ARTICLE IN PRESS

Reliability Engineering and System Safety 93 (2008) 768–775

www.elsevier.com/locate/ress

A semi-quantitative approach to risk analysis,

as an alternative to QRAs
Terje Aven
University of Stavanger, Norway
Received 21 December 2006; received in revised form 16 March 2007; accepted 18 March 2007
Available online 24 March 2007

Abstract

In quantitative risk analysis (QRA) risk is quantified using probabilities and expected values, for example expressed by PLL values,
FAR values, IR values and F–N curves. The calculations are tedious and include a strong element of arbitrariness. The value added by
the quantification can certainly be questioned. In this paper, we argue that such analyses often are better replaced by semi-quantitative
analyses, highlighting assessments of hazards and barriers, risk influencing factors (RIFs) and safety improvement measures. The
assessments will be based on supporting information produced by risk analysts, including hard data and analyses of failure causes and
mechanisms, barrier performance, scenario development, etc. The approach acknowledges that risk cannot be adequately described and
evaluated simply by reference to summarising probabilities and expected values. There is a need for seeing beyond the standard
probabilistic risk results of a QRA. Key aspects to include are related to uncertainties in phenomena and processes, and manageability
factors. Such aspects are often ignored in standard QRAs.
r 2007 Elsevier Ltd. All rights reserved.

Keywords: QRA; Semi-quantitative approach; Uncertainties

1. Introduction
The standard way of reporting the results from
quantitative risk analyses (QRAs) (including probabilistic
risk analyses (PRAs)) is to present calculated frequencies
(expected values) and probabilities. Examples include
indices such as
 IR (individual risk—the probability that a specific
individual being present at a certain position is killed
during 1 year),
 PLL (the expected number of fatalities during 1 year),
 FAR (the expected number of fatalities per 100 million
exposed hours),
 safety function impairment frequencies and probabil-
ities,
 F–N curves showing the frequencies of accidents with at
least N fatalities.
E-mail address: terje.aven@uis.no.
See, e.g. Bedford and Cooke [1] and Vinnem [2]. The risk
indices form a risk picture, which constitutes the basis for
the risk evaluation, to determine the significance of the risk
and the need for risk reducing measures. Often risk
acceptance criteria (tolerability limits) are defined to give
a reference by which risk is assessed to be acceptable or not
acceptable.
This way of expressing risk and evaluating risk is
consistent with the common definition of risk: Risk is the
combination of probability and consequences [1–3]. By
highlighting relevant probabilities and associated expected
values, a risk picture is being presented.
However, this risk picture is not an objective state of
the world. It represents a ‘‘best estimate’’ or a ‘‘best
assignment’’, depending on the foundational basis of the
analysis:
(a) A probability is interpreted in the classical statistical
sense as the relative fraction of times the events occur if
the situation analyzed were hypothetically ‘‘repeated’’

0951-8320/$ - see front matter r 2007 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2007.03.025
 ARTICLE IN PRESS
T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775
an infinite number of times. The underlying probability
is unknown, and is estimated in the risk analysis.
(b) Probability is a measure of uncertainty about future
events and outcomes (consequences), seen through the
eyes of the assessor and based on some background
information and knowledge. Probability is a subjective
measure of uncertainty (the Bayesian perspective).
Following definition (a), we produce estimates of the
underlying true risk. This estimate is uncertain, as there
could be large differences between the estimates and the
correct risk values. As these correct values are unknown, it
is difficult to know how accurate the estimates are.
Following interpretation (b), we assign a probability by
performing uncertainty assessments, and there is no
reference to a correct probability. There are no uncertain-
ties related to the assigned probabilities, as they are
expressions of uncertainties.
For both perspectives, we conclude that risk cannot be
adequately described and evaluated simply by reference to
the summarising probabilities and expected values. In the
classical case, we have to take into account the uncertain-
ties in the estimates and in the Bayesian perspective we
have to acknowledge that the computed probabilities are
subjective probabilities conditional on a specific back-
ground information.
In a risk evaluation, we need to see beyond the computed
risk picture in the form of the summarising probabilities
and expected values. Traditional QRAs often fail in this
respect. This observation is the starting point for the
present paper. We acknowledge the need for analysing risk,
but question the added value by performing traditional
QRAs in many cases. The arbitrariness in the numbers
produced could be significant, due to the uncertainties in
the estimates or as a result of the uncertainty assessments
being strongly dependent on the assessors. As experienced
risk analysts, we have all struggled with the lack of
precision in risk analysis, and it has also been documented
by several benchmarking exercises, see e.g. [4].
To cope with this problem, alternative solutions are
suggested. One is to assess the uncertainties of the risk
estimates, which leads to the so-called probability of
frequency approach. In this approach, there are two levels
of probability introduced; the relative frequency inter-
preted probability reflecting variation (aleatory uncer-
tainty) within fictional populations and the subjective
probabilities reflecting the analyst’s uncertainty (epistemic
uncertainty) what the correct relative frequency probability
is, see e.g. [5,6].
However, in our view a search for accurate estimates of
some ‘‘true’’ risk is meaningless for situations involving
large uncertainties. Hard data showing the ‘‘truth’’ about
risk will not be available. Adopting the probability of
frequency approach, we first introduce infinite populations
of similar situations and related fictional parameters, for
example the probability of a large-scale accident. But what
is the meaning of this population and these parameters? If
769
we are to assess uncertainties of average performance of
quantities of this population, it is essential that we
understand what they mean. Then we become uncertain
what the correct values of these quantities. In our view this
approach creates uncertainties, and the analysis becomes
unnecessary complex. Its message is disturbed by a
discussion of uncertainties.
Another approach is to use intervals of probabilities, see
the overview by Coolen and Utkin [7]. This approach is
however in a rather early development stage and further
research is required to provide tools for implementation.
In this paper, we present and discuss an alternative
solution, acknowledging that risk cannot be accurately
expressed using probabilities and expected values. A QRA
is in many cases better replaced by a more qualitative
approach. We refer to it as a semi-quantitative approach as
aspects of risk may be quantified. The basic features of the
approach can be summarised as follows:
 A broad qualitative risk picture is established high-
lighting
J potential hazards/threats and accident scenarios,
J barriers and the effectiveness of these barriers,
J risk influencing factors (RIFs) and possible risk
reducing measures,
J uncertainties in phenomena and processes,
J vulnerabilities,
J special features of the consequences,
J manageability factors.
 Crude risk categorisations are defined based on this risk
picture, reflecting
J probabilities/frequencies of hazards/threats,
J expected losses given the occurrence of such a
hazard/threat,
J factors that could create large deviations between
expected outcomes and the actual outcomes (un-
certainties, vulnerabilities).
 Evaluations of the risk picture and categorisations to
compare alternatives and make judgments about risk
acceptance.
We will look closer into these features in the following
sections, using a case from the offshore industry as an
illustration.
Risk analysis is used as a basis for supporting decision
making, and is often used together with cost–effectiveness
analyses and cost–benefit analyses. These cost analyses are
based on the use of expected values and their rationale for
adequately reflecting safety measures are questioned, see
e.g. [8, 9]. The semi-quantitative approach recognises the
problems of these cost analyses and provides a more
comprehensive risk picture. The basic idea is that decision
making under uncertainty need be based on broader
perspective than given by such cost analyses. We refer to
the coming sections.
The need for seeing beyond the produced risk numbers
has been addressed by many researchers. In addition to the
 ARTICLE IN PRESS
770 T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775
above-cited references, we would like to mention [10], who
presents a risk governance framework. This framework
also highlights uncertainty aspects and special aspects of
the consequences. However, the scope of this framework is
risk management and risk governance, whereas our work
relates to the risk analyses and the way we perform these
analyses.
2. Basic features of the semi-quantitative approach
We will use an example to illustrate the basic features of
the semi-quantitative approach. This example is inspired by
a case presented in [9]. However, the analysis approaches
and results are different.
2.1. Problem definition and framing
Consider an existing offshore platform which is part of a
so-called ‘production complex’, i.e. with bridge linked
installations. The platform in question is a production
platform. The scope of the case is a significant modification
of the installation, implying adding of new production
equipment, which will have an impact on the risk level.
New equipment units will imply additional potential leak
sources, with respect to gas and/or oil leaks, which may
cause fire and/or explosion, if ignited. The decision to be
made is whether or not to install additional fire protection
for the personnel in order to reduce expected consequences
in the event of critical fires on the platform.
The installation has been designed and installed with
rather limited protection of personnel during use of escape
ways against fire and explosion effects. The installation has
an important function at the field as the only installation to
process all oil and gas from the field, which is expected to
continue to operate for the next 20 years.
A risk analysis is to be performed to support the decision
making. The question is how to do this. Below, we
summarise the basic elements when conducting the analysis
according to our semi-quantitative approach.
First, we need to generate a set of decision alternatives.
To simplify, say that only three alternatives were con-
sidered for further discussions:
(1) Minor improvement in order to compensate for
increased risk due to new equipment, but no further
reduction.
(2) Installation of protective shielding on existing escape
ways together with overpressure protection in order to
avoid smoke ingress in to the enclosed escape ways.
(3) Do nothing, accept situation as is.
Following a traditional approach to risk analysis, the
ambition now would have been to calculate risk using risk
indices such as IR, FAR and PLL. If the expected cost of
averting a statistical life is high, the safety investments
cannot be justified. A typical result for such an analysis
would have been that protective shielding costs too much
relative to the calculated risk reduction.
The conclusions following our semi-quantitative risk
analysis could have been the same. A risk analysis produces
decision support, not the decision. However, the way risk is
described could strongly influence the risk evaluation, i.e. the
process of judging the significance of the risk, whether risk is
acceptable, etc. The basic idea of the semi-quantitative risk
analysis approach is that a broad risk picture should be
presented, that goes beyond the probabilities and expected
values computed in the traditional analyses. Below, we
outline the basic features of such a picture.
2.2. Qualitative analysis
In this case, we have only one type of hazards,
hydrocarbon leakages, and the main barrier functions are
 prevent loss of containment (leak),
 prevent ignition,
 reduce cloud/emissions,
 prevent escalation,
 prevent fatalities.
For each barrier function, qualitative analysis are
conducted as in standard QRAs. However, the analysis
also highlight operational aspects. As an example of the
type of analysis we have in mind, consider the barrier block
diagram in Fig. 1 for a possible hydrocarbon release,
starting from the initiating event ‘‘valve in wrong position
after maintenance’’. In order to analyse the performance of
the barriers, fault trees can be constructed as shown by the
example in Fig. 2.
The probabilities of these events are influenced by a set
of RIFs, and it is common to use influence diagram to
show this influences. An example for the basic event
‘‘Operator fails to detect a valve in wrong position by self
check/checklist’’ is shown in Fig. 3.
Barrier block diagrams, event trees, fault trees, and
influence diagrams are key building blocks of many risk
analysis methods incorporating human and organisational
factors. Examples include the I-Risk [12], ARAMIS [13],
the BORA projects [11], the SAM approach [14] and the
HCL method [15].
These methods are both qualitative and quantitative. We
highlight the qualitative aspects in our approach. Com-
pared to these methods, we reduce the Quantitative
analysis based on this detailed modelling. Instead, we put
emphasis on the following information:
 historical records for hazardous situations and acciden-
tal events, such as leakages,
 historical records for the performance of barrier
elements/systems, such as the reliability of the gas and
fire detection systems,
 measurements and evaluations of the state of the technical
conditions of the various systems on the installation,
 ARTICLE IN PRESS
T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775 771

Initiating event Barrier functions End event

Detectionof valve(s) in Detectionof release prior

wrong position to normal production

Valve(s) in wrong Self control/

”Safe state”
position after check lists
Failurerevealed
maintenance (isolation plan)

3rd party control

of work

Leak test

Release of
hydrocarbons

Fig. 1. Barrier block diagram for one release scenario [11].

Failure to reveal valve(s) in of the basis (background information) for the risk assign-
wrong position after ments.
maintenance by self control/
use of checklists
From this analysis, it is concluded that the main safety
challenges are

(1) the increased accident risk caused by the modification

work,
Operator fails to detect (2) poor performance on a set of barrier elements,
Self control not a valve in wrong
performed/ checklists (3) deterioration of critical equipment, causing need for
position by self control/
not used use of checklists substantial maintenance.
A13
When presenting the risk picture, these challenges will be
an integrated part of the results. We will explain this below.
First we look into the risk quantification.
Use of self control/ Activity specified, but
checklists not not performed 2.3. Crude risk quantification: risk matrix
specified in program

A11 A12 The analysis group assigns probabilities for a number of

Fig. 2. Fault tree for failure of one barrier [11].
 investigation reports from near misses and accidents,
 evaluations of the performance of the main barrier
systems based on the historical records and expert
judgments,
 interviews of key personnel on operation and main-
tenance of the installation.
The aim of this part of the analysis is to establish a
picture of the state of the system (platform), and to identify
safety critical issues and factors, as well as uncertainties in
phenomena and processes. It constitutes an important part
events, using a rather crude risk matrix approach. Let us
use the analysis of the gas release as an example.
The hazardous situations identified are gas releases of
different sizes. Let say that we use three categories, r1, r2
and r3. For each of these, we assess the number of fatalities
C. The uncertainty distribution has an expected value
(centre of gravity) E[C|ri], which together with the assigned
probabilities pi ¼ P(release of category ri during the
coming year of operation) form the risk matrix. If pi is
large (typically larger than 0.5), we should replace the
probability by the frequency, the expected number of
leakages. Combining the probabilities pi and the expected
values E[C|rj], we obtain the expected number of fatalities
caused by this scenario. Summing up, we find the total
expected number of fatalities.
 ARTICLE IN PRESS
772 T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775

Area technician fails to

detect a valve in wrong
position by self control/
use of checklists

Maintain- Competence Procedures

Time
HMI ability/ of area for self Work permit
pressure
accessibility technician control

Fig. 3. Influence diagram for the basic event ‘‘Operator fails to detect a valve in wrong position by self check/checklist’’. (HMI: human machine interface).

Similarly, we establish risk matrices for ignited releases
(fires) and the expected consequences. Let fi denote the
assigned probability for the ith fire scenario (severe fire)
and let E[C|firei] denote the expected number of fatalities
given this scenario. Then, the pair (fi, E[C|firei]) forms the
risk matrix.
A set of scenarios are defined, and for these relevant
consequence calculations are carried out providing insights
about, e.g. initial release rates and development of the
discharge concentration (when and where we could get a
combustible mixture). From these studies and the analyst
group’s general risk analysis experience, the uncertainties
related to releases and consequences are assessed. The
assessments are based on all relevant information, includ-
ing the identified poor performance of some of the safety
barriers and the equipment deterioration problem. The
consecutive assigned probabilities and expected values
represent the analyst group’s best judgments, based on
the available information and knowledge (K).
To simplify the assessments, some pre-defined categories
of probabilities and expected values are defined. For the
probabilities pi, the following categories are used:
450%; 10  50%; 1  10%; 0:01  1% and o0:01%.
Hence, for the second category we predict 1–5 events for a
10 years period. To specify a probability, a default value is
assigned, by general comparisons with similar type of
systems, and partly based on studies performed as a part
of QRAs. Then a review of all key factors influencing the
probabilities are evaluated and based on this evaluation, the
probabilities are adjusted. In our case, the equipment
deterioration was identified as a critical issue. However, the
probabilities were not adjusted, but an assumption was made
that extended maintenance activities will be carried out.
The effect of the modification was assessed and the
probabilities and expected values adjusted. Also the effect
of the implementation of the protective shielding on
existing escape ways was assessed.
The following changes were quantified:
Modification:
 Increased pi, 5%.
 Increased fi, 5%.
 Increased PLL, 5%.
 Increased IR, 10% for a specific personnel group.
Effect of the implementation of the protective shielding on
existing escape ways (after modification):
 Reduced PLL, 30%.
 Reduced IR, 50% for a specific personnel group.
2.4. Uncertainty considerations and vulnerability
assessments
These figures represent the best judgments of the analysis
group. This risk picture is supplemented with uncertainty
considerations and assessments of vulnerability:
2.4.1. Equipment deterioration and maintenance
The deterioration of critical equipment is assumed not to
cause safety problems by implementing a special main-
tenance programme. However, experience gained on off-
shore installations indicates that unexpected problems
occur. Production of oil over time lead to changes in
operating conditions, such as increased production of
water, H2S and CO2 content, scaling, bacteria growth,
emulsions, etc.; problems that to large extent need to be
solved by the addition of chemicals. These are all factors
causing increased probability of corrosion, material brittle-
ness and other conditions that may cause leakages. The
quantitative analysis has not taken into account that
surprises might occur. The analysis group is concerned
about this uncertainty factor, and it is reported along with
the quantitative assessments.
2.4.2. Barrier performance
The historical records show poor performance on a set of
critical safety barrier elements, in particular for some types
of safety valves. The assignments of the expected number
of fatalities E[C] given a leakage or a fire scenario were
based on average conditions for the safety barriers, and
adjustments were made to reflect the historical records.
However, the changes made were small. The poor
performance of the barrier elements would not necessarily
result in significant reduced probabilities of barrier system
failures, as most of the barrier elements are not safety
critical. The barrier systems are designed with a lot of
 ARTICLE IN PRESS
T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775 773

redundancies. Nonetheless, also this problem causes 2.5. Summarising risk picture
concern, as the poor performance may indicate that there
is an underlying problem of operational and maintenance The results of the analysis are summarised in the
character, which results in reduced availability of the safety following table.
barriers in a hazardous situation. There are a number of
dependencies among elements for these systems, and the Quantitative See results above.
risk analysis methods for studying these are simplified with assessments The assigned fire
strong limitations. Hence, there is also an uncertainty risk is not
aspects related to the barrier performance. considered
unacceptable in
2.4.3. Vulnerability (robustness) itself
Protecting Moderate
The smoke production from fires will be very dense and
shielding improvement of
poisonous. The heat loads may be limited due to the smoke,
implemented assigned fire risks,
but still at such levels that personnel will be fatally injured about 30%
after few seconds. The existing escape ways do not provide measured by PLL.
any protection of personnel, to the extent that if a fire occurs, Significant
there are no barriers in order to protect personnel. improvement for
Heat and smoke protection on escape ways is a passive one personnel
way of protecting personnel, which does not require any group (50%)
mobilisation or action in an emergency. Therefore, it is
Uncertainty Minor Significant Undoubtedly
usually considered to be a robust way to reduce risk, as
factors etc. problem unacceptable
opposed to actions that rely on equipment to be started or
management actions to be implemented and followed up, Equipment 
which often will have much higher failure probability. deterioration
The analysis assigns a rather small probability of a Barrier 
critical fire. However, a fire may occur, and the additional performance
fire protection will have a considerable positive effect in Vulnerability 
order to protect personnel. The protection of escape ways (no protection
will also help in less critical fires, which will be more likely in the case of
fires)
to occur. During 20 years, a probability of 50% is assigned
for such fires.
Now, given this information, what is the conclusion?
2.4.4. Operational measures
Should the protective shielding be implemented?
A large part of hydrocarbon leaks are due to manual
That depends on the management attitude to risks and
intervention on process equipment. In theory, all non-
uncertainties, and of course costs. The analysis does not
essential personnel could be removed from all areas where direct the decision makers but provides a basis for making
effects could be experienced during the use of escape ways
appropriate decisions.
in a fire scenario. Management may however consider that
this places too much restriction on the operation of the
installations, such that this is not feasible in practice. The 2.6. Cost effectiveness
risk quantification is based on this assumption.
These issues are related to the quantitative risk result in Say that the investment cost for this measure is about 5
the following way. A probability assignment is a statement million £. Can this extra cost be justified?
P(A|K), a probability of an event given the background The expected reduced number of fatalities is rather
information K. Assumptions are a part of K. In the ageing small, and hence the expected cost per expected saved life
case, for example, K includes the assumption about the (the value of a statistical life) would give a rather high
implementation of an effective maintenance program. number, and a traditional cost–benefit (cost–effectiveness)
Hence, our probability assignments do not reflect all type criterion would not justify the measure. Say that the
of uncertainties. We may ask if the equipment deteriora- assigned expected reduced number of fatalities is 0.1. Then
tion may cause surprises, resulting in leakages? The we obtain a value of a statistical life equal to 5/0.1 ¼ 50
numbers do not explicitly express this issue. This is always million £. If this number is considered in isolation, in a
the case—the quantitative analyses have to be placed in a quantitative context, it would normally be considered too
broader context of the constraints and limitations of the high to justify the implementation of the measure.
analyses. Aspects to consider relate to hidden uncertainties This number is heavily dependent on key assumptions.
in the assumptions, the problem of expressing uncertainties Sensitivity analyses performed show that the value of a
by using probabilities and the selection of appropriate risk statistical life is very sensitive to changes in the probabil-
indices. ities of leakage and ignition.
 ARTICLE IN PRESS
774 T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775
According to our risk management perspective, we
should see beyond the results of the cost–effectiveness
analysis. The purpose of the safety investment is to reduce
risks and uncertainties, and the traditional cost–effective-
ness (cost–benefit) analyses do not reflect these concerns in
an appropriate way. The point is that these analyses are
based on the use of expected values, and hence give little
weight to risks and uncertainties. Investments in safety are
not only justified by reference to expected values. Manage-
ment review and judgment is required to balance the
different concerns and give the right weight to the risks and
uncertainties. A mechanical analytical procedure prescrib-
ing the decision cannot be justified according to our way of
thinking. The broad risk picture established, together with
the cost–effectiveness (cost–benefit) analyses, provide a
basis for the decision making.
3. Discussion and conclusions
We define risk by the combination of possible con-
sequences of the activity and associated uncertainties [16].
Let C denote the consequences or outcomes associated
with the activity. Typically, C would be expressed by some
quantities C1, C2, y, e.g. the number of fatalities and
number of injuries. The quantity C is unknown—we are
uncertain what value C will take. The uncertainty results
from lack of knowledge, about C and underlying influen-
cing phenomena and processes. Hence, it is epistemic.
Subjective probabilities are used to assess the uncertainties,
in line with basis (b) introduced in Section 1. The reference
is a certain standard such as drawing a ball from an urn. If
we assign a probability of 0.1 for an event A, we compare
our uncertainty of A to occur with drawing a specific ball
from an urn having 10 balls [17].
This definition of risk acknowledges that risk cannot be
adequately described and evaluated simply by reference to
summarising probabilities and expected values. There is a
need for seeing beyond these values. Computed probabil-
ities and expected values are not objective quantities, but
subjective assignments conditioned on the background
information (including assumptions and suppositions).
Hence, we may characterise risk by (I, C, I*, C*, U, P,
K), where I refers to the hazards (initiating events), C the
consequences, I* and C* are predictions of I and C, U the
uncertainties, P the assigned probabilities and K the
knowledge and background information the analysis is
based on (e.g. assumptions, models). The aim of the risk
analysis is to establish a risk picture covering all relevant
dimensions of (I, C, I*, C*, U, P, K).
This conclusion of seeing beyond the probabilities and
expected values also applies for other risk perspectives,
including the standard definition expressing that risk is the
combination of possible consequences and associated
probabilities. Probabilities need to be estimated or
assigned, and we need to address uncertainties in phenom-
ena and processes as illustrated by the example in the
previous section.
In general, the risk picture should highlight the following
aspects, in addition to presenting probabilities and
expected values:
 uncertainties in phenomena and processes,
 manageability factors.
Uncertainties were discussed in the previous section. Are
there large uncertainties related to the underlying phenom-
ena, and do experts have different views on critical aspects?
It is an aim to identify factors that could lead to
consequences C far from the expected consequences E[C].
A system for describing and characterising the associated
uncertainties are outlined in Sandøy et al. [18]. This system
reflects features such as the current knowledge and
understanding about the underlying phenomena and the
systems being studied, the complexity of technology,
the level of predictability, the experts’ competence, and
the vulnerability of the system.
The level of manageability is related to the extent for
which it is possible to control and reduce the uncertainties,
and obtain desired outcomes. The expected values and the
probabilistic assessments performed in the risk analyses
provide predictions for the future, but some risks are more
manageable than others, meaning that the potential for
reducing the risk is larger for some risks compared to
others. By proper management, we seek to obtain desirable
consequences. This leads to considerations on for example
how to run processes reducing risks (uncertainties) and
how to deal with human and organisational factors and
obtain a good safety culture.
A search procedure needs to be established to identify
the uncertainty and manageability factors. Such a proce-
dure can be based on the initial analysis addressing
historical records, measurements and evaluations of the
state of systems and equipment, as well as interviews of key
personnel. Reference is given to the list in Section 2,
qualitative analysis. Active involvement of system experts
are required. In our example, personnel with operational
experience are in a position of identifying safety critical
issues that could be difficult to reveal using other sources.
Furthermore, the assumptions and suppositions of the
probability assignments in the quantitative analysis pro-
vide an additional checklist. We would also like to draw
attention to the list of special consequence features
presented by Renn and Klinke [19] (see also [20]).
Examples of such features are temporal extension, delay
effects, irreversibility and aspects of the consequences that
could cause social mobilisation, i.e. violation of individual,
social or cultural interests and values generating social
conflicts and psychological reactions by individuals and
groups who feel afflicted by the consequences. This feature
classification system can be used as a checklist for ensuring
the right focus of the analysis, i.e. that we address the
appropriate consequences attributes C. But it can also be
used as a checklist for identifying relevant uncertainty and
manageability factors. For example, the feature ‘‘delay
 ARTICLE IN PRESS
T. Aven / Reliability Engineering and System Safety 93 (2008) 768–775
effects’’ could lead to a focus on activities or mechanisms
that could initiate equipment deteriorating processes
causing future surprises.
Quantifying risk using risk indices such as FAR and PLL
gives an impression that risk can be expressed in a very
precise way. However, in most cases, the arbitrariness is
large, and our approach acknowledges this by providing
crude risk numbers, including assessments of the factors
that can cause ‘‘surprises’’ relative to the probabilities and
the expected values. We are not negative to detailed risk
quantification as such, but quantification often require
strong simplifications and assumptions and as result,
important factors could be ignored or given too little (or
much) weight. In a qualitative or semi-quantitative analysis
a more comprehensive risk picture can be established,
taking into account underlying factors influencing risks. In
contrast to the prevailing use of QRAs, the precision level
of the risk description is in line with the accuracy of the risk
analysis tool. In addition, risk quantification is very
resource demanding. We need to ask whether the resources
are used in the best way. We conclude that in many cases
more is gained by opening up for a broader more
qualitative approach, which allows for considerations
beyond the probabilities and expected values. We acknowl-
edge that more research is required to establish a ‘‘perfect’’
structure for such a qualitative or semi-quantitative
approach—the aim of this paper has been to given some
overall considerations and outline some main ideas.
Acknowledgement
The author is grateful to two anonymous reviewers for
useful comments and suggestions to an earlier version of
the paper.
References
[1] Bedford T, Cooke R. Probabilistic risk analysis: foundations and
methods. Cambridge: Cambridge University Press; 2001.
775
[2] Vinnem JE. Offshore risk assessment. 2nd ed. London: Springer;
2007.
[3] ISO. Risk management vocabulary. ISO/IEC Guide 73, 2002.
[4] Lauridsen K, Christou M, Amendola A, Markert F, Kozine I, Fiori
M. Assessing the uncertainties in the process of risk analysis of
chemical establishments. In: Zio E, Demichela M, Piccinini N,
editors. Safety and reliability. Towards a safer world. Proceedings.
vol. 1. ESREL 2001. Torino (IT), 16–20 September 2001. p. 592–606.
[5] Kaplan S, Garrick BJ. On the quantitative definition of risk. Risk
Anal 1981;1:11–27.
[6] Aven T. Foundations of risk analysis: a knowledge and decision-
oriented perspective. New York: Wiley; 2003.
[7] Coolen FPA, Utkin LV. Imprecise reliability: a concise overview. In:
Proceedings ESREL 2007, Stavanger, June 25–27, 2007.
[8] Aven T, Abrahamsen EB. On the use of cost-benefit analysis in
ALARP processes, 2006, submitted.
[9] Aven T, Vinnem JE. Risk management, with applications from the
offshore oil and gas industry. Springer; 2007.
[10] Renn O. White paper no. 1. Risk Governance, IRGC, 2005.
[11] Aven T, Hauge S, Sklet S, Vinnem JE. Methodology for incorporat-
ing human and organizational factors in risk analyses for offshore
installations. Int J Mater Struct Reliab 2006;4:1–14.
[12] Papazouglou IA, Bellamy LJ, Hale AR, Aneziris ON, Ale BJM, Post
JG, et al. I-Risk: development of an integrated technical and
management risk methodology for chemical installations. J Loss
Prevent Process Ind 2003;16(6):575–91.
[13] Duijm NJ, Goossens L. Quantifying the influence of safety manage-
ment on the reliability of safety barriers. J Hazard Mater
2006;130(3):284–92.
[14] Paté-Cornell ME, Murphy DM. Human and management factors in
probabilistic risk analysis: the SAM approach and observations from
recent applications. Reliab Eng Syst Safety 1996;53:115–26.
[15] Røed W, Mosleh A, Vinnem JE, Aven T. On the use of hybrid causal
logic method in offshore risk analysis, 2006, submitted.
[16] Aven T, Kristensen V. Perspectives on risk: review and discussion of
the basis for establishing a unified and holistic framework. Reliab
Eng Syst Safety 2005;90:1–14.
[17] Lindley DV. Making decisions. 2nd ed. New York: Wiley; 1985.
[18] Sandøy M, Aven T, Ford D. On integrating risk perspectives in
project management. Risk Manage Int J 2005;7:7–21.
[19] Renn O, Klinke A. A new approach to risk evaluation and
management: risk-based, precaution-based and discurse-based stra-
tegies. Risk Anal 2002;22:1071–94.
[20] Kristensen V, Aven T, Ford D. A new approach on Renn & Klinke’s
approach to risk evaluation and management. Reliab Eng Syst Safety
2006;91:421–32.