessment 2613
J. Kellner, F. Božek, J. Navrátil & J. Dvořák
The estimation of health effect risks based on different sampling intervals of meteorological data 2619
J. Jeong & S. Hoon Han

Information technology and telecommunications

A bi-objective model for routing and wavelength assignment in resilient WDM networks 2627
T. Gomes, J. Craveirinha, C. Simões & J. Clímaco
Formal reasoning regarding error propagation in multi-process software architectures 2635
F. Sætre & R. Winther
Implementation of risk and reliability analysis techniques in ICT 2641
R. Mock, E. Kollmann & E. Bünzli
Information security measures influencing user performance 2649
E. Albrechtsen & J.M. Hagen
Reliable network server assignment using an ant colony approach 2657
S. Kulturel-Konak & A. Konak
Risk and safety as system-theoretic concepts—A formal view on system-theory
by means of petri-nets 2665
J. Rudolf Müller & E. Schnieder

Insurance and finance

Behaviouristic approaches to insurance decisions in the context of natural hazards 2675
M. Bank & M. Gruber
Gaming tool as a method of natural disaster risk education: Educating the relationship
between risk and insurance 2685
T. Unagami, T. Motoyoshi & J. Takai
Reliability-based risk-metric computation for energy trading 2689
R. Mínguez, A.J. Conejo, R. García-Bertrand & E. Castillo

A decision model for preventing knock-on risk inside industrial plant 2701
M. Grazia Gnoni, G. Lettera & P. Angelo Bragatto
Condition based maintenance optimization under cost and profit criteria for manufacturing
equipment 2707
A. Sánchez, A. Goti & V. Rodríguez
PRA-type study adapted to the multi-crystalline silicon photovoltaic cells manufacture
process 2715
A. Colli, D. Serbanescu & B.J.M. Ale

Mechanical engineering
Developing a new methodology for OHS assessment in small and medium enterprises 2727
C. Pantanali, A. Meneghetti, C. Bianco & M. Lirussi
Optimal Pre-control as a tool to monitor the reliability of a manufacturing system 2735
S. San Matías & V. Giner-Bosch
The respirable crystalline silica in the ceramic industries—Sampling, exposure
and toxicology 2743
E. Monfort, M.J. Ibáñez & A. Escrig

Natural hazards
A framework for the assessment of the industrial risk caused by floods 2749
M. Campedel, G. Antonioni, V. Cozzani & G. Di Baldassarre
A simple method of risk potential analysis for post-earthquake fires 2757
J.L. Su, C.C. Wu, K.S. Fan & J.R. Chen
Applying the SDMS model to manage natural disasters in Mexico 2765
J.R. Santos-Reyes & A.N. Beard
Decision making tools for natural hazard risk management—Examples from Switzerland 2773
M. Bründl, B. Krummenacher & H.M. Merz
How to motivate people to assume responsibility and act upon their own protection from flood
risk in The Netherlands if they think they are perfectly safe? 2781
M. Bočkarjova, A. van der Veen & P.A.T.M. Geurts
Integral risk management of natural hazards—A system analysis of operational application
to rapid mass movements 2789
N. Bischof, H. Romang & M. Bründl
Risk based approach for a long-term solution of coastal flood defences—A Vietnam case 2797
C. Mai Van, P.H.A.J.M. van Gelder & J.K. Vrijling
River system behaviour effects on flood risk 2807
T. Schweckendiek, A.C.W.M. Vrouwenvelder, M.C.L.M. van Mierlo, E.O.F. Calle & W.M.G. Courage
Valuation of flood risk in The Netherlands: Some preliminary results 2817
M. Bočkarjova, P. Rietveld & E.T. Verhoef

Nuclear engineering
An approach to integrate thermal-hydraulic and probabilistic analyses in addressing
safety margins estimation accounting for uncertainties 2827
S. Martorell, Y. Nebot, J.F. Villanueva, S. Carlos, V. Serradell, F. Pelayo & R. Mendizábal
Availability of alternative sources for heat removal in case of failure of the RHRS during
midloop conditions addressed in LPSA 2837
J.F. Villanueva, S. Carlos, S. Martorell, V. Serradell, F. Pelayo & R. Mendizábal
Complexity measures of emergency operating procedures: A comparison study with data
from a simulated computerized procedure experiment 2845
L.Q. Yu, Z.Z. Li, X.L. Dong & S. Xu
Distinction impossible!: Comparing risks between Radioactive Wastes Facilities and Nuclear
Power Stations 2851
S. Kim & S. Cho
Heat-up calculation to screen out the room cooling failure function from a PSA model 2861
M. Hwang, C. Yoon & J.-E. Yang
Investigating the material limits on social construction: Practical reasoning about nuclear
fusion and other technologies 2867
T. Horlick-Jones, A. Prades, C. Oltra, J. Navajas & J. Espluga
Neural networks and order statistics for quantifying nuclear power plants safety margins 2873
E. Zio, F. Di Maio, S. Martorell & Y. Nebot
Probabilistic safety assessment for other modes than power operation 2883
M. Čepin & R. Prosen
Probabilistic safety margins: Definition and calculation 2891
R. Mendizábal

Reliability assessment of the thermal hydraulic phenomena related to a CAREM-like
passive RHR System 2899
G. Lorenzo, P. Zanocco, M. Giménez, M. Marquès, B. Iooss, R. Bolado Lavín, F. Pierro,
G. Galassi, F. D’Auria & L. Burgazzi
Some insights from the observation of nuclear power plant operators’ management of simulated
abnormal situations 2909
M.C. Kim & J. Park
Vital area identification using fire PRA and RI-ISI results in UCN 4 nuclear power plant 2913
K.Y. Kim, Y. Choi & W.S. Jung

Offshore oil and gas

A new approach for follow-up of safety instrumented systems in the oil and gas industry 2921
S. Hauge & M.A. Lundteigen
Consequence based methodology to determine acceptable leakage rate through closed safety
critical valves 2929
W. Røed, K. Haver, H.S. Wiencke & T.E. Nøkland
FAMUS: Applying a new tool for integrating flow assurance and RAM analysis 2937
Ø. Grande, S. Eisinger & S.L. Isaksen
Fuzzy reliability analysis of corroded oil and gas pipes 2945
M. Singh & T. Markeset
Life cycle cost analysis in design of oil and gas production facilities to be used in harsh,
remote and sensitive environments 2955
D. Kayrbekova & T. Markeset
Line pack management for improved regularity in pipeline gas transportation networks 2963
L. Frimannslund & D. Haugland
Optimization of proof test policies for safety instrumented systems using multi-objective
genetic algorithms 2971
A.C. Torres-Echeverria, S. Martorell & H.A. Thompson
Paperwork, management, and safety: Towards a bureaucratization of working life
and a lack of hands-on supervision 2981
G.M. Lamvik, P.C. Næsje, K. Skarholt & H. Torvatn
Preliminary probabilistic study for risk management associated to casing long-term integrity
in the context of CO2 geological sequestration—Recommendations for cement plug geometry 2987
Y. Le Guen, O. Poupard, J.-B. Giraud & M. Loizzo
Risk images in integrated operations 2997
C.K. Tveiten & P.M. Schiefloe

Policy decisions
Dealing with nanotechnology: Do the boundaries matter? 3007
S. Brunet, P. Delvenne, C. Fallon & P. Gillon
Factors influencing the public acceptability of the LILW repository 3015
N. Železnik, M. Polič & D. Kos
Risk futures in Europe: Perspectives for future research and governance. Insights from a EU
funded project 3023
S. Menoni
Risk management strategies under climatic uncertainties 3031
U.S. Brandt

Safety representative and managers: Partners in health and safety? 3039
T. Kvernberg Andersen, H. Torvatn & U. Forseth
Stop in the name of safety—The right of the safety representative to halt dangerous work 3047
U. Forseth, H. Torvatn & T. Kvernberg Andersen
The VDI guideline on requirements for the qualification of reliability engineers—Curriculum
and certification process 3055
U.K. Rakowsky

Public planning
Analysing analyses—An approach to combining several risk and vulnerability analyses 3061
J. Borell & K. Eriksson
Land use planning methodology used in Walloon region (Belgium) for tank farms of gasoline
and diesel oil 3067
F. Tambour, N. Cornil, C. Delvosalle, C. Fiévez, L. Servranckx, B. Yannart & F. Benjelloun

Security and protection

‘‘Protection from half-criminal windows breakers to mass murderers with nuclear weapons’’:
Changes in the Norwegian authorities’ discourses on the terrorism threat 3077
S.H. Jore & O. Njå
A preliminary analysis of volcanic Na-Tech risks in the Vesuvius area 3085
E. Salzano & A. Basco
Are safety and security in industrial systems antagonistic or complementary issues? 3093
G. Deleuze, E. Chatelet, P. Laclemence, J. Piwowar & B. Affeltranger
Assesment of energy supply security indicators for Lithuania 3101
J. Augutis, R. Krikštolaitis, V. Matuziene & S. Pečiulytė
Enforcing application security—Fixing vulnerabilities with aspect oriented programming 3109
J. Wang & J. Bigham
Governmental risk communication: Communication guidelines in the context of terrorism
as a new risk 3117
I. Stevens & G. Verleye
On combination of Safety Integrity Levels (SILs) according to IEC61508 merging rules 3125
Y. Langeron, A. Barros, A. Grall & C. Bérenguer
On the methods to model and analyze attack scenarios with Fault Trees 3135
G. Renda, S. Contini & G.G.M. Cojazzi
Risk management for terrorist actions using geoevents 3143
G. Maschio, M.F. Milazzo, G. Ancione & R. Lisi

Surface transportation (road and train)

A modelling approach to assess the effectiveness of BLEVE prevention measures on LPG tanks 3153
G. Landucci, M. Molag, J. Reinders & V. Cozzani
Availability assessment of ALSTOM’s safety-relevant trainborne odometry sub-system 3163
B.B. Stamenković & P. Dersin
Dynamic maintenance policies for civil infrastructure to minimize cost and manage safety risk 3171
T.G. Yeung & B. Castanier
FAI: Model of business intelligence for projects in metrorailway system 3177
A. Oliveira & J.R. Almeida Jr.

Impact of preventive grinding on maintenance costs and determination of an optimal grinding cycle 3183
C. Meier-Hirmer & Ph. Pouligny
Logistics of dangerous goods: A GLOBAL risk assessment approach 3191
C. Mazri, C. Deust, B. Nedelec, C. Bouissou, J.C. Lecoze & B. Debray
Optimal design of control systems using a dependability criteria and temporal sequences
evaluation—Application to a railroad transportation system 3199
J. Clarhaut, S. Hayat, B. Conrard & V. Cocquempot
RAM assurance programme carried out by the Swiss Federal Railways SA-NBS project 3209
B.B. Stamenković
RAMS specification for an urban transit Maglev system 3217
A. Raffetti, B. Faragona, E. Carfagna & F. Vaccaro
Safety analysis methodology application into two industrial cases: A new mechatronical system
and during the life cycle of a CAF’s high speed train 3223
O. Revilla, A. Arnaiz, L. Susperregui & U. Zubeldia
The ageing of signalling equipment and the impact on maintenance strategies 3231
M. Antoni, N. Zilber, F. Lejette & C. Meier-Hirmer
The development of semi-Markov transportation model 3237
Z. Mateusz & B. Tymoteusz
Valuation of operational architecture dependability using Safe-SADT formalism: Application
to a railway braking system 3245
D. Renaux, L. Cauffriez, M. Bayart & V. Benard

Waterborne transportation
A simulation based risk analysis study of maritime traffic in the Strait of Istanbul 3257
B. Özbaş, I. Or, T. Altiok & O.S. Ulusçu
Analysis of maritime accident data with BBN models 3265
P. Antão, C. Guedes Soares, O. Grande & P. Trucco
Collision risk analyses of waterborne transportation 3275
E. Vanem, R. Skjong & U. Langbecker
Complex model of navigational accident probability assessment based on real time
simulation and manoeuvring cycle concept 3285
L. Gucma
Design of the ship power plant with regard to the operator safety 3289
A. Podsiadlo & W. Tarelko
Human fatigue model at maritime transport 3295
L. Smolarek & J. Soliwoda
Modeling of hazards, consequences and risk for safety assessment of ships in damaged
conditions in operation 3303
M. Gerigk
Numerical and experimental study of a reliability measure for dynamic control of floating vessels 3311
B.J. Leira, P.I.B. Berntsen & O.M. Aamo
Reliability of overtaking maneuvers between ships in restricted area 3319
P. Lizakowski
Risk analysis of ports and harbors—Application of reliability engineering techniques 3323
B.B. Dutta & A.R. Kar

Subjective propulsion risk of a seagoing ship estimation 3331
A. Brandowski, W. Frackowiak, H. Nguyen & A. Podsiadlo
The analysis of SAR action effectiveness parameters with respect to drifting search area model 3337
Z. Smalko & Z. Burciu
The risk analysis of harbour operations 3343
T. Abramowicz-Gerigk
Author index 3351

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5


This Conference stems from a European initiative merging the ESRA (European Safety and Reliability
Association) and SRA-Europe (Society for Risk Analysis—Europe) annual conferences into the major safety,
reliability and risk analysis conference in Europe during 2008. This is the second joint ESREL (European Safety
and Reliability) and SRA-Europe Conference after the 2000 event held in Edinburg, Scotland.
ESREL is an annual conference series promoted by the European Safety and Reliability Association. The
conference dates back to 1989, but was not referred to as an ESREL conference before 1992. The Conference
has become well established in the international community, attracting a good mix of academics and industry
participants that present and discuss subjects of interest and application across various industries in the fields of
Safety and Reliability.
The Society for Risk Analysis—Europe (SRA-E) was founded in 1987, as a section of SRA international
founded in 1981, to develop a special focus on risk related issues in Europe. SRA-E aims to bring together
individuals and organisations with an academic interest in risk assessment, risk management and risk commu-
nication in Europe and emphasises the European dimension in the promotion of interdisciplinary approaches of
risk analysis in science. The annual conferences take place in various countries in Europe in order to enhance the
access to SRA-E for both members and other interested parties. Recent conferences have been held in Stockholm,
Paris, Rotterdam, Lisbon, Berlin, Como, Ljubljana and the Hague.
These conferences come for the first time to Spain and the venue is Valencia, situated in the East coast close
to the Mediterranean Sea, which represents a meeting point of many cultures. The host of the conference is the
Universidad Politécnica de Valencia.
This year the theme of the Conference is "Safety, Reliability and Risk Analysis. Theory, Methods and
Applications". The Conference covers a number of topics within safety, reliability and risk, and provides a
forum for presentation and discussion of scientific papers covering theory, methods and applications to a wide
range of sectors and problem areas. Special focus has been placed on strengthening the bonds between the safety,
reliability and risk analysis communities with an aim at learning from the past building the future.
The Conferences have been growing with time and this year the program of the Joint Conference includes 416
papers from prestigious authors coming from all over the world. Originally, about 890 abstracts were submitted.
After the review by the Technical Programme Committee of the full papers, 416 have been selected and included
in these Proceedings. The effort of authors and the peers guarantee the quality of the work. The initiative and
planning carried out by Technical Area Coordinators have resulted in a number of interesting sessions covering
a broad spectre of topics.
Sebastián Martorell
C. Guedes Soares
Julie Barnett

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5


Conference Chairman
Dr. Sebastián Martorell Alsina Universidad Politécnica de Valencia, Spain

Conference Co-Chairman
Dr. Blás Galván González University of Las Palmas de Gran Canaria, Spain

Conference Technical Chairs

Prof. Carlos Guedes Soares Technical University of Lisbon—IST, Portugal
Dr. Julie Barnett University of Surrey, United Kingdom

Board of Institution Representatives

Prof. Gumersindo Verdú Vice-Rector for International Actions—
Universidad Politécnica de Valencia, Spain
Dr. Ioanis Papazoglou ESRA Chairman
Dr. Roberto Bubbico SRA-Europe Chairman

Technical Area Coordinators

Aven, Terje—Norway Leira, Bert—Norway
Bedford, Tim—United Kingdom Levitin, Gregory—Israel
Berenguer, Christophe—France Merad, Myriam—France
Bubbico, Roberto—Italy Palanque, Philippe—France
Cepin, Marco—Slovenia Papazoglou, Ioannis—Greece
Christou, Michalis—Italy Preyssl, Christian—The Netherlands
Colombo, Simone—Italy Rackwitz, Ruediger—Germany
Dien, Yves—France Rosqvist, Tony—Finland
Doménech, Eva—Spain Salvi, Olivier—Germany
Eisinger, Siegfried—Norway Skjong, Rolf—Norway
Enander, Ann—Sweden Spadoni, Gigliola—Italy
Felici, Massimo—United Kingdom Tarantola, Stefano—Italy
Finkelstein, Maxim—South Africa Thalmann, Andrea—Germany
Goossens, Louis—The Netherlands Thunem, Atoosa P-J—Norway
Hessami, Ali—United Kingdom Van Gelder, Pieter—The Netherlands
Johnson, Chris—United Kingdom Vrouwenvelder, Ton—The Netherlands
Kirchsteiger, Christian—Luxembourg Wolfgang, Kröger—Switzerland

Technical Programme Committee

Ale B, The Netherlands Badia G, Spain
Alemano A, Luxembourg Barros A, France
Amari S, United States Bartlett L, United Kingdom
Andersen H, Denmark Basnyat S, France
Aneziris O, Greece Birkeland G, Norway
Antao P, Portugal Bladh K, Sweden
Arnaiz A, Spain Boehm G, Norway

Bris R, Czech Republic Le Bot P, France
Bründl M, Switzerland Limbourg P, Germany
Burgherr P, Switzerland Lisnianski A, Israel
Bye R, Norway Lucas D, United Kingdom
Carlos S, Spain Luxhoj J, United States
Castanier B, France Ma T, United Kingdom
Castillo E, Spain Makin A, Australia
Cojazzi G, Italy Massaiu S, Norway
Contini S, Italy Mercier S, France
Cozzani V, Italy Navarre D, France
Cha J, Korea Navarro J, Spain
Chozos N, United Kingdom Nelson W, United States
De Wit S, The Netherlands Newby M, United Kingdom
Droguett E, Brazil Nikulin M, France
Drottz-Sjoberg B, Norway Nivolianitou Z, Greece
Dutuit Y, France Pérez-Ocón R, Spain
Escriche I, Spain Pesme H, France
Faber M, Switzerland Piero B, Italy
Fouladirad M, France Pierson J, France
Garbatov Y, Portugal Podofillini L, Italy
Ginestar D, Spain Proske D, Austria
Grall A, France Re A, Italy
Gucma L, Poland Revie M, United Kingdom
Hardman G, United Kingdom Rocco C, Venezuela
Harvey J, United Kingdom Rouhiainen V, Finland
Hokstad P, Norway Roussignol M, France
Holicky M, Czech Republic Sadovsky Z, Slovakia
Holloway M, United States Salzano E, Italy
Iooss B, France Sanchez A, Spain
Iung B, France Sanchez-Arcilla A, Spain
Jonkman B, The Netherlands Scarf P, United Kingdom
Kafka P, Germany Siegrist M, Switzerland
Kahle W, Germany Sørensen J, Denmark
Kleyner A, United States Storer T, United Kingdom
Kolowrocki K, Poland Sudret B, France
Konak A, United States Teixeira A, Portugal
Korczak E, Poland Tian Z, Canada
Kortner H, Norway Tint P, Estonia
Kosmowski K, Poland Trbojevic V, United Kingdom
Kozine I, Denmark Valis D, Czech Republic
Kulturel-Konak S, United States Vaurio J, Finland
Kurowicka D, The Netherlands Yeh W, Taiwan
Labeau P, Belgium Zaitseva E, Slovakia
Zio E, Italy

Webpage Administration
Alexandre Janeiro Instituto Superior Técnico, Portugal

Local Organizing Committee

Sofía Carlos Alberola Universidad Politécnica de Valencia
Eva Ma Doménech Antich Universidad Politécnica de Valencia
Antonio José Fernandez Iberinco, Chairman Reliability Committee AEC
Blás Galván González Universidad de Las Palmas de Gran Canaria
Aitor Goti Elordi Universidad de Mondragón
Sebastián Martorell Alsina Universidad Politécnica de Valencia
Rubén Mullor Ibañez Universidad de Alicante

Rafael Pérez Ocón Universidad de Granada
Ana Isabel Sánchez Galdón Universidad Politécnica de Valencia
Vicente Serradell García Universidad Politécnica de Valencia
Gabriel Winter Althaus Universidad de Las Palmas de Gran Canaria

Conference Secretariat and Technical Support at Universidad Politécnica de Valencia

Gemma Cabrelles López
Teresa Casquero García
Luisa Cerezuela Bravo
Fanny Collado López
María Lucía Ferreres Alba
Angeles Garzón Salas
María De Rus Fuentes Manzanero
Beatriz Gómez Martínez
José Luis Pitarch Catalá
Ester Srougi Ramón
Isabel Martón Lluch
Alfredo Moreno Manteca
Maryory Villamizar Leon
José Felipe Villanueva López

Sponsored by
Ajuntament de Valencia
Asociación Española para la Calidad (Comité de Fiabilidad)
Generalitat Valenciana
Ministerio de Educación y Ciencia
PMM Institute for Learning
Universidad de Las Palmas de Gran Canaria
Universidad Politécnica de Valencia

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5


The conference is organized jointly by Universidad Politécnica de Valencia, ESRA (European Safety and
Reliability Association) and SRA-Europe (Society for Risk Analysis—Europe), under the high patronage of
the Ministerio de Educación y Ciencia, Generalitat Valenciana and Ajuntament de Valencia.
Thanks also to the support of our sponsors Iberdrola, PMM Institute for Learning, Tekniker, Asociación
Española para la Calidad (Comité de Fiabilidad), CEANI and Universidad de Las Palmas de Gran Canaria. The
support of all is greatly appreciated.
The work and effort of the peers involved in the Technical Program Committee in helping the authors to
improve their papers are greatly appreciated. Special thanks go to the Technical Area Coordinators and organisers
of the Special Sessions of the Conference, for their initiative and planning which have resulted in a number of
interesting sessions. Thanks to authors as well as reviewers for their contributions in the review process. The
review process has been conducted electronically through the Conference web page. The support to the web
page was provided by the Instituto Superior Técnico.
We would like to acknowledge specially the local organising committee and the conference secretariat and tech-
nical support at the Universidad Politécnica de Valencia for their careful planning of the practical arrangements.
Their many hours of work are greatly appreciated.
These conference proceedings have been partially financed by the Ministerio de Educación y Ciencia
de España (DPI2007-29009-E), the Generalitat Valenciana (AORG/2007/091 and AORG/2008/135) and the
Universidad Politécnica de Valencia (PAID-03-07-2499).

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5


The Conference covers a number of topics within safety, reliability and risk, and provides a forum for presentation
and discussion of scientific papers covering theory, methods and applications to a wide range of sectors and
problem areas.

Thematic Areas
• Accident and Incident Investigation
• Crisis and Emergency Management
• Decision Support Systems and Software Tools for Safety and Reliability
• Dynamic Reliability
• Fault Identification and Diagnostics
• Human Factors
• Integrated Risk Management and Risk-Informed Decision-making
• Legislative dimensions of risk management
• Maintenance Modelling and Optimisation
• Monte Carlo Methods in System Safety and Reliability
• Occupational Safety
• Organizational Learning
• Reliability and Safety Data Collection and Analysis
• Risk and Evidence Based Policy Making
• Risk and Hazard Analysis
• Risk Control in Complex Environments
• Risk Perception and Communication
• Safety Culture
• Safety Management Systems
• Software Reliability
• Stakeholder and public involvement in risk governance
• Structural Reliability and Design Codes
• System Reliability Analysis
• Uncertainty and Sensitivity Analysis

Industrial and Service Sectors

• Aeronautics and Aerospace
• Automotive Engineering
• Biotechnology and Food Industry
• Chemical Process Industry
• Civil Engineering
• Critical Infrastructures
• Electrical and Electronic Engineering
• Energy Production and Distribution
• Health and Medicine
• Information Technology and Telecommunications
• Insurance and Finance
• Manufacturing
• Mechanical Engineering
• Natural Hazards

• Nuclear Engineering
• Offshore Oil and Gas
• Policy Decisions
• Public Planning
• Security and Protection
• Surface Transportation (road and train)
• Waterborne Transportation

Thematic areas

Accident and incident investigation

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

A code for the simulation of human failure events in nuclear

power plants: SIMPROC

J. Gil, J. Esperón, L. Gamo, I. Fernández, P. González & J. Moreno

Indizen Technologies S.L., Madrid, Spain

A. Expósito, C. Queral & G. Rodríguez

Universidad Politénica de Madrid (UPM), Madrid, Spain

J. Hortal
Spanish Nuclear Safety Council (CSN), Madrid, Spain

ABSTRACT: Over the past years, many Nuclear Power Plant (NPP) organizations have performed Probabilistic
Safety Assessments (PSAs) to identify and understand key plant vulnerabilities. As part of enhancing the PSA
quality, the Human Reliability Analysis (HRA) is key to a realistic evaluation of safety and of the potential
weaknesses of a facility. Moreover, it has to be noted that HRA continues to be a large source of uncertainly in
the PSAs. We developed SIMulator of PROCedures (SIMPROC) as a tool to simulate events related with human
actions and to help the analyst to quantify the importance of human actions in the final plant state. Among others,
the main goal of SIMPROC is to check if Emergency Operating Procedures (EOPs) lead to safe shutdown plant
state. First pilot cases simulated have been MBLOCA scenarios simulated by MAAP4 severe accident code
coupled with SIMPROC.

1 INTRODUCTION Also, this software tool is part of SCAIS software

package, (Izquierdo 2003), (Izquierdo et al. 2000) and
In addition to the traditional methods for verifying pro- (Izquierdo et al. 2008), which is a simulation system
cedures, integrated simulations of operator and plant able to generate dynamic event trees stemming from an
response may be useful to: initiating event, based on a technique able to efficiently
simulate all branches and taking into account different
1. Verify that the plant operating procedures can be factors which may affect the dynamic plant behavior
understood and performed by the operators. in each sequence. The development of SIMPROC is
2. Verify that the response based on these procedures described in detail in this paper.
leads to the intended results.
3. Identify potential situations where judgment of
operators concerning the appropriate response is
inconsistent with the procedures. 2 WHY SIMPROC?
4. Study the consequences of errors of commission
and the possibilities for recovering from such The ascribing of a large number of accidents to human
errors, (CSNI 1998) and (CSNI-PWG1 and CSNI- error meant that there was a need to consider it in
PWG5 1997). risk assessment. In the context of nuclear safety stud-
5. Study time availability factors related with proce- ies (Rasmussen 1975) concluded that human error
dures execution. contributed to 65% of the considered accidents. This
contribution is as great or even greater than the con-
Indizen Technologies, in cooperation with the tribution associated to system failures. The NRC esti-
Department of Energy Systems of Technical Univer- mates human error is directly or indirectly involved in
sity of Madrid and the Spanish Nuclear Safety Council approximately 65% of the abnormal incidents (Trager
(CSN), has developed during the last two years a tool 1985). According to the data of the Incident Reporting
known as SIMPROC. This tool, coupled with a plant System of the International Atomic Energy Agency
simulator, is able to incorporate the effect of opera- (IAEA), 48% of the registered events are related
tor actions in plant accident sequences simulations. to failures in human performances. Out of those,

63% were into power operation and the remaining 37% 3 BABIECA-SIMPROC ARCHITECTURE
into shutdown operation. Additionally, analyzing the
events reported using the International Nuclear Event The final objective of the BABIECA-SIMPROC sys-
Scale (INES) during the last decade, most of the major tem is to simulate accidental transients in NPPs con-
incidents of Level 2 or higher could be attributed to sidering human actions. For this purpose is necessary
causes related to human performance. Moreover, a to develop an integrated tool that simulates the dynam-
study based on a broad set of PSA data states that ics of the system. To achieve this we will use the
between 15 and 80% of Core Damage Frequency is BABIECA Simulation Engine to calculate the time
related with execution failure of some operator action evolution state of the plant. Finally we will model
(NEA 2004). Reason (Reason 1990), in a study of a the influence of human operator actions by means of
dozen meaningful accidents in the 15 years prior to SIMPROC. We have modeled the operators influence
their publication, including Three Mile Island (TMI), over the plant state as a separate module to empha-
Chernobyl, Bhopal and the fire of London under- size the significance of operator actions in the final
ground, concludes that at least 80% of the system state of the plant. It is possible to plug or unplug
failures were caused by humans, specially by inad- SIMPROC to consider the operator influence over the
equate management of maintenance supervision. In simulation state of the plant in order to compare end
addition, it determines that other aspects have rel- states in both cases. The final goal of the BABIECA-
evance, mainly technical inaccuracy or incomplete SIMPROC overall system, integrated in SCAIS, is to
training in operation procedures. This last aspect is of simulate Dynamic Event Trees (DET) to describe the
great importance in multiple sectors whose optimiza- time evolution scheme of accidental sequences gen-
tion of operation in abnormal or emergency situations erated from a trigger event. During this calculation it
is based on strict operation procedures. In this case, must be taken into account potential degradations of
it stands out that four of the investigations carried out the systems associating them with probabilistic calcu-
by the NRC and nearly 20 of the additional investiga- lations in each sequence. Additionally EOPs execution
tions from Three Miles Island (TMI) concluded that influence is defined for each plant and each sequence.
intolerable violations of procedures took place. The In order to achieve this objective the integrated scheme
TMI accident illustrated clearly how the interaction must fit the following features:
of technical aspects with human and organizational
factors can help the progression of events. After the 1. The calculation framework must be able to integrate
incident, big efforts on investigation and develop- other Simulation Codes (MAAP, TRACE, . . . ). In
ment have focused on the study of human factors in this case, BABIECA-SIMPROC acts as a wrapper
accidents management. The management of accidents to external codes. This will allow to work with dif-
includes the actions that the operation group must per- ferent codes in the same time line sequence. In case
form during beyond design basis accidents, with the the simulation reaches core damage conditions, it is
objective of maintaining the basic functions of reac- possible to unplug the best estimate code and plug
tor safety. Two phases in emergencies management a severe accident code to accurately describe the
are distinguished: The preventive phase, in which per- dynamic state of the plant.
formances of the operator are centered in avoiding 2. Be able to automatically generate the DET associ-
damage to the core and maintaining the integrity of the ated to an event initiator, simulating the dynamic
installation, and the phase of mitigation, in which once plant evolution.
core damage occurs, operator actions are oriented to 3. Obtain the probability associated to every possible
reduce the amount of radioactive material that is going evolution sequence of the plant.
to be released. Management of accidents is carried out All the system is being developing in C++ code
by following EOPs and Severe Accident Management in order to meet the requirements of speed and
Guides (SAMGs), and its improvement was one of performance needed in this kind of simulations. Paral-
the activities carried out after TMI accident. The acci- lelization was implemented by means of a PVM archi-
dent sequence provides the basis for determining the tecture. The communication with the PostGresSQL
frequencies and uncertainties of consequences. The database is carried out by the libpq++ library. All the
essential outcome of a PSA is a quantitative expres- input desk needed to initialize the system is done using
sion of the overall risks in probabilistic terms. The standard XML.
initial approach to import human factor concerns into The main components of the Global System Archi-
engineering practices was to use existing PSA meth- tecture can be summarized as follows:
ods and extend them to include human actions. We will
use SIMPROC to extend this functionality to include 1. DENDROS event scheduler. It is in charge of
the human factors into the plant evolution simulation. opening branches of the simulation tree depending
This is done in a dynamic way instead of the static on the plant simulation state. DENDROS allows
point of view carried out by PSA studies. the modularization and parallelization of the tree

generation. Calculation of the probability for each
branch is based on the true condition of certain
logical functions. The scheduler arranges for the
opening of the branch whenever certain conditions
are met, and stops the simulation of any particu-
lar branch that has reached an absorbing state. The
time when the opening of the new branch occurs can
be deterministically fixed by the dynamic condi-
tions (setpoint crossing) or randomly delayed with
respect to the time when the branching conditions
are reached. The latter option especially applies
to operator actions and may include the capabil-
ity to use several values of the delay time within
the same dynamic event tree. The scheduler must
know the probability of each branch, calculated
in a separate process called Probability Wrapper,
in order to decide which branch is suitable for Figure 1. BABIECA-SIMPROC architecture.
further development. The applications of a tree
structured computation extend beyond the scope
of the DETs. In fact, the branch opening and cutoff
can obey any set of criteria not necessarily given by modules allow us to represent relevant plant systems
a probability calculation as, for instance, sensitiv- in great detail. In this publication we will focus our
ity studies or automatic initialization for Accident attention on the MAAP4 Wrapper, which allows us to
Management Strategy analyses. More details on connect BABIECA with this severe accident code. The
how dynamic event trees are generated and handled SIMPROC interaction over the system is illustrated in
and their advantages for safety analysis applica- 2. The process can be summarized in the following
tions are given in another paper presented in this steps:
conference (Izquierdo et al. 2008).
2. BABIECA plant simulator. It is adapted to exe- 1. BABIECA starts the simulation and SIMPROC
cute the sequence simulation launched by Den- is created when a EOP execution is demanded
dros Event Scheduler. As mentioned previously, according to a set of conditions over plant variables
BABIECA can wrap other nuclear simulation codes previously defined.
(i.e., MAAP). This simulation code is able to 2. SIMPROC is initialized with the plant state vari-
extend the simulation capacities of BABIECA to ables at that time instant. As a previous step the
the context of severe accidents. computerized XML version of the set of EOPs must
3. SIMPROC procedures simulator. This simulation be introduced in the SIMPROC database.
module allows us to interact with the Simulation 3. The BABIECA calculation loop starts and the out-
Engine BABIECA to implement the EOPs. come of EOPs executions are modeled as bound-
4. Probability engine. It calculates the probabilities ary conditions over the system. Each topology
and delays associated with the set points of the block can modify its state according to the spe-
DET. The initial implementation will be based in cific actions of SIMPROC EOPs execution. Once
PSA calculations, but we have developed a proba- boundary conditions are defined for the current
bility wrapper able to use calculations from BDDs step, the solution for the next step is calculated
structures in the future. for each topology block. The calculation sequence
5. Global database. It will be used to save data from includes continuous variables, discrete variables
the different simulation modules, providing restart and events recollection for the current time step.
capability to the whole system and allowing an Finally, all variables information are saved in the
easier handling of the simulation results. database and, depending on the system configura-
tion, a simulation restart point is set.
If we focus our attention on the SIMPROC inte- 4. The procedures simulator SIMPROC does not have
gration of the system, the BABIECA-SIMPROC its own time step but adapts its execution to the
architecture can be illustrated accordingly (Fig. 1). BABIECA pace. Additionally, it is possible to set
BABIECA acts as a master code to encapsulate a default communication time between BABIECA
different simulation codes in order to build a robust and SIMPROC. This time represents the average
system with a broad range of application and great time the operator needs to recognize the state of
flexibility. BABIECA Driver has its own topology, the plant, which is higher than the time step of the
named BABIECA Internal Modules in Fig. 1. These simulation.

Figure 3. SIMPROC-BABIECA-MAAP4 connection.

Figure 2. BABIECA-SIMPROC calculation flow.

feature allows for a better modelling of the distri-
bution of the operation duties among the members
5. Once BABIECA reaches the defined simulation of the operation team.
end time, it sends a message to SIMPROC to quit As shown in Fig. 3, BABIECA implements a block
procedure execution (if it has not already ended) topology to represent control systems that model oper-
and saves the overall plant state in the database. ator actions over the plant. SIMPROC has access to
those blocks and can change its variables according
to the directives associated with the active EOPs. The
block outputs will be the time dependent boundary
4 SIMPROC-BABIECA-MAAP4 CONNECTION conditions for MAAP4 calculation during the cur-
SCHEME rent time step. It can also be seen in Fig. 3 that
BABIECA has another type of blocks: SndCode and
Providing system connectivity between BABIECA, RcvCode. These blocks were designed to communi-
SIMPROC and MAAP4 is one of the primary targets. cate BABIECA with external codes through a PVM
This allows to simulate severe accident sequences in interface. SndCode gathers all the information gen-
NPPs integrating operator actions simulated by SIM- erated by control systems simulation and sends it
PROC into the plant model. In order to simulate the to MAAP4 wrapper, which conforms all the data
operator actions over the plant with MAAP, the user to be MAAP4 readable. Then, MAAP4 will calcu-
has to define these actions in the XML input file late the next simulation time step. When this cal-
used as a plant model, considering logical conditions culation ends, MAAP4 sends the calculated outputs
(SCRAM, SI, . . .) to trigger EOPs execution. MAAP4 again to MAAP4 wrapper and then the outputs reach
can simulate operator functions, although in a very the RcvCode block of the topology. At this point,
rudimentary way. The key advantages of using the any BABIECA component, especially control sys-
integrated simulator SIMPROC-BABIECA-MAAP4 tems, has the MAAP4 calculated variables available.
as opposed of using MAAP4 alone are: A new BABIECA-SIMPROC synchronization point
1. The actions take a certain time while being exe- occurs and the BABIECA variable values will be the
cuted, whereas in MAAP4 they are instantaneous. boundary conditions for SIMPROC execution.
This delay can be modelled by taking into account
different parameters. For example, the number of
simultaneous actions the operator is executing must 5 APPLICATION EXAMPLE
influence his ability to start new required actions.
2. Actions must follow a sequence established by the The example used to validate the new simulation pack-
active EOPs. In MAAP, operator actions have no age simulates the operator actions related with the level
order. They are executed as logical signals are control of steam generators during MBLOCA tran-
triggered during plant evolution. sient in a PWR Westinghouse design. These operator
3. Although SIMPROC does not contain an operator actions are included in several EOPs, like ES-1.2 pro-
model, it allows for the use of pre-defined opera- cedure, Post LOCA cooldown and depressurization,
tor skills, such as ‘‘reactor operator’’ or ‘‘turbine which is associated with primary cooling depressur-
operator’’, each one with specific attributes. This ization. The first step in this validation is to run

the mentioned transient using MAAP4 alone. After
that, the same simulation was run using BABIECA-
SIMPROC system. Finally, the results from both
simulations are compared.

5.1 SG water level control with MAAP

Level control of steam generator is accomplished by
either of two modes of operation, automatic and man-
ual. In the automatic mode, the main feed water control
system senses the steam flow rate, Ws , and the down-
comer water level, z, and adjusts the feed water control
valves to bring the water level to a program (desired) Figure 4. Representation of the key parameters to imple-
water level, z0 . If the water level is very low, z < 0.9z0 , ment the narrow-band control over SGWL.
the control valve is assumed to be fully open, that is,

W = Wmax (1) The first step is to define the topology file for
BABIECA to work. In this file we need to set the block
where W is the feed water flow rate. structure of the systems we want to simulate and we
If the water level is above 0.9z0 , the model applied need to specify which blocks are going to be used by
a limited proportional control in two steps: SIMPROC to model Operator actions over the plant
1. Proportional control. The resulting feed water flow simulation. The EOP has a unique code to identify it
rate, W, returns the water level to z0 at a rate in the database, and some tags to include a description
proportional to the mismatch, of the actions we are going to execute. Moreover it has
a load-delay parameter designed to take into account
(W − Ws ) = α(z − z0 ). (2) the time the operator needs since the EOP demand
trigger starts until the operator is ready to execute the
The coefficient of proportionality, α in eq. 2 proper actions.
is chosen so that the steam generator inventory This simple EOP has only one step designed to
becomes correct after a time interval τ , which is control the Steam Generator Water Level. The main
set to 100 s at present. parameters of this step are:
2. A limited flow rate. The feed water flow rate is
limited to values between 0 (valve closed) and Wmax • Skill. Sets the operator profile we want to execute
(valve fully opened). the action. In this example there is a REACTOR
The other control mode is manual. In this mode, • Texec. Defines the time the operator is going to be
the control tries to hold the water level within an enve- busy each time he executes an action.
lope defined by a user-supplied deadband zDEAD . The • Taskload. Defines a percentage to take account of
feedwater flow rate is set as follows: the attention that the operator needs to execute an
⎧ action properly. The sum of all the taskload parame-

⎪ Wmax , if z < z0 − zDEAD ters of the actions the operator is executing must be
⎪0, if z > z0 + zDEAD 2

⎨ less than 100%. In future works, Texec and Taskload
Wmin , if z0 + zDEAD <z parameters will be obtained from the Probability
W = 2 (3)

⎪ < z0 + z DEAD Engine in executing time according probability dis-

⎪W , if z0 z− 2 < z
⎩ tributions of human actuation times for the different
< z0 + DEAD 2 actions required by EOPs. These time distributions
could be obtained from experimental studies.
where Wmin is the flow rate used on the decreasing part • Time window. Sets the temporal interval during
of the cycle. which the MONITOR is active.
Operation in manual mode results in a sawtooth- • Targets. Sentences that define the logical behavior
like level trajectory which oscillates about the desired of the MONITOR. We tell the MONITOR what it
level z0 . has to do, when and where.
The parameters used to implement the narrow-
band control over the steam generator water level are In more complex applications, a great effort must
illustrated in Fig. 4. be made in computerizing the specific EOPs of each
To simulate the BABIECA-SIMPROC version of nuclear plant under study, (Expósito and Queral
the same transient we must create the XML files 2003a) and (Expósito and Queral 2003b). This topic
needed to define the input desk of the overall system. is beyond the scope of this paper.

Finally, it is necessary to define the XML simu-
lation files for BABIECA and SIMPROC. The main
difference with the previous XML files is that they do
not need to be parsed and introduced in the database
prior to the simulation execution. They are parsed
and stored in memory during runtime execution of the
The BABIECA simulation file parameters are:
• Simulation code. Must be unique in the database.
• Start input. Informs about the XML BABIECA
Topology file linked with the simulation.
• Simulation type. It is the type of simulation: restart,
transient or steady.
• Total time. Final time of the simulation.
• Delta. Time step of the master simulation.
• Save output frequency. Frequency to save the out- Figure 5. Steam Generator Water Level comparison (black
puts in the database. line: MAAP4 output; dashed red line: BABIECA-SIMPROC
• Initial time. Initial time for the simulation. output).
• Initial topology mode. Topology block can be in
multiple operation modes. During a simulation exe-
cution some triggers can lead to mode changes that
modify the calculation loop of a block.
• Save restart frequency. Frequency we want to save
restart points to back up simulation evolution.
• SIMPROC active. Flag that allow us to switch on
SIMPROC influence over the simulation.
The main parameters described in the XML SIM-
PROC simulation file are:
• Initial and end time. These parameters can be dif-
ferent to the ones used for the simulation file and
define a time interval for SIMPROC to work.
• Operator parameters. These are id, skill and slow-
ness. The first two identify the operator and his type
and the latter takes account of his speed to execute
the required actions. It is known that this parameter Figure 6. Mass Flow Rate to the Cold Leg (red line: MAAP4
depends on multiple factors like operator experience output; dashed black line: BABIECA-SIMPROC output).
and training.
• Initial variables. These are the variables that are
monitored continuously to identify the main param-
eters to evaluate the plant state. Each variable has a
the simulation. Then water level starts to raise going
procedure code to be used in the EOP description,
through the defined dead band until the level reaches
a BABIECA code to identify the variable inside the
12.5 m. At this point we set FWFR to its minimum
topology and a set of logical states.
• Variables. These variables are not monitored in a value (7.36 kgs ). When SGWL is higher than 15 m, the
continuous way but have the same structure as Initial flow rate is set to zero.
Variables. They are only updated under SIMPROC The concordance between MAAP4 and BABIECA-
request. SIMPROC results is good in general. The differences
can be explained due to different time steps of both
Once we have defined the XML input files, we have codes. MAAP4 chooses its time step according to con-
met all the required conditions to run the BABIECA- vergence criteria, while BABIECA-SIMPROC has a
SIMPROC simulation. fixed time step set in the XML BABIECA Simula-
Compared simulation results of MAAP4 simulation tion File. Additionally, BABIECA-SIMPROC takes
and BABIECA-SIMPROC simulation can be seen in into consideration the time needed by the operator to
Fig. 5 and Fig. 6. As shown in the figures, feed water execute each action whereas MAAP4 implementation
flow rate is set to 9,9 kgs when SGWL is lower than of the operator automatically execute the requested
7.5 m. This situation occurs in the very first part of actions.

6 CONCLUSIONS CSN Spanish Nuclear Safety Council
EOP Emergency Operation Procedure
The software tool BABIECA-SIMPROC is being SAMG Severe Accident Management Guide
developed. This software package incorporates oper- LOCA Loss of Coolant Accident
ator actions in accidental sequences simulations in DET Dynamic Event Tree
NPP. This simulation tool is not intended to evalu- PVM Parallel Virtual Machine
ate the probability of human errors, but to incorporate BDD Binary Decision Diagram
in the plant dynamics the effects of those actions per- XML Extensible Markup Language
formed by the operators while following the operating SGWL Steam Generator Water Level
procedures. Nonetheless, human errors probabilities FWFR Feed Water Flow Rate
calculated by external HRA models can be taken into
account in the generation of dynamic event trees under
the control of DENDROS. We have tested this applica- REFERENCES
tion with a pilot case related with the steam generator
water level control during a MBLOCA transient in a CSNI (Ed.) (1998). Proceedings from Specialists Meeting
PWR Westinghouse NPP. The results have been satis- Organized: Human performance in operational events,
factory although further testing is needed. At this stage CSNI.
we are in this process of validation to simulate a com- CSNI-PWG1, and CSNI-PWG5 (1997). Research strategies
for human performance. Technical Report 24, CSNI.
plete set of EOPs that are used in a PWR Westinghouse Expósito, A. and C. Queral (2003a). Generic questions about
NPP. Moreover, we are extending the capabilities of the computerization of the Almaraz NPP EOPs. Technical
the system to incorporate TRACE as an external code report, DSE-13/2003, UPM.
with its corresponding BABIECA wrapper. When this Expósito, A. and C. Queral (2003b). PWR EOPs computeri-
part of the work is completed, a wider simulation will zation. Technical report, DSE-14/2003, UPM.
be available. This will allow to analyze the impact of Izquierdo, J.M. (2003). An integrated PSA approach to inde-
EOPs execution by operators in the final state of the pendent regulatory evaluations of nuclear safety assess-
plant as well as the evaluation of the allowable response ment of Spanish nuclear power stations. In EUROSAFE
times for the manual actions. Forum 2003.
Izquierdo, J.M., J. Hortal, M. Sanchez-perea, E. Meléndez,
R. Herrero, J. Gil, L. Gamo, I. Fernández, J. Esperón,
P. González, C. Queral, A. Expósito, and G. Rodríguez
ACKNOWLEDGMENTS (2008). SCAIS (Simulation Code System for Integrated
Safety Assesment): Current status and applications. Pro-
SIMPROC project is partially funded by the Spanish ceedings of ESREL 08.
Ministry of Industry (PROFIT Program) and SCAIS Izquierdo, J.M., C. Queral, R. Herrero, J. Hortal, M. Sanchez-
project by the Spanish Ministry of Education and Sci- perea, E. Melandez, and R. Muñoz (2000). Role of fast
ence (CYCIT Program). Their support is gratefully Running TH Codes and Their Coupling with PSA Tools,
acknowledged. in Advanced Thermal-hydraulic and Neutronic Codes:
Current and Future Applications. In NEA/CSNI/R(2001)2,
We want to show our appreciation to the people Volume 2.
who in one way or another, have contributed to the NEA (2004). Nuclear regulatory challenges related to human
accomplishment project. performance. Isbn 92-64-02089-6, NEA.
Rasmussen, N.C. (1975). Reactor safety study, an assessment
of accident risks in u. s. nuclear power plants. In NUREG
Reason, J. (1990). Human Error. Cambridge University
ISA Integrated Safety Analysis Press.
SCAIS Simulation Codes System for Integrated Safety Trager, E.A. (1985). Case study report on loss of safety sys-
tem function events. Technical Report AEOD/C504, ffice
Assessment for Analysis and Evaluation of Operational Data. Nuclear
PSA Probabilistic Safety Analysis Regulatory Commission (NRC).
HRA Human Reliability Analysis

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

A preliminary analysis of the ‘Tlahuac’ incident by applying

the MORT technique

J.R. Santos-Reyes, S. Olmos-Peña & L.M. Hernández-Simón

Safety, Risk & Reliability Group, SEPI-ESIME, IPN, Mexico

ABSTRACT: Crime may be regarded as a major source of social concern in the modern world. Very often
increases in crime rates will be treated as headline news, and many people see the ‘law and order’ issue as
one of the most pressing in modern society. An example of such issues has been highlighted by the ‘‘Tláhuac’’
incident which occurred in Mexico City on 23 November 2004. The fatal incident occurred when an angry
crowd burnt alive two police officers and seriously injured another after mistaking them for child kidnappers.
The third policeman who was finally rescued by colleagues (three and half hours after the attack began) suffered
serious injuries. The paper presents some preliminary results of the analysis of the above incident by applying the
MORT (Management Over-sight Risk Three) technique. The MORT technique may be regarded as a structured
checklist in the form of a complex ‘fault tree’ model that is intended to ensure that all aspects of an organization’s
management are looked into when assessing the possible causes of an incident. Some other accident analysis
approaches may be adopted in the future for further analysis. It is hoped that by conducting such analysis lessons
can be learnt so that incidents such as the case of ‘Tláhuac’ can be prevented in the future.

1 INTRODUCTION other hand, rape is generally defined, in the literature,

as a sexual act imposed to the victim by means of
Crime and disorder may comprise a ‘‘vast set of events violence or threats of violence (Griffiths 2004, Puglia
involving behaviour formally deemed against the law et al. 2005). It is recognised that the most common
and usually committed with ‘evil intent’’’ (Ekblom motives for rape include power, opportunity, pervasive
2005). These events range from murder to fraud, theft, anger, sexual gratification, and vindictiveness. Also,
vandalism, dealing in drugs, kidnappings and terrorist it is emphasised that is important to understand the
atrocities that threaten the public safety. Public safety behavioural characteristics of rapists, and the attitudes
may be defined as ‘‘a state of existence in which peo- towards rape victims.
ple, individually and collectively, are sufficiently free
from a range or real and perceived risks centering on 1.1.2 Murdering
crime and disorder, are sufficiently able to cope with Very often murdering is a product of conflict between
those they nevertheless experience, and where unable acquaintances or family members or a by-product
to cope unaided, are sufficiently-well protected from of other type of crime such as burglary or rob-
the consequences of these risks’’ (Ekblom 2005). bery (McCabe & Wauchope 2005, Elklit 2002). It
is generally recognised that the role of cultural atti-
tudes, reflected in and perpetuated by the mass media
1.1 The nature of crime accounts, has a very significant influence in the public
1.1.1 Sexual and rape perception of crime.
It is well documented that sexual assault and abuse
have a profound effect on the victim’s emotional func- 1.1.3 Organized crime
tions, such as grief, fear, self-blame, emotional liabil- The phenomenon of organised crime, such as smug-
ity, including cognitive reactions such as flashbacks, gling or trafficking, is a kind of enterprise driven
intrusive thoughts, blocking of significant details of as a business: i.e., the pursuit of profits (Tucker
the assault and difficulties with concentration (Alaggia 2004, Klein 2005). Smuggling or trafficking is usu-
et al. 2006). The offenders on the other hand display ally understood as the organised trade of weapons or
problems with empathy, perception about others, and drugs, women and children, including refugees, but
management of negative emotions, interpersonal rela- unlike the legal trade, smuggling or trafficking pro-
tionships, and world views (Alalehto 2002). On the vides goods or services, based on market demand

and the possibilities of realising it, that are illegal much more sophisticated. This role includes such as
or socially unacceptable. Lampe and Johansen (2004) developments as DNA testing and evidence, the use
attempt to develop a thorough understanding of organ- of less-than-lethal weapons, increasingly sophisticated
ised crime, by clarifying and specifying the concept forms of identification, and crimes such as identity
of thrust in organise crime networks. They propose theft and a variety of frauds and scams. The use of
four typologies that categorise trust as: (a) individ- scientific evidence and expert witnesses is also a sig-
ualised trust, (b) trust based on reputation, (c) trust nificant issue in the prosecution and adjudication of
based on generalisations, and (d) abstract trust. They offenders. Third, he puts emphasis on public security
show that the existence of these types of trust through and terrorism. This has shaped, and will continue to
the examination of illegal markets. shape, criminal justice in a variety of ways.
Ratcliffe (2005) emphasises on the practice of intel-
1.1.4 Battering ligence driven policing as a paradigm in modern law
Chiffriller et al. (2006) discuss the phenomenon enforcement in various countries (e.g., UK, USA,
called battering, as well as batterer personality and Australia & New Zealand). The author proposes a
behavioural characteristics. Based on cluster analysis, conceptual model of intelligence driven policing; the
they developed five distinct profiles of men who batter model essentially entails three stages: (1) law enforce-
women. And based on the behavioural and personality ment interpret the criminal environment, (2) influence
characteristics that define each cluster, they establish decision-makers, and (3) decision-makers impact on
five categories: (1) pathological batterers, (2) sexu- the criminal environment.
ally violent batterers, (3) generally violent batterers,
(4) psychologically violent batterers, and (5) family-
only batterers. The authors discuss the implications for 1.2 Crime in Mexico City
intervention of these categories. In 1989 the International Crime Victim Survey
(ICVS) was born and since then it has contributed to
1.1.5 Bullying the international knowledge of crime trends in several
Burgess et al. (2006) argue that bullying has become a countries. It is believed that since its conception stan-
major public health issue, because of its connection to dardized victimization surveys have been conducted in
violent and aggressive behaviours that result in seri- more than 70 countries worldwide. The ICVS has been
ous injury to self and to others. The authors define surrounded by a growing interest by both the crime
bullying as a relationship problem in which power research community and the policy makers. A part for
and aggression are inflicted on a vulnerable person providing an internationally standardized indicators
to cause distress. They further emphasise that teasing for the perception and fear of crime across different
and bullying can turn deadly. socio-economic contexts; it also has contributed to
an alternative source of data on crime. Similarly, in
1.1.6 Law enforcement Mexico, four National Crime Victim Surveys (known
Finckenauer (2004) emphasizes that a major push of as ENSI-1, 2, 3 & 4 respectively) have been conducted
the expansion of higher education in crime and justice since 2001. The surveys are intended to help to pro-
studies came particularly from the desire to profes- vide a better knowledge of the levels of crime which
sionalise the police—with the aim of improving police affect the safety of the Mexican citizens (ICESI 2008).
performance. He suggests new and expanded subject- Some key findings of the fourth (i.e., ENSI-4) are
matter coverage. First, criminal-justice educators must summarized in Tables 1 & 2.
recognise that the face of crime has changed—it has
become increasingly international in nature. Examples
include cyber-crime, drug trafficking, human traf- Table 1. Victimization (ICESI 2008).
ficking, other forms of trafficking and smuggling,
Types of crime Percentage (%)
and money laundering. Although global in nature,
these sorts of crimes have significant state and local Robbery 56.3
impact. The author argues that those impacts need to Other types of robbery 25.8
be recognised and understood by twenty-first-century Assault 7.2
criminal-justice professors and students. Increasingly, Theft of items from cars (e.g., accessories) 2.9
crime and criminals do not respect national borders. Burglary 2.4
As a result, law enforcement and criminal justice can- Theft of cars 1.5
not be bond and limited by national borders. Second, Other types of crime 0.4
Kidnappings 2.1
he emphasises the need to recognise that the role Sexual offences 0.8
of science in law enforcement and the administra- Other assaults/threat to citizens 0.6
tion of justice has become increasingly pervasive and

Table 2. Public’s perceptions of crime (ICESI 2008). 18:25 hrs. One of the PFP-police officers tried to
communicate with his superiors at the Headquarters
Activities that have been given but failed in the attempt. It is believe that the reason
up by the public in Mexico City Percentage (%) was because there was a meeting going on at the time
and his superior was unable to assist the call. At about
The Public have been given up:
• going out at night 49.1 the same time, the crowd cheered, chanted obscenities
• going to the football stadium 17.1 as they attacked the officers.
• going to dinner out 19.8 18:30 hrs. A first live TV coverage is being
• going to the cinema/Theater 21.3 broadcasted.
• carrying cash with them 45.4 19:30 hrs. Again, one of the PFP-police officers
• taking public transport 28.1 attempted for the second time to communicate with
• wearing jewellery 56.0 their superiors and it was broadcasted live, and he
• taking taxis 37.0 said ‘‘They are not allowing us to get out, come and
• carrying credit cards with them 38.0
rescue us’’.
• visiting friends or relatives 30.5
• other 1.6 21:20 hrs the regional police director from the
regional police headquarters (it will be called here
as RPHQ) was acknowledged that two police officers
have been burnt alive, he ordered the back-up units to
Overall, the public’s perception of crime shows that 9 intervene and rescue the officers.
out of 10 citizens feel unsafe in Mexico City. More than 22:30 hrs after three and a half hours the bodies of
half of the population believes that crime has affected the two PFP-police officers were recovered.
their quality of life; for example, Table 2 shows that
one in two citizens gave up wearing jewellery, going
out at night and taking cash with them. 3 THE MANAGEMENT OVERSIGHT RISK

2 THE ‘TLAHUAC’ INCIDENT 3.1 Overview of the MORT method

On 23 November 2004 an angry crowd burnt a live The Management Oversight and Risk Tree (MORT)
two police officers and seriously injured another after is an analytical procedure for determining causes and
mistaken them for child kidnappers. The third police contributing factors (NRI-1 2002).
officer was finally rescued by colleagues three and In MORT, accidents are defined as ‘‘unplanned
half hours after the attack began. (The three police events that produce harm or damage, that is, losses’’
officers were members of the branch called ‘‘Fed- (NRI-1 2002). Losses occur when a harmful agent
eral Preventive Police’’, known as ‘‘PFP’’. They were comes into contact with a person or asset. This con-
under the management of the Federal Police Head- tact can occur either because of a failure of prevention
quarters; here it will be called FPHQ). The incident or, as an unfortunate but acceptable outcome of a
occurred at San Juan Ixtayoapan, a neighborhood of risk that has been properly assessed and acted-on (a
approximately 35,000 people on Mexico City’s south- so-called ‘‘assumed risk’’). MORT analysis always
ern outskirts; however, the incident is better known evaluates the ‘‘failure’’ route before considering the
as the ‘Tláhuac’ case. It is believed that the police ‘‘assumed risk’’ hypothesis. In MORT analysis, most
officers were taken photographs of pupils at a pri- of the effort is directed at identifying problems in the
mary school, where two children had recently gone control of a work/process and deficiencies in the pro-
missing. TV reporters reached the scene before police tective barriers associated with it. These problems are
reinforcements, and live cameras caught a mob beat- then analysed for their origins in planning, design,
ing the police officers. However, the head of the FPHQ policy, etc. In order to use MORT key episodes in
said that back-up units were unable to get through for the sequence of events should be identified first; each
more than three and a half hours because of heavy traf- episode can be characterised as: {a} a vulnerable target
fic. The main events are thought to be the following exposed to; {b} an agent of harm in the; {c} absence
(FIA 2004, 2005): of adequate barriers.
MORT analysis can be applied to any one or more
November 23rd 2004 of the episodes identified; it is a choice for you to
17:55 hrs. Residents caught the PFP-police officers make in the light of the circumstances particular to
in plain clothes taking photographs of pupils leaving your investigation. To identify these key episodes, you
the school in the San Juan Ixtlayopan neighbourhood. will need to undertake a barrier analysis (or ‘‘Energy
18:10 hrs. The crowd was told that the three PFP- Trace and Barrier Analysis’’ to give it its full title).
police officers were kidnappers. Barrier analysis allows MORT analysis to be focussed;

it is very difficult to use MORT, even in a superficial
way, without it.

Oversights Assumed
and omissions risks 3.2 Barrier analysis
The ‘‘Barrier analysis’’ is intended to produce a clear
set of episodes for MORT analysis. It is an essential
R1 R2 Rn preparation for MORT analysis. The barrier analysis
Specific Management
Control factors system factors embraces three key concepts, namely: {a} ‘‘energy’’;
LTA LTA {b} ‘‘target’’; and {c} ‘‘barrier’’.
‘‘Energy’’ refers to the harmful agent that threatens
or actually damages a ‘‘Target’’ that is exposed to it.
‘‘Targets’’ can be people, things or processes—any-
Incident Mitigation Policy Implemen- Risk
LTA LTA tation of Assessment thing, in fact, that should be protected or would be
policy LTA System LTA better undisturbed by the ‘‘Energy’’. In MORT, an inci-
MA2 MA3 dent can result either from exposure to an energy flow
Potentially Controls & Energy flows
without injuries or damage, or the damage of a tar-
Vulnerable get with no intrinsic value. ‘‘Barrier’’ part of the title
Harmful Barriers leading
condition LTA accident/incident refers to the means by which ‘‘Targets’’ are kept safe
from ‘‘Energies’’.

Inform- Inspec- Operational Main- Super Supervi-

ation tion readiness tenance vision sion sup-
systems LTA LTA LTA LTA port LTA Table 3. Barrier analysis for the ‘Tlahuac’ incident.
Energy flow Target Barrier
Figure 1. Basic MORT structure.
3-PFP ‘Tlahuac’ PFP-police officers in plain-
(Police Suburb clothes taking pictures of pupils
Officers) leaving school.
Opera- PFP-police officers did not have
tions an official ID or equivalent to
demonstrate that they were
effectively members of the PFP.
No communication between the
PFP-police officers and the local
& regional authorities of the
purpose of their operations in
the neighborhood.
Angry 3-PFP PFP-police officers in plain-
crowd clothes taking pictures of pupils
leaving school.
PFP-police officers did not have
an official ID or equivalent to
demonstrate that they were
effectively PFP-police officers.
Failure to investigate previous
kidnappings by the Police or
Crowd 3-PFP PFP-police officers in plain-
attack clothes taking pictures of pupils
leaving school.
PFP-police officers did not have
an official ID or equivalent to
demonstrate that they were
Figure 2. SB1 branch—‘‘Potentially harmful energy flow or effectively PFP-police officers.
condition’’. (Red: problems that contributed to the outcome; No back-up units.
Green: is judged to have been satisfactory)

3.3 MORT structure On the other hand, the ‘‘Specific and Management’’
branches are regarded as the two main branches in
Figure 1 shows the basic MORT structure. The top
MORT (see Fig. 2). Specific control factors are broken
event in MORT is labelled ‘‘Losses’’, beneath which
down in to two main classes: {a} those related to the
are its two alternative causes; i.e., {1} ‘‘Oversights &
Omissions’’, {2} ‘‘Assumed risks’’. In MORT all
the contributing factors in the accident sequence are
treated as ‘‘oversights and omissions’’ unless they are
transferred to the ‘‘Assumed risk’’ branch. Input to
the ‘‘Oversights and Omissions’’ event is through and
AND logic gate. This means that problems manifest
in the specific control of work activities, necessarily
involve issues in the management process that govern

Figure 5. SC2 branch—‘‘Barriers LTA’’. (Red: problems

that contributed to the outcome; Blue: need more informa-
tion. Green: is judged to have been satisfactory).

Figure 3. SB2 branch—‘‘Vulnerable people’’. (Red: prob-

lems that contributed to the outcome; Blue: need more
information. Green: is judged to have been satisfactory).

Figure 6. SD1 branch—‘‘technical information LTA’’.

Figure 4. SB3 branch—‘‘Barriers & Controls’’. (Red: prob- (Red: problems that contributed to the outcome; Green: is
lems that contributed to the outcome). judged to have been satisfactory).

Figure 7. SD1 branch—‘‘Communication LTA’’. (Red:
problems that contributed to the outcome; Green: is judged
to have been satisfactory).

Figure 9. SD6 branch—‘‘Support of supervision LTA’’.

(Red: problems that contributed to the outcome; Green: is
judged to have been satisfactory).

Figure 8. SD1 branch—‘‘Data collection LTA’’. (Red: prob-

lems that contributed to the outcome; Blue: need more
information. Green: is judged to have been satisfactory).

Figure 10. MB1 branch—‘‘Hazard analysis process LTA’’.

incident or accident (SA1), and {b} those related to
(Red: problems that contributed to the outcome; Blue:
restoring control following an accident (SA2). Both need more information. Green: is judged to have been
of them are under an OR logic gate because either can satisfactory).
be a cause of losses.

energy flow (‘‘crowd attack’’) was considered for the

4 ANALYSIS & RESULTS analysis.
The results of the MORT analysis are presented in
A barrier analysis for the ‘‘Tlahuac’’ incident has been two ways, i.e., the MORT chart and brief notes on
conducted and Table 3 shows the three possible phases the MORT chart. Both need to be read in conjunc-
or episodes. At this stage of the investigation the third tion with the NRI MORT User’s manual (NRI-12002).

blue, to indicate where there is a need to find more
information to properly assess it. Figures 2–11 show
several branches of the MORT chart for the ‘Tlahuac’
Table 4 summarizes some of the findings in brief
of the third phase identified by the Barrier analysis.


A preliminary analysis of the ‘Tlahuac’ incident has

been conducted by applying the MORT technique.
Some preliminary conclusions have been highlighted.
However, it should be pointed out that some of the
branches of the Tree were not relevant or difficult
to interpret in the present case; for example: ‘‘SD2-
Operational readiness LTA’’, ‘‘SD3-Inspection LTA’’,
‘‘SD4-Maintenance LTA’’, etc. It may be argued that
these branches are designed to identify weaknesses in
a socio-technical system; however it may be the case
that they are not suitable for the case of a human activ-
ity system; such as crime. A constraint of the present
Figure 11. MB1 branch— ‘‘Management system factors’’.
study was the difficulty of gathering reliable informa-
(Red: problems that contributed to the outcome; Blue:
need more information. Green: is judged to have been tion of the chain of command within the police force
satisfactory). at the time of the incident.
More work is needed to draw some final conclu-
sions of this fatal incident. The future work includes:
Table 4. Summary of main failures that were highlighted. {1} the circles shown in blue in the chart MORT need
further investigation; {2} the other two ‘‘energy flows’’
• Poor attitude from management (i.e., federal Police & identified by the Barrier analysis should be investi-
Mexico City’s Police organizations) gated; i.e., ‘‘Angry crowd’’ & ‘‘PFP-police officer
• Management laid responsibility to the traffic jams pre- operations’’. Other ‘energy flows’ may be identi-
venting them sending reinforcements to rescue the POs.
fied and investigated. Finally, other accident analysis
• A hazard assessment was not conducted. Even if it was
conducted it did not highlight this scenario. approaches should be adopted for further analysis;
• No one in management responsible for the POs safety these include for example, PRISMA (Van der Schaaf
• Management presumed/assumed that the three POs were 1996), STAMP (Levenson et al. 2003), SSMS model
enough for this operation and did not provide reinforce- (Santos-Reyes & Beard 2008), and others that may be
ments relevant. It is hoped that by conducting such analysis
• Both the Pos and the management did not learn from lessons can be learnt so that incidents such as the case
previous incidents of ‘Tláhuac’ can be prevented in the future.
• Lack of training. The Pos did not know what to do in such
• Lack of support from the management
• No internal checks/monitoring ACKNOWLEDGEMENTS
• No independent checks/monitoring
• Lack of coordination between the Federal & Local police This project was funded by CONACYT & SIP-IPN
organizations under the following grants: CONACYT: No-52914 &
• Lack of an emergency plan of such scenarios. It took four SIP-IPN: No-20082804.
hours to rescue the bodies of two POs and rescue the third


Alaggia, R., & Regehr, C. 2006. Perspectives of justice

In practice, to make the process of making brief notes for victims of sexual violence. Victims and Offenders 1:
on the MORT chart easier to review, it is customary 33–46.
to colour-code the chart as follows: {a} red, where Alalehto, T. 2002. Eastern prostitution from Russia to
a problem is found; {b} green, where a relevant Sweden and Finland. Journal of Scandinavian Studies in
issue is judged to have been satisfactory, and; {c} Criminology and Crime Prevention 3: 96–111.

Burgess, A.W., Garbarino, C., & Carlson, M.I. 2006. Patho- Levenson, N.G., Daouk, M., Dulac, N., & Marais, K. 2003.
logical teasing and bulling turned deadly: shooters and Applying STAMP in accident analysis. Workshop on the
suicide. Victims and Offenders 1: 1–14. investigation and reporting of accidents.
Chiffriller, S.H., Hennessy, J.J., & Zappone, M. 2006. Under- McCabe, M.P., & Wauchope, M. 2005. Behavioural charac-
standing a new typology of batterers: implications for teristics of rapists. Journal of Sexual Aggression 11 (3):
treatment. Victims and Offenders 1: 79–97. 235–247.
Davis, P.K., & Jenkins, B.M. 2004. A systems approach to NRI-1. 2002. MORT User’s Manual. For use with the Man-
deterring and influencing terrorists. Conflict Management agement Oversight and Risk Tree analytical logic diagram.
and Peace Science 21: 3–15. Generic edition. Noordwijk Risk Initiative Foundation.
Ekblom, P. 2005. How to police the future: scanning for ISBN 90-77284-01-X.
scientific and technological innovations which generate Puglia, M., Stough, C., Carter, J.D., & Joseph, M. 2005.
potential threats & opportunities in crime, policing & The emotional intelligence of adult sex offenders: ability
crime reduction (Chapter 2). M.J. Smith & N. Tilley (eds), based EI assessment. Journal of Sexual Aggression 11 (3):
Crime Science—new approaches to prevent & detecting 249–258.
crime: 27–55. Willan Publishing. Ratcliffe, J. 2005. The effectiveness of police intelli-
Elklit, A. 2002. Attitudes toward rape victims—an empirical gence management: A New Zealand case study. Police
study of the attitudes of Danish website visitors. Jour- Practice & Research 6 (5): 435–451.
nal of Scandinavian Studies in Criminology and Crime Santos-Reyes, J., & Beard, A.N. 2008. A systemic approach
Prevention 3: 73–83. to managing safety. Journal of Loss Prevention in the
FIA, 2004. Linchan a agentes de la PFP en Tláhuac. Fuerza Process Industries 21 (1): 15–28.
Informativa Azteca (FIA), Schmid, A.P. 2005. Root Causes of Terrorism: Some concep-
noticias (24/11/2004). tual Notes, a Set of Indicators, and a Model, Democracy
FIA, 2005. Linchamiento en Tláhuac parecía celebración. and Security 1: 127–136.
Fuerza Informativa Azteca (FIA), http://www.tvazteca. The international Crime Victim Survey (ICVS). Online
com/noticias (10/01/2005).
Finckenauer, J.O. 2005. The quest for quality in criminal Tucker, J. 2004. How not to explain murder: a sociological
justice education. Justice Quarterly 22 (4): 413–426. critique of bowling for columbine. Global Crime 6 (2):
Griffiths, H. 2004. Smoking guns: European cigarette 241–249.
smuggling in the 1990’s. Global Crime 6 (2): 185–200. Van der Schaaf, T.W. 1996. A risk management tool based
Instituto Ciudadano de Estudios Sobre la Inseguridad on incident analysis. International Workshop on Process
(ICESI), online Safety Management and Inherently Safer process, Proc.
Klein, J. 2005. Teaching her a lesson: media misses boys’ Inter. Conf. 8–11 October, Orlando, Florida, USA:
rage relating to girls in school shootings. Crime Media 242–251.
Culture 1 (1): 90–97.
Lampe, K.V., & Johansen, P.O. 2004. Organized crime and
trust: on the conceptualization and empirical relevance of
trust in the context of criminal networks. Global Crime
6 (2): 159–184.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Comparing a multi-linear (STEP) and systemic (FRAM) method

for accident analysis

I.A. Herrera
Department of Production and Quality Engineering, Norwegian University of Science and Technology,
Trondheim, Norway

R. Woltjer
Department of Computer and Information Science, Cognitive Systems Engineering Lab,
Linköping University, Linköping, Sweden

ABSTRACT: Accident models and analysis methods affect what accident investigators look for, which con-
tributing factors are found, and which recommendations are issued. This paper contrasts the Sequentially Timed
Events Plotting (STEP) method and the Functional Resonance Analysis Method (FRAM) for accident analy-
sis and modelling. The main issues addressed in this paper are comparing the established multi-linear method
(STEP) with the systemic method (FRAM) and evaluating which new insights the latter systemic method pro-
vides for accident analysis in comparison to the former established multi-linear method. Since STEP and FRAM
are based on a different understandings of the nature of accidents, the comparison of the methods focuses on
what we can learn from both methods, how, when, and why to apply them. The main finding is that STEP helps
to illustrate what happened, whereas FRAM illustrates the dynamic interactions within socio-technical systems
and lets the analyst understand the how and why by describing non-linear dependencies, performance conditions,
variability, and their resonance across functions.

1 INTRODUCTION Researchers have argued that linear approaches fail

to represent the complex dynamics and interdependen-
Analysing and attempting to understand accidents is an cies commonly observed in socio-technical systems
essential part of the safety management and accident (Amalberti, 2001; Dekker, 2004; Hollnagel, 2004;
prevention process. Many methods may be used for Leveson, 2001; Rochlin, 1999; Woods & Cook, 2002).
this, however they often implicitly reflects a specific Recently, systemic models and methods have been
view on accidents. Analysis methods—and thus their proposed that consider the system as a whole and
underlying accident models—affect what investigators emphasize the interaction of the functional elements.
look for, which contributing factors are found, and FRAM (Hollnagel, 2004) is such a systemic
which recommendations are made. Two such methods model. FRAM is based on four principles (Hollnagel,
with underlying models are the Sequentially Timed Pruchnicki, Woltjer & Etcher, 2008). First, the prin-
Events Plotting method (STEP; Hendrick & Benner, ciple that both successes and failures result from the
1987) and the Functional Resonance Accident Model adaptations that organizations, groups and individu-
with the associated Functional Resonance Analysis als perform in order to cope with complexity. Success
Method (FRAM; Hollnagel, 2004, 2008a). depends on their ability to anticipate, recognise, and
Multi-linear event sequence models and methods manage risk. Failure is due to the absence of that abil-
(such as STEP) have been used in accident analysis ity (temporarily or permanently), rather than to the
to overcome the limitations of simple linear cause- inability of a system component (human or technical)
effect approaches to accident analysis. In STEP, an to function normally. Second, complex socio-technical
accident is a special class of process where a pertur- systems are by necessity underspecified and only
bation transforms a dynamically stable activity into partly predictable. Procedures and tools are adapted
unintended interacting changes of states with a harm- to the situation, to meet multiple, possibly conflicting
ful outcome. In this multi-linear approach, an accident goals, and hence, performance variability is both nor-
is viewed as several sequences of events and the system mal and necessary. The variability of one function is
is decomposed by its structure. seldom large enough to result in an accident. However,

the third principle states that the variability of multiple by the co-pilot as ‘‘Pilot-Flying’’ (PF) and the captain
functions may combine in unexpected ways, lead- as ‘‘Pilot Non-Flying’’ (PNF). Shortly after clearance
ing to disproportionately large consequences. Normal to 4000 ft, the crew was informed that runway 19R
performance and failure are therefore emergent phe- was closed because of sweeping and that the landing
nomena that cannot be explained by solely looking at should take place on runway 19L. The aircraft was
the performance of system components. Fourth, the guided by air traffic control to land on 19L. Changing
variability of a number of functions may resonate, of the runway from 19R to 19L resulted in change in
causing the variability of some functions to exceed the go-around-altitude from 4000 ft at 19R to 3000 ft
normal limits, the consequence of which may be an at 19L. The crew performed a quick briefing for a new
accident. FRAM as a model emphasizes the dynam- final approach.
ics and non-linearity of this functional resonance, but During the last part of the flight, while the air-
also its non-randomness. FRAM as a method there- craft was established on the localizer (LLZ) and glide
fore aims to support the analysis and prediction of slope (GS) for runway 19L, the glide slope signal
functional resonance in order to understand and avoid failed. It took some time to understand this for the
accidents. pilots, who had not yet switched to tower (TWR) fre-
quency from APP frequency after acknowledging the
new frequency. Immediately after the glide path sig-
nal disappeared the aircraft increased its descent rate to
2 RESEARCH QUESTIONS AND APPROACH 2200 ft/min while being flown manually towards LLZ-
minima. The aircraft followed a significantly lower
The main question addressed in this paper is which approach than intended and was at its lowest only 460 ft
new insights this latter systemic method provides for over ground level at DME 4,8. The altitude at this dis-
accident analysis in comparison to the former estab- tance from the runway should have been 1100 ft higher.
lished multi-linear method. Since the accident analysis The crew initiated go-around (GA) because the aircraft
methods compared in this paper are based on a dif- was still in dense clouds and it drifted a little from the
ferent understanding of the nature of accidents, the LLZ at OSL. However, the crew did not notice the
comparison of the methods focuses on what we can below-normal altitude during approach. Later a new
learn from both methods, how, when, and why to apply normal landing was carried out.
them, and which aspects of these methods may need The executive summary of the Norwegian Accident
improvement. Investigation Board (AIBN) explains that the investi-
The paper compares STEP and FRAM in relation gation was focused on the glide slope transmission,
to a specific incident to illustrate the lessons learned its technical status and information significance for
from each method. The starting point of the study the cockpit instrument systems combined with cockpit
is the incident investigation report. A short descrip- human factors. The AIBN understanding of the situ-
tion of STEP and FRAM is included. For a more ation attributes the main cause of the incident to the
comprehensive description, the reader is referred to pilots’ incorrect mental picture of aircraft movements
Hendrick and Benner (1987; STEP) and Hollnagel and position. The report concludes that the in-cockpit
(2004; FRAM). Since different methods invite for glide slope capture representation was inadequate. In
different questions to be asked, it was necessary to addition, the report points to a deficiency in the pro-
interview air traffic controllers, pilots, and accident cedure for transfer of responsibility between approach
investigators to acquire more information. The infor- and tower air traffic control. (AIBN, 2004)
mation in this paper was collected through interviews Five recommendations resulted from the AIBN
and workshops involving a total of 50 people. The anal- investigation. The first recommendation is that the
ysis with STEP and FRAM was an iterative process responsibility between controls centres should be
between researchers and operative personnel. transferred 8 NM before landing or at acceptance
of radar hand-over. The second recommendation is
related to the certification of avionics displays, advis-
ing the verification of the information provided to
3 SUMMARY OF THE INCIDENT pilots, with special attention to glide slope and auto-
pilot status information. Third, training should take
A Norwegian Air Shuttle Boeing 737-36N with call- into account glide slope failures after glide slope cap-
sign NAX541 was en-route from Stavanger Sola air- ture under ILS approach. Fourth, Oslo airport should
port to Oslo Gardermoen airport (OSL). The aircraft consider the possibility of providing radar information
was close to Gardermoen and was controlled by Oslo to the tower controller to be able to identify approach
Approach (APP). The runway in use at Gardermoen paths deviations. The last recommendation is for the
was 19R. The aircraft was cleared to reduce altitude to airline to consider situational awareness aspects in the
4000 ft. The approach and the landing were carried out crew resource management (CRM) training.

14:42:36 14:42:55 14:42:57 14:44:02 TIME LINE


TWR FRQ 14:42:36

CONTROL 14:42:57






TO TWR 14:44:02
A/P 14:43:27

Figure 1. STEP applied to NAX541 incident (simplified example).

4 SEQUENTIAL TIMED EVENTS PLOTTING represented in STEP are related to normal work and
help to predict future risks. The safety problems are
STEP provides a comprehensive framework for acci- identified by analysing the worksheet to find events
dent investigation from the description of the accident sets that constitute the safety problem. The identi-
process, through the identification of safety problems, fied safety problems are marked as triangles in the
to the development of safety recommendations. The worksheet. These problems are evaluated in terms of
first key concept in STEP is the multi-linear event severity. Then, they are assessed as candidates for rec-
sequence, aimed at overcoming the limitations of the ommendations. A STEP change analysis procedure
single linear description of events. This is imple- is proposed to evaluate recommendations. Five activ-
mented in a worksheet with a procedure to construct a ities constitute this procedure. The identification of
flowchart to store and illustrate the accident process. countermeasures to safety problems, the ranking of the
The STEP worksheet is a simple matrix. The rows are safety effects, assessment of the trade-off involved the
labelled with the names of the actors on the left side. selection of the best recommendations and a quality
The columns are labelled with marks across a time line. check.
Secondly, the description of the accident is per-
formed by universal events building blocks. An event
is defined as one actor performing one action. To 5 APPLICATION OF STEP TO NAX541
ensure that there is a clear description the events are
broken down until it is possible to visualize the pro- The incident is illustrated by a STEP diagram. Due
cess and be able to understand its proper control. In to page and paper limitations, Figure 1 illustrates a
addition, it is necessary to compare the actual accident small part of the STEP diagram that was created based
events with what was expected to happen. on the incident report. In Figure 1, the time line is
A third concept is that the events flow logically in on along the X-axis and the actors are on the Y-axis.
a process. This concept is achieved by linking arrows An event is considered to mean an actor performing
to show proceed/follow and logical relations between one action. The events are described in event building
events. The result of the third concept is a cascading blocks, for example ‘‘APP request to A/C to change
flow of events representing the accident process from to TWR frequency’’. An arrow is used to link events.
the beginning of the first unplanned change event to the Safety problems are illustrated on the top line by tri-
last connected harmful event on the STEP worksheet. angles in the incident process. Three such problems
The organization of the events is developed and were identified: 1) no communication between air-
visualized as a ‘‘mental motion picture’’. The com- craft 1 (NAX541) and tower (triangle 1 in Figure 1);
pleteness of the sequence is validated with three tests. 2) changed roles between PF and PNF not coordinated;
The row test verifies that there is a complete picture of and 3) pilots not aware of low altitude (2 and 3 not
each actor’s actions through the accident. The column shown in simplified figure).
test verifies that the events in the individual actor rows
are placed correctly in relation to other actors’ actions.
The necessary and sufficient test verifies that the early 6 FUNCTIONAL RESONANCE ANALYSIS
action was indeed sufficient to produce the later event, METHOD
otherwise more actions are necessary.
The STEP worksheet is used to have a link between FRAM promotes a systemic view for accident anal-
the recommended actions and the accident. The events ysis. The purpose of the analysis is to understand

the characteristics of system functions. This method The description of the aspects defines the potential
takes into account the non-linear propagation of events links among the functions. For example, the output of
based on the concepts of normal performance variabil- one function may be an input to another function, or
ity and functional resonance. The analysis consists of produce a resource, fulfil a pre-condition, or enforce
four steps (that may be iterated): a control or time constraint. Depending on the con-
Step 1: Identifying essential system functions, and ditions at a given point in time, potential links may
characterizing each function by six basic parame- become actual links; hence produce an instantiation
ters. The functions are described through six aspects, of the model for those conditions. The potential links
in terms of their input (I, that which the func- among functions may be combined with the results of
tion uses or transforms), output (O, that which the step 2, the characterization of variability. That is, the
function produces), preconditions (P, conditions that links specify where the variability of one function may
must be fulfilled to perform a function), resources have an impact, or may propagate. This analysis thus
(R, that which the function needs or consumes), time determines how resonance can develop among func-
(T, that which affects time availability), and control tions in the system. For example, if the output of a
(C, that which supervises or adjusts the function), and function is unpredictably variable, another function
may be described in a table and subsequently visual- that requires this output as a resource may be per-
ized in a hexagonal representation (FRAM module, formed unpredictably as a consequence. Many such
Figure 2). The main result from this step is a FRAM occurrences and propagations of variability may have
‘‘model’’ with all basic functions identified. the effect of resonance; the added variability under the
Step 2: Characterizing the (context dependent) normal detection threshold becomes a ‘signal’, a high
potential variability through common performance risk or vulnerability.
conditions. Eleven common performance conditions Step 4: Identifying barriers for variability (damping
(CPCs) are identified in the FRAM method to be factors) and specifying required performance moni-
used to elicit the potential variability: 1) availability toring. Barriers are hindrances that may either prevent
of personnel and equipment, 2) training, preparation, an unwanted event to take place, or protect against
competence, 3) communication quality, 4) human- the consequences of an unwanted event. Barriers can
machine interaction, operational support, 5) availabil- be described in terms of barrier systems (the orga-
ity of procedures, 6) work conditions, 7) goals, number nizational and/or physical structure of the barrier)
and conflicts, 8) available time, 9) circadian rhythm, and barrier functions (the manner by which the bar-
stress, 10) team collaboration, and 11) organizational rier achieves its purpose). In FRAM, four categories
quality. These CPCs address the combined human, of barrier systems are identified: 1) physical bar-
technological, and organizational aspects of each func- rier systems block the movement or transportation
tion. After identifying the CPCs, the variability needs of mass, energy, or information, 2) functional bar-
to be determined in a qualitative way in terms of sta- rier systems set up pre-conditions that need to be
bility, predictability, sufficiency, and boundaries of met before an action (by human and/or machine)
performance. can be undertaken, 3) symbolic barrier systems are
Step 3: Defining the functional resonance based on indications of constraints on action that are physi-
possible dependencies/couplings among functions and cally present and 4) incorporeal barrier systems are
the potential for functional variability. The output of indications of constraints on action that are not phys-
the functional description of step 1 is a list of functions ically present. Besides recommendations for barriers,
each with their six aspects. Step 3 identifies instantia- FRAM is aimed at specifying recommendations for
tions, which are sets of couplings among functions for the monitoring of performance and variability, to be
specified time intervals. The instantiations illustrate able to detect undesired variability.
how different functions are active in a defined context.


Step 1 is related to the identification and characteri-

zation of functions: A total of 19 essential functions
Input I O Output were identified and grouped in accordance to the area
of operation. There are no specified rules for the ‘level
of granularity’, instead functions are included or split
up when the explanation of variability requires. In this
Precondition P R Resource particular analysis some higher level functions, e.g.
‘Oslo APP control’, and some lower level functions,
Figure 2. A FRAM module. e.g. ‘Change frq to TWR control’.

The operative areas and functions for this particular Table 2. Manual Flight Approach CPCs.
incident are:
Function: Performance
– Crew operations: Change Runway (RWY) to 19L, Manual approach conditions Rating
New final approach briefing, Auto-pilot approach
(APP), Change APP frequency (frq) to TWR Availability Adequate
frq, Manual approach, GO-AROUND, Landing, of resources
Approach, Receiving radio communication, Trans- (personnel,
mitting radio communication
Training, PF little Temporarily
– Avionics Functions: Disconnect Autopilot (A/P), preparation, experience on type inadequate
Electronic Flight Instrument (EFIS), Ground Prox- competence
imity Warning System (GPWS) Communication Delay to contact Inefficient
– Air traffic control: Oslo APP control, RWY sweep- quality tower
ing, Glideslope transmission, Gardermoen TWR HMI operational Unclear alerts Inadequate
control support
– Aircraft in the vicinity: AC-2 communication, AC-3 Avail. procedures Adequate
communication Work conditions Interruptions? Temporarily
The NAX541 incident report contains information # Goals, conflicts Overloaded More than
that helps to define aspects of functional performance. capacity
Essential functions are described with these aspects. Available time Task synchronisation Temporarily
Table 1 shows an example of the aspects of the function
Circadian rhythm Adjusted
‘‘Manual Approach’’. Similar tables were developed Team collaboration Switched roles Inefficient
for 18 other functions. Org. quality
In step 2 the potential for variability is described using
a list of common performance conditions (CPCs).
Table 2 presents an example of CPCs for the function
‘‘Manual Approach’’.
The description of variability is based on the infor- it is normal and correct to request a runway change
mation registered in the incident report combined with with such a short notice? The interviews identified
a set of questions based on the CPCs. Since little of that there are no formal operational limits for tower
this information regarding variability was available, air traffic controllers, but for pilots there are. Thus
it was necessary to interview operational personnel an understanding of performance and variability was
(air traffic controllers, pilots). An example is for CPC obtained.
‘HMI, operational support’, a question was how aware In step 3 links among functions are identified for
pilots are of these EFIS, GPWS discrepancies, a pilot certain time intervals. States are identified to be valid
stated ‘‘Boeing manuals explain which information is during specific time intervals, which define links
displayed, it is normal to have contradictory informa- among the aspects of functions, hence instantiate
tion. In this case an understanding of the system as a the model. An example instantiation is presented in
whole is required. Pilots needs to judge relevant infor- Figure 3, where some of the links during the time inter-
mation for each situation.’’ An additional example of val 14:42:37–14:43:27 of the incident are described as
questions for the function ‘‘Runway change’’, was if an instantiation of the FRAM that resulted from step
1. Many more such instantiations may be generated,
but here only one example can be shown.
Table 1. A FRAM module function description. To understand the events in relation to links and
functions in this instantiation, numbers 1–5 and letters
Function: a-d have been used to illustrate two parallel processes.
Manual approach Aspect description
Following the numbers first, the APP controller com-
Input GPWS alarms, municates to the pilot that they should contact TWR
pilot informed of G/S failure at the TWR frequency (1). This is an output of ‘Oslo
Output Altitude in accordance with APP control’, and an input to ‘Receiving radio com-
approach path, Altitude lower/ munication’. This latter function thus has as output the
higher than flight path state that transfer is requested to the TWR frequency
Preconditions A/P disconnected (2), which matches the preconditions of ‘Change APP
Resources Pilot Flying, Pilot Non Flying frq to TWR frq’, and ‘Transmitting radio communi-
Time Efficiency Thoroughness Trade- cation’. The fulfilment of this precondition triggers
Off, time available varies
Control SOPs
the pilots to acknowledge the transfer to TWR to the
APP controller (3), an output of transmitting function,

A/C-1 pilot & A/C functions
A/C-1 avionics ept Change
I APP frq to O I
Oslo APP control approach approach
TWR frq
Gardermoen TWR control
Ground equipment P R P R P R
of G/S failure
2)Transfer requested

T C 4) Frequency still
set to APP T C
c) A/P d isconn ected
I ting radio O
comm I O
rad io comm

1) APP -Pilot:
3) Pilot-APP :
con tact TWR I Auto-p ilot O
on TWR frq
to TWR frq 6) Pilot-TWR : b)TWR-pilot:
Fligh t on TWRfrq informa/cof
T C T C G/Sfailure P R

Oslo APP Gardermoen a) G/S lost

con trol I TWR O 14:42:55
con trol

Glide slope

X) Proactive TWR -APP comm:
a) no G/S sign al
check frequency change

Figure 3. A FRAM instantiation during the time interval 14:42:37–14:43:27 with incident data.

input to ‘Oslo APP control’. The pilots however do (d). Concurrently, the loss of G/S no longer fulfils the
not switch immediately after the transfer is requested, precondition of the auto-pilot function, with the result-
hence the output is that the frequency still is set to ing output of A/P being disconnected (c) about half a
APP, for a much longer time than would be intended minute after G/S loss. This in turn no longer fulfils
(indicated by the red ‘O’), and the pilots do not contact the precondition of an auto-pilot approach and instead
TWR (6) until much later. This has consequences for matches the precondition for a manual approach. All
the precondition of receiving/transmitting (4), which of this in turn results in variability on the manual
is being on the same frequency with the control centre approach, e.g. with decreased availability of time,
that has responsibility for the flight. With the delay in inadequate control because of PF-PNF collaboration
frequency change, the link that the pilot is informed problems, and inadequate resources (e.g. displays
of the G/S failure (5) is also delayed. unclear indications of A/P and G/S) resulting in highly
At about the same time, following the letters in variable performance (output) of the manual approach.
Figure 3, ‘Glide slope transmission’ changes output to Step 4 addresses barriers to dampen unwanted vari-
that there is no G/S signal at 14:42:55 (a), because of a ability and performance variability monitoring where
failure of the G/S transmitting equipment (a resource, variability should not be dampened. AIBN recom-
R in red). This makes the TWR controller inform mendations could be modelled as barrier systems and
pilots on the TWR frequency of the G/S failure (b), barrier functions, e.g. ‘‘Responsibility between con-
excluding the incident aircraft crew because of the trol centres should be transferred 8 NM before landing,
unfulfilled precondition because of link (4), delay- or at acceptance by radar hand over.’’ (AIBN, p. 31,
ing the point that the pilot is informed of G/S failure our translation). In FRAM terminology this can be

described as an incorporeal prescribing barrier. This performance varied becomes apparent: For example,
barrier would have an effect on the variability of the the operational limits for runway change for different
APP and TWR control functions through the aspect operators were discussed; the question of why the fre-
of control and the links between input and output in quency change was delayed gets answered based on
various instantiations describing communication and the normal variability in pilot-first-officer-interaction
transfer of responsibility. New suggestions for barriers patterns in cases of experience difference; the pilots’
also result from the FRAM. For example, a proac- unawareness of the low altitude is understandable with
tive communication from TWR to APP when a flight regard to variability related to e.g. team collaboration
does not report on frequency would link their out- and human-machine interface issues.
put and input (see link (X) in Figure 3), triggering STEP provides a ‘‘mental motion picture’’
instantiations of links 1–6 so that control and contact (Hendrick & Benner, 1987, p. 75) illustrating
is re-established. This barrier may be implemented in sequences of events and interactions between pro-
various systems and functions, such as through reg- cesses, indicating what happened when. FRAM
ulation, training, procedures, checklists and display instead sketches a ‘functional slide show’ with its
design, etc. The FRAM also points to the intercon- illustrations of functions, aspects, and emerging links
nectivity of air traffic control and pilot functions, between them in instances, indicating the what and
suggesting joint training of these operators with a wide when, and common performance conditions, vari-
range of variability in the identified functions. As with ability, and functional resonance, indicating why.
any method, FRAM enables the suggestion of barriers FRAM’s qualitative descriptions of variability pro-
(recommendations), which need to be evaluated by vide more gradations in the description of functions
domain experts in terms of feasibility, acceptability, than the bimodal (success/failure) descriptions typical
and cost effectiveness, among other factors. for STEP.
The FRAM and the instantiations that were created In relation to the question of when each method
here also point to the future development of indicators should be used, the type of incident and system to
for matters such as overload and loss of control when be analysed needs to be taken into account. STEP
cockpit crew has significant experience differences. is suited to describe tractable systems, where it is
possible to completely describe the system, the prin-
ciples of functioning are known and there is sufficient
8 COMPARISON knowledge of key parameters. FRAM is better suited
for describing tightly coupled, less tractable systems
Accident models, implicitly underlying an analysis or (Hollnagel, 2008b), of which the system described in
explicitly modelling an adverse event, influence the this paper is an example. Because FRAM does not
elicitation, filtering, and aggregation of information. focus only on weaknesses but also on normal per-
Then, what can we learn from the applications of STEP formance variability, this provides a more thorough
and FRAM to this incident? understanding of the incident in relation to how work
STEP is relatively simple to understand and pro- is normally performed. Therefore the application of
vides a clear picture of the course of the events. FRAM may lead to a more accurate assessment of
However, STEP only asks the question of which events the impact of recommendations and the identifica-
happened in the specific sequence of events under tion of previously unexplored factors that may have
analysis. This means that events mapped in STEP are a safety impact in the future. While the chain of events
separated from descriptions of the normal function- is suited for component failures or when one or more
ing of socio-technical systems and their contexts. For components failed, they are less adequate to explain
example, the STEP diagram illustrates that the PNF’s systems accidents (Leveson, 2001). This can be seen
switch to TWR frequency was delayed, but not why. in the STEP-FRAM comparison here. The STEP dia-
Instead, STEP only looks for failures and safety prob- gram focuses on events and does not describe the
lems, and highlights sequence and interaction between systems aspects: the understanding of underlying sys-
events. FRAM refrains from looking for human errors temic factors affecting performance is left to experts’
and safety problems but tries to understand why the interpretation. FRAM enables analysts to model these
incident happened. Since FRAM addresses both nor- systemic factors explicitly.
mal performance variability and the specifics of an
adverse event, FRAM broadens data collection of the
analysis compared to a STEP-driven analysis: Thus 9 CONCLUSIONS AND PRACTICAL
the development of the incident is contextualized in a IMPLICATIONS
normal socio-technical environment. Through asking
questions based on the common performance condi- This paper presented two accident analysis methods:
tions and linking functions in instantiations, FRAM The multi-sequential STEP and systemic FRAM. The
identified additional factors and the context of why question of how to apply these methods was addressed

by discussing the steps of the methods, illustrated by ACKNOWLEDGEMENTS
applying these methods to a missed approach incident.
This paper concluded that FRAM provides a different This work has benefited greatly from the help and sup-
explanation about how events are a result of variabil- port of several aviation experts and the participants in
ity of normal performance and functional resonance, the 2nd FRAM workshop. We are particularly grateful
compared to STEP. The main finding is that STEP to the investigators and managers of the Norwegian
helps to illustrate what happened, whereas FRAM cov- Accident Investigation Board who commented on a
ers what happened and also illustrates the dynamic draft of the model. Thanks to Ranveig K. Tinmannsvik,
interactions within the socio-technical system and lets Erik Jersin, Erik Hollnagel, Jørn Vatn, Karl Rollen-
the analyst understand the how and why by describ- hagen, Kip Smith, Jan Hovden and the conference
ing non-linear dependencies, performance conditions reviewers for their comments on our work.
and variability, and their resonance across functions.
Another important finding is that it was possible to
identify additional factors with FRAM. STEP inter- REFERENCES
pretations and analysis depends on investigator experi-
ence, FRAM introduces questions for systemic factors AIBN. 2004. Rapport etter alvorlig luftfartshendelse ved
and enables the explicit identification of other relevant Oslo Lufthavn Gardermoen 9. Februar 2003 med Boe-
aspects of the accident. The example also illustrates ing 737-36N, NAX541, operert av Norwegian Air Shuttle.
how unwanted variability propagates such as the infor- Aircraft Investigation Board Norway, SL RAP.:20/2004.
mation about G/S failure and the undesired resonance Amalberti, R. 2001. The paradoxes of almost totally safe
with the differences in pilots’ experience. However, transportation systems. Safety Science, 37, 109–126.
Dekker, S.W.A. 2004. Ten questions about human error: A
several incidents in different contexts would need to new view of human factors and system safety. Mahwah,
be analysed to validate and generalize these findings. NJ: Lawrence Erlbaum.
Two practical implications are found. The first is Hendrick, K., Benner, L. 1987. Investigating accidents with
that FRAM provides new ways of understanding fail- STEP. Marcel Dekker Inc. New York.
ures and successes, which encourages investigators to Hollnagel, E. 2004. Barriers and accident prevention. Alder-
look beyond the specifics of the failure under analysis shot, UK: Ashgate.
into the conditions of normal work. The second is that Hollnagel, E. 2008a. From FRAM to FRAM. 2nd FRAM
it models and analyses an intractable socio-technical Workshop, Sophia-Antipolis, France.
system within a specific context. While FRAM as a Hollnagel, E. 2008b. The changing nature of risks. Ecole des
Mines de Paris, Sophia Antipolis, France.
model has been accepted in the majority of discussions Hollnagel, E., Pruchnicki, S., Woltjer, R., & Etcher, S. 2008.
with practitioners, and seems to fill a need for under- Analysis of Comair flight 5191 with the Functional Res-
standing intractable systems, FRAM as a method is onance Accident Model. Proc. of the 8th Int. Symp. of
still young and needs further development. This paper the Australian Aviation Psychology Association, Sydney,
has contributed to the development of the method by Australia.
outlining a way to illustrate instantiations for a limited Leveson, N. 2001. Evaluating accident models using recent
time interval. An additional need is the identification aerospace accidents. Technical Report, MIT Dept. of
of normal and abnormal variability which this paper Aeronautics and Astronautics.
has addressed briefly. Remaining challenges include Perrow, C. 1999. Normal accidents. Living with high risk
technologies. Princeton: Princeton University Press. (First
a more structured approach to generating recommen- issued in 1984).
dations in terms of barriers and indicators, as well Rochlin, G.I. 1999. Safe operation as a social construct.
as evaluating how well FRAM is suited as a method Ergonomics, 42, 1549–1560.
to collect and organize data during early stages of Woods, D.D., & Cook, R.I. 2002. Nine steps to move forward
accident investigation. from error. Cognition, Technology & Work, 4, 137–144.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Development of a database for reporting and analysis of near misses

in the Italian chemical industry

R.V. Gagliardi
ISPESL Department of Industrial Plants and Human Settlements, Rome, Italy

G. Astarita
Federchimica Italian Federation of Chemical Industries, Milan, Italy

ABSTRACT: Near misses are considered to be an important warning that an accident may occur and therefore
their reporting and analysis may have a significant impact on industrial safety performances, above all for those
industrial sectors involving major accident hazards. From this perspective, the use of a specific information
system, including a database ad hoc designed for near misses, constitutes an appropriate software platform
that can support company management in collecting, storing and analyzing data on near misses, and also
implementing solutions to prevent future accidents. This paper describes the design and the implementation of
such a system, developed in the context of a cooperation agreement with the Italian Chemical Industry Federation.
This paper also illustrates the main characteristics and utilities of the system, together with future improvements
that will be made.

1 INTRODUCTION large number of minor accidents and even more near

misses, representing the lower portion of the pyramid.
The importance of post-accident investigation is As a consequence, reducing the near misses should
widely recognized in industrial sectors involving the mean reducing the incidence of major accidents. In
threat of major accident hazards, as defined in the addition, due to the fact that near misses frequently
European Directive 96/82/CE ‘‘Seveso II’’ (Seveso II, occur in large facilities, they represent a large pool of
1997): in fact, by examining the dynamics and data which is statistically more significant than major
potential causes of accidents, lessons can be learned accidents. This data could be classified and analyzed
which could be used to identify technical and man- in order to extract information which is significant in
agerial improvements which need to be implemented improving safety.
in an industrial context. This is in order to pre- The reporting of near misses, therefore, takes on
vent the occurrence of accidents and/or mitigate their an important role in industrial safety, because it is
consequences. the preliminary step of subsequent investigative activ-
Such investigations are even more significant in the ities aimed at identifying the causes of near misses and
case of near misses, that is, ‘‘those hazardous situ- implementing solutions to prevent future near misses,
ations (events or unsafe acts) that could lead to an as well as more serious accidents. However, a real
accident if the sequence of events is not interrupted’’ improvement in industrial safety level as a whole can
(Jones & al. 1999). Philley & al. 2003, also stated that only be reached if these solutions are disseminated
‘‘a near miss can be considered as an event in which as widely as possible. They must also be in a form
property loss, human loss, or operational difficul- that can be easily and quickly retrieved by all per-
ties could have plausibly resulted if circumstances had sonnel involved at any stage of the industrial process.
been slightly different’’. Their significance, according From this perspective, the use of a specific and widely
to a shared awareness in the scientific world, is due to accessible software system, which is designed for
the fact that near misses are an important warning that facilitating near miss data collection, storage and anal-
a more serious accident may occur. In fact, several ysis, constitutes an effective tool for updating process
studies (CCPS Guidelines, 2003), using the ‘‘pyramid safety requirements.
model’’, suggest a relationship between the number This paper describes the design and implementa-
of near misses and major accidents: for each major tion of such a system, carried out in the context of
accident located at the top of the pyramid there are a a cooperation agreement with the Italian Chemical

Industry Federation. The various steps undertaken for the assumption that a similar approach can benefit
the development of such a system, involved in record- the whole industrial sector involving major accident
ing near misses in the Italian chemical industry, are hazards, the development of an informative system
presented below. for the collection and analysis of near misses in the
chemical process industry, has been undertaken at a
national level. This is thanks to a strong cooperation
2 FRAMEWORK FOR A NATIONWIDE agreement between the Italian National Institute for
APPROACH Prevention and Safety at Work (ISPESL), and Feder-
chimica. ISPESL is a technical-scientific institution
2.1 Legislative background within the Ministry of Health, which supports Ital-
ian Competent Authorities for the implementation of
As a preliminary remark, from a legislative perspec- the Seveso legislation in Italy; in recent decades it
tive, the recommendation that Member States report has acquired wide expertise in post major accidents
near misses to the Commission’s Major Accident investigations and reporting activities, as well as in
Reporting System (MARS) on a voluntary basis has the inspection of establishments which are subject to
been introduced by the European Directive 96/82/EC the Seveso legislation. Federchimica is the Italian fed-
‘‘Seveso II’’. This is in addition to the manda- eration of chemical industries and is comprised of
tory requirements of major accident reporting. More more than 1300 companies, including several estab-
specifically, in annex VI of the Directive, in which lishments which are subject to the Seveso legislation.
the criteria for the notification of an accident to the In Italy, Federchimica leads the ‘‘Responsible Care’’
Commission are specified, is included a recommen- voluntary worldwide programme for the improvement
dation that near misses of particular technical interest of health, safety and environmental performances
for preventing major accidents and limiting their con- in the chemical industry. The authors of this paper
sequences should be notified to the Commission. This hope that a joint effort in the field of near misses
recommendation is included in the Legislative Decree reporting and investigation, incorporating different
n. 334/99 (Legislative Decree n. 334, 1999), the expertises and perspectives from ISPESL and Feder-
national law implementing the Seveso II Directive in chimica, could result in a real step forward in industrial
Italy. safety enhancement.
In addiction further clauses regarding near misses
are included in the above mentioned decree, refer-
ring to the provisions concerning the contents of the 3 SYSTEM DESIGN AND REQUIRED
Safety Management System in Seveso sites. In fact, ATTRIBUTES
the Decree states that one of the issues to be addressed
by operators in the Safety Management System is In the context of the above mentioned cooperation
the monitoring of safety performances; this must be agreement, an informative system has been devel-
reached by taking into consideration, among other oped consisting of a web based software and a
things, the analysis of near misses, functional anoma- database designed for near misses. The system is
lies, and corrective actions assumed as a consequence specifically directed towards companies belonging to
of near misses. Federchimica which have scientific knowledge and
operating experience in the prevention of accidents and
safety control; moreover ISPESL personnel, who are
2.2 State of the art
involved in inspection activities on Seveso sites, are
Although legislation clearly introduces the request for authorized to enter the system in order to acquire all
the reporting of near misses, the present situation, elements useful for enhancing its performances in pre-
in Italy, is that this activity is carried out not on a vention and safety issues. Two main goals have been
general basis but only by a number of companies, taken into account with regard to the project design:
which use their own databases to share learning inter- first, gather as much information as possible on near
nally. It should also be noted that similar initiatives misses events occurring in the national chemical pro-
in this field have been undertaken by public author- cess industry. This is in order to build a reliable and
ities, in some cases, at a regional level. However exhaustive database on this issue. Second, provide
a wider, more systematic and nationwide approach a tool which is effective in the examination of near
for the identification, reporting and analysis of near misses and extraction of lesson learned, and which
misses is lacking. To fill this gap a common software aims to improve industrial safety performances.
platform, not specifically for each individual situation, To meet these requirements a preliminary analysis
facilitating the dissemination of information between of specific attributes to be assigned to the system has
different establishments as well as different industrial been carried out in order to define its essential charac-
sectors, must be implemented. Therefore, based on teristics. The first attribute which has been considered

is accessibility: To allow a wider diffusion, the sys-
tem has been developed in such a way that it is easy
to access when needed. A web-version has therefore near miss
been built, which assures security, confidentiality and
integrity criteria of the data handled. Secondly, in order
to guarantee that the system can be used by both expert reporting phase
and non-expert users, the importance of the system
being ‘‘user-friendly’’ has been an important consid-
eration in its design. The user must have easy access
to the data in the system and be able to draw data from
it by means of pull-down menus, which allow several
options to be chosen; moreover, ‘‘help icons’’ clarify
the meaning of each field of the database to facili- consultation phase
tate data entry. Third, the system must be designed in
such a way as to allow the user to extract information lesson
from the database; to this end it has been provided learned
with a search engine. By database queries and the
subsequent elaboration of results, the main causes of
the near misses and the most important safety mea-
sures adopted to avoid a repetition of the anomaly can Figure 1. Concept of the software system.
be singled out. In this way the system receives data
on near misses from the user and, in return, provides
information to the user regarding the adoption of cor-
of the near misses, and the second is the consultation
rective actions aimed at preventing similar situations
phase, for the extraction of the lessons learned from the
and/or mitigating their consequences. Lastly, the sys-
database, both described in the following paragraphs.
tem must guarantee confidentiality: this is absolutely
necessary, otherwise companies would not be will-
ing to provide sensitive information regarding their 4.1 Near misses reporting phase
activities. In order to ensure confidentiality, the data
are archived in the database in an anonymous form. This part contains all data regarding the near miss and
More precisely, when the user consults the database, is divided into two sections: the first contains all the
the only accessible information on the geographical information about the specific event (time, place, sub-
location of the event regards three macro-areas, North- stances involved etc.); the second provides the causes,
ern, Central and Southern Italy respectively; this is in the post accident measures put into place, and the
order to avoid that the geographical data inserted in the lessons learned. It is worth noting that, in order to
database (municipality and province) in the reporting encourage use of the database, in the selection of fields
phase could lead to the identification of the establish- to be filled in, a compromise was reached between the
ment in which near misses have occurred. Another need to collect as much information as possible, so
factor which assures confidentiality is the use of user- as to enrich the database and the need to simplify the
names and passwords to enter the system. These are completion of the form by the user.
provided by Federchimica, after credentials have been These forms are filled in on a voluntary basis, in
vetted, to any company of the Federation, which has fact. The contents of the two sections are described
scientific knowledge and operating experience in pre- in paragraph 4.1.1 and 4.1.2 respectively. A print-
vention and safety control. In this way, any company, out illustrating the fields contained in section 1 is
fulfilling the above conditions, is permitted to enter the presented in Fig. 2, in which the fields and the
system, in order to load near misses data and consult explanations are shown in Italian.
the database, and have the guarantee of data security
and confidentiality. 4.1.1 Section 1
Geographical location: Municipality and province
where the near miss occurred.
4 DATABASE STRUCTURE Date: The date when the near miss took place.
Time: The time when the near miss took place.
On the basis of the above defined attributes, which Seveso classification: Upper or lower tier establish-
are assigned to the system, the software platform sup- ments.
porting the near misses database has been created and Location: The location where the near miss occurred,
performs two main functions, as illustrated in Fig. 1: either inside the production units, or in the logistic
The first is the reporting phase, for the description units, internal or external.

Figure 2. Section 1 of the near misses database.

Area: Area of establishment in which the near miss Causes: The analysis of causes, including equipment
took place, including production, storage, services, failure, procedural deficiencies or human factors.
utilities or transport units. Each near miss may be triggered by more than
Unit: Depending on the area selected, unit directly one cause. The operational status of the estab-
involved in the near miss. lishment (normal operation, shut down, restart,
Accident description: The description of the accident maintenance), when the near miss took place must
as it was given by the compiler. be specified.
Substances: The substance or the substances involved Damages: The cost of damages provoked by the near
in the near miss. miss.
Corrective actions: Corrective actions that have been
put in place after the near miss in order to avoid a
4.1.2 Section 2 repetition of the event; these actions can be immedi-
Type of event: The types of events which occurred after ate or delayed, and if delayed, can be further divided
a near miss; this is a multi-check field allowing the into technical, procedural or training.
user to select more options simultaneously. Lessons learned: Descriptions of what we have learned
Potential danger: Dangers that could have stemmed from the near miss and what improvements have
from a near miss and that could have resulted in been introduced as a consequence.
more serious consequences if the circumstances had Annex: It is possible to complete the record of any near
been slightly different. miss, adding files in pdf, gif o jpeg format.
Safety measures in place: The kind of safety measures
which are in place, if any, specifying if they have Once this descriptive part is completed, a classifi-
been activated and, if this is the case, if they are cation code will be attributed to any near miss, in order
adequate. that identification is univocal.

Figure 3. Near misses search criteria.

4.2 Near misses consultation phase thus supporting effective training activities. In this
initial phase of the project the first priority has been the
As specified at the beginning of the previous para-
collection of as much near misses data as possible. In
graph, the second part of the software platform
order to reach this goal, the use of the database has been
concerns the extraction of lessons learned by the con-
encouraged among the partners of Federchimica, who
sultation of the database contents. In fact, one of the
are, in fact the main contributors of the data entered.
main objectives of the database is the transfer of tech-
To publicize the use of the software system both the
nical and managerial corrective actions throughout the
institutions responsible for the project, ISPESL and
chemical process industry. The database has therefore
Federchimica, have organized a number of workshops
been supplied with a search engine which aids nav-
in different Italian cities to illustrate the performances
igation through near miss reports, allowing several
and potentialities of the database. The feedback from
options. First, the user is able to visualize all near
the industries with respect to the initiative promoted
misses collected in the database in a summary table,
by ISPESL and Federchimica can be considered, on
illustrating the most important fields, that are, respec-
the whole, positive, at least for those bigger com-
tively, event code, submitter data, event description,
panies which already dedicate economic and human
damages, immediate or delayed corrective actions,
resources to the industrial safety; further efforts are
lessons learned, annex; second, the details of a specific
required to motivate also the smaller enterprises to use
event can be selected by clicking on the correspond-
the database.
ing code. It is also possible to visualize any additional
The system is currently in a ‘‘running in’’ phase,
documents, within the record of the specific event, by
which will provide an in-depth evaluation of its per-
clicking on ‘‘Annex’’. Third, to extract a specific near
formance and identify potential improvements. This
miss from the database, on the basis of one or more
phase involves the analysis of the (approximately) 70
search criteria, a query system has been included in
near misses which are now stored in the database.
the software utilities. This is done by typing a key-
A preliminary analysis of the first data collected shows
word, relevant, for example, to the location, unit,
that, for any near misses reported, all fields contained
year of occurrence, potential danger, etc, as shown
in the database have been filled; this fact represents a
in Fig. 3.
good starting point for an assessment on the quality of
the technical and managerial information gathered, as
well as on the reported lessons learned, which will be
5 RESULTS AND DISCUSSION carried out in the next future. Further distribution to the
competent authorities and to other industrial sectors
Thanks to these functions, the analysis of the database will be considered in a second stage.
contents can provide company management with
the information required to identify weaknesses in the
safety of the industrial facilities, study corrective 6 CONCLUDING REMARKS
actions performed to prevent the occurrence of acci-
dents, prioritize preventive and/or mitigating measures A software system for the collection, storage and anal-
needed, and better understand the danger of specific ysis of near misses in the Italian chemical industry has
situations. Another important function is the transfer been developed for multiple purposes. It allows infor-
of knowledge and expertise to a younger workforce, mation regarding the different factors involved in a

near miss event to be shared and information regarding training activities implemented in the chemical
lessons learned among all interested stakeholders to industry; they should be for all personnel involved
be disseminated in a confidential manner. The sys- in the use of the software system. These training
tem which has been developed attempts to fill a gap activities, to which both ISPESL and Federchimica
which exists in the wide range of databases devoted to may vigorously contribute, are expected to lead to an
process industry accidents. The system also can fulfil enhancement in the quality of the retrieval of the under-
the legal requirements for the implementation of the lying causes of near misses. They should also lead to
Safety Management System; in fact, it offers indus- an increase in the reliability of data stored as well as
try management the possibility of verifying its safety of lessons learned extracted from the database.
performances by analyzing near miss results. Its user-
friendly character can stimulate the reporting of near
misses as well as the sharing of lessons learned, sup- REFERENCES
porting industry management in the enhancement of
safety performances. It is the intention of the authors to Center for Chemical Process Safety, 2003. Investigating
Chemical Process Incidents. New York, American Insti-
continue the work undertaken, creating a wider range tute of Chemical Engineers.
of functions and keeping the database up to date. From European, Council 1997. Council Directive 96/82/EC on
a preliminary analysis carried out on the data collected, the major accident hazard of certain industrial activ-
we realized that, in the near future, a number of aspects ities (‘‘Seveso II’’). Official Journal of the European
regarding the management of near misses will need Communities. Luxembourg.
to be investigated in more depth. For example, the Jones, S., Kirchsteiger, C. & Bjierke, W. 1999. The impor-
screening criteria for the selection of near misses must tance of near miss reporting to further improve safety
be defined. These criteria are necessary for identifying performance. Journal of Loss prevention in the Process
near misses of particular technical interest for prevent- Industries, 12, 59–67.
Legislative Decree 17 August 1999, n. 224 on the control of
ing major accidents and limiting their consequences, major accident hazards involving dangerous substances.
as required by the Seveso legislation. Another element Gazzetta Ufficiale n. 228, 28 September 1999 Italy.
which requires in-depth analysis is the root causes of Philley, J., Pearson, K. & Sepeda, A. 2003. Updated CCPS
near misses, and the corrective measures needed. All Investigation Guidelines book, Journal of Hazardous
the above mentioned issues can benefit from specific Materials, 104, 137–147.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Development of incident report analysis system

based on m-SHEL ontology

Yoshikazu Asada, Taro Kanno & Kazuo Furuta

Department of Quantum Engineering and Systems Science, The University of Tokyo, Japan

ABSTRACT: As increase of complex systems, simple mistakes or failures may cause serious accidents. One
of measures against this situation is to understand the mechanism of accidents and to use the knowledge for
accident prevention. However, analyzing incident reports is not kept up with the pace of their accumulation
at present, and a database of incident reports is utilized insufficiently. In this research, an analysis system of
incident reports is to be developed based on the m-SHEL ontology. This system is able to process incident reports
and to obtain knowledge relevant for accident prevention efficiently.


Recently, the number of complex systems, such as

nuclear systems, air traffic control systems or medical
treatment systems, is increasing with progress in sci-
ence and technology. This change makes our life easy,
but it makes the causes of system failures differently.
With advanced technology, simple mistakes or inci-
dents may cause serious accidents. In other words, it
is important to understand the mechanism of incidents
for avoiding major accidents.
Small accidents or mistakes that occur behind a
huge accident are called incidents. Heinrich found
the relationship between huge accidents and incidents
(Heinrich, 1980). His study showed that there are 29 Figure 1. Heinrich’s law.
small accidents with light injury and 300 near misses
behind one big accident with seriously-injured people
(Figure 1). Bird also found the importance of near-
misses or incidents for accident prevention (Bird & inspection results or incident reports in nuclear power
George, 1969). plants is available to the public.
Of course this ratio will change among different sit- This is an example of good practice for safety
uations, but the important point is the fact that there management. However, though incident reports are
are a lot of non-safety conditions behind a serious collected, they are not always analyzed rightly.
problem. There are several reasons, but main reasons are as
For this reason, to reduce the number of inci- follows:
dents also contributes to decrease the number of major
1. Insufficient expertise for incident analysis
accidents. Nowadays many companies are operating
2. Inconsistent quality of incident reports
an incident reporting system. NUClear Information
Archives (NUCIA), a good example of such a system, Even though a lot of incident reports are com-
is a web site operated by the Japan Nuclear Technology piled, in most cases they are only stored in the
Institute [3]. In this site, lots of information such as database. It is important to solve this problem by

analyzing incident reports using advanced information
processing technologies.
In this study, a conceptual design of an analysis
system of incident reports is proposed, and its verifica-
tion is conducted experimentally. We adopted nuclear
industry as a particular application domain because of
availability of NUCIA.


Figure 2. Diagram of m-SHEL model.
A number of incident reporting systems are now oper-
ated in various areas, but there are some problems. The
problems are twofold.
The first problem is how to make the report. interested person, and the bottom one is other people in
There are two types of reporting schemes: multiple- relation with the central person. This model is shown
choice and freestyle description. Multiple-choice is in Figure 2.
easy to report, because the reporter only have to In Figure 2, there are some gaps between two ele-
choose one or a few items from alternatives already ments. This means that mismatches between different
given. It saves the time of reporting. For this rea- elements may cause an accident. For example, mis-
son, many of existing reporting systems use this understanding of the operation manual may happen
type. But, some important information may be lost in the gap between S and L. To fill the gaps, the
with this reporting scheme. The purpose of incident interface that connects different elements plays an
reporting is to analyze the cause of an incident and important role.
to share the obtained knowledge. If the reports are
ambiguous, it is hard to know the real causes of an
incident. 3.2 COCOM
Second problem is about the error of the contents.
An estimation of the cause or investigation of pre- There are many incidents caused by human behavior,
ventative measures is the very important part of the such as carelessness or rule violation. For this reason,
report. However, there are sometimes mistake of anal- the liveware in the m-SHEL model must be focused on.
ysis. Of course, these parts are complicated, but exact In this study, the COCOM model is applied to incident
description must be needed. analysis.
It is not easy to get rid of these problems, and in The COCOM model was proposed by E. Hollnagel
this study it is assumed that no incident reports are free (Hollnagel, 1993). Hollnagel categorized the state
from these problems. The influence of these problems of human consciousness into the following four
will be discussed later. classes:

• Strategic control (high attention)

• Tactical control
3 ANALYSIS OF HUMAN FACTORS • Opportunistic control
• Scrambled control (low attention)
3.1 m-SHEL model
For analysis of accidents, it is necessary to break According to this model, human consciousness
the whole view of an incident down into elementary changes by the attention level to the task. When work-
factors, such as troubles in devices, lack of mutual ers have high attention to the task, they know well
understanding among staffs, or misunderstanding of how to do the task, and there are no environmental
an operator. Some frameworks for accident analysis causes of an accident. They are doing the task in a
have been proposed such as m-SHEL or 4M-4E. They strategic way.
are originally proposed for risk management, and they Once some problem happens, however, the situa-
can support understanding incidents. tion will change. Workers may lose their countenance,
The m-SHEL model was proposed by Kawano, and sometimes they become scrambled. Under such
et al. (Kawano, 2002). This model classifies acci- situation, it is difficult for them to be able to do the
dent factors into five elements of a system. They task in a strategic or tactical manner.
are m (management), S (software), H (hardware), By focusing on human consciousness based on
E (environment), and L (liveware). In the m-SHEL COCOM, it is able to make a short list of incident
model, there are two livewares. The central one is the causes. It is useful both for causal analysis and for risk

prediction of a similar incident by checking specific 2. Hierarchical structure by is-a link between two
factors. concepts, like ‘‘BMW is a car’’ or ‘‘dog is a
3. Some relationships between different concepts
3.3 Nuclear Information Archives (NUCIA) other than ‘‘is-a link’’, like ‘‘car has an engine’’.
Here, let us look into an example of an incident report 4. Axiom that defines or constrains concepts or
database. links.
In NUCIA, lots of information such as inspection In this study, ontology is defined for analysis of
results or incident reports in nuclear power plants are incidents occurred in nuclear systems as follows:
available to the public. Disclosure of the information
is conducted under the following ideas. 1. A set of concepts necessary for analysis of incidents
in nuclear power plants.
• Various opinions not only from electric power sup- 2. Hierarchical structure. In nuclear engineering, the
pliers but also from industry-government-academia structure of a nuclear power plant and the organi-
communities are useful to solve problems in nuclear zational framework are described.
safety. 3. Relationships. Causality information is defined in
• Increasing transparency to the society contributes this part.
to obtain trust from the public. 4. Definition of axioms. Synonyms are also defined.
Collected information, however, is not utilized An ontology-based system is different from knowl-
enough at present. There are several reasons as edge base systems, expert systems or artificial intel-
follows. ligence. These traditional ways have some problems.
They are:
• The amount of data is enough, but no effective
methods of analysis are available. • Little knowledge is usable in common between
• While some reports are detailed, others are not. different fields.
There is little uniformity in description method. • New information cannot be added to the existent
knowledge base easily.
Under such circumstances, even though there is a
lot of useful information in the database, analysis and Compared with knowledge based system, ontology
application are not kept up with accumulation of data. is meta-level knowledge. In this research, the inci-
dent ontology contains not only detailed knowledge
or case examples (which are traditional knowledge-
3.4 Ontology base), but also association of incidents or causality
information (which are meta-level information). For
Ontology here means relations between concepts like this reason, analysis by ontology based system is more
synonyms or sub concepts. Mizoguchi defines ontol- multidirectional.
ogy as a theory of vocabulary/concepts used for build-
ing artificial systems (Mizoguchi, Kozaki, Sano &
Kitamura). Figure 3 shows an example of ontology. 3.5 m-SHEL ontology
There are four elements in ontology. They are: There are some previous works for computer based
1. A conceptual set which consists of elementally analysis. Chris was proposed case based retrieval
concepts of the intended field. with Semantic Network (Johnson 2003). In his
research, network were made by basic verbal phrases,
such as is_a, makes or resolved_by. David did
document synthesis with techniques like XML or
Semantic Web systems (Cavalcanti & Robertson
In this study, an m-SHEL ontology is developed
using XML (eXtensive Markup Language) (Tim et al.
1998). The m-SHEL ontology is based on incident
reports of NUCIA. In this ontology, each element has
at least one m-SHEL attribution, such as Software or
Environment. All of construction processes, like tag-
ging of attribution or making a hierarchical structure
were done manually. There is an example of XML
description of a concept contained in the m-SHEL
Figure 3. An example of ontology. ontology.

(Information about concept.
This label is for readability.)
(Information about what is this
This is used for searching)
(id of the concept which cause No. 143)
(id of the concept which is caused by No. 143)

The m-SHEL ontology has not only information of Figure 4. A part of m-SHEL ontology.
a hierarchical structure of elements, but also of causal
association. Causality is defined by a link orthogonal There is a weighing factor in the causality. It is
to the concept hierarchy. defined by how many cases are there which have the
Causality is described by XML as follows: same cause in the reports. This weighing factor is used
to decide which causality leads to the most or the least
<causality> likely outcome.
<label> Figure 4 shows a part of the m-SHEL ontology.
(Information about causality.
This label is for readability.)
C-13 After having made the m-SHEL ontology, an analy-
</causality-id> sis system was developed. The flow of this system is
<cause-id> shown below:
147 1. Input an incident data in a text form. This step can
(id of the element which cause C-13) be done both manually and by importing from XML
</cause-id> style files.
<effect-id> 2. In Japanese language, since no spaces are placed
258 between words, morphological analysis is done to
(id of the element which is caused by C-13) the input text. It is explained in Chapter 4.1.
</effect-id> 3. Keywords from the text are selected and mapped
<weight> onto the ontology. Keywords are the words included
0.3 (weighing factor) in the m-SHEL ontology.
</weight> 4. Required information of the incident is structur-
</causality> ized both in the concept hierarchy and causality
In this example, causality labeled 13 is caused by
the concept No.147, and it causes the concept No. 258. Figure 5 shows an example of mapping result. For
These concept numbers are the same as the id of each visualization, only specific elements related to the
element of ontology. incident are shown here.

Figure 5. An example of mapping result.

Visual output function is not implemented in the

current system. Only output in an XML format is avail-
able now. Figure 5 was generated by another diagram
drawing software.

4.1 Morphological analysis

Japanese language is different from English. In
Japanese, no spaces are inserted between two words. If
English sentence is written like Japanese, it is written Figure 6. Fraction of compound nouns detected.
as follows:
This is a sample text. (a) From these points, a following rule is added: con-
In the m-SHEL ontology, it is necessary to separate tinuous Kanji nouns are combined to form a single
each word before applying text mining methods. For technical word. This is very simple change, but around
this step, Mecab (Yet Another Part-of-Speech and 60% of keywords can be found by this rule. Figure 4
Morphological Analyzer) is used [6]. Mecab is able shows the percentage of compound nouns detected for
to convert Japanese style sentences like (a) into to ten arbitrary sample cases of incident reports.
English style sentences like (b).
This is a sample text. (b) 4.2 Deletion of unnecessary parts
Mecab has an original dictionary for morphological Another change to the algorithm is for deletion of
analysis. The default dictionary does not have many unnecessarypartsofreports. Incidentreportssometimes
technical terms. If no improvements have been made, contain information additional to causal analysis.
analysis by Mecab does not work well for incident Exampleofsuchadditionalinformationisonhorizontal
reports, which include a lot of technical words or development, which is to develop lessons learned from
uncommon words. an incident horizontally throughout the company or the
To solve this problem, some change has been made industry. Additional information may sometimes work
to the dictionary and the algorithm of morphological as noises for causal analysis; it is eliminated therefore
analysis. fromreportsbeforeprocessing, ifthepurposeofanalysis
Firstly, some terms used in nuclear engineering does not include horizontal development.
or human factor analysis were added. This way of
improvement is most simple and reliable, but there still 5 VERIFICATION EXPERIMENT
remain some problems. Even though the fields of text
which is dealt with is specialized (in this case, nuclear In this chapter, test analysis of incident reports has
engineering), there are so many necessary words. It is been done using the proposed system. Sample reports
hard to add all of these terms. were from the NUCIA database, which is open to
Moreover, this improvement is required every time the public. Verification experiment was done by the
as the field of application is to be changed, i.e., following steps:
important technical words are different in different
application fields. 1. Before making the m-SHEL ontology, some inci-
Secondly, the algorithm to extract technical words dent reports are set aside. These reports are used
has been adjusted. In Japanese, many technical terms for verification.
are compound nouns, which are formed with more 2. Some reports were analyzed with the system auto-
than two nouns. From a grammatical viewpoint, two matically.
nouns are rarely appeared continuously. Moreover, 3. An expert analyzed the same reports manually to
Japanese Kanji is often used in those words. check the adequacy of analysis by the system.

Table 1. Result of verification test. Another reason for the high ratio is a trend of report-
ing incidents in nuclear industry of Japan that incidents
Case Case Case Case Case Case Case are reported from a viewpoint of failure mechanism of
1 2 3 4 5 6 7 hardware rather than human factors.
This trend also resulted in the low presence of Envi-
m 0/0 1/2 0/1 4/7 2/2 0/1 2/4
S 2/6 3/7 5/6 2/4 1/3 1/2 4/7 ronment or management items. Not only the result of
H 7/18 5/12 6/13 5/12 9/10 0/8 5/7 the system, but also that of the expert marked low
E 0/1 0/0 0/0 2/2 0/1 3/3 0/1 counts for these items. It means that the low scores are
L 2/4 1/5 2/4 2/5 3/4 3/5 4/3 attributable not to the system but to some problems in
c∗ 1/4 0/3 2/4 3/6 4/5 0/2 1/2 the original reports.
On the other hand, the results for Liveware and
∗ Number of causal association. causal association are different from those for Envi-
ronment and management. The results of automatic
analysis for Liveware and causal association also
4. Two results were compared. At this step, we
marked low scores. However, the expert did not mark
focused how many elements and causality relations
so low as the system. It seems this outcome is caused
are extracted automatically.
by some defects in the m-SHEL ontology.
In this study, seven reports were used for verification.
The incidents analyzed are briefly described below:
• automatic trip of the turbine generator due to
breakdown of the excitation equipment, An analysis system of incident reports has been devel-
• automatic trip of the reactor due to high neutron flux oped for nuclear power plants. The method of analysis
of the Intermediate Range Monitor (IRM), adopted is based on the m-SHEL ontology. The result
• impaired power generation due to switching over of of automatic analysis failed to mark high scores in
the Reactor Feed Pump (RFP), and assessment, but it is partly because of the contents
• manual trip of the reactor because of degradation of of the original incident report data. Though there is
vacuum in a condenser. a room for improvement of the m-SHEL ontology,
Result of the test is shown in Table 1. In this table, the system is useful to process incident reports and
each number shows how many concepts contained in to obtain knowledge useful for accident prevention.
the ontology were identified in the input report. The
numbers on the left represent the result obtained by the
system and those on the right the result by the expert. REFERENCES
For example, 3/7 means three concepts were identified
H.W. Heinrich. 1980. Industrial accident prevention: A safety
by the system, and seven by the expert. management approach, McGraw-Hill.
It should be noted here that not the numbers them- Frank E. Bird Jr. & George L. Germain. 1969. Practical Loss
selves are important, but coincidence of the both Control Leadership, Intl Loss Control Inst.
numbers is significant for judging validity of analy- NUCIA: Nuclear Information Archives,
sis by the system. In this research, since the algorithm R. Kawano. 2002. Medical Human Factor Topics. http://
of the system is quite simply designed it is reasonable
to think that analysis by the expert is the reference. If E. Hollnagel. 1993. Human reliability analysis: Context and
the system identified more concepts than the expert, control. Academic Press.
it is probable that the system picked up some noises Riichiro Mizoguchi, Kouji Kozaki, Toshinobu Sano & Yoshi-
nobu Kitamura. 2000. Construction and Deployment of a
rather than the system could analyze more accurately Plant Ontology. Proc. of the 12th International Confer-
than the expert. ence Knowledge Engineering and Knowledge Manage-
ment (EKAW2000). 113–128.
C.W. Johnson. 2003. Failure in Safety-Critical Systems:
6 DISCUSSION A Handbook of Accident and Incident Reporting,
University of Glasgow Press,∼
In Table 1, Hardware elements are relatively well johnson/book/
extracted. Plenty of information related to some parts J. Cavalcanti & D. Robertson. 2003. Web Site Synthesis based
of a power plant, such as CR (control rod) or coolant on Computational Logic. Knowledge and Information
Systems Journal, 5(3):263–287.
water, are included in incident reports. These words MeCab: Yet Another Part-of-Speech and Morphological
are all categorized as Hardware items, so the number Analyzer,
of Hardware items is larger than others. This is the Tim Bray, Jean Paoli, C.M. Sperberg-McQueen (ed.), 1998.
reason why Hardware has a high ratio of appearance. Extensible Markup Language (XML) 1.0: W3C Recom-
A similar tendency is shown with Software elements. mendation 10-Feb-1998. W3C.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Forklifts overturn incidents and prevention in Taiwan

K.Y. Chen & Sheng-Hung Wu

Graduate School of Engineering Science and Technology, National Yunlin University of Science and Technology,
Douliou, Yunlin, Taiwan, ROC

Chi-Min Shu
Process Safety and Disaster Prevention Laboratory, Department of Safety, Health, and Environmental
Engineering, National Yunlin University of Science and Technology, Douliou, Yunlin, Taiwan, ROC

ABSTRACT: Forklifts are so maneuverable that they can move almost everywhere. With stack board, fork-
lifts also have the capability of loading, unloading, lifting and transporting materials. Forklifts are not only
widely used in various fields and regions, but are common in industry for materials handling. Because they are
used frequently, for any incidents such as incorrect forklift structures, inadequate maintenance, poor working
conditions, the wrong operations by forklift operators, and so on, may result in property damages and casual-
ties. The forklifts, for example, may be operated (1) over speed, (2) in reverse or rotating, (3) overloaded, (4)
lifting a worker, (5) on an inclined road, or (6) with obscured vision and so on, which may result in overturn-
ing, crushing the operator, hitting pedestrian workers, causing loads to collapse, lifting a worker high to fall
and so on. The above–mentioned, therefore, will result in adjacent labor accidents and the loss of property.
According to the significant professional disaster statistical data of the Council of Labor Affairs, Executive
Yuan, Taiwan, approximately 10 laborers perish in Taiwan due to forklift accidents annually. This obviously
shows that forklift risk is extremely high. If the operational site, the operator, the forklifts and the work environ-
ment are not able to meet the safety criterion, it can possibly cause a labor accident. As far as loss prevention
is concerned, care should be taken to guard handling, especially for forklift operation. This study provides
some methods for field applications, in order to prevent forklift overturn accidents and any related casualties
as well.

1 INTRODUCTION 1.1 Being struck by forklifts

The driver was obscured by goods piled too high, driv-
According to the significant occupational disaster sta-
ing, reversing or turning the forklift too fast, forgetting
tistical data of the Council of Labor Affairs (CLA),
to use alarm device, turn signal, head lamp, rear lamp
Executive Yuan, Taiwan, forklifts cause approximately
or other signals while driving or reversing, not noticed
10 fatalities annually from 1997 to 2007, as listed
by pedestrian workers or cyclists, or disturbed by the
in Fig. 1 (, 2008). The man-
work environment such as corner, exit and entrance,
ufacturing industry, the transportation, warehousing
shortage of illumination, noise, rain, etc., causing
and communication industry, construction industry
laborers to be struck by forklifts.
are the three most common sectors sharing the high-
est occupational accidents of forklifts in Taiwan, as
listed in Fig. 2. In addition, the forklift accidents were 1.2 Falling from forklifts
ascribed to being struck by forklifts, falling off a fork- The forklift driver lifted the worker high to work by
lift, being crushed by a forklift and overturning, in truck forks, the stack board or other materials but not
order. Similar to the normal cases in the USA, forklift established a work table, used the safety belt, safe
overturns are the leading cause of fatalities involving guard equipment and so on, causing the worker fall
forklift accidents. They represent about 25% of all off the forklifts easily.
forklift–related deaths (NIOSH alert, 2001). Figure 3
reveals that the forklift occupational accidents could 1.3 Collapsing and crushed
be classified into five main occupational accident
types, explained as follows (Collins et al., 1999; Yang, The material handling was not suitable so that the
2006). loads were piled up too high to stabilize well. The mast

Year include collisions with workplace materials, resulting
2007 6 in the collapse of the materials and wounding operators
2006 7 nearby.
2005 10
2004 13
1.4 Collapsing and crushed
2003 10
Because of the high speed of the forklift’s reverse or
rotation, or because of the ascending, the descend-
2001 4
ing, uneven ground, wet slippery ground, soft ground,
2000 16
overly high lifted truck forks, or overloads, the forklifts
1999 10 overturned to crush the operator.
1998 9
1997 12
0 2 4 6 8 10 12 14 16
1.5 Becoming stuck or pinned
Number of fatalities Getting stuck or pinned between the truck forks and
mast or the tires while repairing or maintaining the
Figure 1. Fatalities of forklift accidents in Taiwan, from
1997 to 2007.
forklifts. In other instances, the operator forgot to turn
the forklift off in advance and adjust the goods on
the truck fork, or got off and stood in front of the
forklift and next to the forklift’s dashboard to adjust
the goods. Therefore, when the operator returned to
the driver seat, he (or she) touched the mast operating
Construction 10 lever carelessly, causing the mast backward, and got
his or her head or chest stuck between the mast and
Transportation, overhead guard.
warehousing and 27
communication This study focused on reporting forklifts overturn
accidents and preventing them from occurring. Two
forklifts overturn accidents were described as below
(, 2008;
0 10 20 30 40 50 60 tw/, 2008).
Figure 2. Fatalities from forklift accidents are distributed
in different industries, Taiwan, from 1997 to 2007.

40 Struck 2.1 Case one

35 On December 4, 2005 ca. 1 p.m., a 34-year-old laborer
who drove a forklift to discharge mineral water was
crushed to death by the forklifts. The laborer reversed
25 the forklift into a trailer on a board. The forklift slipped
Number of deaths

Falling and because the wheel deviated from the board. It, then,
17 Crushed Overturn Stuck was turned over, crushing the driver to death, as shown
16 and
15 Pinned in Fig. 4.
Hitting 2.2 Case two
5 4 Others
2 Figure 5 shows that on September 27, 2005 about
11:00 am, an 18-year-old laborer had engaged in
forklift operation, but accidentally hit against the con-
Figure 3. The number of deaths in forklift—accidents is
necting rod of the shelf while driving, and then the
divided into different types, Taiwan, from 1997 to 2007.
forklift overturned, crushing him, and he passed away.
The laborer operated the forklift to lift the cargo up
inclined while the forklift operator was driving so a to a shelf. After laying aside the cargo 7 meters
worker stood on the forklift to assist material han- high, the forklift left the shelf. The forklift moved
dling by holding the goods with hands and so on, without the truck fork being lowered. The forklift’s
which easily made the goods collapse and crushed the mast accidentally hit against the connecting rod and
assistant worker or pedestrians nearby; other disasters inclined. The operator was shocked by the disaster

and escaped quickly from the driver’s seat to the ware-
house entrance. However, the forklift was unable to
stop, decelerate its movement, but was still moving
forward to the warehouse entrance. After the forklift
mast hit against the connecting rod, its center of grav-
ity was changed to the driver seat side. The forklift
reversed in the direction of the warehouse entrance.
The laborer was hit and killed. A similar accident of a
forklift overturning and tipping is pictured in Fig. 6.


The CLA has promulgated the rule of labor safety and

health facilities (CLA, 2007), and the machine tool
Figure 4. Forklift overturns from the ladder. protection standard (CLA, 2001), which became effec-
tive and last modified in 2007 and 2001 for forklift
equipment, measures and maintenance, respectively.
The CLA also has the Rules of Labor Safety Health
Organization Management and Automatic Inspection
(CLA, 2002) for forklifts inspection. The standard
regulates operator training and licensing as well as
periodic evaluations of operator performance. The
standard also addresses specific training require-
ments for forklift operations, loading, seat belts,
overhead protective structures, alarms, and mainte-
nance. Refresher training is required if the operator is
(a) observed operating the truck in an unsafe manner,
(b) involved in an accident or mistake, or (c) assigned
a different type of forklift.

3.1 Forklift equipment, measure and maintenance

Figure 5. Forklift overturns due to hitting against the
connecting rod of the cargo. a. The employer should have safe protective equip-
ment for the moving forklifts and its setup should
be carried out according to the provision of the
machine apparatus protection standard.
b. The employer should make sure that the forklifts
cannot carry the laborer by the pallet or skid of
goods on the forks of forklifts or other part of fork-
lifts (right outside the driver seat), and the driver or
relevant personnel should be responsible for it. But
forklifts those have been stopped, or have equip-
ment or measures to keep laborers from falling, are
not subject to the restriction.
c. The pallet or skid at fork of forklifts, used by the
employer, should be able to carry weight of the
d. The employer should assure that the forks etc. are
placed on the ground and the power of the forklift
is shut off when the forklift operator alights.
e. The employer should not use a forklift without plac-
ing the back racket. The mast inclines and goods
fall off the forklift but do not endanger a laborer,
which is not subjected to the restriction.
f. The employer should have necessary safety and
Figure 6. Forklift overturning and tipping due to overloads. health equipment and measures when the employee

uses a forklift in the place with dangerous which are supplied by all equipment manufacturers
goods. and described the safe operation and maintenance of
g. The employer can not exceed the biggest load that forklifts.
forklifts can bear for the operation, and it trans-
ports of the goods should keep a firmness status
and prevent to turn over. 4 CONCLUSION AND RECOMMENDATIONS

The statistics on fatalities indicate that the three most

3.2 Forklift operation and inspection
common forklift—related fatalities involve overturns,
Under national regulations, CLA requirements for workers being struck or crushed by forklifts, and work-
forklifts operation and inspection are as follows: ers falling from forklifts. The case studies of overturns
indicate that the forklifts, the operating environment,
a. The employer should assign someone who has gone
and the actions of the operator all contribute to fatal
through the special safety and health education and
incidents related to forklifts. Furthermore, these fatal-
personnel’s operation training to operate a fork-
ities reveal that many workers and employers are not
lift with over one metric ton load. The employer
using, or even may be unaware of, safety procedures,
ordering personnel to operate more than one met-
not to mention the proper use of forklifts to reduce
ric ton load forklift should assure that she or he
the risk of injury and death. Reducing the risk of
had accepted 18 hours special training courses for
forklift incidents requires a safe work environment, a
safety and health.
sound forklift, secure work practices, comprehensive
b. The employer should periodically check for the
worker training, and systematic traffic management.
whole of the machine once every year to the
This study recommends that employers and work-
forklifts. The employer should carefully and regu-
ers comply with national regulations and consensus
larly inspected and maintained the brakes, steering
standards, and take the following measures to pre-
mechanisms, control mechanisms, the oil pressure
vent injury when operating or working near forklifts,
equipment, warning devices, lights, governors,
especially avoiding overturn accidents.
overload devices, guard, back racket and safety
devices, lift and tilt mechanisms, articulating axle
4.1 Worker training—employer event
stops, and frame members should be in a safe con-
dition, at least periodically checked once monthly. a. Ensure that a worker does not operate a forklift
c. Based on the rule of labor safe health organiza- unless she or he has been trained and licensed.
tion management and automatic inspection (CLA, b. Develop, implement, and enforce a comprehen-
2002), CLA requires that industrial forklifts must sive written safety program that includes worker
be inspected before being placed in service. They training, operator licensing, and a timetable for
should not be placed in service if the examination reviewing and revising the program. A comprehen-
shows any condition adversely affecting the safety sive training program is important for preventing
of the vehicle. Such examination should be made injury and death. Operator training should address
at least daily. When defects are found, they should factors that affect the stability of a forklift—such
be immediately reported and corrected. as the weight and symmetry of the load, the speed
d. Under all travel conditions, the forklift should be at which the forklift is traveling, operating surface,
operated at a speed that will permit it to be brought tire pressure, driving behavior, and the like.
safely to a stop. c. Train operators to handle asymmetrical loads when
e. The operator should slow down and sound the horn their work includes such an activity.
at cross aisles and other locations where vision is d. Inform laborers that when the forklift overturns
obstructed. jumping out the cockpit could possibly lead to being
f. Unauthorized personnel should not be permitted to crushed by the mast, the roof board, the back racket,
ride on forklifts. A safe place to ride should be the guard rail and the fuselage equipment. In an
provided and authorized. overturn, the laborer should remain in the cockpit,
g. An operator should avoid turning, if possible, and and incline his or her body in the reverse direction
should be alert on grades, ramps, or inclines. Nor- to which the forklift will turn over.
mally, the operator should travel straight up and
down. 4.2 Forklift inspection, maintenance
h. The operator of a forklift should stay with the truck and lifting—employer event
if it tips over. The operator should hold on firmly
and lean away from the point of impact. a. Establish a vehicle inspection and maintenance
In addition to the above regulations, employers b. Ensure that operators use only an approved lift-
and workers should follow operator’s manuals, ing cage and adhere to general safety practices for

elevating personnel with a forklift. Also, secure the c. Do not jump from an overturning forklift. Stay
platform to the lifting carriage or forks. there, hold on firmly and lean in the opposite
c. Provide means for personnel on the platform to shut direction of the overturn, if a lateral tip over occurs.
power off whenever the forklift is equipped with d. Use extreme caution on grades, ramps, or inclines.
vertical only or vertical and horizontal controls for In general, the operator should travel only straight
lifting personnel. up and down.
d. When work is being performed from an elevated e. Do not raise or lower the forks while the forklift is
platform, a restraining means such as rails, chains, moving.
and so on, should be in place, or a safety belt with f. Do not handle loads that are heavier than the weight
lanyard or deceleration device should be worn by capacity of the forklift.
the person on the platform. g. Operate the forklift at a speed that will permit it to
be stopped safely.
h. Look toward the path of travel and keep a clear view
4.3 Workers near forklifts—employer event
of it.
a. Separate forklift traffic from other workers where i. Do not allow passengers to ride on a forklift unless
possible. a seat is provided.
b. Limit some aisles to workers either on foot or by j. When dismounting from a forklift, always set the
forklifts. parking brake, lower the forks, and turn the power
c. Restrict the use of forklifts near time clocks, break off to neutralize the controls.
rooms, cafeterias, and main exits, particularly when k. Do not use a forklift to elevate a worker who is
the flow of workers on foot is at a peak (such as at standing on the forks.
the end of a shift or during breaks). l. Whenever a truck is used to elevate personnel,
d. Install physical barriers where practical to ensure secure the elevating platform to the lifting carriage
that workstations are isolated from aisles traveled or forks of the forklift.
by forklifts.
e. Evaluate intersections and other blind corners to
determine whether overhead dome mirrors could ACKNOWLEDGMENTS
improve the visibility of forklift operators or work-
ers on foot. The authors are deeply grateful to the Institute of Occu-
f. Make every effort to alert workers when a forklift pational Safety and Health, Council of Labor Affairs,
is nearby. Use horns, audible backup alarms, and Executive Yuan, Taiwan, for supplying related data.
flashing lights to warn workers and other forklift
operators in the area. Flashing lights are especially
important in areas where the ambient noise level REFERENCES
is high., 2008;
tw, 2008
4.4 Work environment—employer event U.S. National Institute for Occupational Safety and Health,
a. Ensure that workplace safety inspections are rou- 2001 ‘‘NIOSH alert: preventing injuries and deaths of
workers who operate or work near forklift’’, NIOSH
tinely conducted by a person who can identify Publication Number 2001-109.
hazards and conditions that are dangerous to work- Collins, J.W., Landen, D.D., Kisner, S.M., Johnston, J.J.,
ers. Hazards include obstructions in the aisle, blind Chin, S.F., and Kennedy, R.D., 1999. ‘‘Fatal occupa-
corners and intersections, and forklifts that come tional injuries associated with forklifts, United States,
too close to workers on foot. The person who con- 1980–1994’’, American Journal of Industrial Medicine,
ducts the inspections should have the authority to Vol. 36, 504–512.
implement prompt corrective measures. Yang, Z.Z., 2006. Forklifts accidents analysis and prevention,
b. Enforce safe driving practices, such as obeying Industry Safety Technology, 26–30.
speed limits, stopping at stop signs, and slowing The Rule of Labor Safety and Health Facilities, 2007.
Chapter 5, Council of Labor Affairs, Executive Yuan,
down and blowing the horn at intersections. Taipei, Taiwan, ROC.
c. Repair and maintain cracks, crumbling edges, and The Machine Tool Protection Standard, 2001. Chapter 5,
other defects on loading docks, aisles, and other Council of Labor Affairs, Executive Yuan, Taipei, Taiwan,
operating surfaces. ROC.
The Rule of Labor Safety Health Organization Management
and Automatic Inspection, 2002. Chapters 4 and 5, Coun-
4.5 Workers—labor event cil of Labor Affairs, Executive Yuan, Taipei, Taiwan,
a. Do not operate a forklift unless trained and licensed. ROC.
b. Use seat belts if they are available.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Formal modelling of incidents and accidents as a means for enriching

training material for satellite control operations

S. Basnyat, P. Palanque & R. Bernhaupt

IHCS-IRIT, University Paul Sabatier, Toulouse, France

E. Poupart
Products and Ground Systems Directorate/Generic Ground Systems Office, CNES, Toulouse, France

ABSTRACT: This paper presents a model-based approach for improving the training of satellite control room
operators. By identifying hazardous system states and potential scenarios leading to those states, suggestions
are made highlighting the required focus of training material. Our approach is grounded on current knowledge
in the field of interactive systems modeling and barrier analysis. Its application is shown on a satellite control
room incident.

1 INTRODUCTION 1990) argues that operator training must be supported

by the development of ‘appropriate’ displays. While
Preventing incidents and accidents from recurring is this is true, an appropriate interface of a safety-critical
a way of improving safety and reliability of safety- system may not deter an incident or accident from
critical systems. When iterations of the development occurring (as shown in this paper) if operator training
process can be rapid (as for instance for most web does not accentuate critical actions.
applications), the system can be easily modified and The most efficient way to effectively alter operator
redeployed integrating behavioural changes that would behaviour is through training. However, the design of
prevent the same incident or accident from recurring. the training material faces the same constraints as the
When the development process is more resource con- design of the system itself i.e. that usability, function-
suming by, for instance, the addition of certification ality coverage, task-based structuring, . . . are critical
phases and the need to abide by standards, the design to make training efficient. Indeed, training opera-
and implementation of barriers (Hollnagel 2004) is tors with the wrong information or designing training
considered. Previous research (Basnyat et al. 2007) material that only offers partial coverage of available
proposes the specification and integration of barri- system functions will certainly lead to further failures.
ers to existing systems in order to prevent undesired We have defined a formal description technique
consequences. Such barriers are designed so that they dedicated to the specification of safety-critical interac-
can be considered as patches over an already exist- tive systems. Initial attempts to deal with incidents and
ing and deployed system. These two aforementioned accidents was by means of reducing development time
approaches are potentially complementary (typically, to a minimum making it possible to iterate quickly and
one would be preferred to the other depending on the thus modify an exiting model of the system in a RAD
severity of the failures or incidents that occurred), (Rapid Application Development) way (Navarre et al.
putting the system at the centre of the preoccupations 2001). Less formal approaches to informing operator
of the developers. training have been presented in (Shang et al. 2006) in
Another less common possibility is to adopt an which the authors use 3D technology and scenarios as
operator-centred view and to act on their behaviour a means of improving process safety.
leaving the system as it is. This approach is contradic- As shown in Table 1, certain categories of sys-
tory to typical Human-Computer Interaction philoso- tems cannot accommodate iterative re-designs and
phies (that promote user-centred design approaches thus require the definition and the integration of barri-
which aim to produce systems adapted to the tasks ers on top of the existent degraded system. In (Schupp
and knowledge of the operators) but may be necessary et al. 2006), (Basnyat and Palanque 2006), we pre-
if the system is hard to modify (too expensive, too sented how the formal description technique could
time consuming, unreachable . . .). Norman (Norman be applied to the description of system and human

Table 1. Categorization of types of users and systems.
Identification Examples Barrier
of users Types of users of systems Training availability Response to failure implementation

Anonymous General public Walk-up-and-use None Software/hardware patch Technical barrier

Many General public Microsoft Office Online documentation Software/hardware + online Technical barrier
identifiable only—training offered documentation patch
by third parties
Few Specialists Software Optional—In house and Software/hardware + Technical barrier
identifiable development third parties documentation patch
Pilots Aircraft cockpits Trained—in house only Software/hardware/documen- Socio-technical
tation patch & training barrier
Very few Satellite Satellite control Trained—in house only Software/hardware patch Human barrier
identifiable operators room (unlikely) training

barriers and how the model-level integration allows Modifications to an error-prone version of the training
to assess, a priori, the adequacy and efficiency of the material (both the actual document and its ICO model)
barrier. are performed, so that operator behaviour that led to
The current paper focuses on a new problem cor- the incident/accident is substituted by safer behaviour.
responding to the highlighted lower row of Table 1. As for the work on barriers, the formal descrip-
It corresponds to a research project in collaboration tion technique allows for verifying that the training
with CNES (the French Space Agency) and deals with material covers all the system states including the ones
command and control systems for spacecraft ground known to lead to the accident/incident. We will pro-
segments. In such systems, modifications to the space- vide examples of models based on an example of an
craft are extremely rare and limited in scope which operational procedure in a spacecraft control room.
significantly changes incident and accident manage- The approach provides a systematic way to deal with
ment with respect to systems we have formally worked the necessary increase of reliability of the operations
on such as Air Traffic Control workstations (Palanque of safety-critical interactive systems.
et al. 1997) or aircraft cockpit applications (Barboni The approach uses the following foundations.
et al. 2007), (Navarre et al. 2004). A system model is produced, using the ICO notation,
For the space systems we are currently considering, representing the behaviour and all possible states of the
only the ground system is partly modifiable while the currently unreliable system on which an incident was
embedded system remains mostly unreachable. identified. Using formal analysis techniques, such as
To address the issue of managing incidents and marking graphs for Petri nets, an extraction of all pos-
accidents in the space domain we promote a formal sible scenarios leading to the same hazardous state in
methods approach focussing on operators. This paper which the incident occurred is performed. This ensures
presents an approach that shows how incidents and that not only the actual scenario is identified, but any
accidents can be prevented from recurring by defining additional scenarios as well. A barrier analysis is then
adequate training material to alter operator behaviour. performed, in order to identify which technical, human
The paper illustrates how to exploit a graphical formal and/or socio-technical barriers must be implemented
description technique called Interactive Cooperative in order to avoid such a scenario from reoccurring.
Objects (ICOs) (Navarre et al. 2003), based on high- This however, depends on whether or not the system
level Petri nets, for describing training material and is reachable and modifiable. In the case of technical
operators’ tasks. Using such a formal method ensures barriers, the system model is modified and the same
knowledge of complete coverage of system states as a hazardous scenarios are run on the improved system
means of informing training material. When we talk model as a means of verification. The human barri-
about complete coverage of system states, or unam- ers, based on identification of hazardous states, must
biguous descriptions, we refer to the software part of be realised via modifications to training material and
the global system, which alone can be considered as an selective training.
improvement to what is currently achieved with for- The following section presents related work in the
mal methods for describing states and events which field of model-based training. We then present the
are at the core of any interactive system. Verification case study and an incident in section 3, followed by
techniques can then be used to confront such our training approach to safety in section 4. Section 5
models with the system model of the subsection of briefly presents the ICO formalism and the Petshop
the ground segment and the model of a subsection of support tool used for the formal description of the
the spacecraft in order to assess their compatibility. interactive system. We present in section 6 system

models relating to the reported incident and discuss
how these models can be used to inform training
material in section 7. We then conclude in the final



Though there are few industrial methodological

model-based training systems, this section is dedi-
cated to theoretical approaches and two established
industrial frameworks. Related fields of research that
have dedicated annual international conferences are
Intelligent Tutoring Systems (ITS), Knowledge Based Figure 1. Example of a training scenario (from (Lin 2001)).
Systems and Artificial Intelligence etc.
Such model-based approaches focus on a wide
range of models, including cognitive processes, the While Kontogiannis targets safety and productivity
physical device, user tasks, knowledge, domain etc. in process control, Lin (Lin 2001) presents a Petri-
It appears that the system models, a key factor in net based approach, again focusing on task models,
determining hazardous scenarios and states, are often for dealing with online training systems, showing
omitted or under specified. This will be exemplified that modelled training tasks and training scenarios
in the following paragraphs. analysis can facilitate creating a knowledge base of
The Volpe Center (National Transportation Sys- online training systems. Training plans (TP) and Train-
tems Centre) has designed and implemented training ing scenarios (TS) are proposed. The TS-nets are
programs to satisfy many different types of needs, separated into four areas (see Figure 1).
including systems use training, workforce skills train-
ing, awareness training, change management training, – Simulation area: for simulating the online training
and mission critical training. environment
Although modeling operator knowledge does not – Interface area: for trainee-system interaction
guarantee the safety of an application (Johnson 1997), – Evaluation sub-net: for monitoring and recording
Chris Johnson argues that epistemic logics (a form trainee performance
of textual representation of operator knowledge) can – Instruction area (the focus of the research)
be recruited to represent knowledge requirements for Elizale (Elizalde et al. 2006) presents an Intelli-
safety-critical interfaces. Similarly to our approach, gent Assistant for Operator’s Training (IAOT). The
the formalism highlights hazardous situations but does approach, based on Petri nets takes a derived action
not suggest how to represent this on the interface plan, indicating the correct sequence of actions nec-
to inform and support the operator. Interface design, essary to reach an optimum operation and translates it
based on usability principles, design guidelines, Fitt’s into a Petri net. The Petri net is used to follow the opera-
law (Fitts 1954) etc. is a discipline in its own right and tor’s action and provide advice in the case of a deviation
should be applied after system analysis. from recommended actions. What is different in this
approach, is that the recommended actions are not
user-centred, as with task modeling approaches, but
2.1 Petri-net based methods system-centred as designed by a ‘‘decision-theoretic
In the introduction, Petri nets were advocated as a planner’’.
means of formal graphical representation of a sys-
tem behavior. Within the literature are several Petri
2.2 Frameworks
net-based methods for training purposes.
Kontogiannis (Kontogiannis 2005) uses coloured Within the Model Based Industrial Training (MOBIT)
Petri nets for integrating task and cognitive models project, Keith Brown (Brown 1999) developed Model-
in order to analyse how operators process informa- based adaptive training framework (MOBAT). The
tion, make decisions or cope with suspended tasks and framework consists of a set of specification and real-
errors. The aim is to enhance safety at work. While the isation methods, for model-based intelligent training
approach is based on formal methods, there is no pro- agents in changing industrial training situations. After
posed means of verifying that the identified tasks and a specification of training problem requirements, a
workload are supported by the intended system as no detailed analysis splits into three separate areas for:
system model is presented. (a) a specification of the tasks a trainee is expected

to learn; (b) the specification of expertise and (c) a
specification of the target trainees.
The MOBAT framework includes multiple mod-
els, such as the task model, cognitive model, physical
model and domain model. The closest representation
of a system model in the framework (physical model)
(modeled using specific notations), does not provide
explicit representation of all the system states or of the
human-computer interaction. It does however provide
the facility for a user to request information relating
to past, present and future states (Khan et al. 1998).
A second model-based framework dedicated to
safety-critical domains, is NASA’s Man Machine
Design and Analysis System (MIDAS). MIDAS is a
‘‘a 3D rapid prototyping human performance mod-
eling and simulation environment that facilitates the Figure 2. Typical application interface for sending telecom-
design, visualization, and computational evaluation mands.
of complex man-machine system concepts in simu-
lated operational environments’’ (NASA 2005). The
framework has several embedded models including,
an anthropometric model of human figure, visual
perception, Updatable World Representation (UWR),
decisions, task loading, mission activities. . .
While the related work discussed in this section
focus on model-based training, they do not specifically
target post-incident improvements. For this reason, we
argue that an explicit system model is required, as a
means of identifying hazardous states and scenarios
leading to those states for informing training material
with intention to improve operator awareness.


Figure 3. CNES Octave application interface for sending
Satellites and spacecraft, are monitored and controlled
via ground segment applications in control centres
with which satellite operators implement operational
procedures. A procedure contains instructions such Software Engineering Services Company) and is to
as send telecommand, check telemeasure, wait etc. be used with future satellites such as JASON-2 and
Figure 2 and Figure 3 provide illustrations of typical MeghaTropique. It has the similar interface sections as
applications for managing and sending telecommands the previous example, 1) toolbar, 2) information and
(TC) to spacecraft. To give the reader an idea, the triggering area (detailed information about the TC and
figures have been separated into sections for explana- triggering button for TCs), 3) the current procedure
tory purposes. In Figure 2, section 1 indicates the and 4) the history.
current view type, i.e. the commander, the monitor, the Certain procedures contain ‘‘telecommand that may
support engineer etc as well as the toolbar. Section 2 have potential catastrophic consequences or critical
gives the configuration of the current telecommand consequences e.g. loss of mission, negative inci-
and the mode that the operator must be in, in order to dence on the mission (halt maneuver e.g. and/or on
send that telecommand. Section 3 shows the history the vehicle (switch off of an equipment e.g.). These
of the current procedure and the current mode (opera- telecommands need an individual confirmation by
tional or preparation). Section 4 details the active stack the telecommand operator. This classification is per-
(current procedure). formed at flight segment level and related commands
The second example (Figure 3) is of Octave, A are adequately flagged (‘‘catastrophic’’) in the MDB
Portable, Distributed, Opened Platform for Interopera- (mission database). These hazardous telecommands
ble Monitoring Services (Cortiade and Cros 2008) and have a specific presentation (for example a different
(Pipo and Cros 2006) developed by SSII-CS (French color) in the local stack display.

Figure 4. Hazardous telecommand icon.

The sending of a hazardous TC requires 3 mouse

clicks (as opposed to 2 for non-hazardous telecom-
mands). ‘‘With the exception of the Red Button CAM
command, all operator initiated commands involving
Figure 5. Example of an intercom system.
functions that could lead to catastrophic consequences
shall be three step operations with feedback from the
function initiator after each step prior to the acceptance from the Flight Director. The Commander was thus
of the command.’’ That requirement is extracted from clicking numerous times to send the hazardous TCs.
a specification document at CNES not referenced for The Commander was distracted by technical conversa-
confidentiality reasons. tion regarding a forthcoming operation; his vigilance
Before presenting the incident, we describe here the (see research on situation awareness (Lee 2005 and
correct behaviour for sending a hazardous telecom- Eiff 1999)) was therefore reduced. The Comman-
mand based on the example Monitoring and Control der was involved in this conversation because there
application in Figure 2. The Commanding operator were only 2 team operators at that time as opposed
highlights the TC to be sent and clicks on the send to 3 or 4 that would have been necessary for the
button. The operator should note that the icon inline workload. Two additional operators were holding
with the TC has a yellow ‘‘!’’ indicating that it is a TC technical discussions at less than a meter from the
is classified as hazardous (see lower line of Figure 4). Commander resulting in perturbation to the auditory
After clicking send, a Telecommand Inspection environment.
window appears detailing the TC’s parameters. The A parallel can be drawn between the reduced num-
Commanding operator verifies that the parameters ber of operators in the test phase of the case study,
appear to be correct and clicks on the send TC button. and the situation in ACC Zurich during the Ueberlin-
Following this 2nd click, a red window called Con- gen accident (Johnson 2006). Our approach does not
firmation appears, in the top left hand corner of the attempt to encompass such aspects as we mainly focus
application. At this point, the Commanding operator on the computer part of such a complex socio technical
must use a dedicated channel on the intercom system to system and even more restrictively, its software part.
request confirmation from the Flight Director before As opposed to current research in the field of computer
sending a hazardous TC from the Flight Director. The science we take into account user related aspects of the
communication is similar to ‘‘FLIGHT from COM- computer system including input devices, interaction
MANDER on OPS EXEC: The next TC is hazardous, and visualisation techniques.
do you confirm its sending?’’ and the reply would be
‘‘Commander from FLIGHT on OPS EXEX: GO for
the TC which performs x, y, z. . .’’. After receiving the 4 TRAINING APPROACH TO SAFETY
go-ahead, the Commander can send the TC.
The introduction and related work sections argued for
the use of formal methods and more particularly model-
3.1 The incident
based design for supporting training of operators as
The incident described in this section occurred dur- a means of encompassing all possible system states
ing the test phase of a satellite development. The and identifying hazardous states. Furthermore, it has
Commanding operator sent a TC without receiving been identified (Table 1) that in response to an inci-
confirmation from the Flight Director. There was no dent, such a satellite control room application can
impact on the satellite involved in the tests. often only be made safer via training (a human bar-
The circumstances surrounding the incident were rier), as making modifications to the ground system
the following. Several minutes prior to the incident, can be a lengthy procedure after satellite deploy-
45 hazardous TCs were sent with a global go-ahead ment. We propose, in the following two paragraphs,

two model-based approaches for improving safety
following the hazardous TC incident reported in
section 3.1.

4.1 Changing operator behaviour without system

This approach assumes that modifications to the sys-
tem are not possible. Therefore, changes to operator
behavior are necessary. Using a model representing the
behavior of the system, it is possible to clearly iden-
tify the hazardous state within which operators must
be wary and intentionally avoid the known problem.
The system model will also indicate the pre-conditions
(system and/or external events) that must be met in
order to reach a particular hazardous state providing
an indicator of which actions the operator must not
The advantages of this human-barrier approach lie
in the fact that no modifications to the system are
necessary (no technical barriers required) and is effi-
cient if only several operators lie in the fact that
no modifications to the system are necessary (no
technical barriers required) and is efficient if only
several users are involved (as within a control cen-
tre). We would argue that this is not an ideal solution
to the problem, but that the company would have
to make do with it as a last resort if the system is

4.2 Changing operator behaviour with system Figure 6. Approach to formal modelling of incidents and
modification accidents as a means for enriching training material.
The second proposed approach assumes that the
ground system is modifiable. In the same way as
before, the hazardous state is identified using the The point here is not to force the operator to avoid
system model and preconditions are identified after an action, but to accurately make them learn the new
running scenarios on the system model. A barrier anal- system behavior.
ysis and implementation is then performed (Basnyat,
Palanque, Schupp, and Wright 2007). This implies
localised changes (not spread throughout entire sys- 5 INTERACTIVE COOPERATIVE
tem) to the system behavior. The existing training OBJECTS & PETSHOP
material (if any) must then be updated to reflect the
change in behaviour due to the technical barrier imple- The Interactive Cooperative Objects (ICOs) formal-
mentation. Similarly, localized changes to the train- ism is a formal description technique dedicated
ing material are made from an identified hazardous to the specification of interactive systems (Bastide
system state. et al. 2000). It uses concepts borrowed from the
While modifications to the ground segment may object-oriented approach (dynamic instantiation, clas-
have an impact on the onboard system, it can be con- sification, encapsulation, inheritance, client/server
sidered more reliable as the system will block the relationship) to describe the structural or static aspects
identified hazardous situation. The operators would of systems, and uses high-level Petri nets (Gen-
receive additional differential training (selective train- rich 1991) to describe heir dynamic or behavioural
ing since the behaviour of the system before and aspects.
after modifications is known) for the new behav- An ICO specification fully describes the potential
ior but even if they do not remember, or slip into interactions that users may have with the applica-
old routines, the improved system will block the tion. The specification encompasses both the ‘‘input’’
actions. aspects of the interaction (i.e. how user actions impact

Figure 7. An ICO model for procedure management.

on the inner state of the application, and which models to enable designers to break-down complexity
actions are enabled at any given time) and its ‘‘output’’ into several communicating models. This feature of
aspects (i.e. when and how the application displays the ICO notation has not been exploited in this paper
information relevant to the user). as explanation through one single (even fairly illegi-
An ICO specification is fully executable, which ble model) is better choice for explanatory purposes,
gives the possibility to prototype and test an appli- especially as on paper a model cannot be manipulated.
cation before it is fully implemented (Navarre et al. The diagram has been segregated for explanatory pur-
2000). The specification can also be validated using poses. Part A represents the behavior of an available
analysis and proof tools developed within the Petri list of instructions contained within the procedure.
nets community. In subsequent sections, we use the In this case they are CheckTM (check telemeasure),
following symbols (see Figure 7). Switch (an operator choice), Wait, Warning and TC
(telecommand). These instructions can be seen glob-
– States of the system are represented by the distribu-
ally in part B read from left to right. Parts C and D
tion of tokens into places (the focus of the incident) describe the behaviour for
– Actions triggered in an autonomous way by the sending of a TC (normal and hazardous). For brevity,
system are called transitions these are the only sections of the model that will be
– Actions triggered by users are represented by half discussed in detail.
bordered transition The model is such that the operator may select any
instruction before selecting the instruction he wishes
to implement. However, the instructions must be car-
6 SYSTEM MODEL OF PROCEDURE ried out in a given order defined within the procedure
BEHAVIOUR and correctly restricted by the application. While the
operator is effectuating an instruction (usually on a
Using the ICO formalism and its CASE tool, Pet- separate window superimposed on the list of instruc-
shop (Navarre, Palanque, and Bastide 2003), a model tions), he cannot click on or select another instruction
describing the behavior of a ground segment applica- until his current instruction is terminated. This behav-
tion for the monitoring and control of a non-realistic ior of instruction order restriction is represented with
procedure, including the sending of a hazardous a place OrderX after the terminating click of each
telecommand has been designed. Figure 7 illustrates instruction, a transition Next/Ok.
this ICO model. It can be seen, that as the complexity The ICO tool, Petshop, provides a novel feature
of the system increases, so does the Petri net model. with respect to common Petri nets, called ‘‘virtual
This is the reason why the ICO notation that we use places’’, to increase the ‘‘explainability’’ of models
involves various communication mechanisms between (by reducing the number of crossing arcs in the net).

A virtual place is a partial copy of a normal place. It ‘‘x.equals(‘‘tc’’)’’ and ‘‘x.equals(‘‘tchaza’’)’’ in transi-
adopts the display properties (such as markings) but tions SendTc2_1, SendTc2_2 respectively. If a normal
not the arc connections. The arcs can be connected TC is being treated, only transitions SendTc2_1 and
to normal places or to virtual places. The display is Cancel2 will be fireable. A click on the SendTC button
therefore modified allowing easier reorganisation of (Transition SendTC_1) will terminate the instruc-
models (see (Barboni et al. 2006)). In the ICO pro- tion, sending a token in place Past_instructions. If
cedure model, there are 3 uses of the virtual place; the operator clicks CANCEL, transition Cancel2,
Instruction_List, a place containing tokens represent- the TC is returned to the instruction list ready for
ing the available instructions, Block_Selection, a place reimplementation.
restricting the operator from selecting an instruction
while manipulating another and Past_Instructions, a
place containing the tokens representing instructions 6.2 Sending a hazardous telecommand
that have terminated.
If the TC (token) is of type hazardous, only transitions
Referring back to the incident described, we are
SendTc2_2 and Cancel2 will be fireable. Respect-
particularly interested in the sending of a hazardous
ing the requirements, a 3rd confirmation click is
telecommand. Once the operator has terminated all of
required. After transition SendTc2_2 is fired, place
the instructions preceding the telecommand instruc-
Display_Confirmation receives a token. The key to
tion, transition becomes fireable TC (see upper tran-
the incident described in section 3.1 lies in this
sition of Figure 8) and parts C and D of the model
become the focus of the simulation.
Before clicking for the 3rd time to send the haz-
ardous TC, the operator should verbally request the
Go-Ahead from the Flight Director. The application
6.1 Sending a telecommand modelled allows the operator to click SEND (or
CANCEL) without the Go-Ahead. It is therefore up
When transition Tc is fired, place ReadyToSendTc to the operator to recall the fact that dialogue must be
receives a token. From here, the application allows initiated.
the operator can click SEND (the red button next to Part D in Figure 7 represents the potential scenarios
number 2 in Figure 2). This is represented by transition available, if transition DialogWithFD is fired, a token
SendTc1. After this external event has been received, is received in place RequestPending (representing the
place Display_TC_inspection receives a token. In operator initiating dialogue with the Flight Director).
this state, the application displays a pop-up window This part of the complete model is shown in Figure 9.
and the operator can either click SEND or CAN- For improved legibility, the virtual places represent-
CEL. In the model, transitions SendTc2_1, SendTc2_2 ing Block_selection and Past_instructions_have been
and Cancel2 become fireable. The two Send transi- removed from the diagram. For simulation purposes,
tions identify the value of the token (x) currently in the transition DialogWithFD is represented using the
place Display_TC_inspection, to determine whether autonomous type of transition even though the event
it is a normal TC or a hazardous TC. The code is external to the system behaviour. The action does

Figure 8. Send TC section of complete model (part C of

Figure 7). Figure 9. Request go-ahead (part D of Figure 7).

not involve the operator clicking a button on the inter- improvements to the modelled application assuming
face. Rather, this action can be considered as a human system modifications cannot and subsequently can
cognitive task and subsequently physical interac- be made. Each suggestion includes a barrier classi-
tion with an independent communication system (see fication according to Hollnagel’s Barrier systems and
Figure 5). barrier functions (Hollnagel 1999).
Tokens in places RequestPending and FlightDirec-
tor allow transition RequestGoAheadFD to be fire-
able. This transition contains the statement y=fd. 7.1 Without system modifications
If the application cannot be modified, training should
It is important to note, that data from the token
focus on operator behaviour between the 2nd and
in place FlightDirector would come from a sepa-
3rd click for sending a hazardous TC. Section 6.2
rate model representing the behaviour of the Flight
identifies that the process of establishing dialogue
Director (his interactions with control room mem-
with the Flight Director as being potentially com-
bers etc). Once place Result receives a token,
pletely excluded from the operational procedure. This
4 transitions to be fireable: Go, WaitTimeAndGo,
is why part D of Figure 7 is intentionally segre-
WaitDataAndGo and NoGo, representing the possi-
ble responses from the Flight Director. Again, these
Training of operators concerning this behaviour
transitions (apart from the one involving time) are
should explicitly highlight the fact that although they
represented using autonomous transitions. While they
can click the SEND button without actually receiv-
are external events; they are not events existing
ing the Go-Ahead from the Flight Director, that it is
in the modelled application (i.e. interface buttons).
imperative to request the Go-Ahead. A ‘‘go-around’’
These are verbal communications. In the case of each
and potential support technique would be to use a
result, the operator can still click on both SEND
paper checklist. This suggestion is an immaterial bar-
and FAIL on the interface, transitions SendTc3_x and
rier system with barrier functions Monitoring and
Cancel3_ x in Figure 9. We provide here the expla-
nation of one scenario. If the token (x) from the
FlightDirector place contains the data ‘‘WaitTime’’,
then transition WaitTimeAndGo, (containing the state-
ment y==‘‘WaitTime’’) is fireable taking the value 7.2 With system modifications
of ‘‘y’’. Assuming the application is modifiable, an improve-
Within the scenario in which the operator must ment in system reliability could be achieved using
wait for data (from an external source) before clicking several technical (software) barriers.
SEND, the model contains references to an exter-
nal service (small arrows on places SIP_getData, – Support or replace the current verbal Go-Ahead
SOP_getData and SEP_getData, Service Input, Out- with an exchange of data between the two parties.
put and Exception Port respectively. When in state Functional barrier system with hindering barrier
WaitingForData a second model, representing the ser- function
vice getData would interact with the current procedure – Modify the application so that the Go-Ahead data is
model. requested and sent via interaction with the interface,
the packet would contain information necessary for
the Flight Director to make a decision. Functional
7 MODEL-BASED SUPPORT FOR TRAINING barrier system with soft preventing barrier function.
– Change the 3rd SEND button behaviour, so that it
The aim of the approach presented in this paper, is is disabled pending receipt of the Go-Ahead packet
to use a model-based representation of current system (including timer and additional data if necessary).
behaviour (in this case after an incident) to support Functional barrier system with soft preventing bar-
training of operators in order to improve reliability in rier function.
a satellite control room. – Although the application analysed has a very vis-
The analysis and modelling of the monitoring ible red window providing the 3rd SEND but-
and control application including operator interac- ton (as demanded in the system requirements),
tions, and reported incident enables us to identify a it does not include any form of reminder to
hazardous state: After transition SendTc2_2 is fired the operator that dialogue with Flight Direc-
(2nd confirmation of a hazardous TC) and place tor must established. The 3rd pop-up window
Display_Confirmation contains a token. should thus display text informing the opera-
Table 1 highlights that the only likely response to tor of the data exchange process. Symbolic bar-
a failure in a satellite control room is to modify oper- rier system with regulating and indicating barrier
ator training. The following two subsections provide functions.

8 CONCLUSIONS AND FURTHER WORK Cortiade, E. and PA Cros. 2008. OCTAVE: a data model-
driven Monitoring and Control system in accordance
We have presented a model-based approach for with emerging CCSDS standards such as XTCE and
identifying human-computer interaction hazards and SM&C architecture. SpaceOps 2008 12–16 May 2008,
their related mitigating human (training) and tech- Heidelberg, Germany.
Eiff, G.M. 1999. Organizational safety culture. In R.S. Jensen
nical (software) barriers, classified according to (Ed.). Tenth International Symposium on Aviation Psy-
Hollnagel’s barrier systems and barrier functions chology (pp. 778–783). Columbus. OH: The Ohio State
(Hollnagel 1999). University.
The approach, applied to a satellite ground segment Elizalde, Francisco, Enrique Sucar, and Pablo deBuen. 2006.
control room incident, aids in identifying barriers such ‘‘An Intelligent Assistant for Training of Power Plant
as symbolic and immaterial barriers, necessary in the Operators.’’ pp. 205–207 in Proceedings of the Sixth
case where the degraded system is not modifiable. IEEE International Conference on Advanced Learning
These barriers may not have been considered within Technologies. IEEE Computer Society.
the development process, but have been identified Fitts, P.M. 1954. ‘‘The Information Capacity of the
Human Motor System in Controlling the Amplitude of
using the system model. Movement. . .’’.
We have used the ICO formal description technique Genrich, H.J. 1991. ‘‘Predicate/Transitions Nets, High-
(a Petri net based formalism dedicated to the mod- Levels Petri-Nets: Theory and Application.’’ pp. 3–43 in.
elling of interactive systems) to model the monitoring Springer Verlag.
and control of an operational procedure using a satel- Hollnagel, E. 1999. ‘‘Accidents and barriers.’’ pp. 175–180
lite ground segment application. The model provides in Proceedings CSAPC’99, In J.M. Hoc, P. Millot,
explicit representation of all possible system states, E. Hollnagel & P.C. Cacciabue (Eds.). Villeneuve d’Asq,
taking into account human interactions, internal and France: Presses Universitaires de Valenciennes.
external events, in order to accurately identify haz- Hollnagel, E. 2004. ‘‘Barriers and Accident Prevention.’’
ardous states and scenarios leading to those states via
Johnson, C.W. 1997. ‘‘Beyond Belief: Representing
human-computer interactions. Knowledge Requirements For The Operation of Safety-
Critical Interfaces.’’ pp. 315–322 in Proceedings of
the IFIP TC13 International Conference on Human-
Computer Interaction. Chapman & Hall, Ltd http://portal.
This research was financed by the CNES R&T Tortuga (Accessed February 26, 2008).
project, R-S08/BS-0003-029. Johnson, C.W. 2006. Understanding the Interaction Between
Safety Management and the ‘Can Do’ Attitude in
Air Traffic Management: Modelling the Causes of
the Ueberlingen Mid-Air Collision. Proceedings of
REFERENCES Human-Computer Interaction in Aerospace 2006, Seat-
tle, USA, 20–22 September 2006. EDITORS F. Reuzeau
Barboni, E, D Navarre, P Palanque, and S Basnyat. 2007. and K. Corker.Cepadues Editions Toulouse, France.
‘‘A Formal Description Technique for the Behavioural pp. 105–113. ISBN 285428-748-7.
Description of Interactive Applications Compliant with Khan, Paul, Brown, and Leitch. 1998. ‘‘Model-Based Expla-
ARINC Specification 661.’’ Hotel Costa da Caparica, nations in Simulation-Based Training.’’ Intelligent Tutor-
Lisbon, Portugal. ing Systems.
Barboni, E, D Navarre, P Palanque, and S Basnyat. 2006. (Accessed February 20, 2008).
‘‘Addressing Issues Raised by the Exploitation of For- Kontogiannis, Tom. 2005. ‘‘Integration of task networks and
mal Specification Techniques for Interactive Cockpit cognitive user models using coloured Petri nets and its
Applications.’’ application to job design for safety and productivity.’’
Basnyat, S, and P Palanque. 2006. ‘‘A Barrier-based Cogn. Technol. Work 7:241–261.
Approach for the Design of Safety Critical Interactive Lee, Jang R, Fanjoy, Richard O, Dillman, Brian G. The
Application.’’ vol. Guedes Soares & Zio (eds). Estoril, Effects of Safety Information on Aeronautical Decision
Portugal: Taylor & Francis Group. Making. Journal of Air Transportation.
Basnyat, S, P Palanque, B Schupp, and P Wright. 2007. ‘‘For- Lin, Fuhua. 2001. ‘‘Modeling online instruction knowledge
mal socio-technical barrier modelling for safety-critical using Petri nets.’’ pp. 212–215 vol.1 in Communications,
interactive systems design.’’ Special Edition of Elsevier’s Computers and signal Processing, 2001. PACRIM. 2001
Safety Science. Special Issue safety in design 45:545–565. IEEE Pacific Rim Conference on, vol. 1.
Bastide, R, O Sy, P Palanque, and D Navarre. 2000. ‘‘Formal NASA. 2005. ‘‘Man-machine Integration Design and
specification of CORBA services: experience and lessons Analysis System (MIDAS).’’ http://human-factors.arc.
learned. . .’’ ACM Press. (Accessed Febru-
Brown, Keith. 1999. ‘‘MOBIT a model-based framework for ary 19, 2008).
intelligent training.’’ pp. 6/1–6/4 in Invited paper at the Navarre, D, P Palanque, and R Bastide. 2004. ‘‘A Formal
IEEE Colloqium on AI. Description Technique for the Behavioural Description

of Interactive Applications Compliant with ARINC 661 Palanque, P, R Bastide, F Paterno, R Bastide, and F Paterno.
Specification.’’ 1997. ‘‘Formal Specification as a Tool for Objective
Navarre, D, P Palanque, and R Bastide. 2003. ‘‘A Tool- Assessment of Safety-Critical Interactive Systems. . . ’’
Supported Design Framework for Safety Critical Interac- Sydney, Australia: Chapman et Hall.
tive Systems.’’ Interacting with computers 15/3:309–328. Pipo, C, and C.A Cros. 2006. ‘‘Octave: A Portable, Dis-
Navarre, D, P Palanque, R Bastide, and O Sy. 2001. ‘‘A tributed, Opened Platform for Interoperable Monitoring
Model-Based Tool for Interactive Prototyping of Highly Services.’’ Rome, Italy.
Interactive Applications.’’ Schupp, B, S Basnyat, P Palanque, and P Wright. 2006.
Navarre, D, P Palanque, R Bastide, and O Sy. 2000. ‘‘A Barrier-Approach to Inform Model-Based Design of
‘‘Structuring Interactive Systems Specifications for Exe- Safety-Critical Interactive Systems.’’
cutability and Prototypability.’’ pp. 97–109 in, vol. no, Shang, P.W.H., L Chung, K Vezzadini, K Loupos, and
1946. Lecture Notes in Computer Science, Springer. W Hoekstra. 2006. ‘‘Integrating VR and knowledge-
Norman, D.A. 1990. ‘‘The ‘Problem’ with Automation: based technologies to facilitate the development of oper-
Inappropriate Feedback and Interaction, not ‘Over- ator training systems and scenarios to improve process
Automation Philosophical Transactions of the Royal Soci- safety.’’ vol. Guedes Soares & Zio (eds). Estoril, Portugal:
ety of London. Series B, Biological Sciences 327:585–593. Taylor & Francis Group.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Hazard factors analysis in regional traffic records

M. Mlynczak & J. Sipa

Wroclaw University of Technology, Poland

ABSTRACT: Road safety depends mainly on traffic intensity and conditions of road infrastructure. More
precisely, one may found many more factors influencing safety in road transportation but process of their
perception, processing and drawing conclusions by the driver while driving is usually difficult and in many cases
fall behind the reality. Diagnostic Aided Driving System (DADS) is an idea of supporting system which provides
driver with selected, most useful information which reduces risk due to environment, weather conditions as well as
statistics of past hazardous events corresponding to given road segment. Paper presents part of the project aiming
to describe relations and dependencies among different traffic conditions influencing number of road accidents.

1 FOREWORD Undesired road events are described and stored in

reports created by rescue services consisting mainly
Road traffic is defined as movement of road vehicles, by fire brigade and police divisions. Precise accident
bicycles and pedestrians. The most important features identification requires giving the following facts:
of the traffic is effective and safe transportation of
passengers and goods. Traffic takes place in complex • exact date and time of the event (day time, week day,
system consisting of road infrastructure, vehicle oper- month, season),
ators, vehicles and weather conditions. Each of these • place of the event (number of lanes and traffic dir-
factors is complex and undergoes systematic and ran- ections, compact/dispersed development, straight/
dom changes. Safety is provided in that system by the bend road segment, dangerous turn, dangerous
means of safety in soft (law, regulations, and local slope, top of the road elevation, road crossing
rules) and hard form (traffic signals, barriers, etc.). In region, of equal importance or subordinated, round-
this light an accident is a fact of violation of certain about, pedestrian crossing, public transport stop,
safety condition. In the idea of MORT (Wixon 1992) it tram crossing, railway sub grade, railway crossing
might be understood as releasing some energy stored unguarded/guarded, bridge, viaduct, trestle bridge,
in transportation system. pavement, pedestrian way, bike lane, shoulder,
Analysis of accident reports, databases and papers median strip, road switch-over, property exit),
creates an image of necessary and sufficient conditions • severity of consequences (collision, crash, catastro-
leading to undesired road event. phe),
• collision mode (collision in motion [front, side,
rear], run over [a pedestrian, stopped car, tree,
lamp-post, gate arm, pot-hole/hump/hole, animal],
vehicle turn-over, accident with passenger, other),
• cause/accident culprit (driver, pedestrian, passen-
2.1 Accident description
ger, other reasons, complicity of traffic actors),
Polish road rescue system is based on fire service. • accidents caused by pedestrian (standing, lying in
In emergency the suitable database is created. The the road, walking wrong lane, road crossing by
database described in this paper concerns the south- red light, careless road entrance [before driving
western region of Poland, Lower Silesia. Period con- car; from behind the car or obstacle], wrong road
tained in work-sheets covers years 1999–2005. From crossing [stopping, going back, running], crossing
thousands of records information dealing with road at forbidden place, passing along railway, jumping
accidents was selected. in to vehicle in motion, children before 7 year old
The most important element of an accident descrip- [playing in the street, running into the street], other),
tion is its identification in time and road space. An • cause/vehicle maneuver (not adjusting speed to traf-
accident description includes always the same type of fic conditions, not observing regulations not giving
information. free way, wrong [overtaking, passing by, passing,

driving over pedestrian crossing, turning, stopping,
parking, reverse a car], driving wrong lane, driv-
ing by red light, not observing other signs and
signals, not maintaining safe distance between vehi-
cles, rapid breaking, driving without required lights,
tiredness, falling asleep, decreasing of psychomotor
efficiency, other),
• driver gender and experience,
• age (age interval: 0–6, 7–14, 15–17, 18–24, 25–39,
40–59, 60 and over),
• culprit due to the influence of alcohol (because of
driver, pedestrian, passenger, other, complicity of
traffic actors),
• weather conditions (sunshine, clouds, wind, rain/ Figure 2. Ratio of number of people injured or victims in
snow, fog/smog), total number of accidents.
• type of vehicle (bicycle, moped/scooter, motorbike,
car, tuck, bus, farm tractor, horse-drawn vehicle,
tram, train, other), It is seen that over 87% of accidents happen between
• vehicle fault (self damage, damage of the other 6 a.m. and 10 p.m. with the highest frequency range
vehicle), between 8 a.m. and 6 p.m. Within observed period, the
• event consequences (environment [soil, water, air], frequency and distribution of accidents in day hours is
road, road infrastructure [road facilities, buildings], stable and does not change much despite from rising
cargo [own, foreign]), motorization index in Poland. The average rate of traf-
• necessary actions (first-aid service, road rescue, fic flow, according to the entire analyzed road segment
chemical neutralization, fire extinguishing, rebuild). at motorway A-4, is presented in Fig. 4. It is shown
that since year 2001, volume of traffic is growing year
by year mainly due to economic development.
2.2 Analysis of accidents conditions Similar analysis of accidents distribution in time
General analysis of the database is directed on main was done in relation to months over the year (Fig. 5)
factors attendant circumstances. Major accidents con- and week days (Fig. 6).
sequences are caused proportionally by cars (over 80%
of injured and victims) but almost 30% of losses result
from trucks and road machines (tractors, combine 3 MODELLING OF ROAD EVENT NUMBER
harvesters end the like) accidents (Fig. 1).
The worst consequences of accident dealing with 3.1 Regression models
human life are usually death or bodily harm. Over Statistical number of accidents along certain road
the entire observation period an average ratio of vic- segments is a random number depending on many fac-
tims per accident is 0,22 and lies between 0,35 and tors described precisely above. Randomness means
0,07. Average number of injured is about 1,8 per each in this case that the number of expected accidents
accident (Fig. 2). may vary according to random events and is corre-
Analysis of accidents taking place within day time lated to some other factors. Regression models allow
is shown in Fig. 3. taking into consideration several factors influencing
accident number. Variation of accident number is
described as pure random and systematic variation
depending on some accident factors (Baruya 1999,
Evans 2005).
Two main regression models exist which are gener-
ally based on Poisson distribution (Fricker & Whitford
2004). Poisson model is adequate to random events
(accident number in a given road segment) providing
that randomness is independent for all variables taken
into account (Evans 2005, Kutz 2004, Miaou & Lum
Poisson regression function of accent number is:
Figure 1. Accident consequences fraction caused by differ-
ent type of vehicle. λ = e(β0 +β1 x1 +β2 x2 +···+βk xk ) (1)


07:00 17:00

Figure 3. Frequency of accidents in day time.





week day




Figure 4. Traffic volume in analyzed motorway segment in Figure 6. Distribution of accidents in week days over the
years 1999–2005. period 1999–2005.

120 accidents appropriate. Otherwise the Pascal model (2) should
be considered, because it assumes randomness of λ
parameter itself (Michener & Tighe 1999).

λ = e(β0 +β1 x1 +β2 x2 +···+βk xk +ξ )


where: ξ is the Gamma distributed error term.
1 2 3 4 5 6 7 8 9 10 11 12

3.2 Application of regression models

Figure 5. Distribution of accidents and victims in months to the database
over the period 1999–2005.
Regression analysis of road events uses database
of Provincial Command of the State Fire Service.
From that database the motorway segment of the
where: βi = coefficients of regression, xi = indepen- total length l = 131 km was selected and from
dent variables. the period of 1999–2005 about 1015 accidents were
Poisson distribution assumes that variance is equal extracted.
to mean number of events occurrence so that mean Motorway segment is divided in 11 subsegments
and variance may be taken as measure of statistical of given length li = x1 and daily traffic volume
confidence. If variance is calculated as in the follow- tvi = x2 . To the analysis are also taken into account
ing formula σ = λ(1 + θ · λ), and θ (overdispersion the following casual variables:
parameter) is not significantly different from 0, then
the regression analysis based on the Poisson model is – hvi = x3 —heavy vehicle rate in traffic flow [%],

Ta ble 1. Regression models for all road events.

Independent variable
rn rc
J rj Number Number of rl
ln l ln tv Hv Number Number of road road junc- Number of rp rm
Length Daily Heavy of all of road junctions tions road junc- Number of Number of
of road traffic vehicle junc- junc- (national (commu- tions (lo- exits to moderni-
Model segment volume rate tions tions roads) nal roads) cal roads) parking zation

1 –7,06 1,65 0,56 – – – – – – – –

2 –7,23 1,55 0,89 –0,09 – – – – – – –
3 –9,22 1,49 0,82 – 0,01* – – – – – –
4 –5,19 2,25 0,60 –0,11 –0,05 – – – – – –
5 –6,75 1,68 0,83 –0,09 – –0,02* – – – – –
6 –2,33 2,45 0,22* –0,09 – – 0,05* –0,16 –0,13 – –
7 –4,56 2,60 0,43* –0,10 – – –0,02* –0,08* –0,07 –0,09* –
8 –9,35 2,16 0,90 –0,05 –0,05 – – – – – –0,77
9 –9,94 2,15 0,99 –0,06 – –0,09 – – – – –0,86
10 –9,83 2,26 0,95 –0,06 – – –0,07 –0,10 –0,10 – –0,85
11 –11,49 2,36 1,12 –0,06 – – –0,12 –0,04 –0,06* –0,06* –0,80
12 –9,91 1,59 1,06 –0,05 – – – – – – –0,65

* Insignificant parameters are written in italics.

Table 2. Significance analysis of selected regression models.

Multiple correlation coefficient Model deviance θ parameter

Model R2 R2p R2w R2wp R2ft R2ftp MD p θ p

8 0,72 0,88 0,69 0,87 0,69 0,87 261,26 10−5 0,034 0,1936
9 0,74 0,90 0,70 0,88 0,70 0,90 267,63 10−5 0,027 0,2617
10 0,76 0,92 0,72 0,91 0,72 0,92 269,76 10−5 0,020 0,3763
11 0,78 0,95 0,75 0,94 0,75 0,96 269,83 10−5 0,011 0,6067
12 0,70 0,85 0,67 0,84 0,67 0,85 248,61 10−5 0,053 0,1054

Table 3. Comparison of regression models for number of road events, accidents, injured and fatalities.

Model β0 ln l ln tv hv j rj rn Rc rl rp rm

Number of road events 0,0001 2,26 0,953 −0,056 – – −0,071 −0,099 −0,1 – −0,854
Number of accidents 0,0004 2,769 0,681 −0,083 – – −0,128 −0,209 −0,152 0,053 −1,005
Number of injured 0,0028 3,759 0,18 −0,065 – – −0,104 −0,077 −0,093 −0,114 −1
Number of fatalities 2203,9357 5,885 −1,972 −0,055 −0,209 – – – – – −1,718

– ji = x4 —number of all junctions (exits and – rmi = x10 —time fraction of the year with mod-
approaches of motorway), ernization road works of subsection (value from
– rji = x5 —number of all types road junctions, 0 to 1).
– rni = x6 —number of road junctions with national
roads, Accident database and construction data obtained
– rci = x7 —number of road junctions with communal from the company managing motorway allowed for
roads, building general regression model in the following
– rli = x8 —number of road junctions with local form (3):
– rpi = x9 —number of exits and approaches of 
λi = li 1 · tvi 2 · e (β0 +βj xji ) ;
β β
parking places, j>2 (3)

14 number of road events

avg. number of road events, accidents,

number of accidents
number of injured
injured, fatalities
10 number of fatalities

0 3000 6000 9000 12000 15000 18000 21000 24000 27000
traffic volume [veh./24h]

Figure 7. Regression functions of number of road events, accidents, injured and fatalities in function of traffic volume (all
remaining independent variables are constant). Shaded area relates to the range of traffic volume analyzed in database.

Twelve regression models were created on the pr = 1, rm = 1. Fig. 7 shows number of road events,
basis of the formula (3) and 10 independent variables number of accident, number of injured and number of
described above. In the Table 1 the successive models fatalities in function of daily traffic flow.
are presented containing logical combination of vari- These theoretical functions are valid in the inter-
ables x3 to x10 . Regression functions were obtained and val of traffic flow 9000–24000 veh./24 hours (shaded
selected using the squared multiple correlation coeffi- area) what was observed in the database in the period
cient R, the weighted multiple correlation coefficient of years 1999–2005. Regression functions may be
Rw and the Freeman-Tukey correlation coefficient Rft . extended on wider range of traffic flow to predict
Five models no. 8–12 (marked in shaded records) number of interesting events in other conditions. The
are considered as models of good statistical signifi- phenomenon of decreasing number of fatalities in traf-
cance. In that models parameters β are estimated prop- fic flow may be explained that within seven years of
erly and parameter θ is insignificantly different from 0. observation average quality of cars has risen. Traffic
In the estimated models number of accidents follows flow is here strongly correlated with time. ‘‘Better’’
Poisson distribution. Models significance analysis is cars move faster and generate higher traffic flow and
shown in Table 2. Regression coefficients denoted on the other hand may rise traffic culture and provide
with index p deal with adjusted models that describe higher safety level through installed passive and active
portion of explained systematic randomness. safety means. Estimation of victim number is bur-
Probability values given in Table 2 for parameter θ den higher randomness and proper and precise models
greater then 0,05 prove that θ is insignificant and cer- have not been elaborated jet.
tify correct assumption of Poisson rather than Pascal
model for number of accidents.
Described calculation method and regression model 4 CONCLUSIONS
gave the basis of evaluating theoretical number of road
events. There are four important events discussed in Two main subjects are discussed in the paper: the-
road safety: road event, accident with human losses, oretical modeling of traffic events and elaborating
accident with injured and fatalities. Having known his- of regression models on the basis of real accident
torical data, these events were analyzed and created database. Proposed model consists in developing of
regression models. In Table 3 parameters of regres- prediction function for various road events. There
sion models are put together to describe numbers of were four types of road events concerning: all road
the mentioned events. It is seen that some independent events, accidents, injuries and fatalities. Verification
variables does not influence on calculated number, of the assessment that number of, so called, rare
especially on number of fatalities. events undergoes Poisson distribution was done com-
In order to check the behavior of the obtained model paring elaborated real data with Poisson model with
it is has been proposed that all independent variables parameter λ calculated as regression function of ten
are constant contrary to traffic volume. It will give independent variables. Conformity of five proposed
regression function of number of certain events in rela- models was checked calculating statistical signifi-
tion to traffic volume. It is assumed that: l = 10 km, cance of parameter θ. Regression models applied to
hv = 0, 25, j = 3, rj = 1, rn = 1, rc = 0, rl = 1, online collected data are seen to be a part of active

supporting system for drivers, warning them about Fricker J.D. & Whitford R.K. 2004. Fundamentals of Trans-
rising accident risk at given road segment in certain portation Engineering. A Multimodal System Approach.
environmental conditions. Further development of the Pearson. Prentice Hall.
models would be possible to use in road design process Kutz M. (ed.). 2004. Handbook of Transportation Engineer-
especially in risk analysis and assessment. ing. McGraw-Hill Co.
Miaou S.P. & Lum H. 1993. Modeling Vehicle Accidents
And Highway Geometric Design Relationships. Accident
Analysis & Prevention, no. 25.
REFERENCES Michener R. & Tighe C. 1999. A Poisson Regression Model
of Highway Fatalities. The American Economic Review.
Baruya A. 1998. Speed-accident Relationships on European vol. 82, no. 2, pp. 452–456.
Roads. Transport Research Laboratory, U.K. Wixson J.R. 1992. The Development Of An Es&H Compli-
Evans A.W. 2003. Estimating Transport Fatality Risk From ance Action Plan Using Management Oversight, Risk Tree
Past Accident Data. Accident Analysis & Prevention, Analysis And Function Analysis System Technique. SAVE
no. 35. Annual Proceedings.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Organizational analysis of availability: What are the lessons

for a high risk industrial company?

M. Voirin, S. Pierlot & Y. Dien

EDF R&D—Industrial Risk Management Department, Clamart, France

ABSTRACT: EDF R&D has developed an organisational analysis method. This method which was designed
from in depth examination of numerous industrial accidents, incidents and crises and from main scholar find-
ings in the domain of safety, is to be applied for industrial safety purpose. After some thoughts regarding
(dis)connections between ‘‘Safety’’ and ‘‘Availability’’, this paper analyses to what extend this method could be
used for event availability oriented analysis.

1 INTRODUCTION Table 1. Examples of events analyzed by EDF R&D.

EDF Research & Development has been leading since Event

several years a ‘‘sentinel system’’ dedicated to the
Texas City Explosion, March 23, 2005
study of worldwide cross-sectorial industrial events.
Columbia Accident, February 1, 2003
One purpose of this ‘‘sentinel system’’ is to define an Airplane Crashes above the Constance Lake, July 1, 2002
investigation method allowing to go beyond direct and Crash of the Avianca Company’s Boeing near JFK Airport,
immediate causes of events, i.e. to find organizational New York, January 25, 1990
in-depth causes. Failures of NASA’s Mars Climate Orbiter and Mars Polar
Based upon (i) studies of more than twenty indus- Lander engines, 1999
trial accidents, incidents and crises carried out in Explosion of the Longford Gas Plant, Australia,
the frame of this sentinel system (see table 1), September 25, 1998
(ii) knowledge of more than fifty industrial disasters, Crisis at the Millstone NPP from 1995 to 1999
Corrosion of the Davis Besse’s Vessel Head, March 2002
(iii) analysis of investigation methods used for sev-
Tokaïmura reprocessing plant’s accident,
eral events (by ‘‘event’’ we mean accident or incident September 30, 1999
or crisis, e.g. Cullen, 2000; Cullen, 2001; Columbia Fire in the Mont Blanc tunnel, March 24, 1999
Accident Investigation Board, 2003; US Chemical Trains collision in the Paddington railways station (near
Safety and Hazard Investigation Board, 2007) and London), October 5, 1999
findings of scholars in domains of industrial safety and
accidents (e.g. Turner, 1978; Perrow, 1984; Roberts,
1993; Sagan, 1993; Sagan, 1994; Reason, 1997;
Vaughan, 1996; Vaughan, 1997; Vaughan, 1999; . . .),
EDF-R&D has drawn up a method for Organisational
Analysis. This method is safety oriented and can 2 MAIN FEATURES OF ORGANISATIONAL
be used for event investigation and for diagnosis of ANALYSIS METHOD
organisational safety of an industrial plant as well.
After a brief description of main features of the This section gives an overview of the method. More
method and some remarks about similarities and dif- detailed information is available (Dien, 2006; Pierlot
ferences between ‘‘safety’’ and ‘‘availability’’, we will et al., 2007).
examine to which extend the method could also be The method is grounded on an empirical basis (see
used in case of events dealing with availability (versus figure 1). But it is also based on scholar findings, and
safety). more specifically on Reason work.

2.1 Historical dimension
As Llory states (1998): ‘‘accident does not start
with triggering of final accidental sequence; there-
fore, analysis require to go back in time, [. . .]’’ in
order to put in prominent place deterioration phenom-
ena. Analysis has to ‘‘go upstream’’ in the History
of the organisations involved for highlighting signifi-
Figure 1. General description of the method building (from cant malfunctioning aspects: what was not appreciated
Dien & Llory, 2006). in real time has to ‘‘make sense’’ when risk was
confirmed (i.e. when event has happened). Vaughan
reminds (2005): ‘‘The O-ring erosion that caused the
loss of Challenger and the foam debris problem that
took Columbia out of the sky both had a long history.’’
Early warning signs has to be looked for and detected
long before time event occurrence.
Numerous industrial events show that weakness
of operational feedback could be incriminated for
their occurrence—i.e. that previous relevant event(s)
was/were not taken into account or poorly treated after
their occurrence—. Analysts have to pay a specific
attention at incidents, faults, malfunctioning occurred
prior to the event.
Analysis of the ‘‘historical dimension’’ is parallel
to detailed examination of parameters, of variables of
Figure 2. The organizational analysis three main axis.
context which allow understanding of events. It has
to avoid a ‘‘retrospective error’’. Fine knowledge of
According to Reason (1997), causes of an event is event scenario—i.e. sequences of actions and deci-
made of three levels: sions which led to it—allows to assess actual mid and
long term effects of each action and decision. Analysts
• The person (having carried out the unsafe acts, the have to keep in mind that this evaluation is easier to
errors); make after the event than in real time. In other words,
• The workplace (local error-provoking conditions); analysts have to avoid a blame approach.
• The organization (organizational factors inducing
the event).
Development of event is ‘‘bottom-up’’, i.e. direc-
tion causality is from organizational factors to person. 2.2 Organizational network
In the event analysis, direction is opposite. Starting Within an organisation, entities communicate (‘‘Entity’’
point of analysis is direct and immediate causes of means a part of organisation more or less important in
bad outcome (event). Then, step by step, analysis con- terms of size, staffing. It could be a small amount
siders, as far as possible, how and when defences of people or even an isolated person, for instance a
failed. whistle blower): entities exchange data, they make
In addition to results obtained by scholars in the common decisions—or at least they discuss for mak-
field of organisational studies, real event organisa- ing a decision—, they collaborate, . . . So it is of the
tional analyses carried out allow us to define the three first importance to ‘‘draw’’ organisational network’’
main dimensions of an organisational approach, help- between entities concerned in the event. This network
ing to go from direct causes to root organisational is not the formal organisation chart of entities. It is a
causes (see figure 2): tool for showing numerous and complex interactions
involved for occurrence of event. It is a guideline for
• Historical dimension;
carrying out the analysis; it is built all along analysis
• Organizational network;
• ‘‘Vertical relationships’’ in the organization (from
Organisational network is hardly defined once and
field operators to plant top management).
for all for a given organisation. It is draft according to
We have to note that, if these dimensions are intro- the analysis goals. Parts of organisation can be ignored
duced in a independent way, they are interacting and because they were not involved in the event.
an analysis has to deal with them in parallel (and in Organisational network allows visualising com-
interaction). plexity of functional relationships between entities,

and sometimes, it highlights absence of relationships Table 2. The seven Pathogenic Organizational Factors
which had to be present. (POF).

Production Pressures (Rupture of the equilibrium between

2.3 ‘‘Vertical relationships’’ in the organization availability and safety to the detriment of safety)
Difficulty in implementing feedback experience
This dimension is a part of organisational network Short comings of control bodies
on which a specific focus is needed: It has to be Short comings in the safety organizational culture
specifically studied because it helps to figure out Poor handling of the organizational complexity
interactions between different hierarchical layers and No re-examining of design hypothesis
between managers and experts. Failure in daily safety management
It covers top-down and bottom-up communications.
It is essential to isolate it since it makes easier under-
standing of interactions between various management
levels, experts and ‘‘field operators’’. We have to complexity of the event-causing phenomena, a fac-
remind an obviousness often forgotten during event tor in a certain situation may be deemed to be a
analysis: organisation is a hierarchical system. consequence in another situation.
The main interests of this dimension are: modes of POFs are useful during event analysis since they
relationships, of communication, of information flows allow to define goals/phenomena to look for.
and modes of co-operation between hierarchical lay- A least, purpose of an organisational analysis is to
ers. Real events show that deterioration of these modes understand how organisation is working: it leads to (try
are cause of their occurrence. to) understand weaknesses and vulnerabilities, but also
At least, thanks to this dimension, causes of an event resilience aspects. Its goal is not necessarily to explain
cannot be focussed only on field operators. event from an expert point of view resulting in a list
Some other concepts have to be kept in mind while of (more or less numerous) direct causes leading to
an organizational analysis is carried out as for instance: consequences (with, at the end the fatal consequence).
‘‘incubation period’’ of an event (Turner, 1978), exis- This approach leads, in addition of collecting and anal-
tence or not of ‘‘weak signals’’ prior to occurrence ysis of objective data, to take account of employee’s
of the event and connected to it (Vaughan, 1996) and speeches. In order to collect ‘‘true’’ information ana-
existence or not of whistle blower(s), active and latent lysts have to have an empathic attitude toward people
defaults (Reason, 1997). Regarding these defaults, met during analysis (collecting ‘‘true’’ information
analyses of events have shown that some organiza- does not mean to take what it is said as ‘‘holly words’’.
tional flaws (latent defaults) were present and that they Analysts have to understand speeches according to the
are part of the root causes of the event. context, the role of the speaker(s), . . . Information
collected has to be cross-examined as well).
2.4 The Pathogenic Organizational Factors
Analyses have also shown some repetition of orga- 2.5 The Organizational Analysis Methodology
nizational root causes of events. We have defined, As stated above, this methodology has been already
according to Reason’s terminology (1997) these causes fully described (Pierlot et al., 2007; Voirin et al., 2007).
as ‘‘Pathogenic Organizational Factors’’ (POFs). Just let us recall here the main points of the
POFs cover a certain number of processes and phe- methodology:
nomena in the organization with a negative impact
on safety. They may be identified by their various • Organizational Analysis relies on background
effects within the organisation, which can be assim- knowledge made of study cases, findings of schol-
ilated into symptoms. Their effects may be objective ars, definition of Pathogenic Organizational Fac-
or even quantifiable, or they could be subjective and so tors,
only felt and suggested by employees. POFs represent • Organizational Analysis explores the three main
the formalisation of repetitive, recurrent or exemplary axis described above,
phenomena detected in the occurrence of multiple • Analysts use both written evidences and interviews.
events. These factors can be described as the hidden The interviews are performed under a compre-
factors which lead to an accident. hensive approach, in which, not only the causes
A list of seven POFs was defined (Pierlot, 2007). are searched, but also the reasons, the intentions,
Table 2 gives a list of this seven POFs. This list should the motivations and the reasoning of the people
not be considered to be definitive since new case stud- involved,
ies findings could add some findings even though • Analysts have to bring a judgment on the studied
it is relatively stable. Classification of the factors is situation, so that the ‘‘puzzle’’ of the situation could
somewhat arbitrary since, given the multiplicity and be rebuilt,

• Results of the Organizational Analysis are built with also a safety mission because they are part of the sec-
the help of a ‘‘thick description’’ (Geertz, 1998) and ond barrier against radioactive material leakage, and
then summarized. also because their cooling capacities are necessary to
deal with some accidental events.
But all of these systems could have both an impact
3 SAFETY AND AVAILABILITY: HOW on safety and availability. It is clear for systems deal-
CLOSE OR DIFFERENT ARE THESE TWO ing both with Safety and Availability, but, in case of
CONCEPTS? failures, some of the systems dealing only with avail-
ability could have clearly an impact on safety, as some
Although the method described above was built for of the systems dealing only with safety could have
safety purposes, considering the potential impacts of clearly an impact on availability (Voirin et al., 2007).
the Pathogenic Organizational Factors on the safety For example, if there is a turbine trip while the plant is
of a given complex system, the first applications of operating at full power, the normal way to evacuate the
this method within EDF were dedicated to availability energy produced by the nuclear fuel is no longer avail-
events. able without the help of other systems, and that may
According to the CEI 60050-191 standard, the sys- endanger safety even if the turbine is only dedicated
tem availability is the capacity of a system to feed its to availability.
expected mission, within given operating conditions at Safety and availability have then complex rela-
a given time. Availability must not be confused with tionships: This is not because short term or medium
reliability which has the same definition, excepted term availability is ensured that neither long term
that the time dimension is not at a given time, but availability or safety are also insured.
during a time interval. And we shall never forget that, before the acci-
Therefore Availability addresses two different dent, the Chernobyl nuclear power plant as the Bhopal
issues: the system capacity to avoid an damageable chemical factory had records of very good availability
event, and, if such an event had to occur, the system levels, even if, in the Bhopal case, these records were
capacity to recover from the event so that its initial obtained with safety devices out of order since many
performances are fully met again. months (Voirin et al., 2007).
Safety can be described as the system capacity to
avoid catastrophic failures, potentially hazardous for
workers, for the environment or for the public (Llory 4 CAN AN ORGANIZATIONAL ANALYSIS
Safety and Availability seem then, at the first view, ORIENTED EVENT?
to be two un-related characteristics. But this is only
an impression. In fact, Availability and Safety are not Due to this strong relationship between availability and
independent. safety, is it possible to perform an Organisational Anal-
This is due to the fact that the equipment being ysis of an Availability event in the same way Safety
parts of a complex high risk system can deal, either oriented Organisational Analysis are performed?
only with Availability, either only with Safety, either We already gave a positive answer to that ques-
with Safety and Availability (Voirin et al., 2007). tion (Voirin et al., 2007), even if they are noticeable
For instance, in a nuclear power plant, there sys- differences.
tems dealing only with the plant availability, such as The POFs were established on the study of many
the generator group which allows to produce elec- Safety Events (Pierlot et al., 2007), they rely on a
tricity thanks to the steam coming from the Steam strong empirical basis However, the transposition of
Generators. such Safety oriented POFs into Availability oriented
There are also systems dealing only with safety. Pathogenic Organisational Factors was performed only
These systems are not required to produce electricity from the theoretical point of view, with the help of
and are not operating: Their purpose is only to fulfil a our knowledge of some study cases (Voirin et al.,
safety action if needed. For example, the Safety Injec- 2007).
tion System in a nuclear power plant has for mission The main point is that, during an Availability Organ-
to insure the water quantity within the primary circuit, isational Analysis, particular attention must be paid
so that decay heat could be still evacuated, even in case to the equilibrium between Availability and Safety,
of a water pipe break. knowing that one of the Safety oriented POFs (produc-
At last, they are systems dealing both with safety tion pressures) leads to the rupture of such a balance
and availability. For example, the Steam Generators (Dien et al., 2006; Pierlot et al., 2007).
of a nuclear power plant have an availability mission, It is with such a background knowledge that we
because they produce the sufficient steam to make the performed in 2007 the Organisational Analysis of an
generator group working; but Steam Generators fulfil event that occurred in one power plant. This event

was originally chosen because of its impact on the most of them were reluctant to give materials to the
Availability records of the plant. analysts.
We have checked these assumptions by carrying out It can be pointed out that the few managers who
an Organizational Analysis of a real case occurred in a agree to be interviewed were mainly managing entities
power plant. This is discuss in the following chapters. which could be seen, at first, in that case, as ‘‘vic-
tims’’. In that case, managers appeared to be opened
because they thought that the organisational analysis
was the opportunity for them to let the entire organ-
5 MAIN FINDINGS REGARDING. . . isation know that they can not be blamed for what
happened. . .
5.1 . . . Organizational analysis method These reaction of defence of the managers could
5.1.1 The three main dimensions have been forecasted. It can be over passed, knowing
The event we studied was chosen for Availability rea- that the analysts have to adopt a empathic attitude dur-
sons, but it appeared very early in the analysis that ing the interviews but also, that they have to bring a
it had also a Safety dimension. This event involved judgment of the information given by the interviewees.
different technical teams of the power plant where it The second fact that could be bring out to explain the
occurred, but also several engineering divisions. difficulty in that case to address the vertical dimension
The Organization Analysis methodology requires is the analysts position. In this analysis, the analysts
to address three dimensions: a historical one, a cross- were closed to the analysis sponsor. But, as analysts
functional one, and the ‘‘vertical relationships’’ in the can be stopped in their investigation by implicit stop
organisation. rules (Hopkins, 2003), and as the organisation cul-
ture and/or analyst’s interests could have effects on the
• The organizational network analysis results, the closer of the organisation the ana-
We have interviewed people working in each of lysts are, the more difficult will be for them to address
the concerned entities and involved in the related the vertical dimension.
event. We also succeeded in recovering official and However these difficulties to address the vertical
un-official (e-mails, power point presentations) data dimension are not blocking points: in this case study,
written by members of these entities. even if this dimension is not treated with the extent
The combination of interviews and the study of the it should have been, it is nevertheless explored suf-
written documents allowed us to draw the organisa- ficiently so that, in the end, the analysts were able to
tional network (Pierlot et al., 2007), describing how give a ‘‘thick description’’ of the event, and then a syn-
all these entities really worked together on the issues thesis, which have been accepted by the people who
related to this event: We were able then to address the ordered the study.
cross functional dimension.
• The historical dimension 5.1.2 The thick description
It was easily possible to address the historical dimen- The thick description (Geertz, 1998) appears to be a
sion, and then, to obtain not only a chronology of added value in the analysis process as in the restitution
related facts on a time scale, but also to draw a three phase. It allows the analysts to clearly formulate their
dimension organisational network, made of the usual assumptions, to make sure that all the pieces of the
cross functional plan and a time dimension, allow- puzzle fit the overall picture. In this way, this thick
ing then to put in obvious place the evolution of these description is elaborated by a succession of ‘‘tries and
cross functional dimension over the years before the errors’’, until the general sense of the studied issue is
event occurrence. In this sense, we could make ours made clear to the analysts.
the title of one chapter of the CAIB report ‘‘History as The first attempts to build this thick description
A Cause’’ (CAIB, 2003). were not made at the end of the analysis but during
• The vertical dimension the analysis. As a result, we can say that the analysis is
The study of the third dimension, the vertical one, over when the collection of new data doesn’t change
was more difficult to address. We could give several anymore this thick description, when these new data
explanations of this fact. don’t change the picture given in the description.
This thick description is a necessary step in the anal-
The first one is due to the position of the managers. ysis process, but it isn’t the final result of the analysis.
As organisational analysis has for purpose to point out As Pierlot mentioned it (Pierlot, 2006), there is a need
the organisational dysfunctions of a given organisa- to establish a synthesis of this thick description so that
tion, as one of the manager’s missions is to make sure general learning could be deduced from the analysis.
that the organisation works smoothly, he/she could Going from the thick description to this synthesis
have had a ‘‘protection’’ reaction that may explain why requires the analysts to bring a judgment so that the

main conclusions of the analysis could be understood also an impact on Availability. In that way, we can
and accepted by the concerned organisation and its say then that we are dealing with POFs having a
managers. potential impact on the overall results of a complex
In this sense, the writing of the synthesis is an high-risk system because these factors could lead to
important part of the analysis that may use, in a cer- a decrease of the results on the safety scale or on the
tain way, the same narrative techniques that are used availability scale. This is more specifically the case
by the ‘‘storytelling’’ approaches although the goals to for the factors ‘‘Poor handling of the organisational
be fulfilled are dramatically different: to give a general complexity’’ and ‘‘failures of operational feedback
sense to the collected data in the case of the organi- system’’.
sational analysis; to meet propaganda purposes in the However, the performed analysis was focused on
case of the ‘‘pure’’ storytelling (Salmon, 2007). the event occurrence. The analysis did not have for
During the building of the thick description and the purpose to look at the way the organisation recovered
writing of the synthesis, a specific focus has to be from the situation. If it had, we can make the realistic
paid to the status that has to be given to the collected assumption that the Safety oriented POFs might not
data. As stated above, the data come from two differ- be useful to study this issue. It is then a possibility that
ent paths: written documents and specific information there are also some pathogenic organisational factors
given by interviewees. that could describe the different dysfunctions ways for
an organisation to recover from an Availability (and
perhaps Safety) event.
5.1.3 The collected data status
If the reality of written documents cannot be discussed,
there could be always doubts on the quality, the reality
of information collected during interviews. In order
to overcome this difficulty, a written report of each
The performed Organisational Analysis on the occur-
interview was established and submitted to the appro-
rence of an Availability event confirms that the method
bation of the interviewees. Each specific information
designed for a Safety purpose can be used for an event
was also cross-checked, either with the collected writ-
dealing with Availability.
ten documents, or with information collected during
The three main dimensions approach (historical,
other interviews.
cross-functional, and vertical), the data collection and
But, there is still the case where a specific infor-
checking (written data as information given by inter-
mation cannot be confirmed or denied by written
viewees), the use of the thick description allow to
documents or during other interviews. What has to be
perform the analysis of an Availability event and to
done in that case? There is no generic answer. A ‘‘pro-
give a general sense to all the collected data.
tective’’ choice could be to say that, in this case, the
The knowledge of the Organisational Analysis
related information is never considered by the analysts.
of many different safety events, of the different
This could protect the analysts against the criticism to
Safety oriented Pathogenic Organisational Factors is a
use un-verified (and perhaps even false) data. How-
required background for the analysts so that they could
ever, such a solution could deprive the analysts of
know what must be looked for and where it must be
interesting and ‘‘valuable’’ materials.
done, or which interpretation could be done from the
We believe then, that the use of ‘‘single’’ subjective
collected data.
data relies only on the analysts judgment. If the data
This case confirms also that the usual difficul-
fits the overall picture, if it fits the general idea that the
ties encountered during the Organisational Analysis
analysts have of the situation, it can be used. However,
of a Safety event are also present for the Organisa-
if this data doesn’t cope with the frame of the analysis
tional Analysis of an Availability event : the vertical
results, the best solution is to avoid using it.
dimension is more difficult to address, the question
of ‘‘single’’ data is a tough issue that could deserve
deepener thoughts.
5.2 . . . The FOPs
The performed analysis proves also that most of
We remind that the performed analysis was launched the Safety oriented Pathogenic Organisational Factors
due to Availability reasons, but that it had also a Safety could be also seen as Availability oriented Pathogenic
dimension. Organisation Factors. However, these factors are
Let us recall also that most of the Safety POFs focused only on the event occurrence; they do not
(Pierlot et al., 2007) can be seen also, from a theoret- intend to deal with the organisation capacity to recover
ical point of view, as Availability oriented Pathogenic from the availability event. We believe that this
Organisational Factors (Voirin et al., 2007). particular point must also be studied more carefully.
The performed analysis confirms this theoretical The last point is that an Availability event
approach: most of the Safety oriented POFs have Organisational Analysis must be performed with a

close look on safety issues, and more specifically, Llory, M., Dien. Y. 2006–2007. Les systèmes socio-
on the balance between Safety and Availability. Here techniques à risques : une nécessaire distinction entre
again, we believe that the complex relationships fiabilité et sécurité. Performances. Issue No. 30 (Sept–Oct
between Availability and Safety deserves a closer look 2006); 31 (Nov–Dec 2006); 32 (Janv–fev 2007)
and that some research based on field studies should Perrow, C. (ed.) 1984. Normal Accidents. Living with High-
Risk Technology. New York: Basic Books.
be carried out. Pierlot, S. 2006. Risques industriels et sécurité: les
Eventually this case reinforces what we foresaw, organisations en question. Proc. Premier Séminaire de
i.e. if an organization is malfunctioning, impacts can Saint—André. 26–27 Septembre 2006, 19–35.
be either on Safety or on Availability (or both) and Pierlot, S., Dien, Y., Llory M. 2007. From organizational
so, a method designed and used for a Safety purpose factors to an organizational diagnosis of the safety. Pro-
can also be used, to a large extent, for Availability ceedings, European Safety and Reliability conference, T.
purpose. Aven & J.E. Vinnem, Eds., Taylor and Francis Group,
London, UK, Vol. 2, 1329–1335.
Reason, J (Ed.). 1997. Managing the Risks of Organizational
Accidents. Aldershot: Ashgate Publishing Limited.
REFERENCES Roberts, K. (Ed.). 1993. New challenges to Understand-
ing Organizations. New York: Macmillan Publishing
Columbia Accident Investigation Board 2003. Columbia Company.
Accident Investigation Board. Report Volume 1. Sagan, S. (Ed.). 1993. The Limits of Safety: Organizations,
Cullen, W. D. [Lord] 2000. The Ladbroke Grove Rail Inquiry, Accidents and Nuclear Weapons. Princeton: Princeton
Part 1 Report. Norwich: HSE Books, Her Majesty’s University Press.
Stationery Office. Sagan, S. 1994. Toward a Political Theory of Organiza-
Cullen, W. D. [Lord] 2001. The Ladbroke Grove Rail Inquiry, tional Reliability. Journal of Contingencies and Crisis
Part 2 Report. Norwich: HSE Books, Her Majesty’s Management, Vol. 2, No. 4: 228–240.
Stationery Office. Salmon, C. (Ed.). 2007. Storytelling, la machine à fabriquer
Dien, Y. 2006. Les facteurs organisationnels des acci- des histoires et à formater les esprits. Paris: Éditions La
dents industriels, In: Magne, L. et Vasseur, D. (Ed.), Découverte.
Risques industriels—Complexité, incertitude et décision: Turner, B. (Ed.). 1978. Man-Made Disasters. London:
une approche interdisciplinaire, 133–174. Paris: Éditions Wykeham Publications.
TED & DOC, Lavoisier. U.S. Chemical Safety and Hazard Investigation Board. 2007.
Dien, Y., Llory, M., Pierlot, S. 2006. Sécurité et perfor- Investigation Report, Refinery Explosion and Fire, BP –
mance: antagonisme ou harmonie? Ce que nous appren- Texas City, Texas, March 23, 2005, Report No. 2005-04-
nent les accidents industriels. Proc. Congrès λμ15—Lille, I-TX.
October 2006. Vaughan, D. (Ed.). 1996. The Challenger Launch Deci-
Dien, Y., Llory M. 2006. Méthode d’analyse et de diagnostic sion. Risky Technology, Culture, and Deviance at NASA.
organisationnel de la sûreté. EDF R&D internal report. Chicago: The Chicago University Press.
Dien, Y., Llory, M. & Pierlot, S. 2007. L’accident à la raf- Vaughan, D. 1997. The Trickle-Down Effect: Policy Deci-
finerie BP de Texas City (23 Mars 2005)—Analyse et sions, Risky Work, and the Challenger Tragedy. Califor-
première synthèse. EDF R&D internal report. nia Management Review, Vol. 39, No. 2, 80–102.
Geertz C. 1998. La description épaisse. In Revue Enquête. Vaughan, D. 1999. The Dark Side of Organizations: Mistake,
La Description, Vol. 1, 73–105. Marseille: Editions Misconduct, and Disaster. Annual Review of Sociology,
Parenthèses. vol. 25, 271–305.
Hollnagel, E., Woods, D.D., et Leveson, N.G. (Ed.) 2006. Vaughan, D. 2005. System Effects: On Slippery Slopes,
Resilience Engineering: Concepts and Precepts. Alder- Repeating Negative Patterns, and Learning from Mis-
shot: Ashgate Publishing Limited. take, In: Starbuck W., Farjoun M. (Ed.), Organization at
Hopkins, A. 2003. Lessons from Longford. The Esso Gas the Limit. Lessons from the Columbia Disaster. Oxford:
Plant Explosion. CCH Australia Limited, Sydney, 7th Blackwell Publishing Ltd.
Edition (1st edition 2000). Voirin, M., Pierlot, S. & Llory, M. 2007. Availability
Llory, M. 1998. Ce que nous apprennent les accidents indus- organisational analysis: is it hazard for safety? Proc.
triels. Revue Générale Nucléaire. Vol. 1, janvier-février, 33rd ESREDA Seminar—Future challenges of accident
63–68. investigation, Ispra, 13–14 November 2007.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Thermal explosion analysis of methyl ethyl ketone peroxide by

non-isothermal and isothermal calorimetry application

S.H. Wu
Graduate School of Engineering Science and Technology, National Yunlin University of Science and Technology,
Douliou, Yunlin, Taiwan, ROC

J.M. Tseng
Graduate School of Engineering Science and Technology, National Yunlin University of Science
and Technology, Douliou, Yunlin, Taiwan, ROC

C.M. Shu
Department of Safety, Health, and Environmental Engineering, National Yunlin University of Science
and Technology, Douliou, Yunlin, Taiwan, ROC

ABSTRACT: In the past, process accidents incurred by Organic Peroxides (OPs) that involved near miss,
over-pressure, runaway reaction, thermal explosion, and so on occurred because of poor training, human error,
incorrect kinetic assumptions, insufficient change management, inadequate chemical knowledge, and so on, in
the manufacturing process. Calorimetric applications were employed broadly to test small-scale organic peroxides
materials because of its thermal hazards, such as exothermic behavior and self-accelerating decomposition in the
laboratory. In essence, methyl ethyl ketone peroxide (MEKPO) has a highly reactive and unstable exothermal
feature. In recent years, it has many thermal explosions and runaway reaction accidents in the manufacturing
process. Differential Scanning Calorimetry (DSC), Vent Sizing Package 2 (VSP2), and thermal activity monitor
(TAM) were employed to analyze thermokinetic parameters and safety index and to facilitate various auto-alarm
equipment, such as over-pressure, over-temperature, hazardous materials leak, etc., during a whole spectrum of
operations. Results indicated that MEKPO decomposed at lower temperature (30–40◦ C) and was exposed on
exponential development. Time to Maximum Rate (TMR), self-accelerating decomposition temperature (SADT),
maximum of temperature (Tmax ), exothermic onset temperature (T0 ), and heat of decomposition (Hd ) etc.,
were necessary and mandatory to discover early-stage runaway reactions effectively for industries.

1 INTRODUCTION peroxide (BPO), hydrogen peroxide (H2 O2 ), lauroyl

peroxide (LPO), tert-butyl perbenzoate (TBPBZ), tert-
The behavior of thermal explosions or runaway reac- butyl peroxybenzoate (TBPB), etc. are usually applied
tions has been widely studied for many years. A reactor as initiators and cross-linking agents for polymeriza-
with an exothermic reaction is susceptible to accumu- tion reactions. One reason for accidents involves the
lating energy and temperature when the heat genera- peroxy group (-O-O-) of organic peroxides, due to
tion rate exceeds the heat removal rate by Semenov its thermal instability and high sensitivity for thermal
theory (Semenov, 1984). Unsafe actions and behav- sources. The calorimetric technique is applied to eval-
iors by operators, such as poor training, human error, uate the fundamental exothermic behavior of small-
incorrect kinetic assumptions, insufficient change scale reactive materials during the stage of research
management, inadequate chemical knowledge etc., and development (R&D). Many thermal explosions
lead to runaway reactions, thermal explosions, and and runaway reactions have been caused globally by
release of toxic chemicals, as have sporadically MEKPO resulting in a large number of injuries and
occurred in industrial processes (Smith, 1982). Methyl even death, as shown in Table 1 (Yeh et al., 2003;
ethyl ketone peroxide (MEKPO), cumene hydroper- Chang et al., 2006; Tseng et al., 2006; Tseng et al.,
oxide (CHP), di-tert-butyl peroxide (DTBP), tert-butyl 2007; MHIDAS, 2006). Major Hazard Incident Data

Table 1. Thermal explosion accidents caused by MEKPO

Year Nation Frequency I F Worst case

1953–1978 Japan 14 115 23 Tokyo

1980–2004 China 14 13 14 Honan
1984–2001 Taiwan 5 156 55 Taipei
2000 Korea 1 11 3 Yosu Figure 1 (a). The aftermath Figure 1 (b). Reactor
1973–1986 Australia∗ 2 0 0 NA of the Yung-Hsin explosion bursts incurred by
1962 UK∗ 1 0 0 NA which devastated the entire thermal runaway.
plant, including all buildings
I: Injuries; F: Fatalities. within 100 m.
∗ Data from MHIDAS (MHIDAS, 2006).
NA: Not applicable.
Methyl Dimethyl Hydrogen
ethyl phthalate peroxide
Service (MHIDAS) was employed to investigate three
ketone (DMP) (H2O2)
accidents for MEKPO in Australia and UK (MHIDAS,
A thermal explosion and runaway reaction of MEKPO
occurred at Taoyuan County (the so-called Yung-
Hsin explosion) that killed 10 people and injured 47 Reactor
in Taiwan in 1996. Figures 1 (a) and 1 (b) show
the accident damage situation from the Institute of
Occupational Safety and Health in Taiwan. Crystallization Cooling
Accident development was investigated by a report H3PO4 tank to lower
from the High Court in Taiwan. Unsafe actions (wrong
dosing, dosing too rapidly, errors in operation, cooling
failure) caused an exothermic reaction and the first Dehydration tank
thermal explosion of MEKPO.
Simultaneously, a great deal of explosion pressure
led to the top of the tank bursting and the hot concrete Drying tank
being broken and shot to the 10-ton hydrogen perox-
ide (H2 O2 ) storage tank (d = 1, h = 3). Under this
circumstance, the 10-ton H2 O2 storage tank incurred MEKPO in storage
the second explosion and conflagration that caused tank
10 people to perish (including employees and fire
fighters) and 47 injuries. Many plants near Yung-Hsin
Co. were also affected by the conflagration caused Figure 2. Typical manufacturing process for MEKPO in
by the H2 O2 tank. H2 O2 , dimethyl phthalate (DMP), Taiwan.
and methyl ethyl ketone (MEK) were applied to man-
ufacture the MEKPO product. Figure 2 depicts the
MEKPO manufacture process flowchart. To prevent in terms of industrial applications. In view of loss
any further such casualties, the aim of this study was prevention, emergency response plan is mandatory
to simulate an emergency response process. Differen- and necessary for corporations to cope with reactive
tial scanning calorimetry (DSC), vent sizing package chemicals under upset scenarios.
2 (VSP2), and thermal activity monitor (TAM) were
employed to integrate thermal hazard development.
Due to MEKPO decomposing at low temperature
(30–40◦ C) (Yuan et al., 2005; Fu et al., 2003) and
exploding with exponential development, developing
2.1 Fundamental thermal detection by DSC
or creating an adequate emergency response procedure
is very important. DSC has been employed widely for evaluating ther-
The safety parameters, such as temperature of no mal hazards (Ando et al., 1991; ASTM, 1976) in
return (TNR ), and time to maximum rate (TMR), various industries. It is easy to operate, gives quanti-
self-accelerating decomposition temperature (SADT), tative results, and provides information on sensitivity
maximum temperature (Tmax ), etc., are necessary and (exothermic onset temperature, T0 ) and severity (heat
useful for studying emergency response procedures of decomposition, Hd ) at the same time. DSC was

Table 2. Thermokinetics and safety parameters of 31 mass% MEKPO and 20 mass% H2 O2 by DSC under β at 4◦ C min−1 .

Mass (mg) T1 (◦ C) Hd (J g−1 ) T2 (◦ C) Tmax (◦ C) Hd (J g−1 ) T3 (◦ C) Tmax (◦ C) Hd (J g−1 ) Htotal (J g−1 )

1 4.00 42 41 83 135 304 160 200 768 1,113

2 2.47 67 100 395 395

1 MEKPO; 2 H O .
2 2

applied to detect the fundamental exothermic behav-

ior of 31 mass% MEKPO in DMP that was purchased
directly from the Fluka Co. Density was measured and 20 mass% H2O2
provided directly from the Fluka Co. ca. 1.025 g cm−3 .
31 mass% MEKPO
It was, in turn, stored in a refrigerator at 4◦ C (Liao

Heat flow (W g-1)

et al., 2006; Fessas et al., 2005; Miyakel et al., 2005;
Marti et al., 2004; Sivapirakasam et al., 2004; Hou 1.0
et al., 2001). DSC is regarded as a useful tool for the
evaluation of thermal hazards and for the investigation 0.5
of decomposition mechanisms of reactive chemicals if
the experiments are carried out carefully. 0.0

0 50 100 150 200 250 300

2.2 Adiabatic tests by VSP2 Temperature (˚C)

VSP2, a PC-controlled adiabatic calorimeter, manu-

factured by Fauske & Associates, Inc. (Wang et al., Figure 3. Heat flow vs. temperature of 31 mass% and 20
2001), was applied to obtain thermokinetic and ther- mass% H2 O2 under 4◦ C min−1 heating rate by DSC.
mal hazard data, such as temperature and pressure
traces versus time. The low heat capacity of the
cell ensured that almost all the reaction heat that
was released remained within the tested sample. 3 RESULTS AND DISCUSSION
Thermokinetic and pressure behavior in the same test
cell (112 mL) usually could be tested, without any 3.1 Thermal decomposition analysis of 31 mass%
difficult extrapolation to the process scale due to a MEKPO and 20 mass% H2 O2 for DSC
low thermal inertia factor () of about 1.05 and 1.32 Table 2 summarizes the thermodynamic data by the
(Chervin & Bodman, 2003). The low  allows for DSC STAR e program for the runaway assessment.
bench scale simulation of the worst credible case, such MEKPO could decompose slowly at 30–32◦ C, as
as incorrect dosing, cooling failure, or external fire disclosed by our previous study for monomer. We
conditions. In addition, to avoid bursting the test cell surveyed MEKPO decomposing at 30◦ C, shown in
and missing all the exothermic data, the VSP2 tests Figure 3. We used various scanning rates by DSC to
were run with low concentration or smaller amount survey the initial decomposition circumstances. As a
of reactants. VSP2 was used to evaluate the essential result, a quick temperature rise may cause violent ini-
thermokinetics for 20 mass% MEKPO and 20 mass% tial decomposition (the first peak) of MEKPO under
H2 O2 . The standard operating procedure was repeated external fire condition. Table 2 shows the emergency
by automatic heat-wait-search (H–W–S) mode. index, such as T0 , H, Tmax , of 31 mass% MEKPO
by DSC under heating rate (β) 4◦ C min−1 . The ini-
tial decomposition peak usually releases little thermal
2.3 Isothermal tests by TAM
energy, so it is often disregarded. The T2 of mainly
Isothermal microcalorimetry (TAM) represents a decomposition was about 83◦ C. The total heat of reac-
range of products for thermal measurements manufac- tion (Htotal ) was about 1,113 J g−1 . DSC was applied
tured by Thermometric in Sweden. Reactions can be to evaluate the Ea and frequency factor (A). The Ea
investigated within 12–90◦ C, the working temperature under DSC dynamic test was about 168 kJ mol−1 and
range of this thermostat. The spear-head products are A was about 3.5 · 1019 (s−1 ).
highly sensitive microcalorimeters for stability test- Figure 3 displays the exothermic reaction of 20
ing of various types of materials (19). Measurements mass% H2 O2 under 4◦ C min−1 of β by the DSC.
were conducted isothermally in the temperature range Due to H2 O2 being a highly reactive chemical, oper-
from 60 to 80◦ C (The Isothermal Calorimetric Manual, ators must carefully control flow and temperature.
1998). H2 O2 was controlled at 10◦ C when it precipitated the

Table 3. Thermokinetic parameters of MEKPO and H2 O2 from adiabatic tests of VSP2.

T0 (◦ C) Tmax (◦ C) Pmax (psi) (dT dt−1 )max (◦ C min−1 ) (dP dt−1 )max (psi min−1 ) Tad (◦ C) Ea(kJ mol−1 )

1 90 263 530 394.7 140.0 178 97.54

2 80 158 841 7.8 100.0 78 NA

1 MEKPO; 2 H2 O2 .

280 (dT dt-1)max = 395˚C min -1

Tmax = 263°C 400
240 300
220 200
200 100 20 mass% MEKPO
Temperature (°C)

180 0
160 Tmax = 158°C

dT dt-1 (˚C min -1)

-3.6 -3.4 -3.2 -3.0 -2.8 -2.6 -2.4 -2.2 -2.0 -1.8
120 14
100 (dT dt-1)max = 7˚C min -1
80 8
60 20 mass% MEKPO 6
40 20 mass% H2O2 4 20 mass H2O2
0 50 100 150 200 250 -3.6 -3.4 -3.2 -3.0 -2.8 -2.6 -2.4 -2.2 -2.0 -1.8
Time (min) -1000/T (K-1)

Figure 4. Temperature vs. time for thermal decomposition Figure 6. Dependence of rate of temperature rise on temper-
of 20 mass% MEKPO and H2 O2 by VSP2. ature from VSP2 experimental data for 20 mass% MEKPO
and H2 O2 .
900 Pmax = 841 psi 160
800 120
Pmax = 530 psi 60
Pressu re (psig)

600 20 mass% MEKPO

500 20
400 -20
20 mass% MEKPO
160 -3.6 -3.4 -3.2 -3.0 -2.8 -2.6 -2.4 -2.2 -2.0 -1.8
300 20 mass% H2O2 140
200 100 max

100 80
0 40 20 mass H2O2
-100 0
0 50 100 150 200 250 -20
-3.6 -3.4 -3.2 -3.0 -2.8 -2.6 -2.4 -2.2 -2.0 -1.8
Time (min)

Figure 5. Pressure vs. time for thermal decomposition of

Figure 7. Dependence of rate of pressure rise on temper-
20 mass% MEKPO and H2 O2 by VSP2.
ature from VSP2 experimental data for 20 mass% MEKPO
and H2 O2 .

reaction. H2 O2 exothermic decomposition hazards are

shown in Table 2.
mass% MEKPO by VSP2 was more dangerous in
Figure 4 because it began self–heating at 90◦ C and
3.2 Thermal decomposition analysis for VSP2
Tmax reached 263◦ C. H2 O2 decomposed at 80◦ C and
Table 3 indicates T0 , Tmax , Pmax , (dT dt−1 )max , increased to 158◦ C. In parallel, H2 O2 decomposed
(dP dt−1 )max for 20 mass% MEKPO and H2 O2 by suddenly and was transferred to vapor pressure. Pmax
VSP2. Figure 4 displays temperature versus time was detected from Figure 5. Figures 6 and 7 show
by VSP2 with 20 mass% MEKPO and H2 O2 . The the rate of temperature increase in temperature and
pressure versus time by VSP2 under 20 mass% pressure from VSP2 experimental data for 20 mass%
MEKPO and H2 O2 is displayed in Figure 5. Twenty MEKPO and H2 O2 . According to the maximum of

Table 4. Scanning data of the thermal runaway decom- were about 263◦ C and 34.7 bar, respectively. Under 20
position of 31 mass% MEKPO by TAM. mass% MEKPO by VSP2 test, the (dT dt−1 )max and
(dP dt−1 )max were about 394.7◦ C min−1 and 140.0 bar
Isothermal min−1 , respectively. During storage and transporta-
temperature Mass Reaction time TMR Hd
tion, a low concentration (<40 mass%) and a small
(◦ C) (mg) (hr) (hr) (Jg−1 )
amount of MEKPO should be controlled. H2 O2 was
60 0.05008 800 200 784 controlled 10◦ C when it joined a MEKPO manufactur-
70 0.05100 300 80 915 ing reaction. This is very dangerous for the MEKPO
80 0.05224 250 40 1,015 manufacturing process, so the reaction was a concern
and controlled at less than 20◦ C in the reactor.

Isothermal test for 60˚ C

0.00000 The authors would like to thank Dr. Kuo-Ming Luo for
Heat flux (Wg-1)

0.00015 0 200 400 600 800 1000 1200 valuable suggestions on experiments and the measure-
0.00010 Isothermal test for 70˚ C
ments of a runaway reaction. In addition, the authors
0.00005 are grateful for professional operating techniques and
0 50 100 150 200 250 300 350
Isothermal test for 80˚ C REFERENCES
0 50 100 150 200 250 300 350
Ando, T., Fujimoto, Y., & Morisaki, S. 1991. J. of Hazard.
Time (hr) Mater., 28: 251–280.
ASTM E537-76, 1976. Thermal Stability of Chemical by
Figure 8. Thermal curves for 31 mass% MEKPO by TAM Methods of Differential Thermal Analysis.
at 60–80◦ C isothermal temperature. Chervin, S. & Bodman, G.T. 2003. Process Saf. Prog, 22:
Chang, R.H., Tseng, J.M., Jehng, J.M., Shu, C.M. & Hou,
temperature rise rate ((dT dt−1 )max ) and temperature H.Y. 2006. J. Therm. Anal. Calorim., 83, 1: 57–62.
rise rate maximum of pressure rise rate ((dP dt−1 )max ) Fu, Z.M., Li, X.R., Koseki, H.K., & Mok, Y.S. 2003. J. Loss
from Figures 6 and 7, MEKPO is more dangerous Prev. Process Ind., 16: 389–393. Semenov, N.N. 1984. Z.
than H2 O2 . According to Figure 2, the MEKPO and Phys. Chem., 48: 571.
H2 O2 were the Ops that may cause a violent reactivity Fessas, D. Signorelli, M. & Schiraldi, A. 2005. J. Therm.
behavior in the batch reactor. Anal. Cal., 82: 691.
Hou, H.Y., Shu, C.M. & Duh, Y.S. 2001. AIChE J., 47(8):
3.3 Thermal decomposition analysis of 31 Liao, C.C., Wu, S.H., Su, T.S., Shyu, M.L. & Shu, C.M.
mass% MEKPO for TAM 2006. J. Therm. Anal. Cal., 85: 65.
Marti, E., Kaisersberger, E. & Emmerich, W.D. 2004. J.
TAM was employed to determine the reaction behav- Therm. Anal. Cal., 77: 905.
ior for isothermal circumstance. Table 4 displays Miyakel, A., Kimura, A., Ogawa, T., Satoh, Y. & Inano, M.
the thermal runaway decomposition of 31 mass% 2005. J. Therm. Anal. Cal., 80: 515.
MEKPO under various isothermal environment by MHIDAS, 2006. Mayor Hazard Incident Data Service,
TAM. Results showed the TMR for isothermal tem- OHS_ROM, Reference Manual.
Sivapirakasam, S.P. Surianarayanan, M. Chandrasekaran, F.
perature at 60, 70, and 80◦ C that were about 200,
& Swaminathan, G. 2004. J. Therm. Anal. Cal., 78: 799.
80, and 40 hrs, respectively. From data investigations, Smith, D.W. 1982. ‘‘Runaway Reaction, and Thermal Explo-
isothermal temperature was rise, and then emergency sion’’, Chemical Engineering, 13: 79–84.
response time was short. The Isothermal Calorimetric Manual for Thermometric AB,
1998, Jarfalla, Sweden.
Tseng, J.M., Chang, R.H., Horng, J.J., Chang, M.K., &
4 CONCLUSIONS Shu, C.M. 2006. ibid, 85 (1) : 189–194.
Tseng, J.M., Chang, Y.Y., Su, T.S., & Shu, C.M. 2007. J.
According to the DSC experimental data, MEKPO Hazard. Mater., 142: 765–770.
Wang, W.Y., Shu, C.M., Duh, Y.S. & Kao, C.S. 2001. Ind.
decomposes at 30–40◦ C. Under external fire Eng. Chem. Res., 40: 1125.
circumstances, MEKPO can decompose quickly and Yeh, P.Y., Duh, Y.S., & Shu, C.M. 2003. Ind. Eng. Chem.
cause a runaway reaction and thermal explosion. On Res., 43: 1– 5.
the other hand, for 20 mass% MEKPO by VSP2, Yuan, M.H., Shu, C.H., & Kossoy, A.A. 2005. Thermo-
the maximum temperature (Tmax ) and pressure (Pmax ) chimica Acta,430: 67–71.

Crisis and emergency management
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

A mathematical model for risk analysis of disaster chains

A. Xuewei Ji
Center for Public Safety Research, Tsinghua University, Beijing, China
School of Aerospace, Tsinghua University, Beijing, China

B. Wenguo Weng & Pan Li

Center for Public Safety Research, Tsinghua University, Beijing, China

ABSTRACT: A disaster often causes a series of derivative disasters. The spreading of disasters can often form
disaster chains. A mathematical model for risk analysis of disaster chains is proposed in causality network,
in which each node represent one disaster and the arc represent interdependence between them. The nodes of
the network are classified into two categories, active nodes and passive nodes. The term inoperability risk,
expressing the possible consequences of each passive node due to the influences of all other nodes, is cited
to assess the risk of disaster chains. An example which may occur in real life is solved to show how to apply
the mathematical model. The results show that the model can describe the interaction and interdependence of
mutually affecting emergencies, and it also can estimate the risk of disaster chains.

1 INTRODUCTION of chain of losses and failures to the simple couple

hazardous event damages. Glickman et al. proposed
Nowadays, on account of increasing congestion in hazard networks to describe the interdependencies
industrial complexes and increasing density of human among the hazards and determine risk reduction strate-
population around such complexes, any disaster is not gies. Some studies about risk assessment of domino
isolated and static, and many disasters are interactional effect based physical models and quantitative area risk
and interdependent. A disaster often causes a series of analysis have been made great progress as for instance
derivative disasters. In many cases, derivative disasters Khan et al. and Spadoni et al.
can cause greater losses than the original disaster itself. The purpose of the paper is to present a mathemat-
The spreading of disasters can often be described by ical model in causality network allowing to study the
interconnected causality chain, which is called disas- interaction and interdependence of mutually affecting
ter chains here. Disaster chains reflect how one factor among disasters and to conduct risk analysis of disaster
or sector of a system affects others. These cascade- chains.
like chain-reactions, by which a localized event in time
and space causes a large-scale disaster, may affect the
whole system. The recent example is the snowstorm
in several provinces of southern China this year. The
rare snowstorm made highways, railways, and ship-
2.1 Some concepts and assumptions
ping lines blocked leading to the poor transportation
of coal, which brought the strain of electricity in many Disaster chains mean that one critical situation triggers
regions. All of these formed typical disaster chains. another one and so on, so that the situation worsens
Therefore, a great effort is necessary to prevent the even more. It is a complex system which consists of
chain effect of disasters and to improve the ability interacting disasters. All the disasters forms a causality
of emergency management. Researchers have made network, in which each node represent one disaster
some contribution to understand the domino effect and and the arc represent interdependence between them.
chain effect behind disasters. For example, Gitis et al. In this section, a mathematical model is set up based
studied catastrophe chains and hazard assessment, on the causality network (see Figure 1) for risk analysis
and they suggested a mathematical model describ- of disaster chains.
ing mutually affecting catastrophes. Menoni et al. In the causality network above, we classify the
analyzed the direct and indirect effects of the Kobe nodes of the network into two categories, active nodes
earthquake and suggested to substitute the concept and passive nodes. The term active nodes will be used

For each active node j = 1, 2, . . ., m, a random
variable ξi is used to represent the state, which takes
values 1 or 0 provided the node occurs or not. For each
passive node k(k = m +1, m+ 2, . . . , n) inoperability
is cited to represent its state, which is assumed to be a
continuous variable (ζk ) evaluated between 0 and 1,
with 0 corresponding to a normal state and 1 cor-
responding to completely destroyed state. We shall
consider conditional distribution of ξi and postulate
the Markov property: this distribution depends only on
the influence of the direct connected nodes. We pos-
tulate the following expressions for these conditional
Figure 1. Causality network of disaster chains. P(ξj = 1|ξi = xi , ζk = yk ) = πj + xi aij + yk akj
i k

i, j = 1, . . . , m, k = m + 1, . . . , n (2)
to refer to the nodes whose consequences (loss or dam-
age) are embodied through passive nodes, for example, where πi denotes the probability of spontaneous
the loss of earthquake comes from the damage of some occurrence of the active node j. In the above equation,
anthropogenic structures caused by it. Likewise, pas- it is supposed that
sive nodes will be used to refer to the nodes whose
consequences are possible loss events and are embod- 
ied by themselves. Taking power system as an exam- πj + xi aij + yk akj ≤ 1 (3)
ple, the disaster is the consequence of inability of part i=1 k=m+1
of its functions (called inoperability here). Risk is the
integration of possibility and consequence. Therefore, Equation (2) means that the conditional probability
the inoperability risk proposed by Haimes et al. which of the event ξi = 1 with given ξi = xi , ζk = yk is a lin-
expresses the possible consequences of each passive ear combination of xi plus constant. Only the nodes i
node due to the influences of other nodes (including directly connected with the nodes j are involved in this
passive and active), is cited to assess the risk of disaster linear combination. This hypothesis forms the basis of
chains. the mathematical theory of the voter model (Malyshev
The proposed model is based on an assumption that et al.). Let us denote by Pi the unconditional proba-
the state of active node is binary. That means that bility P(ξi = 1). It is interpreted as the probability
active node has only two states (occurrence of nonoc- of the occurrence of the active node j. If we take the
currence). The magnitude of active node (disaster) is expectation value of (2), we get the equations:
not taken into consideration in the model. In contrast
to that, the state of passive nodes can be in continu- 

ous states from normal state to completely destroyed Pj = πj + Pi aij + Rk akj (4)
state. i=1 k=m+1

Pj = min πj + Pi aij + Rk akj , 1 (5)
2.2 The model i=1 k=m+1

Let us define certain active node with certain occur- where Rk denotes the inoperability of the passive
rence probability as the start point of disaster chains. node k. Next, we use the quantity bjk to represent
Let us index all nodes i = 1, 2, . . . , m, m + 1, m + the inoperability of each passive node k caused by
2, . . . , n. The nodes represent active nodes if i = active node i. So we have the inoperability (Ck ) of pas-
1, 2, . . . , n, and passive nodes if i = m + 1, m + sive node k due to all the active nodes that are directly
2, . . . , n. We shall denote by aij the probability for any connected with the passive node:
node i to induce directly the active node j, and aij > 0
in case of the existence of an arrow from node i to node 
j, otherwise aij = 0. By definition, we put aii = 0. So Ck = Pi bik (6)
we get the matrix: i=1

To assess the risk of disaster chains, we pro-

A = (aij ), i = 1, 2, . . . , n, j = 1, 2, . . . , m (1) pose a quantity Mij called direct influence coefficient.


⎪ m n
It expresses the influence of inoperability between pas- ⎪
⎪ Pj = πj + Pi aij + Rk akj
sive i and j, which are directly connected. We get direct ⎪

i=1 k=m+1
influence coefficient matrix: ⎪
⎪ m n

⎪ Rk = Pi bki + Ri Mik

⎨ i=1 i=m+1
M = (Mij ), i, j = m + 1, m + 2, . . . , n (7) s.t.

⎪ P = min π +



⎪ j j Pi aij R k a kj , 1
The expression M k reflects all influences over k −1 ⎪

m i=1

nodes and k links, i.e. k = 1 corresponds to direct ⎪


⎪ Rk = min Pi bki + Ri Mik , 1
influences, k = 2 to feedback loops with one interme- ⎪

⎩ i=1 i=m+1
diate node, etc. So, total influence coefficient matrix for j = 1, 2, . . . , m, k = m + 1, m + 2 . . . , n
(Tij ) can be expressed:

 Finally, in the mathematical model, we need to
T = M + M2 + M3 + · · · + Mk + · · · = Mk determine three matrix, i.e. the A matrix, the B matrix
k=1 and the M matrix. For the matrix A, several physical
(8) models and probability models have been developed
to give the probability that a disaster induces another
As this converges only for the existence of the one (Salzano et al.). Extensive data collecting, data
matrix (I − M )−1 , we will obtain the formula: mining and expert knowledge or experience may be
required to help determine the M matrix. We can use
T = (I − M )−1 − I (9) historical data, empirical data and experience to give
the matrix B.
where I denotes the unity matrix. Besides, the total
inoperability risk of the passive node k due to the
influence of all the nodes (active and passive) can be
expressed as:
To show how to apply the mathematical model, we
solve the following example. We consider the disaster

chains consisting of eight nodes and earthquake is con-
Rk = Ci Tik (10) sidered as spontaneous with a known probability π1 .
i=m+1 The causality network of the disaster chains is illus-
trated by Figure 2. We think that D1 ∼D4 are active
Based on the above equations, we can get: nodes and D5 ∼D8 are passive nodes.
In principle, the matrix A, B and M are obtained

n from expert data and historical data. For simplicity,
Rk = Ck + Ri Mik (11) all the elements of the three matrixes are regarded as
i=m+1 constant. We have:
⎡ ⎤ ⎡ ⎤
0 0.4 0.6 0.2 0.6 0 0.5 0.3
That is also: ⎢
⎢ 0 0.1 0⎥⎥ B = ⎢0.9 0 0 0⎥ ⎥
⎢0 0.4 0 0⎥ ⎣0 0 0 0⎦

n ⎢ ⎥
⎢0 0 0 0⎥ 0.5 0 0.1 0
Rk = Pi bki + Ri Mik (12) A=⎢
⎥ ⎡ ⎤
⎢ 0 0 0⎥⎥ 0 0 0 0
i=1 i=m+1 ⎢0 0 0 0⎥ ⎢ 0.3 0 0 0⎥
⎢ ⎥ M =⎢ ⎥
⎣0 0 0 0⎦ ⎣0 0.4 0 0.9⎦
It is important to notice that, due to the constraint 0 0.3 0 0 0 0.2 0.5 0
0 ≤ Rk ≤ 1, equation (12) sometimes does not have
a solution. If this is the case, we will have to solve an
alternative problem, i.e. Now, suppose π1 = 0.3. Due to the earthquake,
fires in commercial area, hazardous materials release
 m  and social crisis are induced, and commercial area,
public transportation system and power supply system
Rk = min Pi bki + Ri Mik , 1 (13)
are impacted. We can get the results:
i=1 i=m+1

(P1 , P2 , P3 , P4 ) = (0.30, 0.33, 0.21, 0.06)

To sum up, the mathematical model for risk analysis
of disaster chains can be summarized as: (R5 , R6 , R7 , R8 ) = (0.58, 0.23, 0.37, 0.42)

Thus, because of the possible influences of the 4 CONCLUSIONS
earthquake and a series of disasters (fires and haz-
ardous materials release) induced by it, the commer- The mathematical model proposed here can be used to
cial area and power plant loss 58% and 42% of each study the interaction and interdependence of mutually
functionality, the economic situation deteriorate 23% affecting among disasters and to conduct risk analysis
of its normal state, and the transportation system loses of disaster chains. It can also be used to analyze which
63% of its operability. We conclude that the interde- disaster is more important compared to other disasters,
pendences make the influence of the earthquake be and to provide scientific basis for disaster chains emer-
amplified according to the results above. From the gency management. However, disaster chains are so
viewpoint of disaster chains, the interdependences can complex that developing a meaningful mathematical
be taken into consideration. model capable of study disaster chains is an arduous
We can also evaluate the impact of the earthquake task. The work here is only a preliminary attempt to
of varying occurrence probability on the risk distri- contribute to the gigantic efforts.
bution. Solving the problem can yield the following In order to construct a mathematical model to study
results. When π1 is 0.52, the value of R5 reaches 1. disaster chains in causality network, we think that the
The value of R8 reaches 1, when π1 increases to 0.72. following steps are needed:
This means the operability of commercial area and
• Enumerate all possible disasters in the causality
economic situation is 0.55 and 0.87 at π1 = 0.72,
while the other two systems have been in completely
• For each node of the network, define a list of
destroyed. When π1 increases to 0.97, all of the sys-
other nodes which can be directly induced by it
tems completely fail except economic situation. The
and directly induce it, and define the interdependent
results are shown in Fig. 3.
relationships between them.
• Define appropriate quantities to describe the risk of
disaster chains.
Then risk analysis process of disaster chains can be
described by the model presented above.


Gitis, V.G., Petrova, E.N. & Pirogov, S.A. 1994. Catastrophe

chains: hazard assessment, Natural hazards 10: 117–121.
Glickmanand, T.S. & Khamooshi, H. 2005. Using hazard
networks to determine risk reduction strategies, Journal
of the operational research society 56: 1265–1272.
Haimes, Y.Y. & Pu Jiang. 2001. Leontief-based model of
risk in complex interconnected infrastructures, Journal of
Figure 2. Causality network of our example. infrastructure systems 7(1): 1–12.
Khan, F.I. & Abbasi, S.A. 2001. An assessment of the likeli-
hood of occurrence, and the damage potential of domino
effect (chain of accidents) in a typical cluster of indus-
power plant tries, Journal of loss prevention in the process industries
14: 283–306.
0.8 Malyshev, V.A., Ignatyuk, I.A. & Molchanov, S.A. 1989.
commercial area
inoperability risk

public transportation Momentum closed processes with local interaction,

0.6 Selecta mathematica Sovietica 8(4): 351–384.
Salzano, E., Lervolino, I. & Fabbrocino, G. 2003. Seismic
economic situation risk of atmospheric storage tanks in the framework of
quantitative risk analysis, Journal of loss prevention in
the process industries 16: 403–409.
Scira Menoni. 2001. Chains of damages and failures in
a metropolitan environment: some observations on the
0.0 Kobe earthquake in 1995, Journal of hazardous materials
0.0 0.2 0.4 0.6 0.8 1.0
86: 101–119.
Probability of earthquake Spadoni, G., Egidi, D. & Contini, S. 2000. Through ARIPAR-
GIS the quantified area risk analysis supports land-use
Figure 3. Inoperability risk as function of the probability of planning activities, Journal of hazardous materials 71:
earthquake. 423–437.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Effective learning from emergency responses

K. Eriksson
LUCRAM (Lund University Centre for Risk Analysis and Management),
Department of Fire Safety Engineering and Systems Safety, Lund University, Lund, Sweden

J. Borell
LUCRAM (Lund University Centre for Risk Analysis and Management),
Department of Design Sciences, Lund University, Lund, Sweden

ABSTRACT: During recent years a couple of emergencies have affected the city of Malmo and its inhabitants
and forced the city management to initiate emergency responses. These emergencies, as well as other incidents,
are situations with a great potential for learning emergency response effectiveness. There are several methods
available for evaluating responses to emergencies. However, such methods do not always use the full potential
for drawing lessons from the occurred emergency situations. Constructive use of principles or rules gained
during one experience (in this case an emergency response) in another situation is sometimes referred to as
‘positive transfer’. The objective of this paper is to develop and demonstrate an approach for improving learning
from the evaluation of specific response experiences through strengthening transfer. The essential principle in
the suggested approach is to facilitate transfer through designing evaluation processes so that dimensions of
variation are revealed and given adequate attention.

1 INTRODUCTION During the last four years three larger emergencies

have affected the city of Malmo. In 2004 the Box-
During recent years there has been an increased ing Day Tsunami resulted in an evacuation of people
demand from the public that society should prevent to Sweden and thus also to Malmo, which received a
emergencies to occur or at least minimize their nega- substantial number of evacuees. In the middle of July
tive outcomes. The demand for a more and more robust 2006 an armed conflict between Lebanon and Israel
society also enhances the need for the society to learn broke out. Also this incident resulted in an evacuation
from past experience. Experience and evaluations of of Swedish citizens, of whom many were connected
instances of emergency response are two possible to Malmo. Both these incidents resulted in a need
inputs to an emergency management preparedness for the city of Malmo to use their central emergency
process. Other important inputs are risk analyses, response organisation to support the people evacuated
exercises as well as experience from everyday work. from another part of the world. In April 2007 a riot
Ideally the result from an evaluation improves the broke out in a district of the city. Also during this
organisations ability to handle future incidents. Fur- incident there was a need for the city to initiate their
thermore, experience of a real emergency situation emergency response organisation but this time only
commonly creates awareness and willingness to pre- in the affected district. After each of these incidents
pare for future emergencies (Tierney et al. 2001; Boin Malmo has performed evaluations. A central question
et al. 2005). It is of central interest to question whether is: How can organisations be trained to face future
the full potential of an evaluation of an emergency unknown incidents based on known cases?
situation is used. Sometimes there is a tendency to The objective of this paper is to develop and
plan for the current situation (Carley & Harrald 1997). demonstrate an approach for strengthening emer-
For example Lagadec (2006 p. 489) mention that it is gency response capability through improving learning
essential to ‘‘. . . not prepare to fight the last war’’ but from the evaluation of specific emergency response
for future emergencies. For an overview of possible experiences. An approach has been developed based
barriers against learning from experience concerning on learning theories. The approach has been applied
emergency management, see for example Smith & to evaluations of emergency responses in Malmo.
Elliott (2007). The preliminary findings indicate that the developed

approach can improve experience-based learning in 3.2 Transfer
Constructive use of principles or rules that a per-
son gained during one experience (in this case an
emergency response operation) in another situation
2 METHOD is sometimes referred to as ‘positive transfer’ (Reber
1995). Transfer may be quite specific when two sit-
From theories of learning a first hypothetical approach uations are similar (positive or negative transfer), but
for improving learning from evaluations of emergency also more general, e.g. ‘learning how to learn’. The
responses was created. To further examine and refine concept of transfer is also discussed within organisa-
the approach it was tested through application on tional theory. At an organisational level the concept
an evaluation of emergency response in the city of transfer involves transfer at an individual level but
Malmo. The evaluation concerned the management also transfer between different individuals or organisa-
of emergency response activities during the Lebanon tions. Transfer at an organisational level can be defined
war in July 2006. In addition, evaluations of the as ‘‘ . . . the process through which one unit (e.g. group,
Boxing Day Tsunami in 2004 and the emergency man- department, or division) is affected by experience of
agement organisations handling of a riot that broke another’’ (Argote & Ingram 2000 p. 151).
out in a district of the Malmo during April 2007
are used for further demonstration of the approach.
The evaluations are based on analyses of interviews 3.3 Variation
and collected documents. The interviews were car- One essential principle for facilitating the transfer
ried out with mainly municipal actors involved during process, established in the literature on learning, is
the incidents. In total 19 interviews have been com- to design the learning process so that the dimen-
pleted. The documents analysed were for example sions of possible variation become visible to the
notes from the response organisations’ information learners (Pang 2003, Marton & Booth 1999). Suc-
systems, notes and minutes from managerial meet- cessful transfer for strengthening future capability
ings during the events, written preparedness plans demands that critical dimensions of possible varia-
and newspaper articles. The use of the three eval- tion specific for the domain of interest are considered
uations can be seen as a first test of the approach (Runesson 2006).
for improved learning from evolutions of emergency When studying an emergency scenario two differ-
situations. ent kinds of variation are possible; variation of the
parameter values and variation of the set of param-
eters that build up the scenario. The first kind of
variation is thus the variation of the values of the
specific parameters that build up the scenario. In prac-
tice, it is not possible to vary all possible parameter
3.1 Organisational learning
values. A central challenge is how to know which
For maintaining a response capability in an organisa- parameters are critical in the particular scenario and
tion over time there is a need that not only separate thus worth closer examination by simulated varia-
individuals but the entire organisation has the neces- tion of their values. The variation of parameter values
sary knowledge. According to Senge (2006 p. 129) can be likened to the concept of single-loop learning
‘‘. . . Organizations learn only through individuals who (Argyris & Schön 1996). When the value of a given
learn. Individual learning does not guarantee orga- parameter in a scenario is altered, that is analogous
nizational learning. But without it no organizational to when a difference between expected and obtained
learning occurs’’. Also Argyris & Schön (1996) point outcome is detected and a change of behaviour is
out that organisational learning is when the individ- made.
ual members learn for the organisation. Argyris & The second kind of variation is variation of the
Schön (1996) also discuss two types of organisational set of parameters. This kind of variation may be dis-
learning: single-loop learning and double-loop learn- cerned through e.g. discussing similarities as well as
ing. Single-loop learning occurs when an organisation dissimilarities of parameter sets between different sce-
modifies its performance due to a difference between narios. The variation of the set of parameters can be
expected and obtained outcome, without questioning likened to the concept of double-loop learning (Argyris
and changing the underlying program (e.g. changes & Schön 1996), wherein the system itself is altered
in values, norms and objectives). If the underly- due to an observed difference between expected
ing program that led to the behaviour in the first and obtained outcome. A central question is what
place is questioned and the organisation modifies it, the possible sets of parameters in future emergency
double-loop learning has taken place. scenarios are.

3.4 Scenario 4.2 Variation of the values of the parameters
A specific emergency situation can be described as The second step is to vary the value of the parame-
a scenario, here seen as a description of a series of ters that build up the scenario. This may be carried out
occurred or future events arranged along a timeline. through imagining variation of the included param-
Scenarios describing past emergencies ‘‘. . . answers eters (that are seen as relevant) within the scenario
the question: ‘What happened?’ ’’ (Alexander 2000 description. Typical examples of parameters can be
pp. 89–90). An emergency scenario can further be the length of forewarning or the number of people
seen as consisting of various parameters. The con- involved in an emergency response.
cept parameter is here defined in very broad terms and Variation of parameter values makes the parameters
every aspect with a potential for variation in a scenario themselves as well as the possible variation of their
is seen as a parameter. For example the duration of a values visible. This can function as a foundation for
scenario or the quantity of recourses that is needed positive transfer to future emergency situations with
can be viewed as parameters. Alexander (2000 p. 90) similar sets of relevant parameters. This in turn may
further mentions that when imagining the future the strengthen the capability to handle future emergencies
question to ask is ‘‘What if . . . ?’’. of the same kind as the one evaluated, but with for
One kind of parameters suitable for imagined example greater impact.
variation that is discussed in the literature is the
different needs or problems that arise during an emer-
gency situation. Dynes (1994) discusses two differ- 4.3 Variation of the set of parameters
ent types of needs or problems that requires to be The third step is the variation of the set of parameters.
responded to during an emergency. These are the By comparing the current case with other cases both
response generated and the agent generated needs. occurred (e.g. earlier emergencies) and imagined (e.g.
The response generated needs are quite general and results from risk and vulnerability analyses) different
often occur during emergencies. They are results of sets of parameters can be discussed.
the particular organisational response to the emer- Obviously it is not possible to decide the ultimate
gency, e.g. the needs for communication and coor- set of parameters to prepare for with general validity.
dination. The agent generated needs (Dynes et al. There is always a need for adaption to the situation.
1981) are the needs and problems that the emer- Yet it is often possible for an organisation to observe a
gency in itself creates, for example search, rescue, pattern of similarities in the parameters after a couple
care of injured and dead as well as protection against of evaluations. Even if two emergency scenarios dif-
continuing threats. These needs tend to differ more fer when it comes to physical characteristics there are
between emergencies than the response generated often similarities in the managing of the scenarios.
needs do. A possible way to vary the set of parameter is to
be inspired by Dynes (1994) different types of needs
or problems that arise during an emergency situa-
4 THE PROPOSED APPROACH tion. Commonly similarities are found when studying
response generated needs and it is thus wise to prepare
The main goal of this paper is to develop and to handle them. Even if agent generated needs tend to
demonstrate an approach to strengthening emergency differ more between emergencies, paying them some
response capability through improving learning from attention too may be worthwhile.
the evaluation of response experiences. Greater experience means more opportunities for
positive transfer. Furthermore, with increasing expe-
rience of thinking in terms of varying the set of
4.1 Description of the emergency scenario parameters and their values, it is probable that the
The first step in the approach is to construct a descrip- organisation and its employees also develop the ability
tion of the emergency scenario, i.e. create and docu- to more general transfer, through the abstract ability
ment a description of an occurred emergency situation. to think of variation of parameters.
The description of the occurred scenario is needed for
further discussions on the organisation’s ability to han-
4.4 Transferring information and knowledge
dle future emergencies. By describing the series of
events that build up the scenario, the most relevant A step that is often given inadequate attention is the
parameters can be identified. From this description transferring of information and knowledge obtained
it is then possible to vary the possible parameters as during the managing and the evaluation of an emer-
well as the set of parameters that build up the scenario, gency to the entire organisation. Thus there is a need
and thus answer Alexander’s (2000) question: ‘‘what for creating organisational learning (Carley & Harrald
if . . . ?’’. 1997). This task is not an easy one, and requires serious

resources. Therefore it is essential for organisations Malmo also had an administrative diary system that
to create a planned structure or process for this task. was supposed to be used as a way to spread informa-
This step also includes activities such as education and tion within the organisation. During the managing of
exercises. In the end it is essential that the findings are the Lebanon war this system was not used as intended.
carried by the individuals as well as codified in suitable Among other things, this depended on that some peo-
artefacts of the organisation. ple had problems using it. The critical question to ask
In addition, to create a better transfer and organisa- is thus: If the situation had been worse, how would they
tional learning it is throughout all steps of the approach then disseminate information within the organisation?
recommendable to work in groups. One reason for this In a worse situation, with many more people involved,
is that more people can be potential messengers to the it is probably not manageable to only use direct contact.
rest of the organisation. Would Malmo have managed such a situation?
By asking what if-questions concerning these two
critical aspects or parameters (as well as others), and in
5 DEMONSTRATING THE APPROACH that way varying the parameters, the organisation and
its employees might get an improved understanding of
The main goal of this paper was to develop and their capability to manage future emergencies. When
demonstrate an approach for strengthening emergency Malmo used the proposed approach and asked those
response capability through improving learning from critical questions several problems became visible and
the evaluation of specific response experiences. From discussed. Due to this, Malmo has later developed
theories of learning a hypothetical approach has been new routines for staffing their emergency response
constructed. Below the constructed approach will be organisation.
demonstrated through application on the evaluation of
the city of Malmo’s response to the Lebanon war. In
5.3 Variation of the set of parameters
addition, the evaluations of Malmo’s managing of the
tsunami and the riot will be used in the demonstration. The second step was to vary the set of parameters
by e.g. comparing the evaluated scenario to other
5.1 Description of the emergency scenario
During the interviews many people compared
The test of the approach started from a construction Malmo’s managing of the Lebanon war with the
of the emergency scenario. During this work critical managing of the Tsunami. During both emergencies
parameters for the response of the managing of the the Swedish government evacuated Swedish people
Lebanon war were observed. to Sweden from other countries. Individuals arriv-
ing to Malmo caused Malmo to initiate emergency
responses. Malmo’s work during both the situations
5.2 Variation of the values of the parameters
aimed at helping the evacuated. During both situations
During the evaluation of the Lebanon war two param- it is possible to identify more or less the same response
eters were identified as especially critical. These were generated needs. Both situations required e.g. commu-
the staffing of the central staff group and the spreading nication within the organisation and the creation of a
of information within the operative organisation. staff group to coordinate the municipal response.
During the emergency situation the strained staffing Also the agent generated needs were similar in
situation was a problem for the people working in the the two situations. Some of the affected individuals
central staff group. There was no plan for long-term arriving to Sweden needed support and help from the
staffing. A problem was that the crisis happened dur- authorities. But the type of support needed varied. For
ing the period of summer when most of the people example, after the tsunami there were great needs for
that usually work in the organisation were on vaca- psychosocial support, while the people returning from
tion. In addition, there seems to have been a hesitation Lebanon instead needed housing and food.
to bring in more than a minimum of staff. This resulted After the riot in 2007 a comparison with the man-
in that some individuals on duty were overloaded with aging of the Malmo consequences of the Lebanon war
tasks. After a week these individuals were exhausted. was carried out. This comparison showed much more
This was an obvious threat to the organisation’s ability dissimilarities than the comparison mentioned above,
to continue operations. Critical questions to ask are: especially when discussing in terms of agent gener-
What if the situation was even worse, would Malmo ated needs. For example, during the riot efforts were
have managed it? What if it would have been even concentrated on informing the inhabitants on what the
more difficult to staff the response organisation? city was doing and on providing constructive activities
The spreading of information within the opera- for youths. The response generated needs, e.g. a need
tive central organisation was primarily done by direct to initiate some form of emergency response organi-
contact between people either by telephone or mail. sation and communication with media, were the same

as during Malmo’s managing of the Lebanon related unproductive. But if we can do those things in a rea-
events. sonably disciplined way, we can be smarter and more
Really interesting question to ask are: What will imaginative’’ (Clarke 2005 p. 84).
happen in the future? What if Malmo will be hit by a The application of the approach during the eval-
storm or a terrorist attack? How would that influence uation of the managing of the Lebanon war conse-
the city? Who will need help? Will there be any need quences appears to have strengthened the learning in
for social support or just a need for technical help? the organisation. This statement is partly based on
Will people die or get hurt? Obviously, this is a never opinions expressed by the individuals in the organi-
ending discussion. The main idea is not to find all sation involved in the discussions during and after the
possible future scenarios, but to create a capability for evaluation. During the reception of the written report
this way of thinking. There is a need to always expect as well as during seminars and presentations of the sub-
the unexpected. ject we found that the organisation understood and had
use of the way of thinking generated by using the pro-
posed approach. Subsequently the organisation used
5.4 Transferring information and knowledge the findings from the use of this way of thinking in
their revision of their emergency management plan.
To support transfer of the result throughout the organ-
The new way of thinking seems to have resulted
isation the evaluation of the Lebanon war resulted in
in providing the organisation a more effective way
seminars for different groups of people within the
of identifying critical aspects. Consequently, it comes
organisation, e.g. the preparedness planners and the
down to being sensitive to the critical dimensions of
persons responsible for information during an emer-
variation of these parameters. There is still a need to
gency. These seminars resulted in thorough discus-
further study how an organisation knows which the
sions in the organisation on emergency management
critical dimensions are. It is also needed to further
capability. In addition, an evaluation report was made
evaluate and refine the approach in other organisations
and distributed throughout the organisation. The dis-
and on other forms of emergencies.
cussions during and after the evaluation of the Lebanon
war also led to changes in Malmo’s emergency man-
agement planning and plans. Some of these changes 7 CONCLUSION
can be considered examples of double-loop learning,
with altering of parameters, expected to improve future Seeing scenarios as sets of parameters, and elaborat-
emergency responses. ing on the variation of parameter values as well as
the set of parameters, seems to offer possibilities for
strengthening transfer. It may thus support emergency
6 DISCUSSION response organisations in developing rich and many-
sided emergency management capabilities based on
This paper has focused on the construction of an evaluations of occurred emergency events.
approach for strengthening emergency response capa-
bility through improving learning from the evaluation
of specific response experiences. REFERENCES
We have described how imaginary variation of sets
of parameters and parameter values can be used in Alexander, D. 2000. Scenario methodology for teaching prin-
evaluation processes around scenarios. Discussing in ciples of emergency management. Disaster Prevention
terms of such variation has shown to be useful. This and Management: An International Journal 9(2): 89–97.
Argote, L. & Ingram, P. 2000. Knowledge Transfer: A
holds for written reports as well as presentations. Sim- Basis for Competitive Advantage in Firms. Organiza-
ilar views are discussed in the literature. For example tional Behavior and Human Decision Processes 82(1):
Weick & Sutcliffe (2001) discuss how to manage the 150–169.
unexpected. They describe certain attitudes within an Argyris, C. & Schön, D.A. 1996. Organizational Learning II:
organisation, e.g. that the organisation is preoccupied Theory, Method, and Practice. Reading, Massachusetts:
with failures and reluctant to simplify interpreta- Addison-Wesley Publishing Company.
tions, that help the organisation to create mindfulness. Boin, A., ’t Hart, P., Stern, E. & Sundelius, B. 2005. The
A mindful organisation continues to question and Politics of Crisis Management: Public Leadership Under
reconsider conceptualisations and models and thus Pressure. Cambridge: Cambridge University Press.
Carley, K.M. & Harrald, J.R. 1997. Organizational Learn-
increases the reliability of their operations. Like- ing Under Fire. The American Behavioral Scientist 40(3):
wise Clarke (2005) discusses the need for playing 310–332.
with scenarios and imagines different possible futures. Clarke, L. 2005. Worst cases: terror and catastrophe in
‘‘It is sometimes said that playing with hypotheti- the popular imagination. Chicago: University of Chicago
cal scenarios and concentrating on consequences is Press.

Dynes, R.R. 1994. Community Emergency Planning: False Reber, A.S. 1995. The Penguin dictionary of psychology.
Assumptions and Inappropriate Analogies. International London: Penguin Books.
Journal of Mass Emergencies and Disasters 12(2): Runesson, U. 2006. What is it Possible to Learn? On Varia-
141–158. tion as a Necessary Condition for Learning. Scandinavian
Dynes, R.R., Quarantelli, E.L. & Kreps, G.A. 1981. A per- Journal of Educational Research 50(4): 397–410.
spective on disaster planning, 3rd edition (DRC Research Senge, P.M. 2006. The Fifth Discipline: The Art and Practice
Notes/Report Series No. 11). Delaware: University of of the Learning Organization. London: Random House
Delaware, Disaster Research Center. Business.
Lagadec, P. 2006. Crisis Management in the Twenty-First Smith, D. & Elliott, D. 2007. Exploring the Barriers to
Century: ‘‘Unthinkable’’ Events in ‘‘Inconceivable’’ Con- Learning from Crisis: Organizational Learning and Crisis.
texts. In H. Rodriguez, E.L. Quarantelli & R. Dynes (eds), Management Learning 38(5): 519–538.
Handbook of Disaster Research: 489–507. New York: Tierney, K.J., Lindell, M.K. & Perry, R.W. 2001. Facing the
Springer. unexpected: Disaster preparedness and response in the
Marton, F. & Booth, S. 1999. Learning and Awareness. United States. Washington, D.C.: Joseph Henry Press.
Mahawa NJ: Erlbaum. Weick, K.E. & Sutcliffe, K.M. 2001. Managing the Unex-
Pang, M.F. 2003. Two Faces of Variation: on continuity in pected: Assuring High Performance in an Age of Com-
the phenomenographic movement. Scandinavian Journal plexity. San Francisco: Jossey-Bass.
of Educational Research 47(2): 145–156.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

On the constructive role of multi-criteria analysis in complex

decision-making: An application in radiological emergency management

C. Turcanu, B. Carlé, J. Paridaens & F. Hardeman

SCK·CEN Belgian Nuclear Research Centre, Inst. Environment, Health and Safety, Mol, Belgium

ABSTRACT: In this paper we discuss about the use of multi-criteria analysis in complex societal problems and
we illustrate our findings from a case study concerning the management of radioactively contaminated milk. We
show that application of multi-criteria analysis as an iterative process can benefit not only the decision-making
process in the crisis management phase, but also the activities associated with planning and preparedness. New
areas of investigation (e.g. zoning of affected areas or public acceptance of countermeasures) are tackled in
order to gain more insight in the factors contributing to a successful implementation of protective actions and
the stakeholders’ values coming into play. We follow the structured approach of multi-criteria analysis and we
point out some practical implications for the decision-making process.

1 INTRODUCTION structuring the decision process and achieving a com-

mon understanding of the decision problem and the
Management of nuclear or radiological events lead- values at stake.
ing to contamination in the environment is a complex Using MCDA in an iterative fashion (as recom-
societal problem, as proven by a number of events mended e.g. by Dodgson et al. 2005) brings about
ranging from nuclear power plant accidents to loss of also an important learning dimension, especially for
radioactive sources. In addition to the radiological con- an application field such as nuclear or radiological
sequences and the technical feasibility, an effective emergency management, where planning and pre-
response strategy must also take into account pub- paredness are two essential factors contributing to
lic acceptability, communication needs, ethical and an effective response. An elaborated exercise pol-
environmental aspects, the spatial variation of con- icy will serve as a cycle addressing all the steps of
tamination and the socio-demographic background of the emergency management process: accident sce-
the affected people. This has been highlighted in the nario definition, emergency planning, training and
international projects in the 1990’s (French et al. 1992, communication, exercising and response evaluation,
Allen et al. 1996) and reinforced in recent Euro- fine-tuning of plans, etc (see Fig. 1).
pean projects—e.g. STRATEGY, for site restoration
(Howard et al. 2005) and FARMING, for extending
the stakeholders’ involvement in the management of Risk management
Mitigation Exercise
contaminated food production systems (Nisbet et al. cycle
2005)—as well as in reports by the International cycle
Atomic Energy Agency (IAEA 2006, p. 86). Risk Assessment &
accident scenarios Emergency
In this context, multi-criteria decision aid (MCDA)
appears as a promising paradigm since it can deal planning and response
Post crisis interventions, scenarios
with multiple, often conflicting, factors and value recovery & rehabilitation
systems. It also helps overcoming the shortcomings Training &
of traditional Cost-Benefit Analysis, especially when Exercises communication
Evaluations &
dealing with values that cannot be easily quantified lessons learned Simulated
or even less, translated in monetary terms due to their response
intangible nature.
A number of nuclear emergency management deci- Response, interventions
and crisis management Accident
sion workshops (e.g. French 1996, Hämäläinen et al.
2000a, Geldermann et al. 2005) substantiate the role
of MCDA as a useful tool in stimulating discussions, Figure 1. The emergency management cycle.

It is therefore of interest to extend the study of of MAVT software in decision conferences can be
potential applications of MCDA in this particular field more successful provided there is a careful planning in
and to try to integrate it into the socio-political con- advance, particularly for use in emergency exercises.
text specific to each country. Drawing on these ideas, In what concerns the aggregation function used, the
the research reported in this paper aimed at adding usual choice is an additive aggregation. The use of
the knowledge and experience from key stakeholders a utility function of exponential form had been ear-
in Belgium to the multi-criteria analysis tools devel- lier proposed by Papamichail & French (2000), but
oped for decision-support, and at exploring various it proved non-operational due to missing information
MCDA methods. The management of contaminated on the variance of actions’ scores. It is interesting to
milk after a radioactive release to the environment has notice that although risk aversion could seem as a nat-
been chosen as case study. ural attitude, Hämäläinen et al. (2000b) report a case
In Section 2 we discuss about the use of multi- study where half of the participants were risk averse
criteria analysis in nuclear emergency management. and half were risk seeking, possibly due to a different
In Section 3 we outline the Belgian decision-making perception of the decision problem. Related to this,
context. This will set the framework for Section 4 in the authors of this case study refer to the hypothesis
which we elaborate on the results from a stakeholder of Kahneman & Tversky (1979) that people are often
process carried out in Belgium in order to set up a risk seeking when it comes to losses (e.g. lives lost) and
theoretical and operational framework for an MCDA risk averse when it comes to gains (e.g. lives saved).
model for the management of contaminated milk. The Another type of MCDA approach, addressing at the
constructive role of multi-criteria analysis, the conclu- same time the definition of countermeasure strategies
sions and lessons learnt are summarised in the final as potential actions, as well as the exploration of the
section. efficient ones is due to Perny & Vanderpooten (1998).
In their interactive MCDA model, the affected area is
assumed to be a priori divided in a number of zones,
2 MCDA IN NUCLEAR EMERGENCY whereas the treatment of food products in each zone
MANAGEMENT can be again divided among various individual coun-
termeasures. The practical implementation makes use
MCDA provides a better approach than CBA for of a multi-objective linear programming model having
nuclear emergency management and site restoration, as objective functions cost, averted collective dose and
first and foremost because the consequences of poten- public acceptability. This modelling, although ques-
tial decisions are of a heterogeneous nature, which tionable as far as public acceptability—and qualitative
impedes coding them on a unique, e.g. monetary, factors in general—is concerned, allows a great deal
scale. In an overwhelming majority (e.g. French 1996, of flexibility at the level of defining constraints and
Zeevaert et al. 2001, Geldermann et al. 2005, Panov exploration of efficient, feasible strategies.
et al. 2006, Gallego et al. 2000), the MCDA methods The various degrees of acceptance of such decision
used up to now in connection with the management aid tools in the different countries suggest however that
of radiological contaminations mainly draw from the the processes envisaged must be tuned to fully accom-
multi-attribute value/utility theory (MAU/VT). modate the stakeholders’ needs (Carter & French
Research in this application field for MCDA has 2005). At the same time, the role of such analyses
started in the early 90’s in the aftermath of the in a real crisis is still a subject of debate (Hämäläinen
Chernobyl accident (French et al. 1992) and sub- et al. 2000a, Mustajoki et al. 2007).
sequently linked to the European decision-support Early stakeholder involvement in the design of
system RODOS (Ehrhardt & Weiss. 2000), as reported models developed for decision support is needed in
e.g. in French (1996), Hämäläinen et al. (1998) and order to accommodate their use to the national context,
more recently in Geldermann et al. (2006). e.g. to ensure that the hypotheses assumed, the mod-
The reported use of MAU/VT for comparing and els and the type of reasoning used reflect the actual
ranking countermeasure strategies suggests that it needs of the decision-making process. From an oper-
facilitates the identification of the most important ational viewpoint, the MCDA process can be used to
attributes, contributing thus to a shared understand- check if the existing models fit e.g. the databases and
ing of the problem between the different stakeholders decision practices in place and, at the same time, if
concerned by the decision-making process. Among they are sufficiently flexible at all levels: from defini-
the drawbacks revealed was the informational bur- tion of potential actions and evaluation criteria, up to
den of setting criteria weights, especially for socio- modelling of comprehensive preferences.
psychological attributes (e.g. Hämäläinen et al. 1998), In what concerns the general use of MCDA meth-
or even evaluating the impact of potential actions for ods, some authors (Belton & Stewart 2002) suggest
such non-quantifiable factors. Some recent studies that value functions methods are well suited ‘‘within
(Mustajoki et al. 2007) suggest that the application workshop settings, facilitating the construction of

preferences by working groups who mainly represent agricultural countermeasures in case of a radioactive
stakeholder interests’’. Outranking methods and contamination in the food chain is to reduce the radio-
what/if experiments with value functions might instead logical risk for people consuming contaminated food-
be better ‘‘fitted for informing political decision- stuff. For such cases, maximum permitted radioactiv-
makers regarding the consequences of a particular ity levels for food products, also called the European
course of action’’. Council Food Intervention Levels—CFIL—(CEC,
The exploration of an outranking methodology is 1989), have been laid down and are adopted by the
motivated by some particularities of our decision prob- Belgian legislation as well.
lem (Turcanu 2007). Firstly, the units of the evaluation The experience from the European project FARM-
criteria (e.g. averted dose, cost, and public accep- ING (Vandecasteele et al. 2005) clearly showed how-
tance) are heterogeneous and coding them into one ever that the characteristics of the agriculture and the
common scale appears difficult and not entirely natu- political environment, as well as the past experiences
ral. Secondly, the compensation issues between gains of food chain contamination crises are also important
on some criteria and losses on other criteria are not factors to be taken into account. This explains why
readily quantifiable. In general, Kottemann & Davis some countermeasures aiming at reducing the con-
(1991) suggest that the degree to which the preference tamination in food products were considered hardly
elicitation technique employed requires explicit trade- acceptable by the stakeholders, if at all, even when
off judgments influences the ‘‘decisional conflict’’ that supported by scientific and technical arguments.
can negatively affect the overall perception of a multi- Decisions taken have potentially far-reaching con-
criteria decision support system. Thirdly, the process sequences, yet they often have to be made under time
of weighting and judging seems in general more quali- pressure and conditions of uncertainty. Also in case of
tative than quantitative. When it comes to factors such food countermeasures, time may become an important
as social or psychological impact, the process of giving issue. For example in case of milk, the large amounts
weights to these non-quantifiable factors may appear produced daily vs. the limited storage facilities of
questionable. Furthermore, outranking methods relax diaries make it necessary to rapidly take a decision
some the key assumptions of the MAUT approach, for for management of contaminated milk (processing,
example comparability between any two actions and disposal, etc).
transitivity of preferences and indifferences.
In the following sections, the focus is laid on
the management of contaminated milk. The con- 4 MCDA MODEL FRAMEWORK
tinuous production of milk requires indeed urgent
decisions due to the limited storage facilities. More- In this section we discuss the multi-criteria decision
over, dairy products are an important element of the aid framework developed for the management of con-
diet, especially for children, who constitute the most taminated milk. We describe the stakeholder process
radiosensitive population group. Finally, for certain and the key elements of the MCDA model. Additional
radionuclides with high radiotoxicity such as radio- details on the stakeholder process and its results can
caesium and radioiodine, maximum levels of activity be found in Turcanu et al. (2006); in the following we
concentration in milk are reached within few days point out the new areas of investigation opened by this
after the ground deposition of the radioactive material research and we underline the constructive dimension
(Nisbet, 2002). brought by the use of MCDA.

4.1 The stakeholder process

EMERGENCY MANAGEMENT IN BELGIUM In the stakeholders process (Turcanu et al. 2006),
we carried out 18 individual interviews with gov-
In the context of the Belgian radiological emergency ernmental and non-governmental key actors for the
plan (Royal Decree, 2003 and subsequent amend- management of contaminated milk: decision-makers,
ments), the decision maker, also called the ‘‘Emer- experts and practitioners. This included various areas
gency Director’’ is the Minister of Interior or his of activity: decision making (Ministry of Interior);
representative. He is chairman of the decision cell, radiation protection and emergency planning; radioe-
i.e. the Federal Co-ordination Committee. The deci- cology; safety of the food chain; public health; dairy
sion cell is advised by the radiological evaluation cell, industry; farmers’ association; communication; local
mainly in charge with the technical and feasibility decision making; social science; and management of
aspects, and by the socio-economic evaluation cell. radioactive waste.
Various other organisations and stakeholders have We have decided to make use of individual inter-
a direct or indirect impact on the efficiency of the views rather than focus group discussions or question-
chosen strategies. The primary goal of food and naires in order to allow sufficient time for discussions,

to cover in a consistent way a range of stakeholders as fast calculation of e.g. the amount of production in
complete as possible and to facilitate free expression the selected zone, the implementation costs for the
of opinions. The discussion protocol used followed the selected countermeasure, the collective doses and
main steps described below. maximal individual doses due to ingestion of contam-
inated foodstuff (the dose is an objective measure of
4.2 Potential actions the detriment to health), helping the decision makers
or advisers in choosing the set of potential actions to
Several individual or combined countermeasures can be further evaluated.
be employed for the management of contaminated
milk (Howard et al. 2005), for instance disposal of
contaminated milk; prevention or reduction of activity 4.3 Evaluation criteria
in milk (clean feeding, feed additives) and/or storage
and processing to dairy products with low radioactivity The evaluation criteria were built through a process
retention factors. The need to make available a more combining a top-down and a bottom-up approach
flexible way to generate potential actions, require- (Turcanu et al. 2006).
ment which came out from the stakeholder process, The stakeholders interviewed were first asked to
led to the development of a prototype tool allowing identify all the relevant effects, attributes and con-
the integration of various types of data: data from the sequences of potential actions. Subsequently, they
food agency (e.g. location of dairy farms and local commented on a list of evaluation criteria derived from
production), modelling and measurement data (e.g. the literature and amended it, if felt necessary. Based
ground depositions of radioactive material at the loca- on the resulting list, a number of evaluation criteria
tion of dairy farms), other data such as administrative was built taking account, as much as possible, of the
boundaries, etc (see Fig. 2). properties of exhaustiveness, cohesiveness and non-
Simulated deposition data, for example for iodine redundancy (see Roy 1996 for a description of these
and caesium, were generated in discrete points of a grid concepts), in order to arrive at a consistent set of eval-
using dispersion and deposition models, e.g. as exist- uation criteria. The example discussed at the end of
ing in the RODOS decision-support system (Ehrhardt this section illustrates the list of criteria proposed.
and Weiss 2000) and introduced into a geographi- Here we should mention that one of the evalua-
cal information system (GIS). Here, the data were tion criteria highlighted by all stakeholders as very
converted into continuous deposition data through a important is public acceptance. To have a better
simple natural neighbour algorithm. Next, the deposi- assessment of it, we included in a public survey in
tion data were evaluated at the locations of dairy farms, Belgium (Turcanu et al. 2007) a number of issues
and combined with production data, both provided relevant for the decision-making process: i) public
by the federal food agency. The GIS allows overlay- acceptance of various countermeasures; ii) consumer’s
ing these data with other spatial information such as behaviour. The results showed that clean feeding
administrative boundaries, topological maps, selected of dairy cattle and disposal of contaminated milk
zones, population data, etc. are the preferred options in case of contaminations
A data fusion tool was subsequently implemented above legal norms. For contaminations below legal
in spreadsheet form. This tool can be used for a norms, normal consumption of milk seemed better
accepted than disposal. Nonetheless, the expressed
consumer’s behaviour revealed a precautionary ten-
dency: the presence of radioactivity at some step
GIS data in the food chain could lead to avoiding purchas-
ing products from affected areas. Finally, public trust
building was revealed as a key element of a successful
countermeasure strategy.
Food Agency The resulting distributions of acceptance degrees
data (from ‘‘strong disagreement’’ to ‘‘strong agreement’’)
on the sample of respondents can be compared in sev-
eral ways (Turcanu et al. 2007). To make use of all
information available, an outranking relation S (with
the meaning ‘‘at least as good as’’) can be defined on
Model and the set of individual countermeasures, e.g. based on
measurement data stochastic dominance:
Figure 2. Integration of various types of data and selection
aSb ⇔ aj ≤ bj + θ, ∀i = 1, . . . , 5
of areas and countermeasures. j≤i j≤i

where aj , bj are the percentages of respondents using be better fitted for a given criterion gi ,the following
the j-th qualitative label to evaluate countermeasures discrimination thresholds were chosen:
a and b, respectively, and θ is a parameter linked
to the uncertainty in the evaluation of aj and bj . A qi (gi (a)) = max {qi , q0i · gi (a)} and
simpler approach, but with loss of information, is to
pi (gi (a)) = p0 · qi (gi (a)),
derive a countermeasure’s public acceptance score as
e.g. the percentage of respondents agreeing with a ref
countermeasure. with p0 > 1, a fixed value and qi ≥ 0 and 0 ≤ q0i < 1
Despite the inherent uncertainty connected to parameters depending on the criterion gi .
assessing the public acceptance of countermeasures
in ‘‘peace time’’ we consider that such a study is use- 4.5 Comprehensive preferences
ful for emergency planning purposes, especially for
situations when there is a time constraint as it is the In order to derive comprehensive preferences, we dis-
case for the management of contaminated milk. cussed with the stakeholders interviewed about the
relative importance of evaluation criteria. This notion
can be interpreted differently (Roy & Mousseau 1996),
4.4 Formal modelling of evaluation criteria depending on the type of preference aggregation
method used.
The preferences with respect to each criterion were We investigated the adequacy for our application of
modelled with "double threshold" model (Vincke four types of inter-criteria information: i) substitution
1992). Each criterion was thus represented by a real- rates (tradeoffs) between criteria; ii) criteria weights as
valued positive function associated with two types of intrinsic importance coefficients; iii) criteria ranking
discrimination thresholds: an indifference threshold with possible ties; iv) a partial ranking of subfamilies
q(·) and a preference threshold p(·). For a criterion g of criteria.
to be maximised and two potential actions a and b, we For each of these we asked the stakeholders inter-
can define the following relations: viewed if such a way to express priorities is suit-
able and, most importantly, if they are willing and
accept to provide/receive such information. Our dis-
a I b (a indifferent to b) cussions revealed a higher acceptance of the qualitative
⇔ g(a) ≤ g(b) + q(g(b)) and approaches, which indicates that outranking methods
might be better suited. The concept of weights as
g(b) ≤ g(a) + q(g(a)); intrinsic importance coefficients proved hard to under-
a P b (a strictly preferred to b) stand, but encountered a smaller number of opponents
than weights associated with substitution rates. The
⇔ g(a) > g(b) + p(g(b)); main argument against the latter can be seen in ethi-
a Q b (a weakly preferred to b) cal motivations, e.g. the difficulty to argue for a value
trade-off between the doses received and the economic
⇔ g(b) + q(g(b)) < g(a) and cost. Methods of outranking type that can exploit a
g(a) ≤ g(b) + p(g(b)). qualitative expression of inter-criteria information are
for instance the MELCHIOR method (Leclerq 1984)
or ELECTRE IV (Roy 1996).
Under certain consistency conditions for p and q, Let us consider in the following the case when the
this criterion model corresponds to what is called a inter-criteria information is incomplete -because the
pseudo-criterion (see Roy 1996). decision-maker is not able or not willing to give this
The choice of the double threshold model is moti- information- is the following. Let’s suppose that the
vated by the fact that for certain criteria (e.g. economic information about the relative importance of criteria is
cost) it might not be possible to conclude a strict available in the form of a function assumed irreflexive
preference between two actions scoring similar val- and asymmetric:
ues, e.g. due to the uncertainties involved, while an
intermediary zone exists between indifference and ι : G × G → {0, 1}, such that
strict preference. The double threshold model is a
ι(gm , gp ) = 1 ⇔ criterion gm is ‘‘more important
general one, easy to particularise for other types
of criteria. For example, by setting both thresholds than’’ criterion gp ,
to zero, one obtains the traditional, no-threshold
model. where G is the complete set of evaluation criteria.
In order to account in an intuitive way for both the The function ι, comparing the relative importance
situations when a fixed or a variable threshold could of individual criteria, can be extended to subsets of

criteria in a manner inspired from the MELCHIOR Table 2. Evaluation criteria: Example.
method: we test if favourable criteria are more impor-
tant than the unfavourable criteria. Variable Minimal
Formally stated, we define recursively a mapping indifference indifference
ι∗ : ℘ (G) × ℘ (G) → {0, 1} as: threshold threshold Optimis.
Criterion (q0i ) (qi ref ) direction

ι (F, ø) = 1, ∀ø = F ⊂ G, C1 Residual collective 10% 10 person min
ι∗ (ø, F) = 0, ∀ F ⊂ G, effective dose Sv
(person . Sv)
ι∗ ({gm }, {gp }) = 1 ⇔ ι(gm , gp ) = 1, C2 Maximal individual 0.5 mSv min
∗ 5% (thyroid)
ι ({gm } ∪ F, H) = 1, with {gm } ∪ F ⊂ G and dose (mSv)
∗ C3 Implementation 10% 20 kC
= min
H ⊂ G ⇔ ι (F, H) = 1 or ∃ gp ∈ H: ι(gm , gp ) = 1
cost (kC
and ι∗ (F, H\{gp }) = 1. C4 Waste (tonnes) 10% 1t min
C5 Public 0 0 max
We further define a binary relation R represent-
C6 (Geographical) 0 0 max
ing comprehensive preferences on the set of potential feasibility
actions A as follows: C7 Dairy industry’s 0 0 max
∀a, b ∈ A, R(a, b) = ι∗ (F, H), where C8 Uncertainty of 0 0 min
F = {gi ∈ G|aPi b}, H = {gi ∈ G|b(Pi ∪ Qi )a}, C9 Farmers’ 0 0 max
and (Pi , Qi , Ii ) is the preference structure associated C10 Environmental 0 0 min
with criterion gi . impact
C11 Reversibility 0 0 max
4.6 An illustrative example ∗ p0 = 2 for all cases.
In this section we discuss a hypothetical (limited scale)
I milk contamination. The potential actions (suit-
able decision alternatives) are described in Table 1. Table 3. Impact of potential actions∗ .
Table 2 gives the complete list of evaluation criteria
and Table 3 summarises the impact of potential actions Criterion C1 C2 C3 C4 C5 C6 C7 C8
with respect to these criteria.
When inter-criteria information is not available, Person
Action Sv mSv kC
= t – – – –
the comprehensive preferences resulting from the
aggregation method given above are illustrated in A1 4 100 0 0 0 1 0 3
Fig. 3. For instance, the arrow A4 → A3 means that A2 0.1 3.6 240 16 3 1 2 1
action A4 is globally preferred to action A3 . We can A3 0.3 4.6 17 16 3 1 2 1
see that there are also actions which are incomparable, A4 0.3 4.6 27 16 3 2 2 1
A5 0.8 20 1.3 0 2 1 1 2
Table 1. Potential actions: Example. A6 0.8 20 2.5 0 2 2 1 2
∗ On criteria C –C
Action Description 9 11 all actions score the same, therefore
they are not mentioned in the table.
A1 Do Nothing
A2 Clean feed in area defined by sector
(100◦ , 119◦ , 25 km):
A3 Clean feed in area where deposit activity for instance actions A4 and A6 ; the situation changes
>4000 Bq/m2 : however, when some information is given concerning
A4 Clean feed in area where deposited activity the relative importance of criteria.
>4000 Bq/m2 , extended to full Let us assume that the decision-maker states that
administrative zones the maximal individual dose is more important than
A5 Storage for 32 days in area where deposited any other criterion and that public acceptance is more
activity >4000 Bq/m2
important than the cost of implementation and the
A6 Storage for 32 days in area where deposited
geographical feasibility. We then obtain the results pre-
activity >4000 Bq/m2 , extended to full
administrative zones sented in Fig. 4, highlighting both actions A4 and A2
as possibly interesting choices.

Table 4. Results from the multi-criteria analysis.
A2 A4 A6
Multi-criteria analysis Stakeholder process results

Decision context Learn about the different

A3 A5 viewpoints.
Potential actions New modelling tools connecting
decision-support tools with
existing databases.
A1 Evaluation criteria Set of evaluation criteria that can
serve as basis in future exercises.
Better assessment of public accep-
Figure 3. Comprehensive preferences without inter-criteria tance (public opinion survey).
information. Preference Revealed tendency towards a quali-
aggregation tative inter-criteria information.
Outranking methods highlighted
as potentially useful for future

makers and decision advisers, as well as practition-
ers in the field (e.g. from dairy industry or farmers’
union) contributed to a better understanding of many
aspects of the problem considered. For our case study,
A6 A2
this process triggered further research in two direc-
tions: flexible tools for generating potential actions
A5 and social research in the field of public acceptance of
food chain countermeasures.
MCDA can be thus viewed as bridging between var-
ious sciences—decision science, radiation protection,
A1 radioecological modelling and social science—and a
useful tool in all emergency management phases.
The research presented here represents one step in
Figure 4. Comprehensive preferences with inter-criteria an iterative cycle. Further feedback from exercises and
information. workshops will contribute to improving the proposed
Naturally, results such as those presented above
must be subjected to a detailed robustness analysis
(Dias 2006) as they depend on the specific val-
ues chosen for the parameters used in the model, REFERENCES
i.e. discrimination thresholds. For instance, if
q2 ref = 1 mSv, instead of 0.5 mSv as set initially (see Allen, P., Archangelskaya, G., Belayev, S., Demin, V.,
Drotz-Sjöberg, B.-M., Hedemann-Jensen, P., Morrey, M.,
Table 2), while the rest of the parameters remain at Prilipko, V., Ramsaev, P., Rumyantseva, G., Savkin, M.,
their initial value, both actions A4 and A3 would be Sharp, C. & Skryabin, A. 1996. Optimisation of health
globally preferred to action A2 . protection of the public following a major nuclear
accident: interaction between radiation protection and
social and psychological factors. Health Physics 71(5):
5 CONCLUSIONS 763–765.
Belton, V. & Stewart, T.J. 2002. Multiple Criteria Decision
In this paper we have discussed the application of Analysis: An integrated approach. Kluwer: Dordrecht.
multi-criteria analysis for a case study dealing with the Carter, E. & French, S. 2005. Nuclear Emergency Manage-
management of contaminated milk. Our main findings ment in Europe: A Review of Approaches to Decision
are summarised in Table 4. Making, Proc. 2nd Int. Conf. on Information Systems for
Crisis Response and Management, 18–20 April, Brussels,
One important conclusion is that consultation with Belgium, ISBN 9076971099, pp. 247–259.
concerned stakeholders is a key factor that can lead Dias, L.C. 2006. A note on the role of robustness analy-
to a more pragmatic decision aid approach and pre- sis in decision aiding processes. Working paper, Institute
sumably to an increased acceptance of the resulting of Systems Engineering and Computers INESC-Coimbra,
models. The stakeholder process, involving decision Portugal.

Dodgson, J., Spackman, M., Pearman, A. & Phillips, L. 2000. Leclercq, J.P. 1984. Propositions d’extension de la notion
Multi-Criteria Analysis: A Manual. London: Depart- de dominance en présence de relations d’ordre sur les
ment of the Environment, Transport and the Regions, pseudo-critères: MELCHIOR. Revue Belge de Recherche Opérationnelle, de Statistique et d’Informatique 24(1):
Ehrhardt, J. & Weiss, A. 2000. RODOS: Decision Support 32–46.
for Off-Site Nuclear Emergency Management in Europe. Mustajoki, J., Hämäläinen, R.P. & Sinkko, K. 2007. Interac-
EUR19144EN. European Community: Luxembourg. tive computer support in decision conferencing: Two cases
French, S. 1996. Multi-attribute decision support in the event on off-site nuclear emergency management. Decision
of a nuclear accident. J Multi-Crit Decis Anal 5: 39–57. Support Systems 42: 2247–2260.
French, S., Kelly, G.N. & Morrey, M. 1992. Decision confer- Nisbet, A.F., Mercer, J.A., Rantavaara, A., Hanninen, R.,
encing and the International Chernobyl Project. J Radiol Vandecasteele, C., Carlé, B., Hardeman, F., Ioannides,
Prot 12: 17–28. K.G., Papachristodoulou, C., Tzialla, C., Ollagnon, H.,
Gallego, E., Brittain, J., Håkanson, L., Heling, R., Jullien, T. & Pupin, V. 2005. Achievements, difficulties
Hofman, D. & Monte, L. 2000. MOIRA: A Computerised and future challenges for the FARMING network. J Env
Decision Support System for the Restoration of Radionu- Rad 83: 263–274.
clide Contaminated Freshwater Ecosystems. Proc. 10th Panov, A.V., Fesenko, S.V. & Alexakhin, R.M. 2006. Method-
Int. IRPA Congress, May 14–19, Hiroshima, Japan. ology for assessing the effectiveness of countermeasures
( in rural settlements in the long term after the Cher-
Geldermann, J., Treitz, M., Bertsch, V. & Rentz, O. 2005. nobyl accident on the multi-attribute analysis basis. Proc.
Moderated Decision Support and Countermeasure Plan- 2nd Eur. IPRA Congress, Paris, 15–19 May, France.
ning for Off-site Emergency Management. In: Loulou, R.,
Waaub, J.-P. & Zaccour, G. (eds) Energy and Envi- Papamichail, K.N. & French, S. 2000. Decision support in
ronment: Modelling and Analysis. Kluwer: Dordrecht, nuclear emergencies, J. Hazard. Mater. 71: 321–342.
pp. 63–81. Perny, P. & Vanderpooten, D. 1998. An interactive multiob-
Geldermann, J., Bertsch, V., Treitz, M., French, S., jective procedure for selecting medium-term countermea-
Papamichail, K.N. & Hämäläinen, R.P. 2006. Multi- sures after nuclear accidents, J. Multi-Crit. Decis. Anal.
criteria decision-support and evaluation of strategies for 7: 48–60.
nuclear remediation management. OMEGA—The Inter- Roy, B. 1996. Multicriteria Methodology for Decision Aid-
national Journal of Management Science (in press). Also ing. Kluwer: Dordrecht.
downloadable at Roy, B. & Mousseau, V. 1996. A theoretical framework for
MGEL05a.doc. analysing the notion of relative importance of criteria.
Hämäläinen, R.P., Sinkko, K., Lindstedt, M.R.K., Amman, J Multi-Crit Decis Anal 5: 145–159.
M. & Salo, A. 1998. RODOS and decision conferencing Royal Decree, 2003. Plan d’Urgence Nucléaire et Radi-
on early phase protective actions in Finland. STUK-A 159 ologique pour le Territoire Belge, Moniteur Belge,
Report, STUK—Radiation and Nuclear Safety Authority, 20.11.2003.
Helsinki, Finland, ISBN 951-712-238-7. Turcanu, C. 2007. Multi-criteria decision aiding model for
Hämäläinen, R.P., Lindstedt, M.R.K. & Sinkko, K. 2000a. the evaluation of agricultural countermeasures after an
Multi-attribute risk analysis in nuclear emergency man- accidental release of radionuclides to the environment.
agement. Risk Analysis 20(4): 455–468. PhD Thesis. Université Libre de Bruxelles: Belgium.
Hämäläinen, R.P., Sinkko, K., Lindstedt, M.R.K., Amman, Turcanu, C., Carlé, B. & Hardeman, F. 2006. Agri-
M. & Salo, A. 2000b. Decision analysis interviews on cultural countermeasures in nuclear emergency man-
protective actions in Finland supported by the RODOS agement: a stakeholders’ survey for multi-criteria
system. STUK-A 173 Report, STUK—Radiation and model development. J Oper Res Soc. DOI 10.1057/
Nuclear Safety Authority, Helsinki, Finland. ISBN 951- palgrave.jors.2602337
712-361-2. Turcanu, C., Carlé, B., Hardeman, F., Bombaerts, G. & Van
Howard, B.J., Beresford, N.A., Nisbet, A., Cox, G., Oughton, Aeken, K. 2007. Food safety and acceptance of manage-
D.H., Hunt, J., Alvarez, B., Andersson, K.G., Liland, A. & ment options after radiological contaminations of the food
Voigt, G. 2005. The STRATEGY project: decision tools chain. Food Qual Pref 18(8): 1085–1095.
to aid sustainable restoration and long-term management Vandecasteele, C., Hardeman, F., Pauwels, O., Bernaerts, M.,
of contaminated agricultural ecosystems. J Env Rad 83: Carlé, B. & Sombré, L. 2005. Attitude of a group of
275–295. Belgian stakeholders towards proposed agricultural coun-
IAEA. 2006. Environmental consequences of the Chernobyl termeasures after a radioactive contamination: synthesis
accident and their remediation: twenty years of experi- of the discussions within the Belgian EC-FARMING
ence/report of the Chernobyl Forum Expert Group ‘Envi- group. J. Env. Rad. 83: 319–332.
ronment’. STI/PUB/1239, International Atomic Energy Vincke, P. 1992. Multicriteria decision aid. John Wiley &
Agency. Vienna: Austria. Sons, Chichester.
Kahneman, D. & Tversky, A. 1979. A. Prospect Theory: An Zeevaert, T., Bousher, A., Brendler, V., Hedemann Jensen, P. &
Analysis of Decision under Risk. Econometrica 47(2): Nordlinder, S. 2001. Evaluation and ranking of restoration
263–291. strategies for radioactively contaminated sites. J. Env. Rad.
Kottemann, J.E. & Davis, F.D. 1991. Decisional conflict and 56: 33–50.
user acceptance of multi-criteria decision-making aids.
Dec Sci 22(4): 918–927.

Decision support systems and software tools for safety and reliability
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Complex, expert based multi-role assessment system for small

and medium enterprises

S.G. Kovacs & M. Costescu

INCDPM ‘‘Alexandru Darabont’’, Bucharest, Romania

ABSTRACT: The paper presents a complex assessment system developed for Small and Medium Enterprises.
It assesses quality, safety and environment on three layers starting from basic to complete assessment (including
management and organizational culture). It presents the most interesting attributes of this system together with
some of the results obtained by testing this system on a statistical lot of 250 Romanian SME.


In Romania, Small and Medium Enterprises (SME’s)

were somehow, from objective and subjective rea-
sons, the Cinderella of safety activities. Complex
safety assessment procedures, like Hazop are too
complicated for SME’s. On the other side, more sim-
ple assessment systems are considered as too biased.
SME’s need not just to assess safety but quality and
environment as well.
The paper presents a three-layered multi-role
assessment system, based on expert-decision assist-
ing structures (Kovacs 2003b)—system developed
especially for SME and known as MRAS.
The system is conceived on three levels of complex- Figure 2. MRAS structure.
ity, from basic to extra. In this way, all the requests
regarding safety assessment are satisfied. Moreover,
on the third level, a dual, safety-quality assessment is center of all the safety solutions for a SME. In this
performed, together with a safety culture analysis. respect it optimises the informational flows assuring
The system is integrated into the Integrated Safety an efficient usage of all these tools in order to prevent
Management Unit (ISMU) which is the management risks or mitigate them.
ISMU schema is presented in Figure 1.
The general structure of the system is shown in
Figure 2.


In our assessment system vulnerability analysis is the

first step to understand how exposed are SME’s to
operational (safety) threats that could lead to loss
and accidents (Kovacs 2004).Vulnerability analysis
could be defined as a process that defines, identi-
Figure 1. ISMU structure. fies and classifies the vulnerabilities (security holes)

in an enterprise infrastructure. In adition vulnerabil- Table 1. Vulnerability scores.
ity analysis can forecast the effectiveness of proposed
prevention measures and evaluate their actual effec- Mark Semnification
tiveness after they are put into use. Our vulnerability
0 Non-vulnerable
analysis is performed in the basic safety assessment
1 Minimal
layer and consist mainly on the next steps: 2 Medium
1. Definition and analysis of the existing (and avail- 3 Severe vulnerability-loss
able) human and material resources; 4 Severe vulnerability-accidents
5 Extreme vulnerability
2. Assignment of relative levels of importance to the
3. Identification of potential safety threats for each
4. Identification of the potential impact of the threat Past Incident Coefficient.
on the specific resource (will be later used in
scenario analysis). Ov = Av ∗ Pik (1)
5. Development of a strategy for solving the threats
hierarchically, from the most important to the last where
6. Defining ways to minimise the consequences if a Pik = 0—if there were no previous incidents;
threat is acting(TechDir 2006). Pik = 1.5—if there were near misses, loss incidents
and/or minor accidents;
We have considered a mirrored vulnerability Pik = 2—if there were severe accidents before.
(Kovacs 2006b)—this analysis of the vulnerability
being oriented inwards and outwards of the assessed
workplace. The Figure 3 shows this aspect.
So, the main attributes for which vulnerability is
assessed are:
The pre-audit phase of the basic safety assessment
1. the human operator: plays many roles (Mahinda 2006). The most important
2. the operation of these are connected with the need to have regu-
3. the process; larly a preliminary safety assessment (Kovacs 2001a)
The mirrored vulnerability analysis follows not just
how much are these three elements vulnerable but also – identifies the most serious hazards;
how much they affect the vulnerability of the whole – maps the weak spots of the SME, where these
SME. hazards could act more often and more severly;
Vulnerability is estimated in our system on a 0 to 5 – estimates the impact of the hazards action upon man
scale like in Table 1. and property;
We are also performing a cross-over analysis taking – verifies basic conformity with safety law and basic
into account past five year incident statistical data. safety provisions;
So we are computing an Operational Vulnerability • assures consistency to the following assessments,
as means of Assessed Vulnerability multiplied by an recordings and also the management of previous
Pre-audit is centered around two attributes of the
Pre-audit of the human operator(Kovacs 2001b)—its
findings leads to two main measures: the improvement
of training or the change of workplace for the operator
which performance could endanger the safety at the
Pre-audit of machines and the technological pro-
cess—the findings of this part of safety pre-audit
could lead to machine/process improvement or to
machine/process revision or to the improvement
of machines maintenance or if necessary to the
elimination of the machine—if the machine is beyond
Figure 3. Vulnerability analysis schema. repair.

Table 2. Pre-audit scores. The pre-audit assessment system uses the rating
presented in the Table 2.
Level of Pre-audit main guideline is represented by ISO
Pre- Minimum Pre- transition to 9001.
audit corresponding level audit move to next Pre-audit main instruments are checklists. A very
score of safety ranges level
short example of such a checklist is presented in the
0 Nothing in place 0–1 Identification of Table 3.
basic safety
needs, some
1 Demonstrate a basic 1–2 Local safety
knowledge and procedures
As SME’s are performing often routine activities it is
willingness to developed and possible to develop and use as a safety improvement
implement safety implemented tool safety scenarios in order to be aware of what could
policies/procedures/ happen if risks are acting (TUV 2008).
guidelines A schema of our scenario analysis module is given
2 Responsibility and 2–3 Responsibility in the Figure 4.
accountability documented and The previous safety assessment data is used in order
identified for most communicated for to build a scenario plan—firstly. For example, in a
safety related tasks the main safety specific area of the SME were recorded frequent near
3 OHS Policies/ 3–4 Significant level
misses in a very short period of time. The previ-
Procedures and of implementation ous assessment data is used in order to estimate the
Guidelines through audit site trend of components and their attributes. One of such
implemented components is represented by the Human Operator
4 Comprehensive level 4–5 Complete
of implementation implementation
across audit site across audit site
5 Pre-audit results Industry best
used to review practice
and improve
safety system;
willingness for

Table 3. Pre-audit checklist example.

Please estimate the truth of the following affirmations taking

into account the actual situation from the workplace

nr. Question Yes No

1 We have a comprehensive ‘‘Health

and Safety Policy’’ manual plan in
2 All our employees are familiar with
local and national safety regulations
and we abide by them
3 We have developed a comprehensive
safety inspection process
4 We are performing regularly this
safety inspection process taking
into account all the necessary
details—our inspection is real and
not formal
Figure 4. Safety scenario module.

and one of its attributes would be the preparedness • The Human Operator;
in emergency situations. In our example we could • The Machine(s)—including facilities;
consider the sudden apparition of a fire at one of • The Working Environment;
the control panels at the workplace. If the prepared-
ness in emergency situations is set on in scenario, the together with a derived component which includes the
operator is able to put down the fire and no other specific work task and also the interaction between
loss occurs. If the attribute is set off the operator is components;
frightened and runs—the fire propagates and there is All these components- and their interaction—are
an accidental spill—because some valves got out of analysed in the best case-worst case framework con-
control. sidering also an intermediary state, the medium case.
Our scenario analysis instrument assures the rule of The medium case is (if not mentioned otherwise) is
the 3 P’s (Kovacs 2006b): the actual situation in the SME. One point of attention
is the transition between the cases, in order to analyse
• Plan: what happens if, for example, safety resources allo-
◦ Establish goals and objectives to follow; cation is postponed in order to allocate resources in a
◦ Develop procedures to follow; more hotter places.
• Predict:
◦ Predict specific risk action; 5 OBTAINED RESULTS
◦ Predict component failure;
◦ Predict soft spots where risks could materialize We have tested our system on a statistically significant
more often; lot of 250 Romanian SME (Kovacs 2006a) from all the
• Prevent: economic activities, on a half year period, taking into
account the following assessments:
◦ Foresee the necessary prevention measures; some
of these measures could be taken immediately; • General management assessment;
other are possible to be postponed for a more • Safety management assessment;
favourable period (for example the acquisition of • Incident rate after implementation (comparatively
an expensive prevention mean), other are sim- with incidents on a 5 year period);
ply improvements of the existing situation—for • Assessment of the ground floor work teams;
example a training that should include all the
workers at the workplace not just the supervisors; The SME’s test shown that such a system—which
The actual development of the scenario is per- is not very complicated—in order to be able to be used
formed in a best case—medium case—worst case by SME’s alone—is a very efficient tool in order to:
framework. This framework could be seen in the
Figure 5. – assess more objectively safety together with quality
Mainly there are considered three essential compo- and environment;
nents: – perform an efficient assessment of the SME man-
agement regarding quality, safety and environment;
– offers a realistic image to the SME management
in order to be convinced about the necessity of
improvement, not just for safety but also for envi-
ronment, as quality improvement is a must for every
SME in order to be able to remain in the market.
– tells the SME manager that quality must not be con-
sidered alone but only in connexion with safety and
– offers a valuable assessment instrument for exter-
nal assessment firms, inspection authorities and risk
assurance companies (Kovacs 2003a);

The Figure 6 shows the vulnerability analysis results

for the statistical lot.
It is possible to see that taking into account the
vulnerability alone the majority of the statistical lot
has a vulnerability over 3, this showing a severe
Figure 5. Worst case-best case scenario framework. vulnerability at risk action.

Vulnerability analysis results REFERENCES

Kovacs S, Human operator assessment—basis for a safe

workplace in the Process Industry, in Proceedings of the
5 0
Hazards XVI Symposium—Analysing the past, planning
12% 14% the future, Manchester 6–8 November 2001, Symposium
Series no. 148, ISBN 0-85295-441-7, pp. 819–833.
16% 14% Kovacs S, Safety as a need-Environment protection as a
deed, in Proceedings of the Hazards XVI Symposium—
Analysing the past, planning the future, Manchester
6–8 November 2001, Symposium Series no. 148, ISBN
0-85295-441-7, pp. 867–881.
2 Kovacs S, Major risk avoidance-fulfilling our responsibilities-
costs and benefits of Romania’s safety integration into
the European Union, in Proceedings of the Hazards XVII
Figure 6. Vulnerability analysis results. Symposium—fulfilling our responsibilities, Manchester
25–27 March 2003 Symposium Series no. 149, ISBN
0-85295-459-X, pp. 619–633.
6 CONCLUSIONS Kovacs S, Developing best practice safety procedures through
IT systems, in Proceedings of the Hazards XVII—
MRAS (Multi-Role Assessment System) was devel- fulfilling our responsibilities symposium, Manchester
oped initially as a self-audit tool which could allow 25–27 March 2003 Symposium Series no. 149, ISBN
SME to have an objective and realistic image regard- 0-85295-459-X, pp. 793–807.
ing their efforts to assure the continuous improvement Kovacs S, To do no harm- measuring safety performance
in a transition economy, in Proceedings of the Hazards
of quality and maintain a decent standard of safety
XVIII Symposium-Process safety-sharing best practice,
and environment protection. However, on the devel- Manchester 23–25 November 2004, Symposium Series
opment period we have seen a serious interest from No. 150, ISBN 0-85295-460-3, pp. 151–171.
control organs (like the Work Inspection) so we have Kovacs S, Process safety trends in a transition economy-
developed the system so that it can be used for self- a case study, In Proceedings of the Hazards XIX
audit or it can be used by an external auditor. The Symposium-Process Safety and Environmental Protec-
control teams are interested to have a quick referential tion, Manchester 25–27 March 2006, Symposium Series
in order to be able to check quickly and optimally the No. 151, ISBN 0-85295-492-8, pp. 152–166.
safety state inside a SME. In this respect our system Kovacs S, Meme based cognitive models regarding risk and
loss in small and medium enterprises, In Proceedings of
was the most optimal.
the Seventh International Conference on Cognitive Mod-
Romanian SME are progressing towards the full elling, ICCM06, Trieste, Edizioni Goliardiche, ISBN
integration into the European market. In this respect 88-7873-031-9, pp. 377–379.
they need to abide to the EU provisions, espe- Mahinda Seneviratne and Wai on Phoon, Exposure assess-
cially regarding safety and environment. Considering ment in SME: a low cost approach to bring oHS Services
this, the system assures not just the full conformity to SME’s, in Industrial Health 2006, 44, pp. 27–30.
with European laws but also an interactive forecast- TechDir 2006, SMP 12 Safety Case and Safety Case report.
plan-atact-improve instrument. The compliance audits TUV Rheinland: SEM 28 Safety Assessment service.
included in the system together with the management
and culture audits are opening Romanian SME’s to the
European Union world.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

DETECT: A novel framework for the detection of attacks to critical


F. Flammini
ANSALDO STS, Ansaldo Segnalamento Ferroviario S.p.A., Naples, Italy
Università di Napoli ‘‘Federico II’’, Dipartimento di Informatica e Sistemistica, Naples, Italy

A. Gaglione & N. Mazzocca

Università di Napoli ‘‘Federico II’’, Dipartimento di Informatica e Sistemistica, Naples, Italy

C. Pragliola
ANSALDO STS, Ansaldo Segnalamento Ferroviario S.p.A., Naples, Italy

ABSTRACT: Critical Infrastructure Protection (CIP) against potential threats has become a major issue in
modern society. CIP involves a set of multidisciplinary activities and requires the adoption of proper protection
mechanisms, usually supervised by centralized monitoring systems. This paper presents the motivation, the
working principles and the software architecture of DETECT (DEcision Triggering Event Composer & Tracker),
a new framework aimed at the automatic and early detection of threats against critical infrastructures. The
framework is based on the fact that non trivial attack scenarios are made up by a set of basic steps which have to
be executed in a predictable sequence (with possible variants). Such scenarios are identified during Vulnerability
Assessment which is a fundamental phase of the Risk Analysis for critical infrastructures. DETECT operates
by performing a model-based logical, spatial and temporal correlation of basic events detected by the sensorial
subsystem (possibly including intelligent video-surveillance, wireless sensor networks, etc.). In order to achieve
this aim, DETECT is based on a detection engine which is able to reason about heterogeneous data, implementing
a centralized application of ‘‘data fusion’’. The framework can be interfaced with or integrated in existing
monitoring systems as a decision support tool or even to automatically trigger adequate countermeasures.

1 INTRODUCTION & BACKGROUND a new framework aimed at the automatic detection of

threats against critical infrastructures, possibly before
Critical Infrastructure Protection (CIP) against ter- they evolve to disastrous consequences. In fact, non
rorism and any form or criminality has become trivial attack scenarios are made up by a set of basic
a major issue in modern society. CIP involves a steps which have to be executed in a predictable
set of multidisciplinary activities, including Risk sequence (with possible variants). Such scenarios must
Assessment and Management, together with the be precisely identified during Vulnerability Assess-
adoption of proper protection mechanisms, usu- ment which is a fundamental aspect of Risk Analysis
ally supervised by specifically designed Security for critical infrastructures (Lewis 2006). DETECT
Management Systems (SMS)1 (see e.g. (LENEL operates by performing a model-based logical, spatial
2008)). and temporal correlation of basic events detected by
Among the best ways to prevent attacks and dis- intelligent video-surveillance and/or sensor networks,
ruptions is to stop any perpetrators before they strike. in order to ‘‘sniff’’ sequence of events which indicate
This paper presents the motivation, the working prin- (as early as possible) the likelihood of threats. In order
ciples and the software architecture of DETECT to achieve this aim, DETECT is based on a detection
(DEcision Triggering Event Composer & Tracker), engine which is able to reason about heterogeneous
data, implementing a centralized application of ‘‘data
fusion’’ (a well-known concept in the research field of
cognitive/intelligent autonomous systems (Tzafestas
1 In some cases, they are integrated in the 1999)). The framework can be interfaced with or inte-
traditional SCADA (Supervisory Control & Data grated in existing SMS/SCADA systems in order to
Acquisition) systems. automatically trigger adequate countermeasures.

With respect to traditional approaches of infrastruc- or radiological material in underground stations, com-
ture surveillance, DETECT allows for: bined attacks with simultaneous multiple train halting
and railway bridge bombing, etc. DETECT has proven
• A quick, focused and fully automatic response to be particularly suited for the detection of such artic-
to emergencies, possibly independent from human ulated scenarios using a modern SMS infrastructure
supervision and intervention (though manual con- based on an extended network of cameras and sensing
firmation of detected alarms remains an option). In devices. With regards to the underlying security infras-
fact, human management of critical situations, pos- tructure, a set of interesting technological and research
sibly involving many simultaneous events, is a very issues can also be addressed, ranging from object
delicate task, which can be error prone as well as tracking algorithms to wireless sensor network inte-
subject to forced inhibition. gration; however, these aspects (mainly application
• An early warning of complex attack scenarios since specific) are not in the scope of this work.
their first evolution steps using the knowledge base DETECT is a collaborative project carried out by
provided by experts during the qualitative risk anal- the Business Innovation Unit of Ansaldo STS Italy
ysis process. This allows for preventive reactions and the Department of Computer and System Science
which are very unlikely to be performed by human of the University of Naples ‘‘Federico II’’.
operators given the limitation both in their knowl- The paper is organized as follows: Section 2
edge base and vigilance level. Therefore, a greater presents a brief summary of related works; Section 3
situational awareness can be achieved. introduces the reference software architecture of the
• An increase in the Probability Of Detection (POD) framework; Section 4 presents the language used to
while minimizing the False Alarm Rate (FAR), due describe the composite events; Section 5 describes the
to the possibility of logic as well as temporal correla- implementation of the model-based detection engine;
tion of events. While some SMS/SCADA software Section 6 contains a simple case-study application;
offer basic forms of logic correlation of alarms, Section 7 draws conclusions and provides some hints
the temporal correlation is not implemented in any about future developments.
nowadays systems, to the best of our knowledge
(though some vendors provide basic options of on-
site configurable ‘‘sequence’’ correlation embedded 2 RELATED WORKS
in their multi-technology sensors).
Composite event detection plays an important role
The output of DETECT consists of:
in the active database research community, which
• The identifier(s) of the detected/suspected sce- has long been investigating the application of Event
nario(s). Condition Action (ECA) paradigm in the context of
• An alarm level, associated to scenario evolution using triggers, generally associated with update, insert
(only used in deterministic detection as a linear or delete operations. In HiPAC (Dayal et al. 1988)
progress indicator; otherwise, it can be set to 100%). active database project an event algebra was firstly
• A likelihood of attack, expressed in terms of proba- defined.
bility (only used as a threshold in heuristic detection; Our approach for composite event detection follows
otherwise, it can be set to 100%). the semantics of the Snoop (Chakravarthy & Mishra
1994) event algebra. Snoop has been developed at the
DETECT can be used as an on-line decision sup- University of Florida and its concepts have been imple-
port system, by alerting in advance SMS operators mented in a prototype called Sentinel (Chakravarthy
about the likelihood and nature of the threat, as well et al. 1994, Krishnaprasad 1994). Event trees are used
as an autonomous reasoning engine, by automati- for each composite event and these are merged to form
cally activating responsive actions, including audio an event graph for detecting a set of composite events.
and visual alarms, emergency calls to first respon- An important aspect of this work lies in the notion
ders, air conditioning flow inversion, activation of of parameter contexts, which augment the semantics
sprinkles, etc. of composite events for computing their parameters
The main application domain of DETECT is home- (parameters indicate ‘‘component events’’). CEDMOS
land security, but its architecture is suited to other (Cassandra et al. 1999) refers to the Snoop model
application fields like environmental monitoring and in order to encompass heterogeneity problems which
control, as well. The framework will be experi- often appear under the heading of sensor fusion. In
mented in railway transportation systems, which have (Alferes & Tagni 2006) the implementation of an event
been demonstrated by the recent terrorist strikes to detection engine that detects composite events speci-
be among the most attractive and vulnerable targets. fied by expressions of an illustrative sublanguage of
Example attack scenarios include intrusion and drop the Snoop event algebra is presented. The engine has
of explosive in subway tunnels, spread of chemical been implemented as a Web Service, so it can also be

used by other services and frameworks if the markup • Event History database, containing the list of basic
for the communication of results is respected. events detected by sensors or cameras, tagged with
Different approaches for composite event detec- a set of relevant attributes including detection time,
tion are taken in Ode (Gerani et al. 1992a, b) and event type, sensor id, sensor type, sensor group,
Samos (Gatziu et al. 1994, Gatziu et al. 2003). Ode object id, etc. (some of which can be optional, e.g.
uses an extended Finite Automata for composite event ‘‘object id’’ is only needed when video-surveillance
detection while Samos defines a mechanism based on supports inter-camera object tracking).
Petri Nets for modeling and detection of composite • Attack Scenario Repository, providing a database
events for an Object Oriented Data-Base Management of known attack scenarios as predicted in Risk
System (OODBMS). Analysis sessions and expressed by means of an
DETECT transfers to the physical security the Event Description Language (EDL) including log-
concept of Intrusion Detection System (IDS) which ical as well as temporal operators (derived from
is nowadays widespread in computer (or ‘‘logical’’) (Chakravarthy et al. 1994)).
security, also borrowing the principles of Anomaly • Detection Engine, supporting both determinis-
Detection, which is applied when an attack pattern is tic (e.g. Event Trees, Event Graphs) and heuris-
known a priori, and Misuse Detection, indicating the tic (e.g. Artificial Neural Networks, Bayesian
possibility of detecting unknown attacks by observing Networks) models, sharing the primary requirement
a significant statistical deviation from the normality of real-time solvability (which excludes e.g. Petri
(Jones & Sielken 2000). The latter aspect is strictly Nets from the list of candidate formalisms).
related to the field of Artificial Intelligence and related • Model Generator, which has the aim of building
classification methods. the detection model(s) (structure and parameters)
Intelligent video-surveillance exploits Artificial starting from the Attack Scenario Repository by
Vision algorithms in order to automatically track parsing all the EDL files.
object movements in the scene, detecting several type • Model Manager, constituted by four sub-modules
of events, including virtual line crossing, unattended (grey-shaded boxes in Figure 1):
objects, aggressions, etc. (Remagnino et al. 2007).
Sensing devices include microwave/infrared/ultra- ◦ Model Feeder (one for each model), which
sound volumetric detectors/barriers, magnetic detec- instantiates the inputs of the detection engine
tors, vibration detectors, explosive detectors, and according to the nature of the models by cyclically
advanced Nuclear Bacteriologic Chemical Radio- performing proper queries and data filtering on
logical (NBCR) sensors (Garcia 2001). They can be the Event History (e.g. selecting sensor typolo-
connected using both wired and wireless networks, gies and zones, excluding temporally distant
including ad-hoc Wireless Sensor Networks (WSN) events, etc.).
(Lewis 2004, Roman et al. 2007). ◦ Model Executor (one for each model), which
triggers the execution of the model, once it has
been instantiated, by activating the related (exter-
3 THE SOFTWARE ARCHITECTURE nal) solver. An execution is usually needed at each
new event detection.
The framework is made up by the following main ◦ Model Updater (one for each model), which
modules (see Figure 1): is used for on-line modification of the model




Figure 1. The software architecture of DETECT.

(e.g. update of a threshold parameter), with- • Standard communication protocols (OPC3 ,
out regenerating the whole model (whenever ODBC4 , Web-Services, etc.) needed to interop-
supported by the modeling formalism). erate with open databases, SMS/SCADA, or any
◦ Output Manager (single), which stores the out- other client/server security subsystems which are
put of the model(s) and/or passes it to the interface compliant to such standards.
The last two points are necessary to provide
• Model Solver, that is the existing or specifically DETECT with an open, customizable and easily
developed tool used to execute the model. upgradeable architecture. For instance, by adopt-
ing a standard communication protocol like OPC,
Model Generator and Model Manager are depen- an existing SMS supporting this protocol could inte-
dent on the formalisms used to express the models grate DETECT as it was just a further sensing
constituting the Detection Engine. In particular, the device.
Model Generator and Model Feeder are synergic in At the current development state of DETECT:
implementing the detection of the event specified in
EDL files: in fact, while the Detection Engine plays • A GUI has been developed to edit scenarios and
undoubtedly a central role in the framework, many generate EDL files starting from the Event Tree
important aspects are demanded to the way the query graphical formalism.
on the database is performed (i.e. selection of proper • A Detection Engine based on Event Graphs (Buss
events). As an example, in case the Detection Engine 1996) is already available and fully working, using
is based on Event Trees (a combinatorial formalism), a specifically developed Model Solver.
the Model Feeder should be able to pick the set of last • A Model Generator has been developed in order to
N consecutive events fulfilling some temporal proper- generate Event Graphs starting from the EDL files
ties (e.g. total time elapsed since the first event of the in the Scenario Repository.
sequence <T), as defined in the EDL file. In case of • A Web Services based interface has been developed
Event Graphs (a state-based formalism), instead, the to interoperate with external SMS.
model must be fed by a single event at a time. • The issues related to the use of ANN (Jain et al.
Besides these main modules, there are others which 1996) for heuristic detection have been addressed
are also needed to complete the framework with useful, and the related modules are under development and
though not always essential, features (some of which experimentation.
can also be implemented by external tools or in the
• Scenario GUI (Graphical User Interface) used to
draw attack scenarios using an intuitive formalism The Detection Engine needs to recognize combination
and a user-friendly interface (e.g. specifically of events, bound each other with appropriate operators
tagged UML Sequence Diagrams stored in the in order to form composite events of any complexity.
standard XMI2 format (Object Management Group Generally speaking, an event is a happening that occurs
UML 2008)). in the system, at some location and at some point in
• EDL File Generator, translating GUI output into time. In our context, events are related to sensor data
EDL files. variables (i.e. variable x greater than a fixed threshold,
• Event Log, in which storing information about variable y in a fixed range, etc.). Events are classified
composite events, including detection time, sce- as primitive events and composite events.
nario type, alarm level and likelihood of attack A primitive event is a condition on a specific sen-
(whenever applicable). sor which is associated some parameters (i.e. event
• Countermeasure Repository, associating to each identifier, time of occurrence, etc.). Event parameters
detected event or event class a set of operations to can be used in the evaluation of conditions. Each entry
be automatically performed by the SMS. stored in the Event History is a quadruple:
• Specific drivers and adapters needed to interface < IDev, IDs, IDg, tp >, where:
external software modules, possibly including anti- • IDev is the event identifier;
intrusion and video-surveillance subsystems. • IDs is the sensor identifier;

3 OLE (Object Linking & Embedding) for Process

2 XML (eXtended Markup Language) Metadata Communication.
Interchange. 4 Open Data-Base Connectivity.

• IDg is the sensor group identifier (needed for In the following, we briefly describe the semantics of
geographical correlation); these operators. For a formal specification of these
• tp is the event occurrence time which should be a semantics, the reader can refer to (Chakravarthy et al.
sensor timestamp (when a global clock is available 1994).
for synchronization) or the Event History machine OR. Disjunction of two events E1 and E2 , denoted
clock. (E1 OR E2 ). It occurs when at least one of its
components occurs.
Since the message transportation time is not instan- AND. Conjunction of two events E1 and E2 ,
taneous, the event occurrence time can be different denoted (E1 AND E2 ). It occurs when both E1 and
from the registration time. Several research works E2 occur (the temporal sequence is ignored).
have addressed the issue of clock synchronization in ANY. A composite event, denoted ANY (m, E1 ,
distributed systems. Here we assume that a proper E1 , . . . , En ), where m ≤ n. It occurs when m out of n
solution (e.g. time shifting) has been adopted at a lower distinct events specified in the expression occur (the
level. temporal sequence is ignored).
A composite event is a combination of primitive SEQ. Sequence of two events E1 and E2 , denoted
events defined by means of proper operators. The (E1 SEQ E2 ). It occurs when E2 occurs provided that
EDL of DETECT is derived from Snoop event alge- E1 has already occurred. This means that the time
bra (Chakravarthy & Mishra 1994). Every composite of occurrence of E1 has to be less than the time of
event instance is a triple: occurrence of E2 .
<IDec, parcont, te>, where: The sequence operator is used to define composite
• IDec is the composite event identifier; events when the order of its component events is rel-
• parcont is the parameter context, stating which evant. Another way to perform a time correlation on
occurrences of primitive events need to be con- events is by exploiting temporal constraints.
sidered during the composite event detection (as The logic correlation could loose meaningfulness
described below); when the time interval between component events
• te is the temporal value related to the occurrence of exceeds a certain threshold. Temporal constraints can
the composite event (corresponding to the tp of the be defined on primitive events with the aim of defin-
last component event). ing a validity interval for the composite event. Such
constraints can be added to any operator in the formal
Formally an event E (either primitive or composite) expression used for event description.
is a function from the time domain onto the boolean For instance, let us assume that in the composite
values, True and False: event E = (E1 AND E2 ) the time interval between the
occurrence of primitive events E1 and E2 must be at
E: T → {True, False}, given by: most T. The formal expression is modified by adding
 the temporal constraint [T] as follows:
True, if E occurs at a time t
E (t) =
False, otherwise
(E1 AND E2 )[T] = True
The basic assumption of considering a boolean
function is quite general, since different events can ⇔
be associated to a continuous sensor output according ∃ t1 ≤ t|(E1 (t) ∧ E2 (t1 ) ∨ E1 (t1 ) ∧ E2 (t)) ∧ |t − t1 | ≤ T
to a set of specified thresholds. Furthermore, negate
conditions (!E) can be used when there is the need for
checking that an event is no longer occurring. This
allows considering both instantaneous (‘‘occurs’’ = 5 THE SOFTWARE IMPLEMENTATION
‘‘has occurred’’) and continuous (‘‘occurs’’ = ‘‘is
occurring’’) events. However, in order to simplify This section describes some implementation details of
EDL syntax, negate conditions on events can be sub- DETECT, referring to the current development state
stituted by complementary events. An event Ec is of the core modules of the framework, including the
complementary to E when: Detection Engine. The modules have been fully imple-
mented using the Java programming language. JGraph
Ec ⇒!E has been employed for the graphical construction of
the Event Trees used in the Scenario GUI. Algorithms
Each event is denoted by an event expression, whose have been developed for detecting composite events in
complexity grows with the number of involved events. all parameter contexts.
Given the expressions E1 , E2 , . . . , En , every applica- Attack scenarios are currently described by Event
tion on them through any operator is still an expression. Trees, where leaves represent primitive events while

• Chronicle: the (initiator, terminator) pair is unique.
The oldest initiator is paired with the oldest termi-
• Continuous: each initiator starts the detection of the
• Cumulative: all occurrences of primitive events are
accumulated until the composite event is detected.
The effect of EDL operators is then conditioned
by the specific context, which is implemented in the
Event Dispatcher. Theoretically, in the construction of
the model a different node should be defined for each
context. Whilst a context could be associated to each
operator, currently a single context is associated to
each detection model. Furthermore, a different node
object for each context has been implemented.
Figure 2. Event tree for composite event ((E1 OR E2) AND In the current implementation, Event Graphs are
(E2 SEQ (E4 AND E6))). used to detect the scenarios defined by Event Trees,
which are only used as a descriptive formalism. In
fact, scenarios represented by more Event Trees can
internal nodes (including the root) represent EDL lan- be detected by a single Event Graph produced by the
guage operators. Figure 2 shows an example Event Model Generator. When an Event Detector receives
Tree representing a composite event. a message indicating that an instance of a primitive
After the user has sketched the Event Tree, the Sce- event Ei has occurred, it stores the information in the
nario GUI module parses the graph and provides the node associated with Ei . The detection of compos-
EDL expression to be added to the EDL Repository. ite events follows a bottom-up process that starts from
The parsing process starts from the leaf nodes rep- primitive event instances and flows up to the root node.
resenting the primitive events and ends at the root So the composite event is detected when the condition
node. Starting from the content of the EDL Repository, related to the root node operator is verified. The propa-
the Model Generator module builds and instantiates gation of the events is determined by the user specified
as many Event Detector objects as many composite context. After the detection of a composite event, an
events stored in the database. The detection algorithm object of a special class (Event Detected) is instanti-
implemented by such objects is based on Event Graphs ated with its relevant information (identifier, context,
and the objects include the functionalities of both the component event occurrences, initiator, terminator).
Model Solver and the Detection Engine.
In the current prototype, after the insertion of attack
scenarios, the user can start the detection process on 6 AN EXAMPLE SCENARIO
the Event History using a stub front-end (simulating
the Model Executor and the Output Manager mod- In this section we provide an application of DETECT
ules). A primitive event is accessed from the database to the case-study of a subway station. We consider
by a specific Model Feeder module, implemented by a a composite event corresponding to a terrorist threat.
single Event Dispatcher object which sends primitive The classification of attack scenarios is performed by
event instances to all Event Detectors responsible for security risk analysts in the vulnerability assessment
the detection process. process.
The Event Dispatcher requires considering only The attack scenario consists of an intrusion and drop
some event occurrences, depending on a specific of an explosive device in a subway tunnel. Let us sup-
policy defined by the parameter context. The policy pose that the dynamic of the scenario follows the steps
is used to define which events represent the begin- reported below:
ning (initiator) and the end (terminator) of the sce-
nario. The parameter context states which component 1. The attacker stays on the platform for the time
event occurrences play an active part in the detec- needed to prepare the attack, missing one or more
tion process. Four contexts for event detection can be trains.
defined: 2. The attacker goes down the tracks by crossing the
limit of the platform and moves inside the tunnel
• Recent: only the most recent occurrence of the 3. The attacker drops the bag containing the explosive
initiator is considered. device inside the tunnel and leaves the station.

Obviously, it is possible to think of several variants A partial alarm can be associated to the scenario
of this scenario. For instance, only one between step 1 evolution after step 1 (left AND in the EDL expres-
and step 2 could happen. Please note that the detection sion), in order to warn the operator of a suspect
of step 1 (person not taking the train) would be very abnormal behavior.
difficult to detect by a human operator in a crowded In order to activate the detection process, a sim-
station due to the people going on and off the train. ulated Event History has been created ad-hoc. An
Le us suppose that the station is equipped with on-line integration with a real working SMS will
a security system including intelligent cameras (S1 ), be performed in the near future for experimentation
active infrared barriers (S2 ) and explosive sniffers (S3 ) purposes.
for tunnel portal protection. The formal description of
the attack scenario consists of a sequence of events
which should be detected by the appropriate sensors
and combined in order to form the composite event. 7 CONCLUSIONS & FUTURE WORKS
The formal specification of primitive events consti-
tuting the scenario is provided in following: In this paper we have introduced the working principles
and the software architecture of DETECT, an expert
a. extended presence on the platform (E1 by S1 ); system allowing for early warnings in security critical
b. train passing (E2 by S1 ); domains.
c. platform line crossing (E3 by S1 ); DETECT can be used as a module of a more com-
d. tunnel intrusion (E4 by S2 ); plex hierarchical system, possibly involving several
e. explosive detection (E5 by S3 ). infrastructures. In fact, most critical infrastructures
For the sake of brevity, further steps are omitted. are organized in a multi-level fashion: local sites,
The composite event drop of explosive in tunnel grouped into regions and then monitored centrally by
can be specified in EDL as follows: a national control room, where all the (aggregated)
events coming from lower levels are routed. When
the entire system is available, each site at each level
(E1 AND E2 ) OR E3 SEQ (E4 AND E5 )
can benefit from the knowledge of significant events
happening in other sites. When some communication
Figure 3 provides a GUI screenshot showing the links are unavailable, it is still possible to activate
Event Tree for the composite event specified above. countermeasures basing on the local knowledge.
The user chooses the parameter context and builds the We are evaluating the possibility of using a single
tree (including primitive events, operators and inter- automatically trained multi-layered ANN to comple-
connection edges) by the user-friendly interface. If a ment deterministic detection by: 1) classification of
node represents a primitive event, the user has to spec- suspect scenarios, with a low FAR; 2) automatic detec-
ify event (Ex ) and sensor (Sx ) identifiers. If a node tion of abnormal behaviors, by observing deviations
is an operator, the user can optionally specify other from normality; 3) on-line update of knowledge trig-
parameters such as a temporal constraint, the partial gered by the user when a new anomaly has been
alarm level and the m parameter (ANY operator). Also, detected. The ANN model can be trained to under-
the user can activate/deactivate the composite events stand normality by observing the normal use of the
stored in the repository carrying out the detection infrastructure, possibly for long periods of time. The
process. Model Feeder for ANN operates in a way which is
similar to the Event Tree example provided above. A
ANN specific Model Updater allows for on-line learn-
ing facility. Future developments will be aimed at a
more cohesive integration between deterministic and
heuristic detection, by making the models interact one
with each other.


Alferes, J.J. & Tagni, G.E. 2006. Implementation of a Com-

plex Event Engine for the Web. In Proceedings of IEEE
Services Computing Workshops (SCW 2006). September
18–22. Chicago, Illinois, USA.
Buss, A.H. 1996. Modeling with Event Graphs. In Proc.
Figure 3. Insertion of the composite event using the GUI. Winter Simulation Conference, pp. 153–160.

Cassandra, A.R., Baker, D. & Rashid, M. 1999. CEDMOS: Jain, A.K., Mao, J. & Mohiuddin, K.M. 1996. Artificial Neu-
Complex Event Detection and Monitoring System. MCC ral Networks: A tutorial. In IEEE Computer, Vol. 29, No.
Tecnical Report CEDMOS-002-99, MCC, Austin, TX. 3, pp. 56–63.
Chakravarthy, S. & Mishra, D. 1994. Snoop: An expressive Jones, A.K. & Sielken, R.S. 2000. Computer System Intru-
event specification language for active databases. Data sion Detection: A Survey. Technical Report, Computer
Knowl. Eng., Vol. 14, No. 1, pp. 1–26. Science Dept., University of Virginia.
Chakravarthy, S., Krishnaprasad, V., Anwar, E. & Kim, S. Krishnaprasad, V. 1994. Event Detection for Supporting
1994. Composite Events for Active Databases: Seman- Active Capability in an OODBMS: Semantics, Architec-
tics, Contexts and Detection. In Proceedings of the ture and Implementation. Master’s Thesis. University of
20th international Conference on Very Large Data Bases Florida.
(September 12–15, 1994). LENEL OnGuard 2008.
Bocca, J.B., Jarke, M. & Zaniolo, C. Eds. Very Large Data Lewis, F.L. 2004. Wireless Sensor Networks. In Smart Envi-
Bases. Morgan Kaufmann Publishers, San Francisco, CA, ronments: Technologies, Protocols, and Applications, ed.
pp. 606–617. D.J. Cook and S.K. Das. John Wiley, New York.
Dayal, U., Blaustein, B.T., Buchmann, A.P., Chakravarthy, S., Lewis, T.G. 2006. Critical Infrastructure Protection in
Hsu, M., Ledin, R., McCarthy, D.R., Rosenthal, A., Sarin, Homeland Security: Defending a Networked Nation. John
S.K., Carey, M.J., Livny, M. & Jauhari, R. 1988. The Wiley, New York.
HiPAC Project: Combining Active Databases and Timing Object Management Group UML, 2008. http://www.omg.
Constraints. SIGMOD Record, Vol. 17, No. 1, pp. 51–70. org/uml.
Garcia, M.L. 2001. The Design and Evaluation of Physical OLE for Process Communication.
Protection Systems. Butterworth-Heinemann, USA. Remagnino, P., Velastinm, S.A., Foresti G.L. & Trivedi, M.
Gatziu, S. & Dittrich, K.R. 1994. Detecting Composite 2007. Novel concepts and challenges for the next genera-
Events in Active Databases Using Petri Nets. In Proceed- tion of video surveillance systems. In Machine Vision and
ings of the 4th International Workshop on Research Issues Applications (Springer), Vol. 18, Issue 3–4, pp. 135–137.
in data Engineering: Active Database Systems, pp. 2–9. Roman, R., Alcaraz, C. & Lopez, J. 2007. The role of Wire-
Gatziu, S. & Dittrich, K.R. 2003. Events in an Object- less Sensor Networks in the area of Critical Information
Oriented Database System. In Proceedings of the 1st Infrastructure Protection. In Information Security Tech.
International. Report, Vol. 12, Issue 1, pp. 24–31.
Gerani, N.H., Jagadish, H.V. & Shmueli, O. 1992a. Event Tzafestas, S.G. 1999. Advances in Intelligent Autonomous
Specification in an Object-Oriented Database. In Systems. Kluwer.
Gerani, N.H., Jagadish, H.V. & Shmueli, O. 1992b. COM-
POSE A System For Composite Event Specification and
Detection. Technical report, AT&T Bell Laboratories,
Murray Hill, NJ.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Methodology and software platform for multi-layer causal modeling

K.M. Groth, C. Wang, D. Zhu & A. Mosleh

Center for Risk and Reliability, University of Maryland, College Park, Maryland, USA

ABSTRACT: This paper introduces an integrated framework and software platform that uses a three layer
approach to modeling complex systems. The multi-layer PRA approach implemented in IRIS (Integrated Risk
Information System) combines the power of Event Sequence Diagrams and Fault Trees for modeling risk
scenarios and system risks and hazards, with the flexibility of Bayesian Belief Networks for modeling non-
deterministic system components (e.g. human, organizational). The three types of models combined in the IRIS
integrated framework form a Hybrid Causal Logic (HCL) model that addresses deterministic and probabilistic
elements of systems and quantitatively integrates system dependencies. This paper will describe the HCL
algorithm and its implementation in IRIS by use of an example from aviation risk assessment (a risk scenario
model of aircraft taking off from the wrong runway.

1 INTRODUCTION the third layer to extend the causal chain of events to

potential human, organizational, and socio-technical
Conventional Probabilistic Risk Assessment (PRA) roots.
methods model deterministic relations between basic This approach can be used as the foundation for
events that combine to form a risk scenario. This addressing many of the issues that are commonly
is accomplished by using Boolean logic methods, encountered in risk and safety analysis and hazard
such as Fault Trees (FTs) and Event Trees (ETs) or identification. As a causal model, the methodology
Event Sequence Diagrams (ESDs). However since provides a vehicle for identification and analysis of
with human and organizational failures are among cause-effect relationships across many different mod-
the most important roots of many accidents and inci- eling domains, including human, software, hardware,
dents, there is an increased interest in expanding causal and environment.
models to incorporate non-deterministic causal links The IRIS framework can be used to identify all risk
encountered in human reliability and organizational scenarios and contributing events and calculate associ-
theory. Bayesian Belief Networks (BBNs) have the ated probabilities; to identify the risk value of specific
capability to model these soft relationships. changes and the risk importance of certain elements;
This paper describes a new risk methodology known and to monitor system risk indicators by considering
as Hybrid Causal Logic (HCL) that combines the the frequency of observation and the risk signifi-
Boolean logic-based PRA methods (ESDs, FTs) with cance over a period of time. Highlighting, trace, and
BBNs. The methodology is implemented in a software drill down functions are provided to facilitate hazard
package called the Integrated Risk Information Sys- identification and navigation through the models.
tem (IRIS). The HCL computational engine of IRIS All of the features in IRIS can be implemented with
can also be used as a standalone console application. respect to one risk scenario or multiple scenarios, e.g.
The functionality of this computational engine can be all of the scenarios leading to a particular category or
accessed by other applications through an API. IRIS type of end state. IRIS can be used to build a single
was designed for the United States Federal Aviation one-layer model, or a network of multi-layer models.
Administration. Additional information on IRIS can IRIS was developed as part of an interna-
be found in the references (Groth, Zhu & Mosleh 2008; tional research effort sponsored by the FAA System
Zhu et al 2008; Groth 2007). Approach for Safety Oversight (SASO) office. Other
In this modeling framework risk scenarios are mod- parts of this research created ESDs, FTs, and BBNs by
eled in the top layer using Event Sequence Diagrams. teams of aviation experts from the United States and
In the second layer, Fault Trees are used to model the Europe. IRIS integrates the different models into a
factors contributing to the properties and behaviors of standard framework and the HCL algorithm combines
the physical system (hardware, software, and environ- quantitative information from the models to calculate
mental factors). Bayesian Belief Networks comprise total risk.

The Dutch National Aerospace Laboratory (NLR) crew and fatigue and workload contributed to decision
used the NLR air safety database and aviation experts errors made by ATC. The details from the flight 5191
to created a hierarchical set of 31 generic ESDs rep- and the group of models for use of the incorrect run-
resenting the possible accident scenarios from takeoff way during takeoff will be used throughout this paper
to landing (Roelen et al. 2002). to show how the HCL methodology can be applied to
Another layer of the aviation safety model was cre- a real example.
ated by Hi-Tec Systems. Hi-Tec created a comprehen-
sive model for the quality of air carrier maintenance
(Eghbali 2006) and the flight operations (Mandelapu 2 OVERVIEW OF HCL METHODOLOGY
2006). NLR has also created FTs for specific accident
scenarios (Roelen & Wever 2004a, b). 2.1 Overview of the HCL modeling layers
The NLR and Hi-Tec models were built and ana-
lyzed in IRIS. One set of models pertains to the use The hybrid causal logic methodology extends con-
of the incorrect runway during takeoff. These models ventional deterministic risk analysis techniques to
became especially pertinent after the August 2006 fatal include ‘‘soft’’ factors including the organizational and
Comair Flight 5191 crash in Lexington, Kentucky. The regulatory environment of the physical system. The
pilot of flight 5191 taxied onto the wrong runway dur- HCL methodology employs a model-based approach
ing an early morning takeoff due to a combination of to system analysis; this approach can be used as the
human and airport factors. The incorrect runway was foundation for addressing many of the issues that are
shorter than the minimum distance required for the air- commonly encountered in system safety assessment,
craft to takeoff. The aircraft was less than 300ft from hazard identification analysis, and risk analysis. The
the end of the runway before pilots realized the error integrated framework is presented in Figure 1.
and attempted to takeoff at below-optimal speed. The ESDs form the top layer of the three layer model,
attempted takeoff resulted in a runway overrun and the FTs form the second layer, and BBNs form the bottom
death of 49 of the 50 people onboard. layer. An ESD is used to model temporal sequences of
The NTSB (2007) cited human actions by crew events. ESDs are similar to event trees and flowcharts;
and air traffic control (ATC) contributing to the acci- an ESD models the possible paths to outcomes, each
dent. The crew violated cockpit policy by engaging in of which could result from the same initiating event.
non-pertinent conversation during taxiing and by com- ESDs contain decision nodes where the paths diverge
pleting an abbreviated taxi briefing. Signs indicating based on the state of a system element. As part of the
the runway number and cockpit displays indicating the hybrid causal analysis, the ESDs define the context
direction of takeoff were not mentioned by either pilot or base scenarios for the hazards, sources of risk, and
during the takeoff. During takeoff the flight crew noted safety issues.
that there were no lights on the runway as expected, but The ESD shown in Figure 2 models the probability
did not double check their position as the copilot had of an aircraft taking off safely, stopping on the run-
observed numerous lights out on the correct runway way, or overrunning the runway. As can be seen in
the previous day. Pre-flight paperwork also indicated the model, the crew must reject the takeoff and the
that the centerline lights on the proper runway were speed of the aircraft must be lower than the critical
out. The flight crew did not use the available cues to speed beyond which the aircraft cannot stop before the
reconsider takeoff.
At the time of the accident only one of two required
air traffic controllers were on duty. According to post- IE PE-1 PE-2
accident statements, the controller on duty at the time
of the accident was also responsible for monitoring
radar and was not aware that the aircraft had stopped
short of the desired runway before he issued takeoff
clearance. After issuing takeoff clearance the con-
troller turned around to perform administrative tasks
during take-off and was not engaged in monitoring the C Top layer: ESD
progress of the flight. Fatigue likely contributed to the E
Middle layer: FT
performance of the controller as he had only slept for C Bottom layer: BBN
2 hours in the 24 hours before the accident. B
Impaired decision making and inappropriate task
prioritization by both crew members and ATC were
major contributing factors to this accident. The reduc-
ing lighting on both the correct and incorrect runways
at the airport contributed to the decision errors made by Figure 1. Illustration of a three-layered IRIS model.

Figure 2. Case study top layer—ESD for an aircraft using the wrong runway (Roelen et al. 2002).

Figure 4. Partial NLR model for takeoff from wrong run-

way. The flight plan node is fed by Figure 5, and the crew
Figure 3. Case study middle layer—FT for air traffic control
decision/action error is fed by additional human factors.
events (Roelen and Wever 2004a).

end of the runway. By the time the Flight 5191 crew of BBNs to the traditional PRA modeling techniques
realized the mistake, the plane was above critical speed extends conventional risk analysis by capturing the
and the runway overrun was inevitable. diversity and complexity of hazards in modern sys-
The initiating event of the ESD, ATC event, is tems. BBNs can be used to model non-deterministic
directly linked to the top gate of the FT in Figure 3. casual factors such as human, environmental and
This FT provides three reasons an aircraft could be organizational factors.
placed in this situation: loss of separation with traffic, BBNs offer the capability to deal with sequential
takeoff from incorrect runway, or a bird strike. dependency and uncertain knowledge. BBNs can be
FTs uses logical relationships (AND, OR, NOT, connected to events in ESDs and FTs. The connections
etc.) to model the physical behaviors of the system. In between the BBNs and logic models are formed by
an HCL model, the top event of a FT can be connected binary variables in the BBN; the probability of the
to any event in the ESD. This essentially decomposes linked BBN node is then assigned to the ESD or FT
the ESD event into a set of physical elements affecting event.
the state of the event, with the node in the ESD taking The wrong runway event in the center of the FT is
its probability value from the FT. the root cause of the accident. Factors that contribute
BBNs have been added as the third layer of the to this root cause are modeled in the BBNs in Figure 4
model. A BBN is a directed acyclic graph, i.e. it can- and 5. Figure 4 is part of the wrong runway BBN
not contain feedback loops. Directed arcs form paths developed by NLR (Roelen and Wever 2007); the
of influence between variables (nodes). The addition wrong runway FT event is linked to the output node

Figure 5. Case study bottom layer—BBN of flight operations (Mandelapu 2006).

of this BBN. The flight plan node in Figure 5 feeds BBN nodes are quantified in conditional proba-
into the wrong runway node in Figure 4. Figure 5 bility tables. The size of the conditional probability
is fed by the Hi-Tec air carrier maintenance model table for each node depends on the number of parent
(Eghbali 2006; not pictured) with the end node of the nodes leading into it. The conditional probability table
maintenance model feeding information into the fleet requires the analyst to provide a probability value for
availability node at the top of the flight operations each state of the child node based on every possible
model. combination of the states of parent nodes. The default
Since many of the casual factors in BBNs may have number of states for a BBN node is 2, although addi-
widespread influence, BBN nodes may impact multi- tional states can be added as long as the probability of
ple events within ESDs and FTs. The details of the all states sums to 1. Assuming the child and its n par-
HCL quantification procedure can be found in the ent nodes all have 2 states, this requires 2n probability
references (Groen & Mosleh 2008, Wang 2007). values.
In order to quantify the hybrid model it is neces-
sary to convert the three types of diagrams into a set
2.2 Overview of HCL algorithm quantitative
of models that can communicate mathematically. This
is accomplished by converting the ESDs and FTs into
An ESD event can be quantified directly by inputting a Reduced Ordered Binary Decision Diagrams (BDDs).
probability value for the event, or indirectly by linking The set of reduced ordered BDDs for a model are all
it to a FT or a node in a BBN. Linked ESD events take unique and the order of variables along each path from
on the probability value of the FT or node attached to it. root node to end node is identical. Details on the algo-
This allows the analyst to set a variable probability for rithms used to convert ESDs and FTs into BDDs have
ESD events based on contributing factors from lower been described extensively (Bryant 1992, Brace et al.
layers of the model. Likewise, FT basic events can be 1990, Rauzy 1993, Andrews & Dunnett 2000, Groen
quantified directly or linked to any node in the BBN. et al. 2005).

BBNs are not converted into BDDs; instead, a of using the wrong runway is a continued takeoff with
hybrid BDD/BBN is created. In this hybrid structure, no consequences. The bottom half of the figure dis-
the probability of one or more of the BDD variables plays the cut-sets only for the scenarios that end with
is provided by a linked node in the BBN. Additional a runway overrun. As can be seen in the figure, the
details about the BDD/BBN link can be found in most likely series of event reading to an overrun is the
Groen & Mosleh (2008). combination of using the incorrect runway, attempt-
ing a rejected takeoff, and having speed in excess of
the critical stopping speed (V1). This is the pattern
3 HCL-BASED RISK MANAGEMENT displayed by flight 5191.

In addition to providing probability values for each

3.1 Importance measures
ESD scenario, each FT and each BBN node, the HCL
methodology provides functions for tracking risks over Importance measures are used to identify the most
time and for determining the elements that contribute significant contributors to a risk scenario. They pro-
most to scenario risk. HCL also provides the mini- vide a quantitative way to identify the most important
mal cut-sets for each ESD scenario, allowing the user system hazards and to understand which model ele-
to rank the risk scenarios quantitatively. Specific func- ments most affect system risk. Importance measures
tions are described in more detail below. For additional can be used to calculate the amount of additional safety
technical details see (Mosleh et al. 2007). resulting from a system modification, which allows
Figure 7 displays scenario results for the wrong run- analysts to examine the benefits of different modifi-
way scenario. It is clear that the most probable outcome cations before implementation. Analysts can also use

Figure 6. Probability values and cut sets for the base wrong runway scenario.

Figure 7. Importance measure results for the runway overrun model.

importance measures to identify the elements that most system risks and to track changes in risk over time.
contribute to a risk scenario and then target system Risk significance is calculated with respect to selected
changes to maximize the safety impact. ESD scenarios or end states. It can be calculated for
There are numerous ways to calculate importance any BBN node, FT gate or event, or ESD pivotal event.
measures for Boolean models. However, due to the The risk indicator is calculated by Equation 3,
dependencies in HCL models introduced by inclu- where R is the total risk, φ is the frequency of the
sion of BBNs, the methods cannot be applied in their event.
original form. Four conventional importance measures
have been modified and implemented in HCL: Risk R = Pr(S| f ) · φ (3)
Achievement Work (RAW), Risk Reduction Worth
(RRW), Birnbaum, and Vesely-Fussel (VF). Pr(S| f ) is the risk weight of a BBN node or FT event or
The standard Vesely-Fussel importance measure gate ( f ) and S is the selected ESD end state or group of
(Eq. 1) calculates the probability that event e has end states. If S consists of an end state category or mul-
occurred given that ESD end state S has occurred tiple end states in the same ESD Equation 3 is modified
(Fussel 1975). using the same logic explained for modifying Equa-
tion 1. For multiple end states in different ESDs the
p(e · S) risk indicator value can be calculated using the upper
p(e|S) = (1)
P(S) bound approximation. The procedure for performing
precursor analysis and hazard ranking follows directly
For hybrid models, event e is a given state of a model from the risk indicator procedure.
element, e.g. a FT event is failed or a BBN node is Figure 8 displays individual risk indicators and total
‘‘degraded’’ instead of ‘‘fully functional’’ or ‘‘failed.’’ risk for several BBN nodes from the example model.
By addressing a particular state, it is possible to extend Frequency values are to be provided by the analyst. In
importance measures to all layers of the hybrid model. the example case, the frequency values were selected
Importance measures must be calculated with to show how IRIS could be used to monitor the risks
respect to an ESD end state. To ensure independence before the accident; these are not values from data.
in ESDs with multiple paths, it is necessary to treat The top graph in Figure 8 shows the changing risk
the end state S as the sum of the Si mutually exclusive values for each of the three selected indicators. The
paths leading to it. The importance measure can then bottom graph shows the aggregated risk value over
be calculated by using Equation 2. time. Based on the risk values obtained from the mod-
els and the hypothetical frequency data, it becomes
i p(e · Si ) p(Si |e) apparent that the risk associated with airport ade-
p(S) =  = i (2) quacy increased sharply between May and July. The
i p(S i ) i p(Si ) hypothetical risks associated with the adequacy of the
airport could have been identified in July and steps
For a set of scenarios belonging to two or more
ESDs the probability can be calculated as a func-
tion of the results from each ESD or by use of the
mean upper bound approximation. Additional details
on HCL importance measure calculations can be found
in Zhu (2008).
Figure 7 provides importance measure results for
the runway overrun model. The importance measures
in the figure are arranged by the Vesely-Fussel impor-
tance measure. The items in the components column
are FT events and some selected BBN nodes. The BBN
nodes selected reflect the factors that contributed to the
runway overrun of Flight 5191. From the figure it is
obvious that take-off from incorrect runway is the most
important contributing factor to the runway overrun
end state.

3.2 Risk indicators

Risk indicators are used to identify potential system
risks by considering both the risk significance and the
frequency of the event. They are also used to monitor Figure 8. Sample risk indicators implemented in IRIS.

could have been taken to reduce these risks before the flight 5191 flight crew. Airport adequacy was set to
serious consequences occurred. the state inadequate because of the lack of proper light-
ing on both runways. The takeoff plan was deemed
3.3 Risk impact substandard.
By comparing the results of the base case, Figure 6,
Analysts can use IRIS to visualize the change in system to the case updated with scenario evidence, Figure 9,
risk based on observed or postulated conditions. This it is possible to quantify the change in risk accompany
can be achieved by using the set evidence function certain behaviors. The updated probability of a runway
to make assumptions about the state of one or more overrun based on human actions, airport conditions,
BBN nodes. Once assumptions are made the model is and the takeoff plan is an order of magnitude greater
updated to reflect the new information, providing new than the probability of the base scenario. Again, the
probability values for all nodes subsequently affected series of events leading to the flight 5191 crash is the
by the changes. most probable sequence leading to an overrun in the
When the BBN is linked to an ESD or FT, the new model.
ESD and FT models will also display new probabil- It is evident from Figure 10 that the three BBN
ity values. The set evidence function allows users to nodes strongly impact the probability of taking off
see the impact of soft factors on risk scenarios. The from the incorrect runway. This probability increases
result is a more tangible link between the actions of by almost a factor of 2 when the model is updated with
humans/organizations and specific system outcomes. the scenario evidence.
Setting evidence will provide users with a better
understanding of how low-level problems propagate
through the system and combine to form risk scenar-
ios. Figure 9 displays updated scenario results for the 4 CONCLUSION
flight 5191 overrun. In this scenario, evidence was set
for three nodes in the BBN (Fig. 5). Human actions This paper provides an overview of the hybrid
was set to the state unsafe because of errors made by causal logic (HCL) methodology for Probabilistic Risk

Figure 9. Updated scenario results for the runway overrun with information about flight 5191 specified.

Figure 10. Fault tree results showing the probability of taking off from the wrong runway for the base case (top) and the case
reflecting flight 5191 factors (bottom).

Assessment and the IRIS software package developed REFERENCES
to use the HCL methodology for comprehensive risk
analyses of complex systems. The HCL methodol- Andrews, J.D. & Dunnett, S.J. 2000. Event Tree Analysis
ogy and the associated computational engine were using Binary Decision Diagrams. IEEE Transactions on
designed to be portable and thus there is no specific Reliability 49(2): 230–239.
HCL GUI. The computational engine can read mod- Brace, K., Rudell, R. & Bryant, R. 1990. Efficient Implemen-
tation of a BDD Package. The 27th ACM/IEEE Design
els from files and can be accessed through use of Automation Conference, IEEE 0738.
an API. Bryant, R. 1992. Symbolic Boolean Manipulation with
The three-layer The flexible nature of the HCL Ordered Binary Decision Diagrams. ACM Computing
framework allows a wide range of GUIs to be devel- Surveys 24(3): 293–318.
oped for many industries. The IRIS package is Eghbali, G.H. 2006. Causal Model for Air Carrier Mainte-
designed to be used by PRA experts and systems ana- nance. Report Prepared for Federal Aviation Administra-
lysts. Additional GUIs can be added to allow users tion. Atlantic City, NJ: Hi-Tec Systems.
outside of the PRA community to use IRIS without in Fussell, J.B. 1975. How to Hand Calculate System Relia-
depth knowledge of the modeling concepts and all of bility and Safety Characteristics. IEEE Transactions on
Reliability R-24(3): 169–174.
the analysis tool. Groen, F. & Mosleh, A. 2008 (In Press). The Quantifica-
Two FAA specific GUIs were designed with two tion of Hybrid Causal Models. Submitted to Reliability
different target users in mind. Target users provided Engineering and System Safety.
information about what information they needed from Groen, F., Smidts, C. & Mosleh, A. 2006. QRAS—the quan-
IRIS and how they would like to see it presented. The titative risk assessment system. Reliability Engineering
GUIs were linked to specific IRIS analysis tools, but and System Safety 91(3): 292–304.
enabled the results to be presented in a more qualitative Groth, K. 2007. Integrated Risk Information System Vol-
(e.g. high/medium/low) way. ume 1: User Guide. College Park, MD: University of
The GUIs were designed to allow target users to Maryland.
Groth, K., Zhu, D. & Mosleh, A. 2008. Hybrid Methodology
operate the software immediately. Users are also able and Software Platform for Probabilistic Risk Assess-
to view underlying models and see full quantitative ment. The 54th Annual Reliability and Maintainability
results if desired. Symposium, Las Vegas, NV.
HCL framework was applied to the flight 5191 Mandelapu, S. 2006. Causal Model for Air Carrier Mainte-
runway overrun event from 2006, and the event was nance. Report Prepared for Federal Aviation Administra-
analyzed based on information obtained about the tion. Atlantic City, NJ: Hi-Tec Systems.
conditions contributing to the accident. Mosleh, A. et al. 2004. An Integrated Framework for
The three layer HCL framework allows different Identification, Classification and Assessment of Avia-
modeling techniques to be used for different aspects of tion Systems Hazards. The 9th International Probabilistic
Safety Assessment and Management Conference. Berlin,
a system. The hybrid framework goes beyond typical Germany.
PRA methods to permit the inclusion of soft causal fac- Mosleh, A., Wang, C. & Groen, F. 2007. Integrated Method-
tors introduced by human and organizational aspects ology For Identification, Classification and Assessment
of a system. The hybrid models and IRIS software of Aviation Systems Hazards and Risks Volume 1: Frame-
package provide a framework for unifying multiple work and Computational Algorithms. College Park, MD:
aspects of complex socio-technological systems to per- University of Maryland.
form system safety analysis, hazard analysis and risk National Transportation Safety Board (NTSB) 2007. Aircraft
analysis. Accident Report NTSB/AAR-07/05.
The methodology can be used to identify the most Rauzy, A. 1993. New Algorithms for Fault Trees Analysis.
Reliability Engineering and System Safety 40: 203–211.
important system elements that contribute to spe- Roelen, A.L.C. & Wever, R. 2004a. A Causal Model
cific outcomes and provides decision makers with a of Engine Failure, NLR-CR-2004-038. Amsterdam:
quantitative basis for allocating resources and making National Aerospace Laboratory NLR.
changes to any part of a system. Roelen, A.L.C. &. Wever, R. 2004b. A Causal Model of
A Rejected Take-Off. NLR-CR-2004-039. Amsterdam:
National Aerospace Laboratory NLR.
ACKNOWLEDGEMENT Roelen, A.L.C et al. 2002. Causal Modeling of Air Safety.
Amsterdam: National Aerospace Laboratory NLR.
The work described in this paper was supported by Wang, C. 2007. Hybrid Causal Methodology for Risk Assess-
ment. PhD dissertation. College Park, MD: University of
the US Federal Aviation Administration. The authors Maryland.
are indebted to John Lapointe and Jennelle Derrick- Zhu, D. et al. 2008. A PRA Software Platform for Hybrid
son (FAA—William J. Hughes Technical Center) for Causal Logic Risk Models. The 9th International Proba-
overall monitoring and coordination. The opinions bilistic Safety Assessment and Management Conference.
expressed in this paper are those of the authors and Hong Kong, China.
do not reflect any official position by the FAA.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

SCAIS (Simulation Code System for Integrated Safety Assessment):

Current status and applications

J.M. Izquierdo, J. Hortal, M. Sánchez, E. Meléndez & R. Herrero

Consejo de Seguridad Nuclear (CSN), Madrid, Spain

J. Gil, L. Gamo, I. Fernández, J. Esperón & P. González

Indizen Technologies S.L., Madrid, Spain

C. Queral, A. Expósito & G. Rodríguez

Universidad Politécnica Madrid UPM, Spain

ABSTRACT: This paper surveys the current status of Spanish Nuclear Safety Council (CSN) work made to
establish an Integrated Safety Analysis (ISA) methodology, supported by a simulation framework called SCAIS,
to independently check the validity and consistency of many assumptions used by the licensees in their safety
assessments. This diagnostic method is based on advanced dynamic reliability techniques on top of using classical
Probabilistic Safety Analysis (PSA) and deterministic tools, and allows for checking at once many aspects of
the safety assessments, making effective use of regulatory resources. Apart from a theoretical approach that is at
the basis of the method, application of ISA requires a set of computational tools. Steps done in the development
of ISA started by development of a suitable software package called SCAIS that comprehensively implies an
intensive use of code coupling techniques to join typical TH analysis, severe accident and probability calculation
codes. The final goal is to dynamically generate the event tree that stems from an initiating event, improving the
conventional PSA static approach.

1 NEED OF RISK-BASED DIAGNOSTIC Important examples are for instance the analy-
TOOLS sis justifying the PSA success criteria and operating
technical specifications, which are often based on
Most often, in defending their safety cases within potentially outdated base calculations made in older
the licensing process, industry safety analysis have times in a different context and with other spectrum of
to rely on computational tools including simulation applications in mind.
of transients and accidents and probabilistic safety This complex situation generates a parallel need
assessments. Such an assessment capability, even if in regulatory bodies that makes it mandatory to
reduced to its analytical aspects, is a huge effort increase their technical expertise and capabilities in
requiring considerable resources. this area. Technical Support Organization (TSO) have
The increasing trend towards Risk Informed Regu- become an essential element of the regulatory pro-
lation (RIR) and the recent interest in methods that cess1 , providing a substantial portion of its technical
are independent on the diversity of existing nuclear and scientific basis via computerized safety analy-
technologies motivate an even greater demand for sis supported on available knowledge and analytical
computerized safety case analysis. It has been further methods/tools.
fostered by: TSO tasks can not have the same scope as their
industry counterparts, nor is it reasonable to expect
• new nuclear power plant designs;
• the large time span and evolution of the old generic
safety analysis, that requires confirmation of its
present applicability; and
• the need to extend the life of the existing plants with 1 Examples are GRS, IRSN, PSI, Studvik, of TSOs
associated challenges to the potential reduction in supporting the regulatory bodies of Germany, France,
their safety margins. Switzerland, Sweden, respectively.

the same level of resources. Instead, in providing its • their relationships when addressing high level
technical expertise, they shall: requirements such as defense in depth and safety
• review and approve methods and results of
licensees, and Analysis of PSA success criteria and operating
• perform their own analysis/calculations to verify the technical specifications and its mutual consistency are
quality, consistency, and conclusions of day to day important chapters of the optimization of the pro-
industry assessments. tection system design encompassing, for instance,
problems like:
The last is a difficult, different and very special reg-
ulatory task, requiring specific TSO diagnostic tools • To ensure that the protection system is able to
to independently check the validity and consistency of cope with all accident scenarios and not only with
the many assumptions used and conclusions obtained a predetermined set. This umbrella character is
by the licensees in their safety assessments. hard to prove, particularly within an atmosphere of
The approach and the tools shall include a sound reduced safety margins, (SMAP Task Group 2007).
combination of deterministic and probabilistic sin- It requires careful regulatory attention to the historic
gle checks, pieces however of an ISA methodology, evolution of the deterministic assessments and it is
that together constitute a comprehensive sample ver- a source of potential conflicts when risk techniques
ifying all relevant decision making risk factors and are combined.
ensuring that the decision ingredients are properly and • To ensure the adequacy of success criteria,
consistently weighted. that become critical and sensitive, (Siu, N. &
Hilsmeier, T. 2006). Many studies demonstrating
the umbrella condition are old and perhaps unsuit-
able under these more restrictive circumstances.
2 ISSUES OF PARTICULAR RELEVANCE Extension to operator actions of the automatic
protection design is one such source of potential
In recent years efforts are being devoted to the clari- inconsistencies with complex aspects like available
fication of the relative roles of deterministic and times for operator action. Emergency procedures
probabilistic types of analysis with a view towards verification is also worth mentioning, because they
their harmonization, in order to take benefit of their imply longer than automatic design accident time
strengths and to get rid of identified shortcomings, scales to consider and important uncertainties in the
normally related with inter-phase aspects, like the timing of interventions, both potentially altering the
interaction between the evolution of process variables umbrella conditions of the deterministic design.
and its influence in probabilities. Different organi- • Another important extension of the scope of the
zations, (Hofer 2002) and (Izquierdo 2003a), have analysis is the need to consider degraded core sit-
undertaken some initiatives in different contexts with uations to ensure acceptable residual risks, (IAEA
claims such as the need for ‘‘an integration of proba- 2007). Again consistency issues appear requiring
bilistic safety analysis in the safety assessment, up to regulatory checks.
the approach of a risk-informed decision making pro-
cess’’ as well as for ‘‘proposals of verification methods These consistency checks call for an appropriate
for application that are in compliance with the state of extension of the probabilistic safety metrics currently
the art in science and technology’’. used. Different exceedance frequency limits for differ-
These initiatives should progressively evolve into ent barrier safety limit indicators have been extensively
a sound and efficient interpretation of the regulations discussed and may be used as a sound risk domain
that may be confirmed via computerized analysis. It interpretation of the existing regulations. For instance,
is not so much a question of new regulations from frequency limits for partial core damage or few core
the risk assessment viewpoint, but to ensure com- fuel failures may correctly interpret the present deter-
pliance with existing ones in the new context by ministic rules for safety margins in a way consistent
verifying the consistency of individual plant assess- with a probabilistic approach.
ment results through a comprehensive set of checks.
Its development can then be considered as a key and
novel topic for research within nuclear regulatory 3 DEVELOPEMENTS FOR AN INTEGRATED
More precisely, issues that require an integrated SAFETY CASES
approach arise when considering:
The CSN branch of Modelling and Simulation (MOSI)
• the process by which the insights from these com- has developed its own ISA methodology for the above
plementary safety analysis are combined, and referred purposes. This diagnostic method has been

designed as a regulatory tool, able to compute the and to overcome difficulties derived from particular
frequency of PSA sequences and the exceedance fre- models and computational methods.
quency of specified levels of damage, in order to
check in an independent way the results and assump-
tions of the industry PSAs, including their RIR 3.1 Software package description
extensions/applications. This approach harmonizes A consolidation and modernization program,
the probabilistic and deterministic safety assessment (Izquierdo 2003b), is currently being executed to
aspects via a consistent and unified computer frame- enhance capabilities and functionality of the soft-
work. ware package that would also facilitate an easier
Apart from a theoretical approach that is at the basis maintenance and extensibility.
of the method, application of ISA requires a set of com- The current SCAIS development includes as main
putational tools. A suitable software package called elements the Event Scheduler, the Probability Calcu-
SCAIS (Figure 1) at each time step couples, (Izquierdo lator, the Simulation Driver (BABIECA) and the Plant
2003a): Models (Figure 2):
• simulation of nuclear accident sequences, resulting 1. Event scheduler (DENDROS), that drives the
from exploring potential equipment degradations dynamic simulation of the different incidental
following an initiating event (i.e. simulation of ther- sequences. Its design guarantees modularity of the
mal hydraulics, severe accident phenomenology and overall system and the parallelization of the event
fission product transport); tree generation, (Muñoz 1999).
• simulation of operating procedures and severe acci- It is designed as a separate process that controls
dent management guidelines; the branch opening and coordinates the differ-
• automatic delineation (with no a-priori assump- ent processes that play a role in the generation
tions) of event and phenomena trees; of the Dynamic Event Tree (DET). The idea is
• probabilistic quantification of fault trees and to use the full capabilities of a distributed com-
sequences; and putational environment, allowing the maximum
• integration and statistic treatment of risk metrics. number of processors to be active. To this end, it
Since the final goal is to generate dynamically the manages the communications among the different
event tree that stems from an initiating event, improv- processes that intervene in the event tree develop-
ing the conventional PSA static approach, this simula- ment, namely, the distributed plant simulator, the
tion technique is called tree simulation. The activation probability calculator, and an output processor.
of branching conditions is referred to as stimuli activa- The scheduler arranges for the opening of the
tion. Stimulus Driven Theory of Probabilistic Dynam- branch whenever certain conditions are met, and
ics (SDTPD), (Hofer 2002) and (Izquierdo 2003a), is stops the simulation of any particular branch that
the underlying mathematical risk theory (basic con- has reached an absorbing state. The scheduler must
cepts, principles and theoretical framework) on which know the probability of each branch in order to
it is inspired and supported. The massive use of cou- decide which branch is suitable for further devel-
pled codes has led to the definition and development opment. Each new branch is started in a separate
of a Standard Software Platform that allows a given process, spawning a new transient simulator pro-
code to be incorporated quickly into the overall system cess and initializing it to the transient conditions
that were in effect when the branching occurred.

Figure 1. SCAIS overview schema. Figure 2. Global system architecture.

This saves a substantial amount of computation connection scheme to be applied to any set of codes
time, since common parts of the sequences are not regardless of the particular codes. This feature
recomputed. The applications of a tree structured increases the power of calculation since large codes
computation extend beyond the scope of the DETs. can be split and executed in different machines.
In fact, the branch opening and cutoff can obey any This feature allows BABIECA to be coupled with
set of criteria not necessarily given by a probability itself, enhancing an easier modeling and simulation
calculation as, for instance, sensitivity studies or management of large model topologies.
automatic initialization for Accident Management 4. Plant Models. Sequences obtained in ISA involve
Strategy analysis. Tasks distribution among the dif- very often a wide range of phenomena, not cov-
ferent processors is managed by the Parallel Virtual ered by a single simulation code. On the other
Machine (PVM) interface. hand, Emergency Operation Procedures (EOPs) are
2. Probability calculator module that incrementally a very complex set of prescriptions, essential to the
performs the boolean product of the fault trees cor- sequence development and branching and hard to
responding to each system that intervene in the represent in detailed codes. A plant model suitable
sequence, additionally computing its probability. for ISA purposes does not comprise then a single
The fault trees that will be used for the probability input deck for just one code, but several inputs
calculations are those of PSA studies. This imposes for several codes, each one being responsible for
a strong computational demand that is optimized the simulation of certain phenomena. The coupling
by preprocessing the header fault trees as much as entails different although interrelated interfaces
possible. The current approach is trying to use fast (see Figure 2).
on-line probability computation based on the rep- Codes as MELCOR, MAAP, RELAP, TRACE
resentation of fault trees using the Binary Decision can adapted to perform tree simulations under
Diagram (BDD) formalism, fed from the industry control of the scheduler. At present Modular Acci-
models. dent Analysis Program (MAAP4) is coupled to
3. BABIECA, the consolidated simulation driver, BABIECA to build up a distributed plant simu-
solves step by step topologies of block diagrams. A lation. MAAP4 performs the calculation of the
standardized linkage method has also been defined plant model when the transient reaches the severe
and implemented to incorporate as block-modules accident conditions, being then initialized with the
other single-application oriented codes, using par- appropriate transient conditions. Some parts of the
allel techniques. BABIECA driver allows also to simulation (specially the operator actions, but also
change the simulation codes at any time to fit the control systems) may still be performed by the orig-
model to the instantaneous conditions, depend- inal code and the appropriate signals be transferred
ing on the need of the given simulation. Two as boundary conditions.
coupling approaches, namely by boundary and ini-
tial conditions, have been implemented, (Herrero Consolidated versions of both driver simulator
2003): BABIECA and DENDROS scheduler have been
designed with an object oriented architecture and
• Initial Conditions Coupling. This type of cou- implemented in C++ language. They have been devel-
pling is used when a certain code is reaching oped using OpenSource standards (Linux, XercesC,
validity and applicability limits, and new models libpq ++). The code system has been equipped
and codes are necessary to further analysis. The with a Structured Query Language (SQL) Relational
typical example of this type of coupling is the Database (PostgreSQL), used as repository for model
transition from conventional Thermal hydraulic input and output. The input file has been also modern-
(TH) codes to severe accident codes. BABIECA ized using XML standards since it is easy to read and
accomplish that allowing parts of the model understand, tags can be created as they are needed, and
(modules) remaining active or inactive depend- facilitates treating the document as an object, using
ing on a specific variable (called simulation object oriented paradigms.
• Boundary Conditions Coupling. Some of the
output variables obtained at the time advance- 3.2 Features of SCAIS coupled codes and future
ment in one of the codes are sent to the compu- extensions
tation of the model boundary conditions in the
In order to connect BABIECA with external codes
other code. This type of coupling is used to build
has been developed a wrapper communication code
a wide scope code starting from several codes
based on PVM. BABIECA solves a step by step cou-
with a more limited scope.
pled blocks topology. The solution follows an Standard
The synchronization points are external to the Computational Scheme in a well defined synchroniza-
solution advancement; this subject allows the tion points that allows an easy code coupling with other

codes following the Standard. Two blocks are in charge • New developments in sequence dynamics. A gen-
of BABIECA communication with coupled codes: eralization of the transfer function concepts for
sequences of events, with potential for PSA applica-
• SndCode supplies the boundary conditions; and tion as generalized dynamic release factors is under
• RcvCode. Receives messages of every spawned investigation.
code in each time step. • New developments about classical PSA aspects.
For any desired code to be coupled, an specific They include rigorous definitions for concepts like
wrapper, consistent with the Standard Computational available time for operations or plant damage states.
Scheme, must be developed and implemented. It needs
the message passing points defined by BABIECA in
each synchronization point, allowing the communica- 4 TEST CASE: MBLOCA SEQUENCES
tion between both codes. Three wrappers have been
developed and are being tested at present: A full scale test application of this integrated software
package to a Medium Break Loss of Coolant Accident
• BABIECA—Wrapper allows BABIECA to be con- (MBLOCA) initiating event of a Spanish PWR plant
nected, and used to split big topologies into smaller is currently under development.
ones in order to save computation time parallelizing The specific objective of this analysis is to demon-
the processes. strate the methodology and to check the tool, focusing
• Probability—Wrapper allows BABIECA and DEN- on an independent verification of the event tree delin-
DROS connections with the probability calculator eation and assessment of realistic EOPs for LOCA
module. plant recovery. SCAIS provides a huge amount of
• MAAP4—Wrapper allows BABIECA-MAAP4 results for the analyst, when unfolding the Dynamic
connections. Event Tree (DET), even though methodology reduces
This wrapper, implemented in FORTRAN77 as to manageable the number of sequences. The follow-
MAAP4, gives us the advantage to analyze MAAP4 ing sections outline some conclusions of the assess-
sequences with the data processing tools devel- ment, including sequence evolution and operator
oped to BABIECA. The interface module has the actions analysis.
following functions:
1. To initialize the MAAP4 simulation using input 4.1 Sequence analysis: MBLOCA sequence with
data values provided by the BABIECA model. accumulators failure
2. To initialize MAAP4 from a restart image data.
In a first step MBLOCA sequences are simulated with
3. To accomplish the exchange of dynamic vari-
MAAP code. Results show that for breaks up to 6
ables between MAAP4 and other codes.
(inches) no action to achieve the primary depressuriza-
4. To drive MAAP4 time-advancement calculation.
tion is necessary and LPSI starts automatically about
5. To save results and restart image data in
3000 seconds. However, for 2 break and lower, pri-
BABIECA Data Base.
mary system is stabilized at a higher pressure than low
Recent extensions under development are pressure safety injection pump head, being necessary
oriented to: the operator action to achieve low-pressure controlled
conditions, Figure 3.
• Develop the Paths and Risk assessment modules of Main actions of set of operator actions, correspond-
SCAIS system. ing to EOP E-1 (loss of reactor or secondary coolant)
They implement a dynamic reliability method and EOP ES-1.2 (cooling and decrease of pressure
based on the Theory of Stimulated Dynamics TSD after a LOCA), are the following:
which is a variant of the more general SDTPD in its
path and sequence version, (Izquierdo 2006) and 1. Check the need of reactor coolant pump trip (E-1,
(Queral 2006). step 1).
• Development and application of advanced proba- 2. Check the steam generators (SG) levels (E-1,
bilistic quantification techniques based on Binary step 3).
Decision Diagrams (BDDs) that would release some 3. Check pressure decreasing and cooling in the Reac-
traditional drawbacks (e.g. truncation and rare event tor Coolant System (RCS) (E-1, step 11). If RCS
approximation) of the currently used quantification pressure is higher than 15 kg/cm2 a transition to
approaches. EOP ES-1.2 is required.
• New modeling algorithms to simulate standard 4. Check SG levels (ES-1.2, step 5).
PSA, correcting for dynamic effects. 5. Start the RCS cooling until cool shutdown condi-
• New wrapper module allowing BABIECA-TRACE tions (ES-1.2, step 6).
connections. 6. Check if sub-cooling margin greater than 0◦ C.

Figure 3. MAAP4 simulation. Comparison with/without Figure 5. Simplified topology scheme of BABIECA-
operator actions. Primary Pressure System (MBLOCA 2 ). MAAP simulation.

Figure 6. Primary System Water Temperature. MAAP stand

Figure 4. MAAP4 simulation. Primary System Water alone and BABIECA-MAAP comparison (MBLOCA 2 ).
Temperature. Comparison with/without operator actions
(MBLOCA 2 ).

BABIECA and thermal hydraulic codes like MAAP

7. Check if Safety Injection System (SIS) is active.
or TRACE, (Esperón 2008).
8. Disconnect pressurizer (PZR) heaters.
9. Decrease RCS pressure in order to recover PZR
4.2 Dynamic event tree simulation for MBLOCA
These operator actions has been implemented in As a third step of the study, DET of a 6 MBLOCA is
MAAP. Of particular relevance is primary cool-down unfolded by incorporating DENDROS to the previous
process at 55◦ C/h by SGRV control, Figure 4. model. Each time a safety system set-point is reached,
As a second phase of the study, manual actions have DENDROS unfolds the tree by simulating two dif-
been modelled by using the available BABIECA gen- ferent branches (namely system success and failure
eral modules, transferring the corresponding actions branch), Figure 7. In the study, the following headers
to MAAP4, by using SndCode and RcvCode blocks, have been considered:
Figure 5. Simulations with MAAP4 stand-alone and
BABIECA coupled with MAAP4 give the same • HPSI High Pressure Safety Injection.
results, Figure 6. • ACCUM Safety Injection Accumulator.
In a near future EOPs instructions will be com- • LPSI Low Presure Safety Injection.
puterized with SIMPROC that will be coupled with • RECIR Safety Injection Recirculation Mode.

consistency of probabilistic and deterministic aspects.
It is our opinion this need could be framed on an
international cooperative effort among national TSOs.
We have also shown that SCAIS is a powerful tool
that carries out the CSN Integrated Safety Analysis. Its
versatility and extensibility makes it an appropriate set
of tools that may be used either together or separately
to perform different regulatory checks.


This work is partially founded by Spanish Ministry of

Education & Science in the STIM project (ENE2006
Figure 7. MAAP4 Event Tree of MBLOCA 6 .
Automati- 12931/CON).
cally drawn by DENDROS simulation (branch opening time
in seconds).


ISA Integrated Safety Analysis

SCAIS Simulation Codes System for Integrated Safety
PSA Probabilistic Safety Analysis
CSN Spanish Nuclear Safety Council
RIR Risk Informed Regulation
EOP Emergency Operation Procedure
SAMG Severe Accident Management Guide
DET Dynamic Event Tree
PVM Parallel Virtual Machine
BDD Binary Decision Diagram
TSO Technical Support Organization
MAAP Modular Accident Analysis Program
SDTPD Stimulus Driven Theory of Probabilistic
Figure 8. Safety Injection Flows for different DET
sequences (MBLOCA 6 ).
RCS Reactor Coolant System
SIS Safety Injection System
PSRV Pressure Safety Relief Valve
TWPS Temperature of Water in the Primary System
The results for some sequences show the impact XML Extensible Markup Language
of different system failures and/or operator actions, MBLOCA Medium Break Loss of Coolant Accident
Figure 8. HRA Human Reliability Analysis
TH Thermal Hydraulic
TSD Theory of Stimulated Dynamics
5 CONCLUSIONS PWR Pressurized Water Reactor
SQL Structured Query Language
We have presented an overview of CSN methods and
simulation packages to perform independent safety
assessments to judge nuclear industry PSA related
safety cases. It has been shown that this approach is REFERENCES
adequate for an objective regulatory technical support
to CSN decision-making. Esperón, J. & Expósito, A. (2008). SIMPROC: Procedures
simulator for operator actions in NPPs. Proceedings of
This paper also argues on the need for development ESREL 08.
of diagnosis tools and methods for TSO, to perform Herrero, R. (2003). Standardization of code coupling for inte-
their own computerized analysis to verify quality, con- grated safety assessment purposes. Technical meeting on
sistency, and conclusions of day to day individual progress in development and use of coupled codes for
industry safety assessments, in such a way that asserts accident analysis. IAEA. Viena, 26–28 November 2003.

Hofer, E. (2002). Dynamic Event Trees for Probabilistic Muñoz, R. (1999). DENDROS: A second generation sched-
Safety Analysis. EUROSAFE Forum, Berlin. uler for dynamic event trees. M & C 99 Conference,
IAEA (2007, September). Proposal for a Technology-Neutral Madrid.
Safety Approach for New Reactor Designs. Technical Queral, C. (2006). Incorporation of stimulusdriven theory
Report TECDOC 1570, International Atomic Energy of probabilistics dynamics into ISA (STIM). Joint project
Agency, of UPM, CSN and ULB founded by Spanish Ministry of
te_1570 web.pdf. Education & Science (ENE2006 12931/CON), Madrid.
Izquierdo, J.M. & Cañamón, I. (2006). Status report Siu, N. & Hilsmeier, T. (2006). Planning for future probabilis-
on dynamic reliability: SDTPD path and sequence tic risk assessment research and development. In G.S. Zio
TSD developments. Application to the WP5.3 bench- (Ed.), Safety and Reliability for Managing Risk, Number
mark Level 2 PSA exercise. DSR/SAGR/FT 2004.074, ISBN 0-415-41620-5. Taylor & Francis Group, London.
SARNET PSA2 D73 [rev1]. SMAP Task Group (2007). Safety Margins Action Plan. Final
Izquierdo, J. (2003a). An integrated PSA Approach Report. Technical Report NEA/CSNI/R(2007)9, Nuclear
to Independent Regulatory Evaluations of Nuclear Energy Agency. Committee on the Safety of Nuclear
Safety Assessments of Spanish Nuclear Power Stations. Installations,
EUROSAFE Forum, Paris. 2007-9.pdf.
Izquierdo, J. (2003b). Consolidation plan for the Integrated
Sequence Assessment (ISA) CSN Code system SCAIS.
CSN internal report.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Using GIS and multivariate analyses to visualize risk levels and spatial
patterns of severe accidents in the energy sector

P. Burgherr
Paul Scherrer Institut (PSI), Laboratory for Energy Systems Analysis, Villigen PSI, Switzerland

ABSTRACT: Accident risks of different energy chains are analyzed by comparative risk assessment, based on
the comprehensive database ENSAD established by the Paul Scherrer Institut. Geographic Information Systems
(GIS) and multivariate statistical analyses are then used to investigate the spatial variability of selected risk
indicators, to visualize the impacts of severe accidents, and to assign them to specific geographical areas.
This paper demonstrates by selected case studies how geo-referenced accident data can be coupled with other
socio-economic, ecological and geophysical contextual parameters, leading to interesting new insights. Such an
approach can facilitate the interpretation of results and complex interrelationships, enabling policy makers to
gain a quick overview of the essential scientific findings by means of summarized information.

1 INTRODUCTION to provide an economic valuation of severe acci-

dents (Burgherr & Hirschberg 2008; Burgherr &
Categorizing countries by their risk levels due to natu- Hirschberg, in press; Hirschberg et al. 2004a).
ral hazards has become a standard approach to assess, Recently, ENSAD was extended to enable
prioritize and mitigate the adverse effects of natural geo-referencing of individual accident records at
disasters. Recent examples of coordinated interna- different spatial scales including regional classifi-
tional efforts include studies like the ‘‘World Disasters cation schemes (e.g. IPCC world regions; sub-
Report’’ (IFRC 2007), ‘‘Natural Disaster Hotspots’’ regions of oceans and seas; international organization
(Dilley et al. 2005), and ‘‘Reducing Disaster Risk’’ participation), sub-national administrative divisions
(UNDP 2004) as well as studies by the world’s leading (ADMIN1, e.g. state or province; ADMIN2, e.g.
reinsurance companies (Berz 2005; Munich Re 2003; county), statistical regions of Europe (NUTS) by Euro-
Swiss Re 2003). Applications to the impacts of man- stat, location name (PPL, populated place), latitude
made (anthropogenic) activities range from ecological and longitude (in degrees, minutes and seconds), or
risk assessment of metals and organic pollutants (e.g. global grid systems (e.g. Marsden Squares, Maid-
Critto et al. 2005; Zhou et al. 2007) to risk assess- enhead Locator System). The coupling of ENSAD
ment of contaminated industrial sites (Carlon et al. with Geographic Information Systems (GIS) and geo-
2001), conflicts over international water resources statistical methods allows one to visualize accident
(Yoffe et al. 2003), climate risks (Anemüller et al. risks and to assign them to specific geographical areas,
2006), and environmental sustainability assessment as well as to calculate new ‘‘risk layers’’, i.e. to produce
(Bastianoni et al. 2008). illustrative maps and contour plots based on scattered
Accidents in the energy sector rank second (after observed accident data.
transportation) of all man-made accidents (Hirschberg In the course of decision and planning processes
et al. 1998). Since the 1990s, data on energy- policy makers and authorities often rely on sum-
related accidents have been systematically collected, marized information to gain a quick overview of a
harmonized and merged within the integrative Energy- thematic issue. However, complex scientific results
related Severe Accident Database (ENSAD) devel- are often very difficult to communicate without appro-
oped and maintained at the Paul Scherrer Institut priate visualization. Methods for global, regional or
(Burgherr et al. 2004; Hirschberg et al. 1998). local mapping using GIS methods are particularly use-
Results of comparative risk assessment for the dif- ful because they reveal spatial distribution patterns
ferent energy chains are commonly expressed in a and link them to administrative entities, which allow
quantitative manner such as aggregated indicators (e.g. planning and implementation of preventive measures,
damage rates), cumulative risk curves in a frequency- legal intervention or mitigation at the appropriate
consequence (F-N) diagram, or external cost estimates administrative level.

The aim of this paper is to present and discuss – 200 or more evacuations
results of comparative risk assessment by means of – a far-reaching ban on the consumption of food
so-called disaster maps. The selected case studies – a release of at least 10000 tonnes of hydrocarbons
address different spatial scales and resolution as well as – the cleanup of a land or water surface of 25 km2 or
different analytical techniques to calculate aggregated more
risk indicators, based on summary statistics, multivari- – economic damages of at least 5 million USD (year
ate statistical analyses to produce a single index, and 2000 exchange rates).
spatial interpolation techniques.

2 METHODS 2.2 Geo-referencing of accident data

The plotting of accident data on maps and the
ENSAD concentrates on comprehensively covering analysis of spatial distribution patterns requires spe-
severe, energy-related accidents, although other man- cific information about the position of an event.
made accidents and natural catastrophes are also The geographic coordinates of accident locations
reviewed, but somewhat less explicitly. The database were determined using detailed accident information
allows the user to make conclusive analyses and cal- stored in ENSAD as well as other resources such
culate technical risks, including frequencies and the as the World Gazetteer (
expected extent damages. or Google Earth ( Addition-
The compilation of a severe accident database is ally, accidents were assigned to hierarchical orga-
a complex, tedious and extremely time consuming nization of political geographic locations, referring
task. Therefore, it was decided in the beginning to country (ADMIN0) and the first level below
that ENSAD should build upon existing information (ADMIN1; e.g. state or province). All maps were
sources. Its unique feature is that it integrates data from produced using ArcGIS 9.2 software (ESRI 2006b).
a large variety of primary data sources, i.e. information The basic GIS layer data for country boundaries were
is merged, harmonized and verified. based on ESRI world data and maps (ESRI 2006a),
The actual process of database building and im- data from the Geographic Information System of
plementation has been described in detail elsewhere the European Commission (GISCO) (Eurostat 2005),
(Burgherr et al. 2004; Hirschberg et al. 1998), thus and data from the U.S. Geological Survey (USGS
only a brief summary of the essential steps is given 2004).
– Selection and survey of a large number of informa- 2.3 Evaluation period
tion sources.
– Collection of raw information that is subsequently The time period 1970–2005 was selected for analysis
merged, harmonized and verified. of accident risks to ensure an adequate representation
– Information for individual accidents is assigned to of the historical experience. In the case of the Chinese
standardized data fields and fed into ENSAD. coal chain, only the years 1994–1999 were considered
– The final ENSAD data is subjected to several cross- because annual editions of the China Coal Indus-
checks to keep data errors at the lowest feasible try Yearbook were only available for these years. It
level. could be shown that without access to this information
– Comparative evaluations are then carried out, based source, data are subject to substantial underreporting
on customized ENSAD-queries. (Burgherr & Hirschberg 2007).

2.1 Severe accident definition 2.4 Data analysis

In the literature there is no unique definition of a This section describes the methodological details of
severe accident. Differences concern the actual dam- the four selected examples that are presented in this
age types considered (e.g. fatalities, injured persons, publication. In the remainder of this paper they are
evacuees or economic costs), use of loose categories referred to as case studies 1–4.
such as ‘‘people affected’’, and differences in damage Case Study 1: The total fatalities per country of
thresholds to distinguish severe from smaller acci- severe accidents (≥5 fatalities) in fossil energy chains
dents. Within the framework of PSI’s database ENSAD (coal, oil, natural gas and Liquefied Petroleum Gas
an accident is considered to be severe if it is charac- (LPG)) are plotted on a world map. Additionally, the
terized by one or more of the following consequences top ten countries in terms of number of accidents, and
(Burgherr et al. 2004; Hirschberg et al. 1998): the ten most deadly accidents are also indicated.
Case Study 2: Geo-referenced data for all fatal
– 5 or more fatalities oil chain accidents stored in ENSAD are mapped for
– 10 or more injuries European Union (EU 27), candidate countries, and

the European Free Trade Association (EFTA). A mul- of major state-owned mines in different provinces was
tivariate risk score was then calculated for individual investigated.
countries to analyze their differences in susceptibility
to accident risks. The proposed risk score consists of
four indicators: 3 RESULTS AND DISCUSSION

– total number of accidents (accident proneness) The ENSAD database currently contains 21549
– total number of fatalities (accident gravity) accident records, of which 90.2% occurred in the
– maximum consequences (most deadly accident) years 1970–2005. Within this period, 7621 accidents
– fatality rate (expectation value expressed in GWe yr resulted in at least five fatalities, of which 31.1% were
(Gigawatt-electric-year) using a generic load factor man-made, energy-related accidents. Table 1 sum-
of 0.35) marizes the number of accidents and fatalities that
occurred in fossil energy chains of different coun-
try groups. Results are separated for countries of the
Each variable was scaled between 0 and 1 using the
Organisation for Economic Co-operation and Devel-
equation xij = (zij − min)/(max − min), where zij is
opment (OECD), European Union (EU 27), and states
the value of the jth variable for the ith country, and min
that are not OECD members (non-OECD), due to
and max are the minimum and maximum values of the
the large differences in technological development,
jth variable. The resulting matrix was then analyzed
institutional and regulatory frameworks, and general
by means of Principal Components Analysis (PCA)
safety culture of OECD and EU 27 versus non-OECD.
(Ferguson 1998; Jolliffe 2002). Non-centred PCA was
Calculations were complemented by separate values
used because the first component (PC1) of such an
for the Chinese coal chain that has a significantly
analysis is always unipolar (Noy-Meir 1973), and can
worse performance than all other non-OECD countries
thus be used as a multivariate risk score (a lower value
(Burgherr & Hirschberg 2007).
indicates a lower accident risk).
Case Study 3: Tanker oil spills in the Euro-
pean Atlantic, the Mediterranean Sea (including the 3.1 Main findings and insights of case studies
entrance to the Suez Canal) and the Black Sea were
analyzed because these maritime areas pertain to Case Study 1: Figure 1 shows the worldwide distri-
the geographical region addressed in Case Study 2. bution of total fatalities per country of severe (≥5
Additionally, large parts of the Northeast Atlantic fatalities) accidents in the period 1970–2005. The top
(including the North Sea and the Baltic Sea), the ten countries in terms of total numbers of accidents
Canary current and the Mediterranean Sea belong to are also indicated in Figure 1, as well as the ten most
the so-called Large Marine Ecosystems (LME) that deadly accidents.
are considered ecologically sensitive areas (Hempel & China was the most accident prone country with
Sherman 2003). Distribution patterns of oil spills 25930 fatalities, of which almost 95% occurred in
(≥700 tonnes) were analyzed using the kriging tech- 1363 accidents attributable to the coal chain. How-
nique, which is a geo-statistical method for spatial ever, only 15 of these resulted in 100 or more fatalities.
interpolation (Krige 1951; Matheron 1963). In a pre-
liminary step, locations were assigned to a Marsden Table 1. Numbers of accidents (Acc) and fatalities (Fat)
Square Chart, which divides the world into grids of of severe (≥5 fatalities) accidents in fossil energy chains
10 degrees latitude by 10 degrees longitude, because in are given for OECD, EU 27, and non-OECD countries
some cases only approximate coordinates were avail- (1970–2005). For the coal chain, non-OECD w/o China (first
able. Afterwards, the number of spills per Marsden line) and China alone (second line) are given separately.
Square was calculated, and coordinates set to the cen-
ter of each grid cell. Ordinary point kriging was then Natural
applied to compute a prediction surface for the number Coal Oil Gas LPG Total
of spills to be expected in a particular region, i.e. to
evaluate regional differences in susceptibility to acci- OECD Acc 81 174 103 59 417
dental tanker spills. For methodological details on the Fat 2123 3388 1204 1875 8590
applied kriging procedure see Burgherr (2007) and EU 27 Acc 41 64 33 20 158
Burgherr & Hirschberg (2008). Fat 942 1236 337 559 3074
Case Study 4: Severe (≥5 fatalities) accidents in Non-OECD Acc 144 308 61 61 574
the Chinese coal chain were analyzed at the province 1363
Fat 5360 17990 1366 2610 27326
level (ADMIN1). Fatality rates were calculated for 24456
large state-owned and local mines, and for small town- World total Acc 1588 482 164 120 2354
ship and village mines, respectively. The influence of Fat 31939 21378 2570 4485 60372
mechanization levels in mining as well as the number

Figure 1. Individual countries are shaded according to their total numbers of severe accident fatalities in fossil energy
chains for the period 1970–2005. Pie charts designate the ten countries with most accidents, whereas bars indicate the ten
most deadly accidents. Country boundaries: © ESRI Data & Maps (ESRI 2006a).

Figure 2. Locations of all fatal oil chain accidents and country-specific risk scores of EU 27, accession candidate and
EFTA countries for the period 1970–2005. Country boundaries: © EuroGeographics for the administrative boundaries
(Eurostat 2005).

In contrast, the cumulated fatalities of the non-OECD to OECD, of which the USA and Turkey have been
countries Philippines, Afghanistan, Nigeria, Russia, founder members of 1961, whereas Mexico gained
Egypt and India were strongly influenced by a few very membership more than three decades later in 1994.
large accidents that contributed a substantial share of The LPG chain contributed almost 50% to total fatal-
the total (see Figure 1 for examples). Among the ten ities in Mexico because of one very large accident
countries with most fatalities, only three belonged in 1984 that resulted in 498 fatalities. In Turkey the

coal chain had the highest share with 531 fatalities of accidents and 70% of fatalities taking place in the
or about 55%, of which 272 fatalities are due to a sin- oil and gas chains.
gle accident, i.e. a methane explosion in a coal mine in Case Study 2: The map of Figure 2 shows the
north-western Turkey in 1992. Finally, the USA exhib- locations of all fatal oil chain accidents contained in
ited a distinctly different pattern compared to the other ENSAD for EU 27, accession candidate and EFTA
countries with no extremely large accidents (only three countries in the period 1970–2005. The calculated
out of 148 with more than 50 fatalities), and over 75% risk score is a measure of the heterogeneous accident

Figure 3. Individual geo-referenced oil spills for the period 1970–2005 are represented by different-sized circles correspond-
ing to the number of tonnes released. Regional differences in susceptibility to accidents were analyzed by ordinary kriging,
resulting in a prediction map of filled contours. The boundaries of the Large Marine Ecosystems (LME) are also shown.
Country boundaries: © EuroGeographics for the administrative boundaries (Eurostat 2005).

Figure 4. For individual provinces in China, average fatalities per Mt produced coal are given for severe (≥5 fatalities)
accidents in large and small mines for the period 1994–1999. Provinces were assigned to three distinct levels of mechanization
as indicated by their shading. Locations of major state-owned coal mines are also indicated on the map. Administrative
boundaries and coal mine locations: © U.S. Geological Survey (USGS 2004).

risk patterns among countries. Four countries had risk Figure 3 also provides results of ordinary kriging
scores greater than 0.40, namely the United Kingdom, that are based on a spherical model for the fitted semi-
Italy, Norway and Turkey. This is largely due to variogram (SV) function. Cross-validation indicated
the substantially higher values for total fatalities and that the model and subsequently generated predic-
maximum consequences, and to a lesser extent also tion map provided a reasonably accurate prediction
for total accidents compared to the respective aver- (details on the methodology are given in Burgherr and
age values for all countries. In contrast, fatality rates Hirschberg (2008) and Matheron (1963)). The predic-
(i.e. fatalities per GWe yr) of these four countries tion map based on spatial interpolation by ordinary
were clearly below the overall average. These find- kriging provides useful information for identification
ings support the notion that besides fatality rates other and assessment of regional differences in susceptibil-
performance measures should be evaluated, particu- ity to oil spills from tankers. Such an interpolated
larly in the context of multi-criteria decision analy- surface layer is also superior to a simple point rep-
sis (MCDA) because preference profiles may differ resentation because it enables estimates for areas with
among stakeholders (e.g. Hirschberg et al. 2004b). few or no sample points. The map clearly identifies
Case Study 3: Geographic locations were avail- several maritime regions that are particularly prone
able for 128 out of a total of 133 tanker accidents in to accidental oil spills, namely the English Channel,
the years 1970–2005 that occurred in the European the North Sea, the coast of Galicia, and the Eastern
Atlantic, the Mediterranean Sea and the Black Sea, Mediterranean Sea. Finally, those spills were iden-
and each resulted in a spill of at least 700t. The severity tified that occurred in ecologically sensitive areas
of the spills is divided into different spill size classes, because they are located within the boundaries of the
based on the amount of oil spilled. Large Marine Ecosystems (LME) of the world. In

total, 82.8% of all mapped spills were located within ACKNOWLEDGEMENTS
LME boundaries. However, tankers can generally
not avoid passing LMEs because shipping routes are The author thanks Drs. Stefan Hirschberg and Warren
internationally regulated, and because LMEs also Schenler for their valuable comments on an earlier
include large fractions of coastal areas that ships version of this manuscript. This study was partially
have to pass when approaching their port of desti- performed within the Integrated Project NEEDS (New
nation. Therefore, recent efforts to reduce this share Energy Externalities Development for Sustainabil-
have focused on technical measures, for example ity, Contract No. 502687) of the 6th Framework
improved navigation and the replacement of single Programme of European Community.
hull tankers by modern double hull designs. The sub-
stantial decrease in total spill volume (also in these
ecologically sensitive areas) since the 1990s reflects
the achieved improvements of this ongoing process REFERENCES
(Burgherr 2007).
Case Study 4: The Chinese coal chain is a worri- Anemüller, S., Monreal, S. & Bals, C. 2006. Global Cli-
some case with more than 6000 fatalities every year, a mate Risk Index 2006. Weather-related loss events and
their impacts on countries in 2004 and in a long-term
fatality rate about ten times higher than in other non- comparison, Bonn/Berlin, Germany: Germanwatch e.V.
OECD countries, and even about 40 times higher than Bastianoni, S., Pulselli, F.M., Focardi, S., Tiezzi, E.B.P. &
in OECD countries (Burgherr & Hirschberg 2007). Gramatica, P. 2008. Correlations and complementarities
Average values of fatalities per million tonne (Mt) of in data and methods through Principal Components Anal-
coal output for the years 1994–1999 showed a dis- ysis (PCA) applied to the results of the SPIn-Eco Project.
tinct variation among provinces (Figure 4). The figure Journal of Environmental Management 86: 419–426.
also demonstrates how fatality rates are influenced by Berz, G. 2005. Windstorm and storm surges in Europe: loss
the level of mechanization in mining. When results trends and possible counter-actions from the viewpoint
of individual provinces were assigned to three groups of an international reinsurer. Philosophical Transactions
of the Royal Society A—Mathematical Physical and
according to differences in mechanized levels, average Engineering Sciences 363(1831): 1431–1440.
fatality rates were inversely related to mechanization Burgherr, P. 2007. In-depth analysis of accidental oil spills
indicating that higher mechanized levels of mining do from tankers in the context of global spill trends from all
contribute to overall mine safety. Furthermore, aver- sources. Journal of Hazardous Materials 140: 245–256.
age fatality rates for large state-owned and local mines Burgherr, P. & Hirschberg, S. 2007. Assessment of severe
were significantly lower than for small township and accident risks in the Chinese coal chain. International
village mines with very low safety standards. Finally, Journal of Risk Assessment and Management 7(8):
major state-owned mines exhibit predominantly high 1157–1175.
and medium levels of mechanization. Burgherr, P. & Hirschberg, S. 2008. Severe accident risks
in fossil energy chains: a comparative analysis. Energy
33(4): 538–553.
Burgherr, P. & Hirschberg, S. in press. A comparative anal-
ysis of accident risks in fossil, hydro and nuclear energy
4 CONCLUSIONS chains. Human and Ecological Risk Assessment.
Burgherr, P., Hirschberg, S., Hunt, A. & Ortiz, R.A. 2004.
The coupling of ENSAD with a GIS-based approach Severe accidents in the energy sector. Final Report to the
has proven to be useful in determining spatial distri- European Commission of the EU 5th Framework Pro-
bution patterns of accident risks for selected energy gramme ‘‘New Elements for the Assessment of External
chains and country groups at global and regional Costs from Energy Technologies’’ (NewExt), Brussels,
Belgium: DG Research, Technological Development and
scales. Multivariate statistical methods (PCA) and Demonstration (RTD).
spatial interpolation techniques (kriging) have been Carlon, C., Critto, A., Marcomini, A. & Nathanail, P. 2001.
successfully used to extract additional value from Risk based characterisation of contaminated industrial
accident data and to produce illustrative maps of site using multivariate and geostatistical tools. Environ-
risk scores and contour plots. The potential benefits mental Pollution 111: 417–427.
of such an approach are threefold: First, it allows Critto, A., Carlon, C. & Marcomini, A. 2005. Screening
the identification of spatial patterns including acci- ecological risk assessment for the benthic community in
dent hotspots and extreme events. Second, powerful, the Venice Lagoon (Italy). Environment International 31:
flexible and understandable visualizations facilitate 1094–1100.
Dilley, M., Chen, R.S., Deichmann, U., Lerner-Lam, A.L.,
the interpretation of complex risk assessment results. Arnold, M., Agwe, J., Buys, P., Kjekstad, O., Lyon, B. &
Third, the results summarized by means of GIS pro- Yetman, G. 2005. Natural disaster hotspots. A global
vide a simple and comprehensive set of instruments risk analysis. Disaster Risk Management Series No.
to support policy makers in the decision and planning 5, Washington D.C., USA: The World Bank, Hazard
process. Management Unit.

ESRI 2006a. ArcGIS 9: ESRI Data & Maps, Redlands Krige, D.G. 1951. A statistical approach to some basic mine
(CA), USA: Environmental Systems Research Institute valuation problems on the Witwatersrand. Journal of the
Inc. (ESRI). Chemical, Metallurgical and Mining Society of South
ESRI 2006b. ArcGIS 9: using ArcGIS Desktop, Redlands Africa 52: 119–139.
(CA), USA: Environmental Systems Research Institute Matheron, G. 1963. Traité de Géostatistique Apliquée. Tome
Inc. (ESRI). II: Le krigeage, Paris, France: Ed. Bureau du Recherches
Eurostat 2005. Guidelines for geographic data intended for Geologiques et Minieres.
the GISCO Reference Database, Witney, UK: Lovell Munich Re 2003. NatCatSERVICE—A guide to the Munich
Johns Ltd. Re database for natural catastrophes, Munich, Germany:
Ferguson, C.C. 1998. Techniques for handling uncer- Munich Re.
tainty and variability in risk assessment models, Berlin, Noy-Meir, I. 1973. Data transformations in ecological ordi-
Germany: Umweltbundesamt. nation. Some advantages of non-centering. Journal of
Hempel, G. & Sherman, K. (Eds.) 2003 Large Marine Ecology 61: 329–341.
Ecosystems of the world: trends in exploitation, protec- Swiss Re 2003. Natural catastrophes and reinsurance, Zurich,
tion, and research, Amsterdam, Elsevier B.V. Switzerland: Swiss Reinsurance Company.
Hirschberg, S., Burgherr, P., Spiekerman, G. & Dones, R. UNDP Bureau for Crisis Prevention and Recovery 2004
2004a. Severe accidents in the energy sector: comparative Reducing disaster risk. A challenge for development.
perspective. Journal of Hazardous Materials 111(1–3): New York, UNDP, Bureau for Crisis Prevention and
57–65. Recovery.
Hirschberg, S., Dones, R., Heck, T., Burgherr, P., USGS 2004. Open-File Report 01–318: Coal geology, land
Schenler, W. & Bauer, C. 2004b. Sustainability of elec- use, and human health in the People’s Republic of China
tricity supply technologies under German conditions: a (, Reston (VA),
comparative evaluation. PSI-Report No. 04–15, Villigen USA: U.S. Geological Survey.
PSI, Switzerland: Paul Scherrer Institut. Yoffe, S., Wolf, A.T. & Giordano, M. 2003. Conflict and
Hirschberg, S., Spiekerman, G. & Dones, R. 1998. Severe cooperation over international freshwater resources: Indi-
accidents in the energy sector—first edition. PSI Report cators of basins at risk. Journal of the American Water
No. 98-16, Villigen PSI, Switzerland: Paul Scherrer Resources Association 39(5): 1109–1126.
Institut. Zhou, F., Huaicheng, G. & Hao, Z. 2007. Spatial distribution
IFRC (International Federation of the Red Cross and Red of heavy metals in Hong Kong’s marine sediments and
Crescent Societies) 2007. World Disasters Report 2007, their human impacts: a GIS-based chemometric approach.
Bloomfield, USA: Kumarian Press Inc. Marine Pollution Bulletin 54: 1372–1384.
Jolliffe, I.T. 2002. Principal Component Analysis. Springer
Series in Statistics, 2nd ed., New York, USA: Springer.

Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Weak signals of potential accidents at ‘‘Seveso’’ establishments

Paolo A. Bragatto, Patrizia Agnello, Silvia Ansaldi & Paolo Pittiglio

ISPESL, Research Centre via Fontana Candida, Monteporzio Catone (Rome), Italy

ABSTRACT: At industrial facilities where the legislation on major accident hazard is enforced, near misses,
failures and deviations, even though without consequences, should be recorded and analyzed, for an early
identification of factors that could precede accidents. In order to provide duty-holders with tools for capturing
and managing these weak signals coming from operations, a software prototype, named NOCE, has been
developed. ‘‘Client-server’’ architecture has been adopted, in order to have a palmtop computer connected to an
‘‘experience’’ data base at the central server. The operators shall record by the palmtop any non-conformance, in
order to have a ‘‘plant operational experience’’ database. Non-conformances are matched with the safety system
for finding breaches in the safety system and eventually remove them. A digital representation of the plant and
its safety systems shall be developed, step by step, by exploiting data and documents, which are required by the
legislation for the control of major accident hazard. No extra job is required to the duty holder. The plant safety
digital representation will be used for analysing non-conformances. The safety documents, including safety
management system, safety procedures, safety report and the inspection program, may be reviewed according
to the ‘‘plant operational experience’’.

1 INTRODUCTION these precursors effectively, major accidents may be

prevented and consequent fatalities, severe injuries,
At industrial facilities where major accident hazard is asset damages and production losses may be avoided.
posed, for one accident with fatalities or severe injuries An effective system for reporting any non confor-
there are tens of near-misses with consequences just mance, even without consequence, is essential for an
on equipment and hundreds of failures that cause just efficient safety management. Furthermore, an active
small loss of production, as well as procedures not well monitoring of equipment and of procedures should be
understood or applied, with minor consequences. Fur- planned to find out warning signals, before an incident
thermore in the life of an establishment, thousands non or a failure occurs. This monitoring strategy should
conformances are usually reported both for equipment include inspections of safety critical plants, equipment
and for procedures. The benefit of having a good pro- and instrumentation as well as assessment of com-
gram for analysing and managing near-misses, failures pliance with training, instructions and safe working
and non conformances have been widely demon- practices.
strated in many papers, including Hursta et al. (1996), The events potentially useful to detect early signals
Ashford (1997), Jones et al. (1999), Phimister et al. of something potentially going wrong in the safety
(2003), Basso et al. (2004), Uth et al. (2004) system include deviations, anomalies, failures, near-
Sonnemans et al. (2006). There are definitely much misses and incidents. These events should be recorded
more failures, trivial incidents and near-misses, than in a data base. Attention to cases of near-misses and
severe accidents. Furthermore failures and deviations minor incidents should include investigation, analy-
are very easy to identify, to understand, to control. sis, and follow-up to ensure that the lessons learnt
They are quite small in scale, relatively simple to ana- are applied to future operation. For failures, deviation
lyze and to resolve. In near-misses, actual accident and minor failures, corrective and preventive measures
causes are not hidden to avoid a potential prosecution, have to be ensured.
unlike the accidents with fatalities, as demonstrated A rough classification of non conformances should
by Bragatto et al. (2007) and Agnello et al. (2007). be useful to address the follow-up. In the case of human
At major accident hazard installations, near-misses, or organizational failure, audits on the safety man-
failures and deviations are able to give ‘‘weak sig- agement system should be intensified and operational
nals’’, which have the potential of warning the operator procedures be reviewed. In the case of a mechanical
before the accidents happen. Therefore, by addressing failure, inspection plan should be reviewed, to prevent

equipment deterioration and potential consequences analysis methods, such as the IEC 61882 HAZOP
of the failure should be considered. method (IEC 2001) or eventually the MOND Fire,
Explosion and Toxic index (Lewis 1979), which is
less probing, but also less difficult. In other words at a
2 WEAK SIGNALS FOR POTENTIAL Seveso facility, a structured and documented safety
ACCIDENTS system is always present. It is definitely ruled by
regulations and standards.
Many operators suppose that the non conformances At ‘‘Seveso’’ establishment there is already a quite
have to be recorded only in the cases of loss of complex system to manage risks, with its tools, its
hazardous materials, stop of production or damaged documents and its data, which are described in many
equipment; on the contrary every little anomaly, papers, including Fabbri et al. (2005), OECD (2006).
defect, deviation or minor failure should be taken into For that reason the first objective of the research has
account, as even a silly event could be the very first been to organize and to exploit in a better way the infor-
precursor or a potential concurrent to an accident. The mation already present, minimizing the efforts for the
personnel should be encouraged in not discriminating operator. No new models have to be implemented but
significant and silly events, as any event is potentially the items already present in the safety system have to
useful for finding latent conditions which might lead to be exploited. The results of non-conformances and
an accident after a long time. That could also motivate deviation analysis should be completely transferred
personnel in taking responsibility and stewardship. in the safety procedures, in the SMS manual and in
The inspiration for this research comes from the the safety report, in order to improve the overall risk
widespread use of personal wireless telecommunica- management in the establishment.
tion equipment, such as a palmtop, even in the indus-
trial premises. The palmtops should be exploited for
recording immediately any non conformance detected 3 THE PROPOSED APPROACH
in the plant, by writing notes, descriptions or com-
ments, but also by capturing the event through pictures. A new approach is proposed here for filling the gap
The analysis of non conformances recorded is very between safety documents and operational experi-
useful for the early detection of conditions, which ence. According to standards and regulations, which
might lead to an accident. For this purpose it is are enforced at major hazard facilities, the safety
essential to have sound methodologies, supported by system is well defined and may be digitally repre-
adequate tools, for understanding whether a single non sented. The basic idea is to exploit this representation
conformance could open a breaching in the safety bar- for analyzing non conformances and improving the
riers and for finding weak points of the safety system, safety system. That model is suitable for unscholarly
which could be improved. As the non conformance operators, including depot workers.
is perturbing the safety system, it has to be quickly The backbone of the proposed system is the digital
notified, looking for a solution. representation of the equipment, as used in opera-
For the follow-up of near misses and anomalies tion. In the present paper the equipment representation
many models have been proposed in the literature. has been integrated with a digital representation of
The systemic approach is quite new for this matter. the safety system, tailored expressly for small sized
An adequate model of industrial safety systems may ‘‘Seveso’’ plants.
be found just in a few recent papers, including Beard & The potential of the digital models coming from
Santos Reyes (2003), Santos-Reyes & Beard (2003), computer aided design system, for supporting hazard
Beard (2005), Santos Reyes & Beard (2008). The analysis has been demonstrated by Venkatasubrama-
development of a general systemic methodology for nian et al. (2000), Chung et al. (2001), Zhao et al.
finding latent accident precursors would be an over- (2005) Bragatto et al. (2007). In our approach, the
whelming task indeed. As the scope of the research scrutiny of the plant, required by the HAZID and
is restricted to the facilities where major accident leg- HAZAN methods, is exploited to build step by step a
islation is enforced and the goal is a demonstrative plausible representation of the plant. The hierarchical
prototype, the effort is instead affordable. The Euro- structure has basically five nested levels: Facility, Unit,
pean legislation on major accident hazard (‘‘Seveso’’ Assembly, Component, Accessory or Instrument.
Legislation) defines a framework, which structures the Furthermore, as a result of hazard and conse-
safety system along the lifecycle of the plant, including quences analysis, critical components and accessories
hazard identification and risk analysis, safety policy are discriminated. Components and accessories are
and management, operational procedures, emergency considered critical if their failures or anomalies are
management and periodical safety audit. Furthermore, in a chain of single events, which could lead to a
in most plants a scrutiny of equipment is performed, major accident. They are tagged and linked to the sin-
according to the best known hazard identification and gle event, present in the top events list, as handled in

the SR. In this way the top event list is embedded in
the digital representation of the plant.
At the end, the emergency plan may be included
in the net, too. For each major event found by the
hazard analysis, the plan should have an action or a
sequence of actions. In this way any emergency action
is linked to an event, which is in the top events list.
Furthermore the actions require usually operations to
be done on accessories (e.g. valves), which have to be
included in the plant digital representation. It is any-
way to be stressed again that this whole representation
of the plant does not require any new duty for the plant
Just SR and safety manual, which are mandatory
according to the Seveso legislation, have been used.
The pieces of information, usually lost after the job
of preparing mandatory safety documents, are stored
in a quite structured way, in order to have a com-
plete representation of the whole system, including the
equipment, the hazard ranked according to the Mond
index, the list of the top events, the sequences of fail-
ures that lead a top event, the sequence of actions
in the emergency plan, the SMS and the operating
In this structured digital environment, the non-
conformances shall be recorded. The backward path
from the single event (failure, near miss or accident)
to the safety system is supported by the complete dig-
ital representation of the plant. When a failure or near
miss is reported, it is connected to a piece of equip- Figure 1. The proposed digital model for the management
ment (component or accessory), present in the plant of non conformances.
digital representation.
There are many links between equipment and safety number of notes, which should be used for the periodic
documents, which may be used. Namely any sin- reviewing.
gle items of the Mond check list is linked to one or
more components or assembly, any event in a chain
leading to a top event is linked to a component, any
action of a safety procedure is linked to an acces-
sory or a component. A few components could be
In order to widespread the proposed methodology,
found without a direct link to safety documents; in
NOCE (NO-Conformance Events analysis), a soft-
this case, the parent assembly or unit will be con-
ware prototype, has been developed. ‘‘Client-server’’
sidered. In other words the path of the equipment
architecture has been adopted, in order to have a
tree will be taken backward, in order to retrieve the
palmtop computer on the field, connected to an
pieces of information about the assembly or the unit
‘‘experience’’ data base on the central server.
affected by the failure. If the failed item is linked to
The basic objectives of the software prototype are
a chain, which could lead to a top event, it shall be
noticed. • to keep track of the present event happened in the
If the non conforming item is corresponding to a plant by collecting all feasible information and tak-
credit factor in the Mond index method, the credit ing into account all the events occurred in the past
will be suspended, until the non conformance will be in the same context;
removed. • to access directly into the Safety Management
The basic result of this continuous trial of report- System for updating the documents, having the
ing any non conformance, which happens somewhere possibility to properly look at the risk analysis
in the plant, and walks inside the plant digital safety results;
representation, is to have, after a short time, the • To evaluate the new event in the appropriate envi-
safety documents (basically Mond check list, top ronment, for instance in safety management or in
event sequences and safety procedures) with a large risk analysis.

In order to define an adequate architecture for the 4.1 Software architecture
software, the workflow has been outlined. In the work-
The architecture of the proposed system is basically
flow two phases have been defined. The first phase is
composed by an application for workers, which have
basically the event recording and it is supposed to be
to record events, and application for safety managers,
performed by each single worker, which detects the
which have to analyze events and to update safety
failure or the non-conformance. The worker, or even-
documents. The application for the worker side has
tually the squad leader, is enabled to record directly
been supposed running on a palmtop computer, featur-
the event by means of a palmtop system. Immediate
ing Windows CE; while the application for the safety
corrective actions should be recorded too. The event
manager side has been running on a desktop computer
is associated to a component, which is supposed to be
featuring Windows XP. The palmtop application is
present in the plant data base. The worker may verify
aimed to record the non-conformances; to retrieve past
whether other failures had been recorded in the past.
events from the database; to upload the new events in
The very basic data are introduced by the worker, the
the database. The desktop application has all the func-
follow up of this information are instead managed on
tionalities needed to analyze new recorded events and
the desktop, by some safety supervisor. As the safety
to access to the databases, which contain equipment
manual addresses basic and general issues, this has
digital representation, structured safety documents in
always to be verified, as the very first follow up. This
digital format and recorded non-conformances. The
check is required for any type of non-conformances;
following paragraphs describe the modules into more
but it has to be deepened, in the case of human or orga-
nizational failure; which could require intensifying
audits on the safety management system or review-
ing safety procedures. In the case of a mechanical
failure, asset active monitoring should be intensified 4.2 Palmtop application
to prevent equipment deterioration. As the last step
the safety report has to be considered, as well as in 4.2.1 Event information
the study about hazard identification and risk assess- As explained above, an event is considered something
ment, including check list and HAZOP when present. happened in the facility, all weak signals coming from
The workflow above described is summarized by the operational experience, such as failures, incidents and
‘‘flow-chart’’ shown in figure 2. near-misses, which may involve specific components,
or a logic or process unit, but also a procedure of the
safety management system. For this reason the event
has to be associated to an item of the establishment,
which may be an equipment component or a procedure.
The worker is required to input the basic infor-
mation about the event. The event is characterized
by some identifiers (e.g. worker’s name, progres-
sive id number, date and time). Required information

• A very synthetic description

• The type of cause, which has to be selected from a
predefined list
• The type of consequence, which has to be selected
from a predefined list
• Immediate corrective action (Of course the planned
preventive actions have to be approved in the next
phase by the safety manager)

Before recording any event, the worker is required

to connect the experience database and to look for
the precedents in order to find analogy with the
present case. The form is shown in figure 3. As
an equipment data base is supposed already present
in the establishments, the browsing is driven by the
non-conformance identifiers, which are linked to the
equipment component identifier or, eventually, to a
Figure 2. The basic architecture of the NOCE prototype. procedure identifier.

Figure 3. Consulting precedents related to a non conform-
Figure 4. Recording a non conformance.
ing component.

4.2.2 Event recording form The proposed extension is basically a discussion of

The recording phase corresponds to filling out the the event in comparison with the relevant points in the
event form, introducing the information which charac- safety documentation (SR, SMS, Active monitoring),
terizes the event, as shown in figure 4. The prototype just where equipment or components involved in the
requires all the fields to be filled in, in order to have a event are cited.
complete description. After a new event has been sent
to the database, it will be analyzed. 4.3.1 Safety management system
In analysis phase, the first step is to verify the safety
management system manual. The access to this mod-
ule is mandatory for the next steps. It reflects the
4.3 Desktop application
action required by the Seveso legislation for updat-
An analysis of the event (accident or near miss) is ing the documents. The first action required is to
already contained in the recording format, which is identify the paragraph in the SMS manual for intro-
provided within the safety management system. ducing the link with the event occurred, and eventually
The key of these methods is basically the recon- selecting the procedure or the operational instruction
struction of the event: the analysis goes along the steps involved. In this phase both general safety procedures
that allowed the event to continue, did not prevent it and operational procedures have to be checked. Every
from evolving or even contributed to it. operational procedure is linked to a few pieces of
In order to learn better the lessons from the events, equipment (e.g. valves, pumps or engines). If in the
it is essential to transfer into the safety documenta- plant digital model, the piece of equipment is linked to
tion the new information or knowledge coming from a procedure, it is possible to go back from the failure
unexpected events. to the procedure through the equipment component.

In this way a detected non conformance or failure may 4.3.4 Session closing
generate a procedure revision. Discussion session may be suspended and resumed
many times. At the end, the discussion may be defi-
nitely closed. After discussion closing, lessons learnt
4.3.2 Safety report
are put in the DB and may be retrieved both from the
The following steps are the reviewing of the safety
palmtop and from the desktop.
report and its related documents. These two mod-
ules are aimed to discuss the follow up of the event.
They exploit a hierarchical representation of the estab- 4.4 A case study
lishment, where equipment components, with their
The NOCE prototype has been tested at a small-
accessories are nested in installations, which are
medium sized facility, which had good ‘‘historical’’
nested in units, which are nested in plants. In the safety
collections of anomalies and near misses. These
report, the point related to the failed components, or
data have been used to build an adequate experience
to the affected plant unit, will be highlighted in order
database. The following documents have been found
to be analyzed. In many cases it will be enough to
in the safety reports:
understand better the risk documents; in a few cases a
reviewing could be required. A tag will be added in the • Index method computation;
safety report. This tag will be considered when safety • hazard identification;
report will be reviewed or revised. • list of top events;
• Fault tree and event tree for potential major accident.
4.3.3 Active monitoring intensification They have been used to develop the plant safety
In the case of a failure, inspection plan may be digital model. Both technical and procedural failures
reviewed, in order to intensify active monitoring have been studied, using the prototype. The analysis
and prevent equipment deterioration. Affected acces- determined many annotations in the safety report and
sories, components and units are found in the com- in the related documents, as well in the procedures of
ponent database and proposed for maintenance. In the the safety management system. In figure 5 the list of
case of unexpected failures on mechanical part the data non conformances is shown, as presented in the NOCE
base may used to find in the plant all the parts, which user interface.
comply with a few criteria (e.g. same type or same In figure 6 a sample of a NOCE window is shown.
constructor). Extraordinary inspections may be con- In the window each single pane is marked by a letter.
sidered as well as reduced inspection period. Potential The order of the letters from A to F is according the
consequences of the failure may be considered too for logical flow of the analysis. In A the digital represen-
intensifying inspections. tation of the plant is shown; the affected component

Figure 5. The list of near misses, failures and deviation, as presented in the NOCE graphical user interface.

Figure 6. A. The tree plant representation. B. The event data, as recorded via palmtop. C. The computation of Mond FE&T
index. D. Basic representation of the top event. E. The paragraph of the Safety Report that has been tagged. F. The lesson
learnt from the non-conformance.

is highlighted. In B the event data, as recorded via The case study is quite simple. In a more complex
palmtop, are shown. The computation of Mond FE&T establishment, such as a process plant, the number
index is shown in pane C. the basic representation of of failures and non-conformances is huge and many
the event chain that leads to the top event is shown in D. workers have to be involved in the job of recording
From left to right there are three sub panes, with the as soon as possible the failures and the non-
initiating event, the top event and the event sequence, conformances. Their cooperation is essential for a
which has the potential to give a top event. The para- successful implementation of the proposed system.
graph of the Safety Report where the component is Furthermore advanced IT mobile technologies could
mentioned is shown in pane E. The paragraph has been be exploited for achieving good results even in com-
tagged for a future review. The lessons learnt from the plex industrial environment.
non-conformance are shown in F.


The software presented in this paper exploits the ‘‘plant The authors wish to thank Mr Andrea Tosti for his pro-
safety’’ digital representation, for reporting and ana- fessional support in implementing palmtop software.
lyzing anomalies and non conformances, as recorded
in the operational experience, as well as for updat-
ing safety report, safety management system and REFERENCES
related documents. For building the digital represen-
tation, no extra duties are required; but exploiting in Lewis, D.J. (1979). The Mond fire, explosion and toxicity
a smarter way documents that are compelled by the index a development of the Dow Index AIChE on Loss
major accident hazard legislation. Prevention, New York.

Hursta, N.W., Young, S., Donald, I., Gibson, H. & Muyselaar, Uth, H.J. & Wiese, N. (2004). Central collecting and evaluat-
A. (1996). Measures of safety management performance ing of major accidents and near-miss-events in the Federal
and attitudes to safety at major hazard sites. J. of Loss Republic of Germany—results, experiences, perspectives
Prevention in the Process Industries 9(2), 161–172. J. of Hazardous Materials 111(1–3), 139–145.
Ashford, N.A. (1997). Industrial safety: The neglected issue Beard, A.N. (2005). Requirements for acceptable model use
in industrial ecology. Journal of Cleaner Production Fire Safety Journal 40, 477–484.
5(1–2), 115–121. Beard, A.N. (2005). Requirements for acceptable model use
Jones, S., Kirchsteiger, C. & Bjerke, W. (1999). The Fire Safety J. 40(5), 477–484.
importance of near miss reporting to further improve Zhao, C., Bhushan, M. & Venkatasubramanian, V. (2005).
safety performance. J. of Loss Prevention in the Process ‘‘Phasuite: An automated HAZOP analysis tool for
Industries 12(1), 59–67. chemical processes’’, Process Safety and Environmental
Venkatasubramanian, V., Zhao, J. & Viswanathan, V. (2000). Protection, 83(6B), 509–548.
Intelligent systems for HAZOP analysis of complex Fabbri, L., Struckl, M. & Wood, M. (Eds.) (2005). Guidance
process plants. Computers & Chemical Engineering, 24, on the Preparation of a Safety Report to meet the require-
2291–2302. ments of Dir 96/82/EC as amended by Dir 03/105/EC EUR
Chung, P.W.H. & McCoy, S.A. (2001). Trial of the 22113 Luxembourg EC.
‘‘HAZID’’ tool for computer-based HAZOP emulation Sonnemans, P.J.M. & Korvers P.M.W. (2006). Accidents in
on the medium-sized industrial plant, HAZARDS XVI: the chemical industry: are they foreseeable J. of Loss
Analysing the past, planning the future. Institution of Prevention in the Process Industries 19, 1–12.
Chemical Engineers, IChemE Symposium Series 148, OECD (2006). Working Group on Chemical Accident (2006)
391–404. Survey on the use of safety documents in the control of
IEC (2001). Hazop and Operability Studies (HAZOP Stud- major accident hazards ENV/JM/ACC 6 Paris.
ies) Application Guide IEC 61882 1st Geneva. Agnello, P., Ansaldi, S., Bragatto, P. & Pittiglio, P. (2007).
Phimister, J.R., Oktem, U., Kleindorfer, P.R. & The operational experience and the continuous updating
Kunreuther, H. (2003). Near-Miss Incident Management of the safety report at Seveso establishments Future Chal-
in the Chemical Process Industry. Risk Analysis 23(3), lenges of Accident Investigation Dechy, N Cojazzi, GM
445–459. 33rd ESReDA seminar EC-JRC-IPS.
Beard, A.N. & Santos-Reyes, J.A. (2003). Safety Man- Bragatto, P., Monti, M., Giannini,F. & Ansaldi, S. (2007).
agement System Model with Application to Fire Safety Exploiting process plant digital representation for risk
Offshore. The Geneva Papers on Risk and Insurance 28(3) analysis J. of Loss Prevention in the Process Industry 20,
413–425. 69–78.
Santos-Reyes, J.A. & Beard, A.N. (2003). A systemic Santos-Reyes, J.A. & Beard, A.N. (2008). A systemic
approach to safety management on the British Railway approach to managing safety J. of Loss Prevention in the
system. Civil Eng. And Env. Syst. 20, 1–21. Process Industries 21(1), 15–28.
Basso, B., Carpegna, C., Dibitonto, C., Gaido, G. &
Robotto, A. (2004). Reviewing the safety management
system by incident investigation and performance indica-
tors. J. of Loss Prevention in the Process Industry 17(3),

Dynamic reliability
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

A dynamic fault classification scheme

Bernhard Fechner
FernUniversität in Hagen, Hagen, Germany

ABSTRACT: In this paper, we introduce a novel and simple fault rate classification scheme in hardware. It is
based on the well-known threshold scheme, counting ticks between faults. The innovation is to introduce variable
threshold values for the classification of fault rates and a fixed threshold for permanent faults. In combination
with field data obtained from 9728 processors of a SGI Altix 4700 computing system, a proposal for the
frequency-over-time behavior of faults results, experimentally justifying the assumption of dynamic and fixed
threshold values. A pattern matching classifies the fault rate behavior over time. From the behavior a prediction
is made. Software simulations show that fault rates can be forecast with 98% accuracy. The scheme is able to
adapt to and diagnose sudden changes of the fault rate, e.g. a spacecraft passing a radiation emitting celestial
body. By using this scheme, fault-coverage and performance can be dynamically adjusted during runtime.
For validation, the scheme is implemented by using different design styles, namely Field Programmable Gate
Arrays (FPGAs) and standard-cells. Different design styles were chosen to cover different economic demands.
From the implementation, characteristics like the length of the critical path, capacity and area consumption


The performance requirements of modern micropro-

cessors have increased proportionally to their growing
Number of neutron impacts

number of applications. This led to an increase of clock

frequencies up to 4.7 GHz (2007) and to an integration
density of less than 45 nm (2007). The Semiconductor
Industry Association roadmap forecasts a minimum
feature size of 14 nm [6] until 2020. Below 90 nm a
serious issue occurs at sea level, before only known
from aerospace applications [1]: the increasing prob-
ability that neutrons cause Single-Event Upsets in
memory elements [1, 3]. The measurable radiation on
sea level consists of up to 92% neutrons from outer 6100
space [2]. The peak value is 14400 neutrons/cm2 /h 0 2000 4000 6000 8000

[4]. Figure 1 shows the number of neutron impacts per Time in hours
hour per square centimeter for Kiel, Germany (data
from [5]). Figure 1. Number of neutron impacts per hour for Kiel,
This work deals with the handling of faults after Germany (2007).
they have been detected (fault diagnosis). We do not
use the fault rate for the classification of fault types related work. Secti