Abstract
In quantitative risk analysis (QRA) risk is quantified using probabilities and expected values, for example expressed by PLL values,
FAR values, IR values and F–N curves. The calculations are tedious and include a strong element of arbitrariness. The value added by
the quantification can certainly be questioned. In this paper, we argue that such analyses often are better replaced by semi-quantitative
analyses, highlighting assessments of hazards and barriers, risk influencing factors (RIFs) and safety improvement measures. The
assessments will be based on supporting information produced by risk analysts, including hard data and analyses of failure causes and
mechanisms, barrier performance, scenario development, etc. The approach acknowledges that risk cannot be adequately described and
evaluated simply by reference to summarising probabilities and expected values. There is a need for seeing beyond the standard
probabilistic risk results of a QRA. Key aspects to include are related to uncertainties in phenomena and processes, and manageability
factors. Such aspects are often ignored in standard QRAs.
© 2007 Elsevier Ltd. All rights reserved.
ARTICLE IN PRESS
T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775
E-mail address: terje.aven@uis.no.
0951-8320/$ - see front matter © 2007 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2007.03.025

1. Introduction

The standard way of reporting the results from quantitative risk analyses (QRAs) (including probabilistic risk analyses (PRAs)) is to present calculated frequencies (expected values) and probabilities. Examples include indices such as

- IR (individual risk—the probability that a specific individual being present at a certain position is killed during 1 year),
- PLL (the expected number of fatalities during 1 year),
- FAR (the expected number of fatalities per 100 million exposed hours),
- safety function impairment frequencies and probabilities,
- F–N curves showing the frequencies of accidents with at least N fatalities.

See, e.g. Bedford and Cooke [1] and Vinnem [2]. The risk indices form a risk picture, which constitutes the basis for the risk evaluation, to determine the significance of the risk and the need for risk reducing measures. Often risk acceptance criteria (tolerability limits) are defined to give a reference by which risk is assessed to be acceptable or not acceptable.

This way of expressing risk and evaluating risk is consistent with the common definition of risk: Risk is the combination of probability and consequences [1–3]. By highlighting relevant probabilities and associated expected values, a risk picture is being presented.

However, this risk picture is not an objective state of the world. It represents a "best estimate" or a "best assignment", depending on the foundational basis of the analysis:

(a) A probability is interpreted in the classical statistical sense as the relative fraction of times the events occur if the situation analyzed were hypothetically "repeated"
an infinite number of times. The underlying probability is unknown, and is estimated in the risk analysis.
(b) Probability is a measure of uncertainty about future events and outcomes (consequences), seen through the eyes of the assessor and based on some background information and knowledge. Probability is a subjective measure of uncertainty (the Bayesian perspective).

Following definition (a), we produce estimates of the underlying true risk. This estimate is uncertain, as there could be large differences between the estimates and the correct risk values. As these correct values are unknown, it is difficult to know how accurate the estimates are.

Following interpretation (b), we assign a probability by performing uncertainty assessments, and there is no reference to a correct probability. There are no uncertainties related to the assigned probabilities, as they are expressions of uncertainties.

For both perspectives, we conclude that risk cannot be adequately described and evaluated simply by reference to the summarising probabilities and expected values. In the classical case, we have to take into account the uncertainties in the estimates and in the Bayesian perspective we have to acknowledge that the computed probabilities are subjective probabilities conditional on a specific background information.

In a risk evaluation, we need to see beyond the computed risk picture in the form of the summarising probabilities and expected values. Traditional QRAs often fail in this respect. This observation is the starting point for the present paper. We acknowledge the need for analysing risk, but question the added value by performing traditional QRAs in many cases. The arbitrariness in the numbers produced could be significant, due to the uncertainties in the estimates or as a result of the uncertainty assessments being strongly dependent on the assessors. As experienced risk analysts, we have all struggled with the lack of precision in risk analysis, and it has also been documented by several benchmarking exercises, see e.g. [4].

To cope with this problem, alternative solutions are suggested. One is to assess the uncertainties of the risk estimates, which leads to the so-called probability of frequency approach. In this approach, there are two levels of probability introduced; the relative frequency interpreted probability reflecting variation (aleatory uncertainty) within fictional populations and the subjective probabilities reflecting the analyst's uncertainty (epistemic uncertainty) about what the correct relative frequency probability is, see e.g. [5,6].

However, in our view a search for accurate estimates of some "true" risk is meaningless for situations involving large uncertainties. Hard data showing the "truth" about risk will not be available. Adopting the probability of frequency approach, we first introduce infinite populations of similar situations and related fictional parameters, for example the probability of a large-scale accident. But what is the meaning of this population and these parameters? If we are to assess uncertainties of average performance of quantities of this population, it is essential that we understand what they mean. Then we become uncertain about what the correct values of these quantities are. In our view this approach creates uncertainties, and the analysis becomes unnecessarily complex. Its message is disturbed by a discussion of uncertainties.

Another approach is to use intervals of probabilities, see the overview by Coolen and Utkin [7]. This approach is however in a rather early development stage and further research is required to provide tools for implementation.

In this paper, we present and discuss an alternative solution, acknowledging that risk cannot be accurately expressed using probabilities and expected values. A QRA is in many cases better replaced by a more qualitative approach. We refer to it as a semi-quantitative approach as aspects of risk may be quantified. The basic features of the approach can be summarised as follows:

- A broad qualitative risk picture is established highlighting
  - potential hazards/threats and accident scenarios,
  - barriers and the effectiveness of these barriers,
  - risk influencing factors (RIFs) and possible risk reducing measures,
  - uncertainties in phenomena and processes,
  - vulnerabilities,
  - special features of the consequences,
  - manageability factors.
- Crude risk categorisations are defined based on this risk picture, reflecting
  - probabilities/frequencies of hazards/threats,
  - expected losses given the occurrence of such a hazard/threat,
  - factors that could create large deviations between expected outcomes and the actual outcomes (uncertainties, vulnerabilities).
- Evaluations of the risk picture and categorisations to compare alternatives and make judgments about risk acceptance.

We will look closer into these features in the following sections, using a case from the offshore industry as an illustration.

Risk analysis is used as a basis for supporting decision making, and is often used together with cost–effectiveness analyses and cost–benefit analyses. These cost analyses are based on the use of expected values and their rationale for adequately reflecting safety measures is questioned, see e.g. [8, 9]. The semi-quantitative approach recognises the problems of these cost analyses and provides a more comprehensive risk picture. The basic idea is that decision making under uncertainty needs to be based on a broader perspective than given by such cost analyses. We refer to the coming sections.

The need for seeing beyond the produced risk numbers has been addressed by many researchers. In addition to the
above-cited references, we would like to mention [10], who presents a risk governance framework. This framework also highlights uncertainty aspects and special aspects of the consequences. However, the scope of this framework is risk management and risk governance, whereas our work relates to the risk analyses and the way we perform these analyses.

2. Basic features of the semi-quantitative approach

We will use an example to illustrate the basic features of the semi-quantitative approach. This example is inspired by a case presented in [9]. However, the analysis approaches and results are different.

would have been that protective shielding costs too much relative to the calculated risk reduction.

The conclusions following our semi-quantitative risk analysis could have been the same. A risk analysis produces decision support, not the decision. However, the way risk is described could strongly influence the risk evaluation, i.e. the process of judging the significance of the risk, whether risk is acceptable, etc. The basic idea of the semi-quantitative risk analysis approach is that a broad risk picture should be presented, that goes beyond the probabilities and expected values computed in the traditional analyses. Below, we outline the basic features of such a picture.

2.2. Qualitative analysis
of the basis (background information) for the risk assignments.

From this analysis, it is concluded that the main safety challenges are

[Diagram labels: Leak test; Release of hydrocarbons; Failure to reveal valve(s) in wrong position after maintenance by self control/use of checklists]

Fig. 3. Influence diagram for the basic event "Operator fails to detect a valve in wrong position by self check/checklist". (HMI: human machine interface).
Similarly, we establish risk matrices for ignited releases (fires) and the expected consequences. Let f_i denote the assigned probability for the ith fire scenario (severe fire) and let E[C|fire_i] denote the expected number of fatalities given this scenario. Then, the pair (f_i, E[C|fire_i]) forms the risk matrix.

A set of scenarios is defined, and for these relevant consequence calculations are carried out providing insights about, e.g. initial release rates and development of the discharge concentration (when and where we could get a combustible mixture). From these studies and the analyst group's general risk analysis experience, the uncertainties related to releases and consequences are assessed. The assessments are based on all relevant information, including the identified poor performance of some of the safety barriers and the equipment deterioration problem. The consecutive assigned probabilities and expected values represent the analyst group's best judgments, based on the available information and knowledge (K).

To simplify the assessments, some pre-defined categories of probabilities and expected values are defined. For the probabilities p_i, the following categories are used:

>50%; 10–50%; 1–10%; 0.01–1% and <0.01%.

Hence, for the second category we predict 1–5 events for a 10 years period. To specify a probability, a default value is assigned, by general comparisons with similar type of systems, and partly based on studies performed as a part of QRAs. Then all key factors influencing the probabilities are reviewed and, based on this evaluation, the probabilities are adjusted. In our case, the equipment deterioration was identified as a critical issue. However, the probabilities were not adjusted, but an assumption was made that extended maintenance activities will be carried out.

The effect of the modification was assessed and the probabilities and expected values adjusted. Also the effect of the implementation of the protective shielding on existing escape ways was assessed.

The following changes were quantified:

Modification:

- Increased p_i, 5%.
- Increased f_i, 5%.
- Increased PLL, 5%.
- Increased IR, 10% for a specific personnel group.

Effect of the implementation of the protective shielding on existing escape ways (after modification):

- Reduced PLL, 30%.
- Reduced IR, 50% for a specific personnel group.

2.4. Uncertainty considerations and vulnerability assessments

These figures represent the best judgments of the analysis group. This risk picture is supplemented with uncertainty considerations and assessments of vulnerability:

2.4.1. Equipment deterioration and maintenance

The deterioration of critical equipment is assumed not to cause safety problems by implementing a special maintenance programme. However, experience gained on offshore installations indicates that unexpected problems occur. Production of oil over time leads to changes in operating conditions, such as increased production of water, H2S and CO2 content, scaling, bacteria growth, emulsions, etc.; problems that to a large extent need to be solved by the addition of chemicals. These are all factors causing increased probability of corrosion, material brittleness and other conditions that may cause leakages. The quantitative analysis has not taken into account that surprises might occur. The analysis group is concerned about this uncertainty factor, and it is reported along with the quantitative assessments.

2.4.2. Barrier performance

The historical records show poor performance on a set of critical safety barrier elements, in particular for some types of safety valves. The assignments of the expected number of fatalities E[C] given a leakage or a fire scenario were based on average conditions for the safety barriers, and adjustments were made to reflect the historical records. However, the changes made were small. The poor performance of the barrier elements would not necessarily result in significantly reduced probabilities of barrier system failures, as most of the barrier elements are not safety critical. The barrier systems are designed with a lot of
redundancies. Nonetheless, also this problem causes concern, as the poor performance may indicate that there is an underlying problem of operational and maintenance character, which results in reduced availability of the safety barriers in a hazardous situation. There are a number of dependencies among elements for these systems, and the risk analysis methods for studying these are simplified with strong limitations. Hence, there are also uncertainty aspects related to the barrier performance.

2.4.3. Vulnerability (robustness)

The smoke production from fires will be very dense and poisonous. The heat loads may be limited due to the smoke, but still at such levels that personnel will be fatally injured after a few seconds. The existing escape ways do not provide any protection of personnel, to the extent that if a fire occurs, there are no barriers in order to protect personnel.

Heat and smoke protection on escape ways is a passive way of protecting personnel, which does not require any mobilisation or action in an emergency. Therefore, it is usually considered to be a robust way to reduce risk, as opposed to actions that rely on equipment to be started or management actions to be implemented and followed up, which often will have much higher failure probability.

The analysis assigns a rather small probability of a critical fire. However, a fire may occur, and the additional fire protection will have a considerable positive effect in order to protect personnel. The protection of escape ways will also help in less critical fires, which will be more likely to occur. During 20 years, a probability of 50% is assigned for such fires.

2.4.4. Operational measures

A large part of hydrocarbon leaks are due to manual intervention on process equipment. In theory, all non-essential personnel could be removed from all areas where effects could be experienced during the use of escape ways in a fire scenario. Management may however consider that this places too much restriction on the operation of the installations, such that this is not feasible in practice. The risk quantification is based on this assumption.

These issues are related to the quantitative risk result in the following way. A probability assignment is a statement P(A|K), a probability of an event given the background information K. Assumptions are a part of K. In the ageing case, for example, K includes the assumption about the implementation of an effective maintenance program. Hence, our probability assignments do not reflect all types of uncertainties. We may ask if the equipment deterioration may cause surprises, resulting in leakages? The numbers do not explicitly express this issue. This is always the case—the quantitative analyses have to be placed in a broader context of the constraints and limitations of the analyses. Aspects to consider relate to hidden uncertainties in the assumptions, the problem of expressing uncertainties by using probabilities and the selection of appropriate risk indices.

2.5. Summarising risk picture

The results of the analysis are summarised in the following table.

| Quantitative assessments | See results above. The assigned fire risk is not considered unacceptable in itself |
| Protecting shielding implemented | Moderate improvement of assigned fire risks, about 30% measured by PLL. Significant improvement for one personnel group (50%) |

| Uncertainty factors etc. | Minor problem | Significant | Undoubtedly unacceptable |
| Equipment deterioration | | | |
| Barrier performance | | | |
| Vulnerability (no protection in the case of fires) | | | |

Now, given this information, what is the conclusion? Should the protective shielding be implemented? That depends on the management attitude to risks and uncertainties, and of course costs. The analysis does not direct the decision makers but provides a basis for making appropriate decisions.

2.6. Cost effectiveness

Say that the investment cost for this measure is about 5 million £. Can this extra cost be justified?

The expected reduced number of fatalities is rather small, and hence the expected cost per expected saved life (the value of a statistical life) would give a rather high number, and a traditional cost–benefit (cost–effectiveness) criterion would not justify the measure. Say that the assigned expected reduced number of fatalities is 0.1. Then we obtain a value of a statistical life equal to 5/0.1 = 50 million £. If this number is considered in isolation, in a quantitative context, it would normally be considered too high to justify the implementation of the measure.

This number is heavily dependent on key assumptions. Sensitivity analyses performed show that the value of a statistical life is very sensitive to changes in the probabilities of leakage and ignition.
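
The sensitivity described in Section 2.6, worked through as an added example that is not part of the paper. Only the 5 million £ investment, the 0.1 expected saved fatalities and the probability categories come from the text; the multiplicative model and its three inputs (`p_leak`, `p_ignition`, `lives_saved_given_fire`) are constructed assumptions chosen so that the base case reproduces 0.1.

```python
"""Sensitivity of the cost per expected saved life (the paper's "value of a
statistical life") to the leak and ignition probabilities.

From the paper: 5 million GBP investment, 0.1 expected saved fatalities and
the probability categories. Constructed for this example: the multiplicative
model and the three base-case input values.
"""
from itertools import product

COST_MGBP = 5.0  # investment cost stated in the paper, million GBP

# Constructed base case: 0.5 * 0.1 * 2.0 = 0.1 expected saved fatalities.
BASE = {"p_leak": 0.5, "p_ignition": 0.1, "lives_saved_given_fire": 2.0}

# The paper's probability categories as (lower, upper) bounds.
CATEGORIES = {
    ">50%": (0.5, 1.0),
    "10-50%": (0.1, 0.5),
    "1-10%": (0.01, 0.1),
    "0.01-1%": (0.0001, 0.01),
    "<0.01%": (0.0, 0.0001),
}


def expected_saved(p_leak, p_ignition, lives_saved_given_fire):
    """Expected number of fatalities avoided by the measure (assumed model)."""
    for p in (p_leak, p_ignition):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return p_leak * p_ignition * lives_saved_given_fire


def cost_per_life(p_leak, p_ignition, lives_saved_given_fire, cost=COST_MGBP):
    """Investment cost divided by expected saved lives, in million GBP."""
    saved = expected_saved(p_leak, p_ignition, lives_saved_given_fire)
    return float("inf") if saved == 0 else cost / saved


def one_at_a_time(factors=(0.5, 2.0)):
    """Scale each probability in turn while the other inputs stay at base."""
    rows = []
    for name in ("p_leak", "p_ignition"):
        for factor in factors:
            inputs = dict(BASE)
            inputs[name] = min(1.0, BASE[name] * factor)
            rows.append((name, factor, cost_per_life(**inputs)))
    return rows


def category_range(leak_category, ignition_category):
    """Lowest and highest cost per life when each probability is only known
    to lie somewhere inside one of the paper's categories."""
    lives = BASE["lives_saved_given_fire"]
    values = [
        cost_per_life(p_leak, p_ign, lives)
        for p_leak, p_ign in product(CATEGORIES[leak_category],
                                     CATEGORIES[ignition_category])
    ]
    return min(values), max(values)


if __name__ == "__main__":
    print(f"base case: {cost_per_life(**BASE):.0f} million GBP per life")
    for name, factor, value in one_at_a_time():
        print(f"{name} x {factor}: {value:.0f} million GBP per life")
    low, high = category_range("10-50%", "1-10%")
    print(f"leak in 10-50%, ignition in 1-10%: {low:.0f} to {high:.0f}")
```

With the leak probability known only to the 10–50% category and the ignition probability only to the 1–10% category, the same 5 million £ measure spans a factor of 50 in cost per expected saved life under this assumed model.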
According to our risk management perspective, we should see beyond the results of the cost–effectiveness analysis. The purpose of the safety investment is to reduce risks and uncertainties, and the traditional cost–effectiveness (cost–benefit) analyses do not reflect these concerns in an appropriate way. The point is that these analyses are based on the use of expected values, and hence give little weight to risks and uncertainties. Investments in safety are not only justified by reference to expected values. Management review and judgment is required to balance the different concerns and give the right weight to the risks and uncertainties. A mechanical analytical procedure prescribing the decision cannot be justified according to our way of thinking. The broad risk picture established, together with the cost–effectiveness (cost–benefit) analyses, provide a basis for the decision making.

3. Discussion and conclusions

We define risk by the combination of possible consequences of the activity and associated uncertainties [16]. Let C denote the consequences or outcomes associated with the activity. Typically, C would be expressed by some quantities C_1, C_2, ..., e.g. the number of fatalities and number of injuries. The quantity C is unknown—we are uncertain what value C will take. The uncertainty results from lack of knowledge, about C and underlying influencing phenomena and processes. Hence, it is epistemic. Subjective probabilities are used to assess the uncertainties, in line with basis (b) introduced in Section 1. The reference is a certain standard such as drawing a ball from an urn. If we assign a probability of 0.1 for an event A, we compare our uncertainty of A to occur with drawing a specific ball from an urn having 10 balls [17].

This definition of risk acknowledges that risk cannot be adequately described and evaluated simply by reference to summarising probabilities and expected values. There is a need for seeing beyond these values. Computed probabilities and expected values are not objective quantities, but subjective assignments conditioned on the background information (including assumptions and suppositions).

Hence, we may characterise risk by (I, C, I*, C*, U, P, K), where I refers to the hazards (initiating events), C the consequences, I* and C* are predictions of I and C, U the uncertainties, P the assigned probabilities and K the knowledge and background information the analysis is based on (e.g. assumptions, models). The aim of the risk analysis is to establish a risk picture covering all relevant dimensions of (I, C, I*, C*, U, P, K).

This conclusion of seeing beyond the probabilities and expected values also applies for other risk perspectives, including the standard definition expressing that risk is the combination of possible consequences and associated probabilities. Probabilities need to be estimated or assigned, and we need to address uncertainties in phenomena and processes as illustrated by the example in the previous section.

In general, the risk picture should highlight the following aspects, in addition to presenting probabilities and expected values:

- uncertainties in phenomena and processes,
- manageability factors.

Uncertainties were discussed in the previous section. Are there large uncertainties related to the underlying phenomena, and do experts have different views on critical aspects? It is an aim to identify factors that could lead to consequences C far from the expected consequences E[C]. A system for describing and characterising the associated uncertainties is outlined in Sandøy et al. [18]. This system reflects features such as the current knowledge and understanding about the underlying phenomena and the systems being studied, the complexity of technology, the level of predictability, the experts' competence, and the vulnerability of the system.

The level of manageability is related to the extent to which it is possible to control and reduce the uncertainties, and obtain desired outcomes. The expected values and the probabilistic assessments performed in the risk analyses provide predictions for the future, but some risks are more manageable than others, meaning that the potential for reducing the risk is larger for some risks compared to others. By proper management, we seek to obtain desirable consequences. This leads to considerations on for example how to run processes reducing risks (uncertainties) and how to deal with human and organisational factors and obtain a good safety culture.

A search procedure needs to be established to identify the uncertainty and manageability factors. Such a procedure can be based on the initial analysis addressing historical records, measurements and evaluations of the state of systems and equipment, as well as interviews of key personnel. Reference is given to the list in Section 2, qualitative analysis. Active involvement of system experts is required. In our example, personnel with operational experience are in a position of identifying safety critical issues that could be difficult to reveal using other sources. Furthermore, the assumptions and suppositions of the probability assignments in the quantitative analysis provide an additional checklist. We would also like to draw attention to the list of special consequence features presented by Renn and Klinke [19] (see also [20]). Examples of such features are temporal extension, delay effects, irreversibility and aspects of the consequences that could cause social mobilisation, i.e. violation of individual, social or cultural interests and values generating social conflicts and psychological reactions by individuals and groups who feel afflicted by the consequences. This feature classification system can be used as a checklist for ensuring the right focus of the analysis, i.e. that we address the appropriate consequence attributes C. But it can also be used as a checklist for identifying relevant uncertainty and manageability factors. For example, the feature "delay
effects" could lead to a focus on activities or mechanisms that could initiate equipment deteriorating processes causing future surprises.

Quantifying risk using risk indices such as FAR and PLL gives an impression that risk can be expressed in a very precise way. However, in most cases, the arbitrariness is large, and our approach acknowledges this by providing crude risk numbers, including assessments of the factors that can cause "surprises" relative to the probabilities and the expected values. We are not negative to detailed risk quantification as such, but quantification often requires strong simplifications and assumptions and as a result, important factors could be ignored or given too little (or much) weight. In a qualitative or semi-quantitative analysis a more comprehensive risk picture can be established, taking into account underlying factors influencing risks. In contrast to the prevailing use of QRAs, the precision level of the risk description is in line with the accuracy of the risk analysis tool. In addition, risk quantification is very resource demanding. We need to ask whether the resources are used in the best way. We conclude that in many cases more is gained by opening up for a broader more qualitative approach, which allows for considerations beyond the probabilities and expected values. We acknowledge that more research is required to establish a "perfect" structure for such a qualitative or semi-quantitative approach—the aim of this paper has been to give some overall considerations and outline some main ideas.

Acknowledgement

The author is grateful to two anonymous reviewers for useful comments and suggestions to an earlier version of the paper.

References

[1] Bedford T, Cooke R. Probabilistic risk analysis: foundations and methods. Cambridge: Cambridge University Press; 2001.
[2] Vinnem JE. Offshore risk assessment. 2nd ed. London: Springer; 2007.
[3] ISO. Risk management vocabulary. ISO/IEC Guide 73, 2002.
[4] Lauridsen K, Christou M, Amendola A, Markert F, Kozine I, Fiori M. Assessing the uncertainties in the process of risk analysis of chemical establishments. In: Zio E, Demichela M, Piccinini N, editors. Safety and reliability. Towards a safer world. Proceedings. vol. 1. ESREL 2001. Torino (IT), 16–20 September 2001. p. 592–606.
[5] Kaplan S, Garrick BJ. On the quantitative definition of risk. Risk Anal 1981;1:11–27.
[6] Aven T. Foundations of risk analysis: a knowledge and decision-oriented perspective. New York: Wiley; 2003.
[7] Coolen FPA, Utkin LV. Imprecise reliability: a concise overview. In: Proceedings ESREL 2007, Stavanger, June 25–27, 2007.
[8] Aven T, Abrahamsen EB. On the use of cost-benefit analysis in ALARP processes, 2006, submitted.
[9] Aven T, Vinnem JE. Risk management, with applications from the offshore oil and gas industry. Springer; 2007.
[10] Renn O. White paper no. 1. Risk Governance, IRGC, 2005.
[11] Aven T, Hauge S, Sklet S, Vinnem JE. Methodology for incorporating human and organizational factors in risk analyses for offshore installations. Int J Mater Struct Reliab 2006;4:1–14.
[12] Papazouglou IA, Bellamy LJ, Hale AR, Aneziris ON, Ale BJM, Post JG, et al. I-Risk: development of an integrated technical and management risk methodology for chemical installations. J Loss Prevent Process Ind 2003;16(6):575–91.
[13] Duijm NJ, Goossens L. Quantifying the influence of safety management on the reliability of safety barriers. J Hazard Mater 2006;130(3):284–92.
[14] Paté-Cornell ME, Murphy DM. Human and management factors in probabilistic risk analysis: the SAM approach and observations from recent applications. Reliab Eng Syst Safety 1996;53:115–26.
[15] Røed W, Mosleh A, Vinnem JE, Aven T. On the use of hybrid causal logic method in offshore risk analysis, 2006, submitted.
[16] Aven T, Kristensen V. Perspectives on risk: review and discussion of the basis for establishing a unified and holistic framework. Reliab Eng Syst Safety 2005;90:1–14.
[17] Lindley DV. Making decisions. 2nd ed. New York: Wiley; 1985.
[18] Sandøy M, Aven T, Ford D. On integrating risk perspectives in project management. Risk Manage Int J 2005;7:7–21.
[19] Renn O, Klinke A. A new approach to risk evaluation and management: risk-based, precaution-based and discourse-based strategies. Risk Anal 2002;22:1071–94.
[20] Kristensen V, Aven T, Ford D. A new approach on Renn & Klinke's approach to risk evaluation and management. Reliab Eng Syst Safety 2006;91:421–32.