Journal of Loss Prevention in the Process Industries 32 (2014) 319e334

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

Accident modelling and analysis in process industries

Ali Al-shanini a, b, Arshad Ahmad a, b, *, Faisal Khan c
a
Institute of Hydrogen Economy, Universiti Teknologi Malaysia, 81310 Johor Bahru, Malaysia
b
Faculty of Chemical Engineering, Universiti Teknologi Malaysia, 81310 Johor Bahru, Malaysia
c
Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St. John's, NL A1B 3X5, Canada

a r t i c l e i n f o a b s t r a c t

Article history: Accident modelling is a methodology used to relate the causes and effects of events that lead to acci-
Received 25 July 2014 dents. This modelling effectively seeks to answer two main questions: (i) Why does an accident occur,
Accepted 30 September 2014 and (ii) How does it occur. This paper presents a review of accident models that have been developed for
Available online 5 October 2014
the chemical process industry with in-depth analyses of a class of models known as dynamic sequential
accident models (DSAMs). DSAMs are sequential models with a systematic procedure to utilise precursor
Keywords:
data to estimate the posterior risk profile quantitatively. DSAM also offers updates on the failure prob-
Accident modelling
abilities of accident barriers and the prediction of future end states. Following a close scrutiny of these
Dynamic sequential accident models
Dynamic risk assessment
methodologies, several limitations are noted and discussed, and based on these insights, future work is
Precursor data suggested to enhance and improve this category of models further.
© 2014 Elsevier Ltd. All rights reserved.

1. Introduction However, this is difficult to realise unless accidents can be antici-

The chemical process industry (CPI) is a highly complex system
with diverse equipment, control schemes and operating pro-
cedures. It is also common for plants in this industry to utilise a
variety of hazardous materials as raw materials and/or products.
The interactions among these components, human factors, and
management and organisational (M&O) issues make CPI suscepti-
ble to process deviations, which, in turn, may lead to failures if not
properly managed (Khan and Abbasi, 1998c, Papazoglou et al.,
1992). As illustrated by Fig. 1, when process failures occur, some
may be recovered from, while others escalate into minor or major
accidents and losses. To maintain the plant economy at desired
levels, process plants are often equipped with a comprehensive
process control system to ensure smoothness of operation and to
prevent accidents. The system provides protection through varying
degrees of automation, facilitated by human intervention and
shielded by additional layers of protection as mitigating measures
should the system fail. Nevertheless, despite all these measures,
accidents still continue to happen. Examples of recent accidents in
the CPI, along with some key information, are shown in Table 1.
An efficient means of combating accidents is to formulate suit-
able preventive measures targeting the right plant components.
* Corresponding author. Faculty of Chemical Engineering, Universiti Teknologi
Malaysia, 81310 Johor Bahru, Malaysia.
E-mail address: arshad@cheme.utm.my (A. Ahmad).
pated and are thoroughly understood, such that the failed
component can be identified prior to the occurrence of an accident.
Such efforts fall within the realm of accident modelling, which
relates the causes and effects of events that lead to accidents.
Effectively, accident modelling seeks to answer two main ques-
tions: (i) why does an accident occur, and (ii) how does it occur. The
development of these methodologies can be traced back to 1941,
when Heinrich introduced the domino theory (Qureshi, 2007).
Accident models can be classified in many ways. Qureshi (2007)
has proposed a reasonably comprehensive classification by dividing
the models into two broad categories, i.e., traditional and modern:
the traditional approach is further categorised into sequential
(SAMs) and epidemiological (EAMs), while the modern approach
includes systematic (SyAMs) and formal (FAMs). This classification
can be further extended by introducing a third category within the
modern approach, called the dynamic sequential accident model
(DSAM) (see Fig. 2). DSAM is a precursor-based technique that in-
cludes two modelling schemes: (i) process hazard prevention ac-
cident models (Kujath et al., 2010; Rathnayaka et al., 2011a); and (ii)
dynamic risk assessment (DRA) models. Some of the most common
accident models based on this categorisation are shown in Fig. 2.
The accuracy, capability, and limitation of accident models vary
significantly, depending on their purpose and focus (Rathnayaka
et al., 2011a). Brief descriptions of these AMs (except the DSAMs
because they will be extensively reviewed in this article), as well as
their limitations regarding their use in the CPI, are summarised in
Table 2. One major problem with these models is that they are

http://dx.doi.org/10.1016/j.jlp.2014.09.016
0950-4230/© 2014 Elsevier Ltd. All rights reserved.
320 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
Fig. 1. Safety Pyramid (adopted from Phimister et al. (2003)).
generally case-specific, with outcomes that are mostly descriptive
and qualitative. Those that have quantitative components suffer
from data scarcity and uncertainty limitations. As such, they have a
limited ability to provide general solutions that are capable of
representing a wider class of problems and representing non-linear
interactions, uncertainties and data scarcity.
In contrast, DSAMs have the advantage of simplicity due to
their sequential structure and can represent non-linearity and
interactions through the use of different model sequences within
one framework. DSAMs use real-time precursor data (e.g., near-
miss, mishap, incident, and accident) to estimate the likelihood
of all possible end-states. Furthermore, they provide updated risk
profiles that facilitate better decision-making. Such uses of pre-
cursor data are particularly useful in cases involving a high
likelihood of occurrence or severe losses commonly found in the
CPI, as well as in the nuclear, aerospace, and aviation industries.
Thus, precursor programs have been developed for compulsory
safety requirements such as site-specific and company-specific
near-miss programs in the CPI. Similarly, the nuclear industry
has also introduced the Accident Sequence Precursor (ASP) and
the Institute for Nuclear Power Operation's Significant Event
Evaluation and Information Network programs (van der Schaaf
et al., 1991).
This paper analyses the development and application of dy-
namic sequential accident models as a part of precursor-based ac-
cident modelling. Section 2 extensively reviews the DSAMs and
their developmental steps, and highlights recent developments
within each step. Section 3 covers the application of DSAMs. This is
followed by the future research needed in AMs and risk-
assessment-based precursor data in section 4, and the conclu-
sions of this analysis are presented in section 5.
2. Dynamic sequential accident model (DSAM)
DSAM is a part of precursor-based dynamic risk analysis that
uses common sequential models such as Fault Tree (FT) and Event
Tree (ET) to represent accident scenarios and is often combined
with other approaches to accommodate non-linear and complex
interactions, as well as dynamic updating features, in one frame-
work. To overcome uncertainty issues associated with failure data,
an updating scheme based on precursor data was proposed as
early as 1982 (Minarick and Kukielka, 1982). This study, which was
carried out to estimate core damage failure probability in the
nuclear industry, was echoed in many other efforts, leading to the
development of methodologies that integrate the use of precursor
data into reliability analysis. Some of these works include
Modarres and Amico (1984); Lois (1985); Hoertner and Kafka
(1986); Hoertner et al. (1985); Ballard (1985); Cooke et al.
(1987); Bier and Mosleh (1990); Oliver and Yang (1990); Cooke
and Goossens (1990); Bier (1993); Abramson (1994); Bier and Yi
(1995); Yi and Bier (1998); Meel and Seider (2006); Meel
(2007); Kalantarnia et al. (2009a); Rathnayaka et al. (2011a,
2011b); Pariyani et al. (2012a, 2012b), the most significant of
which is the systematic dynamic methodology proposed by Oliver
and Yang (1990). Their method uses a Bayesian approach to update
the failure probabilities of safety systems in an Event Tree through
the use of precursor data. In addition to overcoming uncertainty
and the scarcity of reliable data, this dynamic feature also provides
posterior information that supports risk-based decision-making
for safer plants.
As illustrated in Fig. 2, the DSAMs can be conveniently cat-
egorised into two modelling schemes: process hazard prevention
accident models (PHPAMs) and dynamic risk assessment (DRA)
models. These will be elaborated in subsequent sections.
2.1. Process hazards prevention accident model (PHPAM)
This family of accident models was recently introduced by
Khan and co-workers, targeting applications in the CPI. To date,
two models have been proposed, i.e., an off-shore oil and gas
process industry accident model, and a system hazard identifi-
cation, prevention and prediction (SHIPP) methodology. The off-
shore oil and gas process industry accident model developed by
Kujath et al. (2010) is founded on the assumption that accidents
in off-shore oil and gas facilities are initiated by hydrocarbon
release, which then propagates into accidents. As a safety mea-
sure, five prevention barriers are installed along the accident
propagation path to prevent and/or mitigate the impact of the
release, as shown in Fig. 3. Within this modelling paradigm, the
worst-case scenario occurs when all barriers fail, resulting in
major or catastrophic accidents. Failures of prevention barriers
are modelled using FT, while the resulting consequences are
modelled using ET. Precursor data of end-state events in the ET
are used to update the failure probabilities of the safety barriers
using Bayesian theory. The model was successfully applied to the
Piper Alpha (1988) and BP Texas City refinery (2005) accidents.
However, the model has some limitations, including the
following: (i) it only considers operational and technical failures
as causes of accidents, and other contributing factors such as
human and organisational errors are not reflected (Rathnayaka
et al., 2011a); and (ii) it does not consider other initiating
events that could lead to accidents, such as explosions or other
forms of energy releases.
To overcome the weaknesses of the off-shore model, an exten-
sion was introduced by Rathnayaka et al. (2011a) by incorporating
the neglected factors into a new framework to model CPI accidents.
This extended model is called the System Hazard Identification,
Prediction and Prevention (SHIPP) methodology. Within the SHIPP
framework, all accident causations related to operational and
technical, human, management and organisational aspects are
included and formulated into seven prevention barriers as shown
in Fig. 4. Among these, three barriers, i.e., release prevention (RPB),
ignition prevention (IPB) and escalation prevention (EPB) are the
same as in the off-shore model. Three barriers are new, i.e.,
dispersion prevention (DPB), human factor prevention (HPB), and
management and organisational prevention (M&OPB). The last
barrier, i.e., damage control and emergency management preven-
tion (DC&EMB), is a combination of the harm and loss barriers in
the off-shore model with some modifications.
Based on a release of material, six consequences are considered
depending on the success or failure of the barriers. These conse-
quences are safe, near-miss, mishap, incident, accident, and serious
 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
accident, as shown in Fig. 4. Similarly, a Bayesian update mecha-
nism is implemented using accident precursor data to update the
failure probabilities of all barriers. In addition, SHIPP also employs a
stochastic prediction model to compute the number of abnormal
events in the next time interval. These prediction and failure
updating features facilitate risk-based decisions and the prioriti-
sation of initiatives such as maintenance, management of changes,
and safety plans to improve inherent safety.
SHIPP was successfully applied to two LNG facilities, and
promising results were obtained (Rathnayaka et al., 2011b; and
Rathnayaka et al., 2012). Despite this potential, the SHIPP model
suffers from four main limitations. First, the framework only con-
siders process hazards, leaving other hazards such as external and
occupational hazards unaccounted for. Second, it has dependency
limitations that makes some barriers illogical for certain initiating
events. For example, in case of toxic and non-flammable material
release, ignition barriers will be irrelevant in the accident path.
Third, the capability for predicting future events are provided by a
stochastic Poisson-gamma model, which has the tendency to un-
derestimate the expected events and has a relatively low sensitivity
to the observed data. Fourth, the updating technique only estimates
the failure probability of barriers and cannot specifically determine
the posteriors of basic events in the fault tree models of the pre-
vention barriers. This can be overcome using vulnerability ranking
analysis. Details on future studies needed to improve DSAM are
discussed in section 4.
2.2. Dynamic risk assessment (DRA) methodology
DRA, which is also known as Dynamic Quantitative Risk
Assessment (DQRA) methodology, is an extension of the QRA
methodology to include updates of the failure probabilities of
safety systems for a particular accident scenario using precursor
data (Meel, 2007; Kalantarnia et al., 2009a). In a typical QRA
methodology, four main steps are involved, i.e., hazard identifica-
tion to identify plausible hazards, frequency evaluation to estimate
the likelihood of occurrence, consequence analysis to assess the
severity of the effect, and risk quantification to determine the risks
associated with the hazards identified (CCPS, 2000). As shown in
Fig. 5, the major difference between QRA and DRA is that the latter
provides additional steps in the likelihood estimation to include
dynamic probability assessment by translating accident precursor
data into a likelihood function and estimating the posterior failure
probability. DRA methodology follows the following six steps: (i)
hazard identification, (ii) scenario generation and prior probabili-
ties estimation, (iii) likelihood function formation, (iv) posterior
failure probabilities estimation, (v) consequence analysis, and (vi)
posterior risk calculation (Meel, 2007; Kalantarnia et al., 2009a).
2.2.1. Hazard identification
Similar to QRA, the hazard identification step in a DRA involves
the identification of potential hazards resulting from plausible
failure scenarios and their consequences, such as injuries, fatalities,
and property damages and other loses. At this stage, several hazard
identification techniques can be used, as reviewed by (Glossop
et al., 2000; Gould et al., 2005), including checklists, what if anal-
ysis, hazard and operability (HAZOP) analysis, and hazard identi-
fication and ranking (HIRA).
Checklist analysis is the simplest technique, involving a list of
questions related to operation, organisation, maintenance, and
other aspects, which need to be verified and checked against the
process facilities. However, it has a limited analysis power, as it can
only analyse one item per time and cannot be used effectively for
complex systems and conditions in which the resulting hazards are
due to interactions between many process variables such as
321
temperature, pressure, and flows (Khan and Abbasi, 1998c; Oyeleye
and Kramer, 1988; Rogers, 2000; Bahr, 2000; Hyatt, 2003; Mannan,
2004; Ericson, 2005).
“What if analysis” is the oldest hazard identification technique
(CCPS, 1985; Mannan, 2004) and is based on a set of “what if”
questions to be answered. It is simple to use, but significant time
and expertise are required to develop questions, which are typically
case-specific (Khan and Abbasi, 1998d). The identification efficiency
of this technique can be improved by combining it with checklist
analysis (Rogers, 2000; Mannan, 2004).
HAZOP is popular because it is structured and thus effective to
use. This approach involves a team effort that gathers various forms
of expertise to incorporate experiences and process information
that are illustrated in documents such as PI&D, PFD, and operation
manuals. As it is time-consuming, many studies have been carried
out to include some level of automation in the procedure
(McKelvey, 1988; Montague, 1990; Khan and Abbasi, 1997a, b). The
HAZOP technique that originated from Imperial Chemical In-
dustries (ICI) in 1974 has undergone many modifications to
improve its effectiveness in implementation. Most of these modi-
fications can be found in a valuable review article by Dunjo  et al.
(2010).
HIRA is an identification and ranking technique specifically
designed for chemical processes and unit operation based on multi-
attribute hazard identification and ranking. This technique was
proposed by Khan and Abbasi (1998c), in which the hazard in
process units is treated as a function of the material used, unit
capacity, unit operation type, operation conditions, and surround-
ings. HIRA provides two output risk hazard indices: the fire and
explosion damage index, and the toxic release and dispersion in-
dex. This technique has been applied for hazard identification in
Optimum Risk Analysis (ORA) (Khan and Abbasi, 2001).
2.2.2. Scenario generation
After identifying all plausible hazards, the Event Tree (ET) model
is constructed to formulate possible sequences associated with
each abnormal initiating event passing through safety systems
(barriers) and ending with final consequences. Reliability data of
prior failure probabilities of safety barriers, as well as failure fre-
quencies of abnormal initiating events have to be known either as
specific values (number) or in the form of distribution functions.
These prior data can be collected from the published literature,
experts’ judgment, and/or by accessing database agencies. In the
absence of such reliable data, a non-informative prior distribution
function that equally weights all parameters can be used, e.g., a
uniform distribution (Meel and Seider, 2006, 2008; Meel, 2007;
Kalantarnia et al., 2009a).
Fig. 6 shows the use of ET as a scenario generation technique.
The tree propagates through all safety barriers, including control
and technical equipment, human interventions, emergency pro-
cedures, and/or combinations of these events until the final end
states (Rausand and Høyland, 2004). Each event in the ET is con-
ditional and dependent on the occurrence of previous events. The
failure probabilities of the barriers and the end-state events are
evaluated quantitatively by multiplying the probabilities of the
sequence path starting from the initiating event to the end-state
passing through the safeguards of that sequence (CCPS, 2000;
Fullwood, 2000; Mannan, 2004; Rausand and Hoyland, 2004;

Ericson, 2005; Hong et al., 2009; Cepin, 2011).
For ease of implementation, efforts have been spent to auto-
matically generate ETs. Clementel and Galvagni (1984) proposed a
systematic computer code for ET generation that analyses 1000 to
10 000 events with individual event sequences. Papazoglou
(1998) has developed a mathematical basis algorithm to auto-
matically construct ETs via computer aid. Aram Hakobyan et al.
Table 1

322
Examples of some Recent Accident in CPIs.

No. Date of accident Accident location Accident type Accident reason Facility type The impact Reference

1 May 18, 2001 Northern part of fire and VCE Release of flammable chemicals Acrylic resin 100 injuries and high (Kao and Hu, 2002)
Taiwan manufacturing property damage
plant including part damage
of 16 nearby plants
2 January 19, 2004 Skikda, Algeria VCE and flash fire A leak in the hydrocarbon A steam boiler, Partly destroyed of the (Beale, 2006)
refrigerant system, followed by LNG plant plant, 27 deaths and
ignition source that yielded from 74 injuries
a failure in boiler within the steam
drum leading to rise pressure and
drum rupture.
3 July 30, 2004 Ghislenghien, Fireball and VCE Release due to pipe damage by NLG pipeline 24 deaths, over 120 (Mahgerefteh and Atti,
Belgium unknown reason injuries and property 2004)

A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
damage
4 March 23, 2005 BP's Texas City Fireball and VEC Release due to raffinate splitter Gasoline 15 deaths, 180 injuries CSB, 2007
refinery tower overfilled isomerization and high property
unit, oil refinery about 1.5 billion $
5 December 11, 2005 Buncefield, UK VCE and huge fire Release of gasoline vapor due to Storage facility Burning about 58,000 (Vautard et al., 2007)
overfilling of a depot tank that tons of fuel led to huge
ignited environmental impact.
6 January 30, 2007 Little General VCE Liquid propane release Propane store 4 deaths, 6 injuries CSB (2008a)
Store in Ghent, tank and destroy nearby
West Virginia, USA vehicles
7 February 16, 2007 Valero's McKee Fire Liquid propane release cracked control 4 injuries and property CSB (2008b)
Refinery near station piping loss about 50 million
Sunray, Texas. USA at refinery US dollars
8 July 17, 2007 Valley Center, Explosion and Ignitable vapor-air mixtures Solvents facility Property loss CSB (2008c)
Kansas fireball inside tanks
9 October 2, 2007 west of Denver, Fire Likely static ignition Xcel Energy‘s 5 deaths and 3 injuries CSB, 2010
Colorado, USA hydroelectric
plant
10 October 29, 2007 Barton Solvents fire and series Ethyl acetate release due to chemical 2 injuries and property CSB (2008d)
Des Moines, Iowa. of explosions operator mistake distribution loss
USA facility
11 November 1, 2007 Carmichael, Fireball and VCE Liquid propane release by the Liquid propane 2 deaths, 7 injuries and NTSB, 2009
Mississippi, USA reason of weak welded pipeline property loss for comp.
about 33,77,247 $ in
addition to several
houses were destroyed
12 December 19, 2007 Inc. (T2),Jacksonville, powerful explosion Loss of sufficient cooling to the a chemical 4 deaths, 32 injuries CSB (2009a)
Florida, USA (eq. 1400 lb. TNT), chemical reactor leading to manufacturer and destroyed T2
and fire runaway reaction, that resulted Laboratories
an high and uncontrollable
temperature and pressure
13 February 7, 2008 Port Wentworth, a series of sugar Unknown source ignited the Sugar 14 deaths, 6 injuries CSB (2009b)
Georgia, USA dust explosions sugar dust manufacturing and high property
and fire facility loss in facility unites
14 August 28, 2008 Bayer CropScience Fire and explosion Chemical reaction runaway Methomyl unit 2 deaths, 8 injuries CSB, 2011
facility in Institute, inside a pressure vessel leading and damage the unit
West Virginia, USA to explore the vessel that led fire
15 June 29, 2009 Viareggio, Italy VCE and flash fire Derailing of a freight train LPG train tanks High property loss in (Brambilla and Manca,
loaded with 630 tons LPG in the street area. 31 2010)
14 tanks people died and
more than 30 injuries
16 January 8, 2010 Nanpao Resin Co. Fire and explosion Fluid leaking from the cumene Chemical Destroyed about 4298 (Chen et al., 2010)
Taiwan oxidation tower manufacturer square meters of
plant's area, partly
 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334 323

(2008) introduced a software tool for the dynamic automated

generation of event trees based on user-specified criteria for ET

(Ahmed et al., 2012)

(UNEP/OCHA, 2011)

(Tullo and Johnson,

(Tullo and Johnson,

branching.
(Cleveland et al.,

In cases where data regarding barrier failure probabilities are

NTSB, 2011
lacking, FTA can be used to estimate values by analysing the com-
binations of possible causes that lead to these failures (Kujath et al.,
2010)

2013)

2013)
2010; Rathnayaka et al., 2011a; Tan et al., 2013). As in ET, to expedite
implementations, a number of computer-aided tools have been
developed to generate and evaluate FTs (Khan and Abbasi, 2000;
Ferdous et al., 2007, 2009; Majdara and Wakabayashi, 2009).
38 homes and damaged 70

More than 100 deaths and

company Taiwan Steel &

Today, commercial software is available, including CARA-FaultTree,

includes fully destroyed
4.2 million barrels were
injuries, and caused the

8 deaths, many injuries

in US history with very

52 injuries, 116 houses

damage of a neighbour

1 death, 7 injuries, and

Iron Co. and plant shut

largest marine disaster

down for repairing job

at least more than 100

impact in which about

and property damage

PROFAT, Relex Reliability Software, and FaultTreeþ.

2 deaths, 73 injuries,
huge environmental
11 deaths, workers'

spilled into the sea

At least 27 deaths,
and property loss

property damage
2.2.3. Likelihood function formation
In this step, a likelihood function is selected based on the
destroyed.

injuries characteristics of the accident precursor data obtained from the

plant (i.e., accidents, incidents, mishaps, and near-misses). These
functions may take the form of relative, conditional, marginal,
profile, or partial likelihood and are selected to suit both the data
and the type of probability distribution involved, e.g., discrete,
pipeline system

Ethylene plant

fertilizer plant
A fuel tank of

continuous, or discrete-continuous. Typically, a conjugate pair with

LNG pipeline
Offshore oil

Oil pipeline

a prior discrete distribution function is used (Oliver and Yang, 1990;

Nitrogen

Bier and Yi, 1995; Johnson and Rasmuson, 1996; Meel and Seider,
well

2006, 2008; Meel et al., 2007; Kalantarnia et al., 2009a;

Kalantarnia et al. 2010; Pariyani et al., 2012a). For example,
because the Beta and binomial distribution functions are a conju-
gate pair, the binomial distribution is therefore used as a likelihood
platform that effectively the pipe
The explosion led to sinking the
gas from the well into rig in the
reuse of high-pressure methane

function for the prior of the Beta distribution. Similarly, the Poisson
connection to well leading to
Offshore rig explosion due to

Fuel leaking from a fuel tank

existence of ignition source.

distribution function is used as a likelihood function for the prior

LNG release due to pipeline

off-loading of nitrogen gas

manifold ruptured during
Release of oil due to pipe

A temporary distribution

Gamma distribution.
punctured to steal oil

As an illustration, a binomial likelihood distribution is repre-

sented mathematically in Eq. (1) below.
Still unknown

n 
oil blowout

f ðdatayxÞ ¼ xs ð1  xÞf (1)

s
rupture

Here, f(datayx) is the binomial distribution function, the symbols

(s) and (f) demonstrate the number of successes and failures,
respectively, and (n) is the total number of successes and failures.
Explosion and oil spill

Discrete precursor data regarding an end-state event in an ET are

Fire and explosion

Fire and explosion

Fire and explosion

provided at each time interval. From these data, a likelihood

function has to be extracted as the number of successes and failures
for each safety barrier at each time interval. For each safety barrier
Explosion

Explosion

(x) in ET, there are two branches. The upper branch represents the
probability of success, while the lower branch denotes the proba-
bility of failure of the safety barrier. The number of successes (s) in
Eq. (1) is the summation of end-state events that branched from the
success branch. Similarly, the number of failures (f) is the sum-
William Olefins Inc,
BP's Macondo well,

Geismar, Louisiana

mation of end-state events that branched from the fail branch of

northern Gulf of

gas distribution
Nairobi Natural

the safety barrier at a particular time interval.

Donaldsonville
California, USA

CF Industries,

X X
A Petroleos
Mexicanos,
San Bruno,

sx ¼ mðxÞsb ; fx ¼ mðxÞfb (2)

Kenyan,
Mexico

Mexico

plant

Here, (sb), and (fb) denote the success branch and fail branch of a
particular safety barrier, respectively, and m(x) is the number of
occurrences of end-state events that are branched from the success
September 19, 2010

September 12, 2011

December 19, 2010
September 9, 2010

or fail branches of safety barrier (x) at each time interval.

April 20, 2010 to

For the ET in Fig. 6, there are four end-state events (C1 to C4),
June 13, 2013

June 14, 2013

with number of occurrences of m ¼ m1, m2, m3, m4 for each time

interval. Therefore, the likelihood function for safety barrier (A) in
the ET will be:
X
sA ¼ mðAÞsb ¼ m1 þ m2
X (3)
fA ¼ mðAÞfb ¼ m3 þ m4
17

18

19

20

21

22
324 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
Fig. 2. Accident model classification.
2.2.4. Posterior probability estimation
Using the prior failure probabilities and the likelihood function,
the posterior probability can be determined using Bayesian theory
as given by the following equation:
 
f ðxÞ f ðdatayxÞ
f ðxydataÞ ¼ P af ðxÞ f datayx
f ðxÞ f ðdatayxÞ
Here, f(xydata) is the posterior failure probability, f(x) is the prior
P
failure probability, f(datayx) is the likelihood function, and f(x)
f(datayx) is the normalisation factor. When the prior probability is
a constant value, Eq. (4) can be easily applied for posterior esti-
mation (e.g., see Kalantarnia et al., 2009a; Rathnayaka et al., 2011b).
However, in many cases, the prior probabilities are introduced as
distribution functions, and in cases such as these, the means or
medians of the distributions are considered (e.g., see Oliver and
Yang, 1990; Bier and Yi, 1995; Johnson and Rasmuson, 1996; Meel
and Seider, 2006; Kalantarnia et al., 2010).
As an illustration, consider a beta prior probability distribution
for a random variable, which is defined as:
f ðxÞaxa1 ð1  xÞb1
with prior mean ¼ a/(aþb) and variance ¼ ab/[(aþb)2(aþbþ1)],
where a and b are the shaping parameters of the beta distribution.
Because the posterior probability distribution is the product of the
multiplication of the prior and likelihood functions, the beta pos-
terior probability distribution may be represented as:
f ðxydataÞaxa1 ð1  xÞb1 xs ð1  xÞf
This can be further simplified to the following:
f ðxydataÞaxaþs1 ð1  xÞbþf 1
with the posterior mean of (aþf)/(aþf þ b þ s) representing the
posterior failure probability of ET safety systems corresponding to
their s and f values. As mentioned by Yi and Bier (1998), this
updating methodology for prior probabilities was first introduced
in Oliver and Yang (1990). In their work, independent successive
system failures were assumed. This means that the failure proba-
bilities of the sub-systems are not affected by the performance of
previous systems and sub-systems. For instance, the failure prob-
abilities of sub-systems xB1 and xB2 in ET shown in Fig. 6 are
assumed to be equal. For this reason, the estimation of systems
failure probabilities using this approach is not accurate and raises a
(4)
need for further dependency studies to improve the results of the
updating mechanism. However, the assumption of system inde-
pendence simplifies the calculation procedure. This strategy has
been followed by many studies to overcome the dependency lim-
itation. Despite this limitation, the Oliver and Yang (1990) approach
has been applied to a number of case studies including a storage
tank containing hazardous chemicals (Kalantarnia et al., 2009a), an
off-shore process facility (Kalantarnia et al., 2009b), and a Texas
City refinery (Kalantarnia et al., 2010), and in all cases good findings
were obtained. Furthermore, the approach has also been applied as
part of a methodology to estimate rare event frequency (Yang et al.,
2013).
2.2.5. Dependency studies of event tree safety systems and sub-
systems
(5) Johnson and Rasmuson (1996) introduced a dependency study
for ET safety sub-systems by assuming that the sub-systems are
perfectly independent. This means that xB1 and xB2 (in ET Fig. 6) are
independent and that determining the failure probability of system
B given the success of system A does not provide any information
about its failure probability under different conditions. Neverthe-
less, their approach includes interactions between subsystems
when sufficient data on the failure probabilities of these systems
(6) under different conditions are available. In this case, the probability
of a safety system can be affected conditionally by the previous
system. A reasonable estimation of sub-system safety probabilities
can be obtained by this approach when sufficient data are available
(7) under different conditional circumstances.
Contrary to the previous strategies, Bier and Yi (1995) intro-
duced an approach that includes intersystem dependency by
assuming that the sub-systems xB1 and xB2 have an extended nat-
ural conjugate prior Probability Density Function (PDF). In the PDF,
coupling functions with binomial expansion correlation factors
g(xB1, xB2) partially weigh the joint probability distribution f(xB1, xB2)
 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
Table 2
Accident Models and their limitations in CPI.
The accident model Brief description
SAMs Domino theory All SAMs regard accidents as outcomes of a chain of discrete
events that are taken place in a temporal order. Domino
theory describes accident sequence as a chain of five
discrete events or factors (social environment, fault of person,
unsafe acts or conditions, accident, injury) that if the first
factor falls, the four other factors will fall in a domino
fashion (Heinrich et al., 1980).
FTA It is a deductive and graphical technique that used as
standard technique to quantify failure probability of human
and technical systems. It has the capability to represent
multi-linear failure causes.
ETA It is an inductive, logic and graphical technique that is used
as standard technique for consequence analysis.
FMEA It is a step-by-step analysis approach for identifying potential
failures and then preventing them. In FMEA, failures of
individual
components or sub-systems are the initiating events. It is one
of standard methods for components failures in case of few
and well known modes of failures (McDermott et al., 2008).
CCA It is a combination of fault tree and event tree in which fault
tree describes cause analysis and event tree describes
consequence analysis. Consequently, CCA can illustrate time
delay in the analysis. Due to that, CCA is most frequently
applied to systems that their state changes with time
(Turney et al., 1996).
EAMs Swiss cheese model of The events, in this model, are propagation in same analogous
defense (Reason's model) as disease spreading. Accidents in EAMs are resulting from a
combination of manifest and some latent factors that are
taken place together in space and time. In Swiss cheese model;
procedure, human and material protection barriers were
introduced, and how they fail, as well how organizational
factor affects these barriers was asserted. In this model,
the accident cause - which can be either immediate or
proximal cause - is regarded as people fault either who is
involved in the process or interacting with the processes
technology (Reason, 1990).
SyAMs Rasmussen's model It is based on control theoretic concepts. This AM has
organizational, management, and operational frameworks
that signify as the preconditions of accidents
(Rasmussen, 1997).
AcciMap Rasmussen's It is a modification of Rasmussen's model. This model focuses
model on control of the hazardous process of the socio-technical
system (Rasmussen, 1997; Svedung and Rasmussen, 2000).
STAMP In STAMP, the accident causations are built on the system
theory that can represent accidents in non-linear complex
systems. Accident is defined here as control system
malfunction or safety related constraints due to inadequate
considerations of external disturbances or system
components interaction (Leveson, 2004).
CREAM It is an abbreviation of Cognitive Reliability and Error
Analysis Method (CREAM). In this model, human
performance cognitive characteristics are modeled to assess
the human error consequences on the safety aspect of
systems. Two major developments on CREAM have been
introduced DREAM and BREAM models (Hollnagel, 1998).
FRAM It is abbreviation of Functional Resonance Accident Model.
It is a qualitative accident model that assumes stable
internal, external and performance variabilities in
studied systems.
FSyAMs Probabilistic Models of In these models probabilistic causation approaches are
Causality used to model the interactions between causes and effects
instead of deterministic. From the probabilistic approaches
used are Bayesian logic and Bayesian network
(Johnson and Holloway, 2003).
WBA What-Because Analysis is based on formal semantics
and logic. In WBA, each component in the system is
highly affected by the overall system environment
(Ladkin, 1999).
325
AMs limitations in CPI
 Human failure was the only one considered factor
whereas others failures such as process,
management and organizational were not.
 It is a linear model that regards accident causal as
a result of single cause rather than multi-causes or
nonlinear as in real life.
 Cannot represent accident in complex systems
with nonlinear interactions (Qureshi, 2007).
 Cannot represent multi-linear causes of accident
or nonlinear casualty.
 Cannot represent multi-causes accident or
nonlinear casualty.
 independent relationships between failures and
consequences are considered
 It is easily to become bulky (compare with FT
and ET) that make it very complicated to follow
in such huge interactions as in accident modeling.
 It is linear causation model.
 The causality that links the organizational
conditions and accident consequence is complex.
 Qualitative model with no mathematical
representation.
 They are qualitative explanation of accident
causations with no quantification manner or
mathematical accident prediction model.
 Their outcome is not that quite precision
compare with other AMs such as WBA
model (Ladkin, 2005).
 It is a good qualitative analysis for accident.
However, development is needed for this
model in order to develop its control model
and classified the control defectives
(Qureshi, 2007).
 The lack to the quantification procedure and
prediction model.
 CREAM and its new modification models are
most suitable for accident in non-complex
socio-technical systems since they focus on
modelling human error consequences.
 No quantification procedure and accident
prediction model.
 It is assumption of stable internal, external,
and performance variabilities cannot represent
that real complex technical system where
variabilities are not stable (Hollnagel, 2004).
 It has only qualitative outcomes with no
qualitative procedure.
 These models are not complete AMs that consider
all causal interactions and this because of the
complexity of such approaches as a result of the
lack in the reliability data as well as the lack of
knowledge about the distribution function of
failures in huge system as in a complete
accident modeling.
 Its major application is in transportation accidents,
especially on aircraft accidents. However, it focus
more about the environment effects to the studied
system that limits its use to CPI due to the fact that
all component interactions and effects have to be
considered and studied fluently.
326 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334

Fig. 3. Off-shore oil and gas prevention accident model (Kujath et al., 2010).

of each sub-system. The prior joint probability density is repre-
sented as follows:
f ðxB1 ; xB2 ÞagðxB1 ; xB2 Þ xaB1 1 ð1  xÞbB1 1 xaB2 1 ð1  xÞbB2 1
Here, g(xB1,xB2) is the coupling function, and (aB1, bB1) and (aB2, bB2)
are distributions shaping the parameters of sub-systems xB1 and
xB2, respectively. Therefore, the posterior joint PDF becomes:
f ðxB1 ; xB2 ydataÞaf ðxB1 ; xB2 Þ f ðdatayxB1 ; xB2 Þ
0f ðxB1 ; xB2 ydataÞaf ðxB1 ; xB2 Þ xsB1 ð1  xÞfB1 xsB2 ð1  xÞfB2
where f(datayxB1,xB2) is the likelihood function of the joint PDF,
P copula functions were used to represent the interdependence be-
with successes and failures obtained from sj, k ¼ m(j, k)sb a fj,
P tween the safety sub-system barriers for a fluidised catalytic
k ¼ m(j, k)fb, and k represents the number of safety sub-systems
(k ¼ 2, 3, 4 … N). In addition to intersystem dependency analysis,
this approach also minimises the calculation time and the
computational difficulty through the use of Bayesian updating
because the distribution pair is closed under consecutive binomial
sampling. However, using coupling functions in this manner limits
the practical capability of this technique given that (i) the desired
values at a given time can only be achieved by trial and error; (ii)
the modelling correlation method is not useful for large numbers of
probabilities (Yi and Bier, 1998). The authors recommended ex-
tensions of their work to develop alternative coupling functions
that could simplify the estimation without having to use trial and
error mechanisms, and suggested the use of copula functions to
extend natural conjugate distributions. Furthermore, as a contin-
uation of their previous work, Yi and Bier (1998) applied bivariate
Archimedean (Frank, Gumbel, and Cook and Johnson) copulas and
MacKenzie's multivariate copula successfully to analyse the de-
pendency of the failure probabilities of two and three sub-systems,
(xA,1, x A,2) and (xA,1, xA,2, xA,3), respectively.
(8) Later, Meel and Seider (2006) applied the Cuadras and Auges
copula to study the interdependence of safety system failure
probabilities for CSTR precursor data. In this study, they also
developed prediction models to determine the expected number of
occurrences of abnormal events in the next time interval as a
posterior PDF of the Gamma-Poisson distribution pair. As an
extension to their group efforts, Pariyani et al., (2012a,b) introduced
(9)
a new methodology based on DRA to dynamically assess the risk
based on alarm databases to improve process safety and product
quality. In this case, the multivariate normal and Cuadras-Auge 
cracker based on plant data.
In recent years, Bayesian Networks (BNs) have been extensively
used in studies involving dependability, safety and risk assessment,
and maintenance. This is due to their ability to model probabilistic
data by taking into consideration dependency analyses between
events (Weber et al., 2012). This technique can also predict the
probability of accidents and estimate posteriors of events
depending on the BN configuration (Przytula and Thompson,
2000). Consequently, many studies have been carried out to
convert conventional reliability analysis techniques such as FTA,
ETA and reliability block diagrams (RBDs) into their equivalent BNs
through the use of conditional probability tables (CPTs) (Torres-
Toledano and Sucar, 1998; Bobbio et al., 2001; Bearfield and
Marsh, 2005) to overcome the dependency associated with these
conventional techniques. BN has also been applied to successfully

Fig. 4. SHIPP Accident model (Rathnayaka et al., 2011a).

 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
Fig. 5. Steps in the QRA and DRA methodologies.
represent the dynamic event tree (DET) with good accuracy, as can
be found in the work of Zhou et al. (2011), in which their proposed
Dynamic Bayesian Network (DBN) was applied to a self-destruction
subsystem of a missile; the authors found that this technique has
the ability to model failures with dependency analysis. Khakzad
et al. (2013) applied BN to estimate the posterior failure probabil-
ities of the safety systems of ET in a bow-tie model. In this case the
ET was first converted to its equivalent BN and then integrated with
precursor data.
2.2.6. Consequence analysis
Accidents in CPI can be divided into three broad categories:
explosion, fire, and toxic release. Each category contains sub-
categories of different classes of fires, explosions, and toxic
Fig. 6. Event tree.
327
releases (Abbasi et al., 2010). According to Lees (1996) and Mannan
and Lees (2005), fire has the highest frequency of occurrence in CPI,
accounting for 67.7% of the total accidents, followed by explosions
with 30.2%, and then toxic release with 2.1%.
Explosion is defined as a sudden and violent release of energy
(Lees, 1996) or a release of energy that causes a blast (CCPS, 1999)
and can be classified in many ways (Lees, 1996; CCPS, 1999; Abbasi
et al., 2010). However, for practical purposes, it is more convenient
to refer to the type of the explosion itself; among these, vapour
cloud explosion (VCE) and boiling liquid expansion vapour explo-
sion (BLEVE) are most important. VCEs are the most frequently
occurring explosions in the CPI, and as reported by Lenoir and
Davenport (1993), out of every ten large property losses, seven
are due to VCEs. Consequently, VCEs received most of the attention
until Kletz (1977) noted that BLEVEs can cause losses as great as
those resulting from VCEs. Abbasi and Abbasi (2007) listed some of
the BLEVE cases in the period 1926e2004 that led to significant
damages.
Fires are triggered when a release of flammable material due to
leakage or spillage is ignited. Fires are typically classified into four
types, pool fire, jet fire, fireball and flash fire, depending on the
release scenario (Pula et al., 2006). Pool fires begin with a release of
flammable liquid due to leakages or ruptures in pipes or tanks,
forming a pool on a surface, which then vaporises and is ignited. Jet
fires are a result of immediate ignition of continuous high pressure
release. This form of fire is considered the most dangerous due to
the high probability of impingement on objects within reach,
leading to possible domino effects. Fireballs are often caused by
failure of a pressure vessel containing flammable materials. This
may begin with an adjacent pool fire or jet fire that causes a rapid
rise in the vessel's pressure. This results in a high amount of ther-
mal radiation, blast hazards and flying shrapnel. Flash fires are
328 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
transient fires associated with vapour clouds formed in the vicinity
of gas or volatile liquid releases. Delayed ignition in this scenario
typically results in VCE (CCPS, 1999; Mannan, 2004; Pula et al.,
2005, 2006; Vinnem, 2007).
Many studies have been carried out to predict the consequences
of fires and explosion, and the overall impact can be assessed by
using these theoretical and/or empirical models. The following sub-
topics provide brief reviews of the techniques that are available to
estimate the magnitude and dynamics of materials and energy
release and dispersion, as well as their impacts.
2.2.6.1. Source models. Source models are used to quantitatively
estimate the release of a material by computing its discharge rate
and state (solid, liquid, vapour, or combination), the release dura-
tion, the extent of flash and evaporation from a liquid pool, and the
dispersion of the released material (CCPS, 1999; Crowl and Louvar,
2001). Release models help in determining ignition probabilities
and the size of vapour clouds, as well as in predicting the initial
sizes of fires and explosions (Pula et al., 2006). Dispersion models
are used to predict the dispersion behaviour of the released gas and
vapour dynamically with respect to time.
Several source models have been developed based on material,
momentum and energy conservation equations, the size and shape
of holes (e.g., hole model and pipe model), and the state of release.
The most popular discharge models used are liquid flow through a
hole, liquid flow through a hole in a tank, liquid flow through pipes,
vapour flow through holes, gas flow through pipes, flashing liquids,
liquid pool evaporation or boiling, and some other release models
specific to certain materials. Extensive descriptions and mathe-
matical representations of these models can be found in CCPS (1999)
and Crowl and Louvar (2001). These hole and pipe discharge models
have been shown to be very capable. The hole model is efficient in
predicting release from small holes, while the pipe model provides
more accurate predictions for a completely broken pipe; accurate
predictions of gas release have been shown by Montiel et al. (1998),
Yuhu et al. (2003) and Luo et al. (2006). However, hole and pipe
models have limitations in prediction accuracy, as they are built
based on steady-state releases. Transient conditions such as changes
in the flow rate of the released gas due to partial closure of the hole
with time or as a result of manipulations due to control actions are
not considered. Montiel et al. (1998) developed an unsteady-state
sonic and subsonic release flow model as a combination of hole
and pipe models that can predict gas release at high and low pres-
sure for small and large holes. Yuhu et al. (2003) proposed a release
model to predict the release flow rate for hole sizes between those of
the hole and pipe models; the model was validated with accurate
findings compared with those of the hole and pipe models.
Furthermore, they found that the mass of the released gas during
sonic flow is more than 90% of the total mass of released gas when
the initial pressure inside the pipe is higher than 1.5 MPa. In addi-
tion, they also found that the total average release rate can be rep-
resented as approximately 30% of the initial release rate.
The dispersion of gas/vapour is affected by many factors
including atmospheric stability, wind speed and direction, local
terrain effects, height of the release above the ground, release ge-
ometry, momentum of the material released, and buoyancy of the
material released. Depending on the characteristics of the material
released, dispersion models for plume and puff releases are clas-
sified into two classes: neutrally buoyant models (e.g., the Pas-
quilleGifford model (Gaussian model)), and dense gas dispersion
models (e.g., the Britter and McQuaid model (CCPS, 1999; Crowl and
Louvar, 2001)). Based on the models’ mathematical formulae,
Dandrieux et al. (2006) categorised dispersion models into three
types with decreasing order of complexity: three-dimensional (3-
D), slab, and Gaussian.
The 3-D model, which is also called the computational fluid
dynamic (CFD) model, is founded on mass, momentum and energy
conservation equations. It provides more precise outcomes, espe-
cially in cloud dispersion modelling where complex geometry with
obstacles is considered for heavy, neutral, or light gas dispersion.
Slab models are usually more effective than other models for heavy
gas dispersion. Gaussian models are specific to passive clouds in
which the dispersed molecules are assumed to be distributed with
standard deviations depending on atmospheric conditions, and the
distance from the release source is assumed to be within
0.1e10 km. Extensive descriptions and reviews regarding disper-
sion models and their applications can be found in Holmes and
Morawska (2006). Won So et al. (2010) used a combination of the
Gaussian dispersion model, optical sensors, and a neural network
to estimate the release rate, and the technique showed a high
capability for estimating release behaviour as a real-time moni-
toring technique with high accuracy and efficiency.
Several software tools have been developed especially for CPIs
to predict consequences using source models; these include PHAST,
which was developed by Det Norske Veritas to estimate the con-
sequences of dispersion, fire, and explosion accidents (Pitblado
et al., 2005); the MAXCRED package, developed by Khan and
Abbasi (1998a); SAFETI, which was developed by Technica for risk
assessments of chemical process industry facilities (Pitblado and
Nalpanis, 1989); WHAZAN, which was also developed by Technica
to compute the consequences of incidents involving toxic and
flammable chemicals (Pitblado and Nalpanis, 1989); ALOHA,
developed to predict the movement and dispersion of gases based
on the toxicological/physical characteristics of the released chem-
ical, atmospheric conditions, and specific circumstances of the
release (EPA, 1999); the HAZDIG software package, for the acci-
dental release of toxic chemicals (Khan and Abbasi, 1999);
ATLANTIDE, for accidents in processing plants (Ditali et al., 2000);
the OSIRIS software package, for consequence analysis of the
transportation of toxic and flammable goods (Tixier et al., 2002);
the SMAH software package, developed by Mustapha and El-
Harbawi (2005); SCIA, a GPS-based program for chemical indus-
trial accidents caused by toxic and flammable materials (El Harbawi
et al., 2008; El-Harbawi et al., 2010); and finally, a new version of
the PHAST unified dispersion model (UDM), which was developed
more recently by (Witlox and Harper, 2013) for more accurate time-
dependent effects.
2.2.6.2. Consequence impact models. Consequence Impact Models
(CIMs) are used to estimate the effect of toxic materials, fires, and
explosions on people, the environment, and property. This type of
consequence assessment includes many models such as dos-
eeresponse models, probit models, and financial consequence
severity matrices.
The doseeresponse model seeks to estimate the effects of toxic
exposure to people by studying the relation between the toxin dose
and the associated response. Several methods are used to represent
dose. One way is to quantify the dose per unit of body weight by
testing different doses on organisms, typically animals or insect.
Another method is to quantify the dose per skin surface area. For
inhaled vapours, dose is represented as a specified vapour con-
centration administered over a period of time. The resulting data
are used at the conclusion of the risk assessment process, in which
the doseeresponse relationships estimated as previously
mentioned are extrapolated to determine safe exposure levels to
toxic agents for humans (USEPA, 1999; CCPS, 1999).
There are two main types of doseeresponse model applications.
The first application is used for non-threshold effects to evaluate
the impact of carcinogens, such as by benchmark dosing. In this
case, according to the USEPA, a linear non-threshold model is the
 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
default model to use for carcinogen risk impact analysis (USEPA,
2005). The second type of application is to evaluate the threshold
of toxic effects for non-carcinogenic impact, such as the No
Observed Adverse Effects Level (NOAEL) (van Leeuwen et al., 2007).
NOAEL is used to identify the highest dose at which no statistically
significant responses were observed in the available toxicity
studies. NOAEL is not suitable for cases in which there is no dose-
threshold, e.g., for carcinogens. Other disadvantages of NOAEL
have also been published (Clewell III and Andersen, 1986; Vermeire
et al., 1999). In contrast, the benchmark dose, which was introduced
by Crump (1984), is the lower confidence limit of a dose level
estimated using a parametric model yielding an acceptable level of
excess risk.
Probit functions are mathematical models used to assess the
dose-effect relationship for human responses to thermal radiation,
toxic substances and overpressure by estimating a Damage Proba-
bility Model. Depending on the estimated probit value or per-
centage, the damage degree (class) is determined. Many probit
models have been developed in the literature based on scarce data
or oversimplified assumptions; e.g., see (Eisenberg et al., 1975;
Bagster and Pitblado, 1991; Khan and Abbasi, 1998b; Atkins, 1998;
Cozzani and Salzano, 2004). (Mingguang and Juncheng, 2008)
developed a reliable probit model for the impact assessment of
process vessel overpressure by gathering damage data in chemical
processes. Then, by avoiding oversimplified assumptions, the probit
percentage obtained from the model is qualitatively converted to
damage classes.
The traditional Risk matrix is regarded as one of the impact
models that qualitatively rank accident severity into classes (CCPS,
1999). As mentioned by Jang et al. (2011), the financial risk matrix
was developed to convert losses to cost for mortality and injury,
environmental impacts, plant capital losses, and production and
business interruption losses by Brid and Germain in their 1969
book entitled “Loss control management: Practical loss control
leadership”. Over time, loss prevention professionals have devel-
oped a consequence severity matrix with five different severity
classes for major oil and gas accidents, in which human, environ-
mental, and confidence or reputation losses are converted to
equivalent dollar values for the five severity classes (Kalantarnia
et al., 2010). Jang et al. (2011) proposed a new approach for risk
assessment matrices based on the financial risk matrix using
chemical accident records. The methodology consists of 5 steps,
including hazard identification, modifying accident probability,
applying Value at Risk (VaR), and mapping the estimated accident
probability with VaR and the financial risk matrix. Summers et al.
(2012) (Summers et al., 2012) introduced a qualitative conse-
quence severity matrix caused by injuries and human life losses
and environmental losses; the matrix has five classes of severity
levels associated with their equivalent dollar losses. (Sordini et al.,
2013) developed an impact model to assess the cost of risks
Table 3
Some application of DSAMs.
Field Number of article
Financial and economic 5 (Oliver and Yang, 1990; Bier and Yi, 1995; Yi and Bier, 1998;
Nuclear industries 3 (Johnson and Rasmuson, 1996; Kalantarnia, 2010; Kaplan, 1992;
Chemical process industry (CPI) 18
329
associated with major accident hazards per barrel of oil for offshore
and onshore oil facilities. Severities with significant potential for
multiple fatalities and/or serious personal injuries, extensive asset
damage, extensive environmental impact, and international impact
on reputation were all considered in terms of cost.
2.2.7. Posterior risk calculation
A posterior risk is a combination of the posterior failure proba-
bility and its severity impact and may be evaluated in semi-
quantitative manner, e.g., by using fuzzy logic (Markowski and
Mannan, 2008; Markowski and Mannan, 2009), or it may be quan-
titatively calculated by multiplying the posterior probability of each
end-state event of the ET with its severity impact in terms of
equivalent dollar loss, which is estimated using the consequence
impact model (section 2.2.6.2) (Kalantarnia et al., 2010; Marhavilas
et al., 2011). This produces an updated risk profile that is then
compared with selected risk acceptance criteria to ascertain the risk
tolerability. For cases where the risk level is close to or exceeds the
tolerability limit, management intervention is required to improve
the inherent safety aspects or to add additional mitigating measures.
3. Application of DSAMs
DSAMs that were initially introduced for use in the financial in-
dustry have been extended to be used in nuclear and CPI applica-
tions. These experiences have produced results that proved the
adeptness of DSAMs in utilising precursor data to update risk pro-
files and have spurred interest to further improve the methodolo-
gies to enhance the updating procedures and produce more accurate
estimations. In DSAM implementations, the intervals used between
updates depend on the availability of precursor data, which vary
from one field to another. As listed in Table 3, more applications are
found in the CPIs, and most of these were in recent years.
4. Future development direction
DSAMs have been proven useful in providing the necessary in-
sights for better planning, as well as in responding to process safety
needs. However, the current DSAMs need to be further refined to
overcome some of their existing weaknesses and to improve their
efficiency. In this section, some of the future research themes to
complement some of the weaknesses and limitations of the
methods are presented. The list is non-exhaustive, however, and it
is certainly biased towards the interest of the authors.
4.1. Development of a comprehensive framework for the CPI
accident model
To provide a more comprehensive solution for the CPIs, new or
improved frameworks of accident models are needed. Important
References
Jun et al., 1999; Palomo et al., 2007)
Solanki and Gupta, 2010)
(Goossens and Cooke, 1997; Kirchsteiger, 1997; Khakzad et al., 2013;
Kalantarnia et al., 2009a; Kalantarnia et al., 2010; Khakzad et al., 2012;
Kujath et al., 2010; Meel and Seider, 2006; Meel et al., 2007;
Pariyani et al., 2012a; Pariyani et al., 2012b; Kalantarnia et al., 2009b;
Rathnayaka et al., 2011a; Rathnayaka et al., 2011b;
Rathnayaka et al., 2012; Tan et al., 2013; Yang et al., 2013;
Al-shanini et al., 2014)
330 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
sources of failures such as intentional security and natural hazards
should be incorporated because their impacts on safety can be
significant, depending on the geographic location of the plant. In
fact, natural hazards, such as lightning, storms, floods, earthquakes,
and volcanic eruptions are the reasons for approximately 3% of
industrial accidents (Campedel et al., 2008). Furthermore, this class
of accidents, which is known as Na-Tech accidents, is increasing in
frequency (Lindell and Perry, 1997; Showalter and Myers, 1994;
McCarthy et al., 2001; Kao and Hu, 2002). Such accidents are also
more severe compared to technical and operational accidents due
to the high possibility of simultaneous multiple and cascading ac-
cidents that may take place (Steinberg and Cruz, 2004; Campedel
et al., 2008). Worse still, these events also hamper emergency re-
sponses, as well as rescue and evacuation efforts. Depending on the
population density and the concentration of industrial facilities and
other infrastructure, the level of severity varies. The higher the
population density and the more crowded the area, the more se-
vere is the expected consequence.
Similarly, intentional security hazards also contributed signifi-
cantly to industrial accidents (Bennett, 2003; Schierow, 2005). Acts
of terrorism/sabotage for any reason may put the CPI in great
danger due to their potential impacts. For example, studies carried
out by the U.S. Public Interest Research Group (USPIRG) and the
National Environment Law Centre have found that more than 41
million Americans live within the range of the release cloud of
chemical facilities in the USA (Laplante, 1998). This means that a
large segment of the population is vulnerable to toxic release or
vapour cloud explosions, both of which belong to the more severe
group of hazards. The likelihood of such events is also of varying
degree, with some countries more vulnerable than others. In any
case because the impact can be devastating, security hazards
should also be considered in CPI accident modelling.
4.2. Dependency analysis
As previously mentioned, the consequence model of SHIPP
suffers from one major weakness, i.e., a dependence limitation in
which toxic and energy releases act as accident initiating events
that affect the estimation of updated barrier failure probabilities. To
overcome this limitation, two approaches can be taken: (i) develop
the consequence model using ET models that consider all possible
initiating events and find a suitable algorithm for the updating
process, or (ii) convert the ET of consequence analysis to its
equivalent BN. Next, the barrier failure probability and the end-
state events probability are dynamically estimated through a like-
lihood function of the precursor data. Carrying out this analysis is
important because more reliable outcomes of the prevention bar-
riers’ dynamic performance can be provided, which allow the
prevention plans to be decided more precisely.
4.3. Dynamic risk management
Risk management (RM) is a process that supports decision-
making, and it starts by identifying the potential hazards to deter-
mine suitable arrangements and measures that prevent accidents
and promote emergency response in case of accident occurrence
(Aven and Vinnem, 2007). RM is carried out during the design stage
to reduce the risk by reducing the equipment failure probabilities
and/or the impact of consequences of the acceptance criteria. The
adequacy of protection is further ascertained through process haz-
ard analysis techniques including HAZOP, What-if analysis, FMEA,
and LOPA. Upon implementing all these measures, as well as others,
the plant in question may be said to have been properly designed
and installed, and the present safety risks are within the acceptance
criteria as prescribed by the design objectives.
Nevertheless, this level of risks is not constant. As the plant
operates over time, the level of risks increases due to wear and tear
and degradation of plant components. It is therefore important to
be able to determine the level of risks periodically so that necessary
measures may be taken to ensure that the risk level stays within the
intended limit. This requires dynamic risk management by
applying suitable updating techniques (Chapman, 1997; Xie et al.,
2006).
Among these techniques, risk analysis and ranking is the tool
commonly used in risk management (Slavic et al., 1979). Another
commonly used technique is risk-based maintenance and in-
spection, which focuses on minimising risks through prioritising
the maintenance and inspection duties to the equipment that is
more vulnerable to failure instead of using a scheduling proce-
dure. Due to their importance, a number of risk-based mainte-
nance and inspection methodologies have been developed and
can be categorised based on their outputs into qualitative (e.g.,
Hayens et al., 2001), semi-qualitative (e.g., Goyet et al., 2002;
Khan et al., 2004), and quantitative (e.g., Khan and Haddara,
2003; Kallen and Van Noortwijk, 2003) types. Quantitative
methodologies are more accurate compared to the qualitative or
semi-quantitative ones (Khan et al., 2004). To provide a more
comprehensive assessment, Khan and Haddara (2003) introduced
a quantitative risk-based maintenance methodology founded on
risk analysis of system failure and its consequences. The meth-
odology involves three modules, i.e., risk estimation, risk evalu-
ation and maintenance planning, into one framework. The output
is the rank of maintenance activities based on their vulnerability
to failure and associated risks, and this approach has been suc-
cessfully applied to ethylene oxide production facilities and po-
wer plants (Khan and Haddara, 2004; Krishnasamy et al., 2005).
Scrutinising the methodology, however, revealed the fact that it
still lacks the capability for dynamic updating of risks (Mili et al.,
2009).
Due to the potential of this work, the methodology proposed by
Khan and Haddara (2003) should be further improved. One aspect
for improvement is to provide dynamic updating of basic event
failure probabilities in the FT model. One way of doing this is to
convert the FT model into its equivalent BN, in which a hierarchy
Bayesian approach (HBA) will be used for root nodes (basic events)
to evaluate their posterior failure probabilities by using their pre-
cursor data.
4.4. Accident prediction and prevention study
The accident prediction model used in SHIPP is a Poisson model
with a non-informative Gama prior distribution. This model
showed poor prediction and tends to underestimate the outputs
(Rathnayaka et al., 2012). Furthermore, it becomes less sensitive
when the data are too excited or noisy. To maximise the potentials
of the SHIPP model, there is a need to improve this prediction
capability by introducing alternative approaches or fine-tunings to
the existing technique. According to Zheng and Liu (2009), quan-
titative forecasting models are classified into two main groups,
which are the time-series (e.g., Markov chain method, grey model,
and neural network), and causality forecasting methods (e.g., sce-
nario analysis, regression method and Bayesian networks). Each
method has its own limitations, depending on the data availability,
data type (continuous or discrete), and the model's constraints that
must be matched. However, the best prediction can be achieved, as
(Liang et al., 2001; Hsu and Chen, 2003; Hsu, 2003; Hsu and Wang,
2007; Zheng and Liu, 2009) found, through the combination of
different models in one scheme. In future work, a combined pre-
diction model will be developed that takes into account the data
scarcity of CPI accidents.
 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
5. Conclusions
This paper provides descriptions and analyses of accident
models commonly used in the field of CPI. The models were clas-
sified based on Qureshi (2007) and extended to include a
precursor-based category approach, known as DSAM. The capabil-
ities of DSAMs and their implementation steps have been exten-
sively discussed. Based on these analyses, it can be concluded that.
 These models have the capability to model CPI accidents caused
by process hazards and human and organisational factors
effectively with systematic procedures and quantitative outputs.
 These models can utilise precursor data (near-misses, mishaps,
incidents, and accidents) to overcome the uncertainty associ-
ated with reliability data and to quantitatively estimate the
dynamic risk profile that supports dynamic decision making.
Among DSAMs, the SHIPP model is the most promising for
application in CPI as it takes into account the interactions between
all process hazards, human faults, and management and organ-
isational deficiencies. However, it has also been shown that there is
a need to further improve the SHIPP model in the following aspects:
 Extend its framework by considering other highly contributing
hazards.
 Overcome the dependency limitation of its ETs.
 Improve its predictive model by introducing another prediction
approach with high sensitivity to track changes in the observed
data.
These suggested future improvements all fall among the in-
terests and on-going studies of the authors.
Acknowledgement
The authors would like to acknowledge Universiti Teknologi
Malaysia for the infrastructure and financial supports through the
research university grant scheme RUGS-05H03.
References
Abbasi, T., Abbasi, S., 2007. The boiling liquid expanding vapour explosion (BLEVE):
mechanism, consequence assessment, management. J. Hazard. Mater. 141 (3),
489e519.
Abbasi, T., Pasman, H., Abbasi, S., 2010. A scheme for the classification of explosions
in the chemical process industry. J. Hazard. Mater. 174 (1), 270e280.
Abramson, L., 1994. A Unified Statistical Approach to Estimating Core Damage
Frequency Based on Accident Sequence Precursor Conditional Core Damage
Probabilities. PSAM-II, San Diego, California, pp. 20e25.
Ahmed, M.M., Kutty, S., Shariff, A.M., Idris, M.F.K.O., 2012. Hazard analysis and safe
transportation procedure for fuel outlets. In: Paper Presented at the Pro-
ceedings of the 1st International Conference in Safety and Crisis Management in
the Construction, Tourism and SME Sectors.
Al-shanini, A., Ahmad, A., Khan, F., 2014. Accident modelling and safety measure
design of a hydrogen station. Int. J. Hydrog. Energy. http://dx.doi.org/10.1016/
j.ijhydene.2014.05.044 available online.
Atkins, W., 1998. Development of Methods to Assess the Significance of Domino
Effects from Major Hazard Sites. Health and Safety Executive, HMSO, London.
Aven, T., Vinnem, J., 2007. Risk Management, with Applications from the Offshore
Oil and Gas Industry. Springer Verlag, NY.
Bagster, D., Pitblado, R., 1991. Estimation of domino incident frequencies- an
approach. Process Saf. Environ. Prot. 69 (4), 195e199.
Bahr, N., 2000. System safety engineering and risk assessment. Int. Encycl. Ergo-
nomics Hum. Factors 2, 1604.
Ballard, G., 1985. An analysis of dependent failures in the ORNL-precursor study
(NUREG/CR-2497). In: Paper Presented at the Proceedings of the ANS/ENS Int.
Topical Meeting on Probabilistic Safety Methods and Applications, San Fran-
cisco, Ca (24 Februarye1 March, 1985).
Beale, J., 2006. The Facts about LNG. Prepared for AES Sparrows Point LNG.
Bearfield, G., Marsh, W., 2005. Generalising event trees using bayesian networks
with a case study of train derailment. In: Computer Safety, Reliability, and Se-
curity, pp. 52e66.
331
Bennett, M., 2003. TICs, TIMs, and terrorists commodity chemicals take on a sinister
role as potential terrorist tools. Todays Chem. At Work 12 (4), 21e26.
Bier, V.M., 1993. Statistical methods for the use of accident precursor data in esti-
mating the frequency of rare events. Reliab. Eng. Syst. Saf. 41 (3), 267e280.
Bier, V.M., Mosleh, A., 1990. The analysis of accident precursors and near misses:
implications for risk assessment and risk management. Reliab. Eng. Syst. Saf. 27
(1), 91e101.
Bier, V.M., Yi, W., 1995. A Bayesian method for analyzing dependencies in precursor
data. Int. J. Forecast. 11 (1), 25e41.
Bobbio, A., Portinale, L., Minichino, M., Ciancamerla, E., 2001. Improving the analysis
of dependable systems by mapping fault trees into Bayesian networks. Reliab.
Eng. Syst. Saf. 71 (3), 249e260.
Brambilla, S., Manca, D., 2010. The viareggio LPG railway accident: event recon-
struction and modeling. J. Hazard. Mater. 182 (1), 346e357.
Campedel, M., Cozzani, V., Krausmann, E., Cruz, A.M., 2008. Analysis of Natech ac-
cidents recorded in major accident databases. In: Paper Presented at the Proc.
PSAM.
CCPS, 1985. Guidelines for Hazard Evaluation Procedures. American Institute of
Chemical Engineers, New York.
CCPS, 1999. Guidelines for Consequence Analysis of Chemical Releases, vol. 1. Wiley-
AIChE.
CCPS, 2000. Guidelines for Chemical Process Quantitative Risk Analysis, second ed.
Center for Chemical Process Safety/AIChE.

Cepin, M., 2011. Event Tree Analysis Assessment of Power System Reliability.
Springer, pp. 89e99.
Chapman, C., 1997. Project risk analysis and managementdPRAM the generic
process. Int. J. Proj. Manag. 15 (5), 273e281.
Chen, C.-C., Wang, T.-C., Chen, L.-Y., Dai, J.-H., Shu, C.-M., 2010. Loss prevention in
the petrochemical and chemical-process high-tech industries in Taiwan. J. Loss
Prev. Process Industries 23 (4), 531e538.
Clementel, S., Galvagni, R., 1984. The use of the event tree in the design of nuclear
power plants. Environ. Int. 10 (5e6), 377e382. http://dx.doi.org/10.1016/0160-
4120(84)90045-x.
Cleveland, C., Hogan, C., Saundry, P., 2010. Deepwater Horizon Oil Spill. The Ency-
clopedia of Earth.
Clewell III, H.J., Andersen, M.E., 1986. A Multiple Dose-route Physiological Phar-
macokinetic Model for Volatile Chemicals Using ACSL/PC. DTIC Document.
Cooke, R., Goossens, L., 1990. The accident sequence precursor methodology for the
European Post-Seveso era. Reliab. Eng. Syst. Saf. 27 (1), 117e130.
Cooke, R., Goossens, L., Hale, A., Van der Horst, J., 1987. Accident Sequence Precursor
MethodologydA Feasibility Study for the Chemical Process Industries (Report
for the Dutch Ministry of Environment, TUDelft/TNO Apeldoorn).
Cozzani, V., Salzano, E., 2004. The quantitative assessment of domino effects caused
by overpressure: Part I. Probit models. J. Hazard. Mater. 107 (3), 67e80.
Crowl, D.A., Louvar, J.F., 2001. Chemical Process Safety: Fundamentals with Appli-
cations. Prentice Hall.
Crump, K.S., 1984. A new method for determining allowable daily intakes. Fundam.
Appl. Toxicol. 4 (5), 854e871.
CSB, March 20, 2007. Investigation Report; Refinery Explosion and Fire. Report no.
2005-04-I-TX. http://www.csb.gov/investigations/detail.aspx?SID¼20.
CSB, 2008a. Investigation Report; Little General Store e Propane Explosion. Report
no. 2007-04-I-WV, September 2008. www.csb.gov/assets/document/
CSBFinalReportLittleGeneral.pdf.
CSB, 2008b. Investigation Report; LPG Fire at ValeroeMckee Refinery. Report no.
2007-05-I-TX, July 2008. http://www.csb.gov/investigations/detail.aspx?
SID¼12.
CSB, 2008c. Barton Solvents Static Spark Ignites Explosion inside Flammable Liquid
Storage Tank. Case study no. 2007-06-I-KS, June 26, 2008. http://www.csb.gov/
investigations/detail.aspx?SID¼58.
CSB, 2008d. Static Spark Ignites Flammable Liquid during Portable Tank Filling
Operation case study no. 2008-02-I-IA,September, 2008. www.csb.gov/assets/
document/Barton_Case_Study__9_18_2008.pdf.
CSB, 2010. Investigation Report; Xcel Energy Hydroelectric Plant Penstock Fire.
Report no. 2008-01-I-CO, August 2010. http://www.csb.gov/investigations/
detail.aspx?SID¼9.
CSB, 2009a. Investigation Report. In: Runway Reaction. T2 Laboratories, INC. Report
no. 2008-3-I-FL, September 15, 2009. http://www.csb.gov/newsroom/detail.
aspx?nid¼281.
CSB, 2009b. Investigation Report; Sugar Dust Explosion and Fire. Report no. 2008-
05-I-GA, September 15, 2009. http://www.csb.gov/investigations/detail.aspx?
SID¼6.
CSB, January 2011. Investigation Report, Pesticide Chemical Runaway Reaction
Pressure Vessel Explosion. Report no. 2008-08-I-WV. http://www.csb.gov/
investigations/detail.aspx?SID¼3.
Dandrieux, A., Dimbour, J., Dusserre, G., 2006. Are dispersion models suitable for
simulating small gaseous chlorine releases? J. Loss Prev. Process Industries 19
(6), 683e689.
Ditali, S., Colombi, M., Moreschini, G., Senni, S., 2000. Consequence analysis in LPG
installation using an integrated computer package. J. Hazard. Mater. 71 (1),
159e177.
Dunjo  , J., Fthenakis, V., Vílchez, J.A., Arnaldos, J., 2010. Hazard and operability
(HAZOP) analysis. A literature review. J. Hazard. Mater. 173 (1), 19e32.
Eisenberg, N.A., Lynch, C.J., Breeding, R.J., 1975. Vulnerability Model. In:
A Simulation System for Assessing Damage Resulting from Marine Spills. DTIC
Document.
332 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
El-Harbawi, M., Mustapha, S., Choong, T.S., Rashid, Z.A., Rashid, S.A., Sherif, A., 2010.
SCIA: GIS-Based software for assessing the impacts from chemical industrial
accidents. Pract. Periodical Hazard. Toxic, Radioact. Waste Manag. 14 (2),
104e114.
El Harbawi, M., Mustapha, S., Choong, T.S.Y., Rashid, S.A., Kadir, S., Rashid, Z.A.,
2008. Rapid analysis of risk assessment using developed simulation of
chemical industrial accidents software package. Int. J. Environ. Sci. Technol. 5
(1), 53e64.
EPA, N, 1999. Area Locations of Hazardous Atmospheres (ALOHA). User's Manual. US
Environmental Protection Agency (USEPA) and the National Oceanic and At-
mospheric Administration (NOAA), Washington, DC.
Ericson, C.A., 2005. Hazard Analysis Techniques for System Safety. John Wiley &
Sons.
Ferdous, R., Khan, F., Veitch, B., Amyotte, P.R., 2009. Methodology for computer
aided fuzzy fault tree analysis. Process Saf. Environ. Prot. 87 (4), 217e226.
http://dx.doi.org/10.1016/j.psep.2009.04.004.
Ferdous, R., Khan, F.I., Veitch, B., Amyotte, P.R., 2007. Methodology for computer-
aided fault tree analysis. Process Saf. Environ. Prot. 85 (1), 70e80. http://
dx.doi.org/10.1205/psep06002.
Fullwood, R.R., 2000. Probabilistic Safety Assessment in the Chemical and Nuclear
Industries. Butterworth-Heinemann.
Glossop, M., Loannides, A., Gould, J., 2000. Review of Hazard Identification Tech-
niques. Health & Safety Laboratory.
Goossens, L., Cooke, R., 1997. Applications of some risk assessment techniques:
formal expert judgement and accident sequence precursors. Saf. Sci. 26 (1),
35e47.
Gould, J., Glossop, M., Ioannides, A., 2005. Review of Hazard Identification Tech-
niques (Health & Safety Laboratory Report, UK).
Goyet, J., Straub, D., Faber, M.H., 2002. Risk based inspection planning: methodology
and application to an offshore structure. Rev. Française Ge nie Civ. 6 (3),
489e503.
Hakobyan, A., Aldemir, T., Denning, R., Dunagan, S., Kunsman, D., Rutt, B.,
Catalyurek, U., 2008. Dynamic generation of accident progression event trees.
Nucl. Eng. Des. 238 (12), 3457e3467.
Hayens, D.M., Minty, A.M., Pegram, A., Morris, P., Andrews, G., 2001. Risk based
decision management. In: Proceedings of SPE Exploration and Production
Environmental Conference, February 26-28, San Antonio, TX (2001).
Heinrich, H.W., Petersen, D., Ross, N., 1980. Principles of Accident Prevention. In-
dustrial Accident Prevention, pp. 20e29.
Hoertner, H., Frey, W., von Linden, J., Reichart, G., 1985. German precursor study-
methods and results. In: Paper Presented at the Proceedings of the ANSENS
International Topical Meeting on PSA Methods and Applications. San Francisco,
CA.
Hoertner, H., Kafka, P., 1986. Precursor Studies. IAEA Report TECMWJ-387, Vienna.
Hollnagel, E., 1998. Cream-Cognitive Reliability and Error Analysis Method. Elsevier
Science Ltd, Oxford.
Hollnagel, E., 2004. Barriers and Accident Prevention. Ashgate Pub Limited.
Holmes, N.S., Morawska, L., 2006. A review of dispersion modelling and its appli-
cation to the dispersion of particles: an overview of different dispersion models
available. Atmos. Environ. 40 (30), 5902e5928.
Hong, E.-S., Lee, I.-M., Shin, H.-S., Nam, S.-W., Kong, J.-S., 2009. Quantitative risk
evaluation based on event tree analysis technique: application to the design of
shield TBM. Tunn. Undergr. Space Technol. 24 (3), 269e277.
Hsu, C.-C., Chen, C.-Y., 2003. Applications of improved grey prediction model for
power demand forecasting. Energy Convers. Manag. 44 (14), 2241e2249.
Hsu, L.-C., 2003. Applying the grey prediction model to the global integrated circuit
industry. Technol. Forecast. Soc. Change 70 (6), 563e574.
Hsu, L.-C., Wang, C.-H., 2007. Forecasting the output of integrated circuit industry
using a grey model improved by the Bayesian analysis. Technol. Forecast. Soc.
Change 74 (6), 843e853.
Hyatt, N., 2003. Guidelines for Process Hazards Analysis (PHA, HAZOP), Hazards
Identification, and Risk Analysis. CRC press.
Jang, N., Koo, J., Kim, H., Shin, D., Sup Yoon, E., 2011. A study on the financial
approach of risk assessment using chemical accident records in chemical pro-
cess industries. Asia-Pacific J. Chem. Eng. 6 (3), 509e517.
Johnson, C., Holloway, C., 2003. A survey of logic formalisms to support mishap
analysis. Reliab. Eng. Syst. Saf. 80 (3), 271e291.
Johnson, J.W., Rasmuson, D.M., 1996. The US NRC's accident sequence precursor
program: an overview and development of a Bayesian approach to estimate
core damage frequency using precursor information. Reliab. Eng. Syst. Saf. 53
(2), 205e216.
Jun, C.-H., Chang, S.Y., Hong, Y., Yang, H., 1999. A Bayesian approach to prediction of
system failure rates by criticalities under event trees. Int. J. Prod. Econ. 60e61
(0), 623e628. http://dx.doi.org/10.1016/s0925-5273(98)00135-2.
Kalantarnia, M., 2010. Dynamic Risk Assessment Using Accident Precursor Data and
Bayesian Theory. Memorial University of Newfoundland.
Kalantarnia, M., Khan, F., Hawboldt, K., 2009a. Dynamic risk assessment using
failure assessment and Bayesian theory. J. Loss Prev. Process Industries 22 (5),
600e606. http://dx.doi.org/10.1016/j.jlp.2009.04.006.
Kalantarnia, M., Khan, F., Hawboldt, K., 2010. Modelling of BP Texas city refinery
accident using dynamic risk assessment approach. Process Saf. Environ. Prot. 88
(3), 191e199. http://dx.doi.org/10.1016/j.psep.2010.01.004.
Kalantarnia, M., Khan, F.I., Hawboldt, K., 2009b. Risk Assessment and Management
Using Accident Precursors Modeling in Offshore Process Operation.
Kallen, M., Van Noortwijk, J., 2003. Inspection and maintenance decisions based on
imperfect inspections. In: Paper Presented at the Proceedings of the European
Safety and Reliability Conference, Maastricht, The Netherlands.
Kao, C.-S., Hu, K.-H., 2002. Acrylic reactor runaway and explosion accident analysis.
J. Loss Prev. Process Industries 15 (3), 213e222. http://dx.doi.org/10.1016/
s0950-4230(01)00070-5.
Kaplan, S., 1992. ‘Expert information’versus ‘expert opinions’. Another approach to
the problem of eliciting/combining/using expert knowledge in PRA. Reliab. Eng.
Syst. Saf. 35 (1), 61e72.
Khakzad, N., Khan, F., Amyotte, P., 2012. Risk-based design of process systems using
Discrete-Time Bayesian Networks. Reliab. Eng. Syst. Saf. 109, 5e17.
Khakzad, N., Khan, F., Amyotte, P., 2013. Dynamic Safety analysis of process systems
by mapping bow-tie into Bayesian network. Process Saf. Environ. Prot. 91 (1),
46e53.
Khan, F., Sadiq, R., Haddara, M., 2004. Risk-based inspection and maintenance
(RBIM): multi-attribute decision-making with aggregative risk analysis. Process
Saf. Environ. Prot. 82 (6), 398e411.
Khan, F.I., Abbasi, S., 1998a. MAXCREDea new software package for rapid risk
assessment in chemical process industries. Environ. Model. Softw. 14 (1), 11e25.
Khan, F.I., Abbasi, S., 1998b. Models for domino effect analysis in chemical process
industries. Process Saf. Prog. 17 (2), 107e123.
Khan, F.I., Abbasi, S., 1999. HAZDIG: a new software package for assessing the risks of
accidental release of toxic chemicals. J. Loss Prev. Process Industries 12 (2),167e181.
Khan, F.I., Abbasi, S., 2001. Risk analysis of a typical chemical industry using ORA
procedure. J. Loss Prev. Process Industries 14 (1), 43e59.
Khan, F.I., Abbasi, S.A., 1997a. OptHAZOPdan effective and optimum approach for
HAZOP study. J. Loss Prev. Process Industries 10 (3), 191e204. http://dx.doi.org/
10.1016/s0950-4230(97)00002-8.
Khan, F.I., Abbasi, S.A., 1997b. TOPHAZOP: a knowledge-based software tool for
conducting HAZOP in a rapid, efficient yet inexpensive manner. J. Loss Prev.
Process Industries 10 (5e6), 333e343. http://dx.doi.org/10.1016/s0950-
4230(97)00023-5.
Khan, F.I., Abbasi, S.A., 1998c. Multivariate hazard identification and ranking system.
Process Saf. Prog. 17 (3), 157e170. http://dx.doi.org/10.1002/prs.680170303.
Khan, F.I., Abbasi, S.A., 1998d. Techniques and methodologies for risk analysis in
chemical process industries. J. Loss Prev. Process Industries 11 (4), 261e277.
http://dx.doi.org/10.1016/s0950-4230(97)00051-x.
Khan, F.I., Abbasi, S.A., 2000. Analytical simulation and PROFAT II: a new method-
ology and a computer automated tool for fault tree analysis in chemical process
industries. J. Hazard. Mater. 75 (1), 1e27. http://dx.doi.org/10.1016/s0304-
3894(00)00169-2.
Khan, F.I., Haddara, M.M., 2003. Risk-based maintenance (RBM): a quantitative
approach for maintenance/inspection scheduling and planning. J. Loss Prev.
Process Industries 16 (6), 561e573.
Khan, F.I., Haddara, M.R., 2004. Risk-based maintenance of ethylene oxide pro-
duction facilities. J. Hazard. Mater. 108 (3), 147e159.
Kirchsteiger, C., 1997. Impact of accident precursors on risk estimates from accident
databases. J. Loss Prev. Process Industries 10 (3), 159e167.
Kletz, T., 1977. Unconfined vapour cloud explosions. AIChE Loss Prev. 11, 50.
Krishnasamy, L., Khan, F., Haddara, M., 2005. Development of a risk-based main-
tenance (RBM) strategy for a power-generating plant. J. Loss Prev. Process In-
dustries 18 (2), 69e81.
Kujath, M.F., Amyotte, P.R., Khan, F.I., 2010. A conceptual offshore oil and gas process
accident model. J. Loss Prev. Process Industries 23 (2), 323e330. http://
dx.doi.org/10.1016/j.jlp.2009.12.003.
Ladkin, P.B., 1999. A Quick Introduction Why-because Analysis.
Ladkin, P.B., 2005. Why-Because Analysis of the Glenbrook, NSW Rail Accident and
Comparison with Hopkins's Accimap. Report RVS-RR-05e05, 19 December.
Faculty of Technology, Bielefeld University. http://www.rvs.uni-bielefeld.de.
Laplante, A., 1998. Too Close to Home: a Report on Chemical Accident Risks in the
United States. US Public Interest Research Group, Washington, DC.
Lees, F.P., 1996. Loss Prevention in the Process Industries: Hazard Identification,
Assessment and Control, vol. 3 (set).
Lenoir, E.M., Davenport, J.A., 1993. A survey of vapor cloud explosions: second up-
date. Process Saf. Prog. 12 (1), 12e33. http://dx.doi.org/10.1002/prs.680120104.
Leveson, N., 2004. A new accident model for engineering safer systems. Saf. Sci. 42
(4), 237e270. http://dx.doi.org/10.1016/s0925-7535(03)00047-x.
Liang, M.T., Zhao, G.F., Chang, C.W., Liang, C.H., 2001. Evaluating the carbonation
damage to concrete bridges using a grey forecasting model combined with a
statistical method. J. Chin. Inst. Eng. 24 (1), 85e94.
Lindell, M.K., Perry, R.W., 1997. Hazardous materials releases in the Northridge
earthquake: implications for seismic risk assessment. Risk Anal. 17 (2), 147e156.
Lois, E., 1985. Class Specific Approach to Nuclear Power Plant Safety Studies with
Applications. Maryland Univ, College Park (USA).
Luo, J., Zheng, M., Zhao, X., Huo, C., Yang, L., 2006. Simplified expression for esti-
mating release rate of hazardous gas from a hole on high-pressure pipelines.
J. Loss Prev. Process Industries 19 (4), 362e366.
Mahgerefteh, H., Atti, O., 2004. An Analysis of the Gas Pipeline Explosion at Ghi-
slenghien. University College London, Belgium (London).
Majdara, A., Wakabayashi, T., 2009. Component-based modeling of systems for
automated fault tree generation. Reliab. Eng. Syst. Saf. 94 (6), 1076e1086. http://
dx.doi.org/10.1016/j.ress.2008.12.003.
Mannan, S., 2004. Lees' Loss Prevention in the Process Industries. In: Hazard
identification, Assessment and Control. Butterworth-Heinemann.
 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
Mannan, S., Lees, F.P., 2005. Lee's Loss Prevention in the Process Industries. In:
Hazard Identification, Assessment, and Control, vol. 1. Elsevier.
Marhavilas, P., Koulouriotis, D., Gemeni, V., 2011. Risk analysis and assessment
methodologies in the work sites: on a review, classification and comparative
study of the scientific literature of the period 2000e2009. J. Loss Prev. Process
Industries 24 (5), 477e523.
Markowski, A.S., Mannan, M.S., 2008. Fuzzy risk matrix. J. Hazard. Mater. 159 (1),
152e157.
Markowski, A.S., Mannan, M.S., 2009. Fuzzy logic for piping risk assessment
(pfLOPA). J. Loss Prev. Process Industries 22 (6), 921e927.
McCarthy, J.J., Canziani, O.F., Leary, N.A., Dokken, D.J., White, K.S., 2001. Climate
Change 2001: Impacts, Adaptation, and Vulnerability: Contribution of Working
Group II to the Third Assessment Report of the Intergovernmental Panel on
Climate Change. Cambridge University Press.
McDermott, R.E., Mikulak, R.J., Beauregard, M.R., 2008. The Basics of FMEA. Pro-
ductivity Press.
McKelvey, T.C., 1988. How to improve the effectiveness of hazard and operability
analysis. Reliab. IEEE Trans. 37 (2), 167e170.
Meel, A., 2007. Dynamic Risk Assessment of Inherently Safer Chemical Processes: an
Accident Precursor Approach.
Meel, A., O'Neill, L.M., Levin, J.H., Seider, W.D., Oktem, U., Keren, N., 2007. Opera-
tional risk assessment of chemical industries by exploiting accident databases.
J. Loss Prev. Process Industries 20 (2), 113e127. http://dx.doi.org/10.1016/
j.jlp.2006.10.003.
Meel, A., Seider, W.D., 2006. Plant-specific dynamic failure assessment using
Bayesian theory. Chem. Eng. Sci. 61 (21), 7036e7056. http://dx.doi.org/10.1016/
j.ces.2006.07.007.
Meel, A., Seider, W.D., 2008. Real-time risk analysis of safety systems. Comput.
Chem. Eng. 32 (4), 827e840.
Mili, A., Bassetto, S., Siadat, A., Tollenaere, M., 2009. Dynamic risk management
unveil productivity improvements. J. Loss Prev. Process Industries 22 (1),
25e34.
Minarick, J., Kukielka, C., 1982. Precursors to Potential Severe Core Damage Acci-
dents, 1969-1979. A Status Report: The Commission.
Mingguang, Z., Juncheng, J., 2008. An improved probit method for assessment of
domino effect to chemical process equipment caused by overpressure.
J. Hazard. Mater. 158 (2), 280e286.
Modarres, M., Amico, P., November, 13 1984. LER Categorization Report. Martin
Marietta Energy Systems, Inc., Oak Ridge National Laboratory, and University of
Maryland, College Park.
Montague, D.F., 1990. Process risk evaluationdWhat method to use? Reliab. Eng.
Syst. Saf. 29 (1), 27e53. http://dx.doi.org/10.1016/0951-8320(90)90071-t.
Montiel, H., Vılchez, J.A., Casal, J., Arnaldos, J., 1998. Mathematical modelling of
accidental gas releases. J. Hazard. Mater. 59 (2), 211e233.
Mustapha, S., El-Harbawi, M., 2005. SMAH: a new software package for evaluating
major accident hazard. In: Paper Presented at the Systems, Man and Cyber-
netics, 2005 IEEE International Conference on.
National Transportation Safety Board (NTSB), October 14, 2009. Pipeline Accident
Report; Rupture of Hazardous Liquid Pipeline with Release and Ignition of
Propane Carmichael. Mississippi November 1, 2007. NTSB/PAR-09/01
PB2009e916501.
National Transportation Safety Board NTSB, August 30, 2011. Pipeline Accident
Report; Pacific Gas and Electric Company Natural Gas Transmission Pipeline
Rupture and Fire San Bruno. California September 9, 2010., NTSB/PAR-11/01
PB2011e916501.
Oliver, R.M., Yang, H., 1990. Bayesian updating of event tree parameters to predict
high risk incidents. In: Oliver (Ed.), Influence Diagram, Belief Nets and Decision
Analysis, pp. 277e296.
Oyeleye, O.O., Kramer, M.A., 1988. Qualitative simulation of chemical process sys-
tems: steady-state analysis. AIChE J. 34 (9), 1441e1454. http://dx.doi.org/
10.1002/aic.690340906.
Palomo, J., Rios Insua, D., Ruggeri, F., 2007. Modeling external risks in project
management. Risk Anal. 27 (4), 961e978.
Papazoglou, I.A., 1998. Functional block diagrams and automated construction of
event trees. Reliab. Eng. Syst. Saf. 61 (3), 185e214. http://dx.doi.org/10.1016/
s0951-8320(98)00011-8.
Papazoglou, I.A., Nivolianitou, Z., Aneziris, O., Christou, M., 1992. Probabilistic safety
analysis in chemical installations. J. Loss Prev. Process Ind. 5 (3), 181e191.
́
Pariyani, A., Seider, W.D., Oktem, U.G., Soroush, M., 2012a. Dynamic risk analysis
using alarm databases to improve process safety and product quality: Part
IdData compaction. AIChE J. 58 (3), 812e825. http://dx.doi.org/10.1002/
aic.12643.
Pariyani, A., Seider, W.D., Oktem, U.G., Soroush, M., 2012b. Dynamic risk analysis
using alarm databases to improve process safety and product quality: Part
IIdBayesian analysis. AIChE J. 58 (3), 826e841. http://dx.doi.org/10.1002/
aic.12642.
Phimister, J.R., Oktem, U., Kleindorfer, P.R., Kunreuther, H., 2003. Near-Miss
incident management in the chemical process Industry. Risk anal. 23 (3),
445e459.
Pitblado, R., Baik, J., Hughes, G., Ferro, C., Shaw, S., 2005. Consequences of liquefied
natural gas marine incidents. Process Saf. Prog. 24 (2), 108e114.
Pitblado, R., Nalpanis, P., 1989. Quantitative Assessment of Major Hazard In-
stallations: 2, Computer Programs. Butterworth-Heinemann, London,
pp. 180e196.
333
Przytula, K.W., Thompson, D., 2000. Construction of Bayesian networks for di-
agnostics. In: Paper Presented at the Aerospace Conference Proceedings, 2000
IEEE.
Pula, R., Khan, F., Veitch, B., Amyotte, P., 2006. A grid based approach for fire
and explosion consequence analysis. Process Saf. Environ. Prot. 84 (2),
79e91.
Pula, R., Khan, F.I., Veitch, B., Amyotte, P.R., 2005. Revised fire consequence models
for offshore quantitative risk assessment. J. Loss Prev. Process Industries 18 (4),
443e454.
Qureshi, Z.H., 2007. A review of accident modelling approaches for complex socio-
technical systems. In: Paper Presented at the Proceedings of the Twelfth
Australian Workshop on Safety Critical Systems and Software and Safety-
related Programmable Systems, vol. 86.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling prob-
lem. Saf. Sci. 27 (2e3), 183e213. http://dx.doi.org/10.1016/s0925-7535(97)
00052-0.
Rathnayaka, S., Khan, F., Amyotte, P., 2011a. SHIPP methodology: predictive accident
modeling approach. Part I: methodology and model description. Process Saf.
Environ. Prot. 89 (3), 151e164. http://dx.doi.org/10.1016/j.psep.2011.01.002.
Rathnayaka, S., Khan, F., Amyotte, P., 2011b. SHIPP methodology: predictive accident
modeling approach. Part II. Validation with case study. Process Saf. Environ.
Prot. 89 (2), 75e88. http://dx.doi.org/10.1016/j.psep.2010.12.002.
Rathnayaka, S., Khan, F., Amyotte, P., 2012. Accident modeling approach for safety
assessment in an LNG processing facility. J. Loss Prev. Process Industries 25 (2),
414e423. http://dx.doi.org/10.1016/j.jlp.2011.09.006.
Rausand, M., Høyland, A., 2004. System reliability theory: Models, statistical
methods, and applications. John Wiley & Sons.
Reason, J., 1990. Human Error. Cambridge university press.
Rogers, R., 2000. The RASE Project Risk Assessment of Unit Operations and
Equipment. Available at:(Can be downloaded).
Schierow, L.-J., 2005. Chemical Plant Security.
Showalter, P.S., Myers, M.F., 1994. Natural disasters in the United States as release
agents of oil, chemicals, or Radiological materials between 1980e1989: analysis
and Recommendations. Risk Anal. 14 (2), 169e182.
Slavic, P., Fischhoff, B., Lichtenstein, S., 1979. Rating the risks. Environment 21 (3),
14e39.
So, W., Koo, J., Shin, D., Yoon, E.S., 2010. The estimation of hazardous Gas release rate
using optical sensor and neural network. Comput. Aided Chem. Eng. 28,
199e204.
Solanki, R., Gupta, S., 2010. Application of PSA based operational event analysis to
Indian nuclear power plants. In: Paper Presented at the Reliability, Safety and
Hazard (ICRESH), 2010 2nd International Conference on.
Sordini, E., Petrone, A., Scataglini, L., De ghetto, G., La Rosa, L., Pellino, S., ,
et al.Dresda, F., 2013. Evaluating the Hse risk costs and Reputational Implica-
tions of major accident hazards in E&P activities. In: Paper Presented at the SPE
Annual Technical Conference and Exhibition.
Steinberg, L.J., Cruz, A.M., 2004. When natural and technological disasters collide:
lessons from the Turkey earthquake of August 17, 1999. Nat. Hazards Rev. 5 (3),
121e130.
Summers, A., Vogtmann, W., Smolen, S., 2012. Consistent consequence severity
estimation. Process Saf. Prog. 31 (1), 9e16.
Svedung, J.R.I., Rasmussen, J., 2000. Proactive Risk Management in a Dynamic So-
ciety. Swedish Rescue Services Agency, Karlstad.
Tan, Q., Chen, G., Zhang, L., Fu, J., Li, Z., 2013. Dynamic accident modeling for high-
sulfur natural gas gathering station. Process Saf. Environ. Prot. http://dx.doi.org/
10.1016/j.psep.2013.03.004.
Tixier, J., Dusserre, G., Rault-Doumax, S., Ollivier, J., Bourely, C., 2002. OSIRIS: soft-
ware for the consequence evaluation of transportation of dangerous goods
accidents. Environ. Model. Softw. 17 (7), 627e637.
Torres-Toledano, J., Sucar, L., 1998. Bayesian networks for reliability analysis of
complex systems. Prog. Artif. IntelligencedIBERAMIA 98, 465.
Tullo, A.H., Johnson, J., 2013. Two Plant Blasts Kill Three People. AMER CHEMICAL
SOC, 1155 16th st, NW, Washington, DC 20036 USA.
Turney, R., Pitblado, R., Institution of Chemical, E., International Study Group on
Risk, A, 1996. Risk Assessment in the Process Industries. Institution of Chemical
Engineers, Rugby.
UNEP/OCHA, 2011. In: Besson, S., Merland, P., McClain, S., Nijenhuis, R. (Eds.), Fuel
Spill and Fire Rapid Environmental Emergency Assessment (Switzerland).
USEPA., 1999. Guidelines for Developmental Toxicity Risk Assessment [microform].
Risk Assessment Forum, U.S. Environmental Protection Agency, Washington,
DC.
USEPA., 2005. Guidelines for Carcinogen Risk Assessment [electronic Resource].
United States Environmental Protection Agency, Risk Assessment Forum,
Washington, D.C.
van der Schaaf, T.W., Lucas, D.A., Hale, A.R., 1991. Near Miss Reporting as a Safety
Tool. Butterworth-Heinemann.
van Leeuwen, C., Vermeire, T., Vermeire, T., 2007. Risk Assessment of Chemicals: an
Introduction. Springer.
Vautard, R., Ciais, P., Fisher, R., Lowry, D., Breon, F., Vogel, F., , et al.Nisbet, E., 2007.
The dispersion of the Buncefield oil fire plume: an extreme accident without air
quality consequences. Atmos. Environ. 41 (40), 9506e9517.
Vermeire, T., Stevenson, H., Pieters, M.N., Rennen, M., Slob, W., Hakkert, B.C., 1999.
Assessment factors for human health risk assessment: a discussion paper. CRC
Crit. Rev. Toxicol. 29 (5), 439e490.
334 A. Al-shanini et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 319e334
Vinnem, J.-E., 2007. Offshore Risk Assessment: Principles, Modelling and Applica-
tions of QRA Studies. Springer.
Weber, P., Medina-Oliva, G., Simon, C., Iung, B., 2012. Overview on Bayesian net-
works applications for dependability, risk analysis and maintenance areas. Eng.
Appl. Artif. Intell. 25 (4), 671e682.
Witlox, H.W., Harper, M., 2013. Modeling of time-varying dispersion for releases
including potential rainout. Process Saf. Prog. http://dx.doi.org/10.1002/
prs.11652.
Xie, G., Zhang, J., Lai, K., 2006. Risk avoidance in bidding for software projects based
on life cycle management theory. Int. J. Proj. Manag. 24 (6), 516e521.
Yang, M., Khan, F.I., Lye, L., 2013. Precursor-based hierarchical Bayesian approach for
rare event frequency estimation: a case of oil spill accidents. Process Saf. En-
viron. Prot. 91 (5), 333e342.
Yi, W., Bier, V.M., 1998. An application of copulas to accident precursor analysis.
Manag. Sci. 44 (12), S257eS270.
Yuhu, D., Huilin, G., Jing’en, Z., Yaorong, F., 2003. Mathematical modeling of gas
release through holes in pipelines. Chem. Eng. J. 92 (1), 237e241.
Zheng, X., Liu, M., 2009. An overview of accident forecasting methodologies. J. Loss
Prev. Process Industries 22 (4), 484e491.