• Top-down approach
• Bottom-up approach
Example: Procedure for top-down approach
• Uniquely identify all gates and basic events.
• Place the top gate in the first row of a matrix.
• Replace all gates by basic events using either a or b:
  a. Replace an “OR” gate by vertical arrangement.
  b. Replace an “AND” gate by horizontal arrangement.
• Delete all supersets (sets that contain another set as a subset).
Matrix for the example tree (each step replaces one level of gates; every row is one cut set):
Step 1 (top gate): G1
Step 2 (“AND” is replaced by horizontal arrangement): G2,G3
Step 3 (gates are replaced with input events): A,G3 | G4,G3
Step 4 (“OR” is replaced by vertical arrangement): A,C | A,G5 | B,G3 | C,G3
Step 5 (according to Boolean algebra A×A ≡ A): A,C | A,B | B,C | B,G5 | C,C | C,G5
Step 6: A,C | A,B | B,C | A,B | C | C,A,B
The minimal cut sets for the tree are:
{C}, {A, B}, {A, C}, {B, C}, {A, B, C}
Bottom-up approach
Similar, except start with gates containing only basic events.
1) Generate two columns, one for gates and the other for cut sets.
4) For an “OR” gate use the union rule and represent the basic events separately. Example: A “OR” B = (A), (B).
5) For an “AND” gate use the intersection rule and put the events into the same cut set.
• Example: using the same fault tree as above for the bottom-up approach
The minimal cutsets for the tree are:
{C}, {A, B}, {A, C}, {B, C}, {A, B, C}
1) Top-event probability estimation
• Gate-by-gate approach: Straightforward and simple. Uses the union (OR gate) and intersection (AND gate) rules to calculate the top-event probability.
• Cutsets approach: Quickest method. Applicable when the fault tree is large and the failure rate/failure probability of basic events are small. Here PTOP is the probability for the top event and Cj is the probability of minimal cutsets, and i = 1, 2, 3, ..., n denotes the failure probability of the corresponding components or basic events.
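An added worked example (not code from the slides) that runs the matrix procedure above and then compares the cutset and gate-by-gate top-event estimates. The gate structure G1 = AND(G2, G3), G2 = OR(A, G4), G4 = OR(B, C), G3 = OR(C, G5), G5 = AND(A, B) is reconstructed from the matrix steps, and the basic-event probabilities are constructed values; deleting supersets from the six step-6 rows leaves {C} and {A, B}, while the five sets listed on the slide are the distinct rows before that deletion.

```python
"""Top-down cut set extraction (matrix procedure) and top-event probability."""
import math
from itertools import combinations, product

# Gate table: name -> (type, inputs); names absent from the table are basic events.
# Structure reconstructed from the matrix steps on the slide (assumption).
GATES = {
    "G1": ("AND", ["G2", "G3"]),
    "G2": ("OR", ["A", "G4"]),
    "G4": ("OR", ["B", "C"]),
    "G3": ("OR", ["C", "G5"]),
    "G5": ("AND", ["A", "B"]),
}
# Constructed basic-event probabilities (not from the slides).
P_BASIC = {"A": 0.10, "B": 0.20, "C": 0.05}


def expand_gates(top, gates):
    """Rows of the matrix once every gate has been replaced by basic events.

    AND gate: horizontal arrangement (inputs join the same row).
    OR gate: vertical arrangement (one new row per input).
    Rows are returned as sets, so a repeated event collapses (A x A = A)."""
    rows = [[top]]
    while any(item in gates for row in rows for item in row):
        new_rows = []
        for row in rows:
            gate = next((x for x in row if x in gates), None)
            if gate is None:
                new_rows.append(row)
                continue
            kind, inputs = gates[gate]
            rest = [x for x in row if x != gate]
            if kind == "AND":
                new_rows.append(rest + inputs)
            else:
                new_rows.extend(rest + [inp] for inp in inputs)
        rows = new_rows
    return [frozenset(row) for row in rows]


def minimal_cut_sets(cut_sets):
    """Delete duplicates and every superset of another cut set."""
    unique = set(cut_sets)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def top_probability_cutsets(cut_sets, p, rare_event=False):
    """Cutset approach: exact inclusion-exclusion, or the rare-event sum."""
    if rare_event:
        return sum(math.prod(p[e] for e in cs) for cs in cut_sets)
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            events = frozenset().union(*combo)
            total += (-1) ** (k + 1) * math.prod(p[e] for e in events)
    return total


def top_probability_gate_by_gate(top, gates, p):
    """Gate-by-gate approach: intersection rule at AND, union rule at OR.

    Treats every gate input as independent, which is exact only when no basic
    event feeds more than one gate; here A, B and C each feed two gates."""
    def prob(node):
        if node not in gates:
            return p[node]
        kind, inputs = gates[node]
        qs = [prob(i) for i in inputs]
        return math.prod(qs) if kind == "AND" else 1 - math.prod(1 - q for q in qs)
    return prob(top)


def top_probability_enumeration(top, gates, p):
    """Ground truth: add up every basic-event state in which the top event occurs."""
    basics = sorted({i for _, ins in gates.values() for i in ins if i not in gates})

    def occurs(node, state):
        if node not in gates:
            return state[node]
        kind, inputs = gates[node]
        values = [occurs(i, state) for i in inputs]
        return all(values) if kind == "AND" else any(values)

    total = 0.0
    for bits in product([False, True], repeat=len(basics)):
        state = dict(zip(basics, bits))
        if occurs(top, state):
            total += math.prod(p[b] if state[b] else 1 - p[b] for b in basics)
    return total


if __name__ == "__main__":
    raw = expand_gates("G1", GATES)
    print("cut sets before superset deletion:", sorted(sorted(cs) for cs in set(raw)))
    mcs = minimal_cut_sets(raw)
    print("minimal cut sets:", [sorted(cs) for cs in mcs])
    print("P(top) exact        :", top_probability_cutsets(mcs, P_BASIC))
    print("P(top) rare-event   :", top_probability_cutsets(mcs, P_BASIC, rare_event=True))
    print("P(top) gate-by-gate :", top_probability_gate_by_gate("G1", GATES, P_BASIC))
    print("P(top) enumeration  :", top_probability_enumeration("G1", GATES, P_BASIC))
```

With the constructed probabilities the gate-by-gate value (0.0218) is well below the exact 0.069, which is why the cutset approach is preferred once events repeat across gates.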
5. Importance factor estimation
• Basic-events (Components) importance (BIi): It is calculated by “the sum of the probability of occurrence of all cutsets containing the basic-event (component)” divided by the total probability of occurrence for the system.
• The symbol Σ in the equation denotes a “sum of all those probabilities of cutsets containing basic-event i as one of its basic-events”.
• Cutsets importance (CIj): It is the ratio of the cutset characteristic over the system characteristic.
• It is an inductive procedure which maps all possible outcomes resulting from an initiating event (any accidental release or occurrence), e.g. gas leakage, equipment failure or human error.
• Determine the probability of various outcomes (final consequences) resulting from the initiating event.
• Identification of initiating event
• Identification of Safety Functions. Examples:
  • Automatic shutdown
  • Alarms which alert the operator
  • Operator actions in response to alarms
  • Barriers or containment systems to limit the effects of the initiating event
The steps of ETA:
Construct the Event Tree
b. Evaluate the safety functions.
[Event tree figure; the recoverable content is:]
INITIATING EVENT (A): Loss of cooling water to oxidation reactor
SAFETY FUNCTION B: Oxidation reactor high temperature alarm alerts operator at temperature T1
SAFETY FUNCTION C: Operator reestablishes cooling water flow to oxidation reactor
SAFETY FUNCTION D: Automatic shutdown system stops reaction at temperature T2
Each safety function branches into Success (upper branch) and Failure (lower branch); an outcome label lists the initiating event followed by the failed safety functions:
A: Safe condition, return to normal operation
AC: Safe condition, process shutdown
ACD: Unsafe condition, runaway reaction, operator aware of problem
AB: Unstable condition, process shutdown
ABD: Unsafe condition, runaway reaction, operator unaware of problem
Completed!
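An added example (not from the slides) that evaluates the event tree drawn above: the branch structure follows the figure (the operator is only asked when the alarm worked), while the failure-on-demand probabilities of B, C and D and the initiating-event frequency are constructed values.

```python
"""Event tree for loss of cooling water to the oxidation reactor."""

# Tree as drawn: node -> (safety function asked, next node on Success,
# next node on Failure); None ends the branch. After a failed alarm (B) the
# branch goes straight to automatic shutdown (D), the operator never acts.
EVENT_TREE = {
    "B": ("B", "C", "D_after_B"),
    "C": ("C", None, "D_after_C"),
    "D_after_C": ("D", None, None),
    "D_after_B": ("D", None, None),
}
ROOT = "B"

# Constructed failure-on-demand probabilities (assumption, not from the slides).
P_FAIL = {"B": 0.01, "C": 0.05, "D": 0.001}

OUTCOMES = {
    "A": "Safe condition, return to normal operation",
    "AC": "Safe condition, process shutdown",
    "ACD": "Unsafe condition, runaway reaction, operator aware of problem",
    "AB": "Unstable condition, process shutdown",
    "ABD": "Unsafe condition, runaway reaction, operator unaware of problem",
}


def outcome_probabilities(p_fail=P_FAIL, tree=EVENT_TREE, root=ROOT, p_initiator=1.0):
    """Walk every branch of the tree.

    Returns {outcome label: probability}. If p_initiator is the initiating
    event frequency (per year), the values are outcome frequencies instead."""
    result = {}

    def walk(node, p_acc, failed):
        if node is None:
            label = "A" + "".join(failed)   # initiating event + failed functions
            result[label] = result.get(label, 0.0) + p_acc
            return
        func, on_success, on_failure = tree[node]
        walk(on_success, p_acc * (1.0 - p_fail[func]), failed)
        walk(on_failure, p_acc * p_fail[func], failed + [func])

    walk(root, p_initiator, [])
    return result


def runaway_reaction_probability(probs):
    """Both branches that end in a runaway reaction (operator aware or not)."""
    return probs["ACD"] + probs["ABD"]


if __name__ == "__main__":
    probs = outcome_probabilities(p_initiator=1.0)  # per demand
    for label, p in probs.items():
        print(f"{label:4s} {p:.3e}  {OUTCOMES[label]}")
    print("P(runaway reaction | loss of cooling) =", runaway_reaction_probability(probs))
```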
Bow-TieXP by CGERISK
Bayesian network - How does it work?
[Figure: data and expert knowledge feed the Bayesian network; its outputs support decision making, diagnosis and optimization]
Bayesian Network
Software for BN-based approach
Khakzad et al. (2013) Dynamic safety analysis of process systems by mapping bow-tie into Bayesian network, PSEP, 91, 46-53
[Figure: precursor-based hierarchical Bayesian model; nodes include Detailed design, Risk, Mishap and Gas leaked and vented onto rig]
Yang, M., Khan, F., Lye, L. (2013). Precursor-based hierarchical Bayesian approach for rare event frequency estimation: a case of oil spill accidents. Process Safety and Environmental Protection, 91(5), 333-342.
Dynamic risk assessment framework
[Flowchart: Unit Selection & Scenario Identification → Consequence Assessment and Probability Assessment → Posterior Risk Estimation. Probability assessment combines a Prior Failure (design stage data) with a Likelihood Function (real time process data) into a Posterior Failure using Bayesian theory. Consequence assessment estimates the dollar value of Asset Loss, Human fatality, Environmental Loss and Business loss.]
Consequence Analysis
• Purpose: To assess the extent of damage
• Typical Hazard
  • Toxic Release, Fire and Explosion
• Modelling of hazard scenario
  – Toxic Release: Source (Release) Model, Dispersion
  – Fire and explosion: Source Model, Fire and Explosion, Heat Dispersion
  – Fatality Assessment: Probit Analysis
  – Nonfatal Consequence: Skin-burn, Property damage
Yang, M., Khan, F., Amyotte, P. (2015). Operational risk assessment: a case of Bhopal disaster. Process Safety and Environmental Protection, 97, 70-79.
CFD Modeling
• The common methods of estimating the overpressure caused by an explosion (Multi-Energy method and TNT-Equivalence method) assume that the blast generated is similar in all directions with no directional effects. However, these methods do not take into account factors such as:
  – Directional effects
  – Focusing effects
  – Reflection effects
  – Factors related to the source of the explosion (e.g. initial strength, shape)
Thus, Computational Fluid Dynamics (CFD) modeling has been introduced to allow for better predictions of the strength of blast waves generated by gaseous explosions.
FLACS – a CFD fire and explosion software
Risk Estimation and Evaluation
• Purpose: To assess Risk and Make Safety Judgment
• Methods
  – Individual Risk
  – Societal Risk
• Tolerability Criteria
Risk Management
• Purpose: to propose mitigating measures to reduce the potential impact of the hazard and possibly reduce the risk level
• Method
  – Safe Work Procedure at every project stage
  – Emergency Response Management
  – Emergency Response Procedure
Risk Communication
The Proposed Methodology
[Flowchart: Select a system → Environmental load modeling → Take one loading scenario → Probability assessment and Consequence assessment → Risk Estimation → Risk exceeds acceptable level? If no: Safe, do not apply winterization. If yes: Method selection → Risk-based decision analysis → Apply winterization → Residual risk assessment → Risk exceeds acceptable level? If yes: Redesign winterization plan and repeat; if no: All loading scenarios analyzed? If no: take the next loading scenario; if yes: done.]
Step 1.0 Environmental Load Modelling
• Loading scenarios are defined in two dimensions:
  – Annual Extreme Low Temperatures
  – Various consecutive hours of exposure
  e.g., probability of temperature between -40 to -30 °C for 24 consecutive hours, etc.
• Through statistical analysis, probability distributions of environmental load can be determined [presented by Dr. Lye]
Step 2.1 Probability of failure assessment
– Assume ΔTactual > ΔTlimit is a failure state
– Estimate Pr(g(x) > 0) based on environmental load
– Rank Probability [Definitely, Likely, Occasional, Seldom, Unlikely]
Step 2.2 Consequence assessment (severity table reconstructed from the slide; columns: importance to operation, effect of failure on the system, cost, safety consequences)
Required for good operation | Failure may affect the performance and lead to subsequent failure of the system | >$0.2 Million | Serious injury requiring 4-6 weeks to recover
Part of good operation | Failure may not affect the performance immediately but prolonged failure may lead to failure of the system | >$10,000 | Injury requiring rest and 2-4 weeks recovery
Optional for operation | Failure may not affect the performance of the system | <$10,000 | First Aid 0-2
Step 2.3 Risk Estimation
Step 3.0 Applying Winterization
• Step 1.0 Environmental load
  – Load (extreme temperatures for 24 hours duration, 100 year return period) follows a normal distribution with mean temperature as -45.8 and standard deviation as 1.1
• Step 2.1 Probability of failure assessment
  – ΔTactual = |load - Top|, then it follows a normal distribution with mean of 55.8 and standard deviation as 4.2
  – PoF = Pr(ΔTactual > 25) = 1.00 [100% chance of exceeding the allowable temperature difference]
• Step 2.2 Consequence assessment
  – Severity value = 4 (Failure may affect the performance and lead to subsequent failure of the system)
• Step 2.3 Risk estimation
  – Risk is considered “high” according to the risk matrix, winterization must be applied
• Step 3.0 Apply winterization
  – Electric heat tracing option 1 providing:
    • Q = 8 watt per foot
  – Efficacy (E) in terms of temperature difference:
    • E = ΔT = Q*ln(Do/Di)/(2pi*k) = 43 °C
    where 2pi is part of the formula for calculating the area of a cylinder; Do is the outer insulation diameter = 6.5 inch; Di is the inner insulation diameter = 4.5 inch; k is the conductivity factor (BTU·in/hr·ft²·°F) = 0.25 (fiber glass)
[Figure: optimization loop: 1) Set minimum insulation thickness; 2) Set acceptable risk level; 3) Take environmental loading; 4) Adjust insulation thickness and heat tracing to minimums to meet acceptable risk level.]
• Quantitative risk assessment (QRA) requires a variety of models to obtain “pure” quantitative results.
• Lots of attention and effort have been devoted to probability assessment; consequence loss modeling needs more investigation.
• QRA can help the decision-makers to understand the value of safety interventions and optimize resource allocation.
Thank you!
Questions?
[Figure: “Improved Safety Management” and “Incorporation of human factors????” plotted against Time; vertical axis labelled “misses”]
• Safer workplace
• Improved efficiency (reduced downtime)
• Lower lifetime costs (maintenance is cheaper, and re-engineering not needed)
• More productive workforce
*Source: OGP guidelines on “Human factors: a means of improving HSE performance”.
*Source: Hughes, G., & Kornowa-Weichel, M. (2004). Whose fault is it anyway?: A practical illustration of human factors in process safety. Journal of hazardous materials, 115(1), 127-132.
Human Error Classification
• Discrete action classifications
• Information processing classifications
• Behavior type based classifications
Discrete action classification: Very simple but powerful (Swain & Guttman, 1983)
• Error of omission - acts not carried out
• Errors of commission – acts carried out either
  • inadequately
  • in wrong sequence
  • too early or too late
• Extraneous act – Wrong/Unrequired act performed
Information processing classification
• Specific categories of errors can occur at each stage (i.e. incorrect interpretation of the state of the system)
• Major systems accidents (“normal accidents”) start with an accumulation of latent errors
• Latent errors: those whose adverse consequences may lie dormant within the system for a long time, only becoming evident when they combine with other factors
• Most of those latent errors are human errors: designers, high-level decision makers, construction workers, managers and maintenance personnel
• Invisible latent errors change system reality without altering the operator’s models
  • seemingly-correct actions can then trigger accidents
Behavior type based classification
• Knowledge-based (KB Mistakes)
  • errors result from inadequate analysis or decision making
• Some of the factors affecting performance:
  • Lack of experience with the system in failure states: training is rarely sufficient to develop a rule base that captures system response outside of normal bounds, resulting in RB errors
  • System complexity and cognitive strain:
    • system complexity prohibits mental modeling
    • stress of an emergency encourages RB approaches and diminishes KB effectiveness
  • Limited system visibility by automation and “defense in depth”: results in improper rule choices and KB reasoning
Airline industries
• http://www.youtube.com/watch?v=s2PkViQWPeA
• http://www.youtube.com/watch?v=RjnqePtCaCI&feature=related
• http://www.youtube.com/watch?v=RDNnldonjZE&feature=related
Subway crash
• http://www.youtube.com/watch?v=0r2gvlTMG-Q
Monorail crash
• http://www.youtube.com/watch?v=dCis-KGEolo
Part B: Quantifying human error
Purpose: Evaluating the probability of a human error occurring throughout the completion of a specific task.
Outcome: Measures to reduce the likelihood of errors occurring within a system and therefore lead to an improvement in the overall levels of safety.
Step 1: The selection of the expert panel
Step 2: The definition of situations and subsets
Step 3: The elicitation of PSFs
Step 4: The rating of the tasks on the PSF scale
Step 5: PSF weighting
Step 6: The calculation of Success Likelihood Index (SLIs)
Step 7: Conversion of SLIs into probabilities
Step 3: 5 PSFs identified: Training, Procedures, Feedback, The perceived level of risk and Time pressure involved
Step 4: PSF rating (VO1O1 open)
Errors | Training | Procedures | Feedback | Perceived risk | Time
VO1O1 open | 6 | 5 | 2 | 9 | 6
Step 6: SLI calculation
PSFs | Rating | Weighting | SLI
Training | 6 | 0.15 | 0.9
PSFs | VO1O1 open | Alarm mis-set | Alarm ignored
Training | 0.9 | 0.75 | 0.6
Procedures | 0.75 | 0.45 | 0.75
Feedback | 0.6 | 0.6 | 2.1
Perceived risk | 2.7 | 2.1 | 2.1
Time | 0.6 | 0.4 | 0.2
Total SLI | 5.55 | 4.3 | 5.75
Step 7: $\log \mathrm{HEP} = a \cdot \mathrm{SLI} + b$
Two additional tasks X and Y were assessed, which had HEP values of 0.5 and $10^{-4}$ respectively and SLIs respectively of 4.00 and 6.00.
Solve these two equations to find a and b.
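An added example (not from the slides) that carries steps 6 and 7 through for the three tasks tabulated above: the ratings and weights for VO1O1 open are those on the slide, the ratings of the other two tasks are inferred here by dividing each tabulated SLI contribution by the PSF weight (an assumption), and the calibration uses the standard SLIM relation log10(HEP) = a·SLI + b with the reference tasks X and Y.

```python
"""SLIM: Success Likelihood Index and calibrated human error probabilities."""
import math

# Step 5 weights, derived from the slide's SLI column for VO1O1 open (sum to 1).
PSF_WEIGHTS = {
    "Training": 0.15, "Procedures": 0.15, "Feedback": 0.30,
    "Perceived risk": 0.30, "Time": 0.10,
}
# Step 4 ratings. VO1O1 open is from the slide; the other two rows are
# inferred from the slide's SLI contributions (assumption).
RATINGS = {
    "VO1O1 open":    {"Training": 6, "Procedures": 5, "Feedback": 2, "Perceived risk": 9, "Time": 6},
    "Alarm mis-set": {"Training": 5, "Procedures": 3, "Feedback": 2, "Perceived risk": 7, "Time": 4},
    "Alarm ignored": {"Training": 4, "Procedures": 5, "Feedback": 7, "Perceived risk": 7, "Time": 2},
}
# Reference tasks X and Y with known HEPs, as (SLI, HEP).
REFERENCE_TASKS = [(4.00, 0.5), (6.00, 1e-4)]


def success_likelihood_index(ratings, weights=PSF_WEIGHTS):
    """Step 6: SLI = sum over PSFs of rating x weight; weights must sum to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("PSF weights must sum to 1")
    return sum(ratings[psf] * weights[psf] for psf in weights)


def calibrate(reference_tasks):
    """Step 7: solve log10(HEP) = a*SLI + b from two tasks with known HEPs."""
    (sli_x, hep_x), (sli_y, hep_y) = reference_tasks
    if sli_x == sli_y:
        raise ValueError("reference tasks need distinct SLIs")
    a = (math.log10(hep_y) - math.log10(hep_x)) / (sli_y - sli_x)
    b = math.log10(hep_x) - a * sli_x
    return a, b


def human_error_probability(sli, a, b):
    """Convert an SLI to a HEP. The fit is a straight line in log space, so it
    can extrapolate above 1 for very low SLIs; clamp it to a probability."""
    return min(1.0, 10 ** (a * sli + b))


def slim_table(ratings=RATINGS, reference_tasks=REFERENCE_TASKS):
    """Return {task: (SLI, HEP)} for every rated task."""
    a, b = calibrate(reference_tasks)
    table = {}
    for task, task_ratings in ratings.items():
        sli = success_likelihood_index(task_ratings)
        table[task] = (sli, human_error_probability(sli, a, b))
    return table


if __name__ == "__main__":
    a, b = calibrate(REFERENCE_TASKS)
    print(f"a = {a:.4f}, b = {b:.4f}")
    for task, (sli, hep) in slim_table().items():
        print(f"{task:14s} SLI = {sli:.2f}  HEP = {hep:.2e}")
```

Note how sensitive the result is to the calibration: a drop of 1.25 SLI points between VO1O1 open and Alarm mis-set moves the HEP from about 7e-4 to about 0.14.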
[Muster scenario table, reconstructed from the slide; three scenarios:]
Person in question | Scenario 1: operator who at the time of muster alarm is in the process units draining a process vessel | Scenario 2: operator who at the time of muster alarm is changing filters in a solids removal unit | Scenario 3: operator who at the time of muster alarm is in the process units working valves to isolate a vessel
Weather | The incident occurs in good weather and calm seas | The incident occurs in cold, wet weather | The incident occurs during a winter storm
Time of day | The muster is conducted during daylight hours | The muster is conducted during daylight hours | The muster is conducted during nighttime hours
Location of muster initiator | The operator is on a different deck than the person who has fallen overboard. The operator does not see or hear the muster initiator | The operator is on the same deck as the gas release | The operator is on the same deck as the fire and explosion
[Muster flowchart boxes: Ascertain if danger is imminent (YES / NO); Return process equipment to safe state; Make workplace as safe as possible in limited time; Move along egress route; Assess quality of egress; if Tenable: Register at TSR, Provide pertinent feedback attained while enroute to TSR, Don survival suit if directed to, Follow OIM’s instructions; if Not tenable: Choose alternate route]
Descriptions of PSFs
PSF | Description
Stress | PSF affecting the completion of actions as quickly as possible to effectively muster in a safe manner. This is essentially the effect from the muster initiator on the consequences of not completing the task.
Complexity | PSF that affects the likelihood of a task being completed successfully because of the intricacy of the action and its sub-actions. This, combined with a high level of stress, can make actions that are normally simplistic in nature complicated or cumbersome. This PSF can cause individuals to take shortcuts (violations) to perform a task as quickly as possible or not to complete the task.
Training | PSF that directly relates to an individual’s ability to most effectively identify the muster alarm and perform the necessary actions to complete the muster effectively. Training under simulation can provide a complacency factor as a highly trained individual may lack a sense of urgency because of training’s inherent repetitiveness.
Experience | PSF related to real muster experience. An individual may not be as highly trained as other individuals but may have experienced real musters and the stressors that accompany real events. Strong biases may be formed through these experiences.
Event factors | PSF that is a direct result from the muster initiator and the location of the individual with respect to the initiating event. Distractions that can affect the successful completion of a muster include smoke, heat, fire, pressure wave and noise.
Atmospheric factors | PSF that influences actions due to weather. High winds, rain, snow or sleet can affect manual dexterity and make egress paths hazardous when traversing slippery sections. Extremely high winds negatively impact hearing and flexibility of movement.
PSF Rating (Performance Shaping Factor Rating)
Scale | Stress | Complexity | Training | Experience | Event Factors | Atmospheric Factors
100 | no stress | not complex | highly trained | very experienced | no effect | no effect
50 | some stress | somewhat complex | some training | somewhat experienced | some effect | some effect
0 | highly stressed | very complex | no training | no experience | large effect | large effect
Predicted HEP
No. | Action | Phase | HEP 1 | HEP 2 | HEP 3 | Loss of Defenses
1 | Detect alarm | Awareness | 0.00499 | 0.0308 | 0.396 | Do not hear alarm. Do not properly identify alarm. Do not maintain composure (panic).
2 | Identify alarm | Awareness | 0.00398 | 0.0293 | 0.386 | (as for 1)
3 | Act accordingly | Awareness | 0.00547 | 0.0535 | 0.448 | (as for 1)
4 | Ascertain if danger is imminent | Evaluation | 0.00741 | 0.0765 | 0.465 | Misinterpret muster initiator seriousness and fail to muster in a timely fashion. Do not return process to safe state. Leave workplace in a condition that escalates initiator or impedes others’ egress.
5 | Muster if in imminent danger | Evaluation | 0.00589 | 0.0706 | 0.416 | (as for 4)
6 | Return process equipment to safe state | Evaluation | 0.00866 | 0.0782 | 0.474 | (as for 4)
7 | Make workplace as safe as possible in limited time | Evaluation | 0.00903 | 0.0835 | 0.489 | (as for 4)
Predicted HEP (continued)
No. | Action | Phase | HEP 1 | HEP 2 | HEP 3 | Loss of Defences
8 | Listen and follow PA announcements | Egress | 0.00507 | 0.0605 | 0.420 | Misinterpret or do not hear PA announcements. Misinterpret tenability of egress path. Fail to follow a path which leads to TSR; decide to follow a different egress path with lower tenability. Fail to assist others. Provide incorrect assistance which delays or prevents egress.
9 | Evaluate potential egress paths and choose route | Egress | 0.00718 | 0.0805 | 0.476 | (as for 8)
10 | Move along egress route | Egress | 0.00453 | 0.0726 | 0.405 | (as for 8)
11 | Assess quality of egress route while moving to TSR | Egress | 0.00677 | 0.0788 | 0.439 | (as for 8)
12 | Choose alternate route if egress path is not tenable | Egress | 0.00869 | 0.1000 | 0.500 | (as for 8)
14 | Assist others if needed or as directed | Egress | 0.01010 | 0.0649 | 0.358 | (as for 8)
15 | Register at TSR | Recovery | 0.00126 | 0.0100 | 0.200 | Fail to register while in the TSR. Fail to provide pertinent feedback. Provide incorrect feedback. Do not don personal survival suit in an adequate time for evacuation. Misinterpret OIM’s instructions or do not follow OIM’s instructions.
16 | Provide pertinent feedback attained while enroute to TSR | Recovery | 0.00781 | 0.0413 | 0.289 | (as for 15)
17 | Don personal survival suit or TSR survival suit if instructed to abandon | Recovery | 0.00517 | 0.0260 | 0.199 | (as for 15)
18 | Follow OIM’s instructions | Recovery | 0.00570 | 0.0208 | 0.210 | (as for 15)
Advantages of SLIM
• Given that HEPs are calibrated with other known HEPs, they are likely to be a reasonable estimate
• It is a flexible technique: one can deal with the entire range of HE forms without requiring a detailed decomposition of the task; for example, as required with THERP
A reliability engineer has the task of assessing the probability of a plant operator failing to carry out the task of isolating a plant bypass route as required by procedure. However, the operator is fairly inexperienced in fulfilling this task and therefore typically does not follow the correct procedure; the individual is therefore unaware of the hazards created when the task is carried out.
From the relevant tables, it can be established that the type of task in this situation is of the type (F) which is defined as “Restore or shift a system to original or new state following procedures, with some checking”. This task type has the proposed nominal human unreliability value of 0.003.
TPM 024A
Concepts, Terms and Definition
Reliability
• Reliability is the probability that a component or system will perform desired operation for a given period of time under the defined operating conditions.
  – Probability: numerical parameter
  – Desired operation, Time, Operating conditions: engineering parameters
• It is the probability of a non-failure over time. In some cases reliability is not defined over time but over another measurement such as miles traveled, units or batches produced etc.
• Maintainability
  – Maintainability is the probability that a failed component or system will be restored or repaired to specified conditions within a period of time using specified maintenance procedure.
  – In simple terms it is the probability of repair in a given time.
• Availability
  – Availability is the probability that a component or system is performing its required function at a given point of time in a specified operating condition. In other words, it is the probability or degree to which the system will be ready to start a mission when needed.
  – Availability = failure time/(failure time + repair time)
• Quality
  – Quality is defined as the amount by which a product satisfies the user’s (customer’s) requirements
  – Quality is a function of design specification. Quality of a product and reliability are dependent on each other
  – A high reliability product will have a high quality, but vice versa may or may not be true
Concepts, Terms and Definition
• Operating Time
  – The time during which an item is performing a function. It is the time period between turn-on and turn-off of a system, subsystem, component or part during which operating is specified.
• Repair Time
  – Time measured from the beginning of correction of a malfunction to the completion of such correction. Time during which one or more technicians are actually working to repair a failure. This time includes preparation time, fault location time, correction time and checkout time.
• Failure Rate
  – A value expressing the frequency of failure occurrence over any specified time interval or cycles of operation
• Failure Modes
  – The various manners or ways in which failures occur and the resulting operating condition of the item at the time of failure
• Common Cause
  – A cause resulting in failure of all affected systems
• Reliability is defined as the probability that a component or system will function over some time period, t. Let us define a continuous random variable T as the time to failure of the component or system.
• Then, the reliability function can be expressed as $R(t) = \Pr\{T \ge t\}$
• where $R(t) \ge 0$, $R(0) = 1$, and $\lim_{t \to \infty} R(t) = 0$; for a given value of t, R(t) is the probability that the time to failure is greater than or equal to t.
• The cumulative distribution function (CDF) is the probability that a failure occurs before time t, and therefore the CDF is $F(t) = 1 - R(t) = \Pr\{T < t\}$, where $F(0) = 0$ and $\lim_{t \to \infty} F(t) = 1$.
• The probability density function (PDF) is defined as $f(t) = \frac{dF(t)}{dt} = -\frac{dR(t)}{dt}$, and this function describes the shape of the failure distribution. The PDF f(t) has two properties: $f(t) \ge 0$ and $\int_0^\infty f(t)\,dt = 1$.
Relation between PDF and Reliability Function/CDF
[Figure: f(t), R(t) and F(t) against failure time t]
• Mean time to failure (MTTF) is the statistical mean of the failure time
In other words, λ(t), the hazard rate or failure rate function, uniquely determines the reliability function as shown below:
$-\int_0^t \lambda(t)\,dt = \ln R(t)$, as $R(0) = 1$, and therefore $R(t) = \exp\left[-\int_0^t \lambda(t)\,dt\right]$
$L(t) = \int_0^t \lambda(t)\,dt$
Average failure rate is defined between two times $t_1$ and $t_2$.
The Weibull Distribution
• Hazard rate functions that are not constant over time.
• It is one of the most useful probability distributions in reliability engineering.
• It may be used to model both increasing and decreasing failure rates.
• The general expression for the hazard rate function is a power function given by $\lambda(t) = a t^{b}$. The hazard function is increasing for a > 0, b > 0 and decreasing for a > 0, b < 0.
• For convenience it is better to express it as:
$\lambda(t) = \frac{\beta}{\theta}\left(\frac{t}{\theta}\right)^{\beta - 1}$, θ > 0, β > 0, t ≥ 0
$R(t) = \exp\left[-\int_0^t \frac{\beta}{\theta}\left(\frac{t}{\theta}\right)^{\beta - 1} dt\right] = e^{-(t/\theta)^{\beta}}$
$f(t) = -\frac{dR(t)}{dt} = \frac{\beta}{\theta}\left(\frac{t}{\theta}\right)^{\beta - 1} e^{-(t/\theta)^{\beta}}$
• θ is a scale parameter that influences both the mean and the spread or dispersion of the distribution. It is called the characteristic life and has units identical to those of failure time.
• β is referred to as the shape parameter. For β < 1, the probability density function is similar in shape to the exponential; for large values β < 3, the probability density function is somewhat symmetrical, like the normal distribution.
The Weibull Distribution
[Figures: f(t) and R(t) for β = 0.5, 1.5, 2.0 and 4.0; R(t) for θ = 0.5, 1.0 and 2.0]
The Weibull Distribution
• In case two identical components (assumed independent) are used to form a redundant system (both must fail for the system to fail), then the system reliability is:
$R_s(t) = 1 - [1 - R(t)]^2$, with $R(t) = e^{-(t/\theta)^{\beta}}$, so
$R_s(t) = 1 - \left\{1 - e^{-(t/\theta)^{\beta}}\right\}^2 = 2 e^{-(t/\theta)^{\beta}} - e^{-2(t/\theta)^{\beta}}$
$MTTF = \theta\,\Gamma\!\left(1 + \frac{1}{\beta}\right)\left(2 - 2^{-1/\beta}\right)$
$\lambda_s(t) = \frac{\beta}{\theta}\left(\frac{t}{\theta}\right)^{\beta - 1}\frac{2 - 2e^{-(t/\theta)^{\beta}}}{2 - e^{-(t/\theta)^{\beta}}}$
• Because of its flexibility, the Weibull distribution is often the first choice when attempting to model a population with increasing failure rate. Some common applications of the Weibull distribution are:
  – Determining the breaking strength of components or the stress required to fatigue failure of metals
  – Estimating the time to failure for mechanical/electrical components.
  – Calculating the time to failure for items that wear out, such as automobile tires, thinning of pipe wall thickness etc.
  – Analyzing systems that fail when the weakest component in the system fails. In this case, the Weibull distribution represents an extreme value distribution
Normal (Gaussian) Distribution
• The normal distribution has also been used to model fatigue and wear out phenomena.
$f(t) = \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left[-\frac{1}{2}\frac{(t - \mu)^2}{\sigma^2}\right]$, $-\infty < t < \infty$
• Because of its relationship with
[Figure: normal PDF f(t), legend σ = 0.5]
• Parameters μ and σ are the mean and variance of the distribution.
• The distribution is symmetrical about its mean.
• Reliability: $R(t) = \int_t^{\infty} \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left[-\frac{1}{2}\frac{(t - \mu)^2}{\sigma^2}\right] dt$
• There is no closed form solution to the reliability function; it must be evaluated numerically.
• If the transformation $z = \left(\frac{t - \mu}{\sigma}\right)$ is made, then z will be normally distributed with a mean of zero and variance of one:
PDF $\phi(z) = \frac{1}{\sqrt{2\pi}} e^{-z^2/2}$
CDF $\Phi(z) = \int_{-\infty}^{z} \phi(z)\,dz$
Normal (Gaussian) Distribution
• The standardized table can be used to find the cumulative probabilities of any normally distributed random variable, by making use of
$F(t) = \Pr\{T \le t\} = \Pr\left(\frac{T - \mu}{\sigma} \le \frac{t - \mu}{\sigma}\right) = \Pr\left\{z \le \frac{t - \mu}{\sigma}\right\} = \Phi\left(\frac{t - \mu}{\sigma}\right)$
$R(t) = 1 - \Phi\left(\frac{t - \mu}{\sigma}\right)$, $\lambda(t) = \frac{f(t)}{R(t)} = \frac{f(t)}{1 - \Phi\{(t - \mu)/\sigma\}}$
Lognormal Distribution
• If the random variable T, the time to failure, has a lognormal distribution, the logarithm of T has a normal distribution.
• The lognormal density function may be written as
$f(t) = \frac{1}{\sqrt{2\pi}\, s\, t}\exp\left(-\frac{1}{2 s^2}\left(\ln\frac{t}{t_{med}}\right)^2\right)$ for $t \ge 0$
Lognormal Distribution
• To compute failure probabilities, the relationship between the normal and lognormal is used. It is shown in:
Distribution | Lognormal | Normal
Mean | $t_{med}\exp\left(\frac{s^2}{2}\right)$ | $\ln t_{med}$
Variance | $t_{med}^2 \exp(s^2)\left[\exp(s^2) - 1\right]$ | $s^2$
Given that T is a lognormal random variable
• Since the logarithm is a monotonically increasing function
$F(t) = \Pr\{T \le t\} = \Pr\{\ln T \le \ln t\} = \Pr\left\{\frac{\ln T - \ln t_{med}}{s} \le \frac{\ln t - \ln t_{med}}{s}\right\} = \Pr\left\{z \le \frac{1}{s}\ln\frac{t}{t_{med}}\right\} = \Phi\left(\frac{1}{s}\ln\frac{t}{t_{med}}\right)$
$R(t) = 1 - \Phi\left(\frac{1}{s}\ln\frac{t}{t_{med}}\right)$
• Similar to the normal, the hazard rate function for the lognormal distribution cannot be solved analytically.
• The lognormal hazard rate can be calculated numerically at selected points in time by finding f(t)/R(t).
• The hazard rate function increases until it reaches a peak and then it slowly decreases, which is an uncommon failure rate behavior for most components.
• The effect of the shape parameter on the lognormal hazard rate curve
[Figure: λ(t) against t for s = 0.4, 0.6, 0.8 and 1.0]
Serial Configuration
• Components are critical: if either component fails, the system will fail.
$R_s = P(E_1 \cap E_2) = P(E_1)\,P(E_2) = R_1 R_2$ (assuming independence)
Generalizing to n components in series, the system reliability (Rs) is:
$R_s(t) = R_1(t)\,R_2(t)\,R_3(t) \cdots R_n(t) \le \min\{R_1(t), R_2(t), R_3(t), \ldots, R_n(t)\}$
Serial Configuration
• In such a case the system reliability can never be greater than the smallest component reliability.
• It is important for all components to have a high reliability in order to have a high system reliability.
Serial Configuration: Constant Failure rate
If each component has a constant failure rate, the system reliability is
$R_s(t) = \prod_{i=1}^{n} R_i(t) = \prod_{i=1}^{n} \exp(-\lambda_i t) = \exp\left(-\sum_{i=1}^{n} \lambda_i t\right) = \exp(-\lambda_s t)$
where $\lambda_s = \sum_{i=1}^{n} \lambda_i$ is the system failure rate. This means that the system also has a constant failure rate.
Serial Configuration: Weibull failure model
The Weibull system reliability is given by:
$R_s(t) = \prod_i \exp\left[-\left(\frac{t}{\theta_i}\right)^{\beta_i}\right] = \exp\left[-\sum_i \left(\frac{t}{\theta_i}\right)^{\beta_i}\right]$
$\lambda(t) = \left(-\frac{dR_s(t)}{dt}\right)\frac{1}{R_s(t)} = \sum_{i=1}^{n} \frac{\beta_i}{\theta_i}\left(\frac{t}{\theta_i}\right)^{\beta_i - 1}$
It is evident from the above expression of λ(t) that the system does not exhibit Weibull type failure, even though every component has a Weibull failure distribution.
Parallel configuration
• If components are in parallel or redundant, all units must fail for the system to fail. The system reliability is found by 1 minus the probability of all components failing (i.e. the probability that at least one component doesn’t fail).
$R_s(t) = P(E_1 \cup E_2) = 1 - P\left((E_1 \cup E_2)^c\right) = 1 - P(E_1^c \cap E_2^c) = 1 - P(E_1^c)\,P(E_2^c) = 1 - (1 - R_1)(1 - R_2)$
Parallel configuration
$R_s(t) = P(E_1 \cup E_2) = 1 - P\left((E_1 \cup E_2)^c\right) = 1 - P(E_1^c \cap E_2^c) = 1 - P(E_1^c)\,P(E_2^c) = 1 - (1 - R_1)(1 - R_2)$
Generalizing: $R_s(t) = 1 - \prod_{i=1}^{n}\left[1 - R_i(t)\right]$
It is always true that $R_s(t) \ge \max(R_1, R_2, R_3, \ldots, R_n)$
• In a parallel configuration the system reliability is always greater than the reliability of the most reliable component.
Parallel configuration: Constant failure rate system
• For a redundant system consisting of all CFR components, the system reliability is
$R_s(t) = 1 - \prod_{i=1}^{n}\left(1 - e^{-\lambda_i t}\right)$, where $\lambda_i$ is the failure rate of the i-th component.
Parallel configuration: Weibull system
Combined Series and Parallel Systems
[Figure: a combined network; the system may have one or more parallel components]
Comparison of High and Low level of redundancy
High Level redundancy
• k-out-of-n: k identical and independent components out of n must function for the system to function. Obviously, k ≤ n.
• If k = 1, complete redundancy occurs, and if k = n, the n components are, in effect, in series.
• The reliability may be obtained from the binomial probability distribution.
If each component is viewed as an independent trial with R (its reliability) as a constant probability of success, then
$P(x) = \binom{n}{x} R^{x}(1 - R)^{n - x}$
is the probability of exactly x components operating. $\binom{n}{x}$ is the number of ways in which x successes can be obtained from n components, and $R^{x}(1 - R)^{n - x}$ is the probability of x successes and n - x failures for a single arrangement of successes and failures. Therefore the probability of k or more successes from among the n components can be written as
$R_s = \sum_{x=k}^{n} P(x) = \sum_{x=k}^{n} \binom{n}{x} R^{x}(1 - R)^{n - x}$
The mean time to failure of the system is
$MTTF = \int_0^{\infty} R_s(t)\,dt$
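An added example (not from the slides) implementing the series, parallel, constant-failure-rate, k-out-of-n and two-unit Weibull formulas from the slides above, and checking the Weibull MTTF closed form against a numerical integral of $R_s(t)$; all parameter values are constructed.

```python
"""Series, parallel, k-out-of-n and Weibull redundancy formulas."""
import math


def series_reliability(rs):
    """R_s = R1 R2 ... Rn; never above the weakest component."""
    return math.prod(rs)


def parallel_reliability(rs):
    """R_s = 1 - prod(1 - Ri); never below the strongest component."""
    return 1.0 - math.prod(1.0 - r for r in rs)


def k_out_of_n_reliability(k, n, r):
    """Binomial sum over x = k..n of C(n,x) R^x (1-R)^(n-x)."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    return sum(math.comb(n, x) * r ** x * (1 - r) ** (n - x) for x in range(k, n + 1))


def cfr_series_reliability(rates, t):
    """Series of CFR components: exp(-lambda_s t), lambda_s = sum of the rates."""
    return math.exp(-sum(rates) * t)


def cfr_parallel_reliability(rates, t):
    """Parallel CFR components: 1 - prod(1 - exp(-lambda_i t))."""
    return 1.0 - math.prod(1.0 - math.exp(-lam * t) for lam in rates)


def weibull_reliability(t, theta, beta):
    """Single Weibull unit: exp(-(t/theta)^beta)."""
    return math.exp(-((t / theta) ** beta))


def weibull_pair_reliability(t, theta, beta):
    """Two identical Weibull units, both must fail: 2w - w^2 with w = R(t)."""
    w = weibull_reliability(t, theta, beta)
    return 2.0 * w - w * w


def weibull_pair_mttf(theta, beta):
    """Closed form from the slide: theta * Gamma(1 + 1/beta) * (2 - 2^(-1/beta))."""
    return theta * math.gamma(1.0 + 1.0 / beta) * (2.0 - 2.0 ** (-1.0 / beta))


def mttf_numeric(reliability, t_max, steps=20000):
    """MTTF = integral of R(t) dt, trapezoid rule on [0, t_max]; t_max must be
    large enough that R(t_max) is negligible."""
    h = t_max / steps
    total = 0.5 * (reliability(0.0) + reliability(t_max))
    total += sum(reliability(i * h) for i in range(1, steps))
    return total * h


if __name__ == "__main__":
    r = 0.9
    for k in (1, 2, 3):  # 1-of-3 is full redundancy, 3-of-3 is a series
        print(f"{k}-out-of-3 with R={r}: {k_out_of_n_reliability(k, 3, r):.4f}")
    theta, beta = 1000.0, 2.0  # constructed characteristic life and shape
    analytic = weibull_pair_mttf(theta, beta)
    numeric = mttf_numeric(lambda t: weibull_pair_reliability(t, theta, beta), 8.0 * theta)
    print(f"two-unit Weibull MTTF: closed form {analytic:.2f}, numeric {numeric:.2f}")
```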
k-out-of-n CFR case

Complex Configuration

Decomposition
(figure: bridge network with components A and C on the upper path, B and D on the lower path and E linking the two paths; sub-network I has E functioning, sub-network II has E failed; not reproduced)
The shown network is broken down into two sub-networks, one in which component E has failed (II) and one in which component E is functioning with reliability $R_E$ (I). The reliability of each sub-network is determined separately. The total reliability of the system may be computed as:

$R_s = R_E R_I + (1 - R_E) R_{II}$

Enumeration
• For small networks, enumeration is used to determine the system reliability. Steps are:
– identify all possible combinations of success (S) and failure (F) of each component and the resulting success or failure of the system.
– For each possible combination of component successes or failures, the probability of the intersection of these events is computed (considering mutually exclusive events).
– The sum of the success probabilities, or one minus the sum of the failure probabilities, is the system reliability.
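The decomposition and enumeration steps above, worked through as an added example that is not part of the slides: both methods are applied to the bridge network A–E (assumed wiring: A and C form the upper path, B and D the lower path, E cross-links the two midpoints), and the binomial k-out-of-n formula from the previous slide is included for comparison. Component reliabilities are constructed sample values.

```python
"""Bridge network reliability by decomposition and by enumeration, plus k-out-of-n.

Added example, not from the lecture slides. Component names follow the slide's
network; the reliabilities in SAMPLE are constructed values.
"""
from itertools import product
from math import comb


def bridge_works(a: bool, b: bool, c: bool, d: bool, e: bool) -> bool:
    """Success function of the bridge: is there a working path from source to sink?"""
    # Direct paths A-C and B-D, or the two paths that cross over via E.
    return (a and c) or (b and d) or (a and e and d) or (b and e and c)


def reliability_by_enumeration(rel: dict) -> float:
    """Sum P(state) over all 2^5 mutually exclusive success/failure combinations."""
    names = "ABCDE"
    total = 0.0
    for state in product((True, False), repeat=5):
        if bridge_works(*state):
            p = 1.0
            for name, up in zip(names, state):
                p *= rel[name] if up else (1.0 - rel[name])
            total += p
    return total


def series(*rs: float) -> float:
    """Series rule: product of the component reliabilities."""
    out = 1.0
    for r in rs:
        out *= r
    return out


def parallel(*rs: float) -> float:
    """Parallel rule: 1 - product of the component unreliabilities."""
    q = 1.0
    for r in rs:
        q *= (1.0 - r)
    return 1.0 - q


def reliability_by_decomposition(rel: dict) -> float:
    """R_s = R_E * R_I + (1 - R_E) * R_II, conditioning on the cross-link E."""
    # Sub-network I (E works): the midpoints merge, so (A || B) in series with (C || D).
    r_i = series(parallel(rel["A"], rel["B"]), parallel(rel["C"], rel["D"]))
    # Sub-network II (E failed): the series paths A-C and B-D in parallel.
    r_ii = parallel(series(rel["A"], rel["C"]), series(rel["B"], rel["D"]))
    return rel["E"] * r_i + (1.0 - rel["E"]) * r_ii


def k_out_of_n(k: int, n: int, r: float) -> float:
    """Binomial k-out-of-n reliability for identical, independent components."""
    return sum(comb(n, x) * r ** x * (1.0 - r) ** (n - x) for x in range(k, n + 1))


# Constructed sample reliabilities for the five components.
SAMPLE = {"A": 0.9, "B": 0.8, "C": 0.85, "D": 0.7, "E": 0.95}

if __name__ == "__main__":
    print("enumeration  :", reliability_by_enumeration(SAMPLE))
    print("decomposition:", reliability_by_decomposition(SAMPLE))
    print("2-out-of-3, R=0.9:", k_out_of_n(2, 3, 0.9))
```

With E conditioned out, each sub-network reduces to plain series/parallel algebra, which is why the two results must coincide.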
System structure function
• A very general alternative approach for analyzing the reliability of complex systems is through the use of the system structure function:

$X_i = \begin{cases} 1 & \text{if component } i \text{ operates} \\ 0 & \text{if component } i \text{ has failed} \end{cases}$

The system structure function is defined as: (definition not reproduced in the extracted text)

• Reliability for series system
$\Pr\{Y(X_1, X_2, X_3, \ldots, X_n) = 1\} = \Pr\{X_1 = 1, X_2 = 1, X_3 = 1, \ldots, X_n = 1\} = \Pr\{X_1 = 1\}\Pr\{X_2 = 1\}\Pr\{X_3 = 1\}\cdots\Pr\{X_n = 1\} = R_1 R_2 R_3 \cdots R_n$

• Reliability for parallel system
• Several components may fail by common mode failure such as same power source, external load, vibrations etc.
• A common-mode failure can be depicted in series with those components sharing the failure mode.
• In order to represent the system in series, it must be possible to separate independent failures from common-mode failures.
(figure: R1, R2 and R3 in parallel, in series with the common-mode block R′; not reproduced)

$R_s = [1 - (1 - R_1)(1 - R_2)(1 - R_3)]\,R'$

• Three state devices are components that have three states such as open and short failure modes, and an operating state. Examples include electrical circuits, flow valves etc.
– It is interesting to note that for systems comprising these components redundancy may either increase or decrease the system reliability.
– An alarm system is a three state device, which may fail safe (false alarm) or may fail to danger (failure to function in need).
Thank you!
Questions?

High-level Redundancy
(figure: block diagram of N components, each drawn as a chain 1, 2, …, m; not reproduced)

2. Why?
One of the domains of operational risk management
• Some figures and psychological info
Some accident & accident cost figures
• Daily 18,900 accidents at work in Europe (EU-27, data from 2007).
• Costs to employers in France due to workplace accidents and work-related ill-health (extrapolations based on study in UK): 4.5 – 8.9 billion € (EU, 2011).

Economic consequences of safety and prevention for a company

Some derived facts
Individual Psychological background: Loss aversion and prevention investments

Loss Aversion
Translating this psychological principle into safety terminology, it is clear that company management would be more inclined to invest in production (‘certain gains’) than to invest in prevention (‘uncertain gains’).
Also, management is more inclined to risk highly improbable accidents (‘uncertain losses’) than to make large investments (‘certain losses’) in dealing with such accidents.

Prediction

What operational safety economics can do, is help to find the balance.
Operational safety and prevention economics = emerging field of interest to academia and industry
Costs of prevention measures (‘control costs’)
• Staffing costs of company HSE department
• Staffing costs for the rest of the personnel (time needed to implement safety measures, time required to read working procedures and safety procedures, etc.)
• Procurement and maintenance costs of safety equipment (e.g., fire hoses, fire extinguishers, emergency lighting, cardiac defibrillators, pharmacy equipment, etc.)
• Costs related to training and education w.r.t. working safe
• Costs related to preventive audits and inspections
• Costs related to exercises, drills, simulations w.r.t. safety (e.g., evacuation exercises, etc.)
• A variety of administrative costs
• Prevention-related costs for early replacements of installation parts, etc.
• Investigation of near-misses and incidents
• Maintenance of machine park, tools, etc.
• Good housekeeping
• …

Costs of accidents (non-exhaustive), per interested party

Victim(s)
– Non-quantifiable consequences of accidents: pain and suffering; moral and psychic suffering; loss of physical functioning; loss of quality of life; health and domestic problems; reduced desire to work; anxiety; stress.
– Quantifiable consequences of accidents: loss of salary and bonuses; limitation of professional skills; time loss (medical treatment); financial loss; extra costs.

Colleagues
– Non-quantifiable consequences: bad feeling; anxiety or panic attacks; reduced desire to work; heavier work load; anxiety; stress.
– Quantifiable consequences: time loss; potential loss of bonuses; training and guidance of temporary employees.

Organisation
– Non-quantifiable consequences: deterioration of social climate; poor image, bad reputation.
– Quantifiable consequences: internal investigation; transport costs; medical costs; lost time (informing authorities, insurance company, etc.); damage to property and material; reduction in productivity; reduction in quality; personnel replacement; new training for staff; technical interference; organisational costs; higher production costs; higher insurance premiums; administrative costs; sanctions imposed by parent company; sanctions imposed by the government; modernization costs (ventilation, lighting, etc.) after inspection; new accident indirectly caused by accident (due to personnel being tired, inattentive, etc.); loss of certification; loss of customers or suppliers as a direct consequence of the accident; variety of administrative costs; loss of bonuses; loss of interest on lost cash/profits; loss of shareholder value.
Hypothetical benefits
Costs of incidents and accidents that happened (‘failure costs’) and costs of incidents and accidents that were avoided and that never happened (‘hypothetical benefits’) are different in their nature, due to the number of scenarios of possible accidents.
Hypothetical benefits are all costs related with accidents which have never occurred.

• The hypothetical benefit of the risk treatment option can be regarded in two ways:
• Definition (i): as the difference between the highest possible costs of an accident in the current situation and those of an accident after applying the treatment measure. Hence:
Maxmax Hypothetical Benefit = Maximum possible accident cost without any treatment – Maximum possible accident cost after the risk treatment
• Definition (ii): as the difference between the costs of retention when doing nothing (taking no action) and those of the possible accident after applying the treatment measure. Hence:
Expected Hypothetical Benefit = Cost of retention – Expected possible cost of accident after the risk treatment

(notes to the break-even figure on the slide; figure not reproduced)
• For each company the break-even point is different
• No hypothetical benefits are taken into consideration in this figure
• Only re-active way of economic analysis (based on accident/failure statistics over time, linked with prevention efforts)! (→ not usable for disasters)
• Nonetheless, all accidents are treated similar
Accident Typology
• Accidents where a satisfactory amount of information is available (Type I accidents or non-major accidents)

Risk typology

Hence: different types of risk, also for decision-making and operational economics!
Risks possibly leading to minor occupational accidents (“Type I”) are not to be confused with risks possibly leading to disasters and major accidents (“Type II and Type III”) when making prevention investment decisions.
Statistical cost-benefit methods may yield reliable results for Type I risks, whereas the (maxmax) hypothetical benefits of Type II risks almost always outweigh the prevention costs for these types of risks.

Some further considerations on economic prevention analyses
• Economic analyses can support normative risk control decisions but can not be used to determine the efficiency and effectivity of prevention measures.
• Economic analyses require debatable information, e.g. the price of a fatality, the price of a finger cut-off, the question of who pays which costs, the question of who receives which benefits, etc.
Choices between safety and prevention measures, constrained with the available H&S budget
Example: (low probability, high consequence) or (higher probability, lower consequence) accident reduction?
→ Evaluate best value-for-money risk reduction measures

• Many critiques can be formulated on the concept of ‘economic approaches for safety decisions’, e.g.:
– Economic approach for safety decisions gives the industry the aura of being more scientific about prevention measures taken
– Economic approaches and processes allow governments and organisations to hide behind ‘rationality’ and ‘objectivity’
– Analysts know that the economic assessments are often based on selective information, arbitrary assumptions, and enormous uncertainties. Nonetheless they accept that the assessments are used to conclude on risk acceptability.
• HOWEVER: THERE IS NO ALTERNATIVE (!): to support and continuously improve the decision-making about prevention and safety measures, we need to make economic assessments. The right way forward is not to reject the economic approach in safety decision-making, but to improve the tools and their use!
Economic approaches in safety decision-making
• Two fundamental scientific requirements should be met:
1. Reliability requirements of the economic assessment:
• The degree to which the economic analysis methods produce the same results at reruns of these methods
• The degree to which the economic analysis produces identical results when conducted by different analysis teams, but using the same methods and data
• The degree to which the economic analysis produces identical results when conducted by different analysis teams with the same analysis scope and objectives, but no restrictions on methods and data
2. Validity requirements of the economic assessment:
• The degree to which the produced economic/financial numbers are accurate compared to the underlying true number
• The degree to which the assigned probabilities adequately describe the assessor’s uncertainties of the unknown quantities considered
• The degree to which the epistemic uncertainty assessments are complete
• The degree to which the economic analysis addresses the right quantities
Helping decision makers to take prevention investment decisions: Current decision models and Decision Support Systems
• “Quick and dirty” calculations
• Calculations for costs and prevention investments regarding Type I accidents
• Calculations for costs and prevention investments regarding Type II accidents

Five-step approach
1. Preparation (scope, goals, suitable technique, parties to be involved)
2. Selecting variables and indicators (smart choice: in line with goals etc., data available, agree upon)
3. Finding data (available, extrapolation, new)
4. Valuations and calculations (attach money values to quantified variables and indicators; understandable presentation of results)
“Quick and dirty” accident cost calculations: only possible for Type I accidents
• Use e.g. the type I pyramid
• Use e.g. the Bird pyramid
(figure: accident pyramid with levels labelled by severity (top level: Serious, count 1), number of accidents N, cost per accident x and total cost N·x; not reproduced)

Quick-calculation example

More rigorous calculations for costs and prevention investments regarding Type I accidents

Safety and prevention econ. calculations: a number of existing models/tools exist. Models are often quite simplistic, providing only a very rough idea of for example
An example of a Type I model/tool for cost calculations and prevention investment calculations – building the model

The model
• Porter Business in Context Model
• MEEMO Model: Man, Equipment, Energy, Material, Environment, Organisation, Product (figure not reproduced)
(figure: accident cost model built on the MEEMO elements, distinguishing direct costs (e.g. fines) from indirect costs (social disturbances, energy loss, health damage, equipment damage, material and raw-material damage and waste, bad products, lost deals, raised premiums, bad publicity, exhaustion); not reproduced)

Cost categories: A. MAN; B. EQUIPMENT; C. INTERNAL WORK ENVIRONMENT; D. MATERIAL/PRODUCTS/...; E. ORGANIZATION; F. PRODUCT (OUTPUT); G. CUSTOMERS; H. SUPPLIERS; I. EXTERNAL ENVIRONMENT

A. MAN
• medical costs, costs for prosthesis, costs of orthopaedic material, travelling costs;
• costs due to the temporary disability of the victim;
• costs due to the possible permanent disability of the victim;
• costs due to the disease of the victim.
In case of a fatal accident, aside from the possible costs above, there are other costs like the funeral costs, a percentage of the wage of the victim as an indemnity for the persons left behind, etc. This also is clearly described in the Belgian legislation.
Integrate supplementary information

Tool can be used for estimating the accident costs
(screenshot of the spreadsheet tool, not reproduced; it contains one block per cost category, e.g. B. EQUIPMENT/MACHINES/... (making the area safe, damaged protective equipment, repairs and cleaning of working gear, vehicles or installations, replacement of working gear, vehicles or installations, change of production location, other material costs), C. INTERNAL WORK ENVIRONMENT (costs made to repair the original work environment), D. MATERIAL/PRODUCTS/... (material damage of stocks, substitution of products) and I. EXTERNAL ENVIRONMENT (government: extra control of government, legal costs, fines, indemnities; media: press releases; external environment: damage to the environment; market: attractiveness to potential customers, loss of image; labour market: position on the labour market, attractiveness to new personnel). Each line is entered as days spent × average cost/day = amount (decimal numbers, e.g. 0,25 = 2 hrs, 1 = 8 hrs); the sheet totals direct cost + indirect cost = total cost and reports the ratio direct cost / indirect cost.)
(screenshot of the payback sheet, not reproduced; inputs: yearly costs of accidents (calculated), number of workers (FTE), number of accidents (injuries), target reduction of injuries; outputs: payback period (years), rate of return (%), cost saving per year (€). Case 1: target reduction of injuries will be achieved immediately. Case 2: target reduction of injuries will be achieved as follows: 20,00% after 1 year, 40,00% after 2 years, 60,00% after 3 years, 80,00% after 4 years, 100,00% after 5 years.)

Case description (fragment): … supporting beam of the ceiling. As a result, the fork lift truck overturned.
Type II models/tools?

Remarks:
The reach truck would have been fully written off in September 2008. The machine was a total loss and the insurance paid out only the residual value.
Residual value (total loss): 3047 euro
Rental of a reach truck for three months: 3350
New value of the reach truck: 25 050 euro
Costs and benefits?

(Prevention) cost categories
• Initial costs: research, selection and design, material, training and information, adaptation of the guidelines & work procedures, etc.
• Installation costs: production losses, start-up, installation team, tools and utensils
• Exploitation costs: utility costs
• Maintenance costs: material, maintenance team, production losses, start-up
• Inspection costs: inspection team

Benefit (avoided accidents) categories
• Production chain benefits: production losses, start-up, planning
• Benefits regarding damages and losses: material/property/asset damages and losses of the own company, material/property/assets damages and losses of other companies, of neighbouring living areas, of public property, …
• Judicial benefits: penalties, interim-lawyers, specialized lawyers, internal investigation team, experts, legislation changes, permits
• Insurance benefits: insurance premium
(figure: BP share price over time, 02/02/2010 to 02/05/2013; date axis not reproduced)
Table 13: BP Share Price, Key Values
Source: Based on (BP, 2013)
Disproportion factor:

Tool for type II risk economic analyses (research in progress)
– Cost-benefit analysis for x measures for 1 scenario
– Cost effectiveness analysis for x measures for 1 scenario
– Cost-effectiveness analysis for y measures for z scenarios

Sheets of the tool (screenshots not reproduced):
4. ‘Cost structure’ sheet
5. ‘Benefit structure’ sheet
6. ‘Cost-Effectiveness Analysis’ sheet
7. ‘Report’ sheet
8. ‘History’ sheet
9. ‘Optimization tool’ sheet

Risk levels:
Level 1 risks: First priority
Level 2 risks: Tolerable if ALARP
Level 3 risks: Acceptable
(figure: ALARP scale from Broadly Acceptable through ALARP to Intolerable Risk; not reproduced)
Building blocks for the approach
• Building block 1: The risk matrix
• Building block 2: Costs and Benefits needed

Cost effectiveness analysis
Approach: “Knapsack problem” formulation

$\max \sum_i B_i x_i \quad \text{s.t.} \quad \sum_i C_i x_i \le Bu_{tot}, \quad x_i \in \{0,1\}$

• Method used in combinatorial optimization, that is, to solve the so-called ‘knapsack problem’

A number of assumptions are implicitly taken in this formulation:
• A measure is either taken or not (it cannot be partially taken);
• The total benefit of all measures taken is the sum of the individual benefits of the chosen measures;
• The total cost of all measures taken is the sum of the costs of the individual measures;
• Measures can be independently implemented, without consequences for the other measures.
Risk matrix (DoD, 2000)
Columns, probability of hazard: F Impossible; E Improbable; D Remote; C Occasional; B Probable; A Frequent.
Rows, severity of consequences: I Catastrophic; II Critical; III Marginal; IV Negligible.
Risk code / actions: 1. Unacceptable; 2. Undesirable; 3. Acceptable with controls; 4. Acceptable.
(the assignment of risk codes 1–4 to the individual matrix cells is shown graphically on the slide and is not reproduced)

Every cell of the risk matrix corresponds with a certain cost Ci. (This cost is the total cost of all risks together within that cell of a certain type (e.g. fire risks) – hence first one looks at the likelihood as well as at the consequences, second one sums the consequences per cell, third a final cell is assigned to the package of risks.)
The risk matrix, with cell cost per year
(ideally, we have real cost values Ci, based on financial information available about risks in the organization)
(cfr. as used in tool under construction)

Cell assignments (in €/year); rows: likelihood [year^-1], columns: consequence classes / financial impact [€]

Likelihood | < 7,500 | < 75,000 | < 750,000 | < 2,500,000
> 1        |   7,500 |   75,000 |   750,000 |   2,500,000
> 10^-1    |     750 |    7,500 |    75,000 |     250,000
> 10^-2    |      75 |      750 |     7,500 |      25,000
> 10^-3    |     7.5 |       75 |       750 |       2,500
> 10^-4    |    0.75 |      7.5 |        75 |         250

Building block 2: Cost-benefit analysis
• “Costs” = costs of prevention measures for decreasing from risk cell i to risk cell j; called COPij
• “Benefits” = averted costs (thus: “hypothetical benefits due to the taking of prevention measures”): to calculate by determining the decrease of costs related to risk cell i and risk cell j. This decrease can be calculated by subtracting Cj from Ci.
Illustrative example (1)
Illustrative example (2)
Illustrative example (3)

To solve this problem, four conditions have to be met: (i) the total benefit of measures taken needs to be maximized; (ii) the available budget constraint needs to be respected; (iii) maximum 1 decrease per risk cell is allowed; and (iv) a measure can be taken, or not. These conditions translate into the following mathematical expressions:

(i) $\max \sum_{i,j} B_{ij}\, x_{ij}$
(ii) $\sum_{i,j} CoP_{ij}\, x_{ij} \le Bu_{tot}$
(iii) $\sum_{j} x_{ij} \le 1$
(iv) $x_{ij} \in \{0,1\}$

Solution of the illustrative example (4)
Columns: start risk cell → target risk cell | cost | benefit | chosen | cost if chosen | benefit if chosen

Start = risk cell 3
3 → 2 | 35 | 67.5 | 0 | 0 | 0
3 → 1 | 42 | 74.25 | 1 | 42 | 74.25
Start = risk cell 7
7 → 6 | 325 | 675 | 0 | 0 | 0
7 → 5 | 460 | 742.5 | 0 | 0 | 0
7 → 3 | 295 | 675 | 1 | 295 | 675
7 → 2 | 420 | 742.5 | 0 | 0 | 0
7 → 1 | 590 | 749.25 | 0 | 0 | 0
Start = risk cell 10
10 → 9 | 330 | 675 | 0 | 0 | 0
10 → 6 | 350 | 675 | 0 | 0 | 0
10 → 5 | 390 | 742.5 | 0 | 0 | 0
10 → 2 | 400 | 742.5 | 0 | 0 | 0
10 → 1 | 880 | 749.25 | 0 | 0 | 0
Start = risk cell 12
12 → 11 | 13500 | 17500 | 0 | 0 | 0
12 → 10 | 13750 | 24250 | 0 | 0 | 0
12 → 9 | 14800 | 24925 | 0 | 0 | 0
12 → 4 | 13900 | 24750 | 0 | 0 | 0
12 → 3 | 17000 | 24925 | 0 | 0 | 0
12 → 2 | 27500 | 24992.5 | 0 | 0 | 0
12 → 1 | 38000 | 24999.25 | 0 | 0 | 0
Start = risk cell 13
13 → 9 | 410 | 675 | 0 | 0 | 0
13 → 5 | 550 | 742.5 | 0 | 0 | 0
13 → 1 | 700 | 749.25 | 0 | 0 | 0
Start = risk cell 15
15 → 14 | 31000 | 67500 | 0 | 0 | 0
15 → 13 | 36650 | 74250 | 1 | 36650 | 74250
15 → 11 | 29880 | 67500 | 0 | 0 | 0

• Solution: total cost = 49,987€; total hypothetical benefit = 97,499.25€. Total hypothetical profit = 47,512.25€.
Possible approach refinements for further application in real industrial practice

Either risk cell r or risk cell t needs to be decreased, but not both risk cells at the same time.
(e.g. two measures are redundant (they duplicate each other’s effects), and the organisation judges it superfluous to invest in both measures simultaneously)
(e.g. protection of machine from fire by procedural measures or by physical measures (fire wall), but not by both)
Extra constraint:
x(r→s) = 1 – x(t→u)

Either risk cell r, or risk cell t, or both, need to be decreased.
(e.g. either invest in a company fire department or in a sprinkler system, or in both)
Mathematical constraint:
x(r→s) + x(t→u) >= 1
Possible approach refinements for further application in real industrial practice

Another possibility:
If risk cell t is decreased, risk cell r cannot be decreased, and vice versa. The possibility also exists that both measures are not taken.
(e.g., management has decided that one part of a facility will be protected by a sprinkler system at most, but not two parts)
Mathematical constraint:
x(r→s) <= 1 – x(t→u)

Other relationships:
• In principle, all relationships between measures can be expressed in a mathematical way as constraints
• Logical relationships can also be used, and expressed by operators
– NOT (risk cell i is not decreased)
– AND (risk cell i and risk cell j are decreased)
– OR (risk cell i or risk cell j is decreased)
– IMPLICATION (if risk cell i is decreased, then risk cell j is decreased)
These logic-operators can be used to create arbitrarily complex relationships that can be used to express the most complex logical relationships between safety measures.
Possible approach refinements for further application in real industrial practice

Example for logical operators:
M1: automatic fire door is installed [e.g. x(4→2)]
M2: fire alarm system is installed [e.g. x(6→2)]
M3: electricity system is upgraded [e.g. x(3→1)]
M4: back-up generator is installed [e.g. x(7→3)]
M5: a link to an additional electricity system is installed [e.g. x(5→2)]
The condition is the following:
If both the automatic fire door and the alarm system are installed, and the electricity system is not upgraded, then either a back-up generator should be installed, or a link to an additional power system should be purchased.
Logical equivalent: (M1 AND M2) AND NOT(M3) IF THEN M4 OR M5

Converted into its conjunctive normal form:
(NOT(M1) OR NOT(M2) OR M4 OR M5) AND (M3 OR M4 OR M5)
Which, in turn, can be translated into the following mathematical constraints, which both need to be met:
x(4→2) + x(6→2) – x(7→3) – x(5→2) <= 1
x(3→1) + x(7→3) + x(5→2) >= 1
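The clause-to-constraint translation and the budget-constrained selection of the slides above, worked through as an added example (not part of the lecture). It keeps the slide's five measures M1–M5 and its two linear constraints, solves the 0/1 knapsack by enumeration, and adds the check a practitioner would run before trusting an encoding: comparing the two linear constraints against the if-then rule evaluated directly over all 32 selections. That check shows the slide's constraints imply the rule but are stricter than it (the second clause must hold on its own, and the first one excludes taking M1 and M2 without M4 or M5 even when M3 is taken), which changes the optimum. Costs, benefits and the budget are constructed sample values.

```python
"""Selecting prevention measures under a budget with a logical side condition.

Added example, not from the lecture. The measure names and risk-cell transitions
follow the slide; all cost and benefit figures and the budget are constructed.
"""
from itertools import product

# name -> (risk-cell transition from the slide, cost in EUR, hypothetical benefit in EUR)
MEASURES = {
    "M1": ("4->2", 3000, 6000),   # automatic fire door (constructed cost/benefit)
    "M2": ("6->2", 2500, 5000),   # fire alarm system
    "M3": ("3->1", 9000, 12000),  # electricity system upgrade
    "M4": ("7->3", 7000, 8000),   # back-up generator
    "M5": ("5->2", 4000, 4500),   # link to an additional electricity system
}
NAMES = tuple(MEASURES)


def clause_to_linear(clause):
    """Turn one CNF clause, given as (measure, negated) literals, into the linear
    inequality sum(coef[m] * x[m]) >= rhs.  A positive literal contributes x, a
    negated one contributes (1 - x), so every negation lowers the right-hand side
    by one.  The slide's first clause becomes -x(M1) - x(M2) + x(M4) + x(M5) >= -1,
    i.e. x(M1) + x(M2) - x(M4) - x(M5) <= 1, exactly as written on the slide."""
    coef, rhs = {}, 1
    for measure, negated in clause:
        coef[measure] = coef.get(measure, 0) + (-1 if negated else 1)
        if negated:
            rhs -= 1
    return coef, rhs


# The two clauses the slide gives as the conjunctive normal form of the rule.
SLIDE_CNF = [
    [("M1", True), ("M2", True), ("M4", False), ("M5", False)],
    [("M3", False), ("M4", False), ("M5", False)],
]


def satisfies_slide_constraints(x):
    """Both linear constraints derived from SLIDE_CNF hold for selection x (0/1 values)."""
    for coef, rhs in map(clause_to_linear, SLIDE_CNF):
        if sum(c * x[m] for m, c in coef.items()) < rhs:
            return False
    return True


def satisfies_rule(x):
    """The slide's rule evaluated directly: (M1 and M2 and not M3) implies (M4 or M5)."""
    antecedent = x["M1"] and x["M2"] and not x["M3"]
    return (not antecedent) or bool(x["M4"] or x["M5"])


def all_selections():
    """Every 0/1 assignment to the five measures."""
    for bits in product((0, 1), repeat=len(NAMES)):
        yield dict(zip(NAMES, bits))


def compare_encodings():
    """(#selections obeying the rule, #selections obeying the slide's constraints,
    whether every constraint-feasible selection also obeys the rule)."""
    rule_ok = [x for x in all_selections() if satisfies_rule(x)]
    lin_ok = [x for x in all_selections() if satisfies_slide_constraints(x)]
    return len(rule_ok), len(lin_ok), all(satisfies_rule(x) for x in lin_ok)


def best_selection(budget, feasible):
    """0/1 knapsack by enumeration: maximise total hypothetical benefit subject to
    the budget and a feasibility predicate; ties go to the cheaper selection."""
    best = ((), 0, 0)
    for x in all_selections():
        cost = sum(MEASURES[m][1] for m in NAMES if x[m])
        benefit = sum(MEASURES[m][2] for m in NAMES if x[m])
        if cost > budget or not feasible(x):
            continue
        if benefit > best[2] or (benefit == best[2] and cost < best[1]):
            best = (tuple(m for m in NAMES if x[m]), cost, benefit)
    return best


if __name__ == "__main__":
    print(compare_encodings())                               # (31, 27, True)
    print(best_selection(15000, satisfies_slide_constraints))
    print(best_selection(15000, satisfies_rule))
```

Under the slide's two constraints the best affordable package is M1, M2 and M4; under the rule evaluated directly it is M1, M2 and M3, so the encoding, not only the costs, decides what gets funded.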
Evaluating + and – side of risk treatment
• Method for Risk Treatment decisions using:
– Variability = Max cost – Min cost
– Uncertainty = Variability / Max cost
– Hypothetical benefit = Cost of retention – Cost of retention AFTER treatment
– Defining a maximum uncertainty level for the company (e.g. 30%)

Optimal diversified selection – application of the Lagrange multiplier method
Assume the following functions for the curves of diminishing marginal rate of return on investment for Technology, Organisation, and People respectively:

$y_T = \frac{0.5\,x_T}{x_T + 5000};\qquad y_O = \frac{0.2\,x_O}{x_O + 200};\qquad y_P = \frac{0.3\,x_P}{x_P + 2000}$

Furthermore, the safety budget is for example set to be 20,000€. Hence, since $x_i$ represents the safety budget for safety measures of type i, the condition $x_T + x_O + x_P = 20000$ can be drafted. The following maximization problem thus arises:

$\frac{\partial L}{\partial x_T} = \frac{2500}{(x_T + 5000)^2} - \lambda = 0$
$\frac{\partial L}{\partial x_O} = \frac{40}{(x_O + 200)^2} - \lambda = 0$
$\frac{\partial L}{\partial x_P} = \frac{600}{(x_P + 2000)^2} - \lambda = 0$
$\frac{\partial L}{\partial \lambda} = 20000 - x_T - x_O - x_P = 0$

Solving this system of equations gives $x_T \approx 11{,}700$; $x_O \approx 1920$; $x_P \approx 6350$. Hence, under the made assumptions, the safety budget of 20,000€ should be allocated to technological measures for some 11,700€, to organisational measures for some 1,920€, and to people-related measures for some 6,350€. Therefore, using a budget of 20,000€ allows to achieve a safety benefit of some 0.35 + 0.18 + 0.23 = 0.76, i.e. 76%.
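Carrying the stationarity conditions above through to the allocation, as an added derivation in the slide's own symbols (not part of the original slide): each condition fixes the bracket in terms of the same multiplier,

$$x_T + 5000 = \frac{50}{\sqrt{\lambda}}, \qquad x_O + 200 = \frac{\sqrt{40}}{\sqrt{\lambda}}, \qquad x_P + 2000 = \frac{\sqrt{600}}{\sqrt{\lambda}},$$

and summing the three and inserting the budget constraint $x_T + x_O + x_P = 20000$ gives

$$27200 = \frac{50 + \sqrt{40} + \sqrt{600}}{\sqrt{\lambda}} \approx \frac{80.82}{\sqrt{\lambda}} \quad\Rightarrow\quad \frac{1}{\sqrt{\lambda}} \approx 336.6 .$$

Hence $x_T \approx 50 \cdot 336.6 - 5000 \approx 11{,}830$, $x_O \approx 6.325 \cdot 336.6 - 200 \approx 1{,}930$ and $x_P \approx 24.49 \cdot 336.6 - 2000 \approx 6{,}240$, which agrees with the rounded allocation quoted above to within a few percent, and

$$y_T + y_O + y_P \approx \frac{0.5 \cdot 11830}{16830} + \frac{0.2 \cdot 1930}{2130} + \frac{0.3 \cdot 6240}{8240} \approx 0.351 + 0.181 + 0.227 \approx 0.76 ,$$

the 76% quoted above. Because each $y_i = a_i x_i/(x_i + b_i)$ is concave in $x_i$ for $x_i \ge 0$, the point of equal marginal returns is the maximum and not merely a stationary point.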
Other promising techniques under investigation
- Event trees and economics – cost-variable approach for domino effects prevention
- Safety value function approach

Conclusions & recommendations
• Preventing accidents is an important expenditure on a yearly basis for organizations

Thank you!

Safety?
Health                                              | Safety
• What is Health?                                   | • What is Safety?
• Absence of illness/sickness                       | • Absence of accidents
• How to measure and maximize?                      | • How to measure and maximize?
• Check for any illness or sickness causing situation | • Check for any accident causing situation - RISK
• Avoid unhealthy conditions                        | • Minimize Risk
• Do regular checkups                               | • Monitor and Manage Risk
Tong, Q., Yang, M., Zinetullina, A. (2020). A dynamic Bayesian network-based approach to resilience assessment of engineered systems, JLPPI, 65, 104152

• How to define resilience for complex engineered systems?
• How to measure resilience?

Definitions of resilience (source; definition; key words):

(domain not shown)
– Burnard and Bhamra (2011) [30]: Resilience is the emergent property of organizational systems that relates to the inherent and adaptive qualities and capabilities that enable an organization's adaptive capacity during turbulent periods. The mechanisms of organizational resilience thereby strive to improve an organization’s situational awareness, reduce organizational vulnerabilities to systemic risk environments and restore efficacy following the events of a disruption. Key words: adaptive capacity; improve awareness; reduce vulnerability; restore efficacy.

Economics
– Charles Perrings (2006) [31]: Economic resilience refers to the ability or capacity of a system to absorb or cushion against damage or loss. Key words: absorb.
– Joseph Fiksel (2006) [32]: Enterprise resilience refers to the capacity for an enterprise to survive, adapt, and grow in the face of turbulent change. Key words: survive; adapt; grow.
– Rose and Liao (2005) [33]: Economic resilience refers to inherent ability and adaptive response that enables firms and regions to avoid maximum potential losses. Key words: inherent ability; adaptive response; avoid losses.

Social system
– Adger (2000) [34]: Ability of groups or communities to cope with external stresses and disturbances as a result of social, political and environmental change. Key words: cope with external stresses and disturbances.

Social-ecological system
– Cumming et al. (2005) [35]: Ability of a system to maintain its identity in case of disturbances. Key words: maintain identity.
– Kinzig et al. (2006) [36]: Resilience in a social-ecological system refers to … (definition truncated in the extracted text). Key words: survive.
Dinh, Pasman, Gao, and Mannan (2012)
• Resilience is the ability to recover quickly after an upset, has been recognized as an important characteristic of a complex organization…

Sharma, Tabandeh, and Gardoni (2017)
• “The resilience of a system is related to its ability to withstand stressors, adapt, and rapidly recover … (quotation truncated in the extracted text)

Sharma, N., Tabandeh, A. and Gardoni, P. (2017). Resilience analysis: a mathematical formulation to model resilience of engineering systems. Sustainable and Resilient Infrastructure, 3(2), 49-67.
Tong, Q., Yang, M.*, Zinetullina, A. (2020). A dynamic Bayesian network-based approach to resilience assessment of engineered systems, JLPPI, 65, 104152
• Integration of FRAM … Resilience (flowchart, not reproduced; steps shown: I. FRAM modeling: develop FRAM model for the system; establish linkages between the identified …; simulate the system; V. Resilience assessment after improvement: propose additional safety measures based on FRAM model)

Zinetullina, A., Yang, M.*, et al. (2020). Quantitative resilience assessment of chemical process systems using functional resonance analysis method and dynamic Bayesian network. RESS, 205, 107232.
Zinetullina, A., Yang, M.*, Khakzad, N., Golman, N. (2020). Dynamic resilience assessment for process units operating in Arctic environments. SIEE, 2, 113-125.
Chen et al. (2021). A dynamic stochastic methodology for quantifying HAZMAT storage resilience. RESS, 215, 107909.

Cai and Xie et al. (2017)
• Steady-state availability is used as a resilience metric
Cai et al. (2017). Availability-based engineering resilience metric and its corresponding evaluation methodology. RESS, 6041.

Sun, Wang, Yang, Reniers (2021)
Sun et al. (2021). Resilience-based approach to safety barrier performance assessment in process facilities, JLPPI, 73, 104599

(figure: resilience quantification and functionality assessment; not reproduced)
The goal is to improve resilience

Health to the human is Safety to the System
Let’s build up the immunity of complex systems!

References
• Aven, T. (2017). How some types of risk assessment can support resilience analysis and management, RESS, 167, 536-543.
• Cai et al. (2017). Availability-based engineering resilience metric and its corresponding evaluation methodology. RESS, 6041.
• Dinh et al. (2012). Resilience Engineering of industrial processes: principles and contributing factors, JLPPI, 25(2), 233-241.
• Hollnagel, E. (2006). Resilience - the Challenge of the Unstable. In E. Hollnagel, D. D. Woods, & N. Leveson (Eds.), Resilience Engineering: Concepts and Precepts (pp. 9–17). Ashgate Publishing, Ltd.
• Patriarca, R. et al. (2018). Resilience Engineering: Current status of the research and future challenges. Safety Science, 79-100.
• Sharma, N., Tabandeh, A. and Gardoni, P. (2017). Resilience analysis: a mathematical formulation to model resilience of engineering systems. Sustainable and Resilient Infrastructure, 3(2), 49-67.
• Sun, H., Wang, H., Yang, M., Reniers, G. (2021). Resilience-based approach to safety barrier performance assessment in process facilities, JLPPI, 73, 104599.
• Tong, Q., Yang, M., Zinetullina, A. (2020). A dynamic Bayesian network-based approach to resilience assessment of engineered systems, JLPPI, 65, 104152.
• Woods, D. (2003). Creating foresight: how resilience engineering can transform NASA’s approach to risky decision-making.
• Zinetullina, A., Yang, M., et al. (2020). Quantitative resilience assessment of chemical process systems using functional resonance analysis method and dynamic Bayesian network. RESS, 205, 107232.
Unsafe Behaviors/Conditions: 10,000 (base level of the accident pyramid figure; not reproduced)

A GENERIC FRAMEWORK FOR RISK MANAGEMENT (D. McCutcheon)
(flowchart, not reproduced; elements shown:)
• Identification of Hazards
• Risk Analysis/Assessment → Is the risk acceptable? Yes: Manage the Residual Risk. No: Can the risk be reduced? Yes: Reduce the Risk. No: Discontinue the Activity.
• Planned Reviews (Management Activities: to track company actions against policy)
• Risk Analysis/Assessment Activities: to track, look for and analyze and assess hazards or concerns that arise and challenge policy
• Management Activities: to ensure company activities keep risks under control

RISK MANAGEMENT
• Knowledge uncertainty
– Various techniques
• Physical scope
– Definition of system boundary for assessment
• Analytical scope
– Nature of hazards under consideration
• Perception, in addition to
– Event likelihood & Severity of consequences
Hierarchy of Controls (D. Hendershot)

Risk reduction/treatment – (i)
• Techniques of control and risk reduction:
– Reduction/mitigation are techniques whose goal is to reduce the severity of accidental losses when an accident occurs:
• Measures applied before the occurrence of the event (often also have an effect on the likelihood/frequency)
• Measures applied after the occurrence of the event (often aim to accelerate and enhance the effectiveness of the rescue)
• Techniques of control and risk reduction:
– Segregation summarizes the techniques that aim to minimize the overlapping of losses from a single event. It may imply very high costs.
• Segregation by separation of high risk units
• Segregation by duplication of high risk units

Risk reduction/treatment – (iv)
Risk reduction/treatment options
Design Basis – Protection Layers (figure):
Inherent safer design
Design Basis
Critical Alarms
SIS
Passive Protection Measures (eg. PSV)
Effect Mitigating Measures
Internal Emergency Plan
External Emergency Plan
HSE – TOTAL PETROCHEMICALS
INHERENTLY SAFER DESIGN
INHERENT SAFETY
PASSIVE ENGINEERED (ADD-ON) SAFETY
ACTIVE ENGINEERED (ADD-ON) SAFETY
PROCEDURAL (ADMINISTRATIVE) SAFETY

Principles of Inherent Safety (EARLY)
• Minimization (Intensification)
Minimize amount of hazardous material in use (when use of such materials cannot be avoided – i.e. elimination)
With respect to stairs, an inherently safer option to a two-story house is a…

Principles of Inherent Safety (EARLY)
• Simplification
Simplify equipment and processes that are used; avoid complexities; make equipment robust; eliminate opportunities for error
Safety by design

Safety Management System/Control
• Planned inspections/maintenance
• Emergency preparedness
• Knowledge and skill training
• Engineering and change management
• Communication
• Materials and services management
• Hiring and placement, contractor selection
• …

Safety by Design – Safety Instrumented Systems
• Redundancy/diversity of instrumentation
• ESD system
• Blowdown systems
• Interlock systems
• …
Safety by Design – Inspection and Maintenance
(RBI flow, figure "06_Inspection Planning RBI role.vsd"): Corporate Policy; Codes and Standards, RP's, RAGAGEP; Design; Construction; Operation; Inspection; Monitoring info.; General "Good House keeping" findings; RBI analysis/prioritization; i. Inspect; ii. Onsite assessment; iii. Detailed FfS if needed; Data analysis; Anomalies; DM's; Database; Update database

Safety by Design – Inspection and Maintenance
• Infrared/Thermal Testing (IR)
• Leak Testing (LT)
• Magnetic Particle Testing (MT)
• Neutron Radiographic Testing (NR)
• Penetrant Testing (PT)
• Radiographic Testing (RT)
• Ultrasonic Testing (UT)
• Visual Testing (VT)
Prevention
• Prevention is an attitude and/or a series of measures to be taken to avoid degradation of a certain situation (social, environmental, economic, technological, etc.) or to prevent accidents, epidemics or illness. It acts mainly on the likelihood of occurrence and the causality chain, trying to lower the probability that an event happens. Prevention actions are also intended to keep a hazard risk problem from getting worse. They ensure that future development does not increase hazard losses.

Prevention
• 9 Principles of prevention:
– 1. Avoid risks: remove the hazard or the exposure to it
– 2. Assess risks that cannot be avoided: assess their nature and importance, identify actions to ensure safety and guarantee the health of workers.
– 3. Fight risks at the source: integrate prevention as early as possible, from the design of processes, equipment, procedures and workplace
– 4. Adapt work to man: design positions, choose equipment, methods of work and production to reduce the effects of work on health.
– 5. Consider the state of technological developments: implement preventative measures in line with the technical and organizational developments.
Prevention
• 9 Principles of prevention:
– 6. Replace the hazardous by what is less hazardous: avoid the use of harmful processes or products when the same result can be obtained with a method with less hazards.
– 7. Plan prevention integrated in a coherent package: a) technique, b) work organization, c) working conditions, d) social relations, e) environment
– 8. Take collective protection measures and give them priority over individual protective measures: use of personal protective equipment (PPE) only to supplement collective protection or their defaults.
– 9. Give appropriate instructions to employees: provide them the necessary elements for understanding the risks and thus involve them in the preventative approach.

Environmental risk minimization – pollution prevention
What is Pollution Prevention (P2)
P2 vs. Pollution Control
(figure: Process, Energy, Wastes, Treatment)
P2 Principles
P2 practice or not?
P2 Examples in a Restaurant, Cont’d
Benefits of P2
• Reduced material, operation, and production costs
• Reduced waste treatment and future clean up costs
• Improved business efficiency and profitability
• Improved company image
• Reduced risks to employees and communities
• …

Group Discussion #2
Application of P2 to OOG Operations – A Brief Discussion
Four Main Stages of OOG Operations
• Geological and geophysical survey
– Identify areas with favorable geological conditions
– Aerial and seismic survey to provide detailed geological information
• Exploration
– Exploration drilling to verify presence and quantity of hydrocarbons
– Determine if the reservoir is feasible to develop
• Development and production
– Platform and pipeline emplacement
– Drilling for production
– Produced hydrocarbon separation and gas processing
– Oil and gas export
• Decommissioning
– Removal of platform facilities
– Remediation of environmental impacts

Environmental Impacts (Patin, 1999)
Stage | Activity | Type or nature of impacts
Geo. survey | Seismic survey | Acoustic source, short-term disturbance to marine organism and fish population
Geo. survey | Test drilling | Increase in turbidity, disturbance on bottom
Exploration | Exploratory drilling | Emissions and discharges of pollutants, disturbance to fisheries, accidental blowouts
Exploration | Plugging well and abandonment | Long-term impacts on benthic and pelagic habitats, and biodiversity
Development and production | Platform emplacement and pipeline laying | Construction discharges, long term and chronic effects of discharges on benthic and pelagic biota
Development and production | Drilling for production and injection wells | Drilling fluids and cuttings discharge, produced water, accidental spillage, impacts on fisheries, physical disturbance
Development and production | Vessel traffic | Operational emissions and discharges, impacts on marine birds, mammals and other organisms
Decommissioning | Facility removal | Operational emissions and discharges, impacts on fisheries, marine organisms if explosive charges are used
P2 Opportunities, Cont’d
Thank you!
A Risk Governance PDCA Mindset: Risk Governance Model

Presentation outline
A Never-ending Story.

Why?
Safety Concerns
Why? - Safety Concerns (i)
• All stakeholders
• Prudence due to industrial activities should be present in every industry, and certainly also in the hazardous materials using industries
• Characteristics of chemicals using industries: use of hazardous materials, existence of chemical industrial parks, license to operate/acceptability linked with reputation, high uncertainties linked with debatable opinions

Why? - Safety Concerns (ii)
• Belgium & The Netherlands: densely populated area combined with highly concentrated chemical industrial activities
• The Rotterdam Port Area is part of the “ARRRA” and is extremely important for the Dutch (/Belgian/German/European) economy

What?
Safety Matters

What? – Safety Matters (i)
http://www.youtube.com/watch?v=2MpsArclaxw
What? – Safety Matters (i)
• Specialistic AND Generalistic
• Technology AND HOFS
• Reactive AND Proactive
• Individual AND Group

What? – Safety Matters (i)
• Analytic
• Current practice
• Linear
• Confidential
• Static
• Practical
• Realist/Pragmatic

What? – Safety Matters (ii)

Easy?
Safety Bothers
How?
Playing with Safety

How? - Playing with Safety (i)

How? - Playing with Safety (ii)
(so that it gets safer!)

New?
Safety Futures

Who? – Safety Scores (ii)

The End.
The Safety Tail/Tale: A Never-ending Story.
The End.
The Safety Tail: A Never-ending Story. (i)
Some recommendations:
• Safety (or rather: ‘dealing with uncertainty’) should be taught at all levels of education, and in all studies
• Safety thinking should always, in some form, be part of technological innovation
• Safety Science should be a true pillar of society if it wants to excel

The End.
The Safety Tale: A Never-ending Story. (ii)
“All I’m saying is now is the time to develop the technology to deflect an asteroid.”
(from: Risk-benefit analysis, Wilson and Crouch, Harvard Univ. Press, 2001)