
Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


System reliability of jack-up structures based on fatigue degradation

N. Shabakhty & H. Boonstra
Delft University of Technology, Marine Technology, Mekelweg, Delft, The Netherlands

P. Van Gelder
Delft University of Technology, Civil Engineering Faculty, Stevinweg, Delft, The Netherlands

ABSTRACT: In recent years there has been considerable development in the area of system reliability assessments of offshore structures, with the exception of jack-up platforms. However, since the reliability of a jack-up platform is a crucial aspect of the safety of the structure during its service time and possibly beyond its predicted lifetime, there is significant demand from the offshore industry to investigate the system reliability of this type of offshore structure. This paper therefore presents a methodology to estimate the system reliability of jack-up structures by considering sequences of fatigue failure. First, the component reliability of the structure is derived from a fatigue limit state function; the branch and bound technique is then used to identify the important sequences of section failure leading to system collapse. Structural failure is therefore regarded as the event in which one of these important sequences occurs. The result determined for a jack-up structure shows a significant system effect: the probability of structural failure is larger than the probability of failure of an individual section.

1 INTRODUCTION

Jack-up structures are generally used for production drilling and exploration of hydrocarbons. Their combination of mobility and the behaviour of a fixed structure in operational conditions has made them important in the offshore industry over the last 40 years.

When these platforms have been in operation for a great part of their original design life and the intention is to extend their utilization beyond the predicted lifetime, considerable research into assessing the safety of the structure with regard to degradation agents such as fatigue is needed. In accordance with code philosophy, most of this work concerns the safety of individual sections in terms of a fatigue limit state function. However, jack-up structures have redundancy, and failure of an individual section does not lead to structural collapse. Hence, a procedure is needed to investigate the system reliability of a jack-up structure under fatigue degradation.

Several investigations have been carried out in the last decade on the system reliability of jacket structures due to fatigue, extreme environmental loads or a combination of these two failure modes (Karamchandani et al., 1991, Shetty, 1992, Dalane, 1993, Onoufriou, 1999, Pillai & Pradad, 2000). However, for jack-up platforms this work has been restricted to the component level, e.g. Jensen et al. (1991) and Shabakhty et al. (2001), and to the system effect under extreme environmental loads without considering fatigue degradation, e.g. Karunkaran (1993) and Daghigh (1997).

This paper presents a specific approach to estimate the system reliability of jack-up platforms under fatigue degradation. First, the probability of failure of each component of the platform is calculated using a fatigue limit state function. The probability of failure of the second element is then determined by extending the fatigue limit state function to subsequent failure. Important sequences of failure are then identified using the branch and bound technique, and finally the system reliability is calculated by combining the important failure paths leading to system failure.

The advantage of this method is that the FORM or SORM technique can be used to compute each failure path individually, and the system reliability is finally determined from the combination of the significant failure paths identified in the branch and bound search.

2 FORMULATION OF FATIGUE DAMAGE

To predict crack growth due to fatigue, the growth of the crack per stress cycle at any point along the crack front is assumed to follow the Paris-Erdogan equation. In addition, to simplify the problem, the fatigue crack shape is assumed to be initially semi-elliptical and to remain semi-elliptical during propagation of the crack. As is clear from figure (1), the crack front can be sufficiently described with two parameters, the crack depth (a) and the crack length (2c). Based on the Paris-Erdogan equation, the increment of crack size dr(φ) during a load cycle dN at a specific point along the crack front can be related to the stress intensity factor range, ΔKr(φ), with the following expression

(1)

where Cr(φ) and m are two material parameters for a specific point along the crack front, and φ is the location angle. This differential equation must be satisfied at all points along the crack front.

The consequence is the following differential equation for the deepest point of the crack, point A (see figure 1)

(2)

The general expression for the stress intensity factor is K = Y S √(πa), where the geometry function Y accounts for the effect of all boundaries, i.e. width, thickness, crack front curvature, etc.

Raju & Newman (1986) proposed an empirical equation for the stress intensity factor range, ΔK(φ), of a surface crack in a finite plate subjected to remote tension and bending loads. This equation was fitted to finite element results for two types of remote tension and bending loads applied to a surface-cracked plate. The stress intensity equation derived from this research is

(3)

where St and Sb are the remote tension and bending stress ranges, respectively, Q is the shape factor, and the two parameters F and H characterize the boundary-correction factor.

In welded joints, such as the tubular members of jack-up platforms, the non-linearity in the stress field arising from local stress concentration at the weld toe is important and should be considered. Smith & Hurworth (1984) therefore recommended applying the following correction to the stress intensity factor to account for this non-linearity.

(4)

The final geometry function used for tubular joints can therefore be multiplied by this correction factor, Y = Yplate MK. Now, by substituting this geometry function in the stress intensity factor, (ΔK)^m = S^m Y(a)^m (πa)^(m/2), and integrating the differential equation of crack propagation, the following relation between crack propagation and stress range is derived.

(5)

in which dY is a random variable modelling the uncertainty introduced in the geometry function. As is clear, the left-hand side of this equation depends only on fatigue and material characteristics and the right-hand side only on loading; we therefore term them the fatigue strength function, CR(a), and the fatigue loading function, CL(T), respectively.

Since each stress range in equation (5) is random, the summation will be random. For a large number of stress ranges, Nt, the coefficient of variation of the stress range term is relatively small, and it can therefore be replaced by its expected value.

Furthermore, fatigue degradation is the combination of the long-term damage of structural elements due to the stress ranges of several sea-states. The fatigue loading function for the combined long-term stress distribution can be determined with the following expression, Shetty (1992).

(6)

Figure 1. Crack-growth due to fatigue.

where νlp is the long-term average peak-frequency of the stress cycle and El[S^m] is the long-term expected value of the stress range raised to the power m. We can determine the long-term distribution of the stress range by combining the stress distributions of each sea-state that the structure may experience in its lifetime. This is carried out by multiplying the stress distribution by a weighting factor, ν, and by the probability of occurrence of each sea-state

(7)

in which fS(S|hS, tZ, θ) is the short-term stress range distribution, fHS,TZ(hS, tZ|θ) is the conditional distribution function of the sea-state in direction θ, and fθ is the directional distribution of the waves. ν is the weighting factor, which expresses the rate of response peaks within each short-term sea-state relative to the long-term response peak rate.

When the stress process is narrow-banded, the average peak rate of the response will be almost the same as the average zero-crossing rate. However, for a jack-up structure this is not the case, and the original peak-frequency derived from the stress distribution is used here. The weighting factor can therefore be determined for each sea-state with the following expression

(8)

where νp(hS, tZ, θ) is the average peak-frequency of the stress cycle in a specific sea-state and νlp is the long-term average zero-crossing frequency of the stress cycle, which can be determined with the following equation.

(9)

Since closed-form integration of equation (7) is not possible, and in fatigue reliability we need an analytical expression for the long-term distribution function of the stress range, it is important to fit a specific available distribution function to the simulation results. If the stress process were Gaussian, the distribution of the stress range would vary between the Rayleigh and Gaussian distributions according to the bandwidth parameter, Farens (1990). The non-linearity in the stress process due to the drag term in the calculation of the hydrodynamic loads, the variability of the submerged section of the structure as waves pass the structure, and finally p-δ effects in the jack-up platform deviate the stress process from Gaussian; using a proper distribution is therefore very important.

The two-term Weibull distribution is found to fit the long-term stress range distribution determined from the simulation results appropriately, and it is selected for its simplicity and its ability to resemble the Rayleigh distribution, Farens (1990). Hence, by calibrating the two-term Weibull distribution on the outcome of the simulation results, the long-term distribution of the stress range can be specified with

(10)

where A and B are the scale and shape parameters of the Weibull distribution and can be calculated using non-linear least squares methods. In computing the stress range, some uncertainties in the hydrodynamic load, the stress calculation and the stress concentration at a specific hot spot exist and should be accounted for. To take these uncertainties into account, the final stress range determined with the Weibull model is therefore multiplied by three random variables, dF, dS and dSCF, which represent the uncertainty in the hydrodynamic load, the stress calculation and the stress concentration factor at a specific hot spot, respectively, Dalan (1993). Consequently, the final expression of the fatigue loading function is

(11)

and the time required for propagation of the crack through the thickness of the tubular element can be calculated with the following expression.

(12)

According to fatigue damage, the development of a through-thickness crack may not cause section failure; before final failure occurs, the crack should propagate significantly along the circumference of the tubular section. The time to develop such a crack will be larger than the time to develop a through-thickness crack, and this should be taken into account in our formulation. Hanna & Karsan (1989) revealed that the time to failure can be related to the time of the first through-thickness crack with

(13)

where the multiplication factor, dtf, is a random correction factor. Furthermore, the test data in this research demonstrated that the correction factor is independent of the stress parameter and that a lognormal distribution can appropriately be fitted to the results with mean value 1.5 and standard deviation 0.5.


3 FAILURE PROBABILITY BASED ON SEQUENCE OF JOINTS FAILURE

In reliability analysis, we need to specify the limit state function, which separates the safe and failure domains and determines the probability of failure. The time-to-failure derived for a specific joint based upon equation (13) is random, since it depends on other random variables. Applying the modification factors mentioned in the last section, the random time-to-failure of a joint, e.g. J1, can therefore be determined by

(14)

If this random time-to-failure is less than the expected lifetime of joint J1, fatigue failure is expected to occur in this joint; conversely, if it is greater than the expected lifetime, the joint can function appropriately. Therefore, the limit state function required in the reliability analysis based on fatigue failure of the first joint, e.g. J1, can be expressed by

(15)

and its probability of failure is determined with the following expression.

(16)

Furthermore, for each joint in the structure we can determine its probability of failure with an expression like equation (16). The highest probability determined in this way would therefore belong to the joint with the maximum probability of failure, which means that the joint with the highest failure probability is likely to be the first joint to fail. However, this is not the general case and other possibilities might be suggested. The branch and bound technique can help us in this situation to specify the most important failure sequence of joints under fatigue.
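As an added worked example (not the paper's program), the component-level chain of sections 2 and 3 in code: the Paris-Erdogan strength function integrated numerically, the Weibull moment for the loading function, the time to a through-thickness crack, the Hanna & Karsan factor and the limit state g = Tf − Tlife, with a seeded Monte Carlo estimate standing in for the paper's FORM step. Values marked "paper" are quoted from section 5 of the text; the geometry function Y(a), the wall thickness, the Weibull parameters, the peak frequency, the scatter of ln C, the statistics of dY and the design lifetime are assumptions.

```python
import math
import random

# Constructed parameters: "paper" = quoted from the text, "assumed" = not on the page.
C_LN_MEAN = -29.84        # paper: mean of ln C for joints in air (DNV 1984); a in mm, K in MPa*sqrt(mm) assumed
C_LN_STD = 0.55           # assumed: standard deviation of ln C (the paper gives 0.55 as a CoV of the logarithm)
C_MEAN = math.exp(C_LN_MEAN)
M = 3.1                   # paper: Paris exponent for joints in air, deterministic
A0_MEAN_MM = 0.11         # paper: exponentially distributed initial crack depth, Bokalrud & Karlsen (1981)
THICKNESS_MM = 20.0       # assumed wall thickness, i.e. crack depth at through-thickness
WEIBULL_A, WEIBULL_B = 20.0, 1.0   # assumed long-term stress range Weibull scale [MPa] and shape
NU_LP_HZ = 0.15           # assumed long-term average peak frequency of the stress cycles
T_LIFE_YEARS = 20.0       # assumed expected lifetime entering the limit state
SECONDS_PER_YEAR = 365.25 * 86400.0
# paper: dF, dS, dSCF lognormal, mean 1, CoV 0.1, 0.15, 0.1; dtf lognormal, mean 1.5, sd 0.5
# assumed: dY lognormal, mean 1, CoV 0.1 (the paper gives dY no statistics)


def geometry_function(a_mm):
    """Y(a) = Yplate * MK in the text; assumed constant here so the example stays checkable."""
    return 1.0


def fatigue_strength_function(a0, af, C, m=M, n=400):
    """CR = (1/C) * integral from a0 to af of da / (Y(a)^m (pi a)^(m/2)).
    Simpson's rule in u = ln a: the substitution a = e^u removes the steep
    behaviour of the integrand near a small initial crack depth."""
    if a0 >= af:
        return 0.0
    u0, u1 = math.log(a0), math.log(af)
    h = (u1 - u0) / n

    def f(u):
        a = math.exp(u)                      # da = a du
        return a / (geometry_function(a) ** m * (math.pi * a) ** (m / 2))

    s = f(u0) + f(u1)
    for i in range(1, n):
        s += (4 if i % 2 else 2) * f(u0 + i * h)
    return s * h / 3.0 / C


def weibull_moment(A, B, m=M):
    """E[S^m] of a two-parameter Weibull stress range: A^m * Gamma(1 + m/B)."""
    return A ** m * math.gamma(1.0 + m / B)


def time_to_through_thickness(a0, C, dF=1.0, dS=1.0, dSCF=1.0, dY=1.0):
    """Years until the crack reaches the wall thickness, from CR(a0, t) = CL(T)
    with CL(T) = nu_lp * T * E[(dF dS dSCF S)^m] and dY scaling the geometry function."""
    loading_per_year = (NU_LP_HZ * SECONDS_PER_YEAR * weibull_moment(WEIBULL_A, WEIBULL_B)
                        * (dF * dS * dSCF * dY) ** M)
    return fatigue_strength_function(a0, THICKNESS_MM, C) / loading_per_year


def limit_state(a0, C, dtf, dF=1.0, dS=1.0, dSCF=1.0, dY=1.0, t_life=T_LIFE_YEARS):
    """g = dtf * T_tt - T_life (the text's equations (13)-(15) in words); g < 0 is fatigue failure."""
    return dtf * time_to_through_thickness(a0, C, dF, dS, dSCF, dY) - t_life


def _lognormal(rng, mean, cov):
    """Lognormal sample with the given mean and coefficient of variation."""
    sigma = math.sqrt(math.log(1.0 + cov * cov))
    return rng.lognormvariate(math.log(mean) - 0.5 * sigma * sigma, sigma)


def component_failure_probability(n_samples=2000, seed=1):
    """Crude Monte Carlo estimate of P(g < 0); the paper evaluates this step with FORM."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(n_samples):
        a0 = rng.expovariate(1.0 / A0_MEAN_MM)
        C = math.exp(rng.gauss(C_LN_MEAN, C_LN_STD))
        dtf = _lognormal(rng, 1.5, 0.5 / 1.5)
        g = limit_state(a0, C, dtf, _lognormal(rng, 1.0, 0.1), _lognormal(rng, 1.0, 0.15),
                        _lognormal(rng, 1.0, 0.1), _lognormal(rng, 1.0, 0.1))
        failures += g < 0
    return failures / n_samples


if __name__ == "__main__":
    print("T_tt at mean values: %.1f years" % time_to_through_thickness(A0_MEAN_MM, C_MEAN))
    print("g at mean values:    %.1f years" % limit_state(A0_MEAN_MM, C_MEAN, 1.5))
    print("P_f (Monte Carlo):   %.3f" % component_failure_probability())
```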

The next step in the reliability calculation is to establish a formulation for the next joint to fail when the first failed joint is known. In this regard, suppose the first joint that fails due to fatigue degradation is J1; the next joint to fail might be J2. In terms of the linear damage accumulation model for fatigue, this joint has a fatigue strength function like equation (5), but its fatigue loading function is the combination of two terms: the first is the fatigue loading function of joint J2 while joint J1 is in the intact state and up to its failure, CLJ2(TJ1), and the second is that from the failure of joint J1 to the failure of J2, CLJ2/J1.

(17)

The total time to reach the sequence failure of joint J2 following joint J1 is therefore divided into the time during which the first joint is in the intact state and up to its failure, TJ1, and the time to failure of joint J2 following J1, (TJ2/J1 − TJ1).

By substituting equation (17) in equation (5) and applying the same modification factors to account for uncertainty in the hydrodynamic load, the stress concentration factor and the time to failure, the following expression can be generated to relate the fatigue strength function and the loading function.

(18)

As noted from equation (18), the first expression is the strength of the joint and the next expression shows the total fatigue loading at the failure time. The modification dtfJ2 is applied to the first expression to represent uncertainty in the strength. This modification is modelled as independent of the loading function, i.e. it does not change when the fatigue loading function changes.

The time to failure of J2 following J1 is therefore expressed by rearranging equation (18) as

(19)

and the probability of failure of the sequence J2 following J1 can be calculated with

(20)

The same approach can be used to determine an expression for higher-order sequence failure, e.g. joint Jn when J1, J2, …, Jn-1 have failed in that order,

(21)

By substituting this equation in equation (5) and applying the same modification factors to represent uncertainty in the strength, the hydrodynamic load and the stress concentration factor, the following general equation can be derived for the time to failure of joint Jn when the failures of joints J1, J2/J1, J3/J2, J1, …, Jn-1/Jn-2, Jn-3, …, J2, J1 occur in that order.

(22)

where the fatigue loading function for this sequence of joint failures can be obtained with the following expression

(23)

Hence, the final failure probability of the sequence of k joint failures, i.e. J1, J2, J3, …, Jk, should be calculated as the intersection of all these component failures, i.e.,

(24)

4 SEARCH TECHNIQUES TO IDENTIFY DOMINANT FAILURE SEQUENCE

In a redundant offshore structure, innumerable failure sequences can be expected to occur, but only some of them contribute significantly to collapse or system failure; the others have a very low probability of occurring.

In system reliability, identification of these important sequences is essential, and several methods have been developed to distinguish the dominant failure sequences. These methods can generally be classified into two categories, deterministic and probabilistic approaches.

Incremental loading and plastic mechanism analysis are two examples of deterministic methods. In incremental loading, the random variables are fixed at their mean values and a deterministic analysis is performed to identify the sequence of section failures leading to structural collapse. By assuming a proportional loading condition, the load factor is gradually increased to cause a sequence of element failures. To determine additional failure sequences, the values of some variables can be modified and the deterministic analysis repeated to specify a new failure sequence. This method basically uses a deterministic search strategy and obtains important failure paths without many repetitions of the structural analysis, but it cannot ensure that all the probabilistically dominant failure paths are identified, Moses (1982).

In plastic mechanism analysis, ideal plastic behaviour of the material is considered and, based on this model, an analytical formulation of the plastic limit state function is developed. The final plastic mechanism leading to structural collapse is then identified using the β-unzipping method in connection with basic plastic mechanisms. It is not possible to guarantee that the β-unzipping method identifies all significant mechanisms, but it may give reasonably good results. Since some of the plastic mechanisms are excluded in this method, the reliability index determined in this approach is an upper bound of the correct generalized system reliability index, Thoft-Christensen & Murotsu (1986).

The simulation-based method and the branch and bound method are the two main probabilistic approaches. The simulation-based method is built on the Monte Carlo simulation technique and is an expensive tool for the reliability assessment of large structures: the structural analysis needs to be repeated several times for each sampling point, and the number leading to failure of the structure must be taken into account. Furthermore, to increase the efficiency and reduce the simulation effort, the importance sampling technique in combination with the directional simulation technique can be employed, Warrts & Vrouwenvelder (1998).

The more robust method to specify system failure is the branch and bound technique, Thoft-Christensen & Murotsu (1986). In this approach, the failure sequences are identified in decreasing order of importance. This means that the first failure sequence is the one with the largest probability of failure, i.e. the maximum probability of occurrence of the corresponding damaged state, the second one has the second largest, and so on. Therefore, the first step is to compute the failure probability of each joint using equation (16).

The calculated failure probabilities form the first branches of the failure tree. Let joint J1 have the largest failure probability, i.e. the damage state most likely to occur; the focus now shifts to this joint and to the probability of failure leading to the next joint failure, which represents a new damage state in the failure tree and can be calculated with an equation such as equation (20).

Note that the probability of occurrence of this damage state is the probability that joint J1 fails in the intact state and joint J2 fails subsequently, if the second joint to fail is J2. This can be extended to other joints to determine their failure probabilities. Hence, the sequence with the maximum probability of failure among the second branches leads us to the next damage state with maximum probability of occurrence. This process continues until the damage state that constitutes collapse of the system is reached. The sequence of failures leading to this damage state is the most-likely-to-occur sequence. Since the focus was on the most-likely-to-occur damage state with maximum probability of occurrence, the collapse state reached in this way is the most important one and is named the collapse state with the highest probability of occurrence.

System collapse can happen in a sequence other than the one already expected; the contribution of other collapse sequences to the system reliability should therefore be taken into account. To establish the different system collapses, we need to consider other scenarios that might occur and lead to system collapse.

The system collapse based on maximum probability of occurrence is the one with the highest failure probability, but it is possible to shift the focus in the branch tree to the next failure sequence, which has the second highest probability, i.e. to the next most-likely-to-occur damage state. If this is not a collapse state, the search continues until the damage state under study constitutes system collapse. The sequence leading to this collapse state is the second most important failure sequence. If this process is continued for the other failure sequences, i.e. the third, fourth, etc. most-likely-to-occur damage states, it will be possible to identify several collapse states and their probabilities of occurrence. Since some of these collapse states are not disjoint, the total system probability should be computed from the union of these collapse sequences. In this research, the branch and bound technique has been used to identify the sequences leading to collapse of the system, and the system reliability is determined from the union of these collapse failures.
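The branch and bound search described above, as an added example that is not the paper's program: a constructed four-element model in which an element's failure probability in a damaged state is its intact-state probability amplified by an assumed load-redistribution factor, the collapse criterion of section 5 (any two members, or one leg member), and the simple upper bound on the union of the collapse sequences found. The element names, probabilities and amplification factor are constructed, not the Neka results.

```python
import heapq
from itertools import count

# Constructed toy model (not the paper's Neka data): intact-state failure
# probability p0 of each element within the lifetime, and whether it is a leg member.
ELEMENTS = {
    "brace_a": {"p0": 2.6e-3, "leg": False},
    "brace_b": {"p0": 2.1e-4, "leg": False},
    "brace_c": {"p0": 1.0e-4, "leg": False},
    "leg_1":   {"p0": 2.0e-5, "leg": True},
}

# Assumed load-redistribution factor: after an element fails, the load it carried is
# transmitted by frame action and the remaining elements' failure probability rises.
AMPLIFICATION = 3000.0


def conditional_failure_p(elem, failed):
    """P(elem fails | the elements in `failed` have already failed), toy model."""
    return min(1.0, ELEMENTS[elem]["p0"] * AMPLIFICATION ** len(failed))


def is_collapse(failed):
    """Collapse criterion of section 5: any two members fail, or a leg member fails."""
    return len(failed) >= 2 or any(ELEMENTS[e]["leg"] for e in failed)


def branch_and_bound(max_sequences):
    """Return up to `max_sequences` collapse sequences as (path, probability),
    in decreasing order of occurrence probability.

    The heap always holds the damage states not yet expanded, keyed by the
    probability of the sequence leading to them; popping the most probable state
    and expanding it is exactly the most-likely-to-occur search of the text.
    The sequence probability is the intersection P(J1) P(J2|J1) ... along the path."""
    tiebreak = count()
    heap = []
    for e in ELEMENTS:
        heapq.heappush(heap, (-conditional_failure_p(e, ()), next(tiebreak), (e,)))
    found = []
    while heap and len(found) < max_sequences:
        neg_p, _, path = heapq.heappop(heap)
        if is_collapse(path):
            found.append((path, -neg_p))
            continue
        for e in ELEMENTS:
            if e in path:
                continue
            p = -neg_p * conditional_failure_p(e, path)
            heapq.heappush(heap, (-p, next(tiebreak), path + (e,)))
    return found


def system_failure_upper_bound(sequences):
    """Simple (Boole) upper bound on the union of the collapse sequences."""
    return min(1.0, sum(p for _, p in sequences))


def intact_any_failure_upper_bound():
    """Simple upper bound on the probability of any element failing in the intact structure."""
    return min(1.0, sum(v["p0"] for v in ELEMENTS.values()))


if __name__ == "__main__":
    seqs = branch_and_bound(10)
    for path, p in seqs:
        print(" -> ".join(path), "%.3e" % p)
    print("any first failure (bound): %.3e" % intact_any_failure_upper_bound())
    print("system failure (bound):    %.3e" % system_failure_upper_bound(seqs))
```

With these constructed values the bound on system failure exceeds the most likely single-element failure, the system effect the results section reports for the Neka platform.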

5 JACK-UP MODEL AND PROBABILISTIC DESCRIPTION OF RANDOM VARIABLES

To illustrate the procedure of determining system reliability based on sequences of fatigue failure, the Neka jack-up platform is considered in this research. This platform operates in a water depth of 95 m with three retractable legs, see figure (2).

The system reliability of this platform due to extreme environmental loads has already been investigated by Daghigh (1997). In that research, system failure was represented as a series system of parallel subsystems, where the failures of elements constitute a subsystem. The system reliability was evaluated using the simple upper bound on the series system, and the incremental loading approach was used to identify the failure of elements in the parallel system.

To determine the stochastic response of the jack-up platform, two approaches can generally be used in the structural analysis: frequency and time domain methods. The frequency domain is applicable when the structure behaves linearly.

The stochastic time domain analysis is preferred and used in this research because the stress processes show high non-linearity due to the drag term in the wave loading, the variation of the submerged sections of the structure and finally p-δ effects in the jack-up platform.

Using the Morison equation and P-M spectra, the hydrodynamic loads in combination with wind and functional loads are calculated for several sea-states with a time step of 0.25 second. In addition, to take into account the wave kinematics above the mean water level, the Wheeler stretching method is applied in this research.

The short-term stress distributions are determined for each element and each sea-state in the scatter diagram using the time history of the stress response computed from a one-hour simulation of each sea-state, figure (3).

To determine the long-term distribution of the stress range, we need to calculate the integral of equation (7). Since calculation of this integral is difficult and impossible in closed form, the Monte Carlo simulation (MCS) technique is preferable to other numerical integration methods because it is less demanding on the analytical properties of the function to be integrated and can be used even for the block-by-block system of the scatter diagram. The long-term stress distribution is determined using MCS, and the results are fitted to a two-term Weibull distribution for each element in the structure.

Due to computer memory restrictions, we cannot use the full details of the three legs. In addition, the simulation results showed that the critical hot-spot stresses usually occur in the first leg for several sea-states; thus we shift our focus to a detailed model of the first leg and suppose that failure of this leg causes failure of the structure, figure (3). However, the approach presented in this research can be used for a fully detailed model of the legs.

Fatigue failure usually occurs at welded joints. Hence, for each member in the structure two potential failures can be expected, at the ends of the member joints. An element fails and separates from the structure if each failure at the ends of the element joints occurs. However, this member is retained in the structure for the wave load calculation. In this investigation, structural collapse is assumed to occur if any two members fail or if a leg member fails.

Figure 2. Neka jack-up platform. (Elevations marked in the figure: +29.5, +16.32, +8.7, 0.0, −95.00.)

For the jack-up model under investigation, the fatigue characteristic, C, is modelled as a random variable with a lognormal distribution in which the mean value and coefficient of variation of its logarithm are −29.84 and 0.55, respectively, for joints in air, and −31.01 and 0.77 for joints in seawater. These values are selected based on the DNV (1984) specification. The other fatigue characteristic, m, is equal to 3.1 for joints in air and 3.5 for joints in seawater based on this specification, and is considered deterministic in this research.

Based on a review of the available data for initial cracks, Bokalrud & Karlsen (1981) showed that an exponential distribution with mean value 0.11 and coefficient of variation equal to 1.0 can appropriately be used to specify the randomness in the initial crack size, a0. However, Moan's (2001) later investigation of crack data derived from under-water inspection of jacket platforms indicated that a mean value equal to 0.19 mm would be sufficient.

To represent uncertainty in the stress analysis, three random variables dF, dS and dSCF are used to represent uncertainty in the hydrodynamic load, the stress calculation and the stress concentration factor at a specific hot spot, respectively. Since there is no statistical information for these variables in jack-up structures, we used the same values recommended by Dalan (1993) for the hydrodynamic load and the stress concentration factor, and a higher coefficient of variation for the stress calculation because a one-leg detailed model is used. Therefore, each of these variables is log-normally distributed with mean value 1 and coefficient of variation 0.1, 0.15 and 0.1 respectively, and they are independent of each other.

The statistical characteristics of the two random variables dF and dSCF are assumed to be the same in all sea-states and damage states. However, the stress calculation uncertainty, dS, varies from joint to joint and as the structural state changes.

In this research, since the time histories of each sea-state are available, the correlation coefficient of each pair of joints can be determined by integrating the correlation coefficient of these joints in each sea-state with respect to the weighting function presented in equation (8).

6 RESULTS

Using the limit state function and random variables explained and presented in the last section, a computer program has been written to determine the probability of failure of each element and of each sequence of failure based on the FORM method.

The result of the branch and bound technique is illustrated in figure (4). As is clear, the element most likely to fail is 295, with a failure probability of 0.0026175. The most likely collapse sequence is 295 followed by 169, with an occurrence probability of 0.00174543. The probability of any section failure in the intact structure is 0.0107317, while the probability of system failure is 0.00727 based on the ten important sequences of failure. It is important to note that the inclusion of additional sequences did not cause a significant increase in the probability of system failure. This result shows that there is a significant system impact on the failure probability.

It is important to note that the probability of system failure is much larger than the probability of failure of the first element alone. The difference is explained by the redundancy effect. Usually the first failure occurs in a bracing element, see Figure 5. Failure of this element causes the load to be transmitted by frame action, so the stress in the other elements increases suddenly. The probability of failure of the second element increases, and with it the probability of system failure. This can be seen clearly in Figure 4 for element 169: its failure probability rises from 0.00020737 as a first failure to 0.00174543 as a subsequent failure.

This result is contrary to the result obtained for jacket-type platforms: Karamchandani et al. (1991) showed that the probability of total structural failure for a jacket platform is much smaller than the probability of failure of an individual section. The reason for this difference between the two platform types, jacket and jack-up, is that the jacket platform they investigated has more redundancy than the K-braced jack-up platform considered here. When the first failure occurs in the jacket structure the increase in stress is therefore not large, and additional time is needed before the next section fails.

Figure 3. Finite element model of the Neka jack-up platform used for stress calculation.
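The mechanism described above, as an added example that is not the paper's own program: a constructed group of bracing elements accumulates Miner's-rule fatigue damage, and when one element fails the stress ranges of the survivors are multiplied by a redistribution factor, so their remaining fatigue life shortens suddenly. The paper obtains the element and sequence probabilities with FORM and a branch and bound search; here they are tallied by Monte Carlo instead, which is a swapped-in technique. The element stresses, the lognormal S-N capacity, the 20-year service life, the two-failure collapse criterion and the redistribution factors are all assumptions. Running it with a factor of 1.0 (no stress increase, a very redundant structure) and 2.5 (a large jump, as in the K-braced jack-up) reproduces the contrast drawn with the jacket result: with strong redistribution the system probability exceeds the largest single-element probability, without it the system probability stays far below it.

```python
import math
import random
from collections import Counter

# Constructed model (an assumption, not the paper's jack-up): a group of bracing
# elements under cyclic loading. Element i accumulates Miner's-rule fatigue
# damage at rate S_i**M_SN / K_i per year, where S_i is its stress-range
# parameter and K_i a lognormal S-N capacity. When an element fails, the stress
# of every surviving element is multiplied by a redistribution factor, and
# N_COLLAPSE failures within the service life T_SERVICE count as collapse.
M_SN = 3.0          # S-N curve slope (assumed)
T_SERVICE = 20.0    # years (assumed)
N_COLLAPSE = 2      # failures that constitute system collapse (assumed)


def sample_capacity(rng, median, cov):
    """Lognormal S-N capacity with the given median and coefficient of variation."""
    sigma = math.sqrt(math.log(1.0 + cov * cov))
    return median * math.exp(sigma * rng.gauss(0.0, 1.0))


def simulate_sequence(rng, stress, k_median, k_cov, redist):
    """One realisation: (ordered failures before T_SERVICE, intact-structure lives)."""
    n = len(stress)
    capacity = [sample_capacity(rng, k_median, k_cov) for _ in range(n)]
    intact_life = [capacity[i] / stress[i] ** M_SN for i in range(n)]
    damage = [0.0] * n
    s = list(stress)
    alive = set(range(n))
    t = 0.0
    sequence = []
    while alive and len(sequence) < N_COLLAPSE:
        rate = {i: s[i] ** M_SN / capacity[i] for i in alive}
        # next element to reach D = 1 under the current (redistributed) stresses
        i_next = min(alive, key=lambda i: (1.0 - damage[i]) / rate[i])
        dt = (1.0 - damage[i_next]) / rate[i_next]
        if t + dt > T_SERVICE:
            break
        for i in alive:
            damage[i] += rate[i] * dt
        t += dt
        alive.remove(i_next)
        sequence.append(i_next)
        for i in alive:              # sudden stress increase in the survivors
            s[i] *= redist
    return sequence, intact_life


def system_effect(stress, k_median, k_cov, redist, trials, seed=7):
    """Monte Carlo tally of element, sequence and system failure probabilities."""
    rng = random.Random(seed)
    element = Counter()      # element fails within T in the intact structure
    any_first = 0            # at least one element fails in the intact structure
    sequences = Counter()    # complete collapse sequences, e.g. (0, 2)
    for _ in range(trials):
        seq, life = simulate_sequence(rng, stress, k_median, k_cov, redist)
        for i, life_i in enumerate(life):
            if life_i < T_SERVICE:
                element[i] += 1
        if seq:
            any_first += 1
        if len(seq) >= N_COLLAPSE:
            sequences[tuple(seq)] += 1
    ranked = sorted(((s, c / trials) for s, c in sequences.items()),
                    key=lambda sc: -sc[1])
    return {
        "p_max_element": max(element.values(), default=0) / trials,
        "p_any_section": any_first / trials,
        "p_system": sum(p for _, p in ranked),   # union of disjoint sequences
        "sequences": ranked[:10],                # the ten most likely sequences
    }


if __name__ == "__main__":
    stresses = [0.30, 0.29, 0.28, 0.27, 0.26, 0.25]   # assumed stress parameters
    for redist in (1.0, 2.5):   # 1.0: no stress jump (redundant); 2.5: K-brace-like
        res = system_effect(stresses, 1.0, 0.5, redist, 20000)
        print("redist", redist,
              {k: round(v, 4) for k, v in res.items() if k != "sequences"})
        print("  most likely sequences:", res["sequences"][:3])
```

The first-failure statistics (`p_max_element`, `p_any_section`) do not depend on the redistribution factor, because it only acts after the first failure; only `p_system` and the ranking of sequences change, which is exactly the system effect the paper attributes to redundancy.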

7 CONCLUSION

An approach to determine the system reliability of jack-up structures is presented in this research. The approach accounts for the change in stress distribution in the jack-up structure when elements fail and allows a detailed probabilistic model to be used. In addition, its major advantage is that it allows the use of first-order reliability methods, which make the calculation of the probability of failure easier.

This approach has been used to estimate the system reliability of a jack-up structure. The result shows that there is a significant system effect and that the probability of structural collapse is much larger than the probability of failure of the first element, contrary to jacket-type platforms. The difference is explained by the redundancy of the structure; this factor is important and should be considered in reliability analysis.

Figure 4. Failure sequence in branch and bound (E stands for End and S for Start of element). [Figure: tree of failure sequences rooted at the intact structure; branches are labelled by element number and end, e.g. 295S, 283E, 169E, 170S, 53S, 50E, with their failure probabilities (295 as first failure: 0.0026175; 169 after 295: 0.00174543), and the ten important sequences are numbered [1] to [10].]

Figure 5. Schematic representation of the jack-up structure.

REFERENCES

Bokalrud, T. & Karlsen, A. 1981. A probabilistic fracture mechanics evaluation of fatigue from weld defects. Proceedings of the Conference on Fitness for Purpose Validation of Welded Constructions, No. 8, London, UK.

Daghigh, M., Hengst, S., Vrouwenvelder, A. & Boonstra, H. 1997. System reliability analysis of jack-up structures under extreme environmental conditions. Proceedings of the Behaviour of Offshore Structures conference, BOSS97, pp. 127–143.

Dalane, J.I. 1993. System reliability in design and maintenance of fixed offshore structures. Ph.D. thesis, Department of Marine Structures, The Norwegian Institute of Technology, Trondheim, Norway, May.

DNV 1984. Fatigue strength analysis for mobile offshore units. Classification Notes No. 30.2, August.

Farnes, K.A. 1990. Long term statistics of response in non-linear marine structures. Division of Marine Structures, The Norwegian Institute of Technology, MTA-Report 1990:74.

Hanna, S.Y. & Karsan, D.I. 1989. Fatigue modeling for reliability based inspection and repair of welded tubular offshore structures. Eighth Offshore Mechanics and Arctic Engineering Conference, The Hague, Netherlands, pp. 657–666.

Jensen, J.J., Mansour, A.E. & Pedersen, T. 1991. Reliability of jack-up platforms against overturning. Marine Structures, No. 4, pp. 203–229.

Karamchandani, A.K., Dalane, J.I. & Bjerager, P. 1991. System reliability of offshore structures including fatigue and extreme wave loading. Marine Structures, No. 4, pp. 353–379.

Karunkaran, D.N. 1993. Nonlinear dynamic response and reliability analysis of drag-dominated offshore platforms. Ph.D. thesis, Department of Marine Structures, The Norwegian Institute of Technology, Trondheim, Norway, November.

Moan, T., Zhong, W. & Vardal, O.T. 2001. Initial crack depth and POD data based on underwater inspection of fixed steel platforms. Proceedings of the Eighth International Conference on Structural Safety and Reliability, ICOSSAR 2001, June, Newport Beach, California, USA.

Moses, F. 1982. System reliability developments in structural engineering. Structural Safety, 1 (1), pp. 3–13.

Onoufriou, T. 1999. Reliability based inspection planning of offshore structures. Marine Structures, No. 12, pp. 521–539.

Pillai, T.M.M. & Prasad, A.M. 2000. Fatigue reliability analysis in time domain for inspection strategy of fixed offshore structures. Ocean Engineering, No. 27, pp. 167–186.

Raju, I.S. & Newman, J.C. 1986. Stress intensity factor for circumferential surface crack in pipes and rods under bending and tension loads. Fracture Mechanics, ASTM, Vol. 17, pp. 709–805.

Shabakhty, N., Van Gelder, P. & Boonstra, H. 2002. Reliability analysis of jack-up platforms based on fatigue degradation. Proceedings of the 21st International Conference on Offshore Mechanics and Arctic Engineering, OMAE 2002, June, Oslo, Norway.

Shetty, N. 1992. System reliability of fixed offshore structures under fatigue deterioration. Ph.D. thesis, Department of Civil Engineering, Imperial College of Science, Technology and Medicine, London, April.

Smith, I.J. & Hurworth, S.J. 1984. The effect of geometry changes upon the predicted fatigue strength of welded joints. Research Report No. 244, The Welding Institute, Cambridge, England.

Thoft-Christensen, P. & Murotsu, Y. 1986. Application of structural system reliability theory. Springer-Verlag, Berlin. ISBN 0-387-16362-X.

Waarts, P.H. & Vrouwenvelder, A. 1998. The use of directional sampling in structural reliability. The Eighth IFIP WG 7.5 Conference on Reliability and Optimization of Structural Systems, Krakow, Poland.


Correlation in probabilistic safety assessment uncertainty analysis

Z. Šimić, I. Vuković, V. Mikuličić, University of Zagreb, Faculty of Electrical Engineering and Computing, Zagreb, Croatia

ABSTRACT: Uncertainty analysis is an essential part of every complete risk assessment. The increased use of Probabilistic Safety Assessment (PSA) models for various practical applications in the nuclear industry makes uncertainty analyses even more important. The essential steps in determining the PSA model uncertainty are: parameter uncertainty identification, uncertainty propagation, and uncertainty analysis. One special issue in PSA model uncertainty analysis is parameter uncertainty correlation. PSA model parameter uncertainties might be correlated for various reasons (e.g. same data source, similar component design, same related function, same operating environment, etc.). There are two interesting and important questions related to parameter uncertainty correlation: (1) how to determine the correlation level? and (2) what is the influence of parameter correlation on the PSA model uncertainty? This paper discusses the second question: assuming that parameter correlation exists at various levels, the potential influence on the uncertainty of the PSA results is investigated.

1 INTRODUCTION

Uncertainty analysis is an important component of probabilistic safety assessment (PSA). It provides a quantitative statement of the degree of uncertainty in the PSA results, and it can force careful consideration of the sources of uncertainty and clear thinking about the PSA model itself.

Uncertainties can be grouped by their nature into two classes: aleatory and epistemic (U.S. NRC RG 1.174, 2002). Aleatory uncertainty arises when the events or phenomena being modelled are characterised as occurring in a random manner (usually known as stochastic, type A or irreducible uncertainty). Epistemic uncertainty is associated with the analyst's confidence in the predictions of the PSA model (usually known as subjective, type B or reducible uncertainty), and thus reflects how well the PSA model represents the real system being modelled. It has also been referred to as state-of-knowledge uncertainty. Aleatory uncertainty is a property of the system, whereas epistemic uncertainty is a property of the analysts performing the study and of the general level of knowledge about an event (Jordan Cizelj et al. 2002). Aleatory uncertainty is built into the PSA model itself, so this paper discusses epistemic uncertainty.

On the other hand, three classes of uncertainty affect the results of PSAs: parameter uncertainty, model uncertainty and completeness uncertainty. Parameter uncertainties are those associated with the values of the basic parameters of the PSA model (e.g. component failure rate). These parameters are defined by establishing their probability distributions, which express the analyst's degree of belief in the values the parameters could take, based on his state of knowledge. For PSA purposes the PSA tool must have adequate built-in capabilities to propagate the distributions representing parameter uncertainty in order to generate a probability distribution of the results (e.g. core damage frequency, fault tree top event probability). Model uncertainty reflects the fact that the state of knowledge induces different opinions on how the model should be formulated. Completeness, which is not itself an uncertainty, reflects an unanalysed contribution whose magnitude is very difficult to estimate (U.S. NRC RG 1.174, 2002). The analysis carried out for this paper included only parameter uncertainty.

Random variables that exhibit aleatory uncertainty are considered independent and consequently uncorrelated. On the other hand, two variables with epistemic uncertainty that are derived from the same source are considered correlated.

This paper describes a procedure to determine the influence of the correlation level between the uncertain input variables (parameters assigned to the fault tree's basic events, such as component failure rate, probability of failure per demand, and unavailability due to test and maintenance) on the uncertainty of the fault tree top event probability. Since the correlation level is not known a priori, the analysis has been done by varying its value. The procedure is applied to the minimal cut-sets of a fault tree model from a plant-specific PSA. The propagation of uncertainties is performed by Monte Carlo simulation.

2 GENERAL ABOUT CORRELATION

Experience has shown that the input variables to a Monte Carlo simulation are often not independent of one another. If two identical components are located side by side in a building, there is a high response dependency and the responses of these components are correlated. This is called correlation of response. Similarly, the capacities of two identical components are thought to be correlated, which is called correlation of capacity.

Physically, dependencies exist due to similarities in both response and capacity parameters. The structural capacities of two identical pumps located side by side in a building are highly correlated. Then, if one pump fails due to an earthquake, it is likely that the other pump will also fail (Reed et al. 1985).

When the degree of correlation increases, the probability of simultaneous failure of multiple components (the intersection of component failures) increases and the probability of the union of component failures decreases (Watanabe et al. 2003).

A nuclear power plant (NPP) consists of redundant systems with a large number of components, and the failures of the systems and core damage are represented by a union of many intersections of component failures. Therefore, correlation might significantly influence the system failure probabilities and the core damage frequency.

In the PSA model of an NPP the uncertainty is mostly epistemic, so the variables might be quite strongly correlated. The analysis must correlate the sample values for the different PSA elements in a group to which the same parameter value applies (the so-called state-of-knowledge dependency) (Apostolakis & Kaplan 1981).

2.1 Definition of correlation

Mathematically, the strength (level) of correlation between two random variables Xi and Xj is expressed by the correlation coefficient r, defined by the following equation:

(1)

where Cov(Xi, Xj) is the covariance between Xi and Xj, and Var(Xi) is the variance of Xi, defined by the following equations:

(2)

(3)

where E(Xi) and E(Xi, Xj) are defined by the following equations using the probability density functions f(Xi) and f(Xi, Xj):

(4)

(5)

The value of r lies between −1 (perfect negative correlation) and 1 (perfect positive correlation).

3 CASE STUDY

In order to demonstrate the influence of input parameter uncertainty correlation on the uncertainty of the output variable of interest, a fault tree top event was selected. The PSA analysis tool Risk Spectrum Professional (RS) was used to generate the minimal cut-sets (MCS) for the selected fault tree top event. This tool can perform uncertainty analysis (calculate a probability distribution for a top event result) only for two boundary cases (Berg & Sardh 1994):

– parameters are not correlated (r = 0), and
– parameters are perfectly correlated (r = 1).

The first is the so-called Event Sampling simulation type, in which RS samples the parameter values according to the assigned uncertainty distribution, generating a new parameter value for each basic event that references the parameter. This is done for each sample of the Monte Carlo simulation.

The second is the so-called Parameter Sampling, in which RS samples the parameter value according to the assigned uncertainty distribution and uses this value for all basic events that reference the parameter (Olsson 2000). This is also done for each sample of the Monte Carlo simulation.

One important effect of simulating at the parameter level is that parameter dependencies (coupled failure data, state-of-knowledge dependence) are correctly taken into account.

With this in mind, it is necessary to employ another tool for the uncertainty analysis of correlated uncertain parameters with correlation coefficients from the range [0, 1]. This was done using the Crystal Ball software, which has an executive interface with MS Excel.

Thus, for this paper's purpose, RS provides a list of minimal cut-sets and the fault tree top event unavailability as a sum of minimal cut-sets, each of which is a product of basic events.

3.1 Fault tree model and propagation of uncertain correlated parameters

In order to obtain a minimal cut-set list for further analysis, an existing fault tree model from a plant-specific PSA was selected as a case study. The fault tree was chosen after its initial minimal cut-set analysis showed that no minimal cut-set had an over-dominant contribution. The point-estimate top event probability was 1.24E-4. Only the first 100 minimal cut-sets out of all 4460 (cut-off value 1E-12) were selected for further analysis, since the contribution of each of the other minimal cut-sets was less than 0.1% of the calculated value.

In Crystal Ball, probability distributions (referred to as "assumptions") are normally calculated independently of each other: Crystal Ball generates random numbers for each assumption without regard to how random numbers are generated for the other assumptions.

However, because dependencies often do exist between variables in the system being modelled, Crystal Ball has a Correlated Assumptions feature that allows these dependencies to be built into the model. When the values of two variables depend on each other in any way, they should be correlated to increase the accuracy of the simulation's forecast results. When a simulation with correlation is run, Crystal Ball does not alter the way the random values are generated for each assumption; it merely rearranges the values to produce the desired correlation. In this way the original distributions of the assumptions are preserved.

For the purpose of this paper we have considered only positive correlation. Anything in the range [−0.15, 0.15] could be noise and is unlikely to affect the results, and it is rare to have correlation coefficients above 0.8 or below −0.8 (Murtha 2000). With this in mind, the Monte Carlo simulation was run with several values of the correlation coefficient (0.25, 0.5 and 0.75) besides the two boundary cases (independent parameters, r = 0, and perfectly correlated parameters, r = 1). Correlations were established within specific failure modes (e.g. failure to start on demand, failure to operate, etc.) of components of the same generic type (e.g. air-operated valves, motor-driven pumps, compressors, etc.).
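The procedure of this section, as an added example that is neither the paper's own analysis nor the Risk Spectrum or Crystal Ball implementation: a constructed minimal cut-set list with lognormal basic-event parameters (median and error factor) is sampled so that parameters are correlated only within a group, i.e. one failure mode of one generic component type, with coefficient r; r = 0 then corresponds to event sampling and r = 1 to parameter sampling. Crystal Ball induces the correlation by rearranging already-sampled values, whereas this code uses a Gaussian copula, a substitute that also preserves the marginal distributions. The cut-sets, group names, medians and error factors are assumptions; `analytic_mean` returns the exact mean of the sum-of-products model under the same copula, so the simulation can be checked against it and the growth of the mean with r (a product effect, absent in a pure sum) can be seen directly.

```python
import math
import random
from statistics import mean, median, pstdev

# Constructed basic-event data (an assumption, not the plant-specific model of
# the paper): name -> (correlation group, median probability, error factor).
# A group is one failure mode of one generic component type, as in section 3.1.
BASIC_EVENTS = {
    "MDP-A-FTS": ("MDP-FTS", 2.0e-3, 3.0),   # motor-driven pump A fails to start
    "MDP-B-FTS": ("MDP-FTS", 2.0e-3, 3.0),
    "MDP-A-FTR": ("MDP-FTR", 5.0e-4, 5.0),   # motor-driven pump A fails to run
    "MDP-B-FTR": ("MDP-FTR", 5.0e-4, 5.0),
    "AOV-1-FTO": ("AOV-FTO", 1.0e-3, 3.0),   # air-operated valve fails to open
    "AOV-2-FTO": ("AOV-FTO", 1.0e-3, 3.0),
    "CCF-MDP":   ("CCF",     1.0e-6, 10.0),  # common-cause failure of both pumps
}
# Constructed minimal cut-set list; the top event is the sum of the products.
CUT_SETS = [
    ("MDP-A-FTS", "MDP-B-FTS"),
    ("MDP-A-FTR", "MDP-B-FTR"),
    ("MDP-A-FTS", "MDP-B-FTR"),   # mixed groups: mean unaffected by r
    ("MDP-A-FTR", "MDP-B-FTS"),
    ("AOV-1-FTO", "AOV-2-FTO"),
    ("CCF-MDP",),                 # single event: mean unaffected by r
]
Z95 = 1.6449  # 95th percentile of the standard normal; EF = exp(Z95 * sigma)


def sigma_of(error_factor):
    """Log-standard deviation of a lognormal with the given error factor."""
    return math.log(error_factor) / Z95


def sample_parameters(r, rng):
    """Draw one parameter set with within-group correlation r (Gaussian copula).

    Z_i = sqrt(r) * W_group + sqrt(1 - r) * E_i gives corr(Z_i, Z_j) = r inside
    a group and 0 across groups. r = 0 reproduces RS event sampling, r = 1
    parameter sampling (all members of a group move together).
    """
    groups = sorted({g for g, _, _ in BASIC_EVENTS.values()})  # sorted: deterministic
    shared = {g: rng.gauss(0.0, 1.0) for g in groups}
    values = {}
    for name, (group, med, ef) in BASIC_EVENTS.items():
        z = math.sqrt(r) * shared[group] + math.sqrt(1.0 - r) * rng.gauss(0.0, 1.0)
        values[name] = med * math.exp(sigma_of(ef) * z)
    return values


def top_event(values):
    """Rare-event approximation: sum of the minimal cut-set products."""
    return sum(math.prod(values[b] for b in cs) for cs in CUT_SETS)


def simulate(r, trials, seed=1):
    """Monte Carlo statistics of the top event for correlation level r."""
    rng = random.Random(seed)
    q = [top_event(sample_parameters(r, rng)) for _ in range(trials)]
    m, sd = mean(q), pstdev(q)
    return {"mean": m, "median": median(q), "sd": sd, "cov": sd / m}


def analytic_mean(r):
    """Exact mean of the sum-of-products model under the same copula.

    For one cut-set, ln Q is normal with variance sum(sigma_i^2) plus
    2 r sigma_i sigma_j for every pair in the same group, so E[Q] grows with r,
    while the mean of a pure sum of the events would not change at all.
    """
    total = 0.0
    for cs in CUT_SETS:
        log_median = sum(math.log(BASIC_EVENTS[b][1]) for b in cs)
        gs = [(BASIC_EVENTS[b][0], sigma_of(BASIC_EVENTS[b][2])) for b in cs]
        var = sum(s * s for _, s in gs)
        for i in range(len(gs)):
            for j in range(i + 1, len(gs)):
                if gs[i][0] == gs[j][0]:
                    var += 2.0 * r * gs[i][1] * gs[j][1]
        total += math.exp(log_median + var / 2.0)
    return total


if __name__ == "__main__":
    for r in (0.0, 0.25, 0.5, 0.75, 1.0):
        s = simulate(r, 20000)
        print(f"r={r:<4} mean={s['mean']:.3e} (exact {analytic_mean(r):.3e}) "
              f"median={s['median']:.3e} sd={s['sd']:.3e} cov={s['cov']:.2f}")
```

With a fixed seed the same standard-normal draws are reused for every r, so the table printed by the block isolates the effect of the correlation level from sampling noise; the cut-sets that mix groups and the single-event cut-set keep their mean, which is why a model with many such terms shows a weaker shift.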

3.2 Results

A list of minimal cut-sets was obtained with RS for the existing fault tree model from the plant-specific PSA selected as the case study.

Propagation of uncertainties through the fault tree was performed by Monte Carlo simulation using the Crystal Ball software, which can set an arbitrary correlation level between the uncertain input variables.

The number of trials was increased as the correlation level increased in steps of 0.25 within the range [0, 1], in order to achieve the same confidence level in the results.

The results of the analysis performed using different correlation levels are shown in Table 1.

Figure 1 presents a visualization of the most important results describing the uncertainty of the output value.

Another fault tree model (Example B) with a higher result probability was analysed in order to verify the influence of correlation on the result. Table 2 presents the results for Example B. It is visible that the correlation influence on the result uncertainty is similar, but a little less significant as the result probability increases.

Table 1. Numerical results of the fault tree top event uncertainty analysis for five correlation levels – Example A.

Correlation level        0         0.25      0.50      0.75      1
Trials                   2100      2950      3700      4850      6250
Mean                     1.15E-04  1.15E-04  1.21E-04  1.28E-04  1.31E-04
Median                   1.03E-04  9.89E-05  1.03E-04  1.02E-04  1.01E-04
St. deviation            5.31E-05  6.40E-05  7.49E-05  9.05E-05  1.05E-04
Coeff. of variability    0.46      0.55      0.62      0.71      0.80

Figure 1. Correlation level and output variable uncertainty – Example A. [Plot: mean, median and standard deviation of the top event probability (0 to 1.4E-04) versus correlation level 0, 0.25, 0.50, 0.75, 1.00.]

Additional analysis has been done to see how increased uncertainty (error factor of the log-normal distribution) of the input parameters affects the uncertainty of the output, given that the assumed correlation between parameters exists. As an illustration, the results showed that the influence of correlation is then even more pronounced (Figure 2).

Finally, as an illustration, the probability density function of the output is presented for the two extreme correlation cases: without correlation (Figure 3) and with perfect correlation (Figure 4).

4 CONCLUSION

Positive correlation between uncertain input parameters increases the mean value of the result. This is a consequence of the product model: the mean of a sum is not affected by correlation among the summands, whereas the mean of a product of positively correlated factors exceeds the product of their means. PSA models are neither pure products nor pure sums, but complex algebraic combinations of the various inputs.

The influence of correlation on the standard deviation and the coefficient of variation of the output is more obvious: both increase significantly as the correlation level increases. The median of the output is only very weakly affected by correlation and remains almost the same as the correlation level changes.

The effect of input parameter correlation on the result uncertainty is larger for a higher degree of input parameter uncertainty and for a lower total result.

For a more precise determination of the result uncertainty and of the mean result value, it therefore seems important to investigate the existence and the level of correlation between input parameters. PSA model parameter uncertainties might be correlated for various reasons (e.g. same data source, similar component design, same related function, same operating environment, etc.).

Table 2. Numerical results of the fault tree top event uncertainty analysis for five correlation levels – Example B.

Correlation level        0         0.25      0.50      0.75      1
Trials                   2100      2950      3700      4850      6250
Mean                     5.32E-03  5.40E-03  5.52E-03  5.74E-03  5.92E-03
Median                   4.72E-03  4.61E-03  4.62E-03  4.70E-03  4.64E-03
St. deviation            2.87E-03  3.05E-03  3.38E-03  4.05E-03  4.52E-03
Coeff. of variability    0.54      0.57      0.61      0.70      0.76

Figure 2. Correlation level and output variable uncertainty with higher level of input variable uncertainty – Example A. [Plot: mean, median and standard deviation of the output versus correlation level 0, 0.25, 0.50, 0.75, 1.00, on two probability axes (up to 2.0E-4 and up to 6.0E-4).]

Figure 3. Probability density function of output variable uncertainty with no correlation – Example A.

Figure 4. Probability density function of output variable uncertainty with perfect correlation – Example A.

REFERENCES

Apostolakis, G. & Kaplan, S. 1981. Pitfalls in risk calculation. Reliability Engineering, Vol. 2, pp. 134–145.

Berg, U. & Sardh, L. 1994. Risk Spectrum Theory Manual. Relcon Teknik AB.

Boissonnade, A. 1999. Modeling correlation in the treatment of uncertainty for catastrophic loss assessment. Risk Management Solutions Inc.

Borgonovo, E. et al. 2003. Comparison of global sensitivity analysis techniques and importance measures in PSA. Reliability Engineering & System Safety, Vol. 79, pp. 175–185.

Decisioneering, Inc. 2002. How to correlate dependent assumptions? Web site: www.decisioneering.com

Jordan Cizelj, R. et al. 2002. Uncertainty analysis of fault tree parameters. Proceedings of the ANS International Topical Meeting on PSA, Detroit, MI, USA, 6–9 October 2002, pp. 450–455.

Murtha, J. 2000. When does correlation matter? Risk Analysis for the Oil Industry, pp. 20–23.

Olsson, A. 2000. The probability of a parameter. Risk Spectrum Magazine, Issue 2, RELCON AB, Stockholm, Sweden, pp. 8–9.

Reed, J.W. et al. 1985. Analytical techniques for performing probabilistic seismic risk assessment of nuclear power plants. Proceedings of the 4th International Conference on Structural Safety and Reliability.

U.S. Nuclear Regulatory Commission 2002. Regulatory Guide 1.174, Revision 1. An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis. Washington, DC, USA.

Watanabe, Y. et al. 2003. Development of the DQFM method to consider the effect of correlation of component failures in seismic PSA of nuclear power plant. Reliability Engineering & System Safety, Vol. 79, pp. 265–279.


Experience with the use of risk assessment in IMO

Rolf Skjong,  Det Norske Veritas, Høvik, Norway

ABSTRACT: In the maritime industry the International Maritime Organisation (IMO) is the UN organisation responsible for developing international safety and environmental protection regulations. IMO has recently developed the second version of the "Guidelines for FSA for use in the IMO rule making process", available as circulars from both the Marine Safety Committee (MSC) and the Marine Environmental Protection Committee (MEPC). This standard is, as far as the author knows, the first risk assessment standard adopted in a UN organisation. As there have been some attempts to develop internationally accepted risk assessment and risk management standards, the paper tries to describe some of the experience and lessons learned from implementing FSA in IMO.

The work on developing the guidelines is briefly reviewed. Some concepts used in the first version of the guidelines, e.g. the regulatory impact diagram, resulted in a lot of controversy and have subsequently been removed. Similarly, the questions of risk acceptance and transparency have been subject to considerable debate and controversy.

Paralleling the development of the guidelines there have been a number of applications of the guidelines, recently focusing on bulk carrier safety. Relevant studies have been carried out by the UK, by Japan, by Norway and the International Confederation of Free Trade Unions (ICFTU), and by the International Association of Classification Societies (IACS). These studies are briefly reviewed with respect to the methods used, the assumptions made and the conclusions drawn. The entire process, from the initial terms of reference formulated by IMO to the final decisions, is briefly reviewed. The final decision making took place at the MSC meeting in early December 2002.

The main conclusion is that the maritime industry has made a lot of progress, quite fast, in the use of risk assessment in the decision making process, despite the many communication problems that arise in discussing risk issues in international forums. Furthermore, FSA has helped to balance the often conflicting interests of the flag states and the non-governmental organisations present in IMO.

1 INTRODUCTION

1.1 General

The application of risk analysis techniques is generally well established in most industries, both as a means for the owner/operator to manage their own risks and for the regulator to prioritise work on the development of rules and regulations.

Most risk analysis techniques have their origin in the nuclear industry, for which risk analysis became an important tool in the 1960s and has now developed into living Probabilistic Safety Assessment (living PSA). A living PSA is regularly updated, e.g. after upgrades, inspections and maintenance.

In the offshore industry the use of risk analysis has been required since 1981 in Norway, and in the UK since 1992 as a consequence of the Piper Alpha disaster. The risk analysis is carried out on behalf of the owner of the plant and is to be documented. In the UK the document is called a Safety Case, and it is approved by the UK Health and Safety Executive. In Norway the authorities do not approve such documentation or any safety goals, but are allowed insight into the safety related decision making process of the individual enterprises, and can act on situations which are not considered acceptable.

On a generic policy level, most OECD countries require risk analysis as the basis for regulation; e.g. according to US Presidential Executive Order 12866 on "Regulatory Planning and Review", the US Coast Guard has to base its rules and regulations on risk analysis and cost benefit evaluation. From OECD many nations have also received a tool called Regulatory Impact Assessment (RIA), and are implementing this in many areas of regulatory policy. RIA also refers to risk and cost-effectiveness assessment.


Finally, it should be noted that both the International Organization for Standardization (ISO) and CEN have most of their structural standards based on risk assessment.

1.2 Shipping

In the shipping industry, most of the statutory regulations in the past have been developed as a reaction to major accidents and disasters. However, in 1992 the UK House of Lords Select Committee on Science and Technology recommended a Safety Case regime for shipping, similar to that already adopted in the oil and gas industries. It also recommended a move towards performance standards in place of prescriptive rules, and a concentration on the management of safety.

In 1993, during the 62nd session of the IMO MSC, the UK proposed a standard five-step risk based approach, which was termed Formal Safety Assessment (FSA). In 1996 IMO established a working group on FSA, and by 1997 a circular on "Interim Guidelines on the Application of FSA to the IMO Rule-making Process" (IMO, 1997) had been developed, which was adopted by the MSC and MEPC the same year. Subsequently, a number of FSA trial applications and FSA studies were carried out and presented to IMO. In 2001, during the 74th session of the IMO MSC, the FSA Interim Guidelines were revised into "Guidelines for Formal Safety Assessment (FSA) for Use in the IMO Rule-Making Process" (IMO, 2001).

1.3 Purpose of FSA

FSA has been developed as a tool to support the decision making process at IMO. It should make decision making procedures more rational and provide a proactive and holistic approach, thus reducing the number of ad hoc proposals and implementations and giving less room for politics in the decision making process.

FSA should also encompass both technical and operational aspects, taking into account the influence of human factors on accidents in shipping.

FSA should provide reliable information on hazards, risks, risk control options and their costs and benefits, in a rational, structured and auditable manner, in order to improve decisions regarding the management of the risks identified.

1.4 What is FSA?

FSA is a risk based approach consisting of five interrelated steps:

1. Identification of hazards
2. Assessment of the risks arising from the hazards identified
3. Identification of options to control the risks
4. Cost/benefit assessment of the risk control options
5. Recommendations for decision making, based upon the information derived in the previous steps.

The safety of an issue under consideration is assessed by evaluating the risk associated with this issue, e.g. a specific system or operation. The decision on the acceptability of that risk is made by referring to risk acceptance criteria. So far IMO has been reluctant to formulate explicit criteria. However, during the work on bulk carrier safety, references were made to criteria submitted by Norway (2000). The Norway paper argued that bulk carrier risk was in the ALARP region, and suggested a cost effectiveness criterion of $3 m per fatality averted to be used for decision making.

Compared to the current safety assessment approach there are several differences to be observed. Today, decisions on regulatory changes at IMO are normally initiated as a reaction to an accident. The decision on safety requirements results from activities after the problem occurred, focusing on the question: what went wrong? The FSA approach is pro-active, trying to find out before an accident occurs: what might go wrong?

In today's safety assessment approach the risk is normally not explicitly evaluated. The FSA approach tries to establish the likelihood of the scenarios which may develop from the hazards, and the magnitude of their consequences, in order to calculate the risk.

As today’s safety assessment process is reactive to an accident rather than pro-active, decisions on how to improve matters are often made on an ad-hoc basis, influenced by public pressure or aspects like reputation. Quick fixes are therefore preferred, and an assessment of the costs and the benefits of such solutions is normally not performed. The FSA approach, on the other hand, systematically analyses the different options which are available to control the risk, and also assesses both the costs and the benefits of those options should they be implemented. The final decision on safety requirements can therefore be made on the basis of an analysis.

The current reactive approach has led to a continuous amendment of already complex and sometimes inconsistent regulations. These regulations are often characterised as being prescriptive, leaving only limited room for equivalent solutions to a safety problem other than those prescribed. Especially in periods of rapid technological development the pace of regulatory development is too slow to cope with industrial needs, and the principle of technical equivalence becomes an obstruction to innovation. Specific safety objectives and functional requirements would be more useful, requiring safety goals/performances to be met both for technical and operational aspects.


2 THE FIRST FSAs

The first FSA studies were termed trial applications. There are a number of such studies, and it would be far beyond the scope of this paper to discuss all these submissions. They generally did not contain any recommendations for decision making, and therefore were not subject to much scrutiny at IMO. Their purpose was mainly to illustrate and educate.

There were some exceptions to this: The UK FSA on High Speed Crafts and the Norway/International Council of Cruise Lines (ICCL) study on helicopter landing areas. In addition IACS carried out a HAZID to communicate the safety problems generated by requiring ballast water exchange at sea, a requirement resulting from environmental considerations (IACS, 1998), thereby demonstrating that complete FSA studies are not always required.

The UK FSA on high speed craft was a large project, and a number of reports were submitted to IMO. A large number of questions were raised relating to the results of the analysis, some of which clearly indicated that many delegates were of the opinion that the results were wrong and contradicted factual information. It was decided to review the reports, and a correspondence group was established, chaired by Italy. The terms of reference may be found in IMO (1998). The correspondence group concluded by stating “The Group appreciated both studies by the United Kingdom (for which the majority of comments were made) and Sweden, which were found to provide a great deal of insight into high-speed craft safety issues, although concerns were raised about the degree to which they should be used for decision making. Given the complexities of the FSA and the system under consideration, the analysis needs to be extremely open and clear in order for the utility of the study for decision making to be assessed” (Italy, 1999). The correspondence group analysed the situation and pointed to the use of regulatory impact diagrams, instead of fault and event trees, as causing the problem, and stated “It may generate confusion and subjectivity rather than offer a valuable contribution to the FSA.” The story ended with the new FSA Guidelines, where the regulatory impact diagrams have been removed (IMO, 2001).

The first FSA that was used for decision making was the Norway/ICCL FSA on helicopter landing areas for non-ro/ro passenger ships (Skjong et al. (1997)). Helicopter landing areas had been proposed as a safety measure for ro/ro passenger ships by the Panel of Experts in the aftermath of the Estonia tragedy in 1994 (Estonia, 1997). Some of the proposals by the Panel of Experts had been made mandatory for all passenger ships by IMO. The industry representatives (like ICCL) questioned the justification for the regulation, and Norway decided to carry out an analysis. The FSA developed two different risk models. One model was rather reliant on review of historic accidents, and estimation of the benefits of helicopter landing areas for those accidents. The other model was more theoretical, and estimated helicopter response time, time to come to the scene of the accident, time to find and pick up personnel, etc. This was compared to the time available for successful search and rescue operations. Both models gave the same and very clear conclusion: The regulation was not justified based on the costs and benefits of requiring helicopter landing areas for cruise ships. The cost of averting a fatality was estimated, under optimistic assumptions relating to the effectiveness of helicopter landing areas, to be larger than $70 m. This was observed to be much higher than criteria used for safety interventions in any OECD country. Also this FSA was subject to detailed review. The terms of reference for the review can be found in IMO (1998). The review was first carried out in a correspondence group, reported in UK (1999), and concluded that “the methodology broadly followed the guidelines”, “the scenarios selected for analysis are appropriate”, and “the evaluation of risk are broadly valid”. Still, the joint working group on FSA and the Human Element used the full MSC 70 meeting to review the FSA in further detail. The conclusion of the working group may be found in IMO (1999) stating “The Committee noted that the cost-effectiveness of a helicopter landing area, in terms of the cost of implementation divided by the expected number of additional lives saved (the implied cost of averting a fatality) is $37 m and that, acknowledging the uncertainties in the evaluation of both risk benefit and cost, the group agreed that the Implied Cost of Averting a Fatality (ICAF) may range from about $12 m to $73,000 m.” The working group noted that all assumptions made were optimistic on behalf of requiring helicopter landing areas. The conclusions were therefore robust, and the requirement was repealed.

3 FSA FOR BULK CARRIERS

3.1 Initial studies

The first FSA study on bulk carriers was carried out by DNV in 1997, and a paper was distributed to both the working group on Bulk Carrier Safety and the working group on FSA during the MSC meeting (DNV, 1997). The study represented DNV’s justification for supporting the IACS decision to strengthen the bulkhead between No.1 and No.2 cargo holds on existing bulk carriers. The justification was based on costs of averting a fatality between $0.5 m and $1.5 m for the various types of bulk carriers analyzed. This decision is therefore consistent with later decisions at IMO. The analysis was based on extensive analysis of casualty data and rather simple risk modeling. The analysis was very easy to understand. The paper was widely distributed, and contributed to the understanding of FSA in the industry.

3.2 Bulk carrier FSA studies at IMO

An FSA on bulk carrier safety was proposed by UK (1998). The proposal was generally supported, although many delegates expressed concerns that the scope of the study was too broad. In the aftermath it may be observed that this concern was justified. Most of the risk control options adopted during MSC 76 in December 2002 related to fore-end watertight integrity – an issue put on the agenda prior to MSC 70 for urgent review. On this issue IACS submitted a HAZID report to MSC 71 (IACS, 1999) and a full FSA to MSC 74 (IACS, 2001). This study was carried out independently by IACS and reported to IMO. The study took about a year. The study uses standard risk assessment techniques involving fault and event trees and extensive analysis of accident data. However, to be able to quantify some of the risk reduction effects (e.g. strengthening of hatch covers), structural reliability methods (see Skjong et al. 1996) were developed based on detailed probabilistic modelling of strength, structural response and the marine environment.

Norway initiated the study on life saving appliances by preparing a document on risk acceptance criteria, as this was viewed as a preparatory step to an FSA. This document was submitted to MSC 72 (Norway, 2000). Individual and societal risk for bulk carriers and other ship types are given in Figure 1 and Figure 2, which are taken from this document.

The complete study was reported to MSC 74 (Norway & ICFTU, 2001). This study took less than a year, and is very detailed in the risk modelling as compared to other FSA submissions. The level of detail reflected the need to quantify risk control measures that affected probabilities at a detailed level. The study had to use human reliability data from other industries, as similar data did not exist for the maritime industry. The study was carried out independently.

Also Japan was able to deliver their FSA after a one year project (Japan, 2001), but decided to update the study to MSC 75 (Japan, 2002a). The Japan study, much like the IACS study, is based on comprehensive assessment of accident statistics and rather limited risk modelling. Still, the study is sufficiently detailed for the decision making and relatively easy to follow. Also this study was carried out independently.

The international study was coordinated by UK based on terms of reference agreed during MSC 71 (IMO, 1999). Up to MSC 76 only progress reports were received by IMO. An implication was that during MSC 75 in May 2002 the committee short-listed the recommendations from all studies including the UK recommendation, but without any reported FSA study from UK. The main study was subsequently reported to MSC 76 (UK, 2002a). UK also submitted a large number of other papers on bulk carrier safety that were independent of the main FSA report, including a complete FSA carried out at Strathclyde (UK, 2002b) on the IACS unified requirement for hatch cover strength.

3.3 Decision making

The final decision making based on the FSA studies on bulk carrier safety was scheduled for MSC 76 (December 2002). As previously stated, the risk control options had already been short-listed at MSC 75, and the working group tried to structure the order in which decisions were made. The reason is that decisions to implement one risk control option would affect the cost effectiveness of other risk control options as there would be “fewer to save”. Both Japan (2002a) and INTERCARGO (2002) submitted papers discussing this final decision making process, and it may be expected that the FSA working group will reconvene at a later MSC meeting to discuss and resolve these issues, as many delegates found the process difficult to grasp.

Figure 1. Individual (annual) risk per ship-type. [Figure residue: annual individual risk on a logarithmic scale from 1.00E-07 to 1.00E-02, with Intolerable Risk, ALARP and Negligible Risk bands, for Oil Tanker, Chemical Tanker, Oil/Chemical Tanker, Gas Tanker, Bulk/Oil Carrier, Bulk Carrier (incl. Ore), Container Vessel, General Cargo Carrier and Ro/Ro Cargo Carrier.]

Figure 2. Societal risk of bulk carrier and container vessel accidents. [Figure residue: FN diagram of the frequency of N or more fatalities (per ship year), from 1.0E-05 to 1.0E-02, against fatalities N from 1 to 1000, with Intolerable, ALARP and Negligible regions, for the series Bulk and ore and Container.]

For a risk analyst it may be difficult to understand the problem, as such recalculations are rather trivial, and the whole idea of waiting to make all decisions relating to bulk carrier safety at the same time was that such dependencies between risk control options were unavoidable.

3.4 The risk control options and the decisions

The first and most important risk control option related to the side shell failures. These failures had been demonstrated by all studies to be a major contributor to bulk carrier casualties. The most comprehensive risk control option considered was to require double side skin. The quantification of costs and benefits was carried out by IACS (2001). The key data, from IACS, are given in Table 1. The decision parameters are now defined in the FSA guidelines as Gross and Net Cost of Averting a Fatality.

(1)

(2)

PLL is the Potential Loss of Life, ΔCost is the additional cost of the risk control option, and ΔBenefit is the economic benefits resulting from implementing the risk control option.

This rather clear recommendation, given an acceptance criterion of $3 m, was later confirmed by UK (2002a). This study claimed many commercial benefits of double side skin in addition to the safety benefits. This made the NCAF value negative. Although the IACS study was conclusive, IACS did wait for MSC 76 to take the decision, and promised to develop the necessary unified requirements for double side skin bulk carriers (IMO, 2002).
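The cost-effectiveness decision rule above, and the “fewer to save” recalculation discussed in section 3.3, as an added example (not code from the paper or from any of the FSA submissions). GCAF = ΔCost/ΔPLL reproduces the $m figures the paper tabulates from the IACS cost and risk-reduction data; NCAF = (ΔCost − ΔBenefit)/ΔPLL is the IMO FSA guideline form and is taken here as an assumption, as are the constructed benefit figures and base PLL.

```python
"""Cost-effectiveness of risk control options (RCOs), as assessed in an FSA.

Added example; not code from the paper or from any FSA submission.
GCAF = dCost / dPLL reproduces the $m values tabulated in the paper from the
IACS cost and risk-reduction figures. NCAF = (dCost - dBenefit) / dPLL is the
form given in the IMO FSA guidelines and is taken here as an assumption, as are
the economic benefit figures and the base PLL, which are constructed.
"""
from dataclasses import dataclass
from typing import List, NamedTuple

USD_PER_MUSD = 1e6
CRITERION_MUSD = 3.0  # $3 m per fatality averted (Norway, 2000), used at MSC 76


@dataclass(frozen=True)
class RCO:
    name: str
    cost_usd: float           # additional cost of the option per ship, $
    delta_pll: float          # reduction in Potential Loss of Life per ship, lives
    benefit_usd: float = 0.0  # economic benefit per ship, $ (0 = none claimed)


def gcaf_musd(cost_usd: float, delta_pll: float) -> float:
    """Gross Cost of Averting a Fatality in $m: cost divided by lives saved."""
    if delta_pll <= 0:
        raise ValueError("an RCO must reduce the PLL")
    return cost_usd / delta_pll / USD_PER_MUSD


def ncaf_musd(cost_usd: float, benefit_usd: float, delta_pll: float) -> float:
    """Net Cost of Averting a Fatality in $m; negative when benefits exceed cost."""
    return gcaf_musd(cost_usd - benefit_usd, delta_pll)


def caf_musd(rco: RCO) -> float:
    """CAF used for the decision: NCAF when a benefit is claimed, else GCAF."""
    if rco.benefit_usd:
        return ncaf_musd(rco.cost_usd, rco.benefit_usd, rco.delta_pll)
    return gcaf_musd(rco.cost_usd, rco.delta_pll)


def cost_effective(rco: RCO, criterion_musd: float = CRITERION_MUSD) -> bool:
    """Decision rule applied at MSC 76: implement when the CAF is below the criterion."""
    return caf_musd(rco) < criterion_musd


class Decision(NamedTuple):
    name: str
    delta_pll: float   # risk reduction actually credited, after earlier decisions
    caf_musd: float
    accepted: bool


def sequential_decisions(rcos: List[RCO], base_pll: float,
                         criterion_musd: float = CRITERION_MUSD) -> List[Decision]:
    """The "fewer to save" recalculation of section 3.3.

    Constructed model: each RCO removes a fixed fraction of whatever PLL is still
    present when it is decided on (fraction = tabulated delta_pll / base_pll).
    Options accepted earlier therefore shrink the lives saved by later ones and
    raise their CAF, so the order of the decisions can change the outcome.
    """
    remaining = base_pll
    decisions = []
    for rco in rcos:
        credited = rco.delta_pll / base_pll * remaining
        scaled = RCO(rco.name, rco.cost_usd, credited, rco.benefit_usd)
        caf = caf_musd(scaled)
        accepted = caf < criterion_musd
        if accepted:
            remaining -= credited
        decisions.append(Decision(rco.name, credited, caf, accepted))
    return decisions


# Cost and risk-reduction figures as tabulated in the paper (Table 2 from IACS, 2001;
# Table 3 from UK, 2002a), using the lower end of each cost range. The benefit
# figures are constructed so that the NCAF lands in the tabulated range.
FORECASTLE_CAPESIZE = RCO("Forecastle, Capesize", 54_000, 0.0211, benefit_usd=7_500)
FORECASTLE_PANAMAX = RCO("Forecastle, Panamax", 29_100, 0.0493, benefit_usd=19_300)
AHL_BAN_PANAMAX_NEW = RCO("Ban alternate hold loading, Panamax new", 54_000, 0.0216)
AHL_BAN_PANAMAX_EXISTING = RCO("Ban alternate hold loading, Panamax existing", 50_000, 0.0120)

if __name__ == "__main__":
    for rco in (FORECASTLE_CAPESIZE, FORECASTLE_PANAMAX,
                AHL_BAN_PANAMAX_NEW, AHL_BAN_PANAMAX_EXISTING):
        print(f"{rco.name:46s} GCAF {gcaf_musd(rco.cost_usd, rco.delta_pll):5.2f} $m"
              f"  CAF {caf_musd(rco):5.2f} $m  implement: {cost_effective(rco)}")
    # The same ban, decided only after the forecastle has already been accepted
    # (constructed base PLL of 0.25 lives per ship).
    for d in sequential_decisions([FORECASTLE_PANAMAX, AHL_BAN_PANAMAX_NEW], base_pll=0.25):
        print(d)
```

Run stand-alone, the ban passes the $3 m criterion on its own but fails it once the forecastle has been credited first, which is the ordering problem the working group was trying to structure.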

IACS (2002) and UK (2002a) had both included coating in their assessment, and both studies produced negative NCAFs. IACS summarized the situation in the working group by stating that the analysis confirmed that it is always in the owner’s best interest to coat and to maintain coating. However, as explained by INTERCARGO, coating of cargo holds cannot easily be regulated, as the appropriate coating depends on the cargo. However, the MSC noted that SOLAS regulation II-1/3-2 made the coating of dedicated ballast tanks mandatory for oil tankers and bulk carriers but extending that requirement to cargo holds could introduce serious problems, bearing in mind that cargoes can react distinctly to different coatings. Therefore, MSC agreed that new ships, which would be of double side skin construction, should be required to have their dedicated seawater ballast tanks and void spaces within double hull spaces coated according to current SOLAS requirements for ballast spaces. Class and the ship-owner would address the coating of cargo holds. The MSC instructed the Design and Equipment (DE) Sub-Committee to develop international performance standards for coatings. With respect to existing ships, the Committee acknowledged that at present there was sufficient control over the condition of coatings through the enhanced survey programme and agreed that this risk control option should also be addressed by class and the ship-owner.

Control standards for steel repairs carried out at terminals were proposed by UK (2002a), and presented with negative NCAFs but very small risk reducing effects, actually an indication that this was mainly of commercial interest. The discussion disclosed that the problem could be associated with repairs carried out without notifying the class society. The discussion was inspired by a detailed casualty investigation presented by Marshall Island (2002), where this problem was clearly identified. MSC agreed to request the DE Sub-Committee to prepare a draft MSC circular to remind ship owners and operators of their obligations and responsibilities under SOLAS regulation II-1/3-1, concerning the provision that ships shall be maintained in accordance with the structural requirements of recognized classification societies, and other related management obligations under the ISM Code. It is clear from the discussion that the FSA was not used as a significant contributor to this decision.

IACS did propose a forecastle and presented this as marginally cost effective for new buildings; see table 11 of IACS (2001) and Table 2.

MSC noted the information provided by IACS on the on-going development of Unified Requirement S28, requiring the fitting of a forecastle on bulk carriers contracted for construction on or after 1 January 2004 with the purpose of protecting foredeck fittings against green sea loads and minimizing the impact of such loads on fore hatch covers. The Committee also noted that, while the fitting of a forecastle as such was not an IMO requirement, draft Load Lines Protocol regulation 39 – “Minimum bow height and reserve buoyancy” would require additional reserve buoyancy forward consistent with the provision of some sheer and/or a forecastle. It seems that the FSA and the use of the same decision criteria by IMO and IACS led IACS to this conclusion.

Table 1. Double side skin for new bulk carriers.

                                      Cost $            Risk reduction   NCAF $m   GCAF $m
Double side skin, new bulk carriers   131,000–182,000   41%              0.8–1.1   0.1–0.4

The MSC recognized that replacing hatch covers in existing ships would not be cost-effective, but agreed that more attention should be paid to hatch cover securing mechanisms and the issue of horizontal loads only, especially with regard to maintenance and frequency of inspection. The Committee agreed that ship owners and operators should be made aware of the need to implement regular maintenance and inspection procedures for closing mechanisms in existing bulk carriers in order to ensure proper operation and efficiency at all times, and instructed the DE Sub-Committee to develop standards for hatch cover securing arrangements for existing ships. The decision of not strengthening hatch covers on existing ships is not well documented. It may be noted that IACS (2001), in Table 12, lists this risk control option as cost effective. UK (2002b) also lists this as cost-effective. The reason for not implementing this risk control option may be found in Japan (2002c), table 1. This table shows that UK classified too many accidents as hatch cover related. A scrutiny of the data, which was made possible by the exchange of information between UK and Japan, resulted in an agreement to reduce the frequency of hatch cover failures in the models. This resulted in the conclusion that this risk control option was no longer cost effective.

Hold, ballast and dry space water level detectors were already scheduled for implementation in the new SOLAS regulation XII/12, both for new and existing bulk carriers. Both Norway/ICFTU (2000) and IACS (2000) demonstrated this risk control option to be cost effective. After the decision was made also UK (2002a) confirmed this. Close comparisons of the FSA studies show that all risk models are different – still giving the same result. Earlier, at IMO, many delegates have stated skepticism on FSA by referring to some undocumented experience that an FSA can produce “any answer”. Hopefully the case of the water level detectors can prevent such skepticism from flourishing.

UK (2002a) proposed to ban alternate hold loading for bulk carriers carrying heavy bulk cargo and presented Table 3. It should be clear from the information, if taken as unquestionable fact, that this recommendation would fall outside the criteria when considering the other risk control options already implemented.

MSC decided to have DE look closer into this issue.

4 DISCUSSION

4.1 FSA work

Generally IACS, Japan and Norway/ICFTU demonstrated that rather extensive FSA studies may be carried out in about a year’s time. If well coordinated, a comprehensive FSA study of a ship type may take two to three years. The reason is that many ship types are more complicated to analyse; more modelling work and search into reliability and incident data may therefore be required. Bulk carriers are particularly simple designs and there have been (too) many accidents that make up the experience base. Still, FSA studies may be carried out within the time span that is normally available at IMO for such tasks – it is quite common that a dedicated working group needs two to three years to complete its tasks.

4.2 FSA methods

Most FSA studies presented at IMO have used standard risk models using fault trees and event trees. Fault trees have not been large or detailed. When detailed fault trees have been prepared, e.g. by France (2002) as part of the UK/International project, the analysts have sometimes given up on populating the fault trees with relevant data. This happened with the UK/Int. study, which ended up without using fault trees except for splitting up the initiating events into causes. The result of this was that the UK/Int. study had no models for quantifying risk reduction based on risk models, but resorted to expert judgement of risk reducing effects for each event tree scenario.

Both IACS (2001) and Japan (2002) used rather detailed structural reliability models to be able to quantify risk reducing effects, and Norway/ICFTU (2001) used detailed fault and event trees populated by data from many sources.

Table 2. Forecastle for new bulk carriers.

            Cost $            Risk reduction   NCAF $m        GCAF $m
Capesize    54,000–102,000    0.0211           2.2–4.5        2.6–4.8
Panamax     29,100–54,000     0.0493           0.2–0.7        0.6–1.1
Handymax    15,600–51,000     0.0933           −4.9 to −2.0   0.2–0.3

Table 3. Ban Forecastle for new bulk carriers.

                    Cost $   Risk reduction   NCAF $m   GCAF $m
Panamax-new         54,000   0.0216           2.5       1.4
Panamax-existing    50,000   0.0120           4.2       2.8

From a method perspective it may be stated that the FSA studies have presented something good and something new. The problem is that what is new is not good (e.g. the regulatory impact diagrams), and what is good is not new. The maritime industry is just learning to use the standard methods.

4.3 Remaining controversies

There are some issues that are still unresolved and subject to debate. For example there seem to be two different views on the use of NCAFs and GCAFs. When risk reduction is small and economic benefits are large, this may result in a large negative NCAF. Some seem to conclude that such risk control options should be implemented in mandatory instruments, whilst others are of the opinion that there is no need to regulate, as it is reasonable to assume that the owner can take care of his own economic interest. At MSC 76, various questions relating to coating came in this category. All studies showed that it is in the owner’s best interest to coat and maintain coating, and that this also has safety implications. Still it was decided not to regulate this at IMO level.

There are also controversies on how FSA studies should be verified. The verification of the FSA on helicopter landing areas for non-Ro/Ro passenger ships was a case of detailed verification. The international FSA on bulk carrier safety was not verified. The study was open to anyone, but there are no records of any independent verification. It is expected that verification of FSA studies will be on the agenda for future IMO meetings.

Finally, the risk acceptance criteria will be an issue of future discussions. On environmental risks there has so far not been any proposal on how to deal with this issue.

4.4 Risk acceptance criteria

The FSA guidelines are sufficiently specific on the format of the risk acceptance criteria for safety relating to loss of life. Individual risk and societal risks are supposed to be analyzed, and societal risk should be presented as FN diagrams. The ALARP criterion is referred to, but no criteria have been given for intolerable risk or negligible risk. Still, during the FSA on bulk carrier safety the reasoning by Norway (2000) was adopted. This document concluded that most ship types (including bulk carriers) are in the ALARP area, and that cost effectiveness criteria should be used to reach a final recommendation. The final decision making process at IMO referred only to this criterion and implemented all risk control options with a cost of averting a fatality less than $3 m. This is the criterion suggested by Norway (2000) in cases where a fatality is used as an indicator which, in addition to representing the fatality risk, also represents injuries.

4.5 The FSA process

Most risk analysts see the FSA process as a method to coordinate all activities relating to the decision making process. This is still not a widespread view in the maritime industry. A number of risk issues with large cost implications have been put on the agenda during the last couple of years, without considering FSA studies. For example, both security issues and large passenger ship safety issues have been considered without FSA.

Even during the decision making process for bulk carriers there were a number of risk control options implemented without FSA, for example issues relating to the revision of the Load Line Conventions or the UK proposal to strengthen all bulkheads on existing bulk carriers (UK, 2002c). Furthermore, a large number of separate studies, e.g. model tests, were never integrated into the FSA studies, although some studies used structural reliability models that could easily include e.g. new hatch cover load distributions in the risk estimation and the estimation of risk reduction.

5 CONCLUSIONS

It took the maritime industry seven years from the initiation of the work on the first version of the FSA guidelines to the first major decisions made on the basis of the new decision making tool. There have been some failures with using the new tool, but the industry is learning relatively fast. Some attempts to make FSA something different from standard risk based decision making have failed, and the focus seems now to be shifting towards educating more people to use the new tools, rather than “inventing the wheel” again.

There is still a lot to be done relating to verification, risk acceptance, data collection and methods for integrating all relevant knowledge. This is probably going to take many years.

The final decisions for bulk carrier safety seem to be a good package of preventive and risk mitigating measures, and have a large risk reduction potential of some 60–70% for new ships, according to the studies. This is a good achievement, and it is not likely that all these decisions would have been possible without an FSA.

ACKNOWLEDGEMENT

The work reported in this paper has been carried out under the DNV strategic research programmes. The opinions expressed are those of the author and should not be construed to represent the views of DNV.

REFERENCES

Estonia (1997) “Final report on the capsizing on 28 September 1994 in the Baltic Sea of the Ro Ro Passenger vessel MV ESTONIA” The Joint Accident Investigation Commission of Estonia, Finland and Sweden.

DNV (1997) “Cost benefit analysis of existing bulk carriers”, Det Norske Veritas Paper series No. 97-P008.

France (2002) “International collaborative study – Step 2 of FSA” MSC 75/5/5.

IACS (1998) “HAZID of ballast water exchange at sea” MEPC 41/9/2 submitted by International Association of Classification Societies.

IACS (1999) “Hazard identification on the watertight integrity of the fore end of bulk carriers” MSC 71/INF.7.

IACS (2001) “Formal safety assessment – fore-end watertight integrity” MSC 74/5/4.

IACS (2002) “Bulk carrier safety – side shell integrity evaluation of risk control options” MSC 76/INF.21.

IMO (1997) “Interim Guidelines on the Application of Formal Safety Assessment (FSA) to the IMO Rule-making Process.” MSC Circ.829/MEPC Circ.335.

IMO (1998) “Report from MSC 69”.

IMO (1999) “Bulk carrier Safety – Report of the working Group” MSC 71/WP.3.

IMO (2001) “Guidelines on the Application of Formal Safety Assessment (FSA) to the IMO Rule-making Process.” MSC Circ.1023/MEPC Circ.392.

IMO (2002) “Report from the Working Group on Bulk Carrier Safety” MSC 76/WP.16.

INTERCARGO (2002) MSC 76/5/6 submitted by International Association of Dry Cargo Shipowners.

Italy (1999) “Report of the correspondence group on trial applications of FSA to high speed crafts”.

Japan (2001) “Report on FSA study on bulk carrier safety” MSC 74/5/3.

Japan (2002a) “Report on FSA study on bulk carrier safety” MSC 75/5/2.

Japan (2002b) “Consideration on decision-making process from independent FSA Studies” MSC 76/5/12.

Japan (2002c) “Investigation on Hatch-Cover related casualties” MSC 76/5/13.

Marshall Island (2002) “Hull envelope structural failure of M/V LAKE CARLING” MSC 72/5/16.

Norway (2000) “Decision parameters including risk acceptance criteria” MSC 72/16. (Authors: R Skjong and M Eknes).

Norway & ICFTU (2001) “Formal Safety Assessment of Life Saving Appliances for Bulk Carriers FSA/LSA/BC” MSC 74/5/5 (Authors: R Skjong and B.H Wentworth).

Skjong, R, E Bitner-Gregersen, E Cramer, A Croker, Ø Hagen, G Korneliussen, S Lacasse, I Lotsberg, F Nadim and KO Ronold (1995) “Guidelines for Offshore Structural Reliability Analysis – General” Det Norske Veritas Report No 95 – 2018. The guidelines are available on the internet at http://research.dnv.com/skj/OffGuide/SRAatHOME.pdf.

Skjong, R, P Adamcik, ML Eknes, S Gran and J Spouge (1997), “Formal Safety Assessment of Helicopter Landing Area on Passenger Ships as a Safety Measure” DNV Report 97-2053. (Public as IMO/COMSAR 3/2 and IMO/DE 41 documents).

UK (1998) MSC 70/4/Add.1 and MSC 70/INF.14.

UK (1999) “Report of the intersessional correspondence group on helicopter landing areas (HLAs)” MSC 70/14.

UK (2002a) “International collaborative FSA study – final report” MSC 76/5/5.

UK (2002b) “Effect of URS21 on existing hatch covers of bulk carriers” MSC 76/5/3.

UK (2002c) “Comments on the international collaborative FSA study final report and review of proposals” MSC 76/5/17.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Criteria for establishing risk acceptance

Rolf Skjong
Det Norske Veritas, Høvik, Norway

ABSTRACT: In the maritime industry the International Maritime Organization (IMO) is the UN organization responsible for developing international safety and environmental protection regulations. IMO has recently developed the “Guidelines for FSA for use in the IMO rule making process”. This standard is, as far as the author knows, the first risk assessment standard adopted in a UN organization.

Paralleling the development of the guidelines there have been a number of applications of the guidelines, recently focusing on bulk carrier safety. Bulk carrier safety has been a challenge for IMO and the industry, in particular after heavy losses in the early nineties. As the problems mainly relate to structural components, the FSA studies have to some extent applied Structural Reliability Analysis (SRA) in order to quantify the effect of Risk Control Options (RCOs) that have been proposed to mitigate the risk.

The paper briefly reviews FSA and SRA, describing similarities and differences relating to risk acceptance criteria.

The main point in the paper is that the traditional risk acceptance criteria established in SRA cannot be used consistently in an FSA. Criteria based on the As Low As Reasonably Practicable (ALARP) principle and cost-effectiveness may play a more prominent role if the two methods shall be integrated.

The consequence of this change is exemplified with one of the few studies that are available. It is observed that the actual change of practice in terms of costs to the industry (e.g. structural material used) is limited.

The case studies are based on experiences from the maritime industry. However, it should be pointed out that SRA is used in many industries and that similar debates take place elsewhere. The proposed approach is expected to be more generally applicable.

1 INTRODUCTION

1.1 Target reliabilities in structural reliability analysis

The tradition in structural reliability analysis is to base the target reliabilities on one of the following methods (Skjong et al., 1996; DNV, 1992):

• Calibration against well established codes that are judged acceptable or best practices for the same type of structures

• Calibration against well established codes that are judged acceptable or best practices for similar types of structures

• Calibration against tabulated values, using distribution assumptions that are judged to be (slightly) conservative

The first two methods add costs to the use of SRA, as the analysis has to identify implicit reliabilities in current codes in addition to carrying out the probabilistic design or code calibration in question.

The problem with using the tabulated values, see Table 1, is that the calculated value of the reliability index is a function of the analysis methods used and the distribution assumptions. Therefore, one should not directly compare reliability indices as obtained from different models and sources.

Table 1. Annual target probabilities (and target β_T) from DNV Classification Note 30.6.

                                                   Consequence of failure
Class of failure                                   Less serious                Serious
I – Redundant structure                            P_F = 10^-3, β_T = 3.09     P_F = 10^-4, β_T = 3.71
II – Significant warning before the occurrence     P_F = 10^-4, β_T = 3.71     P_F = 10^-5, β_T = 4.26
     of failure in a non-redundant structure
III – No warning before the occurrence of          P_F = 10^-5, β_T = 4.26     P_F = 10^-6, β_T = 4.75
     failure in a non-redundant structure

A calculation of β_calculated and β_target (β = −Φ⁻¹(P_F), where Φ is the standard normal distribution function and P_F is the failure probability) should be based on similar assumptions about distributions, statistical and model uncertainties. It is thus understood that β_calculated ≥ β_target is not considered to be unique when using different distribution assumptions and computational procedures. The value of the target reliability level may be dependent on how the reliability is calculated. Generally, structural reliability analysis is based on a Bayesian interpretation of the probability concept, and the tradition by most practitioners is to include epistemic uncertainties in the models. Such uncertainties are not properties of the structures, but of our knowledge, and will also result in probability estimates that are not reflected in a frequency interpretation.

It should also be noted that the industry is in a transition period from experience based to risk based design codes. As the physical models describing the failure mechanisms are improved and more calibration studies are carried out, the knowledge of implicit target reliabilities in existing codes will be improved. Today the inherent target level is not precisely known in many cases, or it can hardly be presented without a number of assumptions used for its calculation, due to lack of precise knowledge of physical models or lack of data. Furthermore, the reliability models are updated from time to time. If an author claims that the implicit target reliability in a specific code is β_target, this will relate to the models used. Another model, refined during the years, would give a different β_target.

Owing to the dependence on the assumptions and analysis models used for reliability analysis, the word “reliabilities” in a frequency interpretation of observed structural failures cannot be used in a narrow sense. Due to the unknown deviations from ideal predictions, the computed failure probabilities are often referred to as nominal failure probabilities. This is due to the recognition that it is difficult to determine the absolute value of the inherent safety in e.g. design codes by reliability analyses. The requirements to absolute reliability levels may be avoided by performing the analysis on a relative basis, i.e. a similar model and distributions are used for the calculation of β_target as for β_calculated. By relating the reliability analysis to relative values it may be possible to use probabilistic analysis for design without a specific requirement to an absolute target reliability level. Such considerations are included in many documents. For the sake of exemplification the first NPD regulations accepting probabilistic analysis are quoted: “The design may be based on a more complete probabilistic analysis, provided it can be documented that the method is theoretically suitable, and that it provides adequate safety in typical, familiar cases.” Reference is made to NPD (1994).

1.2 Risk acceptance criteria in FSA

In the same way as structural reliability analysis has two distinct types of uses, either as a basis for design codes or for use in risk based (probabilistic) design, risk assessment is also used in two different ways. The risk assessment is either a basis for approving individual objects (e.g. structures, platforms, and plants) or a basis for deciding on implementing risk-reducing measures for a class of objects (e.g. cars and ships). For example, in the offshore or nuclear sectors, risk assessment of the individual platforms or plants is on a licence by licence basis, whilst in shipping risk assessment is used to make decisions about all ships or all ships of a particular type, e.g. bulk carrier, tanker, or passenger vessel. The terms used for the two uses are risk based design and risk based rules or regulations.

The methods for defining acceptable risk are in practice quite different. For safety issues, both individual and societal risks are considered and risks are divided into three categories. Risks are intolerable, negligible or in the ALARP region. Intolerable risks must be reduced irrespective of costs, or a licence to operate will not be given or will be withdrawn, for new or existing structures, respectively. Negligible risks are accepted, and it is accepted that no further assessment is required. Risks that are in the ALARP region need to be reduced until further risk reduction cannot be achieved unless excessive costs are involved. A decision is therefore based on the cost effectiveness of the risk reducing measure.

Figure 1 and Figure 2 are examples of individual and societal risks representing some ship types (Skjong and Eknes, 2000). The situation that most ship types are in the ALARP region may be expected to be true also for other existing objects (e.g. plants, platforms, and structures), as it should be expected that regulators have acted on intolerable risk.

Based on the considerations above it may be expected that in most cases the risk acceptance criteria of importance (dimensioning) will be the criteria based on cost effectiveness.

[Figure 1: bar chart of annual individual risk (log scale, 1.00E-07 to 1.00E-02) for Oil Tanker, Chemical Tanker, Oil/Chemical Tanker, Gas Tanker, Bulk/Oil Carrier, Bulk Carrier (incl. Ore), Container Vessel, General Cargo Carrier and Ro/Ro Cargo Carrier, against the bands Intolerable Risk, ALARP and Negligible Risk]

Figure 1. Individual fatality risk (annual) for crew of different ship types, shown together with a proposed individual risk evaluation criterion.

2 METHODS FOR DERIVING CRITERIA

The type of risk criteria proposed above may define a range within which the risks should be reduced ALARP. Cost effectiveness assessment is recommended for use in selecting reasonably practicable measures.

2.1 Human capital method

Cost benefit assessment is discredited by its earlier uses by economists. In the human capital approach, some economists found the “value of life” by estimating the value of man as a resource in an economic activity. The view was pursued in e.g. Rice (1966) and Lave and Seskin (1970). This approach conflicts with ethical traditions. Most ethical systems would regard the wellbeing of man as the purpose of economic activity¹ rather than regarding man as a resource for use in economic activity. Early use of cost benefit assessment led to such bizarre results that a child was worth next to nothing, because of the “low opportunity cost of replacement”. The resulting acceptance criteria are given for some countries in Figure 5.

2.2 Well informed decisions

Cost effectiveness assessment presents a ratio of costs to benefits, and avoids putting a value to the benefit (e.g. life saved). The value judgment is left to the decision-maker when deciding which risk control options to implement. Sometimes such decisions are made by the responsible regulatory body, based on risk and cost effectiveness studies. After a decision is made on which risk control options to implement and not implement, the criterion is revealed and may be used in later studies. Such a judgment was made at IMO by the Marine Safety Committee when deciding which risk control options to implement from the Formal Safety Assessment studies carried out for bulk carriers. The criterion used was $3 m to avert a fatality.

2.3 Comparing to previous decisions

Society spends large sums (some 20% of Gross Domestic Product in some countries) on safety (including the health sector). Such use of resources cannot be justified in order to optimize economic production (the human capital approach). However, resources are limited and society needs to put some limit to how much resources could be used for safety, and thus a cost effectiveness criterion may be proposed.

The valuation of fatality risks is a critical step in this process, and modern risk assessment practice is to highlight this issue by expressing the results in the form of a Gross Cost of Averting a Fatality (GCAF) if a risk control option were to be adopted, i.e. by cost effectiveness assessment.

(1)

ΔCost is the marginal (additional) cost of the risk control option, whilst ΔRisk is the reduced risk in terms of fatalities averted. If the regulators could avoid implementing risk control options with high GCAFs and implement those with low GCAFs, more lives would be saved for the same budget (condition of Pareto optimality), see e.g. Tengs et al. (1995), Ramberg and Sjøberg (1997).

An alternative cost-effectiveness measure is given by the Net Cost of Averting a Fatality (NCAF), where the economic benefits of the investigated RCOs are accounted for. Economic benefits (or risk reduction) may also include the economic value of reduced pollution. The consequence of pollution may be established from clean-up costs or by comparing to previous decisions. For example, the OPA 90 regulations represent a cost of $10,000 per barrel of oil pollution averted (see Lloyds List May 18th 2001).

(2)

¹ e.g. the “Homo Mensura” sentence was formulated by Protagoras (485–415 BC).

[Figure 2: FN curves, frequency of N or more fatalities (per ship year, 1.0E-06 to 1.0E-02) against fatalities N (1 to 100) for oil tankers, chemical tankers, oil/chemical tankers and gas tankers, against the bands Negligible, ALARP and Intolerable]

Figure 2. FN curves for different tankers, shown together with established risk evaluation curves. Data are from 1978 to 1998, from Lloyds Maritime Information System. The method for deriving the risk criteria is from Skjong and Eknes (2001, 2002).
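The screening the text describes, as an added example that is not part of the paper: GCAF as the marginal cost divided by the fatalities averted, NCAF with the RCO's economic benefits (including oil pollution averted at the $10,000 per barrel figure quoted above) subtracted from that cost, and the $3 m criterion from Section 2.2 applied. The RCO names and figures are constructed for illustration.

```python
"""GCAF/NCAF screening of risk control options (RCOs) against a cost-effectiveness criterion.

Added example, not from the paper. The RCO names and figures are constructed;
the $3 m NCAF criterion and the $10,000 per barrel pollution value are the
ones quoted in the text.
"""
from dataclasses import dataclass

NCAF_CRITERION_USD = 3.0e6           # criterion used by IMO for bulk carriers
POLLUTION_VALUE_PER_BARREL = 10_000  # OPA 90 implied cost per barrel averted


@dataclass(frozen=True)
class RCO:
    name: str
    delta_cost: float              # marginal (additional) cost of the option, US$
    fatalities_averted: float      # delta risk, statistical fatalities averted
    economic_benefit: float = 0.0  # e.g. avoided damage or downtime, US$
    barrels_averted: float = 0.0   # oil pollution averted, barrels


def gcaf(rco):
    """Gross cost of averting a fatality: delta cost / delta risk."""
    if rco.fatalities_averted <= 0:
        return float("inf")  # no lives saved: not cost-effective at any price
    return rco.delta_cost / rco.fatalities_averted


def economic_benefit(rco):
    """Total monetised benefit, with pollution valued per barrel averted."""
    return rco.economic_benefit + rco.barrels_averted * POLLUTION_VALUE_PER_BARREL


def ncaf(rco):
    """Net cost of averting a fatality: benefits are subtracted from the cost.
    A negative NCAF means the option pays for itself (cf. Table 4)."""
    if rco.fatalities_averted <= 0:
        return float("inf")
    return (rco.delta_cost - economic_benefit(rco)) / rco.fatalities_averted


def recommended(rcos, criterion=NCAF_CRITERION_USD):
    """Names of the RCOs that pass the criterion, i.e. NCAF <= criterion."""
    return [r.name for r in rcos if ncaf(r) <= criterion]


def ranked_by_ncaf(rcos):
    """Names in order of increasing NCAF: the order in which a regulator with a
    fixed budget should take them up to save the most lives (the Pareto argument)."""
    return [r.name for r in sorted(rcos, key=ncaf)]


# Constructed sample RCOs for a bulk carrier fleet; numbers are illustrative only.
SAMPLE_RCOS = [
    RCO("water-ingress alarms", delta_cost=4.0e6, fatalities_averted=2.5),
    RCO("double-side skin", delta_cost=60.0e6, fatalities_averted=6.0,
        economic_benefit=5.0e6, barrels_averted=2_000),
    RCO("coating upgrade", delta_cost=9.0e6, fatalities_averted=1.0,
        economic_benefit=12.0e6),
    RCO("stronger hatch covers", delta_cost=25.0e6, fatalities_averted=3.0),
]

if __name__ == "__main__":
    for r in SAMPLE_RCOS:
        print(f"{r.name:22s} GCAF = ${gcaf(r) / 1e6:6.2f} m  NCAF = ${ncaf(r) / 1e6:6.2f} m")
    print("recommended:", recommended(SAMPLE_RCOS))
    print("ranked by NCAF:", ranked_by_ncaf(SAMPLE_RCOS))
```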

Large studies have revealed large inconsistencies in safety policy. The most well known and largest study is that of Tengs et al. (1995), carried out in the US. Table 2 presents the average values. These figures represent willingness to pay in actual decisions. Assuming that a fatality corresponds to 35 lost life-years, the median value corresponds to $1.47 m. By reallocating resources and implementing only the most cost effective measures, but allocating the same total budget, some 40,000 additional lives could be saved annually in the US.

2.4 Social indicators

It is also possible to derive evaluation criteria expressed as NCAF from compound aggregated social indicators, see UNDP (1990) and Lind (1996), Skjong and Ronold (1998, 2002), Ditlevsen (2003). The Life Quality Index criterion for acceptable risk implies that an option is preferred or accepted as long as the change in the Life Quality Index owing to the implementation of the option is positive. The Life Quality Index contains such indicators as GDP/capita and life expectancy at birth. As a risk control option changes these two, an optimum acceptable NCAF may be derived, and as GDP and life expectancy vary between countries there are variations in the evaluation criteria. Within OECD member countries with sustained memberships (representing some 95% of the global GDP), the variation is not very large, see Figure 3.

Based on the above, a NCAF criterion of $3 m may be proposed for use for international regulations, in cases where fatalities, in addition to representing fatality risk, also represent an indicator of the risk of injuries and ill health. The NCAF criterion may be updated every year according to the average risk free rate of return (some 5%), or if data is available by use of the formula derived from societal indicators, see Skjong and Ronold (1998, 2002). Higher values may be justified for risks that are just tolerable.

Table 2. Results from Tengs et al. (1995), “Five hundred life-saving interventions and their cost effectiveness”.

Number of measures studied          587
Range of cost effectiveness         Negative to $10 billion/life year saved
Median value                        $42,000/life year
Median for medical interventions    $19,000/life year
Median for injury prevention        $48,000/life year
Median for toxic control            $2.8 million/life year

[Figure 3: bar chart, CAF for OECD countries ($ million, 0 to 4.5), one bar per OECD member country (Australia to United States) plus the OECD average]

Figure 3. Acceptance criterion in terms of cost of averting a fatality for OECD member countries. Data are for 1999, from Skjong and Ronold (2002).

From the ideas presented, it should be evident that rational arguments exist for using specific criteria for cost effectiveness. Still, in practice it may be difficult to argue against proposals for increasing the safety of structures if a hazard is identified that may be avoided by increasing the structural dimension.

2.5 Voluntary measures

It is well known from the research literature over many years that there is a relationship between purchasing power and life expectancy. The life expectancy increases with increasing purchasing power. This effect is well known from demographic studies, and most people have probably seen results from such studies comparing, for example, east and west in their own hometown. The effect exists despite the fact that the same safety regulations and health services are offered regardless of purchasing power. If a causal effect can be established the result is interesting, because it would then indicate that individuals will be safer without any safety regulations if their purchasing power increases. As the implementation of mandatory safety regulations also implies expenses, there will be a limit to the cost effectiveness of such expenses at which decisions by individuals are more cost effective. It may therefore be stated that a mandatory regulation that is less cost effective actually has a net negative result (net killers).

In the same way as the NCAF value derived from the societal indicators indicates how much a regulator should spend on life saving interventions, the NCAF value derived from voluntary investment in safety should be regarded as an upper limit for implementing safety measures.

Keeney (1990) formalized this idea, and Lutter and Morrall (1994) and Lutter et al. (1999) formulated a theoretical relationship for linking mortality and income. To derive this relationship, a model was established by which individuals reduce their risk of death through self-protective measures and increase their risk of death with increases in risky behaviour such as smoking, consumption of alcohol and overweight. A causal relation was established with 99% confidence and the question of whether good health results in high income or vice versa was given an answer. Keeney (1994) also discusses a number of practical and ethical implications.

Figure 4, from Skjong and Ronold (2002), shows the global relationship between life expectancy and purchasing power using 190 data-points (countries) from CIA (2001). Among a number of tested functions, the following function was found to honour the data the best:

(3)

in which e is the life expectancy at birth and p is the annual purchasing power (in $US/year). The coefficients of the best fit to the data are a = 7.1874, b = 371.5 and c = 6.2075.

The derivative of the function is

(4)

Again, consider the prevention of one fatality. As in Skjong and Ronold (1998, 2002) it is assumed that the number of years saved by averting one fatality in a population is Δe = e/2. To “buy” this additional number of life years requires an increase in annual purchasing power per capita

(5)

With a duration of one life expectancy, the implication of this is that the net cost of averting a fatality by voluntary investment is

(6)

A country like India is at $2,200 annual purchasing power (CIA, 2001), corresponding to NCAF(Voluntary) = $0.46 m. The number estimated by Hahn et al. (2000), based on data from Pritchett and Summers (1996), for averting a child mortality in India is $0.3 million. As previously indicated the methods are different, but the results are similar and within the variability range in Figure 4. However, it should be noted that a child fatality should count as the loss of e and not e/2, which is used herein to represent the loss associated with an arbitrary accidental fatality.

For a wealthy country like the US, Lutter et al. (1999) derive a NCAF(Voluntary) of $15 m (with an uncertainty range between $10 m and $50 m). Keeney (1990) derives a value of $7.5 m. These calculations were in 1980 dollars, and convert to $12.71 m in 1999 dollars by assuming a 3% annual inflation rate. Keeney’s results were based on a regression model for annual mortality data in the US. The basic idea of Keeney’s model is therefore similar to that of the global regression model suggested by Skjong and Ronold (2002). With a purchasing power of $36,200 (CIA, 2001) the formula in Eq. (6) gives $16.6 m. It appears that the indications from the different types of data and models give similar results. All models should be taken as indicative. More detailed studies would be required to arrive at criteria for use in any specific country.

[Figure 4: scatter plot of life expectancy (0 to 90 years) against annual purchasing power (0 to 40000 US$) with the fitted curve]

Figure 4. Life expectancy (years) as a function of annual purchasing power (US$). The data represent 190 countries.
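The chain from Eq. (3) to Eq. (6) carried through numerically, as an added example that is not the paper's own code. Eqs. (3) to (6) are not reproduced on this page, so the functional form e = a·ln(p − b) + c is an assumption; with the coefficients quoted in the text it reproduces both values the paper gives, $0.46 m for India at $2,200 and $16.6 m for the US at $36,200.

```python
"""Net cost of averting a fatality by voluntary spending, following Section 2.5.

Added worked example, not from the paper. Eq. (3) is not reproduced on the
page; the logarithmic fit e = a*ln(p - b) + c is ASSUMED here because, with
the paper's coefficients, it reproduces both values the text quotes
($0.46 m for India at p = $2,200 and $16.6 m for the US at p = $36,200).
"""
import math

# Coefficients of the best fit quoted in the text (Skjong and Ronold, 2002).
A, B, C = 7.1874, 371.5, 6.2075


def life_expectancy(p, a=A, b=B, c=C):
    """Assumed form of Eq. (3): life expectancy at birth e as a function of
    annual purchasing power p (US$/year). Only defined for p > b."""
    if p <= b:
        raise ValueError("purchasing power must exceed b for the fit to be defined")
    return a * math.log(p - b) + c


def d_life_expectancy_dp(p, a=A, b=B):
    """Eq. (4) under the assumed form: de/dp = a / (p - b)."""
    if p <= b:
        raise ValueError("purchasing power must exceed b for the fit to be defined")
    return a / (p - b)


def purchasing_power_increase(p):
    """Eq. (5): the annual increase in purchasing power per capita needed to
    'buy' delta_e = e/2 life years, i.e. delta_p = (e/2) / (de/dp)."""
    e = life_expectancy(p)
    return (e / 2.0) / d_life_expectancy_dp(p)


def ncaf_voluntary(p):
    """Eq. (6): paying delta_p every year over one life expectancy e gives
    NCAF(Voluntary) = e * delta_p, in US$."""
    return life_expectancy(p) * purchasing_power_increase(p)


def numeric_derivative(p, h=1e-3):
    """Central difference, used to cross-check the analytic derivative of Eq. (4)."""
    return (life_expectancy(p + h) - life_expectancy(p - h)) / (2 * h)


if __name__ == "__main__":
    # Purchasing power figures are the CIA (2001) values quoted in the text.
    for country, p in (("India", 2_200), ("United States", 36_200)):
        print(f"{country}: e = {life_expectancy(p):.1f} years, "
              f"NCAF(Voluntary) = ${ncaf_voluntary(p) / 1e6:.2f} m")
```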

In Figure 5, the results for all OECD member countries are presented. For illustration the acceptance criteria from the human capital approach, indicated as ge/2, are plotted together with the results from the LQI (a willingness-to-pay approach) and the limiting NCAF(Voluntary). In this way a recommended criterion is proposed together with a lower and an upper limit.

2.6 Some criteria used by regulatory bodies

Table 3 gives values of GCAF used by some authorities. It is seen that the criteria are similar to those derived by the LQI approach.

3 DISCUSSION

It is seen that the techniques used to derive risk acceptance criteria give similar results. Within the OECD countries, excluding a few new members, the cost of averting a statistical fatality is at about $1.5–3.0 m. In a risk assessment, where the question is about implementing or not implementing a safety measure, the uncertainty in the criteria is not very important. A risk analysis will in most cases end up with risk control options with cost effectiveness clearly above or below the criteria. Some knowledge of the criteria will therefore be sufficient input to accepting or rejecting a specific proposed risk control option.

[Figure 5: bar chart, $US million (0 to 18), three columns per OECD member country (Australia to United States) and for the OECD average]

Figure 5. The net cost of averting fatality criteria for OECD member countries. The left columns would be defendable by purely economic considerations, the middle columns represent the societal value (derived from the societal indicators), the right columns represent the limit where no regulation should be implemented as individuals would use the resources better on life saving. The OECD average numbers are $0.76 m, $2.65 m and $8.93 m. The factor differences are 3.50 and 3.33.

Table 3. Published GCAFs in use as evaluation criteria.

Organization                                  Subject                GCAF                                       Source
US Federal Highway Admin.                     Road transport         $2.5 m (£1.6 m)                            FHWA (1994)
UK Department of Transport                    Road transport         £1.0 m (1998, up-rated with GDP/capita)    DETR (1998)
UK Health & Safety Executive                  Industrial safety      As above or higher                         HSE (1999)
Railtrack (UK rail infrastructure controller) Overground railways    As above to £2.65 m                        Railtrack (1998)
London Underground Ltd                        Underground railways   £2 m                                       Rose (1994)
EU                                            Road transport         €1 m ($1 m)                                Evans (1998)
Norway                                        All hazards            NOK 10 m ($1.4 m)                          Norway (1996)

In SRA most design variables are continuous, and the exact number used will have a direct influence on the resulting structural design. However, the few studies that have been performed, see Skjong and Bitner-Gregersen (2002) and Table 4, do not indicate any dramatic effect, and in practice the uncertainty in the calculations may be larger than that in the acceptance criteria.

The advantage of using the marginal safety return as a criterion relates more to the consistency between normal risk assessment practice and structural reliability analysis, as the same criteria may be used in both cases.

Furthermore, structural reliability analysis is based on Bayesian probabilities. Probabilities are thus properties of our knowledge of the structure and the loads it is subjected to. To use acceptance criteria that are based on a frequency interpretation of probabilities is therefore discomforting. It is actually more satisfactory to use the NCAF criterion, because only information relating to relative changes in the probabilities as a function of design parameters is used in the decision process.

The paper suggests that the human capital approach is used to define a lower limit, the life quality index represents a recommended value and the cost effectiveness of voluntary measures represents an upper limit for the cost of averting fatalities. The three criteria could be referred to as “life for $”, “$ for life” and “life for life”, respectively.

ACKNOWLEDGEMENT

The work reported in this paper has been carried out under the DNV strategic research programmes. The opinions expressed are those of the author and should not be construed to represent the views of DNV.

REFERENCES

CIA (2001) US Central Intelligence Agency, “The World Fact Book, 2001”.

DETR (1998) “1998 Valuation of the Benefits of Prevention of Road Accidents and Casualties”, Highways Economics Note No 1: 1998, Department of the Environment, Transport and the Regions. www.roads.detr.gov.uk/road-safety/hen198/index.htm.

Ditlevsen, O (2003) “Decision Modeling and acceptance criteria”, Structural Safety 25, 165–191.

DNV (1992) Classification Note 30.6 “Structural Reliability Analysis of Marine Structures”.

Evans (1998) “Automatic train protection and the valuation of statistical life”. ESRA Newsletter, January 1998.

FHWA (1994) “Motor Vehicle Accident Costs”, US Federal Highway Administration, Technical Advisory T7570.2, 1994. www.fhwa.dot.gov/legsregs/directives/techadvs/t75702.htm.

Hahn, RW, RW Lutter and WK Viscusi (2000) “Do Federal Regulations Reduce Mortality”, AEI – Brookings Joint Center for Regulatory Studies.

HSE (1999) “Reducing Risks, Protecting People”. Discussion document, Health & Safety Executive.

Keeney, RL (1990) “Mortality Risks Induced by Economic Expenditures”, Risk Analysis, Vol 10, No. 1, 1990, pp 147–159.

Keeney, RL (1994) “Mortality Risks Induced by the Cost of Regulations”, Journal of Risk and Uncertainty, Vol. 8, 95–110.

Keeney, RL (1997) “Estimating Fatality Induced by Economic Costs of Regulations”, Journal of Risk and Uncertainty, Vol. 14, 5–23.

Lave, L and EP Seskin (1970) “Air pollution and human health”, Science, 109, 723–732, August 1970.

Lind, NC (1996) “Safety Principles and Safety Culture”, Proceedings, 3rd International Summit on Safety at Sea, conference organized by the Norwegian Petroleum Society, Oslo, Norway.

Lutter, R and JF Morrall III (1994) “Health-Health Analysis: A New Way to Evaluate Health and Safety Regulations”, Journal of Risk and Uncertainty, Vol. 8, pp 43–66.

Lutter, R, JF Morrall III and WK Viscusi (1999) “The Cost-per-Life-Saved Cutoff for Safety-Enhancing Regulations”, Economic Inquiry 37 (4): 599–608.

Norway (1996) Stortingsproposisjon No 1 1996–97 (in Norwegian).

NPD (1994) “Regulations Relating to Load Bearing Structures in the Petroleum Activities”, Norwegian Petroleum Directorate.

Pritchett, L and L Summers (1996) “Wealthier is Healthier”, Journal of Human Resources 31 (4): 840–68.

Railtrack (1998) “Railway Group Safety Plan 1998–99”, Safety & Standards Directorate, Railtrack, London.

Ramberg, JAL and L Sjøberg (1997) “The Cost-Effectiveness of Lifesaving Interventions in Sweden”, Risk Analysis, Vol 17, No 4, 1997.

Rice, D (1966) “Estimating the cost of illness”, US Department of Health and Welfare, Public Health Service, Home Economics Series, No. 6 (May, 1966).

Rose, J (1994) “Risk Assessment – To Quantify or Not to Quantify? Is that the Question?” Conference on Practically Implementing Safety Case Regulations in the Transport Industry, IBC, London, March 1994.

Skjong, R, E Bitner-Gregersen, E Cramer, A Croker, Ø Hagen, G Korneliussen, S Lacasse, I Lotsberg, F Nadim and KO Ronold (1996) “Guidelines for Offshore Structural Reliability Analysis – General”.

Skjong, R and ML Eknes (2000) “Decision Parameters including Risk Acceptance Criteria”. Available as IMO MSC 72/16 submitted by Norway. http://research/dnv.com/skj.

Table 4. GCAF/NCAF in US$ m for increases of the reliability index β (midship bending moment capacity).

β              Flat bar        L-profile
2.5→3.09       0.402/−2.80     0.133/−3.07
3.09→3.50      1.76/−1.74      2.55/−0.645
3.50→3.72      4.44/1.24       10.3/7.13

Skjong, R and ML Eknes (2001) “Economic activity and societal risk acceptance”, ESREL 2001, 16th–20th September, 2001, Turin, Italy.

Skjong, R and ML Eknes (2002) “Societal Risk and Societal Benefits”, Risk Decision and Policy (2002), vol 7, pp 1–11, published by Cambridge University Press 2002.

Skjong, R and KO Ronold (1998) “Societal Indicators and Risk Acceptance”, Offshore Mechanics and Arctic Engineering Conference, OMAE 1998.

Skjong, R and K Ronold (2002) “So much for Safety”, OMAE-2002-28451, Oslo, June 2002.

Skjong, R and E Bitner-Gregersen (2002) “Cost Effectiveness of Hull Girder Safety”, OMAE 2002-28494.

Tengs, T et al. (1995) “Five hundred life-saving interventions and their cost effectiveness”, Risk Analysis, Vol. 15, 369–391.

UNDP (1990) United Nations Development Programme, “Human Development Report”, Oxford University Press, 1990.


Risk assessment of passenger vessels

H. Soma, S. Haugen & B. Øygarden
Safetec Nordic AS, Norway

ABSTRACT: Some severe capsize and fire accidents have taken place with passenger vessels in the latest years. The objective in this paper is to describe the issues that must be addressed in a Quantitative Risk Assessment (QRA) for passenger vessels and some of the required development tools. Further, IMO has launched the concept of Formal Safety Assessment (FSA), and the usefulness and possible shortcomings of FSA as compared to a QRA are evaluated. The conclusion is that a QRA is a powerful tool in enhancing passenger ship safety, while a FSA has a limited potential, mainly because it is not applied on a concrete ship.

1 INTRODUCTION

Some severe capsize and fire accidents have taken place with passenger vessels in the latest years, as referred to in Table 1.

The accidents have demonstrated a clear need for improvements, and highlighted deficiencies inherent in the safety regime in force.

The regulatory regime for passenger vessels is based upon international co-operation in IMO. The regulation requirements are prescriptive and very detailed. The development is based on re-use of proven solutions and technologies and has been influenced by ad-hoc solutions after accidents.

In several industries Quantitative Risk Assessment (QRA) has proven a powerful tool in enhancing safety. It may be mentioned that in the late 60s, IMO issued Res. A265 (the equivalent) for passenger vessels, based upon a probabilistic method. Collision damages were statistically predicted based on accidents that had occurred. At that time IMO was a forerunner in the field of risk analysis. However, A265 was an alternative to the prescriptive regulations in force, and the ship owners stuck to the legislative regime they were familiar with. Hence Res. A265 was never really implemented in practical ship design, and the scene of risk assessment was dominated by the nuclear and process industries.

2 OBJECTIVE

The objective of this paper is to describe how a QRA for passenger vessels can be performed and the tools required for making it. Further, IMO has launched the concept of Formal Safety Assessment (FSA), and the usefulness and possible shortcomings of FSA as compared to a QRA are evaluated.

3 QRA AND FSA METHODOLOGIES

In a QRA a specific passenger vessel, which operates in a specific environment, is analyzed.

In a FSA as proposed by IMO, the risk assessment is used as a tool for development of rules and regulations for a generic ship in a representative environment, based on cost–benefit analyses. The “generic ship” is defined in order to represent a selected ship group with common properties, e.g. ro-ro ferries. The FSA is quantitative, and might as well have been classified as “a QRA for a generic ship operating in a representative environment”. Hence, the principal difference between a QRA and a FSA is that a QRA is performed for a specific ship in its real environment, while a FSA is performed on a generic ship in a representative environment. Except for this difference, the basic methodology is similar for a QRA and a FSA. However, it may only be meaningful to define a generic ship at a relatively coarse level of detail. Otherwise there will be severe differences between the “generic ship” and most ships it is intended to represent. This difference in specification level as compared to a “real ship” in a QRA introduces methodological differences as well.

Table 1. Accidents with passenger vessels.

Ship                        Date          Accident                    Fatalities
Herald of Free Enterprise   March 1987    Rapid capsize, high list    193
Scandinavian Star           April 1990    Fire, toxic smoke           158
Moby Prince                 April 1991    Fire                        140
Estonia                     Sept. 1994    Rapid capsize, high list    852
Express Samina              1999          Grounding and capsize       83

The main steps in a QRA and FSA are:

– Hazard identification
– Cause and frequency analysis
– Consequence analyses
– Risk calculation and evaluation
– Evaluation of preventive and mitigating measures

In the following, the execution of the above steps in a QRA is explained. Most of these steps will be similar, or even identical, in a FSA, but there will be some important differences. At the end of each section, the differences as compared to a FSA are therefore explained and commented.

4 HAZARD IDENTIFICATION

In the offshore industry, the Hazard Identification (HAZID) method has proven a powerful tool in identifying hazards. In a meeting where specialists on different topics participate, a set of predefined control words is systematically applied on each area of the installation being analyzed, in order to identify hazards. When a hazard is identified, it will be subject to further analyses as part of the QRA process.

It is evident from the accident statistics for passenger vessels that flooding events and fires represent the main high level hazards.

Flooding events include collisions, groundings, flooding through openings not properly closed, or flooding through damage caused by structural failure. In the HAZID, these hazards may be evaluated in some detail. For each relevant ship area, potential causes of flooding will be identified, together with the potential for progressive flooding. It may, for example, be questioned what the effects of a possible rupture of pipes in a collision may be.

With respect to fire, the amount of flammable material, ignition temperatures, possible ignition sources, ventilation conditions that may worsen the fire, etc., will be evaluated in the relevant areas.

Hazard identification will be performed both in a QRA and a FSA. However, the “generic” ship in the FSA will only be defined at a relatively coarse level. At a more detailed level, there will also be major differences between the individual ships belonging to the “generic” group. HAZID has proved a very successful activity in offshore projects, provided the object being analyzed is concrete and sufficiently defined. It may easily be foreseen that a HAZID performed on a “generic” vessel will suffer from several deficiencies.

5 CAUSE ANALYSES

The cause analysis focuses upon the possible causes of, for example, flooding and fire. In some cases it may be possible to prevent accidents by implementing measures on the specific vessel. The bow port on Estonia could, for example, have been prevented from falling off and causing flooding of the deck. However, it is only to a limited extent possible to prevent collisions by implementing measures on a specific vessel. In these cases the focus has to be put on mitigation in order to control risks.

Based on the HAZID and cause analyses, accident scenarios should be established. These scenarios must be sufficiently defined to facilitate a consistent assessment of the potential consequences. The probability of initial fire events may be based upon accident statistics.

With respect to collisions and similar accidents, frequencies may also be established based on generic accident data. However, theoretical models have also been developed. In large parts of the North Sea, ship lanes have been mapped and the sizes and types of vessels operating in each lane have been recorded. These data are used to predict the collision frequencies for offshore installations.

The models used for prediction of ship-to-ship collisions may also account for the ship course and size distributions in the area. Ship owners may, however, hesitate to design a ship for a particular area, and for this reason they may tend to assume “worst case” traffic data, to retain the flexibility to operate the ship in other areas.

It is reasonable to assume that the likelihood of fire events taking place is independent of the weather conditions and the time of day. Hence, the conditional probability that a ship evacuation due to fire takes place in severe weather may be assumed to equal the probability of severe weather occurring.

Collision events, however, are most likely to take place in weather conditions with reduced visibility, e.g. in “calm” weather with dense fog during the night. Some flooding events are, however, strongly correlated with bad weather (ref. Estonia). It is important that the correlations between accident frequencies and weather conditions are established and documented in order to make consistent analyses within the QRA.

The above described approach will be similar for a QRA and a FSA. However, it will not be meaningful to address detailed issues in a FSA.


6 CONSEQUENCE ANALYSES

6.1 Flooding

In the specific regulations, it is a requirement that a ship shall survive certain damage conditions. According to “the Equivalent”, which in general is stringent as compared to the SOLAS requirements, a ship with less than 600 POB shall survive any damage between bulkheads. A ship with at least 1200 POB shall survive damage to any bulkhead.

In a QRA, the focus will be upon the potential loss of lives. Hence, it is a key issue whether a ship keeps afloat for sufficient time for evacuation to take place. If a ship sinks due to progressive flooding over hours, like Titanic, most people will survive in normal cases (with enough lifeboats). On the other hand, a rapid capsize during an intermediate stage of flooding will cause heavy loss of lives (ref. Estonia and Herald of Free Enterprise).

IMO has presented a comprehensive data basis for “the Equivalent”. Based on recorded collision damages on ships, probability distributions with respect to length and penetration of damages were established, together with a theoretical framework for assigning conditional probabilities to different damages.

In Table 2, it is shown that the “Equivalent” is a powerful tool for assessing damage probabilities for a ship being rammed by another vessel. In the examples it is assumed that a ship is subdivided into 10, respectively 5, watertight compartments by evenly spaced transverse bulkheads.

The first line in Table 2 is applicable for a ship which is subdivided into 10 compartments of equal length. Based on formulas in “the Equivalent”, the probability of damage between two specific adjacent bulkheads has been assessed at 0.038. The total probability of (the 10 cases with) damage between bulkheads sums up to 0.38, as shown in the table. Therefore, given a collision, the probability that the damage will be more severe and include damage to one or more bulkheads is 1.0 − 0.38 = 0.62. Hence, if the ship is designed to survive damage between bulkheads only, the probability of a more severe damage will be 0.62. The last line in the table shows that if the distance between bulkheads is doubled, it becomes, as expected, more likely that damage may occur in between bulkheads. Note that “the Equivalent” includes an adjustment to account for the fact that damages are more likely to occur in the forward part of the ship. This adjustment is not accounted for in the above presentation.

Table 2 also gives an indication that collision damages are relatively likely to exceed the requirements in the regulations in force. For this reason it is even more important to address the possibility people have to survive flooding accidents in which the ship sinks.

As an alternative or supplement to “the Equivalent”, collision scenarios may be established and the sizes of damages may be predicted by use of finite element programs which account for large deformations.

The time development of the flooding process is mainly a function of the size of the “hole” and its submergence. The amount of flooding water depends upon the size of the compartment being flooded, as well as on possible progressive flooding through openings that may become submerged during the process.

Due to the free surface effect, a small amount of water may cause a ship to capsize at an early flooding stage. In a QRA, the potential for this failure must be given much attention. For Estonia, a relatively small amount of water that could shift from side to side on the bulkhead deck caused the ship to lose its stability and capsize. In ship collision events, there may be potential for free surface effects on two or more decks, possibly causing the ship to capsize at an early flooding stage. These effects must be carefully evaluated.

The “Equivalent” provides a comprehensive and useful tool for assigning conditional probabilities to flooding cases.

The time development of the flooding process and the corresponding ship draught and inclination can be calculated with reasonable accuracy based on basic hydrodynamic equations.

The “Equivalent” is an example of a successful FSA activity relating to damage stability. A risk assessment was performed as the basis for the development of specific regulations. The “Equivalent” can of course form the basis for QRAs as well. Detailed evaluations, e.g. relating to the extent of flooding, may not be feasible within a FSA.

6.2 Fire

Fires are most likely to start in machinery rooms or in passenger sections. The main risk is that a fire may spread so fast that people are trapped. Several safety barriers are built into passenger vessels to prevent this from happening:

– Use of material with high ignition temperature.

– Sectionalizing by use of Passive Fire Protection (PFP).

– Closing of fire doors and ventilation shutdown to extinguish fire and prevent smoke spread.

– Fire alarms to notify people.

– Fire extinguishing systems. Sprinkler requirement on new ships.

Table 2. Damage probabilities.

Ship design,          Damage case                        Probability of
no. of compartments                                      damage case
10                    Damage between bulkheads           0.38
10                    Damage to one bulkhead or in       0.84
                      between bulkheads
5                     Damage between bulkheads           0.64

The safety barriers will prevent most fires from developing into disasters. However, unforeseen events together with failures or operational errors of the safety systems may cause severe fires to develop. The Scandinavian Star disaster is an example of this. Arson in combination with unforeseen operational errors and technical faults resulted in an extreme fire with 158 fatalities. The main reason for the disaster was extremely unfavorable ventilation conditions in some corridors, because a door between the passenger section and the car deck was left open. The fire spread like a “fire ball” in some corridors and through a few fire doors that failed to close, and in some places the propagation speed was so high that fire victims had difficulties running away.

What may be assumed is that there exists a large number of very unlikely combinations of events and failures that may develop into fire disasters. It may not be feasible to address all of them in a realistic way, and most of them may be so peculiar that most people would say they could never happen. As a hypothetical example, it may be claimed that if somebody had presented a fire scenario similar to what happened on Scandinavian Star as a basis for safety evaluations prior to the accident, he might not have been taken seriously. Hence, it is very important that creativity is exercised in the HAZID when fire risks are addressed, in order to identify critical scenarios.

Reliability calculations of safety systems are standard practice in offshore QRAs, and failures are probabilistically accounted for. Further, vulnerability analyses that focus on the possibility that safety systems may be damaged by the accident are performed. Such calculations should also be part of a passenger ship QRA. As it may not be meaningful to define representative safety systems in detail, these calculations may not be feasible within a FSA.

As soon as a concrete scenario is defined, a suitable fire development model together with a CFD code may be used to simulate the fire development and smoke spread. There exist several CFD codes, and some of them also include a fire model. As part of the Scandinavian Star investigation, such simulations were performed, and they showed good agreement with observations from the accident. The important results of the simulations are the time development of the fire and smoke spread, together with smoke concentration and visibility.

The described approach involves so many design details that a FSA may not be feasible.

6.3 Mustering

Mustering is defined as the process whereby passengers move towards their muster areas, which normally are near the lifeboats. Mustering is initiated with alarm and PA messages when the captain has decided that evacuation must be performed. There are several examples of delayed decision taking having contributed to loss of lives. Suitable measures for decision support, helping the captain to get an overview of the situation, are therefore important.

The external conditions that may complicate mustering are a possible static heel of the ship, its motion in waves, and smoke impact in case of fire. All these effects have contributed to heavy loss of lives in the recent accidents with passenger vessels.

In flooding accidents, it is important to account for escapeway impairment due to possible list. List makes walking and climbing stairs difficult, and reduces the capacity of escapeways. It may become difficult to open heavy doors in case of list. Loose items may slide towards the low side and further restrict escape. If the ship in addition should be moving due to wave impact in bad weather, evacuation may be even more difficult. Passengers inside the ship will be afraid of getting trapped inside a sinking and capsizing ship, and they will try to get up and out as fast as possible. A possible muster area inside the ship may not be used.

The impact of list and ship motion on the evacuation performance was investigated in the MEP Design project. To study passenger motion in corridors and stairs, TNO performed empirical studies by use of mockups of passenger cabin sections and a motion simulator (Bles, 2000). Volunteers who constituted a representative sample of the population participated, and they also had to find their way with guidance from different signposting concepts. A full scale mustering test was performed with the Danish passenger ship “Kronprins Fredrik” with about 600 passengers aboard.

The mustering simulation program EVAC was developed as part of the MEP Design project. Individuals, each with their distinct properties, constitute the basic entity. As the program performs Monte Carlo simulations, several variables are assigned values based on weighted draws from probability distributions. At least 15–20 replications of a simulation are required to produce statistically significant results.

In fire scenarios, escapeways may be impaired by dense smoke. In the Scandinavian Star disaster, a part of the passenger section became filled with dense smoke. The visibility in the smoke was down to 0.3 m. Some exit doors were located a short distance from the end of the corridors, and several evacuees lost their lives just inside the door because they did not find the door handle where they expected it. Others were trapped in a blind end. Most of the passengers who lost their lives were in their cabins, which they did not leave to enter the smoke filled corridors. The cabins were kept free from smoke for a long time, but when the ventilation system was shut off, as it should be according to the procedures, smoke penetrated into the cabins and intoxicated all the passengers who remained in their cabins. Passengers in other areas of the ship mustered without severe problems.

There exist a lot of empirical data on human behavior in fires. These data have been collected in questionnaires and interviews with fire victims. There are, for example, established probabilities that evacuees may turn back in smoke as a function of the visibility. Such behavior was important in the Scandinavian Star disaster, where several passengers remained in their cabins. Further, intoxication by smoke, usually by CO, represents the main hazard in fires. There exist sufficient data to calculate the time until incapacitation of resting or walking persons, as well as how long they may stay alive. In a validation project of evacuation programs, the two programs being tested (ASERI – German and Evacsim – Norwegian/French) were both able to represent the Scandinavian Star fire in a reasonably correct manner.

It is shown in this section that there exist a lot of empirical data with respect to mustering in case of fire or list on passenger ships. In addition, computer programs are available.

The mustering simulation requires a detailed topological description of the escapeway system, and is not feasible for a “generic” ship within a FSA.

6.4 Evacuation

Evacuation from the ship is usually performed by means of enclosed lifeboats. However, ships operating close to shore are allowed to substitute lifeboats with inflatable life rafts. In the UK, a study of lifeboat performance in real situations was performed, and it was shown that the historical success rate was low. Later on, lifeboat launch simulation programs as well as model tests of lifeboat evacuation have clearly confirmed lifeboats to be unsafe evacuation means unless the weather is good. The failure modes of lifeboat evacuation are:

– Difficulties in starting the launch on a possibly inclined ship.

– Collision with the ship side during descent, caused by lifeboat pendulum motion and ship motion in waves.

– Release of the lifeboat while it is still in the air.

– Release failure of lifeboat fall wires.

– Collision with the ship side due to wave impact after the lifeboat has become seaborne.

– Damages caused by obstructions on the ship side.

It is particularly collisions with the ship side that are of much concern. The passengers in the boat may be seriously injured by the impact, and the lifeboat may be damaged and subsequently flooded when seaborne.

The LBL lifeboat launch simulation program was originally developed for simulating launches from offshore installations, where there normally is considerable clearance between the installation structure and the lifeboat during descent. Despite this, in launches on the windward side in severe weather, high waves and wind may sweep the boat a long distance back and cause a collision with the installation. The program performs Monte Carlo simulations, and the time of commencement of the launch operation is the random parameter. A stochastic wave and wind model is applied. In the MEP Design project, LBL was amended to simulate launches from a rolling ship. In the same project, systematic model tests were carried out with launches of lifeboats from a ship model in a model basin.

The model tests as well as the LBL simulations showed that launch of lifeboats from a passenger vessel broadside to the oncoming sea was unsafe in 2–3 m wave conditions.

The above evidence clearly demonstrates that evacuation from passenger vessels is an unreliable operation. This is also a strong indication that IMO should focus more on the operational reliability of lifeboat evacuation and less on the time development.

It is shown above that empirical data from model tests as well as computer programs are available for assessment of the launch failure probability of lifeboats.

In the present situation with very standardized evacuation means, there may not be much difference between a QRA and a FSA. However, there is a need for improvements of evacuation systems. In a FSA approach, the authorities will take the responsibility for the specific regulations and their possible shortcomings. In a QRA approach, the full responsibility will be put on the ship owners and the design team. Improvements and innovation will be more likely in this case.

6.5 Rescue

Following an accident where a passenger ship sinks, there will be people in distress in lifeboats, rafts and possibly in the sea. For people in lifeboats, the rescue operation itself may represent the main hazard. The disaster with the offshore installation Ocean Ranger is an example of this. A lifeboat collided with the vessel trying to rescue it in stormy and cold weather, and nobody survived the accident. To avoid such accidents, rescue of people in lifeboats in bad weather will normally be postponed until the weather improves.

People who have entered the sea are in the worst situation. They have normally donned their life vests. If the weather is bad, they may get their heads submerged below wave crests for long enough to drown. If the sea temperature is low, the survival time may only be a few minutes, and they may perish from hypothermia.

Rescue will be carried out by ships in the area and by helicopters. In most cases, it will be possible for SAR helicopters to reach the site of the accident. The helicopter needs some mobilization time, and it takes some time to fly to the area. They then have to detect people in the sea, and to rescue them by use of the rescue hoist. The capacity of the helicopter may be about 20 persons, and they have to bring the rescued people to a safe place before they can return to the scene of the accident. Altogether, it may take a long time to rescue a large number of people in distress at sea by helicopters.

Ships in the area will usually try to pick up people in the sea by launching their MOB boats. They need some time to detect each person in the sea, and also to get him into the boat, which may be very difficult in bad weather. The boat may only have capacity to take a few rescued persons on board before they must be brought back to the mother vessel.

The simulation program Offshore Sea Rescue was developed several years ago to simulate a rescue operation of people in distress at sea. The program was based upon a macroscopic model. As part of the development, a Delphi session was arranged with participation from helicopter pilots and MOB boat personnel, who were questioned about the time requirements to detect and rescue people in distress at sea under varying weather conditions.

The program contains default data on survival times as a function of sea temperature and clothing.

The user of the program has to specify the number of people in distress at sea, the rescue resources available and their arrival and shuttle times, as well as the environmental conditions. The program simulates the time development of the rescue operation. Picked-up people may be alive or dead, depending on how long they have been in the sea. As there are a few probabilistic variables, the program performs Monte Carlo simulations, but few replications are required.

It will not be meaningful to perform rescue simulations for people in distress at sea in a “representative environment” as defined in a FSA.

7 RISK ACCEPTANCE CRITERIA

Risk acceptance criteria usually address two types of concerns. One concern relates to the maximum acceptable risk that it is ethically acceptable to expose a group of people to. The corresponding requirement must be explicitly stated, e.g. by a maximum allowable average number of fatalities per year.

The other concern is that if it is possible to reduce the risk in a cost-efficient way, that should be done. This refers to the so-called “As Low As Reasonably Practicable” (ALARP) principle. In order to perform cost–benefit analyses, the limiting acceptable cost of averting a fatality may be defined. The soundest and most feasible proposal (Skjong, 1998) may roughly be said to originate from the following logic: the quality of life in a society should be optimized. If a minor amount of resources is spent on health and safety, the inhabitants may live a short life in luxury. If, however, a large amount of resources is spent on health and safety, there will not be much left for consumption, and the inhabitants will live a long life in poverty. Obviously there exists an optimum quality of life in between these extremes, and the maximum amount of money to be used to avert a fatality can be assessed as a function of the gross national product (BNP) of the society. It follows that it will be justified to use less money to avert a fatality in poor countries than in rich ones. In rich European countries, it was shown that something like 4 million Euro should be used to avert a fatality in order to optimize the quality of life.

The above approach is feasible both within a QRA and a FSA.

8 EVALUATIONS

In the following, the potential of QRA to serve as a tool for enhancing passenger ship safety is considered, and some of the main differences between a QRA and a FSA are evaluated. In this respect, focus is placed on the following three issues:

– Safety involvement and resources

– Level of detail in the analyses

– Assumptions of average or representative values

8.1 Feasibility of passenger ship QRA

In the paper it has been shown that there exist plentiful tools for addressing passenger ship safety in a realistic manner in a QRA. A lot of relevant experience is already available in the offshore sector. What may be lacking, however, is that operational errors are included with the same realism. In the offshore industry a lot of work has been performed to achieve this, and the inclusion of human error analyses is rather a question of acceptable uncertainties in the estimates than of available methods.

Prediction of human error is usually performed at a microscopic level, addressing detailed design and applied operational procedures. The FSA may not be feasible for this purpose.

8.2 Safety involvement and resources

During the design of a passenger ship, the designers and representatives from the ship owner spend most of their safety related efforts on ensuring that specific regulation requirements are complied with. If they instead had focused on prevention and mitigation of concrete accidents, and combined this effort with their detailed knowledge of the ship being designed, this would have given a very high contribution to the efforts towards safer ships. This is what has happened in the offshore sector, where engineering teams are strongly involved with QRA issues.

Similar concerns played an important role when the investigation committee for the disaster at the UK offshore installation Piper Alpha recommended transferring the safety responsibility from the DOT, who had implemented a safety regime for offshore installations similar to that for ships, to the HSE, who were familiar with QRAs and goal-setting requirements.

Development of good specific regulations at a high level is a very difficult or even impossible task. The regulation makers have to address a more or less inhomogeneous group of ships, and the expected future development as well. In addition, the development tends to be biased because representatives from different countries try to promote concerns relating to the competitiveness of their national fleet. Goal-setting requirements at a high level, in combination with a QRA related legislative regime, are the obvious response to these difficulties.

8.3 Level of detail

A QRA addresses safety issues at a relatively high level. However, the methodology also includes features to capture detailed safety problems, as explained in the following.

Reliability and vulnerability analyses of safety critical systems address properties of these systems at a detailed level. The results of these analyses are usually input to event trees in a QRA. Hence, the reliability and vulnerability standard of these systems is reflected in the outcome of a QRA.

The Hazop has the potential to identify detailed safety problems in the area being analyzed. Once identified, the problems may be resolved or alternatively accounted for in the QRA.

Hence, the QRA does possess properties to address detailed issues. In addition, it is usual to perform QRAs on the assumption that detailed safety regulations and standards are adhered to. A FSA, however, almost completely lacks the capability to account for detailed properties, as it addresses an average ship in a representative environment.

8.4 Assumptions of average or representative values

The FSA addresses an average ship in a representative environment. In relation to risk assessment, this is an obvious oversimplification. Accidents are often related to unusual properties and extreme conditions. Taking Titanic and Estonia as examples, many people lost their lives because the seawater temperature was very low. If these accidents had been analyzed beforehand based on an assumption of representative environmental conditions (as in the FSA), the outcome of these analyses would have shown far less dramatic consequences than what occurred in reality. Hence, assumptions of average or representative conditions in a FSA may in some cases introduce severe errors.
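To make the weather-correlation point of Section 5 and the representative-environment point of this section concrete, the following added example (not from the paper, and not any of the programs it names) computes expected annual fatalities for a fire and a collision hazard two ways: by enumerating weather conditions with hazard-specific weather correlation, as a QRA would, and by evaluating the same consequence models once at an average condition, as a FSA “representative environment” would. The weather mix, initiating frequencies, lifeboat-failure curve and cold-water survival curve are all constructed illustrative values, not data from the paper.

```python
"""Added example: expected annual fatality risk from fire and collision on a
passenger ship, computed (a) by enumerating weather conditions with the
hazard-specific weather correlation the paper asks for, and (b) from a single
'representative' average condition. Every number below is CONSTRUCTED for
illustration; none is taken from the paper or from any accident record."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Weather:
    name: str
    p: float      # fraction of the year this condition prevails
    hs: float     # significant wave height, m
    temp: float   # sea temperature, deg C
    fog: bool     # reduced visibility


# Constructed annual weather mix for a northern European route.
WEATHER: List[Weather] = [
    Weather("calm, fog", 0.10, 0.5, 8.0, True),
    Weather("moderate", 0.60, 1.5, 10.0, False),
    Weather("rough", 0.25, 3.0, 6.0, False),
    Weather("storm", 0.05, 5.0, 3.0, False),
]

POB = 1000              # persons on board (constructed)
FIRE_FREQ = 2e-3        # fires leading to evacuation, per ship-year (constructed)
COLLISION_FREQ = 1e-3   # collisions leading to flooding, per ship-year (constructed)


def fire_weather_weight(w: Weather) -> float:
    """Fire ignition is taken as independent of weather (the paper's assumption),
    so the weather distribution given a fire is simply the base climate."""
    return 1.0


def collision_weather_weight(w: Weather) -> float:
    """Collisions concentrate in reduced visibility; fog gets a relative weight
    of 4 (constructed), which conditional_weather() renormalises."""
    return 4.0 if w.fog else 1.0


def conditional_weather(weight: Callable[[Weather], float]) -> Dict[Weather, float]:
    """P(weather | initiating event) = base climate x relative weight, renormalised."""
    raw = {w: w.p * weight(w) for w in WEATHER}
    total = sum(raw.values())
    return {w: v / total for w, v in raw.items()}


def lifeboat_failure_prob(hs: float) -> float:
    """Probability that a lifeboat launch fails, rising steeply with wave height.
    Constructed logistic curve centred at 2.5 m (the paper reports launches
    broadside to the sea unsafe at 2-3 m): about 0.02 at 0.5 m, 0.5 at 2.5 m."""
    return 1.0 / (1.0 + math.exp(-2.0 * (hs - 2.5)))


def sea_survival_fraction(temp: float) -> float:
    """Fraction of people in the water who survive until rescue; constructed
    linear model that reaches zero at 2 deg C (hypothermia dominates)."""
    return max(0.0, min(1.0, (temp - 2.0) / 12.0))


def fatalities_given_event(w: Weather) -> float:
    """Expected fatalities for one evacuation in weather w: people whose boat
    launch fails end up in the sea and survive according to temperature."""
    return POB * lifeboat_failure_prob(w.hs) * (1.0 - sea_survival_fraction(w.temp))


def annual_risk_qra() -> float:
    """Expected fatalities per year, weather enumerated per hazard (QRA-style)."""
    hazards = ((FIRE_FREQ, fire_weather_weight), (COLLISION_FREQ, collision_weather_weight))
    total = 0.0
    for freq, weight in hazards:
        cond = conditional_weather(weight)
        total += freq * sum(pw * fatalities_given_event(w) for w, pw in cond.items())
    return total


def representative_weather() -> Weather:
    """A single average condition, as a FSA 'representative environment' uses."""
    hs = sum(w.p * w.hs for w in WEATHER)
    temp = sum(w.p * w.temp for w in WEATHER)
    return Weather("representative", 1.0, hs, temp, fog=False)


def annual_risk_fsa() -> float:
    """Expected fatalities per year from the single representative condition."""
    return (FIRE_FREQ + COLLISION_FREQ) * fatalities_given_event(representative_weather())


if __name__ == "__main__":
    print(f"QRA (weather enumerated):   {annual_risk_qra():.3f} fatalities/year")
    print(f"FSA (representative value): {annual_risk_fsa():.3f} fatalities/year")
```

With these constructed curves the averaged condition understates the annual risk by roughly a third, because the consequence models are convex in wave height and cold water: the rare rough and storm conditions dominate the fatality expectation, exactly the effect the Titanic and Estonia examples illustrate.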

9 CONCLUSIONS

The conclusion is that a legislative regime based on QRAs may be a powerful measure for enhancing passenger vessel safety. There exists a set of comprehensive and realistic tools for addressing relevant safety issues in QRAs.

The FSA proposed by IMO has limited potential because it is not concrete in addressing a particular vessel. Hence, a FSA may not be considered as an alternative to a QRA, but rather as a supplementary aid to improve prescriptive regulations.

REFERENCES

Bles, W. & Boer, C.L. 2000. Design Features: Effect of ship listing on mustering speed. MEP Design report, WP2b.

Canter, D. 1980. Fire and Human Behaviour. John Wiley & Sons, Ltd.

Haugen, S. 1998. An overview over ship-platform collision risk modelling. In C. Guedes Soares (ed.), Risk and Reliability in Marine Technology. A.A. Balkema, 1998.

Haugen, S. 1997. Ship–Platform Collision Risk Analysis. ESREL, Lisboa 1997.

Haugen, S. 1993. Effect of Platforms in Shipping Lanes. COLLIDE seminar, Aberdeen, June 1993.

IMO, 1974. Resolutions and Other Decisions (Resolutions 259–314). Assembly, Eighth Session 1973.

Marine Accident Report, 1982. Capsizing and Sinking of the U.S. Mobile Offshore Drilling Unit OCEAN RANGER, off the East Coast of Canada, 166 Nautical Miles East of St. John’s, Newfoundland.

Paulsen, T. 1995. Evaluation of Simulation Models of Evacuation from Complex Spaces. SINTEF report no. STF75 A95020.

Solem, R. 1987. Modelling and Simulation of an Offshore Evacuation and Rescue Operation. IMACS International Symposium on AI, Expert Systems and Languages in Modelling and Simulations. Barcelona, Spain.

Soma, H. 2001. Computer Simulation of Passenger Ship Evacuation. ESREL 2001, Torino.

Soma, H. 1998. How to Account for Working Environmental Conditions in QRAs. OMAE 1998, Lisbon.

Soma, H. 1996. Validation of Egress Simulation Programs. OMAE 1996, Florence.

Soma, H. 1995. Computer Simulation for Optimisation of Offshore Platform Evacuation. OMAE 1995, København.

Skjong, R. 1998. Societal Indicators and Risk Acceptance. OMAE 98.

Technica, 1983. Risk Assessment of Emergency Evacuation from Offshore Installations.

The Scandinavian Star Investigation Board, 1991. The Scandinavian Star Disaster. NOU 1991.

Tsychkova, E. Influence of Waves and Ship Motions on Safe Evacuation of Passenger Ships. Licentiate Thesis, Royal Institute of Technology, Stockholm.

Vinnem, J. & Haugen, S. 1987. “Risk Assessment of Buoyancy Loss (RABL) – Introduction to Analytical Approach”. International Conference on Mobile Offshore Structures, London, Sept. 1987.

Wang, J. 2001. The current status and further aspects in formal ship safety assessment. Safety Science 38 (2001).


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Measuring the safety standard of organizations

T. Soma
Norwegian University of Science and Technology, Department of Marine Technology, Trondheim, Norway

ABSTRACT: This paper describes a new general method for measuring the safety standard of an organization. It is assumed that a high safety standard is a result of systematic management and control. The principal idea is therefore to focus on the systematic pattern of safety performance variables in the measurement calculations, which is in sharp contrast to common measuring techniques. The paper focuses on a description of the principal idea and some examples of calculations. The most important finding is the method’s efficiency in measuring the safety culture maturity of seven shipping companies. The method uses a database of nearly 3000 responses to the Ship Management Attitude Questionnaire (SMAQ) held by Risø National Laboratories. The analysis shows that the maturity of the safety culture can describe about 50% of the variation in an accident performance indicator and more than 60% of the variation of a Port State Control performance indicator.

1 INTRODUCTION

The terms substandard and blue chip organizations have become frequently used labels for companies being respectively very poor and extremely good in safety issues. It has also become common practice to conceptually distinguish between an organization’s experienced safety performance and its safety standard, which focuses on its resistance against accidents. This shift in focus is caused by a need for more efficient prevention of losses. The safety standard of an organization is commonly measured through rating schemes or similar methods. This paper describes a new general method for measuring the safety standard of an organization. It is assumed that a high safety standard is a result of systematic management and control. The principal idea is therefore to focus on the systematic pattern of safety performance variables in the measurement calculations. Focus on pattern is in sharp contrast to common measuring techniques like ranking schemes, regression analysis and factor scores, which all treat individual variables independently of each other. Even artificial neural networks, which are commonly used in pattern recognition, do not efficiently capture the dependency between pairs of variables (Soma & Kristiansen, 2001). However, most conceptual models used in safety management, accident investigation and human error and reliability analysis agree that there is a dependency between some distal core safety factors and the performance variables commonly used in measuring techniques, e.g. incidents, audit and inspection findings.

Several authors have realized that we have serious measuring problems within safety management, safety research and safety analysis. Because of the uncertainties involved in measuring safety performance, there has been a shift towards more proactive methods attempting to measure the safety standard of an organization. Incidents happen too rarely within an organization to be a basis for common statistical inference. It is also realized that the statistics drawn from investigation reports are unreliable due to subjective interpretations and questionable scope (Pedrali et al., 2002) (Wagenaar et al., 1997) (Reason, 1987). Hence the importance of near miss reporting has been emphasized. The reporting frequency of near-misses is however too unreliable to form a basis for evaluation of performance (Scaaf et al., 1991). Expert judgment is assumed to have a large measuring potential, but has also been hampered by lacking reliability (Skjong & Wenthworth). We have diagnosed a number of accidents as being a result of poor safety culture. Therefore the importance of a mature safety culture is stressed. No technique has however yet been able to measure the maturity of an organization's safety culture (Cox & Flin, 1998) (Sorensen, 2002). We know that the majority of the accidents are caused by operator errors (Wagenaar & Groeneweg, 1987). Quantitative analyses of human factors probably have a stronger influence on safety through their ensuing discussions and disputes (Fragola, 2000) (Hollnagel, 2000) than through their quantitative results. Within maritime transport, rating techniques have become popular for targeting and screening purposes. This reaction to accidents like the Erika is unlikely to have any effect over longer periods as they only emphasize the present general characteristics of substandard managers and not their essential safety management problems. We also know that the techniques fail to pinpoint catastrophe vessels such as the Estonia and the Exxon Valdez.

09048-S-17.qxd 5/15/03 1:02 AM Page 1477

Page 42: paper126c-balkema

Despite the problems, the situation is not too pessimistic. The public focus on safety has forced more safety information to be generated, collected and made publicly available. Today safety inspection findings, accident history and ship characteristics are available on the Internet even for individual ships. When we are still unsatisfied with the applied quantitative safety measurements it might seem reasonable to take two steps back and critically consider the applied measuring techniques. This study has explored the potential of using an alternative measuring principle. The alternative approach seems to be valid and extremely advantageous in measuring safety culture maturity.

2 PRINCIPAL IDEA

Commonly used quantitative approaches apply a linear (Y = Σ wi·xi) model for evaluation of the safety characteristic. These models treat the variables (xi) independently. In a rating scheme like the International Marine Safety Rating System (DNV, 1995) the weights (wi) may be estimated through approaches like statistical inference or expert judgment. In regression analysis the weights (wi) are typically optimized on the basis of the minimal sum of squared residuals. In factor analysis the score on each factor is a weighted sum of the responded values within each principal factor. Also neural networks apply independent calculations of the inputs (xi).

The lack of consistency related to the independent evaluation of variables may be described through an example. The German magazine ADAC Motorwelt (ADAC, 1998–2001) performs an annual safety assessment of ro-ro passenger ferries sailing in European waters. This assessment is carried out through a six-item rating scheme. Typical items are the quality of Safety Management (X1), the quality of the Emergency Equipment (X2) and the quality of the Fire Protection system (X3). Imagine two ships A and B with the following scores. Ship A is judged to have an extremely poor quality of safety management, but has extremely good quality of the emergency equipment. Ship B, on the contrary, is judged to have extremely good safety management, but defective emergency equipment. Both ships have satisfying fire protection. What is then the likely safety standard of these two ships? Lay people might consider the three items to have equal importance (w1 = w2 = w3), whereas more experienced safety analysts may consider safety management to have higher importance (w1 > w2, w1 > w3). Both evaluations, however, miss the crucial fact that neither of the ships demonstrates control of safety management. Because the efficiency of the Emergency Equipment is highly dependent on the quality of the Safety Management it might seem unreasonable to assess these factors independently. Even though ship B is judged to have extremely good Safety Management, the contradicting score for Emergency Equipment is not reflected in the score obtained for Safety Management.

Another example can be drawn from the world fleet accident statistics. A scatter diagram of the world fleet's loss ratio due to collisions versus wreckings is shown in Figure 1 (Lloyd's Register of Shipping, 1970 to 1993). Letting each year from 1939 to 1996 (excluding the Second World War figures) be one point in a scatter diagram, the relation between the two loss categories can be computed. The diagram shows that there was no linear relationship between these events prior to 1971. In the 1970s, after about 20 years of existence, the International Maritime Organization (IMO) started to demonstrate some regulative power. Among other achievements it developed a set of traffic regulations for prevention of collisions named COLREG. It is evident that the accident rates decreased after implementation. However, most importantly, the dependency between these two incidents rose from zero to very high (0.90). Navigation has traditionally been very focused on keeping control of the ship's position relative to land. The new regulations may have reduced this bias in focus, causing the same mechanisms to influence these two aspects of navigational control.

This example indicates that there are two ways of measuring improvements in risk control. The common technique uses independent absolute values, while the dependency between the values may provide additional knowledge, namely that they are controlled by a joint core factor. The objective of this study is therefore to develop and validate a method taking advantage of the dependencies between safety variables. In order to develop a measuring technique that also evaluates the dependency between the variables a deeper understanding of organizational safety is necessary.

[Figure 1, scatter diagram (image not reproduced). Abscissa: World Fleet Loss Ratio due to COLLISION, 0 to 0.0012. Ordinate: World Fleet Loss Ratio due to WRECKING, 0 to 0.005. Series: 1939 to 1971 (correlation 0.06, with linear fit), 1972 to 1977, and 1978 to 1996 (correlation 0.90, with linear fit).]

Figure 1. Scatter diagram of the world fleet loss ratio due to Collision and Wrecking (Grounding, Stranding and Contact) before, during and after COLREG 72 implementation.

3 CONCEPTUAL BASIS

Reason (1997) presents a framework for understanding organizational accidents. His models have one important similarity with the large majority of models used within safety management, accident investigation and human error and reliability analysis. This common characteristic is the dependency between the incident chain of events and a more basic element of the organizational system. A survey of more than 30 conceptual models (Soma, to be published a) shows that the root causal factors in these models are either Organizational Factors or Culture, External or Social Environment, Lack of Control, Upper Management, Working Conditions, Statements of Goals and Objectives etc. The variation in the definition of these Core Safety Factors (CSF) may be related to the specific purpose of the various models. However, the consensus on the idea that there is one, or at least a few, CSFs that influence or determine the safety performance of the lower level of the organization is interesting in itself. If this understanding of organizational safety is correct, these CSFs should influence the lower level of the organization and even the unsafe acts (Figure 2).

Although the dependency on the CSFs seems to be accepted by most professional domains involved in safety management, research and analysis, it is not reflected in the commonly applied measuring techniques. According to the graph outlined in Figure 2 the organization's CSFs influence the safety variables used in measuring techniques. In principle an organization having a high safety standard should have strong dependencies between the CSFs and the variables.

Strong dependencies are therefore an indication of control. On the contrary, if the organization is substandard the CSFs are weak. The safety level of substandard shipping organizations is therefore more dependent on other governing ship characteristics like its age, type or size and on external factors like classification society or flag of registration. Figure 3 illustrates the necessary knowledge for reasoning with patterns. The patterns represent the dependency between the considered variables. For each pattern we need some logical explanation to interpret the pattern's topography.

4 MEASUREMENT AND LOGICS

When developing a measurement tool for safety standard it is extremely important to have some basic understanding of measurement theory. This chapter describes general measuring principles used in item analysis and neural networks. The last two sections describe the new method's relationship to this theory.

4.1 Theory of measurement

Successful questionnaires or rating schemes can be developed through selection of suitable items, variables and scales. For inspections the formal requirements are the basis for selection of items, variables and questions while the scales are typically dichotomous (compliance or not). In an analysis each questionnaire response, inspection result or audit finding is considered as a case (Table 1).

In order to optimize the set of selected items, variables and values it is common to carry out an item and discrimination analysis (Anastasi & Urbina, 1997). In this way the most suitable items can be selected and their scales can be optimized for the measuring purpose. Artificial neural networks also use this, although this process is automatically learned through network training. Both in item analysis and in neural networks sigmoid functions (I and II in Figure 4) are considered to be powerful for this purpose. These continuous functions effectively divide the low from the high (passing) values. The most effective way to measure the performance through a test is to select items that only 50% of the respondents pass. However, if we want to distinguish the very few best or the very few worst from the group, other functions may be effective. The convex and concave exponential functions (III and IV) are for instance used to distinguish the few worst and the few very best respectively. After collection of data a measurement tool has to be validated to confirm it measures what it is supposed to do. Also the reliability has to be considered in order to assess how accurate the tool is.

[Figure 2 (image not reproduced): Core Safety Factors at the top influence Safety Performance below; the performance variables shown are Incidents, Safety Awareness, System availability, Attitudes and preferences, Inspection findings and Audit findings. Level 1: dependency between cases and variables. Level 2: dependency between dependency pattern and safety.]

Figure 2. Conceptual model for safety influence.

[Figure 3 (image not reproduced): Data from individual organization leads to Org. pattern (Level 1) and its Logics; General organizational data leads to Discriminat. pattern (Level 2) and its Logics; the two branches merge into Combined patterns and Combined Logics, which give the Organizational safety standard.]

Figure 3. Outline of method.

There are several ways to quantify indicators of the safety standard of an organization. The number of deficiencies of a safety inspection, the number of non-conformities identified through a safety audit or the number of fulfilled items of a check-list are some examples. In contrast to incidents these indicators are a result of a more or less formalized test with a specific and often restricted purpose. Therefore, the obtained correlation coefficients from such data also include the reliability and the different scope of these approaches. The correlation coefficients should therefore be interpreted with care.

Two indicators are used to validate the results of this study (Soma, in review). One indicator is based on severe accidents collected in a Lloyd's Register database. The other is based on Port State Control findings collected in Paris MOU's database and the Equasis database. The PSC regime is a measure to counteract the relaxed attitude towards fulfillment of international regulations of some flag states. Both indicators provide the likelihood of a ship's safety standard being among the 25% highest quality, the 50% average standard or the 25% most substandard vessels of the world fleet. These figures are combined into a single safety performance measure Pd. Pd has values from −100 to 100, where 100 reflects a probability of one for being among the 25% highest standard vessels and vice versa.

4.2 Linear dependencies

In theory dependencies can take many forms. Linear dependencies are considered most feasible when describing the dependency between variables, and the computation is straightforward. The measuring method outlined in this paper uses a two-stage dependency calculation. The first stage is to calculate the organization's pattern of dependencies between variables. This is the first level in Figure 2. This pattern of dependency has certain linear characteristics for variables of similar scope and similar influence from the CSFs. The next stage is to assess the safety effects of this dependency pattern. Therefore the similarity between the organization's dependency pattern and a pre-established norm pattern is calculated. This norm pattern reflects how efficiently CSFs should influence safety variables. This similarity is also expressed through a linear model. The dependency to safety performance may however be non-linear.

Table 1. Examples of cases, variables and values.

Cases                    Measurement variable           Scale                        Core Safety Factor
Different time series    Safety inspections             Compliance or not            Compliance to requirements
Different respondents    Questionnaire items/variables  Degree of agreement          Safety culture
Different time series    Audit findings                 Practice according to plans  Safety practice/plans
Different years          System availability            Operates or not              Maintenance management
                         Incidents                      Happens or not               Safety management

[Figure 4 (image not reproduced): item discrimination functions, plotted as the share of respondents passing (0% to 100%) against item difficulty; curves labelled I and II (sigmoid), III and IV (convex and concave exponential) and V (bell-shaped).]

Figure 4. Examples of item discrimination functions.

The correlation coefficient expresses the degree of linear correspondence, or relationship, between the values of two variables. Because the correlation coefficient varies from −1 to 1, it can be used to compare the strength of the linear relationship between the variables. Two variables with a correlation of either −1.0 or +1.0 are highly correlated because knowledge of one variable provides precise knowledge of the other. Independent variables have a correlation of zero. There are several ways to calculate the correlation. The two most common types are Pearson's correlation, rP, for variables having values on an interval or ratio scale and Spearman's correlation, rS, for ordinal values. The correlation coefficients are defined as:

(1)

(2)

where:
sxy = Covariance of the variables x and y
sx, sy = Standard deviation of the variables x and y respectively
n = Number of data points
d = Difference between the most discriminating ranking of the variables when each have a sum of n(n + 1)/2
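As an added worked example (not code from the paper), the two coefficients defined above can be computed directly from their definitions: Pearson's rP as the covariance sxy divided by sx·sy, and Spearman's rS as Pearson's coefficient applied to the ranks, which for untied data reduces to the familiar form 1 − 6Σd²/(n(n² − 1)) with d the rank difference. Because equations (1) and (2) are not reproduced on the page, the use of average ranks for tied ordinal values is an assumption made here; the audit, incident and questionnaire figures in `demo()` are constructed, not measurements.

```python
import math
from typing import Dict, List, Sequence


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson's r_P: covariance of x and y divided by the product of their standard deviations.

    The 1/n (or 1/(n-1)) factors cancel, so raw centred sums are used. A series without
    variance has no defined correlation; 0.0 is returned for it.
    """
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two equally long series with at least two points")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))   # n * covariance
    sxx = sum((a - mx) ** 2 for a in x)                    # n * variance of x
    syy = sum((b - my) ** 2 for b in y)                    # n * variance of y
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks of an ordinal series; tied values share the mean of the ranks they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1                  # mean of the 1-based positions i..j
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman's r_S: Pearson's coefficient of the two rank series (exact, ties included)."""
    return pearson(ranks(x), ranks(y))


def spearman_rank_difference(x: Sequence[float], y: Sequence[float]) -> float:
    """1 - 6*sum(d^2) / (n(n^2 - 1)) with d the rank differences; identical to spearman()
    when no value is tied, and an approximation when ties are present."""
    rx, ry = ranks(x), ranks(y)
    n = len(rx)
    d2 = sum((a - b) ** 2 for a, b in zip(rx, ry))
    return 1.0 - 6.0 * d2 / (n * (n * n - 1))


def demo() -> Dict[str, float]:
    """Constructed data (assumed, not measured): yearly audit non-conformities against lost
    time incidents (interval scale, Pearson) and two five-point questionnaire items
    answered by eight respondents (ordinal scale, Spearman)."""
    non_conformities = [12, 9, 15, 7, 11, 5]
    lost_time_incidents = [6, 4, 8, 3, 5, 2]
    training_important = [5, 4, 5, 3, 4, 2, 5, 4]       # "Safety training is important"
    procedures_followed = [4, 4, 5, 3, 3, 2, 5, 4]      # a second, positively worded item
    return {
        "pearson_interval": pearson(non_conformities, lost_time_incidents),
        "spearman_ordinal": spearman(training_important, procedures_followed),
        "spearman_d_formula": spearman_rank_difference(training_important, procedures_followed),
    }
```

For Likert-type data ties are the rule rather than the exception, so `spearman()` (Pearson on average ranks) is the safer choice; `spearman_rank_difference()` is kept to show how the d-based form relates to it.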

An example of the estimated linear dependencies between safety variables for a large tanker company is outlined in Table 2. The cases are taken from different ship management departments and years. The accident history and port state control findings for this specific company indicate that its fleet is among the world's 25% highest safety standard.

Table 2 is an example of the dependency pattern developed through the first stage of the measuring technique (level 1 in Figure 2). The table shows that the incidents related to operational aspects (LTI and oil pollution) are dependent on the number of audit non-conformities. The incidents related to more technical aspects (Process availability) are more dependent on the number of inspection findings. The norm pattern, which could be used to assess if this organization is a good safety performer or not, is however not yet developed (Level 2 in Figure 2). The similarity or correlation with a norm pattern would provide estimates of the company's absolute safety standard. This second stage is later carried out for incident patterns and safety culture survey results. More detailed assessments of the individual dependencies are however considered first. The objective is now to start the next dependency level. In such an analysis knowledge of how the dependencies are for high standard and substandard organizations has to be developed.

4.3 Incident correlations

Within ship management, as for aviation and train transport, offshore and land based industry, there are today regulatory requirements for continuous safety improvement activities. A stochastic process governs the occurrence of incidents. It is for instance common to describe the occurrence of accidents through a Poisson process. A Poisson process can be described as a counting process where the occurrence of accidents is dependent on an accident rate, λ, and a time window. Within an organization there are several stochastic processes that may be of relevance for the safety. A graph demonstrating the relationships between two incident processes, namely Lost Time Incidents and Process disturbance incidents, is shown in Figure 5.

The first 63 weeks the safety management is only involved in reducing the lost time incidents. Consequently, the process disturbances are independent of the CSFs and also independent of the LTI rate. However, because the organization has no control over process incidents it does not have a satisfactory safety management. After 63 weeks, however, the safety management's scope is increased and a risk control measure is implemented to also handle the process disturbances. From this stage both risks are under improvement. This results in higher correlation between the time series. After a period the process disturbance rate has been reduced considerably and they experience weeks with no events of either kind. The correlation is now reduced again because the time window is too small relative to the event rate (λ·t < 3). Hence both the uncontrolled and controlled states have low correlation.

Table 2. Example of dependencies between variables.

                         Incidents                                   Inspections      Safety audit
                         Oil        Property    Process              Vetting  PSC     In house  External  Internal
                         pollution  loss freq.  availab.
LTIF                     −0.30      0.22        0.30                 −0.04    −0.01   −0.69     0.88      0.94
Oil pollution incident              0.01        −0.37                0.48     0.01    −0.07     −0.75     −0.78
Property loss frequ.                            0.04                 0.55     0.21    −0.38     0.17      0.31
Process availability                                                 −0.68    −0.64   −0.26     −0.02     0.11
Vetting                                                                       0.75    0.61      −0.12     0.22
PSC                                                                                   0.30      −0.01     0.04
External audit                                                                                            0.97

[Figure 5 (image not reproduced): weekly number of events (0 to 120) against time (0 to 250 weeks) for two series, Process disturbance and Lost time incidents. Phase labels along the time axis: Uncontrolled, Improving, Perfection, Controlling; correlation values shown: 0.06, 0.62, 0.04, 0.37.]

Figure 5. Principles of incident correlations.

ρP        LOGICS
Low       at least one uncontrolled OR at least one controlled
Moderate  one under perfection AND one under improvement
High      both under improvement

A relatively new discriminating function used in neural network analysis is the bell-shaped function (V in Figure 2). When applying a bell-shaped function only the average pass the item. On a single item this may seem ridiculous because it does not distinguish the best from the worst. However, in combination with other items, it is possible to distinguish between three groups instead of two. Experience in neural networks shows that this is more effective because fewer neurons (items) are required. From Figure 5 it can be seen that the correlation between incidents has a similar nature. Both the most substandard and the highest standard level have in fact a correlation coefficient of zero.
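The three phases sketched above (uncontrolled, improving, controlled) can be reproduced with a small simulation; the following is an added example, not code or data from the paper. Two weekly incident counts, lost time incidents (LTI) and process disturbances, are drawn from Poisson processes whose rates follow the narrative: for 63 weeks only the LTI rate is brought down while process disturbances stay at an independent, unmanaged level; then one control measure drives both rates down together; finally both settle at a low rate so that λ·t < 3 for a one-week window and many weeks have no event. The phase lengths, the rates and the seed are constructed assumptions; the correlation is computed inside each phase's time window, as in Figure 5.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

# Constructed phase definition (assumed, not measured): name, length in weeks,
# LTI rate (start -> end) and process disturbance rate (start -> end), events per week,
# changing linearly inside the phase.
PHASES: List[Tuple[str, int, Tuple[float, float], Tuple[float, float]]] = [
    ("uncontrolled", 63, (40.0, 20.0), (30.0, 30.0)),  # only LTI is worked on; process rate independent
    ("improving",    60, (20.0, 1.0),  (30.0, 1.0)),   # one control measure drives both rates down
    ("controlled",   60, (0.3, 0.3),   (0.3, 0.3)),    # both low: lambda*t < 3 for a one-week window
]


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson-distributed count for rate lam (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation; 0.0 when a series has no variance (e.g. a window of all-zero weeks)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def simulate(seed: int = 11) -> Tuple[List[int], List[int]]:
    """Weekly LTI and process-disturbance counts over all phases, in phase order."""
    rng = random.Random(seed)
    lti, proc = [], []
    for _, weeks, (l0, l1), (p0, p1) in PHASES:
        for w in range(weeks):
            f = w / (weeks - 1)                    # 0 at phase start, 1 at phase end
            lti.append(poisson(rng, l0 + (l1 - l0) * f))
            proc.append(poisson(rng, p0 + (p1 - p0) * f))
    return lti, proc


def phase_correlations(lti: Sequence[int], proc: Sequence[int]) -> Dict[str, float]:
    """Correlation between the two series inside each phase's time window."""
    out, start = {}, 0
    for name, weeks, _, _ in PHASES:
        out[name] = pearson(lti[start:start + weeks], proc[start:start + weeks])
        start += weeks
    return out


def zero_weeks(counts: Sequence[int], start: int, weeks: int) -> float:
    """Share of weeks without any event in a window: the sparsity that depresses the correlation."""
    window = counts[start:start + weeks]
    return sum(1 for c in window if c == 0) / len(window)


if __name__ == "__main__":
    lti, proc = simulate()
    for name, r in phase_correlations(lti, proc).items():
        print(f"{name:12s} correlation {r:+.2f}")
    print("share of event-free weeks in the controlled phase:",
          round(zero_weeks(proc, 123, 60), 2))
```

Only the improving phase shows a high correlation: the uncontrolled phase is low because the two processes are driven by different causes, and the controlled phase is low because weekly windows with an expected count of 0.3 are dominated by zeros, which is the λ·t argument of the text.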

4.4 Analysis of CSF influence

The dependency between the CSFs and the safety level illustrated in Figure 2 could be assessed through another approach. As already described a substandard organization is assumed to have weak CSFs. Therefore the safety performance is dependent on other factors, like the age of the ship. In order to assess this hypothesis a sample of 1700 ships was selected randomly from the fleet classed by a society within the International Association of Classification Societies (IACS), which covers more than 90% of the world tonnage. These ships were assessed according to their PSC findings.

Table 3 shows that there is a significant reduction in correlation for the highest quality operators. Especially the correlations between the PSC indicator and age and ship size are significantly lower for the 25% best. Also the correlation between the indicator and the selected flag and Protection and Indemnity Insurer is lower for the highest quality vessels. This means that factors like the ship's age, flag and size may be suitable indicators for identification of the most substandard, but that these factors have little potential for identification of the best ships. More precisely, the commonly used age factor is statistically significant because it is relevant for 75% of the fleet (average and substandard). To assess whether the correlations described in Table 6 also can be an indicator for individual companies, seven organizations are selected for assessment. The sum of the absolute correlation values for the companies and their PSC indicator score are presented in Figure 6. The scatter plot indicates that the dependency between the ship characteristics and the PSC indicator may be a suitable indicator for estimating the companies' CSF quality.

5 INCIDENT CORRELATIONS REASONING

The incident statistics for the fleets of twelve different flags of registration are presented to describe the measuring principle.

The numbers are the average correlation between the time series from 1970 to 1996 for the flags' ratio of losses due to collision, foundering, wrecking and fire. A high correlation indicates that both flags are under improvement (Figure 5). A low correlation is, as shown earlier, an indication that at least one is uncontrolled or both are controlled. In order to perform a complete evaluation the flags have to be discriminated. For this purpose the correlation between the accepted safety resolutions adopted by the IMO is used. High values indicate that the pair of flags has accepted a similar pattern of resolutions.

Table 3. Correlation between ship characteristics and PSC performance (Soma, to be published b).

PSC performance          25% best   50% average   25% worst
Gross Tonnage            −0.01      0.20          0.16
Ship type                0.02       0.01          −0.04
Age of ship              0.03       −0.21         −0.17
Flag                     −0.04      0.05          0.09
Classification Society   −0.05      0.04          0.06
P&I                      0.00       0.05          0.06
External membership      −0.06      0.06          0.07
Sum of absolute values   0.21       0.62          0.64

[Figure 6 (image not reproduced): scatter plot of Pd for Accidents (−100 to 100) against the average correlation between the PSC indicator and the variables in Table 2 (0 to 2), with a linear fit, R² = 0.58.]

Figure 6. Relationship between the sum of absolute correlation values and the PSC indicator.

The complete ranking of the flags is then the correlation between the patterns of the two matrices (Table 6). This value is a measure of the flags' safety performance. Negative values indicate that flags having a similar regulative pattern have low incident correlations and those with moderate or high incident correlations have dissimilar regulative patterns. According to the logical tables this indicates a flag within a Perfecting or Controlling phase (Figure 5). Similar argumentation can be used to identify those having positive values as being under Improvement. The estimated performance measurements are in correspondence with other performance measures. The correlation with the Flag State Conformity Index (FLASCI) Score (Alderton, 2001) is 0.82 and the correlation with the flags' total loss ratio for 1998–2001 is 0.61.

6 SAFETY CULTURE PATTERNS

There is a range of definitions of safety culture (Cox & Flin, 1998) (Sorensen, 2002). Their common characteristic is the involvement of a system or pattern of beliefs, values, symbols, attitudes, etc. that influence the way the members of the culture act and work with safety. The common attempt to measure safety culture is to perform a questionnaire survey. The responses are analyzed in a factor analysis to group correlated items into groups called factors, dimensions or principal components. If the analysis includes several groups, ships, departments or companies the score on each factor describes the cultural variation between these groups. Several authors (Zohar, 1980) (Itoh & Andersen, 1999) have attempted to quantify the relationship to the companies' safety level, but only with marginal success (Cox & Flin, 1998) (Sorensen, 2002). The trend in fighting this problem seems to be towards combining factors and conceptual models (Cooper, 2002) (Alistair, Cox, Amparo & Tomas, 1998). All these attempts seem to ignore the fact that safety culture only includes the common patterns of safety attitudes, in contrast to individual safety attitudes independent of the others. In the majority of the approaches the scores of each factor are added together as a weighted sum. Hence, in principle, adding more individuals who give positive responses to the questionnaire items improves the score independent of the cultural influence. When using a questionnaire survey to measure safety culture we assume that the cultural pattern can be reflected in the way the respondents answer it.

ρP        LOGICS
Low       Non-common perception of at least one variable OR independent variables OR neutral responses to at least one variable
Moderate  Dependent variables AND portions of common perceptions
High      Common perception of the variables AND dependent variables


Table 4. Incident dependencies.

Table 5. Regulative dependencies.

Table 6. Correlation between dependency patterns.

Cyprus   Greece   Japan   Liberia   Netherl.   Norway   Panama   S. Korea   UK      US      Denmark   Spain
0.67     −0.04    0.27    0.29      −0.45      −0.29    0.21     0.19       −0.15   −0.56   −0.21     0.33

[Response scale of the questionnaire item (image not reproduced): Strongly Agree, Slightly Agree, Neutral, Slightly Disagree, Strongly Disagree.]

6.1 Safety training is important

At the most basic level the pattern can be represented by the correlation between the variables in the questionnaire, as level 1 in Figure 2. Some experience has been established that makes us able to interpret the obtained correlation coefficients. Zohar (1980) has proved that a high safety level implies that the respondents answer with a higher level of agreement on safety related questions compared to organizations having a lower safety level. In a measuring context this is advantageous because values far from the average increase the value of the correlation coefficient. It should be remembered that it is common to design both positive and negative questions. The item described above is therefore followed up by a negatively stated question, e.g. Training is not very important. Therefore, according to Zohar's findings, organizations having a high safety standard should obtain higher correlations between dependent variables.

A recent study on safety attitudes of four shipping companies having the same national culture has found that the organizations having lower safety performance not only give responses of lower absolute values but answer in a more neutral manner (Soma, to be published c). Hence, in principle, when asked if safety training is important the respondents of a substandard organization may not only answer with lower agreement but also have a tendency to be more neutral. A high portion of neutral responses causes the correlation coefficient to be low because the difference between the individual scores and the average value is small.

The correlation matrix alone does however not represent a measurement value because there is not any norm to measure it against (Level 2 in Figure 2). Therefore a norm is developed based on the inter-organizational correlation of the correlation matrix. This norm represents to which degree the pattern of attitudes towards safety issues correlates with other organizations. Some might disagree with this norm because they believe that there are several patterns describing a mature safety culture. That might be theoretically true, but experience shows that the patterns drawn from the questionnaire surveys of blueprint organizations are similar for all domains. Safety commitment is for instance measured to be a significant factor within aviation, railway, nuclear, process and offshore industry, medical institutions, and also within the maritime domain. Similarly, factors like communication, training etc. are general factors. It would be methodologically impossible to identify these in several companies, or domains, if the correlation matrices of the various companies or domains were different.

To quantify the suitability of the technique the dependency between 39 SMAQ variables was expressed by their correlation matrix. The obtained scores are expressed by the average correlation between the matrices as shown on the abscissa of Figures 7 and 8. The critical 95% confidence level of the correlation coefficient is 0.316. The ordinate values of Figures 7 and 8 are the accident and PSC indicator respectively. As indicated in Figure 7, the safety culture indicator can explain 53% of the variance in the accident statistics indicator. The Pearson correlation between the two measures is 0.73. Figure 8 shows that the dependency between the PSC indicator and the safety culture indicator is even higher. The inter-organizational safety culture score can explain 65% of the variance in the PSC indicator. The Pearson correlation, 0.81, is significant. The sensitivity to national cultures is also calculated. The standard deviation of the score due to national variation was estimated to be 0.04, an insignificant variation at the 95% confidence level.
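The two-stage calculation described in section 4.2 and applied here in section 6 (level 1: an organization's correlation matrix over the questionnaire items; level 2: the correlation of that matrix with the norm formed from the other organizations' matrices, the "inter-organizational correlation of the correlation matrix") and the ρP logic table for safety culture can be exercised on constructed data. The following is an added example, not the paper's code and not SMAQ data: the five organizations, the eight items with two negatively worded ones, the response model and the seed are all assumptions made here. Organizations A, B and C share a common attitude pattern with answers leaning away from neutral, D answers every item independently of any common factor, and E holds a non-common perception of one item, so the example also exercises the "Low" row of the logic table.

```python
import math
import random
from typing import Dict, List, Sequence

ITEMS = 8
# Constructed item loadings (assumed): +1 = positively worded ("Safety training is important"),
# -1 = negatively worded ("Training is not very important"); items 3 and 6 are negative.
LOADINGS = [1, 1, -1, 1, 1, -1, 1, 1]


def respond(rng: random.Random, kind: str) -> List[int]:
    """One respondent's answers on a five-point scale (1 = strongly disagree ... 5 = strongly agree)."""
    c = rng.gauss(0.0, 1.0)                  # latent attitude shared by all items of a respondent
    answers = []
    for i, load in enumerate(LOADINGS):
        if kind == "independent":            # organization D: no common factor behind the answers
            v = 3.0 + rng.gauss(0.0, 1.0)
        else:
            # organization E perceives item 2 inversely to the others (non-common perception)
            l = -load if (kind ==  "noncommon" and i == 1) else load
            # mature pattern: answers lean away from neutral (0.5*l) and follow the latent attitude
            v = 3.0 + 0.5 * l + 0.9 * l * c + rng.gauss(0.0, 0.6)
        answers.append(int(min(5, max(1, round(v)))))
    return answers


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation; 0.0 when a series has no variance."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def level1_matrix(responses: List[List[int]]) -> List[List[float]]:
    """Level 1: correlation matrix of the questionnaire items for one organization."""
    cols = [[r[i] for r in responses] for i in range(ITEMS)]
    return [[pearson(cols[i], cols[j]) for j in range(ITEMS)] for i in range(ITEMS)]


def upper(m: List[List[float]]) -> List[float]:
    """The distinct pairwise dependencies: upper triangle without the diagonal."""
    return [m[i][j] for i in range(ITEMS) for j in range(i + 1, ITEMS)]


def level2_scores(matrices: Dict[str, List[List[float]]]) -> Dict[str, float]:
    """Level 2: correlation of each organization's pattern with the norm built from the others."""
    flat = {org: upper(m) for org, m in matrices.items()}
    scores = {}
    for org, own in flat.items():
        others = [v for o, v in flat.items() if o != org]
        norm = [sum(col) / len(col) for col in zip(*others)]   # element-wise mean pattern
        scores[org] = pearson(own, norm)
    return scores


def run_example(seed: int = 7, respondents: int = 300) -> Dict[str, object]:
    """Simulate five organizations (constructed) and return their matrices and culture scores."""
    rng = random.Random(seed)
    kinds = {"A": "mature", "B": "mature", "C": "mature", "D": "independent", "E": "noncommon"}
    matrices = {org: level1_matrix([respond(rng, k) for _ in range(respondents)])
                for org, k in kinds.items()}
    return {"matrices": matrices, "scores": level2_scores(matrices)}


if __name__ == "__main__":
    result = run_example()
    for org, s in result["scores"].items():
        print(f"organization {org}: safety culture score {s:+.2f}")
```

Note that the level-2 score is scale-free: it rewards an organization whose pairwise dependencies have the same sign pattern as the norm, not one whose respondents simply agree more, which is exactly the distinction the text draws against weighted-sum factor scores. D scores near zero because its matrix is noise, and E scores below A, B and C because the seven pairs involving the inversely perceived item carry the wrong sign.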

[Figure 7 (image not reproduced): scatter plot of Pd for Accidents against the safety culture indicator (average correlation between the matrices, 0 to 1), with the linear fit y = 366.5x − 197.6, R² = 0.53.]

Figure 7. Estimated linear dependency between accident statistics indicator and safety culture indicator.

[Figure 8 (image not reproduced): scatter plot of Pd for PSC findings against the safety culture indicator (0 to 1), with the linear fit y = 93.8x − 29.0, R² = 0.65.]

Figure 8. Estimated linear dependency between PSC indicator and safety culture indicator.

7 CONCLUSIONS

This study has presented and validated a new general safety measuring principle. In contrast to existing techniques, which treat the variables independently, the new approach focuses on the pattern of dependencies between variables. In addition to valid quantifications, it is stressed that the method is more in line with the conceptual understanding of organizational safety as well as definitions of safety culture.

It is believed that this method can be used as an alternative to existing safety standard measuring techniques. The technique requires several organizations to be measured on an identical scheme. In theory this scheme may contain any safety related variables. It is, however, especially fit for measuring safety culture maturity and aspects of safety management within organizations.



Application of a Bayesian approach to sequential life testing with an underlying Weibull model

D.I. De Souza Jr.
Industrial Eng. Lab., North Fluminense State University, Campos, RJ, Brazil
Fluminense Federal University, Civil Engineering Dept., Graduate Program, Niterói, RJ, Brazil

ABSTRACT: An example is used to illustrate a new Bayesian approach to sequential life testing proposed in a previous work by De Souza (2002). The underlying sampling distribution was the Weibull model. The intended Bayesian sequential life testing approach uses a posterior probability statement that is continually updated as new test data become available. Since the underlying sampling distribution was the two-parameter Weibull model, in order to find a final expression for the posterior distribution, some numerical procedure had to be applied. For formulating the prior information on the scale parameter θ of the Weibull sampling model, we have used the Type II Extreme Value distribution, and for formulating the prior information on the shape parameter β of the Weibull model, we have applied a Beta distribution, defined between two probabilistic limits (L, U). In a following article, we should present a truncation mechanism to the Bayesian sequential approach proposed in this paper.

1 INTRODUCTION

Life testing situations in which the product under analysis is a well-known one have been treated before by De Souza (1999, 2000, 2001a, 2001b). The Bayesian approach to sequential testing uses a posterior probability statement, which is continually updated as new data or information become available. In this work, an example is used to illustrate a new Bayesian approach to sequential life testing proposed in a previous work by De Souza (2002). The underlying sampling distribution was the Weibull model and the product under analysis had been recently modified in such a way that one of its main characteristics had experienced significant changes in its tensile strength value. The source of modification was in the product's chemical composition. The amount of Vanadium used in the product's chemical composition (0.08%) was replaced by Niobium (0.12%). Both components (Vanadium and Niobium) are used to increase a product's tensile strength resistance. In this work, we used the Type II Extreme Value distribution and the Beta distribution defined between two unknown limits for the prior information about the scale and shape parameters, respectively, of a Weibull model. Some numerical integration procedures (a combination of Simpson's 1/3 rule with Simpson's 3/8 rule in this work) had to be used for finding the posterior distribution. We provided rules for making one of the three possible decisions as each observation becomes available; that is: accept the null hypothesis H0, reject the null hypothesis H0 or obtain additional information by making another observation. In a following article, we should present a truncation mechanism to the Bayesian sequential approach proposed in this paper.

The Weibull density function is given by

(1)

2 PRIOR DISTRIBUTIONS

Most of the difficulties in performing a Bayesian life testing analysis concern the identification, selection and justification of the prior distribution. Such relevant questions as: "What sort of prior should I use?"; "What sources of data are available for selecting a prior model?"; or yet "How should I quantify the subjective information?"; must be addressed. If multiple sources of relevant data are available for use in the analysis, there is even a more fundamental issue that must be settled. It must be decided which data are to be used in fitting the prior distribution and which data are to be used in the likelihood function. This is not always an easy task. Traditionally, the softer and more subjective data sources have been allocated to the prior, whereas the harder and more objective sample test data have been used in the likelihood. The following example is from Martz & Waller (1982). "Suppose we are interested in Bayesian inferences about the frequency of core meltdown in commercial United States nuclear power reactors. Risk assessments have produced estimates of this event, which are available to us. There are usually somewhat subjective estimates based on analysis. In addition, there are historical operating data from the population of commercial power reactors, both within and outside the United States. There are also various historical data sources on noncommercial, such as military, power reactors. Which of these data sources should be used to fit a prior distribution is not clear cut and judgment must be exercised. It may even be decided to use certain subjective data sources in the likelihood portion of Bayes' theorem, as there is nothing inherent in Bayes' theorem that prohibits this usage".

Soland (1969) used a Gamma and a finite discrete prior distribution for the scale and shape parameters, respectively. A finite discrete prior distribution can assume only a finite number of values in a certain interval. Tsokos & Canavos (1972) developed fully ordinary as well as empirical Bayes estimators of the scale parameter and the reliability function with respect to the usual life testing procedures. The shape parameter was assumed to be known. Papadopoulos & Tsokos (1975) developed Bayesian point estimates of the scale and shape parameters and reliability function of the Weibull failure model. They also developed Bayes confidence bounds for the scale parameter under the assumption that the shape parameter was known. Furthermore, they obtained lower Bayes confidence bounds for the reliability function of the same model. For the prior information for the scale parameter two situations were considered: a) an inverted gamma prior pdf; b) a uniform prior pdf. They also investigated the case when wrong prior values are assumed for the scale parameter. Kamat (1977) developed a Monte Carlo simulation method for Bayesian estimation of reliability of systems with statistically independent two-state components. The time-to-failure distribution for each component was assumed to be Weibull with different parameter values for each one of the components. The shape parameter was assumed to be known, and the prior distribution for the scale parameter was the gamma model with known parameters. We could say that the Bayes approach to reliability evaluation for the Weibull distribution is relatively easy when the shape parameter is known. But when both shape and scale parameters are unknown, we have a more difficult problem. Erto & Rapone (1984) assumed respectively the Uniform and the Inverse Weibull distributions as prior information for the shape and scale parameters of a Weibull sampling population. According to Martz & Waller (1982), the Uniform distribution represents a state of total ignorance that is not characteristic of most life testing situations. However, when the Uniform model is used as a prior distribution, the resultant posterior distributions are usually tractable, and this fact helped to promote the Bayesian approach. Lamberson & De Souza (1987) used the Inverse Weibull and a Beta distribution defined between two unknown limits for the prior information about the scale and shape parameters, respectively, of a Weibull model. De Souza & Lamberson (1995) used, respectively, the Inverse Weibull and a Negative-Log Gamma distribution defined between two unknown limits for the prior information about the scale and shape parameters. De Souza (1997) used the Type II Extreme Value distribution and the Beta distribution defined between two unknown limits for the prior information about the scale and shape parameters, respectively, of a Weibull model. We will use these distributions here as the prior information for the Weibull θ and β parameters.

3 PRIOR DISTRIBUTION FOR THE SCALE PARAMETER

The Type II Extreme Value distribution was used here for formulating the prior information on the scale parameter θ of the Weibull sampling model. This Type II Extreme Value distribution has its density function (pdf) given by

(2)

This pdf has an expected value and variance given respectively by

(3)

(4)

The coefficient of variation for the scale parameter of the prior distribution for θ depends only on the shape parameter b and is given by

(5)


The coefficient of variation represents the percentage of error in the estimation of θ. The pre-selected value (0.10) for the coefficient of variation, although considered reasonable, is arbitrary and could be changed for different situations. Then

given b = 12. As an initial estimate of θ, the scale parameter of the Weibull sampling distribution, we will use an average θ0 value obtained from the failure times observed during life testing of the sample under analysis. We will apply the methodology presented in Appendix (1) to calculate this initial estimate θ0. Then, using equation (3) with the E(θ) replaced by θ0, we get

(6)

We have determined the values of the shape parameter b and scale parameter a of the Type II Extreme Value distribution. We shall now discuss the prior distribution for the shape parameter β.

4 PRIOR DISTRIBUTION FOR THE SHAPE PARAMETER β

The Beta model, defined between two probabilistic limits (L, U), proposed by Lamberson & De Souza (1987), was used for formulating the prior information on the shape parameter β of the sampling Weibull distribution. The Beta pdf is given by

(7)

As an initial estimate of β, the shape parameter of the Weibull sampling distribution, we will use an average β0 value obtained from the failure times observed during life testing of the sample under analysis. The methodology to calculate an initial estimate for β is given in Appendix (1). The mode of f(β) given by equation (7) can be obtained by taking the derivative of f(β) with respect to β and setting the resulting expression to zero. We propose that β0 be taken as the mode of the prior. Then, we have

(8)

The coefficient of variation is given by

(9)

Here, c is given by

(10)

Again, the pre-selected value (0.10) for the coefficient of variation, although considered reasonable, is arbitrary and could be changed for different situations. We now have the necessary quantities for the posterior distribution.

5 THE POSTERIOR DISTRIBUTION

According to De Souza (2002), letting t be the time to failure, and assuming that θ and β are independently distributed variables, the joint density function f(θ, β | t) was given by

(11)

The integral given by [A] is very similar to the one solved in De Souza & Lamberson (1995), and is equal to

(12)



Appendix (2) shows the solution of this integral. Then, if we substitute equation (12) into equation (11) we obtain

(13)

[B] was given before. Now, solving the integral in equation (13) by numerical methods, we will obtain a value of, let's say, M. Then, according to De Souza (2002), our expression for f(θ, β | t) becomes

(14)

6 SEQUENTIAL TEST

According to Kapur & Lamberson (1977), the hypothesis testing situations will be given by

A. For θ: H0: θ ≥ θ0; H1: θ < θ0

The test criterion was based on the posterior probability P(θ ≤ θ0). The probability of accepting H0 will be set at (1 − α) if P(θ ≤ θ0) ≤ α. If P(θ ≤ θ0) ≥ (1 − β), we will reject H0. In this case, the probability of accepting H0 will be set at a low level β. If it now happens that α < P(θ ≤ θ0) < 1 − β, we continue sampling.

B. For β: H0: β ≥ β0; H1: β < β0

Again, the test criterion was based on the posterior probability P(β ≤ β0). The probability of accepting H0 will be set at (1 − α) if P(β ≤ β0) ≤ α. If P(β ≤ β0) ≥ (1 − β), we will reject H0. In this case, the probability of accepting H0 will also be set at a low level β. If now α < P(β ≤ β0) < 1 − β, we continue sampling. Therefore, if the probabilities P(θ ≤ θ0) or P(β ≤ β0) become large, then we would suspect that H1 was the true hypothesis. When the decisions about these quantities θ0, θ1, β0, β1, α and β are made, the sequential test is totally defined.

The development of a sequential test uses the sequential probability ratio given by the following relationship (De Souza 1999) and (Kapur & Lamberson 1977).

(15)

Applying equation (15) to our present problem, we have

So, the continue region becomes A < SPR < B, where A = β/(1 − α) and B = (1 − β)/α. We will accept the null hypothesis H0 if SPR ≥ B and we will reject H0 if SPR ≤ A. Now, if A < SPR < B, we will take one more observation. Then, we will have

By taking the natural logarithm of each term in the above inequality and rearranging, we get

(16)


(17)

7 EXAMPLE

A new low alloy, high strength steel product will be life tested. Since this is not a well-known product, some preliminary life testing was performed in order to determine possible estimated values for the shape and scale parameters of its sampling distribution. It will be assumed here that a Weibull model could represent its sampling distribution. In this preliminary approach, a set of 20 items was life tested, with the testing being truncated at the moment of occurrence of the eighth failure. Table 1 shows the failure time data (tensile strength units, tsu) from the preliminary life testing. The failure times are arranged in order to facilitate the use of the estimation model described in Appendix (1).

We want to determine initial estimates of θ and β, the parameters of the Weibull underlying distribution. Using equations (A1), (A2) and (A3) derived in Appendix (1), we obtained 28 possible failure time combinations, resulting in 28 estimators of β. The average β value obtained from these 28 estimators was 2.7427845 and, after some sensitivity analysis, we arrive at the β estimator of 2.5127671.

Table C1, included in Appendix (3), shows the results of this computation. We will use this estimated β value (2.5127671) to calculate an estimator of the scale parameter θ. Using equation (A1) and the 8 failure times listed in Table 1, we obtain the final θ estimator of 88.72238 tsu.

A sequential life testing was then performed with this new steel product. We elect the null hypothesis parameters to be θ0 = 88.72238 tsu; β0 = 2.512767; with α = 0.05 and β = 0.10 and choose some possible values for the alternative parameters θ1 and β1. So, we choose θ1 = 95 hours and β1 = 1.75. We also choose L = β0 − 1 = 1.512767 and U = β0 + 1 = 3.512767. With b = 12, and using equations (6), (8) and (10), we obtain a = 84.0540; c = d = 6.439209. Then, using equations (16) and (17), we have:

The procedure is then defined by the following rules:

1. If X ≥ 3.270022 n + 2.2512918, we reject H0.
2. If X ≤ 3.270022 n − 2.8903718, we accept H0.
3. If 3.270022 n − 2.8903718 < X < 3.270022 n + 2.2512918, we will take one more observation.

Table 2 and Figure 1 show the results of this test. According to De Souza (2000), this sequential life testing procedure has been shown to be sensitive to "wrong" choices for the null shape and scale parameter values. In the fourth case presented in the example from that paper, even after the observation of 20 failure times, it was not possible to make the decision of accepting or rejecting the null hypothesis. The solution encountered for that situation was the development of a truncation mechanism for the life testing procedure. So, we carried out several life testing simulations with different alternative parameter values to find out if our calculated null parameter values could lead to a situation in which such a mechanism would be needed. Figure 1 shows the "worst case scenario", in which 13 units had to be life-tested to allow the decision of accepting the null hypothesis.

Table 1. Failure Time Data (tsu) for the Life Testing Situation.

27.2  34.7  44.3  49.6  55.8  58.2  60.4  69.6

Table 2. Sequential test results for the Weibull model (β1 = 1.75; θ1 = 95 tsu; β0 = 2.512767; θ0 = 88.72238 tsu).

Unit number   Failure time (tsu)   Lower limit   Upper limit   Value of X
 1            57.92                 0.379650      5.521314      3.174310
 2            86.62                 3.649672      8.791336      6.486675
 3            67.91                 6.919694     12.06136       9.749080
 4            56.00                10.18972      15.33138      12.90139
 5            99.89                13.45974      18.60140      16.15800
 6            32.30                16.72976      21.87142      18.88111
 7            43.84                19.99978      25.14145      21.85307
 8            68.79                23.26980      28.41147      25.12116
 9            25.80                26.53983      31.68149      27.65772
10            31.96                29.80985      34.95151      30.37205
11            73.27                33.07987      38.22153      33.66398
12            91.86                36.49892      41.49157      36.96351
13            29.12                39.61991      44.76158      39.60056
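The decision rules of this section run over the Table 2 failure times, as an added example that is not the author's code. Equations (16) and (17) are absent from the page, so the per-observation contribution to X is assumed to be the data-dependent part of the Weibull log-likelihood ratio, (β0 − β1) ln t − (t/θ0)^β0 + (t/θ1)^β1, which reproduces the "Value of X" column; the constant 3.270022 and the offsets ln A and ln B are taken from rules 1 to 3 and from the continue region of Section 6.

```python
"""Sequential test of Section 7 run over the Table 2 failure times.

Added worked example, not the author's code. Assumption: the per-observation
increment of X is the data-dependent part of the Weibull log-likelihood ratio,
    (beta0 - beta1) ln t - (t/theta0)^beta0 + (t/theta1)^beta1,
which reproduces the "Value of X" column of Table 2; the constant 3.270022 n
and the offsets ln A, ln B come from the page's rules 1-3.
"""
import math
from typing import List, Tuple

# Null and alternative Weibull parameters chosen in Section 7 (scale theta, shape beta).
THETA0, BETA0 = 88.72238, 2.512767
THETA1, BETA1 = 95.0, 1.75
ALPHA, BETA_RISK = 0.05, 0.10       # producer's and consumer's risks
K = 3.270022                        # per-observation constant in rules 1-3

# Failure times (tsu) in test order, copied from Table 2.
TABLE2_TIMES = [57.92, 86.62, 67.91, 56.00, 99.89, 32.30, 43.84, 68.79,
                25.80, 31.96, 73.27, 91.86, 29.12]


def log_bounds(alpha: float, beta_risk: float) -> Tuple[float, float]:
    """ln A and ln B for the continue region A < SPR < B,
    with A = beta/(1 - alpha) and B = (1 - beta)/alpha as in Section 6."""
    return math.log(beta_risk / (1.0 - alpha)), math.log((1.0 - beta_risk) / alpha)


def x_increment(t: float, theta0: float = THETA0, beta0: float = BETA0,
                theta1: float = THETA1, beta1: float = BETA1) -> float:
    """Contribution of one failure time t to the statistic X (assumed form, see docstring)."""
    return ((beta0 - beta1) * math.log(t)
            - (t / theta0) ** beta0
            + (t / theta1) ** beta1)


def limits(n: int, k: float, ln_a: float, ln_b: float) -> Tuple[float, float]:
    """Accept (lower) and reject (upper) limits on X after n observations.
    ln A is negative, so n*k - ln A is the 'n 3.270022 + 2.2512918' of rule 1."""
    return n * k - ln_b, n * k - ln_a


def run_sequential_test(times: List[float], alpha: float = ALPHA,
                        beta_risk: float = BETA_RISK, k: float = K):
    """Apply rules 1-3 observation by observation.

    Returns (decision, n, rows) where rows holds
    (unit number, failure time, lower limit, upper limit, X) for every unit tested."""
    ln_a, ln_b = log_bounds(alpha, beta_risk)
    x = 0.0
    rows = []
    for n, t in enumerate(times, start=1):
        x += x_increment(t)
        lower, upper = limits(n, k, ln_a, ln_b)
        rows.append((n, t, lower, upper, x))
        if x >= upper:                  # rule 1
            return "reject H0", n, rows
        if x <= lower:                  # rule 2
            return "accept H0", n, rows
    return "continue", len(times), rows  # rule 3 still holds after the last unit


if __name__ == "__main__":
    decision, n, rows = run_sequential_test(TABLE2_TIMES)
    print("unit  time(tsu)   lower      upper      X")
    for unit, t, lo, hi, x in rows:
        print(f"{unit:>4}  {t:8.2f}  {lo:9.6f}  {hi:9.6f}  {x:9.6f}")
    print(f"decision after {n} units: {decision}")
```

The printed rows match Table 2 to the fifth decimal, and the accept decision falls on unit 13, where X first drops below the lower limit.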

8 CONCLUSION

The intended Bayesian sequential life testing approach uses a posterior probability statement that is continually updated as new test data become available. Since the underlying sampling distribution was the two-parameter Weibull model, in order to find a final expression for the posterior distribution, some numerical procedure had to be applied. In a following article, we should present a truncation mechanism to the Bayesian sequential approach proposed in this paper.

The Bayesian sequential life testing approach developed in this work provides rules for working with the null hypothesis H0 in situations where the underlying sampling distribution is the Weibull model. After each observation one of three possible decisions is made:

a. Accept the null hypothesis H0.
b. Reject the null hypothesis H0.
c. Take one more observation.

The practical estimation procedure presented in Appendix (1) was able to produce reasonable estimates for the shape and scale parameters of the underlying Weibull sampling distribution. In fact, it was necessary to test only 13 units of the product under analysis to reach the decision to accept the null hypothesis H0 (θ0 = 88.72238 tsu; β0 = 2.512767).

Again, we would like to state that we are aware of the fact that the use of Bayesian statistics in sequential life testing is not yet a well-defined process, and that it requires a certain level of knowledge about quantification of the parameters of the prior distributions, as well as of the underlying Weibull sampling distribution. Nevertheless, those willing to use this model will find it to be a reasonably defined alternative for use in the decision procedure in industrial applications.

REFERENCES

De Souza, Daniel I. 2002. The Bayesian Approach to Sequential Testing with an Underlying Weibull Model. European Conference on System Dependability and Safety, ESREL 2002 Conference, Lyon, France, 18–21 March 2002; 2: 617–621.

De Souza, Daniel I. 2001a. Truncation Mechanism in a Sequential Life Testing Approach with an Underlying Two-Parameter Inverse Weibull Model. COMADEM 2001 Conference, Andrew G. Starr and Raj B.K. Rao (eds), Manchester, U.K., 4–6 September 2001, 809–816, Elsevier Science.

De Souza, Daniel I. 2001b. Sequential Life Testing with a Truncation Mechanism for an Underlying Weibull Model. Towards a Safer World, ESREL 2001 Conference, Zio, Demichela & Piccinini (eds), Torino, Italy, 16–20 September 2001; 3: 1539–1546, Politecnico Di Torino.

De Souza, Daniel I. 2000. Further Thoughts on a Sequential Life Testing Approach Using a Weibull Model. Foresight and Precaution, ESREL 2000 Conference, Cottam, Harvey, Pape & Tait (eds), Edinburgh, Scotland, 14–17 May 2000; 2: 1641–1647, Rotterdam: Balkema.

De Souza, Daniel I. & Lamberson, Leonard R. 1995. Bayesian Weibull Reliability Estimation. IIE Transactions, Vol. 27, Number 3, 1995, 311–320, USA.

De Souza, Daniel I. 1997. Bayesian Weibull 2-Parameters Estimation. I International Congress of Safety Engineering, Accessibility and Risk Management, SEGRAC 97, Universidade Federal do Rio de Janeiro (eds), 13–17 October 1997, 5–16, Rio de Janeiro, Brazil.

Erto, P. & Rapone, M. 1984. Non-Informative and Practical Bayesian Confidence Bounds for Reliable Life in the Weibull Model. Reliability Engineering 7, 181–191, USA.

Kamat, S.J. 1977. Bayesian Estimation of System Reliability for Weibull Distribution Using Monte Carlo Simulation. The Theory and Applications of Reliability, 123–131.

Kapur, Kailash & Lamberson, Leonard R. 1977. Reliability in Engineering Design. John Wiley & Sons, Inc., 1977, USA.

Lamberson, Leonard R. & De Souza, Daniel I. 1987. Bayesian Weibull Estimation. 1987 ASQC Quality Congress Transactions, April 14–17, Minneapolis, 1987, pp. 497–506, USA.

Martz, H.F. & Waller, R. 1982. Bayesian Reliability Analysis. John Wiley & Sons, Inc., USA.

Papadopoulos, A.S. & Tsokos, C.P. 1975. Bayesian Confidence Bounds for the Weibull Failure Model. IEEE Transactions on Reliability, Vol. R-32, N1, April, 21–26.

Figure 1. Sequential probability ratio results for the Weibull model (cumulative test time plotted against number of items tested, 0 to 14, with the REJECT H0 and ACCEPT H0 regions marked).

Soland, R.M. 1969. Bayesian Analysis of the Weibull Process with Unknown Scale and Shape Parameters. IEEE Transactions on Reliability, 18(4), 181–184.

Tsokos, C.P. & Canavos, G.C. 1972. Bayes Concepts for the Estimation of Reliability in the Weibull Life Testing Model. Int. Stat. Rev., Vol. 40, N2, 153–160.

APPENDIX 1

Initial Estimators for the Parameters θ and β of a Weibull Sampling Distribution.

From equation (1), we have

Solving the above equation in terms of θ and β we will get

(A1)

(A2)

Thus, given the failure times tr1, tr2, …, trn from a random sample of n items (i ≤ n − 1), in order to calculate the surviving percentage of the population at the moment of occurrence of failure number ri, we should obtain the following

(A3)

Here, ri/n indicates the failing percentage of the population until time tri. Then, R(tri) = 1 − ri/n indicates the surviving percentage of the population until time tri. So, to estimate values for the two parameters θ and β of a Weibull sampling distribution, we need only calculate two failing percentages of the population being tested, and apply (A1) or (A2). As an example, if we have a sample size of 9 items, n = 9, with truncation of the test at the moment of occurrence of the sixth failure, and we decide to use failures number 1 and 4, the reliability function values R(tri) for failures 1 and 4 will be given by

Using equation (A1), we will have

Using the failure time values tr1 and tr4, and solving the above system of two equations, we will get estimated values for θ and β. We could combine any two of the failure times and obtain estimators for the two parameters. For example, a sample with six failures will allow a total of 6 × 5/2 = 15 possible combinations of failure times, each one of the combinations allowing an estimator for θ and an estimator for β. Now, if we remove all possible "outliers" or "freak" values, we could then utilize the average of the values θ and β as preliminary estimators of these two parameters. After that, we should perform a sensitivity analysis with each one of the failure time combination results, discarding the ones which have values that are very different from the average values. Here, tri will be used to represent the failure time ri.

This proposed practical approach allows determination of initial estimates for the shape parameter β and for the scale parameter θ of a Weibull sampling distribution, and for an initial failure time tR.

APPENDIX 2

Solving the integral

So, when U → 0, θ → ∞; when U → ∞, θ → 0. Then, we will have


(B1)


(B2)

More precisely;

(B3)

If we insert the value of (A), given by equation (B3), into equation (B2), we get

Now, consider the term

As U → ∞, e^(−U) = 1/e^U → 0 faster than U^(E−k) increases, and so the term tends to 0. As U → 0, U^(E−k) → 0 and so the term tends to zero again. Then, (X) becomes

As we know, the following two series are equal:

Then, the expression for (X) becomes

As we recall, U = (a/θ)^b. From equation (3), we have E(θ) = θ = aΓ(1 − (1/b)).

When b > 1, the minimum value that Γ(1 − (1/b)) could have occurs when the term 1/b goes to zero. So, Γ(1 − (1/b)) ≥ 1. Then, in any practical application, since θ = aΓ(1 − (1/b)), we can see that θ ≥ a. Therefore, U = (a/θ)^b ≤ 1.

The value E = nβ/b in any life testing situation could vary, say, from 2 to a maximum of 7. For practical purposes, when the value of E is not an integer, it will be approximated to the next largest one. Now, even if the value of E is small, for example 3, and since U ≤ 1, we can see that

(B4)

Then, if we use this practical approximation in (X), we obtain


where the integral

With E = nβ/b, we have (X) = (1/(b a^(nβ−b)))(nβ/b)!. The integral finally becomes

(B5)

APPENDIX 3

Table C1 – Estimator results for β (first analysis). Sample size = 20; number of failures = 8.

27.2  34.7  44.3  49.6  55.8  58.2  60.4  69.6

Beta (1, 2) 2.9558964        Beta (1, 3) 2.3643108
Beta (1, 4) 2.4472690        Beta (1, 5) 2.3996651
Beta (1, 6) 2.5494221        Beta (1, 7) 2.6674838
Beta (1, 8) 2.44463564       Beta (2, 3) 1.7744746
Beta (2, 4) 2.1005596        Beta (2, 5) 2.1145173
Beta (2, 6) 2.3580143        Beta (2, 7) 2.5407629
Beta (2, 8) 2.2680803        Beta (3, 4) 2.8053410
Beta (3, 5) 2.4743857        Beta (3, 6) 2.8802800
Beta (3, 7) 3.1445028        Beta (3, 8) 2.5349375
Beta (4, 5) 2.1568527        Beta (4, 6) 2.9332434
Beta (4, 7) 3.3390597        Beta (4, 8) 2.4447379
Beta (5, 6) 5.1047568 (E)    Beta (5, 7) 5.0968520 (E)
Beta (5, 8) 2.5981742        Beta (6, 7) 5.0878804 (E)
Beta (6, 8) 2.0080782        Beta (7, 8) 1.2020698 (E)

First sum = 76.79797; First β estimator = 2.7427845. Number of combinations = 28; (E) = combination to be eliminated from computation.

β ± 50% β = 2.7427845 ± 1.3713923 = (1.3713923; 4.1141768).

Number of combinations to be excluded from computation = 4.

Final number of combinations used to calculate β = 24; Final sum = 60.306411.

Final β estimator = 2.5127671.

Table C2 – Estimator results for θ (first analysis). Sample size = 20; number of failures = 8.

27.2  34.7  44.3  49.6  55.8  58.2  60.4  69.6

β estimator used to calculate θ = 2.5127671

THETA(1) 88.69988    THETA(2) 84.97126
THETA(3) 91.29320    THETA(4) 90.09984
THETA(5) 91.61559    THETA(6) 87.72109
THETA(7) 84.44817    THETA(8) 90.93002

First sum = 709.779052; Final θ estimator = 88.72238; Number of combinations = 8.
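The Appendix 1 estimation procedure applied to the Table 1 failure times, as an added example that is not the author's code; it reproduces the Table C1 and C2 figures above. Equations (A1) to (A3) are absent from the page, so the closed forms used here are assumed: solving R(t) = exp(−(t/θ)^β) at two failure fractions R(tr) = 1 − r/n gives β = ln[ln(1/R1)/ln(1/R2)]/ln(t1/t2), and then θ = t/(ln(1/R))^(1/β) for each failure.

```python
"""Appendix 1 estimators for the Weibull shape (beta) and scale (theta) parameters.

Added worked example, not the author's code: it applies the two-failure-fraction
method of Appendix 1 to the Table 1 failure times and reproduces Tables C1 and C2.
Assumption: (A1)-(A3), absent from the page, are the closed-form solution of
R(t) = exp(-(t/theta)^beta) at two failure fractions R(t_r) = 1 - r/n.
"""
import math
from itertools import combinations
from typing import Dict, List, Tuple

# Table 1: ordered failure times (tsu); 20 items on test, truncated at the 8th failure.
FAILURE_TIMES = [27.2, 34.7, 44.3, 49.6, 55.8, 58.2, 60.4, 69.6]
SAMPLE_SIZE = 20


def survival_fraction(r: int, n: int) -> float:
    """(A3): fraction of the population still surviving at the moment of failure number r."""
    return 1.0 - r / n


def beta_from_pair(t1: float, r1: int, t2: float, r2: int, n: int) -> float:
    """Shape estimate from two failures: equating exp(-(t/theta)^beta) to R at both
    times and dividing gives beta = ln[ln(1/R1) / ln(1/R2)] / ln(t1/t2)."""
    y1 = math.log(1.0 / survival_fraction(r1, n))   # equals (t1/theta)^beta
    y2 = math.log(1.0 / survival_fraction(r2, n))   # equals (t2/theta)^beta
    return math.log(y1 / y2) / math.log(t1 / t2)


def theta_from_failure(t: float, r: int, n: int, beta: float) -> float:
    """Scale estimate from one failure, given beta: theta = t / (ln(1/R))^(1/beta)."""
    return t / math.log(1.0 / survival_fraction(r, n)) ** (1.0 / beta)


def estimate_beta(times: List[float], n: int, band: float = 0.5):
    """Table C1 procedure: average every pairwise estimator, drop the ones outside
    mean*(1 - band) .. mean*(1 + band) (the paper's +/-50% rule), re-average the rest.

    Returns (first_mean, final_mean, kept, dropped) with kept keyed by failure pair."""
    ests: Dict[Tuple[int, int], float] = {}
    for (i, t1), (j, t2) in combinations(enumerate(times, start=1), 2):
        ests[(i, j)] = beta_from_pair(t1, i, t2, j, n)
    first_mean = sum(ests.values()) / len(ests)
    lo, hi = first_mean * (1.0 - band), first_mean * (1.0 + band)
    kept = {pair: b for pair, b in ests.items() if lo <= b <= hi}
    dropped = sorted(pair for pair in ests if pair not in kept)
    final_mean = sum(kept.values()) / len(kept)
    return first_mean, final_mean, kept, dropped


def estimate_theta(times: List[float], n: int, beta: float):
    """Table C2 procedure: one theta estimate per observed failure, then their average."""
    thetas = [theta_from_failure(t, r, n, beta) for r, t in enumerate(times, start=1)]
    return sum(thetas) / len(thetas), thetas


if __name__ == "__main__":
    first, final, kept, dropped = estimate_beta(FAILURE_TIMES, SAMPLE_SIZE)
    theta, thetas = estimate_theta(FAILURE_TIMES, SAMPLE_SIZE, final)
    print(f"first beta estimator {first:.7f} from {len(kept) + len(dropped)} pairs")
    print(f"eliminated pairs {dropped}; final beta estimator {final:.7f}")
    print("theta per failure:", ", ".join(f"{x:.5f}" for x in thetas))
    print(f"final theta estimator {theta:.5f} tsu")
```

The four eliminated pairs are exactly the (E) entries of Table C1, and the averages agree with the tabulated 2.7427845, 2.5127671 and 88.72238 to the rounding used in the appendix.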


Establishing steel rail reliability by combining fatigue tests, factorial experiments and data transformations

D.J. Stewardson, Industrial Statistics Research Unit, University of Newcastle, UK

M.F. Ramalhoto, Mathematics Department, Instituto Superior Tecnico, Portugal

L.F.M. da Silva, Instituto de Engenharia Mecanica e Gestao Industrial, Universidade do Porto, Portugal

L. Drewett, Corus Group UK

ABSTRACT: This paper demonstrates a combination of the use of Factorial Experiments, Material Test Failure Analysis, Data Transformations and Plots of Residual Errors from "moving" Regression curves to determine the nature of Fatigue Crack Growth Rate in steel rails. Fatigue cracks in rails are a particular problem in Europe and a major threat to passenger safety. The project was intended to harmonise results under the current EC standard for determining crack growth rates, and hence the reliability, of a particular grade of steel railway line. Previous studies had shown considerable scatter between both the testing laboratories and the rail manufacturers. The consortium used fractional factorial designs to establish the effect of various nuisance variables that were thought to be responsible for much of the scatter. Two stages, screening and secondary, involving six laboratories produced results that were subjected to novel graph based analytic techniques that led to major recommendations to the European Standards Bodies. The results also pointed to a new way to determine changes in growth rate generally when a mechanical test is applied to steel. It was well known that there are three stages of growth rate in steel rails, but finding the change points from stage to stage had always been a problem. First and third stage growth can be either faster or slower than second stage rates but are highly unpredictable both in appearance, duration and magnitude. This leads to difficulty in describing failure rates and hence the quality of the rails. The paper shows how the application of a combination of statistical techniques with accelerated testing led to a new robust method of determining the change points and better estimates of the second stage growth rates. This in turn leads to effective ways of monitoring the output from steel production and the calibration of test equipment. The findings can be used to estimate the relative lifetime of steel rails under normal operating conditions.

1 INTRODUCTION

The work described here was conducted by a consortium of Partners funded by the European Commission under the Standards Measurements and Testing programme of the European 4th Framework programme. The purpose of this work was to determine the effects of stress ratio and relative humidity on the fatigue crack growth rates measured in grade 260 rail steel. The objective relates to the need to verify the procedures and specifications in a draft European Rail Standard, and to measure the scatter in fatigue crack growth rates measured in six laboratories under conditions specified in the draft. Approximately 75% of the rails currently produced for use in Europe are 260 grade. The setting of acceptance limits for qualifying tests on rails requires that the scatter between results due to the test procedure is sufficiently small so that the test can identify acceptable rails and reject unacceptable ones. A previous exercise carried out to determine acceptance limits found that there were considerable differences in results between laboratories, which resulted in

09048-S-19.qxd 5/15/03 1:04 AM Page 1497

Page 62: paper126c-balkema

apparently acceptable rails failing the proposed specification. The cause of these differences needs to be identified so that a verified test procedure and acceptance limits can be written into the standard.

The rails from four manufacturers were machined to produce ten single edge-notched bend specimens from each rail, as described in the draft standard. The research was split into two parts. Part 1 determined the effects of rail source, laboratory, stress ratio at values of 0.2 and 0.5, and relative humidity at levels of ≤10%, 35% and 60%. Stress ratio refers to the ratio of the minimum to the maximum load applied in each cycle to a sample; a ratio of 0.5 means that the maximum load is double the minimum. Part 2 tests were carried out under a fixed stress ratio of 0.5, with cyclic test frequency in the range 10–120 Hz added as a factor in the experimental design. Temperature and relative humidity were recorded but not controlled in this stage. Test frame and crack monitoring details were also recorded, but not explicitly studied.

2 TEST PROCEDURE

Rails were supplied by four European rail manufacturers and ten specimens were machined from each of the four. All of the specimens were machined by the same facility using standardised conditions. The experimental design for the Part 1 tests was set up as shown below (Table 1). Humidity was investigated at three levels, Stress Ratio at two only. There were only 5 samples available from each manufacturer due to budgetary constraints. Because there are 4 manufacturers this design is based on a half fraction of an L32 (see for example Grove and Davis 1992) plus some centre point combinations. These centre point combinations represent a one-quarter fraction of the 16 possible centre combinations.

In fact the factorial part of the plan can be designated under the notation 4^m 2^(n-p) as discussed in Ankenman (1999). In that case this is a 4^1 2^(3-1) resolution IV design. That means that no main effect estimate or any two-factor interaction estimates are confounded and thus inestimable. The design was intended to be able to accommodate one or two further factors if required, without changing the structure of the design. This was because the partners in the work, the labs, were competitors and it was not clear from the outset that every potential factor could be included, yet the design had to be agreed in advance and was embedded within the contract! In the event, the new factors could not be controlled in practice. If it were not for our wanting to accommodate two potential factors, the design would have been slightly different, and thus a resolution V design, but no great loss of efficiency occurred. A fuller discussion of the different designs is given in Stewardson (2000).

In the stage 1 experimental design in Table 1, the extra centre points are there to establish if the humidity levels had a non-linear effect on results. The centre points considered separately are themselves a heavily saturated design, an L4 or 2^2 of Stress ratio and Laboratories but with humidity fixed at 35% and with each of the 4 runs allocated to a different manufacturer. Analysis of the factorial part was completed separately from these additional points.

The Labs reported their calculated values of crack growth rate, da/dN, and the stress intensity factor range, ΔK, for each test performed. The growth rate da/dN is simply the ratio of the measured change in crack length divided by the number of cycles that this was recorded over. The calculation of ΔK is based upon the stress ratio and the size of the sample as well as a number of correction factors that depend upon the relationship between the size of sample and the crack length achieved at each point. The associated formulae are somewhat complex and are beyond the scope of this paper.

Each laboratory reported the values of crack length against the number of cycles and the loads applied (see Figure 1 for a plot of da/dN vs ΔK from a typical test result).

The plot of da/dN vs ΔK has a roughly straight curve if plotted on a log–log scale (see Figure 2 for a graph of log(da/dN) vs log(ΔK) for the data of

1498

Table 1. First stage experimental array.

Design Factor Settings

Test   Rail Maker   Lab   % Humidity   Stress Ratio

Factorial Points
A1     1            B     60%          0.5
A2     1            A     ≤10%         0.5
A3     1            A     60%          0.2
A4     1            B     ≤10%         0.2
A6     2            A     60%          0.5
A7     2            B     ≤10%         0.5
A8     2            B     60%          0.2
A9     2            A     ≤10%         0.2
A11    3            A     60%          0.5
A12    3            B     ≤10%         0.5
A13    3            B     60%          0.2
A14    3            A     ≤10%         0.2
A16    4            B     60%          0.5
A17    4            A     ≤10%         0.5
A18    4            A     60%          0.2
A19    4            B     ≤10%         0.2

Centre Points
A5     1            A     35%          0.5
A10    2            A     35%          0.2
A15    3            B     35%          0.5
A20    4            B     35%          0.2


Figure 1). Some problems were experienced: in two cases, fracture of the specimen occurred during pre-cracking. When this happened a sub-size test piece was machined from one of the broken halves of the original test piece and re-tested.

Following the first stage findings (see below), the second stage tests involved five more specimens, tested in each of four more laboratories under a stress ratio of 0.5, with temperature in the range +15 to +25°C, and cyclic test frequency in the range 10–120 Hz. The laboratory air environment was recorded but not controlled. These were all the factors still thought to be potentially important by that stage. In the second stage each laboratory tested at least one specimen from each of the four rail manufacturers included in the study.

The unbalanced nature of the design, derived from the budget limitations inherent in the project, is discussed in Stewardson (2000), but in the event no other factor was found to be significant, although Humidity does merit further investigation.

Four different methods of monitoring crack growth were used: direct current potential drop, compliance of the test piece, fractomat gauges, and optical microscope. The first three techniques give a continuous output for determining the crack length, but the optical method, in this case, required interruptions to the test overnight. Details of interruptions were recorded as required in BS 6835: 1988. A complete description of this from an engineering standpoint is given in Da Silva (2003).

3 DATA ANALYSIS

The data were analysed in terms of the log(da/dN) vs log(ΔK) relationship. This is approximately a straight line when the crack growth rate is stable (as in the middle part of Figure 2) and can be assessed, or broken down, into the slope, the intercept and the residual error. Residual error is a measure of the “scatter” or uncertainty around this straight line that is fitted to the data, added to any lack of fit between the data and the straight line. This lack of fit is an indication of the validity of using a straight line at all. It is possible, at least partially, to separate these two components of error or uncertainty (see for example Davies and Goldsmith 1972). The data from each test could be separated into “sections” that represent different rates of change (or slopes). These may or may not indicate two or more of the three known stages in crack growth. There was strong evidence that these growth stages did appear in the data and could be separated by use of the analysis of the scatter apparent within each section of data. For example, in the third, most unstable, growth stage the growth rate may either accelerate or slow down. Acceleration may be due to cleavage bursts and slowing may be due to blunting of cracks after cleavage bursts, and if data associated with these problems is included then this will tend to cause an underestimate or overestimate of the true slope related to the underlying growth rate.

Thus the importance of using data sections in the analysis is that it is possible to get a greater, or lesser, growth rate than the more stable second stage growth rate in either of stages one or three. If all the data from a test is used to estimate the quality of the rails then results could be unreliable. Second stage growth tends to represent the “true” status of the rail quality. Table 2 shows the various responses discussed here, including two versions for calculating da/dN. The version denoted (1) is the current standard BS 6835: 1988; version (2) is a possible improvement.

There are a number of ways to successfully split the data into sections. One way is to calculate a moving


[Figure 1: plot “Crack length v Cycles”, crack length a (mm) against cycles N]

Figure 1. Typical plot of da/dN vs ΔK.

[Figure 2: plot “Fatigue crack growth rate”, crack growth rate da/dN (m/cycle) against stress intensity factor range ΔK (MPa·m^0.5), log–log axes]

Figure 2. Plot of Figure 1 data on a log–log scale: log(da/dN) vs log(ΔK).


regression line, with 5 data points used in each, right through the data and plot the results. The plots could be of either the slope, or perhaps more usefully, the residual or mean error.

An example is shown to illustrate the effect. The plot in Figure 3 shows the mean error associated with the regression lines of log(da/dN) vs log(ΔK), each based on 5 points only, calculated through the data for the test A2. The (2) denotes that da and dN had been calculated without first smoothing the data as done in BS 6835 (see Table 2).

The first two and the last two points on the plot show greater levels of error. This indicates increased lack of fit, or scatter, at the beginning and end.

The second plot (Figure 4) shows the slope coefficients for the same data. It is now clear that the early increased error (in Figure 3) was probably scatter due to an “outlier” or unusual result, because the slope estimate (Figure 4) is seen to drop for only one point on the plot. The later increase in error was, however, due to a change (a fall) in the measured crack growth rate, possibly due to an arrest after cleavage bursts. This change shows up on the slope plot (Figure 4) as a fall in the final 3 points. It is clear that there are at least 2 stages represented in the data.

In the plot of S (Figure 3), the increased error at the end of the data is due to an increase in the “lack of fit”. The more “stable” period in the middle of the plot demonstrates the minimum lack of fit, plus background (or pure) error, however much that is.

Not all the plots were as clear cut as the example given and it is possible to use more sophisticated methods to determine where a cut should be made, if any. These methods could involve the use of formal statistical formulae, or even simple, but effective, probability plots, such as Half-Normal plots.
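The moving-regression procedure just described, as an added worked example that is not the consortium's own code: both da/dN versions from the note to Table 2 are computed from a constructed crack length record, then 5-point log–log regressions give the slope and mean error S of every window, the stable (stage II) run of windows is picked with an assumed cut-off on S, and the stage II slope is refitted on those points only. The crack growth records, the cut-off value and the arrest/burst factors are all constructed for the example.

```python
"""Change points in fatigue crack growth data from moving 5-point regressions
of log(da/dN) vs log(dK). Added example; data and cut-off are constructed."""
import math

# Constructed record (not the paper's data): crack length a (mm) against
# cycles N for five readings, used to show the two da/dN versions of Table 2.
A_MM = [14.0, 14.5, 15.1, 15.8, 16.6]
N_CYCLES = [100_000, 120_000, 140_000, 160_000, 180_000]


def dadn_secant(a, n):
    """Version (1), BS 6835 clause 10: (da/dN)_i = (a_{i+1}-a_{i-1})/(N_{i+1}-N_{i-1}).
    One value per interior reading (i = 1 .. len-2); smooths over three readings."""
    return [(a[i + 1] - a[i - 1]) / (n[i + 1] - n[i - 1]) for i in range(1, len(a) - 1)]


def dadn_point_to_point(a, n):
    """Version (2): (da/dN)_i = (a_i - a_{i-1})/(N_i - N_{i-1}), i = 1 .. len-1, no smoothing."""
    return [(a[i] - a[i - 1]) / (n[i] - n[i - 1]) for i in range(1, len(a))]


def ols(xs, ys):
    """Least-squares line y = b0 + b1*x. Returns (slope, intercept, S), where S is the
    residual standard error sqrt(RSS / (k - 2)): the 'mean error' plotted in Figure 3."""
    k = len(xs)
    mx, my = sum(xs) / k, sum(ys) / k
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    rss = sum((y - intercept - slope * x) ** 2 for x, y in zip(xs, ys))
    return slope, intercept, math.sqrt(rss / (k - 2))


def moving_fits(dk, dadn, window=5):
    """(slope, S) of log10(da/dN) vs log10(dK) for every run of `window` consecutive points."""
    xs = [math.log10(v) for v in dk]
    ys = [math.log10(v) for v in dadn]
    fits = []
    for i in range(len(xs) - window + 1):
        slope, _, s = ols(xs[i:i + window], ys[i:i + window])
        fits.append((slope, s))
    return fits


def stable_section(fits, window=5, s_max=0.02):
    """Longest run of consecutive windows whose S stays below s_max (an assumed cut-off in
    log10 units; the paper picks the cut by eye or with half-normal plots).
    Returns (first_point, last_point), inclusive, of the data covered by that run."""
    best, run_start, run_len = None, None, 0
    for i, (_, s) in enumerate(fits + [(0.0, float("inf"))]):  # sentinel closes the last run
        if s < s_max:
            if run_start is None:
                run_start = i
            run_len += 1
        else:
            if run_start is not None and (best is None or run_len > best[1]):
                best = (run_start, run_len)
            run_start, run_len = None, 0
    if best is None:
        return None
    first, n_windows = best
    return first, first + n_windows + window - 2


def stage2_slope(dk, dadn, window=5, s_max=0.02):
    """Slope of the log-log line refitted to the stable (stage II) points only."""
    section = stable_section(moving_fits(dk, dadn, window), window, s_max)
    if section is None:
        return None
    lo, hi = section
    xs = [math.log10(v) for v in dk[lo:hi + 1]]
    ys = [math.log10(v) for v in dadn[lo:hi + 1]]
    return ols(xs, ys)[0]


# Constructed da/dN vs dK record: stage II exactly on a Paris line with exponent 4
# (the mean slope the paper reports for R = 0.5), then a cleavage burst (x1.8)
# followed by an arrest (x0.5, x0.4) at the end of the test.
DK = [10.0 + i for i in range(15)]
DADN = [1e-11 * k ** 4 for k in DK]
for idx, factor in zip(range(11, 15), [1.8, 1.0, 0.5, 0.4]):
    DADN[idx] *= factor

if __name__ == "__main__":
    for i, (slope, s) in enumerate(moving_fits(DK, DADN)):
        print(f"window {i:2d}: slope {slope:5.2f}  S {s:.4f}")
    print("stable points:", stable_section(moving_fits(DK, DADN)))
    print("stage II slope:", stage2_slope(DK, DADN))
```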

3.1 Analysis of initial results without splitting data into sections

In the Part 1 tests the analyses of effects on slope had been carried out both with and without splitting the data into the different stages of crack growth. When the data was not split, the analysis of the 2 level fraction showed no significant factors (Table 3).

3.2 Analysis of initial design second stage growth section data only

Under the more stable data section, Stress ratio and the rail manufacturers were seen to be weakly significant factors as in Table 4.

3.3 Analysis of second experiment stable growth rate section data only

Following the initial experiments the Part 2 tests were carried out using a fixed stress ratio of 0.5, chosen as


Table 2. Responses.

Response   Description
Slope(1)   The slope of the log–log plot using the method in clause 10 of BS 6835: 1988
Slope(2)   The slope of the log–log plot when using a point to point calculation of da/dN & ΔK
S(1)       The mean error of the log–log plot using the method in clause 10 of BS 6835: 1988
S(2)       The mean error of the log–log plot when using a point to point calculation of da/dN & ΔK
Int(1)     The intercept of the log–log plot using the method in clause 10 of BS 6835: 1988
Int(2)     The intercept of the log–log plot when using a point to point calculation of da/dN & ΔK

Note*: (1) (da/dN)_i = (a_{i+1} − a_{i−1}) / (N_{i+1} − N_{i−1}); (2) (da/dN)_i = (a_i − a_{i−1}) / (N_i − N_{i−1}).

[Figure 3: plot “Plot of S for 5pt MA(2)”, error (0 to 0.35) against N (100000 to 550000 cycles)]

Figure 3. Plot of error for 5 point regression lines of test A2 data.

[Figure 4: plot “5ptMA of Slope(2)”, slope (0 to 4.5) against N (100000 to 550000 cycles)]

Figure 4. Plot of slope for 5 point regression lines of test A2 data.


a suitable value with which to fix the European standard. It was also possible to include a number of the other measurements as potential factors, such as the starting point or number of total cycles, and these were included in the analysis, Table 5.

3.4 Within-lab scatter

The following Table 6 shows the general difference in random uncertainty between the laboratories using the analysis of variance for the mean error S using method (2).

These tables show that the manufacturers had little effect on the uncertainty and that some laboratories had more variable results than others. Labs A and B had the highest level of variability, then labs D and F, while Labs C and E had the lowest levels. It was seen that laboratories C and E both used fractomat gauges for monitoring the crack growth and that this appears to be a better technique.

3.5 Some project findings

• Stress ratio has a significant effect on the slope and intercept. Higher stress ratios produce lower crack growth rates. This should be taken into account in the standard by fixing the set ratio.

• There was no significant difference between the crack growth rate in samples from different manufacturers: this applied to both the slope and the intercept based on the stable crack growth region of the log(da/dN) vs log(ΔK) plot.

• All Labs produced similar growth rate estimates provided stable stage data was used.

• There was no effect on the results with regard to different cyclic test frequencies.

• Humidity had no direct significant effect on the results.

• The results from some laboratories displayed more variance around the log–log relationship between da/dN and ΔK than others did. This is due to the different equipment used.

• The mean slope for all of the tests using stress ratio of 0.5 was close to 4.

4 CONCLUSIONS

The best way to analyse data from these types of test is to break the data down into sections, and use only the stable data in the analysis. A suitable way is to find the sections of data that show the least scatter around the log–log curve of the stress and crack growth. This can be achieved by using moving Linear Regression lines. It is also possible to derive quality monitoring of the test data using charts of the Regression parameters: slope, error and intercept. The method has been recommended to the Commission and monitoring formulae have been provided. Examples of typical formulae can be found in Hines and Montgomery (1990).


Table 3. Anova table for effects on slope estimates using full data from Part 1.

Factor                  df   F      P
Rail manufacturer       3    1.64   0.26
Laboratory              1    1.53   0.25
Humidity                1    0.42   0.54
Stress ratio            1    0.17   0.69
Humidity * stress ratio 1    0.10   0.77
Error                   8
Total                   15

Table 4. Anova table for effects on slope estimates in stable stage growth data from initial results.

Factor                  df   F      P
Rail manufacturer       3    3.51   0.06
Stress ratio            1    4.90   0.05
Relative humidity       1    0.00   0.95
Humidity * stress ratio 1    1.12   0.32
Error                   9
Total                   15

Table 5. Part 2 results from second stage growth data, derived by method (1) in Table 2.

Factor                df   F      P
Number of cycles      1    0.25   0.62
Rail manufacturer     3    1.50   0.25
Laboratory            5    0.34   0.88
Start – stable data   1    0.68   0.42
Humidity              1    1.72   0.21
Error                 17
Total                 28

Table 6. ANOVA of scatter within Labs.

Factor              df   F      P
Number of cycles    1    0.25   0.63
Rail manufacturer   3    2.46   0.10
Laboratory          5    4.84   0.01
Humidity            1    1.44   0.25
Error               18
Total               28


ACKNOWLEDGEMENT

The work described was carried out under project number SMT4 – CT98 – 2240, part-funded under the SMT part of the “Growth” programme of the 4th Framework of the European Commission. The writing of this paper was also supported under the European Commission’s 5th Framework “Growth” Programme via the Thematic Network “Pro-ENBIS”, contract reference: G6RT-CT-2001-05059.

REFERENCES

Ankenman BE (1999) Design of Experiments with Two- and Four-Level Factors. Journal of Quality Technology 31: 363–375.

British Standard BS 6835: 1988 “Determination of the rate of fatigue crack growth in metallic materials”.

Da Silva L, De Oliveira FMF, De Castro PMST & Stewardson DJ (2003) Fatigue Crack Growth of Rails for Railways. Journal of IMECHE Series 6, in print.

Davies OL & Goldsmith PL (eds.) (1972) Statistical Methods in Research and Production, 4th ed. Oliver & Boyd, Edinburgh.

Grove DM & Davis TP (1992) Engineering, Quality & Experimental Design. Longman, London.

Hines WH & Montgomery DC (1990) Probability and Statistics in Engineering and Management Science. Wiley, New York.

Stewardson DJ, Drewett L, da Silva, Budano LS, Joller A, Mertens J & Baudry G (2000) Using Designed Experiments and the Analysis of Statistical Error to Determine Change Points in Fatigue Crack Growth Rate. Proceedings of Industrial Statistics in Action Conference, September 2000, Newcastle upon Tyne, UK, Vol 2, pp. 59–69.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7

Improved methods of power systems availability indices determination

M. Stojkov, HEP group, Distribution, Area Slavonski Brod, Croatia

S. Nikolovski, Faculty of Electrical Engineering, University of Osijek, Croatia

I. Mravak, HEP group, Distribution, Zagreb, Croatia

ABSTRACT: This paper presents the role of the reliability aspect in power system supply quality. The increasing importance of availability indices in evaluating quality improvement in power delivery, with some cost savings at the same time, is discussed here. The evaluation method has been developed to solve a real technical and management problem: defining the optimal power system switching state. The evaluation method is based on a Markov state space model of power lines as system components, enumerating all possible power system states, and is composed of independent power system component failure time-series data and their coincidences of the first, second and third order for the branches (lines and transformers), stored in a relational system database. Some input variables and detailed reliability results calculated for all buses in the distribution power system of the Slavonski Brod area are also part of this paper.

1 INTRODUCTION

1.1 Power quality

Anyone with a technical background can define power delivery as a dynamic process depending on customer demands during any time period. So, power quality consists of the several main variables describing this kind of dynamic process according to EN 50160. One of these variables describing power system reliability is the maximum allowed number of failures per year and the second one is the maximum allowed duration of voltage interruption per year for each end-user. To determine the above mentioned system parameters, the power system (nodes and branches) has to be permanently monitored day by day during the whole year. The object of this approach is only the component failures which cause power interruption to the end-users.

According to EN 50160 a voltage drop period starts when the voltage drops to a level less than 1% of the nominal voltage level. There are two possible voltage absence periods: planned maintenance (consumers are informed days in advance) and accidental failures. The latter can be divided further into long term (permanent failure) and short voltage interruptions (transient failure, duration less than 3 minutes). The short interruptions are expected to number about several hundred, but the duration of 70% of them should be less than 1 s. Long term no-voltage periods should not number more than 10–50 per year.

The power system is given with its branches (power lines and transformers) and buses (nodes) describing the actual topology. The nodes are the points with load feed (generators and load input from a higher voltage network), load output points from the distribution network to the customer, branching points or points where the power line type changes (like overhead line – buried line, isolation technology type, radius and conductor material).

1.2 Reliability aspect

The power system is composed of a great number of mechanical and electrical components, which can be removed when a failure occurs or even in a maintenance process (periodic maintenance or when any component parameter deviates outside of the regulated range). There are also some organizational imperfections and human faults as possible failure causes.

The power system is an open dynamic technical system with a number of strong connections with its

09048-S-20.qxd 5/15/03 1:05 AM Page 1503


environment. The environment is structured in two parts: the technical one, with material parameters and physical essentials, on one side and probabilistic variables (demands, weather conditions) on the other side. However, at any time, the system is in one and only one possible state that is completely described by a set of variables.

Power delivery is the process we monitor within the system and its states. If the next system state can be predicted with certainty on the basis of physical laws, the system is deterministic. If we only know the probability distribution of the next system state, it is stochastic. The power system is exactly a stochastic technical system: uncertainties in the power demand, external temperature, other weather conditions, pollution and other factors come into consideration here.

2 RELATIONAL POWER SYSTEM DATA BASE

2.1 Introduction

All time-series events about system and component states and their changes have been continually recorded in the power system management documents required by law. It was very hard and slow to retrieve data from these documents about only one component state at a particular moment in the past. All recorded data were extremely unconnected, hard to read and unsorted. So, the relational power system database is designed to solve the above mentioned problems and to provide greater accuracy in the power system availability. Now, all the information about the power system and its component faults is recorded in a place where it can be simultaneously available to several


Figure 1. Relationships scheme in the database kikaE2.mdb.


users. The other advantage is in recording immediately after faults occur, which gives us fresh and accurate data. The traditional approach to fault registration till now was to collect and store these data after some time, so some of the important facts used to be neglected, depending on a subjective opinion or memory.

2.2 Main parts

The relational database KikaE2.mdb (Microsoft Access) with its main parts, tables and relationships, is illustrated in Figure 1. Most of the data in the database is structured, interconnected, fast to access, non-redundant and sorted, describing events (faults, maintenance), system states (switching states, failure type, failure cause) and objects (components, power lines and transformer substations).

The relation between two tables depends on the connection key determination, with its connection properties and rules. By means of database queries, it is very easy to filter out the desired information. For example, it is easy to filter only the faults of one power line a user wants from all power system line faults, and to take into account only faults in a desired time period between two dates of the user's choice. It is possible to filter further by selecting only faults with the same cause, faults of the same components, faults with duration of more than 5 or 20 minutes and so on.

Here, two expected energy not supplied (EENS) evaluations are calculated: traditional (EENS1), based on the installed transformer power, and new real (EENS2), based on the real measured power of the previous day in the same no-voltage period as the fault day.
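The kind of filtering query and the two EENS evaluations described in this section, as an added example with an in-memory SQLite schema and constructed fault records (it is not the KikaE2.mdb database, whose tables are only shown in Figure 1). The table layout, line names, installed powers and load readings are assumptions made for the example; EENS2 takes the mean of the hourly readings that fall in the same clock window one day earlier.

```python
"""Relational fault records with date/duration/cause filtering and the EENS1 / EENS2
evaluations of Section 2.2. Added example; schema and records are constructed."""
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE line (
    line_id      INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    installed_mw REAL NOT NULL        -- installed transformer power fed through this line
);
CREATE TABLE fault (
    fault_id INTEGER PRIMARY KEY,
    line_id  INTEGER NOT NULL REFERENCES line(line_id),
    start_ts TEXT NOT NULL,           -- 'YYYY-MM-DD HH:MM:SS'
    end_ts   TEXT NOT NULL,
    cause    TEXT NOT NULL
);
CREATE TABLE load (
    line_id INTEGER NOT NULL REFERENCES line(line_id),
    ts      TEXT NOT NULL,            -- hourly measured power reading
    mw      REAL NOT NULL
);
"""

# Constructed records (placeholder names, not the paper's data).
LINES = [(1, "line-X 35 kV", 32.0), (2, "line-Y 35 kV", 16.0)]
FAULTS = [
    (1, 1, "2003-05-15 10:00:00", "2003-05-15 12:00:00", "lightning"),
    (2, 1, "2003-05-20 08:00:00", "2003-05-20 08:03:00", "transient"),      # 3 min
    (3, 2, "2003-05-18 14:00:00", "2003-05-18 15:30:00", "conductor break"),
]
LOADS = [(1, "2003-05-14 10:00:00", 20.0), (1, "2003-05-14 11:00:00", 22.0),
         (1, "2003-05-14 12:00:00", 19.0),   # outside the fault window, must be ignored
         (2, "2003-05-17 14:00:00", 9.0), (2, "2003-05-17 15:00:00", 11.0)]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def build_db():
    """In-memory database loaded with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO line VALUES (?,?,?)", LINES)
    conn.executemany("INSERT INTO fault VALUES (?,?,?,?,?)", FAULTS)
    conn.executemany("INSERT INTO load VALUES (?,?,?)", LOADS)
    return conn


def faults_for_line(conn, line_id, date_from, date_to, min_minutes=5, cause=None):
    """Faults of one line starting between two dates ('YYYY-MM-DD'), longer than
    min_minutes (the 5 / 20 minute filters of the text), optionally of one cause."""
    return conn.execute(
        """SELECT fault_id, start_ts, end_ts, cause
           FROM fault
           WHERE line_id = ?
             AND date(start_ts) BETWEEN ? AND ?
             AND (julianday(end_ts) - julianday(start_ts)) * 1440 > ?
             AND (? IS NULL OR cause = ?)
           ORDER BY start_ts""",
        (line_id, date_from, date_to, min_minutes, cause, cause)).fetchall()


def eens(conn, fault_id):
    """(EENS1, EENS2) in MWh for one fault.
    EENS1 = installed transformer power * outage duration.
    EENS2 = mean measured power in the same clock window one day earlier * duration;
    None when no reading exists for that window."""
    line_id, start, end, installed = conn.execute(
        "SELECT f.line_id, f.start_ts, f.end_ts, l.installed_mw "
        "FROM fault f JOIN line l USING (line_id) WHERE f.fault_id = ?",
        (fault_id,)).fetchone()
    hours = (datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)).total_seconds() / 3600
    (measured,) = conn.execute(
        """SELECT AVG(mw) FROM load
           WHERE line_id = ? AND ts >= datetime(?, '-1 day') AND ts < datetime(?, '-1 day')""",
        (line_id, start, end)).fetchone()
    eens1 = installed * hours
    eens2 = None if measured is None else measured * hours
    return eens1, eens2


if __name__ == "__main__":
    db = build_db()
    for row in faults_for_line(db, 1, "2003-05-01", "2003-05-31"):
        print(row, "EENS1/EENS2 (MWh):", eens(db, row[0]))
```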

3 POWER SYSTEM TOPOLOGY

3.1 Substations and power lines

The analyzed power system area Slavonski Brod covers 1983 square kilometres with a population of 186,000, about 40,000 consumers and 33.13 MW peak power, which is between 1.6% and 2% of the Croatian National Electricity Board total. The distribution power system is presented in Figure 2.

The following transformer substations exist in the distribution network of the observed area (Table 1): Podvinje 110/35 kV (80 MW), the basic system feed point, and Bjelis 110/35/10 kV (40 MW), the secondary system feed point, plus eight 35/10 kV transformer substations, 66.7 km of 35 kV overhead power lines and 10.6 km of 35 kV buried power lines (see Tables 1–2 and Figure 2). Here, branches are marked by their two incident buses.

3.2 The power load flow model

The real yearly load diagram (electric power against days during the year, see the oscillating line in Figure 3) for

the power system is approximated by the stepwise linear lines presenting load duration (Figure 4). The decreasing line (Figure 3) presents the electric power for all days (D) during the year but sorted by their values from the largest to the lowest value.

Each level is marked by the system peak load level (absolute and relative to the peak load of the first level) and its occurrence probability (Table 3). The power system's load duration diagram is specified by 5 levels, where the first level is 100% (33.13 MW). It means, for example, that for 0.55% of the time (48.18 hours/year) the load is PM (33.13 MW).


Figure 2. Power system’s scheme.

Table 1. Distribution network nodes.

Node/Bus number   Bus name (location)   Transformers installed (MVA)
1                 Podvinje110           80.00
2                 Podvinje35            80.00
3                 Bjelis35              40.00
4                 Slavonski Brod1       32.00
5                 Slavonski Brod2       16.00
6                 Slavonski Brod3       16.00
7                 Brodsko Brdo          8.00
8                 Oriovac               6.50
9                 Brodski Stupnik       0.00
10                Donji Andrijevci      12.00
11                Bebrina               6.50
12                INA-gas               0.00
13                Topolje               0.00
14                Zrinski Frankopan     0.00


The most important step in the load approximation process is to preserve the area under the load curve in the load–time graph (i.e. to keep the total electric energy distributed to consumers unchanged). Any quantity evaluation for a part of the year (season, month) which is based on load estimation has to start again from the raw load data; for such periods this approximation is not accurate enough.

4 RELIABILITY EVALUATION

Although it is not easy or rewarding to make a model of a power system with distributed components under different weather and load conditions, there are several modeling methods used to accomplish that task. Here, reliability evaluation is based on the analytical method of state space enumeration (using Markov's state space model). This evaluation combines independent failures of the power system components and their coincidences of the first, second and third order for the branches.

4.1 Reliability output indices

The power system reliability indices we use for quantifying the adequacy aspect are:

4.1.1 The number and type of supply interruption

Number of contingencies causing split network – Splt
Number of contingencies causing bus isolation – Isol

4.1.2 The load curtailment reliability indices

Probability of load curtailment (Prob, ×10^-3)
Frequency of load curtailment (Freq, occ./year)
Duration of load curtailment (Dur, hours/year)

4.1.3 The Bulk Power Energy Curtailment Index (BPECI, BP MWh/MW, year)

This parameter shows the amount of unsupplied energy (MWh) per 1 MW of installed load power per year.
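The branch-outage enumeration of Section 4 and the Splt/Isol counts of 4.1.1, as an added example that is not the paper's program: it walks every first, second and third order coincidence of outages of the in-service branches of the Slavonski Brod 35 kV network (buses of Table 1, branches of Table 2) for one radial switching state and classifies each. Assumptions: buses 1 (Podvinje110) and 3 (Bjelis35) are the supply points; Table 4's state C is read as opening branches 14 ("12–4"), 8 ("4–6") and 6 (one of the two parallel "2–5" lines); a contingency counts as "isol" when a single bus loses every path to a supply point and as "split" when a group of two or more buses does. With these assumed rules the counts illustrate the method and are not those of Tables 5–7.

```python
"""State-space enumeration of branch outage coincidences of order 1..3 with
split / isolation classification. Added example; sources, the reading of the
switching state and the classification rules are assumptions."""
from collections import Counter
from itertools import combinations

# Branch number -> (start node, end node), from Table 2.
BRANCHES = {1: (1, 2), 2: (1, 2), 3: (2, 4), 4: (2, 12), 5: (2, 5), 6: (2, 5),
            7: (5, 6), 8: (4, 6), 9: (3, 5), 10: (13, 10), 11: (2, 9), 12: (9, 11),
            13: (2, 7), 14: (12, 14), 15: (14, 4), 16: (2, 13), 17: (9, 8)}
BUSES = range(1, 15)
SOURCES = {1, 3}          # assumed supply points (110 kV feed buses)
STATE_C_OPEN = {14, 8, 6}  # assumed reading of Table 4, switching state C


def components(in_service):
    """Connected components of the bus graph using only the given branch numbers."""
    adj = {b: set() for b in BUSES}
    for br in in_service:
        u, v = BRANCHES[br]
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in BUSES:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            b = stack.pop()
            if b in comp:
                continue
            comp.add(b)
            stack.extend(adj[b] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def classify(in_service):
    """'ok' if every component holds a supply point; otherwise 'split' when some
    unsupplied component has two or more buses, else 'isol' (single buses cut off)."""
    unsupplied = [c for c in components(in_service) if not (c & SOURCES)]
    if not unsupplied:
        return "ok"
    return "split" if any(len(c) > 1 for c in unsupplied) else "isol"


def enumerate_contingencies(open_branches, max_order=3):
    """{order: {'ok': n, 'isol': n, 'split': n}} over all coincidences of `order`
    simultaneous outages among the branches closed in this switching state."""
    closed = sorted(set(BRANCHES) - set(open_branches))
    result = {}
    for order in range(1, max_order + 1):
        counts = Counter()
        for outage in combinations(closed, order):
            counts[classify([b for b in closed if b not in outage])] += 1
        result[order] = dict(counts)
    return result


if __name__ == "__main__":
    for order, counts in enumerate_contingencies(STATE_C_OPEN).items():
        print(f"n-{order}: {counts}")
```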


Table 2. Distribution network branches.

Branch number   Start node   End node   Power line/transformer type
1               1            2          Transformer 110/35 kV 40 MVA
2               1            2          Transformer 110/35 kV 40 MVA
3               2            4          NA2XS(F)2Y 3×(1×240) mm²
4               2            12         Overhead line Copper 3×70 mm²
5               2            5          Overhead line Al-steel 3×150 mm²
6               2            5          Overhead line Al-steel 3×120 mm²
7               5            6          NKBA 3×150 mm²
8               4            6          NKBA 3×150 mm²
9               3            5          Overhead line Al-steel 3×120 mm²
10              13           10         Overhead line Al-steel 3×120 mm²
11              2            9          Overhead line Al-steel 3×120 mm²
12              9            11         Overhead line Al-steel 3×120 mm²
13              2            7          Overhead line Al-steel 3×120 mm²
14              12           14         NA2XS(F)2Y 3×(1×240) mm²
15              14           4          NKBA 3×240 mm²
16              2            13         Overhead line Al-steel 3×95 mm²
17              9            8          Overhead line Al-steel 3×120 mm²

Figure 3. Electric power load diagram during the year (oscillating) and the same decreasing characteristic in Area Slavonski Brod, 1999.

Table 3. Stepwise linear lines load duration, Area Slavonski Brod, 1999.

Level   P (MW)   Days per year (D)   P/Ppeak   T (%)
1       33.13    2                   1.00      0.55
2       28.26    45                  0.85      12.33
3       24.39    155                 0.74      42.46
4       20.32    154                 0.61      42.19
5       16.89    9                   0.51      2.47

Figure 4. The stepwise linear lines load characteristic in Area Slavonski Brod, 1999.


It is usually expressed in system minutes, SM (by multiplying BPECI by 60). It has two interpretations: a) the actual system malfunction index SM is presented as an equivalent fault state of the power system under the peak load for that many system minutes, and b) SM is the duration of outage time per consumer at the system peak load.

4.1.4 The Expected Energy Not Supplied (EENS, ENS)

This parameter is usually shown in MWh/year, but here it is in kWh/year. The program does not calculate this parameter directly, so we calculate it from BPECI by multiplying by the peak system load (PM = 33.13 MW).

4.2 Output results

Now, we can compare the reliability indices of the n-1, n-2 and n-3 branch failure coincidence levels for the observed system. Only the power system switching states of the same order of coincidence level during the monitored time period can be compared. It is obvious that reliability evaluation based on the second order for branches (one or two possible failures) includes all events of the n-1 contingency level and all events with two component failures in the power system. Although it is possible to operate in a closed ring topology (except for four transformer substations), the power system can operate in the radial topology. Table 4 presents the possible radial network configurations with their marks and the branches with open connections between two buses.

It is obvious that there are important differences in output reliability indices between different switching states of the distribution network. The reliability indices listed in chapter 4.1 are evaluated and given in Tables 5–7 depending on contingency order for different power system switching states, marked according to Table 4. If the system switching state C (the best case) is compared with that marked B (the worst switching state by the reliability aspect), a 53.94% lower load curtailment probability is found, around 45.55% less expected unsupplied electric energy per year, around 52.4% lower load curtailment frequency and 46.6% lower load curtailment duration for case A. Furthermore, the switching states can be sorted by their reliability indices of n-1 order as follows: C, D, A, E, H, G, F and B.

This evaluation is composed of the independent failures of the power system components and their coincidence of the second order for branches. The sorting order of the switching states is exactly the same as for the first-order reliability evaluation, with significant differences between the indices of different switching states of the power system.

In the third-order reliability evaluation for branches of the monitored power system, there are no important differences in the output reliability indices between different switching states of the distribution network. For example, if the system switching state marked C


Table 4. Distribution network switching states (radial).

Switching     Open        Open        Open
states mark   branch 1    branch 2    branch 3
A             2–4         4–6         2–5 II
B             2–4         5–6         2–5 II
C             12–4        4–6         2–5 II
D             12–4        5–6         2–5 II
E             12–4        5–6         2–5 I
F             2–4         5–6         2–5 I
G             2–4         4–6         2–5 I
H             12–4        4–6         2–5 I

Table 5. Reliability indices of n-1 order, distribution power network, area Slavonski Brod (radial topology).

State   A      B      C      D      E      F      G      H
Splt    3      5      1      2      2      5      4      3
Isol    7      6      8      7      8      6      7      7
Prob    4.19   7.56   4.03   4.09   7.35   7.56   7.50   7.40
Freq    24.7   50.0   23.8   24.7   48.1   50.0   49.0   49.0
Dur     36.7   66.2   35.3   35.8   64.4   66.2   65.7   64.9
BP      3.51   6.51   3.29   3.38   6.06   6.51   6.27   6.15
ENS     20.8   34.5   18.8   19.0   30.7   34.5   32.8   30.9

Table 6. Reliability indices of n-2 order, distribution power network, area Slavonski Brod (radial topology).

State   A      B      C      D      E      F      G      H
Splt    37     47     23     38     29     48     41     42
Isol    59     52     66     52     64     52     58     50
Prob    4.22   7.60   4.07   4.12   7.39   7.60   7.55   7.45
Freq    25.1   50.4   24.2   25.1   48.6   50.5   49.5   49.5
Dur     37.0   66.6   35.6   36.1   64.8   66.6   66.1   65.2
BP      3.55   6.56   3.33   3.42   6.11   6.56   6.32   6.19
ENS     21.0   34.7   18.9   19.1   30.9   34.7   32.9   31.1

Table 7. Reliability indices of n-3 order, distribution power network, area Slavonski Brod (radial topology).

State   A      B      C      D      E      F      G      H
Splt    209    236    155    248    167    237    220    258
Isol    237    216    273    184    273    216    237    184
Prob    7.55   7.60   7.39   7.45   7.39   7.60   7.55   7.45
Freq    49.5   50.4   48.6   49.5   48.6   50.5   49.5   49.5
Dur     66.1   66.6   64.8   65.2   64.8   66.6   66.1   65.2
BP      6.32   6.56   6.11   6.19   6.11   6.56   6.32   6.19
ENS     32.9   34.7   30.9   31.1   30.9   34.7   32.9   31.1


(the best case) is compared with that marked F (the worst switching state from the reliability aspect), it is found that the load curtailment probability is only 2.74% lower, the expected unsupplied electric energy per year around 11% lower, the load curtailment frequency around 3.76% lower and the load curtailment duration 2.73% lower for case A. The third contingency order evaluation has only theoretical meaning because of the low probability of a state with more than two faulted components at the same time.

Switching states can be sorted by their reliability indices of n-3 order as follows: C, E, H, D, A, G, B and finally F. This ranking of the switching states differs from the rankings of the n-1 and n-2 branch order reliability evaluation, and it could be used when one branch is on planned revision for a long time period.

Besides the reliability indices for the complete power system it is possible to obtain several kinds of result indices for each bus; for example, Tables 8, 9, 10 and 11 present bus indices for the power system switching state marked E, n-1 contingency order.

All presented output reliability indices are results of the evaluation for the power system as it is today, according to the relational database of power line faults for the period from 1 January 1998 to 30 April 2000. There are also power fault data for the period from June 1992 to June 1997, obtained from the Plant Logs of each transformer substation. The power system in that period consisted of 16 branches (one less than today), because one-third of the overhead line between buses 2 and 12 was later replaced by a buried power line NA2XS(F)2Y 3×(1×240) mm², making a new bus (14). The above-mentioned reconstruction reduced the impact of weather conditions and war damage. The output reliability indices for the radial topology marked G (disconnected branches 2–4, 4–6 and 2–5 I) of the former power system for coincidence of the first, second and third order are presented in Table 12.

Although the number of contingencies causing a split network (Splt) and bus isolation (Isol) in the former power system is smaller than the corresponding indices of today's power system (because of the one extra bus today), all other reliability indices indicate lower reliability than in today's power system.

All in all, we have done a quantitative analysis of the reliability of the power system for the radial network. Now it


Table 8. Expected bus indices of n-1 order, distribution power network, area Slavonski Brod (radial topology, marked E).

Bus k   Probk   Freqk   ENSk     Durk
10      3.551   25.84   133.77   31.11
11      3.478   18.21   48.14    30.47
8       2.678   15.19   86.32    23.46
6       0.089   1.26    4.09     0.78
7       0.081   0.75    2.40     0.71
4       0.029   0.24    1.80     0.25

Table 9. Maximum energy curtailed bus indices of n-1 order, distribution power network, area Slavonski Brod (radial topology, marked E).

Bus k   Probk   Freqk   ENSk
4       0.029   0.24    7.46
8       2.492   12.95   6.20
10      0.200   1.26    5.97
6       0.089   1.26    3.25
7       0.081   0.75    3.22
11      2.492   12.95   2.66

Table 10. Maximum duration curtailed bus indices of n-1 order, distribution power network, area Slavonski Brod (radial topology, marked E).

Bus k   Probk   Freqk   Durk
8       2.492   12.95   1.69
11      2.492   12.95   1.69
10      0.200   1.26    1.39
4       0.029   0.24    1.04
7       0.081   0.75    0.95
6       0.089   1.26    0.62

Table 11. Average bus indices of n-1 order, distribution power network, area Slavonski Brod (radial topology, marked E).

Bus k   ENSk    Durk
4       7.475   1.04
8       5.683   1.54
10      5.178   1.20
6       3.255   0.62
7       3.215   0.95
11      2.644   1.67

Table 12. Reliability indices of n-1, n-2 and n-3 order, distribution power network, former constitution of area Slavonski Brod (radial topology, marked G).

Coincidence order   n-1     n-2     n-3
Splt                3       34      179
Isol                7       51      189
Prob                7.816   7.869   7.869
Freq                52.08   52.63   52.63
Dur                 68.47   68.93   68.93
BP                  6.709   6.767   6.767
ENS                 34.83   35.01   35.01


is very easy to select a system topology and to sort the topologies by their reliability indices.
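The contingency enumeration discussed in this section (the n-2 evaluation containing every n-1 event, and the Splt and Isol counts of Tables 5 to 7) as an added Python example; it is not the paper's or the COMREL program's code, and the network, the branch unavailabilities, the switching states and the reading of Splt (network split) and Isol (a bus left without any branch) are assumptions of the example.

```python
from itertools import combinations

# Constructed 7-bus distribution network (not the Slavonski Brod data of the
# paper). Branch id -> (bus_a, bus_b, unavailability q), q being the expected
# fraction of time the branch is out of service. Branches 5 and 6 form a
# double circuit "4-5 I" / "4-5 II"; branches 4 and 9 close rings that are
# opened to obtain a radial switching state.
BRANCHES = {
    1: (1, 2, 0.004), 2: (1, 3, 0.004), 3: (2, 4, 0.006), 4: (3, 4, 0.006),
    5: (4, 5, 0.005), 6: (4, 5, 0.005), 7: (5, 6, 0.008), 8: (3, 7, 0.008),
    9: (6, 7, 0.006),
}
SOURCE = 1  # supply point (the HV/MV transformer substation)

# Switching states in the style of Table 4: mark -> branches kept open.
SWITCHING_STATES = {"A": (4, 9), "B": (3, 9), "C": (4, 7)}


def in_service_branches(mark):
    """Branches in service for a switching state (all branches minus the open ones)."""
    return sorted(set(BRANCHES) - set(SWITCHING_STATES[mark]))


def components(in_service):
    """Connected components (sets of buses) of the network formed by the
    in-service branches; every bus of the network lands in some component."""
    buses = {b for a, c, _ in BRANCHES.values() for b in (a, c)}
    adj = {b: set() for b in buses}
    for bid in in_service:
        a, c, _ = BRANCHES[bid]
        adj[a].add(c)
        adj[c].add(a)
    seen, comps = set(), []
    for start in buses:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v not in comp:
                comp.add(v)
                stack.extend(adj[v] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def classify(in_service):
    """Classify one network state (assumed reading of the paper's indices):
    'Isol' if some bus has lost all its branches, 'Splt' if the network has
    split into parts without a fully isolated bus, else 'ok'. Also returns the
    buses that are no longer connected to the supply point."""
    comps = components(in_service)
    unsupplied = set().union(*(c for c in comps if SOURCE not in c))
    if any(len(c) == 1 for c in comps):
        return "Isol", unsupplied
    if len(comps) > 1:
        return "Splt", unsupplied
    return "ok", unsupplied


def contingency_indices(mark, max_order):
    """Enumerate every coincidence of k = 1..max_order independent failures
    among the in-service branches of a switching state. Returns, per order k,
    the cumulative Splt and Isol counts (orders 1..k, so the n-2 evaluation
    contains all n-1 events) and Prob, the probability that at least one bus
    is without supply, truncated at order k."""
    in_service = in_service_branches(mark)
    splt = isol = 0
    prob = 0.0
    result = {}
    for k in range(1, max_order + 1):
        for failed in combinations(in_service, k):
            kind, unsupplied = classify([b for b in in_service if b not in failed])
            if kind == "Isol":
                isol += 1
            elif kind == "Splt":
                splt += 1
            if unsupplied:
                # probability of exactly this set of branches being out,
                # with independent failures as assumed in the paper
                p = 1.0
                for b in in_service:
                    q = BRANCHES[b][2]
                    p *= q if b in failed else 1.0 - q
                prob += p
        result[k] = {"Splt": splt, "Isol": isol, "Prob": prob}
    return result


def rank_states(order=2):
    """Sort the switching states by the Prob index of the given contingency
    order, best (lowest probability of load curtailment) first."""
    return sorted(SWITCHING_STATES,
                  key=lambda m: contingency_indices(m, order)[order]["Prob"])
```

Running contingency_indices("A", 3) shows the pattern the paper reports: the counts grow quickly with the order while the third-order increment of Prob is negligible next to the second-order value.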

5 CONCLUSION

One of the main targets of power system reliability evaluation is the analysis of the system and its components and approaching the power system from the reliability aspect. It means that the power system engineer has to be informed in advance about the further possible steps in selecting the topology of a power system with as much savings as possible. No one can expect a technical manager to do the evaluation when the fault(s) occur; the reliability evaluation study has to be done already, defining and directing the sequence of switching device manipulations in any circumstances. Maybe the most logical way to meet these requirements is to create manipulation tables based on the results of the reliability evaluation, and to re-establish the rules and constitutions to control the system function. It is useful to skip power system buses with good reliability parameters, find out which branches are endangered (and plan to reconstruct them or to add a parallel branch), reduce the number and duration of faults, diminish the number and duration of prearranged supply interruptions (scheduled revisions on the power system or its parts), and improve repair efficiency on fault occurrence including the storage of spare components with short age; in four words: better power supply quality.

The basic quality indices of the power supply are an acceptable level of voltage and frequency variations as well as interruptions (number, duration) in the power supply. All of these criteria are essential for our business customers, and especially for industry, trades, hospitality, restaurants, farming, agriculture, education, government etc. So, important financial decisions in power system management are made on the basis of the reliability evaluation.



The safety of risk or the risk of safety?

S.I. Suddle
Delft University of Technology & Corsmit Consulting Engineers Rijswijk, The Netherlands

P.H. Waarts
TNO, The Netherlands

ABSTRACT: Safety is nowadays one of the main items on the agenda during the planning, realisation and management of most large-scale projects, particularly in infrastructure and building projects in intensively used areas such as multiple use of land projects. It is vital that safety aspects are properly assessed at the earliest possible stage of the project. In this paper relations between safety and risk are suggested. In order to quantify safety in objective terms, risk (analysis) is used as an important tool. However, definitions of risk vary from global and informal to objective variants and consist of both psychological and mathematical elements. When a risk analysis is performed, one has to consider these definitions. In this paper, both psychological and mathematical risk definitions are mentioned and their interrelation is described. An essential element in risk assessment is risk evaluation. When a risk analysis is performed, it is also important to realise that decision making about risks is very complex and that not only technical aspects but also economic, environmental, comfort-related, political, psychological and societal acceptance play an important role. Finally, a recommendation is made for narrowing the gap between the deterministic and probabilistic approach by use of Bayesian Networks. It appears that these networks are also useful for integrating psychological and mathematical definitions of risk.

1 INTRODUCTION

From a psychological, social and risk point of view, safety is a wide notion. According to [Vrouwenvelder et al., 2001], safety is the state of being adequately protected against hurt or injury, freedom from serious danger or hazard. In the philosophy of safety, safety is usually classified into social safety and physical safety [Durmisevic, 2002; Suddle, 2002A; Voordt & Wegen, 1990]. Social safety concerns the behaviour among persons. Crime incentive factors, spatial factors, institutional factors and social factors of an area are characteristics of social safety. In contrast, physical safety comprises both the probability of a person being killed or injured by natural hazards, like bad weather, an earthquake or floods, and the probability by man-made hazards like traffic, calamities in the transport of dangerous materials, calamities at nuclear reactors etc. In some cases, like fire, it is difficult to classify which kind of safety it is. A subdivision within physical safety is made into internal safety and external safety [Vrijling et al., 1998]. The following subdivision, here ranked according to increasing benefit to the persons at risk, is frequently found.

2 SAFETY AND RISK

2.1 Introduction

Generally, safety consists of both subjective and objective elements. A person who experiences that he is safe from a psychological point of view is not automatically safe from a mathematical point of view, and vice versa. The relation between the subjective and objective components of safety can be presented with aspects of irrational behaviour [Bouma, 1982].

Figure 1. Subdivision of safety: Safety is divided into Social Safety (crime incentive factors, spatial factors, institutional factors, social factors) and Physical Safety (natural & man-made hazards); physical safety is subdivided into Internal (users: passengers, personnel) and External (third parties).


Subjective safety is related to psychological aspects (see also [Stoessel, 2001]), while objective safety is based on mathematical grounds. Note that sometimes objective safety is also based on subjective estimates. To define and to quantify the objective elements of safety, it is vital to link safety with risk. In essence, it can be assumed that safety, either internal or external, is complementary with the level of risk [Suddle, 2002A] (see fig. 3). This means that to reach a low risk level, one has to invest in safety measures, while at a minimum level of safety (high risk level) one may expect both human and financial risks, such as casualties and loss of human life. If the level of acceptability and tolerability of risk were embedded correctly, the optimum level of safety would lie at the minimum of the sum of investments and expected risks.

The survey of Vlek [Vlek, 1990] yielded 20 definitions of risk, which vary from global informal definitions to objective variants. The 11 formal definitions of risk or riskiness, which can be distinguished from those 20, are presented in table 1.

This collection of risk definitions may be considered by viewing risk as the characterisation of: (a) a single possibility of accident, loss or disease (defs 1–4), (b) a collection of accident possibilities (defs 5–7), and (c) an activity having accident (and other) possibilities (defs 8–11) [Vlek, 1996]. Table 1 hardly contains informal definitions of risk, which are related to social and psychological aspects. Still, the community demands that engineers and designers take both social and psychological aspects into account when doing and evaluating risk analysis.

2.2 Psychological definitions of risk

One of the first conceptual analyses of risk was carried out by Vlek [Vlek, 1990]. This analysis is based on decision-making and empirical-psychological work on the nature and the dimensions of risks and hazards. Examples of psychological (informal) definitions from [Vlek, 1990; Schaalsma et al., 1990] are “lack of perceived controllability”, “set of possible negative consequences” and “fear of loss”. From [Vlek, 1990], it can be concluded that one has to consider the way people interpret risk in risk management, also called risk perception. The interpretation is different for a single person and a group of persons [Gezondheidsraad, 1995; 1996]. The perception of risk differs by factors in relation with [Vlek, 1990]:

• The origin of the hazard
• The social context
• The personal remarks


                      Subjective safe       Subjective unsafe
Objective safe        Healthy unconcern     Paranoia
Objective unsafe      Naivety               Healthy anxiety

Figure 2. Aspects of irrational behaviours.

Figure 3. Model safety vs risk [Suddle, 2002A].

Table 1. Formal definitions of risk or riskiness (adapted from [Vlek, 1990]).

1. Probability of undesired consequence.
2. Seriousness of (maximum) possible undesired consequence.
3. Multi-attribute weighted sum of components of possible undesired consequence.
4. Probability × seriousness of undesired consequence (“expected loss”).
5. Probability-weighted sum of all possible undesired consequences (“average expected loss”).
6. Fitted function through graph of points relating probability to extent of undesired consequences.
7. Semivariance of possible undesired consequences about their average.
8. Variance of all possible undesired consequences about mean consequences.
9. Weighted sum of expected value and variance of all possible consequences.
10. Weighted combination of various parameters of the probability distribution of all possible consequences (encompasses 8 and 9).
11. Weight of possible undesired consequences (“loss”) relative to comparable possible desired consequences (“gain”).


It may be assumed that these aspects are related to risk perception and to the aspects of subjective safety, as presented in figure 2. According to [Vlek, 1996], dimensions of underlying perceived riskiness, which are related to risk perception, must be taken into account in risk management, as presented in table 2.

Note that these dimensions of underlying perceived riskiness consist mainly of variants of both subjectivity and objectivity (as presented in figure 1). In [Vlek, 1996] different scale levels of risk and risk management are suggested, which amplify the aspects of subjectivity. These psychological definitions, however, are basic ingredients for the assessment of risk. Besides, they add value to the perception of risk and play a vital role in risk acceptance and decision-making. Additionally, in [Vlek, 1990] it is recommended to take additional measures for the comfort of safety, especially for persons who feel unsafe while objectively it is safe. Moreover, it is recommended in the survey [Vlek, 1990] not only to comply with the risk acceptance criteria, but also to apply the safest option regarding measures within the budget of the project. Therefore in some conditions one may deliberate the costs and the benefits of that project.

Thus, according to [Vlek, 1990; 1996] it may be concluded that (safety) measures are desired, and must be explored in the risk management process, to increase the subjective level of safety. However, this argumentation is psychological and does not provide the answer to the question “how safe or unsafe is an activity, or what is the effect of a safety measure in terms of safety and financial aspects”. In order to answer such a question in objective terms and to determine safety, there is a need for a quantifiable (mathematical) approach and not an informal psychological one. Besides, a mathematical approach makes it possible to compare the risks of different activities and to use the risk analysis as a basis for rational decision-making. It is therefore useful to quantify the aspects of subjectivity of table 2 and to integrate them in decision-making.

2.3 Mathematical definitions of risk

The common definition of risk (associated with a hazard) is a combination of the probability that the hazard will occur and the (usually negative) consequences of that hazard [Vrouwenvelder et al., 2001; Vrijling et al., 1998]. In essence, it comes down to the following expression, which is the same definition as definition 4 of table 1:

(1)

where:
R = Risk [fatalities or money year⁻¹];
Pf = Probability of failure [year⁻¹];
Cf = Consequence of the unwanted event [fatalities or money].

This definition is mostly used in risk analysis. Consequences (Cf) to be taken into account include:

• Injury, or loss of life, due to structural collapse
• Reconstruction costs
• Loss of economic activity
• Environmental losses

Mostly, there is an (inverse) relation between the probability that a hazard will occur and the consequences of that hazard. More complicating still is the gradual unfolding of a host of differing definitions of risk [Coombs, 1972; Libby & Fishburn, 1977; Vlek & Stallen, 1980]. According to [Kaplan & Garrick, 1981], risk consists of three components:

• Scenario
• Probability of scenario
• Consequence of scenario

Following [Kaplan & Garrick, 1981], risk cannot be properly expressed in terms of a single number or even a single curve. In their view the best formal definition of risk is a probability distribution of possible (future) frequencies of harmful consequences, which themselves may be multidimensional in nature.

2.4 Comparison of psychological and mathematical definitions

The description of risk given by [Kaplan & Garrick, 1981] hardly differs from the mathematical one of [Vrijling & Vrouwenvelder, 1997], because both the probability and the consequence of a scenario are included. According to [Kaplan & Garrick, 1981] one has to take all hazards into account, which can be accomplished by summing up all possible hazards (scenarios) with


Table 2. Basic dimensions underlying perceived riskiness (adapted from [Vlek, 1996]).

1. Potential degree of harm or fatality.
2. Physical extent of damage (area affected).
3. Social extent of damage (number of people involved).
4. Time distribution of damage (immediate and/or delayed effects).
5. Probability of undesired consequence.
6. Controllability (by self or trusted expert) of undesired consequences.
7. Experience with, familiarity, imaginability of consequences.
8. Voluntariness of exposure (freedom of choice).
9. Clarity, importance of expected benefits.
10. Social distribution of risks and benefits.
11. Harmful intentionality.


their consequences for an activity. Therefore, as an obvious extension, multiple scenarios (indexed i) may be taken into account. This can be presented in the following formula:

(2)

According to [Vrouwenvelder et al., 2001] probability is, generally speaking, the likelihood or degree of certainty of a particular event occurring during a specified period of time. Assuming that a system may be found in mutually exclusive situations Hi, and that the failure F of the system (e.g. of the structure or its element) given a particular situation Hi occurs with the conditional probability P(F | Hi), then the total probability of failure Pf is given by the law of total probability as:

(3)

Substitution of formula (3) in (2) gives:

(4)

where:
P(C | Hi ∩ F) = the probability of a consequence given that Hi and F occur.

Formulas (1), (2) and (4) are presented as mathematical variants. However, these are also mentioned in the psychological dimensions of risk (see table 1). The three components of formula (4) correspond with the definitions of risk as mentioned in tables 1 and 2. Therefore, from an objective safety assessment point of view one may assume that even the psychological definitions from [Vlek, 1990] are integrated into the mathematical definitions of [Kaplan & Garrick, 1981] combined with [Vrijling & Vrouwenvelder, 1997]. The psychological part of the mathematical definition emphasises in particular the consequence of a scenario. From a mathematical point of view, all possible consequences are taken into account in risk analysis (see formulas (2) and (4)). Besides, the subjective aspects related to psychology, which are mostly related to the acceptability of risk, are also integrated in the acceptability and tolerability of risk in terms of vulnerability and the direct benefit of a person. From a mathematical point of view, the acceptability and tolerability of societal risk provides a tool in which it is common to accept less readily the probability of an event involving large numbers of fatalities. This concept of risk aversion is also included in these risk acceptance criteria (e.g. societal and individual risk; see paper Suddle, S.I., A Logarithmic approach for Individual risk: The safety-index, this proceedings).

In some cases, especially scenarios with great consequences, weighing factors for all risk dimensions are used in order to make them comparable to each other and to relate them to the measures that must be taken for possible risk reduction [Coombs, 1972; Libby & Fishburn, 1977; Vlek & Stallen, 1980; Vlek, 1990; Vrouwenvelder et al., 2001]. It is therefore recommendable to compare and to integrate these definitions in a one-dimensional weighted risk (Rw) in terms of money as follows:

(5)

(6)

where:
Rw = weighted risk [year⁻¹];
αj = (monetary) value per considered loss [ ].

It has to be noted that the weighted risk (Rw) may consist of cost units, which can be financial, but this is not necessary (see [Seiler, 2000]). Formulas (5) and (6) can be specified into particular risk components:

(7)

where:
α1 = (monetary) value per casualty or injury [–];
α2 = (monetary) value per environmental risk [–];
α3 = (monetary) value per economic risk [–] (mostly α3 = 1);
α4 = (monetary) value per quality risk [–], and so on.

According to [Lind, 1996] safety criteria are not absolute. Cost-utility is only a part of the economic, social, cultural and political assessments that are required for responsible decision-making. Note that some αj may also be negative (e.g. time). Besides, the αj is in particular correlated with the consequences (Cf), in which the correlation is not necessarily linear. The first component (human risk) of formula (7) can be subdivided into:

(8)

where:
α1k = monetary value per considered basic dimension of underlying perceived riskiness as presented in table 2 [money].


So, α1k ∈ {α1, α2, …, α11} of table 2. These monetary values α1, α2, …, α11 are functions of the subjective aspects of table 2 and can be determined by multi-criteria analysis. If one adds a monetary value to these different aspects, one can integrate all kinds of subjective aspects into risk analysis, such as the value for the area affected (α2), the value for the number of people involved (α3), the value for time (α4), the value for voluntariness (α3, α8, α11), etc. According to [Seiler, 2000], the monetary value per casualty or the costs per life saved of a person depend on the voluntariness of an activity (see table 3).

If these subjective aspects are quantified in weighted risk (analysis), and thus in one (monetary) dimension, safety measures can be balanced and optimised with respect to decision-making as follows:

(9)

where:
Ctot = total costs;
C0(y) = the investment in a safety measure;
y = decision parameter;
j = the number of the year;
r = real rate of interest.

Hence, one may assume that for rational decision-making it is desired to objectify safety in terms of the probability and the consequences of all events. Therefore, both mathematical and psychological approaches to risk can and should be quantified by the mathematical variant. It may also be recommended that, for safety studies and risk analysis, risk is estimated by the mathematical expectation of the consequences of an undesired event, which often leads to the sum of the products probability × consequences combined with the monetary value per considered loss; this is an interesting approach (formulas (8) and (9)).

2.5 Risk evaluation

When a risk analysis is performed, it is also important to realise that decision making about risks is very complex and that not only technical aspects but also political, psychological and societal processes (all) play an important role [Suddle, 2002A; Jonkman et al., 2002]. If a risk analysis is carried out for only the qualitative part, the psychological and political aspects play a major role in risk acceptance and decision-making. Conversely, when the risk analysis is carried out up to the quantitative part, limits for risk acceptance and economic criteria are considered for decision-making. Additionally, regarding safety management and control, one has to take safety measures for persons who feel unsafe while objectively it is safe. This is exactly what [Vlek, 1990] argued for the comfort of safety for all kinds of people.

3 APPROACHES FOR RISK ASSESSMENT

3.1 Deterministic and probabilistic approach

During the 1950s and 1960s two approaches emerged for analysing the safety aspects of potentially hazardous systems, a deterministic approach and a probabilistic approach [Weaver, 1980]. The most significant difference between the two approaches is the way probability is dealt with [Vrijling and Stoop, 1999]. Deterministic safety analysis is focused on the causal processes of accident scenarios whose probability is taken to equal 1.

Probabilistic risk analysis, on the other hand, takes into account the possibility and the likelihood (uncertainty) that accident scenarios might occur. As a result, in deterministic analysis the focus is on developing insights into accident scenarios and consequences, whereas in probabilistic risk analysis the main effort goes into the quantification of probabilities [Hale, 2000; Rosmuller, 2001]. Thus, one may assume there is an existing gap between the probabilistic and deterministic methods in risk analysis. If a risk analysis is performed with present models such as fault trees and event trees, this gap will not be narrowed


Figure 4. Risk analysis and risk acceptance [Suddle, 2002]: hazard identification (qualitative) → risk estimation (qualitative) → risk evaluation (psychology, politics; limits for risk acceptance, economic criteria) → risk acceptance.

Table 3. Costs per life saved of a person depend on the voluntariness of an activity.

Voluntariness of an activity                                              Individual risk [year⁻¹]   Costs per life saved (a)
1. Voluntary risk                                                         10⁻³                       1.500.000
2. High degree of self-determination, direct individual benefit
   (car driving)                                                          10⁻⁴                       6.000.000
3. Low degree of self-determination, individual benefit
   (working conditions)                                                   5·10⁻⁵                     15.000.000
4. Involuntary, imposed risk exposition, no direct benefit
   (local resistance of dangerous installation)                           10⁻⁵                       20.000.000


because of the large dimensions and great complexity of such models. Nevertheless, the following paragraphs are an introduction to the theory, which shows that the existing gap can be narrowed by the use of Bayesian Networks in risk analysis (see [Suddle, 2001A]).

3.2 Use of Bayesian Networks

A Bayesian Network is a graphical tool that represents the relations between a set of variables by a set of directed edges between variables [Hansen, 1999; Jensen, 1996; 2001], which can be divided into events and consequences. The major advantage of Bayesian Networks is that these networks can replace and compact both traditional fault trees and event trees in one model [Bobbio et al., 2001]. Thus, these networks provide an effective tool, particularly for very large risk analyses. According to [Friis-Hansen, 2000] the potential of Bayesian Networks is that of an intuitive modelling tool, partly based on artificial intelligence, that adds transparency and consistency to the models. Normally, the relation between fault trees and event trees is represented in the bow-tie model, which expands exponentially as the number of relations between the events increases [Ale, 2002; Oh, 2001]. This can now be replaced by a single compatible Bayesian Network, which grows linearly (figure 5).

A Bayesian Network consists of a set of nodes and a set of directed arrows. Each node represents a probability distribution, which may in principle be continuous or discrete. Arcs indicate conditional probabilistic dependence, so that the probability of a dependent variable being in a particular state is given for each combination of the states of the preceding variables. The dependence structure is thus represented by a set of conditional probability distributions. A variable which is dependent on other variables is often referred to as a child node.

Likewise, directly preceding variables are called parents. Nodes which have no parents are called root nodes and nodes without children are leaf nodes. Bayesian Networks are sometimes referred to as directed acyclic graphs (DAGs), indicating that loops (or cycles) are not allowed. A Bayesian Network is a representation of the joint probability distribution of the entire variable domain U = {X1, X2, …, Xn}. This is seen by applying the chain rule to factorise the joint distribution into a chain of conditional probability distributions [Friis-Hansen, 2000]:

(10)

(11)

(12)

where P(X1, …, Xn) is the joint distribution of X1 to Xn and P(X1 | X2, …, Xn) is the conditional distribution of X1 given X2, …, Xn. The notation pa(Xi) means the set of parent variables of the variable Xi. From the updated joint table the marginal distributions of each individual variable may be found by summation over all other variables. This is desired for calculating the risk for all scenarios. This is known as sum-marginalisation:

(13)

So, if the undesired events (Hi), failure modes (F), consequences (C), safety measures (M) and risk (R) are elements of the entire variable domain U = {X1, X2, …, Xn}, then every risk analysis with Bayesian Networks is possible.

(14)

These safety measures may include rescue availability or functional design, which are characteristic of deterministic risk analysis. They may also consist of structural measures, which are characteristic of probabilistic risk analysis. Besides, the integration of these measures is a vital issue from the psychological point of view, as mentioned in section 2.3. This concept provides the methodology for quantifying the effectiveness of safety measures with regard to risk, which is desired from a mathematical point of view. A standard Bayesian Network corresponding with a standard risk analysis for basic events may be expressed as in figure 6:
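The chain-rule factorisation and sum-marginalisation described above, and the quantification of a safety measure's effect on risk that the standard network of figure 6 is meant to deliver, carried through as an added worked example in Python. This is code written for this edit, not code from the paper. The node names H, F, C, M and R follow figure 6; the arcs H → F, M → F, F → C, C → R and every probability value in the tables are constructed for illustration and are not the paper's.

```python
"""Added worked example (not from the paper): a small discrete Bayesian Network
queried by the chain rule P(X1..Xn) = prod_i P(Xi | pa(Xi)) and by
sum-marginalisation.  Node names follow Figure 6; arcs and numbers are constructed."""
from itertools import product

# Node -> (parents, CPT).  A CPT maps a tuple of parent states to the distribution
# of the node's own states.  All variables are binary: 0 = absent/no, 1 = present/yes.
NETWORK = {
    "H": ([], {(): {0: 0.99, 1: 0.01}}),          # undesired event (root node)
    "M": ([], {(): {0: 0.30, 1: 0.70}}),          # safety measure in place (root node)
    "F": (["H", "M"], {                            # failure mode given (H, M)
        (0, 0): {0: 1.00, 1: 0.00},
        (0, 1): {0: 1.00, 1: 0.00},
        (1, 0): {0: 0.20, 1: 0.80},                # measure absent: failure likely
        (1, 1): {0: 0.90, 1: 0.10},                # measure present: failure rare
    }),
    "C": (["F"], {(0,): {0: 1.0, 1: 0.0}, (1,): {0: 0.5, 1: 0.5}}),  # consequence given F
    "R": (["C"], {(0,): {0: 1.0, 1: 0.0}, (1,): {0: 0.1, 1: 0.9}}),  # risk realised (leaf node)
}


def topological_order(network):
    """Return the nodes so that every parent precedes its children.
    Raises ValueError on a cycle, which a Bayesian Network (a DAG) must not contain."""
    order, done = [], set()

    def visit(name, path):
        if name in path:
            raise ValueError(f"cycle through node {name}")
        if name in done:
            return
        for parent in network[name][0]:
            visit(parent, path | {name})
        done.add(name)
        order.append(name)

    for name in network:
        visit(name, frozenset())
    return order


def is_acyclic(network):
    """True when the arc structure is a DAG."""
    try:
        topological_order(network)
        return True
    except ValueError:
        return False


def joint_probability(network, assignment):
    """Chain rule: P(X1, ..., Xn) = prod_i P(Xi | pa(Xi)) for one full assignment {node: state}."""
    p = 1.0
    for name, (parents, cpt) in network.items():
        parent_states = tuple(assignment[parent] for parent in parents)
        p *= cpt[parent_states][assignment[name]]
    return p


def total_mass(network):
    """Sanity check: the joint distribution sums to one over the whole domain U."""
    names = topological_order(network)
    return sum(joint_probability(network, dict(zip(names, states)))
               for states in product((0, 1), repeat=len(names)))


def marginal(network, query, evidence=None):
    """Sum-marginalisation: P(query | evidence) by summing the joint over every variable
    other than the query and the evidence, then renormalising over the query's states."""
    evidence = dict(evidence or {})
    free = [n for n in topological_order(network) if n not in evidence]
    dist = {0: 0.0, 1: 0.0}
    for states in product((0, 1), repeat=len(free)):
        assignment = dict(zip(free, states))
        assignment.update(evidence)
        dist[assignment[query]] += joint_probability(network, assignment)
    total = sum(dist.values())
    return {state: p / total for state, p in dist.items()}


def measure_effectiveness(network, measure="M", risk="R"):
    """Relative reduction of P(risk) when the measure is present: 1 - P(R=1|M=1)/P(R=1|M=0)."""
    with_measure = marginal(network, risk, {measure: 1})[1]
    without_measure = marginal(network, risk, {measure: 0})[1]
    return 1.0 - with_measure / without_measure


if __name__ == "__main__":
    print("P(F=1) =", marginal(NETWORK, "F")[1])
    print("P(R=1 | M=0) =", marginal(NETWORK, "R", {"M": 0})[1])
    print("P(R=1 | M=1) =", marginal(NETWORK, "R", {"M": 1})[1])
    print("risk reduction by measure M:", measure_effectiveness(NETWORK))
```

The marginalisation enumerates the whole joint table, which is adequate for a handful of binary nodes and makes the summation of equation (13) visible; real tools use junction-tree or variable-elimination algorithms to avoid the exponential table. The evidence dictionary is what turns a forward risk calculation (P(R) given the network) into the comparison of scenarios with and without the measure M that the text asks for.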

Considering the previous, it may be assumed that Bayesian Networks are not only an effective tool for narrowing the gap between probabilistic and deterministic risk analysis, but are also useful for combining psychological and mathematical approaches towards risk (analysis). For a case study of such an approach, see the paper: Suddle, S.I., Safety assessment of third parties during construction in Multiple Use of Space using Bayesian Networks, these proceedings.

Figure 5. The size of a Bayesian Network is smaller than that of the traditional fault trees. Hence, a Bayesian Network is much more compact.

4 CONCLUSIONS

Considering the title of this paper, “the safety of risk or the risk of safety?”, it is recommendable to observe both components in safety assessment studies. Regarding the safety of risk, it is common to objectify safety in terms of risk with mathematical approaches (the sum of probability times consequences) instead of psychological ones. In this regard the risk (of the safety) can be computed. In contrast, the safety of the risk characterises the opposite approach. For the safety of the risk it is recommended to take psychological definitions into consideration in the risk management process. Therefore one has to combine all risk elements with the monetary value per considered loss.

Hence, one can express all risks in one (monetary) dimension, including psychological aspects. In this paper an approach for the integration of both mathematical and psychological definitions is proposed. Such integration can be accomplished with the use of Bayesian Networks. Moreover, these networks provide transparency and consistency to the risk analysis, are useful for both probabilistic and deterministic risk analysis, and make it possible to combine both mathematical and psychological definitions of risk in a risk management process.

LITERATURE

Bobbio, A., L. Portinale, M. Minichino & E. Ciancamerla, Improving the analysis of dependable systems by mapping fault trees into Bayesian networks, Reliability Engineering and System Safety, Volume 71, March 2001, pp. 249–260.

Bouma, H., Als het leven je lief is, Max Gelder Stichting, 1982.

Coombs, C.H., A review of Mathematical Psychology of Risk and Risk taking, University of Michigan: Michigan Mathematical Psychology Program Report MMPP 72-6.

Durmisevic, S., Perception aspects in underground spaces using intelligent knowledge modeling, Delft: DUP Science, 2002, 159 pp.

Friis-Hansen, A., Bayesian Networks in a Decision Support Tool in Marine Applications, Department of Naval Architecture and Offshore Engineering, Technical University of Denmark, Kgs. Lyngby, December 2000, 183 pp.

Gezondheidsraad: Commissie Risicomaten en risicobeoordeling, Niet alle risico’s zijn gelijk, Den Haag: Gezondheidsraad, 1995; publicatie nr 1995/06, 122 pp.

Gezondheidsraad: Commissie Risicomaten en risicobeoordeling, Risico, meer dan een getal, Den Haag: Gezondheidsraad, 1996; publicatie 1996/03, 130 pp.

Hale, A.R., Collegedictaat WM0801TU: Inleiding algemene veiligheidskunde, TU-Delft, 2000.

Hansen, P.H., Introduction to risk analysis; Structural and Stochastic Load Modeling, Lyngby, Department of Structural Engineering and Materials, Technical University of Denmark, August 9–20, 1999.

Jensen, Finn V., An introduction to Bayesian networks, London: UCL Press, 1996, 178 pp.

Jensen, Finn V., Bayesian networks and decision graphs, New York: Springer, 2001, 268 pp.

Jonkman, S.N., P. van Gelder, H. Vrijling, An overview of quantitative risk measures and their application for calculation of flood risk, ESREL 2002, Volume 1, pp. 311–318.

Kaplan, S. & B.J. Garrick, On the quantitative definition of risk, Risk Analysis, Volume 1, pp. 11–27.

Libby, R., P.C. Fishburn, Behavioural models of risk taking in business decisions: a survey and evaluation, Journal of Accounting Research, Autumn, pp. 272–292.

Lind, N.C., Target reliability levels from social indicators, Structural Safety, 1994.

Oh, J.I.H., Co-operation between regulator and industry with respect to inspections, Ministerie van Sociale Zaken en Werkgelegenheid, mei 2001.

Rosmuller, N., Safety of transport Corridors, dissertation, TU-Delft, Trail Thesis Series, May 2001, 336 pp.

Schaalma, H.P., C.A.J. Vlek & P.F. Lourens, Veiligheid vervoer te water; perceptie, beoordeling en acceptatie van risico’s van het vervoer over de Nederlandse binnenwateren, Haren: Rijksuniversiteit Groningen, Verkeerskundig Studiecentrum, 1990, 158 pp.

Seiler, H., Risiko-basiertes Recht – Elemente einer einheitlichen Politik zur Regulierung technischer Risiken. Abschlussbericht des Gesamtprojekts FNP Risk Based Regulation – ein taugliches Konzept für das Sicherheitsrecht, Bern: Staempfli, 2000.

Stoessel, F., Can we learn to accept risks, Conference report, “Safety, Risk and reliability – Trends in engineering”, Malta, 2001.

Suddle, S.I., Veiligheid van bouwen bij Meervoudig Ruimtegebruik, afstudeerrapport, TU-Delft, April 2001, 298 pp.

Figure 6. A standard Bayesian Network for risk analysis (nodes: Event, M, H, F, C, R).

Suddle, S.I., Beoordeling veiligheid bij Meervoudig Ruimtegebruik, Cement, Volume 54, no. 1/2002, Februari 2002, pp. 73–78.

Vlek, C.A.J., Beslissen over risico-acceptatie; een psychologisch-besliskundige beschouwing over risicodefinities, risicovergelijking en beslissingsregels voor het beoordelen van de aanvaardbaarheid van riskante activiteiten, Rijksuniversiteit Groningen, ‘s-Gravenhage: Gezondheidsraad, 1990, 236 pp.

Vlek, Ch. & P.J. Stallen, Rational and personal aspects of risks, Acta Psychologica, Volume 45, pp. 273–300.

Vrijling, J.K. en J. Stoop, Naar één beslismodel voor de veiligheid, Watertovenaars, Vol. 17, pp. 202–213, Rijkswaterstaat, 1998.

Vrijling, J.K., W. van Hengel, R.J. Houben, Acceptable risk as a basis for design, Reliability Engineering and System Safety, Volume 59, 1998, pp. 141–150.

Vrijling, J.K., A.C.W.M. Vrouwenvelder e.a., Kansen in de civiele techniek, Deel 1: Probabilistisch ontwerpen in de theorie, CUR-rapport 190, CUR, Gouda, maart 1997.

Vrouwenvelder, A.C.W.M., Risk Assessment and Risk Communication in Civil Engineering, CIB Report, Publication 59, Februari 2001.

Voordt, D.J.M. van der & H.B.R. van Wegen, Sociaal veilig ontwerpen; checklist ten behoeve van het ontwikkelen en toetsen van (plannen voor) de gebouwde omgeving, TU-Delft: Publikatieburo Bouwkunde, 1990, 128 pp.

Weaver, W.W., Deterministic criteria versus probabilistic analysis: Examining the single failure and separation criteria, Nuclear Safety, Volume 47, No. 2, 1980, pp. 234–243.


Safety assessment of third parties during construction in multiple use of space using Bayesian Networks

S.I. Suddle
Delft University of Technology & Corsmit Consulting Engineers Rijswijk, The Netherlands

ABSTRACT: Lack of space leads to the design and construction of projects which make intensive and optimal use of the limited space. Buildings above roads, railways and other buildings are examples of intensive use of space projects. The construction processes of those buildings are in general extremely complicated, and safety is one of the critical issues. Research has recently been completed [Suddle, 2001] on the safety of people present in the neighbourhood of these projects (such as users of infrastructure above which buildings are being built). This paper proposes a methodology for the assessment of the safety of such people using Bayesian Networks.

1 INTRODUCTION

In spite of many obstructions regarding construction safety, a number of different projects have already been realised in The Netherlands. Examples of such projects are buildings situated on top of the motorway “Utrechtse Baan” in The Hague. An important lesson has been learned from these projects: activities during the construction phase of such projects form a hazard for people present on the infrastructure beneath, called third parties, such as drivers and passengers [Meijer & Visscher, 2001; Suddle, 2001A]. However, on the basis of law there are no explicit norms for the safety of third parties during construction, especially not for such projects [Suddle, 2001B]. Besides, a methodology for the safety assessment of third parties in such conditions has not been developed up to now. Case studies of projects built over the motorway Utrechtse Baan showed that specifying requirements regarding safety at the earliest possible stage during the design phase decreases the risks for third parties during construction. It is essential to have clarity among those who are responsible for taking safety measures. Moreover, it is necessary to have an adequate and effective organisation at the construction site. This can restrict potential danger during construction [Meijer & Visscher, 2001; Suddle, 2001A].

Before realising such projects, one has to consider which aspects mainly influence the safety of third parties during construction and how the safety of third parties can be assessed during construction of such projects. Moreover, the use of the infrastructure must be maintained during construction of the building above. Therefore knowledge about the safety system in the construction phase of such projects and about the effectiveness of safety measures in relation to human and financial risks is essential. It has to be noted that the measures have to be financially attractive and must comply with the risk acceptance criteria, to be divided into criteria on an individual and on a social basis [Vrouwenvelder et al., 2001; Vrijling & Vrouwenvelder, 1997].

2 CLASSIFICATION OF SAFETY ASPECTS DURING CONSTRUCTION PHASE

To determine the safety and thus the risks for third parties in multiple use of land projects, a classification has been made of the aspects which influence the safety of third parties during construction. This classification consists of four main aspects (see figure 1). A full scope of these aspects is presented in [Suddle, 2001A].

2.1 Regulations

In order to carry out a flexible process, regulations basically provide an effective tool for all actors and their relations during any stage of any project. In essence, regulations, like guidelines for contractors, control the safety during construction. However, in the case of multiple use of space projects, these regulations are hardly effective and thus not explicit. Other types of regulations are meant for structural calculations, materials, quality sets, organisation at the site etc. Both national and international standards are a part of this main aspect.

2.2 External conditions

External conditions are a main parameter for the safety of third parties. The location of the building, which depends on the (traffic) condition beneath, forms a fundamental aspect of the external conditions. These parameters determine both the intensity and the speed of traffic. Furthermore, it is important to realise that safety (of third parties) during construction depends on where the building is being constructed (e.g. above roads or above railway tracks) and on the height level of the infrastructure. Typically, the surroundings impose these conditions. The position of cables in the underground can also be considered in this main part. Therefore, some of these parameters can hardly be influenced. However, one may prevent risk for third parties by logistic measures, e.g. closing off the road and rerouting the traffic during construction.

2.3 Design aspects

Other parameters which influence the safety of third parties are related to design aspects. These aspects depend on e.g. the dimensions of the building, the architectural design, the structural elements, the functional design of the building and technological aspects. These parameters, which are characteristics of the considered project, can be influenced and controlled in the project design phase.

2.4 Construction aspects

Finally, characteristic aspects related to construction work can be mentioned as a main part for the safety of third parties. Aspects fixed in the design phase can hardly be changed during construction. Hence, mistakes made in the design phase will always come to light in the construction phase. The construction (phase) is characterised by the many parties involved. Therefore, the organisation between these parties is crucial as well. In this phase, regulations, boundaries and preventive measures regarding the safety of third parties during construction are relevant.

3 RISK ANALYSIS

3.1 Qualitative risk analysis

Considering the safety aspects during the construction phase, the relation between these aspects of construction in multiple use of land and their risk has been analysed. Accordingly, risk analyses have been made for several cases. First, a qualitative risk analysis for the safety of third parties has been performed with FMEA techniques (Failure Mode and Effect Analysis). This technique gives a complete view of hazards and consequences. In this study the technique is applied to the construction of a building over a motorway (the full FMEA is presented in [Suddle, 2001A]). Normally an FMEA covers effects of failure like cost increase, time loss, loss of quality, environmental damage and loss of human life. Considering the aim of this study, the risks regarding cost increase and loss of human life are taken into account. A part of the FMEA is presented in table 1 (adapted from [Suddle, 2001A]).

It appeared from the FMEA [Suddle, 2001A] that the safety of third parties during construction largely depends on falling elements. The falling objects may consist of bolts, screws, parts of concrete (structures), parts of a scaffold, building parts, hammers, beams, or even construction workers.

3.2 Quantitative risk analysis

Hence, these falling elements may cause casualties among people present on the infrastructure and in some cases economic risks as well. This observation is analysed in more detail by a quantitative risk analysis using Bayesian Networks for a case [Suddle, 2001A]. This case consists of a building of 10 storeys that is built above a 2 × 2 lane motorway. The span and the linear direction of the building are respectively 20 meters and 50 meters. Two risks, loss of human life and economic loss, are considered in these networks (see figure 2).

In this regard, possible quantifiable parameters should be transformed into conditional probabilities, which are determined from both the classification of aspects for the safety of third parties during construction (section 2) and the FMEA (table 1). These quantifiable aspects are the following:

• the position where the element falls (inside or outside the building);
• the situation below the building;
• (design) errors;
• the weight of the falling element;
• the actions of elements in relation with the installation of elements;
• the collapse of the main structure of the building caused by falling elements;
• the probability of elements falling;
• the height from which the element is falling;
• fatalities and economic risk.

Figure 1. Classification of safety aspects of third parties during construction phase [Suddle, 2001A]. Four main aspects: Regulations, External conditions, Design aspects, Construction aspects.

These aspects are taken into account in Bayesian Networks. Each aspect is represented as a node or is integrated in these networks (see figure 3). Each node is divided into categories corresponding with the events of that node. The relations between the nodes are connected with arcs, which specify the probable influence between these nodes.

These probabilities are determined by historicaldata, expert opinion or by engineering judgement.

Table 1. An example of the FMEA for safety of third parties during construction (adapted from [Suddle, 2001A]).

Failure mode                        Failure mechanism                                Effect of failure
Activity: Ground activities
Activity: Fabricate elements
Activity: Concrete work
Logistic problems                   Planning fault                                   Time loss
Collapse of concrete element        Design fault                                     Costs, time loss, casualties
Fixing concrete elements            Element falls                                    Costs, time loss, loss of quality, casualties
Huge deformations of elements       Element collapses and falls                      Costs, time loss, loss of quality, casualties
No right composition of concrete    Production fault                                 Costs, time loss, loss of quality
Activity: Installing temporary structures/scaffolds
Fixing temporary structures         Construction fault                               Costs, time loss, casualties
Collapse of temporary structures    Construction falls; construction element falls
Activity: Remove temporary structures

Figure 2. Case: 2 × 2 lane motorway.

Figure 3. Bayesian Network for a building above roads (a) and above railway tracks (b). Nodes in (a): where, falling, weight, height, errors, situation below, main structure, cost outside, loss of lives, economic loss; (b) has the same nodes plus the node situation at platform.

In some cases, especially where historical data cannot be found in the literature, expert opinion or engineering judgement is used for that reason. Order-of-magnitude values following from the occurrence frequencies of hazardous events, combined with the different conditional probabilities, are used to determine the failure probability.

3.3 Quantification of probabilities and relations of aspects

• the position where the element falls (inside or outside the building);

The position where the element falls depends on the considered surface. The ratio of the building surface and the surface of the risk zones outside the building, Abuilding/Aoutside1,2, determines P(element falls outside or inside the building | element falls). In this analysis, the risk zones outside the building (Aoutside1,2) are estimated at 2 meters out of the façade of the building (see figure 4).

• the situation below the building;

In order to compute the probability of a person of the third party being hit by a falling element, it is relevant to know the situation below the building. The situation below the building corresponds with P(element falls on a car or the road | element falls outside) and P(element falls on cars | element falls inside, building collapses), which can be determined respectively by the ratio of the total cars in the risk zones, Acars/Aoutside2, and of the total cars beneath the building, Acars/Abuilding.

• (design) errors;

An assumption has been made for fatal (design) errors: P((design) errors) = 10^-4, which corresponds with the category “remote”.

• the weight of the falling element;

To investigate the effect of a falling element, five different weight classes (of falling elements), which are used in the building, are formulated (see table 2).

• the actions with elements in relation with the installation of elements;

It is not only the weight class that determines the risk for third parties; the actions per element in particular are the main cause of whether the element falls or not. Therefore, the distribution of the total elements in the building is determined for the case study (see figure 5). Subsequently, this distribution is transformed into the distribution of the actions of elements (see figure 5). This means that the output probabilities should be multiplied by the total number of actions per project per year.

• the collapse of the main structure of the building caused by falling elements;

A collapse of the building can only occur if the element falls inside the building during construction. In this respect, P(collapse of the building | weight class, element falls inside building, element falls) is determined by a combination of engineering judgement and the laws of mass and impulse.

Figure 4. The building surface (Abuilding) and the surface of the risk zones outside the building (Aoutside 1, Aoutside 2), with axes x and y.

Figure 5. Distribution of elements and distribution of actions per element, per weight class (< 5 kg, 5–100 kg, 100–1000 kg, 1000–10000 kg, > 10000 kg). Bar values in reading order: elements 0,181; 0,549; 0,253; 0,016; 0,001 and actions 0,063; 0,578; 0,266; 0,085; 0,008.

Table 2. Examples of different weight classes.

Weight-class     Example of elements
< 5 kg           Very light material, bolts, screws, concrete remains, etc.
5–100 kg         Light material, interior material, light dividing walls, construction workers, etc.
100–1000 kg      Structural elements for the façade construction, etc.
1000–10000 kg    Structural elements, beams, hollow core beams, etc.
> 10000 kg       Heavy structural elements, main structure of the building, etc.

A logical assumption has been made that the heavier the element and the higher it falls from, the higher the probability that the building collapses due to the falling of an element inside the building (see figure 6).

• the probability of elements falling;

Because no data could be found about the probability of elements falling per weight class, an extensive expert opinion survey has been performed (see Appendix A). The experts varied from scientists specialised in construction technology in multiple use of space projects to construction workers. It appeared that their opinions regarding the probability of failure corresponded with each other. The average probability of elements falling per weight class per project is given in figure 7.

• the height from which the element is falling;

The height from which the element is falling is integrated in the Bayesian Network as a variable in the risk analysis. This variable corresponds with the ratio of the height of the building. Three different height levels are proportionally considered: h < 5 m; 5 m < h < 10 m and h > 10 m.

• fatalities and economic risk;

The probabilities of the node fatalities and economic risk are determined by engineering judgement (for a full overview see [Suddle, 2001A]). The node fatalities is divided into injury and loss of life. It has to be noted that P(person being killed | an element falls on a person) is almost 1, even if the falling element weighs less than 5 kg (see figure 8).

A large economic damage mainly depends on the case of closing the infrastructure for a long period of a few weeks, due to e.g. collapse of the building above. In this regard five different cost classes (of economic risk) were considered and in particular the effect is determined if elements fall in the risk zones (see table 3 and figure 9).

A full overview of the conditional probabilities of fatalities and economic risk is presented in [Suddle, 2001A].

Figure 6. Probability of collapse of the building if an element falls inside the building, per weight class (< 5 kg to > 10000 kg) and height level (h < 5 m; 5 m < h < 10 m; h > 10 m); logarithmic scale 1,00E-07 to 1,00E-01.

Figure 7. The average probability of an element falling [project^-1], per weight class; logarithmic scale 1,00E-05 to 1,00E+00. Bar values in reading order: 0,10; 0,017; 0,00255; 0,0013; 0,00014.

Figure 8. The probability of being killed due to a falling element, against the weight of the element [kg] from 0 to 20, for the three height levels.

Table 3. Examples of different cost classes.

Cost-class               Example of costs
No costs                 In case no elements fall
< €10,000                Very light damage to vehicles, etc.
€10,000–€100,000         Light damage to infrastructure and total loss of (expensive) vehicles, etc.
€100,000–€1,000,000      Damage to infrastructure, etc.
> €1,000,000             Heavy damage in case of closing off the road and rerouting the traffic for a long period, etc.

3.4 Quantification of probabilities above railways and existing buildings

To determine the risks for third parties in the construction phase when building over railways and existing buildings, such networks are composed for both cases. In the Bayesian Network for a building above a railway track an extra node is added, which represents the situation at the platform (see figure 3). It has to be noted that the financial damage given that an element falls is much bigger for railways than for roads, because there is no option for rerouting the train traffic [Suddle, 2001A]. Finally, the risks for third parties are also determined by making these networks for building over an existing building, in which the situation beneath the building is less dynamic.

4 RESULTS OF THE RISK ANALYSIS

4.1 Individual Risk

Basically, the probabilities that are determined are probabilities per year per action of a considered element. The individual risk (IR) during construction can be determined by multiplying the computed probabilities by the number of actions (see table 4). In this regard the individual risk for building above road and above railway tracks is almost of the same order (10^-6).

This can be presented as individual risk contours at the construction site (figure 10). The expected loss of human life (E(Nd)) can be computed by multiplying the individual risk (IR) by the number of participants. The results of the risk analyses come down to the following (table 4):

The results show that building over road infrastructure is the least safe way to build, followed by building over rail infrastructure. Building over existing buildings carries less risk. From a financial point of view, building over rail infrastructure is not significantly different from building over road infrastructure. Again, building over existing buildings carries less risk.

4.2 Group Risk

In the same way, group risk is considered for constructing buildings above roads, railways and existing buildings. The group risk for building above roads, railway tracks and existing buildings is almost negligible (figure 11). Note that building over existing buildings carries less group risk.

4.3 Check for limits of risk acceptance

Because of a lack of explicit norms of risk acceptance for the safety of third parties during construction, the method of [Vrijling et al., 1996] based on voluntariness is used (β_i = 0.01). When considering these acceptance limits, to be divided into criteria on an individual and on a social basis, the results for building over rail and road infrastructure slightly exceed them. Therefore, safety measures are analysed and optimised for building above road infrastructure.

Table 4. Results of the risk analysis.

                                            Building over road   Railway track   Building
Expected human risks: loss of human life    1,65                 1,33            8,01 · 10^-4
Expected human risks: injuries              5,46                 1,72            8,10 · 10^-6
Expected economic risk                      € 945,000            € 1,035,750     € 17,700

Figure 10. Risk contours during the construction phase for a building above a road (contours IR = 10^-9 and IR = 10^-6).

Figure 9. Damage costs of elements falling in the risk zones of the building, per weight class (< 5 kg to > 10000 kg) and height level (h < 5 m; 5 m < h < 10 m; h > 10 m); damage costs [€/year] on a logarithmic scale 1,00E+01 to 1,00E+07.

5 SENSITIVITY ANALYSIS

In order to formulate safety measures and to determine their effect on risks, a sensitivity analysis is performed. The sensitivity analysis provides both transparency of the relevant scenarios and the deviation of the results of the risk analysis using Bayesian Networks. The dominant aspects are:

• the number of actions per project;
• the position where the element falls;
• the situation below the building;
• the weight of the falling element.

Furthermore, the risk zones of the building, the façades that cross the road, form an important nexus for the safety of third parties (see also figure 10). Surprisingly, factors that turned out to be hardly of any influence are (design) errors and collapse of the main structure of the building caused by falling elements. The error in the calculated probabilities is approximately 40%. This is determined by evaluating the conditional probabilities that were determined by engineering judgement. So, the expected loss of human life varies between 1,20 and 2,31. If the height of the building is considered together with the individual risk (IR) of third parties, the following relation can be presented (figure 12).

Figure 12 shows that the higher the building, the higher the individual risk of third parties. It also means that the higher the building, the more safety measures have to be taken.
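The calculation chain of sections 3.3 to 5, carried through as an added worked example in Python: the surface ratio for the position of the falling element, the per-class product of actions, falling probability, position, situation below and lethality, the relations IR = probability per action × number of actions and E(Nd) = IR × participants, the acceptance check with β_i = 0.01, the dominant weight class, and the fitted height relation of figure 12. This is code written for this edit, not the paper's code, and it does not reproduce the paper's published results. Assumptions, stated in the code as well: the 20 m × 50 m footprint is the paper's case, while the 2 m risk zones are taken along the two 20 m façades that cross the road; P_FALL and ACTION_SHARE are the bar values of figures 7 and 5 in reading order and are assumed to run left to right over the weight classes; the number of actions per year, the car cover fraction of the risk zones and the number of participants are constructed; the limit IR < β · 10^-4 per year is the form of the Vrijling et al. individual-risk criterion the paper cites, of which the paper itself gives only β_i = 0.01.

```python
"""Added worked example (not the paper's code or published results): the falling-element
risk chain of Section 3.3, the IR and E(Nd) relations of Section 4.1, the acceptance check
of Section 4.3 and the dominant-factor question of Section 5.  See the lead-in for the
labelled assumptions; every constant below is either the paper's case or constructed."""

WEIGHT_CLASSES = ["< 5 kg", "5-100 kg", "100-1000 kg", "1000-10000 kg", "> 10000 kg"]
P_FALL = [0.10, 0.017, 0.00255, 0.0013, 0.00014]        # P(element falls | action); Figure 7 bars, assumed order
ACTION_SHARE = [0.063, 0.578, 0.266, 0.085, 0.008]     # share of all actions per class; Figure 5 bars, assumed order
P_KILLED_GIVEN_HIT = [0.9, 1.0, 1.0, 1.0, 1.0]         # constructed; the paper puts this near 1 even below 5 kg

A_BUILDING = 20.0 * 50.0           # m^2, the paper's case (span 20 m, length 50 m)
A_OUTSIDE = 2 * (2.0 * 20.0)       # m^2, two 2 m strips along the facades crossing the road (assumed)
CAR_COVER = 0.10                   # A_cars / A_outside, constructed
ACTIONS_PER_YEAR = 20_000          # element actions per project year, constructed
PARTICIPANTS_PER_YEAR = 2_000_000  # road users passing under the site per year, constructed


def p_outside_given_fall(a_building=A_BUILDING, a_outside=A_OUTSIDE):
    """P(element lands in a risk zone | element falls), from the surface ratio of Section 3.3."""
    return a_outside / (a_building + a_outside)


def expected_fatalities_by_class(actions=ACTIONS_PER_YEAR, car_cover=CAR_COVER):
    """E(Nd) per weight class per year:
    actions x share x P(fall | action) x P(outside | fall) x P(on a car | outside) x P(killed | hit)."""
    p_out = p_outside_given_fall()
    return [actions * share * p_fall * p_out * car_cover * p_kill
            for share, p_fall, p_kill in zip(ACTION_SHARE, P_FALL, P_KILLED_GIVEN_HIT)]


def expected_fatalities(**kwargs):
    """E(Nd): expected loss of human life per year, summed over the weight classes."""
    return sum(expected_fatalities_by_class(**kwargs))


def individual_risk(participants=PARTICIPANTS_PER_YEAR, **kwargs):
    """The paper's relation E(Nd) = IR x participants, solved for IR [1/year]."""
    return expected_fatalities(**kwargs) / participants


def acceptable_individual_risk(beta):
    """Vrijling et al. limit on individual risk: IR < beta x 1e-4 per year (beta_i = 0.01 in the paper)."""
    return beta * 1e-4


def exceeds_limit(beta=0.01, **kwargs):
    """True when the computed IR is above the acceptance limit for the given beta."""
    return individual_risk(**kwargs) > acceptable_individual_risk(beta)


def dominant_class():
    """Weight class carrying the largest share of E(Nd), and that share (Section 5 question)."""
    contrib = expected_fatalities_by_class()
    i = max(range(len(contrib)), key=contrib.__getitem__)
    return WEIGHT_CLASSES[i], contrib[i] / sum(contrib)


def measure_effect(car_cover_with_measure):
    """Relative reduction of E(Nd) when a logistic measure lowers the car cover in the
    risk zones (e.g. closing the lane under the facade)."""
    return 1.0 - expected_fatalities(car_cover=car_cover_with_measure) / expected_fatalities()


def ir_from_height(h_m):
    """The fitted relation of Figure 12, IR = 2e-8 * h^1.15 [1/year], with h in metres."""
    return 2e-8 * h_m ** 1.15


if __name__ == "__main__":
    for cls, e in zip(WEIGHT_CLASSES, expected_fatalities_by_class()):
        print(f"{cls:>14}: E(Nd) = {e:.4f} /year")
    print(f"E(Nd) total = {expected_fatalities():.3f} /year, IR = {individual_risk():.2e} /year")
    print(f"limit (beta = 0.01) = {acceptable_individual_risk(0.01):.1e}, exceeded: {exceeds_limit()}")
    print(f"dominant class: {dominant_class()}")
    print(f"E(Nd) reduction if car cover halves: {measure_effect(CAR_COVER / 2):.2f}")
```

Because the chain is a product, every factor that enters it once scales E(Nd) and IR linearly, which is why the paper's ±40% judgement error on the conditional probabilities carries straight through to the ±40% band on the expected loss of life, and why the factors with the largest spread across weight classes (number of actions, position, situation below, weight) dominate the sensitivity. The measure_effect function is the place where a safety measure is expressed as a change of one conditional probability, as section 3 of the preceding paper asks for.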

6 CONCLUSIONS

This paper presented a probabilistic approach for the safety of third parties during the construction phase. The relation between FMEA techniques and Bayesian Networks is treated. This study showed that the risk zones of the building, the façades that cross the road, form an important nexus for the safety of third parties. The safety measures should be integrated into these zones.

LITERATURE

Meijer, F. en H.J. Visscher, Bouwveiligheid en bouwhinder bij meervoudig stedelijk ruimtegebruik, Onderzoeksinstituut OTB, DUP Satellite, 2001, 113 pp.

Suddle, S.I., Veiligheid van bouwen bij Meervoudig Ruimtegebruik, afstudeerrapport, TU-Delft, april 2001A, 298 pp.

Suddle, S.I., Veilig bouwen bij Meervoudig Ruimtegebruik, Land + Water, Volume 41, no. 9/2001, september 2001B, pp. 24–27.

Figure 11. Group risks of building on top of transport routes: FN-curve for fatalities of third parties during construction, P(N > n) [1/year] against n (number of fatalities, 1 to 1000), on a logarithmic scale from 1,0E-09 to 1,0E+00; curves for Roads, Railway tracks and Buildings, with the acceptable norm and the VROM-rule.

Figure 12. The relation between the height of the building and the individual risk of third parties: IR [1/year] against height of the building [m] (1 to 1000, logarithmic scale 1,00E-09 to 1,00E-04), fitted as IR = 2·10^-8 · h^1,15.

Suddle, S.I., Safety of construction in intensive use of space, Proceedings of Congress Risk Analysis, Volume III, Editor: C.A. Brebbia, Sintra (Portugal), WIT Press, Southampton, June 2002, pp. 305–314.

Vrijling, J.K., W. van Hengel, R.J. Houben, Acceptable risk as a basis for design, Reliability Engineering and System Safety, Volume 59, 1998, pp. 141–150.

Vrijling, J.K., A.C.W.M. Vrouwenvelder e.a., Kansen in de civiele techniek, Deel 1: Probabilistisch ontwerpen in de theorie, CUR-rapport 190, CUR, Gouda, maart 1997.

Vrouwenvelder, A.C.W.M., e.a., Risico-analyse bouwfase boortunnel, CUR/COB Uitvoeringscommissie N510, tussenrapportage, TNO-Bouw, Delft, 25 november 1996.

Vrouwenvelder, A.C.W.M., Risk Assessment and Risk Communication in Civil Engineering, CIB Report, Publication 59, februari 2001.

APPENDIX A

Figure 13. Results of expert opinion for the probability of an element falling (probability on a logarithmic axis from 0.00001 to 0.1, for nine experts and five mass classes: > 10000 kg, 1000–10000 kg, 100–1000 kg, 5–100 kg, < 5 kg).

Figure 14. Construction of the Malie Tower in The Hague (The Netherlands).


A logarithmic approach for individual risk: the safety-index

S.I. Suddle
Delft University of Technology & Corsmit Consulting Engineers, Rijswijk, The Netherlands

ABSTRACT: Risk analyses can be undertaken to examine the safety measures that are needed to realise complex projects near hazardous installations. When doing such a risk analysis, the results have to be checked against risk acceptance criteria. In this paper, the three main risk acceptance criteria, which can be divided into individual risk, risk on a social basis and the economic criterion, are analysed and their interrelation is described. One of the relations between these criteria is the expected number of casualties. To quantify this expected number of casualties in economic terms, the expected number of casualties is taken into account by using a monetary value per casualty. This paper discusses the variation of the monetary value per casualty. Furthermore, the acceptable level for societal risk is analysed for different countries. Finally, a new approach for the individual risk criterion on a logarithmic scale, namely the safety-index, is discussed, and a full derivation of the safety-index is given. Besides, on the basis of the safety-index, a dimensionless criterion for individual risk is proposed. The safety-index provides an effective tool for the dimensionless assessment of individual risk with regard to the acceptance of risk.

1 INTRODUCTION

During the design phase of a complicated project, risk analyses can be undertaken to examine the safety measures that are needed to realise such projects. When doing this risk analysis, the results have to be checked against risk acceptance criteria. If the results do not comply with these criteria, which can be divided into criteria on an individual and on a social basis, extra measures can be taken to increase the level of safety. However, these risk acceptance criteria differ from country to country. In order to take decisions on safety measures it is useful that the main risk acceptance criteria are analysed and their interrelation with economic considerations is described.

Moreover, the realisation of safety measures requires investment. In this regard, economic considerations have to be taken into account when a risk analysis is performed and measures are going to be taken. These economic considerations consist of the costs of investments and the economic risk. Considering these measures, the decision maker finds himself in a dilemma: which measure has to be given preference, the one that minimises the economic risk or the one that decreases the loss of human lives? Generally, in such analyses it comes down to the fact that human risks, e.g. the expected number of casualties, are also transformed into monetary terms. This paper presents the variation of the monetary value per casualty.

Another complexity during the design phase of complicated projects is the transparency of the risk acceptance criteria for non-scientists, e.g. municipalities; it is difficult for the decision maker to understand these criteria. The individual risk, which is one of these criteria, is traditionally depicted as contours on a two-dimensional map [Ale et al., 1996]. Such risk contours give only the probability that a person who is permanently present at a certain location in the vicinity of a hazardous activity will be killed as a consequence of an accident with that activity. However, these risk contours do not express the acceptance of risk by that person, which depends on the voluntariness of the activity and its direct benefit. Different participants in the exploitation phase make different demands and therefore have a different perception of safety. Therefore, it is recommended to draw these risk contours including the voluntariness and the direct benefit for these participants.

Accordingly, in this paper a new (dimensionless) approach for the individual risk criterion on a logarithmic scale, namely the safety-index, is proposed [Suddle, 2002A]. This logarithmic approach is adapted from medical science and insurance policies [Boudier et al., 1985] and can be applied in building engineering and physical planning around hazardous installations and infrastructure with transport of hazardous materials, to present safety results dimensionless and including the personally acceptable level of risk. The formula of the safety-index is applied to a line-infrastructure case in which (individual) safety contours are depicted. This concept can be handy for policy makers and is thus effective in risk communication.

2 RISK ACCEPTANCE AND DECISION-MAKING

Risk analysis is a method that can be used to examine safety in objective terms. When doing this risk analysis, the results have to be checked against risk acceptance criteria. Criteria for accepting or rejecting the assessed risks involve two related quantities: the frequency of an undesired event and its consequences (casualties, monetary values, environmental values). In general, one may state that the higher the consequences, the lower the accepted probabilities. In more detail, the acceptance limits for a given event may originate from three different angles [Vrouwenvelder et al., 2001]:

1. A comparison with other risks related to individual safety;

2. Societal aversion to big disasters, especially when many casualties are involved;

3. Economic considerations.

If the results do not comply with these risk acceptance criteria, measures can be taken to reach the required level of safety. However, these measures have to be attractive in economic terms. Moreover, these three aspects should be integrated and/or prioritised.

3 A SET OF RULES FOR THE ACCEPTABILITY OF RISKS

3.1 Personally acceptable level of risk

An overview of measures to express the individual risk is given by [Bedford & Cooke, 2001]. The smallest component of the socially acceptable level of risk is the personal cost-benefit assessment by the individual [Vrijling et al., 1998].

Individual risk (IR) is defined as the probability that a person who is permanently present at a certain location in the vicinity of an activity will be killed as a consequence of an accident with that activity. Usually, IR is expressed for a period of a year. It can be pictured on both two- and three-dimensional maps [Suddle et al., 2002] by connecting points of equal IR around a facility, the risk contours [Ale, 2002].

From a personal point of view, the probability of failure (a fatal accident) should meet the following requirement [Vrijling & Vrouwenvelder, 1997]:

(1)

In which:
P_fi = probability of failure f as a result of an event i [year^-1];
P_d|fi = probability of being killed if failure f, as a result of an event i, occurs;
β_i = the policy factor that varies with the degree of voluntariness with which an activity i is undertaken and with the benefit perceived. It ranges from 100, in case of complete freedom of choice like mountaineering, to 0.01 in the case of an imposed risk without any perceived direct benefit;
10^-4 = statistical probability of dying per year of young people [year^-1].

Figure 1. Two- and three-dimensional individual risk contours for an installation and line infrastructure [Suddle et al., 2002].

3.2 Socially acceptable level of risk

Societal risk (SR) is defined as the probability that in an accident more than a certain number of people are killed. Societal risk is usually represented as a graph in which the probability or frequency F is given as a function of N, the number of people killed. This graph is called the FN curve. A mathematical expression in the case of a straight FN curve (on log-log scale) can be presented as a combination of [Vrijling et al., 1998] and [Vrouwenvelder et al., 2001]:

(2)

(3)

where

(4)

In which:
C_i = the (imaginary) acceptable probability for n = 1;
1 − F_N(n) = frequency of more than n fatalities [year^-1];
N = the number of people being killed in one year in one accident;
n = number of fatalities in one year in one accident;
N_A = the number of independent locations;
g = the slope of the FN curve, also called the risk aversion factor [Vrijling & van Gelder, 1997]; the value of g ranges from 1 to 2;
k = the risk aversion factor; the value of k is mostly 3.

A standard with a steepness of g = 1 is called risk neutral. If the steepness g = 2, the standard is called risk averse: larger accidents are weighted more heavily and are accepted with a relatively lower probability. Some international FN standards are given in figure 2 (right) [Jonkman et al., 2002]. In contrast to other countries, the societal risk criterion in The Netherlands is much more stringent. Hence, it is not remarkable that the results of some safety studies do not comply with the Dutch criterion (the VROM-rule), while they do comply with the criteria of other countries.

Figure 2. FN curves, where 1 − F_N(n) = P(N > n in one year), for The Netherlands (left) and some international FN standards (right).

Table 1. Personal risks in Western countries, deduced from the statistics of causes of death and the number of deaths and the number of participants per activity [Vrijling et al., 1998].

In general, the FN curve indicates the border between "acceptable" and "unacceptable" in a diagram with probability on one axis and the number of casualties on the other. It is quite customary to have two FN curves, as indicated in figure 2 (left):

• One curve representing an upper limit above which activities or situations are not acceptable;

• Another curve representing a lower limit below which no further risk reductions are necessary.

In figure 2 the societal risk criterion in The Netherlands, also called the VROM-rule, is illustrated. In the area in between, risk-reducing measures should be considered and judged on an economic basis: between these levels it is required to reduce risks to a level "as low as reasonably achievable" (ALARA), that is, until the costs of further measures would be grossly disproportionate to the benefit gained.
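The following Python block is an added worked example of the societal-risk check of this section; it is not code from the paper. The straight-line criterion form F(N > n) < C_i / n^g, with C_i the intercept at n = 1 and g the slope on log-log scale, is reconstructed from the definitions above (the page's own formulas (2)–(4) are not reproduced here). The two limit lines (an upper line with C_i = 10^-3 and a lower line with C_i = 10^-5, both with g = 2) and the accident scenarios are constructed, illustrative values, not the VROM figures. The FN curve is built from a scenario list, evaluated at the binding points of its steps, and classified as unacceptable, ALARA or negligible; running the same scenarios with g = 1 shows how a risk-neutral criterion changes the verdict.

```python
"""Societal risk (FN curve) against a straight-line criterion on log-log scale.

Added example, not the paper's code. Criterion form reconstructed from the
definitions of section 3.2: F(N > n) < C_i / n**g, with C_i the (imaginary)
acceptable frequency at n = 1 and g the slope (1 = risk neutral, 2 = risk averse).
Limit values and accident scenarios below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    frequency: float   # occurrences per year
    fatalities: int    # N, number of people killed in one accident


@dataclass(frozen=True)
class FNLine:
    c_i: float         # acceptable frequency at n = 1 [year^-1]
    g: float           # slope of the line on log-log scale

    def limit(self, n):
        return self.c_i / n ** self.g


def exceedance_frequency(scenarios, n):
    """1 - F_N(n): yearly frequency of accidents with more than n fatalities."""
    return sum(s.frequency for s in scenarios if s.fatalities > n)


def expected_fatalities(scenarios):
    """E(N), the expected number of fatalities per year; this is the quantity
    that links the societal criterion to the economic one (a * E(N))."""
    return sum(s.frequency * s.fatalities for s in scenarios)


def binding_points(scenarios):
    """F(N > n) is a step function that only drops at n = N_i, while the limit
    keeps falling with n, so the tightest check of each step is at n = N_i - 1."""
    return sorted({s.fatalities - 1 for s in scenarios if s.fatalities >= 2} | {1})


def classify(scenarios, upper, lower):
    """Return the verdict and every breach of the upper line.

    'unacceptable': above the upper line somewhere;
    'alara'       : between the lines, risk reduction must be judged economically;
    'negligible'  : below the lower line everywhere.
    """
    verdict = "negligible"
    breaches = []
    for n in binding_points(scenarios):
        f = exceedance_frequency(scenarios, n)
        if f > upper.limit(n):
            verdict = "unacceptable"
            breaches.append((n, f, upper.limit(n)))
        elif f > lower.limit(n) and verdict == "negligible":
            verdict = "alara"
    return verdict, breaches


# Constructed scenario set: a frequent small accident, a rarer medium one and a
# very rare large one (frequencies per year, fatalities per accident).
SCENARIOS = [Scenario(1e-4, 2), Scenario(1e-5, 15), Scenario(1e-7, 120)]
UPPER_AVERSE = FNLine(1e-3, 2)    # assumed upper limit, risk averse (g = 2)
LOWER_AVERSE = FNLine(1e-5, 2)    # assumed lower limit, risk averse (g = 2)
UPPER_NEUTRAL = FNLine(1e-3, 1)   # same intercepts, risk neutral (g = 1)
LOWER_NEUTRAL = FNLine(1e-5, 1)

if __name__ == "__main__":
    for label, up, low in (("g = 2", UPPER_AVERSE, LOWER_AVERSE),
                           ("g = 1", UPPER_NEUTRAL, LOWER_NEUTRAL)):
        verdict, breaches = classify(SCENARIOS, up, low)
        print(label, verdict, [(n, f"{f:.2e} > {lim:.2e}") for n, f, lim in breaches])
    print("E(N) per year:", expected_fatalities(SCENARIOS))
```

With g = 2 the same scenario set is unacceptable at n = 14 and n = 119 (the medium and large accidents), while with g = 1 it only falls into the ALARA band; this is the effect the text describes when it calls the steeper standard risk averse.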

3.3 Economic criteria

According to [Vrouwenvelder et al., 2001], the third acceptance criterion can be schematised as a mathematical-economic decision problem by expressing both the investments and all consequences of the disaster in terms of money (assuming a given period of time).

Besides, it may be expected that a measure with less human risk is more expensive than one with a larger risk. To balance these measures an economic criterion is required: one takes the most economical solution from all alternatives that are allowable from the human safety point of view. Mathematically it comes down to [Vrouwenvelder et al., 2001]:

Minimise:

(5)

In which:
C_tot = total costs;
C_0(y) = the investment in a safety measure;
j = the number of the year;
r = real rate of interest;
C_j = damage cost in year j;
y = decision parameter;
a = monetary value per casualty;
E(N_d | F) = expected number of casualties given a failure; E(N_d) = P_fi · P_d|fi · N_pi and E(N_d | F) = P_d|fi · N_pi;
N_pi = number of participants in activity i;
P_Fj(y) = the probability of failure in year j.

One should realise that P_Fj(y) denotes failure exactly in year j, that is, not in any year before or later. The term C_j includes all costs after failure (also called the material losses): direct damage and the cost of repair, but also future failure costs of the repaired structure (if any).

3.4 Monetary value per casualty

Most decision makers prefer to treat the economic and human safety criteria completely separately. In that case the value of a = 0; this criterion is fully compatible with the approach of a purely economic decision problem. Still, there are some decision makers who compare the advantage of safety measures with the economic investments. Having this in mind, it might be better to assign some amount of money to the event of death or injury. For this purpose the amount for material damage is increased with the monetary value per casualty multiplied by the expected number of deaths (as presented in formula 5). The monetary value per casualty depends on factors such as Willingness To Pay (WTP), Willingness To Accept compensation (WTA), voluntariness, and responsibility [Jones-Lee & Loomes, 1995]. According to the Environmental Protection Agency the value of a citizen in the US is approximately €5,600,000. It may be concluded from [@1] that these values cover a wide range. According to [Vrouwenvelder et al., 2001] a reasonable value seems to be €1,000,000. Another method to determine this value is the so-called Life Quality Index (LQI) (see [Lind, 1994]). The values per casualty are summarised in table 2.
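As an added worked example for sections 3.3 and 3.4 (not code from the paper), the following Python block carries the economic criterion through for a few constructed alternatives. The listed definitions are combined under two assumptions made here, because formula (5) itself is not reproduced on the page: C_tot(y) is the investment plus the discounted sum over the years j of (C_j + a · E(N_d | F)) · P_Fj(y) / (1 + r)^j, and P_Fj(y), the probability of failing exactly in year j, follows from a constant yearly failure probability p as p · (1 − p)^(j−1). The alternatives are first screened on the individual-risk criterion of formula (1) and the cheapest admissible one is chosen; running it with a = 0 and with a = €1,000,000 shows how the monetary value per casualty can change the decision.

```python
"""Economic criterion (section 3.3) with the monetary value per casualty (3.4).

Added example, not the paper's code. The listed definitions are combined here
under two assumptions: C_tot(y) is the investment plus the discounted sum over
years j of (C_j + a * E(N_d|F)) * P_Fj(y) / (1 + r)^j, and P_Fj(y), the probability
of failing exactly in year j, follows from a constant yearly failure probability
p as p * (1 - p)^(j - 1). All numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    investment: float    # C_0(y)
    p_fail: float        # P_fi per year, after the measure is taken
    damage: float        # C_j, material losses given failure (taken constant in j)
    p_death: float       # P_d|fi
    participants: int    # N_pi


def individual_risk(m):
    """IR = P_fi * P_d|fi."""
    return m.p_fail * m.p_death


def admissible(m, beta):
    """Formula (1): P_fi * P_d|fi < beta_i * 10^-4 per year."""
    return individual_risk(m) < beta * 1e-4


def expected_casualties_given_failure(m):
    """E(N_d | F) = P_d|fi * N_pi."""
    return m.p_death * m.participants


def p_fail_exactly_in_year(p, j):
    """Assumed constant hazard: survive j-1 years, then fail in year j."""
    return p * (1.0 - p) ** (j - 1)


def total_cost(m, a, r, horizon):
    """C_tot = C_0(y) + sum_j (C_j + a E(N_d|F)) P_Fj(y) / (1+r)^j (assumed form)."""
    loss_given_failure = m.damage + a * expected_casualties_given_failure(m)
    risk = sum(loss_given_failure * p_fail_exactly_in_year(m.p_fail, j) / (1.0 + r) ** j
               for j in range(1, horizon + 1))
    return m.investment + risk


def choose(measures, a, r, horizon, beta):
    """Cheapest alternative among those allowable on the individual-risk criterion."""
    allowed = [m for m in measures if admissible(m, beta)]
    if not allowed:
        raise ValueError("no alternative satisfies the individual risk criterion")
    return min(allowed, key=lambda m: total_cost(m, a, r, horizon))


# Constructed alternatives for a voluntary activity (beta_i = 1, limit 10^-4 per year)
MEASURES = [
    Measure("none",  0.0,   1e-3, 2e7, 0.5, 500),   # IR 5e-4: not admissible
    Measure("light", 1.0e6, 1e-4, 2e7, 0.5, 500),   # IR 5e-5
    Measure("heavy", 1.5e6, 1e-6, 2e7, 0.5, 500),   # IR 5e-7
]
RATE, HORIZON, BETA = 0.04, 50, 1.0

if __name__ == "__main__":
    for a in (0.0, 1.0e6):   # a = 0: human safety kept separate; a = 1e6: see table 2
        best = choose(MEASURES, a, RATE, HORIZON, BETA)
        print(f"a = {a:.0e}: choose '{best.name}' "
              f"(C_tot = {total_cost(best, a, RATE, HORIZON):,.0f})")
```

With a = 0 the "light" measure is cheapest over 50 years; once each casualty is valued at €1,000,000 the "heavy" measure becomes the economical choice, because the 250 expected casualties per failure now dominate the material damage.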

4 THE SAFETY-INDEX

4.1 Introduction

Table 2. Investments in risk reduction, per nominal life saved [University of East Anglia, 1998].

Theoretical evaluations                            Value for a [per person]
Human capital calculations                         300,000
Willingness to pay (hypothetical)                  1,600,000
Road safety (UK, 1987)                             500,000
Cost of medical procedures for comparison (real)   2,000–300,000

According to [Boudier et al., 1985], most decision makers prefer to present the risk results on a dimensionless scale. Therefore [Boudier et al., 1985] used a logarithmic scale for presenting the individual risk dimensionless. This logarithmic scale is used in medical science and insurance policies [Boudier et al., 1985]. In this scale the unikohort is defined as the negative logarithm of the individual risk for a period of 1 year:

(6)

In which:
U = unikohort.

Note that this formula does not contain a correction factor for risk acceptance. In order to integrate the factor for risk acceptance we can analyse the individual risk. Considering the acceptable level for individual risk, one may remark that an improvement in the level of safety becomes noticeable when the risk decreases by a factor ten [Suddle, 2002]; similarly, an increase of the risk by a factor ten is a remarkable worsening. The factor ten suggests a logarithmic scale with base 10. Obviously, societal risk is already displayed on a (double) logarithmic scale. Individual risk, as mentioned earlier in this paper, can be determined by risk analysis and subsequently checked against the risk acceptance criteria. Writing formula (1) in another configuration gives:

(7)

In which:
IR = the individual risk (as mentioned before).

Formula (7) can be written as:

(8)

Though the check in formula (8) is dimensionless, it merely presents the ratio of the individual risk and the risk acceptance criterion, which is hardly informative. This check becomes rather attractive if it is done on a (negative) logarithmic scale. By considering the usual definition of risk, a possible standard or scale for safety in terms of individual risk can be given by:

(9)

In which:
S = the safety-index (Dutch: Veiligheidsmaat, see [Suddle, 2002]) [-].

This introduces a new definition for the individual risk: the safety-index. In formula (9), the reference level for acceptable safety is the level that (just) complies with the acceptability of individual risk. Eliminating the minus before the logarithm gives the following:

(10)

The result of the safety-index S is a single number. In fact, a distinction can be made between the three following situations:

1. S < 0: The computed safety/risk does not comply with the level of risk acceptance. The more the risk exceeds the norm (β_i · 10^-4), the smaller the safety-index and the more unsafe the activity. (A decrease of the safety-index by one means that the risk increases by one level, i.e. a factor ten);

2. S = 0: The computed safety/risk (just) complies with the level of risk acceptance;

3. S > 0: The computed safety/risk complies largely with the level of risk acceptance. (An increase of the safety-index by one means that the risk decreases by one level).

It can be assumed that one strives for situations 2 and 3, thus S ≥ 0. Combined with formula 10, this results in the norm for safety in terms of individual risk:

(11)

For decision makers it is attractive to present safety results in terms of individual risk; formula (11) can be used rather than formula (1). Note that different safety-indices cannot be summed. If one wants to present combined risk results on a dimensionless scale, one has to sum the different individual risks first and then take the logarithm.

The value of the safety-index depends on the individual risk and on β_i. Table 3 and the diagram in figure 3 represent the relation between the safety-index and the individual risk for different values of β_i. This model enables safety in terms of individual risk to be quantified and checked directly against the limits of risk acceptance for individual risk. This instrument provides an effective tool for determining the effect of safety measures on the safety(-index) if the design limit is based upon the individual risk.

Figure 3. Safety-index versus individual risk for different values of β_i.

Furthermore, the following limit applies:

(12)

In other words: if there is no risk, the safety(-index) approaches infinity.

4.2 Unikohort and the safety-index

If the unikohort is compared to the safety-index, there is no correction factor for acceptance of risk taken into account. In order to deduce the safety-index from the unikohort, the risk acceptance factor must be integrated into the unikohort. The correction factor for acceptance of risk can be given by:

(13)

In which:
A = correction factor for acceptance of risk.

In order to compute an index for individual safety including the acceptability, one can combine the unikohort and the correction factor for acceptance of risk:

(14)

(15)

(16)

(17)

This formula is exactly the same as formula (10).

4.3 Example

Formulas (10) and (11) provide an effective tool, particularly for decision makers, which is illustrated in the following example, in which the individual risk and the safety-index are computed and compared for local residents near infrastructure and for car drivers on the infrastructure. Suppose the situation of table 4, in which an accident occurs on the infrastructure with a probability of 10^-5 [year^-1]:

The safety-index S for this example can be computed with formula (10), which gives for local residents near the infrastructure:

(10a)

The safety-index S for car drivers on the infrastructure is:

(10b)

The result of the safety-index S is a single number, which is respectively −1 and 1 for local residents near the infrastructure and for car drivers on the infrastructure. Though the individual risk IR for local residents near the infrastructure and for car drivers is almost the same (10^-5 year^-1), the safety-index S has a different value for both. This comes down to the fact that the safety (in terms of individual risk) for local residents near the infrastructure is insufficient, because the limit for acceptance of risk is exceeded. Accordingly, people present in the neighbourhood of the infrastructure, especially within the 10^-5 risk contour, will accept less risk than the car drivers.

Table 3. Safety-index versus individual risk for different values of β_i.

Table 4. Different approach for local residents near the infrastructure and car drivers on the infrastructure.

            Local residents near infrastructure   Car drivers on the infrastructure
P_fi        10^-5 [year^-1]                       10^-5 [year^-1]
P_d|fi      0.99 [-]                              1 [-]
β_i         0.01 (involuntary activity)           1 (voluntary activity)
IR          9.9·10^-6 ≈ 10^-5 [year^-1]           10^-5 [year^-1]
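The following Python block is an added worked example for sections 3.1, 4.1, 4.2 and 4.3 together; it is not code from the paper. It implements the quantities as the text defines them: IR = P_fi · P_d|fi (formula 7), the acceptance level β_i · 10^-4 (formula 1), the unikohort U = −log10(IR) (formula 6), the safety-index as the base-10 logarithm of the ratio between acceptance level and IR (formulas 9 and 10) and the norm S ≥ 0 (formula 11). The correction factor A = log10(β_i · 10^-4) is the form under which S = U + A agrees with formula (10); the page does not spell it out, so it is reconstructed here. The block reproduces table 4, shows that one level of safety-index equals a factor ten in risk, handles the IR = 0 limit of formula (12), and shows why indices must not be summed.

```python
"""Safety-index for individual risk (sections 3.1, 4.1-4.3).

Added example, not the paper's code. Formulas follow the text: IR = P_fi * P_d|fi,
acceptance level beta_i * 10^-4, unikohort U = -log10(IR), safety-index
S = log10(beta_i * 10^-4 / IR), norm S >= 0. The correction factor
A = log10(beta_i * 10^-4) is reconstructed so that S = U + A matches formula (10).
"""
import math

YOUNG_PERSON_DEATH_RATE = 1e-4   # statistical probability of dying per year [year^-1]


def individual_risk(p_fail, p_death):
    """IR = P_fi * P_d|fi [year^-1]."""
    return p_fail * p_death


def acceptable_ir(beta):
    """beta_i * 10^-4: 0.01 for imposed risk without benefit, up to 100 for free choice."""
    return beta * YOUNG_PERSON_DEATH_RATE


def unikohort(ir):
    """U = -log10(IR), without any correction for risk acceptance."""
    return math.inf if ir == 0 else -math.log10(ir)


def acceptance_correction(beta):
    """A = log10(beta_i * 10^-4), so that S = U + A (reconstructed, section 4.2)."""
    return math.log10(acceptable_ir(beta))


def safety_index(ir, beta):
    """S = log10(beta_i * 10^-4 / IR); S -> infinity as IR -> 0 (formula 12)."""
    if ir < 0:
        raise ValueError("individual risk cannot be negative")
    return math.inf if ir == 0 else math.log10(acceptable_ir(beta) / ir)


def complies(ir, beta):
    """Norm (11): S >= 0, i.e. IR <= beta_i * 10^-4."""
    return safety_index(ir, beta) >= 0


def verdict(s):
    """The three situations of section 4.1."""
    if s < 0:
        return "does not comply"
    return "just complies" if s == 0 else "complies largely"


def combined_safety_index(risks, beta):
    """Safety-indices are not additive: sum the individual risks, then take the log."""
    return safety_index(sum(risks), beta)


def table4():
    """The worked example of section 4.3 (table 4): residents versus car drivers."""
    residents = individual_risk(1e-5, 0.99)   # beta_i = 0.01, involuntary
    drivers = individual_risk(1e-5, 1.0)      # beta_i = 1, voluntary
    return {
        "residents": (residents, safety_index(residents, 0.01)),
        "drivers": (drivers, safety_index(drivers, 1.0)),
    }


if __name__ == "__main__":
    for who, (ir, s) in table4().items():
        print(f"{who:10s} IR = {ir:.2e} /year  S = {s:+.2f}  ({verdict(s)})")
    # the same check done the unikohort way (section 4.2)
    print("U + A for drivers:", unikohort(1e-5) + acceptance_correction(1.0))
```

Two risks of 10^-5 per year with β_i = 1 give a combined index of log10(5) ≈ 0.7, not 1 + 1 = 2; that is the non-additivity the text warns about.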

The safety in terms of individual risk can be illustrated by connecting the points with the same safety-index, which yields an iso-safety contour, related both to the individual risk and to the acceptance of risk. Figure 4 visualises the idea of individual risk contours and safety contours. In this figure the policy factor β_i is given, which represents the risk acceptance as mentioned in table 1.

It can be noted that just outside the boundary of the infrastructure the safety-index is below zero (S < 0). Furthermore, it can be seen that a decrease of the individual risk results in an increase of the safety(-index).

5 CONCLUSIONS

This paper contributes to the transparency of the risk acceptance criteria. To that end, the interrelation between the three main risk acceptance criteria, which can be divided into individual risk, risk on a social basis and the economic criterion, is described. It may be concluded that the new approach for the individual risk criterion on a logarithmic scale, namely the safety-index, is handy for policy makers and therefore effective in risk communication. Thus, this logarithmic approach for the individual risk criterion, partly adapted from medical science and insurance policies, can be applied in civil engineering to present risk results on a dimensionless scale.

Figure 4. Individual risk contours (left) and safety contours (right).

LITERATURE

Ale, B.J.M., Risk assessment practices in The Netherlands, Safety Science, Volume 40, Issues 1–4, February–June 2002, pp. 105–126.

Bedford, T., Cooke, R.M., Probabilistic Risk Analysis: Foundations and methods, Cambridge University Press, 2001.

Boudier, H.S., Heilmann, K., Urquhart, J., Risiko's meten: een antwoord op de angst voor een technologische kultuur, Baarn, In den Toren, 1985, 167 pp.

Jones-Lee, M.W. & Loomes, G., Scale and Context Effects in the Valuation of Transport Safety, Journal of Risk and Uncertainty, 1995, pp. 183–203.

Jonkman, S.N., van Gelder, P., Vrijling, H., An overview of quantitative risk measures and their application for calculation of flood risk, ESREL 2002, Volume 1, pp. 311–318.

Lind, N.C., Target reliability levels from social indicators, Structural Safety and Reliability, Scheuller, Shinozuka and Yao (eds), Balkema, Rotterdam, 1994.

Suddle, S.I., Beoordeling veiligheid bij Meervoudig Ruimtegebruik, Cement, Volume 54, no. 1/2002, February 2002, pp. 73–78.

Suddle, S.I., Th. S. de Wilde, B.J.M. Ale, The 3rd dimension of risk contours in multiple use of space, Proceedings of Congress ESREDA 2002, Editor: C.A. Brebbia, Delft (The Netherlands), November 2002, pp. …–….

Vrijling, J.K., and van Gelder, P.H.A.J.M., 1997, Societal risk and the concept of risk aversion, Advances in Safety and Reliability, Vol. 1, pp. 45–52.

Vrijling, J.K., van Hengel, W., Houben, R.J., Acceptable risk as a basis for design, Reliability Engineering and System Safety, Volume 59, 1998, pp. 141–150.

Vrijling, J.K., Vrouwenvelder, A.C.W.M. et al., Kansen in de civiele techniek, Deel 1: Probabilistisch ontwerpen in de theorie, CUR-rapport 190, CUR, Gouda, March 1997.

Vrouwenvelder, A.C.W.M., Risk Assessment and Risk Communication in Civil Engineering, CIB Report, Publication 59, February 2001.

http://www.fem.nl/story.asp?artikelid=588.


Reduced vertical separation minimum (RVSM): pre- and post-implementation safety cases

Bernd Tiemeyer
EUROCONTROL/Directorate Safety, Airspace, Airports and Information Services/Safety Management, Brussels, Belgium

ABSTRACT: On 24 January 2002, the introduction of a Reduced Vertical Separation Minimum (RVSM) in the EUR RVSM Airspace provided six additional flight levels between 29,000 ft and 41,000 ft inclusive. This has been achieved by reducing the vertical separation minimum between aircraft from 2,000 ft to 1,000 ft. The EUR RVSM Programme, managed by EUROCONTROL on behalf of the participating States, has been implemented simultaneously in the airspace of 41 European and North African countries and was the biggest change in Europe's airspace for 50 years. This paper outlines the different elements of the Pre-Implementation and Post-Implementation Safety Cases, such as the derivation of the requirements, the regulatory process and how Collision Risk Assessment, Functional Hazard Assessment and National Safety Planning combined provide a conclusive argument that the concept of RVSM and its implementation are safe before and remain safe after introduction.

1 INTRODUCTION

On 24 January 2002, the introduction of a Reduced Vertical Separation Minimum (RVSM) in the EUR RVSM Airspace provided six additional flight levels between 29,000 ft (FL290) and 41,000 ft (FL410) inclusive (Figure 1). This has been achieved by reducing the vertical separation minimum between aircraft from 2,000 ft to 1,000 ft. The RVSM Programme, managed by EUROCONTROL on behalf of the participating States, has been implemented simultaneously in the airspace of 41 European and North African countries and was the biggest change in Europe's airspace for 50 years (Figure 2).

As required in other regions, EUR RVSM had to demonstrate to the international aviation community that the Target Level of Safety (TLS) set out by ICAO for the vertical collision risk would not be exceeded in the European RVSM Airspace.

However, during the initiation of the EUR RVSM Programme it was felt that demonstrating the achievement of this criterion would be viewed as necessary but not sufficient for the EUR RVSM airspace. At that stage the decision was taken to develop the EUR RVSM Safety Policy in coordination with the EUROCONTROL Safety Regulation Commission (SRC), in order to establish the basis for the safety assurance of the RVSM Concept and its safe implementation in the EUR RVSM Airspace and, in particular, for demonstrating compliance with the ATM 2000+ Strategy [3].

Figure 1. Flight level orientation scheme.

To ensure that all safety conditions would be met, EUROCONTROL set up a dedicated safety assurance programme. One key deliverable was the EUR RVSM "Pre-Implementation Safety Case" (PISC) [1], which was finalised in August 2001 and approved by the SRC in September 2001, paving the way for the "Go" decision of the EUROCONTROL Provisional Council (PC) to implement RVSM on time. This paper explains the different aspects of the Safety Case, such as the Functional Hazard Assessment, the Collision Risk Modelling and the National Safety Planning, and how these elements were developed into a conclusive argument providing the evidence that the concept of RVSM and its implementation are safe. The second deliverable of the EUR RVSM Programme is the "Post-Implementation Safety Case" (POSC), which looks into the initial months of RVSM operations and contains the evidence that RVSM was safely implemented and that RVSM operations are safe and continue to be safe.

2 PRE-IMPLEMENTATION SAFETY CASE

The assurance of flight safety is paramount in the EUR RVSM Programme. All elements of the Programme are related to safety management in one way or another. Given the importance of the safety aspects, a separate safety assurance programme undertook activities to ensure that RVSM meets its safety objectives, and that this is demonstrated satisfactorily, covering the following three main aspects:

• The preparedness of the (41) EUR RVSM participating States,

• The preparedness of the aircraft operators, and

• The acceptability of the EUR RVSM Pre-Implementation Safety Case.

Figure 2. EUR RVSM airspace.

In order to address these aspects, Safety Objectives, as described in the next section, were set to be achieved through the Safety Case development.

2.1 Safety objectives

The Safety Policy for RVSM implementation was established to meet the requirements of ICAO Standards and Recommended Practices and Guidance Material on managing collision risk and to be fully compliant with the EATMP Safety Policy [2] and the ATM 2000+ Strategy [3].

The RVSM Safety Policy is described in [4], where the following statements define the main Safety Objectives for the RVSM Programme:

i. The RVSM Programme shall conduct a full Functional Hazard Analysis looking at the whole system, including air and ground segments and the proposed operational concept.

ii. The RVSM Programme shall, as its principal safety objective, minimise the programme's contribution to the risk of an aircraft accident. The RVSM Programme recognises the Safety Objectives of the ATM 2000+ Strategy [3], in particular the general objective to improve safety levels by ensuring that the number of ATM-induced accidents and serious or risk-bearing incidents does not increase and, where possible, decreases. Therefore, the implementation of RVSM shall not adversely affect the risk of en-route mid-air collision.

iii. In accordance with ICAO Guidance Material [5], the management of vertical collision risk within RVSM airspace shall meet the Target Level of Safety of 5 × 10^-9 fatal accidents per flight hour.

iv. In accordance with ICAO Guidance Material [5], the risk of mid-air collision in the vertical dimension within RVSM airspace, due to technical height-keeping performance, shall meet a Target Level of Safety of 2.5 × 10^-9 fatal accidents per flight hour.

v. Guidance shall be given to the States to explain the necessary activities to provide evidence about the safe implementation of RVSM on the national level and subsequently assure the preparedness of the States.

2.2 Safety argument

The PISC demonstrates that the Safety Objectives have been met by means of the following principal safety arguments:

i. That a set of Safety Requirements has been specified for RVSM that fully addresses all the functionality, performance and reliability requirements necessary to ensure that the safety risks under RVSM will be tolerable and that, where possible, risk has been reduced to a level as low as reasonably practicable.

ii. That the RVSM Concept developed by EUROCONTROL for the European region has the potential to fully satisfy the RVSM Safety Requirements.

iii. That the implementation of the RVSM Concept by the individual participating States will fully satisfy the RVSM Safety Requirements.

iv. That the switch-over from the current vertical separation minimum of 2000 ft (600 m) to the RVSM value of 1000 ft (300 m) will not adversely affect the safety of the on-going air traffic operations.

The above safety arguments are based on the assumption that the pre-RVSM levels of safety risk experienced in European airspace between FL 290 and 410 are accepted as tolerable.

Each of the above arguments is further developed in the relevant sections of the PISC, together with evidence showing that all the arguments are valid.

Goal Structuring Notation (GSN) is used to illustrate the detailed argument structure graphically. The arguments are decomposed to a level at which clear evidence of the validity of the argument can be provided. This decomposition proceeds along two lines: direct arguments and evidence that the higher-level arguments are true, and backing arguments and evidence that the direct evidence is trustworthy.

2.2.1 Safety requirements determination

The overall, high-level safety requirements, which describe the function, performance and reliability required of RVSM, are determined as follows:

RVSM1 – Provide safe vertical separation of aircraftby assigning aircraft to different flight lev-els (as in RVSM 4 below).

RVSM2 – Provide safe transition to and from non-RVSM (feet and metric systems) flight levels within the defined transition airspace.

RVSM3 – Prevent non-approved civil aircraft from entering RVSM airspace.

RVSM4 – Nominal separation of flight levels shall be:
a) 1000 ft between RVSM approved aircraft;
b) 2000 ft between:
i. non-RVSM approved State aircraft and any other aircraft operating within the EUR RVSM airspace;
ii. all formation flights of State aircraft and any other aircraft operating within the EUR RVSM airspace;
iii. non-RVSM approved aircraft and any other aircraft operating within the defined RVSM transition airspace.

RVSM5 – The accuracy of the aircraft (technical) height-keeping performance (i.e. the performance bounded by the requirements of the MASPS) shall be sufficient to ensure that the risk of mid-air collision in the vertical dimension, in RVSM airspace, shall meet a Target Level of Safety of 2.5 × 10⁻⁹ fatal accidents per flight hour.

RVSM6 – Provide facilities for safe operation under abnormal conditions, e.g. aircraft on-board emergencies.

RVSM7 – The probability of any system failure leading to a mid-air collision shall be sufficiently low to ensure that the overall risk of mid-air collision due to the loss of vertical separation, from all causes, is within the TLS of 5 × 10⁻⁹ fatal accidents per flight hour.

RVSM8 – The system shall be sufficiently reliable to ensure that the number of ATM-induced accidents and serious or risk-bearing incidents, under RVSM, shall not increase from current (pre-RVSM) levels and shall, where possible, decrease.

RVSM9 – The performance and reliability of the system shall not deteriorate in service.

Although there are no explicit RVSM safety requirements associated with capacity, in order that the benefits of RVSM are realised, the introduction of RVSM shall not prevent the capacity goals of the ATM 2000+ Strategy from being achieved.

In the absence of any established precedent, the general approach employed in the PISC for deriving the RVSM high-level safety requirements was based on the approach used in the international functional safety standard IEC 61508, Part 1 [6]. This standard addresses those aspects to be considered when electrical/electronic/programmable electronic systems are used to carry out safety functions.

In order to ensure that all aspects of the behaviour of Vertical Separation have been considered, a set of behavioural attributes derived from those specified in UK CAA document CAP 670 – ATS Safety Requirements [7] – was used. The list of attributes is more comprehensive than those implied in IEC 61508 and therefore more likely to yield a complete set of safety requirements. The PISC contains in one of its Annexes a table which shows how the high-level safety requirements relate to these attributes.

A comparison of the high-level safety requirements with the relevant RVSM Safety Objectives specified above shows that all key objectives have been captured in the high-level safety requirements.

Therefore, on the basis that the method of achieving Vertical Separation has not changed, that the current ATS is “safe” and that the key safety objectives for RVSM have been fully addressed, the PISC concludes that the high-level safety requirements for RVSM are sufficient as specified.

Subsequently, these high-level safety requirements have been decomposed and allocated to the RVSM system comprising the following elements:

i. Airspace Design;
ii. Flight Crew Procedures;
iii. Flight Crew Training;
iv. Aircraft Equipment;
v. ATC Procedures;
vi. ATC Training;
vii. ATC Equipment;
viii. System Monitoring.

A further table in the PISC contains the mapping between the RVSM high-level safety requirements and the safety requirements for each system element. It should be noted that it is not possible to allocate high-level Safety Requirements RVSM7 and RVSM8 to specific system elements; therefore, they are retained as system-level safety requirements and argued as such in the PISC.

A detailed Functional Hazard Assessment (FHA) was conducted to provide assurance that all hazards and risks associated with RVSM were identified. The FHA addressed three separate scenarios:

i. the situation whereby RVSM has been operational for one year, is fully operational and all introductory problems have been resolved;

ii. the particular situation in States which have to ensure the transition between RVSM and non-RVSM airspace; and

iii. the Switch-Over on the day of RVSM introduction.

A complete list of hazards identified in the FHA is presented in the respective Hazard Logs. The subsequent analysis indicated that some of these hazards are safety-significant in the context of the introduction of RVSM, i.e. either the hazard is new or the level of risk is potentially higher than that already present in the ATM system.

For each of the safety-significant hazards, a safety integrity requirement is derived, which is allocated to the appropriate elements of the system, together with an indication of what (if any) mitigation is available to reduce the effect, and/or probability of occurrence, of the hazard concerned.

Where mitigation is available, an explicit functional safety requirement was derived for the relevant system element(s), in order to specify clearly the mitigation required. Where mitigation is not available, the safety integrity requirement from the FHA is allocated to the relevant system element(s), in order to limit the risk to a tolerable level.

The PISC concludes at this stage that a sufficient set of high-level safety requirements has been specified for RVSM, and has been completely and correctly allocated to the appropriate elements of the RVSM system. Safety requirements have also been specified and allocated to the system elements, for each hazard identified in the FHA, sufficient to control and/or mitigate the hazard.

2.2.2 RVSM concept

This section of the PISC sets out the argument and evidence that the RVSM Concept satisfies the RVSM high-level safety requirements. For each of the system elements the relevant safety requirements are listed and the approach by which their achievement is demonstrated is defined. Subsequently, direct and backing evidence is presented or referred to in order to demonstrate that the argument is true.

This part of the PISC also presents the results of the Collision Risk Assessment (CRA) to demonstrate that the high-level safety requirements which are directly related to ICAO requirements are satisfied.

2.2.3 RVSM implementation

This section of the PISC provides the argument and evidence that the Implementation of the RVSM Concept will fully satisfy the relevant safety requirements.

It is the States’ ultimate responsibility to implement RVSM. To this end all participating States have prepared Safety Plans for the implementation of RVSM within their national airspace. These Safety Plans show how the respective State responsibility is discharged, what activities the State is undertaking to assure the safety of the changes it is making in order to implement RVSM, and how risks to aircraft are identified and managed.

EUROCONTROL’s role was to provide guidance, co-ordination and support to the participating States and other parties in their preparation for the implementation of RVSM and to demonstrate that the safety requirements identified in the PISC are traceable from Concept through to Implementation.

EUROCONTROL also provided independent verification and validation for the implementation of RVSM by monitoring the overall performance in terms of altitude deviations. In addition, information on aircraft approval status is obtained from the States to verify the RVSM approval status within the filed flight plans, and information on the actual number of RVSM approved aircraft, which was a key parameter in the “Go”-decision process.

Again, this section of the PISC provides the argument and evidence to satisfy the RVSM high-level safety arguments associated with RVSM Implementation.

A further section of the PISC demonstrates that the Switch-Over from the pre-RVSM separation minimum of 2000 ft to the RVSM value of 1000 ft will not adversely affect the safety of the on-going air traffic operations.

2.3 PISC conclusions

Based on the conclusions drawn in its different sections, the PISC concludes that the application of the ICAO RVSM Concept in the European Region and the Implementation of RVSM by the participating States can be considered as tolerably safe and satisfies the criteria defined in the EUR RVSM Safety Policy [4].

2.4 SRC review

The interface with the EUROCONTROL Safety Regulation Commission (SRC) was established early in the development process of the PISC through the EUROCONTROL Safety Regulation Unit (SRU). The SRC set up on their behalf an expert group, the SRC RVSM Group (SRVG), to review intermediately delivered safety documentation. Guidance was given to the EUR RVSM Programme until the mature PISC [1] was delivered in August 2001. The positive outcome of the regulatory review formed the basis for the SRC’s recommendation to the EUROCONTROL Provisional Council (PC) for their “Go”-decision to implement RVSM on time.

3 POST-IMPLEMENTATION SAFETY CASE

Reduced Vertical Separation Minimum (RVSM) was introduced into European airspace at 0001 hrs UTC on 24 January 2002, reducing the vertical separation between RVSM-approved aircraft from 2000 ft to 1000 ft for aircraft operating at/between Flight Levels 290 and 410 inclusive.

The Switch-Over to RVSM was executed extremely smoothly, and since then there have been no major problems (either safety or operational) related to RVSM.

3.1 Safety objectives and argument

The Post-Implementation Safety Case (POSC) follows on from the Pre-Implementation Safety Case (PISC) to demonstrate that the key safety objectives set out in the EUR RVSM Safety Policy [4] are actually met in operational service, and addresses any matters that were outstanding when the last version of the PISC [1] was issued.

The POSC demonstrates that this aim has been achieved, by means of the following principal safety arguments:

i. That the vertical collision risk, i.e. the risk of mid-air collision in the vertical dimension, in RVSM airspace meets the ICAO overall Target Level of Safety (TLS) of 5 × 10⁻⁹ fatal accidents per flight hour.

ii. That the vertical collision risk in RVSM airspace due solely to technical height-keeping performance meets the ICAO TLS of 2.5 × 10⁻⁹ fatal accidents per flight hour.

iii. That the implementation of RVSM has not adversely affected the overall risk of en-route mid-air collision.

iv. That all issues that were active when Version 2.0 of the PISC was issued, including validation of the assumptions made therein, have been addressed satisfactorily.

Each of the above arguments is developed in the relevant section of the POSC and evidence is presented that all arguments are valid.

The layout of the POSC follows that of the earlier PISC. In order to address the first two safety objectives a post-implementation Collision Risk Assessment is carried out to demonstrate that the ICAO Target Level of Safety is achieved. The third safety objective is addressed by re-conducting the pre-implementation FHA to review the hazards identified earlier, validate their relevance and identify whether operational experience indicates the existence of new hazards. This FHA review also included elements of a Preliminary System Safety Assessment (PSSA) [8].

3.2 Lessons learnt

A number of lessons were learnt with regard to how to conduct such an FHA with operational experts and how to present the results. Whereas 73 hazards were identified during the pre-implementation FHA, it became clear that most of them could be considered as causes giving rise to higher-level hazards. Therefore, an RVSM system model was developed (see Figure 3), which defines one overall hazard at the system boundary and nine hazards at sub-system level (Table 1).

The terminology regarding “causes”, “hazards” and “consequences” was clarified and led, together with Fault- and Event-Tree Analyses (FTA/ETA), to the “Bow-Tie” model in Figure 4.

The two main objectives of the FHA/PSSA session were:

i. To identify, and estimate the probability of occurrence of, the possible causes of each RVSM hazard, taking account of the available mitigations to reduce the probability of occurrence;

ii. To assess the severity of the consequences of each hazard, taking account of the available mitigations.

Figure 3. RVSM system and sub-system hazards. [Diagram: the RVSM system model with sub-systems Airspace Structure, Aircraft Height Keeping (Flight Crew, Autopilot, Altimetry, Height Indication, Meteorological conditions), ATC (ATC Ops, ATC Equipment), RVSM Status Notification (Flight Plan, Flight Crew, RVSM approval status), TCAS, Wake Vortex and A/c capability; the sub-system hazards Hz 1 to Hz 9 of Table 1 feed the single system-boundary hazard “A/c at wrong level / route”.]

Table 1. RVSM sub-system hazards.

Hz 1  Non-RVSM approved aircraft is indicated as RVSM approved
Hz 2  RVSM approved aircraft cannot indicate loss of RVSM capability to ATC
Hz 3  Airspace structure is wrong
Hz 4  Aircraft is assigned inappropriate level
Hz 5  No clearances/instructions are given to pilot from ATC
Hz 6  Undetectable altimetry system error
Hz 7  Loss of, or detectable error in, altimetry information
Hz 8  “Pilot” deviates from cleared level
Hz 9  Aircraft is unable to maintain cleared level


The outcome of this session with operational experts was subsequently analysed to construct “Bow-Ties” for each sub-system hazard. This allowed, for the first time, quantitative results describing the aggregate risk from all hazards to be obtained and compared to the ICAO TLS.
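To make concrete how the two objectives of the FHA/PSSA session feed a quantitative bow-tie, the following is an added example, not the POSC's own calculation, and it uses constructed illustrative figures rather than the POSC's data: the cause frequencies are combined with the probability that their mitigations fail to give the hazard frequency (the fault-tree side, using the rare-event sum), an event tree of protective barriers gives the probability that the hazard escalates to a collision, and the per-hazard accident frequencies are summed and compared with the TLS of 5 × 10⁻⁹ fatal accidents per flight hour. Independence of the barriers, mutual exclusivity of the hazards and the rare-event approximation are assumptions of the example, and the hazard names are taken from Table 1 only as labels.

```python
"""Bow-tie quantification for RVSM sub-system hazards.

Added example with constructed figures; these are not the POSC's numbers.
Frequencies are per flight hour, probabilities are dimensionless.
"""
from dataclasses import dataclass, field
from typing import List

TLS_OVERALL = 5e-9   # ICAO TLS, fatal accidents per flight hour (RVSM7, POSC argument i)


@dataclass
class Cause:
    name: str
    frequency: float            # occurrences per flight hour before mitigation
    mitigation_failure: float   # P(the mitigation of this cause fails); 1.0 = no mitigation


@dataclass
class Barrier:
    name: str
    failure: float              # P(barrier fails to stop the hazard escalating)


@dataclass
class BowTie:
    hazard: str
    causes: List[Cause] = field(default_factory=list)
    barriers: List[Barrier] = field(default_factory=list)

    def hazard_frequency(self):
        """Fault-tree side: OR of the mitigated cause frequencies.

        The rare-event approximation (a plain sum) only holds while each term
        is small, so a large term is rejected rather than silently summed.
        """
        terms = [c.frequency * c.mitigation_failure for c in self.causes]
        if any(t >= 0.1 for t in terms):
            raise ValueError(f"{self.hazard}: rare-event approximation not valid")
        return sum(terms)

    def escalation_probability(self):
        """Event-tree side: the accident branch is the one on which every barrier fails.

        Barriers are assumed independent; a common-cause failure would need its own branch.
        """
        p = 1.0
        for b in self.barriers:
            if not 0.0 <= b.failure <= 1.0:
                raise ValueError(f"{b.name}: failure probability out of range")
            p *= b.failure
        return p

    def accident_frequency(self):
        return self.hazard_frequency() * self.escalation_probability()


def aggregate_risk(bow_ties):
    """Total accident frequency from all hazards, assumed mutually exclusive."""
    return sum(bt.accident_frequency() for bt in bow_ties)


def meets_tls(bow_ties, tls=TLS_OVERALL):
    return aggregate_risk(bow_ties) <= tls


# Constructed bow-ties for two of the Table 1 hazards (illustrative values only).
SAMPLE_BOW_TIES = [
    BowTie(
        hazard="Hz 8: 'Pilot' deviates from cleared level",
        causes=[Cause("level bust after mis-heard clearance", 1e-4, 0.1),
                Cause("autopilot altitude mis-set", 5e-5, 0.2)],
        barriers=[Barrier("other aircraft present at the adjacent level", 0.01),
                  Barrier("ATC detects the deviation and intervenes", 0.1),
                  Barrier("TCAS resolution advisory followed", 0.05)],
    ),
    BowTie(
        hazard="Hz 6: undetectable altimetry system error",
        causes=[Cause("altimetry error outside MASPS tolerance, undetected", 2e-6, 1.0)],
        barriers=[Barrier("other aircraft present at the adjacent level", 0.01),
                  Barrier("ATC detects the deviation and intervenes", 0.1)],
    ),
]


def risk_report(bow_ties=SAMPLE_BOW_TIES, tls=TLS_OVERALL):
    """Per-hazard contributions, dominant hazard first, plus the TLS comparison."""
    rows = sorted(((bt.hazard, bt.accident_frequency()) for bt in bow_ties),
                  key=lambda r: r[1], reverse=True)
    return {"per_hazard": rows,
            "aggregate": aggregate_risk(bow_ties),
            "meets_tls": meets_tls(bow_ties, tls)}


if __name__ == "__main__":
    rep = risk_report()
    for hazard, f in rep["per_hazard"]:
        print(f"{f:.2e}  {hazard}")
    print(f"aggregate {rep['aggregate']:.2e} per flight hour; meets TLS: {rep['meets_tls']}")
```

With these figures the undetectable altimetry error dominates the aggregate even though it is a hundred times rarer as a cause, because no mitigation acts on the cause side and one fewer barrier acts on the consequence side; that is exactly the kind of "cause or mitigation with the highest bearing on the aggregated risk" the POSC set out to identify.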

3.3 POSC conclusions

The POSC delivers a conclusive argument and evidence that the key safety objectives set out in the EUR RVSM Safety Policy [4] are met in operational service.

The outcome of the FHA/PSSA showed reasonable consistency with the pre-implementation results and identifies those causes and mitigations which have the highest bearing on the aggregated risk.

4 CONCLUSIONS

The RVSM Pre-Implementation Safety Case was the first of its scale to have been developed by the EUROCONTROL Agency for one of its Programmes. It established the precedent for a constructive review process with the EUROCONTROL Safety Regulation Commission and provided the basis for the “Go”-decision taken by the EUROCONTROL Provisional Council prior to the implementation of RVSM in 41 participating States.

The RVSM Post-Implementation Safety Case was developed several months after the successful implementation of RVSM in Europe. It built on numerous lessons learned during the earlier PISC development and concludes that RVSM was safely implemented and that RVSM operations are safe and continue to be safe.

The experience gained during the development of both RVSM Safety Cases, together with input from other areas within the EUROCONTROL Agency, is now providing the building blocks for a Guidelines Document, which will describe how future Safety Cases should be developed for different EUROCONTROL activities.

ABBREVIATIONS

A/C    Aircraft
ATC    Air Traffic Control
ATM    Air Traffic Management
ATS    Air Traffic Service
CRA    Collision Risk Assessment
EATMP  European ATM Programme
ETA    Event-Tree Analysis
EUR    European
FHA    Functional Hazard Assessment
FL     Flight Level
FTA    Fault-Tree Analysis
GSN    Goal Structuring Notation
Hz     Hazard
ICAO   International Civil Aviation Organisation
MASPS  Minimum Aircraft System Performance Specification
PC     Provisional Council
PISC   Pre-Implementation Safety Case
POSC   Post-Implementation Safety Case
PSSA   Preliminary System Safety Assessment
RVSM   Reduced Vertical Separation Minimum
SRC    Safety Regulation Commission
TCAS   Traffic Alert and Collision Avoidance System
TLS    Target Level of Safety

ACKNOWLEDGEMENTS

The author would like to highlight the important contribution of Derek Fowler during the independent PISC review (with CSE International Ltd.) and during the development of the POSC (with Praxis Critical Systems) and thank him for all the invaluable discussions. Thanks are extended to Diena Seeger, on behalf of the team working on the Collision Risk Assessment, for their thorough and time-consuming assessment of the data. Finally, the author would like to thank Peter Stastny and Tony Licu of the EUROCONTROL Safety Regulation Unit (SRU) for their continuous support during the review process and their efforts to ensure the timely completion of the review.

The views expressed in this paper are those of the author and do not necessarily represent official EUROCONTROL policy.

REFERENCES

[1] EUROCONTROL: EUR RVSM Pre-Implementation Safety Case, RVSM 691, Version 2.0, 14 August 2001.

[2] EUROCONTROL: EATMP Safety Policy, Edition 1.1, August 1999.

[3] EUROCONTROL/ECAC: Air Traffic Management Strategy for the Years 2000+, January 2000.

Figure 4. “Bow-Tie” model. [Diagram: causes on the left are combined by FTA within the FHA/PSSA into the hazard at the centre; consequences on the right are developed by ETA through successive success (S) and failure (F) branches, the all-failure path ending in the accident.]

[4] EUROCONTROL: EUR RVSM Safety Policy, Edition 1.0, September 2000.

[5] ICAO Document 9574 (2nd Edition) – Manual on Implementation of a 300 m (1000 ft) Vertical Separation Minimum between FL290 and FL410 inclusive.

[6] IEC 61508, Part 1: Functional safety of electrical/electronic/programmable electronic safety-related systems.

[7] UK CAA Document CAP 670 – ATS Safety Requirements.

[8] EUROCONTROL: EATMP Air Navigation System Safety Assessment Methodology (Edition 1.0).

AUTHOR’S BIOGRAPHY

Dr.-Ing. Bernd Tiemeyer studied aerospace engineering at the Technical University (TU) Braunschweig, Germany. In 1991 he was appointed as research engineer and project leader in the area of Satellite Navigation at the Institute of Flight Guidance of the TU Braunschweig. In 1994 he joined the EUROCONTROL Experimental Centre, where he was appointed Project Manager for the Satellite Navigation GBAS (Ground Based Augmentation Systems) Project and, since mid-2000, Safety Manager for the Reduced Vertical Separation Minimum (RVSM) Programme. In January 2002 he obtained a Doctorate in engineering from the University FAF Munich. In April 2002 he joined the Safety Management Unit within the Directorate for Safety, Airspace, Airports & Information Services at EUROCONTROL’s Headquarters.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7

Assessment of the environment vulnerability in the surroundings of an industrial site

J. Tixier, A. Dandrieux & G. Dusserre
Industrial and natural risks department, LGEI, Ecole des Mines d’Alès, CEDEX, France

R. Bubbico, L.G. Luccone, B. Silvetti, R. Carta, B. Mazzarotta & S. Di Cave
Dipartimento di Ingegneria Chimica, Università di Roma “La Sapienza”, Italy

E. Hubert
Centre SITE, Ecole des Mines de Saint Etienne, France

N. Rodrigues, O. Salvi & D. Gaston
INERIS, Parc technologique ALATA, Verneuil en Halatte, France

ABSTRACT: The ARAMIS project aims at assessing the risk level of an industrial site. To reach this goal, the environment, as a target, must be studied and taken into account. On the basis of a multicriteria decision approach (Saaty’s method), a structured methodology is proposed. In a first step an identification of generic targets is made in order to assess, in a second step, their vulnerability. The expected results are cartographic representations of the index of vulnerability V, which represents the vulnerability of an area in the surroundings of an industrial site. This methodology must be implemented in a geographical information system (GIS) in order to devise an operational tool to evaluate the vulnerability for the competent authorities, the industrialists and the risk experts.

1 INTRODUCTION

The ARAMIS project aims at developing an integrated risk index based on, among other things, the environment vulnerability. Indeed, environment vulnerability is scarcely taken into account in risk assessment, and its integration in the ARAMIS project is therefore of great interest. The idea developed is to assess a vulnerability index in order to identify and characterise the vulnerability of targets located in the surroundings of a Seveso industrial site. To summarise, Figure 1 illustrates the problem the ARAMIS project must answer: is area 1, which is composed of human, environmental and material targets, more or less vulnerable than area 2, also composed of human, environmental and material targets, but in different quantities and of different nature?

To answer this question several steps are necessary, namely the definition of the study area, the definition of the targets and also the choice of the available databases which are essential to characterise the environment. Then, a specific methodology for the assessment of the vulnerability is required.

The methodology used to obtain a semi-quantitative approach to vulnerability is a multicriteria decision method (Saaty’s method) based on expert judgements.

Figure 1. Problematic of vulnerability definition.


Another critical step is to make a census of the targets in the study area. This step can be supported by the use of GIS (Geographic Information System) databases and tools. The chosen databases are available for all the EC countries and cover information concerning the population and the characteristics of the natural and man-made environment. GIS software and tools allow the geographical information to be displayed on maps and operations to be performed on the various types of geographical items.

Results of vulnerability and quantification factors are presented in this paper.

2 CHARACTERISATION OF THE STUDY AREA

2.1 Size of the study area

On the basis of previous studies (Egidi et al., 1995; ARPAT, 2000) and data concerning the effect distances of major accidents, a study area of 400 km² is retained. This area is expected to cover all the consequences of flammable and explosive events and the greatest part of the consequences of toxic events, but it will not include the impact area of a very large toxic cloud under particular atmospheric conditions. However, in our opinion, the grid size of 20 km × 20 km will fit our scope, requiring a reasonably limited amount of territorial information. In order to have a more accurate representation of the vulnerability index, it is convenient to divide the study area into meshes. The size of these meshes is 250 m in a first approach, but it may, in the future, depend on the distance from the source to the targets. In fact, close to the industrial site it may be interesting to have a smaller mesh size (for example 50 m × 50 m) and far from the industrial site a bigger mesh size (for example 500 m × 500 m).

All these considerations justify the proposed size of the area for the problem at hand, which is to determine the vulnerability of targets to major accidents. Now, it is necessary to define the environment.

2.2 Targets typologies

The aim of this paragraph is to define the environment of an industrial site in order to determine the risk level of an industrial installation. It is therefore necessary to propose a set of target types which characterise the environment with accuracy, while keeping in mind the importance of the transferability of the method and of its flexibility. Indeed, it is necessary to find a proper balance between the number of targets to be taken into account and the limitations due to the multicriteria decision method.

First of all, targets were divided into three categories and each of these categories is then detailed in a list of generic targets:

• Human (H)
– Staff of the site (H1)
– Local population (H2)
– Population in an establishment receiving the public (H3)
– Users of communication ways (H4)

• Environmental (E)
– Agricultural areas (E1)
– Natural areas (E2)
– Specific natural areas (E3)
– Wetlands and water bodies (E4)

• Material (M)
– Industrial site (M1)
– Public utilities and infrastructures (M2)
– Private structures (M3)
– Public structures (M4)

2.3 Available databases

Two databases have been retained.

The Corine Land Cover (IFEN, 2002) database provides homogeneous geographical information about land use in each country of Europe. The main information included in this database corresponds to the topographical map, the vegetation and type of forest map and finally the soil and network description.

There are five main types of territory description:

• artificial territory
• land for agricultural use
• forest and natural areas
• humid areas
• water areas

The five previous types are described by forty-four classes in order to characterise the natural environment.

The TeleAtlas database is built from local data collection activities in all European countries and in the USA (TeleAtlas, 1996).

The included themes are:

• road and street centre-lines
• address areas
• administrative areas
• postal districts
• land use and cover
• railways
• ferry connections
• points of interest: built-up areas
• settlement centres
• water

These two databases fulfil most of our objectives for describing the natural environment and the man-made targets. Concerning the human targets, specific data provided by each country must be used. The information concerning the population will be obtained from the data provided by INSEE for France, which gives a status of the French population in 1999 by district (INSEE, 1999). In Italy, ISTAT (the National Institute for Statistics) also gives this type of information, based on the 1991 census (ISTAT, 1992) and, soon, on the 2001 census of the Italian population by district or census unit.

To use these population data, some rules must be assumed to allocate a number of people to each mesh included in a district, as discussed in the paragraph concerning the quantification of environmental targets. If more precise results are required, information at the cadastral level should be taken into account. This second approach is more time-consuming than the first one.
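The allocation rule itself is not spelled out in this paper, so the following is an added example (not the ARAMIS tool) of the simplest rule a practitioner would assume: each district's population is spread over the meshes of the 20 km × 20 km grid in proportion to the area the mesh shares with the district, so that the population of the part of a district lying inside the study area is conserved and nothing is double-counted. Districts are modelled as axis-aligned rectangles and the populations are constructed; real districts would be polygons read from the GIS layer, which changes only the overlap computation, not the rule.

```python
"""Areal-weighted allocation of district population to study-area meshes.

Added example with constructed districts; not the ARAMIS implementation.
Coordinates are metres from the south-west corner of the study area.
"""
from collections import defaultdict

STUDY_AREA_SIZE = 20_000   # 20 km x 20 km = 400 km^2, as in section 2.1
MESH_SIZE = 250            # first-approach mesh size of section 2.1


def overlap_area(a, b):
    """Area shared by two axis-aligned rectangles (x0, y0, x1, y1); 0 if disjoint."""
    w = min(a[2], b[2]) - max(a[0], b[0])
    h = min(a[3], b[3]) - max(a[1], b[1])
    return w * h if w > 0 and h > 0 else 0.0


def mesh_rectangles(size=STUDY_AREA_SIZE, mesh=MESH_SIZE, clip=None):
    """Yield (column, row, rect) for the meshes of the grid.

    With `clip` (a bounding box) only meshes that can touch it are produced,
    so a district does not force a scan of all (size / mesh)^2 meshes.
    """
    n = size // mesh
    c0, r0, c1, r1 = 0, 0, n - 1, n - 1
    if clip is not None:
        c0, r0 = max(0, int(clip[0] // mesh)), max(0, int(clip[1] // mesh))
        c1 = min(n - 1, int((clip[2] - 1e-9) // mesh))
        r1 = min(n - 1, int((clip[3] - 1e-9) // mesh))
    for col in range(c0, c1 + 1):
        for row in range(r0, r1 + 1):
            yield col, row, (col * mesh, row * mesh, (col + 1) * mesh, (row + 1) * mesh)


def allocate_population(districts, size=STUDY_AREA_SIZE, mesh=MESH_SIZE):
    """Return {(col, row): people} for a list of (name, rect, population).

    Assumes uniform density within a district: its people are shared in
    proportion to the district area lying in each mesh. People living in the
    part of a district outside the study area are not counted.
    """
    grid = defaultdict(float)
    for name, rect, population in districts:
        district_area = (rect[2] - rect[0]) * (rect[3] - rect[1])
        if district_area <= 0 or population < 0:
            raise ValueError(f"invalid district {name}")
        density = population / district_area
        for col, row, cell in mesh_rectangles(size, mesh, clip=rect):
            shared = overlap_area(rect, cell)
            if shared > 0:
                grid[(col, row)] += density * shared
    return dict(grid)


def allocated_total(grid):
    """People actually placed on the grid (the check that nothing was double-counted)."""
    return sum(grid.values())


# Constructed districts: A lies fully inside the study area, B straddles its
# eastern edge so only the half of its 2000 inhabitants inside the area is counted.
SAMPLE_DISTRICTS = [
    ("A", (1000, 1000, 3000, 3000), 1000),
    ("B", (18000, 5000, 22000, 7000), 2000),
]

if __name__ == "__main__":
    g = allocate_population(SAMPLE_DISTRICTS)
    print(f"{len(g)} populated meshes, {allocated_total(g):.1f} people inside the study area")
    print("people in mesh (4, 4):", g[(4, 4)])
```

Running it on the sample gives 128 populated meshes of 15.625 people each, 2000 people in total: all of district A and the inside half of district B. The conservation check is what a practitioner should re-run after switching to the finer 50 m meshes near the plant, since a mesh grid that does not tile the district boundary exactly is where people silently get lost or counted twice.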

It has to be pointed out that other, more specific information concerning some important environmental features, such as parks or protected zones, is available from national environmental organisations, such as APAT in Italy, or from the inventory of natural zones of faunistic and floristic interest (ZNIEFF) in France.

Finally, some other information, such as that concerning the industrial site, has to be provided directly by the user, since it is not available to the general public. A specific procedure is proposed to fill in these data, which can also be used to add information concerning special targets, such as sites concentrating a high number of people, vital infrastructures, monuments, etc.

Figure 2 shows the information available from Corine Land Cover, TeleAtlas, APAT and ISTAT for an example area in Northern Italy, displayed using the GIS software ArcView (ArcView, 2000) with a 20 km × 20 km grid of 500 m × 500 m meshes (50 m × 50 m in the proximity of the plant).

3 THE VULNERABILITY INDEX

3.1 Generalities on the multicriteria decision method of Saaty (Saaty, 1984)

In a general way, decision-taking is a complex process which is not only based on a set of information about a subject. It depends also on feelings, which correspond to a more or less vague vision of reality, and on the influence of particular persons within the decision group. In fact, personal preferences and persuasion can carry more weight in the decision process than a clear and rigorous logic, so that logic intervenes only afterwards, to order words and ideas and to lend weight to the decision taken previously.

A multicriteria hierarchical method brings organisation to the information and judgements which intervene in the process of decision-taking.

The purpose of this method is an assessment of priorities. To this end, the first point is to reach a consensus on the objective, and then to decompose the complex and unstructured situation into its main constituents. The results can be a classification, an allocation of numerical values to subjective judgements or the aggregation of judgements to determine the variables having the highest priorities. The multicriteria hierarchical method allows a group decision to be taken in a consensual way thanks to a better coherence of judgement.

The multicriteria hierarchical method of Saaty (Saaty, 1984) is based on three main steps:

• a construction of hierarchies;
• an assessment of priorities;
• a validation of coherence.

The construction of a hierarchical structure requires the creation or the identification of links between the various levels of this structure.

Each element of a functional hierarchy takes place at a given level of the structure. Its upper level corresponds to the global objective (or dominant element). Binary comparisons are made between all the elements of a given level with respect to the element of the upper level, in order to rank the elements among themselves. The various levels of a hierarchy are, consequently, interconnected.

A complex situation can be analysed by a systematic approach with the help of the hierarchical structure. The priorities then have to be assessed. This is done by comparing the elements two by two (binary comparison), which gives the ranking of the elements according to their relative importance. Finally, the check of logical coherence confirms the whole applied process. To make the binary comparisons, it is necessary to use a scale based on classic numerical variables or on more qualitative variables that allow intangible qualities to be taken into account, as shown in Table 1.

Figure 2. Example of 20 km × 20 km study area. [Map: the study-area grid over Northern Italy with two 50 m × 50 m grid insets in the proximity of the plant; scale bar from 0 to 20000 metres.]

3.2 Application to the determination of the index of vulnerability (Saaty, 1984)

This part consists in the description of the environment (Fig. 3) in order to have a good understanding of the situation. To this end, three typologies are proposed:

• a typology of targets, which is composed of three main classes of targets (human, environmental and material). Each main class of targets is characterised by four types of targets, as described in paragraph 2.2.

• a typology of physical effects. Four types of effects are considered:
– overpressure;
– thermal flux;
– gas toxicity;
– liquid pollution.

• a typology of impacts. Three impacts due to physical effects are considered to characterise the effects of major accidents on targets:
– sanitary or integrity impact, which qualifies the effect on human targets or on environmental and material structures, respectively;
– economic impact, which qualifies an effect in terms of loss of production or of rehabilitation;
– psychological impact, which qualifies an effect in terms of influence on a group of people.

It is then necessary to organise these typologies in order to answer the vulnerability problem.

Therefore, the next step consists in structuring the information. It follows from the definition of vulnerability given below.

For a class of targets and a given physical effect, the vulnerability of each type of target in comparison with the others is evaluated by way of binary comparisons as a function of the characterisation criteria, which are the three impacts.

The result is the vulnerability of one class of targetfor one physical effect. The associated hierarchicalstructure is presented in Figure 4 for the human vulnerability.

For a class of targets, the importance of each phys-ical effect in comparison with another one is evaluatedby the way of binary comparisons: the result is thevulnerability of one class of target (Fig. 5). Finally, thevulnerability of each class of targets is compared tothe others, leading to the global vulnerability (Fig. 5).

The same hierarchical structure applies to environ-mental and material vulnerability.

From this definition and from hierarchical struc-tures too, the matrixes and the functions of the vul-nerability index are deduced. The matrixes aretranslated into a questionnaire which allows to collectthe expert judgement for the evaluation of each coef-ficient of vulnerability of vulnerability functions.

3.3 The vulnerability factors and functions (Saaty, 1984)

Thirty-eight experts have so far been consulted individually. The distribution of experts per country and per type is presented in Figures 6 and 7: most of them were French or Italian.


Figure 3. Description of the system: industrial site, major accidents, targets.

Figure 4. Hierarchical structure for the human vulnerability per physical effect i: the human vulnerability for effect i is broken down into the sanitary, economic and psychological impacts, each compared across the four human target types H1–H4.

Figure 5. Hierarchical structure of the global vulnerability characterisation: the global vulnerability is broken down into human, environmental and material vulnerability, each of which is broken down into the four physical effects (overpressure, thermal flux, toxicity, pollution).

Table 1. Scale of binary comparison.

Degree of importance | Definition
1 | Equal importance of the two elements
3 | Weak importance of an element in comparison to the other one
5 | Strong importance of an element in comparison to the other one
7 | Certified importance of an element in comparison to the other one
9 | Absolute importance of an element in comparison to the other one
2, 4, 6, 8 | Intermediate values between two appreciations
1/2, 1/3, 1/4, 1/5, 1/6, 1/7, 1/8, 1/9 | Reciprocal values of the previous appreciations


Throughout the project, expert judgements will be collected in order to update the vulnerability factors.

Concerning the type of experts, about 60% were risk experts (from public or private organisations).

A specific treatment is needed to aggregate the appreciations of the experts mentioned above. Each appreciation is aggregated by geometric mean, so that a new questionnaire is built which is the aggregate of the appreciations of all the experts consulted. All the evaluations obtained are reported into the matrices and the vulnerability factors can be assessed. Results are given in the following paragraph.

To assess the vulnerability factors of each function, the eigenvectors of the matrices must be calculated; the solutions are the vulnerability factors. Tables 2 to 5 present the results. The ratio of coherence (RC) must be lower than 10% for each matrix to validate the coherence of the judgements and therefore the results. The results obtained for the global vulnerability function (Table 2) show the great importance (about 75%) of human vulnerability. The vulnerability factor of environmental targets represents 20%, while material vulnerability represents only 5% of the function.
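As an added worked example (not code from the paper), the following Python carries out the two steps just described: the experts' pairwise comparison matrices are aggregated cell by cell by geometric mean, the principal eigenvector of the aggregated matrix gives the vulnerability factors, and the ratio of coherence RC = CI/RI is checked against the 10% limit. The three 3×3 matrices comparing the human, environmental and material classes on the 1–9 scale of Table 1 are constructed inputs, not the thirty-eight questionnaires of the study, so the weights they give only approximate Table 2; the random-index values RI are Saaty's.

```python
"""Saaty pairwise comparison (AHP): aggregation, weights and consistency ratio.

Added example; the expert matrices below are constructed, not the study's data.
"""
from math import prod

# Saaty's random consistency index RI, indexed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24,
                7: 1.32, 8: 1.41, 9: 1.45}


def aggregate_geometric(matrices):
    """Cell-by-cell geometric mean of several experts' reciprocal matrices.

    The geometric mean is the aggregation that keeps a_ji == 1/a_ij, so the
    aggregated questionnaire is still a valid Saaty matrix.
    """
    n = len(matrices[0])
    k = len(matrices)
    return [[prod(m[i][j] for m in matrices) ** (1.0 / k) for j in range(n)]
            for i in range(n)]


def principal_eigenvector(a, iterations=500):
    """Power iteration on a positive matrix.

    Returns (w, lambda_max) with w normalised to sum 1. Because sum(w) == 1,
    sum(A w) estimates the dominant eigenvalue at each step.
    """
    n = len(a)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)
        w = [x / lam for x in aw]
    return w, lam


def consistency_ratio(a):
    """RC = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for n <= 2."""
    n = len(a)
    if n <= 2:
        return 0.0
    _, lam = principal_eigenvector(a)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def vulnerability_factors(matrices, rc_limit=0.10):
    """Aggregate the experts, compute the factors and validate RC <= limit.

    Returns (weights, rc, valid).
    """
    agg = aggregate_geometric(matrices)
    w, _ = principal_eigenvector(agg)
    rc = consistency_ratio(agg)
    return w, rc, rc <= rc_limit


# Constructed judgements of three experts on (human, environmental, material),
# on the 1-9 scale of Table 1; a[i][j] > 1 means row class i is more important.
EXPERTS = [
    [[1, 4, 9], [1 / 4, 1, 4], [1 / 9, 1 / 4, 1]],
    [[1, 3, 9], [1 / 3, 1, 5], [1 / 9, 1 / 5, 1]],
    [[1, 5, 9], [1 / 5, 1, 3], [1 / 9, 1 / 3, 1]],
]

# A deliberately circular judgement (H > E, E > M, M > H) that the RC check rejects.
INCONSISTENT = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]

if __name__ == "__main__":
    weights, rc, ok = vulnerability_factors(EXPERTS)
    for name, w in zip(("human", "environmental", "material"), weights):
        print(f"{name:14s} {w:.3f}")
    print(f"RC = {rc:.1%} -> {'validated' if ok else 'rejected'}")
    print(f"circular matrix RC = {consistency_ratio(INCONSISTENT):.1%}")
```

The circular matrix shows why the RC check matters: each single judgement is on the scale, yet together they carry no ranking information, and the eigenvector degenerates to equal weights while RC is far above 10%.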

For human targets (Table 3), the main effect is gas toxicity (47%). The effects of overpressure and thermal radiation have about the same importance (24% and 23% respectively). On the contrary, liquid pollution has a weak influence on human targets (only 7%).

For human targets and for all the physical effects, the sanitary impact is the dominant one (about 65%). The psychological impact represents about 25% of the vulnerability factors and the economic impact only 10%. For environmental targets (Table 4), and for the physical effects of overpressure and thermal radiation, the target type E3 (specific natural area) has the highest vulnerability factor for all impacts. For liquid pollution, the target type E4 (wetlands and water bodies) has an important vulnerability. The two other categories E1 and E2 (agricultural area and natural area) seem to be less vulnerable to this physical effect than E3 and E4. Concerning material targets (Table 5), the effects of overpressure and thermal radiation represent the main parts of the vulnerability factors (45% and 41% respectively). For an overpressure effect and a thermal radiation effect, the integrity and economic impacts are more important than the psychological impact. On the contrary, for a gas toxicity effect and a liquid pollution effect, the economic and psychological impacts are more important than the integrity impact. For the effects of gas toxicity and liquid pollution, the vulnerability factors have about the same value for all types of targets except for type M1. For a thermal radiation effect, the vulnerability factor for the economic impact of target type M1 has a dominant value.

All the ratios of coherence (RC) are lower than 10%, so the vulnerability factors based on the thirty-eight questionnaires mentioned above are validated.

To complete the vulnerability functions, quantification factors for each type of target are introduced. They are defined in the following paragraph.

3.4 Quantification factors

The quantification factors account for the "quantity" of each target in the study area. A quantification factor is defined as a dimensionless variable taking values in the range 0–1, where 0 indicates the absence of the target in the area and 1 indicates that the quantity of that target in the area reaches its expected maximum.

Therefore, the quantification factors aim at a normalised census of each detailed type of target (H1–H4, E1–E4 and M1–M4).

3.4.1 Human targets
The quantification factor Hi relevant to each of the i-th types of human targets in the area is determined as:

with Ni the total number of people of the i-th human target type and Nmaxi the maximum number of people of the i-th human target type in the area under exam.


Figure 6. Experts repartition per country: France (16), Italy (15), Spain (3), Denmark (1), Poland (1), United Kingdom (1), Slovenia (1).

Figure 7. Experts repartition per type (%): risk experts, competent authorities, industrialists.

Table 2. Global vulnerability function.

Function | RC%
Vglobal = 0.752·VH + 0.197·VE + 0.051·VM | 0.17


Accordingly, in order to determine the quantification factors for human targets, it is first necessary to set the maximum value, Nmaxi, that the number of people belonging to each i-th human category can reach in the area.

It should be noted that, should some calculated value of the quantification factor exceed 1, it must in any case be taken as equal to 1.

The maximum number of staff of the site present at the same time, based on the number of workers of single, rather large plants, can be assumed as Nmax1 = 2,000 persons.

The target "local population, home-body" is better described by a population density, expressed as number of people/km², which can be calculated from census data. A maximum reference value of the resident population density, PDmax2, can be determined from the individual population densities of a great number of built-up aggregates. To this


Table 3. Human vulnerability functions (functions and RC%).

Table 4. Environmental vulnerability functions (functions and RC%).

Table 5. Material vulnerability functions (functions and RC%).


end, the individual population density values were calculated for about 60,000 Italian built-up aggregates, limiting the analysis to those covering areas larger than the average mesh size (from 0.0625 to 0.25 km²). PDmax2 was then taken as the upper 98% limit (i.e. the value exceeded in only 2% of the cases), which corresponds to about 15,000 people/km². Given the rather high population density of built-up areas in Italy, this value can be assumed to hold all over the EC.

The maximum number of resident population in a study area is therefore:

with PDmax2 the maximum population density of the local home-body population (people/km²) and A the extension of the area under exam (km²).

The number of resident people can be estimated for each mesh as follows:

with PD2,k,mesh the population density of the k-th built-up aggregate falling (totally or partly) in the mesh (people/km²) and Ak,mesh the extension of the portion of surface covered by that built-up aggregate within the boundaries of the mesh (km²).

Figure 8 shows the quantification factor H2 for the local population of the area shown in Figure 2.

The expected maximum number of people in an establishment receiving the public may vary considerably depending on its type. The largest number of people present at the same time in a specific place may reach, or even exceed, 80,000 persons for events such as sport matches or rock concerts taking place in stadiums. However, it is not practical to set the maximum to this extremely high value, since in the absence of this specific type of establishment the quantification factors would come out very low, because of the much lower number of people who may be present in most other types of establishments, such as theatres, schools, restaurants, etc. Accordingly, the maximum number of people in an establishment receiving the public was set to Nmax3 = 30,000 persons.

It should be pointed out that, in most cases, information on the number of people in each establishment and, possibly, on its location is not available from databases and has to be found and added by the user. However, the user can be provided with some default values based on the type and size of the establishment.

Users of communication ways include people travelling on roads, railways and waterways. Some databases, such as TeleAtlas (TeleAtlas, 1996), give the location and type of the communication ways, but generally no data is available on the population travelling on them. Therefore, these data should be entered by the user, based on locally available information on traffic, average number of people travelling on each means (cars, trains and boats), etc.

The target "users of communication ways" can be conveniently expressed as a number of people per unit length of the communication way (road, railway or waterway).

For example, the number of road users can be estimated as:

with LD4,road,k the linear population density of the k-th portion of road falling within the boundary of the area under exam (people/km) and Lroad,k the length of the k-th portion of road.

Figure 9 shows, for example, the estimated number of road users for the study area of Figure 2.

Similar expressions can be written for rail and waterway users. The total number of users of communication ways is obtained as:

The maximum number of users of communication ways, Nmax4, can be calculated as:

with PDmax4 the maximum population density of this human target, estimated as 1,250 persons/km² from Italian traffic data.


Figure 8. Quantification factor H2 for resident population (grid 50 m × 50 m; classes of resident population, people/km²: 0–500, 500–1000, 1000–2000, 2000–3500, 3500–5000).


3.4.2 Environmental targets
All environmental targets can be derived from commercial databases, and GIS tools allow the areas they cover within the study zone to be determined.

Accordingly, the quantification factor Ei relevant to the i-th type of environmental target in the area can be determined as:

with Ai the extension of the area covered by the i-th type of environmental target within the boundaries of the area under exam (km²) and A the extension of the area under exam (km²).

Figure 10 shows the quantification factor for agricultural areas, E1, for the study area of Figure 2.

3.4.3 Material targets
Most material targets can be derived from commercial databases, which, however, may not account for some specific targets, such as the industrial site itself, or for some outstanding targets, such as vital infrastructures (material target type 2) or monuments (material target type 4).

The quantification factor Mi relevant to the i-th type of material target in the area is:

with Ai the extension of the area covered by the material target within the boundaries of the area under exam (km²). However, should some outstanding target (of type 2 or 4 only) be present, the quantification factor is modified as follows:

with j equal to 2 or 4, Ij,k a factor representing the importance of the k-th outstanding target of the j-th type present in the area under exam, and Imaxj the maximum value of the importance of the j-th outstanding target type. Since it is very difficult to assign a "value" to outstanding targets, it can be obtained from a relative scale of importance. For example, a crucial power plant may be assigned an importance I2 = 0.7 on a scale from 0 to 1; in that case Imax2 is equal to 1.

However, it has to be remarked that it should always be M2 ≤ 1 and M4 ≤ 1: this means that if M2 > 1 or M4 > 1, one should take M2 = 1 or M4 = 1.
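As an added worked example (not code from the paper), the following Python computes the quantification factors of section 3.4 for one mesh. It takes each factor as the ratio quantity present / expected maximum, clipped to 1 as stated in 3.4.1, uses the reference maxima given in the text (Nmax1 = 2,000, PDmax2 = 15,000 people/km², Nmax3 = 30,000, PDmax4 = 1,250 people/km²) and takes the area under exam A to be the mesh itself. The mesh contents (built-up aggregates, a road portion, land-cover areas) are constructed; Mi is computed from covered area only, without the importance-based correction for outstanding targets.

```python
"""Quantification factors of targets in one mesh (section 3.4), added example.

Factors are 'quantity present / expected maximum', clipped to the range 0..1.
Reference maxima are those stated in the paper; the mesh contents are constructed.
"""
from dataclasses import dataclass, field

N_MAX_STAFF = 2_000           # Nmax1: site staff present at the same time
PD_MAX_RESIDENT = 15_000.0    # PDmax2, people/km2: 98th percentile of Italian built-up areas
N_MAX_PUBLIC = 30_000         # Nmax3: establishments receiving the public
PD_MAX_TRAVELLERS = 1_250.0   # PDmax4, people/km2: from Italian traffic data


def clip01(x):
    """Quantification factors are dimensionless in 0..1; values above 1 are set to 1."""
    return max(0.0, min(1.0, x))


@dataclass
class Mesh:
    area_km2: float                                   # A, extension of the area under exam
    staff: int = 0                                    # N1
    builtup: list = field(default_factory=list)       # (PD2,k [people/km2], Ak [km2]) pairs
    public: int = 0                                   # N3
    ways: list = field(default_factory=list)          # (LD4,k [people/km], Lk [km]) pairs
    env_area_km2: dict = field(default_factory=dict)  # {'E1': km2, ...}
    mat_area_km2: dict = field(default_factory=dict)  # {'M1': km2, ...}


def resident_count(mesh):
    """N2: sum over built-up aggregates of density x portion of the mesh they cover."""
    return sum(pd * a for pd, a in mesh.builtup)


def traveller_count(mesh):
    """N4: sum over road/rail/waterway portions of linear density x length."""
    return sum(ld * length for ld, length in mesh.ways)


def human_factors(mesh):
    n_max_res = PD_MAX_RESIDENT * mesh.area_km2       # Nmax2 = PDmax2 x A
    n_max_trav = PD_MAX_TRAVELLERS * mesh.area_km2    # Nmax4 = PDmax4 x A
    return {
        "H1": clip01(mesh.staff / N_MAX_STAFF),
        "H2": clip01(resident_count(mesh) / n_max_res),
        "H3": clip01(mesh.public / N_MAX_PUBLIC),
        "H4": clip01(traveller_count(mesh) / n_max_trav),
    }


def area_factors(areas, mesh_area, keys):
    """Ei (and Mi from covered area alone): Ai / A, clipped to 1."""
    return {k: clip01(areas.get(k, 0.0) / mesh_area) for k in keys}


def quantification_factors(mesh):
    out = human_factors(mesh)
    out.update(area_factors(mesh.env_area_km2, mesh.area_km2, ("E1", "E2", "E3", "E4")))
    out.update(area_factors(mesh.mat_area_km2, mesh.area_km2, ("M1", "M2", "M3", "M4")))
    return out


# Constructed 50 m x 50 m mesh (0.0025 km2) crossed by a busy road.
SAMPLE_MESH = Mesh(
    area_km2=0.0025,
    builtup=[(3_000.0, 0.0010), (8_000.0, 0.0005)],   # 3 + 4 = 7 residents
    ways=[(400.0, 0.05)],                              # 20 road users on 50 m of road
    env_area_km2={"E1": 0.0015},                       # agricultural area
    mat_area_km2={"M3": 0.0004},
)

if __name__ == "__main__":
    for key, value in quantification_factors(SAMPLE_MESH).items():
        print(f"{key}: {value:.3f}")
```

In the constructed mesh the 20 road users exceed Nmax4 = 1,250 × 0.0025 = 3.125 persons, so H4 is clipped to 1, which is exactly the case the clipping rule of 3.4.1 is there for.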

4 TOWARDS AN OPERATIONAL TOOL WITH GEOGRAPHICAL INFORMATION SYSTEM

This paragraph summarises the presented methodology. It also presents how it can be applied to an area whose vulnerability must be assessed.

4.1 Description of the objectives of the GIS tool

The studied area is a square of 400 km² with the industrial site in the middle. In order to assess the vulnerability index, the following steps have to be carried out:

• divide the studied area into meshes;
• assess the vulnerability for each mesh;
• identify the targets (H1–H4, E1–E4 and M1–M4) included in the mesh according to the proposed typologies;
• quantify the number of targets;
• calculate the vulnerability index;
• map the results.

These actions must be repeated for all the meshes of the studied area.


Figure 9. Number of road users N4 in the study area (grid 50 m × 50 m; classes: 0–20, 20–50, 50–100, 100–500, 500–1100).

Figure 10. Quantification factor E1 for agricultural areas (grid 50 m × 50 m; classes: 0–0.2, 0.2–0.4, 0.4–0.6, 0.6–0.8, 0.8–1).


4.2 Expected cartographic results

The vulnerability values obtained in the previous phases can be mapped using a vulnerability scale which translates a value of the vulnerability index into a class of vulnerability.

Three types of results can be obtained:

• a cartographic representation of the global vulnerability of the studied area;
• a cartographic representation of the vulnerability of a class of target (human, environmental or material);
• a cartographic representation of the vulnerability of a class of targets to a given physical effect.

5 CONCLUSION

In conclusion, a structured methodology is proposed to quantify the vulnerability index of an area in the surroundings of an industrial site. The methodology is based on expert judgement and hierarchical structures to organise the data needed for the vulnerability calculation, and on the quantification of the different types of targets within the area. It is implemented with a geographical information system to make an operational tool available to risk managers such as competent authorities, industrialists and risk experts. In this way, end users have a formalised representation of the state of the environment in order to manage risks.

REFERENCES

ARPAT, 2000. Analisi del rischio per l'area di Livorno e strategie di intervento. Mossa Verre Ed., Firenze.

Egidi, D., Foraboschi, F., Spadoni, G. & Amendola, A. 1995. The ARIPAR project: analysis of the major accident risks connected with industrial and transportation activities in the Ravenna area. Reliability Engineering and System Safety: 75–89.

ESRI, 2000. ArcView GIS 3.2a for Windows.

ISTAT, 1992. 13° Censimento generale della popolazione e delle abitazioni, Roma.

IFEN, 2002. Corine Land Cover cartographical databases, http://www.ifen.fr.

INSEE, 1999. CD-ROM Populations légales, recensement de la population de 1999, http://www.insee.fr.

Saaty, T.L. 1984. Décider face à la complexité: une approche analytique multicritère d'aide à la décision. Collection université – entreprise, Entreprise Moderne d'Édition, Paris.

TeleAtlas B.V. 1996. Roadnet.


Increasing electric safety in HV systems by means of the ground resistance of the body

R. Tommasini & R. Pertusio
Department of Electrical Engineering – Polytechnic of Turin, Italy

ABSTRACT: The danger to personnel in high voltage stations can be very high, so an accurate evaluation of the resistance to ground of the human body (REB) is very useful to establish and improve the safety levels and to plan interventions. The ground resistance of the body REB is the resistance that the current meets when it leaves the human feet to enter the earth; it depends both on the resistivities of the soils and on the thickness of the insulating layer. The aim of this work is to propose new simplified formulas for the calculation of the ground resistance of plate electrodes placed on a two-stratus soil, since feet can be assimilated to plates in order to evaluate the step voltage and the touch voltage to which a person can be subjected in the case of a fault in HV systems. The research has been carried out with numerical methods; the results have been compared with semi-empirical equations and with experimental tests.

1 INTRODUCTION

The purpose of this investigation is the evaluation of the resistance to ground of plate electrodes placed on a two-stratus soil. The study of the two-stratus soil, in which the superficial layer has a higher resistivity than the underlying ground, has a significant practical importance, because one of the usual methods to reduce touch voltage and step voltage (Figs. 1 and 3) consists precisely in insulating the soil by means of a high-resistance layer.

The use of plate electrodes placed on the soil to simulate the feet allows experimental measurements to be made in situ to verify that the electrical system respects the safety limits. Figures 2 and 4 show the circuit diagrams given in the CENELEC Standard HD 637 S1 [2] to measure the touch voltage and the step voltage.

Using the Finite Element Method, with the commercial software Ansys, and the Resistance Grid Method [6], developed and applied by the authors for this specific problem, the influence of the characteristic parameters of the phenomenon has been studied.

The experimental measurements on various types of soils and building materials have been made in the laboratory of the Department of Electrical Engineering of the Polytechnic of Turin on a scale model, in order to compare them with the results of the numerical simulations.

2 VOLTAGE SAFETY LIMITS

The human body is very sensitive to electric current; the most dangerous risk is ventricular fibrillation, which can cause death. The time/current graph (Fig. 5) gives the safety limits for the effects of alternating current (15 Hz–100 Hz) on the body.

The effects of current passing through the human body depend both on the duration of flow and on the current intensity: the longer the duration, the lower the admissible current.

Figure 1. Touch voltage (UST, UT, UE, RE, I).


To establish the safety level in electrical installations, the useful parameters are the voltage to which the person can be subjected and the time. In accordance with Ohm's law, the current flowing through the body and the applied voltage are related by the body resistance RB, which is not constant but depends on the voltage. Knowing RB(V) and I(t), it is possible to obtain the V/t graph, where the voltage that the body can tolerate is a function of the fault duration t (Fig. 6).

Usually in HV systems the fault current Ig and the disconnecting time t of the fault protection are defined; besides, the resistance of the grounding system RE can be measured, so the voltage to which the body can be subjected is V = Ig · RE (Figs. 1 and 3). In several cases it is very difficult or impossible to respect the safety levels of Figure 6. To reach safety, it is necessary to increase the resistance to ground REB which, being in series with the body resistance RB(V) (Fig. 7), raises the voltage safety level (Fig. 6).

Knowing the fault duration t, it is possible to calculate the necessary value of REB: from V = (RB(V) + REB) · Iadmissible(t) it follows that REB = (V − RB(V) · Iadmissible(t)) / Iadmissible(t). In this work, new formulas to obtain REB


Figure 2. Circuit diagram for touch voltage measurement.

Figure 3. Step voltage (USS, US, RE, I).

Figure 4. Circuit diagram for step voltage measurement.

Figure 5. Safety limits I/t for alternating current 50 Hz: body current (mA, 0.1 to 10,000) against duration of current flow (ms, 10 to 10,000), with zones a, b, c1, c2, c3 and the ventricular fibrillation region.

Figure 6. Safety limits V/t for alternating current 50 Hz (V in volts, 0–3500; t in s, 0.01–10), increasing the resistance to ground REB.

Figure 7. Resistance of the body RB and resistance to ground REB of the electrodes (plates), in series across the voltage U.


are proposed; the problem is to determine the resistivities of the soils and the thickness of the insulating layer. Since the resistivities of the most common insulating soils have already been investigated [6] (Tab. 1), the relationships allow, once a specific insulating material has been chosen, the necessary thickness of the superficial layer to be established.

3 PARAMETRIC STUDY

In order to understand the phenomenon, a large number of numerical simulations have been made with the FEM method and with the Resistance Grid Method [6], changing the plate side Lp between 10 and 25 cm and the thickness of the insulating layer H between 1 and 50 cm, studying in particular the values between 5 and 20 cm, which are of higher practical interest.

The value of the ratio ρ1/ρ2 varies between 1, the case of homogeneous soil, and 1000.

The simulations have allowed the influence of the following parameters on the resistance to ground to be studied:

• plate side Lp;
• thickness H of the insulating layer (ρ1);
• ratio ρ1/ρ2 of the two layers;
• ratio Lp/H.

To understand how these parameters interact and how they affect the phenomenon, it is important to analyse the spatial form of the electric field around the plate electrode.

A few images of voltage isosurfaces for the cases of higher interest are reported in the following.

3.1 Parameter ρ1/ρ2

In Figures 8–10 the ratio Lp/H is constant, while the parameter ρ1/ρ2 changes:

• ρ1/ρ2 = 0.01 (Fig. 8);
• ρ1/ρ2 = 1, homogeneous soil (Fig. 9);
• ρ1/ρ2 = 100 (Fig. 10).

3.2 Parameter Lp/H

Once the value of the ratio ρ1/ρ2 is fixed, the voltage distribution around the plate electrode depends upon the ratio Lp/H only.

For instance, in Figures 11 and 12 the voltage isosurfaces are shown for two cases where the ratio ρ1/ρ2 is constant and equal to 1000.


Table 1. Resistivity of some materials (electrode pressed with a force of 250 N).

Material | ρ (Ω·m)
Asphalt | 100000
Compost (dry) | 55–140
Concrete tiles (dry: relative humidity 0.5%) | 12000
Concrete tiles (wet: relative humidity 3%) | 150
Stone – small blocks fixed with sand (dry) | 1200–1300
Stone – small blocks fixed with sand (wet) | 900

Figure 8. Voltage isosurfaces, ρ1/ρ2 = 0.01.

Figure 9. Voltage isosurfaces, ρ1/ρ2 = 1.

Figure 10. Voltage isosurfaces, ρ1/ρ2 = 100.


In the first case (Fig. 11) the ratio Lp/H is high, so that the plate side Lp is much greater than the thickness H; consequently the voltage isosurfaces tend to become parallel to the plate, except in the boundary zones, and the current tends to cross the insulating layer vertically.

If the ratio Lp/H is low, so that the thickness is greater than Lp, the voltage isosurfaces tend to become hemispherical, as in the case of homogeneous soil (Fig. 9). The current then spreads uniformly in all directions (Fig. 12).

4 GENERAL RELATIONSHIP

The proposed equation is based on the trend of two characteristic parameters: ρ1/ρ2 and Lp/H.

The dimensionless ratio (R·Lp)/ρ2, named the adimensional resistance, takes a value depending only on the ratio ρ1/ρ2 between the two resistivities and on the ratio Lp/H between the side of the square electrode and the thickness of the superficial layer, because these parameters determine univocally the voltage distribution and consequently the current flow inside the ground and the corresponding resistance.

Once the two parameters are fixed, the value of the adimensional resistance is constant and invariant.

4.1 Homogeneous soil

The case of a plate electrode placed on homogeneous soil has been studied to validate the numerical results against analytical treatments. The adimensional resistance has a constant value, approximately 0.44, because the parameters are meaningless or can be considered fixed (ρ1/ρ2 = 1, Lp/H = ∞).

The relationship of R for homogeneous soil is:

(1)

The numerical results for the square plate coincide with the analytical data reported in [3] and [4] for circular plates, because the electrode area, not its specific shape, determines the resistance [12].

4.2 Two-stratus soil

For the two-stratus soil, the adimensional resistance varies between the case of homogeneous soil of resistivity ρhomogeneous = ρ1 for H → ∞ (Lp/H = 0) and ρhomogeneous = ρ2 for H → 0 (Lp/H = ∞); for example, for a constant ratio ρ1/ρ2 equal to 1000, the adimensional resistance varies between 440 (H → ∞) and 0.44 (H → 0). The trends of (R·Lp)/ρ2 with increasing ρ1/ρ2, for a fixed ratio Lp/H, are linear, with a common intersection point at the case of homogeneous soil (Fig. 13). (R·Lp)/ρ2 depends upon the two parameters Lp/H and ρ1/ρ2.

(R·Lp)/ρ2 (Lp/H, ρ1/ρ2) has to be a continuous, differentiable function, increasing in ρ1/ρ2.

H = ∞ represents the case of homogeneous soil with ρhom = ρ1, so (R·Lp)/ρ2 (0, ρ1/ρ2) is a straight line of equation (R·Lp)/ρ1 = k → (R·Lp)/ρ2 = k · ρ1/ρ2, for any ρ1/ρ2. H = 0 is the case of homogeneous soil with ρhom = ρ2, so (R·Lp)/ρ2 (∞, ρ1/ρ2) takes the constant value k = 0.44.

Consequently it is possible to find an analytical equation for a bundle of straight lines passing through


Figure 11. Voltage isosurfaces, ρ1/ρ2 = 1000, Lp/H = 4.

Figure 12. Voltage isosurfaces, ρ1/ρ2 = 1000, Lp/H = 0.4.


the point q, with the angular coefficient m a function of the ratio Lp/H.

It is useful to translate the reference system of Figure 13, taking the new origin at the point (1; 0.44), so that the value of (R·Lp)/ρ2 obtained for the homogeneous soil becomes the term q. Figure 14 shows the trend of m as the parameter Lp/H varies between 0.2 and 20; m varies between 0 and 0.44.

For Lp/H ≤ 0.2, i.e. when the thickness H of the insulating layer is at least five times the plate side Lp, it is possible to refer to the homogeneous case, with a corrective coefficient between 0.9 and 1.

The resistance becomes:

For Lp/H ≥ 20, the voltage isosurfaces are parallel to the plate, creating a flux tube for the current. The study of the current distribution around the plate with FEM models has shown that, even for very resistive superficial layers, the ratio Lp/H must be very high for the boundary perturbations to have little influence and for the current to be forced to follow the vertical direction while crossing the insulating layer.

For Lp/H ≥ 20 and ρ1/ρ2 ≥ 10, 90% of the current flows vertically into the resistive stratum under the plate. The total resistance can then be calculated as the sum of the resistance of the insulating layer and the resistance of the second stratum, the latter similar to the case of a plate on homogeneous soil.

For 0.2 < Lp/H < 20 a single accurate equation for the angular coefficient m does not exist, so two simple relationships are proposed, for 0.2 < Lp/H ≤ 4 and 4 < Lp/H < 20.

For then

For then

5 MUTUAL RESISTANCE

The standard HD 637 indicates the value of 400 cm² as total feet area. Figure 15 shows the increase of REB as the distance between the feet decreases [7]. At a distance of 100 cm the two electrodes, each of area 200 cm², are completely electrically independent. For the two-stratus soil with ρ1/ρ2 ≥ 10, the electrodes can already be considered electrically independent at 20 cm, since the mutual interference is negligible. The higher voltage gradient around the plate on a two-stratus soil, compared with a homogeneous soil, causes this very low mutual interference.

6 REB RELATIONSHIP

To evaluate REB, a plate of area 200 cm² simulates one foot, so Lp is constant and equal to 0.14 m.


Figure 13. Trend of (R·Lp)/ρ2 (0–12) with increasing ρ1/ρ2 (0–25), for Lp/H = ∞, 20, 4, 2, 1.33, 1, 0.4 and 0.

Figure 14. Trend of the angular coefficient m (0–0.5) with increasing Lp/H (0–21).


In this case the equations become:

• For H ≥ 70 cm, RFOOT is:

(2)

• For 3.5 cm ≤ H ≤ 70 cm, m = 0.43 · e^(−0.0325/H) (H in metres) and RFOOT is:

(3)

• For 0.7 cm ≤ H ≤ 3.5 cm, m = 0.56 · (0.14/H)^(−0.8) and RFOOT is:

(4)

• For 0 ≤ H ≤ 0.7 cm, the simplified formula of RFOOT is:

(5)

Because the feet are electrically independent of each other, for the touch voltage REB = RFOOT/2, the feet being in parallel; for the step voltage REB = 2 · RFOOT, since the feet are in series.

7 COMPARISON WITH Std80 DATA

In Std80-96 and in Std80-2000 the following formula is given for calculating REB:

(6)

with b = 0.08 m (b = radius of a circular plate of area 200 cm²). CS is the surface layer derating factor.

The Standards give several formulas for CS:

(6a)

with k = (ρ2 − ρ1)/(ρ2 + ρ1) between 0 and −0.98 and 0 cm ≤ H ≤ 30 cm;

(6b)

with a = 0.106; this equation is more accurate than equation 6a for very thin surface layers, between 0.005 m and 0.02 m;

(6c)

with a = 0.09 and 5 cm ≤ H ≤ 30 cm. Equations 6b and 6c are only valid for b = 0.08 m. In Table 2 the results of the different equations are compared, considering REB = RFOOT/2.


Table 2. Comparison of the equations (REB = RFOOT/2, in Ω; * = equation not applicable for this H).

H (m)   ρ1 (Ωm)   ρ2 (Ωm)   (3)       (4)    (6a)    (6b)     (6c)
0,25    2000      222       2686      *      2771    2639     2701
0,2     2000      222       2611      *      2673    2543     2614
0,15    2000      222       2491,5    *      2521    2399,7   2483
0,1     2000      222       2271      *      2264    2162,6   2263
0,08    15000     222       15110,5   *      14393   14236    15125
0,05    2000      222       1736,4    *      1729    1695,5   1809
0,03    1200      100       *         787    746     778      844
0,02    15000     222       *         6484   5675    6673     7452
0,01    1500      60        *         437    364     451      503

[Figure 15: plot of R (%, 90 to 150) against the distance between the feet (0 to 100 cm), with curves for homogeneous soil and for H = 5 cm, H = 10 cm and H = 15 cm.]

Figure 15. Trend of R, decreasing the distance between feet.


A very good agreement between the formulas has been found.

8 EXPERIMENTAL MEASURES

Experimental tests in the laboratory have been carried out with a scale model (120 × 120 × 10 cm) to measure the resistance of a plate placed on homogeneous soil and on two-stratus soil (Fig. 16).

Subsequently, a few experimental results are reported and compared with the values calculated using the relationships presented above. In table 3, the experimental data are compared with the results of relationship 3.

The analytical results show a correspondence with the experimental measurements. For sand, being an incoherent material, the resistivity, which depends strongly on pressure, changes in the zones under and around the plate, modifying the electric field: grid models made considering this variation have shown an increase of R of 10–20%. For the stone blocks, it is very difficult to achieve a perfect and homogeneous contact between the plate and the insulating surface, so the real contact area is less than the plate area and R tends to increase.

9 CONCLUSION

The research has made it possible to work out easier and more general relationships for the evaluation of the resistance to ground of plate electrodes on two-stratus soils. For the two-stratus soil, a study of the electric field around the square electrode has been carried out, so the influence of the parameters Lp/H and ρ1/ρ2 on the current flow inside the ground has been made clear.

For two-stratus soils with the superficial layer more resistive than the lower ground, three specific trends have been found, depending on the ratio Lp/H.

For high values of Lp/H (>20), a simplified model can be studied where all the current flows vertically under the plate electrode through the insulating layer and then spreads homogeneously in the second layer.

For Lp/H less than 0.2 the global trend is similar to the case of homogeneous soil, because the superficial stratum strongly influences the phenomenon.

For the intermediate values of Lp/H (0.2 < Lp/H < 20), two simple relationships have been proposed to evaluate R.

In particular, for the calculation of REB, since one foot is modelled as a plate of area 200 cm², Lp is about 0.14 m and RFOOT is:

• For 3.5 cm ≤ H ≤ 70 cm:

(7)

• For 0.7 cm ≤ H ≤ 3.5 cm:

(8)

with H in m, ρ1 and ρ2 in Ωm. In equation 1, when ρ1 ≫ ρ2 (ρ1 > 10 ρ2), it is possible to consider only ρ1 instead of the combination of ρ1 and ρ2, and to neglect the right term.

For the touch voltage, REB = RFOOT/2, the feet being in parallel; instead, for the step voltage, REB = 2 · RFOOT, since the feet are in series.


Table 3. Experimental data compared with relationship (3) (Lp = 0.18 m; resistances in Ω).

Case          H (m)   ρ1 (Ωm)   ρ2 (Ωm)   Experimental data   Data (3)   %
SAND          0.05    150       18.53     240                 182.5      31,51
SAND          0.1     150       16.38     320                 251        27,49
SAND          0.05    1640.5    57.3      2280                1792.5     27,20
BLOCKS STONE  0.05    1297.24   56.53     1850                1433       29,10
BLOCKS STONE  0.1     1313.1    50.8      2660                2117.5     25,62
BLOCKS STONE  0.1     1218.34   50.8      2500                1968       27,03
BLOCKS STONE  0.1     900       50.8      1720                1465       17,41

[Figure 16: circuit diagram of the test apparatus, with 220 V supply and switch, autotransformer, isolation transformer, voltmeters and ammeter, and the plate (PIASTRA) loaded with a 250 N weight.]

Figure 16. Scale model and circuital apparatus.


These equations have been validated with other relationships and with experimental measurements.

REFERENCES

[1] IEEE Std 80-2000, IEEE Guide for Safety in AC Substation Grounding.

[2] CENELEC Standard HD 637 S1, 1998-12.

[3] H.B. Dwight, Calculation of resistances to ground, "Electrical Engineering", December 1936.

[4] F. Ollendorf, Erdströme, J. Springer, 1928.

[5] G.F. Tagg, Earth Resistances, George Newnes Limited, London, 1964.

[6] R. Tommasini and R. Pertusio, Resistance to ground of human body in non homogeneous soil, IASTED Power and Energy Systems, Marina del Rey, 13–15 May 2002, 225–229.

[7] C.H. Lee and A.P. Sakis Meliopoulos, Comparison of touch and step voltages between IEEE Std 80 and IEC 479-1, IEE Proc.-Gener. Transm. Distrib., 146 (5), 1999, 593–601.

[8] J.G. Sverak, Progress in step and touch voltage equations of ANSI/IEEE Std 80-Historical perspective, IEEE Transactions on Power Delivery, 13 (3), 1998, 762–767.

[9] B. Thapar, V. Gerez and H. Kejriwal, Reduction factor for the ground resistance of the foot in substation yards, IEEE Transactions on Power Delivery, 9 (1), 1994, 360–368.

[10] B. Thapar, V. Gerez and P. Emmanuel, Ground resistance of the foot in substation yards, IEEE Transactions on Power Delivery, 8 (1), 1994, 1–6.

[11] B. Thapar, V. Gerez and V. Singh, Effective ground resistance of the human feet in high voltage switchyards, IEEE Transactions on Power Delivery, 8 (1), 1993, 7–12.

[12] E.K.N. Yung, R.S.K. Wong and W.W.S. Lee, Analysis of a rectangular earthing plate, IEE Proceedings-C, 140 (5), 1993, 381–388.

[13] B. Thapar, V. Gerez, A. Balakrishnan and A. Blank, Finite expression and models for footing resistance in substations, IEEE Transactions on Power Delivery, 7 (1), 1992, 219–224.


A Safety Program Framework and its application on a Weapon Control System

Arild Tomter
Kongsberg Defence & Aerospace AS, Kongsberg, Norway

ABSTRACT: This paper presents a real-life Safety Program Framework, which has been applied on some Weapon Control System projects at Kongsberg Defence & Aerospace. It starts with preparing the plan for the safety effort throughout the project and specifying the safety requirements (including hazard acceptance criteria). It continues with identifying potential hazards based on a checklist of energies present in or controlled by the system. The potential hazards are highlighted and brought to the attention of the design and construction team. Safety is considered an inherent property of the system to be developed, thus emphasizing the important role and responsibility of this team. The system resulting from the design and construction process is then subject to safety verification. Each residual hazard is evaluated with respect to hazard control measures, and the resulting combination of hazard probability and severity (the risk assessment code) is assessed and compared with the specified hazard acceptance criteria. The safety program concludes with a summary of the safety tasks conducted, including a final statement of the safety of the system.

1 INTRODUCTION

Weapon Systems are associated with serious or catastrophic damage potential. In fact, they are designed to cause such serious or catastrophic damage, but to the enemy only. Hence, as opposed to systems for civilian use, removing or reducing the capability to cause damage is not a feasible approach for a safety effort. The safety challenge is instead to ensure that the damage capability is tightly controlled by a combination of design solutions, specific protective measures, strict procedures and adequate training of system operators.

Kongsberg Defence & Aerospace AS (KDA) designs Weapon Control Systems for Army, Navy and Air Force within Norway, other NATO countries, and certain other countries, restricted by Norwegian government regulations. As a manufacturer of such systems, KDA emphasizes safety as an important part of its business policy. It is vital for KDA to implement adequate measures to prevent any serious accident from happening, as well as to create confidence in the safety of the systems within military agencies as well as society in general.

For each weapon control system project a safety program is tailored to the project characteristics. It follows, however, a general framework, which is based on guidelines in MIL-STD 882 D "Standard Practice for System Safety". This framework specifies a number of phases, which cover the project phases from the initial project definition until final acceptance and system delivery.

2 FRAMEWORK OF THE SAFETY PROGRAM

The framework includes a total of 5 steps, which are described below.

2.1 Plan the safety program, and determine safety requirements

The safety program is prepared as part of the initial project planning. The safety program will include, in addition to a broad description of the system:

1. A first-cut discussion of the damage capabilities and associated potential hazards.

2. A system for categorizing hazards with respect to probability and severity; the combinations of these constitute the risk assessment codes.

3. The safety philosophy employed as well as specific safety requirements. The safety requirements are defined as criteria for acceptance of risk assessment codes.

4. The safety organization, as part of the overall project organization.

5. Safety tasks to be conducted within the project.


The safety plan is documented in a System Safety Program Plan.

2.2 Identify and categorize potential hazards

Potential hazards associated with the system will be identified and categorized in the early design phase. In general, accidents and related damage levels are associated with uncontrolled release of some type of energy. Hence, the system is thoroughly evaluated with respect to the amount of various types of energy residing in or controlled by the system. A standard checklist of types of energy is employed. (A first-cut evaluation of potential hazards is included in the System Safety Program Plan.) Each hazard is closely assessed with respect to its severity and assigned to the appropriate hazard severity category.

The hazard identification and categorization is documented in the Preliminary Hazard Analysis. This document constitutes an important part of the design requirements, as the system design should assure that for each hazard, its probability level combined with its severity category (i.e. its risk assessment code) is within the acceptance criteria specified in the System Safety Program Plan.

For complex systems composed of several significant subsystems (as for Air Defence Systems), the Preliminary Hazard Analysis may be split into one analysis for each subsystem.

2.3 Resolve all potential hazards, i.e. eliminate or reduce hazards to within acceptance criteria

Safety of a system is considered to be an inherent system property, and is built into the system as part of the system design process. The main function of a weapon control system is to control the firing of the weapon(s), i.e. to cause damage to the enemy. Hence, reducing the hazard potential by designing for reduced damage capability is not a feasible approach. Instead, the design must basically rely on tight control of the firing procedure, i.e. high system reliability (especially for safety-critical functions), combined with the presence of adequate safety barriers. The safety barriers shall deny any firing of the weapon unless a number of very strictly defined conditions and criteria are true. The final design and construction shall fulfil the safety requirements, i.e. each hazard shall be associated with a risk assessment code residing within the acceptance criteria.

During the design process, specialized safety analyses may be conducted as deemed required. This may e.g. include Failure Mode Effect and Criticality Analysis (to determine top-level effects of component failures); Fault Tree Analysis (to determine all combinations of failures which may cause top-level mishaps); Sneak Circuit Analysis (to determine presence of hidden design errors); etc. Such specialized safety analyses may be used especially for safety-critical functions.

2.4 Verify acceptability of residual hazards

Upon completion of the design, each hazard identified in the Preliminary Hazard Analysis is re-evaluated with respect to its probability and severity resulting from the final design solution. Associated risk assessment codes are determined, and compared with the risk acceptance criteria. If a hazard resides outside the risk acceptance criteria, additional effort will be conducted for reducing the hazard probability and/or severity to within the acceptance criteria. The results from this analysis are documented in the System Hazard Analysis.

For complex systems composed of major subsystems, this verification task may be undertaken in two steps: each major subsystem is addressed in an associated Sub-system Hazard Analysis, leaving the System Hazard Analysis to cover system-level hazards only.

Safety tests are conducted in order to verify that all safety barriers implemented are truly effective. If firing is initiated when any one of the necessary predefined conditions and criteria is not true, the tests shall verify that firing is denied by the system. The results from these tests may be documented in a specific Safety Test Report, or may be incorporated in the reporting from the overall system test program.

The system operator is a critical element in the total system behaviour. Man is created fallible, and making errors is recognized as a basic human property. Hence, the system operator constitutes a fundamental safety risk, but may also act as an important safety barrier. The hazard potential associated with operator errors is analysed in the Operator Hazard Analysis. This analysis focuses on those operator tasks where an operator error has the capability to cause an accident, and therefore is a potential hazard. Each hazard is closely evaluated with respect to its probability and severity (i.e. risk assessment code), which is compared with the basic acceptance criteria. Hazards residing outside the acceptance criteria are subject to additional effort in order to reduce those hazards to within the acceptance criteria.

2.5 Summarize and conclude upon the safety of the system

The safety program concludes with the Safety Assessment Report. This is not a separate safety analysis, but rather a summary of the various safety tasks undertaken throughout the project. The results and conclusions from the safety effort are presented. The Safety Assessment Report concludes with a safety statement, stating the evidence derived from the subordinate safety reports as well as the final conclusion regarding the safety of the system.

3 EXAMPLE: AN AIR DEFENCE SYSTEM

An Air Defence System consists basically of 3 major subsystems:

1. The Sensor (e.g. radar), which detects and tracks air targets and transmits target data to

2. The Fire Distribution Centre. This receives target data from the sensor, determines whether the target shall be engaged, calculates when and in which direction the missile(s) shall be fired, and transmits the fire message to

3. The Missile Launcher (loaded with missile). The launcher receives the fire message from the Fire Distribution Centre, and fires the missile at the prescribed time and direction.

The system is complex and the consequences of a failure may be catastrophic.

Application of the safety program framework on an Air Defence System is presented below.

3.1 Safety Program Planning (The System Safety Program Plan)

The System Safety Program Plan includes, among others, the following chapters:

• Energy levels involved with the system
• Hazard categorization and acceptance criteria, and
• Safety organization.

3.1.1 Energy levels and associated damage capabilities

When discussing potential hazards it is easy to overlook potential, but not so obvious, hazards. In order to avoid this, a systematic approach based on a checklist of various types of energy is employed. The following energies were identified to be present: Movement, Electricity, Explosives, Chemical, Heat, Radiation, Vibration and Noise. Presence of each one of these energies is associated with a potential for uncontrolled release and associated damage. The safety effort focuses on establishing measures to assure adequate control of these energies and prevent any uncontrolled release.

3.1.2 Hazard categorization and acceptance criteria

Hazards are categorized with respect to both their probabilities and severities in accordance with MIL-STD 882 D.

The following hazard probability levels are defined:

Table 1. Hazard probability levels.

A   Frequent     Likely to occur frequently
B   Probable     Will occur several times in the life of an item
C   Occasional   Likely to occur some time in the life of an item
D   Remote       Unlikely, but possible to occur in the life of an item
E   Improbable   So unlikely it can be assumed occurrence may not be experienced

The following hazard severity categories are defined:

Table 2. Hazard severity categories.

I     Catastrophic                 Death, system loss or severe environmental damage
II    Critical                     Severe injury, severe occupational illness, major system or environmental damage
III   Marginal                     Minor injury, minor occupational illness, minor system or environmental damage
IV    Negligible                   Less than minor injury, occupational illness or less than minor system or environmental damage
V     None (not in MIL-STD 882)    Safety affected, but no expected injury, occupational illness or system or environmental damage

The combinations of hazard probability levels and severity categories constitute the risk assessment codes.

The following risk assessment code acceptance criteria are defined:

Table 3. Risk assessment codes acceptance criteria (rows: severity category; columns: probability level A Frequent, B Probable, C Occasional, D Remote, E Improbable; white boxes acceptable, shaded boxes not acceptable, xxx boxes requiring additional safety effort).

Severity            A Frequent   B Probable   C Occasional   D Remote   E Improbable
V    None
IV   Negligible     xxx
III  Marginal       xxx
II   Critical       xxx
I    Catastrophic   xxx

Hazards with risk assessment codes residing within white boxes are determined to be acceptable, while hazards with risk assessment codes residing within shaded boxes are determined to be not acceptable. Hazards with Risk Assessment Codes within boxes marked with xxx call for additional safety effort, in order to justify moving to a white box. If this does not succeed, the hazard shall be subject to special assessment and decision by the project manager.

3.1.3 Safety organization

Safety has to be designed into the system, making the design and construction team the most important actor in the safety creation process. The safety organization is characterized as follows:

1. The overall program responsibility rests with the Air Defence Manager, while the operational responsibility for the individual project, including its safety, is held by the project manager.

2. The project manager is supported by a named Safety Manager.

3. The creation of safety is an important dimension of all project tasks. The design and construction team, acting as the key player in this process, thus assumes the major responsibility for complying with the safety requirements.

4. The explicit safety tasks (e.g. to prepare the System Safety Program Plan and conduct the various safety monitoring, evaluation and analysis tasks) are the responsibility of the Safety Manager.

3.2 Hazard identification and categorization (Preliminary Hazard Analysis)

This analysis is based on the "Energy levels and associated damage potentials" discussed in the System Safety Program Plan, and amplifies and concludes the findings to a set of distinct potential hazards. For the Air Defence System an analysis is prepared individually for each of the subsystems (Radar, FDC and Launcher).

Each potential hazard is discussed and evaluated with respect to its potential consequences and associated severity. The evaluations are presented in separate work sheets. An extract of a work sheet for the Fire Distribution Centre subsystem, including 3 potential hazards, is shown below (table 4).

Note that the hazards are not evaluated with respect to their probability levels at this stage. Probability levels are closely related to the associated design solutions, which remain to be developed at this stage of the program. Instead, it is an important design requirement to justify that, for each residual hazard, the combination of probability and severity is within the acceptance criteria.

3.3 Hazard resolution

The Preliminary Hazard Analysis is provided to the design and construction team. Their responsibility is to design and implement measures as required for each hazard to be associated with a final combination of hazard severity and probability (risk assessment code) residing within the acceptance limit. This may be undertaken by measures to reduce the severity of the potential effect of the hazard (e.g. to employ a non-toxic ACU medium) and/or to reduce the probability of the hazard to a satisfactory level (e.g. to implement rigorous and formal criteria for a firing message to be accepted as valid by the system).

The final safety associated with the system is integrated in the design and construction, and relies entirely on the design and construction team. The safety program is designed in order to support this process and to verify the level of safety resulting from this process.

Within the Air Defence System it was deemed appropriate to address the firing procedure within the Fire Distribution Centre on a more detailed level, and a quantitative Fault Tree Analysis was conducted. The top event was defined as "Inadvertent transmission of Firing Command". The firing procedure was modelled as a Fault Tree, and the probability of the top event occurring within the system's lifetime was calculated, based on failure rates for each basic event. The results provided evidence that the probability was well below the quantitative value which corresponds to the qualitative requirements specified in the System Safety Program Plan.

Table 4. Extract from the Preliminary Hazard Analysis for the Fire Distribution Centre subsystem.

No. | Component | Hazard | Possible cause | Potential effect (Severity) | Remarks/recommendations

1 | General | Fire | Short-circuit; ember from cigarette | Burn injury on personnel (I); personnel intoxicated from smoke (I); equipment damaged (II) | Mount fire extinguisher; avoid use of substances which are flammable or generate toxic smoke in fire; enforce no smoking in FDC

2 | Air Conditioning Unit (ACU) | ACU medium penetrates into shelter | ACU medium leaks into air system | Personnel intoxicated by ACU medium (I) | Use non-toxic medium; prevent leakage of ACU medium by relevant measures

3 | Operator console | Valid fire message generated inadvertently | SW or HW malfunction | Missile launched inadvertently (I) | Employ rigorous criteria for fire message procedure and validity; conduct formal SW and HW reviews

3.4 Verification of residual hazard acceptability (The System/Sub-system Hazard Analysis)

The System Hazard Analysis is a re-evaluation of the potential hazards included in the Preliminary Hazard Analysis, as well as additional hazards which are identified during the design and construction phase. This analysis addresses the hazard severities resulting from the measures incorporated in the system design, as well as the associated hazard probability levels. These combinations constitute the risk assessment codes, which for each hazard are matched against the hazard acceptance criteria specified in the System Safety Program Plan. The evaluations are presented in separate work sheets, much similar to the Preliminary Hazard Analysis work sheets.

Within the Air Defence System, this analysis was conducted on two levels: one Sub-system Hazard Analysis for each of the three basic subsystems (Radar, Fire Distribution Centre and Launcher), and a System Hazard Analysis analysing from a bird's-eye view the top-level hazards associated with the overall system as a whole.

An extract of the Sub-system Hazard Analysis work sheets for the Fire Distribution Centre is presented in the table below (table 5). It includes the same three hazards as presented in the Preliminary Hazard Analysis work sheet (table 4).

The combination of hazard probability and severity (risk assessment code) for each hazard is compared with the hazard acceptance criteria specified in the System Safety Program Plan. In the example work sheet, the risk assessment codes associated with all three hazards turn out to be within the hazard acceptance criteria.

The system-level System Hazard Analysis is prepared correspondingly, including identical work sheet formats, and the resulting risk assessment codes are assessed following the same procedure.

3.5 Safety summary and conclusion (The Safety Assessment Report)

The Safety Assessment Report comprises a final assessment of the safety of the system. It goes through the various safety tasks conducted as part of the safety program, evaluates the findings from each task, and assesses their impact on the safety assessment.

Table 5. Extract from the Sub-system Hazard Analysis.

No. | Component | Hazard | Hazard control measures | Potential effect | Probability | Severity

1 | General | Fire | The FDC compartment complies with fire resistance requirements consistent with MIL-STD 9070B, paragraph 5.3.1; no substance which is highly flammable or generates toxic gases in a fire is used; smoking is prohibited within the FDC compartment; a fire extinguisher is mounted inside the FDC compartment; the FDC compartment interior is designed for easy evacuation in case of fire | Burn injury on personnel | D | II
  |  |  |  | Personnel exposed to smoke | D | II
  |  |  |  | Equipment damaged | D | II

2 | Air Conditioning Unit (ACU) | ACU medium penetrates into the FDC compartment | ACU medium circulates inside the ACU only, completely separated from the air system; non-toxic ACU medium employed (R134A) | Personnel exposed to ACU medium | D | V

3 | Operator console | Valid fire message generated inadvertently | A detailed Fault Tree analysis was conducted; probability determined to be within level E | Missile launched inadvertently | E | I

The results support a final Safety Statement, which states that the safety of the system complies with the defined safety requirements. This statement concludes the Safety Assessment Report.

4 CONCLUSION

This paper has presented a framework for a safety program, and how it has been employed on an Air Defence System at Kongsberg Defence & Aerospace AS. We recognize the fact that such systems are associated with inherent catastrophic damage potential. The safety program framework has proved a useful approach in our struggle to be able to justify the statement that the system holds a safety level complying with our defined requirements, and to provide adequate evidence for establishing confidence in this statement.

It is the author's intention that the framework presented may provide some practical and useful real-life ideas of how the safety effort on such systems may be conducted.


Cognitive analysis in human reliability: the case of a high-risk plant

M. Tucci, A. Bellucci, I. Cappelli & L. Giagnoni
Dipartimento di Energetica "Sergio Stecco", Sezione Impianti e Tecnologie industriali, Università degli Studi di Firenze, Italy

ABSTRACT: In order to assess the possible risk and consequences of an initiating event, the reliability of production systems is studied through the methodologies grouped under the heading of risk analysis; they take into account the technological process and, in general, the mechanical elements that constitute it. On the other hand, they neglect the aspects that depend on the human factor and on its contribution to the reliability of the system. In this sense, in order to complement the common techniques of risk analysis, Human Reliability Analysis (HRA) aims to assess the human factor. Research on HRA, with the second-generation methodologies, has developed cognitive models and man–machine interface models, which represent the behaviour of the operator and his interaction with the production process. The present paper proposes an application case of HRA, where the cognitive model defined in CREAM is applied. The analysis makes it possible to single out the more hazardous procedures and the capacity of the workers performing them.

1 INTRODUCTION

When the operator's performance is a fundamental element of the production process, in particular when a human error can give rise to an accident with severe consequences, it is necessary to consider human performance in order to correctly evaluate the system reliability. Especially in high-risk industry, Human Reliability Analysis (HRA) assumes a relevant role, because in this case accidents often result in serious injuries and fatalities.

HRA is developed by identifying contextual factors (Common Performance Conditions, Hollnagel & Marsden 1996, and Performance Shaping Factors, Swain & Guttmann 1983), by classifying human error according to different schemes and, fundamentally, by representing human behaviour in the work context by means of models.

In particular, the second-generation methodology of HRA produced man–machine interface models (Kuo-Wei Su et al. 2000, Cacciabue 1998) and cognitive models. These models are focused on describing the worker's behaviour through cognitive functions, which represent logical–rational actions. In sequential cognitive models (Shen et al. 1996) the worker's behaviour is represented by a closed and rigid step-by-step path going from one cognitive function to another. In cyclical cognitive models (Hollnagel & Marsden 1996) the worker's logic is described as a loop through the different functions.

HRA is relevant in order to find how to reduce the probabilities of human error (which occurs as a worker attempts to carry out a procedure) or procedural violation (an intentional act by workers to violate procedures). In particular, through the cognitive model and its cognitive functions, the analysis can point out procedural tasks which can be misunderstood or which need an excessive cognitive capacity.

This paper describes a human reliability analysis applied to a real case, that is, a chemical plant for the production of plastic materials. The aim of the analysis is to point out the shortcomings of the organisational framework and, in particular, to identify the procedures that require a high cognitive ability or, in any case, an ability superior to the operator's.

At the opening of the analysis, through the risk assessment records (Hazard Operability Analysis, Fault Tree Analysis, What-if Analysis) and through the Consequence Analysis associated with each top event, the more dangerous procedures are identified and the cognitive functions needed to complete them are examined.

Among the numerous cognitive models, the authors adopted the cognitive model defined in CREAM (Hollnagel 1998) and used it to identify:

– the work load required by the procedure;
– the cognitive capacity available in the operator.

Concerning the work load, the cognitive model is used strictly as explained in CREAM; in the evaluation of the cognitive capacity the model is revised in order to integrate worker interviews and attitudinal tests.

In the second part of this paper, the analysis goes into detail and the cognitive profile required by the procedure is compared with the available cognitive profile of the worker, not only in its cumulative value, but also in each single task.

2 THE ANALYSIS OF THE CHEMICAL PLANT

2.1 The chemical plant

The analysed plant produces plastic materials and it is classified as a high-risk industry because of the quantity and the type of materials in storage.

The main department produces phthalic anhydride; in fact, that is a raw material for all the other departments. Its properties determine the quality of the final products.

The phthalic anhydride goes into three departments (Fig. 1):

– D1: special plastic with peculiar chemical and physical properties;

– D2: main and derived synthetic resins;

– D3: general plastic materials.

The plant has redundant safety systems, but some accidents can still happen: in particular, overpressures can lead to the opening of safety valves, causing leakage of flammable liquid or gas. According to the results of the analysis of similar facilities, the most common accidents generate explosions and fires.

Depending on the plant organisation, the emergency condition is managed mainly on the basis of outside help: in fact, in case of accident the fire brigade is called immediately and it is entrusted with overcoming the situation. On account of that, for the internal management of the plant the conduction procedures become important: only if the process is maintained in the correct conditions and if the procedures are rightly carried out is it possible to avoid an external intervention. Because of that, the authors chose to analyse the conduction procedures in depth and to verify the operators' capacity to complete them correctly.

2.2 The analysis phases

The analysis is modelled according to the real case and it is divided into two main phases: the first one is the preliminary phase, the second one is the operative phase (Fig. 2).

The preliminary phase started from analysing the safety report. Studying it, we got to know the risk analysis applied to the plant and, in particular, the outcomes derived from Fault Tree Analysis, HazOp Analysis and What if Analysis.

According to them, top events were identified together with their frequencies and their consequences; moreover, for each top event, we considered the related procedures, the affected workers and the number of persons involved in the area. On account of these records, it was possible to deduce which departments would be more interesting for applying the human reliability analysis, in this case the phthalic anhydride facility and D2.

The investigation continued in the field and it let us confirm the choice of the phthalic anhydride facility and D2 as the places where to carry out the analysis. In the visits to the plant, the investigation followed two parallel streams: one on the production level and the other on the men level. At the production level, we examined the specific operative manuals (developed just for these departments) and the organisational chart. At the men level, we met the operators working in these areas and we identified the actual allocations and the actual skills of the workers. Furthermore, comparing the two levels, we associated each procedure with the men that conduct it.

Figure 1. Production facilities of the high-risk plant: the phthalic anhydride facility feeds D1 (special plastic), D2 (synthetic resins) and D3 (general plastic).

Figure 2. Analysis flow diagram. Report analysis: global analysis of the safety report; analysis in depth of the risk assessment records; choice of departments (FA facility and D2). Investigation in field (operative phase): production level (organisational chart, operative manuals); men level (men allocation, men skill); identification of men and procedures.

In general, the procedures we identified can be summarised as:

– preliminary procedures;
– raw materials loading procedures;
– final products unloading procedures.

The men working in the same team are:

– the foreman (who coordinates the operation);
– the control-panel operator (who oversees the operation by means of a control interface);
– one or more operators (who work in the area and help the foreman, following the instructions).

After the preliminary phase, we applied the operative phase, conforming to the guidelines of CREAM in the use of its cognitive model.

Firstly, the Hierarchical Task Analysis (HTA) was performed: HTA rereads and rewrites each procedure according to a temporal and logical hierarchical frame. In this way, procedure diagrams were built; these show the temporal and spatial logic of the procedure which is performed.

In the present case, in the operative manuals the procedures are already organised in a time-dependent logic and they involve more than one man; so the HTA was adapted to their frame and it was built in parallel for all workers that cooperate in the same procedure (Fig. 3).

Afterwards, the Cognitive Task Analysis (CTA) was applied to the same procedures: for each task identified in the HTA, the cognitive activities necessary to carry it out were selected. The CTA was based on the CREAM table that describes the cognitive activities and links them to the main cognitive functions. The main functions are four: observation, interpretation, planning, and execution. Following this table, for each procedure the total occurrence of the cognitive functions was calculated and this was synthesised in the cognitive profile.

In short, through these steps the Required Cognitive Profile (RCP) was obtained; it represents the type of work-load that the man has to sustain to complete the procedure.

Figure 3. Loading procedure hierarchical task analysis, built in parallel for the foreman and the CP operator. Tasks shown: directing water to T151; filling tank by manual valve; checking inlet valve JV15 closed; checking yellow valve closed; checking regulating valve TIC24 set point = 20 °C; checking valve J24 pointing to atmosphere breather; checking oil pump P01 idle; whitish water?; checking regulating valve TIC01 closed; checking inlet valve JV15 closed.

As it was possible to meet the workers and to be on familiar terms with them, we were able to propose an attitudinal test in order to evaluate the operators' skills and capacities.

The proposed test assumes parameters and links them to the cognitive functions (Table 1). The identified parameters take into account the physical properties of the man, his level of instruction, his knowledge of the plant organisation and structure, and his relations with the other team members.

Two types of parameters were defined:

– the cognitive function parameters,
– the personal condition parameters.

All parameters were assumed to be independent of each other. The cognitive function parameters are directly linked to each cognitive function; there are two for each cognitive function and they differ from one cognitive function to another. On the contrary, the personal condition parameters are the same for all cognitive functions.

Each parameter can take 4 values, ranging from 0 to 1: if the parameter is 1, it means that the operator is the best possible match for that parameter.

So if:

– PI and PII are the first and the second parameter linked to the observation cognitive function;

– (PC)i is a personal condition parameter, with i = 1…4;

then the cognitive capacity concerning the observation cognitive function is:

(1)

It is possible to define as perfect operator a man that has each parameter equal to 1. In this way, as each parameter is linked to one cognitive function, the Perfect Operator's Cognitive Profile (POpCP) is built. On the other hand, from the test completed by a "real" operator we came to the Real Operator's Cognitive Profile (ROpCP). This one is always included in the POpCP.

It is a reasonable hypothesis that the perfect operator would be able to carry out each procedure correctly, that is, the POpCP should completely satisfy the RCP. On account of this hypothesis, for each procedure we found whether the real operator was able to complete it or whether some of his cognitive functions were inadequate. Actually, in order to be closer to the actual case, the POpCP was decreased by 10% before comparing it to the ROpCP.

Briefly, in the operative phase we obtained the RCP necessary to carry out each procedure and we compared it to the ROpCP, taking into account the hypothesis of the POpCP.

In this part, the outputs depend only on the work-load and on the cognitive capacity theoretically available in the operators, without taking into account the workshift and the mix of the productive lines which the operators are assigned to. Actually, the response of the operator to the RCP can be modified according to the workshift being at its beginning or at its end. Furthermore, the response can be modified if the work-load required is constant or changes from low levels to very high ones.

With this in mind, in order to obtain more significant results, the 8-hour workshift was divided into four stages defined as:

– Stage-A: the first hour of the workshift; in this stage the operator's cognitive capacity is not completely available, because he has to replace his colleague and verify the system state;

– Stage-B: the second and the third hours of the workshift; in this stage the operator gains confidence in the system and he is almost completely operative;

– Stage-C: from the fourth to the sixth hour of the workshift; in this stage the operator's cognitive capacity is at its optimum level (the one which results from the attitudinal test);

– Stage-D: the seventh and the last hours of the workshift; in this stage the operator feels tired and his cognitive capacity greatly decreases.

To each defined stage a different workshift-coefficient was assigned; that modified the ROpCP, letting each cognitive function be available for a different percentage of its optimum level according to the stage. For convenience, this newly defined profile was named Cognitive Profile in Workshift (CPW). Afterwards, thanks to a Gantt diagram, the tasks of the procedures were allocated along the four stages, in order to compare them to the right CPW.

Table 1. Cognitive function parameters.

Cognitive function   I Cogn. Funct. parameter   II Cogn. Funct. parameter
Observation          Defective vision           Time in the plant
Interpretation       School degree              Post qualification
Planning             Training                   Time in the same team
Execution            Age                        Physical conditions

Table 2. Personal condition parameters.

Personal condition
1  Time available
2  Extra-working relation
3  Motivation
4  Distance from the plant

Then, a Required Cognitive Level (RCL) was assigned to each cognitive function required by the tasks; thanks to the RCL, we decided not only whether a cognitive function is or is not required by the task, but also what attention level is necessary to perform it. The RCL is the result of the application of the Table 3 values.

To summarise, for each task we have: the CPW available to the real operator and the RCL necessary to complete the task; furthermore, we still have the POpCP of the hypothetical perfect operator.

On the hypothesis that the perfect operator completely satisfies the RCL, we found whether the CPW is sufficient to perform the RCL of the task. In particular, we can define a critical index as:

(2)

where a critical index greater than 1 points out a critical condition.

Through this analysis, we found out the critical tasks, considering three types of task as critical:

– end-beginning task: the critical index is greater than 1 due to the allocation of the task in the workshift: if it were allocated in another stage, it would not be critical;

– high level task: the critical index is greater than 1 due to the high quality of the task request or due to the low cognitive capacity of the real operator;

– gradient task: the critical index is not significant in this case, but it is important to note the sudden passage from a low RCL task to a high RCL one.
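The screening steps of this section (CPW per stage, critical index, the three critical task types) as an added, runnable illustration; this is not the authors' code. Since equations (1) and (2) are not reproduced on the page, the critical index below is an assumed form (RCL × POpCP / CPW, with the POpCP already reduced by 10%); the stage coefficients, the task list and its RCL values are constructed, while the operator profile uses the percentages reported in the conclusions.

```python
"""Critical-task screening in the style of the paper's operative phase.

Added example, not the authors' code. Equations (1) and (2) are not on
the page, so the critical index is an ASSUMED form: required level divided
by the share of the (10%-reduced) perfect profile the operator has left
in the stage. Stage coefficients and the task list are constructed.
"""
from dataclasses import dataclass, field

FUNCTIONS = ("observation", "interpretation", "planning", "execution")

# Required Cognitive Level values, as in Table 3 of the paper.
RCL = {"very low": 0.2, "low": 0.4, "medium": 0.6, "high": 0.8, "very high": 1.0}

# Perfect operator: every parameter equal to 1 gives 1.0 per function;
# the text decreases the POpCP by 10% before comparing it to the ROpCP.
POPCP = {f: 1.0 * 0.9 for f in FUNCTIONS}

# Workshift-coefficients per stage: CONSTRUCTED values that follow the
# qualitative description (A not fully available, B almost, C optimum, D tired).
STAGE_COEFF = {"A": 0.85, "B": 0.95, "C": 1.00, "D": 0.75}

# Real operator profile: the "operator" percentages of the POpCP reported
# in the paper's conclusions (51% / 62% / 34% / 59%).
OPERATOR_ROPCP = {"observation": 0.51, "interpretation": 0.62,
                  "planning": 0.34, "execution": 0.59}


@dataclass
class Task:
    name: str
    stage: str                                # A-D, from the Gantt allocation
    rcl: dict = field(default_factory=dict)   # function -> RCL; absent = not required


def cpw(ropcp: dict, stage: str) -> dict:
    """Cognitive Profile in Workshift: the ROpCP scaled by the stage coefficient."""
    return {f: ropcp[f] * STAGE_COEFF[stage] for f in FUNCTIONS}


def critical_index(task: Task, ropcp: dict, stage: str = "") -> float:
    """ASSUMED form of eq. (2): worst ratio, over the functions the task
    requires, of RCL to the share of the reduced POpCP available in the stage."""
    avail = cpw(ropcp, stage or task.stage)
    return max((req * POPCP[f] / avail[f] for f, req in task.rcl.items()),
               default=0.0)


def classify(tasks: list, ropcp: dict, gradient_jump: float = 0.4) -> list:
    """Screen an ordered task sequence for the three critical types of the paper.

    Returns (task name, critical index, [types]) per task, in order."""
    results, prev_peak = [], None
    for t in tasks:
        kinds = []
        ci = critical_index(t, ropcp)
        if ci > 1.0:
            # Still critical at the optimum stage C: the demand (or the operator's
            # capacity) is the problem. Otherwise only the allocation is.
            kinds.append("high level" if critical_index(t, ropcp, "C") > 1.0
                         else "end-beginning")
        # Gradient task: sudden passage from a low-RCL task to a high-RCL one.
        peak = max(t.rcl.values(), default=0.0)
        if prev_peak is not None and peak - prev_peak >= gradient_jump - 1e-9:
            kinds.append("gradient")
        results.append((t.name, round(ci, 3), kinds))
        prev_peak = peak
    return results


# CONSTRUCTED task sequence, named after steps of the loading procedure in
# Fig. 3; the RCL assignments and the stage allocation are illustrative.
SAMPLE_TASKS = [
    Task("Checking inlet valve JV15 closed", "A",
         {"observation": RCL["low"], "execution": RCL["very low"]}),
    Task("Checking regulating valve TIC24 set point", "A",
         {"observation": RCL["low"], "interpretation": RCL["medium"]}),
    Task("Filling tank by manual valve", "B",
         {"planning": RCL["low"], "execution": RCL["low"]}),
    Task("Directing water to T151", "C",
         {"execution": RCL["high"]}),
]

if __name__ == "__main__":
    for name, ci, kinds in classify(SAMPLE_TASKS, OPERATOR_ROPCP):
        print(f"{name:45s} CI={ci:.3f} {kinds or 'ok'}")
```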

3 CONCLUSIONS

The preliminary phase of the analysis allowed us to get to know the plant, both on the production level and on the men level, and to gain a deep knowledge of the organisation and management of the facilities.

The operative phase went into details and tried to model the operators more accurately.

In particular, knowledge of the critical index allowed us to detect the possible cognitive gaps of the operators in order:

– to evaluate whether the human resources employed at the moment meet the cognitive request,

– to plan, if necessary, a specific training programme to fill the operators' gaps,

– to recruit the best-fitted operator for every skill.

As the direct observation in the field confirmed, the foreman RCP varies according to the different procedures: it requires mostly observation and interpretation in the raw materials loading procedures; on the other hand, the RCP requires mostly planning and execution in the final products unloading procedures. Actually, the foreman is the team coordinator and his versatility is mandatory. This is almost completely satisfied by the foreman ROpCP, which is 65% of the POpCP in observation, 74% in interpretation, 74% in planning and 80% in execution.

The control-panel operator RCP requires mostly execution and a lot of observation and interpretation. The observation of the actual operations confirmed this result too; in fact the control-panel operator examines and interprets the display in order to execute the procedures. The control-panel operator ROpCP is 65% of the POpCP in observation, 76% in interpretation, 96% in execution and 48% in planning.

Table 3. Values of required cognitive level. The same description applies to each of the four cognitive functions (observation, interpretation, planning, execution), with the name of the function in place of "the cognitive function".

Level  Description
0,2    Task requiring very low capacity of the cognitive function in elementary operations
0,4    Task requiring low capacity of the cognitive function in usual operations
0,6    Task requiring medium capacity of the cognitive function in complex operations
0,8    Task requiring high capacity of the cognitive function in careful operations
1,0    Task requiring very high capacity of the cognitive function in critical operations

This could seem to be a problem, if we did not note that the control-panel operator RCP requires a very low level of planning.

Finally, the operator RCP requires mostly execution; in fact the operator executes the foreman's orders. The operator ROpCP is not very good, because it is 51% of the POpCP in observation, 62% in interpretation, 34% in planning and 59% in execution. These deficiencies can be overcome by a proper education and training programme provided by the firm. In this sense, the firm should aim to specialise the operator's knowledge on the different processes and, in particular, on the procedures which turned out to be more difficult according to the critical index analysis.

An improvement of operator knowledge directly modifies the value of the post-qualification and training parameters of the attitudinal test, and it immediately lets the POpCP assume better values.

Getting down to the details of the stages, the outcomes focused on which procedures were more difficult to complete. Concerning the foreman and the control-panel operator, some end-beginning tasks in observation and interpretation were recognised. This means that the foreman and control-panel operator qualification was generally good enough to complete their work, but they needed particular attention at the end-beginning stages of their workshift.

Concerning the operator, some high-level tasks in planning were recognised as well as some end-beginning tasks in planning. This means a considerable cognitive gap in the operator qualification; however, the operator RCP requires especially execution, therefore a specific training programme to strengthen the operator's planning ability may not be necessary.

The analysis finally recognised, for every operator, the procedure mix characterised by the highest number of critical tasks. For the foreman and the control-panel operator, the most unfavourable condition is to start their workshift with the raw materials loading procedures; on the other hand, for the operator the heaviest condition is to start with the final products unloading procedures.

The result allowed us to identify and to provide the best productive lines assignment mix for the operator, in order to cut down the number of critical tasks. Finding such a best mix, the human error probability linked to the critical index decreases.

4 REFERENCES

Basra, G. & Kirwan, B. (1997) Collection of offshore human error probability data. Reliability Engineering and System Safety 61(1–2): 77–93.

Baument, G. et al. (1999) Quantifying human and organization factors in accident management using decision trees: the HORAAM method. Reliability Engineering and System Safety 70(2): 113–124.

Cacciabue, P.C. (1998) Modelling and simulation of human behaviour for safety analysis and control of complex systems. Safety Science 28(2): 97–110.

Cacciabue, P.C. (2000) Human factors impact on risk analysis of complex system. Journal of Hazardous Materials 71(1–3): 101–116.

Centre for Chemical Process Safety (CCPS) (1994) Guidelines for Preventing Human Error in Process Safety. American Institute of Chemical Engineers, New York.

Di Giulio, A. et al. (2000) Affidabilità cognitiva dell'operatore umano e sicurezza d'impianto: prospettive di integrazione nei metodi d'analisi. Proceedings Convegno Nazionale ANIMP/OICE/UAMI, 12/13 October, Trieste.

Fussel, J.B. (1976) Fault Tree Analysis: Concepts and Techniques. In Generic Techniques in System Reliability Assessment. NATO Advanced Study Institute.

Gertman, D.I. & Blackman, H.S. (1994) Human Reliability & Safety Analysis Data Handbook. John Wiley & Sons, New York.

Hollnagel, E. (1998) Cognitive Reliability and Error Analysis Method (CREAM). Elsevier.

Iliffe, R.E. et al. (2000) The application of active databases to the problems of human error. Journal of Loss Prevention in the Process Industries 13(1): 19–26.

Kuo-Wei Su et al. (2000) Architecture and framework design for preventing human error in maintenance tasks. Expert Systems with Applications 19(3): 219–228.

Javaux, D. (2002) A method for predicting errors when interacting with finite state systems. How implicit learning shapes the user's knowledge of a system. Reliability Engineering and System Safety 75(2): 147–165.

Jung, W.D. et al. (2000) Structured information analysis for human reliability of emergency tasks in nuclear plants. Reliability Engineering and System Safety 71(1): 21–32.

Leung, D. & Romagnoli, J. (2000) Dynamic probabilistic model-based expert system for fault diagnosis. Computers & Chemical Engineering 24(11): 2473–2492.

Marsden, P. & Hollnagel, E. (1996) Human interaction with technology: The accidental user. Acta Psychologica 91(3): 345–358.

Mosneron-Dupin, F. et al. (1997) Human-centered modelling in human reliability analysis: some trends based on case studies. Reliability Engineering and System Safety 58(3): 249–274.

Parry, G.W. (1995) Suggestions for an improved HRA method for use in Probabilistic Safety Assessment. Reliability Engineering and System Safety 49(1): 1–12.

Paz Barroso, M. & Wilson, J.R. (1999) HEDOMS - Human Error and Disturbance Occurrence in Manufacturing Systems: Toward the Development of an Analytical Framework. Human Factors and Ergonomics in Manufacturing 9(1): 87–104.

Ramabrahman, B.V. & Swaminathan, G. (1999) Disaster management plan for chemical process industries. Case study: investigation of release of chlorine to atmosphere. Journal of Loss Prevention in the Process Industries 13(1): 57–62.

Reason, J. (1990) Human Error. Cambridge University Press, Cambridge.

Rinaldi, R. & Giagnoni, L. (2001) Estimating the influence of the human factors in risk analysis: reliability and safety evaluation applied to the organisation management of a petrochemical plant. Proceedings ESREL European Safety and Reliability Conference, 16–20 September, Torino.

Sasou, K. & Reason, J. (1998) Team errors: definition and taxonomy. Reliability Engineering and System Safety 65(1): 1–9.

Sharit, J. (1993) Human reliability modelling. In K.B. Misra (ed.) New Trends in System Reliability Evaluation. Elsevier, Amsterdam.

Sharit, J. (1997) Allocation of functions. In G. Salvendy (ed.) Handbook of Human Factors and Ergonomics, 2nd ed. John Wiley & Sons, New York.

Sharit, J. (1998) Applying Human and System Reliability Analysis to the Design and Analysis of Written Procedures in High-Risk Industries. Human Factors and Ergonomics in Manufacturing 8(3): 265–281.

Shen, S-H. et al. (1996) A methodology for collection and analysis of human error data based on a cognitive model: IDA. Nuclear Engineering and Design 172(1): 157–186.

Shen, S-H. et al. (1996) The IDA cognitive model for the analysis of nuclear power plant operator response under accident conditions. Part I: problem solving and decision making model. Reliability Engineering and System Safety 55(1): 51–71.

Starter, O. & Bubb, H. (1999) Assessment of human reliability based on evaluation of plant experience: requirements and implementation. Reliability Engineering and System Safety 63(1): 199–219.

Swain, A.D. & Guttmann, H.B. (1983) Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington.

Trucco, P. et al. (2000) Aspetti cognitivi e organizzativi nella sicurezza d'impianto: analisi di un'incidente in una centrale di cogenerazione. Proceedings Convegno Nazionale ANIMP/OICE/UAMI, 12/13 October, Trieste.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Draft European standard on safety risk assessment for space missions

R. Tuominen
VTT Industrial Systems, Tampere, Finland

C. Preyssl
European Space Agency, Noordwijk, Netherlands

I. Jenkins1, P. Pearson2, J. Lenic3, G. Canepa4, G. Morelli5 & T. Bedford6

1 Astrium GmbH, Munich, Germany; 2 Astrium Ltd., Portsmouth, England; 3 DLR, Bonn, Germany; 4 Alenia Aerospazio, Turin, Italy; 5 Galileo Avionica, Florence, Italy; 6 University of Strathclyde, Glasgow, Scotland

ABSTRACT: In the framework of European Co-operation for Space Standardisation (ECSS), new international European standards to support safety of space missions have been developed. The ECSS standards for project risk management and system safety specify the foundation of the systematic safety process required on space projects. The analytic part of this process is outlined in further detail in two new complementary standards on hazard analysis and safety risk assessment.

This paper discusses the risk assessment approach in the draft ECSS safety risk assessment standard ECSS-Q-40-03. The paper gives a brief summary of what the proposed standard covers and why the standard is considered important. The paper then describes how the standard is applied: its role in space programmes, how it is made applicable, how it is to be used, etc. Furthermore, the links to other ECSS standards and the disciplines of safety and risk management are explained. While initially written for space systems, the practitioners of safety and risk analysis are invited to consider the use of the described approach for safety risk assessment also for non-space applications.

1 INTRODUCTION

As demonstrated by the recent tragic accident of the space shuttle Columbia, space flight is a risky endeavour for which safety is of paramount importance.

Space systems are typically complex and contain, or manage, large amounts of energy. New and not necessarily fully mature technologies are often applied. Failure tolerance and performance margins are limited by severe mass constraints. The threats to safety with space systems originate from the hazardous characteristics of the space system design, its operating environment, and from hazardous effects of system failures or off-nominal situations.

In the framework of European Co-operation for Space Standardisation (ECSS), new international European standards to support safety with respect to space missions have been developed. The ECSS standards for project risk management (ECSS-M-00-03) and system safety (ECSS-Q-40B) specify the foundation of the systematic safety process required on space projects. The analytic part of this process will be outlined in further detail in two new complementary standards on hazard analysis (ECSS-Q-40-02) and safety risk assessment (ECSS-Q-40-03).

In the context of the ECSS standards for space safety, safety analysis has been defined to comprise hazard analysis, safety risk assessment, and a variety of supporting analyses, listed in the ECSS-Q-40B, to be applied at the discretion of a particular project. The objective of safety analysis is to identify, assess, propose the means to reduce, control, and accept hazards and the associated safety risks in a systematic, pro-active, and complete manner, taking into account the project's technical and programmatic constraints. Safety analysis is implemented through an iterative process. Cycles of the safety analysis process are iterated during the different project phases and evolution of system design and operation.

Safety risk assessment complements hazard analysis – which is defined in the standard ECSS-Q-40-02 and allows the identification of hazard scenarios in the form of sequences of events leading from an initial cause to an unwanted safety consequence – and comprises the identification, classification and reduction of safety risks in a probabilistic manner. The purpose of safety risk assessment is to determine the magnitude of risks induced by the identified hazards and the associated hazard scenarios, and to identify and rank the risk contributors.

It is emphasised that the standards for safety referred to above are applicable to all aspects of space missions, including human spaceflight as well as unmanned missions. The standards consider not only the potential harm to people, but also the harm that may be caused to equipment, property and the environment.

The present paper discusses, in particular, the risk assessment approach specified for the safety risk assessment standard ECSS-Q-40-03. At the time of the writing of this paper, the standard is still being drafted. The paper has been prepared by the members of the ECSS working group that has developed both the hazard analysis standard and the current safety risk assessment standard draft.

2 ROLE OF SAFETY RISK ASSESSMENT IN SPACE PROJECTS

Safety risk assessment is the principal probabilistic analysis which assists engineers and managers to include safety aspects in the engineering practices and the decision making process throughout the system life cycle. Ranking of safety risks, according to their criticality for the project success, allows managers and engineers to direct their attention to the essential safety issues, as part of the major objectives of risk management.

The information produced on safety risks is used to:

• assess the level of safety of a system in a probabilistic way;

• increase the level of safety of a system through safety risk reduction;

• drive the definition and implementation of design and operation requirements, specifications, concepts, procedures etc.;

• provide a basis for defining adequate safety requirements, determining the applicability of safety requirements, implementing safety requirements, verifying their implementation and demonstrating compliance or non-compliance;

• support safety related project decisions;

• support safety submissions and reviews through documented evidence;

• support safety certification of a system through documented evidence; and

• provide input to overall project risk management.

The probabilistic approach of safety risk assessment is considered to be most useful and beneficial in relation to large and complex systems, possibly with some novel technologies involved. The risk values produced by the assessments can be used to support decisions on system design, operations, or upgrades. Regarding complex systems, the safety risk assessment can provide the means needed to point out the risk drivers (i.e. main risk contributors), or to optimise the system with respect to the defences required for the identified risks. Furthermore, the assessments can show the safety improvement potential of design changes or upgrades, and make explicit the uncertainties in the state of knowledge regarding possible accident scenarios, showing where the knowledge is weak and where it needs to be improved.

Safety risk assessment and the corresponding new ECSS standard are considered suitable, in particular, to serve the needs of future manned systems (e.g. manned mission to Mars) and complex unmanned systems/missions with significant safety implications. Galileo is an example of a new European unmanned space programme with important implications for services, some of which are clearly safety critical (e.g. air traffic control services).

3 SAFETY RISK ASSESSMENT CONCEPT

3.1 Hazards and hazard scenarios

The ECSS-Q-40-02 defines a hazard analysis concept in which a clear distinction is made between hazards, intermediate events and consequences. This distinction of hazards and scenarios is considered important to facilitate the identification of all hazards and the associated possibilities for accidents, as well as to support more structured identification and evaluation of hazard reduction and control means. It can also be found important in supporting the hazard analysis interface with the safety risk assessment.

Hazards are defined as potential threats to the safety of a system. They are not events, but the prerequisite for the occurrence of hazard scenarios with their negative effects on safety in terms of the safety consequences. Hazard scenarios determine the possibilities of accidents, by reflecting the system behaviour in terms of event propagation from initiating events (i.e. causes) to harmful consequences, as shown in Figure 1. Different hazard scenarios can originate from the same hazard, and different hazard scenarios can lead to the same safety consequence. The collection of hazard scenarios leading to the same safety consequence can be collated into the form of a consequence tree.

3.2 Safety risk assessment

The safety risk assessment extends on the deterministic hazard analysis by adding a probabilistic dimension (i.e. likelihood and uncertainty) in the identified hazard scenarios and the associated negative consequences in order to determine the magnitude of risk that they present. Safety risk assessment is based on a probabilistic analysis, in that the ranking of risks and risk contributors is jointly dependent on the severity of the associated consequences and on the likelihood of those consequences occurring. The performance of deterministic hazard analysis, which identifies the hazards, the associated hazard scenarios and their negative consequences on safety, is a prerequisite to performing a safety risk assessment.

The acceptance of safety risks posed by the scenarios is based on a joint ranking of the consequence severity and the likelihood. Hence certain risks may be accepted because their chance of occurrence is considered sufficiently low given the foreseen severity of the consequences.

The nature of safety risk assessment can be twofold. Either the assessment can deal with the risks posed by individual hazard scenarios separately, or it can consider sets of scenarios, collectively in the form of the overall risk posed by them. The safety risk assessment standard ECSS-Q-40-03 draft allows for flexibility in determining and using the most efficient approach depending on the objectives of the assessment, i.e., the intended use of the assessment results in a particular project.

Consideration of the hazard scenarios and the associated risks on the individual basis serves as a tool for risk acceptance and safety verification. The scenarios with high risk can be identified and subjected to risk reduction. The risk acceptance criteria are defined at individual scenario level. In this case, the probabilistic assessment is typically done in a qualitative manner based on subjective data using consequence severity and scenario likelihood categorisations and by applying a risk index scheme and a risk grid (or risk matrix), an example of which is shown in Figure 2. The risk grid transforms the severity – likelihood plane (i.e. risk plane) into a judgementally tractable set of cells and specifies the boundaries for risk tolerance as established in the risk policy. The risk grid is used to communicate the risk assessment results and their evolution.

Overall risk assessment deals with the accumulation of the risks posed by individual hazard scenarios and provides a holistic view that places the scenarios in perspective and gives the basis for identifying and ranking risk contributors and optimising safety of the systems. The assessed overall risk can be compared to a probabilistic target (or acceptance criteria) specified for overall risk in the particular system considered.

Probabilistic Risk Assessment (PRA) based on, for example, a comprehensive Event Tree and Fault Tree model, represents one method for performing overall risk assessment. Dependent uncertainty analysis can be used for the propagation of uncertainties in the hazard scenarios (Bedford & Cooke 2001; ESA 2002).

Importance measures such as ‘risk contribution’ provide information on potential safety improvement (i.e. potential reduction of risk) related to a particular scenario event. Design and operation constituents can also be ranked from a risk reduction viewpoint by cumulating the contributions of events associated with the particular constituents.

The uncertainties associated with the estimate of the overall risk (posed by the hazard scenarios) call for a precautionary use of the risk acceptance criteria. Conservative assumptions with respect to the risk estimate are preferred to optimistic ones to ensure that a system is not falsely considered to satisfy an agreed risk target (or acceptance criterion). A representative point value in the upper part of the probability distribution for the overall risk, at a confidence level accepted by the decision-maker, could be used to implement the precautionary principle for risk acceptance decisions, and for risk comparisons.


[Figure 1 (diagram not reproduced): hazard manifestation; hazard scenarios shown as propagation over time from cause events to consequence events]

Figure 1. The concept of hazard and hazard scenarios.

Risk index       Risk magnitude   Risk acceptability criteria for individual risk scenarios
IA, IB, IIA      Maximum risk     Unacceptable risk
IC, IIB          High risk        Unacceptable risk
ID, IIC, IIIA    Medium risk      Unacceptable risk
IID, IIIB, IVA   Low risk         Acceptable risk
Others           Minimum risk     Acceptable risk

[Risk grid (diagram not reproduced): likelihood categories A to E against severity categories IV, III, II and I, with cells coloured green, yellow or red]

Figure 2. Example of risk index scheme and risk grid.


The estimation of scenario likelihoods can be based on different sources of data, such as:

• previous experience on the particular system (i.e. measured or observed data);

• data from other systems or projects (i.e. extrapolation from generic data, similarity data, or physical models); or

• expert judgement.

Based on these data sources, likelihood estimates of scenario events are generated. As systematic identification and treatment of uncertainties is one of the main objectives of the probabilistic assessments, the likelihood estimates of scenario events are to be presented with the associated (lack of knowledge) uncertainty.
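The risk index scheme of Figure 2 and the precautionary point value of Section 3.2, as an added Python example (not code from the ECSS draft or from the authors). The scenario set, the consequence weights and the lognormal treatment of likelihood uncertainty are constructed assumptions for illustration.

```python
import math
import random
import statistics

# Risk index scheme of Figure 2: severity categories I (most severe) to IV,
# likelihood categories A (most likely) to E. Any index not listed is "Minimum risk".
SEVERITIES = ("I", "II", "III", "IV")
LIKELIHOODS = ("A", "B", "C", "D", "E")
MAGNITUDE_OF_INDEX = {
    "Maximum risk": {"IA", "IB", "IIA"},
    "High risk": {"IC", "IIB"},
    "Medium risk": {"ID", "IIC", "IIIA"},
    "Low risk": {"IID", "IIIB", "IVA"},
}
MAGNITUDE_ORDER = ["Maximum risk", "High risk", "Medium risk", "Low risk", "Minimum risk"]
UNACCEPTABLE = {"Maximum risk", "High risk", "Medium risk"}


def risk_index(severity, likelihood):
    """Combine a severity and a likelihood category into a risk index such as 'IIB'."""
    if severity not in SEVERITIES or likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown category: severity={severity!r} likelihood={likelihood!r}")
    return severity + likelihood


def risk_magnitude(index):
    for magnitude, cells in MAGNITUDE_OF_INDEX.items():
        if index in cells:
            return magnitude
    return "Minimum risk"


def acceptable(index):
    """Individual-scenario acceptance criterion of Figure 2."""
    return risk_magnitude(index) not in UNACCEPTABLE


def rank_scenarios(scenarios):
    """scenarios: {name: (severity, likelihood)}. Rows sorted from highest to lowest risk,
    each (name, index, magnitude, acceptable); unacceptable rows are the risk-reduction candidates."""
    rows = []
    for name, (sev, lik) in scenarios.items():
        idx = risk_index(sev, lik)
        rows.append((name, idx, risk_magnitude(idx), acceptable(idx)))
    return sorted(rows, key=lambda r: MAGNITUDE_ORDER.index(r[2]))


def overall_risk(scenarios, confidence=0.90, samples=5000, seed=7):
    """Accumulated risk over a scenario set with lack-of-knowledge uncertainty.

    scenarios: list of (median frequency per year, error factor, consequence weight). Each frequency
    is modelled as lognormal with its 5th/95th percentiles a factor EF below/above the median (a
    constructed assumption, not a rule of the standard). The point value is the `confidence` quantile
    of the sampled overall risk: the representative value in the upper part of the distribution that
    the text suggests for precautionary acceptance decisions."""
    rng = random.Random(seed)
    totals = []
    for _ in range(samples):
        total = 0.0
        for median, ef, weight in scenarios:
            sigma = math.log(ef) / 1.645          # 1.645 = standard normal 95th percentile
            total += median * math.exp(rng.gauss(0.0, sigma)) * weight
        totals.append(total)
    totals.sort()
    point = totals[min(len(totals) - 1, int(confidence * len(totals)))]
    return {"median": statistics.median(totals), "mean": statistics.fmean(totals), "point_value": point}


def meets_target(assessment, target):
    """Precautionary comparison: the upper point value, not the mean or median, must stay below the target."""
    return assessment["point_value"] <= target


if __name__ == "__main__":
    # Constructed scenarios for illustration only.
    grid = {"tank rupture": ("I", "C"), "valve leak": ("III", "B"), "sensor fault": ("IV", "D")}
    for row in rank_scenarios(grid):
        print(row)
    result = overall_risk([(1e-3, 10, 100.0), (5e-2, 3, 5.0), (2e-1, 3, 1.0)])
    print(result, "target met:", meets_target(result, 100.0))
```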

4 SAFETY RISK ASSESSMENT PROCESS

The safety risk assessment process, as defined in ECSS-Q-40-03 draft, comprises the steps and tasks necessary to identify and assess the safety risks, to support safety risk reduction and to establish a rational basis for final acceptance of (residual) risks. The basic steps are:

• Step 1: Define assessment requirements;

• Step 2: Identify and assess the safety risks;

• Step 3: Decide and act on the safety risks;

• Step 4: Track, communicate and accept the residual safety risks.

The process of safety risk assessment, including iteration of its tasks, is outlined in Figure 3.

The 4-step safety risk assessment process is further divided into specific tasks and detailed activities needed to achieve the objectives of each specific task. The tasks within each of the steps are summarised in Figure 4.

As evident from Figures 3 and 4, the safety risk assessment process of ECSS-Q-40-03 has been expanded from a mere assessment process to show a process of assessment (i.e. steps 1 to 3) and management (i.e. steps 3 and 4) of safety risks. This has been done simply to align the consideration of safety risks with the general risk management process for technical and programmatic risks in space projects defined in the management standard ECSS-M-00-03.

The safety risk assessment process of the ECSS-Q-40-03 also presumes the performance of hazard analysis, according to ECSS-Q-40-02, as a prerequisite to the performance of safety risk assessment of a system. The possible accident scenarios and their associated severity of consequences are identified and assessed by hazard analysis. For more details on the hazard analysis, see Tuominen et al. (2001).

5 SAFETY RISK ASSESSMENT IMPLEMENTATION

Implementation of safety risk assessment on a project is based on single or multiple, i.e. iterative, application of the safety risk assessment process. The tasks associated with the individual steps of the safety risk assessment process vary according to the scope and objectives specified for safety risk assessment. The scope and objectives of safety risk assessment depend on the type and phase of the project.

[Figure 3 (flowchart not reproduced): 1. Define assessment requirements; 2. Identify and assess the risks; 3. Decide and act on the risks; 4. Track, communicate and accept the residual risks. Are risks acceptable? If no, reduce risks and iterate tasks; if yes, proceed.]

Figure 3. The process of safety risk assessment.

Step 1 Define assessment requirements

• Task 1: Define assessment scope, objectives and planning

• Task 2: Describe the assessment baseline

• Task 3: Support risk target definition, and safety risk policy

Step 2 Identify and assess the risks

• Task 4: Select scenarios and consequence trees

• Task 5: Identify the scenario likelihoods

• Task 6: Determine the magnitude of the risks

• Task 7: Identify the main risk contributors

Step 3 Decide and act on the risks

• Task 8: Decide if the safety risks are acceptable

• Task 9: Reduce the safety risks to an acceptable level

• Task 10: Provide recommendations

Step 4 Track, communicate and accept the risks

• Task 11: Track and communicate the safety risks

• Task 12: Accept the residual safety risks

Figure 4. The tasks associated with the 4 steps of the safety risk assessment process.

According to the specified scope and objectives, the implementation of the safety risk assessment process consists of a number of “safety risk assessment cycles” over the project duration comprising the necessary revisions of the assessment requirements, and the assessment Steps 2–4, as indicated in Figure 4.

The period designated in Figure 5 as “Safety risk assessment process” comprises all the phases of the project concerned. The frequency and the events at which cycles are required in a project (note that only 3 are shown in Figure 5 for illustration purposes) depend on the needs and complexity of the project, and are defined during Step 1 at the beginning of the project.

Safety risk assessment implementation requires commitment in each actor’s organisation, and the establishment of clear lines of responsibility and accountability. Project management has the overall responsibility for the implementation of safety risk assessment, ensuring an integrated and coherent safety risk assessment approach.

The safety risk assessment process needs to be carefully documented to ensure that the scope and objectives of the safety risk assessment are established, understood, implemented and maintained, and that an audit trail can lead to the origin and rationale of all safety related decisions made during the life of the system/project.

6 CONCLUSIONS

The presented safety risk assessment approach is process oriented and aimed at providing analyses which explicitly state and work towards the goals, objectives and intended use of the analysis results. Analysis results are intended to drive the design and operation through hazard and safety risk reduction, support specific trades between design options, show compliance with safety requirements, risk policy or probabilistic targets, etc.

The presented safety risk assessment approach is an evolution from PRA, which simplifies the conventional PRA approach. PRAs are often found complex and time consuming and are produced for an existing system rather than driving the system development. The use of the presented safety risk assessment approach allows flexibility regarding the nature of a particular assessment and prioritising the allocation of assessment resources. The approach makes risk results available in a shorter time, which makes it easier to deal with short cycle times and the introduction of changes during space system development.

The proposed safety risk assessment standard is not intended to be prescriptive. It only describes a general framework and a process for how to properly perform safety risk assessments. It is not prescribing the detailed methods to be used. The actual implementation of the process can be tailored for particular user needs. The only requirements (“shall’s”) that are expressed in the standard draft are to emphasise the implementation of the systematic assessment process with specific steps and tasks, application of particular analysis principles, and the proper documentation of the assessment and its outputs.

The approach adopted for safety risk assessment is fully in line with and supports the ECSS risk management process for space projects defined in the management standard ECSS-M-00-03. The approach emphasises the importance and application of the coherent risk management process to the discipline of safety.

Whilst initially written specifically for space systems, the ECSS hazard analysis and safety risk assessment approaches, as described in the ECSS-Q-40-02 and the ECSS-Q-40-03 draft respectively, can also be applied to non-space systems. The practitioners of safety and risk analysis are invited to consider the use of the approaches for non-space applications.

REMARK

The present paper relates to the ECSS-Q-40-03 standard draft as prepared and debated within the corresponding ECSS Working Group. At the time of the writing of this paper, the draft standard had not been submitted to ECSS review, and has not therefore received endorsement in accordance with the ECSS standard process. The views expressed here are those of the authors and do not necessarily reflect those of the corresponding organisations or ECSS.

[Figure 5 (diagram not reproduced): over the project phases, a Step 1 (define assessment requirements) is followed by repeated cycles of Step 1 (revise assessment requirements), Step 2 (identify and assess risks), Step 3 (decide and act on risks) and Step 4 (track, communicate and accept risks), with safety risk assessment documentation maintained throughout the safety risk assessment process.]

Figure 5. Iterative application of the safety risk assessment process over project lifetime.

REFERENCES

ECSS-M-00-03 Space project management – Risk management. (Available via ECSS web site http://www.ecss.nl/)

ECSS-Q-40B Space product assurance – System safety. (Available via ECSS web site http://www.ecss.nl/)

ECSS-Q-40-02 Space product assurance – Hazard analysis. To be published by ECSS.

ECSS-Q-40-03 Space product assurance – Safety risk assessment. To be published by ECSS.

ESA 2002. ESA “Handbook & Procedure Guide for Risk Management” RIMOX: available at http://www.estec.esa.nl/qq/RIMOX/Default.htm

Bedford, T. & Cooke, R. 2001. Probabilistic Risk Analysis: Foundations and Methods. Cambridge: Cambridge University Press. ISBN 0-521-77320-2.

Tuominen, R. et al. 2002. From hazard analysis to safety risk assessment and further: the new European safety standards on hazard analysis and safety risk assessment. In Proceedings of Joint ESA-NASA Space-Flight Safety Conference, Noordwijk (NL), 11–14 June 2002. ESA SP-486. Noordwijk: European Space Agency.


Extended stochastic petri nets in power systems maintenance models

A.P. Ulmeanu, D.C. Ionescu & A.C. Constantinescu
University POLITEHNICA of Bucharest, Bucharest, Romania

ABSTRACT: The set of maintenance policies for a power system should be defined through a coherent policy, complying with the quality of service requirements. Cascade failures, common cause failures (environmental condition, use of the same components, etc.), protection-system functions, automatic/manual reconfiguration and the maintenance procedures are the most important dependency concepts considered. The dynamic behavior of the power system is modelled through Extended Stochastic Petri Nets. Their main advantages are considered: a modular approach and support for the integration of several mathematical frameworks (discrete events, stochastic processes, simulations, etc.). On the other hand, the Extended Stochastic Petri Nets have an acquired benefit due to a very rich field for specifying, designing, implementing, verifying and validating. The structural, functional and stochastic dependencies are modelled by a rule base, and implemented through two basic types of interfaces: common transitions and marking check. Common transitions describe the occurrence of events that lead to simultaneous marking evolution of the involved modules. The second type of interface is the marking check. It is used when the occurrence of an event assigned to a component is conditioned upon the states of other components. A relevant improvement on existing methods is to consider the condition-based maintenance models for power systems, subject to deterioration failures and to Poisson failures. The Poisson failure process represents all hard faults that might occur instantaneously in any deterioration stage of the components’ system. The soft faults grow gradually with time and lead to a predictable condition, modelled by a multi-state continuous-time deterioration process. After an inspection, based on the degree of deterioration, a minimal/major action is performed, or no action is taken. Generally, the Poisson failures are restored by minimal repairs while the deterioration failures are restored by major repairs. Extended Stochastic Petri Nets are used to represent and analyze the model, which stands for an inspection-based maintenance strategy. Based on maximization of the system performance, an optimal inspection policy within the strategy and an optimal inter-inspection time are acquired.

1 BASICS OF EXTENDED STOCHASTIC PETRI NETS FOR RELIABILITY MODELLING

1.1 Abbreviations, acronyms, and notations

AM – Age Memory; BI – Between Inspections; DF – Deterioration Failure; DI – Degradation Level I; DII – Degradation Level II; DIII – Degradation Level III; EM – Enabling Memory; HF – hard failure mode; I – inspection; MP – Memory Policy; MT – Maintenance Tasks; NA – no Action; NM – no Memory; NH – no Hard Failure Mode; NS – no Soft Failure Mode;

m – minimal maintenance; M – major maintenance; PF – Poisson Failure; r – minimal repair; R – major repair; SF – Soft Failure Mode; SyS – System State; SPL – System Performance Level; d – system degradation level ($d \in \{0, 1, 2, \ldots, n\}$); z – system threshold major maintenance level ($0 \le z \le n$);

1.2 Assumptions

By definition (Jensen and Rozenberg 1991), an Extended Stochastic Petri Net (ESPN) is a tuple:

(1)


where

• P is a finite set of places

• T is the finite set of timed and immediate transitions, $T = T_t \cup T_0$

• I is the input function (represented by directed arcs from places to transitions)

• O is the output function (represented by directed arcs from transitions to places)

• H is the inhibition function (circle-headed arcs from places to transitions)

• PDF is the probabilistic distribution functions assigned to the set $T_t$ of timed transitions

• M0 is the initial marking

In general, the symbol M is an assignment of a natural number of tokens to each place of the PN. Also, we are using the following symbols for the pre- and post-sets of the ESPN nodes (places or transitions): $^{\bullet}t = \{p \mid (p, t) \in I\}$ – the set of the input places for a transition t connected through directed arcs; $t^{\bullet} = \{p \mid (t, p) \in O\}$ – the set of the output places for a transition t connected through directed arcs; $^{\circ}t = \{p \mid (p, t) \in H\}$ – the set of the input places for a transition t connected through inhibitor (circle-headed) arcs.

A transition t is enabled in a marking M if all places of $^{\bullet}t$ are marked, i.e. each input place has at least one token. In the case when $^{\circ}t \neq \emptyset$, the input places of $^{\circ}t$ connected through inhibitor arcs to the transition t should not be marked in order to ensure that this transition t is enabled. Any enabled transition can fire (immediately or delayed). When the transition t fires, a token is removed from each input place of $^{\bullet}t$ and another one is added to each output place of $t^{\bullet}$. Accordingly, a new marking $M'$ is reachable. We denote this as $M \xrightarrow{\{t\}} M'$. As a rule, a marking $M_k$ is said to be reachable from the marking $M_0$ whenever there is a sequence of firings that transforms $M_0$ into $M_k$. A firing or occurrence sequence is denoted by the set of the fired transitions. If for any marking of the ESPN the number of tokens in any place is finite, and there is at least one enabled transition, then we have a live and bounded ESPN.

1.3 Stochastic semantics of ESPNs

The main components of the stochastic semantics of ESPNs (Marsan and Chiola 1987) are:

• the sequence policy

• the memory policy

• the service policy

The sequence policy determines which transition is to be fired first in a given marking. In this paper we follow the race policy (Sim and Endreny 1993), i.e. among the enabled transitions the one which will fire is the one with the smallest residual firing time.

Since non-exponential distributions are no longer memoryless, it is very important to specify how the residual firing times of the remaining enabled timed transitions are to be managed after the system transition. In principle, there are three cases:

EM enabling memory: the elapsed time is kept as long as the transition remains enabled;

NM no memory (resampling): the elapsed time is lost and a new firing delay will be assigned the next time the transition is enabled;

AM age memory: the elapsed time is kept whatever the system’s evolution. The next time the transition is enabled, the remaining firing time will be the residual time from the last disabling.

As soon as the stochastic semantics are defined, the distributions of the conditional sojourn times in each ESPN marking are obtained. Under specific hypotheses, it is possible to define regeneration points of the stochastic process. The asymptotic reliability/performability indices are obtained by modelling the process between two regeneration points (Marsan and Chiola 1987).

The service policy defines the Enabling Degree (ED) of a transition. Several clients may be served when ED is greater than 1.
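The race policy and the three memory policies of Section 1.3, as an added Python example (not code from the paper). The bookkeeping class, the constant 1500 h delay and the disturbance scenarios are constructed assumptions; the scenarios mirror the case study, where an inhibitor arc disables the degradation transition W1 during a 10 h inspection.

```python
class TimedTransition:
    """Residual firing time of one timed transition under a memory policy (EM, NM or AM)."""

    def __init__(self, name, sampler, policy):
        if policy not in ("EM", "NM", "AM"):
            raise ValueError(policy)
        self.name, self.sampler, self.policy = name, sampler, policy
        self.remaining = None        # firing delay measured from enabled_since; None = no sample held
        self.enabled_since = None    # simulation time at which the current enabling period began

    def enable(self, now):
        """The transition becomes enabled; a new delay is sampled only if none is carried over (AM)."""
        if self.enabled_since is None:
            if self.remaining is None:
                self.remaining = self.sampler()
            self.enabled_since = now

    def disable(self, now):
        """The transition is disabled by a marking change (e.g. an inhibitor place becomes marked)."""
        if self.enabled_since is None:
            return
        if self.policy == "AM":
            self.remaining -= now - self.enabled_since   # age memory: the residual is kept
        else:
            self.remaining = None                        # EM / NM: the elapsed time is lost
        self.enabled_since = None

    def marking_changed(self, now):
        """Another transition fired while this one stays enabled: only NM (resampling) resamples."""
        if self.policy == "NM" and self.enabled_since is not None:
            self.remaining = self.sampler()
            self.enabled_since = now

    def residual(self, now):
        """Residual firing time at `now`; only meaningful while the transition is enabled."""
        return self.remaining - (now - self.enabled_since)

    def fired(self):
        self.remaining = None
        self.enabled_since = None


def race(transitions, now):
    """Race policy: among the enabled timed transitions, the one with the smallest residual fires."""
    enabled = [t for t in transitions if t.enabled_since is not None]
    if not enabled:
        return None
    return min(enabled, key=lambda t: t.residual(now))


def firing_time(policy, events, delay=1500.0):
    """Absolute time at which a transition whose sampled delays are all `delay` fires, given a list of
    (time, event) disturbances with event in {'disable', 'enable', 'change'} (constructed scenario).
    Returns the firing time if it fires before a disturbance; None if it is left disabled."""
    t = TimedTransition("W1", lambda: delay, policy)
    t.enable(0.0)
    for now, event in events:
        if t.enabled_since is not None and now >= t.enabled_since + t.remaining:
            return t.enabled_since + t.remaining          # fired before the disturbance arrived
        {"disable": t.disable, "enable": t.enable, "change": t.marking_changed}[event](now)
    return None if t.enabled_since is None else t.enabled_since + t.remaining


if __name__ == "__main__":
    inspection = [(1000.0, "disable"), (1010.0, "enable")]   # W1 inhibited during a 10 h inspection
    other_firing = [(200.0, "change")]                        # some other transition fires at 200 h
    for policy in ("EM", "NM", "AM"):
        print(policy, firing_time(policy, inspection), firing_time(policy, other_firing))
```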

2 CONSTRUCTION OF AN ESPN – A STUDY CASE

The structural, functional and stochastic dependencies are modelled by a rule base and implemented through two essential types of interfaces: common transitions and marking check (Ulmeanu and Ionescu 1999). Common transitions describe the occurrence of events that lead to simultaneous marking evolution of the involved modules. Consequently, these involved modules share the common transitions. The second type of interface is the marking check. It is used when the occurrence of an event ascribed to a component is conditioned upon the states of other components. The basic rules for this kind of interface specify that the marking of the places involved in the check procedure should remain unchanged. Therefore, only bi-directional and inhibitor arcs could be used to implement this kind of interface. Figure 1 presents the ESPN for a condition-based maintenance model for a system, subject to deterioration failures and to Poisson failures (Jensen and Rozenberg 1991; Sim and Endreny 1993). After an inspection, based on the degree of deterioration, a decision is taken: no action / minimal maintenance / major maintenance. Deterioration (soft) failures are restored by major repair, while the Poisson (hard) failures are restored by minimal repair. Table 1 gives the set of decision actions, the associated maintenance tasks, as well as the ageing properties (memory policy).
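The enabling and firing rules of Section 1.2 and the marking-check and inhibitor-arc interfaces of this section, as an added Python example (not code from the paper). The net is a reduced, untimed version of the Figure 1 model constructed from the text of Section 2.1; the reachability graph is generated as in step 1 of the numerical solution, and the liveness and boundedness checks follow the paper's definitions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    """A transition with its pre-set (inputs), post-set (outputs) and inhibitor pre-set."""
    name: str
    inputs: frozenset
    outputs: frozenset
    inhibitors: frozenset = frozenset()


def freeze(marking):
    """Canonical hashable marking: only the places holding at least one token."""
    return frozenset((p, n) for p, n in marking.items() if n > 0)


def enabled(marking, t):
    """Enabling rule: every input place holds a token and no inhibitor-connected place is marked."""
    return (all(marking.get(p, 0) >= 1 for p in t.inputs)
            and all(marking.get(p, 0) == 0 for p in t.inhibitors))


def fire(marking, t):
    """Firing rule: one token removed from each input place, one added to each output place."""
    if not enabled(marking, t):
        raise ValueError(f"{t.name} is not enabled in {sorted(freeze(marking))}")
    new = dict(marking)
    for p in t.inputs:
        new[p] -= 1
    for p in t.outputs:
        new[p] = new.get(p, 0) + 1
    return freeze(new)


def reachability_graph(m0, transitions, max_markings=10_000):
    """Breadth-first reachability graph: {marking: [(transition name, successor marking), ...]}."""
    graph = {}
    queue = deque([freeze(m0)])
    while queue:
        m = queue.popleft()
        if m in graph:
            continue
        md = dict(m)
        graph[m] = []
        for t in transitions:
            if enabled(md, t):
                succ = fire(md, t)
                graph[m].append((t.name, succ))
                if succ not in graph:
                    queue.append(succ)
        if len(graph) > max_markings:
            raise RuntimeError("too many markings: the net is probably unbounded")
    return graph


def is_bounded(graph, k=1):
    """k-bounded: no place holds more than k tokens in any reachable marking."""
    return all(n <= k for m in graph for _, n in m)


def is_live(graph):
    """The paper's liveness condition: every reachable marking has at least one enabled transition."""
    return all(successors for successors in graph.values())


def marking_check(name, checked_place, inputs, outputs):
    """Marking-check interface: the checked place is read through a bidirectional arc, so the
    transition fires only while that place is marked and leaves its marking unchanged."""
    return Transition(name, frozenset(inputs) | {checked_place}, frozenset(outputs) | {checked_place})


# Reduced version of the Figure 1 model (constructed here; timing is ignored).
W, MNT = "Waiting", "Maintenance"
NS, DI, DII, DIII, SF = "NoSoftFailure", "DegradationI", "DegradationII", "DegradationIII", "SoftFailureMode"
MODEL = [
    Transition("Inspect", frozenset({W}), frozenset({MNT})),        # inspection starts
    marking_check("ComponentOK", NS, {MNT}, {W}),                   # found in NS: no action
    marking_check("NoAction", DI, {MNT}, {W}),                      # found in DI: no action
    marking_check("Tm", DII, {MNT}, {W}),                           # found in DII: minimal maintenance
    Transition("TM", frozenset({MNT, DIII}), frozenset({W, NS})),   # found in DIII: major maintenance
    Transition("E1", frozenset({NS}), frozenset({DI})),             # deterioration NS -> DI
    Transition("N", frozenset({DI}), frozenset({DII})),             # deterioration DI -> DII
    Transition("W1", frozenset({DII}), frozenset({DIII}), frozenset({MNT})),  # inhibited during maintenance
    Transition("W2", frozenset({DIII}), frozenset({SF})),           # soft failure
    Transition("R", frozenset({SF}), frozenset({NS})),              # major repair
]
TRANSITIONS = {t.name: t for t in MODEL}
M0 = {W: 1, NS: 1}   # operating, d = 0, waiting for the next inspection


if __name__ == "__main__":
    graph = reachability_graph(M0, MODEL)
    print(f"{len(graph)} reachable markings, 1-bounded: {is_bounded(graph)}, live: {is_live(graph)}")
    for m, succ in graph.items():
        print(sorted(p for p, _ in m), "->", [(n, sorted(p for p, _ in s)) for n, s in succ])
```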

Figure 1.

2.1 ESPN presentation

The initial marking of

• one token in the place labeled No Soft Failure

• one token in the place labeled No Hard Failure

• one token in the place labeled Waiting

denotes that the system is operating, with no degradation level ($d = 0$), waiting for the next inspection. Three degradation levels are considered in this study case ($n = 3$), and the threshold major maintenance level is set to $z = 3$. As soon as the degradation level d unveiled by an inspection procedure is greater than the threshold z, a major maintenance action must be performed in order to ensure that the system returns to the NS state. The sojourn probabilistic distribution functions and the system performance standards are shown in Table 2.

An inspection procedure is scheduled every $\tau = 2200$ h in order to reveal the degradation state of the system. When the inspection procedure is beginning, the token is removed from the place Waiting and another one is set to the place Maintenance. After the achievement of the inspection tasks ($\delta$ is assumed to be the duration of the inspection action), the following cases are possible:

– if the unveiled degradation level corresponds to the state NS (i.e. a token is found in the place NoSoftFailures), then just after the deterministic delay $\delta$ has elapsed, the transition ComponentOK fires. Consequently, the tokens are removed from the place Maintenance and from the place NoSoftFailures respectively, and a token reappears in the place Waiting and one token in the place NoSoftFailures as well. The transition E1 is re-enabled, and the sojourn time in the state NS is kept, based on the ageing memory property (as shown in Table 1);

– if the unveiled degradation level corresponds to the state DI (i.e. a token is found in the place DegradationI), then the transition NoAction fires just after the deterministic delay $\delta$ has elapsed. As a consequence of the firing, the tokens are removed from the place Maintenance and from the place DegradationI respectively, and one token reappears in the place Waiting and one token in the place DegradationI as well. The transition N is re-enabled, and the sojourn time in the state DegradationI is kept, based on the ageing memory property (as shown in Table 1);

– if the unveiled degradation level corresponds to the state DII (i.e. a token is found in the place DegradationII), then the transition Tm fires just after a random delay that follows the distribution Exp(μ = 0.16667 h⁻¹) has elapsed. The tokens are removed from the Maintenance and DegradationII places respectively, and one token reappears in the place Waiting and another one in the place DegradationII. The transition W1 is re-enabled while the sojourn time in the state DegradationII is reset. Following the minimal maintenance action, the system returns to the condition it had just after the firing of transition N (when it entered the state DegradationII). The inhibitor arc connecting the place Maintenance and the transition W1 ensures that during the minimal maintenance action the degradation process is not enabled, i.e. the transition W1 cannot fire;

– if the unveiled degradation level corresponds to the state DIII (i.e. a token is found in the place DegradationIII), then the transition TM fires just after a random delay that follows the distribution Exp(μ = 0.013889 h⁻¹) has elapsed. The tokens are removed from the Maintenance and DegradationIII places respectively, and a token reappears in the place Waiting and another one in the place NoSoftFailures. The transition W2 is not re-enabled, and the system returns to the NS state, as a result of major maintenance (as shown in Table 1).

Based on the race policy, the transition W2 might fire before the inspection task falls due. In this case, the soft failure mode occurs. A token is removed from the place DegradationIII and a token is put in the place SoftFailureMode. After the random major repair time that follows the distribution Exp(μ = 0.010417 h⁻¹) has elapsed, the system returns to the NS state.

Table 1. The maintenance policy.

State before MT   MT   State after MT    MP
DF                R    As good as new    NM
PF                r    As bad as old     AM
NS                NA   As good as new    AM
DI                NA   As bad as old     AM
DII               m    As bad as old     EM
DIII              M    As good as new    NM

Table 2.

SyS    Sojourn time                  SPL      d
NS     Exp(λ = 10⁻⁴ h⁻¹)             100 %    0
DI     N(μ = 2000 h, σ = 100 h)      75 %     1
DII    Weib(a = 2000 h, b = 2)       50 %     2
DIII   Weib(a = 2000 h, b = 2.5)     25 %     3
SF     Exp(μ = 0.010417 h⁻¹)         0        –
NH     Exp(λ = 10⁻³ h⁻¹)             100 %    0
HF     Exp(μ = 10⁻¹ h⁻¹)             0        –
I      Deterministic (δ = 10 h)      0        –
BI     Deterministic (τ = 2200 h)    0        –
m      Exp(μ = 0.16667 h⁻¹)          0        –
M      Exp(μ = 0.013889 h⁻¹)         0        –

An independent hard failure mode can occur in any deterioration stage and stop the system operation. For example, a fuse burn-out can be replaced in a short time, with no effect on the deterioration of the system. The restoration time follows the distribution Exp(μ = 10⁻¹ h⁻¹).

3 PERFORMANCE ANALYSIS

Structural analysis of the ESPN model shows that the net is live and bounded. Because of the complexity of the model, mainly due to the decision following an inspection, a numerical analysis based on a forced Monte Carlo method is proposed. The steps for the numerical solution of ESPN models are:

• generation of the reachability graph (RG) from the ESPN model;

• reduction of the RG, by absorbing the vanishing markings, i.e. those without sojourn time;

• numerical solution based on Monte Carlo methods.

The expected system throughput is selected as the performance criterion, in the system steady state (long run). Figure 2 shows the expected throughput of the system versus the inspection periodicity $\tau$ for two values of the inspection duration $\delta$.

4 CONCLUSION

We have presented in this paper a study regarding the effectiveness of Extended Stochastic Petri Nets in managing the performability of maintained systems. The degradation phenomena and the maintenance policies are modelled using ESPN in order to find out an optimal solution, an equilibrium between the loss of performance due to degradation, down times for inspection and repair tasks, and the gain due to maintenance actions. Future studies will investigate the best set of maintenance policies indicated for each deterioration state of the system, as well as the effect of the maintenance and repair parameters.

REFERENCES

Jensen, K. and G. Rozenberg (1991). High Level Petri Nets. Springer-Verlag.

Marsan, M. A. and G. Chiola (1987). On Petri Nets with Deterministic and Exponentially Distributed Firing Times, pp. 132–145. Springer-Verlag.

Sim, S. H. and J. Endreny (1993, March). A Failure-repair Model with Minimal and Major Maintenance. IEEE Transactions on Reliability 42(3), 134–140.

Ulmeanu, A. P. and D. C. Ionescu (1999). The Computer-Assisted Analysis of the Semi-Markovian Stochastic Petri Net and an Application, pp. 307–320. Birkhauser Boston.

[Figure 2 (plot not reproduced): expected throughput, from 0.78 to 0.92, versus inspection periodicity (0 to 3000 hrs) for inspection durations of 0.5 hrs and 10 hrs]

Figure 2. The effect of the inspection duration.


An implementation of a life-cycle risk-based design for safety methodology

D. Vassalos & D. Konovessis
The Ship Stability Research Centre, Department of Naval Architecture and Marine Engineering, Universities of Glasgow and Strathclyde, Glasgow, United Kingdom

ABSTRACT: Ship safety can be influenced by several factors over time and it is apparent that all such factors should be taken into account, in a balanced and formalised manner during the life-cycle of the vessel, in order to reach an acceptable, viable solution optimally. In this respect, a risk-based methodology addressing design, operation and regulation for ship safety is presented in this paper. Particular attention is paid to the balance of conflicting risks and costs deriving from different hazards, as well as to techniques used for the estimation of risk levels based on first-principles tools. A case study is presented to address the application of the developed methodology, aiming to provide insight into the proposed procedure as well as to demonstrate its potential for wider application.

1 INTRODUCTION

For a period of more than ten years a safety culture approach has been promoted through the theme “Design for Safety”, which aims at integrating safety cost-effectively in the ship design process, Vassalos (1999). However, the lack, thus far, of a systematic and all-embracing approach to ship safety, offering a framework that allows for a strategic overview of safety and the derivation of effective solutions, has meant that the wealth of information amassed over many years of research and development on stand-alone safety-critical areas remains under-utilised, whilst ship safety continues to be unnecessarily undermined. One of the main elements of the above mentioned R&D work is the assurance of safety within the ship design process, in the continuous search for improving the current state of affairs. Through small, albeit bold, steps in the direction advocated by “Design for Safety”, it is slowly but steadily being recognised that this approach can greatly contribute to the overall cost-effective improvement of safety in shipping whilst nurturing the evolution of proper practice in the field.

Traditionally ship safety has been dealt with byadherence to rules and regulations, thus treated as aconstraint in the design process. With technology andusers requirements developing faster than knowledgecan be assimilated and best practice produced, thisapproach to safety assurance is expected to be largely

ineffective. Adopting an integrated approach that linkssafety performance prediction, risk assessment anddesign is necessary that treats safety as a life-cycleissue and a design imperative is now becoming pre-requisite to attaining optimal solutions. A key target isa formalised risk-based design methodology utilisingroutinely first principles with safety bestowed as a keyobjective at the core of ship design and operation. Tothis end, a top-down approach is advocated, governedby high-level events and their frequencies and conse-quences, in order to design for safety. The relationshipsbetween risk reduction measures and ship perfor-mance must be established in the early design phases,as keeping this relationship outside the design processwill only result in local optimisation of safety. Theeffects of risk reducing design features on resistance,seakeeping, loading/unloading, stability, etc. shouldbe determined by utilising relevant tools in the designprocess. Cost-effectiveness of safety enhancing designfeatures or measures is used as a basis to achieve bal-ance between costs and safety optimally whilst ren-dering risks as low as reasonably practical whilstaccounting for other design priorities and constraints.

Risk-Based Design, as a life-cycle process, should involve all the phases of a vessel, i.e. design, production and operation, as well as facilitate the transfer of knowledge among these phases. The latter is considered to be of paramount importance, since its absence is evidently the main cause of many deficiencies during operation, and improving it could result in significant improvements for the whole process.

09048-V-01.qxd 5/15/03 7:43 PM Page 1587

Page 152: paper126c-balkema

The paper focuses on the description of the approach adopted, concentrating in particular on the methods developed for balancing contradicting risks and costs incurred by different hazards, as well as on the techniques used for the estimation of risk levels based on first-principles tools.

2 ADOPTING A RISK-BASED APPROACH FOR DESIGN, OPERATION AND REGULATION

The structuring of appropriate safety assurance techniques and methodologies into design frameworks, including guidelines for the proper utilisation of tools and procedures, provides the basis for the derivation of unified measures of safety for ship design, as well as for operation and rule development. The elements of the framework appropriate for the different stages of the design process are outlined in this section.

To date ship design practice has focused on balancing technical and economic considerations, with adherence to safety requirements being a design periphery at best, if not a design afterthought. Furthermore, within current ship design practice any safety-related consideration is treated with reference to prescriptive regulations, conformance to which is sought by performing deterministic assessments. In this manner, safety is imposed as a constraint on the design process of a ship, an undertaking that has resulted in the ill-based concept that investment in safety compromises returns. A second, closely related, observation is that this approach hinders the transfer of knowledge between the design, production and operational phases, so that the development of competitive designs rests not on a rational basis but on the designer's competence.

On this background, the approach presently advocated comprises the following principal characteristics:

• Development of working design frameworks appropriate for various stages of the design process, with particular emphasis paid to the required design input and output for their effective application.

• Utilisation of first-principles tools and techniques for assessment purposes, with the view to adequately taking into account prevailing environmental conditions and vessel responses during the design process.

• Transfer of knowledge from the production and operational phases and its utilisation within design, in the form of input to the working frameworks applicable to the design process.

In so doing, safety becomes a central life-cycle issue, addressed critically as early as possible within design. Appropriate coupling of typical risk assessment techniques with first-principles methods and tools offers the potential for these requirements not only to provide design input and to be implemented within the design process, but also to assist in the development and assessment of the effectiveness of rules and regulations and in the proposal of appropriate criteria. In this respect, safety assurance is embedded within the ship design process, treated, as it should be, as a core design objective.

The scenarios shown in Figure 1 are meant to provide the "structural links" to be used for the development of the risk-based design framework. Specific elements of the work content include the following:

• In applying first-principles/performance-based approaches, a number of appropriate numerical tools for incident frequency-of-occurrence prediction and for consequence analysis and modelling are deployed. This work is assisted by the updating and completion of the relevant technical data and accident statistics, in order to allow the delivery of comprehensive risk/cost models with reference to potential societal and economic consequences (losses/gains of human life, cargo, property, environment etc.).

• Models addressing the socio-economic implications of shipping (from an organisational/managerial perspective), evaluating individual and societal levels of risk, cost and performance, and finally the way to achieve safety equivalency from a regulatory point of view, are required. This information will be integrated into comprehensive risk models (e.g. fault and event trees), which reflect the seriousness of incidents occurring and their potential consequences, with the view to building the reference risk-based design framework.

• The risk-based design framework covers issues such as the balance between the effects on safety and performance of various risk contributors, the choice of appropriate risk control options and the implementation of appropriate design trade-offs in a systematic manner.


Figure 1. Sequence of scenarios: System Hazards; Fire/Explosion; Flooding; Evacuation; Sinkage/Capsize; Loss of Structural Integrity; Collision & Grounding.


3 LIFE-CYCLE CONSIDERATIONS

Through the interfacing of top-down (consequence analysis) and bottom-up (frequency prediction) models, assisted where appropriate by comprehensive data and knowledge bases and by first-principles tools and techniques pertaining to incident statistics and to the design and operational measures applicable to risk prevention and mitigation, rational decision support to assist trade-offs between various design and safety indicators is possible. The latter can therefore lead to the development of optimised design solutions.

The various systems of the vessel can be analysed using classical risk analysis techniques, such as Fault Tree Analysis (FTA) and Failure Modes and Effects Analysis (FMEA). An operational procedure that is applied onboard can also be considered as a ship system and analysed using the same techniques. Human effects and interaction can also be modelled within this analysis. Bottom-up models are concerned with the quantification of these system representations. When a bottom-level cause is considered as initiating, the respective representation yields a frequency (likelihood) of the top-level event occurring. Starting from the top event, the outcomes (consequences) and their severity are established, utilising the top-down models. The analysis starts with the construction of representations of the chain of events that lead to potential outcomes following an accident. This is performed in a generic manner, using Event Tree Analysis (ETA). Following this is the task of establishing the branch probabilities of the event trees. This can be achieved in a number of ways, using available statistical data, expert judgement or first-principles consequence analysis tools. The overall frequency of the top-level event can thus be broken down into the expected frequencies of the final outcomes of this event happening. According to the severity of each of the individual outcomes (number of implied fatalities and/or injuries, extent of environmental pollution and implied property loss that includes damage repair, insurance costs, business interruption, etc.), the outcomes can be classified and appropriate actions taken.

Figure 2 shows a breakdown of the generic categories, both technical and operational, of the measures that can be taken either to reduce the frequency of an accident occurring (preventive) or to mitigate its consequences. When various safety-enhancing measures (also known as risk control options, RCOs) are considered for implementation, their costs and benefits can be evaluated and checked using established criteria, for example the Implied Cost to Avert a Fatality (ICAF). Decision support can assist in selecting the best measure available, taking into account other parameters such as interaction with other functions of the ship.

Risk-Based Design for Safety, as a life-cycle process, should involve all the phases of a vessel, i.e. design, production and operation, as well as facilitate the exchange of knowledge among these phases. The latter is considered to be of paramount importance, since its absence is the identified cause of many deficiencies during operation, and improving it can result in significant improvements for the whole process.

3.1 Selection of criteria

The criteria to be satisfied should correspond to acceptable levels of risk, as well as to the established technical and economic criteria normally applied.

3.1.1 Risk evaluation criteria

There are no established explicit risk evaluation criteria available within the IMO regime to date. There are, however, criteria proposed in a document submitted to IMO for consideration, IMO (2000).

A criterion for risk evaluation is compatible with the form in which the risk is presented. For passenger ships, the following are complementary forms of risk presentation:

• Individual Risk, which can be expressed as:
– A risk of death per year for a specific individual;
– A Fatal Accident Rate (FAR), which is defined as the number of fatalities per 100 million person-hours at sea.

• Societal Risk, which can be expressed as:
– The Annual Fatality Rate (AFR), which is defined as the long-term average number of deaths per ship year;
– The F–N curve, which relates the frequency and the number of fatalities in accidents.

3.1.2 Design criteria

Typical technical and economic design criteria that could be considered include:

• The requirements for deadweight as expressed by the specified carrying capacity (number of crew and passengers, private cars and trucks).


Figure 2. Generic measures categories.


• The requirement for speed to be fulfilled at the minimum required installed power.

• Passenger comfort as expressed by hydrostatic and hydrodynamic properties (GM and accelerations).

• Techno-economic performance as calculated by standard procedures, such as NPV or RFR.

3.1.3 Cost-effectiveness assurance

Cost-benefit analysis is a well-known selection technique, which is used when social costs and benefits need to be taken into account to evaluate different alternatives. The assessment is based on the comparison of the benefit gained by the implementation of each alternative, expressed in monetary terms, with the implied cost deriving from implementing that alternative.

4 A CASE STUDY

The case study pertains to the application of the developed framework, aiming to provide insight into the proposed procedure. The application focuses on the determination of the number of transverse bulkheads required for effective subdivision of a conventional passenger Ro-Ro vessel, accounting for social and techno-economic benefits, together with considerations of collision preventive measures and evacuability.

4.1 Hazards and risk control options considered

An existing North West European passenger Ro-Ro vessel was used as the example ship.¹ Only collision incidents were considered for the application, with the focus on the derivation of an arrangement that reduces the probability of capsize following large-scale flooding. Application of the Fujii model for the prediction of the overall frequency of collision incidents for this vessel, considering her operational route, yields a frequency of 3.71 × 10^-2 per ship year. Figure 3 shows the event tree for collision incidents for this case, where all figures are generic except for the overall frequency of collision incidents. In this respect, the frequency for the example ship (assumed to be the struck ship in a collision happening under way that results in a serious casualty involving flooding) was found to be 1.26 × 10^-3 per ship year.

As available risk control options, the following design/operational measures have been considered:

• Collision Avoidance: Crew collision avoidance training or the presence of a second watch officer on the bridge of the vessel, or both.

• Subdivision: Varying number of transverse bulkheads.

• Evacuation: Two alternative accommodation layouts (Case A and Case B).

4.2 Risk and cost-effectiveness analysis

For the various risk control options outlined above, risk and cost-effectiveness calculations have been carried out. The risk analysis for subdivision and evacuability was based on the application of available first-principles tools and techniques, whilst for collision available expert judgement from the literature was used. Available ICAF criteria range between 3 and 8 million Euros, depending on the country and authority concerned, as well as on the transport activity they refer to, IMO (2000). However, it is stated in DNV Technica (1996) that measures yielding an ICAF value of up to 75 million Euros should be carefully evaluated for their benefits, in effect meaning that if there are no more cost-effective alternative measures these should also be considered for possible adoption. Measures having an ICAF value higher than this are normally not considered for implementation.

4.2.1 Subdivision considerations

A damage survivability analysis considering a varying number of transverse bulkheads installed below the main vehicle deck was carried out. The probability of survival can be defined as the probability of the significant wave height Hs, calculated for a given damage condition, not exceeding a predetermined significant wave height Hs90 that characterises the area of operation of the vessel (usually calculated excluding the top 10% of the available data, for example as defined in the Stockholm Agreement for North West Europe). The probability of capsize, which is the complement of the probability of survival, is calculated using the Static Equivalent Method over a range of predefined conditions and distributions of the relevant design and operational parameters (Monte Carlo simulations), Vassalos & Konovessis (2001).

The results of this analysis were implemented as the corresponding branch probabilities of the event tree (vessel remaining afloat, sinking slowly or capsizing rapidly). In this manner, varying frequency levels for the different outcomes were established corresponding to the number of transverse bulkheads considered. The steel weight required for the implementation of each of the arrangements was used as the parameter to trade off against the available lane metres. This feature was taken into account within a conventional calculation of the Required Freight Rate (RFR). In this respect, trade-offs between safety and cost parameters were taken into account, whilst further trade-offs with performance parameters were not considered. Deriving from the relevant literature, DNV Technica (1996), the following fatality rates were considered: 2% for the slow sinking case and 72% for the rapid capsize case. ICAF values were finally calculated, accounting for differential variations of steel and labour costs. These calculations are presented in Table 1 (fatality reductions and additional costs were calculated with reference to the basis alternative with 8 bulkheads).

¹ Main particulars: LBP = 156.45 m, B = 27.60 m, D = 8.9 m (main vehicle deck), T = 6.5 m, centre casing on the main vehicle deck.

The calculations contained in Table 1 indicate that the alternative comprising 14 transverse bulkheads is the most cost-effective over the range of the considered variation, since it achieves the best balance between risk reduction and cost. This conclusion derives from the fact that the calculated ICAF values show a local minimum for this alternative arrangement. Note that Table 1 gives a lower ICAF for the 10-bulkhead alternative (16.8 million Euros); the 14-bulkhead arrangement is the local minimum among the higher-subdivision alternatives, with two and a half times the total fatality reduction of the 10-bulkhead case. Of particular interest are also the high ICAF values calculated for the slow sinking case, which are due to the small reduction in fatalities for these cases, raising the point of the presence of localised risk evaluation criteria.

When more thorough studies on survivability are conducted, methods that estimate the probability of survival taking time to capsize into account can be used. Work in this area is on-going, having already produced useful results on the relation of the critical amount of water on the car deck to the corresponding significant wave height, whilst maintaining a survival time of over one hour, Vassalos et al. (1999).

4.2.2 Considerations of collision preventive measures

Measures for the prevention of collisions, reducing the frequency of collisions, include a wide range of alternatives that may be implemented. A number of these are contained in various IMO conventions and regulations, such as the Collision Avoidance Regulations or the STCW (watch keeping and navigation). The effect of this kind of measure on the frequency of accidents and the corresponding fatality rates is difficult to quantify, since it is mainly derived from analyses based on expert judgement.

For the purpose of this case study, a 20% reduction in the fatality rates will be considered for crew training for collision avoidance, and a 10% reduction will be considered for the presence of a second officer on the bridge during navigation. The percentages derive from SAFER EURORO (1996) and correspond to the reductions in the fatality rates when the above-mentioned measures are implemented. The annual present value of collision avoidance training is taken as 46,000 Euros, whilst the cost (salary and overheads) of a second officer is considered to have an annual present value of 108,000 Euros. Table 2 contains the relevant calculations for a subdivision arrangement comprising 14 transverse bulkheads.

These calculations clearly indicate that crew training for collision avoidance is a cost-effective measure, since it reduces further the ICAF value for the considered subdivision arrangement, despite the increased cost, whilst the presence of a second officer on the bridge is by no means cost-effective. Implementation of both measures may be recommended, if further reduction of the frequency of collisions is deemed necessary.

Figure 3. Generic event tree for collision outcomes, DNV Technica (1996).
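The bookkeeping behind Tables 1 and 2, as an added example and not the authors' code: the outcome frequencies of the collision event tree (Section 3, 4.2.1) are turned into expected fatalities per ship year (frequency × fatality rate × persons on board), differenced against the 8-bulkhead basis and divided by the additional cost to give the ICAF; a collision-preventive measure (4.2.2) is modelled as a proportional reduction of every fatality rate plus its annual cost. The frequencies, costs, fatality rates and 1,500 persons on board are the page's own figures; the function names and the dictionary layout are choices of the example. Recomputing Table 1 this way reproduces every entry except the slow-sinking ICAF for 10 bulkheads, which comes out at 71.2 rather than the tabulated 75.8 million Euros, and the Table 2 columns are reproduced with fatality-rate reductions of 10% (training) and 5% (officer), half the 20% and 10% quoted in the text.

```python
"""Risk and ICAF bookkeeping for the collision event tree of Section 4.2.

Added illustration, not code from the paper. Outcome frequencies and costs
are copied from Table 1; fatality rates (2% slow sinking, 72% rapid capsize,
DNV Technica 1996) and 1,500 persons on board are those stated in the text.
"""

POB = 1500                                  # average number of people on board
RATES = {"slow": 0.02, "rapid": 0.72}       # generic fatality rates per outcome

# Outcome frequencies (per ship year) per number of transverse bulkheads (Table 1).
FREQ = {
    8:  {"afloat": 7.65e-4, "slow": 4.55e-4, "rapid": 4.03e-5},
    10: {"afloat": 8.30e-4, "slow": 3.95e-4, "rapid": 3.49e-5},
    12: {"afloat": 8.68e-4, "slow": 3.60e-4, "rapid": 3.19e-5},
    14: {"afloat": 9.29e-4, "slow": 3.04e-4, "rapid": 2.68e-5},
    16: {"afloat": 9.66e-4, "slow": 2.70e-4, "rapid": 2.39e-5},
    17: {"afloat": 9.75e-4, "slow": 2.62e-4, "rapid": 2.32e-5},
}
# Additional steel/labour cost (Euros) relative to the 8-bulkhead basis (Table 1).
COST = {8: 0.0, 10: 128_206, 12: 255_458, 14: 383_971, 16: 513_046, 17: 577_798}


def expected_fatalities(freq, rates, pob=POB):
    """Expected fatalities per ship year for each fatal outcome and in total:
    frequency x fatality rate x persons on board. Outcomes without a fatality
    rate ('afloat') contribute nothing."""
    out = {k: freq[k] * rates[k] * pob for k in rates}
    out["total"] = sum(out.values())
    return out


def icaf_meur(additional_cost, fatality_reduction):
    """Implied Cost to Avert a Fatality in million Euros. None when the
    alternative averts nothing (the basis case), instead of dividing by zero."""
    if fatality_reduction <= 0:
        return None
    return additional_cost / fatality_reduction / 1e6


def subdivision_table(freq=FREQ, cost=COST, rates=RATES, basis=8):
    """Reproduce Table 1: fatalities, reduction vs the basis and ICAF,
    per outcome and per number of bulkheads."""
    base = expected_fatalities(freq[basis], rates)
    rows = {}
    for n in sorted(freq):
        fat = expected_fatalities(freq[n], rates)
        rows[n] = {k: {"fatalities": fat[k],
                       "reduction": base[k] - fat[k],
                       "icaf": icaf_meur(cost[n], base[k] - fat[k])}
                   for k in fat}
    return rows


def prevention_variant(freq, rates, rate_reduction, extra_cost, basis_freq, basis_cost):
    """A collision-preventive measure applied on top of a subdivision arrangement:
    every fatality rate is reduced by `rate_reduction`, the cost is the subdivision
    cost plus the measure's annual present value. Returns (total reduction, ICAF)."""
    reduced = {k: r * (1.0 - rate_reduction) for k, r in rates.items()}
    base_total = expected_fatalities(basis_freq, rates)["total"]
    reduction = base_total - expected_fatalities(freq, reduced)["total"]
    return reduction, icaf_meur(basis_cost + extra_cost, reduction)


def local_minima(values):
    """Keys whose value lies below both neighbours in key order: the 'local
    minimum' argument used in the text to select 14 bulkheads. Endpoints
    are never reported."""
    keys = sorted(values)
    return [keys[i] for i in range(1, len(keys) - 1)
            if values[keys[i]] < values[keys[i - 1]]
            and values[keys[i]] < values[keys[i + 1]]]


if __name__ == "__main__":
    table = subdivision_table()
    for n, row in table.items():
        tot = row["total"]
        icaf = "-" if tot["icaf"] is None else f"{tot['icaf']:.1f}"
        print(f"{n:2d} bulkheads: fatalities {tot['fatalities']:.5f}/yr, "
              f"reduction {tot['reduction']:.5f}/yr, ICAF {icaf} MEUR")
    print("local minima of total ICAF:",
          local_minima({n: table[n]["total"]["icaf"] for n in table if n != 8}))
    for label, frac, extra in (("training", 0.10, 430_125 - 383_971),
                               ("officer", 0.05, 491_663 - 383_971)):
        red, icaf = prevention_variant(FREQ[14], RATES, frac, extra, FREQ[8], COST[14])
        print(f"14 bulkheads + {label}: reduction {red:.5f}/yr, ICAF {icaf:.1f} MEUR")
```

The frequencies of the three outcomes for the basis case sum to 1.26 × 10^-3 per ship year, the serious-flooding frequency derived from the event tree, which is the consistency check to run before trusting any ICAF figure downstream.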

Table 1. Risk and ICAF calculations for varying number of transverse bulkheads (average number of people on-board 1,500). Fatality reductions and additional costs are relative to the 8-bulkhead basis.

Bulkheads  Outcome        Frequency of collision   Fatalities       Fatalities reduction  Additional cost  ICAF
                          outcome (per ship year)  (per ship year)  (per ship year)       (Euros)          (million Euros)
8          Remain afloat  7.65 × 10^-4
8          Slow sinking   4.55 × 10^-4             0.01365
8          Rapid capsize  4.03 × 10^-5             0.04352
8          Total fatal    4.95 × 10^-4             0.05717
10         Remain afloat  8.30 × 10^-4
10         Slow sinking   3.95 × 10^-4             0.01185          0.00180               128,206          75.8
10         Rapid capsize  3.49 × 10^-5             0.03769          0.00583               128,206          22.0
10         Total fatal    4.30 × 10^-4             0.04954          0.00763               128,206          16.8
12         Remain afloat  8.68 × 10^-4
12         Slow sinking   3.60 × 10^-4             0.01080          0.00285               255,458          89.6
12         Rapid capsize  3.19 × 10^-5             0.03445          0.00907               255,458          28.2
12         Total fatal    3.92 × 10^-4             0.04525          0.01192               255,458          21.4
14         Remain afloat  9.29 × 10^-4
14         Slow sinking   3.04 × 10^-4             0.00912          0.00453               383,971          84.8
14         Rapid capsize  2.68 × 10^-5             0.02894          0.01458               383,971          26.3
14         Total fatal    3.31 × 10^-4             0.03806          0.01911               383,971          20.1
16         Remain afloat  9.66 × 10^-4
16         Slow sinking   2.70 × 10^-4             0.00810          0.00555               513,046          92.4
16         Rapid capsize  2.39 × 10^-5             0.02581          0.01771               513,046          29.0
16         Total fatal    2.94 × 10^-4             0.03391          0.02326               513,046          22.1
17         Remain afloat  9.75 × 10^-4
17         Slow sinking   2.62 × 10^-4             0.00786          0.00579               577,798          99.8
17         Rapid capsize  2.32 × 10^-5             0.02506          0.01846               577,798          31.3
17         Total fatal    2.85 × 10^-4             0.03292          0.02425               577,798          23.8

Table 2. Risk and ICAF calculations for collision preventive measures, subdivision arrangement with 14 transverse bulkheads (average number of people on-board 1,500).

Outcome        Fatalities reduction (per ship year)              ICAF (million Euros)
               subdivision  + training  + officer  + both        subdivision  + training  + officer  + both
Slow sinking   0.00453      0.00544     0.00498    0.00588       84.8         79.1        98.7       91.5
Rapid capsize  0.01458      0.01749     0.01604    0.01895       26.3         24.6        30.7       28.4
Total fatal    0.01911      0.02293     0.02102    0.02484       20.1         18.8        23.3       21.7
Additional cost (Euros): subdivision 383,971; + training 430,125; + officer 491,663; + both 537,817.

4.2.3 Considerations of evacuability

For the evacuation of Ro-Ro vessels, the time available to evacuate passengers and crew is likely to be the big unknown (although it may be predicted by computer simulations and controlled through active decision support/active flooding to remain afloat in a stable condition). Herald of Free Enterprise capsized in a few minutes, Estonia in less than 1½ hours, the Greek ferry Express Samina went down in about 40 minutes, while Titanic took 2 hours 40 minutes to sink. In several accidents where fire has broken out onboard, the vessel involved survived (remaining afloat) for many hours or even days. However, people have been injured or lost their lives, often due to toxic smoke inhalation (e.g. Scandinavian Star, Sun Vista).

SOLAS II-2/28-1.3, IMO (2002), requires the escape way layout of Ro-Ro passenger vessels (built after July 1st 1999) to undergo evacuation analysis. The simulated evacuation time should be less than 60 minutes. The 60 minutes total evacuation time for Ro-Ro passenger ships comprises 30 minutes for mustering and 30 minutes for embarkation and launching of life-saving appliances (SOLAS III/21-1.4). For this duration, the assumption is made that the survivability of the vessel against progressive flooding, which represents the most prevalent cause of Ro-Ro ship losses, is ensured. This time is consistent with the 60 minutes structural fire integrity of any independent main vertical zone (subdivided by A-60 class divisions).

Table 3. Risk and ICAF calculations for evacuation alternatives, 14 transverse bulkheads (average number of people on-board 1,500).

Fatality rates  Outcome        Frequency of collision   Fatalities       Fatalities reduction  Additional cost  ICAF
                               outcome (per ship year)  (per ship year)  (per ship year)       (Euros)          (million Euros)
Generic         Remain afloat  9.29 × 10^-4
Generic         Slow sinking   3.04 × 10^-4             0.00912          0.00453               383,971          84.8
Generic         Rapid capsize  2.68 × 10^-5             0.02894          0.01458               383,971          26.3
Generic         Total fatal    3.31 × 10^-4             0.03806          0.01911               383,971          20.1
Case A          Remain afloat  9.29 × 10^-4
Case A          Slow sinking   3.04 × 10^-4             0.00912          0.00453               383,971          84.8
Case A          Rapid capsize  2.68 × 10^-5             0.00804          0.03548               383,971          10.8
Case A          Total fatal    3.31 × 10^-4             0.01716          0.04001               383,971          9.6
Case B          Remain afloat  9.29 × 10^-4
Case B          Slow sinking   3.04 × 10^-4             0.00912          0.00453               383,971          84.8
Case B          Rapid capsize  2.68 × 10^-5             0.02412          0.01940               383,971          19.8
Case B          Total fatal    3.31 × 10^-4             0.03324          0.02393               383,971          16.0

Figure 4. Probability density functions of the total evacuation time (evacuability, 0 to 1, against evacuation time, 14 to 19 min) for Case A (primary evacuation case, day) and Case B (secondary evacuation case, day), with the 95% values of each case marked.

The term Evacuability is defined to be the probability of an environment being completely evacuated no later than a given time elapsed after the alarm went off, in a given state of the environment and a given initial distribution of people onboard. With this formalism a sound rule may be proposed, e.g. Evacuability (60 min, entire ship, worst anticipated conditions, worst passenger distribution) ≥ 0.99, Vassalos et al. (2002). Figure 4 illustrates the derived probability density functions for the total evacuation times of two alternative arrangements. For an evacuation time of 18 minutes, evacuability equals 1.00 for Case A, whilst for Case B evacuability is equal to 0.60. Making the assumption that only half the people survive during this evacuation time (to allow for the effects of exposure to the sea environment and incidents related to embarkation and lowering of the LSAs), as well as accounting for the fact that there is no significant cost difference between the two cases, fatality rates are assumed equal to 20% for Case A and 60% for Case B.
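Evacuability as defined above is an empirical probability read off simulation output, and the rule Evacuability(60 min, worst case) ≥ 0.99 is a threshold on that probability. The following is an added example, not the authors' tool or data: it computes the evacuability of a scenario from a list of simulated total evacuation times, the time by which a given fraction has evacuated (the 95% marks of Figure 4), and the rule check. The sample times produced by simulate_scenario() come from a constructed triangular model of the mustering and embarkation phases (SOLAS III/21-1.4 splits the 60 minutes into 30 + 30) and stand in for the output of an evacuation simulation; the function names and parameters are assumptions of the example.

```python
"""Evacuability as an empirical probability over simulated evacuation times.

Added illustration, not code from the paper. Evacuability(T) is the fraction
of simulated evacuations of one scenario (given environment state and initial
distribution of people) that complete within T minutes of the alarm. The
samples produced by simulate_scenario() are constructed, not the authors' data.
"""
import math
import random
from bisect import bisect_right


def evacuability(times, t_limit):
    """P(total evacuation time <= t_limit), estimated as the fraction of
    simulated runs that finished by t_limit."""
    if not times:
        raise ValueError("no evacuation samples")
    done = sorted(times)
    return bisect_right(done, t_limit) / len(done)


def time_for_evacuability(times, target):
    """Smallest simulated time by which at least a fraction `target` of the
    runs have completed (target=0.95 gives the 95% mark of Figure 4)."""
    done = sorted(times)
    idx = max(0, math.ceil(target * len(done)) - 1)
    return done[idx]


def rule_check(times, t_limit=60.0, target=0.99):
    """The rule quoted in the text: Evacuability(60 min, worst case) >= 0.99."""
    return evacuability(times, t_limit) >= target


def simulate_scenario(n, muster, embark, seed):
    """Constructed model of one scenario: total time = mustering + embarkation
    and launching of LSAs, each a triangular variate given as (low, high, mode)
    in minutes, mirroring the 30 + 30 minute split of SOLAS III/21-1.4."""
    rng = random.Random(seed)
    return [rng.triangular(*muster) + rng.triangular(*embark) for _ in range(n)]


if __name__ == "__main__":
    # Case A cannot exceed 18 min by construction; Case B spreads to 21 min.
    case_a = simulate_scenario(2000, (6.0, 9.0, 7.5), (7.0, 9.0, 8.5), seed=1)
    case_b = simulate_scenario(2000, (7.0, 11.0, 9.0), (7.0, 10.0, 9.0), seed=2)
    for name, times in (("Case A", case_a), ("Case B", case_b)):
        print(name, "Evacuability(18 min) =", round(evacuability(times, 18.0), 2),
              "95% mark =", round(time_for_evacuability(times, 0.95), 1), "min,",
              "60-min rule:", rule_check(times))
```

Note that the rule is a test on the worst anticipated conditions and the worst passenger distribution, so the samples fed to rule_check() must come from that scenario, not from the day-time primary case that gives the benign curve of Figure 4.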

4.2.4 F–N curve

Table 4 illustrates the benefits gained by considering an increased number of transverse bulkheads, in the form of selected values of the cumulative frequencies of N or more fatalities. The derived figures indicate a result similar to that of the cost-effectiveness analysis, in that the benefit gained when considering more than 14 bulkheads is significantly reduced compared with the benefit gained up to that point, especially for incidents involving a large number of fatalities such as an incident involving large-scale flooding (for N ≥ 585, the benefit of installing 10 bulkheads is 10% over installing 8 bulkheads, for 12 bulkheads it becomes 16%, for 14 it is 26%, for 16 bulkheads it is 31% and finally for 17 the derived percentage is 33%).

5 CONCLUSIONS

A methodology targeting holistic design solutions, by setting global design goals, through the integration of safety-related considerations in the design process has been described. Expected benefits likely to derive from adopting such a procedure include:

• A methodological framework for risk-based design, whilst keeping costs at an acceptable level;

• Improved knowledge and related data on the risks associated with an incident at sea involving collision, grounding, large-scale flooding, passenger evacuation, seaworthiness, fire/explosion and ship systems hazards;

• Improved definition of risk evaluation criteria for safety and environmental protection;

• Improved methods/models for the probability of occurrence and the consequences of risks.

REFERENCES

DNV Technica 1996. Safety Assessment of Passenger Ro-Ro Vessels. Joint North West European Research Project, Methodology Report and Appendices.

International Maritime Organisation (IMO) 2000. Formal Safety Assessment: Decision Parameters including Risk Acceptance Criteria. Maritime Safety Committee, 72nd Session, Agenda Item 16, MSC 72/16, submitted by Norway, 14 February 2000.

International Maritime Organisation (IMO) 2002. Interim Guidelines for Evacuation Analyses for New and Existing Passenger Ships. Maritime Safety Committee, Circular 1033, 6 June 2002.

SAFER EURORO 1998. First Year Report of the Risk Assessment Team. Thematic Network "Design for Safety: An Integrated Approach to Safe European Ro-Ro Ferry Design".

Vassalos, D. 1999. Shaping Ship Safety: The Face of the Future. Marine Technology 36(2): 61–73.

Vassalos, D., Jasionowski, A., Dodworth, K., Allan, T., Matthewson, B. & Paloyannidis, P. 1999. Time-Based Survival Criteria for Ro-Ro Vessels. Transactions of RINA, 18 pp.

Vassalos, D. & Konovessis, D. 2001. Damage Survivability of Floating Marine Structures – A Probabilistic Approach. Proceedings of the Twentieth International Conference on Offshore Mechanics and Arctic Engineering (OMAE 2001), Paper No. OFT-1285, 3–8 June 2001, Rio de Janeiro, Brazil, 8 pages.

Vassalos, D., Christiansen, G., Kim, H.S., Bole, M. & Majumder, J. 2002. Evacuability of Passenger Ships at Sea. SASMEX 2002, Amsterdam, The Netherlands.


Table 4. F–N curve for the case study: frequency of N or more fatalities (per year).

Bulkheads  N ≥ 1         N ≥ 11        N ≥ 68        N ≥ 130       N ≥ 585       N ≥ 1047
8          3.94 × 10^-3  1.11 × 10^-3  9.53 × 10^-4  5.54 × 10^-4  2.36 × 10^-4  7.83 × 10^-5
10         3.88 × 10^-3  1.05 × 10^-3  8.87 × 10^-4  5.14 × 10^-4  2.12 × 10^-4  7.07 × 10^-5
12         3.84 × 10^-3  1.01 × 10^-3  8.49 × 10^-4  4.89 × 10^-4  1.98 × 10^-4  6.63 × 10^-5
14         3.79 × 10^-3  9.48 × 10^-4  7.87 × 10^-4  4.52 × 10^-4  1.75 × 10^-4  5.90 × 10^-5
16         3.74 × 10^-3  9.11 × 10^-4  7.50 × 10^-4  4.29 × 10^-4  1.62 × 10^-4  5.48 × 10^-5
17         3.73 × 10^-3  9.02 × 10^-4  7.41 × 10^-4  4.24 × 10^-4  1.59 × 10^-4  5.37 × 10^-5


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Availability and failure intensity under imperfect repair virtual age model

J.K. Vaurio
Fortum Power and Heat Oy, Loviisa, Finland & Lappeenranta University of Technology, Lappeenranta, Finland

ABSTRACT: This paper develops analytical and numerical techniques to determine two important component characteristics, the failure intensity and the availability, when repairs reduce the virtual age of a unit. Finite repair times are taken into account. An exact Volterra integral equation and an approximate solution are provided for the intensity when the component ages during operation and during repairs. A numerical technique is developed and illustrated for the alternative case, i.e. when ageing stops during repairs. The asymptotic behaviour is described in terms of two measures of the age-dependent expected time to the next failure.

1 INTRODUCTION

Components are usually assumed to be "as good as new" or "as bad as old" following repair. With perfect repair the times between failures are identically distributed and mutually independent, and the failure–repair process is an alternating renewal process (RP). In the latter, minimal repair, process the future failure probability of a unit operating at time t is independent of events before t, i.e. the same as if the unit had never failed before t. When repair times are negligible, this process is called a non-homogeneous Poisson process (NHPP) because the number of failures in any finite time interval obeys a Poisson distribution. Practical analytical and numerical techniques are available to calculate the failure intensity for these processes when repair times are negligible, given that numerical values are available for the component reliability parameters. The calculation of the failure intensity and the availability with finite repair times usually calls for approximations or numerical solutions of integral equations (Vaurio 1997). In reality, the RP assumptions are hardly valid unless the unit is replaced at failure. The existence of truly minimal repairs is also questionable.

A few models have been developed for more general imperfect repairs that make the unit "better than old but worse than new" after repair. Virtual age models are based on the assumption that after repair the unit behaves like a younger unit that never failed. Using this concept Kijima et al. (1988) have developed a basic integral equation and an approximate numerical solution method for the failure intensity in the special case of zero repair times, when each repair can reduce only the age accrued after the previous repair. This paper develops other practical analytical and numerical techniques to determine two quantities of interest in system reliability and risk analyses, the failure intensity and the availability, both with finite repair times. Taking finite repair times into account is the main contribution. This is done in two ways. An exact Volterra integral equation and an approximate solution are provided for the intensity when component ageing continues during repairs. A numerical technique is developed and illustrated for the alternative case, i.e. when ageing stops during repairs. The asymptotic behaviour of the failure intervals is also studied.

1.1 Notation

A(t)   Availability, A(t) = 1 − u(t)
F(x)   1 − e^(−H(x)), cumulative distribution of the time to first failure, X_1
f(x)   Probability density of X_1, f(x) = dF(x)/dx
G(t)   Cumulative distribution of the repair time
Ḡ(t)   1 − G(t)
H(t)   Cumulative hazard, integral of h(t) over (0, t)
h(t)   Hazard rate; h(t) dt = dH(t) is the conditional probability of failure in (t, t + dt), given that no failure occurred in (0, t)
R(t)   Reliability, R(t) = 1 − F(t)
u(t)   Unavailability, u(t) = 1 − A(t)
t_f    Mean time to first failure, integral of R(t) over (0, ∞)
τ_r    Mean repair time (duration)
τ      Fixed repair time
W(t)   Expected number of failures in (0, t)
w(t)   Failure intensity, w(t) = dW(t)/dt
X_n    Length of the nth lifetime (operational period)


2 BASICS OF PERFECT AND MINIMAL REPAIRS

To justify an approach to approximate solutions, some quasi-static or asymptotic results are pointed out for perfect (RP) and minimal repair processes. First, it is well known that the failure intensity of an RP approaches asymptotically in time w = 1/(tf + τr) and the unavailability u = wτr.

Secondly, it is well known that the expected number of failures in time t for an NHPP (minimal repair) with instantaneous repairs is W(t) = H(t) and the hazard rate h(t) equals the intensity w(t). The unavailability vanishes with instantaneous repairs.

If repair times are finite with minimal repair and the unit continues ageing during repairs, it has been shown (Vaurio 1997, Equation 33) that a good approximation for both small and large t is

(1)

approaching w(t) → h(t)/[1 + τrh(t)] for large t, and the availability A(t) = w(t)/h(t) → 1/[1 + τrh(t)]. These results motivate the development of the approximation w(t) ≈ 1/(tm + τr), where tm is the time to the next expected failure, satisfying H(t + tm) − H(t) = 1. With imperfect repairs tf and/or tm will be replaced with a measure of the time to the next failure when a unit has a certain virtual age.

2.1 Unavailability

It is assumed throughout this paper that repair times (durations) are identically distributed and mutually independent. Then the exact relationship between the unavailability and the failure intensity with all models is

(2)

the sum of the probabilities of all failures for which repair is not completed before t. With a fixed repair time τ, the unavailability is exactly u(t) = W(t) for t < τ and u(t) = W(t) − W(t − τ) for t ≥ τ. With a general repair time distribution, when w(t) changes little within one repair time, Equation 2 yields u(t) ≈ w(t)τr for large t.

Because Equation 2 is common to all models, we can now concentrate on solving the intensity w(t).

3 THE VIRTUAL AGE MODEL

3.1 Instantaneous repairs

Let Vn be the virtual age of a unit immediately after the nth repair. This means that the hazard rate of the unit at time x after the repair is h(Vn + x). The cumulative distribution of Xn is

(3)

If an instantaneous repair is completed at time t and the virtual age V(t) immediately at t+ is known, one can define the distribution of the time to the next failure as a conditional distribution

(4)

The mean time to the next failure of a component at age V(t) is

(5)

The time to the next expected failure tm[V(t)] is the 63rd percentile of Q(x | V), corresponding to the solution of the equation

(6)

A rough failure intensity approximation is w(t) ≈ 1/tav(t), where tav(t) equals tm[V(t)] or tf[V(t)]. Note that both tf and tm depend on time t only through the virtual age V(t). It is essential that V(t) is known, to be able to solve the average lifetime parameters. This is the case with the following virtual age model (Kijima Type I). It is assumed that the nth repair can remove damage incurred during the nth lifetime and reduces the additional age Xn to θXn, where 0 ≤ θ ≤ 1. This means that

Thus, when repairs take no time, the age of a unit after repair at time t is known, V(t) = θt, no matter how many repairs have taken place before. Three theorems in the Appendix indicate close relationships between tm(V), tf(V) and h(V) in many practical situations. Exploratory numerical studies have been carried out on the validity of w(t) ≈ h(t) and w(t) ≈ 1/tav(t) with a Weibull distribution

(7)

The initial values at V(0) = 0 are tm(0) = α and tf(0) = αΓ[(1 + β)/β]. For β > 1, h(t) is increasing and tf(0) < tm(0). Equation 6 yields


In case β � 2, tf(V) can be solved numerically from Equation 5. Studies have shown that the approximation w(t) ≈ 1/tav(t) is not quite satisfactory for small t (t < 2α) even if tm and tf are rather close to each other for t > 2α, and both are between the limits 1/h(V) and 1/h[V + 1/h(V)].

For small enough t, when failures are unlikely, the intensity is w(t) ≈ h(t). An improved overall approximation is a weighted average of two solutions, one valid for small t and the other one for large t, i.e. w(t) ≈ R(t)h(t) + F(t)/tav(t). This form is valid rather well unless the standard deviation of X1 is small compared to tav(0). In the special case of constant h(t) = λ the approximation is exact, w(t) = λ, because tf = tm = 1/λ. Studies with the Weibull example have shown that h(t) is close to f(t) + F(t)/tm(t) and f(t) + F(t)/tf(t), as it should be when θ = 1. The approximations slightly overestimate the intensity for increasing h(t), but the accuracy is reasonable over a long period.
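As an added illustration (example code written for this edit, not from the paper), the quantities of Section 3.1 and the bounds of the Appendix theorems for the Weibull hazard of Equation 7. The Weibull form is assumed here to be H(t) = (t/α)^β, because that is the form reproducing the stated initial values tm(0) = α and tf(0) = αΓ[(1 + β)/β]. tm(V) is then the closed-form root of H(V + tm) − H(V) = 1 (Equation 6), tf(V) is Equation 5 integrated numerically, and the last function is the weighted approximation w(t) ≈ R(t)h(t) + F(t)/tav with V(t) = θt. The function names, the Simpson cut-off and the parameter values in the usage are my choices.

```python
import math

# Added example, not code from the paper. Weibull hazard of Equation 7 in the
# form H(t) = (t/alpha)**beta, which is the form that reproduces the stated
# initial values tm(0) = alpha and tf(0) = alpha*Gamma((1 + beta)/beta).

def cum_hazard(t, alpha, beta):
    """Cumulative hazard H(t) = (t/alpha)**beta."""
    return (t / alpha) ** beta

def hazard(t, alpha, beta):
    """Hazard rate h(t) = dH/dt = (beta/alpha) * (t/alpha)**(beta - 1)."""
    return (beta / alpha) * (t / alpha) ** (beta - 1)

def t_m(v, alpha, beta):
    """Time to the next expected failure at virtual age v (Equation 6):
    the root of H(v + tm) - H(v) = 1, closed-form for the Weibull."""
    return alpha * ((v / alpha) ** beta + 1.0) ** (1.0 / beta) - v

def t_f(v, alpha, beta, n=20000):
    """Mean time to the next failure at virtual age v (Equation 5):
    integral over x >= 0 of exp(-[H(v + x) - H(v)]), by Simpson's rule on
    [0, x_max] where x_max is the point at which the exponent reaches 40
    (the neglected tail is below 1e-17)."""
    x_max = alpha * ((v / alpha) ** beta + 40.0) ** (1.0 / beta) - v
    h_v = cum_hazard(v, alpha, beta)
    step = x_max / n
    total = 0.0
    for i in range(n + 1):
        weight = 1 if i in (0, n) else (4 if i % 2 else 2)
        total += weight * math.exp(-(cum_hazard(v + i * step, alpha, beta) - h_v))
    return total * step / 3.0

def theorem_a_bounds(v, alpha, beta):
    """Theorem A for non-decreasing h (beta >= 1) and v > 0:
    1/h[v + 1/h(v)] <= tm(v) <= 1/h(v)."""
    upper = 1.0 / hazard(v, alpha, beta)
    lower = 1.0 / hazard(v + upper, alpha, beta)
    return lower, upper

def bounds_hold(v, alpha, beta):
    """True when tm(v) lies inside the Theorem A bounds and tf(v) obeys
    Theorem C, tf(v) <= 1/h(v)."""
    lower, upper = theorem_a_bounds(v, alpha, beta)
    return lower <= t_m(v, alpha, beta) <= upper and t_f(v, alpha, beta) <= upper

def intensity_approx(t, alpha, beta, theta, use_tf=False):
    """Weighted approximation of Section 3.1 for instantaneous repairs:
    w(t) ~ R(t)h(t) + F(t)/tav, with tav = tm or tf evaluated at the virtual
    age V(t) = theta*t of the Kijima type I model (theta in [0, 1])."""
    v = theta * t
    r = math.exp(-cum_hazard(t, alpha, beta))
    tav = t_f(v, alpha, beta) if use_tf else t_m(v, alpha, beta)
    return r * hazard(t, alpha, beta) + (1.0 - r) / tav

if __name__ == "__main__":
    alpha, beta, theta = 1.0, 3.0, 0.5   # constructed values, not the paper's
    print("tm(0) =", t_m(0.0, alpha, beta), " tf(0) =", t_f(0.0, alpha, beta))
    for t in (0.5, 1.0, 2.0, 4.0):
        print(f"t={t}: w_tm={intensity_approx(t, alpha, beta, theta):.4f}",
              f"w_tf={intensity_approx(t, alpha, beta, theta, use_tf=True):.4f}",
              "bounds ok:", bounds_hold(theta * t, alpha, beta))
```

For β = 1 the approximation returns exactly 1/α at every t, as the text states for constant hazard; for β > 1 and V > 0 the Theorem A bounds bracket tm(V) and Theorem C bounds tf(V) from above, and tf(0) < tm(0) as stated for increasing hazard.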

Let us now evaluate the integral of the approximation, the expected number of failures

(8)

in an example that was solved exactly in Kijima et al. (1988). The example has

(9)

In this case tf can be solved from Equation 5 in closed form

(10)

which is a function of time through V = θt. With F(x) = Q(x | 0) Equation 8 can also be integrated as

(11)

To verify the accuracy of this formula it is compared in case � = 1 with the exact solution of Kijima et al. (1988) in Table 1 for the parameter values (a, b) = (1.5, 1) and (1, 2).

The derivative w(t) ≈ a can be observed for small t and w(t) ≈ b for large t. The approximation overestimates in case of increasing hazard rate (b > a) and underestimates in the opposite case (b < a). It can be shown that in both cases the integral hazard H[V(t)] is less accurate than the suggested approximation (Eq. 8).

3.2 Finite repair times with ageing during repairs

In this section each repair takes a finite time τ, and the unit ages also during repair. The effect of repairs is as follows. The nth repair reduces the latest accumulated age Xn + τ to θ(Xn + τ). Then the virtual age immediately after repair completion at t is again V(t) = θt, no matter how many failures occurred before. It is now possible to find the exact integral equation for w(t): w(t)dt is the sum of the expected first failure and failures at t′ repaired at t′ + τ ≤ t with the next failure in (t, t + dt]. Thus,

(12a)

(12b)

This yields Equation 14 of Kijima et al. (1988) as the special case (τ = 0). The integral of 12 is

(13a)


Table 1. Expected number of failures in time t for two cases.

            a = 1.50, b = 1.00          a = 1.00, b = 2.00
   t        W(t) exact   W(t) approx.   W(t) exact   W(t) approx.
   0.10      0.1498       0.1495         0.1002       0.1002
   0.30      0.4458       0.4403         0.3037       0.3040
   0.50      0.7330       0.7155         0.5150       0.5172
   0.70      1.0091       0.9748         0.7368       0.7436
   0.90      1.2737       1.2206         0.9704       0.9855
   1.10      1.5274       1.4555         1.2165       1.2439
   1.50      2.0067       1.9017         1.7465       1.8099
   2.50      3.1003       2.9464         3.2722       3.4609
   3.50      4.1277       3.9565         5.0135       5.3162
   4.50      5.1352       4.9587         6.8840       7.2605
   5.50      6.1371       5.9592         8.8229       9.2396
   6.50      7.1376       6.9593        10.7954      11.2319
   7.50      8.1387       7.9594        12.7834      13.2291
   8.50      9.1378       8.9594        14.7783      15.2280
  10.00     10.6378      10.4594        17.7756      18.2275
  12.00     12.6378      12.4594        21.7748      22.2274
  14.00     14.6378      14.4594        25.7747      26.2274
  16.00     16.6378      16.4594        29.7747      30.2274
  18.00     18.6378      18.4594        33.7747      34.2274
  20.00     20.6378      20.4594        37.7747      38.2274
  23.00     23.6378      23.4594        43.7747      44.2274


(13b)

where tav can be tf[V(t+)] or tm[V(t+)].

3.3 Finite repair times without ageing during repairs

If the unit does not age during repair, the virtual age after the repair completion of the nth failure at time t is V(t) = θ(t − nτ). Now n is a random number at a fixed time t, and V(t) is a random function not known in advance. The average age after repairs completed around t is approximately

(14)

Then Equations 5 and 6 yield times tf and tm that may be used to calculate the expected number of failures up to time t from 13. Now W(t) appears on both sides of 13 and it is necessary to use a numerical procedure.

4 NUMERICAL PROCEDURE AND AN EXAMPLE

A numerical procedure to solve W(t) based on Equations 13 & 14 for ti = iΔ, i = 0, 1, 2, … with small Δ ≪ τ is as follows:

0° Initial values: W0 = 0, u0 = 0, V0 = 0;
1° For ti < τ: Wi = ui = F(ti);
2° Vi = θ(ti − Wiτ);
3° Solve tm(Vi) from Equation 7; in case of the Weibull model

4° i → i + 1, return to 1°.

The availability A(t) = 1 − u(t) is presented in Figure 1 in case of the Weibull hazard (7) with values � = 0.25, � = 3.0, � = 0.05, � = 1. The expected number of failures W(t) is presented in Figure 2. An alternative is to solve tf(Vi) from Equation 5 and use it in place of tm(Vi) in steps 3° and 1°.
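The loop of steps 0° to 4°, as an added example (code written for this edit, not the paper's; the paper's Equation 13 is not reproduced on this page). Equation 14 is taken as V(t) = θ[t − W(t)τ], which is what step 2° states, and u(t) comes from Equation 2 with a fixed repair time. For the intensity at ti ≥ τ the block substitutes the quasi-static form 1/(tav + τ) of Section 2, weighted with the first-failure density as in Section 3.1; that substitution is an assumption of this example and is labelled in the code. The parameter values in the usage are constructed and are not those of Figures 1 and 2.

```python
import math

# Added example, not the paper's code: steps 0 to 4 of Section 4 on a grid
# t_i = i*step with step << tau, for the Weibull hazard H(t) = (t/alpha)**beta.
# Equation 13 is not reproduced on the page; the intensity used below for
# t_i >= tau is an assumption of this example: the quasi-static form
# 1/(tav + tau) of Section 2, weighted with the first-failure density as in
# Section 3.1. Equation 14 is taken as V(t) = theta*[t - W(t)*tau] (step 2).

def weibull_H(t, alpha, beta):
    return (t / alpha) ** beta

def weibull_h(t, alpha, beta):
    return (beta / alpha) * (t / alpha) ** (beta - 1)

def weibull_tm(v, alpha, beta):
    """Step 3: root of H(v + tm) - H(v) = 1, closed-form for the Weibull."""
    return alpha * ((v / alpha) ** beta + 1.0) ** (1.0 / beta) - v

def march(t_end, alpha, beta, theta, tau, step):
    """Return (t, W, u, A) on the grid; step must be a fine divisor of tau."""
    k_tau = int(round(tau / step))          # grid points per repair time
    if k_tau < 2 or abs(k_tau * step - tau) > 1e-12:
        raise ValueError("step must be a small divisor of tau")
    n = int(round(t_end / step))
    t = [i * step for i in range(n + 1)]
    W = [0.0] * (n + 1)                     # step 0: W0 = 0
    u = [0.0] * (n + 1)                     #         u0 = 0
    V = [0.0] * (n + 1)                     #         V0 = 0
    tm = weibull_tm(0.0, alpha, beta)
    for i in range(1, n + 1):
        ti = t[i]
        F = 1.0 - math.exp(-weibull_H(ti, alpha, beta))
        if ti < tau:
            # Step 1 for t < tau: no repair can be complete, only the first failure counts
            W[i] = F
        else:
            # Step 1 for t >= tau (assumed intensity, see the comment at the top)
            w = (1.0 - F) * weibull_h(ti, alpha, beta) + F / (tm + tau)
            W[i] = W[i - 1] + step * w
        # Step 2 (Equation 14): ageing stops during the W(t)*tau spent in repair
        V[i] = theta * max(0.0, ti - W[i] * tau)
        # Step 3: next expected failure at the new virtual age
        tm = weibull_tm(V[i], alpha, beta)
        # Equation 2 with a fixed repair time: u(t) = W(t) - W(t - tau), u = W for t < tau
        u[i] = W[i] - (W[i - k_tau] if i >= k_tau else 0.0)
    A = [1.0 - x for x in u]
    return t, W, u, A

def final_unavailability(t_end, alpha, beta, theta, tau, step):
    """Convenience wrapper returning u(t_end)."""
    return march(t_end, alpha, beta, theta, tau, step)[2][-1]

if __name__ == "__main__":
    # Constructed parameter values, not those of Figures 1 and 2.
    t, W, u, A = march(60.0, 1.0, 3.0, 0.25, 0.05, 0.005)
    for i in range(0, len(t), 2000):
        print(f"t={t[i]:5.1f}  W={W[i]:8.2f}  A={A[i]:.3f}")
```

With β = 1 the virtual age drops out (tm = α for every V), the intensity settles at 1/(α + τ) and u(t) approaches τ/(α + τ), the alternating renewal result quoted in Section 2; that is the check a reader can run before trusting the Weibull output.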

5 CONCLUSIONS AND DISCUSSION

Analytical and numerical techniques have been developed to determine the failure intensity and the availability of a unit when repairs take time and reduce the virtual age. An exact Volterra integral equation and approximate solutions were provided when repairs take time and component ageing continues during repairs. A numerical technique was developed and illustrated when ageing stops during repairs. The approximations are reasonable when the component lifetime variance is not very small.

One advantage of this technique is to avoid iterative techniques and Monte Carlo simulations that would be expensive or prohibitive for large systems with hundreds of components. Analytical expressions are also useful when one needs to estimate parameters for the model. For large t and increasing h(t) studies so far indicate that W(t) ≈ H(θt)/θ (in case of instantaneous or fast repair). This could be fitted to the observed number of failures N(t) as a “quick and easy” estimation of θ when the parameters (e.g. α and β) of a new unit are known.

The principle of the suggested method can be used for imperfect repair models other than Kijima types.

[Figure 1: availability A(t), y-axis 0 to 1, plotted against t, x-axis 0 to 60.]

Figure 1. Availability with Weibull hazard; � = 0.25, � = 3.0, � = 0.05, � = 1.

[Figure 2: expected number of failures W(t), y-axis 0 to 800, plotted against t, x-axis 0 to 60.]

Figure 2. Expected number of failures with Weibull hazard; � = 0.25, � = 3.0, � = 0.05, � = 1.

For example, if minimal repairs are performed during a warranty period 0 < t < Tw, one can use Equation 1 for this period. If repairs after that always bring the unit to age Vw, slightly modified Equations 8 or 13 may be used for t > Tw, with V(t+) replaced by Vw.

Numerical examples have indicated that the suggested approximations may have some bias. With increasing h(t) they tend to overestimate W(t) because they underestimate the times between failures around t. The intensity at t is more related to the hazard rate and age at an earlier point in time, roughly at t − tf or t − tm. Such improvements and the relative merits of tf(t) and tm(t) in the current formalism remain subject to future work.

REFERENCES

Vaurio, J.K. 1997. Reliability characteristics of components and systems with tolerable repair times. Reliability Engineering and System Safety 56: 43–52.

Kijima, M., Morimura, H. & Suzuki, Y. 1988. Periodical replacement problem without assuming minimal repair. European Journal of Operational Research 37: 194–203.

APPENDIX

Theorem A.

If h(t) is non-decreasing for t larger than some t*, then the bounds of tm = tm(t) for virtual age V = V(t) ≥ t* are

If V(t) and h(t) increase without limit for t → ∞, the bounds are tight for large t and tm → 1/h[V(t)].

Proof: From the definition H(tm + V) − H(V) = 1 and monotonic h(t) follows first h(V)tm ≤ 1 (the first inequality) and h(V + tm)tm ≥ 1; then V + 1/h(V) ≥ V + tm leads to the second inequality. With increasing h[V(t)] the bounds merge for increasing t.

Theorem B.

If h(t) is asymptotically constant for increasing t and V(t) is asymptotically increasing without limit or is asymptotically constant, then both tm(t) → 1/h[V(t)] and tf(t) → 1/h[V(t)] for large t.

Proof: The condition H(tm + V) − H(V) = 1 with asymptotically constant h[V(t)] yields h[V(t)]tm → 1.

The definition (Equation 5) of tf(t) becomes asymptotically

For finite t it may be more useful to know the bounds of tm and tf if the bounds of h(t) are known:

Corollary: If h(t) is known to be between some bounds ha and hb for all t ≥ t*, then both tm and tf are between 1/hb and 1/ha for V(t) ≥ t*.

Proof: This follows from the fact that there is a y such that H(V + x) − H(V) = h(y)x and V ≤ y ≤ V + x, and h(y) then is between ha and hb when V ≥ t*.

Theorem C.

If h(t) is non-decreasing for t ≥ t*, then tf(t) ≤ 1/h[V(t)] for V(t) ≥ t*.

Proof: The non-decreasing h(t) means H(x + V) − H(V) ≥ h(V)x for V ≥ t*. From the definition (Equation 5) then follows tf ≤ 1/h(V) for V ≥ t*.


Quantification and uncertainties of common cause failure rates and probabilities

J.K. Vaurio, Fortum Power and Heat Oy, Loviisa, Finland & Lappeenranta University of Technology, Lappeenranta, Finland

ABSTRACT: Simultaneous failures of multiple components due to common causes at random times are modelled for standby safety systems by multiple-failure rates rather than probabilities per demand. Extensions and improvements are made to estimating such rates from single- or multiple-plant event data with uncertainties, and to determining basic common cause event probabilities for explicit fault tree models in terms of the rates, test intervals, test schedules and repair policies. Such models are needed especially in standby safety system reliability analysis, testing optimisation and in risk-informed applications. The probabilities are derived such that the correct time-average system unavailability can be obtained with a single fault tree quantification. Improvements are made in the rate estimation with generalised impact vectors, and the probabilities now include higher-order terms and are independent of the system logic (success criterion).

1 INTRODUCTION

Common cause events are defined as events that cause simultaneous failed states of multiple components due to a common cause. Such common cause failures (CCF) often dominate the unavailability of a standby safety system designed to react to a threatening incident. Most earlier CCF models still in use are based on constant probabilities per demand, and generic ratios (alpha- or beta-factors or multiple Greek letters) between them. Failures that occur at random times in reality have to be modeled by general multiple-failure rates λi, λij, λijk, … etc., defined so that λij…dt is the probability of an event failing specific components i, j, … in a small time interval dt. These failures remain latent in a standby system until discovered by a scheduled test. Components are tested periodically to detect and repair possible failures. Because single failures and CCF can occur at any time, the system unavailability can be a complicated function of time in terms of the event rates, test intervals, test scheduling and repair policies. When a system fault tree is drawn and the system unavailability is computed step by step as a time-dependent function, the time-dependent CCF event probabilities can be determined as

P[Zijk…(t)] = λijk…(t − Tt) = probability of failed states of components i, j, k, … at time t due to a common cause failing exactly these components simultaneously with rate λijk…, when the last possible discovery (test) and repair of such a failure was at Tt.

In fault tree models such basic events are input through OR gates to components i, j, k, …, as illustrated in Figures 1 and 2. Modern computer codes for fault tree quantification should use such models and input data, especially for on-line monitoring of system unavailability or risk. This model properly describes the random entry of CCFs and provides correct quantification of the time-dependent and average unavailabilities of a system, as explicit functions of

[Figure 1: a 2-out-of-3 gate (2/3) with inputs X1, X2, X3.]

Figure 1. Component-level fault tree (example).


test intervals and schedules. Unlike the probability-per-demand models, this model allows risk- and cost-based optimisation of test intervals.

The first topic of this paper deals with estimation of the rates λijk… under uncertainties associated with incomplete records and ambiguities of event observations and interpretations. The moments of the rates are obtained with a method that extends earlier results (Mosleh et al. 1989, 1993, Siu & Mosleh 1989, Vaurio 1994a) to more complex observations.

The second problem solved here is: how to define the input probabilities of a fault tree model so that the correct time-average risk or system unavailability can be obtained with a single fault tree computation, avoiding the multiple step-by-step calculations discussed above. The following features extend the earlier results of Vaurio (1994b):

– probabilities depend only on system (group) size n and not on the system success criterion;
– non-linear functions in terms of the test interval T; an earlier method produced only linear terms;
– probabilities for general groups of n non-identical components and non-symmetric probabilities.

Three testing and repair policies are considered: consecutive testing, staggered testing with extra tests, and staggered testing without extra tests.

1.1 Notation

λk/n = rate of CCF events failing specific k trains or channels (and no others) in a system with n redundant trains or channels; λk/n dt is the probability of a CCF event in a small time interval dt; k = 1, 2, …, n, n = 2, 3, 4
λij… = rate of CCF events failing exactly components i, j, …; due to space limitations results are presented here only for the symmetric case λi = λ1/n, λij = λ2/n for all i, j, …, etc.
k/n-event = an event able to fail exactly k trains in a system with n trains
�k/n = rate of CCF events failing exactly k (any k) trains per event in a group of n trains,

(1)

Nk/n = number of k/n-events in exposure time Tn
T = test interval; the duration of each test and repair is assumed ≪ T, and λij…T ≪ 1 for all rates
Tn = observation time for a group of n trains.

2 UNCERTAINTY ANALYSIS

This section addresses data uncertainties in standby systems where failures are discovered mostly by periodic tests. For example, when four failures are discovered in a test cycle, they could be due to a single 4/4-event, or a coincidence of 3/4- and 1/4-events, or two 2/4-events, or even more overlapping events. Consequently, we do not truly know the number of events (“shocks”) associated with a single observation (test cycle). It makes a difference to uncertainty assessment whether there is a single k/n-event in two observations or two k/n-events in a single observation. There is a need to accept impacts with the possibility of 0, 1 or 2 k/n-events at least (of the same multiplicity) in a single observation. Since failures are rare events in the sense that the probability of occurrence in a single test interval is small compared to unity, the probability of more than two k/n-events in one interval is assumed to be negligible: not more than two k/n-events of the same multiplicity k can be associated with any observation i, i = 1, 2, …, N. The number of events is a random number while the number of observations (e.g. test cycles), N, is fixed or known. Allowing impact vector component values 0, 1, 2, the assessor has to estimate the following weights for each observation (test) i and failure multiplicity k:

wi,δ(k/n) = the probability (conditional on the symptoms and characteristics seen by the assessor) of exactly δ (δ = 1, 2) k/n-events in observation i (i = 1, 2, …, N).

Multiple events of different multiplicities k/n are allowed in one observation. Actually wi,0(k/n) does not affect the rate estimation. For a given multiplicity k/n the estimator �k/n has a gamma distribution with mean (Nk/n + 1/2)/Tn and variance (Nk/n + 1/2)/Tn² when Nk/n is known. But now Nk/n is unknown due to the assessment uncertainties. The following mean and variance can be obtained for the k/n-event rates (Vaurio 2002a).

[Figure 2: component event X2 fed by the cause-events Z2, Z12, Z23 and Z123.]

Figure 2. Component event X2 modelled by cause-events Zij...

(2)

(3)

where the moments of Nk/n are

(4)

(5)

These results combine assessment uncertainties with statistical uncertainties.

Moments for the CCF rates of specific k components are, based on Equation 1,

(6)

E(λk/n) is the best estimate and both moments together define the uncertainty distribution.

3 CCF PROBABILITIES FOR FAULT TREE MODELS

The task in this section is to show how the rates λk/n can be used to determine probabilities of a fault tree model so that the correct time-average risk or system unavailability can be obtained with a single fault tree computation, avoiding multiple step-by-step calculations as a function of time.

3.1 Simultaneous or consecutive testing

When parallel trains of a system are tested simultaneously or consecutively and the test duration is small compared to T, the average residence time of failures occurring with any rate λk/n is approximately ½T. However, using the average failed state probabilities ½λk/nT for the basic events does not generally yield the correct time-average unavailability for the system. Correct values can be obtained by first calculating the time-average joint unavailabilities of the trains under the shocks, and then transforming these to the probabilities of explicit events Zij…. These transformations have been introduced at ESREL 2000 and more thoroughly later (Vaurio 2002b). Through the system fault tree these transformations yield correct explicit-event probabilities independent of the system success criterion. The probabilities are

(7)

These improve earlier results (Vaurio 1994b) in two ways:

1. the values depend on system size n but not on the system success criterion;

2. non-linear terms are included, improving the accuracy.

Using only linear terms the system unavailability could be underestimated by a factor of 3.

3.2 Staggered testing with extra tests and repairs

[Figure 3: timelines of TRAIN 1 and TRAIN 2 against t with test interval T, showing u1(t), u2(t) and u12(t).]

Figure 3. Staggered testing scheme for n = 2 trains. Single failure unavailabilities u1(t) and u2(t), CCF unavailability u12(t).

Uniformly staggered testing of n components means that there is a time delay T/n between the tests of components 1, 2, …, n, and each component is tested at intervals T. Figure 3 illustrates the time-dependent unavailabilities in case n = 2. With such staggering the average residence time of a CCF is generally shorter than with simultaneous testing. Consider the following Extra Testing and Repair Rule (ETRR):

Whenever a component is found failed in a test, the other n − 1 trains are also tested or inspected, and any failed components are repaired.

The joint unavailabilities of components can be solved analytically under a slightly different assumption that only CCF-specific failures are repaired at the extra tests. Transforming the joint unavailabilities to the probabilities of explicit events Zij… yields the following results, only slightly conservative for ETRR:

(8)

These improve earlier results by the non-linear terms and by being independent of system success criteria.

3.3 Staggered testing without extra tests

Another possibility with staggered testing is the following Individual Testing and Repair Policy (ITRP):

Components are tested and repaired individually with intervals T. No other component is tested immediately even if one is found to be failed.

Exact analysis is rather complicated because a triple failure changes to a double failure in one test/repair, and a double failure to a single failure. This is why higher order rates appear in lower order joint probabilities. Transforming the time-average joint probabilities to explicit event probabilities yields

(9)

Only linear terms have been solved for n = 4 in this case. These results also improve the earlier ones by non-linear terms (for n = 2, 3) and by being independent of system success criteria. Note that some probabilities for n = 4 are not symmetric (z12 ≠ z13) even when the rates are symmetric (λ12 = λ13 = λ2/4).

4 QUANTIFICATION PROCEDURE

A suggested comprehensive CCF quantification procedure is presented in Figure 4. It starts with a collection of available generic CCF event data sources, including data for the plant under study. For a specific system and component type the target plant has a certain number of components, n. Option 1 is to select plants (systems) ν with the same n, and determine the impact vector weights wi,δ(k/n) for all events i observed over the times Tn(ν) of those plants. For each plant individually one can estimate the moments of the rates using Equations 2 through 6, and then use the mean values E(λk/n) to determine the best-estimate CCF event probabilities through Equations 7, 8 & 9.

One can also estimate “group rates” by adding up the observation times Tn(ν) and the event moment Equations 4 and 5 for all plants with the same n, and use these in Equations 2 and 3. These would be valid under the assumption of completely identical plants.

However, because plants are individual and CCF are rare events, it is generally believed that one can improve the estimates by using an empirical Bayes method that uses data from many selected plants to generate a prior distribution (population distribution), and then get plant-specific posterior rates for the plant of interest. Such methods use input data in the form of pairs (Ñk/n, T̃n) for each plant, where Ñk/n is a Poisson distributed number of events in observation time T̃n. Due to the assessment uncertainties such known Ñk/n are not available. But one can determine effective event statistics, values Ñk/n and T̃n, that yield the same moments as Equations 2 & 3, i.e. satisfying the conditions

(10)

(11)

Using such data (Ñk/n, T̃n) as input to the empirical Bayes process one can obtain a common prior distribution and plant-specific posterior distributions for all CCF rates of interest. The mean values are then used for the best-estimate CCF event probabilities in Equations 7, 8 & 9.

This method has been demonstrated using international common cause failure data (Vaurio & Jänkälä 2002) in case � � 2. Examples of posterior CCF rates for groups of n = 4 pumps and diesel generators at the Loviisa 1 power plant are given in Table 1 using two data sources, EPRI and ICDE.

Another option is indicated in Figure 4 by the box “Mapping down/up”. It is a way to utilise data from plants that have a group of n′ ≠ n similar components in a CCF group, transforming the weights wi,δ(k′/n′) to the weights wi,δ(k/n) suitable for the target plant. Rules that have been recommended for mapping down are based on the assumption λk/n = λk/n+1 + λk+1/n+1. This assumption is inherent in many earlier CCF models (Vaurio 1994b) but has not been empirically validated. Nevertheless, it yields the mapping down rule w(k/n) = [(n + 1 − k) w(k/n+1) + (k + 1) w(k+1/n+1)]/(n + 1). Mapping up may be based on assuming some generic ratio r = λm+1/m+1/λm/m.
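An added example (code written for this edit, not from the paper) of the two data-handling steps of this section: the mapping-down rule just quoted applied to an impact vector, and the moments of a k/n-event count from generalised impact-vector weights wi,1 and wi,2 combined with the gamma moments (Nk/n + 1/2)/Tn and (Nk/n + 1/2)/Tn² of Section 2. The combination over the uncertain Nk/n is my own law-of-total-variance reconstruction assuming independent observations; the paper's Equations 2 to 5 are not reproduced on this page and may differ in detail. The weights and observation time in the usage are constructed.

```python
# Added example, not code from the paper. Implements the mapping-down rule
# quoted in this section and the first two moments of a k/n-event count from
# generalised impact-vector weights w_{i,1}, w_{i,2}. Combining them with the
# gamma moments (N + 1/2)/T and (N + 1/2)/T**2 of Section 2 over an uncertain
# N is my own law-of-total-variance reconstruction; the paper's Equations 2
# to 5 are not reproduced on the page and may differ in detail.

def map_down(weights):
    """weights[k] = w(k/(n+1)) for k = 0..n+1 (an impact vector for a group of
    n+1 components). Returns w(k/n) for k = 0..n from
        w(k/n) = [(n+1-k) w(k/n+1) + (k+1) w(k+1/n+1)] / (n+1),
    i.e. the removed component is one of the n+1-k survivors with probability
    (n+1-k)/(n+1) and one of the k+1 failed ones with probability (k+1)/(n+1)."""
    n = len(weights) - 2
    if n < 1:
        raise ValueError("need a group of at least two components")
    return [((n + 1 - k) * weights[k] + (k + 1) * weights[k + 1]) / (n + 1)
            for k in range(n + 1)]

def event_count_moments(obs):
    """obs: per observation i, a pair (w_{i,1}, w_{i,2}) = probabilities of
    exactly one and exactly two k/n-events of the multiplicity under study
    (w_{i,0} = 1 - w_{i,1} - w_{i,2} does not enter). Observations are assumed
    independent, so the moments of N = sum_i d_i add up."""
    mean = 0.0
    var = 0.0
    for w1, w2 in obs:
        if w1 < 0 or w2 < 0 or w1 + w2 > 1:
            raise ValueError("weights must be probabilities with w1 + w2 <= 1")
        m1 = w1 + 2.0 * w2          # E[d_i]
        m2 = w1 + 4.0 * w2          # E[d_i**2]
        mean += m1
        var += m2 - m1 * m1
    return mean, var

def rate_moments(obs, t_obs):
    """Mean and variance of the k/n-event rate over observation time t_obs.
    For known N the rate has mean (N + 1/2)/T and variance (N + 1/2)/T**2;
    with N uncertain: E = (E[N] + 1/2)/T and
    Var = E[Var|N] + Var[E|N] = (E[N] + 1/2)/T**2 + Var[N]/T**2."""
    n_mean, n_var = event_count_moments(obs)
    mean = (n_mean + 0.5) / t_obs
    var = (n_mean + 0.5 + n_var) / t_obs ** 2
    return mean, var

if __name__ == "__main__":
    # Constructed weights for a 4-train group and three test-cycle observations.
    print("mapped to 3 trains:", map_down([0.0, 0.1, 0.3, 0.2, 0.4]))
    obs = [(0.8, 0.1), (0.3, 0.0), (0.5, 0.25)]
    print("E[N], Var[N] =", event_count_moments(obs))
    print("rate mean, var per hour =", rate_moments(obs, 1000.0))
```

The mapping-down rule conserves the total weight of the vector, which is the first thing to check when a data source is mapped to a different group size. When every wi,2 is zero the count variance reduces to Σ wi,1(1 − wi,1), the classical single-event impact-vector case, so the generalised weights only add to the variance when the assessor admits a second event in the same test cycle.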

It is worth noticing that the current model and quantification does not need any other parametric models or ratios (alpha- or beta-factors, multiple Greek letters or binomial parameters) as intermediate steps: the CCF rates can be estimated directly from observed event data and used directly to create numerical input probabilities for the basic CCF events in fault tree models or other logic representations of a system. It is possible to calculate such ratios and parameters afterwards, if the system analysis software so requires. Ratios can be calculated for the rates (λk/n) or for the basic event probabilities (zk/n), depending on the requirements of the software in use. There are no universal generic ratio-parameters anymore, because they are different for different testing schemes and intervals, even in the same system.

[Figure 4: flowchart with the boxes EVENT DATABANK (ICDE, EPRI, NRC) → PLANTS (SYSTEMS) ν, EVENTS i, impact vector weights wi,δ(k/n;ν) → Mapping down/up → individual plant CCF rates λk/n(ν), mean & variance; group rates λk/n (OPTION); equivalent data Ñk/n(ν), T̃n(ν) → EMPIRICAL BAYES ESTIMATION λk/n(ν), prior and posteriors → EXPLICIT CCF BASIC EVENT PROBABILITIES for plant-specific PSA, Pr(Zjm..) = ck/n λk/n T + higher terms.]

Figure 4. Common cause failure quantification procedure.

Table 1. Loviisa 1 posterior mean values of CCF rates with two prior data sources [hr^−1].

CCF rate:                       λ2/4                  λ3/4                  λ4/4
System and component / Data source:  EPRI      ICDE      EPRI      ICDE      EPRI      ICDE
HP safety injection pumps       5.48E-07  4.62E-07  3.04E-07  2.73E-07  0.91E-07  0.56E-07
LP safety system pumps          2.96E-0   0.33E-07  0.91E-07  0.42E-0   0.91E-07  0.56E-07
Service water pumps             2.28E-07  1.35E-07  0.91E-07  0.76E-07  0.91E-07  0.63E-07
Component cooling pumps         0.77E-07  0.40E-07  0.91E-07  0.44E-07  0.91E-07  0.44E-07
Diesel generators               8.92E-07  10.8E-0   0.95E-07  4.21E-07  29.1E-07  35.0E-07

If the plant under study is new and has no operating experience, one can use the prior (population) mean values in this process, and prior distributions in uncertainty studies.

It is also possible to use data collected from plants (systems) that have a different number of components than the plant under study. But then one has to assume some transformation rules for mapping up or down the impact vector weights (or the rates) to be applicable to the plant under study.

5 CONCLUSIONS

Simultaneous failures of multiple components due to common causes at random times have been modelled for standby safety systems by general multiple-failure rates (GMFR) rather than probabilities per demand. This is considered more realistic than many traditional probability-per-demand models. Actual event evaluations have demonstrated that many causes of CCF enter between tests rather than due to tests or true demands. Some of the other features and advantages are:

• Correct time-dependent system risk/unavailability can be obtained with the GMFR model
• GMFR parameters can be estimated directly from multiple-failure event data over a specified time,
  – there is no need to know the total number of demands
  – there is no need to tie the GMFR parameters to single-failure rates (that generally have different causes than CCF)
  – assessment uncertainties and statistical uncertainties can be synthesised
  – an empirical Bayes method is available to utilise uncertain data from multiple plants
• GMFR does not need to assume or calculate any ratios between the rates of different multiplicities, or artificial mapping down or mapping up equations
• The probabilities obtained here for the basic events for steady-state calculation
  – yield correct average system risk/unavailability in a single system quantification
  – are explicitly dependent on test intervals and testing schemes, facilitating optimisation of these based on risk and/or cost
  – depend on the system/group size but are independent of the system success criterion

In this paper improvements were made to the procedure for estimating CCF rates from single- or multiple-plant event data with uncertainties, allowing more than one CCF event of a certain multiplicity in a single observation (test episode). This required the use of generalized impact vectors. Advancements were also made to determine basic common cause event probabilities for explicit fault tree models of standby systems in terms of the rates, test intervals, test schedules and repair policies. These probabilities yield the correct time-average system unavailability with a single fault tree quantification. The probabilities obtained are now independent of the system success criterion and include non-linear terms.

Future efforts should be directed towards effective CCF event data collection and evaluation. Quantitative analysis of the efficiency of various defences against CCF, including redundancy, diversity and programmable digital systems, is a worthy objective for future research.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7

Risk assessment for offshore installations in the operational phase

J.E. Vinnem
Stavanger University College/Preventor, Bryne, Norway

T. Aven
Stavanger University College, Stavanger, Norway

H. Hundseid
DNV, Høvik, Norway

K-A. Vassmyr
Acona Group, Stavanger

F. Vollen
Safetec Risk Management, Trondheim

K. Øien
SINTEF Industrial Management, Trondheim, Norway

ABSTRACT: Risk assessments for offshore petroleum installations have for more than 20 years focused on development of new installations or major modifications, using both qualitative and quantitative risk assessments. The risk assessments have often, especially the quantitative studies, placed an emphasis on major hazards. There is now focus on how risk assessments may be used most efficiently for installations in the operational phase. In this paper we review the challenges for use of risk assessment studies for installations in the operational phase, with the main emphasis on quantitative studies. The focus should mainly be on aspects that are available for influence in the operations phase, so-called free variables. When these are of a different nature from those that apply in the development phase, this should have strong impact on the studies being conducted. However, these changes to analytical approach have yet to be fully implemented.

1 INTRODUCTION

1.1 Background

1.1.1 Historical review regulations

The Norwegian safety regime for offshore petroleum installations and operations is founded on internal control. The licensees have the full responsibility for ensuring that the petroleum activities are carried out in compliance with the conditions laid down in the legislation, and the authorities' supervisory activities aim to ensure that the licensee's management systems are adequately catering for the safety and working environment aspects in their activities.

The initial petroleum legislation from the 1970s was technically oriented, with detailed and prescriptive requirements to both safety and technical solutions. The authorities, with the Norwegian Petroleum Directorate (NPD) in a key role, have gradually changed the legislation to a functional or goal-based orientation. Although regulations concerning internal control and safety were issued as early as 1985, the majority of the "new generation" regulations were issued in the early 1990s. From 1.1.2002 a substantial rationalization was implemented with 14 regulations reduced to 4.

Quantitative risk assessment (QRA) techniques were first given wide application in the Norwegian offshore oil and gas industry in the early 1980s. Of particular importance were the NPD regulatory guidelines for concept safety evaluation (CSE) studies, which were introduced in 1980. The guidelines introduced a quantified cut-off criterion related to the impairment frequency for nine types of accidents that could be disregarded in further evaluation processes, the so-called 10^-4 criterion (i.e. a criterion of 10^-4 per year for the so-called Main Safety Functions and for each accident type, and a total risk of up to nearly 10^-3 per year). Introduction of this criterion, which in practice was implemented as a risk acceptance criterion, attracted considerable attention worldwide. Until then, there were few attempts by authorities to approach the sensitive issue by making risk visible and subject to open debate.

The development of the Norwegian legislative regime was prompted by several serious accidents in the Norwegian Sector, culminating with the Alexander Kielland capsize in 1980, which resulted in 123 fatalities. A similar development of regulations occurred about 10 years later in the UK, based upon the Piper Alpha inquiry report (Lord Cullen, 1990) following the catastrophic explosion and fire in 1988 with 167 fatalities.

In the Norwegian regulations relating to implementation and use of risk analyses, which came into force in 1990, focus was on the risk analysis process. The scope of application of the regulations was extended compared to the CSE guidelines. Provisions were laid down for a more integrated and dynamic use of risk analyses, with suitable quality controls on the process, covering the whole life cycle of the petroleum activities.

Pursuant to the regulations, risk analyses are to be carried out in order to identify the accidental events that may occur in the activities. Further, they are to evaluate the consequences of such accidental events for people, for the environment and for assets and financial interests. The purpose of the risk analyses is to provide a basis for making decisions with respect to choice of arrangements and risk reducing measures. The operator is to define safety objectives and risk acceptance criteria. The objectives express an ideal safety level. Thereby they ensure that the planning, maintaining and the further enhancement of safety in the activities become a dynamic and forward-looking process. This means that accidental events must be avoided, the level of risk is kept as low as reasonably practicable (ALARP), and attempts are made to achieve reduction of risk over time, e.g. in view of technological development and experience. The need for risk reducing measures is assessed with reference to the acceptance criteria, for which the basis shall be documented in an auditable manner.

In 1992 NPD also issued a regulation on emergency preparedness (safety barriers). The most important elements of this regulation were that:

• The emergency preparedness of the activity in question shall be established on the basis of some defined situations of hazard and accident (i.e. scenario definitions).

• The operator shall define specific requirements relating to the effectiveness (performance standards) of the emergency preparedness measures.

• Analyses shall be carried out as a basis for the design of the emergency preparedness system.

New regulations replaced the old in 2002, but the main requirements related to risk analysis remained unchanged. However, a stronger focus has been placed on the context and the use of risk analysis, as well as on assessment and monitoring of barrier performance.

It has been recognized that current practices for quantitative studies have several deficiencies in relation to the requirements in the new regulations.

1.1.2 Challenges

Both qualitative and quantitative risk assessments are being used, for different purposes. This paper, however, has the main emphasis on quantitative studies. Further, major hazards as well as more limited, occupational hazards are being considered. The risk assessments have often, especially the quantitative studies, placed an emphasis on major hazards.

There has been in recent years focus on how risk assessments may be used most efficiently for installations in the operational phase. Qualitative studies may be used much in the same way as in the development phase. The transfer of the quantitative studies from the approach used in the development phase has been seen as a challenge, and a commonly accepted approach has yet to be developed. The focus of such studies should be on aspects that are available for influence in the operational phase, such as operational and maintenance measures. These are often called "free variables", and are different in the operational phase from the development phase. The analytical approach should be tailored to the free variables. When these are of a different nature from those that apply in the development phase, this should have strong impact on the studies being conducted. However, these changes to analytical approach have yet to be fully implemented. Quantitative studies for installations in the operational phase are still being conducted in much the same way as in the development phase.

The protection against major hazards in the offshore petroleum industry is based on the "defence in depth" concept, with multiple barriers (see Reason, 1997). Maintenance of the integrity of barriers is therefore an important aspect for risk management in the operational phase. This also implies that risk assessments in some cases will need to model how integrity of barriers may be impaired and what effect this will have on the risk levels.

Another important aspect in the operational phase is the performance of activities of short duration, with associated high risk levels, often in combination with special conditions and premises.

The above challenges are not only relevant for the oil and gas industry in Norway. In for example the UK and Australia the safety regime is similar to the Norwegian, and the use of risk analysis in the operational phase is also in these countries a topic for further research and development.

1.2 R&D context

The Norwegian Government has initiated a research program to improve the safety level offshore. The program is led by the Norwegian Research Council and a network of Norwegian institutions has been established to realize the program. The ambition is to obtain more adequate risk analysis tools, in general and for the operational phases in particular. The present work is a part of this program.

In coordination with this research program the Association of Norwegian oil companies has initiated a development activity to establish models of the safety barriers. Together these initiatives are considered to give a strong push forward for the application of risk analyses in the operational phase.

The first phase of this work considered needs for risk assessments as input to decision-making, and was conducted in 2002, see Acona Group (2002) and DNV/ScP (2002).

1.3 Purpose of paper

The purpose of the paper is to provide the following documentation:

• Review current status, use and experience
• Describe objectives for use of operational risk assessment (ORA)
• Identify areas for further improvement
• Suggest possible new approaches

Use of risk assessment for other purposes, like risk based inspection, reliability centered maintenance, etc. is not covered.

2 OBJECTIVES OF USE OF OPERATIONAL RISK ASSESSMENT

2.1 Overall objectives

Proposed objectives for operational risk assessment are as follows:

• Assess overall risk level in the operational phase, reflecting modifications and operational status (such as activity level and manning)
• Identify important improvement areas for operation
• Provide input to operational decisions relating to risk issues
• Identify how operational tasks and special operations may be safely carried out
• Identify adequate maintenance strategies
• Assess barrier performance and demonstrate effects on the risk level of barrier deterioration
• Communicate risk results and important factors to the workforce.

"Operational risk assessment" (ORA) is possibly more a "family of methods", rather than one single method, in contrast to Design risk assessment (DRA), by which most people will understand a specific analysis, usually referred to as "TRA", "QRA" or "PRA" in the nuclear power generation industry. The difference between ORA and DRA has been illustrated as shown in Figure 1 (Veire, 2002).

DRA studies are often relatively coarse, also due to the fact that not all details are known in the development phases. DRA studies have the main emphasis on main concept issues, and do not need to be very detailed.

ORA studies are indicated as rather different from this, very detailed in some selected areas, but could be even more coarse than DRA studies in other respects. The areas where fine details are analyzed may change over time, depending on what the needs are, according to the operational decisions that require input from the ORA study.

2.2 What is a good risk analysis?

The purpose of risk analysis is to provide support for decision-making, by producing descriptions of risk for alternative concepts, arrangements, systems, activity levels and measures. Furthermore, the analyses provide insights into the phenomena being studied and this can be used to improve the design and operation. The analysis can also be used to identify contributing factors to risk. Further, intermediate results may be used for dimensioning of capacities of emergency systems and functions. The analyses give support for choosing among alternatives, and they provide basis for deciding on risk being acceptable or not, and on the need for risk reducing measures.

A risk analysis is considered generally good if it can meet these objectives. The question is how we can judge that these objectives are met, and to what degree?

Basically, we see six main elements for being able to perform such a judgment and thus obtain a high quality of the analysis:

1. The degree that the user of the analysis is satisfied with the analysis as a basis for making decisions
2. The fulfillment of requirements set by the risk analyst discipline for an analysis to be good
3. The analysis team's understanding of the phenomena being analyzed and the decision making process and context
4. The analysis team's competence on risk analysis; principles, methods and models
5. The ability of the analysis to produce intermediate results for input to planning and emergency procedures
6. The accuracy and quality of the results of the analysis.

[Figure 1: two panels labelled "DRA" and "ORA(?)"; graphic not reproduced]
Figure 1. Difference between Design risk assessment and Operational risk assessment.

These aspects are discussed in more detail in Vinnem et al. (2003b).

2.3 Qualitative or quantitative analysis

The scope of work in the OLF project (see Acona Group, 2002; DNV/ScP, 2002) was focused on both qualitative as well as quantitative studies. It has been a typical situation that all risk assessment studies that are performed with direct application in the operational phase (except updating of Design QRA studies) have been qualitative studies.

This is considered to be a reflection of unsuitable methodologies for quantitative studies for operational matters, rather than a reflection of correct use of methodologies. In fact some of the authority requirements actually call for quantitative studies in areas where the normal approach currently is basically qualitative studies.

One of the purposes of the paper is to define the distinctions between applications of qualitative and quantitative studies. Qualitative and quantitative studies are therefore discussed separately in Sections 3–4 below.

There are roughly two stages of risk assessment for offshore activities:

• Risk assessment during planning of offshore activities. This is normally undertaken onshore, but with participation of key offshore personnel.

• Risk assessment just prior to execution of an activity. This is undertaken using the Work Permit System, Procedures and Safe Job Analysis.

3 USE OF QUALITATIVE STUDIES

For offshore operations, the use of qualitative studies has increased significantly over the last decade. In particular, the introduction of risk based safety management systems has encouraged the use of qualitative studies, both prior to specific offshore operations, and more recently, during all aspects of "management of change".

This section concentrates on the use of qualitative studies for offshore activities in the Norwegian sector of the North Sea. Maintenance and inspection planning to ensure adequate integrity of safety barriers have not been evaluated.

3.1 Offshore activities

Some categories of offshore activities may from time to time be subjected to some form of qualitative studies:

• Drilling and well services
• Production, maintenance and minor modifications
• Marine operations
• Transportation
• Organizational changes

Within these 5 categories, there are a number of specific activities that are either executed as a single activity or as part of several activities that are undertaken simultaneously. The risk associated with these activities will be dependent on a number of parameters, such as:

• Type of activity
• Technical integrity of equipment and structure
• Available documentation
• Communication
• Organization
• Human Factors
• External Factors
• Extent of simultaneous activities

Each of the above parameters could be split into a number of sub-issues (e.g., competence, experience, complacency, stress, etc. for human factors). Thus, the overall risk picture for a specific activity can be rather complex. The above parameters are included in various checklists that are being used as guidewords to identify hazards during qualitative studies.

Current use of qualitative studies is briefly outlined in Vinnem et al. (2003b).

4 USE OF QUANTITATIVE STUDIES

4.1 Current use of quantitative studies

Quantitative Risk Assessment may include quantification of the probability and the consequences of accidental events with respect to one or several of the following risk dimensions: personnel, environment and assets. The study further includes a comparison with quantitative risk acceptance criteria established by the operator. This will typically include quantitative criteria for Fatal Accident Rate (FAR) and/or Individual Risk (IR) and quantitative criteria for safety functions like e.g., support structure, escape ways, evacuation, control room and sheltered area.

For effective planning, execution and use of risk analysis reference is given to NORSOK standard Z-013 (NTS, 2001). Current requirements set by the Norwegian Petroleum Directorate make references to this NORSOK standard.

Current use of quantitative studies is briefly outlined in Vinnem et al. (2003b).

4.2 Decisions where quantitative input is required

The decision processes are complex and are normally related either to economic or safety related aspects. Either the offshore organisation or the onshore organisation takes the initiative to changes. Typical problems where decisions are required in the operational phase and where decision support from a well developed ORA will increase the probability for the "correct" decision, are identified to be:

• Whether the activity should be carried out or not
• What restrictions and safety related aspects that should be taken care of in daily operation
• What the requirements to the equipment are
• What the requirements to the personnel and the competence are
• Whether the production should be shut down
• Whether the manning level must be changed
• What simultaneous operations that can be carried out
• Whether compensating measures are necessary and which of them are effective
• Whether maintenance and improvements could be delayed.

Several of the decisions related to the listed problems must be taken on a daily basis, and use of quantitative analyses as a decision support tool will in many situations not be optimal. This is discussed in more detail in Vinnem et al. (2003b).

4.3 Shortfalls and deficiencies in QRA methodology application

There are several shortfalls and deficiencies in the QRA methodology with regard to decision support in the operational phase. They are identified among others to be:

• Focus on long term risk rather than short term risk which is necessary to consider in the operational phase.

• The acceptance criteria are often inappropriate for short term risk.

• Knowledge about QRAs is not sufficiently communicated to offshore personnel.

• QRA teams often consist of risk analysts only with negligible experience from operations. Operational personnel should be involved.

• Often the risk level is not presented in an understandable and trustworthy manner.

• To carry out a QRA is often time consuming and not necessarily adjusted to the time schedule for the decision processes in the operational phase (decisions to be taken on daily basis).

• Relevant data to carry out a QRA in the operational phase (such as data relating to operations) are often difficult to obtain.

• Today the QRA normally only includes technical aspects, but for operational aspects also human, organizational and cultural factors must be taken into account. Human reliability analyses (HRA) are rarely used in offshore QRAs, even though methods exist. It is important to make better use of existing HRA and also to improve these methods in order to succeed in development and use of QRAs in the operational phase.

5 ANALYSIS OF BARRIERS

5.1 The barrier concept and barrier requirements

The requirements for principles to be adopted for use of barriers are stated in the so-called management regulations (NPD, 2001).

Barrier is not a totally new concept in the petroleum industry, but the previous interpretation has usually been restricted to physical measures, e.g., as in MORT (Management Oversight and Risk Tree; Johnsen, 1980).

The management regulations (NPD, 2001) emphasize that barriers shall include administrative or organizational measures as well as physical measures, i.e. physical and non-physical barriers. Organizational barriers or safety measures are those measures that shall ensure continuous adequate performance of the technical and human barriers.

5.2 Potential achievements using barrier analysis in ORA

The management regulations' requirements on barriers may be broken down in the following parts:

1. Stipulate the strategies and principles on which the design, use and maintenance of barriers shall be based
2. Know what barriers have been established and which function they are designed for, and what performance requirements have been defined
3. Know which barriers are non-functional or have been impaired
4. Initiate necessary actions to correct or compensate for missing or impaired barriers.

Further discussion of these aspects is presented in Vinnem et al. (2003b).

5.3 Future analysis and modeling of barriers

A future development toward more detailed modeling of physical barriers (e.g., safety systems) in the risk analysis (ORA) will support the potential achievements mentioned in Section 5.2. This may enable one or several of the following, depending on future decisions about usefulness:

• Establishing safety system requirements based on risk assessment, i.e., the reliability of a particular safety system, may be used as a requirement when the safety integrity level (SIL) is determined for that system (in order to meet the overall risk acceptance criteria).

• Obtain information on risk status for safe daily operation using living risk assessment and RMS.

• Risk based configuration control, i.e. to manage and control concurrent unavailability of components, the possibility of functional alternative components, the outage times of the unavailable components and the frequency of the critical configurations.

• Evaluation/rating of operational events, i.e. to carry out an operational events analysis in order to evaluate the safety significance of the events and to establish an event importance ranking.

• Establishing allowed outage times for safety systems in order to minimize the risk from equipment unavailability while maintenance is in progress.

A more detailed modeling of physical barriers may also support risk-informed decision making within maintenance management, e.g., RCM, in-service testing, in-service inspection, etc.

The broadening of the concept of barriers, including non-physical elements, is in line with prevailing thinking about major accident prevention. The notion of organizational accidents (Reason, 1997) underlines the fact that most major accidents are not caused by simple technical failures or human errors but rather organizational deficiencies. To include models of non-physical barriers in risk assessments (e.g., in ORA, QRA, PRA, PSA, etc.) is, however, not an easy task (see e.g., Hale et al. 1998b). For qualitative assessments (audit type of methods) and accident investigations the inclusion of non-physical barriers is more manageable. This is also the area in which works already have been initiated in the petroleum industry (ref. the TTS project and the MTO-method).

Another challenge for future analysis and modeling of barriers is the adequate treatment of dependencies. Some of the dependencies between similar physical components are accounted for in the models. However, dependencies between systems are rarely considered and this is of special relevance with respect to potential organizational dependencies (e.g., same maintenance team using the same (lack of) knowledge, (less than adequate) procedures, etc., working on different systems). This has been addressed by Relcon in a project for NPD (Bäckström & Vinnem, 2003).

6 ANALYSIS OF RISK TRANSIENTS

"Transient" in this context implies short duration activities, say from one hour up to several days duration, that imply increased risk during the time it takes to complete the activities in question.

6.1 Requirements

Section 14 of the "Management regulations" (NPD, 2001) requires quantitative assessment of risk in order to identify contributions to major hazard risk from hazards such as:

• Drilling and well operations
• Modifications, during and after implementation
• Helicopter transportation

Although not explicitly stated, the implicit requirement in this formulation is that transient risk levels need to be addressed.

The NPD requirement further states that the effect of these temporary activities on the total risk level shall be presented. It is therefore required that temporary risk levels and durations are analyzed and documented.

6.2 Objectives of activity based modeling

The objectives of adopting activity or condition based modeling are:

• To allow a representation of risk which shows clearly at least the main variations in risk levels according to the activities or conditions.

• To provide, through the representation of risk, an explicit demonstration of the effects of the dominating risk factors.

• To allow monitoring of risk to address instantaneous risk levels rather than average risk levels.

• To enable risk modeling to be used as a planning tool.

7 CONCLUSIONS AND RECOMMENDATIONS

7.1 Recommended use of qualitative studies – offshore operations

Qualitative studies have been established in most operators' safety and risk management systems. They are considered to be a practical and efficient tool to provide essential information for decision making of a practical nature. The method combines utilization of qualified personnel with a systematic approach to identify hazards, assess consequences and probabilities, and evaluate prevention and mitigation measures for the ongoing management of risk.

Qualitative studies are recommended for the following use:

• Practical risk evaluation during planning of major offshore activities
• Practical risk evaluation of simultaneous activities
• Practical risk evaluation of organizational changes

Qualitative approaches may not be suitable to evaluate barriers or maintenance strategies and intervals. Further, for design and process modifications, quantitative expressions are appreciated by many as they are easier to compare.

Thus, quantitative approaches should be developed to account for such issues, and are discussed in the following.

7.2 Recommended use of quantitative studies

As already argued, there are a number of decisions in the operational phase that need a quantitative basis for decision-making. This need appears to be agreeable to most HES management experts.

The next issue is whether the oil companies need to know the instantaneous risk level on their installations. It may be argued that this is implied by the new NPD management regulations (NPD, 2001); this would however be a rather conservative interpretation of the requirements. Also the requirements for risk acceptance criteria in the NPD regulations indirectly call for such a detailed quantitative study, but should nevertheless also be open for debate and discussion. This is a separate subject for a future study.

After all, maybe a more cost effective and sufficient solution from a HES management perspective is the approach indicated in Figure 1, whereby the "total risk" level in general is assessed relatively crudely, whereas a number of subjects are assessed in more detail, according to what the need may be. Not all of these detailed studies may be possible to integrate into an overall value, if they do not have a common expression of the consequence dimension.

Some of the areas where more detailed modeling often may be required are:

• Modeling of barriers, their impact on the risk level and interactions with performance of operational and maintenance activities.

• Improved illustration of and insight into different aspects of the risk level.

• Improved modeling and illustration of operational, short term and local risk conditions.

When carrying out a quantitative study for the operational phase it is important that the team carrying out the work includes both onshore and offshore personnel covering all relevant aspects. The results must also be presented for the users in an understandable and trustworthy manner. Other decision support tools together with the QRA are also needed to develop a safe daily operation, and it is recommended to evaluate how the different decision tools can be better integrated with each other.

7.3 Analysis of barriers

The analysis of barriers is in need of substantial improvement with respect to:

• More explicit modeling of the various barrier elements, and their contributions to the overall barrier function.

• More explicit modeling of the performance of barriers, in relation to the relevant performance parameters.

• Modeling of barriers which allow dependencies and common causes to be explicitly addressed.

• Explicit modeling of the coupling between barriers and the performance of operational and maintenance activities.

7.4 Analysis of risk transients

It may be inferred from the discussions in Section 6 that a detailed quantitative analysis of all transients is required. But this is far from an obvious conclusion.

The opposite approach would be to perform an overall quantitative assessment which gives the opportunity to compare with general risk acceptance limits, addressing annual accumulated values (often referred to as "annual average values"), without considerations of transients.

But detailed assessment of some transients may be required for certain conditions:

• Particularly critical transient conditions (e.g. activities that have a high risk intensity, but a low contribution to annual fatality risk dose, because of short duration).

• Transients that are vital in order to identify risk reducing measures and/or actions (e.g. where risk reducing measures need to be defined relative to the transient conditions rather than "average conditions").

It is not obvious that risk acceptance criteria need to be available for analysis of such transients. The main conclusion offered here is that analysis of transients may be carried out also when risk acceptance criteria for transients are not introduced. The analysis results will in such cases be evaluated in a relative sense, as well as in an ALARP context.

TERMINOLOGY

ALARP: As low as reasonably practicable
CSE: Concept safety evaluations
DRA: Design risk assessment
FAR: Fatal accident rate
FIREPRAN: Fire protection risk analysis
HAZID: Hazard identification
HAZOP: Hazard and operability study
HES: Health, environment and safety
HRA: Human reliability analyses
IR: Individual risk
MORT: Management Oversight and Risk Tree
MTO: Human Technology Organisation
NPD: Norwegian Petroleum Directorate
OLF: Norwegian Oil Industry Association
ORA: Operational risk assessment
PFD: Probability of Failure on Demand
PSA: Probabilistic safety assessment
QRA: Quantitative risk assessment
RMS: Risk Monitoring System
SAFOP: Safe Operations Analysis
SIMOPS: Simultaneous operations
SJA: Safe job analysis
TATO: "Take two" ("Ta to" in Norwegian)
TRA: Total Risk Analysis
TTS: State of Technical Safety

ACKNOWLEDGEMENT

The authors are indebted to NFR for the funding of the work and to their parent organisations for the permission to publish this paper. During the preparation of the paper, a large group of specialists has been consulted at various stages, orally and in writing. We are obliged to all those that have provided comments, for the time they have taken to review and provide very valuable input to the process.

REFERENCES

Aven, T., 2003. Foundations of Risk Analysis. Wiley, NY, to appear.

Acona Group AS, 2002. Operational Risk Analysis – Phase I, Report AJ-10260, 2002.07.17.

Bäckström, O., Vinnem, J.E., 2003. (to be presented).

Bedford, T., Cooke, R., 2001. Probabilistic Risk Analysis; Foundations and Methods, Cambridge, UK.

Bento, J-P., 1999. Human – Technology – Organisation; MTO-analysis of event reports. OD-00-2. (In Swedish). Restricted.

Det Norske Veritas & Scandpower, 2002. Operational Risk Analysis – Phase I, DNV Report 2002-0717, 2002.10.04.

Hale, A.R., Guldenmund, F., Smit, K., Bellamy, L., 1998. Modification of technical risk assessment with management weighting factors. In Lydersen, S., Hansen, G., Sandtorv, H. (eds) Safety and Reliability, Proceedings from ESREL'98, Rotterdam, Balkema, pp. 115–120.

Hansen, G.K., Aarø, R., 1997. Reliability Quantification of Computer-Based Safety Systems. An Introduction to PDS. SINTEF report STF38 A97434.

Husebø, T., Ravnås, E., Lauritsen, Ø., Lootz, E., Brandanger Haga, H., Haugstøyl, M., Kvitrud, A., Vinnem, J.E., Tveit, O., Aven, T., Haukelid, K., Ringstad, A.J., 2002. Utvikling i risikonivå – norsk sokkel. Fase 2 rapport 2001 (Oljedirektoratet, OD-02-07, www.npd.no).

IAEA, 1998. Draft document, PSA Applications to Improve NPP Safety, IAEA-J4-97-CT-06876, February 1998, Vienna, Austria.

IAEA, 2001. IAEA-TECDOC-1200. Applications of probabilistic safety assessment (PSA) for nuclear power plants. ISSN 1011-4289. IAEA, Vienna, Austria.

IEC 61508. "Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety related systems", parts 1–7, Edition 1.0 (various dates).

ISO, 2000. Petroleum and natural gas industry – Offshore production installations – Guidelines on tools and techniques for identification and assessment of hazards, ISO 17776.

Johnson, W.G., 1980. MORT Safety Assurance Systems, Marcel Dekker, New York, USA.

Kafka, P., 1994. Living PSA – Risk Monitor: Current Developments. IAEA TCM, Budapest 7–11 Sept. 1992, IAEA-TECDOC-737, March 1994, IAEA, Vienna, Austria.

Lord Cullen, 1990. Inquiry into the Piper Alpha Disaster, HMSO 1990.

NTS, 2001. NORSOK Standard Z-013, Risk and Emergency Preparedness Analysis, 2001.

Norwegian Petroleum Directorate, 2001. Regulations relating to Management in the Petroleum Activities (the Management Regulations). (http://www.npd.no/regelverk/r2002/frame_e.htm).

Norwegian Petroleum Directorate, 2002. Guidelines to Regulations relating to Management in the Petroleum Activities (the Management Regulations). (http://www.npd.no/regelverk/r2002/frame_e.htm).

OLF, 2001. OLF guideline 070 on the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf, OLF, Rev. 01, 26-01-2001 (see http://www.itk.ntnu.no/sil).

Reason, J., 1997. Managing the Risks of Organizational Accidents, Ashgate, England.

Sørum, M., Firing, F., Endresen, I., Øvrebø, R., Storhoug, O., Berg, F.R., Hvam, C., Holmboe, R.H., Austbø, J.S., 2002. Mapping of state of technical safety in Statoil; Main report. (In Norwegian). Restricted.

Veire, G., 2002. Private communication with Gunnar Veire, Statoil.

Vinnem, J.E., 1998. Use of performance indicators for monitoring HSE operating achievement. Proceedings of ESREL'98, Trondheim, Norway, 16–19 June: 127–35: Balkema.

Vinnem, J.E., 1999. Risk Assessment of Offshore Platforms, Keynote paper to ESREL 1999, Munich, October 1999.

Vinnem, J.E., 2000. Risk Monitoring for Major Hazards, SPE61283, SPE International Conference on Health, Safety and the Environment in Oil and Gas Exploration and Production, Stavanger, Norway, 26–28 June 2000.

Vinnem, J.E., Aven, T., Sørum, M., Øien, K., 2003a. Structured approach to risk indicators for major hazards, ESREL 2003, Maastricht, 15–18 June 2003 (to be published).

Vinnem, J.E., Aven, T., Vassmyr, K-A., Vollen, F., Øien, K., 2003b. Risk Assessments for Offshore Installations in the Operational Phase, NFR report.

Øien, K., Sklet, S., Nielsen, L., 1997. Risk Level Indicators for Surveillance of Changes in Risk Level. Proceedings of ESREL'97, Lisbon, Portugal, 17–20 June, Pergamon, pp. 1809–16.

Øien, K., Sklet, S., Nielsen, L., 1998. Development of risk level indicators for a petroleum production platform. Proceedings of the 9th International Symposium of Loss Prevention and Safety Promotion in the Process Industries, 4–7 May 1998, Barcelona, Spain, pp. 382–393.

Øien, K., Sklet, S., 1999. Risk Control during Operation of Offshore Petroleum Installations. Proceedings of ESREL'99, Munich, Germany, 13–17 September, Springer, pp. 1297–1302.

Øien, K., 2001. Risk Control of Offshore Installations – A Framework for the Establishment of Risk Indicators. NTNU 2001:04, Trondheim, May 2001.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7

Structured approach to risk indicators for major hazards

J.E. Vinnem, Stavanger University College/Preventor, Bryne, Norway

T. Aven, Stavanger University College, Stavanger, Norway

M. Sørum, Statoil, Stavanger, Norway

K. Øien, SINTEF Industrial Management, Trondheim, Norway

ABSTRACT: Risk indicators for major hazards in offshore petroleum operations have not been widely used until quite recently, and the uncertainty about what is the preferred approach is considerable. This paper attempts to describe a structured approach to such indicators, and to recommend a consistent approach. Proposed terminology for barriers and indicators is given. General requirements for development of risk indicators are presented from a theoretical as well as a HES management perspective. These requirements are presented in relation to broad categories of use on a national level, a company/installation level and an equipment level. A basic approach for development of risk indicators is presented, relating to incidents, barrier performance, activity levels, causal factors, management systems and cultural aspects. Suggestions for loss related and process related indicators, as well as indicators relating to causal factors, are presented.

1 INTRODUCTION

Risk indicators in the offshore petroleum industry have traditionally been based on occurrence of injuries to personnel. This implies that the indicators that may be possible to present are:

• Trends in the occurrence of injuries to personnel and near-misses, classified according to severity or potential severity

• Injury causation statistics

Such indicators are suitable for performance monitoring in the context of workplace injury (consequence up to one fatality). It has been claimed that such indicators can provide information about all safety aspects of an installation, i.e. also aspects of major hazard risk.

It may be argued that there is considerable similarity between occupational and major accidents when it comes to root causes of an organisational nature. Otherwise, the similarity would be expected to be very limited. Therefore, indicators for personal injuries have very limited applicability for monitoring of major hazard risk.

This may be further emphasised as follows: a traditional focus on near-misses and motivation is no guarantee for the functioning of normally dormant safety barriers. The indicators based on events and HES culture therefore need to be supplemented with indicators reflecting the status of safety barriers, in order to illustrate the total picture.

In the recent NPD management regulations (NPD, 2001a) there is a clear requirement to monitor risk and present trends in indicators, which shall illustrate the relevant aspects of major hazard risk.

1.1 Objectives

The Norwegian Government has initiated a research programme to improve the safety level offshore. The programme is led by the Norwegian Research Council, and a network of Norwegian institutions has been established in order to realise the programme. The ambition is to obtain more adequate tools for risk assessment and support for decision-making, in general and for the operational phases in particular. The present work is a part of this programme.

The purpose of the paper is to propose a structured approach to the definition of suitable risk indicators for major hazards for the offshore petroleum industry, based on a brief review of current usage, development plans and experience from existing projects.

1.2 Terminology

1.2.1 Risk dimensions

There are three main dimensions of risk according to Norwegian regulatory requirements, which have the following main elements:

• Risk to personnel
  – Occupational accidents
  – Major accidents
  – Occupational diseases

• Risk to environment
  – Accidental spill
  – Continuous release

• Risk to assets and production/transportation capacity
  – Accidental disruption

Unplanned and planned maintenance are also contributions to disruption of production and transport. These contributions are normally considered within regularity analysis. Regularity analysis may be considered as part of risk assessment if a wide interpretation of the term is used, but may be more efficiently considered a separate analysis.

The main focus in the paper is risk to personnel, in particular major hazard risk in offshore systems.

1.2.2 Proposed terminology for barriers

The new Norwegian regulations for offshore installations and operations make extensive references to the term "barriers". This term is not defined, but comments given in the regulations (NPD, 2001a) imply that barriers are actions that are intended to reduce the probability that faults or hazards develop into accidents, or to limit or reduce injury, damage and other unwanted effects.

ISO Standard 17776 defines barrier as follows: "measure which reduces the probability of realising a hazard's potential for harm and of reducing its consequence. Barriers may be physical (materials, protective devices, shields, segregation, etc.) or non-physical (procedures, inspection, training, drills)".

This implies that NPD has adopted the ISO definition. This definition is wide and general, and includes a wide range of actions which may be considered a barrier. More precise or limited definitions have been searched for by several specialists.

Another application of the barrier concept is in relation to MTO analysis of accidents and incidents in the offshore petroleum sector (Bento, 1999). The term "barrier" is in this application given a wide definition, in line with the ISO definition.

The following definitions are proposed as more precise definitions of barrier related expressions, within the general definition adopted from ISO 17776. These definitions are proposed in the context of the present paper, for use in relation to barriers for major hazards and indicators in relation to such risk elements. The term "major hazard barrier" has been proposed in order to give a more precise definition of the wide term "barrier":

Major hazard barrier: "Line of defence" relating to overall functions, as explained below.

Barrier element: Part of a barrier, but not sufficient alone in order to achieve the required overall function, as explained below.

[Barrier performance] influencing factor: Factor that influences the performance of barriers.

The NPD management regulations (NPD, 2001a) make a distinction between physical barrier [elements] and non-physical barrier [elements]. The former are the "hardware" systems, whereas the latter are organisational, procedural or human elements.

The influencing factors are particularly important for non-physical barriers.

Barriers may be regarded as "lines of defence", as illustrated in Figure 1 below.

Each of these levels will consist of several barrier elements, for instance (but not limited to) the following for the ignition prevention barrier:

• Automatic gas detection
• Manual gas detection
• Shutdown logic
• Procedures to limit open flame exposure, such as hot work procedures
• Area classification rules affecting protection of electrical equipment

[Barrier performance] influencing factors are factors that influence the performance of barriers. Consider as an example the manual gas detection performed by personnel performing manual inspection in the hydrocarbon processing areas. Factors that will influence the ability of such personnel to detect possible gas leaks are as follows:

Figure 1. Illustration of the "lines of defence" principle: hydrocarbon source, followed in turn by the containment barrier, the ignition prevention barrier, the limit energy potential barrier, the escalation prevention barrier and the protect life barrier.

• Procedures for manual inspections
• Organisation of work, work patterns
• Training of plant operators
• Experience of plant operators
• Motivation of plant operators
• etc.

Indicators may be defined for each of these factors; some of these are briefly suggested in Section 4 below.

Please note that what we here consider as influencing factors will often be considered as "barriers" according to the ISO or NPD definition as stated above.

1.2.3 Proposed terminology for indicators

This section proposes a structured terminology for indicators:

Risk indicator: A measurable quantity which provides information about risk.

Risk indicator related to activity: A measurable quantity related to execution of defined operational activities, which provides information about risk.

Risk indicator based on barrier performance: A measurable quantity related to barrier performance, which provides information about risk.

Risk indicator related to incidents: A measurable quantity related to occurrences of accidents, incidents and near-misses, which provides information about risk.

Risk indicator related to causal factors: A measurable quantity related to causal factors for barrier performance, which provides information about risk.

Risk indicator related to safety culture: A measurable quantity related to safety climate/culture and its influence on the performance of barriers, which provides information about risk.

Proactive (leading) risk indicator: A measurable quantity which provides information about risk, explicitly addressing an aspect of future performance (example: anticipated number of hot work hours next year).

Reactive (lagging) risk indicator: A measurable quantity based on outcomes of accidents and incidents.

It may be discussed whether "causal factors" and "influencing factors" are synonymous expressions, and to some extent they are. It may be argued that "influencing factors" is a wider term than "causal factors", but little emphasis is placed on this here.

Sometimes the term "safety indicator" is used instead of or in addition to the term "risk indicator". We use these terms as synonymous in this paper, meaning that a safety indicator is a measurable quantity which provides information about safety. Both the terms safety and risk are used in a wide sense, and for the purpose of this paper we have not distinguished between them. The term "risk indicator" is used throughout the paper.

2 RISK INDICATORS, OBJECTIVES AND REQUIREMENTS

2.1 Requirements to the use of risk indicators

2.1.1 HES related requirements

The overall objectives may be broken down into specific requirements. Performance indicators for all types of offshore related accidents should meet the following requirements for indicator "goodness":

• The total set of indicators should address a range of incidents, from insignificant near-misses up to the most severe and complex accident sequences.

• If very different hazards are studied, an incident based indicator reflecting the potential for major accidents should be considered, alongside individual indicators.

• Indicators such as those discussed in this paper should primarily reflect aspects that can be influenced from an operational point of view, although some indicators may not satisfy this requirement but still be useful.

• Such indicators that are considered intuitively important by personnel with practical operational/HES experience should ideally be given priority.

• Indicators should give opportunities for risk reduction potentials that reflect physical accident mechanisms or causes which may be related to physical or non-physical aspects, as opposed to synthetic, simplified or artificial modelling parameters. Volume density of hydrocarbon processing equipment may illustrate such an artificial modelling parameter. Volume density is used as a parameter in escalation modelling. Volume density would be a rather useless risk indicator, as it is purely a synthetic modelling


parameter, which is not considered in design or operation [although there are aspects considered that implicitly have influence on the density].

The suitability of indicators is also dependent on which level the indicator is used for. This may also be related to the so-called "free variables", i.e. quantities that are possible to change.

As an example, let us consider the activity risk indicator: the number of days with a certain [hazardous] activity, such as drilling. Clearly this indicator provides interesting information about risk, and consequently is a useful indicator, but it can be discussed to what extent it is related to a free variable. On the national level, the extent (or volume) of drilling activity may be considered a "free variable", in relation to which regions or fields are to be developed, whereas it is not to the same degree a free variable on the installation level, as this activity in practice must be done, given the frame conditions for the activity on this installation.

On the installation level, more detailed indicators need to be added in order to establish a proper set of indicators, and in order to reflect aspects that may be influenced through operational decisions. Such indicators include the type of drilling or well intervention activity, the number of effective barriers, porosity of the formation, the weight margin of the drilling fluid, etc.

Another aspect is related to whether to express annual values, or values accumulated over the field lifetime. This is a general problem, but can be illustrated with reference to drilling. If a certain number of wells is needed in order to develop or maintain production, it will usually not imply overall reduced risk even if the drilling activities are spread out over several years, as opposed to completing the programme in just one year.

One solution for this and similar cases is that the indicator reflects some kind of accumulated values. The disadvantage of such a solution will be a more complicated indicator, which will need to be considered over several years before conclusions may be drawn.

2.1.2 Formal requirements

There is a set of formal requirements that indicators should satisfy, in addition to the requirements relating to offshore petroleum HES management as outlined in Section 2.1.1 above. The indicators should satisfy the following formal requirements, and thus be (cf. Kjellén, 2000):

• observable and quantifiable
• sensitive to change
• transparent and easily understood
• robust against manipulation
• valid

It must be possible to observe and measure performance by applying a recognised data collection method and scale of measurement. Usually, the indicators are expressed on a ratio scale of measurement, such as the Lost Time Injury (LTI) rate, which expresses the number of injuries resulting in absence from work per one million hours of work. It is difficult to establish a data collection method that gives reliable data, i.e. data that correspond to the quantity we would like to observe. For example, measuring the true number of LTIs is in practice often difficult. Recording of the events may be poor, and the data may be contaminated by extraneous factors such as rumours and direct manipulation.

Psychological and organisational reasons could in many cases result in too low reporting. As an example, we may think of an organisational incentive structure where absence of injuries is rewarded. Then we may experience that some injuries are not reported, as the incentive structure is interpreted as "absence of reported injuries".

A risk indicator must be sensitive to change. It must allow for early warning by capturing changes in a socio-technical system that have significant effects on accident risks. Clearly, the number of accidents leading to fatalities would not normally be sufficiently sensitive to change. The LTI rate is more sensitive, but also this indicator could be considered too insensitive to changes.

The "good" set of indicators will reflect changes in risk as well as point to aspects where improvements should be sought.

The risk indicators must also be robust against manipulation. The point is that the indicator should not allow the organisation to "look good" by, for example, changing reporting behaviour rather than making the necessary basic changes that reduce accident risk.

This leads us to the requirement of validity, which is a critical point in the evaluation of the goodness of an indicator. Is the indicator a valid indicator for the accident risk? Does the indicator actually measure what we intend to measure? Consider for example the indicator defined by the number of lost time injuries. Clearly, this indicator says something about accident risk, but of course the accident risk is more than the number of lost time injuries, so we cannot use just this indicator to conclude on the development in the accident risk level as a whole. The validity of a statement concerning the accident risk based on observations of the injury rate only would thus in most cases be low. But restricting attention to this specific type of injury, there should be no validity problem in this respect. Still, we have a problem in concluding on any development in the injury risk based on the observations from the indicator. This is discussed further in Aven (2003), Section 2.1.

2.2 Use of major hazard indicators at different levels

The following levels are discussed below:

• National level for offshore petroleum industry
• Company/Installation level
• Equipment level

One aspect which is valid on all levels is the need to address variations between the best and the worst units, in addition to average levels.

It should also be noted that development of indicators on a higher level may in theory be done by aggregating from a lower level. This is in practice seldom so simple, because other indicators may be more relevant on a higher level than just summing up from a lower level.

3 BASIC APPROACH – INDICATORS FOR MAJOR HAZARDS

3.1 Classification of indicators

There are various ways to classify indicators; two classification schemes that are discussed in this paper are the following:

• Classification of indicators reflecting how the data is collected

• Classification of indicators reflecting steps in the "accident chain"

Kjellén (2000) has classified indicators as:

• Loss based indicators
• Process based (i.e. accident sequence) indicators
• Indicators based on causal factors (including indicators related to safety "climate")

Only for quite frequent occurrences may indicators be based on recording of actual losses; otherwise indicators for risk will have to be based on hydrocarbon processing parameters or causal factors.

Based on the discussion in the previous sections, the following types of indicators are required for major hazards:

• Incident indicator
• Barrier indicator
• Activity indicator
• Indicators related to causal factors (including indicators related to safety "climate")

Incident indicators are based on occurrence of accidents, incidents and near-misses, and are as such reactive indicators. This type of indicator is nevertheless needed, as they give important information on what has occurred in the past. Indicators based on occurrence of accidents are loss related indicators, whereas indicators based on near-misses and similar are process related indicators.

Activity indicators are almost entirely proactive indicators, which are required in order to actively manage the planning of activities on the installations and thereby minimise major hazard risk. Activity indicators have not been utilised to any significant extent so far, but shall reflect major hazard risk due to execution of operational activities on the installations.

Indicators related to causal factors are a separate category in both classifications. This category will naturally include safety "climate" indicators.

3.2 Use of indicators and risk assessments

The following principles are used as a basis for development of risk indicators for major hazards:

• The main perspective is to provide tools for expressing quantities which provide information about future risk exposure, with a basis in current status and past performance, in order to provide input to decision-making.

• Risk indicators should put the main emphasis on illustrating the effect on risk of variable parameters.

• A mix of proactive and reactive indicators may be required in order to give a comprehensive presentation of risk levels.

The results from risk analysis may be used to give weights to different risk indicators, and such use is valuable. It is on the other hand not recommended to use risk indicators in a "mechanistic" updating of overall expressions of risk levels. Indicators, usually based on observations, will have to be combined with adjustments and evaluations if an evaluation of the risk level is to be produced. If this is done in a justifiable manner, then risk indicators may be used for updating overall estimations of risk levels.

The risk assessment results may also be used for identification of and setting of priorities for different risk mechanisms, based on their contribution to total risk. The risk assessment results may also be used as a basis for establishing weights for the different contributions, if they are being added up to some kind of total value.

3.3 Accidents, incidents and near-misses

Loss based indicators imply indicators reflecting occurrence of accidents. This requires, as mentioned above, that the volume of accidents is sufficiently high for the extent of installations and operations being considered, in order to establish an indicator based on such events. This will usually be the case, if at all, for only some kinds of hazards, for instance occupational injuries.

But even if the number of occupational injuries may be substantial, there will rarely be sufficient accident data to establish an indicator for fatality risk due to occupational hazards.

Indicators based on incidents and near-misses (process related indicators) are therefore required.


All these indicators are based on actual occurrences, where the valuable information will be much more than just the number of occurrences. Actual cases may also give very valuable qualitative information about mechanisms, causal factors, etc.

Indicators based on accidents, incidents and near-misses may be weighted and normalised as follows:

Weighted: Rating of types or categories of events according to severity, thereby implying that weighted indicators may be combined in order to create overall indicators of different kinds.

Normalised: Rating of indicators (may be regarded as weighting) in relation to the volume of exposure, measured according to a relevant parameter reflecting the type of risk exposure.
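As an added example that is not part of the paper, the weighting and normalisation just defined, together with the annual-versus-accumulated choice discussed in Section 2.1.1, carried through in Python. The severity weights, the event log and the exposure hours are constructed for illustration and are assumptions, not values from the paper or from any published data set; an unknown event category raises an error rather than being silently dropped, so that a mis-coded record cannot lower the indicator unnoticed.

```python
"""Weighted and normalised incident indicators (added illustration, not from the paper)."""
from collections import defaultdict

# Assumed severity weights per event category (hypothetical values chosen for
# illustration; a real scheme would derive them from risk analysis results).
SEVERITY_WEIGHTS = {
    "near_miss": 1.0,
    "incident": 10.0,
    "accident": 100.0,
}

# Constructed event log, (year, category). Not real data.
EVENTS = [
    (2001, "near_miss"), (2001, "near_miss"), (2001, "incident"),
    (2002, "near_miss"), (2002, "incident"), (2002, "incident"),
    (2003, "near_miss"), (2003, "accident"),
]

# Constructed exposure: work hours per year on the installation (assumed).
EXPOSURE_HOURS = {2001: 1_000_000, 2002: 2_000_000, 2003: 1_000_000}

PER_MILLION = 1_000_000


def weighted_count(events, weights=SEVERITY_WEIGHTS):
    """Sum of severity weights over events (the 'weighted' indicator).

    A category missing from the weight table raises KeyError on purpose: a
    mis-coded record must not silently vanish from the indicator.
    """
    return float(sum(weights[category] for _, category in events))


def normalised_rate(weighted, exposure_hours, per=PER_MILLION):
    """Weighted events per `per` hours of exposure (a ratio-scale indicator,
    like the LTI rate per million work hours)."""
    if exposure_hours <= 0:
        raise ValueError("exposure must be positive")
    return weighted * per / exposure_hours


def annual_indicators(events=EVENTS, exposure=EXPOSURE_HOURS):
    """One normalised indicator per year; a year with no events gives 0.0."""
    by_year = defaultdict(list)
    for year, category in events:
        by_year[year].append((year, category))
    return {
        year: normalised_rate(weighted_count(by_year[year]), exposure[year])
        for year in sorted(exposure)
    }


def accumulated_indicator(events=EVENTS, exposure=EXPOSURE_HOURS):
    """Single indicator over the whole period: total weighted events over
    total exposure. This is the 'accumulated value' alternative to annual
    figures when a fixed work programme is spread over several years."""
    return normalised_rate(weighted_count(events), sum(exposure.values()))


if __name__ == "__main__":
    for year, value in annual_indicators().items():
        print(f"{year}: {value:.1f} weighted events per million hours")
    print(f"accumulated: {accumulated_indicator():.1f} per million hours")
```

With the constructed data the annual values swing from 10.5 to 101.0 because a single accident carries a weight of 100, while the accumulated value (33.5) smooths the programme out; this is the trade-off the paper describes, where the accumulated indicator is more stable but can only be judged after several years.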

3.4 Barrier performance

Indicators that reflect barrier performance (in a wide sense) belong to the category "process related indicators", together with indicators based on occurrence of incidents and near-misses as well as activity indicators. The performance should cover the following barriers:

• Physical barriers
• Non-physical barriers (organisational, administrative, procedural, etc.)

The performance should in general cover a wide range of capabilities (cf. NPD, 2001b):

• Functionality and effectiveness
• Reliability and availability
• Robustness (antonym to vulnerability)

In certain circumstances incident indicators and indicators related to barrier performance may be combined into an overall indicator (see further discussion in Section 4).

3.5 Activity level

A review of hydrocarbon leaks on the Norwegian Continental Shelf in 2001 and 2002 has revealed (Husebø et al., 2003) that less than one third of the leaks occur during normal operations, whereas a dominating majority occurs when special operations are being carried out, such as maintenance, inspection, manual intervention, trips etc. This situation emphasises the need to develop risk indicators that reflect major hazard risk as a function of the activities being carried out.

Activity indicators are almost entirely proactive indicators. The basis for development of activity indicators has not yet been developed extensively. The basis will have to reflect risk exposure due to:

• Performance of single activities, and/or
• Performance of simultaneous activities, and/or
• Absence of completed maintenance activities on safety critical equipment according to plan.

Activity indicators may be used in order to estimate the expected risk exposure according to activity plans and combinations, and also for optimisation of operational plans. A development project has been launched as part of the programme outlined in Section 1.1.

3.6 Causal factors

Indicators for causal factors may cover a wide rangeof aspects, relating to causes of incidents and near-misses, as well as failure of physical barriers (technicalsafety systems) and non-physical barriers (human,administrative and organisational functions).

One example of causal factors behind occurrenceof incidents can be the split of ongoing operations atthe time of occurrence of hydrocarbon leaks, asreferred to in Section 3.5. Other examples may includerecords showing the percentage of personnel havingparticipated in vital safety training or safety motivationcourses or campaigns.

To establish accurate models of how causal factorsrelate to possible accidents and losses, is difficult –the uncertainties are very large. Extensive R&D effortsare required to obtain models with sufficient credibil-ity. Data directly supporting the models will seldom bepresent, and extensive assumptions need to be made toestablish the models. Nonetheless, such models maybe useful to get insights – what are the critical factorsand how do different factors correlate? – and studythe impacts on risk of various theories and hypothesesrelated to the importance of causal factors. The modelsshould be seen as instruments for structuring knowl-edge and uncertainties, more than accurate tools forprediction.

Causal factors also include what could be called management system factors and cultural aspects.

4 RECOMMENDED INDICATORS

There are few hazards where major hazard related indicators based on actual loss may be used, implying that indicators for most of the hazards have to be based on process related indicators. Indicators for these two hazards on a national level may be found in the NPD annual report for risk level on the Norwegian Continental Shelf, see Husebø et al. (2002).

There are few loss based indicators that are possible for major hazards. There are therefore many indicators for major hazards that need to be based on modelling of losses.


Causal factors for major hazards are limited to performance of barriers for major hazards. Potential causes for major hazards may be classified as:

• Technical
• Human performance
• Organisational

5 CONCLUSIONS

The following indicators are required for a comprehensive risk monitoring of major hazard risk:

• Incident indicator
• Barrier indicator
• Activity indicator
• Indicators related to causal factors, including indicators related to safety “climate”

Few loss related indicators are feasible for major hazards, only on the national level. For major hazard risk, most of the indicators will have to be of the process related type and causal indicators.

The recommendations for use of loss related indicators, process related indicators and indicators relating to causal factors are briefly indicated in Section 4.

TERMINOLOGIES

HSE Health and Safety Executive
HES Health, Environment and Safety
ISRS International Safety Rating System
KPI Key Performance Indicator
LTI Lost Time Injury
MTO Man, Technology, Organization
NFR Norwegian Research Council
NPD Norwegian Petroleum Directorate
PFEER Prevention of Fire and Explosion, and Emergency Response
QRA Quantified Risk Assessment
RNNS Risk level on the Norwegian Continental Shelf (“Risikonivå norsk sokkel”)
TTS Technical condition of safety systems (“Teknisk Tilstand Sikkerhet”)

ACKNOWLEDGEMENT

The authors are indebted to NFR for the funding of the work and their parent organisations for the permissions to publish this paper. During the preparation of the paper, a large group of specialists has been consulted at various stages, orally and in writing. We are obliged to all those that have provided comments, for the time they have taken to review and provide very valuable input to the paper writing.

REFERENCES

Aven, T., 2003. Foundations of Risk Analysis. Wiley, N.Y. To appear.

Bento, J-P., 1999. Human – Technology – Organisation; MTO-analysis of event reports. OD-00-2. (In Swedish). Restricted.

Husebø et al., 2002. RNNS report 18.4.2002.

Husebø et al., 2003. RNNS report April 2003 (to be published).

Kjellén, U., 2000. Prevention of Accidents Through Experience Feedback. Taylor & Francis, London & NY.

NPD, 2001a. Regulations relating to the management in the petroleum activities (The management regulations), issued 3.9.2001.

NPD, 2001b. Guidelines to the management regulations, issued 3.9.2001.

The learning lab, 2002. http://www.laeringslaben.no/index_english.php?side=2

Statoil, 2002. “Technical safety Conditions in Statoil, Main report”, Statoil F&T MST 2001-0181, January 2002.

Vinnem, J.E., 2000. Risk Monitoring for Major Hazards, SPE61283, SPE International Conference on Health, Safety and the Environment in Oil and Gas Exploration and Production in Stavanger, Norway, 26–28 June 2000.

Vinnem, J.E., Tveit, O.J., Aven, T., Ravnås, E., 2002. Use of risk indicators to monitor trends in major hazard risk on a national level, ESREL 2002, Lyon, France, 18–21 March 2002.

Øien, K., Sklet, S., 1999. Risk indicators for the surveillance of the risk level on Statfjord A. (In Norwegian. Confidential). SINTEF Report STF38 F98435, Trondheim: SINTEF Industrial Management, Norway.

Øien, K., Sklet, S., 2001. Risk Analyses during Operation (The Indicator Project) – Executive Summary. SINTEF Report STF38 A01405, Trondheim: SINTEF Industrial Management, Norway.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


A contribution to vehicle life cycle cost modelling

Z. Vintr & R. Holub
Military Academy in Brno, Czech Republic

ABSTRACT: This article deals with a method of maintenance concept optimization that allows reduction of life cycle costs (LCC) of a vehicle on the basis of knowledge of operating reliability data. The authors present a theoretical model of optimization, describing the basic relationships between the LCC of the main vehicle’s sub-systems and the frequency of their scheduled (preventive) repairs. This article describes in detail an applied mathematical model and it also analyses the possibilities and conditions of its practical use for optimization of the conception of vehicle maintenance. Practical application of the proposed method is demonstrated on an example of optimization of the period of replacement of the vehicle drive train subsystem that is performed as a part of its preventive maintenance.

1 INTRODUCTION

In the Army of the Czech Republic, a large number of heavy military vehicles were observed in service over a long time period to collect data on their reliability and maintainability, including relevant economic data. The data obtained were used for determination of basic dependability characteristics of the vehicle and its main sub-systems and for analysis of the vehicle’s LCC. Among other findings, the results of this analysis showed an unsatisfactory level of the costs associated with maintaining the vehicle. For this reason, it was decided to look for ways to reduce maintenance costs through a change of the maintenance concept of the vehicle.

The solution was limited by the requirement not to change the basic principles of the maintenance concept, which are determined by the general maintenance policy of the army. This meant that the improvement desired could be achieved only through a change in the frequency of preventive maintenance. The original maintenance concept of the vehicle included, in addition to classical preventive maintenance actions, scheduled repairs with the aim to replace or repair the stated vehicle’s sub-systems and parts whose life cycle is shorter than the expected vehicle life cycle. The accomplishment of these scheduled repairs is very expensive and represents a decisive part of preventive maintenance costs of the vehicle. For these reasons, it was decided to analyze especially the influence of these repairs’ frequency on the amount of maintenance costs.

As a solution to the above-mentioned tasks, the article’s authors created a mathematical model describing relationships between the overall life cycle costs (LCC) of the vehicle and frequency of the prescribed maintenance actions. This model allows us to determine the frequency of repairs at which LCC of the vehicle reaches the minimal level.

2 NOTATION

c(t) average unit cost during operating time t;
C(t) cumulative cost during operating time t;
u(t) instantaneous unit cost in the operating time instant t;
uR(t) instantaneous unit cost for repairs in the operating time instant t;
t operating time;
topt optimal length of maintenance period;
CC total life cycle cost of the subsystem;
cC(t) average unit cost of life cycle;
cC min minimized average unit cost of life cycle;
CB acquisition price and costs related to subsystem replacement;
cB(t) unit acquisition cost related to the operating time t;
CM total cost for preventive maintenance;
CM(t) cumulative cost for preventive maintenance during the operating time t;
cM(t) average unit cost for preventive maintenance during the operating time t;


CR total cost for repairs of the subsystem;
CR(t) cumulative cost for repairs during the operating time t;
cR(t) average unit cost for repairs during the operating time t;
LCC life cycle cost.

3 DESCRIPTION OF VEHICLE LIFE CYCLE COSTS

To express the dependencies under research, the presented mathematical model employs three different methods to describe the LCC of the vehicle. The model expresses the costs as cumulative costs, as average unit costs, or as so-called instantaneous unit costs.

3.1 Cumulative costs

At each instant of time, the cumulative costs represent the sum of all costs of a given type from the beginning of service up to that certain instant of time. In general, these costs gradually increase with the operating time. In experiments (in service), the cumulative costs are usually the easiest to identify, as it is the most often evaluated economic value. Dependency of cumulative costs upon the operating time usually does not have a continuous character, and therefore various mathematical models often substitute for this dependency.

3.2 Average unit costs

At a given instant of a time t, average unit costs are defined as the quotient of cumulative costs expended during the operating time t to the operating time t:

(1)

Average unit costs express the average costs attributed to the unit of operating time in any instant of operating time t.

3.3 Instantaneous unit costs

Instantaneous unit costs are defined by the following relationship (if the appropriate derivative exists):

(2)

Instantaneous unit costs in each instant of time characterize the “speed” with which the pertinent costs are expended. It is obvious from the above-mentioned relationship that:

(3)

Graphical presentation of dependencies expressed by Equation 3 is shown in Figure 1.

4 OPTIMIZATION OF MAINTENANCE PERIOD MODEL

Consider a vehicle in the design of which a certain subsystem is used, and a periodic replacement is carried out as a form of preventive maintenance.

The subsystem’s faults detected in service are corrected by repair of the subsystem. In addition, the subsystem under research undergoes a scheduled preventive maintenance consisting of a simple checkout and setting-up. The aim of optimization is to determine a period of replacement for the subsystem so as to minimize the vehicle unit life cycle costs. Let us assume that all necessary subsystem technical-economic data are known.

The proposed optimization model disregards those components of LCC which are not influenced by the scheduled maintenance action and that cannot influence our optimization. In this case, it is possible to express the total LCC of the subsystem by:

(4)

It is further assumed that the subsystem acquisition price is constant and does not depend on the operating time and that preventive maintenance costs and subsystem repair costs depend on the operating time. Based on these assumptions and using Equation 4, the average unit LCC of the subsystem can be expressed as a function of the operating time:

(5)

[Figure 1: curves u(t) and c(t) plotted against operating time t (vertical axis u, c); at t1 the annotation reads C(t1) = c(t1)·t1 = ∫ u(t)·dt taken from 0 to t1.]

Figure 1. Graphical presentation of relationship between unit costs and instantaneous cost rate.


All terms of the sum at the right-hand side of Equation 5 have the character of average unit costs of the respective type. For further solution, it is assumed that the term which expresses the average unit costs for preventive maintenance is constant:

(6)

Detailed justification of this assumption is provided in the next section. With this presumption, we can adjust Equation 5 into the following form:

(7)

The aim of optimization is to find, for a subsystem under research, the length of the maintenance period – operating time to replacement of the subsystem t – which will ensure that the unit costs expressed by Equation 5 will be minimized. Our solution of this optimization task consists in identification of the local minimum of the function cC(t). For that, Equation 7 should be differentiated with respect to time:

(8)

Using Equations 1 and 2, which define unit costs and instantaneous cost rate, for further solutions the following values can be established:

– average unit cost for acquisition of the subsystem:

(9)

– average unit cost for repairs of the subsystem:

(10)

– instantaneous unit cost for repairs:

(11)

Using these values, Equation 8 takes the form:

(12)

Setting Equation 12 equal to zero yields:

(13)

From this equation, it is evident that the optimum length of the maintenance period of the subsystem is the value of t for which the instantaneous unit cost for repairs equals the sum of average unit costs for subsystem repairs and acquisition.

[Figure 2: curves cB(t), cR(t), cM (constant), cR(t) + cB(t), uR(t) and cC(t) against operating time t (vertical axis c, u); the point D(topt, cC min) lies where uR(t) = cR(t) + cB(t) and cC(t) reaches cC min.]

Figure 2. Graphical representation of optimization model.

Figure 2 shows a graphical representation of the mathematical model described above. From Figure 2, it is obvious that the optimization condition expressed by Equation 13 is met for a maintenance period of topt, where the function cC(t) attains its minimum (point D on the graph of this function). Thus, if the subsystem under research will always be disassembled after the operating time topt and replaced by a new one, the unit LCC of the subsystem will be minimized:

(14)

5 ANALYSIS OF THE OPTIMIZATION MODEL

A basic condition for application of the described optimization method is to have a suitable (convex) shape of the curve cC(t). An important condition for optimization is a sufficiently strong local minimum in point D (topt; cC min), which will enable relatively precise identification of the location of this point even if the technical-economic data are not complete.

This section provides a more detailed discussion about the character of individual elements of costs (functional dependencies), which are included in the optimization model and a possibility of how to determine them.

5.1 Average unit cost for acquisition of a subsystem

Function cB(t) expressing a dependency of average unit costs for acquisition of a subsystem upon the operating time is defined by Equation 9. Graphical representation of this function is an equilateral hyperbola. The value of this function decreases with extending of operating time.

5.2 Average unit cost for preventive maintenance

The function cM(t) expresses the dependency of unit costs for preventive maintenance upon the operating time:

(15)

where CM(t) expresses the sum of all costs connected with execution of subsystem preventive maintenance during the operating time t. Material, wage and support equipment costs connected with maintenance execution are included. The presented optimization model is based on the assumption that preventive maintenance is carried out in accordance with a schedule and consists in execution of periodic stated maintenance actions. The extent of individual preventive maintenance actions does not substantially vary with operating time, thus the average unit cost for preventive maintenance can be considered constant:

(16)

This conclusion implies that knowledge of costs for execution of preventive maintenance is not necessary for optimization. In other words, the preventive maintenance costs affect the value of total life cycle cost of a subsystem – see Equation 5, but they do not influence the value of the optimum maintenance period topt – see Equation 13.

5.3 Average unit cost for repairs of the subsystem

Equation 10 expresses the dependency of the average unit cost for repairs of a subsystem upon its operating time. A graph of the function cR(t) shown in Figure 2 passes through the co-ordinate origin and increases within the whole range of studied values of operating time. This interpretation is rather simplified because a real course of the function cR(t) usually includes three different parts – running in, a phase of constant failure rate and a phase of wear-out failures. A possible actual course of the function cR(t) is depicted in Figure 3.

Despite all mentioned deviations of the theoretical model from reality, it is obvious that the assumption about the increasing character of the function cR(t) is quite acceptable and not in contradiction with reality. If this precondition is not met in certain portions of service time, the optimization model will be affected negligibly.

However, knowledge of the function cR(t) is a precondition for optimization. The presented model assumes that the course of this function will be based on the results of observation of a group of vehicles in service (several hundreds of vehicles). The whole time of subsystem service will be divided into a finite number of equal time periods and in each of these periods, the cumulative costs expended for repairs of a given subsystem in all vehicles will be observed.

[Figure 3: curve cR(t) against operating time t (vertical axis cR).]

Figure 3. Example of actual course of unit repair costs.

From these costs, the average cost per vehicle in each period of service can be easily established, and from them, a number of discrete values representing the time development of cumulative costs for repair of the subsystem can be determined. These discrete values can be, for the purpose of further solution, approximated by a suitable function CR(t) (e.g. by the method of least squares). This function can be used to obtain the average unit repair cost cR(t) and the instantaneous unit cost for repairs uR(t). Figure 4 shows an example of using discrete values to develop the cumulative costs for repairs function.

6 EXAMPLE OF PRACTICAL APPLICATION OF THE OPTIMIZATION MODEL

The proposed mathematical model was used for optimization of the maintenance concept of military heavy tracked vehicles fielded in the Army of the Czech Republic. In this section the process of optimizing the maintenance period for the vehicle drive train is presented. The applied concept of vehicle maintenance required performing a scheduled preventive repair, consisting in a given subsystem replacement, after covering 12,000 km.

Based on long-term observation of a great number of vehicles, the costs related to repairs of failures of this subsystem were evaluated. The subsystem life cycle was divided into 12 sections (1000 km each), and for each section of service, the average costs attributed to the subsystem repairs were determined. The observation results are shown in Table 1.

From these data, the values characterizing the time development of cumulative costs for the subsystem repairs were calculated. Table 1 provides a survey of the calculated values. The method of least squares was applied to these discrete values to develop a third-order polynomial approximation of the cumulative repair costs of the subsystem (Fig. 5). Then, by suitable conversion of this polynomial function, a course of the average unit cost for repairs and the instantaneous unit cost for repairs was obtained. A mileage of 1 kilometer was used as the unit of service to which the unit costs are related. From the subsystem acquisition price of $12,000, a time dependency of the average unit cost for subsystem acquisition was also derived.

Graphical presentation of the resulting dependencies is shown in Figure 6. As evident from the charts in Figure 6, the subsystem is replaced much sooner than its optimum period of service is achieved. If the subsystem was not replaced and left in the vehicle for further use (until its optimum length of operating time is achieved), then the total unit costs would continue to decrease. Thus, replacement of the subsystem after covering 12,000 km is not optimum in terms of cost efficiency.

[Figure 4: discrete values CR(t1) … CR(t6) at equally spaced times t1 … t6 (spacing ∆t, starting from t0) and the fitted curve CR(t); vertical axis CR, horizontal axis t.]

Figure 4. Approximation of discrete values by a suitable function.

Table 1. Survey of observation results and calculated results.

Interval of operating time (km)   Average repair costs ($)   Time development of cumulative repair costs CR ($)
0–1000                            333                          333
1000–2000                         260                          593
2000–3000                         242                          835
3000–4000                         307                         1142
4000–5000                         326                         1468
5000–6000                         296                         1764
6000–7000                         287                         2051
7000–8000                         361                         2412
8000–9000                         338                         2750
9000–10,000                       412                         3162
10,000–11,000                     503                         3665
11,000–12,000                     661                         4326

[Figure 5: discrete cumulative repair costs CR ($, 0–4000) against t (km, 0–12,000) with the fitted polynomial.]

Figure 5. Approximation of the time development of cumulative costs for repairs.

In this case, it is not possible to establish an exact optimum maintenance period since no data about the behavior of the subsystem after 12,000 km are available. However, from the charts in Figure 6 it can be anticipated that the optimum operating time will probably be within 15,000 – 17,000 km. In accordance with the above-mentioned conclusions, a change of operating time to the replacement of the observed subsystem from 12,000 km to 15,000 km was recommended. Using the described method, a suitable replacement time for all subsystems and vehicle parts where the applied concept of maintenance (replacement) is used was evaluated.

In cases when this evaluation revealed that the operating time to replacement of the subsystem or part is not optimum (it is shorter or longer), the appropriate changes were recommended. Justification of recommended changes in the conception of vehicle maintenance would be verified in the next observation of vehicles with modified periods of maintenance.
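The procedure of Sections 4 to 6 carried through on the Table 1 data, as an added example that is not the authors' code: a third-order polynomial CR(t) is fitted by least squares, cR(t), uR(t) and cB(t) follow from Equations 9 to 11 with the $12,000 acquisition price, and topt is found from the condition of Equation 13. Assumptions of this example: the polynomial is constrained through the origin, the unit preventive-maintenance cost cM is a placeholder value (it does not affect topt, Section 5.2), and the search above 12,000 km extrapolates the fitted polynomial, which the paper notes is not backed by data.

```python
from typing import List, Sequence, Tuple

# Table 1 of the paper: mileage at the end of each 1000 km interval and the
# cumulative repair cost CR ($) observed up to that mileage.
TABLE_1 = [
    (1000, 333), (2000, 593), (3000, 835), (4000, 1142),
    (5000, 1468), (6000, 1764), (7000, 2051), (8000, 2412),
    (9000, 2750), (10000, 3162), (11000, 3665), (12000, 4326),
]
C_B = 12000.0  # subsystem acquisition price in $ (Section 6)
C_M = 0.05     # unit preventive-maintenance cost in $/km: an assumed placeholder,
               # it shifts cC(t) but not topt (Section 5.2)
Coef = Tuple[float, float, float]


def _solve(a: List[List[float]], y: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(y)
    m = [row[:] + [y[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


def fit_cumulative_repair_cost(points: Sequence[Tuple[float, float]]) -> Coef:
    """Least-squares CR = a1*x + a2*x^2 + a3*x^3 with x = t/1000 km.

    No constant term, since no repair cost has accrued at t = 0; working in
    thousands of km keeps the normal equations well conditioned."""
    rows = [[t / 1000.0, (t / 1000.0) ** 2, (t / 1000.0) ** 3] for t, _ in points]
    ys = [float(c) for _, c in points]
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    aty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(3)]
    a1, a2, a3 = _solve(ata, aty)
    return a1, a2, a3


def cumulative_repair_cost(coef: Coef, t: float) -> float:
    """CR(t) in $ at mileage t in km."""
    x = t / 1000.0
    return coef[0] * x + coef[1] * x ** 2 + coef[2] * x ** 3


def average_repair_cost(coef: Coef, t: float) -> float:
    """cR(t) = CR(t)/t in $/km, Equation 10."""
    return cumulative_repair_cost(coef, t) / t


def instantaneous_repair_cost(coef: Coef, t: float) -> float:
    """uR(t) = dCR/dt in $/km, Equation 11 (the /1000 converts $/(1000 km))."""
    x = t / 1000.0
    return (coef[0] + 2.0 * coef[1] * x + 3.0 * coef[2] * x ** 2) / 1000.0


def average_acquisition_cost(c_b: float, t: float) -> float:
    """cB(t) = CB/t in $/km, Equation 9 (an equilateral hyperbola)."""
    return c_b / t


def unit_lcc(coef: Coef, c_b: float, c_m: float, t: float) -> float:
    """cC(t) = cB(t) + cM + cR(t) in $/km, Equation 7."""
    return average_acquisition_cost(c_b, t) + c_m + average_repair_cost(coef, t)


def optimal_period(coef: Coef, c_b: float, lo: float = 1000.0,
                   hi: float = 30000.0, tol: float = 1.0) -> float:
    """topt from uR(t) = cR(t) + cB(t), Equation 13, by bisection on
    g(t) = uR - cR - cB; g < 0 means cC(t) is still falling (dcC/dt = g/t)."""
    def g(t: float) -> float:
        return (instantaneous_repair_cost(coef, t) - average_repair_cost(coef, t)
                - average_acquisition_cost(c_b, t))
    if g(lo) > 0.0 or g(hi) < 0.0:
        raise ValueError("uR - cR - cB does not change sign in the search range")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    coef = fit_cumulative_repair_cost(TABLE_1)
    t_opt = optimal_period(coef, C_B)
    print("CR(t) ~ %.1f x + %.2f x^2 + %.3f x^3   (x = t/1000 km)" % coef)
    for t in (12000.0, t_opt):
        print("t = %6.0f km: uR = %.3f, cR + cB = %.3f, cC = %.3f  $/km" % (
            t, instantaneous_repair_cost(coef, t),
            average_repair_cost(coef, t) + average_acquisition_cost(C_B, t),
            unit_lcc(coef, C_B, C_M, t)))
```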

7 CONCLUSION

The presented method indicates that data from observation of vehicle operational reliability can be successfully employed for optimization of the conditions of their maintenance. By means of the proposed model, it is relatively easy to find reserves in the conception of vehicle maintenance and, by using a simple measure – administrative change of maintenance periods – to attain significant savings in the vehicle LCC.

ACKNOWLEDGEMENT

We are pleased to thank the Ministry of Defense of the Czech Republic that supported development of this method of optimization.


[Figure 6: uR(t) and cR(t) + cB(t) in $/km (vertical axis 0–2.0) against t (km, 4000–18,000); the original time of subsystem replacement is marked at 12,000 km and the curves beyond the observed range are labelled “Expected development”.]

Figure 6. Graphical model of optimization.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Method for correlation of failure data from durability tests and field of automotive engine parts with spontaneous failure mode

M. Vogt & H.R. Neu
Robert Bosch GmbH, Schwieberdingen, Germany

ABSTRACT: Determining the level of fatigue present in components that were used in the field is an important basis for the implementation of accelerated testing. This paper presents a method which enables fatigue determination of intact but pre-aged components that fail spontaneously. In the beginning, components which have been field tested are exposed to additional laboratory testing. Then a fictitious lifetime is computed from the weighted sum of the field lifetime and the laboratory lifetime. These components are then compared against pure laboratory-aged reference parts using the maximum-likelihood method as the comparison criterion. The weighting coefficient is then determined so that the distribution of the fictitious lifetime agrees well with that of the reference parts. Finally the ratio of the failures can be derived from the comparison of field-aged and laboratory tested parts.

1 INTRODUCTION

The modern automobile is not only becoming technologically more complex, but customers also expect their cars to last longer. For these reasons component and system reliability has high importance in the automotive industry. During the process of developing products for the automotive industry, testing is becoming an increasingly time- and cost-consuming process. But the decreasing development time for new automotive products leads to minimized testing time being required. Additionally, legal and market requirements concerning warranty and life expectancy are rising. Especially the US-market demand of 240,000 km useful life has led to a new definition of testing conditions.

To determine the product lifetime, accelerated testing is usually carried out. The purpose of accelerated testing is to find laboratory conditions which are most representative of the field conditions that the components experience.

2 TESTING OF AUTOMOTIVE COMPONENTS

Automotive components can be fatigued by many different physical or chemical mechanisms (e.g. temperatures, temperature cycles, chemical media, water, salt spray, vibrations etc.). These mechanisms occur with different stresses which can be quantified in the following units:

• mileage in kilometers
• operating time in hours
• useful life in years
• number of starts n
• number of cold starts m
• …

In reality these different influences arise coupled.  But the aging of the component can usually be described with one main fatigue mechanism.

The method described in this paper is based on a classic Weibull method (Fahrmeir et al. 1997; Hartung 1998; VDA (Hrsg.) 2002; Robert Bosch GmbH (Publ.) 2000), which is often used to evaluate failure data from technical parts. It is applied in the two-parameter form. Therefore, the reliability R(t) of a part can be described by means of the time t by

(1)

with the characteristic lifetime T and the parametric variable b.

During laboratory testing, methods are used to accelerate the component testing and aging. But first, theoretical methods must be used to derive the laboratory test conditions which best represent the loads components experience in the field. In practice, theoretically determined values used in laboratory testing sometimes do not quantitatively correlate to actual load values seen in field service. Often field parts show substantially smaller fatigue or wear than is expected based on the laboratory testing results. For this reason a method is required to provide a better correlation between laboratory and field results (Vogt & Neu 2002).

2.1 Survey of field data

It should always be taken into account that laboratory testing is always just a model of the field. From a statistical point of view, the field itself is the best data source, due to the large sample population. Therefore, it is useful to analyze parts which have seen field use in order to gain extra information. This practice also is a significant step required to fulfill the laws demanding that a product be observed over its entire lifetime in the field.

During the warranty period, there is usually a good basis for field data, in that all defective parts are registered and evaluated. But this data is often insufficient for developing an end-of-life test, because the parts usually exhibit no wear. These parts fail accidentally at a premature point in time. Data from the end-of-life is under-represented with only few data points from warranty information.

The access to fatigued parts from the field and the corresponding time of failure is difficult. The registration of all failed field parts during the vehicle and component lifetime would be very complex, especially for suppliers. As such the total number of parts that have failed in field, during the whole lifetime, is unknown. Therefore, as an alternative method to generate end-of-life data, intact parts are taken out of the field and their level of fatigue and remaining lifetime is determined.

2.2 Evaluation of intact field parts

The basis of the developed method is the collection of used field parts, which are intact and have not yet failed. The data

• mileage in kilometers
• first date of registration
• date taken out of service or demounted
• vehicle type
• motor type

has to be known to interpret the results. In the following example derivation, the mileage is used to represent load. But the variables for the number of starts, cold starts etc. which were described in Section 2 could be used as well. The hours of service or operating time is used to describe the laboratory load. Alternatively, temperature or stress cycles could also be used. It is only important that component fatigue increases with increasing time or cycles.

The level of fatigue has to be determined exactly to obtain a quantitative connection between the laboratory and field data. The basic assumption is that the testing time tL in laboratory leads to an equivalent level of fatigue S compared to the mileage sF in the field. If the fatigue of the part is measurable and quantifiable, this comparison will be simple. In this case a measurable characteristic exists. The comparison of parts aged in laboratory with those field aged leads to a quantifiable connection between laboratory testing time and mileage accumulated in the field.

This leads to the correlation coefficient cK deduced from laboratory wear SL and field wear SF to

(2)

with the mileage in field sF and the testing time tL. The degree of mechanical wear can be described with this method (Fig. 2).

[Figure 1: schematic of the stages development, testing and field, with field exposure expressed in km and years; the remaining symbols are not recoverable from the extraction.]

Figure 1. The influence of field experience on the testing of automotive parts.

The level of fatigue in many parts cannot be quantified, e.g. broken wires, or the short circuiting of isolators. The stress leads to a fatigue building up but with full functionality of the part still being maintained. Then, at the end of its lifetime the part fails spontaneously, but the point in time when this failure occurs is not predictable. The remaining lifetime of intact parts taken from field can not be given exactly, because of this spontaneous failure mechanism.

3 QUANTIFYING THE LEVEL OF FATIGUE

As the level of fatigue in parts returned from field service is not directly measurable, intact parts from the field are operated in laboratory until they fail (Fig. 3). These parts fail spontaneously after the operating time tA. This time is shorter than that of a new part t'A, because the field part is pre-aged¹.

These field-aged parts, which undergo an additional aging in laboratory, are fatigued twice with two different levels of stress. To take this into account, the fatigue accumulation hypothesis of Palmgren/Miner, analogous to (Haibach 1989), is used. Under this premise, the sequence of loading is not significant. The sum of the wear and tear on the part Ssum is the sum of the individual fatigues. This leads to

(3)

with the individual fatigues Si from laboratory and field.

The assumption that both experienced fatigues are interchangeable leads to the fictitious summing of the operating time tsum which can be defined as

(4)

[Figure 2: two panels of scaled wear (wear out / function limit, 0–1); field: against mileage in 10³ km (0–300); laboratory: against operating time in h (0–500).]

Figure 2. Scaled wear to correlate field and laboratory with variable characteristics.

[Figure 3: field components are taken from the field after mileage sF (converted as 1/cK · sF) and then run in the laboratory for tA until failure; the laboratory components of the reference lot fail after t'A.]

Figure 3. The principle of evaluating attributive characteristics.

¹ Reference values are marked with an apostrophe.


with the mileage sF in the field converted into time and the length of time tA operated in the laboratory until the point of failure. The correlation coefficient has the range cK = 0 … ∞ and is unknown at the beginning. The extreme cK = 0 corresponds to a part that was aged only by field stress; the other extreme cK → ∞ corresponds to a part that was fatigued only by laboratory testing. The value of cK increases with increasing stress in the laboratory, e.g. elevated temperatures: as the share of laboratory fatigue increases, the total fatigue increases proportionally. The value of the coefficient can therefore be interpreted as a measure of the test acceleration.

To separate the factors of laboratory and field aging according to Eq. (4) and to determine the correlation coefficient, a reference value is needed. For this comparison new parts are used which are fatigued only in the laboratory until they fail at the time t'A (Fig. 3).

The previous mileage sF and the time to failure tA in the laboratory must be known. If the life expectancies of the components did not vary or deviate significantly, one field-aged part and one reference component would be enough to determine the unknown correlation coefficient cK according to Eq. (4). But in practice the component life expectancy has a statistical distribution, so that a larger sample of parts must be investigated to determine this correlation coefficient reliably.

Usually, the first step is a classic Weibull analysis of the component failure times t'A using new reference parts fatigued only in laboratory testing (VDA (Hrsg.) 2002; Ronninger 1999). This provides the two Weibull parameters, the characteristic lifetime T'0 and the gradient b'0, as reference values. With the assumption that field and laboratory stress are convertible, the fictitious lifetime of the field parts with the characteristic Weibull parameters

$T, b = f(c_K)$  (5)

has the same distribution, because the fatigue is equal and the parts identical. Thus the Weibull parameters are required to be the same as those determined from the reference parts t'A:

$T(c_K) \overset{!}{=} T'_0 \quad\text{and}\quad b(c_K) \overset{!}{=} b'_0$  (6)

To solve this equation the correlation coefficient cK is varied until the Weibull curves for the reference parts and for the field-aged parts with their fictitious lifetime fit one another as well as possible.

The maximum likelihood method according to (Hartung 1998; Fahrmeir et al. 1997) is used to describe the level of fit between both curves. The likelihood function L with

$\log L = \sum_{i=1}^{n} \log f(T'_0, b'_0 \mid t_{\mathrm{sum},i})$  (7)

will be maximal if the distributions of the fictitious lifetimes tsum and of the reference parts t'A fit as well as possible. Eq. (6) and (7) lead to the desired correlation coefficient. The scaled value L/L0 is used to check the result (Fig. 5). For this scaling the likelihood function L0 of the reference curve is used.

Finally, the correlation coefficient cK gives the ratio between the field and laboratory stress where the likelihood function is maximal,

$L / L_0 \overset{!}{=} \max$  (8)

as shown in Figure 5. Because of the non-linear problem, an optimization algorithm is used to determine the optimum (Fig. 6). For this the golden section and the Brent algorithm are implemented (The Mathworks Inc. 2000a; The Mathworks Inc. 2000b; Press et al. 1986). The negative logarithm of the likelihood function is used as the goal function, which has to be minimized. The optimum is reached after 10 … 15 iterations (Fig. 7). The automatic search is much faster than a classic parametric study with approximately 100 points, which would be necessary to determine the minimum.

Figure 4. Weibull curves for different correlation coefficients cK.

Figure 5. Scaled maximum likelihood function L/L0 for different correlation coefficients cK.
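The procedure of Section 3 (Eqs. 4 to 8) carried through in code, as an added example that is not part of the original paper or its Matlab implementation: a pure-Python maximum-likelihood Weibull fit, the fictitious lifetime t_sum = s_F / c_K + t_A, and a search over c_K that makes the Weibull fit of the fictitious lifetimes agree with the reference fit (T'_0, b'_0), reporting the scaled likelihood L/L_0 as the check of Eq. (8). The paper uses golden section and Brent on the negative log-likelihood; this example uses a coarse scan followed by a golden-section search on a relative parameter mismatch, and its input is a constructed, idealised data set (not the paper's Tables 1 and 2) in which every field part's total life equals a reference life, so the declared c_K of 3200 km/h is recovered exactly. The names weibull_fit, estimate_c_k, make_example_data and the search bracket 500 … 20,000 km/h are this example's own choices.

```python
import math


def weibull_fit(times):
    """Maximum-likelihood Weibull fit: characteristic lifetime T and gradient b.

    The shape b is the root of the profile-likelihood equation, found by bisection
    (the left-hand side is monotone in b); T then follows in closed form.
    """
    n = len(times)
    logs = [math.log(x) for x in times]
    mean_log = sum(logs) / n

    def score(b):
        powers = [x ** b for x in times]
        weighted = sum(p * l for p, l in zip(powers, logs)) / sum(powers)
        return weighted - 1.0 / b - mean_log

    lo, hi = 0.05, 50.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if score(mid) > 0:
            hi = mid
        else:
            lo = mid
    b = 0.5 * (lo + hi)
    T = (sum(x ** b for x in times) / n) ** (1.0 / b)
    return T, b


def weibull_logpdf(T, b, t):
    """log f(T, b | t) of the two-parameter Weibull density."""
    return math.log(b / T) + (b - 1.0) * math.log(t / T) - (t / T) ** b


def fictitious_lifetime(s_f_km, t_a_h, c_k):
    """Eq. (4): field mileage s_F converted to laboratory hours plus laboratory time t_A."""
    return s_f_km / c_k + t_a_h


def golden_section(f, lo, hi, tol=1e-3):
    """Golden-section search for the minimum of a unimodal f on [lo, hi]."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    x1, x2 = hi - g * (hi - lo), lo + g * (hi - lo)
    f1, f2 = f(x1), f(x2)
    while hi - lo > tol:
        if f1 < f2:
            hi, x2, f2 = x2, x1, f1
            x1 = hi - g * (hi - lo)
            f1 = f(x1)
        else:
            lo, x1, f1 = x1, x2, f2
            x2 = lo + g * (hi - lo)
            f2 = f(x2)
    return 0.5 * (lo + hi)


def estimate_c_k(field, reference, c_lo=500.0, c_hi=20000.0):
    """Vary c_K until the Weibull fit to the fictitious lifetimes matches the
    reference fit (Eq. 6). Returns (c_K, (T'_0, b'_0), L/L0 of Eq. 8).

    field:     list of (s_F in km, t_A in h) for field-aged parts
    reference: list of t'_A in h for new parts fatigued only in the laboratory
    """
    T0, b0 = weibull_fit(reference)

    def mismatch(c_k):
        T, b = weibull_fit([fictitious_lifetime(s, t, c_k) for s, t in field])
        return ((T - T0) / T0) ** 2 + ((b - b0) / b0) ** 2

    # Coarse scan first so the golden-section bracket is known to contain the optimum.
    grid = [c_lo + 250.0 * k for k in range(int((c_hi - c_lo) / 250.0) + 1)]
    best = min(grid, key=mismatch)
    c_k = golden_section(mismatch, max(c_lo, best - 250.0), min(c_hi, best + 250.0))

    t_sum = [fictitious_lifetime(s, t, c_k) for s, t in field]
    log_l = sum(weibull_logpdf(T0, b0, t) for t in t_sum)       # Eq. (7)
    log_l0 = sum(weibull_logpdf(T0, b0, t) for t in reference)  # likelihood of the reference curve
    return c_k, (T0, b0), math.exp(log_l - log_l0)


def make_example_data(n=50, T_true=62.0, b_true=4.8, c_k_true=3200.0):
    """Constructed, idealised data set (not the paper's Tables 1 and 2): reference
    lives are exact Weibull quantiles, and each field part has the same total life,
    of which s_F / c_k_true hours were consumed in the field before removal."""
    total = [T_true * (-math.log(1.0 - (i + 0.5) / n)) ** (1.0 / b_true) for i in range(n)]
    mileage = [10_000.0 + 1_200.0 * ((i * 37) % n) for i in range(n)]  # km, 10,000 .. 68,800
    field = [(s, t - s / c_k_true) for s, t in zip(mileage, total)]
    return field, total


if __name__ == "__main__":
    field_parts, reference_parts = make_example_data()
    c_k, (T0, b0), ratio = estimate_c_k(field_parts, reference_parts)
    print(f"reference fit: T'0 = {T0:.1f} h, b'0 = {b0:.2f}")
    print(f"estimated c_K = {c_k:.0f} km/h (declared 3200), L/L0 = {ratio:.4f}")
```

With real data such as the paper's Tables 1 and 2 the two fits never coincide exactly, so the minimum of the mismatch stays positive and the scaled likelihood falls below one; both quantities, like the share of simulations inside the tolerance band of Section 4.3, then measure how well the field and laboratory stresses are convertible.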

4 EXAMPLE OF USE

The developed method is demonstrated with an artificial example to test the implementation. The values are generated randomly such that they describe a failure behavior according to a Weibull distribution. The numbers are generated with the assumption that the fatigue caused by 10⁵ km in the field is equivalent to the fatigue level caused by 31.3 h in the laboratory. This leads to cK = 3200 km/h.

4.1 Scenario

To find the quantified connection, n = 50 intact parts with varying mileage are withdrawn from field use. These parts are operated in the laboratory until they fail (Fig. 3). Simultaneously, new parts are tested to failure as a reference. The necessary data is shown in Tables 1 and 2.

The frequency distribution of the life span up to failure shows the characteristic way in which these parts fail (Fig. 8). The field parts are fatigued differently because of their stochastic pre-aging and varying mileage. In this respect, the failure data are not distributed according to the Weibull form (Fig. 8a). But the frequency distribution of the reference parts conforms to the Weibull distribution (Fig. 8b). The average lifetime of the reference parts is longer than the average life span of the pre-fatigued parts.

Figure 6. Sketch of the optimization process to determine cK.

Figure 7. Correlation coefficient cK and goal function during the optimization process.

Table 1: Mileage sF in 10³ km and life span tA in h of field parts up to failure in laboratory testing.

No.   1     2     3     4     5     …   50
sF    134   159   78    120   127   …   15
tA    18.1  3.1   13.3  27.9  20.1  …   37.3

Table 2: Life span of reference parts up to failure t'A in h to determine T'0 and b'0.

No.   1     2     3     4     5     …   50
t'A   47.1  55.1  58.4  65.0  65.9  …   56.4

4.2 Determination of the correlation coefficient

The characteristic Weibull parameters are determined as T'0 = 62 · 10³ km and b'0 = 4.8. These values are the reference for the calculation of the desired correlation coefficient. Using Eq. (4) and (6), the likelihood function shows the maximum at cK = 2840 km/h. This value corresponds well with the value cK,decl. = 3200 km/h which was defined for checking the method. The Weibull parameters for the components with a fictitious lifetime are determined as T = 61.7 · 10³ km and b = 5.2.

Different scenarios with similar Weibull parameters and identical correlation coefficients lead to similar results (Tab. 3). The correlation coefficient is in the range cK = 2.84 … 3.52 · 10³ km/h. These values agree well with cK,decl. = 3200 km/h, which was used to create the artificial data. The calculated coefficient enables the conversion from field to laboratory conditions, which allows one to make reliable statements about the field behavior of the components in question.

4.3 Influencing parameters

To determine the accuracy of the previously described method, various examinations have been carried out. The most important question is the influence of the point in time at which the field-aged parts are demounted or removed from the field. To clarify this question the Monte Carlo method is used.

Several fictitious data sets were generated using random numbers with the same Weibull parameters and the same correlation coefficient cK,decl., using different lengths of field aging with the respective mileages and time periods. These data sets were examined with the method described. The correlation coefficient is calculated and compared with the one that was used to generate the random numbers.

The examination is carried out with 25 samples each from the field and as reference parts.

The result is defined as permissible if

(9)  with δ = 1.05 … 1.3

using the declared coefficient cK,decl. and the deviation δ. The result is the share of the simulations which fulfill the condition of Eq. (9). This measure is used to determine the accuracy and the confidence of the calculation method. The Monte Carlo simulations show that the accuracy of the statement increases with increasing mileage (Fig. 9). For a deviation of 30% and a confidence of 80%, a scaled demounting lifetime of 30% is sufficient.

The described relationship is valid for the general conditions mentioned above. Additional examinations with different Weibull parameters are still required.

4.4 Evaluation

The examples shown, which are based on Weibull-distributed random numbers, deliver good results for the relationship between field and laboratory aging conditions developed with this method. Both the

Figure 8. Absolute frequency of life span at laboratory failure of 50 parts each; a. field tA, b. reference t'A. [Two histograms of failure time in laboratory in h (0 … 100) against absolute frequency (0 … 15).]

Table 3: Results for different sample sizes n.

n         T (h)   b     cK (10³ km/h)
defined   62.5    5.4   3.20
5         56.0    7.7   4.01
10        64.2    5.4   3.52
20        62.1    5.8   3.02
50        61.7    5.2   2.84
100       60.9    4.7   3.16

implementation of the algorithm and the duration of computation are well suited to practice.

But the reliability of the results obtained depends significantly on the quality of the field data. If outliers or false data occur, the result can be corrupted. Large dispersions in field stresses can also negatively influence the accuracy of the result. If the fatigue in the field is considerably lower than that in the laboratory, the deviation can be larger. For this reason, the differences in fatigue levels that should be identified are often veiled by the dispersion in laboratory conditions. In this case the testing parameters should be reassessed, as the testing conditions are much harsher than those experienced in the field. In the case of well-correlated testing parameters the new method provides additional information about the expected lifetime in the field.

5 CONCLUSIONS

The method developed enables the quantification of fatigue levels present in intact components exhibiting a spontaneous failure mode. The examples shown demonstrate good results in deriving a quantitative relationship between laboratory and field conditions. An important basis is the field parts data set, which must be big enough. Additionally, initial investigations concerning the accuracy of the results have been carried out.

But the accuracy of the method must be investigated further. The quality of the results can be influenced significantly by several factors including: using different data sets, Weibull parameters, or changing the ratio between field and laboratory stresses. Further investigations to improve the accuracy are planned.

The developed method makes a significant contribution to better correlating field and laboratory testing. Additionally, this method contributes not only to a more efficient product development process but can also result in significant savings in time and cost during the component testing period.

REFERENCES

Fahrmeir, L., R. Künstler, I. Pigeot & G. Tutz (1997). Statistik – Der Weg zur Datenanalyse. Springer-Verlag, Berlin u. a.

Haibach, E. (1989). Betriebsfestigkeit. VDI-Verlag, Düsseldorf.

Hartung, J. (1998). Statistik – Lehr- und Handbuch der angewandten Statistik, 11. Aufl. Oldenbourg Verlag, München.

Press, W.H., B.P. Flannery, S.A. Teukolsky & W.T. Vetterling (1986). Numerical Recipes, The Art of Scientific Computing. Cambridge.

Robert Bosch GmbH (Publ.) (2000). Automotive Handbook. 5th ed., Stuttgart.

Ronninger, C.U. (1999). Zuverlässigkeitsanalyse mit Weibull in Entwicklung und Serie. ATZ 101 (99), pp. 942–949.

The Mathworks Inc. (2000a). Matlab, The Language of Technical Computing; Vers. 6. Natick.

The Mathworks Inc. (2000b). User's Guide Statistics Toolbox, For use with Matlab; Vers. 3. Natick.

VDA (Hrsg.) (2002). Qualitätsmanagement in der Automobilindustrie, Zuverlässigkeitsmethoden und -Hilfsmittel; Band 3, Teil 2, 3. Aufl. Frankfurt.

Vogt, M. & H. Neu (2002). Auswertungsverfahren zur Korrelation von Felddaten und Erprobungsbedingungen von Kfz-Komponenten. TTZ 2002, Zuverlässige Produkte, Düsseldorf, pp. 161–174.

Figure 9. Confidence of calculations with different deviations δ. [Confidence in % (0 … 100) against taking from field / lifetime in % (0 … 100), for δ = 1.05, 1.1, 1.2 and 1.3.]

Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7

Time-dependent reliability analysis of coastal flood defence systems

H.G. Voortman
ARCADIS Infra, Amersfoort, The Netherlands

J.K. Vrijling
Delft University of Technology, Faculty of Civil Engineering and Geosciences, Delft, The Netherlands

ABSTRACT: Risk- and reliability-based design methods are useful tools in the design of coastal flood defence systems. Applications to date often neglect the effects of climate change on the optimal design of a flood defence structure. In the paper, a method is proposed to incorporate climate change in design optimisation. The method is based on the use of fragility curves to quantify the effects of climate change on the probability of failure of a flood defence structure. The combination of fragility curves with scenarios of climate change then leads to an estimate of the hazard rate of the flood defence structure. A case study demonstrates the application of the proposed method.

1 INTRODUCTION

Risk- and reliability-based design methods prove to be useful tools in the design of flood defence systems. Uncertainties in load and strength of flood defences can be explicitly accounted for in the design by application of reliability-based methods. The consequences of flooding and the cost of protection form the basis for establishing an appropriate reliability level by application of risk-based optimisation.

Very often, in the application of reliability- and risk-based methods to the design of flood defences, it is implicitly assumed that the environmental conditions do not change over time. However, there are indications that the environmental conditions do change. The increase of the mean sea level along the Dutch coast is clearly present in observations of the water level. Furthermore, there are indications that world-wide climate change is imminent.

In this paper, a method will be proposed to deal with climate change in the risk-based design of flood defence systems. The method is aimed at application in practice, which implies that the method should be applicable to large-scale systems. To this end, the risk-based design strategy proposed by Voortman and Vrijling (2001) will be used (see also Voortman, 2002).

2 PROBLEM OUTLINE

The level of protection provided by a flood protection system is ideally obtained by balancing the cost of protection with the obtained reduction of the flooding risk in the protected area. Based on this idea, risk-based design methods for flood defences have been developed, starting with the economic optimization of the safety level of Dutch dikes by Van Dantzig (1956). Van Dantzig's analysis considered the water level in front of the protection system as the only random variable.

In the 1960s and 1970s, probabilistic methods were developed in the realm of structural engineering (see for instance Turkstra, 1962, 1970). This development took place largely independently of the aforementioned risk-based design method for flood defences. In the late 1970s and 1980s, probabilistic methods were again recognised as important tools for design in coastal engineering (Vrijling & Bruinsma, 1980; Bakker & Vrijling, 1980). Recently, the concepts of risk-based optimisation have been integrated with up-to-date probabilistic methods, resulting in a method for risk-based design of large-scale flood defence systems (Voortman, 2002).

The risk-based design method as shown in Voortman (2002) implicitly assumes an unchanging natural environment for which the defence structure is designed. Recent research appears to indicate that major climate changes are imminent (Intergovernmental Panel on Climate Change, 2001; Dutch Meteorological Institute, 2001). Since a flood defence system should be designed for the future, a method needs to be found in which future climate changes can be incorporated in the risk-based design method.


3 ECONOMIC OPTIMISATION OF FLOOD DEFENCES

3.1 Time-independent formulation

As stated before, risk-based design aims at achieving an appropriate balance between the cost of the protection system and the consequences of flooding. A variety of monetary and non-monetary costs and consequences may be relevant to the decision on the design safety level of a flood protection system. See Voortman (2002) for an overview.

In this paper, the decision problem will be limited to the monetary aspects of the decision only, which results in economic optimisation of the protection level. Mathematically, an optimally designed flood protection system is achieved by solving:

(1)

where Clife denotes the life-cycle costs of the flood defence and Pflood the flooding probability. The life-cycle costs of the protection system are given by:

(2)

where I denotes the direct cost of protection, b0 the loss of production capacity in case of flooding, d0 the material damage in case of flooding, re the rate of economic growth, i the inflation, r the market interest rate and T the planning period.

Every value of the flooding probability Pflood corresponds to a geometry of the protection system that can be constructed on site. Thus, the process of economic optimisation has a strong link with the actual design practice of flood defences. The cost of the protection system can be found by estimating the direct cost of the system as a function of the geometry of the flood defence. Monetary consequences of flooding follow from an inventory of the value of the protected area. The rates of interest, inflation and economic growth may be estimated from historic data. In the formulation of equation 2, fixed values are assumed for these three parameters.

3.2 Time-dependent formulation

Economic optimisation as formulated in the previous section assumes an unchanging value of the flooding probability over time. This can only be achieved if:

– The properties of the climate and of the structure do not change over time, or

– The changes in the structure exactly balance the changes of the climate.

Both options are unlikely, so that in general changes of the flooding probability over time need to be accounted for in a risk-based design approach. In principle this is achieved by replacing the flooding probability in equation 2 with the hazard rate h:

(3)

where Pflood;0 denotes the flooding probability immediately after construction (design flooding probability).

The cost of construction is a function of the flooding probability just after construction. The hazard rate is a function of time and of the design flooding probability. Once a flood defence structure is constructed, it will respond autonomously to changes in climate. The flooding risk over time can in principle be influenced only through the value of the design flooding probability Pflood;0.

4 THE HAZARD RATE OF A COASTAL FLOOD DEFENCE SYSTEM IN A CHANGING CLIMATE

4.1 General

The hazard rate of a flood defence system is influenced both by time-dependent changes of the structure and by time-dependent changes of the climate. In this paper, only changes of the climate will be considered, but the proposed method can also be applied to quantify the consequences of changes of the structure.

Sea level rise and its effects on the optimal design of flood defences were studied by Vrijling and Van Beurden (1990). This work considered only the water level as a random variable.

In practice, the water level in front of a coastal flood defence depends on two important influences:

– The mean sea level and the tidal amplitude;

– The wind field over the neighbouring water body.

Especially in shallow seas like the North Sea, strong winds may cause a considerable increase in the water level. This increase due to the wind is denoted "wind setup". Furthermore, the wind field is responsible for the intensity of the wave attack on coastal flood defences.

It is often suggested that climate changes not only cause a rise of the mean sea level, but also lead to an increase of the frequency and intensity of storms.


If this is true, the extreme water levels will show a larger increase than the mean sea level, due to increased wind setup. Furthermore, increased intensity of storms will cause an increase of wave attack. In summary: an analysis of the effects of sea level rise only is insufficient to fully appreciate the effects of climate change on the level of flood protection.

4.2 The use of fragility curves

Fragility is defined by Casciati and Faravelli (1991) as the probability of failure conditional on a specific value of the loading. Dawson and Hall (2001, 2002) used fragility curves to characterise the quality of a flood defence structure without the necessity to analyse the loading conditions.

Fragility curves can also be used to quantify the effects of changes in the loading due to climate change. In that case, the fragility is given as a function of changes in the parameters of the probability distributions of the loading. Figure 1 shows an example.

The fragility curve in figure 1 shows the probability of failure of the flood defence for given values of the initial (design) failure probability and a given value of the sea level rise. Sea level rise changes the mean of the astronomic tide in front of the structure and thus influences the loading.

4.3 Uncertainties in climate change

The fragility curve in the previous section shows the probability of failure for a given value of the sea level rise. However, in the design stage of a flood defence, future sea level rise is unknown. At best, estimates are available of the temporal development and the uncertainty of the sea level rise. A scenario for sea level rise thus provides a probability distribution of the sea level rise a number of years in the future. Figure 2 shows an example where the assumption is made that the sea level rises linearly over time but the rate of sea level rise is uncertain.

The rate of the sea level rise is assumed to be normally distributed with fixed values of the mean and standard deviation. The effect is that both the mean and the standard deviation of the sea level rise increase over time. Thus, the climate scenario provides estimates of the distribution of future sea level rise. The probability of failure at a time in the future is then given by:

(4)

where p is a vector of parameters that change as a function of time. Equation 4 is easily extended to incorporate other aspects of climate change.

5 TIME-DEPENDENT RELIABILITY OF A FLOOD DEFENCE ALONG THE SOUTHERN NORTH SEA COAST

5.1 General

The analysis of the time-dependent reliability of a coastal flood defence will be demonstrated in a case study taken from Voortman (2002). Figure 3 shows the location of the case study area.

In the case study, the probability of failure of a coastal flood defence system in the Dutch province of Groningen is calculated with the wind speed and the astronomic tide as dominant input variables. Assumptions will be made regarding the effect of climate change on the probability distribution of the astronomic tide and the probability distribution of wind speed. The assumptions do not affect the generality of the method.

Figure 1. Example of a fragility curve for sea level rise. [Probability of failure (1/year, 10⁻⁵ … 10⁻²) against sea level rise (0 … 1 m).]

Figure 2. Example of a scenario for climate change including uncertainty. [Increase of mean sea level (0 … 1 m) against time since construction (0 … 100 years); mean sea level rise with 90 % confidence bounds.]

5.2 Sea level rise

In observations of the water level along the Dutch coast, an 18.6-year cycle and a trend are clearly observed (see Table 4).

The mean long-term sea level rise amounts to 0.20 m per century. The cycle is a well-known tidal phenomenon (Godin, 1972).

For policy studies, the Dutch Institute for Coastal and Marine Management uses three deterministic scenarios and one scenario including uncertainty. Table 2 shows an overview. Based on the indicated values of sea level rise and wind speed change in the year 2100, in this paper functions are proposed for the time-dependent changes of the climate. Sea level rise will be modelled as a linear function of time, according to:

(5)

The value and distribution of the parameter ah depend on the scenario considered. Figure 5 shows the probability distribution of sea level rise at different times in the future according to scenario 4.

5.3 Change of wind climate

Based on the work of Wieringa and Rijkoort (1983) and on an analysis of 20 years of wind observations, Voortman (2002) derived the distribution of the five-hour averaged wind speed at the case study location. Table 1 provides an overview.

It is suggested that climate change may increase the frequency and the intensity of storms over the North Sea, but information is highly limited. The Dutch Institute for Coastal and Marine Management suggests

Figure 3. Case study location in the southern North Sea.

Figure 4. Yearly averaged sea level observed at the water level station Delfzijl (information obtained from the Dutch Institute for Coastal and Marine Management). [Mean sea level at station Delfzijl (CD + m) against year (1920 … 2000); observations and trend of 0.20 m per century.]

Figure 5. Distribution of future sea level rise according to climate scenario 4. [Probability density (1/m) against sea level rise (m) for 2010, 2050 and 2100.]

Table 1. Probability distribution of five-hour averaged wind speed in the case study area (Voortman, 2002).

Property of distribution   Value
Distribution type          Weibull
Shift parameter            19.8 m/s
Scale parameter            2.83 m/s
Shape parameter            1.2

an increase of the wind speed in storms of 10%. In this paper, the increase of the wind speed will be assumed to influence the shift parameter of the wind speed distribution in the case study area. The shift parameter is assumed to increase linearly over time according to:

(6)

The distribution and parameter values of au depend on the scenario considered. Figure 6 shows an example for scenario 4.

5.4 Deriving the fragility curve

Voortman (2002) derived optimal geometries for the flood defence structure for failure probabilities ranging from 10⁻¹ per year to 10⁻⁶ per year, using four different failure modes and six different design variables for a dike cross section. The effects of sea level rise and increased wind speed are quantified by calculating the probability of failure for combinations of structure geometry, sea level rise and wind speed increase in a level II method, using the optimal geometries derived by Voortman (2002). The results of the model runs can be summarised by a parametric model of the following form:

(7)

where Pf;0 is the design flooding probability, Δh the sea level rise, Δu the change of the wind climate and a and b model parameters.

The values of the parameters of the model are derived using the least-squares method. The fitted model shows a satisfactory match with the data (figure 7).

5.5 Calculation of the hazard rate

Combining the climate scenarios with the fragility curve provides the hazard rate for the flood defence structure. Not only the marginal distributions of the climate changes but also the dependencies between them influence the final result. Figure 8 shows the hazard rate calculated for a structure with an initial probability of failure of 10⁻⁴ per year using scenario 4. The hazard rate is calculated for two cases of dependence:

Figure 6. Distribution of future changes in wind speed according to climate scenario 4. [Probability density (s/m) against change of wind climate (m/s) for 2010, 2050 and 2100.]

Figure 7. Comparison of parametric fragility curve with results of numerical model. [Failure probability of the parametric model (1/yr) against failure probability of the numerical model (1/yr), both 10⁻⁷ … 1.]

Figure 8. Hazard rate calculated for two cases of dependence between climate changes. [Probability of failure (1/year, 10⁻⁴ … 10⁻²) against time (0 … 200 years since construction); changes of wind and sea level independent versus fully dependent.]

independence between sea level rise and wind climate change, and full dependence between sea level rise and wind climate change.

As expected, dependence between sea level rise and wind climate change leads to a larger increase of the flooding probability over time than independence. Since the changes of sea level and wind climate both stem from the same cause, some degree of dependence appears to be realistic. In the following, full dependence will be assumed. Figure 9 shows the hazard rate for the four scenarios shown in Table 2.

Up to 150 years after construction, the maximal scenario (scenario 3) leads to the highest values of the hazard rate. After 150 years, scenario 4 leads to the highest values of the hazard rate. The reason for this is that in scenario 4 the uncertainties on the climate changes increase over time. For times after construction longer than 150 years, the increased uncertainty in scenario 4 dominates over the larger increase of the mean climate change in scenario 3.
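The hazard rate of Sections 4.3 and 5.5 computed numerically, as an added example that is not the paper's own calculation: the sea level rise and wind speed change of scenario 4 (Table 2) grow linearly in time with normally distributed rates, and the failure probability at time t is the expectation of a fragility curve over that distribution, evaluated once for independent and once for fully dependent changes. The paper's parametric fragility model (Eq. 7) is not reproduced on the page, so a log-linear fragility with the sensitivities K_H and K_U is assumed here, as is the reading that construction at t = 0 corresponds to the year 2000; pf0, scenario_at, hazard_rate and the trapezoidal quadrature rule are this example's own names and choices. The closed-form lognormal expectation is included only to check the quadrature.

```python
import math

# Scenario 4 of Table 2 (Dutch Institute for Coastal and Marine Management), values for 2100.
SCENARIO_4 = {
    "dh_mean_2100": 0.6,   # mean sea level rise in 2100 (m)
    "dh_sd_2100": 0.25,    # standard deviation of sea level rise in 2100 (m)
    "du_mean_2100": 0.0,   # mean increase of wind speed in 2100 (m/s)
    "du_sd_2100": 1.98,    # standard deviation of wind speed increase in 2100 (m/s)
}
YEARS_TO_2100 = 100.0  # assumption: construction at t = 0 corresponds to the year 2000


def scenario_at(t, sc=SCENARIO_4):
    """Mean and sd of sea level rise (m) and wind speed change (m/s) t years after
    construction. Both changes grow linearly in time (Eqs. 5 and 6 of the paper),
    so mean and standard deviation scale with t / 100."""
    f = t / YEARS_TO_2100
    return (sc["dh_mean_2100"] * f, sc["dh_sd_2100"] * f,
            sc["du_mean_2100"] * f, sc["du_sd_2100"] * f)


# Assumed fragility curve. The paper's parametric model (Eq. 7) is not on the page;
# this stand-in is log-linear in both climate changes and capped at probability 1.
K_H = math.log(30.0)         # assumption: 1 m of sea level rise multiplies Pf by 30
K_U = math.log(3.0) / 1.98   # assumption: +1.98 m/s in storms multiplies Pf by 3


def fragility(pf0, dh, du):
    """Failure probability per year for design probability pf0, sea level rise dh (m)
    and wind speed change du (m/s)."""
    return min(1.0, pf0 * math.exp(K_H * dh + K_U * du))


def _standard_normal_rule(zmax=8.0, step=0.05):
    """Trapezoidal quadrature nodes and weights for E[g(Z)], Z standard normal."""
    n = int(round(2.0 * zmax / step)) + 1
    nodes = [-zmax + k * step for k in range(n)]
    weights = [math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi) * step for z in nodes]
    weights[0] *= 0.5
    weights[-1] *= 0.5
    return nodes, weights


_NODES, _WEIGHTS = _standard_normal_rule()


def hazard_rate(pf0, t, dependent):
    """Eq. (4) in words: failure probability at time t, averaged over the scenario's
    distribution of the climate parameters. `dependent` selects full dependence
    (one common standard-normal driver for both changes) versus independence."""
    mh, sh, mu, su = scenario_at(t)
    if dependent:
        return sum(w * fragility(pf0, mh + sh * z, mu + su * z)
                   for z, w in zip(_NODES, _WEIGHTS))
    total = 0.0
    for z1, w1 in zip(_NODES, _WEIGHTS):
        dh = mh + sh * z1
        for z2, w2 in zip(_NODES, _WEIGHTS):
            total += w1 * w2 * fragility(pf0, dh, mu + su * z2)
    return total


def hazard_rate_closed_form(pf0, t, dependent):
    """Lognormal expectation of the uncapped fragility, valid while the cap at 1 is
    not reached; used to check the quadrature."""
    mh, sh, mu, su = scenario_at(t)
    rho = 1.0 if dependent else 0.0
    var = (K_H * sh) ** 2 + (K_U * su) ** 2 + 2.0 * rho * K_H * K_U * sh * su
    return pf0 * math.exp(K_H * mh + K_U * mu + 0.5 * var)


if __name__ == "__main__":
    for years in (0, 50, 100, 150, 200):
        print(f"t = {years:3d} a: independent {hazard_rate(1e-4, years, False):.2e}, "
              f"dependent {hazard_rate(1e-4, years, True):.2e}")
```

Because the same standard-normal driver feeds both changes in the dependent case, the variance of the exponent gains the cross term 2·K_H·K_U·σ_h·σ_u, which is why full dependence gives the larger hazard rate in Figure 8. Once the tail of the scenario pushes the fragility against the cap of 1 the closed form no longer applies and only the quadrature is meaningful.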

6 OPTIMISATION OF A FLOOD DEFENCE IN A CHANGING CLIMATE

6.1 General

With the hazard rate calculated in the previous section, the risk-based optimisation of the flood defence system can be performed for different scenarios of climate change. In this section economic optimization of the flood defence system is performed for several scenarios of climate change.

6.2 Input data

The construction cost of the coastal flood defence system as a function of the flooding probability is derived in Voortman (2002) by reliability-based optimisation. The construction cost is given by the following function:

(8)

where Pf;0 is the design flooding probability and a and b are parameters. The costs are given in euro.

The damage in case of flooding consists of material losses and loss of production capacity in the protected area. The economic input used in the optimization is shown in Table 3.

6.3 Results of the optimisation

Figure 10 shows the life-cycle cost of the flood defence system for the four scenarios of climate change in comparison to the case without climate change. The influence of climate change on the life-cycle cost and on the optimal flooding probability is clearly visible. A summary of the optimal designs for the five cases is given in Table 4.

As expected, climate change lowers the optimal design flooding probability. This implies an increase of the direct cost of protection by at most 10% in scenario 3. The expected value of the future flooding

Figure 9. Hazard rate of the flood protection system for four different scenarios of climate change. [Probability of failure (1/year, 10⁻⁴ … 10⁻²) against time (0 … 200 years since construction) for scenarios 1 to 4.]

Table 2. Climate scenarios used by the Dutch Institute for Coastal and Marine Management (2000).

Scenario  Description             Distribution of   Mean sea level     Std. deviation of       Mean increase of        Std. deviation of increase
                                  climate changes   rise in 2100 (m)   sea level rise 2100 (m) wind speed 2100 (m/s)   of wind speed 2100 (m/s)
1         Minimal scenario        Deterministic     0.2                n.a.                    0                       n.a.
2         Middle scenario         Deterministic     0.6                n.a.                    0                       n.a.
3         Maximal scenario        Deterministic     0.85               n.a.                    1.98                    n.a.
4         Probabilistic scenario  Normal            0.6                0.25                    0                       1.98

damage (flooding risk) also shows an increase incomparison to the case without climate change.

7 DISCUSSION

A method has been presented to incorporate climate change in reliability- and risk-based design of flood defences. Uncertainty in climate changes is dealt with in a consistent way.

The analysis as it is presented is aimed at application in the design stage of a flood defence. Historic information may be used to establish scenarios for climate change. The final decision on the optimal design incorporates the knowledge of climate changes at the design stage.


Table 3. Input for economic optimisation of the flood defence system.

Parameter | Description | Value | Remark
a | Slope of investment function | 0.18 | Voortman (2002)
b | Intercept of investment function | 8.81 | Voortman (2002)
d0 | Monetary value of the area | GEuro 34 | Taken from PICASO study*
b0 | Yearly gross domestic product | GEuro 14.40 | Value of 1998#
r | Interest rate | 0.07 per year | Average over 1960–2001#
re | Rate of economic growth | 0.03 per year | Average over 1960–2001#
i | Inflation | 0.02 per year | Average over 1960–2001#
T | Reference period | 100 years | Assumed value

* RWS, 2001.
# Data obtained from the database of the Dutch Central Bureau of Statistics.

[Figure 10 (plot not reproduced): life-cycle cost (GEuro, 3 to 8) against design flooding probability (1/year, logarithmic axis from 1·10^-6 to 1·10^-3) for scenarios 1 to 4 and for the case with no climate change.]

Figure 10. Life-cycle costs of the flood protection system as a function of design flooding probability.

Table 4. Results of risk-based optimisation for different scenarios for climate change.

Scenario climate change | Optimal flooding probability (10^-4/year) | Direct cost of protection (GEuro) | Expected future flooding damage (GEuro) | Life-cycle cost (GEuro)
1 | 2.1 | 2.99 | 0.48 | 3.48
2 | 1.9 | 3.04 | 0.51 | 3.55
3 | 1.3 | 3.26 | 0.61 | 3.87
4 | 1.7 | 3.12 | 0.55 | 3.66
None | 2.2 | 2.98 | 0.47 | 3.44


As time after construction passes, more and more knowledge on the actually occurring climate changes becomes available. This information can then be used to update the initial scenarios for climate changes. Bayesian methods may be applied for this purpose.

The methods as presented can not only be used to quantify the effects of climate changes, but also to quantify the effect of time-dependent changes in the structure itself. Like in the case of climate change, a scenario may be defined that describes the ageing process of the defence structure and the uncertainty around it.

The information on the state of the structure and the state of the climate can be combined to support decision-making on upgrading or replacement of older deteriorated flood defences.

8 CONCLUSIONS

Recent climate research indicates that important changes in the world climate are to be expected. Climate change will influence the loading and thus the reliability of coastal flood defences.

Because flood defences are built for the future, design choices should reflect the knowledge of future climate changes. A method is proposed to incorporate climate scenarios in a risk-based approach to flood defence design.

In a case study, economic optimisation of a flood defence system in the southern North Sea is performed. Inclusion of scenarios for climate change leads to lower optimal design flooding probabilities than in the case where climate change is neglected. Consequently, the direct cost of protection and the life-cycle costs of the protection system increase.

The proposed method may also be used in combination with deterioration models for flood defences, in which case also the resistance of the structure is a function of time. Finally, during the life of the protection system, observations may be used to constantly update the climate scenarios using Bayesian methods. Thus, the model can be used to support decision-making on upgrading of older deteriorated flood defences.

ACKNOWLEDGEMENT

The basis of the work in this paper was established while the first author was employed as research assistant at Delft University of Technology. The fruitful cooperation with Dr. P.H.A.J.M. van Gelder is gratefully acknowledged.

REFERENCES

Bakker, W.T. & Vrijling, J.K., 1980, Probabilistic design of sea defences, Proceedings of the International Conference on Coastal Engineering (ICCE).

Casciati, F. & Faravelli, L., 1991, Fragility analysis of complex structural systems, Taunton: Research Studies Press.

Dawson, R.J. & Hall, J.W., 2001, Improved condition characterization of coastal defences, Proceedings of the conference "Coastlines, structures and breakwaters", London: Institution of Civil Engineers.

Dawson, R.J. & Hall, J.W., 2002, Probabilistic condition characterisation of coastal structures using imprecise information, Proceedings of the International Conference on Coastal Engineering (ICCE).

Dutch Institute for Coastal and Marine Management, 2000, Third report on coastal development, tradition, trends and future (in Dutch).

Godin, G., 1972, The analysis of tides, Liverpool University Press, Liverpool.

Intergovernmental Panel on Climate Change (IPCC), 2001, IPCC Third Assessment Report – Climate Change 2001, www.ipcc.ch.

Royal Dutch Meteorological Institute, 2001, Weather and water in the 21st century, a summary of the third IPCC climate report for water management in the Netherlands (in Dutch).

Turkstra, 1962, 1970, Theory of structural design decisions, University of Waterloo.

Van Dantzig, D., 1956, Economic decision problems for flood prevention, Econometrica, Vol. 24, pp. 276–287.

Voortman, H.G. & Vrijling, J.K., 2001, A risk-based optimization strategy for large-scale flood defence systems, Proceedings IABSE-conference Safety, Risk and Reliability – Trends in Engineering.

Voortman, H.G., 2002, Risk-based design of large-scale flood defence systems, PhD thesis, Delft: Delft University of Technology.

Vrijling, J.K. & Bruinsma, J., 1980, Hydraulic boundary conditions, Symposium on hydraulic aspects of coastal structures.

Vrijling, J.K. & Van Beurden, I.J.C.A., 1990, Sea level rise: a probabilistic design problem, Proceedings of the International Conference on Coastal Engineering (ICCE).

Wieringa, J. & Rijkoort, P.J., 1983, Wind climate of the Netherlands, Royal Dutch Meteorological Institute (in Dutch).


Adding a new perspective to the existing results by baseline NPP PSA model: parameters uncertainty implementation

Ivan Vrbanic, Nuclear Power Plant Krško, Vrbina, Krško, Slovenia

Romana Jordan Cizelj, "Jožef Stefan" Institute, Reactor Engineering Division, Jamova, Ljubljana, Slovenia

ABSTRACT: The paper describes the ongoing project of introducing parameters' uncertainty into the baseline PSA model of Nuclear Power Plant Krško (NEK). Up to now, the values of parameters in the PSA model were expressed as point estimates. As more and more stress has been put on the importance of uncertainty analyses when using PSA in risk-informed applications, the decision was made to incorporate parameter uncertainty analysis into the NEK PSA model for internal events. The major categories of parameters that are treated in this paper are probabilities of components' failure per demand, failure rates and unavailability due to test and maintenance (TM). Uncertainty distributions of these types of parameters have been introduced into the model and uncertainty has been propagated to the core damage frequency (CDF) level. The paper presents the uncertainty distribution of CDF and provides a discussion on some relevant issues associated with the subject.

1 INTRODUCTION

The PSA model of Krško Nuclear Power Plant (NEK) was developed during the early nineties following the US IPE (United States' Individual Plant Examination) methodology (US NRC 1988) and in accordance with the International Atomic Energy Agency (IAEA) guides (IAEA 1992). The results (core damage frequency, various systems' unavailability, etc.) were expressed as point estimates. To address the impact of potential uncertainty of data on PSA results, various sensitivity cases were run and evaluated. This served the primary purpose of IPE-type analysis, which was focused on evaluation of the existing plant design. Upon the completion of IPE, NEK started to use the PSA model for various applications. As the usage of PSA in NEK increased with time, so did the awareness of the need to perform uncertainty analysis as an integral part of the baseline PSA model and its applications. In order to facilitate the Living PSA program and applications, NEK subsequently performed the transfer of the initial IPE PSA model into Risk Spectrum, an integral PSA tool, which, among other advanced features, supports uncertainty analyses.

During the recent past years, PSAs became worldwide recognized tools for various risk-informed applications in the field of nuclear power plant operation and design. Guides have been developed as an attempt to achieve a certain level of standardization in PSA applications (e.g. ASME 2002 and US NRC 1998), which also put additional stress on the importance of uncertainty analyses.

Consequent to these issues and concerns came a decision to incorporate parameter uncertainty analysis into the NEK PSA model for internal events. It is performed in two phases. The first phase of the project is coming to a conclusion (Jordan Cizelj & Parzer 2002, Vrbanic et al. 2003 in prep.). The major categories of parameters that were treated in the first part of the uncertainty analysis are probabilities of components' failure per demand, failure rates, unavailability due to TM and some special parameters, for example exposure times.

Categories such as initiating events' frequencies and human error probabilities are being treated in the second phase of the project. The uncertainty distributions for the parameters from the first phase have been established and introduced into the baseline PSA model. The uncertainty has been propagated to CDF, based on Monte Carlo simulations built into Risk Spectrum. The paper presents the CDF uncertainty distribution and discusses some relevant issues associated with the subject.


2 UNCERTAINTY ANALYSIS OF PARAMETERS IN PSA MODEL

The PSA model of concern is a Level 1 model with internal initiating events (Westinghouse-NEK 1994). The top event represented is core damage due to internal initiating events. So, the model is used to calculate the frequency of occurrence of the core damage event (i.e. core damage frequency or CDF). There are 16 categories of initiating events with corresponding 16 event trees, each one representing a plant response to the given initiator. Responses of plant systems that take part in event trees' sequences are presented by means of fault trees. The overall model relies on the fault tree linking methodology, meaning that support systems' fault trees are linked into the fault trees of frontline systems, which in turn are linked into the event tree sequences.

The model contains, roughly, some 2500 fault tree gates. In the fault tree structure there are approximately 1500 basic events, not counting those representing common cause failures (CCF). (The CCF-type basic events are created in an automated manner on the basis of specified CCF groups, whenever a minimal cutset analysis is being performed.)

The probabilities of these 1500 basic events are calculated by means of more than 350 parameters. A rough breakdown of types of parameters contained in the NEK PSA model for internal initiating events is presented in Table 1.

Out of the 350 parameters from Table 1, uncertainty distributions have been defined and introduced in the PSA model for categories 1 (probabilities of failures per demand), 2 (failure rates) and 3 (unavailability due to test or maintenance), which makes somewhat more than half of the overall parameters' population. Uncertainty distributions for the remaining categories will be added in the second phase.

Uncertainty of various exposure times included in the model was also evaluated during the first phase. However, in the runs considered in this paper these parameters were treated as point estimates. It is also noted that Table 1 does not contain frequencies of initiating events. As already mentioned, there are 16 initiators. Eleven of them are presented by means of basic events (frequency-type) while the remaining ones are modeled as fault trees. Uncertainties of parameters representing initiating events' frequencies will also be treated and introduced in the model in the second phase.

The CDF, as calculated from minimal cutsets generated prior to introduction of any parameter uncertainty, was 3,17E-05/yr (Vrbanic et al. 2002). The absolute truncation value applied was 1E-10 (/yr).

Uncertainty distributions for probabilities of failures per demand and failure rates were established by combining generic and plant specific data input, in accordance with well-known practices (e.g. Hickman, J. W., et al. 1983, Bari, R. A. et al. 1985). Binomial and Poisson likelihood functions were applied for demand-related probabilities and failure rates, respectively. The obtained posterior distributions were fit to analytical probability distributions allowed by Risk Spectrum. In almost all of the cases this resulted in lognormal distributions that were incorporated into the model. Uncertainty distributions of equipment unavailability due to TM were defined as lognormal distributions directly. Details on the determination of uncertainty distributions are provided in the report (Jordan Cizelj & Parzer 2002) and a series of papers (Jordan Cizelj & Vrbanic 2001, Jordan Cizelj & Vrbanic 2002a,b, Jordan Cizelj et al. 2002).

Upon introducing parameter uncertainties into the model, the first step was to re-generate minimal cutsets under the pre-defined conditions and to obtain a "new" point estimate of CDF. In the case of parameters with newly defined distributions, the point estimator of the parameter of concern is the mean value of the specified distribution. The point estimate of CDF obtained was 3,13E-05/yr (Vrbanic et al. 2003 in prep.), which is only slightly different from the old point estimate value of 3,17E-05/yr. The difference was generally attributable to differences introduced between distributions' mean values and "old" point estimates, due to numerical Bayesian integration. Both point estimates were obtained by 3rd order approximation (Berg & Sardh 1994).

The same set of minimal cutsets was then used as a basis for uncertainty propagation to CDF. Figure 1 shows the CDF uncertainty distribution curve from a series of ten runs with the number of Monte Carlo simulations growing from 1000 to 10000 (maximum allowed by Risk Spectrum).

As can be seen, the distribution curve becomes relatively smooth at 8000–9000 simulations. Figure 2 presents characteristic values (5th and 95th percentiles, mean and median) of the same set of distribution curves. The 5th percentile is approximately at 2,0E-05/yr, while the 95th percentile fluctuates around the values of 5,6E-05 to 5,7E-05/yr.


Table 1. Breakdown of parameters in PSA model of concern (Level 1, internal initiating events).

Parameter type | Number of par. (approximately)
1. Prob. of Failure per Demand | 90
2. Failure Rate | 60
3. TM Unavailability | 40
4. Human Error Probability | 90
5. Recovery and Phenomena | 30
6. Common Cause Factors (MGL) | 40
Total Number of Parameters: | 350


It is important to note that in an uncertainty analysis Risk Spectrum quantifies minimal cutsets using the so called "min cut upper bound approximation" (Berg & Sardh 1994), which yields somewhat higher results than the 3rd order approximation.

Table 2 presents the mean values of CDF curves obtained in a series of ten successive uncertainty propagations with 9000 Monte Carlo simulations each.

The average value taken from the ten results is 3,31E-05/yr. On the other hand, the min-cut-upper-bound approximation of CDF based on point estimates on the same set of cutsets is 3,26E-05/yr. Thus, introduction of parameters' uncertainty distributions (for, roughly, one half of the parameters' population) results in a slight shift in the CDF value. This shift is generally explainable by the effect of coupling of parameters, which is discussed in the section that follows.

3 COUPLING THE FAILURE PROBABILITY

In the Risk Spectrum code (Berg & Sardh 1994), the uncertainty propagation is based on the set of pre-generated minimal cutsets. The data for basic events and parameters included in minimal cutsets are read from the project database. In the simulation process, the top event result is calculated a specified number of times. In each of those simulations, all of the parameters are looped through. For each parameter, a value is simulated from the parameter's uncertainty distribution.

One important effect of simulating at the parameter level (rather than at the basic event level) is that parameter dependencies ("coupled failure data", "state-of-knowledge dependence") are taken into account (Berg & Sardh 1994). As noted earlier, the quantification of minimal cutsets in an individual simulation is carried out by using the "min cut upper bound approximation".

To demonstrate the impact of coupling the parameters' values in uncertainty propagation, a simple example was designed and carried out. It is based on evaluating two hypothetical redundant components A and B that appear in the minimal cutset M:

$M = A \cdot B$ (1)

It is assumed that the components have identical failure probability, i.e. $P_A = P_B = q$. Assuming, further, that basic events A and B are independent from each other (common cause failures are left out from this example), the probability of the minimal cutset M is:

(2)

In the case that no parameter uncertainty is taken into account, the probability of M is obtained by means of a point estimate, which is:

(3)


[Figure 1 (plot not reproduced): pdf of the CDF (unavailability axis from 1,61E-05 to 4,56E-05, pdf axis from 0,00E+00 to 1,00E-01) for the series of runs with 1000 to 9000 simulations.]

Figure 1. Core damage frequency distribution curve with growing number of simulations.

[Figure 2 (plot not reproduced): mean, median, 5th and 95th percentile of CDF (1,0E-05 to 6,0E-05) against the number of simulations (0 to 10000).]

Figure 2. Characteristic values of CDF distribution curves from Figure 1.

Table 2. Series of ten propagations of uncertainty to CDF-level.

Run # | CDF (/yr)
1 | 3,33E-05
2 | 3,29E-05
3 | 3,31E-05
4 | 3,32E-05
5 | 3,34E-05
6 | 3,28E-05
7 | 3,33E-05
8 | 3,34E-05
9 | 3,28E-05
10 | 3,28E-05
Average | 3,31E-05


When consideration of parameters' uncertainty is introduced, parameter q becomes a random variable (Q) subjected to a specified uncertainty distribution with mean value q. The probability of the minimal cutset $P_M$ becomes a random variable itself, whose distribution is determined by sampling the values of Q. In this example, sampling is done in two ways:

1) with "uncoupled" failure probabilities, and
2) with "coupled" failure probabilities.

In the case of uncoupled failure probabilities, the sampling is performed at the basic event level, i.e. probabilities $P_A$ and $P_B$ are random variables $P_A = Q_A$, $P_B = Q_B$, which are sampled independently. The expected value of the minimal cutset probability $P_M$ that would be obtained by this kind of sampling is:

(4)

In other words, the expected value equals the point estimate value that existed before the introduction of uncertainty considerations.

On the other hand, when coupling of failure probabilities for this example is applied, the sampling is performed at the parameter level. This means that probabilities $P_A$ and $P_B$ are represented by the same random variable Q, i.e. $P_A = P_B = Q$. The expected value of the probability of the minimal cutset, $P_M$, when this type of sampling is applied, is:

(5)

This means that the value of the minimal cutset probability, as obtained by sampling, would be higher by the value of the variance V[Q] than the value obtained from the point estimate (Eq. 3).

Assuming that random variable Q is subjected to a lognormal distribution with mean q and error factor EF, the variance V[Q] is expressed as:

(6)

where 1,645 is the 95th percentile of the standard normal distribution. The expected value of the minimal cutset probability is then equal to:

(7)

Thus, the mean value of the minimal cutset probability obtained by sampling from the coupled failure probability would be higher than the point estimate by the factor:

(8)

which increases exponentially with the squared error factor. Calculated values of factor z for error factors ranging from 1 to 6 are presented in the second column of Table 3. An appropriate example has been simulated by Risk Spectrum in order to obtain estimates of z for the same values of error factors. It consisted of two hypothetical redundant components (AND-ed together in a trivial fault tree) with an assigned coupled failure probability subjected to a lognormal distribution with mean value of 1,0E-04. For each assumed error factor value from Table 3, ten successive uncertainty analyses were performed based on 10000 Monte Carlo simulations (samplings). In each analysis a value of factor z was calculated by dividing the obtained mean value of the minimal cutset probability distribution by $q^2$ (i.e. 1,0E-08). Average values taken from the sets of ten results for each error factor from Table 3 are provided in the third column of the table.

Comparison between calculated values of z and estimates from Risk Spectrum is shown in Figure 3.

As can be seen, values obtained on the basis of the runs follow very closely the calculated values.

Risk Spectrum sampling and uncertainty propagation to $P_M$ has also been performed for the same example (two redundant components with failure probability subjected to a lognormal distribution with mean value of 1,0E-04) for the case of uncoupled failure probabilities. In this case, the expected value of z (Eq. 4 and Eq. 8) is:

(9)


Table 3. Calculated values of factor z (Eq. 8) vs. corresponding Risk Spectrum estimates (coupled failure probabilities).

EF | Calculated | Risk Spectrum
1 | 1,00 | 1,00
1,5 | 1,06 | 1,07
2 | 1,19 | 1,20
2,5 | 1,36 | 1,36
3 | 1,56 | 1,56
3,5 | 1,79 | 1,76
4 | 2,03 | 2,01
4,5 | 2,31 | 2,32
5 | 2,60 | 2,74
5,5 | 2,93 | 2,83
6 | 3,28 | 3,38


In a manner similar to the above, for each assumed error factor value ten successive uncertainty analyses were performed based on 10000 samplings. In each analysis a value of z was calculated by dividing the obtained mean value of the $P_M$ distribution by $q^2$ (i.e. 1,0E-08). Average values taken from the sets of ten results for error factors ranging from 1,5 to 5 are provided in Table 4.

As can be seen from Table 4, Risk Spectrum performs uncoupled sampling in a way that is in very good agreement with Equation 9.

Thus, coupling of parameters can have a very significant effect on the result in the case of redundant components, i.e. the case when the representative basic events appear in the same minimal cutset(s).

The coupling does not have such an effect in the case when the components appear "in series", which means that the representative basic events do not appear in the same minimal cutsets. This is particularly the case when the rare event approximation applies, which mostly is the case with PSA models. For the above example this would mean:

(10)

The point estimate of the top event probability $P_M$ is:

(11)

In the case of uncoupled sampling, the expected value of $P_M$ is:

(12)

while the expectation in the case of coupled sampling would be:

(13)

Thus, in the case of the rare event approximation, both uncoupled and coupled sampling would result in a mean value that equals the point estimate. This has also been simulated by Risk Spectrum in an example similar to the one above. It consisted of two hypothetical identical components OR-ed together in a trivial fault tree, with assigned failure probabilities subjected to a lognormal distribution with mean value of 1,0E-04. Thus, the point estimate of the assumed top event probability equaled 2,0E-04. (The second order term is negligible.)

For a set of error factor values ranging from 1.5 to 5, uncertainty analyses were performed with uncoupled as well as with coupled failure probabilities. For each error factor, in each of the two cases ten successive uncertainty runs were performed based on 10000 samplings.

Average values taken from the sets of ten results for each error factor (for the case with coupled as well as uncoupled parameters) are provided in Table 5.

As can be seen, the simulations yielded the expected results.
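The coupled versus uncoupled sampling experiments above (AND-ed redundant pair, then OR-ed pair in series), as an added stand-alone illustration that is not the paper's or Risk Spectrum's code: it computes z of Eq. (8) analytically and re-derives it by Monte Carlo with the stdlib random module. The lognormal parameterisation assumes, as in Eq. (6), that the error factor is the ratio of the 95th percentile to the median; the function names and the 50000-sample default are my choices.

```python
import math
import random

# 95th percentile of the standard normal distribution, the 1,645 in Eq. (6)
Z95 = 1.645


def lognormal_params(mean, error_factor):
    """Parameters (mu, sigma) of ln(Q) for a lognormal Q with the given mean and error factor.

    Assumption: EF = Q95 / Q50 = exp(1.645 * sigma), so sigma = ln(EF) / 1.645;
    the mean exp(mu + sigma^2 / 2) then fixes mu.
    """
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean) - sigma ** 2 / 2.0
    return mu, sigma


def analytic_z(error_factor):
    """z = E[Q^2] / q^2 = 1 + V[Q] / q^2 = exp(sigma^2): the coupled-sampling factor of Eq. (8)."""
    sigma = math.log(error_factor) / Z95
    return math.exp(sigma ** 2)


def simulate_z(mean, error_factor, n_samples, coupled, gate="AND", seed=1):
    """Monte Carlo estimate of E[P_M] divided by the point estimate of P_M for two identical components.

    coupled=True  : one random variable Q feeds both basic events (sampling at parameter level).
    coupled=False : Q_A and Q_B are drawn independently (sampling at basic event level).
    gate="AND"    : minimal cutset M = A.B, P_M = Q_A * Q_B (redundant components, Eq. 1).
    gate="OR"     : components in series, P_M = Q_A + Q_B - Q_A * Q_B (the case of Eq. 10).
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    mu, sigma = lognormal_params(mean, error_factor)
    total = 0.0
    for _ in range(n_samples):
        q_a = rng.lognormvariate(mu, sigma)
        q_b = q_a if coupled else rng.lognormvariate(mu, sigma)
        if gate == "AND":
            p_m = q_a * q_b
        else:
            p_m = q_a + q_b - q_a * q_b
        total += p_m
    sampled_mean = total / n_samples
    # point estimate with every parameter at its mean value q
    point_estimate = mean * mean if gate == "AND" else 2.0 * mean - mean * mean
    return sampled_mean / point_estimate


def coupling_table(error_factors, mean=1.0e-4, n_samples=50000):
    """Rows (EF, analytic z, AND coupled, AND uncoupled, OR coupled, OR uncoupled), mirroring Tables 3 to 5."""
    rows = []
    for ef in error_factors:
        rows.append((
            ef,
            analytic_z(ef),
            simulate_z(mean, ef, n_samples, coupled=True, gate="AND"),
            simulate_z(mean, ef, n_samples, coupled=False, gate="AND"),
            simulate_z(mean, ef, n_samples, coupled=True, gate="OR"),
            simulate_z(mean, ef, n_samples, coupled=False, gate="OR"),
        ))
    return rows


if __name__ == "__main__":
    print("EF    z(calc)  AND coupled  AND uncoupled  OR coupled  OR uncoupled")
    for ef, z, c_and, u_and, c_or, u_or in coupling_table([1.0, 1.5, 2.0, 3.0, 4.0, 5.0, 6.0]):
        print(f"{ef:<5} {z:7.2f}  {c_and:11.2f}  {u_and:13.2f}  {c_or:10.3f}  {u_or:12.3f}")
```

The sampled AND-coupled column tracks analytic z (and grows noisier at large EF, as the paper's own EF 5 to 6 rows do), while the other three columns stay at 1.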


[Figure 3 (plot not reproduced): "Calculated z vs. RS Estimate by Sampling for Coupled q"; z(EF) on the vertical axis (0,00 to 4,00) against the error factor EF (1 to 6), for the calculated z and the RS estimate.]

Figure 3. Comparison of calculated values of z vs. estimates based on Risk Spectrum simulations.

Table 4. Risk Spectrum simulations of factor z (Eq. 9) for the case of uncoupled failure probabilities.

EF | Simulation of z
1,5 | 1,000
2 | 1,000
2,5 | 1,007
3 | 0,998
3,5 | 0,995
4 | 1,003
4,5 | 1,008
5 | 1,007

Table 5. Simulation of top event probability with 2 identical components in series for coupled and uncoupled parameters.

EF | Coupled (×10^-4) | Uncoupled (×10^-4)
1,5 | 2,000 | 1,999
2 | 1,996 | 2,001
2,5 | 1,995 | 2,005
3 | 2,010 | 2,004
3,5 | 2,001 | 1,998
4 | 2,006 | 2,014
4,5 | 1,999 | 2,005
5 | 2,001 | 2,000


4 EFFECT OF MOST IMPORTANT PARAMETERS

In order to get more insight into the impact of introducing parameters' uncertainty distributions and sampling at the parameter level on the CDF result, an analysis of the importance of parameters was performed.

Parameter importance lists based on Risk Increase Factor (RIF) and Fractional Contribution (FC) were examined and a group of parameters from the top of both lists was selected (Table 6), based on the following considerations.

– The parameter must be defined with an uncertainty distribution. Parameters that appeared at the top of any list, but were otherwise represented as point estimates, were ignored.

– For convenience, the parameter's uncertainty distribution must be lognormal. This led to the exclusion from the list of only one parameter.

– The parameter must contribute to the coupling effect. This led to removing from the list some parameters that were related to single basic events (e.g. failures of the AF TDP, which is a single component of a kind).

– Retained in the list were parameters with RIF ≥ 1000 or FC ≥ 2%.

On this basis, the list of 22 influential parameters was obtained, which is presented in Table 6. To observe the impact of their uncertainty on the estimate of the mean CDF value, sensitivity cases were designed with increased values of error factors of these parameters' distributions. In a specific case, all 22 error factors were multiplied by a factor k. In the four cases analyzed, values of k were increased from 1 (i.e. nominal error factors) to 3. In all cases the mean parameters' values were left unchanged.

The results are presented in Table 7 and illustrated by Figure 4. For each case from Table 7, a series of ten uncertainty propagations, based on 9000 Monte Carlo simulations, was performed. Mean CDFs given in Table 7 represent averaged values taken from the ten results.

As can be seen, increasing the error factors in the uncertainty distributions of only a limited set of 22 parameters (out of, roughly, 190 parameters with uncertainty distributions introduced) can have a significant effect on the estimate of the CDF mean value due to the coupling effect.

5 CONCLUSIONS

In the PSA model considered, introducing uncertainty distributions for probabilities of failure per demand, failure rates and TM unavailabilities (which is approximately one half of all parameters in the PSA model) introduced only a slight shift (of the order of 1–2%) in the mean CDF value, with respect to the existing point estimate.


Table 6. Top parameters in RIF and FC lists.

No. | Parameter | Equipment | RIF | FC (%) | EF
1 | R-411 | AC Buses | 3,4E+5 | – | 10
2 | R-58 | MOVs | 3,0E+5 | – | 3
3 | R-83 | AC Buses | 3,1E+4 | – | 5
4 | Q-64 | Check Val. | 1,2E+4 | 3,0 | 3
5 | R-84 | Circ. Break. | 9,0E+3 | – | 3
6 | R-182 | CCW Pumps | 5,7E+3 | 6,5 | 2,73
7 | R-67 | MDP | 5,3E+3 | – | 10
8 | Q-114 | Spec. Valv. | 5,2E+3 | 4,1 | 1,75
9 | Q-191 | Relays | 5,0E+3 | – | 10
10 | R-180 | ESW Pumps | 4,1E+3 | 2,1 | 3,75
11 | R-141 | Relays | – | 3,7 | 10
12 | Q-55 | MOVs | 2,2E+3 | 7,9 | 1,5
13 | R-90 | DC Invert. | 1,4E+3 | – | 3
14 | Q-138 | Relays | 1,4E+3 | – | 10
15 | R-73 | DGs | – | 22,2 | 2,19
16 | Q-72 | DGs | – | 18,7 | 1,5
17 | Q-85 | Circ. Break. | – | 6,5 | 10
18 | Q-179 | ESW Pumps | – | 2,7 | 2,5
19 | Q-181 | CCW Pumps | – | 2,7 | 2,99
20 | Q-99 | Air Compr. | – | 2,4 | 3
21 | Q-165 | AFW MDP | – | 2,3 | 2,64
22 | Q-51 | AOVs | – | 2,2 | 1,31

[Figure 4 (plot not reproduced): mean CDF value (0,00E+00 to 4,50E-05) against the error factor multiplier k (1 to 3).]

Figure 4. The effect of increasing the error factors of influential parameters on mean CDF value.

Table 7. Mean CDF sensitivity cases with increased error factors of 22 parameters.

k | Mean CDF
1 | 3,31E-05
1,5 | 3,54E-05
2 | 3,69E-05
2,5 | 3,92E-05
3 | 4,21E-05


The effect of parameters' coupling can have a significant impact in the case of components appearing in the same minimal cutsets (e.g. redundant components).

The error factors of influential parameters, such as those from the top of parameter importance lists, can have a significant impact on the estimate of the mean CDF value.

REFERENCES

ASME 2002 Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME RA-S-2002, The American Society of Mechanical Engineers.

Bari, R. A., Buslik, A. J., Cho, N. Z., El-Bassioni, A., Fragola, J., Hall, R. E., Ilberg, D., Lofgren, E., O'Brien, J., Papazoglou, I. A., Samanta, P. K., Teichmann, T., Vesely, W., Unione, A. and Youngblood, R. 1985 Probabilistic Safety Analysis Procedures Guide. NUREG/CR-2815. Upton, USA: Brookhaven National Laboratory.

Berg, U. & Sardh, L. 1994 Risk Spectrum User's Manual. Relcon Teknik AB, Sundbyberg, Sweden.

Hickman, J. W., et al. 1983 PRA Procedures Guide, A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants. NUREG/CR-2300. USA: Nuclear Regulatory Commission.

IAEA 1992 Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1). Safety Series No. 50-P-4. Vienna, Austria: International Atomic Energy Agency.

Jordan Cizelj, R. & Parzer, I. 2002 Uncertainty Analysis of NEK IIE PSA Component-related Parameters, IJS-DP-8634, Institut "Jožef Stefan", Ljubljana, Slovenija.

Jordan Cizelj, R. & Vrbanic, I. 2001 Parameter Estimation of Component Reliability Models in PSA Model of Krško NPP. Nuclear Energy in Central Europe 2001, Portorož, Slovenia. Ljubljana: Nuclear Society of Slovenia.

Jordan Cizelj, R. & Vrbanic, I. 2002a Modelling Uncertainties When Estimating Component Reliability (Unpublished).

Jordan Cizelj, R. & Vrbanic, I. 2002b Transformation of Bayesian Discrete Posterior Distribution into a Continuous Distribution, International Conference "Nuclear Energy for New Europe", September 9–12, 2002, Kranjska Gora, Slovenia.

Jordan Cizelj, R., Vrbanic, I., and Mavko, B. 2002 Uncertainty Analysis of Fault Tree Parameters, International Topical Meeting on Probabilistic Safety Assessment, American Nuclear Society, October 6–9, Detroit, Michigan, USA.

US NRC 1988 NRC GL 88-20: Individual Plant Examination for Severe Accident Vulnerabilities – 10 CFR 50.54(f) With Supplements.

US NRC 1998 An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 0. Regulatory Guide 1.174.

Vrbanic, I. & Jordan Cizelj, R. 2002 Uncertainty Analysis of Component Failure Model Parameters in PSA: A Case Study. PSAM 6, San Juan, Puerto Rico, USA.

Vrbanic, I., Kaštelan, M. & Košutic, I. 2002 NEK Baseline PSA Model "NEKC18", NEK ESD TR-07/01, Revision 0.

Vrbanic, I., Košutic, I. & Jordan-Cizelj, R. 2003. Propagation of Parameters' Uncertainty from Task 1 in Baseline NEK PSA Model, NEK ESD TR-20/02 (in preparation).

Westinghouse-NEK 1994 Probabilistic Safety Assessment of Nuclear Power Plant Krško, Level 1 Report, Volumes 1–14, Westinghouse Electric Corporation – NEK.


Safety and Reliability – Bedford & van Gelder (eds)© 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Impact of river morphology on extreme flood level prediction: a probabilistic approach

S. van Vuren, M. Kok & S.J. Ouwerkerk, Delft University of Technology, Section of Hydraulic Engineering, Delft, Netherlands; HKV Consultants, Netherlands

ABSTRACT: The dike rings along the Rhine in the Netherlands have a level of protection of 1/1250 per year. The design water levels are estimated on the basis of one random variable: the river discharge. Van Vuren & Van Breen (2003) show the existence of large spatial and temporal variation in bed level position in the river Waal. In this paper the impact of river morphology on extreme flood level predictions is investigated. Therefore, the method to compute design water levels is extended with another random variable: the river morphology. The results show that the impact of river morphology on design water levels is limited. A random bed level prior to the design water level computations leads to small changes (order of 0.01–0.06 m) in design water levels. The impact of seasonal variations in the river morphology and morphological changes during the flood wave can be neglected.

1 INTRODUCTION

The Netherlands is unique in the fact that a large part of it exists solely because of the presence of dikes along the coast and rivers (TAW, 1998). Flood protection is therefore embedded in many laws, but is summarized in the Flood Protection Legislation. According to this Legislation the Netherlands is divided into 53 dike ring regions, each of which has its own level of protection. The dike rings along the Rhine branches have a level of protection of 1/1250 per year. This means that river dikes are designed for water levels with a yearly exceedance probability of 1/1250 – the design water level (DWL).

So far, the DWLs are estimated on the basis of one random variable: the design discharge. A 1D hydrodynamic model for the Dutch Rhine branches (Van der Veen, 2001) is used to compute the DWLs. A margin is applied to account for, among others, wave and wind set-up. The DWLs do not only depend on this discharge and the set-up factors. Uncertainties in the DWLs are introduced by, among others, the schematization of the hydrodynamic model and the specification of the model input (boundary conditions, initial conditions and model parameters). For example, uncertainties in the model calibration (hydraulic roughness modeling) and the geometrical river schematization (morphological state) may affect the computed DWLs. Each uncertainty source will contribute differently to the exceedance probability of the water levels. Accordingly, each uncertainty source will affect the computed DWLs differently.

In this paper we investigate the impact of river morphology in the river Waal on extreme flood level predictions. Therefore, the DWL computation method is extended. The present situation in the Waal without any additional human intervention is considered. The extended method includes the contribution of two random variables in the DWL computation: the river discharge and the river morphology. The method contains different steps. With the help of Monte Carlo simulation with a 1-D morphodynamic model, a large number of possible morphological states are simulated. These morphological states form the basis of a large number of water level computations: for each simulated morphological state, water levels are computed for a range of steady discharges. Numerical integration combines the likelihood of the simulated morphological state and the discharge levels to estimate the probability of the computed water levels. The set of outputs resulting from all computations is used to determine per location along the river a curve showing the exceedance probability of water levels. On the basis of this curve the “new” water level with a probability of occurrence of 1/1250 per year can be derived. This can be compared with the DWL that is derived with the traditional method using only one random variable: DWL0. Also, this curve can be used to estimate the “new” exceedance probability of the DWL0.


Concerning river morphology two aspects are considered:

1. The effect of variation in the morphological state prior to DWL computations.

2. The impact of morphological changes during the flood wave.

2 DESIGN WATER LEVELS AND MORPHOLOGY

2.1 Design water levels

In the Netherlands, the dike rings along the Rhine branches have a protection level of 1/1250 per year (Flood Protection Legislation, 1996). Every five years, the DWLs are revised to adapt for changes in the design discharge, in the river morphology, in the discharge distribution at bifurcation points and in the lateral discharges of tributaries.

Flood protection measures are taken on the basis of the revised DWLs. In the past the dikes were strengthened and heightened in order to protect the Netherlands from flooding. Recently, a new flood protection policy, called Room for the Rivers, has been implemented for the Dutch rivers. Measures other than dike strengthening are considered in order to increase the flood conveyance capacity of the river. Examples of such measures are lowering groynes, repositioning river dikes, establishing detention basins, lowering floodplains and removing summer dikes.

The estimation of the DWL is subject to a number of uncertainties, as shown for instance by Kok et al. (2003). Apart from statistical uncertainties, which are caused by the limited amount of observed river discharges, model uncertainties (caused by the fact that the actual probability density from which “nature generates its realisations” is unknown) can also lead to uncertainties in the design river discharges of up to 20% (Van Gelder, 2000). The DWL computation method is only stochastic in a limited sense: a design discharge with a yearly probability of 1/1250 is applied. The inclusion of more than one random variable in the DWL computation method may result in a change in the DWLs. In this paper the importance of river morphology for flood level prediction is investigated.

Van Vuren & Van Breen (2003) show the existence of large spatial and temporal variation in bed level position in the river Waal. The river’s geometrical schematization (morphological state) in the hydrodynamic model used for the DWL computation is derived on the basis of annual bathymetric soundings in the period between April and November – a series of snapshots taken at different points in time. This means that the sampling has a seasonal bias. The geometrical schematization might therefore be an arbitrary choice, as the bed level state in September can be different from the one in February.

Moreover, the riverbed can be very active in the Waal during floods. This leads to a large uncertainty range in the bed level, which affects the predicted height of the flood wave. This important role of morphological changes at high discharge conditions is encountered in many rivers. In the Yellow River, for instance, it is impossible to accurately predict the flood levels without accounting for the morphological changes during the flood (Kemink, 2002).

2.2 Morphodynamic Sobek Rhine branches model

The morphodynamic Rhine branches model (Jesse & Kroekenstoel, 2001), a 1-D Sobek model (WL, 2001), is used to simulate the morphological response and to compute the DWLs. This morphodynamic model solves the 1-D cross-sectionally integrated shallow water equations, distinguishing between the main channel, the flow conveying floodplain and the storage area. In addition the sediment transport rate and the sediment balance equations are used to determine the morphological changes.

In reality many irregularities occur in the river Waal, such as variations in geometry, in floodplain width, in floodplain vegetation type, in the presence or absence of summer dikes, flood-free areas and storage and conveying parts in the floodplains. Each irregularity acts as a generator for new bottom waves. Irregularities such as variations in river geometry, bottom groynes (Erlecom) and fixed bottom layers (Nijmegen and St. Andries) are included in the Sobek Rhine branches model. The morphological model is calibrated on the basis of bathymetric data in the period between 1987 and 1997. The model predicts for the period between 1997 and 2097 erosion in the upper part (867 km–915 km) and large-scale sedimentation in the lower part (915 km–963 km) of the Waal. Although some sedimentation is expected because maintenance dredging is not incorporated in the model, the sedimentation cannot be completely explained by the neglect of dredging. The sediment transport is likely underestimated. Therefore, in this study only the upper part of the Waal – the Waal section between Pannerdense Kop (km 886) and Tiel (km 915) – is considered.

2.3 Design flood wave

The DWLs are estimated on the basis of the design discharge that has a yearly probability of occurrence of 1/1250. The design discharge is derived with a statistical analysis on yearly peak discharges out of a range of 100 years of daily discharge measurements at Lobith, where the Rhine enters the Netherlands. This time series is homogenized to compensate for the river regulation works in Germany (canalization works and the placement of weirs). A combination of three probability distributions (a Gumbel distribution, a Pearson-III distribution and a lognormal distribution) is applied to derive the design discharge (Parmet et al., 2002).

The design discharge is revised every five years, most recently in 2001. The time series is extended with peak discharges in the period between 1992 and 1998. As a consequence of extreme discharges in 1993 (11,039 m3/s) and 1995 (11,885 m3/s) the design discharge has gone up to 16,000 m3/s. The relation between the averaged return period T and the river discharge – Q [m3/s] – at Lobith is described by:

(1)

The wave shape of the design flood wave is derived by upscaling 21 historical flood waves (Klopstra & Duits, 1999). The discharge levels of each flood wave are multiplied by the ratio design discharge/peak discharge of the flood wave. The average wave shape (Figure 2) of the resulting 21 upscaled flood waves is used for the traditional DWL computation method.

2.4 River morphology in the Waal

Van Vuren & Van Breen (2003) investigated the bed level variation in the Waal in the present situation without additional human interventions. A short summary of their findings is given in this section. The morphological response in the river Waal (Figure 3) is analysed with a 1D morphodynamic Sobek model of the Dutch Rhine branches (Jesse & Kroekenstoel, 2001). The model shows further evolution of the system without any additional human intervention.

The morphological computations are affected by various uncertainties, including uncertainties in the model schematization and uncertainties in the specification of the model input. Monte Carlo simulation is applied to quantify the uncertainties in the morphological response. Van der Klis (2003) and Van Vuren et al. (2002) showed that the relative contribution of an uncertain discharge to the uncertainty in the morphological response is one of the most relevant factors. Therefore, the effect of an uncertain river discharge on the uncertainty in the morphological response is analysed. Uncertainties introduced by the model schematization are not considered.

Figure 1. Relation between river discharge at Lobith and the averaged return period. [Plot residue: title “Relation between averaged return period and Rhine discharge at Lobith”; horizontal axis: average return period T (years), 1 to 10,000; vertical axis: Q (m3/s), 0 to 20,000.]

Figure 2. Design flood wave at Lobith. [Plot residue: title “Design flood wave at Lobith”; horizontal axis: period (days), –20 to 30; vertical axis: Q (m3/s), 2,000 to 18,000.]

Figure 3. The river Waal in the Netherlands.


Monte Carlo simulation (Hammersly and Handscomb, 1964) involves a large number of model simulations with statistically equivalent inputs. For each 1D Sobek model simulation a discharge time series of a hundred years duration is randomly generated according to the prescribed probability distribution. This distribution accounts for the seasonal dependency of the discharge and the correlation of the discharge in successive periods. On the basis of the outputs of 500 of these model simulations, the morphological response statistics (e.g. the expected value and 90% confidence band of the bed level change) are analysed.

The results show that a large variation in bed level uncertainty exists in the river Waal: in space (due to irregularities in the river geometry) and in time (due to seasonal variation in discharge).

Figure 4 shows the spatial variation of the morphological response statistics in the main channel after 100 years in January. This figure presents the mean bed level changes and the (size of the) 90% confidence interval of the bed level changes in the Waal section between the Pannerdense Kop (km 886) and Tiel (km 915). The 90% confidence interval means that with a probability of 90% the bed level changes are within this range.

Figure 4 illustrates that the irregularities in the river, such as width variation and man-made structures (such as riverbed protection), in combination with an uncertain river discharge lead to an uncertain morphological response. Each irregularity in the river acts as a generator of new bottom waves. At locations with large discontinuities, a local increase in bed level variability is observed – reflected by an increase in the 90% confidence band in the panel of Figure 4.

At Erlecom (km 873–876) submerged groynes and at Nijmegen (km 882–885) an armoured layer are present in the bend of the riverbed. These constructions are designed for navigation purposes. In the model the river bed constructions are schematized as fixed bed layers imposing a lower bound on the bed level. At both locations the morphological response after 100 years shows a bar in the riverbed and a reduction of the confidence band. The fixed layers prevent further erosion, while they lead to extra erosion and bed level variability downstream.

Figure 4 indicates the locations with large variation in the floodplain width: Hiensche waarden and Affendensche waarden (km 898–901); Ochtense Buitenpolder (km 902–906) and Willemspolder and Drutense waard (km 906–913). At these locations an increase in the size of the confidence band is noticed. E.g. a large open water area exists between km 906 and km 908 in the floodplain “Willemspolder” (Figure 5). An increase in floodplain width results in sedimentation. A decrease leads to erosion. At the transition points this results in an increase in bed level variability and hence in a larger size of the confidence band.

In Figure 6 the temporal variation at location 907.4 km in the floodplain “Willemspolder” is shown. At this location, the temporal variation in morphological response statistics is considerable. This temporal variation reflects the seasonal variation of the river discharge. At this transition from a narrow to a wide cross section (see Figure 5) sedimentation in the main channel takes place. The seasonal fluctuation of the 90%-confidence band is significant. The largest 90% confidence interval is found in the high water period. The smallest interval is found in the low water period. The 95%-percentile strongly oscillates, while the 5%-percentile is more or less constant. This can be explained by the fact that during discharges higher than the bankfull discharge bottom waves (sedimentation) are initiated in the main channel. These bottom waves migrate downstream and (partly) decay during discharges lower than the bankfull discharge. Therefore, the seasonal variation in the 5%-percentile is limited. At other locations along the river with small irregularities this temporal variation is less (or hardly noticeable).

Figure 4. Spatial variation of statistical properties of the bed level change after 100 years in the Waal section between Pannerdense Kop (km 886) and Tiel (km 915).

Figure 5. River section “Willemspolder” (km 906–908) with large variation in the floodplain width (courtesy of DON).

Van Vuren and Van Breen (2003) concluded that large-scale floodplain lowering in combination with summer dike removal leads to more bed level variability than in the present situation without any additional human interventions.

3 METHOD

3.1 Proposed methodology for DWL computation

The extended method not only includes the discharge as a random variable. It includes the “uncertain” river morphology as well. The method covers the possibility that a peak discharge in combination with a particular morphological state may result in water levels that are higher or lower than the DWLs derived with the traditional computation method. The extended method involves the following steps (Figure 7):

1. With the help of Monte Carlo simulation with the 1-D morphodynamic Sobek model for the Rhine branches, a large number of morphological states are simulated (similar to section 2.4). In this study 500 morphological simulations are performed.

2. The simulated morphological states form the basis of a large number of water level computations with the 1-D morphodynamic Sobek Rhine branches model. For each simulated state, water levels are computed for a range of steady discharges between 13,000 m3/s and 20,000 m3/s, with a discretisation step of 500 m3/s. This results in 15 water level computations per simulated morphological state:

(2)

3. Numerical integration combines the probability of the two random variables. The likelihood of the simulated morphological state and the discharge levels is combined to estimate the probability of the computed water levels. The probability of each simulated morphological state is the same:

(3)

in which N is the number of morphological simulations with the Sobek Rhine branches model (in the Monte Carlo simulation). The probability of the discharge level Qi is derived with the help of formula (1):

(4)

Figure 6. Temporal variation of statistical properties of the bed level change in the Waal at location 907.4 km in the Willemspolder.

[Figure 7, flowchart recovered as text. Model input; j = 1. Loop 1 (while j ≤ N): randomly generate a discharge time series of T years duration according to the prescribed probability distribution → numerical simulation with the 1-D morphodynamic Sobek Rhine branches model → model output: morphological state j at T. Then i = 0 and loop 2 (while i < 15): model input: discharge Qi = 13,000 + i · 500 → numerical simulation with the 1-D morphodynamic Sobek Rhine branches model → model output: water levels along the river Rhine → storage of outputs: water levels (x, j, i), with x = river location, j = simulated morphological state, i = discharge level; i = i + 1. After loop 2, j = j + 1; when j > N: stop.]

Figure 7. Design water levels: computation method with the random variables: discharge and bed level.


The multiplication of the probability of the simulated morphological state j and the probability of the discharge level Qi leads to the combined probability of the water level computation:

(5)

Equation (5) holds since the morphological state j is considered independent of the discharge i.

4. The set of outputs resulting from all computations is used to determine per river location a curve showing the exceedance probability of water levels.

On the basis of the exceedance probability curve the “new” water level with a yearly probability of occurrence of 1/1250 can be derived. This can be compared with the DWL that is derived with the traditional method using only one random variable: DWL0. Also, this curve can be used to estimate the “new” exceedance probability of the DWL0.
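The four steps above, together with the Monte Carlo response statistics of section 2.4, as an added worked example in Python. This is illustrative code written for this edition, not the authors' model or data: the 1-D Sobek morphodynamic model is replaced by an assumed normal distribution of bed level changes and an assumed stage-discharge power law at a single location, the return-period relation of formula (1) by an assumed Gumbel distribution, and formulas (2)–(5), which are not reproduced on the page, by the readings stated in the docstrings. The discharge grid (13,000–20,000 m3/s in 15 steps of 500 m3/s), the equal weight 1/N per morphological state, the independence of state and discharge, and the 1/1250 target follow the text.

```python
"""Extended DWL computation: discharge Q and morphological state j as random
variables, combined by numerical integration into an exceedance curve.
Added example; every input below is a constructed stand-in, not the paper's data."""
import math
import random

Q_STEP = 500.0                                          # discretisation step [m3/s]
Q_LEVELS = [13_000.0 + Q_STEP * i for i in range(15)]   # 13,000 .. 20,000 m3/s
Q_DESIGN = 16_000.0                                     # design discharge at Lobith
T_DESIGN = 1250.0                                       # protection level: 1/1250 per year
GUMBEL_SCALE = 1300.0                                   # assumed scale parameter [m3/s]
# assumed location parameter, fixed so that T(Q_DESIGN) = 1250 years exactly
GUMBEL_LOC = Q_DESIGN + GUMBEL_SCALE * math.log(-math.log(1.0 - 1.0 / T_DESIGN))

def exceedance_prob_q(q):
    """Yearly probability that the peak discharge exceeds q, i.e. 1/T(q).
    Stand-in for the paper's formula (1): an assumed Gumbel distribution."""
    return 1.0 - math.exp(-math.exp(-(q - GUMBEL_LOC) / GUMBEL_SCALE))

def discharge_level_probability(i):
    """P(Q_i) for grid level i (assumed reading of formula (4)): the mass of the
    bin [Q_i - step/2, Q_i + step/2); the top bin takes the whole upper tail."""
    q = Q_LEVELS[i]
    below = exceedance_prob_q(q - Q_STEP / 2)
    above = 0.0 if i == len(Q_LEVELS) - 1 else exceedance_prob_q(q + Q_STEP / 2)
    return below - above

def simulate_bed_level_changes(n_states, trend=-0.20, spread=0.15, seed=1):
    """Step 1 stand-in: one bed level change [m] per simulated morphological state
    at one location. The paper runs a 1-D morphodynamic model 500 times; here an
    assumed normal distribution with a negative (erosion) trend replaces it."""
    rng = random.Random(seed)
    return [rng.gauss(trend, spread) for _ in range(n_states)]

def response_statistics(bed_changes):
    """Section 2.4 statistics: mean and 90% confidence band (5% and 95% percentiles)."""
    s = sorted(bed_changes)
    n = len(s)
    return sum(s) / n, s[int(0.05 * (n - 1))], s[int(0.95 * (n - 1))]

def water_level(bed_change, q, z_ref=9.0, sensitivity=0.3, k=0.0015):
    """Assumed stage-discharge relation at one location [m above datum]: a power
    law in Q plus a fraction of the bed level change (stand-in for the 1-D model)."""
    return z_ref + sensitivity * bed_change + k * q ** 0.85

def combined_outcomes(bed_changes):
    """Steps 2-3: each (state j, level i) pair gives a water level with probability
    P(j) * P(Q_i), P(j) = 1/N (formulas (3) and (5); independence assumed)."""
    n = len(bed_changes)
    return [(water_level(dz, q), discharge_level_probability(i) / n)
            for dz in bed_changes for i, q in enumerate(Q_LEVELS)]

def exceedance_curve(outcomes):
    """Step 4: P(H > h) for each computed level, sorted from high to low. Equal
    levels are merged; a level stands for the centre of its discharge bin, so
    half of its own mass is counted as lying above it (midpoint convention)."""
    mass = {}
    for h, p in outcomes:
        mass[h] = mass.get(h, 0.0) + p
    curve, cum = [], 0.0
    for h in sorted(mass, reverse=True):
        curve.append((h, cum + 0.5 * mass[h]))
        cum += mass[h]
    return curve

def level_at_probability(curve, target):
    """'New' DWL: the level whose yearly exceedance probability equals target
    (log-linear interpolation between neighbouring points of the curve)."""
    for (h_hi, p_hi), (h_lo, p_lo) in zip(curve, curve[1:]):
        if p_hi <= target <= p_lo:
            w = (math.log(target) - math.log(p_hi)) / (math.log(p_lo) - math.log(p_hi))
            return h_hi + w * (h_lo - h_hi)
    raise ValueError("target probability lies outside the computed curve")

def probability_of_level(curve, h0):
    """'New' yearly exceedance probability of a given level such as DWL0."""
    if h0 > curve[0][0]:
        return 0.0                       # above every computed level
    for (h_hi, p_hi), (h_lo, p_lo) in zip(curve, curve[1:]):
        if h_lo <= h0 <= h_hi:
            w = (h_hi - h0) / (h_hi - h_lo)
            return math.exp(math.log(p_hi) + w * (math.log(p_lo) - math.log(p_hi)))
    return curve[-1][1]                  # below every computed level

def compare_with_traditional(n_states=500):
    """Returns (DWL0, DWL_new, 'new' yearly exceedance probability of DWL0)."""
    bed = simulate_bed_level_changes(n_states)
    dwl0 = water_level(0.0, Q_DESIGN)    # traditional method: one random variable
    curve = exceedance_curve(combined_outcomes(bed))
    return dwl0, level_at_probability(curve, 1.0 / T_DESIGN), probability_of_level(curve, dwl0)

if __name__ == "__main__":
    d0, dn, pn = compare_with_traditional()
    print(f"DWL0 = {d0:.3f} m, DWL_new = {dn:.3f} m, P(H > DWL0) = 1/{1 / pn:.0f} per year")
```

With a single morphological state the curve is a staircase, one step per 500 m3/s discharge bin, which is why the block merges equal levels and credits each computed level with half of its own bin: without that convention the recovered DWL for an unchanged bed would sit a quarter of a bin (several centimetres) above the traditional DWL0 purely through discretisation, an error of the same size as the effect being measured. With 500 distinct states the staircases of the individual states are averaged out.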

3.2 Cases

Three cases are considered to analyse the impact of river morphology on extreme flood level prediction.

In Case 1 “Long-term variation in morphology” the impact of stochastic morphological changes over a longer period – years – is considered. The model scheme in Figure 7 is run through for different points in time T:

in which t0 is the starting point of the morphological simulation and ΔT is a period of 5 years. The morphological changes during floods are not included. The simulated bed level state at time T is held fixed during the water level computations.

In Case 2 “Seasonal variation in morphology” the impact of seasonal variation in the morphological state prior to the water level computation is considered. The model scheme in Figure 7 is run through for different points in time T:

in which t0 is the starting point of the morphological simulation and ΔT is a period of 1 month. Similar to Case 1, the morphological changes at high water conditions are not considered.

Case 3 “Morphology during floods” is similar to Case 1. The morphological changes during flood circumstances are considered in this case. The simulated bed level state at time T is not held fixed during the water level computations, but morphodynamic changes at high water conditions are included.

4 RESULTS

For the three cases the model scheme in Figure 7 is used. For each case this resulted, per future moment, in a set of computed water levels and corresponding probabilities. These are used to derive a curve showing the exceedance probability of water levels per river location, see for example Figure 8.

The DWL0 in this curve represents the design water level at time t0 that is derived with the traditional method using only one random variable. The curve is used to derive the “new” water level with a yearly exceedance probability of 1/1250 and the “new” exceedance probability of the DWL0. In Figure 8 it is shown that the DWL (at location 892.3 at time t0 + 2·ΔT) will decrease by 0.06 m. The exceedance probability of the DWL0 decreases from 1/1250 to 1/1450.

4.1 Case 1: “Long-term variation in morphology”

The results of Case 1 (Figure 9 and Figure 10) show us that the influence of a random bed level on the DWL is not high. This is partly the result of a negative trend in the bed level: it is expected that in the future the bed level will be lower than in the current situation (Figure 11). This trend has a positive impact on the DWL: these water levels will also be lower. The uncertainty in the bed level can, however, increase the DWL. In the calculations we combine these two effects.

Figures 9 and 10 show that the influence of the random bed level results in higher safety, but this depends on the location along the river. The maximum change is 0.08 m, and this influence is not very large.

Figure 12 shows the DWLnew derived with the extended method and some DWL computations derived with the traditional method (using only one random variable, the design discharge) for single simulated morphological states at time t0 + 3·ΔT. The figure illustrates that each simulated morphological state results in slightly different DWLs. The difference depends on the location along the river and is in the order of 0.01 m.

Figure 8. Exceedance probability of water levels at location 892.3 km at time t0 + 2·ΔT for Case 1.

4.2 Case 2 “Seasonal variation in morphology”

Figure 13 shows the impact of seasonal variation in morphology on DWL computations. The figure illustrates that the impact of seasonal variation in morphology is small: in the order of less than 0.01 m. It seems that the seasonal bias in the morphological river state does affect the DWL computation.

4.3 Case 3 “Morphology during floods”

The morphological changes during floods have little impact on DWL computations. Figure 14 shows the difference between the computed DWL levels if morphological changes during floods are neglected and if they are considered in the DWL computation. Considering morphological changes at high water conditions results in slightly higher DWLs – in the order of less than 0.01 m.

Figure 9. Impact of morphology on DWL levels along the river Waal: change in DWL level with respect to DWL0.

Figure 10. Impact of morphology on exceedance probability of the DWL0 levels along the Waal.

Figure 11. Spatial variation of the statistical properties of the morphological response in the Waal at time t0 + ΔT and t0 + 4·ΔT.

Figure 12. Impact of morphology on DWL levels along the river Waal: change in DWLnew levels and DWL levels of single morphological simulations with respect to DWL0.

5 CONCLUSIONS

In this paper the traditional DWL computation method is extended. The extended method includes the contribution of a second random variable: the river morphology. The impact of a random bed level on the DWL is not high. The large spatial and temporal variation in the bed level position, investigated in Van Vuren & Van Breen (2003), depends very much on the location along the river. The contribution of the uncertainty in these local bed level patterns to DWLs is reflected smoothly. The large-scale negative trend in the bed level has more impact on extreme flood levels. This paper shows that:

– Each morphological state prior to DWL computations results in DWLs that differ in the order of 0.01–0.06 m.

– Over a longer period – years – a negative trend in the bed level in the Waal section between Pannerdense Kop (km 886) and Tiel (km 915) has a positive impact on the DWLs in this section. The DWLs will decrease.

– The impact of seasonal variation in the morphology can be neglected. In the traditional DWL computation method the geometrical river schematization is derived on the basis of annual bathymetric soundings. These soundings have a seasonal bias. However, this will hardly affect the DWL computations.

– The impact of the morphological changes during floods on DWL computations is hardly noticeable.

In this paper we investigated the impact of one random variable (the variability of the discharge) on the bed level. Other random variables such as the uncertainty in the morphological process equations and the influence of the bed level might also be important. We recommend investigating these influences on the variability of the bed level and the resulting consequences for the DWLs.

ACKNOWLEDGEMENT

This paper is embedded in the project “Stochastic modeling of low-land river morphology”, no. DCB 5302, funded by the Foundation for Technical Sciences (STW). The authors wish to acknowledge the Institute for inland water management and waste-water management (RIZA) for the permission to use the Rhine branches model. They also would like to thank Professor Huib de Vriend of Delft University of Technology for his valuable input in this project.

REFERENCES

Hammersly, J.M. & Handscomb, D.C., 1964. Monte Carlo Methods. Methuen & Co Ltd., London.

Jesse, P. & Kroekenstoel, D.F., 2001. 1-D Morphodynamic Rhine branches model. RIZA report 2001.040. ISBN 9036953952 (in Dutch: “1-D Morfologisch model Rijntakken”).

Figure 13. Impact of seasonal variation in morphology on DWL computations: each line represents the change in DWL with respect to DWL0 in one month after 5 years.

Figure 14. Impact of morphological changes during flood circumstances: difference between DWL levels if morphological changes during floods are neglected and considered.

Kemink, 2002. Flood management in the lower reach of the Yellow River. MSc thesis. Delft University of Technology, Civil Engineering, Section Hydraulic Engineering.

Klopstra, D. & Duits, M.T., 1999. Methodiek voor vaststelling van de vorm van de maatgevende afvoergolf van de Maas bij Borgharen. HKV Consultants, commissioned by WL|Delft Hydraulics and Rijkswaterstaat RIZA. Lelystad, March 1999.

Kok, M., Stijnen, J.W. & Silva, W., 2003. Uncertainty Analysis of river flood defense design in the Netherlands. ESREL 2003.

Parmet, B.W.A.H., Van de Langemheen, W., Chbab, E.H., Kwadijk, J.C.J., Diermanse, F.L.M. & Klopstra, D., 2001. Design discharge of the Rhine at Lobith. Report 2002.012. ISBN 9036954347 (in Dutch: “Analyse van de maatgevende afvoer van de Rijn te Lobith”).

TAW – Technical Advisory Committee on Water Defences in The Netherlands, 1998. Fundamentals on Water Defences. English translation of the Dutch Guidelines “Grondlagen voor Waterkeren”.

Van der Klis, H., 2003. Stochastic morphology. PhD thesis, Delft University of Technology, Civil Engineering, Section Hydraulic Engineering.

Van Gelder, P.H.A.J.M., 2000. Statistical Methods for the Risk-Based Design of Civil Structures, PhD thesis (249 pp), Delft University of Technology, ISBN 90-9013452-3.

Van Vuren, S. & Van Breen, L.E., 2003. Morphological impact of floodplain lowering along a low-land river: a probabilistic approach. XXX IAHR Congress “Water engineering and research in a learning society: Modern Developments and Traditional Concepts”, Thessaloniki, Greece, 24–29 August 2003.

Van Vuren, S., Van der Klis, H. & De Vriend, H., 2002. Large-scale floodplain lowering along the River Waal: a stochastic prediction of morphological impacts. In: River Flow 2002 – Volume 2, edited by D. Bousmar and Y. Zech. A.A. Balkema Publishers. ISBN 905809 516 9. pp. 903–912.

WL, 2001. Sobek River Estuary, User manual. Technical report. WL | Delft Hydraulics.


Safety and Reliability – Bedford & van Gelder (eds)© 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Efficiency and accuracy of Monte Carlo (importance) sampling

P.H. Waarts, TNO, The Netherlands

ABSTRACT: Monte Carlo analysis is often regarded as the simplest and most accurate reliability method. Besides, it is the most transparent method. The only problem is the accuracy in relation to the efficiency. Monte Carlo gets less efficient or less accurate when very low probabilities are to be computed in combination with limit state functions that use a lot of computational time. The efficiency of Monte Carlo simulations can be improved by means of importance sampling. This however requires pre-information on the state function that may affect the accuracy. Several Monte Carlo simulation methods are compared with respect to efficiency and accuracy: Crude Monte Carlo, Importance Sampling, Increased Variance Sampling, and Directional Sampling. Furthermore a comparison is made with a special kind of response surface method.

1 BASIC FORMULATION OF THE RELIABILITY PROBLEM AND REQUIRED ACCURACY

A reliability problem is defined by a limit state function g(x) and a set of n random variables x. Failure is defined by the event g(x) ≤ 0. The equality g(x) = 0 is called the limit state equation; the corresponding surface is called the failure surface. The failure probability can be formally expressed as:

(1)

fX(x) is the joint probability density function of x.

The primary purpose of reliability methods is to evaluate integral (1).

How accurate the calculation of this reliability index should be is debatable. In Waarts (2000) V(β) = 0.05 is chosen as the limit for a sufficiently accurate result. The reliability index β is defined as:

(2)

In this paper the number of samples that are needed by the reliability methods to meet this accuracy will be used as a measure for the efficiency.

In this paper the methods will be compared using standard normally distributed variables. Each set of n basic random variables (x-space) can namely be transformed into a set of m (m ≤ n) independent standard normal variables (u-space). The (dependent) basic random variables are first remodelled into standard normal variables by equating the cumulative distribution functions for the basic random variable and the standard normal variable:

(3)

Φ( ) is the standard normal distribution function. Correlated variables may have to be transformed into non-correlated variables. There are several methods for the transformation of correlated variables into uncorrelated variables. The Rosenblatt transformation (Rosenblatt 1952) is the most used. Other transformation methods are proposed in Nataf (1962) and Johnson (1972).

2 STANDARD MONTE CARLO TECHNIQUES

2.1 Crude Monte Carlo sampling

Well-known and straightforward Monte Carlo (MC) sampling techniques (Rubinstein 1981) are known to be accurate. Errors can only be caused by a too low number of simulations in MC.

The Monte Carlo technique consists of sampling random x-values from their distributions f(x) and calculating the relative number of simulations for which g(x) ≤ 0:

(4)


where N is the total number of simulations; Nf the number of simulations in the failed state (g(x) ≤ 0); I(g(x)) = 1 if g(x) ≤ 0 and I(g(x)) = 0 if g(x) > 0.

The minimum required number of samples in Monte Carlo sampling, given a target for V(Pf), can be calculated from (Vrouwenvelder 1994):

(5)

For β = 4, the coefficient of variation of the reliability index V(β) = 0.05 can be translated into the coefficient of variation of the probability of failure estimate V(Pf) = 0.57. The number of samples is then equal to N = 3/Pf, i.e. N ≈ 3·10^4.

The number of samples depends on the probability of failure and is independent of the number of random variables. The lower the probability of failure, the more samples have to be used.

2.2 Crude directional sampling

Deák (1980) first suggested the method of transforming the normal coordinates (u-space) into polar coordinates. The basic idea is to remodel the basic variables u into polar coordinates (λ, κ). The unit vector κ defines the direction and a scalar quantity λ defines the length of the vector in u-space. Equation (1) is altered into:

(6)

where f(κ) is the (constant) density on the unit sphere. For each direction κi the value of λi is determined for which the limit state function equals zero:

(7)

In other words λi is a measure of the distance from the origin to the limit state in the direction defined by the vector κi. The factor λi is found via an iteration procedure and requires several Limit State Function Evaluations (LSFE). An estimate of the probability of failure Pf can be obtained by performing N directional Monte Carlo simulations of the κ-vector. Every simulation results in a sample value Pi:

(8)

where χ²(..) is the chi-squared distribution function; n is the number of random variables in the limit state function.

An estimate for the probability of failure is calculated as the mean value of the sample values Pi:

(9)

An estimate of the standard deviation is given by Ditlevsen (1988):

(10)

When the number of samples N is sufficiently large, the estimator for Pf is assumed to be normally distributed. The confidence intervals of the probability of failure are calculated from:

(11)

According to Ditlevsen (1988), the probability of failure lies between the confidence limits with a probability approximately equal to 1 − 2Φ(−k).

Figure 2 shows the required number of samples N for a coefficient of variation V(β) = 0.05, for reliability indices β = 2, 3 and 4. This required number of samples is calculated as the mean of 50 numerical experiments on a linear limit state function g, where all (standard normal) variables ui have equal importance:

(12)

[Figure 1: required number of samples N (0 to 9000) plotted against the number of variables n (0 to 80); curves labelled β = 5 (N = 110 n), β = 4 (N = 48 n), β = 3 and β = 2.]

Figure 1. Required number of samples N before the estimator is sufficiently close to the criterion.

[Figure 2: number of samples (10 to 10^6, logarithmic scale) plotted against the number of variables (0 to 120); curves for MC and DS at β = 2, 3 and 4, and a curve labelled NI. MC = Monte Carlo sampling, DS = Directional sampling.]

Figure 2. Required numbers of samples, all variables have equal importance in the limit state function (eq. 9).

The number of necessary samples N increases with the number of variables n in the limit state function and with increasing β.

2.3 Comparison of the efficiency of the crude MC and directional sampling

Figure 2 shows the required number of samples for the level III standard reliability methods. The number of samples (under the constraint V(β) = 0.05) is shown for MC and DS. The directional sampling procedure converges to an increase of samples linear in the number of variables. For β = 4, the required number of samples for directional sampling approximates N = 160 n. For β = 4 and 100 random variables Monte Carlo simulation requires 10^5 samples, where directional sampling requires 1.6·10^4 samples. Bear in mind that Monte Carlo simulation uses one Limit State Function Evaluation (LSFE) per sample, where directional sampling uses approximately 4 LSFE per sample (because of the iteration). The difference is therefore approximately a factor 2 in the number of LSFE. The advantage of directional sampling grows as fewer random variables are used in the limit state function.

It is concluded that for problems with fewer than 100 random variables, directional sampling performs best. Monte Carlo simulation becomes appropriate only for high-dimensional (n > 100) problems.
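As an added illustration of sections 2.2 and 2.3 (example code written for this edition, not from Waarts' paper or the DARS software), the following Python implements crude directional sampling on a linear limit state of the eq. (12) form and counts the LSFE it spends, which is the cost measure the comparison above uses. The bisection used to find λi (costlier than the roughly 4 LSFE per direction quoted above), the sample size, the tolerance values and the Python function names are assumptions; eqs. (8) to (10) are implemented as the text describes them.

```python
import math
import random


def g_linear(u, beta=2.0):
    """Linear limit state in the form of eq. (12): every standard normal
    variable has equal importance, so the exact Pf is Phi(-beta)."""
    return beta - sum(u) / math.sqrt(len(u))


def _gamma_p(a, x, eps=1e-12, itmax=300):
    """Regularised lower incomplete gamma function P(a, x): power series for
    x < a + 1, otherwise 1 - Q(a, x) with Q from a Lentz continued fraction."""
    if x <= 0.0:
        return 0.0
    lg = math.lgamma(a)
    if x < a + 1.0:
        ap, term = a, 1.0 / a
        total = term
        for _ in range(itmax):
            ap += 1.0
            term *= x / ap
            total += term
            if abs(term) < abs(total) * eps:
                break
        return total * math.exp(-x + a * math.log(x) - lg)
    tiny = 1e-300
    b = x + 1.0 - a
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, itmax + 1):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return 1.0 - math.exp(-x + a * math.log(x) - lg) * h


def chi2_sf(n, x):
    """1 - chi2_n(x): probability that a chi-squared variable with n degrees
    of freedom exceeds x; with x = lambda_i^2 this is the P_i of eq. (8)."""
    return 1.0 - _gamma_p(n / 2.0, x / 2.0)


def directional_sampling(g, n, n_dirs, seed=0, lam_max=12.0, tol=1e-4):
    """Crude directional sampling (section 2.2).  Each sample draws a unit
    vector kappa, uniform on the sphere, finds the distance lambda_i to the
    limit state along it by bisection (several LSFE per direction) and scores
    P_i = 1 - chi2_n(lambda_i^2).  Assumes g(0) > 0 (origin in the safe
    domain; the situation of Figure 8b is rejected).  Returns the estimate of
    eq. (9), its standard deviation as in eq. (10), and the number of LSFE."""
    rng = random.Random(seed)
    lsfe = 0

    def g_counted(u):
        nonlocal lsfe
        lsfe += 1
        return g(u)

    if g_counted([0.0] * n) <= 0.0:
        raise ValueError("origin lies in the failure domain; not supported")
    samples = []
    for _ in range(n_dirs):
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        norm = math.sqrt(sum(x * x for x in v))
        kappa = [x / norm for x in v]            # uniform direction on the sphere
        if g_counted([lam_max * k for k in kappa]) > 0.0:
            samples.append(0.0)                  # still safe at lam_max: P_i ~ 0
            continue
        lo, hi = 0.0, lam_max                    # g(lo) > 0 >= g(hi)
        while hi - lo > tol:
            mid = 0.5 * (lo + hi)
            if g_counted([mid * k for k in kappa]) > 0.0:
                lo = mid
            else:
                hi = mid
        lam = 0.5 * (lo + hi)
        samples.append(chi2_sf(n, lam * lam))
    pf = sum(samples) / n_dirs
    var = sum((p - pf) ** 2 for p in samples) / (n_dirs * (n_dirs - 1))
    return pf, math.sqrt(var), lsfe


if __name__ == "__main__":
    exact = 0.5 * math.erfc(2.0 / math.sqrt(2.0))     # Phi(-2) for beta = 2
    pf, sd, calls = directional_sampling(g_linear, 3, 2000, seed=1)
    print(f"Pf = {pf:.5f} +/- {sd:.5f} (exact {exact:.5f}); LSFE = {calls}, "
          f"i.e. {calls / 2000:.1f} per direction")
```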

3 IMPORTANCE SAMPLING

3.1 Monte Carlo importance sampling

The Monte Carlo procedure can be speeded up by means of importance sampling. A sampling density h(x) is used instead of the actual probability density function f(x). For Monte Carlo importance sampling the probability of failure is calculated by:

(13)

In practice, importance sampling usually means that the sampling is concentrated in the area with a high likelihood of failure (see left part of Figure 3, where the dotted line equals the original distribution f(x) and the solid line the sample distribution h(x)). The problem is that prior knowledge is needed of the failure area, which in most cases is not available. A reliable procedure, for cases where no prior knowledge exists on the influence of variables on the limit state function, is to increase the variance of all variables to σh (see right part of Figure 3): Increased Variance sampling (IV).

The number of samples is calculated here by means of numerical experiments on limit state function (12).

A normal distribution with σh ≥ 1 is used as the importance sampling density h(x). Figure 4 shows the required number of samples as a function of the number of variables n and the importance sampling standard deviation σh. The situation with σh = 1 is equal to crude Monte Carlo sampling (without importance sampling). The required number of samples for this case is in line with equation (5). Figure 4 shows that a small increase of σh results in a considerable decrease of the required number of samples. It shows furthermore that the required number of samples increases with the number of variables.

The optimal importance sampling strategy (σh) depends on the number of variables. On the basis of the simulation results, an empirical relation has been derived. The optimal σh is approximately equal to:

(14)

Figure 4 shows that for this optimal σh in relation with the number of variables n, the number of samples equals approximately N = 300 n. This means that the proposed Monte Carlo importance sampling requires more samples than crude directional sampling (Figure 2). Directional sampling uses approximately 4 LSFE per sample, where Monte Carlo simulation uses only one LSFE per sample. A disadvantage, however, is that an estimate of the reliability index β has to be known beforehand in order to choose an optimal σh. The number of samples can be higher than without importance sampling when a non-optimal σh is chosen.

[Figure 3: two sketches in the (u1, u2) plane with the limit state function (LSF) g(x); left, standard importance sampling with the original density f(x) and the sampling density h(x) moved towards the limit state; right, increased variance sampling with a widened h(x).]

Figure 3. Importance sampling.

[Figure 4: number of samples (100 to 10^6, logarithmic scale) plotted against the number of variables n (1 to 100, logarithmic scale); curves for σh = 1, 1.25, 1.5, 2, 3 and 4.]

Figure 4. Required number of samples by Monte Carlo Increased Variance sampling (IV), all variables have equal importance to the limit state function (eq. (12), β = 4).

It can be observed from Figure 4 that a slight deviation in σh easily leads to a factor 2 increase of the required number of samples N. For example, for DS NLSFE = 160 n × 4 = 640 n, and for MCIV 300 n × 2 = 600 n.

It is therefore expected that Monte Carlo importance sampling and crude directional sampling are approximately equally efficient.
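Added example for sections 2.1 and 3.1 (Python written for this edition, not the author's code and not the COMREL or STRUREL implementations): crude Monte Carlo of eq. (4) and Increased Variance sampling of eq. (13) share one loop, because with σh = 1 every weight f(x)/h(x) equals 1, which is the statement above that σh = 1 is crude Monte Carlo. The sample-count relation used for eq. (5), the binomial form V(Pf) = sqrt((1 − Pf)/(N·Pf)), is an assumption that reproduces the paper's N = 3/Pf for V(Pf) = 0.57; the limit state, seeds and sample sizes are constructed.

```python
import math
import random


def g_linear(u, beta=3.0):
    """Linear limit state in the form of eq. (12): every standard normal
    variable has equal importance, so the exact Pf is Phi(-beta)."""
    return beta - sum(u) / math.sqrt(len(u))


def phi_cdf(x):
    """Standard normal distribution function Phi(x)."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def required_samples_mc(pf, v_pf):
    """Crude Monte Carlo sample size for a target V(Pf).  Assumed form of
    eq. (5): Nf/N is a binomial estimate, so V(Pf) = sqrt((1 - Pf)/(N Pf));
    for V(Pf) = 0.57 this gives the paper's N = 3/Pf."""
    return math.ceil((1.0 - pf) / (v_pf * v_pf * pf))


def increased_variance_sampling(g, n, n_samples, sigma_h=1.0, seed=0):
    """Eq. (13) with the sampling density h(x) = N(0, sigma_h^2) in every
    u-space coordinate (Increased Variance sampling, section 3.1).  With
    sigma_h = 1, h equals f, every weight is 1 and the loop is the crude
    Monte Carlo estimator of eq. (4).  Returns (Pf estimate, V(Pf))."""
    rng = random.Random(seed)
    w_sum = 0.0      # sum of the weights f/h over failed samples
    w_sq_sum = 0.0   # sum of squared weights, for the variance estimate
    for _ in range(n_samples):
        u = [rng.gauss(0.0, sigma_h) for _ in range(n)]    # x drawn from h
        if g(u) <= 0.0:                                    # I(g(x)) = 1
            # f(x)/h(x) for independent coordinates: per coordinate
            # sigma_h * exp(-x^2 (1 - 1/sigma_h^2) / 2)
            w = 1.0
            for x in u:
                w *= sigma_h * math.exp(-0.5 * x * x * (1.0 - 1.0 / sigma_h ** 2))
            w_sum += w
            w_sq_sum += w * w
    pf = w_sum / n_samples
    if pf <= 0.0:
        return 0.0, float("inf")    # no failure sampled: the estimate is useless
    var_mean = (w_sq_sum / n_samples - pf * pf) / n_samples
    return pf, math.sqrt(max(var_mean, 0.0)) / pf


if __name__ == "__main__":
    n, beta = 2, 3.0
    exact = phi_cdf(-beta)
    print(f"exact Pf = {exact:.5f}; crude MC needs N = "
          f"{required_samples_mc(exact, 0.57)} for V(Pf) = 0.57")
    for sigma_h in (1.0, 1.25, 1.5, 2.0, 3.0):
        pf, cov = increased_variance_sampling(
            lambda u: g_linear(u, beta), n, 20000, sigma_h, seed=7)
        print(f"sigma_h = {sigma_h:<4}  Pf = {pf:.5f}  V(Pf) = {cov:.3f}")
```

For this two-variable case a widened σh lowers V(Pf) at the same sample count, while for larger n the weights spread out and the gain shrinks, which is the dependence of the optimal σh on n that Figure 4 reports.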

3.2 Directional importance sampling

For directional sampling, basically, sampling in u-space is replaced by sampling in a limited number of directions. Equation (8) is rewritten as:

(15)

h(κ) is the importance sampling density of the vector κ. An estimate of the probability of failure is calculated from sample values:

(16)

(17)

The distribution f(κ) is a uniform density. The density h(κ) can be computed numerically. The computation of f(κ)/h(κ) requires considerable computational effort. Performing this operation for high n is therefore discouraged.

Several authors have suggested methods for importance sampling in combination with directional sampling (Bjerager 1988, Ditlevsen 1988 and 1990, and Kijawatworawet 1992). All methods require prior knowledge on the influence of variables on the limit state function. In general, in structural reliability, there is little prior knowledge on the influence of variables on the limit state function. Even little knowledge may however speed up the computations considerably. In general there are five methods of importance sampling:

– Decrease variance of unimportant variables.
– Truncate distribution function of variables with known importance to the limit state function.
– Apply weighting functions.
– Skip unimportant variables.
– Shift variables.

3.2.1 Decrease the variance of unimportant variables

Decreasing the variance of non-dominating variables can be performed in combination with a shift of the mean value. This procedure should help to direct more samples to important directions. This requires that non-dominating variables are known beforehand, or are recognized by the procedure itself. Choosing a variable to be non-dominant where in fact it is dominant leads to an erroneous result. The procedure can therefore only be generally accurate when a possibly incorrect choice of non-dominating variables is recognized and adjusted. Figure 5 shows an example with two standard normal variables. An importance sampling density h(κ) is used instead of the original sampling density f(κ). The importance density is based on a reduced variance of variable u1, which is totally unimportant to the limit state function.

Figure 6 shows the results (required number of samples) of an example with two standard normal variables u1 and u2, using a limit state function g = 4 − u1. Variable u2 is totally unimportant to the limit state function. Here, a required accuracy of V(β) = 0.005 is used instead of V(β) = 0.05, because V(β) = 0.05 would give a number of samples which is too low to show the influence of decreasing the variance.

3.3 Truncate the variable distribution

Truncating might be useful when it is known that only the positive side of the distribution is of importance to the limit state function. In most cases the important direction of only a part of the variables is known. It can be shown that the number of samples approximately reduces by a factor 2 for each truncated variable. Given 10 truncated variables, the reduction is at most a factor 2^10 = 1024. The correct result can even be found if an incorrect truncation is used. The condition is that some samples (approximately 10% of the total number of samples) are chosen in the truncated directions. Sampling is continued until V(β) is sufficiently low. The fact that only few samples are performed in the correct direction then leads to many required samples.

[Figure 5: sketch in the (u1, u2) plane of the limit state function g = β − u2, with the original directional density f(κ) and the importance sampling density h(κ) narrowed in the u1 direction.]

Figure 5. Decreasing the standard deviation of non-dominating variables.

4 RELIABILITY METHODS USING RESPONSE SURFACES

The previous chapter indicated that a fast reliability method can be searched in directional sampling or Monte Carlo importance sampling. Several authors (Faravelli 1989, Bucher 1988) claim that response surface techniques are the only possible way to compute the probability of failure when response is only available from experiments or complex computations (like structural FE computations). An analytical limit state function replaces the real response function. The main idea is that the response, consisting of a complex function of input variables, is approximated by a simple function of the input variables. In combination with finite element analysis, the RSM technique is used by, for instance, Faravelli (1989) and Bucher (1988). The standard procedure is as follows:

1. Select the most important random variables on the basis of engineering judgment;
2. The value of each important random variable is varied individually and a real LSFE is performed (the other variables remain unchanged);
3. A response surface is constructed through the response data;
4. A reliability calculation is carried out using the response surface instead of the real response.

The type of reliability method used is of little importance since the time consuming LSFE are replaced by analytical expressions. Of main importance is the question whether every important random variable has been taken into consideration and whether the response function is accurate enough in the neighbourhood of the estimated design points. In the simplest case, the value of each random variable is varied individually in positive and negative direction by a factor f σ. As a result, the sampling points are located at xi = ei σi, where e is the vector (0, 0, 0, 0, …, ±f, …, 0). The factor f is advised to be equal for all variables (Box 1978). Bucher (1990) suggests fitting a quadratic function without cross terms to these sample points. The consequence is that the fitted response surface is sensitive to the choice of the coordinate axes. Several authors therefore suggest including the cross terms. This way, the interaction between variables is taken care of. This so-called "Central Composite Design" requires 2^n + 2n LSFE. For a high number of variables, this leads to an enormous increase of the required number of sample points and is therefore not advisable. Improving the first step with relevant samples near the limit state is probably a far better option. In fact, samples should be searched on the limit state surface and close to the origin in the u-space. This is equivalent to finding the parameter λ in the directional sampling procedure. Special care should be taken in case of non-convex limit state functions and limit state functions that have cross terms only. In these cases the response surface may not find all important regions (see Figure 7).

In this section a procedure is suggested and demonstrated, combining the advantages of directional sampling, response surface and importance sampling. In the previous section the following starting procedure was suggested for the response surface method:

1. Increase the value of each random variable individually until the limit state is reached;
2. Fit a quadratic response surface;
3. Perform the reliability analysis on the fitted response surface.

[Figure 6: number of samples N (0 to 2000) plotted against σ(u2) (0 to 1); legend: Incorrect μ(β).]

Figure 6. Number of samples needed for V(β) = 0.005, 2 variables, g = 4 − u1.

[Figure 7: two sketches in the (u1, u2) plane: a piecewise linear convex limit state function and a non-convex limit state function.]

Figure 7. Non-linear limit state functions.

Step 1 can be seen as a coarse directional integration procedure. Since the sampling is only performed in the coordinate axis directions in the u-space, it is called Axis Direction Integration (ADI). The ADI result already gives an estimate of the failure probability. An LSFE is performed in the origin of the u-space (0, 0, 0, 0, …, 0) and in the point (0, 0, f, 0, …, 0). The factor f is set equal to the expected reliability index β*. Mostly the root is found after approximately 4 LSFE iterations.

Consequently, a response surface can be fitted to the data points. It has been chosen to fit the response surface to the data in:

– the origin (0, 0, …, 0)
– the points (0, 0, ±3, …, 0)
– the roots (0, 0, ±λ, …, 0) (when available).

These data points are most times sufficient to fit a quadratic response surface to. Otherwise a linear surface has to be fitted to the data.

The Directional Sampling (DS) procedure can now be performed on the response surface. Only in directions with, according to the response surface, a relatively high probability Pi is an LSFE used instead of the response surface to compute the distance λ. Consequently, the accuracy of the DS procedure is high in important regions and low in non-interesting regions. The question whether or not a failure probability is relatively high can be transformed into a measure on the minimum distance found so far, λmin (a direction is not important when λRS lies sufficiently far beyond λmin). Harbitz (1986) proposes to skip a direction when λ > λmin + λadd, with λadd = 3. Contrary to this proposal, the direction here is not skipped but the real λLSFE is replaced with λRS. The proposed directional sampling procedure cannot be applied under the following circumstances:

– The failure domain is highly convex (see Figure 8a);
– The origin in u-space is inside the failure domain (see Figure 8b);
– The failure domain is non-coherent (see Figure 8c).

A more general explanation of the method can be found in Waarts (2000) and Waarts & Vrouwenvelder (2001).

5 COMPARISON OF THE RELIABILITY METHODS

5.1 Evaluation criteria

In the previous sections the following reliability methods were discussed:

– Crude Monte Carlo simulation (MC),
– Monte Carlo importance sampling (MCI),
– Crude Directional Sampling (DS),
– Directional Adaptive Response surface Sampling (DARS).

By way of evaluation, in this section, all methods are compared based on relatively simple artificial limit state functions, most of them found in literature. In order to judge the different reliability methods, the following criteria are used from Engelund (1993) to select the artificial limit state functions:

1. Robustness against multiple critical points;
2. Robustness against noisy boundaries;
3. Capability to handle unions and intersections;
4. Efficiency and accuracy with respect to:
   a) the number of variables (space dimension);
   b) the probability level;
   c) strong curvatures of the limit state function.

The reliability methods are compared on the basis of artificial limit state functions, summarised in Table 1, Figure 9 and Figure 10. The limit state functions are chosen in such a way that it is expected that the reliability methods may have difficulties. The efficiency is expressed as the number of limit state function evaluations (LSFE). The results are presented in Table 2.

[Figure 8: three sketches in the (u1, u2) plane: a, convex failure domain; b, origin inside failure domain; c, non-coherent failure domain.]

Figure 8. Failure domains that are not supported in the adaptive response surface sampling procedure.

5.2 Evaluation procedure and used reliability methods

The crude directional sampling (DS) result is considered to be the "exact" result when the theoretical reliability is not available. The crude Monte Carlo technique has been applied only in case the various methods give different results. The results of the crude directional sampling procedures are the mean of 5 arbitrary runs. The coefficient of variation of the probability of failure V(Pf) is chosen such that V(β) = 0.05. The efficiency of Monte Carlo importance sampling (MCI) depends on the number of variables and the correctness of the estimate of β. Since β is not known beforehand, here the importance sampling is optimised for β = 4. As a result, for other outcomes of the reliability index β, the importance sampling will not be optimal. The COMREL code offers the opportunity for adaptive Monte Carlo sampling (adsamp). This is a kind of adaptive importance sampling. The mean value of the sampling density h(x) is chosen in the point that has the absolute minimum g-value. The number of samples has been set equal to 10^5 in all cases.

Table 1. Artificial limit state functions (all variables are normally distributed).

Case  Limit state function           Random variables                    Ref.
A     LSF with 25 quadratic terms    R ~ N(0.5, 0.1), Si ~ N(0.2, 0.1)
B     Convex failure domain          ui ~ N(0, 1)                        Borri et al. (1997)
C     Oblate spheroid                R = 10, Si ~ N(0, 1)
D     Saddle surface, g = 3 − u1u2   ui ~ N(0, 1)
E     Concave failure domain         ui ~ N(0, 1)                        Katsuki et al. (1994)

[Figure 9: plot in the (u1, u2) plane (0 to 4 on both axes) of the limit state function (LSF), the initial response surface (Initial RS), the final response surface (Final RS) and the reliability index β.]

Figure 9. Convex failure domain (case B).

[Figure 10: plot in the (u1, u2) plane (u2 from −3 to 4) of the two branches of the limit state function (LSF Branch 1, LSF Branch 2), with β = 1.66 and β = 3.0.]

Figure 10. Concave failure domain (case E).

In the DARS procedure, the limit state function results are used when, according to the response surface, the vector length λ is less than the minimum value found so far plus 3 (λadd = 3); otherwise λRS is used.

The results (except importance sampling) are summarised in Table 2 as a reference. Detailed information on the limit state functions and results is found in Waarts (2000). Table 2 shows a wide range of required LSFE.

Level III methods cannot give an error message. As a result, it is not certain whether DARS finds the correct answer. The results in Table 2 show however little reason for doubt. All level III procedures lead to the correct answer, where DARS is the best in efficiency.

6 CONCLUSIONS

Summarising the previous sections, the following numbers of limit state function evaluations (LSFE) are needed in the methods:

– Crude Monte Carlo simulation: 3/Pf
– Monte Carlo importance sampling: 600 n
– Crude Directional sampling: 640 n
– DARS: 28 n

Directional sampling is often forgotten as an option for Monte Carlo sampling. For a low number of variables (< 100) it is much faster than standard Monte Carlo sampling. Importance Monte Carlo sampling should be dealt with carefully. Increased Variance sampling is a good and robust method. DARS is a good option, certainly for cases where limit state evaluations per sample take much computational effort.

REFERENCED LITERATURE

Borri, A., Speranzini, E., Structural reliability analysis using a standard deterministic finite element code, Structural Safety, Vol. 19, No. 4, 1997.

Box, W.G., Hunter, J.S., Statistics for experimenters, An introduction to design, data analysis and model building, John Wiley & Sons, 1978.

Bucher, C.G., Adaptive sampling – an iterative fast Monte Carlo procedure, Structural Safety, Vol. 5, No. 2, 1988.

Bucher, C.G., Bourgund, U., 1990, A fast and efficient Response Surface approach for structural reliability problems, Struct. Saf., Vol. 7, 1990.

Deak, I., 1980, Three digit accurate multiple normal probabilities, Num. Math., 35, 369–380.

Ditlevsen, O., Melchers, R.E., Gluver, H., 1990, General multi-dimensional probability integration by directional simulation, Comp. & Struct., Vol. 36, No. 2.

Ditlevsen, O., Bjerager, P., Olesen, R., Hasofer, A.M., 1988, Directional simulation in Gaussian process, Prob. Eng. Mech., Vol. 3, No. 4.

Engelund, S., Rackwitz, R., A benchmark study on importance sampling techniques in structural reliability, Structural Safety, Vol. 12, 1993.

ENV 1991-1: Eurocode 1: Basis of design and actions on structures – Part 1: Basis of design, CEN 1994.

Faravelli, L., 1989, Response Surface Approach for Reliability analysis, J. Eng. Mech. ASCE, 1150(12), 1989.

Harbitz, A., 1986, An efficient sampling method for probability of failure calculations, Structural Safety, Vol. 3,

Johnson, N.L., Kotz, S., Continuous multivariate distributions, John Wiley & Sons, New York, 1972.

Katsuki, S., Frangopol, D.M., 1997, Advanced hyperspace division method for structural reliability, proceedings of ICOSSAR '97, Structural safety and reliability, Shiraishi, Shinozuka & Wen, Eds., November, Balkema, Rotterdam.

Kijawatworawet, W., 1992, An efficient adaptive importance directional sampling for nonlinear reliability problems, Universität Innsbruck.

Nataf, A., 1962, Détermination des distributions dont les marges sont données, Comptes rendus de l'Académie des Sciences, vol. 225, pp 42–43.

STRUREL users manual, RCP, München, 1997.

Rosenblatt, M., Remarks on a Multivariate Transformation, The Annals of Mathematical Statistics, Vol. 23, pp 470–472, 1952.

Rubinstein, R.Y., 1981, Simulation and the Monte Carlo method, John Wiley and Sons, New York, 1981.

Vrouwenvelder, A.C.W.M., Vrijling, J.K., 1994, Probabilistisch ontwerpen, Lecture notes b3, Delft University of Technology, The Netherlands.

Waarts, P.H., 2000, Structural reliability using Finite Element Analysis – An appraisal of DAR
S: Directional Adaptive Response surface Sampling, Thesis Delft University of Technology, Delft University Press.

Waarts, P.H., Vrouwenvelder, A.C.W.M., 2001, Structural reliability using the finite element method, Proceedings of ASRA, Glasgow.


Table 2. Number of LSFE needed by the various reliability methods.

Limit state function      MC      adsamp§   MCI     DS      DARS
25 quadratic terms        10^3    #         6501    2540    188
Convex failure domain     10^3    10^5      513     208     47
Oblate spheroid           10^2    #         1682    170     160
Saddle surface            10^2    #         385     299     225
Concave failure domain    10^2    10^5      1172    260     240

# erroneous answer without error message (Δβ ≈ 0.08 β); § adaptive sampling is performed with N = 10^5.


Optimizing software system design with recovery blocks considering reliability estimation uncertainty

N. Wattanapongsakorn
King Mongkut's University of Technology Thonburi, Bangkok, Thailand

D.W. Coit
Rutgers University, New Jersey, USA

ABSTRACT: In this paper, we consider software system optimization design with Recovery Blocks considering uncertainty in component reliability estimates. The design objective is to maximize an estimate of system reliability and also minimize the variance of the reliability estimate. Recovery Block is one of the most common fault-tolerant system architectures, and it is applied for system redundancy, if needed, in this system optimization research effort. We present an optimization model where the system has a serial configuration, and each of the subsystems has choices of with or without RB/1/1 redundancy; a single software fault and a single hardware fault are tolerated. The model is designed under cost constraints. Our model can be easily applied for other types of fault-tolerant system architecture. This is the first time that a technique to optimize reliability of a system using multiple software versions with different reliabilities and correlated failures is proposed. We believe that our reliability optimization of redundant systems consists of realistic assumptions of failure correlation between/among software versions.

1 INTRODUCTION

In software system design, very often the information of available components, such as component reliability, is not known but can be approximated with a degree of uncertainty. This is the case particularly when the system consists of new components with few failure data recorded. Therefore the system/component reliability is uncertain and can only be approximated. Mean and variance of the system/component reliability estimate are considered as reasonable parameters to represent the reliability estimate and its confidence interval (Coit & Jin 2001). Selecting components with high reliability uncertainty would result in a designed system with high reliability uncertainty. This is undesirable because system designers and users seek an optimal system design choice with a high reliability estimate, while the reliability uncertainty is low.

This paper describes an optimization model for software system design with recovery blocks considering reliability estimation uncertainty. Recovery Block (RB) (Laprie et al. 1990) is one of the most common fault-tolerant software system architectures, where component redundancy is applied. This model is an extended work from Wattanapongsakorn and Levitan (2001) where component reliability is exact and known.

We consider software systems that consist of both software and hardware components. Failures of software components/versions are the major causes of system failures. To provide fault-tolerance to a system, component redundancy is one of the most common approaches. Thus, multiple software versions and hardware components are considered in our optimization model.

Unlike most research papers, we provide a technique to optimize system reliability considering software versions with different reliabilities and correlated failures. In many experimental studies, multiple software versions, which are functionally equivalent, do have failure correlation even if they have been independently developed (Dugan 1994, Eckhardt et al. 1985 & Eckhardt et al. 1991). The failure correlation may come from faults in the software specification, faults from the voting algorithm, and/or related faults from any two software versions. Our approach considers this correlation of failures in formulating our optimization model.

The systems that we model are series-parallel fault-tolerant systems. The redundancy allocation problem for series-parallel systems is known to be difficult (NP-hard). Many researchers have proposed a variety of approaches to solve this problem using, for example, integer programming, branch-and-bound, dynamic programming, mixed integer and nonlinear programming. Recent optimization approaches are based on heuristics such as Genetic Algorithms (GA) and Tabu Search (TS). All of these approaches were developed for either optimizing reliability for software systems or hardware systems. In this paper, we consider systems consisting of both software and hardware components. The software failure behavior, which is different from the hardware failure behavior, is considered.

GA is used as the optimization approach. The term "genetic" derives from the rough analogy with natural reproduction, where a new-born population is produced by crossover and mutation. There is competition among the population; the stronger ones will survive to the next generation and the weak ones will soon die out. GA is a heuristic optimization model that has been applied effectively to solve many difficult problems in different fields such as scheduling, facility layout, and graph coloring/graph partitioning problems. It is a stochastic algorithm with performance depending on the solution encoding, crossover breeding operator, elitist selection and mutation operator.

Our optimization model is developed to select both software and hardware components and the degree of redundancy to optimize the overall system reliability, with a total cost constraint. In the system, there are a specified number of subsystems in series. For each subsystem, there are several hardware and software choices to be made. The system is designed using components, each with estimated reliability, but with known cost.

This paper is organized as follows. The assumptions and notation used in this paper are listed next. In section 2, the software system design with recovery block architecture is discussed. Section 3 provides the concept of reliability estimation uncertainty. Section 4 presents our optimization model to maximize reliability considering uncertainty. Section 5 discusses the GA as our optimization approach. In section 6, we demonstrate our model with an example system, where reasonable and interesting results are obtained and discussed.

1.1 Assumptions

1) Each software component, hardware component or the system has two states: functional or failed

2) The reliability of each software or hardware component is unknown, but estimable

3) There is no failure repair for any component or the system

4) Hardware redundancy is in active mode (i.e. hot spares)

5) Failures of individual hardware components are statistically independent

1.2 Notation

RB/i/j   system architecture RB with i hardware faults tolerated and j software faults tolerated
n        Number of subsystems in the series system
mi       Number of hardware component types available for subsystem i
pi       Number of software versions available for subsystem i
R        Estimated reliability of the distributed system
Ri       Estimated reliability of subsystem i
Rhwij    Reliability of hardware component j at subsystem i
Rswik    Reliability of software component k at subsystem i
Chwij    Cost of using hardware component j at subsystem i
Cswik    Cost of developing software version k at subsystem i
Cost     Maximum allowable cost (constraint)
Px       Probability that event X occurs
Qx       Probability that event X does not occur; Qx = 1 − Px
Pvi      Probability of failure of software version i
Prvij    Probability of failure from a related fault between two software versions, i and j
Pall     Probability of failure from a related fault among all software versions, due to faults in the specification
Pd       Probability of failure of the decider or voter
Phi      Probability of failure of hardware component i. If only one hardware type is applied, Phi = Ph for all i

2 SOFTWARE SYSTEM DESIGN WITH RECOVERY BLOCKS

2.1 Recovery Block (RB): RB/1/1 architecture

The RB model consists of an adjudication module called an acceptance test, and at least two software components, called alternates (Laprie et al. 1990, Lyu 1996), as indicated in Figure 1. At the beginning, the output of the first or primary alternate is tested for acceptance. If it fails, the process rolls back to the beginning, and then the second alternate executes and its output is tested for acceptance again. This process continues until the output from an alternate is accepted or all outputs of the alternates have been tested and failed.

RB/1/1 has a single hardware fault tolerated and a single software fault tolerated. The system consists of two hardware components, each running two independent software versions: primary and secondary. The primary version is active until it fails, and the secondary version is the backup spare. System failures occur when both versions fail, or both hardware components fail.

The probability that an unacceptable result occurs during a single task iteration, P, is presented by Equation 1, where the ai, kij and hij values for the RB/1/1 architecture are listed in Table 1.

(1)

where
s = number of additive terms when all failure probabilities have been enumerated; s = 6 for this RB/1/1 architecture
ai = integer coefficient
Ci = component type set for the ith additive term
kij = power coefficient for the jth component reliability in set Ci
hij = power coefficient for the jth component unreliability in set Ci
pj = unreliability of the jth type of component
qj = reliability of the jth type of component, pj + qj = 1 for all j

pj and qj definitions and comparisons with the notation from Wattanapongsakorn and Levitan (2001) are as follows,

With the RB/1/1 architecture, we develop an optimization model for a fault-tolerant embedded system considering reliability estimates with uncertainty. The components available for the system design each have a reliability estimation uncertainty, measured by the variance of the reliability estimate.

In the next section, we formulate equations for the system reliability estimate and the variance of the reliability estimate for the RB/1/1 fault-tolerant architecture. These equations will be used in our optimization model, discussed later in section 4.

3 RELIABILITY ESTIMATION UNCERTAINTY

Usually the exact component unreliability, pj, or reliability, qj, is not known. They are estimated from life test data or field failure records. The estimated pj or qj are used to replace the true but unknown values in Equation 1.

(2)

Direct calculation of E[P] and Var(P) is difficult due to the coupling of pj and qj. Therefore, Equation 2 has been rearranged as follows.

(3)

Equation 3 can be rearranged by expanding the (1 − qj)^kij terms, resulting in Equation 4.

(4)

where
t = number of additive terms after expansion, t > s
bi = integer coefficient

bi and nij are determined by grouping similar terms. This expansion procedure is conducted automatically using Matlab code based on the parameters in Table 1. Due to the length of the expansion, the detailed computational procedure is omitted. Table 2 lists all the expansion results.

From the table, t = 25. Based on the coefficients nij, bi and the component reliability information, Equation 4 can be used to obtain the mean and the variance of the unreliability P. Together with the higher-order moment information of the component reliability estimates, the mean and the variance of the unreliability P can be obtained as follows (Jin & Coit 2001).

Figure 1. RB/1/1 fault-tolerant architecture (two hardware units H, each hosting a primary and a secondary software version with the secondary idle; the figure marks the hardware and software error confinement areas).

Table 1. ai, kij and hij expressed in a matrix form for RB/1/1 architecture.

         kij                     hij
i   j = 1  2  3  4  5  6    j = 1  2  3  4  5  6    ai
1       1  0  0  0  0  0        0  0  0  0  0  0     1
2       0  1  0  0  0  0        1  0  0  0  0  0     1
3       0  0  1  0  0  0        1  1  0  0  0  0     1
4       0  0  0  0  0  2        1  1  1  0  0  0     1
5       0  0  0  1  1  0        1  1  1  0  0  0     1
6       0  0  0  1  1  2        1  1  1  0  0  0     1


(5)

(6)

where Cim = Ci ∪ Cj

To show the relationship of the reliability estimate and the variance of the reliability estimate for each component, we provide a few numerical examples. Table 3 lists component reliability estimate or unreliability estimate values. These data are selected directly from Wattanapongsakorn and Levitan (2001). Equations 5 & 6 are also valid as long as the higher moments of the component reliability estimates are known. Without loss of generality, a Bernoulli test is assumed and binomial distribution theory was applied to estimate the higher moments (Jin & Coit 2001). h = [h1, h2, h3, h4, h5, h6, h7] is a variance-factor vector, with hi an integer. For example, when h = [6, 4, 2, 2, 4, 3, 6], the corresponding component variances are given in Table 3.

Table 4 lists four results with respect to different component variances. It is shown that the system unreliability P is unchanged even if the component variances vary as h changes. It can be observed that as the component variances become small, the overall variance of the system unreliability estimate P also decreases.

Table 2. nij and bi expressed in a matrix form for RB/1/1 architecture.

         nij
i   j = 1  2  3  4  5  6    bi
1       0  0  0  0  0  0     1
2       1  0  0  0  0  0     1
3       1  1  0  0  0  0     1
4       1  1  1  0  0  0     1
5       1  1  1  0  0  0     1
6       1  1  1  0  0  0    −1
7       1  0  0  0  0  0    −1
8       1  1  0  0  0  0    −1
9       1  1  1  0  0  0    −1
10      1  1  1  0  0  1    −2
11      1  1  1  0  0  2     1
12      1  1  1  1  0  0    −1
13      1  1  1  0  1  0    −1
14      1  1  1  1  0  0     1
15      1  1  1  0  1  0     1
16      1  1  1  0  0  1     2
17      1  1  1  0  0  2    −1
18      1  1  1  1  1  0     1
19      1  1  1  1  1  0    −1
20      1  1  1  1  0  1    −2
21      1  1  1  1  0  2     1
22      1  1  1  0  1  1    −2
23      1  1  1  0  1  2     1
24      1  1  1  1  1  1     2
25      1  1  1  1  1  2    −1

Table 3. Parameters and definition of the component's variance of reliability estimate.

Unreliability estimate   Reliability estimate   Variance of reliability estimate
Prv = 0.004              Qrv = 0.996            Var(Prv) = (Prv × Qrv)/h1 = 0.000664
Pd = 0.02                Qd = 0.98              Var(Pd) = (Pd × Qd)/h2 = 0.0049
Pall = 0.005             Qall = 0.995           Var(Pall) = 0.0024875
Pv1 = 0.035              Qv1 = 0.965            Var(Pv1) = (Pv1 × Qv1)/h4 = 0.016
Pv2 = 0.046              Qv2 = 0.954            Var(Pv2) = (Pv2 × Qv2)/h5 = 0.012
Pv3 = 0.09               Qv3 = 0.910            Var(Pv3) = (Pv3 × Qv3)/h6 = 0.03
Ph = 0.03                Qh = 0.970             Var(Ph) = (Ph × Qh)/h7 = 0.004

Table 4. Parameters of components and system unreliability P, system unreliability estimate E[P], and system variance of unreliability estimate Var(P).

h                             P         E[P]      Var(P)
[1, 1, 1, 1, 1, 1, 1]         0.05571   0.03716   0.03578
[2, 2, 2, 2, 2, 2, 2]         0.05571   0.06317   0.02801
[8, 8, 8, 8, 8, 8, 8]         0.05571   0.06068   0.00777
[12, 12, 12, 12, 12, 12, 12]  0.05571   0.05925   0.00521

4 OPTIMIZATION MODEL

In this section, we present our optimization model for the reliability of software systems. The objective is to find the optimal set of software and hardware allocations for all subsystems (with or without RB/1/1 redundancy). The problem formulation is to maximize the system reliability estimate, subject to a specified cost constraint, Cost. The system has all subsystems connected in series. This model is suited for systems that handle relatively critical tasks. The problem formulation for this model allows each subsystem to have RB/1/1 redundancy allocation, with its reliability estimate and variance of the reliability estimate calculated according to the RB/1/1 redundancy configuration. The parameters considered for the reliability of the RB/1/1 architecture are available as component reliability estimates and variances of the reliability estimates. Each allocated software version is allowed to have a different reliability estimate value, unlike several proposed models where all of the software versions have the same reliability value (Lyu 1996).

The problem formulation is to maximize the system reliability estimate with its variance of the reliability estimate by choosing the optimal set of hardware and software components for each subsystem by:

The design objective is to identify solutions with very high reliability, but also with a low variance of the reliability estimate. If the decision maker is risk-neutral, then the design objective is to maximize the reliability estimate. If the person is risk-averse, where the worst case with high variance of the reliability estimate is unacceptable (i.e., highly critical & life-dependent systems), then minimizing the variance is also an important design objective. One approach is to consider the problem as a multi-criteria optimization: to maximize the system reliability estimate and at the same time minimize the variance. This approach was proposed by Coit and Jin (2001). Another approach, which is our approach, is to penalize the estimation uncertainty by penalizing the system reliability estimate with its estimation variance. The “penalty” is a tunable parameter based on a system designer's tolerance for risk, i.e. actual reliability deviation from the estimate. By penalizing the variance, the final solution represents a compromise between high reliability and low variance.

5 GENETIC ALGORITHM OPTIMIZATION APPROACH

GA requires that the system design (phenotype) be encoded as a solution vector (genotype). Then, genetic operators (crossover, mutation) are applied over successive generations until the GA converges to a solution or a pre-determined maximum number of generations is reached.

5.1 Encoding

For an embedded (hardware and software) system with n subsystems connected in series, the string encoding can be represented as:

H1 S1 | H2 S2 | H3 S3 | … | Hn Sn

where Hi, with 0 < i ≤ n, is the selected hardware component for subsystem i, and Si is the selected software component/version for the specified subsystem.

5.2 Initial population

We set the initial population by randomly generating a set of chromosomes consisting of genes, and calculate their fitness values according to the fitness function.

5.3 Selection

The chromosomes or population are sorted by their fitness values. The top 85% of the population with high fitness values are selected for the crossover process.

5.4 Crossover

We randomly select two systems or chromosomes from the current population for crossover, to produce two new chromosomes. We also randomly select a subsystem for crossover. The positions P1 and P2 are labeled with bold font for crossover.

Example:
1 2 | 1 3 | 1 1 | 3 4
1 1 | 2 3 | 3 5 | 4 4

Random subsystem = 3, P1 = 1, P2 = 2

Results:
1 2 | 1 3 | 3 5 | 3 4
1 1 | 2 3 | 1 1 | 2 4

We select the highest 15% of the population with the maximum fitness values from the current population generation and combine them with the best 85% from the crossover to be the next population generation.


5.5 Mutation

The current population generation is initially sorted by fitness values. Then, each chromosome in the generation, except the best 5%, is mutated with a mutation rate which is usually less than 10%. The chromosomes resulting from mutation are combined and considered as the chromosomes in the current population generation.

5.6 Penalty function

A dynamic penalty function is an effective approach to deal with problems with a cost constraint (Coit et al. 1996). It is applied to the selected chromosomes that violate the constraint (i.e. infeasible solutions). For example, if the system cost is not greater than the “Cost” constraint, no cost penalty is applied; otherwise the cost penalty is applied to the objective function. In doing this, the infeasible solution search space is explored and such solutions are considered as local or temporary solutions which may lead to finding feasible global solutions.

6 AN EXAMPLE SYSTEM: DESIGN AND SIMULATION RESULT

We select the problem originally solved in Wattanapongsakorn and Levitan (2001) to provide an example problem considering the reliability estimate and the variance of the reliability estimate as multiple objectives. This example reliability optimization problem is a series system with six subsystems, having n = 6, mi = 3, and pi = 4. As an extension of the previous work, the known component reliabilities used in the previous paper are now considered as reliability estimates with an associated variance. The component costs are unchanged and considered in this optimization problem. Table 5 shows the reliability estimate and its variance as well as the cost of all the available components.

We apply this input data to our optimization model with various system design cost constraints at 180, 320, 460 and also with an unlimited cost constraint. The penalty value (variance penalty), which is the weight of the variance of the reliability estimate, is set arbitrarily to 0.01, 0.1, 1, 2, 3, 4, 5, 10 and 100 for the various system design cost constraints, i.e. 180, 320, 460 and unlimited. Other design conditions are Prv = 0.004, Pall = 0.005 and Pd = 0.002, with the corresponding variance factors (h) each equal to 20. We apply a genetic algorithm as our optimization approach. The simulation results, each based on 10 runs, are presented in Tables 6–11.

Table 5. Available components and their reliability estimates, variances, and costs.

Inputs
HW (i, j)  Costij  Rij    Variance-factor hij    SW (i, k)  Costik  Rik    Variance-factor hik
11         30.0    0.995  4                      11         30.0    0.950  3
12         10.0    0.980  5                      12         10.0    0.908  2
13         10.0    0.980  4                      13         20.0    0.908  4
                                                 14         30.0    0.950  2
21         30.0    0.995  2                      21         30.0    0.965  1
22         20.0    0.995  3                      22         20.0    0.908  3
23         10.0    0.970  1                      23         10.0    0.887  3
                                                 24         20.0    0.908  2
31         20.0    0.994  4                      31         20.0    0.978  4
32         30.0    0.995  1                      32         30.0    0.954  1
33         100.0   0.992  2                      33         20.0    0.860  2
                                                 34         30.0    0.954  3
41         30.0    0.990  2                      41         20.0    0.950  1
42         10.0    0.980  4                      42         10.0    0.908  2
43         10.0    0.985  1                      43         20.0    0.910  3
                                                 44         20.0    0.950  7
51         30.0    0.995  3                      51         30.0    0.905  2
52         20.0    0.980  10                     52         20.0    0.967  8
53         30.0    0.995  1                      53         10.0    0.967  1
                                                 54         30.0    0.905  5
61         30.0    0.998  3                      61         10.0    0.908  1
62         20.0    0.995  4                      62         30.0    0.968  2
63         20.0    0.994  2                      63         20.0    0.968  3
                                                 64         20.0    0.955  2

From the GA results presented in Table 6 at various system cost constraints, we can see that with no cost constraint, each model can offer the highest system reliability estimate and the lowest variance of the reliability estimate compared to all the solutions with low or high cost constraints. With a very tight cost constraint, where cost ≤ 180, the best obtainable solutions are not as good as when the cost constraint is relaxed to 320 or 460. With a more relaxed cost constraint, better solutions can be obtained. The selected component allocations for the corresponding cost constraints are depicted in Table 7. A better solution means the solution with a higher reliability estimate and a lower variance of the reliability estimate.

From Table 7, at cost 180, no component redundancy can be obtained, as indicated by a single software version and a single hardware component selected for each subsystem. At higher cost constraints, the results show replicated software and hardware components allocated, for example at subsystems 1, 2, 4, and 5.

The GA optimization results with arbitrary values of the variance penalty at system cost constraints equal to 180, 320, 460 and unlimited are depicted in Tables 8, 9, 10, and 11, respectively. From the results, at a certain cost constraint, the GA seeks solutions with less variance of the reliability estimate when the variance penalty is set higher. However, these solutions also have a lower reliability estimate. In other words, a system design choice with a high reliability estimate also has high variance. The design choice with a high reliability estimate can be obtained when the uncertainty or variance of the reliability estimate is affordable, i.e. when the variance penalty is not significant.

Table 6. Optimization results from GA with variance penalty = 1.0.

Estimate     Cost = 180   Cost = 320   Cost = 460   Cost = Unlimited
E[R(x)]      0.632460     0.862231     0.909249     0.914257
Var(R(x))    0.090987     0.019648     0.006210     0.005914

Table 7. Component allocations for the results shown in Table 6.

Cost        Subsystem 1 (i = 1)   Subsystem 2 (i = 2)   Subsystem 3 (i = 3)   Subsystem 4 (i = 4)   Subsystem 5 (i = 5)   Subsystem 6 (i = 6)
            HW j =   SW k =       HW j =   SW k =       HW j =   SW k =       HW j =   SW k =       HW j =   SW k =       HW j =   SW k =
180         2        2            3        3            1        1            2        4            2        3            2        3
320         2        2,3          2        2,3          1        1            2        2,4          2        2,3          2        3
460         2        1,4          2        1,3          1        1,4          2        1,4          2        2,3          2        3,4
unlimited   1        1,4          2        1,2          1        1,4          2        1,4          1        2,3          2        2,3

Table 8. Optimization results from GA with various variance penalties at cost = 180.

Variance penalty   E[R(x)]    Var(R(x))
0.01–0.1           0.635687   0.090987
1–3                0.632460   0.085178
4                  0.632460   0.085178
5                  0.632460   0.085178
10                 0.632460   0.085178
100                0.604499   0.083446

Table 9. Optimization results from GA with various variance penalties at cost = 320.

Variance penalty   E[R(x)]    Var(R(x))
0.01               0.862231   0.019648
0.1                0.862231   0.019648
1–3                0.862231   0.019648
4                  0.862231   0.019648
5                  0.847706   0.015310
10                 0.847706   0.015310
100                0.847706   0.015310

Table 10. Optimization results from GA with various variance penalties at cost = 460.

Variance penalty   E[R(x)]    Var(R(x))
0.01–0.1           0.909249   0.006210
1–3                0.909249   0.006210
4                  0.908004   0.005898
5                  0.908004   0.005898
10                 0.908004   0.005898
100                0.906183   0.005796

Table 11. Optimization results from GA with various variance penalties at cost = unlimited.

Variance penalty   E[R(x)]    Var(R(x))
0.01               0.914486   0.006675
0.1                0.914257   0.005914
1–3                0.914257   0.005914
4                  0.914257   0.005914
5                  0.914257   0.005914
10                 0.913637   0.005779
100                0.909938   0.005572
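As an added example (not the authors' code), the following Python scores a chromosome in the H1 S1 | … | Hn Sn encoding against the Table 5 data and applies the single-subsystem crossover of Section 5.4 to the paper's example parents. It assumes the Table 3 convention Var(R) = R(1 − R)/h, treats the component estimates as independent so that the series-system estimate and its variance follow from the product-moment rule, and uses E[R] − penalty·Var(R) with a proportional cost penalty as assumed forms of the objective, since the paper's equations are not reproduced above.

```python
"""Added example (not the paper's own code): evaluate a chromosome in the
H1 S1 | H2 S2 | ... | Hn Sn encoding of Section 5.1 against the Table 5 data,
and apply the single-subsystem crossover of Section 5.4."""
from math import prod

# Table 5 of the paper, transcribed: (subsystem i, choice) -> (cost, reliability estimate, variance factor h)
HW = {
    (1, 1): (30.0, 0.995, 4), (1, 2): (10.0, 0.980, 5), (1, 3): (10.0, 0.980, 4),
    (2, 1): (30.0, 0.995, 2), (2, 2): (20.0, 0.995, 3), (2, 3): (10.0, 0.970, 1),
    (3, 1): (20.0, 0.994, 4), (3, 2): (30.0, 0.995, 1), (3, 3): (100.0, 0.992, 2),
    (4, 1): (30.0, 0.990, 2), (4, 2): (10.0, 0.980, 4), (4, 3): (10.0, 0.985, 1),
    (5, 1): (30.0, 0.995, 3), (5, 2): (20.0, 0.980, 10), (5, 3): (30.0, 0.995, 1),
    (6, 1): (30.0, 0.998, 3), (6, 2): (20.0, 0.995, 4), (6, 3): (20.0, 0.994, 2),
}
SW = {
    (1, 1): (30.0, 0.950, 3), (1, 2): (10.0, 0.908, 2), (1, 3): (20.0, 0.908, 4), (1, 4): (30.0, 0.950, 2),
    (2, 1): (30.0, 0.965, 1), (2, 2): (20.0, 0.908, 3), (2, 3): (10.0, 0.887, 3), (2, 4): (20.0, 0.908, 2),
    (3, 1): (20.0, 0.978, 4), (3, 2): (30.0, 0.954, 1), (3, 3): (20.0, 0.860, 2), (3, 4): (30.0, 0.954, 3),
    (4, 1): (20.0, 0.950, 1), (4, 2): (10.0, 0.908, 2), (4, 3): (20.0, 0.910, 3), (4, 4): (20.0, 0.950, 7),
    (5, 1): (30.0, 0.905, 2), (5, 2): (20.0, 0.967, 8), (5, 3): (10.0, 0.967, 1), (5, 4): (30.0, 0.905, 5),
    (6, 1): (10.0, 0.908, 1), (6, 2): (30.0, 0.968, 2), (6, 3): (20.0, 0.968, 3), (6, 4): (20.0, 0.955, 2),
}


def component_variance(r, h):
    """Table 3 convention: Var(R) = R(1 - R)/h with h the variance factor."""
    return r * (1.0 - r) / h


def series_moments(parts):
    """Mean and variance of a product of independent reliability estimates.

    For independent X_i with mean mu_i and variance s_i^2:
    E[prod X_i] = prod mu_i and E[(prod X_i)^2] = prod (mu_i^2 + s_i^2),
    so Var(prod X_i) = prod (mu_i^2 + s_i^2) - (prod mu_i)^2.
    """
    mean = prod(mu for mu, _ in parts)
    second = prod(mu * mu + var for mu, var in parts)
    return mean, second - mean * mean


def evaluate(chromosome, variance_penalty, cost_limit):
    """Score one chromosome: a list of (Hi, Si) pairs, one per subsystem.

    With no redundancy a subsystem works only if its hardware and its software
    version both work, so the series system is the product of all 2n estimates.
    The penalized fitness E[R] - penalty * Var(R) and the proportional cost
    penalty are assumed forms; the paper's own equations are not reproduced here.
    """
    parts, cost = [], 0.0
    for i, (h_idx, s_idx) in enumerate(chromosome, start=1):
        for table, idx in ((HW, h_idx), (SW, s_idx)):
            c, r, h = table[(i, idx)]
            cost += c
            parts.append((r, component_variance(r, h)))
    mean, var = series_moments(parts)
    fitness = mean - variance_penalty * var
    if cost > cost_limit:  # infeasible: penalize but keep it in the search (Section 5.6)
        fitness -= (cost - cost_limit) / cost_limit
    return {"E": mean, "Var": var, "cost": cost, "fitness": fitness}


def crossover(parent_a, parent_b, subsystem):
    """Section 5.4 crossover: swap the genes of one chosen subsystem (1-based)."""
    k = subsystem - 1
    child_a, child_b = list(parent_a), list(parent_b)
    child_a[k], child_b[k] = parent_b[k], parent_a[k]
    return child_a, child_b


# Table 7, cost 180: one hardware component and one software version per subsystem
COST_180 = [(2, 2), (3, 3), (1, 1), (2, 4), (2, 3), (2, 3)]

if __name__ == "__main__":
    res = evaluate(COST_180, variance_penalty=1.0, cost_limit=180)
    print(f"cost={res['cost']:.0f} E[R]={res['E']:.6f} Var(R)={res['Var']:.6f} fitness={res['fitness']:.6f}")
    # The paper's Section 5.4 example parents (indices there are illustrative only)
    a, b = crossover([(1, 2), (1, 3), (1, 1), (3, 4)], [(1, 1), (2, 3), (3, 5), (4, 4)], subsystem=3)
    print("children:", a, b)
```

For the cost-180 allocation of Table 7 it returns E[R(x)] = 0.632460 as in Table 6 and the variance 0.085178 that Table 8 lists for that estimate.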

7 CONCLUSION

This paper analyses and identifies system design choices when component reliability information is available in the form of a reliability estimate and the variance of the reliability estimate. The system design objectives are to maximize the system reliability estimate and, at the same time, minimize its variance. These multiple objectives are in contrast with one another. When one objective is more important than the other, a certain design choice is suggested. Therefore the system design decision depends on the degree of importance of the objective function.

REFERENCES

Coit D.W. & Jin T. 2001. Multi-Criteria Optimization: Maximization of a System Reliability Estimate and Minimization of the Estimate Variance, Proceedings of the European Safety & Reliability International Conference (ESREL), Turin, Italy.

Coit D.W., Smith A. & Tate D. 1996. Adaptive Penalty Methods for Genetic Optimization of Constrained Combinatorial Problems, INFORMS Journal on Computing, Vol. 8, No. 2, pp. 173–182.

Dugan J.B. 1994. Experimental Analysis of Models for Correlation in Multiversion Software, Proceedings of the International Symposium on Software Reliability Engineering, Los Alamitos, CA, pp. 36–44.

Eckhardt D.E., Caglayan A.K., Knight J.C., Lee L.D., McAllister D.F., Vouk M.A. & Kelly J.P. 1991. An Experimental Evaluation of Software Redundancy as a Strategy for Improving Reliability, IEEE Transactions on Software Engineering, Vol. 17, No. 7, pp. 692–702.

Eckhardt D.E. & Lee L.D. 1985. A Theoretical Basis for the Analysis of Multiversion Software Subject to Coincident Errors, IEEE Transactions on Software Engineering, Vol. 11, pp. 1511–1517.

Jin T. & Coit D.W. 2001. Variance of System Reliability Estimates with Arbitrarily Repeated Components, IEEE Transactions on Reliability, Vol. 50, No. 4, pp. 409–413.

Laprie J.C., Arlat J., Beounes C. & Kanoun K. 1990. Definition and Analysis of Hardware- and Software-Fault-Tolerant Architectures, IEEE Computer, July 1990, pp. 39–51.

Lyu M.R. (Editor in Chief) 1996. Handbook of Software Reliability Engineering, IEEE Computer Society Press, McGraw-Hill.

Rubinstein R., Levitin G., Lisnianski A. & Ben-Haim H. 1997. Redundancy Optimization of Static Series-Parallel Reliability Models Under Uncertainty, IEEE Transactions on Reliability, Vol. 46, No. 4, pp. 503–511.

Wattanapongsakorn N. & Levitan S.P. 2001. Reliability Optimization Models for Fault-Tolerant Distributed Systems, Proceedings of the Annual Reliability & Maintainability Symposium, pp. 193–199.


The fireworks disaster in Enschede: overview, reconstruction, safety and pyrotechnics

J. Weerheijm, R.M.M. van Wees & L.H.J. Absil
TNO-PML, Rijswijk, The Netherlands

P.C.A.M. de Bruyn & J.W. Karelse
NFI, Rijswijk, The Netherlands

ABSTRACT: Saturday afternoon May 13, 2000 a major fireworks incident occurred at the company S.E. Fireworks in the city of Enschede, the Netherlands. Twenty-two people were killed and more than seven hundred were injured. Within a radius of hundreds of meters houses were destroyed by the blast and debris generated by the explosions and burnt because of the scattered fireworks.

The possible causes, safety regulations and safety control were investigated. By order of the Public Prosecutor, the Netherlands Forensic Science Institute (NFI) and TNO Prins Maurits Laboratory (TNO-PML) performed the forensic and technical investigations into the reconstruction and the cause of this disaster.

Within an hour the incident developed from a moderate fire and some initiated fireworks in one of the buildings into a series of three explosions of increasing violence. Many people witnessed the accident (at a distance) and numerous video recordings from different angles were made. After the disaster an extensive investigation was started. The observed explosion effects, the inventory of the damage in the area and all the forensic evidence were analysed. They form the basis for the reconstruction of the disaster. Scenarios for possible causes of each of the events were developed and analysed. In addition, the most probable chain of events and the lessons to be learned concerning the (bulk) storage of pyrotechnics in general and fireworks specifically were dealt with.

1 INTRODUCTION

Saturday afternoon May 13, 2000 a major fireworks accident occurred at the company S.E. Fireworks in the city of Enschede, the Netherlands. Within an hour the incident escalated from a moderate fire and some initiated fireworks in one of the buildings into a series of three explosions of increasing violence. The first was a relatively small explosion in a container. Within a minute seven garage boxes (prefab concrete storage facilities) exploded. This was followed 66 seconds later by a further explosion of storage cells in the central storage building, whereby the most violent explosion occurred in storage cell C11. The resulting blast wave was comparable to an explosion with a mass between 4000 and 5000 kg TNT. The possible causes, safety regulations and safety control were investigated.

The observed explosion effects, the inventory of the damage in the area and all the forensic evidence were analysed by NFI and TNO. They form the basis for the reconstruction of the disaster. In this paper the observed facts and the identification of the main, crucial elements in the chain of disastrous events will be described. For the major events, the possible initiation mechanisms and possible consequences will be discussed. Lessons and general conclusions are drawn from these analyses. The paper only gives a summary of the research and highlights the main research steps. The research is reported in Bruyn & Karelse (2000) and Weerheijm et al. (2000). It should be noted that there is no complete certainty about the stored quantities and type of fireworks. The licensed quantities are given in the paper.

2 SITUATION MAY 13, 2000

May 13, 2000 was a warm sunny day. Many people were outside enjoying the weather and were attracted to the S.E. Fireworks (SEF) area due to the increasing firework effects. The SEF firework depots were situated in a residential area of the city of Enschede. The location and the layout of the SEF depot is given in Figure 1. Figure 2 gives the identification numbers of all storage cells. The company S.E. Fireworks performed firework displays and shows, imported fireworks and did some trade in fireworks. The depot consisted of a central storage building (cells C2–C15), seven prefab (garage) boxes and 14 ISO-containers. The central building had wooden doors and was constructed in cast, reinforced concrete with a wall and roof thickness of 20 cm. Cell 2 was the fireworks preparation and reparation room; the internal dimensions of the cells C12, C14 and C15 were 2.5 × 4.0 × 2.8 m3 (width × depth × height). The other, larger cells had a width of 4 m.

The walls and roof of the prefab concrete garage boxes had a thickness of 50 mm. The dimensions of the boxes M1–M6 were 2.6 × 5.2 × 2.3 m3 (volume 30.4 m3). M7 was slightly larger and had a wooden door; the others had the original thin, corrugated steel sheet doors.

In order to prevent direct flame contact between cell doors in case of fire, the walls in the central building and the garage boxes were extended externally by 50 cm. The ISO containers were standard 20 ft transport containers with wooden floors, and no additional fire protective measures were applied.

The total licensed quantities for storage were 158.500 kg (gross mass) of 1.4S or 1.4G fireworks. In some cells fireworks of class 1.3G were allowed to be stored. The license permitted in total a maximum of 2000 kg 1.3G, while 136.500 kg of class 1.4 could be stored. The maximum quantities and classes (transport classification) of fireworks are given in Table 1.

3 SEQUENCE OF EVENTS

Due to the many people that were attracted to the accident, several video recordings from various angles are available. For learning and evaluation purposes, one member of the fire brigade was specially tasked to record fire fighting actions. Especially his recordings of the events have been very helpful in the reconstruction of the disaster.

The global time frame was:

14:45     Firework effects witnessed
15:00     Fire reported to fire brigade
15:08     Reconnaissance SE Fireworks terrain
15:16     Fire in C2 under control
15:24     Smoke and fire effects from C4
15:33     Smoke from container E2 visible (video recording, time referenced to seismic recordings of the massive explosions)
15:34     Small explosion, massive deflagration of contents E2
15:34:40  Massive explosion garage storage boxes M7–M1
15:35:46  Explosion C11 (central building). Almost simultaneously the other cells and a number of containers exploded.

Figure 1. The layout of SE Fireworks and the central storage building (Delta photo, Enschede, adaptations NFI).

Figure 2. Scheme of the storage cells and containers of S.E. Fireworks (the original figure labels garage boxes M1–M7, central building cells C1–C15, containers E1–E16 and the surrounding address codes).

Table 1. Licensed storage capabilities.

Location                         Gross mass per cell (kg)   Transport classification
Central building:
  Cells C3–C11                   7000                       1.4S/1.4G
  Cell C13                       500                        1.3G
                                 or 7000                    1.4S/1.4G
  Small cells C12, C14, C16      500                        1.3G
                                 or 5000                    1.4S/1.4G
  Preparation room C2            500*                       1.4S/1.4G
Garage boxes M1–M7               3500                       1.4S/1.4G
Containers E1–E14                3500                       1.4S/1.4G
Total                            158.500                    1.4S/G
                                 or 136.500 and 2.000       1.4S/G and 1.3G

* only during working hours.

Figures 3 and 4 illustrate the situation and the escalation of the firework reactions in the period 15.16–15.33 hours. The pictures of Figures 4 and 5, respectively, show the final explosion (from a distance of about 600 m) and a top view of the explosion area with search sections taped out for the forensic investigation. The detailed time scheme and extensive event and damage descriptions are given in Weerheijm et al. (2000). In this paper only the headlines are given.

3.1 Initial fire in cell C2

From the chronological accident facts, the paramount question emerges about the cause of the fire in the workshop, preparation cell C2 of the central storage building. Extensive forensic investigation was performed to examine the possibilities of:

– Sabotage, arson or improvised explosive devices;
– Malfunctioning, defects of the electrical and gas installation or other equipment;
– Fire caused by human activities at the S.E. Fireworks terrain;
– (Self) ignition of firework articles, pyrotechnics or other fuels caused by instability or external effects.

In spite of the extensive forensic effort no definite proof was found for any of these scenarios. It should be noted that the strength of the final explosions had a devastating effect and most of the evidence of the initial fire was destroyed. Other forensic investigation concerned the possible traces of high explosives and ammunition. No traces of high explosives were found; therefore the explanations for the cause and the development of the disaster had to be found in the stored fireworks and storage conditions.

3.2 Observed explosion effects

The major explosion effects are the crater, fireball, blast and debris. The video recordings and the damage at the explosion area showed that the three major explosions, respectively in container E2, the garage boxes and the central building, had increasing strength. Consequently the final explosion destroyed evidence and traces of the preceding explosions and hampered the detailed analysis. Nevertheless the following conclusions could be drawn from the remaining evidence.

3.2.1 Firework reactions in container E2

No crater or evidence of blast damage due to the E2 explosion was found. A very severe firework fire and the projection of firework articles characterise the “explosion” in E2. The observed effects correspond to fireworks of transport classification 1.3G, see also Merrifield and Myatt (2001).

3.2.2 Explosion in garage boxes M7–M1

The second major event occurred in the garage boxes. From the video recordings it is seen that the fireball of the explosion swells to a diameter of about 85 m in 0.3 s. The explosion appeared to be a sympathetic reaction of the contents of the boxes from M7 towards M1. The boxes were completely destroyed; no remaining debris could be recollected. The video recordings show debris launch velocities of the order of 200 m/s. The reactions were severe but a detonation definitely did not occur. The concrete floors show severe cracking, the floor slab of M7 was moved more than 1 m horizontally and a large depression of the soil at the original location was found. No crater was formed. The walls of the boxes were clearly sheared off and the direction of the deformed reinforcement bars formed clear evidence for the propagation direction of the sympathetic reactions in the cells (M7 towards M1). In most cases the blast strength of an explosion can be quantified from the building damage in the surroundings and especially from the window breakage. The final explosion destroyed most of this evidence. In one video recording of the second explosion, however, window and roof tile damage is visible. More information about the strength of the explosion is obtained from the seismic signals that were recorded of both major explosions. From the ratio of the signals, the local damage and the blast damage to the surrounding area it was concluded that the explosion had a strength of about 800 kg TNT equivalence. The radius of the fireball corresponds to 17.000 kg propellant.

Figure 3. Situation at 15.16 hours.

Figure 4. The escalation between 15.24 and 15.33 hours (pictures R. van Willegen).

Figure 5. Final explosion (taken from 600 m).

3.2.3 Final explosion

The relation between the events in E2, the garage boxes and the central building is described in (Weerheijm et al. 2000). The strength of the explosion in the garage boxes was by far sufficient to blow the wooden doors into the cells of the central building and the fireball engulfed the whole building. The contents of all cells were probably ignited. The central building was completely destroyed, see Figures 6 and 7. Sympathetic reactions occurred but the explosion in the central building was clearly dominated by the C11 reaction. This emerges from the facts that:

– In C11 a crater was formed with a depth of 1.3 m. The crater extended to the other cells and was clearly the result of one explosion event;

– the floors of the other cells show no damage of independent, severe explosion reactions; only the edges of the cell floors adjacent to C11 are severely damaged and contribute to the crater (see Figure 7);

– the remaining reinforcement stubs of the floor-wall connections of all cells show deflection directed away from cell C11.

Debris from the central building caused many casualties and severe damage to buildings. Debris was found up to a distance of 580 m (see Figure 8). The angle of impact and the throw distance of the major debris were related to the “required” launch velocity. Because the launch angle is unknown, only an approximate range of launch velocities could be determined. Most of the collected debris had a launch velocity in the range 30–100 m/s. The maximum reconstructed velocity was 150 m/s. It should be noted that most of the debris that could be collected was most probably not from C11 or the adjacent cells, because these were broken into small pieces due to the high explosion pressures in the cells.


Figure 6. Explosion area after the accident (SFOB).

Figure 7. Damage central building.

Figure 8. Debris at 165 m.


Most evidence for the final explosion strength was obtained from the window breakage and the observed damage in the surroundings. Window breakage was inventoried in three different directions up to a distance of 850 m. The distance, position, dimensions and breakage percentage of about 700 houses served as input for the calculation of the source strength. The methodology to determine the failure probability coupled to the dynamic load is given in Weerheijm et al. (2000). The damage to the houses within a radius of 500 m was categorized into levels A, B, Cb, Ca or D. These categories were developed during the Second World War and are commonly accepted. The zones are given in Figure 9; the radius for damage level Ca is about 230 m.

The final, devastating explosion proved to be in the range of 4000–5000 kg TNT equivalence. The size of the fireball was 135 m, corresponding to 86.500 kg propellant. It is evident that these effects are not caused by the contents of cell C11 alone. Sympathetic reactions of the other cells and also the containers contributed to the observed effects. On the video recordings the shape of the fireball clearly shows some additional “sub-sources” which may be caused by container reactions.

4 THE EXPLOSION EFFECTS AND THE STORED FIREWORKS

For the lawsuit the question about the relation between the explosion effects that occurred and the quantities and type of fireworks involved is paramount. Hitherto, no definite information is available on the quantities and type of fireworks that were stored in the different cells. Information is available from the sales list of SE Fireworks and the hearings. This information is insufficient to answer the question. It should be noted that the local damage to the floors and the visual effects on the videos give us information about the firework reactions in the specific cells, while fireball, debris and damage are caused by the sum of all firework reactions (a combination of mild and very severe reactions).

The license shows that only a limited amount of 1.3G class articles (2000 kg) was allowed to be stored in some specific storage cells of the central building. The bulk of the storage capacity (136.500 kg) concerned class 1.4G articles. The safety regulations are based on the principle that the effects observed in the UN transport classification tests are also representative for the potential effects in (bulk) storage and transport conditions. In other words, the test conditions should cover the scale effect and confinement in storage conditions.

It is obvious that the effects in the Enschede disaster do not match the 1.4G and 1.3G transport classification criteria. This means that large amounts of 1.3G, or even 1.1 articles were stored, or the transport classification methodology is not well suited to cover bulk storage conditions and define storage safety regulations. Classification tests were performed on various kinds of firework articles. Based on the sales list of SE Fireworks a selection was made of articles that could be of class 1.3G or higher. Comparable, similar articles (display and sound effects) were purchased and tested for transport classification. The selection covered cakeboxes, roman candles, colour and report shells as well as fountains and rockets. Especially the titanium report shells and the larger shells showed severe reactions. Some of the articles tested were classified as 1.1. Figure 10 illustrates one of the 6c tests with report shells. The test series are given in Dirkse and de Jong (2000) and de Jong & Dirkse (2001). The tests showed that the selected items were of class 1.3G or 1.1. Because no definite information is available on the amounts and types of stored fireworks it cannot be concluded that the disaster was caused by the kind of stored fireworks only. Scale effect and confinement conditions may have been of major importance.

Figure 9. Damage radii.

Figure 10. Effects during UN 6c test with report shells.

5 INITIATION AND POSSIBLE CONSEQUENCES OF FIRE IN C2

In spite of the extensive forensic research and hearings no evidence was obtained for the cause of the fire in the firework preparation and repair cell, C2. On Saturday 13th of May the company and the terrain were closed. Therefore we start with the facts that the fire was noticed at about 14:45 hours when activated fireworks were ejected and landed outside the S.E.F. premises. A small fire in a garden was reported. When the fire brigade arrived the doors of cell C2 were open at both sides and the plastic skylights were gone. Some fast pressure build-up must have occurred because the doors on both sides were blown out. No external blast damage was noticed. The fire was fought at both sides of the central building. The firemen at the north side (side of garage boxes) were killed in the accident; no direct witness reports of the fire development at the north side are available.

The effects of the fire in C2 are:

1. Fire; heat loading on walls of adjacent cells;

2. Fire jet and heat radiation directed to the opposite garage boxes and containers;

3. Ejected fireworks, with possibility of fire ignition.

The following comments are made concerning these effects:

Ad 1: The wooden doors of the other cells were closed and locked; the internal walls of cast reinforced concrete had a thickness of 200 mm and were fire resistant. Only the wall between cells C2 and C4 had an opening (diameter 70 mm). Afterwards concrete samples were taken from the floor slabs of the central building. Laboratory research showed no evidence for heat loading. Combined with the fire brigade reports, the conclusion was drawn that the fire in the central building was not passed on to other cells except to C4. Fire in C4 started before 15:28.

Ad 2: Dependent on the content of C2 and the intensity of the flame jet and heat radiation, fire may be initiated in the opposite garage boxes with thin corrugated steel doors. However, there are no indications that the firemen observed any fire effects.

Ad 3: At the north side small fires were noticed and extinguished. Firemen reported that in between the containers E1 and E2 smoke development was observed and fire was fought (15:28 hours).

On the S.E.F. premises the effects of the fire in C2 were most probably limited to the fire passed on to C4 and the initiation of small fires due to the ejected articles.

The effects of the fire in C4 are similar to those reported for C2, with the comment that C4 was a storage cell, while C2 was the workshop with no licensed storage capacity after working hours.

The performed analyses confirmed that the building (cast concrete, 20 cm thick walls and roof) provided sufficient heat resistance between the storage cells. Of course openings between the cells are not allowed. The analyses also confirmed the requirement on fire resistance of doors. Automatic fire suppression systems like sprinklers should be a standard requirement.

Finally, one should be aware of the large area with potential fire hazards when the ejection of fireworks can occur. Requirements on fire resistance of other facilities are paramount, as will be clear from the events in the container E2.

6 INITIATION AND POSSIBLE CONSEQUENCES OF REACTION IN E2

The following initiation mechanisms were examined theoretically:

– External fire;

– Fireworks on and/or under the container;

– Burning magnesium (ejected from the workshop) on top of container;

– Fireworks before door slit.

From previous research it was known that the resistance of steel ISO containers to the standardised fire loading is limited to a few minutes. However, in the current investigation the intensity, size and duration of the external fire were the parameters.

The TNO Centre of Fire Research performed theoretical calculations and the very poor fire resistance of the steel containers was stressed. Considering the timeframe, the very limited fire resistance of the container and the presence of an old small trailer with wooden floor between E1 and E2, a small fire was possible and sufficient to initiate a fire and fireworks in E2. The other potential initiation mechanisms appeared to be less likely and were rejected. The successive effects of the E2 reaction were: smoke from the door slit, strong smoke development followed by intensive firework reactions, flame jet (in two pulses), ejected fireworks and a very severe (external) massive reaction of fireworks. Similar effects were observed and reported by Merrifield and Myatt (2001) with 1.3G fireworks tests. Figure 2 illustrates these effects.


For the possible consequences of the E2 reaction the following effects were theoretically examined:

1. Ejection of debris (doors);

2. Failure of container (fragments and blast);

3. Flame jet (and possible external fireball);

4. Ejected fireworks.

Ad 1: If a container door is ejected from E2 and impacts on a door of the central storage building, this door will fail and cause damage to the stored firework packages. The successive fire jet and heat radiation could initiate the contents of the cell. The possible consequences were predicted assuming that the burning pyrotechnics led to an explosive reaction. The calculated local and structural failure modes however did not correspond to the observed effects and post-accident damage.

Ad 2: The blast effects due to door failure or roof/wall failure were calculated. The blast level proved to be insufficient to cause damage to the doors of the garage boxes or central building.

Ad 3: The first jet had a duration of 2 s and a length of 17–30 m (distance to central building was 17 m, the jet was deflected upwards leading to a total length of 30 m and a diameter in the order of 20 m). A few seconds later the reaction intensified and a second jet was formed with a length of 35 m and duration of 1 s. The thermal loading on the doors of the other cells and the stored fireworks was calculated. Experiments were performed to determine the thermal load behind the steel sheet doors and the required duration to ignite the packages or fireworks. The required loading time proved to be in the order of 12 s. Consequently escalation of the accident to the garage boxes or containers could be excluded. The possible escalation to the central building was rejected because of the considerations mentioned at “Ad 1”.

Ad 4: The hearings showed that in E2 shells were stored of at least 6 inches. The video recordings confirmed the presence of mortar shells. The ejected fireworks caused fire and damage in a wide area. Because the accident escalated within a minute after E2, the possible local “breaching” damage of mortar shells to wooden and garage doors was examined experimentally. Note that the contents of E2 were unknown at the time of the experiments. 8 and 12 inch mortar shells and 3 inch titanium report shells were tested. The 12 inch shell had a devastating effect on both door types; the other shells caused severe damage but not complete failure. It is most likely that multiple hits and loading by the latter shells would lead to door failure and ignition of the cell contents.

The conclusion on E2 effects for the escalation of the accident is: no definite evidence is found for a fast escalation to the garage boxes. Most likely is the breaching of the M7 door by multiple shell reactions.

The performed analyses and tests confirmed and showed that:

– steel ISO containers have negligible fire resistance and are not suitable for storage or transport of flammable goods without additional counter measures,

– when planning the layout of a firework storage facility one should count with the combined threat of door debris and flame jet (1.3 bulk storage),

– when 1.3G articles in a storage cell react, the pressure build-up can be sufficient to throw the contents out, which leads to extensive external effects and a considerable increase of the risks,

– the pressure effects at short distance of reacting shells can be sufficient for local damage and breaching of wooden or steel sheet doors is possible. Consequently the throw-out of shells leads to new risks. Strength requirements for doors are recommended.


Figure 11. Effects of E2 reaction (video by G. Poort, enhanced by NFI).


7 POSSIBLE CONSEQUENCES OF REACTION IN GARAGE BOXES M7–M1

The initiation possibilities in the garage boxes from the fire in the central building and the effects from E2 were already mentioned. In this section we focus on the sympathetic reactions in the garage boxes. Figure 12 gives two frames from the video recordings that illustrate the effects of the explosion.

The damage proves that the most severe explosion occurred in M7, but the local damage clearly showed that no detonation occurred. The observed debris velocity of 200 m/s was related theoretically to the required reaction velocity of pyrotechnics and the local damage to the remaining floor slabs. These aspects could be related without any contradictions. It is evident that the “required reaction velocity” can be achieved by the properties of the pyrotechnic materials themselves, and/or the number of ignition points and/or the 3D expansion of the reaction front and thus the length scale and size of the storage cell.

The next question was about the mechanism to initiate the contents of the other garage boxes. Most likely is that the 5 cm thick walls (of prefab box M7) failed and were launched with an initial velocity in the order of 100 m/s. The resulting severe crushing of the fireworks in M6 and thermal loading caused the sympathetic chain reaction of the fireworks in M6, and subsequently in the other cells. The reactions in the garage boxes occurred in a time frame of less than 0.5 seconds.

The effect of the explosion was a blast, equivalent to a TNT explosion of 800 kg. A fireball was formed with a radius of 85 m. The garage boxes were completely destroyed and fragmented into small debris. The combined blast and debris formed a severe loading for the central building and the containers. In combination with the thermal loading and ejected burning firework articles escalation of the accident was inevitable.

Figure 12. Effects of explosion in garage boxes (video by G. Poort, enhanced by NFI).

Figure 13. Mass explosion in central building (video by G. Poort, enhanced by NFI).

Conclusions and discussion on the sympathetic reactions in the different cells are given in the next section about the explosion in the central storage building. Figure 13 illustrates some of the explosion effects.

8 INITIATION AND EXPLOSION EFFECTS OF EXPLOSION IN CENTRAL STORAGE BUILDING

Considering the central building, the strength of the explosion in the garage boxes was far sufficient to blow the wooden doors into the cells and the fireball engulfed the whole building.

The contents of all cells could have been ignited. The local damage however showed clearly that the explosion in storage cell C11 was most severe and dominant. A single explosion in C11 and the sequential sympathetic reactions in the other cells can explain the total damage. In analogy with the garage box analysis, the required local pressure and gas pressure were related theoretically to the required reacted mass of pyrotechnics per second to explain the observed damage and the sympathetic reactions in the adjacent cells.

Crucial in the explanation is the reaction velocity of the fireworks in C11. Hypotheses to explain the devastating mass explosion in C11 are:

1. Storage of fireworks of the transport class 1.1;

2. Combined storage of 1.3G and 1.1 fireworks;

3. Fireworks of the class 1.3G were stored, but due to door impact the packages were severely damaged and the fireworks obtained the 1.1 characteristics;

4. After initiation of the stored 1.3G class fireworks, temperature and confinement conditions accelerated the deflagration process towards a detonation-like reaction.

None of these hypotheses was proven during the technical research program for the Ministry of Justice. It should be noted that UN transport classification tests were performed on a selection of firework articles based on the sales list of S.E. Fireworks. Some of the tested fireworks obtained the 1.1 transport classification. The second comment is that the hearings showed that in C11 6-inch mortar and 6-inch titanium report shells were stored. The tested report shells were classified as 1.1.

In order to learn from the observed effects let us discuss the effects in storage cell C11 in more detail.

– Crater: The evidence for the local pressures is given by the crater. The crater extended to the adjacent cells but the shape of the crater showed that it was caused by a single explosion and that the reactions in the neighbouring cells did not contribute to the crater. Relating the strength of the explosion in C11 with a TNT detonation by the crater dimensions, the explosion strength is in the range of 750–2000 kg TNT equivalent. It should be noted that the concrete floor was not breached, so the local pressures in the firework reaction were much lower and not comparable with the pressures in a TNT reaction.

– Acceleration of walls and roof: Due to the shock wave of the explosion the roof will be torn from the walls and the walls from the foundation. Referring to the crack pattern and damage to the floor slab, the walls and roof were most probably broken into small debris. No good prediction of the debris velocities was possible. From explosion tests with concrete ammunition storage cells it is known that the velocities are in the range of 100–300 m/s. For the C11 reaction, the debris velocity had the same order of magnitude.

– The effect on the adjacent cells: The floor slabs were pushed downwards, which proves that the explosion pressure of C11 expanded through the failed walls to the adjacent cells. The required pressure to deform the floors was definitely sufficient to break and eject the roofs and walls. However, the explosion pressure of C11 would never be able to throw the roofs of the next adjacent walls. Time is needed for the failure process and in the meantime the explosion pressure in C11 has vented through the door opening. Consequently, the conclusion must be that sympathetic reactions occurred in the adjacent cells.

– Blast pressure and damage: The explosion in C11 produced severe blast, but it must be excluded that the total blast damage in the surrounding living area (equivalent to damage of a 4000–5000 kg TNT explosion) was caused by the single explosion in C11. Referring to the licensed quantity to store 7000 kg gross weight (1.4G) fireworks, 50% net weight and estimating a TNT equivalence of 0.5 for the stored fireworks, a rough number for the (maximum) explosion strength is 1750 kg TNT.

Figure 14. Overview explosion area (Picture SFOB).

– Fireball and firework projections: The observed fireball had a diameter of 135 m. The storage capacity of C11 was too limited for a single explosion in C11 to produce a fireball of this size.

It is clear that sympathetic reactions occurred in most of the cells in the central building (and containers). A likely but still unproven explanation emerges from the above given facts and observations. The explosion in C11 caused failure of the walls; these were blown into the adjacent cells (velocities in the order of 100 m/s). It is most likely that due to the impact, severe friction because of the non-uniformly distributed load, and also combined with the subsequent thermal load, large quantities of fireworks were initiated. High pressures were generated in a short time leading to the break-up of the building and contributing to the total explosion blast and fireball.

From the firework disaster in Enschede and the observations made it emerges that international research effort is needed to understand and quantify the explosion effects of fireworks in bulk storage conditions. Consequences of mixed loading, confinement and scale have to be known to define safety regulations and evaluate the current UN transport classification methodology. It is mentioned that recently a joint research project of TNO, HSL (UK) and BAM (Germany) on these topics was granted by the European Commission.

9 CONCLUDING REMARKS

• The explosions at S.E. Fireworks in Enschede on May 13, 2000 caused 22 lethalities and 947 injuries, and a complete residential area was destroyed. 500 houses were completely demolished and 1350 houses were damaged. The main cause of the damage in the neighbourhood was the massive conflagration of the old houses with wooden floors caused by the throw-out of fireworks.

• The present paper was focussed on the observations and facts. Besides the initial fire in the central building, three crucial events are identified that dominate the escalation of the accident. These are the severe firework reactions in container E2, followed by the explosions in the garage boxes and finally the massive explosion in the storage cell C11 of the central building and the sympathetic reactions of the other storage cells and containers.

• In spite of the extensive forensic investigation no definite evidence for the initial cause of the chain of events was found. There was no indication of sabotage. No traces of high explosives were detected; all traces indicated fireworks-related substances.

• Window breakage, structural damage, crater dimensions, debris and the seismic signals enabled the quantification of the two major explosions. The explosion in the garage boxes had a strength of the order of 800 kg TNT equivalence while the strength of the final explosion is within the range of 4000–5000 kg TNT.

• Probably the classes of stored firework articles, quantities and storage conditions caused the initial fire to escalate into the disastrous explosions.

• If the situation at S.E. Fireworks had been in conformity with the licenses, the fire in the workshop of the central storage building could never have escalated to the disaster of May 13th, 2000.

• Much more firework of the class 1.3G was stored (and probably also class 1.1) than licensed. The facility was not suited to control and contain the effects.

• The minimal fire resistance of the containers and the layout of the premises, with containers and garage boxes at short distance and opposite to the central building, contributed to the escalation of the fire accident.

• The fireworks disaster is caused by the transition of firework fires into mass explosions. This happened in the garage box M7 as well as in the storage cell C11. Hypotheses were defined but could not be proven so far. Initiatives are taken to study the reaction characteristics of 1.4G and especially 1.3G fireworks in bulk storage conditions. If necessary the UN classification methodology for transport classification has to be modified in order to be suitable for safety regulations of bulk storage and bulk transport of fireworks.

• For the storage and transport of fireworks fire resistant containers have to be required.

• When 1.3G fireworks are stored, impact resistant doors are recommended in order to prevent demolition by close-in firework reactions.

REFERENCES

Bruyn, P.C.A.M. de and Karelse, J.W., The forensic investigation Firework Disaster Enschede, The Netherlands Forensic Institute, report 2000.05.17.018.

Commissie Preventie van Rampen door Gevaarlijke stoffen, “Methods for the determination of possible damage to people and objects resulting from release of dangerous materials”. Sdu Publishers, CPR-16E, second edition, The Hague.

Jong, E.D. de and Dirkse, M.W.L., Classification investigation on display fireworks of SE Fireworks, Part 2: Classification experiments, TNO report 2001-C29.


Dirkse, M.W.L. and Jong, E.G. de, The explosion at S.E. Fireworks, Part 2: Transport classification judgement for confiscated firework, TNO report PML 2000-C121, vs 2.0.

Merrifield, R. and Myatt, S.G., The effects of External Fire on Fireworks Stored in Steel ISO containers. Journal of Pyrotechnics, 2001.

Weerheijm, J., Wees, van R.M.M., Doormaal, van J.C.A.M. and Rhijnsburger, M.P.M., The explosions at S.E. Fireworks; TNO report, PML 2000-C120 and C122. Part 1: The explosion strengths based on observed damage, Part 3: The reconstruction of the chain of events.

Mercx, W.P.M. and Kodde, H.H., “The explosion of the display fireworks assembly plant ‘MS Vuurwerk’ on February 14, Culemborg, The Netherlands”, 25th DoD Explosives Safety Seminar, Anaheim, California, 18–20 August 1992.

Vretblad, B., Weerheijm, J. and Guerke, G., “The KLOTZ group’s debris dispersion program”, 29th US DoD Explosives Safety Seminar, 18–20 July 2000, New Orleans, Louisiana.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Consequence modelling of gas explosion scenarios in traffic tunnels

J. Weerheijm, A.C. van den Berg & N.H.A. Versloot
TNO Prins Maurits Laboratory, Rijswijk, The Netherlands

ABSTRACT: To be able to assess the social acceptability of hazardous materials transport through tunnels, risk analysis is an appropriate technique. In order to be able to perform a sound hazard analysis two tools have been developed. The first is a screening tool set to determine quickly the consequences in a wide spectrum of scenarios: a one-dimensional gas dynamic model of a gas explosion computes the pressure loading. This model requires input in terms of flame propagation behavior in tubes. Subsequently, damage criteria in pressure-impulse graphs determine the response of the tunnel structure. The second is a tool set for detailed numerical simulation: a three-dimensional CFD gas explosion simulator is capable of computing the consequences of gas explosion scenarios as well as the effects of any possible mitigating measure in detail. The resulting blast loading serves as input to an FE-model that is able to simulate the dynamic response of the tunnel structure in any wanted detail.

1 INTRODUCTION

In the Netherlands, future road and rail infrastructure is increasingly projected underground or covered in. Consequently, risk assessment related to the transport of hazardous goods is an issue for the planning of new infrastructure, for the exploitation and maintenance of the tunnels, and the design and realisation of emergency counter measures. First responsibility for these tasks is with the government. Different ministries are involved, namely the Ministry of Housing, Spatial Planning and the Environment, the Ministry of Transport, Public Works and Water Management and the Ministry of the Interior and Kingdom Relations. Combined and conflicting interests of community, safety and economy require a sound tool for judgement and decision making.

Within the entire spectrum of risk of hazardous materials transportation, the probability of a gas explosion in a tunnel may be relatively low but, on the other hand, the geometry of a tunnel constitutes optimal conditions for a gas explosion to develop devastating consequences. In the Netherlands the explosion scenario is not included or considered in the tunnel design. Consequently, a gas explosion is mostly fatal for the current tunnel structure as well as for all people present inside. With the increasing demand for underground infrastructure, it becomes inevitable and necessary to include the explosion scenario in the planning and design process.

To be able to assess the social acceptability of hazardous materials transport through tunnels, risk analysis is an appropriate technique. In order to be able to perform a sound hazard analysis, the TNO Prins Maurits Laboratory develops the proper tools and consequence models. These tools and models can also help to define the counter measures to limit the explosion effect and damage to an acceptable level.

This paper describes both a screening and a full scenario simulation approach. A simple one-dimensional gas dynamic model describes the explosion pressure in a tunnel. The load prediction forms the input for the dynamic response calculation and damage assessment given in PI-diagrams (iso-damage curves given as a function of Pressure and Impulse) for characteristic tunnel elements. This screening approach overestimates the consequences. More accurate load predictions are possible with the 3D-CFD gas explosion solver AutoReaGas™. The gas explosion modelling is supported by an experimental research programme in a small-scale model (1:20) of a traffic tunnel. At the TNO Prins Maurits Laboratory advanced numerical tools are available for the prediction of the dynamic response of concrete structures. In order to limit the scope, this aspect is not covered by the current paper. This paper summarises the characteristics and features of the CFD gas explosion solver and the screening tool.

2 EXPERIMENTAL PROGRAM

Hitherto, reliable data on gas explosions in tunnel geometries was lacking. To enable good and reliable numerical simulation of gas explosions in traffic tunnels this data is essential. Therefore, TNO PML decided to perform an extensive experimental program. The experimental program has been performed in a steel channel of 0.25 × 0.5 m² cross section and 8 m long. This small-scale model (1:20) of a traffic tunnel was provided with a configuration of steel obstacles to simulate a standing traffic jam (Fig. 1). The channel was filled with a flammable gas–air cloud and ignited at a closed end, simulating central ignition in a two-sided open channel twice as long. The cloud length was varied as being 1/4, 1/2, 3/4 and 1/1 of the channel length. The fuels used were methane and propane at three different compositions.

The overpressure–time development was recorded at seven different stations positioned at more or less regular distances along the channel length. All the experiments were performed in triplicate. The full details of the experimental method and results are described by De Maaijer et al. (2002). This paper just summarises some data required for the calibration and validation of the gas explosion modelling.

2.1 Variation of cloud length

The maximum overpressures developed in the channel showed relatively little difference for cloud lengths of 1/2, 3/4 and 1/1 of the channel length. By contrast, for a cloud length of 1/4 of the channel length, significantly lower overpressures were observed. Because the flammable mixture in front of the flame is set into motion, it mixes with air and the flame, after having passed the 1/4 channel length position, propagates into a leaner and leaner mixture. With cloud lengths of 1/2, 3/4 and 1/1 of the channel length, the flame does not run into a substantially leaner mixture before the end of the channel, with relatively less effect on the internal overpressure.

2.2 Variation of cloud composition

For a cloud length of 1/1 of the channel length both lean and rich mixtures developed substantially lower overpressures than the stoichiometric mixture, as to be expected. For a cloud length of 1/4 of the channel length, however, the rich mixture developed substantially higher overpressures than the comparable stoichiometric mixture. This is due to the fact that the mixture in front of the flame mixed up to stoichiometry before combustion, which resulted in a longer effective cloud length.

The data and phenomena are used as a reference for the gas explosion solver tool. Besides this advanced tool, interest was expressed in a tool for quick scans and rough parameter studies. For these purposes a screening tool was developed with simplifications, but with a sound basis in physics.

3 SCREENING TOOLS

3.1 Gas explosion loading

3.1.1 Model

The pressure loading of a tunnel structure due to a gas explosion is approximated by the one-dimensional gas dynamics of a column of perfect gas. The gas dynamics is driven by an energy source, a flame that is propagated at any prescribed development of its speed. The heat of combustion is gradually added to the medium during the passage of a zone (flame) a few cells thick (Fig. 2).

The gas dynamics is modelled by the Euler equations for compressible inviscid flow and a conservation equation for the energy addition parameter. The equations are solved by means of a Flux-Corrected Transport scheme (Boris 1976) in a numerical mesh consisting of a row of cells. The entries at either end of the tunnel are simulated by imposing atmospheric pressure in the begin and end cells of the mesh. This simplified model of the gas dynamics of a gas explosion in a tunnel requires data for flame speed development as input.

Figure 1. Scale model (1:20) of a traffic tunnel containing obstacles that simulate a standing traffic jam.

Figure 2. One-dimensional numerical model of a gas explosion in a tunnel. Flame propagation modelled as a moving zone in which the heat of combustion is added to a perfect gas. (Q = heat of combustion; b = flame front thickness; energy added to cell i = a/b · Q).

3.1.2 Model input

In a tube a gas deflagration develops a continuously increasing flame speed and pressure, if the tube is long enough, resulting in transition to detonation. For simplicity a linear flame speed development was assumed in this model. Although deflagration–detonation transition (DDT) is characterised by highly probabilistic features, in this model a deterministic DDT criterion was assumed. DDT was assumed to occur at a flame speed of 800 m/s. Deflagration to detonation transition is accompanied by an abrupt jump in the propagation velocity, which has been modelled by a sudden transition from 800 m/s to the Chapman–Jouguet wave speed. The CJ-wave speed is calculated from:

(1)

where MCJ = CJ-wave Mach number; γ1 = ratio of specific heats of the combustion products; Q = heat of combustion (J/kg); c0 = ambient speed of sound (m/s).

The schematised development of a gas explosion in a tube, by which the one-dimensional gas dynamics is driven, is graphically represented in Figure 3.

Experimental data for gas explosion development in tubes completes the simplified gas explosion modelling:

• For empty tubes detonation run-up distances (Rdet) are taken from Steen & Schampel (1983).

• For a tunnel containing a traffic jam, data on flame speed and overpressure development are taken from the experimental program addressed in section 2 (De Maaijer et al. 2002).

The small-scale experimental data were extrapolated to other flammable mixtures and to full-scale traffic tunnels on the basis of Karlovitz number similarity (Taylor & Hirst 1988, Catlin 1991, Catlin & Johnson 1992).
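The two inputs that drive the one-dimensional model, the prescribed flame speed schedule of Figure 3 and the cell-wise heat addition of Figure 2, can be written down independently of the gas dynamics solver. The following Python example is added here and is not the TNO screening tool: it implements only that flame driver (the Euler/FCT solver is not reproduced). The initial flame speed s0, the run-up distance, the CJ speed, the heat of combustion and the mesh are constructed values, and the rule that a cell receives Q · (a/b) · (step/dx) per time step is this example's reading of Figure 2, chosen so that every cell ends up with exactly Q once the zone has passed.

```python
"""Prescribed flame driver for the one-dimensional tunnel explosion model.

Added example (not the TNO screening tool): it implements only the flame speed
schedule of Figure 3 and the cell-wise heat addition of Figure 2, the two
inputs that drive the gas dynamics; the Euler/FCT solver is not reproduced.
All numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field

V_DDT = 800.0  # m/s, deterministic DDT criterion of section 3.1.2


def flame_speed(x: float, r_det: float, s_cj: float, s0: float) -> float:
    """Schematised flame speed (m/s) at front position x (m), Figure 3.

    Linear rise from s0 at the ignition point to V_DDT at the detonation
    run-up distance r_det, then an abrupt jump to the CJ-wave speed s_cj.
    s0 is an assumption of this example; the paper only states that the
    development up to DDT is linear.
    """
    if x < r_det:
        return s0 + (V_DDT - s0) * x / r_det
    return s_cj


@dataclass
class Mesh:
    """Row of n_cells equal cells of length dx (m); q_added holds the heat
    (J/kg) each cell has received so far."""
    n_cells: int
    dx: float
    q_added: list = field(init=False)

    def __post_init__(self) -> None:
        self.q_added = [0.0] * self.n_cells


def deposit_heat(mesh: Mesh, x_old: float, x_new: float, b: float, q: float) -> None:
    """Add the heat released while the front moves from x_old to x_new.

    Reading of Figure 2 used here (an assumption): the flame zone is the
    interval [x_new - b, x_new]; a cell receives q * (a / b) * (step / dx),
    with a the overlap of the cell with the zone.  Summed over the passage
    of the zone this gives exactly q per cell.
    """
    step = x_new - x_old
    zone_lo, zone_hi = x_new - b, x_new
    first = max(0, int(zone_lo // mesh.dx))
    last = min(mesh.n_cells - 1, int(zone_hi // mesh.dx))
    for i in range(first, last + 1):
        lo, hi = i * mesh.dx, (i + 1) * mesh.dx
        a = max(0.0, min(hi, zone_hi) - max(lo, zone_lo))
        if a > 0.0:
            mesh.q_added[i] += q * (a / b) * (step / mesh.dx)


def run_flame(mesh: Mesh, r_det: float, s_cj: float, s0: float,
              b: float, q: float, dt: float) -> dict:
    """March the front through the mesh with explicit Euler steps of dt (s)
    until the whole flame zone has left the last cell.  Returns the time of
    DDT, the end time and the final front position."""
    x, t, t_ddt = 0.0, 0.0, None
    stop_x = mesh.n_cells * mesh.dx + b
    while x < stop_x:
        s = flame_speed(x, r_det, s_cj, s0)
        x_new = x + s * dt
        deposit_heat(mesh, x, x_new, b, q)
        x, t = x_new, t + dt
        if t_ddt is None and x >= r_det:
            t_ddt = t
    return {"t_ddt": t_ddt, "t_end": t, "x_end": x}


if __name__ == "__main__":
    # Constructed case: 80 m of tunnel in 1 m cells, a flame zone two cells
    # thick, DDT after 30 m, CJ speed 1800 m/s, 2.5 MJ/kg of mixture.
    mesh = Mesh(n_cells=80, dx=1.0)
    res = run_flame(mesh, r_det=30.0, s_cj=1800.0, s0=5.0, b=2.0, q=2.5e6, dt=1e-5)
    print(f"DDT at t = {res['t_ddt'] * 1e3:.1f} ms, front left the mesh at {res['t_end'] * 1e3:.1f} ms")
    print("heat per cell (J/kg): min %.3e  max %.3e" % (min(mesh.q_added), max(mesh.q_added)))
```

The conservation property is the check worth keeping: with the time step small compared with the zone thickness, every cell accumulates the full heat of combustion, which is what makes the energy source consistent with the Euler equations it drives. A coarser time step leaks energy in proportion to the front advance per step divided by the zone thickness.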

3.1.3 Model validation

To validate the model a test from the (1:20) scale experimental program was run. The tunnel tube of 0.5 × 0.25 m² cross-section was 8 m long and was provided with rows of obstacles on the floor to simulate a standing traffic jam. The tube was filled with a stoichiometric methane–air mixture and ignited at its closed end. Both the computed and the observed overpressure–time development are represented in Figure 4.

The figure shows that the assumption of a linear flame speed development is not unreasonable. In addition, it shows that the gas dynamics and the pressure loading of the tunnel structure are properly reproduced. However, the cloud length in this case was equal to the channel length, and the dilution of the flammable mixture in front of the flame during transport in the expansion flow was zero.

Figure 3. Schematised flame speed development in a tunnel tube (flame speed (m/s) versus distance; marked values: 800 m/s, SCJ and Rdet).

Figure 4. Computed (left) and observed (right) overpressure–time development in a 1:20 scale model of a tunnel containing a traffic jam (solid: closed channel end; dashed: halfway channel length; dotted: near channel exit).

The mixing of the flammable mixture with air in the expansion flow in front of the flame cannot be described in this simplified one-dimensional model of a gas explosion in a tunnel tube. Instead, the flammable mixture in front of the flame is simply transported and remains undiluted. In addition, the assumed linear flame speed development applies only to a flame propagating through a homogeneous mixture. Therefore, this screening tool substantially overestimates the tunnel structure loading for clouds of limited length.

3.2 Structural response modelling

A basic and simple model for the dynamic response of structures is the Single Degree of Freedom (SDOF) system. With a dominant deformation mode, the structural deformation resistance represented by a “spring characteristic” and the equivalent mass to represent the inertia effect, the dynamic response can be calculated for dynamic loading. This basic technique is suitable for the screening tool when some conditions are fulfilled or simplifications are acceptable.

The main assumption (or condition) of the SDOF approach is that the dynamic response is dominated by one deformation mode. For the envisaged tunnel application, this condition should be valid for the whole response and damage range, from elastic response through the stages of initial cracking and reinforcement yielding into the phase of final failure. Let us go step by step through the schematisation of the tunnel structure and see which assumptions and simplifications have to be made.

3.2.1 Loading

Considering the duration of the gas explosion blast load, the duration is in the order of 0.2–0.6 seconds. The minimum length of the blast wave is in the order of 40–100 metres. The cross span of tunnels in the Netherlands is 9 or 12 metres wide. For the structural response the variation of the loading in the axial tunnel direction is limited; therefore the cross section will be considered to determine the resistance of the tunnel to explosion load. With this simplification the load bearing capacity of the tunnel in the axial direction is neglected and, consequently, the result will be slightly conservative.

In the previous section, the blast load was calculated and the results show that the shape of the blast load depends on the ignition point and the cloud length, but also changes along the tunnel. Because the shape of loading can influence the dynamic response considerably (see for instance Biggs 1964) we decided to schematise the load as depicted in Figure 5. The triangular shape of the load is characterised by the parameters Pmax (maximum pressure), the phase duration td, and the parameter β to characterise the rise time (β · td).

3.2.2 Tunnel cross sections

The Ministry of Transport selected five characteristic and representative tunnel cross sections. The cross sections were schematised to a set of basic elements. In Figure 6 an example of one of the five variants is given. It is a rectangular tunnel cross section with two traffic tubes. In the figure an explosion is sketched in one of the tubes. It is assumed that the roof and the intermediate wall are the two most critical components. The schematisation of these components is sketched at the right side of the figure. The connection between intermediate wall and roof is stiff enough to consider it as clamped. The intermediate wall is loaded with the dynamic gas explosion load only, while the roof is also loaded with an initial gravity load of the roof structure itself and the soil on top of it.

3.2.3 Resistance curve

We assumed that the response of the cross section is dominated by the first response mode and that bending failure will occur. Based on the moment–deformation curves (M–κ diagrams) of the selected tunnels a resistance curve (spring characteristic) for the SDOF is calculated. An overview of the calculation process is given in Figure 7.

So, the resistance curve of the element cross section is given by a linear elastic response branch up to initial concrete cracking. Then the stiffness decreases, given by the second linear branch. When the reinforcement starts to yield the additional load bearing capacity is almost zero, which is represented by the third linear branch. The damage level in this last branch is characterised by the deformation angle. We decided to adopt the criterion of TM 5-1300 (military guidelines for the design of protected structures) for complete failure, given by a rotation angle of 2° at the clamped support. These resistance curves are combined with the structural response and (plastic) hinges of the element as illustrated in Figure 7.

Figure 5. Schematised blast load from gas explosion (pressure P versus time t; phase duration td).

Figure 6. Basic elements of one of the five selected tunnel cross sections.

Note that for the roof panel the influence of the soil cover on the inertia and the initial gravity loading is implemented in the SDOF model of the roof. Also the asymmetric reinforcement of the roof and its corresponding plastic hinges and resistance is accounted for.

3.2.4 P–I diagrams

For the given cross sections the SDOF models were constructed and the iso-damage curves were calculated for the different blast loads (characterised by the parameter β) as a function of the maximum pressure level and the impulse. The results are given in P–I diagrams. Figure 8 gives two examples for the separation wall of the cross section with 12 metre span and β = 0.0 and 0.25.

3.3 Combination of load and response

With the simple load prediction the input is generated for the response calculations. The maximum pressure, the pressure rise times (given by the parameter β) and the total impulse are calculated. In a study for the Ministry of Transport, Public Works and Water Management a whole range of scenarios was considered and quantified. For the tunnel cross sections mentioned in the previous section the damage level was quantified. These calculations showed that for the predicted loads the response and damage thresholds were in the region of the pressure asymptote of the P–I diagram. These results show that for gas explosions the assumption that the response is dominated by the first eigenmode was good. For other situations where the load is more impulsive and the impulse asymptote becomes representative, more accurate analyses with FE calculations are recommended.
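The screening procedure of sections 3.2.1 to 3.3 (triangular load with rise time β·td, trilinear resistance curve with cracking, yielding and 2° support rotation, SDOF time integration, and bisection on the peak pressure at fixed impulse to trace an iso-damage curve) is shown end to end in the following Python example. It is added here and is not the TNO tool or the Ministry study: the element strip (mass, span, cracking and yield points, post-yield stiffness), the bisection bounds and the stopping rule for the integration are this example's own assumptions, and the structural numbers are constructed for illustration.

```python
"""SDOF screening of a tunnel element under a schematised gas explosion load.

Added example (not the TNO screening tool): a single-degree-of-freedom model
loaded by the triangular pulse of Figure 5 (rise time beta*td, phase duration
td) with a trilinear resistance curve (initial cracking, yielding of the
reinforcement, failure at 2 degrees support rotation), used to trace
iso-damage curves of a P-I diagram.  All structural numbers are constructed
for illustration.  Units internally: Pa, m, s, kg/m2.
"""
import math

LEVELS = ("cracking", "yielding", "failure")  # order in which damage is reached


class Element:
    """Clamped element strip with a trilinear spring characteristic r(y)."""

    def __init__(self, mass, span, y_cr, r_cr, y_y, r_y, k3):
        self.m = mass                      # kg/m2; for a roof this includes the soil cover
        self.y_cr, self.r_cr = y_cr, r_cr  # deflection / resistance at concrete cracking
        self.y_y, self.r_y = y_y, r_y      # deflection / resistance at reinforcement yield
        self.k3 = k3                       # small post-yield stiffness, Pa/m
        # Complete failure: 2 degree rotation at the clamped support (the TM 5-1300
        # criterion adopted in the paper), converted to a mid-span deflection.
        self.y_f = 0.5 * span * math.tan(math.radians(2.0))
        self.k1 = r_cr / y_cr
        self.k2 = (r_y - r_cr) / (y_y - y_cr)
        self.period = 2.0 * math.pi * math.sqrt(mass / self.k1)  # elastic natural period

    def resistance(self, y):
        """Resistance (Pa) on the monotonic loading branch of the resistance curve."""
        if y <= self.y_cr:
            return self.k1 * y
        if y <= self.y_y:
            return self.r_cr + self.k2 * (y - self.y_cr)
        return self.r_y + self.k3 * (y - self.y_y)

    def threshold(self, level):
        return {"cracking": self.y_cr, "yielding": self.y_y, "failure": self.y_f}[level]


def blast_pressure(t, p_max, td, beta):
    """Triangular load of Figure 5: linear rise to p_max at beta*td, linear decay to 0 at td."""
    if t < 0.0 or t >= td:
        return 0.0
    tr = beta * td
    if t < tr:
        return p_max * t / tr
    return p_max * (td - t) / (td - tr)


def max_deflection(el, p_max, td, beta):
    """Peak deflection (m) by semi-implicit Euler integration, stopped at the first
    velocity reversal after the load has ended (or at a generous time cap)."""
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    dt = min(el.period, td) / 100.0
    t_cap = td + 20.0 * el.period
    t = y = v = y_max = 0.0
    while t < t_cap:
        acc = (blast_pressure(t, p_max, td, beta) - el.resistance(y)) / el.m
        v += acc * dt
        y += v * dt
        t += dt
        y_max = max(y_max, y)
        if t >= td and v < 0.0:
            break
    return y_max


def threshold_pressure(el, impulse, beta, level, iters=30):
    """Peak pressure (Pa) at which `level` is just reached for a given impulse (Pa*s):
    one point of an iso-damage curve.  The triangle has impulse p_max*td/2, hence
    td = 2*impulse/p_max.  Returns None below the impulse asymptote, i.e. when even
    a practically impulsive load (td = period/10) does not reach the level."""
    y_thr = el.threshold(level)
    # Work bound for this concave resistance curve: reaching y needs a peak pressure
    # of at least r(y)/2, so the pressure asymptote lies above p_lo.
    p_lo = 0.45 * el.resistance(y_thr)
    p_hi = max(20.0 * impulse / el.period, 4.0 * p_lo)
    if max_deflection(el, p_hi, 2.0 * impulse / p_hi, beta) < y_thr:
        return None
    for _ in range(iters):  # bisection: the peak response grows with p_max at fixed impulse
        p_mid = 0.5 * (p_lo + p_hi)
        if max_deflection(el, p_mid, 2.0 * impulse / p_mid, beta) >= y_thr:
            p_hi = p_mid
        else:
            p_lo = p_mid
    return p_hi


def iso_damage_curve(el, beta, level, impulses_kpa_s):
    """(impulse kPa*s, pressure kPa) pairs for a P-I diagram such as Figure 8."""
    pts = []
    for i_kpa in impulses_kpa_s:
        p = threshold_pressure(el, i_kpa * 1e3, beta, level)
        pts.append((i_kpa, None if p is None else p / 1e3))
    return pts


# Constructed separation-wall strip: 0.5 m of concrete (1200 kg/m2), 12 m span,
# cracking at 50 kPa / 5 mm, yielding at 200 kPa / 50 mm, post-yield 0.2 MPa/m.
WALL = Element(mass=1200.0, span=12.0, y_cr=0.005, r_cr=50e3,
               y_y=0.05, r_y=200e3, k3=0.2e6)

if __name__ == "__main__":
    for beta in (0.0, 0.25):
        print(f"beta = {beta}")
        for level in LEVELS:
            print(f"  {level:9s}", iso_damage_curve(WALL, beta, level, (1, 3, 10, 30, 100)))
```

For long-duration loads the curve flattens onto the pressure asymptote: with β = 0 the cracking pressure settles just above half the cracking resistance (dynamic load factor close to 2 for a suddenly applied load), while with β = 0.25 the slow rise brings it close to the resistance itself (load factor close to 1). That is the regime the paper reports for gas explosions; towards small impulses the curve turns up into the impulse asymptote, where the SDOF idealisation is least trustworthy and the paper recommends FE analysis.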

Figure 7. Typical calculation procedure of a tunnel roof structure (M–κ diagrams corresponding with possible plastic hinge locations near the clamped edge and in the middle, marking initial cracking of the concrete and yielding of the reinforcement; resistance R versus deformation up to 2° support rotation; resulting P–I diagram, pressure (kPa) versus impulse (kPa·s), with curves for initial cracking of the concrete, yielding of the reinforcement and failure at 2 degrees support rotation).

Figure 8. P–I diagram with iso-damage curves for a tunnel separation wall with β = 0.0 (top) and 0.25 (bottom) respectively (pressure (kPa) versus impulse (kPa·s); curves: initial cracking of concrete, yielding of reinforcement, failure at 2 degrees support rotation).

4 FULL SCENARIO SIMULATION

4.1 Gas explosion model

A gas explosion is a process of flame propagation through a flammable mixture. The increase of temperature due to combustion induces an expansion flow in which the flame is carried along. The development of explosive combustion consists in the continuous interaction of the flame propagation process with its own expansion flow. The turbulent structure of the expansion flow, which is determined by the boundary conditions of the flow field, is the key factor in the development of this process. Full scenario simulation of a gas explosion requires, therefore, the three-dimensional simulation of all aspects of this complicated process: the gas dynamics, the (turbulent) flow structure and the flame propagation process.

In the gas explosion simulator AutoReaGas™ (TNO and CDL 2002), the full process of a gas explosion is modelled by a perfect gas that expands under energy addition through combustion:

• The gas dynamics of expansion is modelled by conservation equations for mass, momentum (Navier–Stokes equations) and energy.

• The turbulent flow structure is modelled by conservation equations for the turbulence kinetic energy and its dissipation rate.

• The flame propagation is modelled by a conservation equation for a reaction progress parameter in which the combustion rate is a source term.

• The composition of the diffusing cloud in the expansion flow is computed from a conservation equation for the mixture stoichiometry.

A special version of the AutoReaGas software was tailored to the problem of a gas explosion developing in a tunnel tube containing a standing traffic jam. The code was calibrated and validated on the results of the experimental program addressed in section 2 (De Maaijer et al. 2002).

The simulation of a realistic tunnel problem at full scale with presently available CPU necessitates a numerical mesh of approximately 1 m³ cell size. This is far too coarse to be able to resolve any physics of the flame propagation process. Therefore, the flame is modelled as a numerical interface, propagated at a burning speed that is prescribed through a theoretical relation with the characteristics of the turbulent flow structure (Peters 1999). In addition, special modelling was required to be able to simulate proper turbulence generation by coarsely resolved solid objects (the vehicles in the traffic jam).

4.2 Model validation

To demonstrate the model’s capabilities, two experiments from the experimental program in section 2.1 have been simulated. The channel including some open space around the exit was modelled in a numerical mesh of 200 × 20 × 10 cells of 0.05 m³. A stoichiometric mixture of methane–air was specified over 1/1 and 1/4 of the channel length respectively and ignited in the centre of the closed channel end. The overpressure development was recorded at the same stations as in the experiments. The results are shown in Figures 9 and 10.

Figures 9 and 10 clearly demonstrate the capabilities of the software in various aspects. If the channel is filled with a stoichiometric cloud over 1/1 of the channel length, the overpressure runs up to more than 300 kPa and choking outflow conditions are met in the exit, witness the narrow pressure spike observed near the exit in Figure 9. If the cloud length is only 1/4 of the channel length, the overpressure developed is much lower and the outflow in the exit remains subsonic. Then the overpressure observed in the channel near the exit remains near-ambient.

Figure 9. Numerically simulated (left) and experimentally observed (right) overpressure–time development at 3 stations along the channel length. Cloud of stoichiometric methane–air over 1/1 of the channel length (solid: closed channel end; dashed: halfway channel length; dotted: near channel exit).

The experiment with a cloud of 1/4 of the channel length (Fig. 10) is particularly significant because it covers various phenomena that play a determining role in the development of a gas explosion:

• The mixing of the flammable mixture with air in the expansion flow in front of the flame.

• The flame propagation in the continuously intensifying turbulent flow.

• The flame propagation through a non-homogeneous concentration field.

The computational results in Figure 10 show that the software is capable of a satisfactory simulation of the structure loading as a consequence of a realistic gas explosion scenario in a traffic tunnel.

5 CONCLUSIONS

A screening tool set to determine quickly the consequences in a wide spectrum of scenarios has been developed. A one-dimensional gas dynamic model of a gas explosion computes the pressure loading and, subsequently, damage criteria in pressure–impulse graphs determine the response of the tunnel structure. This tool requires input in terms of flame propagation behaviour in tubes.

As long as the flammable cloud length covers the greater part of the tunnel length, the simplified one-dimensional model of a gas explosion is capable of computing the pressure loading with satisfactory accuracy. However, for smaller cloud lengths, the mixing of the flammable mixture in front of the flame becomes a significant phenomenon. Because the screening tool lacks the possibility to describe this phenomenon, it will substantially overestimate the pressure loading of the tunnel structure for smaller cloud lengths.

A tool set for detailed numerical simulation has been developed. A three-dimensional CFD gas explosion simulator is capable of computing the consequences of any gas explosion scenario as well as the effects of any possible mitigating measure in detail. The resulting blast loading may serve as input to an FE model that is able to simulate the dynamic response of the tunnel structure.

The three-dimensional gas explosion simulator has been shown to be able to reproduce the entire complex of phenomena that determine the development of a gas explosion in a satisfactory way. Combined with the screening approach a proper tool box is available to quantify the gas explosion loads in tunnels.

In analogy with the CFD explosion solver, the numerical response calculations with FE codes will be applied when the global response schematisation is insufficient (e.g. dominant high frequency response; more accurate damage prediction required; 3D effects).

With the research into gas explosion phenomena in tunnels and the developed tools, TNO PML realised the required basis for sound hazard analysis for the transportation of hazardous materials through traffic tunnels. The gained expertise will also be applied for the development of explosion suppression equipment.

REFERENCES

Biggs, J.M. 1964. Introduction to structural dynamics. New York: McGraw-Hill Book Company.

Boris, J.P. 1976. Flux-corrected transport modules for solving generalized continuity equations. NRL Memorandum Report 3237. Washington D.C., USA: Naval Research Laboratory.

Figure 10. Numerically simulated (left) and experimentally observed (right) overpressure–time development at 3 stations along the channel length. Cloud of stoichiometric methane–air over 1/4 of the channel length (solid: closed channel end; dashed: halfway channel length; dotted: near channel exit).

Catlin, C.A. 1991. Scale effects on the external combustion caused by venting of a confined explosion. Combustion and Flame 83: 399–411.

Catlin, C.A. & Johnson, D.M. 1992. Experimental scaling of the flame acceleration phase of an explosion by changing fuel gas reactivity. Combustion and Flame 88: 15–27.

De Maaijer, M., Van den Berg, A.C. & De Bruijn, P.C.J. 2002. VOI – tunnel safety: Small-scale experiments and numerical simulation of gas explosions in tunnels. TNO Prins Maurits Laboratorium report nr. PML 2002-IN##.

Peters, N. 1999. The turbulent burning velocity for large-scale and small-scale turbulence. Journal of Fluid Mechanics 384: 107–132.

Steen, H. & Schampel, K. 1983. Experimental investigation on the run-up distance of gaseous detonations in large tubes. 4th Int. Symp. on Loss Prevention and Safety Promotion in the Process Industries, 1983. Symposium Series No. 82: E23–E33. The Inst. of Chem. Engineers.

Taylor, P.H. & Hirst, W.J.S. 1988. The scaling of vapour cloud explosions: a fractal model for size and fuel type. Poster presented at the 22nd Int. Symp. on Combustion, Seattle, USA, 1988.

TNO & CDL 2002. AutoReaGas™ – The interactive software for reactive gas dynamics and blast analysis. TNO Prins Maurits Laboratory and Century Dynamics Ltd.

Van den Berg, A.C., Rhijnsburger, M.P.M. & Weerheijm, J. 2001. Guidelines for explosion loads and structural response of traffic tunnels (in Dutch). TNO Prins Maurits Laboratory report no. PML 2001-C121.

Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7

Scenario Analysis for Road Tunnels

D. de Weger
Civil Engineering Service, Ministry of Public Works and Water Management (Steunpunt Tunnelveiligheid), LA Utrecht

ABSTRACT: Risks of tunnel accidents are not only measured by probabilistic quantitative risk analyses; more qualitative scenario analyses are also an important contribution to achieving an optimal tunnel safety level. Scenario analyses may be carried out during all stages of the development process. Most of the experiences up to now result from scenario analyses during the design stage, at the point where only a limited number of tunnel design options have survived. The scenario analysis described in this paper aims at optimising the management of the processes occurring before, during and after an accident. The focus is on self rescue and emergency response. At an earlier stage, a scenario analysis may be useful when making an overview of the required safety measures for both large and small scale accidents. Furthermore, scenario analyses may be input to the decision making process regarding the construction of a tunnel.

In this paper, scenario analyses for road tunnels are described from the point of view of (i) the organisational and administrative environment, (ii) the differences between quantitative risk analyses and scenario analyses, (iii) the structure and elements of a scenario analysis. Furthermore, the first version of the Guideline Scenario Analysis for Tunnel Accidents and some preliminary application results are reported.

1 INTRODUCTION

Risk analysis in the Netherlands is carried out in two ways. In the early 1970s the Dutch government adopted the probabilistic risk evaluation as the leading philosophy for the Dutch safety policy. Quantitative risk analysis was strongly supported and widely applied as a decision making tool in land use and spatial planning. Especially risks of fixed industrial facilities were evaluated with a QRA (VROM, 1979).

The other view is advocated by those responsible for emergency response, such as the fire brigade, police and health department. Their interests lie not so much with the number of deaths but rather with the possibilities of casualty reduction, i.e. the number of wounded who can be rescued and transported to hospitals or other locations where they can receive proper treatment. According to this view, a risk evaluation should focus on optimising the emergency response processes, both technically and organisationally. This type of question is concerned with specific accident scenarios, including the pre-accident events and the role played by the response services and the technical facilities. Probabilities are not of primary interest, or are even disregarded completely (Ministry of the Interior, 1995).

One could say that the quantitative risk analysis and the scenario analysis are located somewhere between a full probability (or frequency) analysis and a consequence analysis (see Figure 1). Fortunately, in the Netherlands the contradictions between both views are losing ground in favour of the similarities, which is for example illustrated by the development of an integrated tunnel safety philosophy by the Dutch Civil Engineering Service (Centre for Tunnel Safety, 2001).

2 CURRENT STATUS OF SCENARIO ANALYSIS

2.1 Scenario analysis during the design and construct process

Figure 1. QRA and scenario analysis on the scale between probability analysis and consequence analysis (probability (frequency) analysis; probabilistic approach (quantitative risk analysis); deterministic approach (scenario analysis); consequence analysis).

Ask five tunnel safety experts to define a “scenario analysis” and you will probably get five different answers. The meaning of the term scenario analysis is strongly influenced by someone’s perception of the moment in time when the scenario analysis is to be carried out, especially as related to the different tunnel design and construction stages.

In the earliest design phase, the general objective is to give a global definition of the required solution. A typical question at this stage would be “Are we going to build a bridge or a tunnel?” Part of answering such a question is a general risk inventory, which provides insight into the relevant risks of both alternatives and which may also help in drawing up the guidelines for possibly required documents such as an Environmental Impact Assessment.

As the design process goes on, the selected options gradually become more specific. Consequently, at the later stages the level of detail of the analyses increases (“from coarse to fine”). Prior to the actual design, the safety objectives have to be written down, which requires a very general scenario analysis. During the design process, a qualitative scenario analysis may be carried out, which may include a few indicative calculations. Typically, at this stage also a Quantitative Risk Analysis would be suitable.

When optimising the final design – which by that time has already passed the QRA test – a more detailed Scenario Analysis is appropriate. At this stage, the technical and organisational safety measures have to be defined and agreed in detail.

Finally, during the construction and operation phases of the tunnel, design modifications may be implemented, because of which a repeated QRA and/or SA is necessary.

2.2 Scenario analysis organisation

A striking difference between QRA and SA is their organisation. Generally speaking, a QRA will be carried out by one or more risk analysis experts who are supported by tunnel construction experts. In the Netherlands, the Terms of Reference of the QRA have to comply with official regulations. The analysis itself will to a great extent be carried out by dedicated experts on their own, while the other parties such as the tunnel owner and the authorities will be part of the steering committee, which is only involved at certain moments in time.

For scenario analyses, things are different. A scenario analysis is acknowledged more and more as an essential part of the overall risk evaluation, complementary to the QRA. An SA is carried out by an analysis team that actively contributes during every stage of the analysis. A typical scenario analysis team will consist of the representatives of the local and regional authorities, the tunnel owner and operator, the emergency response services and one or more scenario analysis experts. Up to now, no official SA guidelines exist. However, the Dutch Civil Engineering Service of the Ministry of Public Works has issued a first version of preliminary guidelines for road tunnels which are going to be tested in a few pilot studies this year (De Weger et al. 2003). Most of the current paper is built around material and experiences from the development of these preliminary SA guidelines.

3 QUANTITATIVE RISK ANALYSIS VS. SCENARIO ANALYSIS

A quantitative risk analysis (QRA) and a scenario analysis (SA) are strongly related to one another. In fact, they are variations of a combined probability-and-consequence analysis. Both consider the effects and consequences of unwanted events which are described as “accident scenarios”, and in both analyses probabilities play a certain role. The differences between QRA and SA are e.g. that in a QRA probabilities are specifically taken into account, while a scenario analysis focuses on the consequences.

The probabilistic risk assessment is the basis for the Dutch external safety policy for both fixed industrial facilities and the transport of dangerous goods. Consequently, in a probabilistic tunnel risk assessment the probabilities and consequences of a large number of accident scenarios are calculated. The aggregated results are presented as a complementary cumulative frequency diagram (CCFD or fN-curve), representing societal (or “group”) risk; alternatively, the risk may be presented as the expected value. The use of individual risk contours as a measure of internal tunnel safety is not very common; however, individual risk is used to indicate risk levels at both ends of the tunnel and alongside the tunnel area to evaluate the risks of severe accidents (e.g. explosions) in the tunnel.
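How the per-scenario output of a QRA is aggregated into the two presentations named above, the expected value and the fN-curve (CCFD), is shown in the following Python example. It is added here and is not part of the paper or of any Dutch QRA tool; the scenario list with its frequencies and fatality numbers is constructed for illustration, and the criterion line of the form c/N² is only a parametrised shape (the constant c is not a value from the paper).

```python
"""Societal risk aggregation: expected value and fN-curve from accident scenarios.

Added example, not part of the paper or of a Dutch QRA tool.  The scenario list
is constructed for illustration.
"""
from collections import defaultdict

# Constructed tunnel scenarios: (description, frequency per year, fatalities N).
SCENARIOS = [
    ("car fire, self rescue succeeds", 1e-2, 0),
    ("truck fire, smoke spread", 2e-3, 2),
    ("truck fire, ventilation failure", 5e-4, 8),
    ("LPG pool fire", 1e-5, 15),
    ("LPG BLEVE", 2e-6, 60),
    ("flammable gas cloud explosion", 1e-6, 120),
]


def expected_value(scenarios):
    """Expected number of fatalities per year: the sum of f_i * N_i over all scenarios."""
    return sum(f * n for _, f, n in scenarios)


def fn_curve(scenarios):
    """Points (N, F(N)) of the complementary cumulative frequency diagram, where F(N)
    is the yearly frequency of accidents with at least N fatalities.  Scenarios
    without fatalities do not appear on the curve; points are returned for ascending N."""
    by_n = defaultdict(float)
    for _, f, n in scenarios:
        if n >= 1:
            by_n[n] += f          # scenarios with equal N share one point
    points, cumulative = [], 0.0
    for n in sorted(by_n, reverse=True):
        cumulative += by_n[n]     # F(N) accumulates from the largest N downwards
        points.append((n, cumulative))
    return points[::-1]


def exceedances(scenarios, c):
    """N values at which the fN-curve lies above a criterion line F(N) = c / N**2
    (the slope used for Dutch group-risk orientation values; c is a parameter here)."""
    return [n for n, f in fn_curve(scenarios) if f > c / n ** 2]


if __name__ == "__main__":
    print(f"expected value: {expected_value(SCENARIOS):.2e} fatalities/year")
    for n, f in fn_curve(SCENARIOS):
        print(f"N >= {n:4d}: F = {f:.2e} /year")
    print("criterion c = 1e-2 exceeded at N =", exceedances(SCENARIOS, 1e-2))
```

The two presentations answer different questions: the expected value collapses the scenario list into one number and is dominated here by the frequent low-fatality fires, while the fN-curve keeps the rare high-fatality scenarios visible as separate steps, which is why a criterion that falls off with N² weighs them more heavily.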

A scenario analysis, being a mere variation of a QRA, is built from the same elements as a QRA: (1) system description, (2) calculation of physical effects and damage (among others health effects), (3) calculation of frequencies and probabilities, and (4) risk presentation and evaluation. The focus of an SA is on optimising the accident process management. In an SA only a limited number of scenarios is analysed; however, each scenario is subject to a more thorough analysis than would be the case in a QRA. In particular, all accident processes, including population behaviour, the status of tunnel safety measures, details of emergency response operations and of course the possible accident development scenarios, are part of the analysis. Accident frequencies and accident development probabilities are for the greater part left out of the SA, which is an important contrast with a QRA. The results of an SA are not presented in graphs or diagrams but, depending on the required level of quantification, may be in narrative form or as a combination of text and (semi)quantitative information in a sequence of tables. Graphics may be used to illustrate the studied accident situations and their developments. If detailed calculations are carried out, their results will generally be presented in the analysis' appendices.

4 ACCIDENT PROCESSES

A key concept in modern risk evaluation is the notion that an unwanted event does not arrive out of the blue but starts with some (often minor) disturbance of normal operation, which results in a minor or major accident, which in its turn may develop in several ways depending on the quality of the accident response, not only by the fire brigade and other emergency response services but also including human behaviour and technical and organisational safety measures. This concept has been developed in the process industries and is well known as the bow tie model (De Weger et al. 2001). In fact, the bow tie's knot in the middle represents the accident and links a fault tree at the left, representing the cause part, and an event tree at the right, which stands for the consequence or "damage" part (see Figure 2).

The Bow Tie Model offers a widely accepted framework for risk reduction. It is immediately related to the accident chain, which in its simplest form consists of cause – accident – consequence, but in a more sophisticated way transforms into the emergency management sequence:

prevention – preparedness – mitigation – response – recovery.

One of the basic principles when applying the bow tie model is to look for safety enhancing measures in the front part of the accident chain. This principle expresses the preference for accident prevention. An important element in the bow tie model is the presence of Lines of Defence throughout the accident chain, each one of which serves as a starting point for safety measures. Examples of Lines of Defence to improve tunnel safety are automatic fire fighting systems such as sprinklers, automatic car or train speed detection, closed circuit television systems, communication equipment (telephones, public address systems), etc. But incorporating safety into the car driving education programme or public awareness media campaigns will also contribute to safety improvement and thus constitutes a line of defence as well.

The processes that are encountered before, during and after an accident are (De Weger et al. 2001):

1. disturbance of ordinary traffic;
2. incident;
3. incident detection and warning of operator and emergency response services;
4. self rescue by tunnel population;
5. response by fire brigade, police and health services.

Generally, stage 3 will be rather short. The start of stage 4 (self rescue) coincides with the start of stage 3. The response phase includes reconnaissance, i.e. determination of the exact location of the incident, the number of vehicles involved, the number of people in and outside the vehicles, and the hazardous substances possibly present. As soon as all relevant information has been collected, the actual fighting of the accident will begin. This includes for instance fire fighting, switching off the electrical current (in case of train accidents), rescuing victims, and removing or covering hazardous substances.

During all stages, interaction occurs between all elements in the tunnel system. Traffic detection and regulation systems are meant to detect and, if possible, correct disturbances of the ordinary traffic conditions in order to prevent dangerous situations. Safety measures such as vehicle guiding barriers contribute to damage minimisation ("soft landings"). Self rescue is only possible if those present in the tunnel during or immediately after the accident are able to reach a safe haven, such as a rescue area or a tunnel tube which is not involved in the accident. Emergency response can only be successful if certain conditions are fulfilled, such as a quick alarm and proper communication with the tunnel operator.
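The bow tie of Figure 2, quantified, as an added example (not code from the paper or from De Weger et al. 2001): a small fault tree gives the yearly frequency of a tunnel fire, and an event tree whose branch points are three Lines of Defence (detection and warning, self rescue, fire brigade response, following stages 3 to 5 above) distributes that frequency over outcome classes. All gate structures, frequencies, success probabilities and outcome labels are constructed illustrative values. The closing comparison of a front-of-chain measure (fewer collisions) with a back-of-chain measure (better response) illustrates the prevention-first principle stated above.

```python
"""Bow tie quantification: a fault tree for the causes of a tunnel fire,
the accident as the knot, and an event tree whose branch points are the
Lines of Defence. Added example, not code from the paper; every gate,
frequency and success probability below is a constructed illustrative
value for a two-tube road tunnel."""
import math
from typing import Dict, List, Tuple, Union

# --- Fault tree (left half of the bow tie) ----------------------------------
# A node is a number (basic event: yearly frequency or conditional
# probability) or a gate ("OR" | "AND", [children]). Events are treated as
# rare and independent, so OR is approximated by the sum and AND is the product.
Node = Union[float, Tuple[str, List["Node"]]]

FIRE_CAUSES: Node = ("OR", [
    ("AND", [0.4,     # collision in the tunnel, per year (constructed)
             0.05]),  # P(collision ignites a fire)     (constructed)
    0.01,             # spontaneous vehicle fire, per year (constructed)
])


def evaluate(node: Node) -> float:
    """Frequency of the top event of a fault tree (rare-event approximation)."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    values = [evaluate(c) for c in children]
    if gate == "OR":
        return sum(values)
    if gate == "AND":
        return math.prod(values)
    raise ValueError(f"unknown gate {gate!r}")


# --- Event tree (right half) -------------------------------------------------
# Each Line of Defence either works or fails; the order follows the accident
# process stages: detection/warning, self rescue, emergency response.
LINES_OF_DEFENCE: List[Tuple[str, float]] = [
    ("detection and warning", 0.90),
    ("self rescue via emergency exits", 0.80),
    ("fire brigade response", 0.70),
]
# Constructed outcome label by number of failed lines (0..3).
OUTCOME_BY_FAILED_LINES = ["back to normal", "material damage", "injuries", "fatalities"]

Path = Tuple[Tuple[Tuple[str, bool], ...], float]


def event_tree(initiator_frequency: float,
               lines: List[Tuple[str, float]]) -> List[Path]:
    """Enumerate all 2**len(lines) branches as (history, yearly frequency)."""
    paths: List[Path] = [((), initiator_frequency)]
    for name, p_ok in lines:
        grown: List[Path] = []
        for history, freq in paths:
            grown.append((history + ((name, True),), freq * p_ok))
            grown.append((history + ((name, False),), freq * (1.0 - p_ok)))
        paths = grown
    return paths


def outcome_frequencies(causes: Node,
                        lines: List[Tuple[str, float]]) -> Dict[str, float]:
    """Whole bow tie: fault tree -> accident frequency -> event tree -> outcomes."""
    totals: Dict[str, float] = {}
    for history, freq in event_tree(evaluate(causes), lines):
        failed = sum(1 for _, ok in history if not ok)
        label = OUTCOME_BY_FAILED_LINES[failed]
        totals[label] = totals.get(label, 0.0) + freq
    return totals


def fatal_frequency(causes: Node, lines: List[Tuple[str, float]]) -> float:
    """Yearly frequency of the worst outcome class (all lines failed)."""
    return outcome_frequencies(causes, lines).get("fatalities", 0.0)


if __name__ == "__main__":
    base = fatal_frequency(FIRE_CAUSES, LINES_OF_DEFENCE)
    # Front-of-chain measure: halve the collision frequency (prevention).
    prevention: Node = ("OR", [("AND", [0.2, 0.05]), 0.01])
    # Back-of-chain measure: better fire brigade response.
    response = LINES_OF_DEFENCE[:2] + [("fire brigade response", 0.85)]
    print(f"accident frequency      {evaluate(FIRE_CAUSES):.4f} /yr")
    print(f"fatal outcome, baseline {base:.2e} /yr")
    print(f"  with prevention       {fatal_frequency(prevention, LINES_OF_DEFENCE):.2e} /yr")
    print(f"  with better response  {fatal_frequency(FIRE_CAUSES, response):.2e} /yr")
```

Under these constructed numbers the accident frequency is 0.03 per year and the fatal outcome class 1.8·10⁻⁴ per year; halving the collision frequency brings the latter to 1.2·10⁻⁴, raising the response success probability from 0.70 to 0.85 brings it to 9·10⁻⁵. Which measure is preferred then depends on cost and on every line still meeting its minimum standard, which is the exchange between measures discussed in section 6; the prevention measure has the additional merit, invisible in the fatal class alone, of lowering every outcome class at once.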

A scenario analysis is carried out in order to find out whether the whole tunnel system, including all technical and organisational measures, is fit to deal properly with all relevant accidents and their possible developments and – if this is not yet achieved – which are the weak spots that have to be improved. This objective is different from that of a QRA, which is carried out to establish whether the tunnel meets the risk standards, as described in section 3.


Figure 2. The Bow Tie Model: Causes (fault tree) – Accident – Consequences (event tree) – Back To Normal, with Lines of Defence along the whole chain.


5 SCENARIO ANALYSIS METHODOLOGY

A scenario analysis consists of the following elements:

a. system description;
b. selection of relevant scenarios;
c. analysis of effects and consequences;
d. evaluation of results and optimisation of design.

5.1 System description

Starting point of a scenario analysis is the preliminary design. This includes the tunnel itself, all mechanical and electrical installations like lighting, ventilation systems, communication equipment, traffic detection and warning systems, fire detection and fighting equipment, etc. The scenario analysis also comprises those parts of the tunnel operating organisation responsible for calamity response.

The public emergency response services can be activated by the tunnel operator, by a message from one of the tunnel users involved in an accident, or by a message from one of the other services. The tunnel operator is responsible for keeping all emergency pathways and doors accessible to the emergency response services. However, passing on the alarm to the responders on duty is the responsibility of the receiving party and does not belong to the tunnel organisation. The organisation of the response services is relevant only insofar as it directly influences the activities in the tunnel.

5.2 Scenario selection

Following the system description, the scenarios that are suitable for analysis are selected. For scenario selection a number of criteria have been determined. Scenarios should be realistic, test the system boundaries, and be representative and reproducible.

The first condition means that scenarios must be physically possible and acceptable to all parties involved. In order to reach agreement on the required safety level, all parties must support – or at least not reject – the selected scenarios. Scenarios with extremely low probabilities or extremely high consequences should be selected only if all parties are convinced of their necessity, as too extreme scenarios will lead to oversized measures.

Maybe the most important criterion is that scenarios must test the system boundaries, because this is the actual goal of the scenario analysis: to find out whether the system's safety level is high enough, especially as far as the safety measures are concerned. This is best established by checking the performance of all system parts under unusual circumstances.

Thirdly, the set of scenarios must be representative and balanced. Scenarios should vary sufficiently in size and nature. The analysis should include "developing scenarios" that start small, grow quickly and reach a full size calamity level. To limit the analysis effort, the number of selected scenarios should not exceed 5–10.

Finally, scenarios should be reproducible, i.e. the same scenario calculated for a different tunnel should lead to roughly comparable results.

To determine whether the criteria mentioned above have been met in an actual analysis, the Guideline Scenario Analysis (see section 2) offers the user a checklist referring to the tunnel and traffic properties that are key factors in tunnel safety. The selected set of scenarios should cover all key safety parameters. The parameters have been derived from accident process descriptions, in which fault trees have been developed to identify the parameters that play a role in processes like the pre-accident phase, detection and alarm, incident, self rescue, and emergency response.

At a high level of abstraction a set of scenarios would for instance be:
– car or train collision, train derailment;
– fire;
– release of hazardous materials.

Scenarios for road tunnels are different from those for train tunnels. Smaller fires, say below 10–20 MW, are distinguished from large fires, up to 300 MW in case of a fully loaded truck fire. In a road tunnel, the condition "congestion behind the accident" may severely increase the consequences, especially in case of fire. An example of a set of scenarios that have been analysed for one of the new tunnels in the Netherlands is presented in Table 1.

5.3 Analysis of effects and consequences

Once the scenarios have been selected, the actual analysis can be carried out at a qualitative or at a quantitative level. The analysis framework is built around the accident processes mentioned before. Every process step relates to the transition from one time step to another. During the analysis, a "picture" is taken of every transition moment. Each picture gives an overview of the system status and, in keywords, key figures or brief text, an account is given of the system development in the previous accident development phase.

Table 1. Scenarios for road tunnels (Molag, 2001).

1. Traffic disturbance without damage
2. Accident with material damage only
3. Accident with casualties (wounded)
4. Small car fire (≈5 MW)
5. Bus fire, small truck fire (≈20 MW)
6. Large truck fire (liquid, ≈300 MW)
7. LPG BLEVE
8. LPG gas cloud explosion
9. Accident with release of toxic liquids
10. Toxic gas release

In the quantitative analysis, the "system pictures" are illustrated with calculated data like the number of people in the tunnel, the fire load, the effect distances and the numbers of casualties.

5.3.1 Physical effect modelling

The physical effects that may occur after an accident depend on the kind of accident and on the involvement of hazardous substances. The majority of accidents only cause material (vehicle) damage. Bigger accidents, for instance a fire, may occur in vehicles with or without dangerous substances. The absence of hazardous materials, however, does not necessarily limit the accident consequences. Possibly the best known example of an "ordinary fire" with dramatic consequences is the Mont Blanc Tunnel fire, where a truck loaded with flour and margarine caused a large fire with many casualties (Ministère de l'Interieur, 1999; Guigas, 2001). If a fire occurs, not only the skin burns due to direct heat radiation are important. Health damage may also be caused by the high temperature of the tunnel atmosphere (lung damage) and by exposure to the smoke, which contains a cocktail of toxic compounds.

The accident development in terms of fire development, temperature increase, smoke dispersion and behaviour of other hazardous substances may be calculated with the effect models that are well known from quantitative risk analysis (outflow, evaporation, dispersion, various types of explosions, etc.). These models have been developed for application in the open air; for calculations in tunnels some of these models can be applied directly. Because of the properties of a tunnel, however, calculation of some of the substance behaviour phenomena requires specific models (Kootstra & Molag, 2003).

For instance, in ordinary outflow models a standard pool surface is assumed which is only dependent on the type of ground (small, e.g. 1500 m2 for permeable surfaces such as sand or gravel, or 10,000 m2 for a flat smooth surface). Modelling of liquid outflow in a tunnel has to take into account the slopes at both ends of the tunnel and the sewer facilities. A release at the entrance of the tunnel will flow downwards and form a large but shallow pool, from which the initial evaporation will be very high but during a short period of time. A pool formed at the bottom of the tunnel may be readily drained by the sewers, which will result in smaller surface areas.

Another, more important difference between tunnels and open air is the modelling of smoke dispersion. In a contained space like a tunnel, hot gases will initially spread in the upper layer just below the tunnel ceiling. After some time the smoke will cool down and will mix with the cooler air layer in the lower part of the tunnel. In case of a burning fire, an air flow is generated in the direction of the fire; the cooling smoke that mixes with the tunnel air will be transported towards the fire. This effect is not described by ordinary dispersion models. Furthermore, vehicles and other obstacles in a tunnel may significantly influence gas dispersion. For temperature development and smoke dispersion in complex environments like tunnels, special models have been developed, varying from relatively simple zone models (Rylands et al. 1998) to sophisticated CFD models (Rhodes, 1998).

5.3.2 Tunnel population modelling

The number of victims is directly proportional to the number of people present in the tunnel, which in turn is a result of the in- and outflow. Increase of the tunnel population is caused by the continuous traffic flow. On the other hand, the tunnel population is reduced by "natural outflow" (cars downstream driving out of the tunnel), self rescue (drivers and/or passengers, who may or may not be injured, leaving the incident location on their own), and organised evacuation by tunnel personnel or emergency response services.

Incoming traffic may be stopped relatively easily. Car tunnels may simply be closed off by traffic lights or barriers at the tunnel entrances. This is in general the tunnel operator's responsibility.

Trains on their way towards a tunnel can also be stopped easily. The tunnel operator or the emergency service in charge has to instruct the train traffic control centre. This is an additional communication step, which may cause some delay in the closing down procedure.

In the Guideline Scenario Analysis, "natural outflow" is only part of the evaluation if it is blocked by congestion downstream of the accident. The combination of fire and congestion may cause severe exposure of the people in the downstream part of the tunnel; if there are inadequate emergency exit facilities this will result in a significant increase of the number of casualties.

5.3.3 Self rescue

Self rescue may be measured by the total time required to reach a safe area. This time period is determined by (a) the wake-up period, i.e. the time needed for the tunnel users to realise the seriousness of the situation and take action, and (b) the fleeing period, which is directly dependent on the fleeing speed and the distance to the next emergency exit. The total self rescue time appears to be dominated by the wake-up period. A large evacuation experiment carried out last year in the Dutch Benelux-tunnel in the Rotterdam Port area (Centre for Tunnel Safety, 2002) demonstrated that the wake-up period can last as long as 5–10 minutes, even if car drivers are watching the smoke coming out of a truck which is on fire. Furthermore, the experiments demonstrated that the attention level and visibility of the emergency routes and exits may significantly influence the total self rescue time.

There are several other factors that influence the self rescue speed. If a tunnel is provided with a public address system, if good information texts have been prepared and if the operators are properly instructed about how to use the system, this may greatly improve the self rescue effectiveness and efficiency. It is very important that messages are issued timely and repeated at regular intervals, that the texts are clearly audible and that the content of the messages is consistent. Informing train passengers is easier than trying to reach car drivers. Furthermore, car drivers are more apt to stick to their vehicle, while it is easier to mobilise train passengers as they will be showing group behaviour. Apart from this, technical details like the width of the fleeing pathway, the percentage of elderly and handicapped people and the total number of fleeing persons will influence the self rescue performance of the whole system.

Self rescue models offer both qualitative and quantitative representations of human behaviour. Qualitative models are found in psychology and are descriptive models (Galea, 1999; Steyvers, 1999; Helbing, 2000; Centre for Tunnel Safety, 2002). Quantitative models such as Exodus or Simulex calculate the escape time from parameters such as distance, walking speed and escape route capacity. There are three "sub-categories": rules of thumb, which are relatively simple, empirically based formulae; physical models, in which population movement is modelled as particle flow; and computer simulation models, which combine elements from the previously mentioned categories. Every model category has its own advantages and disadvantages. Psychological models lack a firm quantitative basis. The basic assumption of particle flow models is that human behaviour much resembles ideal gas behaviour. In tunnel evacuation experiments, however, strong evidence for deviating behaviour has been found. When escaping from a tunnel in dense smoke, exit visibility is an important factor for humans which is not accounted for by ideal gas models. Computer simulation models combine a sophisticated approach with a lack of transparency: the model relationships are often not specified in the programme documentation, which gives these models a "black box" nature.

The (preliminary) conclusion that has been drawn for the Guideline Scenario Analysis is that at the moment the best possible self rescue predictions are offered by a combination of a qualitative (psychological) analysis and application of empirical models (rules of thumb). The latter produce merely indicative results that are at the same time a sufficient description of self rescue behaviour. Their greatest advantage is their simplicity. The assumptions in the quantitative models should be tested with a qualitative analysis. If it is assumed, for instance, that every person inside the tunnel will start escaping within 2 minutes after the accident, it should be demonstrated that the facilities enable such a quick response.

Computer models are an interesting, though expensive, alternative option. Most software programmes, however, lack the transparency which makes rules of thumb so easily accessible.
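A rule-of-thumb self rescue check of the kind the Guideline favours, written here as an added example (not code from the paper, the Guideline or the Benelux-tunnel experiment). It combines the population balance of 5.3.2 (a queue downstream of the fire whose natural outflow is blocked by congestion) with the two-part self rescue time of 5.3.3. Tunnel length, fire position, queue headway, persons per vehicle, exit spacing, walking speed and the speed at which the smoke front travels along the tunnel with the ventilation flow are constructed assumptions; the 2 minute and 5 minute wake-up periods are the planning value mentioned above and the lower bound observed in the experiment.

```python
"""Rule-of-thumb self rescue check for the congested stretch downstream of
a tunnel fire. Added example, not code from the paper or the Guideline.
Tunnel layout, queue density, persons per vehicle, walking speed and the
smoke-front speed are constructed assumptions; the wake-up periods used
below are the 2 min planning value and the 5 min lower bound observed in
the Benelux-tunnel experiment quoted in the text."""
import math
from typing import Dict, List


def queued_positions(x_fire: float, length: float, lanes: int,
                     headway: float = 10.0) -> List[float]:
    """Positions (m from the tunnel entrance) of vehicles queued downstream
    of the fire, one per headway per lane. Natural outflow is blocked by
    congestion, so these vehicles stay put until their occupants flee."""
    per_lane = [float(x) for x in range(int(x_fire + headway), int(length) + 1, int(headway))]
    return per_lane * lanes


def self_rescue_time(x: float, x_fire: float, t_wake: float,
                     v_walk: float, exit_spacing: float) -> Dict[str, float]:
    """Self rescue time = wake-up period + fleeing time to the next emergency
    exit away from the fire (exits assumed at every multiple of exit_spacing)."""
    exit_x = math.ceil(x / exit_spacing) * exit_spacing
    distance = exit_x - x
    return {"exit": exit_x, "distance": distance, "time": t_wake + distance / v_walk}


def evacuation_outcome(x_fire: float, length: float, lanes: int, t_wake: float,
                       v_walk: float = 1.0, v_smoke: float = 1.5,
                       exit_spacing: float = 100.0, persons_per_vehicle: float = 1.5,
                       headway: float = 10.0) -> Dict[str, float]:
    """Count occupants who reach an exit before the smoke front, carried by
    the ventilation flow at v_smoke, arrives at that exit. Constructed
    tenability rule: safe iff t_wake + d / v_walk <= (exit - x_fire) / v_smoke."""
    safe = unsafe = 0
    for x in queued_positions(x_fire, length, lanes, headway):
        r = self_rescue_time(x, x_fire, t_wake, v_walk, exit_spacing)
        available = (r["exit"] - x_fire) / v_smoke
        if r["time"] <= available:
            safe += 1
        else:
            unsafe += 1
    return {
        "vehicles": safe + unsafe,
        "persons": (safe + unsafe) * persons_per_vehicle,
        "persons_safe": safe * persons_per_vehicle,
        "persons_not_safe": unsafe * persons_per_vehicle,
    }


if __name__ == "__main__":
    for t_wake in (120.0, 300.0):
        r = evacuation_outcome(x_fire=300.0, length=1000.0, lanes=2, t_wake=t_wake)
        print(f"wake-up {t_wake:5.0f} s: {r['persons_not_safe']:.0f} of "
              f"{r['persons']:.0f} persons do not reach an exit unaided")
```

For a 1000 m tunnel with the fire at 300 m, two congested lanes and exits every 100 m, the 2 minute wake-up assumption leaves 57 of 210 occupants without a tenable exit; with the 5 minute wake-up period actually observed, 138 of 210 do not make it. The numbers themselves are only as good as the constructed inputs, but the sensitivity is the point the text makes: the wake-up period, not walking distance, dominates, so the qualitative check that the facilities (public address, exit visibility) really produce a 2 minute response is what decides the outcome.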

5.3.4 Organised evacuation

Evacuation of the tunnel population by the emergency response services can only start after one of these services has arrived on the accident scene and has established which operations can be carried out safely (reconnaissance). Furthermore, roll-out of response equipment will take some time. Actual rescue of people trapped in cars or trains may not start earlier than 20–30 minutes after the accident. Therefore, self rescue is seen as the primary source of casualty reduction (Bockholts et al. 1999). The emergency response operations contribute by fire fighting, clearing the tunnel and providing professional health care to the injured with zero or limited mobility.

5.3.5 Health effect modelling

Health damage is evaluated from two points of view: the self rescue capacity and the need for health care. Firstly, health impairment will decrease the self rescue abilities and thus increase the number of victims. This is important in a scenario analysis, as safety measures like the number and spacing of emergency exits immediately affect the number of casualties.

Secondly, a scenario analysis will evaluate the planned health service capacity, i.e. will there be enough personnel to give first aid and preliminary treatment, and do the health services provide sufficient ambulances for transportation of the casualties to a hospital.

In the Guideline Scenario Analysis, two health effect classification systems are used. For self rescue evaluation, a classification system was adopted that has been developed by the American Industrial Hygiene Association (AIHA, 2002). It divides health effects into four categories (detectability, discomfort, disability and death). The transitions from one category to another are marked by the so-called Emergency Response Planning Guidelines (ERPG-1, -2 and -3). The ERPG-1 is the maximum airborne concentration below which nearly all individuals could be exposed for up to one hour without experiencing other than mild transient adverse health effects or perceiving a clearly defined objectionable odor. The ERPG-2 is the maximum concentration below which exposure for up to one hour would cause no irreversible or other serious health damage or symptoms that could impair an individual's ability to take protective action. Exposure to concentrations below ERPG-3 is tolerable for nearly all individuals for up to one hour without experiencing or developing life-threatening health effects. Above ERPG-3, life-threatening health effects are to be expected when exposure lasts more than an hour.

Because human responses do not occur at precise exposure levels – they can extend over a wide range of concentrations – the values derived for ERPGs should not be expected to protect everyone, but should be applicable to most individuals in the general population. For scenario analysis purposes, recalculation of ERPG values for shorter exposure durations seems appropriate, since self rescue will start immediately after an accident and emergency response will in general start effectively some 20–30 minutes after the accident.

For health service response the so-called triage classification methodology is used, which has already been in use with the military for a long time (De Boer, 2000). This classification system is based on health care urgency. There are three categories: T1 patients need immediate care; if treatment does not start within one hour, patients in this category will probably die. Patients who need treatment within 6 hours are classified as T2. For patients classified as T3, first aid is sufficient.

Concentrations below ERPG-1 or between ERPG-1 and ERPG-2 will not affect an individual's self rescue ability. Between ERPG-2 and ERPG-3 self rescue is reduced, and people exposed at levels above ERPG-3 will not be able to reach a safe haven without help.
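The ERPG classification applied to a concentration history at one location, as an added example (not code from the paper, the Guideline or the AIHA). "Substance X" and its ERPG values, and the concentration series at an emergency exit, are constructed. The text only says that recalculating the one-hour ERPGs for shorter exposures seems appropriate and gives no method; `rescale_erpg` therefore uses an assumed constant toxic load C^n·t (n = 1 being Haber's rule), which must be read as an assumption of this example and not as part of the Guideline.

```python
"""Health effect classification for self rescue evaluation, using the AIHA
ERPG categories as described in the text. Added example, not code from
the paper or the Guideline. "Substance X" and its ERPG values, and the
concentration time series at an emergency exit, are constructed. The
rescaling of one-hour ERPGs to shorter exposures in rescale_erpg() uses
an assumed constant toxic load C**n * t (n = 1 is Haber's rule); the paper
only says such a recalculation seems appropriate and gives no method."""
from typing import Dict, List, Optional, Tuple

Erpg = Tuple[float, float, float]  # (ERPG-1, ERPG-2, ERPG-3), one-hour values

# Constructed one-hour ERPG values (ppm) for a hypothetical "substance X".
ERPG_X: Erpg = (25.0, 150.0, 750.0)

CATEGORIES = ("detectability", "discomfort", "disability", "death")


def erpg_band(concentration: float, erpg: Erpg) -> int:
    """0: below ERPG-1, 1: ERPG-1..2, 2: ERPG-2..3, 3: at or above ERPG-3."""
    e1, e2, e3 = erpg
    if concentration < e1:
        return 0
    if concentration < e2:
        return 1
    if concentration < e3:
        return 2
    return 3


def self_rescue_ability(band: int) -> str:
    """Mapping used in the Guideline Scenario Analysis: below ERPG-2 self
    rescue is unaffected, between ERPG-2 and ERPG-3 it is reduced, above
    ERPG-3 a safe haven cannot be reached without help."""
    return ("unaffected", "unaffected", "reduced", "needs help")[band]


def rescale_erpg(erpg: Erpg, minutes: float, n: float = 1.0) -> Erpg:
    """One-hour ERPG values rescaled to an exposure of `minutes`, keeping the
    toxic load C**n * t constant (assumption, see module docstring)."""
    factor = (60.0 / minutes) ** (1.0 / n)
    e1, e2, e3 = erpg
    return (e1 * factor, e2 * factor, e3 * factor)


def self_rescue_window(profile: List[Tuple[float, float]],
                       erpg: Erpg) -> Dict[str, Optional[float]]:
    """Walk a (time s, concentration ppm) series at one location and report
    when self rescue first becomes reduced and when help becomes necessary."""
    reduced: Optional[float] = None
    help_needed: Optional[float] = None
    for t, c in profile:
        ability = self_rescue_ability(erpg_band(c, erpg))
        if ability != "unaffected" and reduced is None:
            reduced = t
        if ability == "needs help" and help_needed is None:
            help_needed = t
    return {"reduced_from": reduced, "help_needed_from": help_needed}


# Constructed concentration series at an emergency exit downstream of a
# toxic release: (seconds after the accident, ppm).
PROFILE: List[Tuple[float, float]] = [(60, 10), (120, 80), (180, 200), (240, 900)]

if __name__ == "__main__":
    print("1 h ERPG values :", self_rescue_window(PROFILE, ERPG_X))
    print("20 min rescaled :", self_rescue_window(PROFILE, rescale_erpg(ERPG_X, 20)))
```

Against the one-hour values the constructed profile reduces self rescue from 180 s and makes help necessary from 240 s; rescaled to a 20 minute exposure under the assumed constant toxic load, the thresholds triple and the same profile only reduces self rescue from 240 s. The choice of exposure duration, and of the exponent n for the substance at hand, therefore changes the casualty count the scenario analysis will report and has to be stated explicitly with the result.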

As regards health care urgency, the triage categories do not relate directly to the ERPG categorisation (Van der Torn, 2003). As for mechanical injuries, T1 victims may still have their full self rescue abilities. On the other hand, toxic T3 victims exposed to an organic substance with anaesthetic properties may have lost their self rescue abilities, while health care is not urgent at all.

6 EVALUATION AND OPTIMISATION

The results of the qualitative and quantitative analysis are evaluated against criteria on prevention, mitigation, self rescue and emergency response. This is consistent with the application of the Bow Tie Model, where safety measures are preferably taken early in the accident chain.

Evaluation of the safety performance of a tunnel is done by comparing the qualitative scenario descriptions of the different tunnel alternatives. In a fully quantitative scenario analysis, the numbers of casualties that are expected to occur in the tunnel options may be compared with each other. A more sophisticated evaluation method is based on casualty distributions, which may be calculated from the distributions of the underlying parameters, like spill volume development, fire growth, distance to accident, individual evacuation speed, exit door capacity, etc.

Currently, no generally accepted evaluation criteria have been found in the Dutch regulations or in the literature. In recent studies, prevention, self rescue and emergency response were measured by means of qualitative histograms. In this approach, alternatives are compared without being judged as to their absolute safety performance. It is expected that upon issuing the Guideline Scenario Analysis, tunnel-specific criteria will be established by those responsible for the scenario analysis. A view shared by participants of a working party during the development of the Guideline is that (a) prevention, mitigation, self rescue and response must meet certain minimum standards, but (b) exchange between these four parameters is acceptable (De Weger, 2002). Consider for instance additional mitigation measures with a safety benefit of X at a certain cost; if additional response measures would result in a similar safety benefit against lower costs, the latter measure is to be preferred, provided that both mitigation and response meet the minimum standards.

7 CONCLUSIONS

Scenario analysis is a tool that fills the gap in the deterministic field next to quantitative risk analysis. In tunnel risk evaluation, scenario analysis can be used at different stages, both early and later on. Scenario analysis provides a qualitative description of the accident development at several critical stages. Models for the calculation of physical effects and casualties in most cases are not the same as the models for risk calculation in an open environment. The results of behaviour models and health effect calculations have to be used cautiously. At the moment, given the current state of the art, evaluation and optimisation have to be carried out based on tunnel-specific evaluation criteria.

ACKNOWLEDGEMENTS

The work presented in this paper has been commissioned by the Netherlands Centre for Underground Constructions (Centrum voor Ondergronds Bouwen, COB) and was largely funded by the Civil Engineering Service of the Ministry of Public Works and Water Management.

REFERENCES

AIHA (2002). Washington: American Industrial Hygiene Association, http://www.aiha.org/publicationsadvertising/html/poerpgweels.htm


Bockholts, P. et al. (1999). Integrated Safety Plan Westerscheldetunnel (in Dutch). Terneuzen: NV Westerscheldetunnel.

Centre for Tunnel Safety (2001). Project Plan Integrated Safety Philosophy. Utrecht: Civil Engineering Service, Rijkswaterstaat.

Centre for Tunnel Safety (2002). Safety Test. Utrecht: Civil Engineering Service, Rijkswaterstaat.

De Boer, J. (2000). Order in chaos: modelling medical management in disasters. In: De Boer, J. & Dubouloz, M. (eds), Handbook of Disaster Medicine. Utrecht: VSP International Science Publishers.

De Weger, D., Hoeksma, J., Schaaf, J. van der (2001). Process Descriptions MAVIT (in Dutch). Utrecht: Bouwdienst RWS (Ministry of Transport, Public Works and Water Management, Civil Engineering Division).

De Weger, D., Waterschoot, A. van, Vliet, C. van der, Jonkman, S.N. (2002). Report of the Workshop Scenario Analysis Tunnels (in Dutch). Utrecht: Bouwdienst RWS (Ministry of Transport, Public Works and Water Management, Civil Engineering Division).

De Weger, D., Waterschoot, A. van, Vliet, C. van der, Jonkman, S.N. (2003). Ontwikkeling Leidraad Scenarioanalyse Tunnels (Development of a Guideline Scenario Analysis in Tunnels, in Dutch). Utrecht: Bouwdienst RWS (Ministry of Transport, Public Works and Water Management, Civil Engineering Division).

Galea, E.R., Owen, M., Gwynne, S. (1999). Principles and Practice of Evacuation Modelling – A Collection of Lecture Notes for a Short Course. 2nd Edition 29

Guigas, X., Weatherill, A., Trottet, Y. (2001). New Mont Blanc Tunnel Ventilation Systems. In: Tunnel Management International 4(1): 7–13.

Helbing, D., Farkas, I., Vicsek, T. (2000). Simulating dynamical features of escape panic. In: Nature 407: 487–490.

Kootstra, F. & Molag, M. (2003). Applicability of Physical Effect Models for Accident Scenarios in Tunnels. Apeldoorn: TNO.

Li, S., Harvey, N. (2001). Simulation of escape from road and rail tunnels using SIMULEX. In: A.E. Vardy (ed.), Proc. of Safety in Road and Rail Tunnels, Madrid, Spain, 2–6 April 2001: 323–334. Bedford: University of Dundee.

Ministère de l'Interieur (1999). Mission administrative d'enquête technique sur l'incendie survenu le 24 mars 1999 au tunnel routier du Mont Blanc. http://www.equipement.gouv.fr/actualites/rapport_tmb.htm

Ministry of the Interior (1995). Fire Safety Concept. The Hague: Ministry of the Interior, Directorate Fire Services and Crisis Management.

Molag, M. (2001). Scenario Analysis for the Leidsche Rijn Tunnel Options. Apeldoorn: TNO.

Rhodes, N. (1998). The accuracy of CFD modelling techniques for fire prediction. In: A.E. Vardy (ed.), Proc. of the 3rd International Conference on Safety in Road and Rail Tunnels, 9–11 March, Nice: 109–115. Bedford: ITC/University of Dundee.

Rylands, S., Davis, P., McIntosh, A.C. & Charters, D.A. (1998). Predicting Fire and Smoke Movement in Tunnels Using Zone Modelling. In: A.E. Vardy (ed.), Proc. of the 3rd International Conference on Safety in Road and Rail Tunnels, 9–11 March, Nice: 127–138. Bedford: ITC/University of Dundee.

Steyvers, F.J.J.M., Waard, D. de, Brookhuis, K.A. (1999). General Aspects of Tunnel Use and Safety (in Dutch). COV 99-09.

Van der Torn, P. (to be published).

VROM (1979). Omgaan met Risico's (Dealing with risks, in Dutch). The Hague: Ministry of Housing, Spatial Planning and the Environment.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Risk based maintenance of civil structures

G.H. Wijnants
TNO Building Research, Dept. Civil Infrastructure, Delft, Netherlands

ABSTRACT: The use of risk based maintenance approaches for civil structures is today limited to relatively few specific cases. Nevertheless, application of the methodology provides the means needed in present society, where ageing constructions, multiple use of the built environment and increasing intensity of transport and travel introduce the need to reassess and manage the safety of the situation encountered.

This article presents the requirements that have to be met in order to incorporate enduring, cost-effective risk assessment procedures in the risk management of large structures – with many components and approaches – by combining various approaches in one information model. The volatility of present cost-intensive risk assessment methods, which disables many applications, is tackled by categorising the determining factors using "typicals".

1 INTRODUCTION

1.1 Risk management principle

The principle of risk management in order to manage both ongoing costs and failure probabilities is clearly gaining acceptance and interest. Important leaps have been made in the last decade due to the awareness in industry that risk based maintenance strategies provide a basis for knowledge management while complying with the need for cost-effective processes. The fact that approaches have been found in which encountered results can be reviewed from practical perspectives, without "black-box" assessment types, has finally transformed scepticism into support for rational approaches.

In the process of civil maintenance management, nevertheless, the use of risk management concepts is still mostly limited to processes where priorities have to be set for quality management during construction and safety control. An explanation for the lack of use of risk concepts during the maintenance phase can be found in the fact that the failure probabilities are related to safety measures for structural failure and are therefore set so low that the effect of common maintenance procedures is hard to link to those probabilities. Besides, the empirical approach followed in most maintenance processes does not comply well with probabilistic approaches.

In order to integrate the benefits of rational risk-based approaches in the empirical maintenance process, a couple of barriers have to be addressed and tackled. One dominant barrier is the inaccessibility of deterioration models; another is the elaborateness of risk calculation procedures and the volatility in time of the data incorporated. Nevertheless, since it is only cost efficient for a few situations to require detailed analyses, while most situations can adequately be approached using straightforward first-order failure and risk predictions, an approach that combines the strengths of both will provide clear yields. As a first step to such an approach, the requirements that have to be met are to be stated and integrated in one approach.

2 REQUIREMENTS

The requirements to be met by risk-based maintenance information models are stated here. These requirements will be illustrated by examples in section 3.

2.1 Durability of input parameters

The circumstances of use that determine the deterioration mechanisms and the consequences of failure vary with time. Since a durable approach that describes reality is needed, the parameters involved should have a specific durability against changes with time. This means that decisive parameters are to be categorised in clearly discerned groups in order to provide descriptions that are change resistant, easily recognisable and hence easy to maintain.

09048-W-06.qxd 5/15/03 8:26 PM Page 1707

Page 272: paper126c-balkema

2.2 Mutual compatibility of multilevel approaches

The deterioration mechanisms present can be described accurately by incorporating many detailed influence factors, while on the other hand in many cases effective values using integrating parameters provide sufficient accuracy. Therefore first-order deterioration models should be applicable that are upgradeable to second- and third-order approaches when increased accuracy and detail are beneficial. Of course, in order to safeguard safety, the first-order models should provide a more extreme image in comparison with the more detailed approaches.

2.3 Unambiguous risk assessment criteria

In order to provide unambiguous effect assessments in comparison with other risk assessment models used, the effects accounted for in the models should comply with the approaches used in the assessment of other safety systems. This implies that the most crisp consequence assessment methods will prevail above qualitative methods. In this case the IEC 61508 assessment method is viewed as having the best qualifications for a leading role.

2.4 Delivery of an “HSE operating window”

The possibility of maintenance approaches that are safe (with respect to legal requirements for Health, Safety and Environment, “HSE”) but nevertheless pay too little attention to the economic risks should be tackled. Hence, within the boundary values imposed by HSE measures, optimisation of the integral costs of maintenance and failure should take place.

2.5 Tagging of actual, agreed and optimal situation

In order to enable optimisation evaluations, maintenance intervals that have been determined by cost-effective clustering with other activities should be clearly discernible from those activities that have an excessive maintenance demand or a shortage in maintenance. These three states of every maintenance system should be clearly discernible in order to facilitate efficient evaluations.

3 APPROACH

The following straightforward approach, with a focus on maintenance interval assessment, has been implemented in actual practice and has yielded effective results over approximately 4 years now.

3.1 Quantitative deterioration prediction

The deterioration mechanisms to be expected are to be evaluated by quantitative measures. The bottom line is a level I approach, which has the following characteristics.

It contains four predictability levels, 4 to 1, comparable with cost prediction levels (see Nowak A.S. 2002), that relate to an absolute effective deterioration rate. These levels have the following qualities: 4 = ±100%, 3 = ±50%, 2 = ±25%, 1 = ±10%. This can be described by predictability qualifications: 4 = “bad”, 3 = “average”, 2 = “good”, 1 = “very good”. One should be aware that this approach facilitates the description of situations with extreme behaviour between “no deterioration” and “extreme deterioration”. These can be described by “bad prediction” and the “effective deterioration rate”, represented by the centre value.

When this level I approach is too costly due to its inaccuracy, a more accurate prediction of the deterioration process needs to be filled in. This process is characterised by validated descriptions of mechanisms, such as the S-N curves for fatigue in specific cases.

3.2 Tagging deterioration mechanism

The deterioration mechanisms ought to be tagged by a “pattern-tag”. This tag is needed in order to prove that the underlying mechanisms are understood and accounted for. Therefore discrimination into the following mechanisms is needed in order to enable predictions: a) time-of-use dependent behaviour (typically gradual corrosion processes), b) load dependent behaviour (typically mechanisms such as fatigue-related deterioration processes), c) case-type behaviour (typically incident mechanisms like collateral damage up to a specific impact level, which cannot be foreseen but can be predicted using statistics) and finally d) non-trendable mechanisms.

The difference between c) and d) is that the “non-trendable” mechanisms are labelled as mechanisms that can cause overrun of the reliability limits that are to be met, even while maintenance is well performed.

All mechanisms a) to c) can be described by means of “overall” terms, using effective values. When a more accurate prediction is needed, which may result when there is a need to assess the possibility of delaying planned preventive measures, a fitness-for-purpose approach needs to be implemented by introducing FORM or SORM methods.

An implementation of a maintenance system by means of a level I approach provides a “quick scan” when compared with the actual maintenance situation, thus enabling in a second step a more thorough evaluation of the items that appear to present risk.


3.3 Recognisable category sizes that last

Unambiguous effect determination can only be achieved by creating effect categories that are clearly discernible given the variations in the actual “situation of use”. As an example: a common quantity such as “the number of passengers that are subject in traffic to a certain type of incident” can increase over the years by up to 15% per year (or 100% in 5 years). Hence it will be clear that an increment in effect size by a factor of 10 can provide both durability of data for a period of at least 5 years and prevent ineffective discussions. For example, for maintenance purposes, for which the serviceability limit state (SLS) is of interest, a cost category listing in groups as Catastrophic, Critical, Large, Marginal, and Negligible (respective limits 1 Ma; 0,1 Ma; 10 ka; 1 ka; smaller than 1 ka) will provide guidance. Within the SLS area, effects on health and environment are to be integrated into these categories as well.

3.4 Optimisation in “HSE maintenance window”

Within the maintenance intervals provided by safety requirements, the remaining failure rates and failure effects can still be responsible for excessive financial losses. Therefore, within the time limits imposed by the “HSE maintenance window”, the cost-optimal interval is to be determined by assessing the minimum of preventive and corrective costs as a function of the interval.

Clearly the resulting interval does not bear an “imperative” but a “preferable” status.

The approach to be used for the cost optimisation needs to be unambiguous and not sensitive to personal interpretation. Primary direct effects of failures and secondary effects of repair actions are to be taken into account. For example, for traffic flow this secondary effect can be assessed by incorporating the effects of incident rate and delay (both for users and equipment) into total costs C (see Ehlen 1997).

with the parameters: number of days of work N, number of passing vehicles Adt, length of affected road L, normal and reduced traffic speed Sn and Sr respectively, R = average hour costs of the car + hour costs of the transported people, Ca the average costs per car due to an accident, and An and Ar the average incident day-rate per km during normal conditions and during road repair activities respectively.

3.5 “Ist”, “Soll” and “Darf” approach

In order to facilitate clear assessment of the actual situation, which in this case relates to intervals, the following system states need to be defined and retrieved in any risk assessment system: the “Ist” interval, which is encountered in the actual operational situation; the “Soll” interval, which represents the result of obligatory and optimisation procedures (internal factors); and finally the “Darf” interval, which represents the ultimate value as resulting from legislative requirements (external factors). When evaluations take place, it should be clear at all times which characteristic intervals need to be compared with each other.

4 STEP BY STEP METHOD

In order to implement a risk-based approach a clear sequence of steps is recommendable in order to structure the process. A number of these steps are elucidated in the case descriptions in section 6.

The steps A–E discussed here are shown in fig. 1.

(A) Determine work packages (for example inspection and repair of the inspected unit) that can effectively be treated as one approach within an “integrity unit”. Such a package includes tasks that need to be taken into account and yet may be skipped during the actual process.

(B) Determine criteria for status assessment on “unit level”, incorporating the possibility of groups of defects.

(C) Determine deterioration mechanisms and accompanying acceptance limits for defects.

(D) Determine ultimate maintenance intervals based on Health, Environment and Safety precautions (HSE window).

(E) Determine maintenance intervals based on cost-effectivity criteria, including activity clustering.


Figure 1. Steps for assessing unit level in RBM approach.


5 METHODOLOGY

In the methodology used, the assumption is made that the maintenance methods that have been selected comply with the specified performance and cost characteristics in that situation. This implies that evaluations have already taken place like the one shown in fig. 2, in which the effectivity of various maintenance concepts is evaluated, resulting in the selection of the appropriate approach.

So within the step-by-step method, only those maintenance processes are used that have proven to be effective.

So the problem definition is in this case: “given a specific set of effective maintenance procedures and a structure with specific deterioration characteristics, how often should specific tasks be applied?”

This question mainly focuses on determination of the rate of deterioration for a specific structure.

The methodology to tackle this question is depicted in the scheme shown below in fig. 3. One should note that in reality not all information is readily present in the format as displayed.

6 CASE DESCRIPTIONS

The following cases illustrate steps discussed in section 4. Accompanying models that are needed may differ


[Figure 2 plot: Probability of Failure (vertical axis, −0,2 to 0,8) against Structure Age (Year) (horizontal axis, 0 to 60); series: without maintenance, with essential maintenance, with preventive maintenance, target level]

Figure 2. Probability of Failure for various maintenance approaches (Ying 2002).

Figure 3. Integration scheme for deterioration mechanisms and failure effects.


widely and are therefore not discussed in this framework.

6.1 Painted steel bridges

In this case the definition of a cost-effective work package (step A) and the subsequent steps (through E) will be discussed.

In the case of painted steel bridges the deterioration mechanisms that ought to be addressed in the first step are the deterioration of the steel itself due to lack of coverage, and the deterioration of paint due to the effects of shrinkage and cracking as influenced by weather circumstances.

A reliability approach based on constructional failure is clearly linked to damage mechanisms in which relatively large surfaces of the bridge will show corrosion (for a level III approach see Nowak 2002).

Without going into detail, it will be clear that the costs of repainting processes increase rapidly with the amount of corrosion. If this is not clear, then it should strike the eye when viewing fig. 4.

Let us consider the perspective “under the circumstance that painting should be as cost-effectively planned as possible, with the boundary condition that cost-intensive corrective strengthening procedures are to be avoided”. This approach clearly lies within the boundaries set by reliability requirements. A cost-effective approach in this case clearly provides a different view, especially when cost calculations incorporate secondary effects like traffic delay (see Purvis 1999).

The optimisation that then takes place (step E) balances the costs that follow from interval reduction and job repetition against the increase in costs that arises due to the increasing intensity of paint and derusting activity in order to recuperate the layer.

In this case the definition of a cost-efficient work package leads to restrictions that lie so clearly within reliability boundaries for the structure that exploration of the reliability details can be omitted.

6.2 Sewerage system

In this case of a buried sewerage system the maintenance typicals are defined as follows: periodic inspection by means of a preventive cleaning task followed by a camera inspection.

The acceptance limits that are needed in order to decide upon the optimal maintenance interval are determined by the following criteria: a) the groundwater level on a section of 1 acre may not be changed by more than 0,1 m due to leaking into the sewerage system. This leads to an acceptance criterion based on effective performance criteria which are situation dependent. b) blocking occurring due to deformation is allowable up to the amount of excess capacity incorporated, which is typically 25%.

The failure mechanism that is dominant in this case, a concrete system, is leakage due to settling of the individual tubes. This mechanism (type a; gradual behaviour with time) has clearly predictable behaviour (overall rate: 0,01 m/yr.); corrective action will involve the system, not just parts.

Step A yields the “assessment unit level” in this case: from T-joint to T-joint (multiple tubes; typically 16–160 cm Ø; inserts that are not able to “switch off” the infrastructure when being taken out of service are not being considered).

Using a level I assessment of the development of the failure rate for the system (step C; transferring settling rates to a prediction of misfit-aperture size and leakage rates) can lead to an assessment interval of 20 yr. (step D).

Using a repair decision criterion “functional acceptance criterion for new systems” (after inspection the system should be fit for another 20 yr), step D results in a 20 yr interval, with a “functional level = ‘as new’” acceptance criterion.

Within the timeframe of this HSE window, step E, the economic perception, yields the following perspective: costs of inspection are smaller than 1% of a corrective measure (digging).

The time from initiation of leakage to exceeding the leakage level can be determined to be 4 yr.

Incorporating step E within the HSE window enables delay of corrective actions when adapting the acceptance limits. Since the costs involved are clearly smaller than the interest rate on corrective costs, inspection is clearly a cost-effective measure, complying with the functional requirements within the HSE window.


Figure 4. Cost increment as a function of maintenance level (100% = “well maintained”) (Nowak 2000).


7 CONCLUSIONS

An approach has been presented in which a cost-effective implementation of timely maintenance tasks has been the starting point in order to implement a risk-based maintenance strategy.

The examples presented have shown that the following aspects need to be implemented in models in order to decide on cost-effective scenarios:

– the borders set by functional requirements yield a set of acceptance limits and maintenance intervals.

– within the borders set by functional requirements, cost optimisation with another set of both acceptance limits and maintenance intervals is possible.

– requirements applied should be clearly linked to limits and intervals determined in order to facilitate an unambiguous approach that meets the requirements set.

– the increase of labour effort with time (in terms of costs/m2) has to be modelled in order to yield an adequate description of the actual situation, an effect that has been passed over by previous approaches.

REFERENCES

Nowak A.S. and Thoft-Christensen P. 2002. In “International Contribution to the Highways Agency’s Bridge Related Research”, Thomas Telford Publications, London.

Purvis R.L. 1999. “Integrating Preventive Maintenance Management into BMS”. Proceedings international bridge management conference 1998. Denver, Colorado. April 26–28, 1999.

Li Y. and Vrouwenvelder T. 2002. “Probabilistic inspection and maintenance for concrete bridge structures”. Proceedings of the First International Conference on Bridge Maintenance, Safety and Management IABMAS 2002. Barcelona, 14–17 July 2002.

Ehlen Mark A. 1997. “Life-Cycle Costs of New Construction Materials”. Journal of Infrastructure Systems, Vol. 3, No. 4, 129–133, December 1997.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Modelling a probabilistic safety management system for the Eastern-Scheldt storm-surge barrier, the basin and the surrounding dikes

A. Willems & P.B. Webbers
Ministry of Transport, Public Works and Water Management, Department of Risk Analysis, Netherlands

ABSTRACT: The Dutch government wants to have a computer model that calculates the annual probability of flooding of the area around the Eastern-Scheldt. This model should also be able to determine the impact of maintenance and control management of the Eastern-Scheldt storm-surge barrier and the dikes surrounding the basin. In this paper an approach is presented to obtain a model of this so-called safety management system using the design tool IDEF0. The model consists of a deterministic description of the system and will be translated into annual probabilities using Monte Carlo (MC) simulation.

1 INTRODUCTION

1.1 Background

The Eastern-Scheldt storm-surge barrier was built from 1979 to 1986 to protect the south-west of the Netherlands against flooding. It consists of 62 moveable steel gates which only close in case of (expected) high water levels.

Together with the dike rings surrounding the Eastern-Scheldt, the second flood defence line, the Eastern-Scheldt storm-surge barrier forms the defence system that protects the hinterland against flooding. Of course, this flood defence system must be very reliable to guarantee an acceptable safety level of the hinterland. The Dutch government accepts a maximum annual probability of flooding of 2.5 × 10⁻⁵ for the storm-surge barrier and dikes surrounding the Eastern-Scheldt, and a maximum annual probability of flooding of 2.5 × 10⁻⁴ for the compartment dams. The reliability of the storm-surge barrier and dikes must be determined at least once every five years to see if they still meet these safety requirements.

In case of an oncoming storm the expected water levels on the Eastern-Scheldt are calculated by a water movement computer model. If the expected water level exceeds NAP¹ +3.0 m the model will advise to close all 62 gates. For the Eastern-Scheldt storm-surge barrier the so-called “changing strategy” is in use for environmental considerations. This strategy implies specific moments of closing and opening of the barrier. These moments lead to the adjustment of an average water level on the Eastern-Scheldt changing from NAP +1.0 m to NAP +2.0 m to NAP +1.0 m et cetera.

It is important to emphasise that the moments of closing and opening of the barrier, given by the model, are only meant as advice and should be evaluated and executed by humans. This is in contrast with the Dutch Maeslant storm-surge barrier near Rotterdam, which closes and opens fully automatically. There is one exception, however: in case the water level near the Eastern-Scheldt storm-surge barrier actually reaches the level of NAP +3.0 m, all 62 gates close automatically. This is called the “emergency closure”.

Both the manual closure and the backup emergency closure are tested twice a year. Since 1986 the barrier has been closed twenty times for safety reasons.

Figure 1. The Eastern-Scheldt storm-surge barrier.

¹ Dutch reference plane.


Due to sea level rise, settlement of the bottom level and deterioration of materials, the flood defence system must be maintained every year in order to keep up to the required reliability levels. Nowadays, the regular checks on reliability of the storm-surge barrier and the dikes are done separately. Good insight into the interactions between the reliability of both structure types in the total system is preferable. Since maintenance of both barrier and dikes is expensive, the economic benefit of such insight could be significant. For example, changing the closing strategy or maintenance of the storm-surge barrier could possibly make heightening of the dikes unnecessary for many years.

1.2 Problem

From an economic point of view, optimisation of maintenance for the whole flood defence system is more profitable than doing this for the individual parts separately. To make this optimisation possible we should be able to calculate the over-all reliability of the flood defence system and determine its impact on maintenance costs.

The Dutch government wants to have a computer model which can automatically calculate the reliability of the flood defence system in probabilistic terms. This model must be compatible with both existing and future tests of dikes. Of course, it must be able to determine the effects of maintenance on the reliability of the flood defence system. An additional preferable feature is the determination of effects on the reliability due to changes in the closure strategy of the barrier. In other words, it would like to have a computerised safety management system (SMS).

One of the difficult matters is the time-dependency of the system in combination with the uncertainty of the water movements in the Eastern-Scheldt during a storm. For example, failure of the storm-surge barrier does not necessarily have to lead to flooding of the hinterland. This depends, among others, on the type of storm, the local water depths, the strength of the dikes and the capacity of the Eastern-Scheldt basin. Since this capacity is not exactly known, it is not only difficult to predict if flooding takes place, but also when this takes place.

An additional difficulty is the large number of different storm types, together with the number of failure modes of the storm-surge barrier, for which the behaviour of water in the Eastern-Scheldt should be modelled. Furthermore, since only a very small number of these storms may lead to flooding of the hinterland, the SMS model should be able to deal with small probabilities.

It is therefore an interesting challenge to develop a computerised SMS which takes into account the interaction between the reliability of a storm-surge barrier and the reliability of the dikes lying behind the barrier.

Especially since the same principle could be used for other storm-surge barriers, e.g. the Dutch Maeslant storm-surge barrier.

1.3 Approach

The first step in developing a computerised SMS is describing the system that has to be modelled. Another important aspect is the outcome of the model. It should obviously be a probabilistic measure of safety against flooding of the hinterland (the “safety level” of the system), but which measure should be taken?

Secondly, an overview of the state of the art is necessary: which studies have been made related to this subject and which useful methods and models already exist?

The third step is to describe a relationship between the suitable methods to determine the reliability of the storm-surge barrier and the reliability of the dikes. In fact, all relevant relationships within the system should be described. For this purpose the so-called IDEF0 method is used. Consequently, the system is described in a deterministic way. The necessary translation to a probabilistic outcome will be accomplished by using a Monte Carlo (MC) simulation technique.

To limit the amount of work some simplifications are carried out in modelling this complex system. The IDEF0 description will be used to see the effect of each simplification on the over-all model.

At this stage the impact of maintenance of the storm-surge barrier and dikes on the safety level is not yet taken into account.

2 SAFETY MANAGEMENT SYSTEM

2.1 System description

The system that needs to be modelled incorporates the North Sea, the Eastern-Scheldt storm-surge barrier, the Eastern-Scheldt basin, the surrounding dike rings 26–31 and four so-called compartment dams, i.e. Grevelingendam, Philipsdam, Oesterdam and Zandkreekdam. The system boundaries are shown in figure 2.

Basically the relevant sequence of actions within the system can be described as follows:

– A storm occurs, which causes a water level rise near the Dutch coast;

– If necessary, the storm-surge barrier has to close all 62 gates;

– If the barrier works properly the amount of water in the Eastern-Scheldt basin will only increase due to leakage through the barrier;

– The dikes surrounding the basin have to prevent flooding of the hinterland.


However, if the barrier fails to close all 62 gates, an extra amount of water will leak through the barrier. This will lead to higher water levels in the basin. Consequently, the loads on most of the dikes increase and flooding of the hinterland will become more likely.

2.2 Safety level

The safety level of the SMS can be determined using system reliability techniques. In this context the safety level of the system is the same as its reliability, so we can define a so-called undesirable top event. Occurrence of this event can be seen as failure of the system. In this way the safety level of the SMS is equivalent to the probability of occurrence of the undesirable top event.

Looking at the required safety levels of the system used since the design of the storm-surge barrier, we see some significant differences.

For the design of the barrier a maximum probability of failure of the system of 10⁻⁷ per year has been used (see Road and Hydraulic Engineering Division (1994)), while BARCON (1985) uses 2.5 × 10⁻⁵ per year. The first requirement, however, corresponds with the undesirable top event of exceeding the average water level on the Eastern-Scheldt of NAP +4.3 m, while the second one corresponds with exceeding NAP +3.5 m. More recently, in 2000, the occurrence of a “flood disaster” has been used as the undesirable top event, and has been set to a maximum probability of 10⁻⁷ per year by the Directorate Zeeland (2000).

In defining the undesirable top event of the SMS, structural failure of the storm-surge barrier is left out of consideration. For, however undesirable an event it may be, the safety system does not always fail if the storm-surge barrier (partly) fails. Failure of the SMS does not take place before at least one of the dikes surrounding the Eastern-Scheldt fails.

Therefore we use the undesirable top event “failure of one or more of the dike rings surrounding the Eastern-Scheldt basin”. Since an important feature of the model will be the compatibility with both existing and future tests of dikes, by failure we mean the occurrence of one of the failure modes summed up in Table 1.

2.3 Existing studies, methods and models

Since the design of the Eastern-Scheldt storm-surge barrier a long list of articles has been published. Studies have been made of the reliability of the storm-surge barrier (Van den Beukel & Kooman (1980), BARCON (1985)) and its control (Vereeke and Vroon 1999). Calculation methods to determine the reliability of the dikes are also known (TAW (1999), Vrouwenvelder et al. (1999)). To calculate the water levels on the Eastern-Scheldt several water


[Figure 2 diagram: North Sea – storm-surge barrier – Eastern-Scheldt basin – Dikes]

Figure 2. Boundaries of the safety system.


movement models can be used, i.e. Simplic (used in BARCON (1985)) and Implic. The latter one has been used to determine the reliability of the dike revetments by calculating the water levels near the dikes for all possible storm types, taking into account the probabilities of occurrence per storm (Stroeve F.M. 2000). Determination of the reliability of the dikes while taking into account a (partly or completely) failed storm-surge barrier is not common practice.

For practical reasons the focus is on using existing methods and models as much as possible during building of the SMS. This does not only reduce the amount of work; it will probably also reduce some of the “teething problems” that exist when developing a completely new model. On the other hand, the problem in using existing models and methods could be the lack of compatibility between them. To control this problem as much as possible we have made use of a design tool called “IDEF0”.

2.4 IDEF0 method

IDEF0 is a method designed to model the decisions, actions, and activities of an organisation or system. IDEF0 was derived from a well-established graphical language, the Structured Analysis and Design Technique (SADT). The United States Air Force commissioned the developers of SADT to develop a function modelling method for analysing and communicating the functional perspective of a system. As a communication tool, IDEF0 enhances domain expert involvement and consensus decision-making through simplified graphical devices. As an analysis tool, IDEF0 assists the model designer in identifying what functions are performed, what is needed to perform those functions, what the current system does right, and what the current system does wrong.

With IDEF0 we managed to combine the relevant aspects of the safety system into one integral model, such as the storm variables, the water movement, the failure of the storm-surge barrier and dikes and the occurrence of flooding.

3 SMS MODEL

3.1 Monte Carlo simulation

The annual probability of occurrence of the top event is the applied measure for the safety level of the hinterland. However, due to the complexity of the system this annual probability is not easily determined analytically. Therefore MC simulation will be used. As mentioned in the introduction, the model should be able to deal with small probabilities of occurrence. At this stage it is not clear to what extent the “traditional” MC will be sufficient for reliable calculations, or whether we will have to use directional sampling techniques in order to reduce the number of MC runs.

3.2 Monte Carlo model

The over-all SMS model will be built as an MC model. The core of this MC model is a deterministic system describing a storm, the following water movements, the working of the storm-surge barrier and whether or not the top event occurs.

The deterministic variables are drawn from probability density functions. By running the model a large number of times (for example 10,000 times) and checking for every run whether or not the undesirable top event occurs, the percentage of runs in which this event does occur can be considered as its probability of occurrence. This can be done per year. The model will be set up in such a way that the impact of maintenance and management (for example the closing strategy) can easily be taken into account by changing the probability density functions of the state of the dikes, the state of the barrier or the moment of closing the barrier. Figure 3 shows the diagram of the SMS model.

3.3 Deterministic system description

In figure 3 the inner block represents the deterministic description of the system. This description has been made using IDEF0.

IDEF0 has the feature to describe the model on different levels of detail. Parts of the model can be zoomed in or zoomed out. The complete model has been described in IDEF0 schemes. In this paper we will only show two levels of detail, named A-0 and A0; see figures 4 and 5.

Figure 4 shows the highest level of the model. One block represents the action "determine whether or not the undesirable top event takes place". The input consists of the water depths and capacity of the Eastern-Scheldt basin, together with the wind parameters and the astronomical tide. The output consists of not only the (non-) occurrence of the undesirable event, but also of the renewed water depths and remaining capacity of the basin. This is where the time-dependency should be taken into account. The model represents the working of the system for a time interval [t_n, t_n+1]. During this interval water comes in from the North Sea to the Eastern-Scheldt basin. The amount of water depends on the number of square meters opening in the storm-surge barrier, which, in turn, depends on the number of steel gates that failed to close plus the leak of the barrier. So, after a period of time the water depths and remaining capacity of the basin have changed and should be renewed and used again for modelling the time interval [t_n+1, t_n+2].

Table 1. Failure modes of a dike ring (Vrouwenvelder et al. 1999).

Overtopping
Wave overtopping
Slip circle inner slope
Slip circle outer slope
Erosion outer slope
Failure revetment and erosion core
Macro instability outer slope
Macro instability inner slope
Micro instability inner slope
Burst of cover layer and piping
Failure of constructions in the dike

The same goes for the state of the storm-surge barrier (the number of failed gates or other parts of the barrier) and the number of square meters opening. As stated above, this information is necessary for determining the amount of water coming from the North Sea into the Eastern-Scheldt basin and should also be used again for the next time interval. This iteration continues until the end of the storm, or until the undesirable top event takes place.

The determination of the relevant hydraulic variables, e.g. Hs and Tp, the state of the storm-surge barrier, the remaining capacity of the basin and the water depths is described in figure 5.

3.4 Modelling water movements

As mentioned in paragraph 2.3, apart from whether or not the undesirable top event occurs, the steps in figures 4 and 5 have been done before by Stroeve (2000). Using the computer model Implic for modelling the water movements in the Eastern-Scheldt, water levels near the dikes have been determined for 3600 different storm types. These calculations were made based on a fully closed barrier. Closing the barrier manually according to the computer advice as well as the emergency closure has been taken into account.

We can use these results for the situation in which all 62 gates of the barrier work properly. In case one or more of the gates fail to close, the impact on the water levels is unknown. New (computer) calculations should be made for each combination of the number of failing gates and the type of storm. This would result in 3600 × 62 = 223,200 calculations. However, the moment of gate failure and the duration of failure are also important. The number of combinations will increase enormously if all these options are taken into account. Simplifications are necessary in order to reduce the amount of calculations.

3.5 Simplifications

Figure 4. IDEF0 A-0 scheme of the SMS. [Figure: one block A0 "Determine whether or not the undesirable top event occurs"; arrows: remaining capacity basin and water depths [t_n], wind and astronomical tide [t_n], condition barrier and dikes [t_n], closing strategy barrier; outputs: occurrence top event (yes/no) and condition dikes [t_n+1], condition barrier and # m2 opening [t_n+1].]

Figure 3. Diagram of the safety management model. [Figure: for X simulations (f.e. 10,000) in year n: draw a storm, draw hydraulic variables, draw # failed barrier gates and draw strength dikes from the probability density functions of storms, hydraulic variables and bathymetry NS + Eastern-Scheldt, state of the barrier and state of the dikes in year n (with closing strategy in year n and maintenance of barrier and dikes until year n); feed them to the deterministic system description (IDEF0); record occurrence of the undesirable top event yes/no; result: probability of occurrence of the undesirable top event in year n.]

In order to model the system properly and keep the number of required calculations within bounds, simplifications have to be made. The most important ones are the following:

– Failure of the storm-surge barrier means failure of one or more of its gates. Other failure modes like structural failure will not be taken into account.

– Failure of the storm-surge barrier can only take place while closing or opening the barrier.

– The number of failing gates is categorised into 1, 2, 3, 4 and more than 4. The last category is set to all 62 gates.

– The duration of failing is categorised into less than 1 hour, 1 closing operation (about 12.5 hours) and longer than 1 day.

– The position of a failing gate is not relevant.

The moment of failure has not been simplified yet. First the idea was to consider each failure of a gate during a storm at the beginning of that storm, but that will probably be too conservative.

Another simplification was that failure to open the barrier would not be relevant for the flood risk. However, since the closing strategy uses the opportunity to sluice water out of the Eastern-Scheldt basin into the North Sea during the "low tide-period" in a storm, opening the barrier could be relevant to reduce the risk of flooding.

In one of the further steps these simplifications will be checked and determined by making some calculations using Implic.
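To make the procedure of sections 3.2, 3.3 and 3.5 concrete, here is an added example (not the SMS model and not code from the Delft project) that runs a constructed toy version of the deterministic system inside a crude MC loop and reports the standard error of the estimated annual probability, which is the small-probability problem raised in section 3.1. The gate areas, basin area, storm shape and all probability density functions are assumptions for illustration only; the 62 gates and the gate-failure categories are taken from the paper.

```python
import math
import random

# From the paper: the storm-surge barrier has 62 steel gates, and the
# simplification of section 3.5 lumps "more than 4" failed gates into all 62.
GATES = 62
GATE_CATEGORIES = [0, 1, 2, 3, 4, GATES]

# Everything below is a constructed toy system, not the Implic water-movement
# calculations and not the SMS model's real input figures.
GATE_AREA_M2 = 500.0     # assumed opening area per failed gate
LEAK_M2 = 100.0          # assumed leak of the fully closed barrier
BASIN_AREA_M2 = 3.5e8    # assumed surface area of the Eastern-Scheldt basin
DISCHARGE_COEF = 0.9     # assumed discharge coefficient of the openings
STORM_HOURS = 24         # assumed storm duration; one time interval = 1 hour
G = 9.81


def sea_level(surge_m, hour):
    """Constructed North Sea level: a half-sine storm surge on top of a
    semi-diurnal astronomical tide with 1 m amplitude."""
    tide = math.cos(2.0 * math.pi * hour / 12.42)
    return surge_m * math.sin(math.pi * hour / STORM_HOURS) + tide


def top_event_occurs(surge_m, failed_gates, dike_level_m, basin_level_m=0.0):
    """Deterministic system description (the inner block of Figure 3).

    Steps through the storm interval by interval [t_n, t_n+1]: water flows
    through the open area of the barrier (failed gates plus leak), the basin
    water level is renewed and carried over to the next interval, and the
    iteration stops at the end of the storm or as soon as the basin level
    reaches the dike level (the undesirable top event).
    Assumption: gates fail at the start of the storm, the conservative option
    mentioned in section 3.5; the position of the gates is irrelevant there too.
    """
    open_area = failed_gates * GATE_AREA_M2 + LEAK_M2
    level = basin_level_m
    for hour in range(STORM_HOURS):
        sea = sea_level(surge_m, hour)
        head = sea - level
        flow = DISCHARGE_COEF * open_area * math.sqrt(2.0 * G * abs(head))  # m3/s
        delta = flow * 3600.0 / BASIN_AREA_M2  # change of basin level, m per hour
        if head >= 0.0:
            level = min(level + delta, sea)  # inflow from the North Sea
        else:
            level = max(level - delta, sea)  # sluicing out during low tide
        if level >= dike_level_m:
            return True
    return False


def draw_gumbel(rng, loc, scale):
    """Gumbel variate, a common choice for annual storm surge maxima."""
    return loc - scale * math.log(max(rng.expovariate(1.0), 1e-300))


def standard_error(p_hat, n_runs):
    """Standard error of a crude MC probability estimate."""
    return math.sqrt(p_hat * (1.0 - p_hat) / n_runs)


def runs_needed(p, relative_error):
    """Runs that crude ("traditional") MC needs for a given relative standard
    error; for small p this is roughly 1/(p * relative_error^2), which is why
    section 3.1 considers directional sampling."""
    return (1.0 - p) / (p * relative_error ** 2)


def estimate_annual_probability(n_runs, seed=0):
    """Section 3.2: draw the stochastic variables of year n from (constructed)
    probability density functions, run the deterministic system, and take the
    fraction of runs with a top event as the annual probability of occurrence.
    Returns (estimate, standard error)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_runs):
        surge = max(0.0, draw_gumbel(rng, loc=1.5, scale=0.5))  # draw a storm
        failed = rng.choices(GATE_CATEGORIES, weights=[95, 2, 1, 1, 0.5, 0.5])[0]
        dike = rng.gauss(4.0, 0.3)  # draw strength dikes (crest level, m)
        if top_event_occurs(surge, failed, dike):
            hits += 1
    p_hat = hits / n_runs
    return p_hat, standard_error(p_hat, n_runs)


if __name__ == "__main__":
    p_hat, se = estimate_annual_probability(10_000)
    print(f"annual probability of the top event: {p_hat:.2e} (s.e. {se:.1e})")
    # A probability of 1e-4 with 10% relative error needs about 1e6 crude runs.
    print(f"runs for p=1e-4 at 10% relative error: {runs_needed(1e-4, 0.1):.0f}")
```

With these assumed distributions a top event needs a high surge together with the all-gates-failed category, so 10,000 runs yield only a handful of hits and a standard error of the same order as the estimate itself.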

4 PRELIMINARY RESULTS

At this stage the system description and model design have been made using IDEF0 schemes for all relevant levels of detail. We managed to use existing methods and models in a consistent over-all concept of the safety management system.

The IDEF0 method proved to be a powerful modelling tool. It is helpful in getting a complete overview of the system, especially the relevant relationships through all levels of detail. The IDEF0 schemes appeared to be very useful in making a project breakdown in such a way that different aspects of the model could be assigned to different project team members to be worked out, without losing compatibility.

In modelling the system one of the most difficult aspects was the time-dependency of the relation between failure of the storm-surge barrier, the following water movements and the failure of the dikes surrounding the Eastern-Scheldt. Some significant simplifications had to be made in order to reduce the number of calculations. Again, IDEF0 proved to be helpful in assessing the effect of each simplification on the over-all model.

There is still a lot to be done though. Some of the most important further steps are mentioned in the next chapter.

5 FURTHER STEPS

At this stage the system description and model design have been made. In building a computerised SMS, the following steps have to be made:

– Making test calculations to check simplifications.

– Choosing the proper MC simulation technique.

– Building a pilot model. This is a "quick prototype" of the model in which the most important relations are defined. The input numbers, however, are not revised.

– Testing the pilot model.

Figure 5. IDEF0 A0 scheme of the SMS. [Figure: blocks A1 "Determine hydraulic parameters [t_n]", A2 "Determine condition barrier and # m2 opening [t_n+1]", A3 "Determine remaining capacity basin and water depths [t_n+1]", A4 "Determine whether or not the top event occurs [t_n+1]"; arrows: condition barrier and # m2 opening [t_n], condition barrier and dikes [t_n], remaining capacity basin and water depths [t_n], wind and astronomical tide [t_n], closing strategy barrier, hydraulic parameters [t_n], condition dikes [t_n]; outputs: remaining capacity basin and water depths [t_n+1], occurrence of the top event (y/n) [t_n+1], condition barrier and # m2 opening [t_n+1], condition dikes [t_n+1].]

After testing the pilot model, we can decide whether or not the pilot model should be upgraded to a fully operational SMS model. In case it should, some of the input information and simplifications should possibly be reconsidered. This implies that the probability of failure of the storm-surge barrier should be calculated with the most recent information. In the end, the SMS model should be linked with maintenance models of both the storm-surge barrier and dikes in order to optimise the maintenance strategy for the whole flood defence system.

With the results presented in this paper a first step has been made in reaching that objective.

REFERENCES

BARCON project. 1985. Part report: Safety aspects of management of the storm-surge barrier in the Oosterschelde (Concept). Ministry of Transport, Public Works and Water Management, Directorate Zeeland. Middelburg.

Directorate Zeeland. 2000. 2nd generation Maintenance Plans Eastern-Scheldt storm-surge barrier. Starting-points document 1. Report no. E5897A152.OSK.

Road and Hydraulic Engineering Division. 1994. Design Plan Oosterschelde Storm-surge Barrier, Overall Design and Design Philosophy. Ministry of Transport, Public Works and Water Management, Rotterdam: Balkema.

Stroeve, F.M. 2000. Testing Framework for Block Revetments along the Eastern Scheldt (in Dutch). Ministry of Transport, Public Works and Water Management, Civil Engineering Division.

TAW. 1999. PC-Toets. PC-program Guidelines for Evaluating Safety (in Dutch). Technical Advisory Committee for Water Defences.

U.S. Airforce. 1993. Integration Definition for Function Modelling (IDEF0). Draft Federal Information Processing Standards Publication 183.

Van den Beukel, A. & Kooman, D. 1980. Failure Probability Analysis of the Eastern-Scheldt Storm Surge Barrier (in Dutch). Institute TNO for Building Materials and Constructions. Report no. B-80-62/62.3.2002. Delft.

Vereeke, S. & Vroon, J. 1991. Safe Tide, Maintenance and use of Storm Surge Barrier Eastern Scheldt, experience and adjustment (in Dutch). Ministry of Transport, Public Works and Water Management, Directorate Zeeland. Middelburg.

Vrouwenvelder, A.C.W.M., Steenbergen, H.M.G.M. & Slijkhuis, K. 1999. User's Manual PC-Ring (in Dutch). TNO-Bouw, Delft.


Reliability of vibration predictions in civil engineering applications

M.S. de Wit & P.H. Waarts
TNO Building and Construction Research, Delft, The Netherlands

P. Holscher
Geodelft, Delft, The Netherlands

H.G. Stuit
Holland Railconsult, Utrecht, The Netherlands

ABSTRACT: The reliability of vibration predictions distinguishes itself from other reliability problems because of the highly non-linear behavior of the underlying models. Over the last two years, a combination of four institutes in the Netherlands has studied the reliability of this type of predictions. For the sake of comparison, besides sophisticated computational prediction models, also simple empirical models and expert judgment were analyzed. The paper describes the experimental set-up and the results of the project. Conclusions are drawn about the reliability of the predictions and the reduction that may be achieved from an increase in model sophistication.

1 INTRODUCTION

In densely populated areas, damage and discomfort from vibrations is an important issue. Vibrations are generated by e.g. road and rail traffic, by construction activities like pile driving and sheet piling, and by industrial production processes. They may result in discomfort for occupants of buildings in the neighborhood, damage to these buildings and/or disruption of sensitive equipment.

For the construction and exploitation of infrastructural works, vibrations often are an impediment. To avoid trouble, it is customary in The Netherlands to predict vibration levels on the basis of calculation models at the beginning of or prior to the construction phase. The predicted levels are compared to target values in codes or guidelines.

Predictions can be made at various levels of sophistication. At one end of the spectrum are expert predictions without explicit models. At the other end are the multi-body and Finite-Element models, which have a strong basis in first principles. Empirical models are somewhere in-between. At present, the reliability of vibration predictions in situations of practical interest is unknown. It is even uncertain whether a sophisticated model gives more accurate results than a simple approach.

To gain more insight in these issues, a Delft Cluster research project was initiated with participants from four institutes in The Netherlands with an established reputation in the field of vibration prediction and measurement.

2 PREDICTION OF VIBRATION LEVELS

Just like sound, vibrations are a short disturbance of balance. Sound can be seen as a vibration of air. It is characterized by a power level in dB, a pitch and a frequency. The frequency reproduces the number of vibrations per second. This is expressed in Hertz (Hz). As for sound, the vibrations of solid objects (soil, buildings) are characterized by a vibration level and a vibration frequency in Hertz. Mostly the top value of the vibration velocity (vmax) is used for the assessment of damage to buildings due to vibrations. The effective value of the vibration velocity (veff) is mostly used for the assessment of nuisance for people in buildings due to vibrations.

Prediction of vibration levels can be done at various levels of sophistication. Here we distinguish three levels:

– without explicit models ("expert judgment")
– with an empirical model
– with a model derived from first principles

The first level concerns predictions which are made on the basis of experience without the help of explicit models. Predictions at this level are often elicited from specialists in cases where a quick and cheap assessment has to be made, e.g. to determine whether a problem may potentially occur or not. We will refer to this type of predictions as "expert judgments".

Empirical models are primarily constructed from experimentally obtained input/output data, with only limited or approximate recourse to laws concerning the fundamental nature and properties of the system under study. With this type of models predictions can be produced on the basis of concise and often coarse-grained input about the system.

At the highest level of sophistication are the predictions based on models which are derived from first principles. Among this type of models are the Finite Element Models (FEM) and the multi-body models, which are regularly used in vibration modeling. These models require detailed input and are generally expensive to build and to run. They are typically applied in alleged problem situations and/or to evaluate mitigating measures.

Models for vibration predictions commonly consist of three submodels, which are connected as shown in Figure 1.

The figure expresses that vibrations are generated by a source at one place, propagate through the soil by some mechanism and subsequently result in vibrations in a construction or building at another location. It is common practice to model the three subsystems separately, and to connect them afterwards to make predictions.

3 UNCERTAINTY

The central question in this paper concerns the reliability of vibration predictions. To answer this question, the uncertainty in the predictions has to be analyzed. This uncertainty may result from essentially four sources:

1. incomplete information about the specification of the (sub)system under study.

2. incomplete information about the input and boundary conditions of the (sub)system.

3. simplifications and approximations in the physical modeling of the (sub)system.

4. discretizations and approximations in the numerical modeling of the (sub)system.

As an example we consider the soil subsystem. When modeling the behavior of the soil, uncertainty from the first source is always present. Indeed, only limited information about the soil structure and properties is available in practical contexts. The second source also contributes to the uncertainty. First, there is the uncertainty in the input data from the source model. Second, the source model may not provide all required input/boundary conditions. Uncertainty from the third source is directly related to the modeling level discussed in the previous section. For practical situations, uncertainty from this source in case of a FEM modeling approach is expected to be small compared to an empirical modeling approach. Theoretically, the translation of the physical soil model into a numerical model may introduce extra uncertainty in the FEM approach, but we will assume here that this is a negligible contribution.

In the remainder of this paper we will refer to uncertainties from the first two sources as "parameter" uncertainty. Loosely stated, this is the uncertainty that arises from our limited knowledge about the state of the world: which system are we modeling and what exactly is driving it? Uncertainty from the third and fourth sources is addressed as "model" uncertainty. This uncertainty may be associated with our lack or neglect of knowledge about how the system works: given that we know the structure of the system, its properties and the forces driving it, what is the system's response? In practice, the distinction between parameter and model uncertainty is not always clear, especially as the models become more empirical. We will not dwell on this subject here. A more elaborate discussion can be found in Wit (2001).

In practice, uncertainty is not explicitly accounted for. Vibration predictions are point-estimates ("best guesses" or "conservative" estimates), which have an unknown deviation from the actual values. We write:

(1)

where:
vobs observed or actual vibration level
vpoint point estimate of vibration level
g correction factor
and consider g a random variable. If we assign g a probability distribution which, in the long run, matches the frequency distribution of vobs/vpoint, we may consider this probability distribution a measure of the (average) uncertainty in vibration predictions. Hence the approach in this paper will be to assess frequency distributions on the basis of recorded values for both vpoint and vobs in a large number of cases. Note that we assume here that the observed value vobs equals the actual value without observation error.

Figure 1. Subsystems in a model for the prediction of vibrations, and their connections. [Figure: source, soil and building blocks connected in that order.]

4 EXPERIMENTS

4.1 Introduction

As mentioned in the previous paragraph, we estimated the prediction uncertainty on the basis of a statistical analysis of values for vobs/vpoint, recorded in a large number of cases. In this process we distinguished between the three levels of sophistication mentioned in section 2. For each level we assessed the total uncertainty, i.e. the uncertainty in predictions:

– for the whole system including source, soil and building subsystem

– based on a level of information as commonly available in practice

For predictions on the basis of first principles models (level 3), a start was made to break down the total uncertainty into:

– contributions from the various subsystems
– contributions from the various sources of uncertainty (model versus parameter uncertainty)

In this paper only a partial breakdown was investigated as shown by Table 1.

All uncertainty assessments are based on statistical analyses of the ratio between measurements and predictions. Hence, predictions were collected for cases or situations where reliable measurements were or could be made available. In all cases it was seen to that the predictions were done without any prior knowledge of the measured values.

The next sections describe the experimental set-up for the three different levels of prediction sophistication separately.

4.2 Expert judgment (level 1)

As shown in Table 1 only the total uncertainty was estimated at this level. As experts do not use explicit models, decomposition of the uncertainty is not sensible.

Eight experts were selected as a representative sample of professional consultants active in the building and construction industry in the field of vibration modeling and/or measuring. The experts had to make 24 predictions of vibration levels in 7 different cases. These cases were selected from a large number of historical cases to form a representative section. All three subsystems were involved. The cases were described at a level of detail that is customary in practical situations. For a description of cases and measurements see Wit & Molenaar (2002).

To prepare themselves, the experts received global, qualitative information about the cases 2 days prior to the elicitation session.

The experts' assessments were obtained in an E(lectronic) B(oard) R(oom) session. The experts were located in the same room, each seated behind a separate computer connected to a network. All experts received the same information and explanation, and made their assessments solely on the basis of their experience and background literature they brought along. They simultaneously and independently entered their assessments into their computer, without discussion with the other experts.

The assessments consisted of values for veff,max or vmax (see section 2). For each variable, two predictions were required, i.e. a median value or "best guess", and a value which in their opinion would not be exceeded with 95% probability.

The prediction uncertainty was calculated from comparisons between the predictions and the measurements (see section 3). A preliminary analysis was carried out immediately after the elicitation session. The results were presented to the experts in the same session as immediate feedback. For more information see Wit & Molenaar (2002).

4.3 Empirical model (level 2)

At this level, one single prediction tool was used, called D11 (CUR 1995). This tool is based on empirical models. As the user has hardly any influence on the results (limited number of choices to make in doing the predictions, choices quite obvious) all predictions were done by one single person, a TNO employee, behind his own desk. This person had no specific expertise in the field of vibration modeling.

Vibration predictions were made for the same cases and variables that were used in the expert judgment study (see previous section). The predictions were point estimates, i.e. the values produced by the prediction tool.

Again the uncertainty was calculated from a statistical analysis of the ratio between predictions and measured values. Only the total uncertainty was assessed as the program does not give intermediate results. For more information about the predictions see Esposito (2002).

Table 1. Breakdown of the uncertainty in vibration predictions into modeling level, subsystem and type of uncertainty ("par": parameter, "mod": model, "tot": total). The crosses indicate which items are addressed in this paper.

level \ subsystem      1. expert   2. empirical   3. FEM
source     par
           mod
           tot
soil       par                                    X
           mod                                    X
           tot                                    X
building   par
           mod
           tot
Total                  X           X              X

4.4 First-principles model (level 3)

4.4.1 Total uncertainty

For this level of prediction sophistication another set of cases was used. Indeed, to be able to break down the uncertainty, specific measurements were required. These measurements were done near the building pit of the "Tunnel Rotterdam Noordrand" in The Netherlands. Two grids of vibration sensors were installed in the soil, one at surface level and one at a depth of 14 m below surface level. Both horizontal and vertical vibration components were measured. Note that in these measurements the subsystem "building" was not involved. Moreover, all measurements were carried out in the same soil. Various vibration sources were used though: pile driving, sheet piling and heavy traffic over a speed ramp. The measurements were carried out by TNO.

Prior to the measurements, the vibration levels at the various sensor positions had been predicted (vmax values) by three different Dutch institutes, i.e. GeoDelft, Holland Railconsult and TNO. All three institutes regularly carry out Finite Element Model vibration predictions in civil engineering projects.

From a comparison of the predicted and measured vibration levels, the total uncertainty has been estimated. Note that these uncertainty estimates concern a system that only consists of a source and soil subsystem, without the component "building".

For more information about the predictions, see Koopman (2002a), Hölscher & Waarts (in prep.). More information about the measurements can be found in Koopman (2002b) and Wit (in prep.).

4.4.2 Uncertainty contribution from soil-subsystem

To assess the contribution of the soil subsystem to the total uncertainty, separate predictions and measurements were done. These predictions and measurements concerned the same subsystem "soil" (same grid of sensors), but a different source: a drop weight. During the measurements, also the impulse-like force that this weight exerts on the soil was measured. The force measurements were used as input of all prediction models for the soil system. In this way a source model could be avoided and hence the resulting uncertainty could be attributed to the subsystem "soil". For details see Hölscher & Waarts (in prep.).

4.4.3 Parameter uncertainty and model uncertainty

To discriminate between parameter uncertainty and model uncertainty, two sets of FEM predictions were carried out for the subsystem "soil", excited by the drop weight. These predictions were produced in two subsequent phases, phase 1 and phase 2. For the purpose of the predictions in phase 1, information about the structure and properties of the soil was provided at a level which resembles the level of information that is available in common practical situations. This was the same information that was also used for the assessment of the total uncertainty in FEM-based predictions. This information is limited and therefore gives rise to uncertainty in the model parameters: parameter uncertainty.

In phase 2, extra information about the soil had become available through extra sophisticated measurements (see Pruiksma et al. 2002, Hölscher 2002). This information implied a reduction of the parameter uncertainty. The reduction of the prediction uncertainty in phase 2 compared to phase 1 gives an indication of the relative contribution of the parameter uncertainty to the overall uncertainty for the subsystem "soil".

5 RESULTS AND DISCUSSION

5.1 Expert judgment (level 1)

For each vibration velocity, the experts gave two assessments, i.e. a best guess (median value) and a 95-percentile. These assessments are subsequently discussed in the next subsections.

5.1.1 Best guesses

In the expert judgment study, 8 experts gave their best estimates for 24 vibration velocities each, giving a total of 192 predictions. For each of the 24 velocities, a measured value was available. Realizations of the random factor g (see equation 1) were obtained by division of each prediction by the corresponding measured value. A frequency distribution of the resulting ratios is shown in Figure 2. More details about the measurements and the predicted values can be found in Wit & Molenaar (2002).

The values of g in the sample cover a range of almost 4 orders of magnitude, which is a considerable spread. This suggests that we consider the logarithm of g rather than g itself. This choice is also supported by the apparent goodness of fit between the frequency distribution of 10log g and the normal distribution. We will interpret the observed frequency distribution as an estimate for the probability distribution of g. The underlying assumption is that the realizations of g are (sufficiently) independent. Estimates of the mean and standard deviation of 10log g are shown in Table 2.

Both Figure 2 and the mean value of 10log g in Table 2 show that on average the experts' estimates are hardly biased. This is consistent with the assignment to generate best guesses, so as a group the experts are well-calibrated in this respect.

The variation between the experts is not too large. If we select the best expert (median value close to 0 and small standard deviation) the statistics are as shown in Table 3.

5.1.2 95% percentiles

The same procedure as described in the previous subsection can be repeated with the experts' 95-percentiles. We will refer to the ratios between measurement and 95-percentile as g95%. If the experts were well-calibrated in their 95-percentile assessments, the frequency distribution of g95% would cross 10log g95% = 0 at a probability level of 95%. Only then would the measured values exceed the predicted values in only 5% of the cases.

Figure 3 shows, however, that the observed frequency distribution crosses 10log g95% = 0 at a probability level of 75%.

This indicates that the experts as a group are overconfident: they choose their 95-percentile values too low, by a factor 6 on average. Further analysis of the uncertainty in the experts' predictions is elaborated in Hölscher & Waarts (in prep.).
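As an added illustration of the analysis in sections 5.1.1 and 5.1.2 (not the authors' code or data): the statistics of 10log g and the two calibration checks, applied to a constructed set of expert assessments in which the 192 real predictions are replaced by made-up numbers.

```python
import math
import statistics

# Constructed sample of cases, not the 192 predictions of Wit & Molenaar (2002).
# Each tuple is (expert best guess, expert 95-percentile, measured value), all
# in the same vibration velocity unit.
CASES = [
    (1.0, 5.0, 1.0),
    (2.0, 8.0, 20.0),
    (10.0, 30.0, 1.0),
    (0.5, 1.0, 0.5),
    (3.0, 6.0, 30.0),
    (4.0, 40.0, 0.4),
    (7.0, 7.0, 70.0),
    (1.0, 2.0, 1.0),
]


def log_ratios(cases, use_p95=False):
    """Realizations of 10log g with g = vobs/vpoint as in equation (1); with
    use_p95 the 95-percentile takes the place of the point estimate (10log g95%)."""
    logs = []
    for best, p95, obs in cases:
        logs.append(math.log10(obs / (p95 if use_p95 else best)))
    return logs


def summarize(logs):
    """Mean and sample standard deviation of 10log g (cf. Tables 2 and 3)."""
    return {"mean": statistics.fmean(logs), "stdev": statistics.stdev(logs)}


def probability_level_at_zero(logs):
    """Probability level at which the empirical distribution crosses
    10log g = 0 on normal probability paper: about 0.5 for unbiased best
    guesses, 0.95 for well-calibrated 95-percentiles."""
    return sum(1 for x in logs if x <= 0.0) / len(logs)


def exceedance_fraction(cases):
    """Fraction of cases in which the measurement exceeds the 95-percentile;
    5% if the experts are well calibrated, more if they are overconfident."""
    return sum(1 for _, p95, obs in cases if obs > p95) / len(cases)


def calibration_factor(cases):
    """Empirical 95th percentile of vobs/v95: the factor by which the experts'
    95-percentiles would have to be raised so that only 5% of the measurements
    exceed them (1.0 means well calibrated, > 1 means overconfident)."""
    ratios = sorted(obs / p95 for _, p95, obs in cases)
    return ratios[math.ceil(0.95 * len(ratios)) - 1]


if __name__ == "__main__":
    best = summarize(log_ratios(CASES))
    print(f"best guesses: mean 10log g = {best['mean']:+.2f}, "
          f"st.dev. = {best['stdev']:.2f}, "
          f"crosses 0 at level {probability_level_at_zero(log_ratios(CASES)):.2f}")
    print(f"95-percentiles exceeded in {exceedance_fraction(CASES):.0%} of cases, "
          f"crosses 0 at level {probability_level_at_zero(log_ratios(CASES, True)):.2f}; "
          f"raise by factor {calibration_factor(CASES):.1f}")
```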

5.2 Empirical (level 2)

The predictions were made with the prediction tool "D11" for the same cases as presented to the experts (see section 4). A few cases fell outside the scope of application of the tool and were skipped. A total of 18 predictions resulted. The predicted values were divided by the corresponding measured values to obtain realizations of g. Figure 4 shows the frequency distribution of g.

Figure 4 shows that the D11 predictions are somewhat conservative on average, as the probability of finding a measurement exceeding the predicted value is only 25%. The figure also shows that the frequency distribution of the D11 results is very similar to the distribution of the experts' 95-percentiles. The D11 tool is apparently successful in the sense that with this tool a non-expert can produce "conservative" predictions which are equally well (or poorly) calibrated as conservative predictions from an arbitrary expert. The degree of conservatism, however, is probably less than expected.

Table 4 summarizes the statistics of g for the D11-results.

5.3 First principles (level 3)

As the predictions at this level were made with the help of FEM models, they are also referred to as FEM-level predictions.

Figure 2. Frequency distribution of 10log g, the logarithm of the ratio of measured values and the experts' best guesses. The frequency distribution is plotted on normal probability paper.

Table 2. Estimates for the mean and standard deviation of 10log g for best guesses of all experts.

mean                −0.2
standard deviation   0.77

Table 3. Estimates for the mean and standard deviation of 10log g for best guesses of the "best" expert.

mean                −0.2
standard deviation   0.6

Figure 3. Frequency distribution of 10log g95%, the logarithm of the ratio of measured values and the experts' 95-percentiles. The frequency distribution is plotted on normal probability paper.

5.3.1 Total uncertainty

A total of 560 predictions were produced by three institutes, which were compared with measured values as in the previous sections. The frequency distribution of the ratio between measured and predicted values is shown in Figure 5.

Again, the lognormal distribution appears to describe the frequency distribution well. The predictions are not significantly biased, as the median value of 10log g is close to 0. A summary of the total uncertainty statistics is given in Table 5.

These numbers are an indication for the uncertainty in the predictions of an arbitrary institute. When we extract the results for the best performing institute in the study (median value close to 0 and smallest standard deviation) we find the statistics in Table 6.

The limited reduction of the variance in 10log g that is obtained when using FEM-based predictions instead of instant expert judgment is striking. If we compare the predictions of all experts with the predictions of all institutes we find a factor of (0.6)²/(0.8)² ≈ 0.6 (the standard deviations of Table 5 and Table 2, the latter rounded from 0.77). Comparison of the best expert with the best institute gives a variance reduction of about 0.7 ((0.5)²/(0.6)², Tables 6 and 3). If we bear in mind that the FEM predictions only concerned the subsystems source and soil, whereas the experts had to predict the behavior of source, soil and building in several cases, the reduction in practical cases might even be less.

5.3.2 Uncertainty in soil subsystem

To assess the uncertainty in predictions of the soil subsystem only, predictions for and measurements of the drop weight experiment were compared and statistically analyzed (see section 4.4.2). The predictions were carried out in phase 1, i.e. on the basis of the same soil data that were used for the analysis of the total uncertainty (section 5.3.1). The frequency distribution of the ratio between measured and predicted values is shown in Figure 6.

Figure 4. Frequency distribution of 10log g, the logarithm of the ratio of measured values and the D11 predictions. The frequency distribution is plotted on normal probability paper. For reference the distribution fitted to the experts’ 95-percentiles is also shown (dashed line).

Table 4. Estimates for the mean and standard deviation of 10log g for D11 predictions.

mean                −0.6
standard deviation   0.8

Table 5. Estimates for the mean and standard deviation of 10log g for all FEM predictions.

mean                 0.1
standard deviation   0.6

Table 6. Estimates for the mean and standard deviation of 10log g for FEM predictions of the “best” performing institute.

mean                 0.1
standard deviation   0.5

Figure 5. Frequency distribution of 10log g, the logarithm of the ratio of measured values and the FEM predictions. The frequency distribution is plotted on normal probability paper. For reference the distribution fitted to the experts’ best guesses is also shown (dashed line).

The most important observation is that the slope of the distribution for the soil system only is significantly steeper than the slope of the distribution associated with the system source + soil. This means that the uncertainty in the predictions increases once the input from the subsystem “source” is fixed without uncertainty. This remarkable result implies that a dependency exists between the source model and the soil submodel (“negative correlation”). At first glance this is awkward, as the physical systems underlying these models are driven by separate and most probably statistically independent variables. However, the common factor in these two models is the user. This user is an expert who, based on his experience in the field, has a certain expectation of the outcome of the prediction. Hence in choosing point estimates for the model parameters, he will avoid those values which give unrealistic results. As source models generally contain more parameters for which no direct empirical evidence is available, tuning of parameter estimates is most easily done in the source submodel. At the moment that this tuning opportunity disappears (source is fixed) and predictions have to be made for a rather unfamiliar vibration source (drop weight), the corrective opportunities of the user are ruled out and the real uncertainty in the submodel appears.

This mechanism would also explain why the uncertainties in FEM predictions and expert judgments are similar. As the user strongly guides the FEM prediction process, it is the expertise of the user which determines the results in the end.

At this stage we consider the above explanation a plausible and promising hypothesis, but no verification steps have been taken yet.

5.3.3 Model uncertainty soil subsystem

To analyze the contribution of the soil parameters to the uncertainty, predictions for the soil system have been made in phase 2, based on extra, measured data on the soil parameters. This reduces the uncertainty in the model parameters compared to phase 1. Table 7 shows the statistics of the frequency distributions of g, the ratio between measured and predicted values.

The table shows that the extra information about the soil parameters does not significantly improve the predictions. This indicates that either the reduction in parameter uncertainty obtained by the measurements was negligible or the model uncertainty is the dominant source of uncertainty in the predictions. At this point only one single soil system was investigated; different results might be obtained for other soil systems.
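As an added example (not part of the paper), the statistics that sections 5.2 to 5.3.3 rest on, written out in Python (3.8 or later, for statistics.NormalDist): the lognormal fit of g = measured/predicted via its base-10 logarithm, the exceedance probability P(measured > predicted) that the paper reads off Figure 4, the variance-reduction factor of section 5.3.1, and the points one would plot on normal probability paper. The measured/predicted pairs and all function names are constructed for illustration; the only numbers taken from the paper are the table values used in the closing demonstration.

```python
"""Added example, not code from the paper: the statistics behind the level
comparison of sections 5.2 to 5.3.3.

g = measured / predicted, and its base-10 logarithm ("10log g" in the paper)
is fitted with a normal distribution, i.e. g is taken as lognormal, which is
what plotting on normal probability paper checks. From the fit follow
  * the exceedance probability P(measured > predicted) = P(10log g > 0),
    the "only 25%" the paper reads off Figure 4 for D11, and
  * the variance-reduction factor (sigma_to / sigma_from)^2 between two
    prediction levels, the (0.6)^2/(0.8)^2 of section 5.3.1.
The measured/predicted pairs below are constructed, not the study's data."""
from math import log10
from statistics import NormalDist, mean, stdev

# Constructed pairs (think peak vibration velocities in mm/s), five cases
MEASURED = [0.5, 1.0, 3.0, 4.0, 2.0]
PREDICTED = [5.0, 2.0, 3.0, 2.0, 0.2]


def log_ratios(measured, predicted):
    """10log g per case, with g = measured / predicted."""
    if len(measured) != len(predicted):
        raise ValueError("every measurement needs exactly one prediction")
    return [log10(m / p) for m, p in zip(measured, predicted)]


def fit_normal(values):
    """Mean and sample standard deviation of 10log g: the lognormal fit of g."""
    return mean(values), stdev(values)


def exceedance_probability(mu, sigma):
    """P(10log g > 0): the chance that a measurement exceeds its prediction."""
    return 1.0 - NormalDist(mu, sigma).cdf(0.0)


def variance_reduction(sigma_from, sigma_to):
    """Factor by which the variance of 10log g shrinks between two levels."""
    return (sigma_to / sigma_from) ** 2


def probability_paper_points(values):
    """(10log g, z) pairs for normal probability paper: sorted values against
    the standard-normal quantile of the plotting position i/(n+1). The closer
    the points lie to a straight line, the better the lognormal describes g;
    the slope of that line reflects sigma."""
    n = len(values)
    std = NormalDist()
    return [(v, std.inv_cdf(i / (n + 1)))
            for i, v in enumerate(sorted(values), start=1)]


def summarize(measured, predicted):
    """Mean, standard deviation and exceedance probability for one level."""
    mu, sigma = fit_normal(log_ratios(measured, predicted))
    return {"mean": mu, "std": sigma, "p_exceed": exceedance_probability(mu, sigma)}


if __name__ == "__main__":
    print(summarize(MEASURED, PREDICTED))
    # The paper's D11 figures (Table 4): mean -0.6, std 0.8 give about 23%,
    # the "only 25%" exceedance read from Figure 4.
    print(f"D11 exceedance: {exceedance_probability(-0.6, 0.8):.2f}")
    # Table 2 vs Table 5 (0.77 rounded to 0.8) and Table 3 vs Table 6.
    print(variance_reduction(0.8, 0.6), variance_reduction(0.6, 0.5))
```

Note that the exceedance probability depends on both mean and spread: a method can be biased towards conservative values and still be exceeded often if its scatter is wide, which is why the paper reports both numbers per level.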

6 CONCLUSIONS AND RECOMMENDATIONS

1. The uncertainty in vibration predictions in civil engineering applications is quite large, typically 1 order of magnitude.

2. The uncertainty in vibration predictions hardly reduces when, instead of expert judgment, empirical models or even sophisticated computational models are used. A possible explanation is that the modeling choices that have to be made are decisive for the uncertainty in the predictions. These choices are, in the end, based on expert judgment.

3. The experts in this study tend to choose their 95-percentile predictions too low: these predictions are exceeded by the measured values in about 25% of the cases.

4. Prediction uncertainty should not be attributed to a model or a modeling approach alone, as it depends on the interaction between the model and its user.

Table 7. Estimates for the mean and standard deviation of 10log g for FEM predictions in phase 1 (standard parameter uncertainty) and phase 2 (reduced parameter uncertainty).

                    phase 1   phase 2
mean                 −0.4      −0.3
standard deviation    0.9       0.9

Figure 6. Frequency distribution of 10log g, the logarithm of the ratio of measured values and the FEM predictions for the soil only. The frequency distribution is plotted on normal probability paper. For reference the distribution fitted to the FEM predictions for the system source + soil is also shown (dashed line).

REFERENCES

CUR 1995, Prediction model vibration discomfort (in Dutch), Report 95-2. Gouda: Civieltechnisch Centrum Uitvoering Research en Regelgeving (CUR).

Esposito, G. 2002, Vibration predictions with the D11 model (in Dutch), Report 01.05.02-006. Delft: Delft Cluster.

Hölscher, P. 2002, Reliability of global assessments of dynamic soil parameters (in Dutch), Report 01.05.02-011. Delft: Delft Cluster.

Hölscher, P. & Waarts, P. in prep., Final report of DC project 01.05.02, Report 01.05.02-020. Delft: Delft Cluster.

Koopman, A. 2002a, Description of predictions (in Dutch), Report 01.05.02-007. Delft: Delft Cluster.

Koopman, A. 2002b, Measurements at the building pit Tunnel Rotterdam Noord (in Dutch), Report 01.05.02-009. Delft: Delft Cluster.

Pruiksma, J., Hölscher, P., Stuit, H. & Duin, F. van 2002, Reliability of vibration prognosis by FEM for extensive measurements at Rotterdam North building pit; part 4, input parameters phase 2, Report 01.05.02-016. Delft: Delft Cluster.

Wit, M.S. de 2001, Reliability of vibration predictions – general philosophy (in Dutch), Draft Report 01.05.02-001. Delft: Delft Cluster.

Wit, M.S. de & Molenaar, D.J. 2002, Expert judgment study on vibration predictions (in Dutch), Report 01.05.02-002. Delft: Delft Cluster.

Wit, M.S. de, in prep., Post-processing of the measurements at the building pit Tunnel Rotterdam Noord, Report 01.05.02-017. Delft: Delft Cluster.

Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7, p. 1729

The development of software tools for chemical process quantitative risk assessment over two decades

DRE Worthington & NJ Cavanagh
DNV Software, Risk Management Solutions

ABSTRACT: This paper reviews the advances in Chemical Process Quantitative Risk Assessment (CPQRA) techniques made over the last 20 years in the light of the widespread development of ICT technology. It examines the present situation and summarises the progress made in a number of areas. These include the steps taken to bring CPQRA up-to-date with 21st Century ICT, use of graphical user interfaces and other new technology such as databases, GIS systems and Internet technology, improvements in the underlying modeling technology, use of the risk analysis results to make decisions and communication of findings to stakeholders. A vision for the ideal CPQRA framework is postulated given the latest technology and a gap analysis is carried out between the vision and the present situation using the leading CPQRA tool SAFETI as a benchmark. The paper concludes that CPQRA techniques have exploited only a fraction of the available advancements in ICT and suggests how the methodology can be further improved.

1 INTRODUCTION

Quantitative Risk Assessment (QRA) in the context of process plant safety provides a methodology for quantifying the risks associated with the activities involved in the production and processing of chemicals and petrochemicals. In order to quantify risks it is necessary to first identify all possible risk situations, quantify them in terms of event consequence and likelihood and compare them with acceptable criteria.

The main questions to be answered by a QRA are what can go wrong, what are the potential effects if it does go wrong, how often will it go wrong and is it important. Or, in QRA terms: identify the hazards, analyse the consequences, estimate the frequency, combine consequence and frequency to quantify the risks and put measures in place to mitigate and manage those risks. The key objectives of any QRA are to identify the major hazards, quantify the overall risk, optimise the risk reduction measures to be implemented and to help the decision making process with regard to acceptable risk criteria.

Typical outputs of a QRA study are individual risk contours as illustrated in Figure 1 and the F/N curve for representation of societal risk as illustrated in Figure 2. Individual risk can be defined as “the frequency at which an individual may be expected to sustain a level of harm from the realisation of specified hazards” and is usually taken to be the risk of death expressed as a risk per year. Societal risk is defined as “the relationship between the frequency and the number of people suffering a given level of harm from the realisation of specified hazards”. It is normally taken to refer to the risk of death expressed as a risk per year and displayed as FN curves.

The first commercially available software tools for QRA in the chemical and process industries, commonly known as Chemical Process Quantitative Risk Assessment (CPQRA), were developed in the early 1980s. The terms QRA and CPQRA in the context of this work are interchangeable, although in the generic sense QRA can refer to any type of quantitative risk methodology (financial, environmental, etc.).

This early work was a direct result of recommendations made following the public enquiry into the safety of the many chemical installations operating in the Rijnmond area of Holland in the late 1970s. In 1981 the Dutch Ministry of Health and Environment commissioned Technica, later to become part of DNV, to develop a software system for risk assessment of chemical plants using the simplified classical method. Christened “Software for the Assessment of Flammable Explosive and Toxic Impact” (SAFETI) in 1982, SAFETI (Cavanagh, 2001, Worthington & Witlox, 2002) was subsequently delivered to the Dutch Ministry of Housing, Physical Planning and Environment in April 1983.

At that time, the techniques and methodologies developed to enable large scale QRA to be performed challenged the computing power generally available. This limited the development possible and meant that the software architecture had to be carefully designed to enable the necessary calculations to be made within the IT limitations of that time.

Since then Information and Communication Technology (ICT) has developed rapidly and continuously. The so-called Moore’s law shows that the price/performance ratio has doubled every 1.5 years. This suggests an improvement ratio in the last 20 years of over 10000. In addition, over the same period, there have been major advances in the development of Graphical User Interfaces (GUI), operating systems, databases, Geographical Information Systems (GIS) and Internet technology. At the same time there are those who challenge the value of the investment in this technology and point to the “productivity paradox”, which suggests that there has been a failure of ICT to deliver improved corporate performance, at least in financial terms. The question we ask is what impact has there been in the area of CPQRA?

Figure 1. Typical individual risk contours displayed in SAFETI.

Figure 2. Typical F/N curves for societal risk displayed in SAFETI.

This paper reviews the advances in CPQRA techniques made over the last 20 years in the light of the widespread development of ICT technology. It examines the progress made in a number of these areas, including the steps taken to bring CPQRA up-to-date with 21st Century ICT, use of graphical user interfaces and other new technology such as databases, GIS systems and Internet technology, improvements in the underlying modeling technology, use of the risk analysis results to make decisions and communication of findings to stakeholders. A vision for the “ideal” CPQRA framework is postulated and a gap analysis is performed to benchmark this against the SAFETI QRA software package.

2 CPQRA TECHNIQUES – THE CURRENT SITUATION

As mentioned earlier, the last 20 years have seen massive advances in ICT. However, the methodologies used in performing QRA have generally remained relatively static. Most QRAs still follow the Classical Risk Analysis Methodology as illustrated in Figure 3. Although individual components of the QRA have improved in terms of both modeling accuracy and speed of operation, the underlying architecture still largely supports the methodology shown above. This is the case for a number of reasons, not least the fact that QRA studies in tools like SAFETI have been created over many years and have taken many man years of effort which their owners are loath to “throw away”. Often the cost of recreating these studies from scratch is prohibitive given the current difficulty with data reusability from other sources.

But there are limitations to maintaining this structure. New EU legislation encapsulated within the Seveso II Directive (Council Directive 1996), implemented in the UK as COMAH (HSE 1999), includes additional requirements such as the inclusion of domino effects (Petrolekas & Andreou 1999, Ballocco et al. 2001 for example). These are difficult to account for using the classic approach, which is largely a series of sequential calculations or summations and assumes that hazardous events are independent of each other. Furthermore, restrictions associated with this sequential approach make it more difficult to take full advantage of ICT advances such as improved multi-tasking operating systems and client-server architecture as well as much more powerful client-server databases and network systems.

The data collection requirements when using tools like SAFETI for QRA are extremely labour intensive. The data used in QRA studies has historically been collected manually and is often stored in product-specific databases which are essentially standalone. Although technologies like Computer Aided Design (CAD), Enterprise Asset Management (EAM) and Computerised Maintenance Management Systems (CMMS) contain much of the data required for a QRA study, links, where they exist, are rudimentary and largely unintelligent. Because of this, data re-use has been poor and similar data may have been acquired in a number of separate places for process design, process simulation, maintenance management, inspection planning and QRA. Maintenance of data is a burden, and yet neglect leads to degradation of its value. Seveso II also has additional requirements over its predecessor in respect of change management when performing risk assessment (Malmen 2001). This has repercussions for data management and version control of existing QRA studies, which is very difficult within existing systems. However, if this data were available within a CMMS or EAM system or even a data warehouse like Intergraph’s SmartPlant Foundation (Intergraph, 2002), then providing facilities and procedures for change management could be comparatively straightforward.

Figure 3. Classic risk analysis methodology. [Flow chart; boxes: Plant Data, Derive Failure Cases, Calculate Frequencies, Calculate Consequences, Calculate Risks, Assess Risks; inputs: Generic Failure Rate Data, Safety Management Factor, Meteorological Data, Ignition Data, Population Data.]
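As an added example (not from the paper and not SAFETI code), the classic sequential methodology of Figure 3 and the individual and societal risk definitions of section 1 reduced to working arithmetic in Python. The failure cases, wind rose, population and circular effect-zone geometry are constructed for illustration, and the assignment of inputs to steps (generic failure-rate data and a safety-management factor to the frequency step, meteorological data to the consequence step, ignition and population data to the risk step) follows common CPQRA practice rather than being read off the figure.

```python
"""Added example, not part of the paper and not SAFETI code: the classic
sequential CPQRA calculation of Figure 3 reduced to its arithmetic.

Each failure case carries a frequency (generic failure-rate data, scaled by a
safety-management factor), an ignition probability where the hazard needs one
(ignition data), and a consequence footprint that is swept over a wind rose
(meteorological data). Risk is then summed over cases and weather outcomes:
individual risk at a location (the contours of Figure 1) and the F/N curve
for the exposed population (Figure 2). The effect zone is a circle of radius
`reach` centred `reach` metres downwind of the source with a single
vulnerability factor, a simplification of the single elliptical zone the
paper describes for early SAFETI. All inputs below are constructed."""
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class FailureCase:
    name: str
    frequency: float        # release frequency, events per year
    reach: float            # radius (m) of the effect zone, centred downwind
    vulnerability: float    # P(fatality | person inside the effect zone)
    ignition: float = 1.0   # P(ignition | release); 1.0 for a toxic release


SOURCE = (0.0, 0.0)  # release point (x, y) in metres

# Wind rose: unit direction vector -> probability (constructed, uniform)
WIND_ROSE = {(0.0, 1.0): 0.25, (1.0, 0.0): 0.25, (0.0, -1.0): 0.25, (-1.0, 0.0): 0.25}

# Population data: location -> number of people present (constructed)
POPULATION = {(80.0, 0.0): 20.0, (0.0, -150.0): 100.0}

# Derived failure cases (constructed)
CASES = [
    FailureCase("toxic release", frequency=1e-4, reach=100.0, vulnerability=0.5),
    FailureCase("flash fire", frequency=1e-3, reach=50.0, vulnerability=1.0, ignition=0.1),
]


def inside_zone(point, case, wind):
    """Consequence step: is `point` inside the effect zone of `case` for this wind?"""
    cx = SOURCE[0] + case.reach * wind[0]
    cy = SOURCE[1] + case.reach * wind[1]
    return hypot(point[0] - cx, point[1] - cy) <= case.reach


def outcomes(cases, wind_rose, safety_management_factor=1.0):
    """Frequency step: one outcome per (case, wind) with its realised frequency."""
    for case in cases:
        f = case.frequency * case.ignition * safety_management_factor
        for wind, p_wind in wind_rose.items():
            yield case, wind, f * p_wind


def individual_risk(point, cases=CASES, wind_rose=WIND_ROSE, smf=1.0):
    """Individual risk of death per year for a person permanently at `point`."""
    return sum(f * case.vulnerability
               for case, wind, f in outcomes(cases, wind_rose, smf)
               if inside_zone(point, case, wind))


def fn_curve(cases=CASES, wind_rose=WIND_ROSE, population=POPULATION, smf=1.0):
    """Societal risk: (N, F) pairs, F being the yearly frequency of outcomes with
    N or more fatalities; N runs over the distinct non-zero outcome sizes."""
    sizes = []
    for case, wind, f in outcomes(cases, wind_rose, smf):
        n = sum(people * case.vulnerability
                for point, people in population.items()
                if inside_zone(point, case, wind))
        if n > 0:
            sizes.append((n, f))
    return [(n, sum(f for m, f in sizes if m >= n))
            for n in sorted({n for n, _ in sizes})]


if __name__ == "__main__":
    for point in POPULATION:
        print(f"individual risk at {point}: {individual_risk(point):.2e} /yr")
    for n, f in fn_curve():
        print(f"F(N >= {n:g}) = {f:.2e} /yr")
```

Evaluating individual_risk over a grid of points gives the contour plot of Figure 1, and fn_curve returns the staircase of Figure 2. Because every outcome is evaluated on its own and then summed, the structure is exactly the sequential summation the text says makes domino effects awkward: a domino scenario would need one outcome to alter another case's frequency or footprint, and this loop has no place for that.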

3 DRIVERS FOR CHANGE

To put the ICT developments into context with respect to CPQRA, Figure 4 explores the range of drivers and constraints on the development of this technology. Technical advances in ICT have been dramatic over the last 20 years and there are many other forces that have influence.

Relevant areas of ICT development are

• Computing “power”
  – Processor speed
  – Computer memory
  – Storage capacity
• Distributed computing (PCs)
• Graphical User Interfaces
• Databases
• Networks
• Internet

These areas are considered in the following sections.

4 INCREASES IN COMPUTING POWER

At the time when the CPQRA techniques were developed (TNO 1980) computer limitations were a major constraint. As an example, the dispersion models developed at that time simplified the problem to enable an integral approach to be taken. The resulting models could be executed in a practical time frame but took a simplistic view of the time varying nature of real clouds and neglected any local obstacles. Computational Fluid Dynamics (CFD) modeling was available at that time and overcomes the limitation of the integral model approach. However, it is a far more computationally intensive technology and could not be conceived in the context of a QRA where many dispersion simulations are required.

With computing power increasing by more than 5 orders of magnitude over the last 20 years, it might seem logical that the simpler modeling techniques would have been displaced by the more complete models. However, CFD dispersion models are used in practice very rarely in the context of a QRA and the application of integral models remains the most normal approach. Furthermore, the conclusions of the EU model evaluation project SMEDIS (Cambridge Environmental Research Consultants, 2002) support the continued use of such models. These models continue to be developed to deal with obstacles (Cooper 2001) and terrain (Dutrieux and Van Mulder 1999) without resorting to CFD modeling.

Other areas of modeling employed in CPQRA may be visited to assess changes in this period in the light of the increase in computing power. Reviewing the changes in the Dutch “Yellow Book” between the versions published in 1980 (TNO, 1980) and 1997 (Committee for the Prevention of Disasters, 1997) is one way to view the changes. Typically the changes are incremental rather than radical, suggesting that computing power has had little influence.

It could be argued that explosion modeling methods have advanced more significantly over the last 20 years than the other techniques. Confined zone modeling is now a mainstream approach with the emergence of the Multi Energy and the Baker Strehlow Models (Baker et al., 1983). These techniques may now be used in QRA studies on a routine basis (Woodward J.L. & Crossthwaite P.J., 1995). These techniques are more computationally intensive in the context of QRA than the simple TNT equivalence models (Technica, 1988, Lees 1980), mainly due to the calculation of the intersection of the cloud and the confinement zones for a range of times and wind directions. However, again this increase in computing requirement is relatively small compared to the available increase in power. Furthermore these methods do not apply the full modeling capabilities of the most advanced class of model, again CFD based. In contrast, in the offshore safety context, CFD has become an established method for analysing explosions and this remains a method that demands the maximum possible computing power.

Considering the SAFETI model, the changes with respect to modeling technique have also been incremental rather than radical. When the first version was developed, numerous devices were required to enable the volume of data to be handled in terms of computation time, computer memory capacity and disk storage. As an example, flammable effect zones were represented as a single elliptical zone because this information could be represented by just 3 numbers. Of course in reality the effect zone could have any shape depending on the radiation modeling, but the approximate method was an acceptable approach at the time. Within the zone a single vulnerability factor was applied to any population present. A more rigorous approach is to use the calculated boundary of the effect zone directly. This requires the storage of more data which, with today’s hard disk capacity, is no longer a constraint. As a further extension the concept of flammable probits can now be applied in a QRA (Ale & de Haag, 1999) because, whilst this approach is more computationally intensive, the demand is relatively small compared with the available increase in computing power.

Figure 4. Constraints and drivers for change in QRA technology. [Table of political, social, technical, environmental and economic factors. Constraints recovered: Herd Behaviour, Periods without Incident, Demand for Products, Lack of Validation of Risk Models, Infeasibility of Realistic Experiments, Computing Limitations, Uncertainty of Results, Satisficing, Cost of Experimental Work, Commercial Competition, Shareholder Expectations, Cost Benefit Justification, General History of Industry, Legislation/Regulations. Drivers recovered: Public Perception of Risk, Value of Life, Company Reputation, New ICT Technology, Feasibility of Model Formulation, Increasing Computer Power, New Experimental Data, Accidents, Near Misses, Cost of Accidents, Insurance Requirements, Understanding of Financial Risks.]

Overall, while there have been some specific advances in modeling techniques in the last 20 years, these changes are far less significant than the advances in computing power. We now look at the impact of advances in other areas of ICT.

5 DISTRIBUTED COMPUTING AND GRAPHICAL USER INTERFACES

The advent of the PC in this period has revolutionized the way users work with computers. When SAFETI was first developed it was installed on a central computer, but now it is most commonly installed and run on local PCs. Calculations that might have taken days to run on a mainframe 20 years ago can now be run quickly on a PC. This is an area that has changed significantly within this time frame and has consequently had far more effect than advances in the modeling techniques themselves.

The software itself now employs graphical user interfaces as a significant advance from the teletype or menu driven interfaces of the past. The input data and results can be manipulated and presented in a far more visual way, as illustrated in Figures 1 and 2. These are areas where ICT has had a major impact on the software tools.

6 DATABASES, NETWORKS AND INTERNET

Handling data using ICT has developed substantially over the last 20 years. State-of-the-art approaches to managing data within an organization now involve enterprise-wide systems with integrated financial, personnel and production software applications. They either handle the data within an application from one vendor or, more commonly, employ a number of applications that are interfaced so that they can share data. These developments have had a dramatic effect on the way data is used and shared. The data itself has a value to the organization in proportion to the extent it can be distributed and shared. The synergy with network and internet technology developments makes enterprise-wide data sharing possible, adding enormous value to knowledge based organizations.

The concept of the “information asset” is illustrated in Figure 5 in the context of the process industry. As the plant progresses through its lifecycle the information asset grows as information is contributed and shared throughout the organization.

A case has been made for such integration in the Nuclear Industry (McPhater, 2002). Typically, the different types of input data required for a QRA will exist in datasets belonging to different departments. The software applications used to manage the data may come from different vendors and it is likely to be structured in different ways. This necessitates a common data modeling system so that the applications can communicate. Such systems are now emerging, like Intergraph’s SmartPlant Foundation for example.

A QRA needs data from many sources as input to the calculations. Often this data will already exist in other applications within the organization, but the entry and manipulation of this data for QRA remains a largely manual process.

Undertaking a QRA without software tools is labour intensive and this was a major motivation for the computerisation of the process and the development of SAFETI in the first place. In spite of such tools, QRA remains a time consuming and therefore costly task. Whether the analysis is performed using spreadsheets or a specific software tool designed for the purpose, like SAFETI, it is the preparation of the input data and the presentation of results that takes up most of the time and cost.

The latest version of SAFETI has taken a first step towards enabling integration by incorporating Intergraph’s GeoMedia GIS system, and this also permits publication of the results using the built-in integration capabilities. However, this addresses only a part of the input data requirements and the potential for better results communication.

Figure 5. Information asset growth over the plant lifecycle. [Diagram: the information asset grows through the planning, design, construction, startup and operation phases as successive applications contribute information.]

7 THE FUTURE POTENTIAL

If the software applications used for the QRA were part of the organisation’s integrated system then it would have two direct benefits. One would be the reduced time to conduct the QRA as a direct saving of data input costs. Another would be the publication of the results. This concept of an integrated approach to QRA is something of a “vision” because of the lack of progress in this direction so far. Such a vision has the potential to transform the QRA exercise from being a static analysis to providing live operational management information.

Currently, presentation of QRA results involves volumes of information normally presented in paper-based reports. These will often sit passively on the Safety Manager’s bookshelf, never providing all the potentially useful feedback possible. Web technology transforms the accessibility of all the information. If the input data were also live and the QRA results updated constantly, then the risk information provided takes on a direct relevance not previously possible.

Figure 6 illustrates the potential with the QRA system linked to all other relevant applications via a shared data system. The QRA information would be available to all those with authorization via a Web browser. Version control of the data is facilitated through the data management system and change management can be demonstrated as required by SEVESO II.

Figure 6. Integration of applications over the network/web. [Diagram: the CPQRA chain of Figure 3 (plant data, derive failure cases, calculate frequencies, calculate consequences, calculate risks, assess risks, with generic failure rate data, safety management factor, meteorological, ignition and population data) connected through adapters and a data warehouse to other applications such as CAD and GIS over WAN/LAN/Internet, with application-independent reporting, review and approval for the stakeholders: operators, public, regulator.]

Synergy between the QRA analysis and other analytical views such as environmental risks and Risk Based Inspection means such a live data connection has multiple uses. An integrated approach to viewing safety, environmental and financial risks becomes possible and has multiple benefits. A business information “Dashboard” approach could make the results of such an integrated analysis live and online.

We speculate further that if such integration were implemented, it would also become possible to take advantage of the more computationally intensive methods. Figure 7 also illustrates the potential for the use of applications during the QRA process that are currently regarded as too costly.

Figure 7. Integration potential for CPQRA.

Dynamic process simulators, for instance, could be used to help improve the source term modeling. CFD models could be used routinely if the geometry could be input directly from CAD or GIS systems. The same information could be used directly for the consideration of domino effects. GIS systems are the natural place for population information, route information and objects relevant for ignition source identification. This information can be used directly in the QRA analysis, and the analysis could be extended to take into account people’s behaviour in buildings and along evacuation escape routes.

The enabling step for these developments is the integration of the QRA tools with the mainstream information systems. Currently, investments in the mainstream systems are primarily business information driven and QRA is not really a consideration.

8 CONCLUSIONS

We conclude that CPQRA techniques have exploited only a fraction of the potential advances offered by ICT developments. In the last 20 years the position has reversed regarding CPQRA and ICT, with the advancement of the former now apparently lagging significantly behind the latter. No longer can it be claimed that the ICT environment limits CPQRA techniques. Moreover, CPQRA tools and techniques have not taken full advantage of all the possibilities made available by the technological revolution of the last 20 years.

The reasons can be assessed by viewing the drivers and constraints on CPQRA techniques. Factors other than ICT have varying influences and we conclude that these are the reasons for the exploitation of some but not all ICT developments in the period.

Looking forward, we review the potential for further development and conclude that only by embracing integration possibilities, already proven in other application areas, will QRA step forward in utilizing ICT technology.



Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Introduction of an easy-to-use risk assessment tool for natural gas transmission pipelines

Jeroen Zanting, Johan Duinkerken & Robert Kuik, Gasunie Research, The Netherlands

Rein Bolt & Eric Jager, Gastransport Services, The Netherlands

ABSTRACT: A new pipeline safety program has been developed by Gasunie Research to carry out a quick risk survey of (part of) a pipeline. The survey results in appropriate proximity distances, individual risk contours, societal risk and gas dispersion levels. This program is meant to fill the gap between applying rules of thumb and an extensive risk analysis. All the results are graphically presented on a topographical map of the area. The program uses data from validated and internationally acknowledged models, which are approved by the Dutch Government. Although the program is developed to carry out risk assessments according to Dutch standards, it can be easily adapted to comply with other standards. The number of input parameters is limited to a few network and surroundings parameters, which makes it very suitable for a preliminary study of the risk in the design phase of the pipeline. It can also be used for existing pipelines in changing surroundings. Some of the major characteristics of the program are: it saves money and time on risk assessments of new and existing pipelines, and it is to be used by non-specialists. The graphical interface enables quick and easy use.

1 INTRODUCTION

Gastransport Services owns and operates most of the natural gas transmission network in the Netherlands. The pipeline system consists of about 11600 kilometres of steel pipe. Most of it has been in use for over 30 years. The system is divided into a 66 bar high-pressure part (about 5100 km) with diameters ranging from 18" to 48" (HTL) and a 40 bar regional system (about 6500 km) with diameters ranging from 4" to 16" (RTL).

A lot of effort is invested to maintain the excellent safety record of the gas transmission network. During different stages in the life cycle of pipelines, the safety performance is subject to study. In the planning and construction phase, the safety aspect is a very important factor in establishing the most suitable route. When the pipeline is in operation, the surroundings of the natural gas pipelines are subject to change: due to expansion of residential, commercial or industrial areas, more and more people are likely to live or work relatively close to the pipeline. In some cases destination plans alter. The rural surroundings of the pipeline can change into heavily populated recreational facilities, or other valuable infrastructure facilities are built in the vicinity of the pipeline.

2 THE PROBABILISTIC APPROACH

The risk-based approach has been used in the Netherlands for several centuries. In the long struggle of the Netherlands against flooding from the sea and the rivers, risk assessment proved very useful for assessing the risk of flooding. To avoid flooding, dikes (and other infrastructure) were built. A higher level of protection required an enormous increase in costs. Therefore, risk assessments were used to estimate the heights of the dikes needed to achieve an acceptable risk level. This saved a considerable amount of money. After a major flood occurred in the province of Zealand (Netherlands) in the fifties of the last century, a major delta plan was developed to reduce the flooding risk. For this risk reduction a quantitative risk approach was used.

2.1 Individual risk

The Netherlands has developed two risk criteria for industry. The first deals with the risk of an individual who lives near a potentially hazardous location. This is called individual risk. The criterion is that the individual risk should be lower than 10⁻⁶ year⁻¹. It is defined as the fatality rate at a point if someone would be present at that point 100% of the time, unprotected by clothes or buildings. Also, the individual is not allowed to escape if the incident takes place, but on the other hand the scenario takes into account only 20 seconds of the incident. So in case of a fire the individual will receive the radiation dose for 20 seconds.

The origin of the risk level of 10⁻⁶ year⁻¹ is based on the natural fatality rate for people. Statistical data lead to the distribution of the natural fatality rate presented in figure 1.

The approach chosen by the Dutch government is that the risk to people caused by industrial activities should be lower by a factor of 100 than the risk in the period of a human life with the lowest natural fatality rate. This lowest fatality rate is 10⁻⁴ year⁻¹ at the age of 15. Therefore the risk due to industrial activity should be at maximum 10⁻⁶ year⁻¹. Therefore the maximum allowed risk due to pipelines is set at 10⁻⁶ km⁻¹ year⁻¹.

2.2 Societal risk

The second criterion deals with societal risk. It is defined as an F–N curve: the maximum frequency F for N or more people that would suffer loss of life in one incident. For point sources like compressor stations or chemical plants (anything with a fence around it) the criterion is F·N² ≤ 10⁻³ year⁻¹. For transportation type locations like motorways, railroads, canals and pipelines the criterion is F·N² ≤ 10⁻² km⁻¹ year⁻¹. In the societal risk calculation again 20 seconds exposure and no escape is assumed, but the fraction of the persons that are inside a building which is located outside the house burning distance will survive. Also, for societal risk people outside will be protected by clothes.

The criteria for the individual risk and the societal risk are described in detail in the "purple book" [1]. For pipeline fires the dose effect calculation is based on the "green book" [2].

The F–N curve for transportation facilities is displayed in figure 2.

If the societal risk in figure 2 is in the area marked with a plus sign (+) the risk is acceptable; if the societal risk value crosses the black diagonal and reaches the area marked with a minus sign (−), the societal risk is unacceptable.

3 NECESSITY OF RISK ASSESSMENT FOR TRANSMISSION PIPELINES

For transmission pipelines it is not necessary to make risk assessments for all locations. There is a list of proximity distances for different diameters and pressures. These are in the pipeline code [3] and in a ministerial circular letter [4]. It is assumed that if people would build houses outside the proximity distance the individual risk would be low enough. Because the understanding of risk has developed in the last two decades, these distances are now recalculated with PIPESAFE [5]. To accommodate the societal risk, tables have been developed that allow a maximum number of people per hectare outside the proximity distance. It is assumed that these tables will be published by the regulator in 2003, most likely as an order in council. Only in special cases (proximity distance infringements, population concentrations which cannot be assumed to be evenly distributed) do risk assessments have to be carried out.

The gap between applying the numbers from the above mentioned table and a full size risk analysis is considerable. Therefore, within Gasunie Research a new tool has been developed to carry out a simplified risk assessment to fill this gap. With minimal effort, individual and societal risk are (graphically) compared with the appropriate criteria. If, according to the new tool, the criteria are exceeded, a full risk assessment is still necessary, due to the conservative approach in the tool. When this tool indicates that the criteria are not exceeded, the costs of a detailed risk assessment can be saved. This may lead to a significant cost reduction.

[Figure 1: plot of natural fatality rate [year⁻¹] (log scale, 0.0001 to 1) against age [year] (0 to 100).]

Figure 1. Natural fatality rate for people in 2000 (source: CBS, 2002).

[Figure 2: F–N plot of frequency [year⁻¹] (10⁻⁸ to 10⁻⁴) against number of casualties [−] (10 to 1000); the acceptable region is marked + and the unacceptable region −.]

Figure 2. Societal risk.

4 FULL RISK ASSESSMENT

When a full risk assessment is carried out, Gasunie Research uses the PIPESAFE package. PIPESAFE is a package that consists of various modules, for instance: failure frequency analysis models, gas outflow models, heat radiation models and lethality models, resulting in the individual and societal risk. These models have been developed by a group of international gas transport companies and have been approved by the Dutch government for use in risk assessments of high-pressure natural gas pipelines. In these models about a hundred parameters are used, categorized in: pipeline (or network) data, gas properties, environmental/atmospheric data (including wind distribution), specific data for failure frequency analysis, model parameters for gas outflow calculations, crater formation parameters, ignition probability, heat radiation parameters, exposure and escape options and site properties.

Gathering the data for these parameters is very time consuming. Very often, with a few well-chosen parameters, a conservative estimate of the situation can be made with the new tool. If the calculated risks do not fulfil the criteria for individual risk and societal risk, a full size risk calculation has to be made.

5 NEW APPROACH

The approach that has been chosen in the simplified risk assessment model is that with five essential parameters of a gas transportation network the risk can be calculated. These calculations are carried out in the following steps: failure rate assessment of the pipelines, determination of the gas outflow, calculation of the heat radiation and the corresponding lethality for people. The five parameters are: pipeline diameter (D), wall thickness (w), internal pressure (P), depth of cover (z) and steel type (S). Besides these parameters, coordinates of the pipeline and coordinates of buildings are needed.

5.1 Model description

In this paragraph it is explained how the existing modules in PIPESAFE have been used to generate the required results for the simplified model.

5.1.1 Failure frequency

The failure rate is calculated with historical pipeline failure data, resulting from over 30 years of incident registration. In these incident databases the different types of incident causes, like external interference, corrosion, material defects et cetera, are distinguished. Also the incident type is registered, for instance: a dent, a hole, or a full bore rupture. For all these incidents the pipeline parameters like diameter, wall thickness, steel type and depth of cover are entered in the table as well. This enables statistical analysis of the incidents. With fracture mechanics the probability that a hit pipeline will fail is calculated. With the incident registration and fracture mechanics, the influence of extra wall thickness, extra depth of cover and the steel grade is quantified. This leads to a very reliable number for the failure frequency. In this model, only the frequency of a full bore rupture of a pipeline is used, since this dominates the risk for the surroundings.

Apart from the corresponding failure frequency, the failure frequency when mitigation measures have been taken to protect the pipeline from third party interference (i.e. a buried warning ribbon above the pipeline, buried concrete slabs or a combination of both) can also be used in the risk assessment. The failure frequency is corrected for the depth of cover with a formula derived by Gasunie Research. This formula is based on incident data analysis [6].

5.1.2 Gas outflow

For pipeline ruptures the gas outflow can be calculated by BRAM [7], developed by Gasunie Research. In this model the physical phenomena that occur when a pipeline depletes through a hole or a full bore rupture are mathematically solved. Also, the outcome of BRAM has been tested against field tests. These field tests proved that BRAM provides reliable results.

To be able to use this model, a parameter fit has been carried out for all relevant RTL and HTL pipelines. This resulted in a simple parametric function with only pressure and diameter dependency that yields the gas outflow as a function of elapsed time. In line with the current directions in the Netherlands, the average outflow of the first twenty seconds is used to calculate the subsequent heat radiation.

5.1.3 Heat radiation

In the simplified risk assessment model the risk calculations are carried out assuming that once a pipeline is ruptured, the gas will always ignite (the ignition probability is one). Incident reports show that in real life only a certain part of the incidents has led to ignition of the released gas. In order to be conservative on the heat radiation, the decision was made to calculate the heat radiation downwind from the outflow, assuming an average wind velocity. For several RTL and HTL configurations the heat radiation fields have been calculated by the PIPESAFE module CRISTAL. The resulting values have been incorporated in a database that is used as a look-up table. With the diameter, the pressure, the elapsed time and the distance to the ruptured pipeline, the corresponding heat radiation can be read. When non-standard pipelines are to be assessed, the radiation is interpolated between pipelines with lower and higher diameters.

5.1.4 Lethality

The calculation of the lethality is carried out with the so-called dosage, which is the input for the Probit equation. The dosage is calculated by equation 1

(1)

where:
Q = heat radiation (kW/m²)
t = exposure time (s)

The Dutch guidelines on risk assessment state that people are exposed to the heat radiation for twenty seconds, without the possibility to escape from the heat source. To calculate the lethality, the dosage is entered in a Probit function, equation 2.

(2)

where:
A and B are constants

Consequently the Probit is entered into the cumulative normal distribution, which leads to a mortality, equation 3.

(3)

where:
p = mortality (−)
σ = standard deviation (= 1)
μ = mean (= 5)

For use in the societal risk calculation, the lethality for persons is subsequently corrected. Within the 35 kW/m² heat radiation level, it is assumed that houses will burn and all persons present, inside or outside, will become fatalities. The number of inhabitants is corrected by the fraction of absence during the day and night. Outside the 35 kW/m² heat radiation level the assumption is that people indoors will survive the heat radiation and that people outside will have a probability of suffering loss of life that is calculated by the lethality. Furthermore, people are supposed to be partly shielded by their clothes; this lowers the mortality rate significantly.

5.1.5 Coordinates

To be able to study the consequence of pipeline failure for the surroundings, the position of the pipeline relative to the neighbouring buildings is necessary. Therefore, a coordinate system had to be chosen. For the Dutch version, the coordinates used are from the national coordinate system. This coordinate system has its origin in Amersfoort (a city centrally situated in the Netherlands, chosen such that no negative values for the coordinates exist within the boundaries of the country). For each pipeline segment that is to be examined, the appropriate coordinates of these segments are entered. These are the basis for the graphical presentation of the results. The locations of buildings are entered in the computer program as well. The coordinates of each house, residential block, hospital, office building, workplace or recreational facility are entered with the corresponding population.

5.1.6 Individual risk

The calculation is carried out in a grid with a grid size of one metre. For each grid cell, the failure rate of the pipeline is multiplied with the lethality at this location. This results in the individual risk value at this cell. The cells that approximate one of the 10⁻⁵, 10⁻⁶ or 10⁻⁸ year⁻¹ risk numbers best are connected and form the desired risk contour.
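The lethality chain of section 5.1.4 (dosage, Probit, cumulative normal distribution, then the 35 kW/m² indoor/outdoor correction) followed by the individual risk grid of section 5.1.6 (failure rate times lethality per 1 m cell, contour cell nearest to 10⁻⁶ year⁻¹), as an added worked example written for this page; it is not code from the paper, from PIPESAFE or from the Gasunie tool. Equations 1 to 3 are not reproduced on the page, so the Q^(4/3)·t dose form and the Probit constants A = −36.38, B = 2.56 (the TNO thermal-radiation probit, dose in (W/m²)^(4/3)·s) are assumptions, the distance-to-radiation table is constructed in place of the CRISTAL look-up database, and the clothing shielding factor is a placeholder the page does not quantify.

```python
import math
from typing import Optional

# Constructed look-up table (not CRISTAL data): distance from the ruptured
# pipeline in metres -> heat radiation Q in kW/m2 for one assumed
# diameter/pressure combination, averaged over the 20 s exposure window.
RADIATION_TABLE = [
    (0, 120.0), (25, 80.0), (50, 45.0), (75, 35.0),
    (100, 20.0), (150, 9.0), (200, 4.0), (300, 1.5),
]

# Assumed Probit constants (TNO thermal-radiation probit); the page only
# says "A and B are constants". Dose is taken as Q^(4/3) * t with Q in W/m2.
PROBIT_A = -36.38
PROBIT_B = 2.56
EXPOSURE_S = 20.0                   # Dutch guideline: 20 s exposure, no escape
HOUSE_BURNING_KW_M2 = 35.0          # within this level everybody is a fatality
PROBIT_MEAN, PROBIT_SD = 5.0, 1.0   # equation 3 constants given on the page


def heat_radiation(distance_m: float) -> float:
    """Linear interpolation in the look-up table, clamped at both ends."""
    if distance_m <= RADIATION_TABLE[0][0]:
        return RADIATION_TABLE[0][1]
    for (d0, q0), (d1, q1) in zip(RADIATION_TABLE, RADIATION_TABLE[1:]):
        if distance_m <= d1:
            return q0 + (q1 - q0) * (distance_m - d0) / (d1 - d0)
    return RADIATION_TABLE[-1][1]


def thermal_dose(q_kw_m2: float, t_s: float) -> float:
    """Dose = Q^(4/3) * t, Q converted to W/m2 (assumed form of equation 1)."""
    return (q_kw_m2 * 1000.0) ** (4.0 / 3.0) * t_s


def probit(dose: float) -> float:
    """Pr = A + B * ln(dose) (assumed form of equation 2)."""
    return PROBIT_A + PROBIT_B * math.log(dose)


def mortality(pr: float) -> float:
    """Cumulative normal distribution with mean 5 and sd 1 (equation 3);
    erfc keeps the tail from rounding to exactly zero."""
    x = (pr - PROBIT_MEAN) / PROBIT_SD
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def lethality(distance_m: float) -> float:
    """Unprotected outdoor lethality at a distance, as used for individual risk."""
    return mortality(probit(thermal_dose(heat_radiation(distance_m), EXPOSURE_S)))


def societal_lethality(distance_m: float, indoors: bool,
                       clothing_factor: float = 1.0) -> float:
    """Lethality regimes of section 5.1.4: within 35 kW/m2 everybody dies;
    outside it people indoors survive and people outdoors get the Probit
    lethality, scaled by a clothing shielding factor (placeholder value,
    the page gives no number; 1.0 means no shielding)."""
    if heat_radiation(distance_m) >= HOUSE_BURNING_KW_M2:
        return 1.0
    if indoors:
        return 0.0
    return lethality(distance_m) * clothing_factor


def individual_risk(failure_rate_per_year: float, distance_m: float) -> float:
    """Section 5.1.6: failure rate of the pipeline times lethality at the cell."""
    return failure_rate_per_year * lethality(distance_m)


def risk_contour_distance(failure_rate_per_year: float, level: float = 1.0e-6,
                          max_distance_m: int = 1000) -> Optional[int]:
    """Walk the 1 m grid outward and return the cell whose individual risk is
    closest (in log terms) to the requested contour level, or None if the
    risk never drops to that level within max_distance_m."""
    previous = None
    for d in range(0, max_distance_m + 1):
        ir = individual_risk(failure_rate_per_year, d)
        if ir <= level:
            if previous is None:
                return d
            d_prev, ir_prev = previous
            closer_prev = abs(math.log(ir_prev / level)) < abs(math.log(level / ir))
            return d_prev if closer_prev else d
        previous = (d, ir)
    return None


if __name__ == "__main__":
    rate = 2.0e-4   # constructed full-bore rupture frequency (1/year) for this stretch
    print("outdoor lethality at 75 m:", round(lethality(75), 4))
    print("10^-6 /year contour lies at", risk_contour_distance(rate), "m")
```

With the constructed table the 35 kW/m² level sits at 75 m, where the assumed Probit gives an outdoor lethality of about 0.98, which is consistent with the paper's decision to count everyone inside that level as a fatality; the 10⁻⁶ year⁻¹ contour for the constructed rupture frequency lands near 149 m.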

5.1.7 Societal risk

With the distribution of the buildings around the pipeline, the societal risk is calculated. Again the failure frequency and the lethality field are used. In this calculation, the lethality regimes (within and outside the 35 kW/m² distance) are needed as well. This calculation divides the pipeline into small segments and counts the number of victims if an incident occurs at that segment.

With the distribution of casualties along the stationing, a subroutine checks if a kilometre of pipeline can be identified where the societal risk criterion is exceeded. If the criterion (F·N² ≤ 10⁻² km⁻¹ year⁻¹) is indeed exceeded, the section of pipeline of one kilometre that is used to calculate the F–N curve is chosen such that the worst case F–N curve is identified. The F–N curve displays the frequency that N (N is any whole number starting at ten) or more casualties are expected.

So, the F–N curve is constructed from a cumulative table. For example: there are n1 sections with failure frequency F1 that can lead to N casualties (with N the maximum number of casualties) and there are n2 sections with failure frequency F2 that can lead to N−1 casualties. In the F–N curve, the corresponding failure frequency of N casualties is n1F1 [year⁻¹], and the failure frequency of N−1 casualties will be n1F1 + n2F2 [year⁻¹]. This procedure is repeated until N = 10.
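The cumulative F–N construction just described, together with the worst-kilometre search of section 5.1.7 and the transport criterion F·N² ≤ 10⁻² km⁻¹ year⁻¹ of section 2.2, as an added example written for this page; it is not the tool's own code. The segment rupture frequencies and casualty counts are constructed sample values, not Gastransport Services data.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Societal-risk limits from section 2.2: point sources F*N^2 <= 1e-3 /year,
# transport routes F*N^2 <= 1e-2 per km per year. A 1 km window is therefore
# compared against 1e-2 /year.
TRANSPORT_FN_LIMIT = 1.0e-2
N_MIN = 10  # the F-N curve starts at N = 10 (section 5.1.7)

# Constructed sample: 100 m segments along the stationing, each with a
# full-bore rupture frequency in 1/year and the number of casualties counted
# if the rupture occurs in that segment (zero away from the housing block).
_CASUALTIES = {600: 12, 700: 15, 800: 30, 900: 15, 1000: 12, 1500: 40}
SEGMENTS: List[Tuple[int, float, int]] = [
    (station, 1.0e-5, _CASUALTIES.get(station, 0)) for station in range(0, 2000, 100)
]


def fn_curve(segments, n_min: int = N_MIN) -> List[Tuple[int, float]]:
    """Cumulative F-N table of section 5.1.7: starting at the maximum number
    of casualties N, F(N) = n1*F1, F(N-1) = n1*F1 + n2*F2, ... down to n_min.
    Each entry is (N, frequency per year of N or more casualties)."""
    per_n: Dict[int, float] = defaultdict(float)
    for _, freq, casualties in segments:
        if casualties >= n_min:
            per_n[casualties] += freq        # n_k sections with frequency F_k
    if not per_n:
        return []
    curve, cumulative = [], 0.0
    for n in range(max(per_n), n_min - 1, -1):
        cumulative += per_n.get(n, 0.0)
        curve.append((n, cumulative))
    return curve


def max_fn2(curve) -> float:
    """Largest F*N^2 on the curve; the criterion holds when it is below the limit."""
    return max((f * n * n for n, f in curve), default=0.0)


def worst_kilometre(segments, window_m: int = 1000,
                    limit: float = TRANSPORT_FN_LIMIT) -> dict:
    """Slide a 1 km window along the stationing and keep the window with the
    worst-case F-N curve, as the subroutine of section 5.1.7 does."""
    worst = {"start_m": None, "curve": [], "max_fn2": 0.0, "exceeded": False}
    for start, _, _ in segments:
        window = [s for s in segments if start <= s[0] < start + window_m]
        curve = fn_curve(window)
        score = max_fn2(curve)
        if score > worst["max_fn2"]:
            worst = {"start_m": start, "curve": curve,
                     "max_fn2": score, "exceeded": score > limit}
    return worst


if __name__ == "__main__":
    result = worst_kilometre(SEGMENTS)
    print(f"worst kilometre starts at {result['start_m']} m, "
          f"max F*N^2 = {result['max_fn2']:.2e} /year, exceeded: {result['exceeded']}")
    for n, f in result["curve"]:
        print(f"N >= {n:3d}: F = {f:.1e} /year")
```

In the constructed sample the first kilometre (stations 0 to 900 m) stays below the limit, with F·N² peaking at 9·10⁻³ year⁻¹ for N = 30, while any window that contains both the 30-casualty and the 40-casualty segments reaches 2·10⁻⁵ × 30² = 1.8·10⁻² year⁻¹ and is flagged; the search returns the first such window, starting at 600 m.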


6 GAS DISPERSION

If a full bore rupture of the pipeline occurs, there is a high probability that the resulting gas outflow does not ignite at all. In this case, a gas cloud is the result of the pipeline failure. The gas cloud can cover a large area and its size is of course dependent on the pressure and the diameter of the pipeline. Also the atmospheric conditions have a major influence on this size. In case of a pipeline rupture, the size of the gas cloud is important information. To prevent the gas cloud from igniting after some time, all buildings within a certain fraction of the lower flammability level are evacuated by the emergency services. Therefore the size of a possible gas cloud should be used in a risk assessment.

In this tool, for every pipeline diameter and pressure combination, gas cloud calculations have been made, again assuming an above average heavy wind speed. Since no information on wind directions is available beforehand, the approach is to calculate the downwind cloud size and project this as a circular contour around the ruptured pipeline. Due to the initial momentum of the gas outflow and the buoyancy, the released gas will rise quickly. Therefore, the indicated cloud size (presented at 50% of the lower flammability limit) is calculated at a height of ten metres. It is assumed that at this height no ignition sources are present (in situations where the facts do not agree with this assumption, a detailed calculation is advised).

7 USER INTERFACE

One of the key features of the new easy to handle risk assessment tool is that it enables the users to do a quick survey of the risk that the pipeline in question poses on the surroundings. This is guaranteed by two aspects: restricting the number of input parameters and maintaining a clearly structured user interface. Therefore, all inputs and outputs are on one screen. On one side are the pipeline and inhabitants parameters. On the other side of the screen a large overview of the site is displayed, which is directly updated upon input of one of the input parameters. Some other buttons are necessary to select the desired criteria for individual and societal risk. When selecting the criteria, the program directly calculates the risks and draws the appropriate individual risk contours on the site map. The pipeline (section) is marked if it exceeds the societal risk criterion. Finally, a report is generated with the conclusions regarding the safety of the site: is this site acceptable in risk terms, or is an advanced risk assessment necessary in this case. In this short report the input parameters and the graphical layout of the site with the selected risk results are presented.

8 OUTPUT

To demonstrate how the outputs of a risk survey with the risk assessment tool can be produced, in this section some examples are shown. For part of a pipeline of Gastransport Services the coordinates and properties are entered in the program. These coordinates and properties lead to the individual risk plotted as the red outer lines in figure 6. In the next step the nearby houses and other buildings are identified. The buildings appear as blue-circled objects. The result is also presented in figure 3.

The societal risk criterion is met in this situation. This leads to the F–N curve in figure 4.

The gas dispersion cloud in case of a rupture of this pipeline is displayed in figure 5. The circular shape indicates where the gas concentration reaches 50% of the lower flammability limit.


Figure 3. Screen output of 10⁻⁶ year⁻¹ individual risk contour.

Figure 4. F–N-curve.


9 CONCLUSIONS

The developed easy-to-use pipeline safety program works very intuitively and enables users to make a quick survey of whether a pipeline fulfils the risk criteria. This can be used in the design phase of a pipeline when an optimal pipeline route needs to be found. By altering the pipeline properties (increasing the wall thickness or depth of cover) the minimum configuration of the pipeline for the studied route can be found. For existing pipelines, when improved failure rate data of the transmission system becomes available, checks can be made whether the safety situation is still up to standards or mitigating measures have to be taken. In case of proposed changes to the surroundings of the pipeline it is possible to check whether the changes comply with the risk regulations. Recommendations for destination plans can be made with the results of the risk study. Especially in a densely populated country such as the Netherlands, and indeed a lot of other countries, this type of calculation is often needed. With the simple but efficient approach of this program a significant amount of valuable time can be saved.

Due to the very advanced failure rate and failure consequence models that are used, a highly reliable though conservative answer can be expected. If the easy-to-use pipeline safety program indicates that the pipeline meets the criteria, then no further risk studies are needed. If the criteria are exceeded, a further risk investigation is recommended. With the PIPESAFE package a full risk assessment can be carried out to determine whether the approach in the easy-to-use tool might be too conservative in that case.

With this approach, this new tool is very useful to fill the gap between simply applying the rules of thumb and carrying out a complete risk assessment.

LITERATURE

[1] Committee for the Prevention of Disasters, Guidelines for Quantitative Risk Assessment CPR18E, 1999.

[2] Committee for the Prevention of Disasters, Methods for the determination of possible damage CPR 16E, 1992.

[3] Nederlands Normalisatie Instituut, NEN 3650 Eisen voor stalen transportleidingen (requirements for steel pipeline transportation systems), 1992.

[4] VROM (Ministry of Housing, Spatial Planning and the Environment), Zonering langs hogedrukleidingen (zoning along high pressure pipelines), 1984.

[5] Acton, M.R., Baldwin, P.J., Baldwin, T.R., and Jager, E.E.R., The development of the PIPESAFE Risk Assessment Package for Gas Transmission Pipelines, Proceedings of the International Pipeline Conference, ASME International, Book No. G1075A-1998.

[6] Eric Jager, Robert Kuik, Jeroen Zanting, Gerard Stallenberg: The Influence of Land Use and Depth of Cover on the Failure Rate of Gas Transmission Pipelines, Proceedings of the International Pipeline Conference IPC02-27158, ASME International, 2002.

[7] Internal Report.


Figure 5. Gas dispersion cloud size.


Towards a qualitative predictive model of violation in transportation industry

Z. Zhang, P. Polet & F. Vanderhaegen, Laboratoire d'Automatique, de Mécanique et d'Informatique industrielles et Humaines (LAMIH), University of Valenciennes, Valenciennes Cedex, France

ABSTRACT: This paper focuses on the prospective analysis of potential violation, called Barrier Removal (BR), with emphasis on transportation applications. Based on BR indicator data in terms of different performance criteria and the corresponding statistics, probabilistic prediction of the removal of a changed/new barrier is implemented. This is called the removal prediction based on a Neural Network model. Moreover, a concept of Erroneous Barrier Removal (EBR) is discussed. EBR can be identified in terms of different performance criteria. The feasibility study on a research simulator is finally illustrated.

1 BARRIER CONCEPT

The risk analysis of a Human-machine system (HMS) contributes to identifying combinations of technical failures and human errors that lead to unwanted events. In order to avoid the occurrence of these events the designers provide the system with means. These means aim at decreasing the event occurrence probability (prevention means) and/or at reducing the event impact (protection means). These means of prevention/protection constitute a set of defence-in-depth (Reason, 90). They are called barriers. A barrier is defined as an obstacle, an obstruction or a hindrance that may either (Hollnagel, 99a):

– Prevent an action from being carried out or a situation from occurring,

– Prevent or lessen the severity of negative consequences.

Four classes of barriers are distinguished:

– Material barriers: barriers that physically prevent an action or limit the negative consequences of a situation,

– Functional barriers: barriers that logically or temporally link actions and situations,

– Symbolic barriers: barriers that require interpretation,

– Immaterial barriers: barriers that are not physically in the work situation.

The barrier concept is common in the field of nuclear safety, but also in other areas (Lars Harms-Ringdahl, 1998). Based on barrier classification, several retrospective accident analyses have been conducted. It is noted that the barrier concept also plays an essential role in system design. Barriers are placed by the designers in order to guarantee a safe space of use. The study of the barriers placed in a HMS can be used to identify the normal functioning mode accepted and prescribed by the designers (Cf. Fig. 1).

Figure 1. Delimitation by the designer of accepted functioning modes, regarding barriers.

Three reasons can explain, in the exploitation phase, the observation of a functioning mode that is non-tolerated from the designer's point of view:

– Lack of barrier: some situations are not considered by the designers and there is no barrier to prevent or protect human operators from a particular event leading to the non-tolerated space.

– Failure of barrier: a barrier is a component of the system that can fail and become non-operational, no longer able to ensure its function.

– Inhibition of barrier: a material or a functional barrier can be deactivated by users, and symbolic or immaterial barriers can be disregarded by users.

This third reason is our subject of study. It refers to the notion of human error.

2 HUMAN BEHAVIOUR FACING BARRIERS

Human error is defined as the result of "actions that exceed some limit of acceptability" (Swain, 83). Reason (90) distinguishes errors such as slips, lapses or mistakes, and violations. The consequence or the occurrence of a slip/lapse/mistake is unintentional, whereas the occurrence or the consequence of a violation is intentional.

From the designer's viewpoint, the inhibition of a barrier can be an error or a violation of users: it is either a non-intentional inhibition (slip, lapse or mistake) or an intentional deviated behaviour (violation). In the first case "traditional" human reliability assessment methods may be used to predict this kind of error. In the second case Polet et al. (2002) propose a model of these violations, so-called barrier crossing¹. A barrier removal is an intentional misuse or disobeying of a barrier provided that adequate conditions are present. The causes of a barrier removal may be:

– A motivation to improve the performance by means of improving the working conditions, or

– A motivation to achieve a triumph over the automation (based on operational experience).

The operational risk of a barrier removal is a combination of the cost of the removal, the immediate benefit after the removal and a possible deficit due to the removal:

– The immediate cost of removal: in order to remove a barrier, the human controller sometimes has to modify the material structure (essentially for material and functional barriers) and/or the operational mode of use (essentially for symbolic and immaterial barriers). This usually leads to an increase in workload, and can also have negative consequences for productivity or quality.

– A barrier removal is goal driven: removing a barrier is immediately beneficial, and the benefits outweigh the costs.

– A barrier that is removed introduces a potentially dangerous situation, so the removal of a barrier also has a possible deficit.

3 REMOVAL PREDICTION OF A CHANGED/NEW BARRIER

To identify the barrier removal (BR) during the analysis of a new barrier or of a new risk, for the designer during the early design phase or in a re-design, a method integrating three different neural network algorithms has been developed (Zhang et al., 2002a):

– In the Unsupervised SOM (Self-Organizing Map; Kohonen, 1990, 2001; Hérault et al., 1994), the input data are the subjective evaluations of benefit, cost and possible deficit in terms of the different performance criteria;

– In the Supervised SOM, the input data are the same as those of the Unsupervised SOM, but with a removal label for the corresponding barrier (Zhang et al., 2002c);

– In the Hierarchical SOM (Zhang et al., 2002a), the input data are the same as those of the Supervised SOM, but the network is realized by classifying the data into parallel subsets according to the characteristics of the human controllers; e.g. experimental BR data may be grouped into several subsets by the controllers' nationalities.

However, the subjective evaluation was made class by class, without considering the differences between the barriers of the same class. The removal prediction is therefore performed for a class of barriers, not for a single barrier. The judgment of whether a barrier will be removed or not is subjective and reflects the traffic controllers' opinion.

In order to study human (un)reliability in the safety and conformity assessment of a transportation system, a systemic analysis approach for the impact of human factors on the Functional Requirements Specification (FRS) is being studied. This approach ultimately provides designers with tools to support the prediction of the removal of a changed/new barrier. It should be able to deal not only with the subjective judgment according to the BR indicators, but also with objective data on the performance criteria.

3.1 Reconfiguration of the BR indicator data

During the identification of the final removal result, a barrier was judged “removed” as soon as one barrier of the same class was removed. Some controllers removed a small number of signals and others removed all signals of the same class; both cases were previously identified as “removed”. For example, it was observed that arrival signals at the depots were always removed, whereas the ones for departure movements were sometimes respected, and both were considered as the same barrier. Within the same barrier class, different controllers can remove a different number of barriers.

In order to make the prediction of the removal of a changed/new barrier as close as possible to its objective result, the subjective evaluations in terms of the different performance criteria are now made barrier by barrier. Fig. 2 shows the structure of the input data during SOM learning and removal prediction.

In the figure, the horizontal axis carries the different BR indicators in terms of the different performance criteria. In the mono-performance mode (Zhang et al., 2002b) the horizontal direction can be, for instance, criterion 1: workload-benefit, criterion 2: workload-cost, criterion 3: workload-deficit (for the Supervised SOM there is also criterion 4: the result of removal); on the vertical axis, all scenarios are listed. Each controller can remove several classes of barriers, and (s)he can remove different barriers within the same class as well.

3.2 Discovering and memorising the similarities between all BR scenarios

The similarities between all BR scenarios can be discovered and memorised by training suitable neural networks. SOM networks are used in this paper.

The SOM consists of two layers: the input layer and the competitive layer (output layer), which is usually a two-dimensional grid. The two layers are fully interconnected. The input layer has as many neurons as there are indicator data (e.g. the workload-based criteria: workload-benefit, workload-cost, workload-possible deficit). Let m be the number of neurons in the input layer and n the number of neurons in the output layer, arranged in a hexagonal pattern (see Fig. 3). Each neuron in the input layer is connected to each neuron in the output layer, so each output neuron has m connections to the input layer, and each connection carries a synaptic weight. Let $W_j$ be the weight vector of the connections between the m input neurons i = 1, …, m and one output neuron j = 1, …, n. The neurons of the map are connected to adjacent neurons by a neighbourhood relation. Each output neuron k is thus represented by an m-dimensional prototype vector $W_k = [W_{k1}, …, W_{km}]$, k = 1, …, n. On each learning step, a data sample is selected and the nearest unit, the best-matching unit (BMU, i.e. the output-layer neuron whose weight vector is closest to the input vector), is found on the map. The prototype vectors of the BMU and of its neighbours on the grid are moved towards the sample vector.

Based on the learning in terms of indicator data, removal predictions can be made prospectively for a changed/new barrier (for more detail, see Zhang et al., 2002c).

Fig. 4 gives a structural illustration of the statistics on the BR indicator data. The removal probability/frequency of a barrier corresponding to a combination of the different indicator parameters can be obtained.

Based on the data on the different BR indicators and the corresponding removal probabilities/frequencies, the probabilistic similarities between all input scenarios can be found and memorised by training the neural network with the input data matrix. Based on these statistical data and on the perception data on the removal of barriers, removal predictions can be made for the changed/new barriers. The prediction result is the removal state (removed or not removed) together with the corresponding probability.

Figure 2. Structure of the input data of BR.

Figure 3. Graphical illustration of a SOM architecture.

Note that the data sources for the learning of the connectionist network may belong to either of two categories: the human-machine system itself, and system simulators (Hollnagel et al., 1981). Within each of these categories several types can be distinguished. For instance, the following distinct sources of data could be considered:

– Routine event reports, including near-miss reports, incident/accident reports, etc.
– Audit and inspection reports, interviews.
– Training simulator data (if any exist).
– Research simulators.
– Etc.

Research simulator data (data from TRANSPAL) are used in this paper. Based on the learning phase, removal predictions can be made for the changed/new barriers.

4 ILLUSTRATION ON TRANSPAL

4.1 Research simulator

TRANSPAL (Vanderhaegen et al., 2002) is an experimental platform developed in order to study barrier removal (cf. Fig. 5). The platform simulates the movement of pallets on a railway system from depots to several workstations. Several barriers were defined:

– Depot, station and switching device signals. These signals are red to stop a pallet or green to authorize it to move. When a pallet has passed the signal, the signal light has to be put back to red.

– Minimum distance control. It is prohibited to authorize a pallet movement if the separation between this pallet and another one is under a defined distance.

– Switching control. It is prohibited to operate a switching device if there is a train moving on the corresponding route.

Two experiments are planned:

– One with all the designed barriers,
– One with the barriers selected by the human controller who controls the traffic.

Several performances will be considered:

– The respect of the scheduled time,
– The synchronisation of the announcement before arriving into and leaving from a workstation,
– The traffic safety,
– The human workload in terms of number of actions.

After each experiment, a questionnaire focuses on the evaluation of the interest of all barriers in terms of benefit, cost and potential deficit.

4.2 Removal prediction of the probabilistic similarities for a changed/new barrier

Figure 4. Illustration of the statistics on the BR indicator data.

In order to verify the feasibility of the proposed model, the depot signals, shunting signals and stop signals at the transformation area (see Fig. 5) are considered as the existing barriers, and the fourth barrier, the flow signals, is taken as a barrier that needs to be changed or as a new barrier for this system.

Along the experiment schedule, the data from 22 controllers who performed the experiment on TRANSPAL have been studied. Their data for the previous three barriers and the respective removal probabilities were gathered to implement the learning of constraint-based similarity.

In this application, the Supervised SOM is used as the connectionist network for discovering and memorising the similarities between all BR scenarios. Previously, the subjective evaluations were made class by class, so the prediction was performed for a class of barriers rather than for a single barrier. However, there are differences between the barriers of the same class: as Table 1 shows, the removal probabilities differ between the arrival signals of pallets (No. 2, No. 72, No. 93) and the departure ones (No. 1, No. 71, No. 94). The learning of the Supervised SOM is therefore performed in terms of the different performance criteria by inputting the BR indicator data for each individual barrier.

Once the learning phase is completed, the data in terms of removal indicators for the new barrier, each flow signal at the transformation area, are input into the network, and the removal probability for this barrier is given one by one for each controller.

Table 2 gives an example of the removal prediction results, i.e. the predicted removal probability for a new barrier, together with the actual results in terms of the respect of the scheduled time. The “observation” column is the result observed during the experiment. In the “removal probability” column, for controller No. 5 for instance (cf. Table 2), the predicted state agrees with the observed result (removed) and the removal probability predicted from the BR indicators is 83.3%.

The removal prediction accuracy is defined as:

(1)

where N(s) is the number of scenarios whose predicted removal status is the same as the observed one, and N(ji), i = 1, …, m, is the total number of scenarios whose removal results have been predicted.

The prediction accuracy of the example in Table 2 is 59.1%. Note that not only the predicted removal state for a changed/new barrier can be given, but also its relative removal probability. In Table 2, some removal probabilities are marked “–”, because no such cases occurred in the statistics for the former three barriers during the learning of the SOM network.
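The SOM learning step described in Section 3.2 (BMU search and neighbourhood update), its supervised use with removal labels, and the prediction accuracy of Eq. (1) above, as an added example written for this edition and not code from the paper. The learning scenarios below are constructed, not TRANSPAL measurements; the normalisation of the indicators to [0, 1], the rectangular grid used in place of the paper's hexagonal one, the decay schedules, and the rule that the predicted probability is the removal frequency at the BMU are assumptions. The 22 Table 2 rows are transcribed from the paper and reproduce its 59.1% accuracy.

```python
"""Removal prediction with a small self-organizing map (added example, not the
paper's code). Each scenario is one (controller, barrier) pair scored on the
three workload-based BR indicators of Section 3.2; scores are assumed to be
normalised to [0, 1]. The supervised variant also stores the observed removal
label of every learning scenario."""
import math
import random

CRITERIA = ("workload-benefit", "workload-cost", "workload-deficit")


def make_scenarios(n_per_class=12, seed=3):
    """Constructed learning sample (not TRANSPAL data): 'removed' scenarios have
    high benefit / low cost / low deficit, 'not removed' ones the opposite."""
    rng = random.Random(seed)

    def jitter(value):
        return value + rng.uniform(-0.1, 0.1)

    xs, removed = [], []
    for _ in range(n_per_class):
        xs.append([jitter(0.8), jitter(0.2), jitter(0.2)]); removed.append(1)
        xs.append([jitter(0.2), jitter(0.8), jitter(0.8)]); removed.append(0)
    return xs, removed


def bmu(weights, x):
    """Index of the best-matching unit: the prototype vector closest to x."""
    return min(range(len(weights)),
               key=lambda k: sum((w - v) ** 2 for w, v in zip(weights[k], x)))


def train_som(xs, grid=(4, 4), epochs=300, seed=7):
    """Kohonen learning: on every step move the BMU and its grid neighbours
    towards the sample. A rectangular grid replaces the paper's hexagonal one
    and the decay schedules are assumptions."""
    rng = random.Random(seed)
    m, n = len(xs[0]), grid[0] * grid[1]
    pos = [(k // grid[1], k % grid[1]) for k in range(n)]
    weights = [[rng.random() for _ in range(m)] for _ in range(n)]
    radius0 = max(grid) / 2.0
    for epoch in range(epochs):
        t = epoch / epochs
        alpha = 0.5 * (1.0 - t) + 0.01        # learning rate decays over time
        radius = radius0 * (1.0 - t) + 0.5    # neighbourhood shrinks over time
        for x in rng.sample(xs, len(xs)):
            b = bmu(weights, x)
            for k in range(n):
                d2 = (pos[k][0] - pos[b][0]) ** 2 + (pos[k][1] - pos[b][1]) ** 2
                h = math.exp(-d2 / (2.0 * radius * radius))   # neighbourhood kernel
                if h < 1e-3:
                    continue
                weights[k] = [w + alpha * h * (v - w) for w, v in zip(weights[k], x)]
    return weights


def unit_statistics(weights, xs, removed):
    """Supervised step: removal labels of the learning scenarios mapped to each unit."""
    stats = {}
    for x, r in zip(xs, removed):
        stats.setdefault(bmu(weights, x), []).append(r)
    return stats


def predict_removal(weights, stats, x):
    """Predicted removal probability of a new scenario: the removal frequency
    at its BMU. None corresponds to the '-' entries of Table 2: no learning
    scenario was mapped to that unit, so no statistics exist for it."""
    hits = stats.get(bmu(weights, x))
    if not hits:
        return None
    return sum(hits) / len(hits)


def prediction_accuracy(pairs):
    """Eq. (1): share of scenarios whose predicted state equals the observed one."""
    matches = sum(1 for observed, predicted in pairs if observed == predicted)
    return matches / len(pairs)


# (observed, predicted) removal state of the 22 controllers, transcribed from
# Table 2 of the paper (True = removed).
TABLE2 = [(False, True), (False, True), (False, True), (False, False),
          (True, True), (True, False), (True, True), (False, True),
          (True, True), (False, False), (True, True), (False, True),
          (False, True), (True, True), (False, False), (False, True),
          (False, False), (True, True), (True, True), (True, True),
          (False, True), (True, True)]

if __name__ == "__main__":
    xs, removed = make_scenarios()
    som = train_som(xs)
    stats = unit_statistics(som, xs, removed)
    print("removed-type scenario     ->", predict_removal(som, stats, xs[0]))
    print("not-removed-type scenario ->", predict_removal(som, stats, xs[1]))
    print("Table 2 accuracy (Eq. 1)  -> %.1f%%" % (100 * prediction_accuracy(TABLE2)))
```

Running the block trains the map on the constructed scenarios, prints the prediction for one scenario of each cluster and evaluates Eq. (1) over the Table 2 rows. A scenario whose BMU received no learning sample yields None rather than a probability, which is the situation behind the “–” entries of Table 2; a practitioner should treat such a unit as “no evidence” and not as a 0% removal probability.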

Figure 5. The TRANSPAL platform.

5 TOWARDS A PREDICTION OF “ERROR OF VIOLATION”

Similarities between different barrier classes have been studied (Zhang et al., 2002b). The prediction of removal and of removal probabilities for a changed/new barrier was then implemented in the above subsection. There are two sets of barriers in the prediction: a set of non-removed barriers and a set of removed barriers. If we focus on the latter, i.e. the removal set, both correct and erroneous removals of barriers will be met.

The motivation to remove a barrier, i.e. to commit a violation, can be erroneous, e.g. when there is a difference between the perceived benefit, cost and potential deficit and the real benefit, cost and potential deficit. There is therefore an “error of violation”, or a difference between the viewpoints of several references such as designers and users.

5.1 Correct and erroneous barrier removal

In order to decide about an error, it is essential to define a reference. Two references are commonly used:

– The prescribed task,
– The result of the activity.

With the first reference, a human operator commits an error when (s)he does not respect the prescriptions (usually procedures). With the second reference, the operator commits an error when (s)he does not obtain the expected result.

Moreover, the status of an error depends on the “judge”. For instance, an action may be considered as an error by the designer but as a correct action by the user.

Table 1. The removal probabilities of all 45 barriers studied (22 controllers).

Class              Barrier   Total removed   Removal probability (%)
Depot signals      No. 2     18              81.8
                   No. 72    19              86.4
                   No. 93    19              86.4
                   No. 1     13              59.1
                   No. 71    11              50.0
                   No. 94     9              40.9
Flow signals       No. 13    10              45.5
                   No. 14     3              13.6
                   No. 15     3              13.6
                   No. 19     4              18.2
                   No. 20     3              13.6
                   No. 21     8              36.4
                   No. 52     9              40.9
                   No. 53     4              18.2
                   No. 54     3              13.6
                   No. 58     3              13.6
                   No. 59     3              13.6
                   No. 60     9              40.9
                   No. 79     3              13.6
                   No. 80     4              18.2
                   No. 81     8              36.4
                   No. 91     9              40.9
                   No. 92     3              13.6
                   No. 95     1               4.5
Shunting signals   No. 11     6              27.3
                   No. 12    11              50.0
                   No. 28     6              27.3
                   No. 29     6              27.3
                   No. 30    12              54.5
                   No. 33     7              31.8
                   No. 42     6              27.3
                   No. 43     5              22.7
                   No. 44     6              27.3
                   No. 45     6              27.3
                   No. 67     6              27.3
                   No. 68    15              68.2
Stop signals       No. 16     1               4.5
                   No. 17     0               0.0
                   No. 18     0               0.0
                   No. 55     0               0.0
                   No. 56     0               0.0
                   No. 57     0               0.0
                   No. 82     0               0.0
                   No. 83     0               0.0
                   No. 84     0               0.0

Table 2. Example of removal prediction results of the removal probability for a new barrier.

Controller   Observation   Removal state prediction   Removal probability prediction (%)
No. 1        Not removed   Removed                    83.3
No. 2        Not removed   Removed                    –
No. 3        Not removed   Removed                    54.2
No. 4        Not removed   Not removed                44.4
No. 5        Removed       Removed                    83.3
No. 6        Removed       Not removed                –
No. 7        Removed       Removed                    83.3
No. 8        Not removed   Removed                    83.3
No. 9        Removed       Removed                    83.3
No. 10       Not removed   Not removed                50.0
No. 11       Removed       Removed                    44.4
No. 12       Not removed   Removed                    54.2
No. 13       Not removed   Removed                    –
No. 14       Removed       Removed                    –
No. 15       Not removed   Not removed                50.0
No. 16       Not removed   Removed                    –
No. 17       Not removed   Not removed                –
No. 18       Removed       Removed                    16.7
No. 19       Removed       Removed                    –
No. 20       Removed       Removed                    50.0
No. 21       Not removed   Removed                    8.3
No. 22       Removed       Removed                    50.0

Following the definition of barrier removal, it is an error, and more precisely a violation, from the designer's viewpoint. From the user's viewpoint the barrier removal is not necessarily a negative violation. The barrier removal model proposed by Polet et al. (2001) defines it as a behaviour motivated by an improvement of the performance. The performance can be evaluated considering several criteria such as the workload of the human operator, safety, quality, productivity, etc. The barrier removal can be seen as a gamble: if it is a success, the human operator does not consider it as an error. The barrier removal is an error from the user's viewpoint when it leads to an unexpected result. So two kinds of barrier removal can be distinguished:

– Correct barrier removals: from the designer's viewpoint they are violations, but from the user's viewpoint they are correct barrier removals because they lead to the expected result;

– Erroneous barrier removals: they are also violations from the designer's viewpoint, and from the user's viewpoint they are intended behaviours with intended actions that lead to negative and unexpected consequences.

It is important to note that an erroneous barrier removal is not necessarily considered as an error by the user. For instance, a barrier removal (BR) can objectively lead to a decrease of the performance, so it is an erroneous barrier removal (EBR), but the user may subjectively estimate that the result of this barrier removal contributes to an improvement. In this case there is an error of perception or an error of assessment on the user's side.

5.2 Towards a predictive model of EBR

Violations do not solely lead to undesired events. They are actions that intentionally break procedures (Parker et al., 1995; Reason, 1987), e.g. aiming at easing the execution of a given task. When they are coupled with a valid mental model, they can ensure or even increase the safety level of a system (Besnard & Greathead, 2002). Correct and erroneous violations can be seen as the two facets of the same coin. Keeping this paradox in mind, the probability of erroneous removal of a barrier can be given as follows,

(2)

where CBR means correct BR. During the identification of the EBR, the removal evaluation of a barrier should be implemented with not only subjective data (the subjective evaluation of benefit, cost and possible deficit of the BR), but also objective data on the controller's performance (e.g. productivity, quality, safety and workload).

By comparing the subjective removal evaluation with the objective performance variation, the statistics on EBR can be established in terms of the different performance criteria.

The similarity of BR can be found and then memorised in a connectionist network for a given HMS in terms of the mono-performance mode and the multi-performance mode (Zhang et al., 2002b). Furthermore, the probabilistic similarities can be provided by adding the relevant statistical data to the connectionist network (see Section 3). In the same way, the statistical similarities between all input scenarios can be found and memorised through the learning of a connectionist network with the data on the different BR indicators and the corresponding EBR statistics (as a supplementary criterion in Fig. 2).

The learning by the connectionist network corresponds to the right-hand part of Fig. 6. Based on the learned statistical similarities, predictions of EBR can be made for the changed/new barriers.

The identification of the EBR can be helpful for:

– The designer, as a predictive analysis support tool for the (re)design of the changed/new barriers.

– The human controller, as a decision-making support when facing the removal of a barrier.

– The regulatory authorities as verification means.

The ultimate goal is, in each period of defence-in-depth, to reduce the probability of EBR by:

– Reducing the benefit of the removal of a barrier, by increasing its cost and possible deficit.

– Making the human controller's perception of the benefit low and of the cost and possible deficit high, e.g. by improving the human-machine interface and reducing perception errors.

– Surveillance or monitoring of the states of the barriers in terms of benefit, cost and possible deficit.

– Protection and mitigation measures for erroneous BR.

Figure 6. The predictive model of EBR.

5.3 Identification of EBR

The EBR can be distinguished from the correct BR by comparing the performance variation of the human controller (between prior to removal and after removal). Table 3 gives an example of the identification of EBR based on the variation between the subjective judgment and the objective sources.

In the first case, the subjective judgment and the objective sources agree (e.g. “respect of scheduled time” in Table 3): there is no variation between them, so no EBR is identified.

In the second case, there is an improvement according to the subjective judgment, so the controller removes the barrier, but there is a degradation according to the objective sources; this is considered as an EBR.

In the third case (see “traffic safety” in Table 3), the controller removes the barrier even though (s)he assesses that there will be a degradation, whereas in fact there is an improvement according to the objective sources. It is marked as “additional” in the table.

From the overall viewpoint of the experiment, the number of EBR can be identified with the above assessment. Table 4 provides the EBR statistics in terms of the different performance criteria. In the future, EBR statistics can be integrated as a supplementary criterion (cf. Fig. 2) into the learning of the connectionist network, so that the prediction of EBR can ultimately be realized.

6 CONCLUSIONS

The paper presents a prospective approach aiming at predicting the removal of a changed/new barrier. The approach is based on a neural network model that integrates data on the removal of barriers into a learning phase. The predictive results include the removal state as well as its removal probability: they indicate whether a changed/new barrier will be removed, and the certainty level of this removal is given by a probability. A feasibility study on the research simulator TRANSPAL is illustrated.

Erroneous and correct barrier removals are then discussed and distinguished with respect to the viewpoints of designers and users. The concept of EBR is thus established, and an example of the identification of EBR is provided.

It should be noted that EBR should be identified in terms of the different performances. As a supplementary criterion in Fig. 2, EBR statistics can be integrated into the learning of the connectionist network, so that the prediction of EBR can finally be implemented. The ultimate goal is to try to reach an “EBR-free” system.

As regards applications in the transportation industry, there are two stages: the study on the research simulator TRANSPAL in this paper is the first stage; the second stage is the application of the proposed model to the general safety conceptual approach and guidelines for the FRS in the UGTMS project.

ACKNOWLEDGEMENT

This work is part of the European framework project Urban Guided Transport Management System (UGTMS), funded by the European Commission under the transport R&D programme of the 5th Framework Programme (contract no. GRD2-2000-30090).

REFERENCES

Besnard, D. & Greathead, D. 2002. A cognitive approach to safe violations. Cognition, Technology and Work, in review.

European Commission, 2002. Deliverable D1, First report for a preliminary definition of UGTMS, GROWTH GRD2-2000-30090-UGTMS.

Table 3. Illustration of the identification of EBR (+ improvement, − degradation).

Performance criteria            Subjective judgment   Objective sources   Variation   Identification of EBR
Respect of scheduled time       same                  same                None        –
Percentage of product treated   +                     −                   Yes         EBR
Traffic safety                  −                     +                   Yes         Additional
Number of actions               same                  same                None        –

Table 4. EBR statistics in terms of the different performance criteria.

Performance criteria   Total variation   EBR       Additional
Quality                11 (55%)          4 (20%)   7 (35%)
Productivity           17 (85%)          5 (25%)   12 (60%)
Safety                 12 (60%)          4 (20%)   8 (40%)
Workload                8 (40%)          0 (0%)    8 (40%)

Free, R. 1994. The role of procedural violations in railway accidents. Ph.D. Thesis, University of Manchester.

Harms-Ringdahl, L. 1998. Proc. of Society for Risk Analysis – Europe. The 1998 annual conference: Risk analysis: Opening the process. Paris.

Hérault, J. et al. 1994. Réseaux neuronaux et traitement du signal, Hermès, Chapitre VII, p. 173–204.

Hollnagel, E. 1999a. Accident and barriers. In: Proc. of the 7th European Conference on Cognitive Science Approaches to Process Control, Villeneuve d'Ascq, France, p. 175–180.

Hollnagel, E. 1999b. Accident analysis and barrier functions. Report of the project TRAIN, Version 1.0, Sweden.

Hollnagel, E., Pedersen, O. M. & Rasmussen, J. 1981. Notes on Human Performance Analysis, RISO-M-2285, DK-4000, Riso National Laboratories, Roskilde, Denmark.

Kohonen, T. 2001. Self-Organizing Maps. Springer-Verlag, Third edition, Berlin, Heidelberg, Germany.

Kohonen, T. 1990. The self-organizing map. In: Proc. of the IEEE 78(9):1464–1480.

Parker, D., Reason, J., Manstead, S. R. & Stradling, S. G. 1995. Driving errors, driving violations and accident involvement. Ergonomics, 38, 1036–1048.

Polet, P. 2002. Modélisation des Franchissements de Barrières pour l'Analyse des Risques des Systèmes Homme-Machine, Thèse de l'Université de Valenciennes, France.

Polet, P., Vanderhaegen, F. & Wieringa, P.A. 2002a. Theory of safety-related violations of system barriers. Cognition, Technology and Work, (2002) 4:171–179.

Polet, P., Vanderhaegen, F., Millot, P. & Wieringa, P. 2001. Barriers and risk analysis. In: Proc. of the 8th IFAC/IFIP/IFORS/IEA Symposium on Analysis, Design and Evaluation of Man-Machine Systems, Kassel, Germany.

Polet, P., Vanderhaegen, F., Amalberti, R. 2003. Modeling border-line tolerated conditions of use (BTCUs) and associated risks. Safety Science. Vol 41, Issues 2–3, March 2003, pp. 111–136.

Reason, J. 1990. Human error. Cambridge University Press, New York.

Reason, J. 1987. Chernobyl errors. Bulletin of the British Psychological Society, 40, 201–206.

Swain, A.D. & Guttmann, H.E. 1983. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278.

Valancogne, J. & Nicolet, J.L. 2002. Defence-in-depth: a new systematic and global approach in socio-technical system design to guarantee better the timelessness safety in operation. In: Proc. of lm13/Esrel2002, Lyon, France. p. 298–305.

Vanderhaegen, F., Polet, P., Zhang, Z. & Wieringa, P.A. 2002. Barrier removal study in railway simulation, PSAM 6, Puerto Rico, USA.

Vanderhaegen, F. 2001. A non-probabilistic prospective and retrospective human reliability analysis method – application to railway system. Reliability Engineering and System Safety 71(1):1–13.

Zhang, Z. & Vanderhaegen, F. 2002a. A method integrating Self-Organizing Maps to predict the probability of Barrier Removal. C. Warren Neel Conference on the New Frontiers of Statistical Data Mining and Knowledge Discovery, Knoxville, Tennessee, USA, June 22–25, 2002. In press, Chapman & Hall/CRC.

Zhang, Z., Polet, P., Vanderhaegen, F. & Millot, P. 2002b. Towards a method to analyze the problematic level of Barrier Crossing. In: Proc. of lm13/Esrel2002, Lyon, France. p. 71–80.

Zhang, Z., Polet, P., Vanderhaegen, F. & Millot, P. 2002c. Artificial Neural Network for Violation Analysis. Reliability Engineering and System Safety. In review.


Safety and Reliability – Bedford & van Gelder (eds)© 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Measuring the reliability importance of components in multi-state systems

E. Zio & L. Podofillini
Department of Nuclear Engineering, Polytechnic of Milan, Italy

ABSTRACT: Several concepts of importance measures have been proposed and used in system engineering, based on different views of the influence of the components on the system performance. The standard definitions of importance measures hold for binary components in binary systems (i.e., the components, as well as the whole system, can only be in two states: working or failed). However, a multi-state modelling of components and systems is often required in practice.

In this paper, the most frequently used importance measures are generalized to the case of multi-state systems made of multi-state components. The introduced extensions characterize the importance of a component achieving its different possible levels of performance with respect to the overall mean multi-state unavailability.

The work is methodological in nature. An illustrative example is provided with regard to a simple multi-state system.

1 INTRODUCTION

Importance measures (IMs) are widely used in system engineering to identify the components that most influence the system behaviour with respect to reliability as well as to safety. The information provided by importance measures gives useful insights for the safe and efficient operation of the system, allowing the analyst to trace system bottlenecks and providing guidelines for effective system improvement.

Different definitions of IMs exist in the literature, based on different views of the influence that components may have on the system performance. The Birnbaum measure, the Fussell-Vesely measure, the risk achievement worth and the risk reduction worth are some of the most frequently used [Birnbaum 1969, Fussell 1975, Cheok et al. 1998, Vasseur & Llory 1999, van der Borst & Shoonakker 1999, Borgonovo & Apostolakis 2001].

Importance measures have typically been applied to systems made up of binary components (i.e., components which can be in two states: working and failed). This hypothesis does not fit the real functioning of many systems, such as those employed, for example, in production and transportation engineering. For such systems, an overall performance measure is defined and, depending on the operating conditions of the multi-state components, the system may work at, say, 100%, 80% or 50% of its nominal performance capacity.

Systems characterized by different levels of performance are referred to as Multi-State Systems (MSS) [Levitin & Lisnianski 1999].

It is worth pointing out, as a limiting situation, that in practice there are systems whose performance may be characterized in terms of an infinite set of continuous states. This is, for example, the case of the passive systems whose use is increasingly advocated in the new generation of nuclear power plants and whose physical behaviour dictates the system performance, much in a continuous fashion.

Recently, efforts have therefore been made to evaluate the importance of components of multi-state systems. For example, in [Levitin & Lisnianski 1999] the Birnbaum measure is extended to the case of multi-state systems composed of binary components; in [Armstrong 1997] the case of components with dual failure modes is considered.

In this paper, the most frequently used IMs are generalized to multi-state systems made of multi-state components. The introduced extensions characterize the importance of a component achieving a given level of performance with respect to the overall mean multi-state unavailability. It is noteworthy that the introduced measures are directly extendable to continuous-state systems and components.

The paper is organized as follows. In Section 2, we introduce the concepts of availability and performance of multi-state systems. In Section 3, the classical importance measures are briefly summarized. Then, in Section 4, we propose the extension of these IMs to multi-state systems made up of multi-state components. A numerical example is provided in Section 5 to illustrate the informative content of the proposed extended measures. As the system modelling tool, we resort to the Monte Carlo (MC) method which, in principle, allows handling many realistic issues of multi-state system dynamics [Marseguerra & Zio 2002]. We close the paper with some remarks and suggestions for future work.

2 MULTI-STATE SYSTEM AVAILABILITY

When applied to MSS, the concept of availability is related to the capacity of the system to meet a required demand. In the following, the formal definition of MSS availability is given [Levitin et al. 1998].

Consider a system made up of NC components. Each component i may be in one of NS(i) states, i = 1, 2, …, NC. The system is characterized by a set S of Nsys states:

(1)

Concerning the generic i-th component, each state is characterized by a different level of performance. We number the states of component i according to decreasing performance levels, from state 1 (100%) to state NS(i) (0%), and denote by $w_i^{j_i}$ the performance of component i when operating in state $j_i$, $j_i = 1, 2, …, NS(i)$. Concerning the whole system, let $W_j$ denote its performance level when in state $j = (j_1, j_2, …, j_{NC})$.

In practice, some systems are requested to operate at different performance levels at different times. For example, the production of electrical and thermal power plants follows the daily and seasonal load demands. Assume that at time t a minimum level of system performance W*(t) is required to meet the current demand. The system availability, usually defined in terms of the system safe state, is generalized according to whether its performance is larger or smaller than W* (for ease of notation, in the writing we shall often neglect the dependence on t). Then, the MSS availability A_MSS(W*, t) of the system at time t is the probability that at that time the system is in any state j with performance W_j ≥ W*. If the probability that at time t the system is in state j is denoted by P_j(t), the availability is:

(2)

Obviously, the MSS unavailability U_MSS(W*, t) is:

(3)

3 IMPORTANCE MEASURES

With reference to a given risk metric R (e.g. the unavailability), the standard definition of importance measures holds for binary systems constituted by binary components. In our notation this implies NS(i) = 2 and ji = 1, 2, i = 1, 2, …, NC. Coherently with our ordering of component states, we assume that for each component i, state ji = 1 is the working state (100% of performance) and ji = 2 is the failed state (0% of performance).

For the definition of the IMs, it is useful to introduce the following quantities:

R^+_i(t) = R[t | ji = 2 in (0, t)]: value of the risk metric R when component i has been in its failed state ji = 2 throughout the time interval (0, t). It represents the maximum risk achievement if component i is considered failed with certainty and permanently, or, which is equivalent, removed from the system.

R^-_i(t) = R[t | ji = 1 in (0, t)]: value of the risk metric R when component i remained in the working state ji = 1 throughout the time interval (0, t). It represents the maximum reduction in risk if component i is considered perfect, i.e. always in the working state.

The definition of four of the most frequently used IMs is here recalled with reference to the generic i-th component [Cheok et al. 1998]:

– Risk achievement worth

(4)

The risk achievement worth is the ratio of the risk when component i is considered always failed in (0, t) (i.e. in state 2) to the actual value of the risk.

– Risk reduction worth

(5)

The risk reduction worth is the ratio of the nominal value of the risk to the risk when component i is always available (i.e. in state 1). It measures the potential of component i in reducing the risk, by considering the maximum decrease in risk achievable when optimising the component to perfection.

– Fussell-Vesely measure

(6)

The Fussell-Vesely measure represents the maximum fractional decrement in risk achievable when component i is always available.

– Birnbaum measure

(7)

The Birnbaum measure is the maximum variation of the risk when component i switches from the condition of perfect functioning to the condition of certain failure. It is a differential measure of the importance of component i.

4 MSS UNAVAILABILITY IMPORTANCE MEASURES

Considering a multi-state system and a given required performance function over the mission time Tm, W*(t), t ∈ (0, Tm), we introduce the mean multi-state unavailability, Ū_MSS(W*):

(8)

Furthermore, with reference to the generic i-th component of the system, i = 1, 2, …, NC, we introduce:

Σ^α_i: the set of those states of component i characterized by a performance level below or equal to α;

Σ̄^α_i: the set of those states of component i characterized by a performance level above α (complement set of Σ^α_i);

Ū^i_{MSS,≤α}(W*) = Ū_MSS(W* | ji ∈ Σ^α_i in (0, Tm)): mean MSS-unavailability when the performance of the i-th component is restricted to be below or equal to α (i.e., ji ∈ Σ^α_i in (0, Tm));

Ū^i_{MSS,>α}(W*) = Ū_MSS(W* | ji ∈ Σ̄^α_i in (0, Tm)): mean MSS-unavailability when the performance of the i-th component is restricted to be above α (i.e., ji ∈ Σ̄^α_i in (0, Tm)).

Note that the values of the above mean MSS-unavailabilities are within the closed interval [0, 1] and that the above definitions hold also for continuous-state components and systems. In the latter case of continuous states, the α-level can continuously assume any intermediate value within its range (e.g. α ∈ [0%, 100%]) and the state indicator variable ji can vary continuously within the continuous sets Σ^α_i, Σ̄^α_i and Σ_i = Σ^α_i ∪ Σ̄^α_i.

Given the above definitions, we extend the standard IMs for binary systems to the case of multi-state systems (for simplicity of notation, the inherent dependence on W* of Ū^i_MSS(W*), Ū^i_{MSS,≤α}(W*) and Ū^i_{MSS,>α}(W*) is omitted):

– Unavailability achievement worth of α-level

(9)

The numerator represents the mean MSS-unavailability of the system over the mission time Tm when component i evolves only through states with performance below, or at most equal to, α, i.e. ji ∈ Σ^α_i in (0, Tm); the denominator represents the mean MSS-unavailability with all components freely evolving through all their possible states (i.e. the real system mean unavailability).

The ua^i_{MSS,α} depends on the mean unavailability achieved by the system when component i is obliged to operate with a performance at most equal to α in (0, Tm). Thus, ua^i_{MSS,α} is a measure of the importance, with respect to system performance unavailability, of the fact that component i assures at least a level α of performance.

– Unavailability reduction worth of α-level

(10)

The numerator is the MSS mean unavailability over Tm when all states can be reached by the components; the denominator represents the MSS mean unavailability when component i evolves only through states with performance above α, i.e. ji ∈ Σ̄^α_i in (0, Tm). Hence, ur^i_{MSS,α} represents the reduction in MSS mean unavailability (i.e. the improvement in MSS mean availability) which can be achieved when the output performance of component i is maintained above level α.

– Fussell-Vesely unavailability measure of α-level

(11)

The Fussell-Vesely measure is the ratio of the decrement in the mean multi-state system unavailability due to component i operating with a level of performance above α in (0, Tm) to the nominal value of the mean unavailability. Also in the case of multi-state systems, uFV^i_{MSS,α} and ur^i_{MSS,α} produce the same ranking of component importance.


– Birnbaum unavailability measure of α-level

(12)

The Birnbaum measure is the maximum change in system mean unavailability over Tm when the performance of component i is changed from always below or equal to the α-level to always above the α-level of performance.

When continuous-state components and systems are considered, the above definitions are still applicable: in such case, the importance measures ua^i_{MSS,α}, ur^i_{MSS,α}, uFV^i_{MSS,α} and uB^i_{MSS,α} are continuous functions of the α-level.

5 NUMERICAL EXAMPLE

5.1 System description

Let us consider a system made up of a series of Nn = 2 macro-components (nodes), each one performing a given function (Figure 1). Node 1 is constituted by Np(1) = 2 components in parallel logic, whereas node 2 is constituted by a single component (Np(2) = 1) so that the overall number of components in the system is NC = 3. The mission time Tm is 1000 hours.

For each component i = 1, 2, 3 there are NS(i) = 5 possible states, each one corresponding to a different hypothetical level of performance w^i_{ji}, ji = 1, 2, …, 5. Table 1 gives the values of the performances w^i_{ji} (in arbitrary units) of the three components in correspondence of all the possible states ji = 1, 2, …, 5. Note that state 5 corresponds to zero performance, i.e. component failure.

Each component is assumed to move stochastically from one state ji to another state ki, according to exponential time distributions with rate λ^i_{ji→ki} (h^-1). For each component i = 1, 2, 3, we then have a transition matrix Λ^i of the values of the transition rates:

(13)

The output performance W_j associated to the system state j = (j1, j2, …, jNC) is obtained on the basis of the performances w^i_{ji} of the components constituting the system. More precisely, we assume as in [Levitin & Lisnianski 1998] that the performance of each node l, constituted by Np(l) elements in parallel logic, is the sum of the individual performances of the components and that the performance of the two-node series system is that of the node with the lowest performance, which constitutes the "bottleneck" of the system. For example, with reference to the system configuration j* = (1, 3, 2), the first node is characterized by a value of the performance equal to w^1_1 + w^2_3 = 120, while the second node has performance w^3_2 = 75. This latter node determines the value of the system performance W_{j*} = 75.

To catch the complex dynamics of multi-state systems, a Monte Carlo simulation code has been developed in Fortran. The simplifying assumption of exponentially distributed transition times is not a limitation of the approach but simply allows us to obtain analytical solutions in a simplified case of binary components, for verification of the code.
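To make the definitions of Section 4 concrete on the Figure 1 system, here is an added Python example (not the authors' Fortran code): it enumerates all 125 system states, evaluates the MSS unavailability for a required W* and computes the four α-level measures by confining component i to Σ^α_i or to its complement, returning None in the anomalous case where the complement is empty. The per-component state probabilities are constructed and time-independent, so the numbers do not reproduce the paper's Table 4; with α = 0 the measure ua reduces to the risk achievement worth of Section 3 applied to the failed state.

```python
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

# Performance levels w^i_{ji} from Table 1 (arbitrary units). States are
# numbered 1..5 in decreasing order of performance; state 5 is failure.
PERFORMANCE: Dict[int, List[float]] = {
    1: [80, 60, 40, 20, 0],
    2: [80, 60, 40, 20, 0],
    3: [100, 75, 50, 25, 0],
}

# Constructed, time-independent state probabilities per component (state 1
# first). Hypothetical values, NOT derived from the paper's transition-rate
# matrices of eq. (13); with fixed probabilities the mean over (0, Tm)
# coincides with the instantaneous value.
STATE_PROB: Dict[int, List[float]] = {
    1: [0.60, 0.15, 0.10, 0.05, 0.10],
    2: [0.65, 0.15, 0.08, 0.04, 0.08],
    3: [0.90, 0.05, 0.03, 0.01, 0.01],
}

# Series-parallel logic of Figure 1: node 1 = components 1 and 2 in parallel
# (performances add up), node 2 = component 3; nodes in series, so the system
# performs as its weakest node ("bottleneck").
NODES: List[List[int]] = [[1, 2], [3]]


def system_performance(state: Tuple[int, ...]) -> float:
    """W_j for the system state vector j = (j1, j2, j3), states 1-based."""
    node_perf = [sum(PERFORMANCE[i][state[i - 1] - 1] for i in node)
                 for node in NODES]
    return min(node_perf)


def alpha_sets(i: int, alpha: float) -> Tuple[List[int], List[int]]:
    """Σ^α_i (states of i with w <= α) and its complement Σ̄^α_i (w > α)."""
    low = [j for j, w in enumerate(PERFORMANCE[i], start=1) if w <= alpha]
    high = [j for j, w in enumerate(PERFORMANCE[i], start=1) if w > alpha]
    return low, high


def mean_unavailability(w_star: float,
                        restrict: Optional[Dict[int, Sequence[int]]] = None) -> float:
    """U_MSS(W*) = P(W_j < W*), enumerated over all system states.

    `restrict` confines a component to a set of states (the paper's
    "ji ∈ Σ in (0, Tm)"): its probabilities are renormalised over that set,
    while the other components evolve freely.
    """
    restrict = restrict or {}
    comps = sorted(STATE_PROB)
    probs: Dict[int, List[float]] = {}
    for i in comps:
        p = STATE_PROB[i]
        allowed = set(restrict.get(i, range(1, len(p) + 1)))
        mass = sum(p[j - 1] for j in allowed)
        if mass == 0.0:
            raise ValueError(f"component {i}: conditioning set is empty")
        probs[i] = [p[j - 1] / mass if j in allowed else 0.0
                    for j in range(1, len(p) + 1)]
    unavail = 0.0
    for state in product(*(range(1, len(STATE_PROB[i]) + 1) for i in comps)):
        if system_performance(state) < w_star:
            p_state = 1.0
            for i, j in zip(comps, state):
                p_state *= probs[i][j - 1]
            unavail += p_state
    return unavail


def mss_importance(i: int, alpha: float, w_star: float) -> Dict[str, Optional[float]]:
    """The four α-level measures of Section 4 for component i:
    ua = U^i_{<=α}/U, ur = U/U^i_{>α}, uFV = (U - U^i_{>α})/U,
    uB = U^i_{<=α} - U^i_{>α}. A measure is None when its conditioning set
    is empty (the anomalous case α = w^i_1 of Section 5.3) or a denominator
    is zero.
    """
    low, high = alpha_sets(i, alpha)
    u = mean_unavailability(w_star)
    u_low = mean_unavailability(w_star, {i: low}) if low else None
    u_high = mean_unavailability(w_star, {i: high}) if high else None
    return {
        "U": u, "U_le_alpha": u_low, "U_gt_alpha": u_high,
        "ua": u_low / u if u_low is not None and u > 0 else None,
        "ur": u / u_high if u_high else None,
        "uFV": (u - u_high) / u if u_high is not None and u > 0 else None,
        "uB": u_low - u_high if u_low is not None and u_high is not None else None,
    }


if __name__ == "__main__":
    print("W for j* = (1, 3, 2):", system_performance((1, 3, 2)))  # 75 (Section 5.1)
    for comp in (1, 2, 3):
        for j_ref in (2, 3, 4, 5):  # α = w^i_{j_ref}, the levels of Figure 2
            a = PERFORMANCE[comp][j_ref - 1]
            m = mss_importance(comp, a, 50)
            print(f"comp {comp} α={a:>3}: ua={m['ua']:.3f} ur={m['ur']:.3f} "
                  f"uFV={m['uFV']:.3f} uB={m['uB']:.3f}")
```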

5.2 Standard importance measures

In this Section we compute the risk achievement worth a_i, i = 1, 2, 3, (Section 3) for the components of the system of Figure 1. Results obtained both analytically and by Monte Carlo simulations are provided for code verification purposes. The other IMs of Section 3, with the corresponding extended ones in the multi-state system case (IMs_MSS), have been investigated too but for brevity the results are not presented here (the interested reader should consult [Zio & Podofillini 2002]).

Figure 1. System sketch.

Table 1. Components' performance data (performance w^i_{ji}).

Component (i)   ji = 1   ji = 2   ji = 3   ji = 4   ji = 5
1               80       60       40       20       0
2               80       60       40       20       0
3               100      75       50       25       0

Given that the standard IMs of Section 3 are defined for binary components, we consider a system equivalent to that of Figure 1 in which the three components, 1', 2', 3', have only two states, the first one (1) gathering the four operative states 1–4 of the multi-state case and the second (2) corresponding to the failed state 5. To do so, we have proceeded as follows: the transition rates of the binary components, λ^{i'}_{1→2} and λ^{i'}_{2→1}, i' = 1', 2', 3', are established such as to give an average probability over the mission time Tm of being in the failed state (2), p̄^{i'}_2(Tm), equal to the average probability of the original multi-state components of being in the zero-performance state 5 over the mission time, p̄^i_5(Tm), i = 1, 2, 3. Table 2 reports the values of p̄^{i'}_2(Tm), λ^{i'}_{1→2} and λ^{i'}_{2→1} for the three components. Note how component 3', in series, is significantly more reliable than the other two in parallel logic.

For the calculation of the measures a_i, the risk metric considered, R (Section 3), is the average unavailability Ū over the mission time Tm. The results, reported in Table 3, show the agreement of the analytical values with the MC estimates, within one standard deviation.

As for the ranking produced, component 3' is ranked first. Indeed, component 3' is in series to the other two so that obviously its removal, as specified in the definition of the risk achievement worth, implies the complete unavailability of the system throughout Tm, so that R^+_{3'} = 1. In this sense, component 3' is the major contributor to the overall system unavailability. As for the relative ranking among components 1' and 2', component 2' is ranked highest. Indeed, in a parallel logic block, the risk achievement measure a ranks highest the more reliable component (from Table 2, component 2' is more "available" than component 1', i.e. p̄^{2'}_2(Tm) < p̄^{1'}_2(Tm)).

5.3 MSS-unavailability importance measures

With reference to the multi-state system described in Section 5.1, we now apply the MSS importance measure ua^i_{MSS,α} presented in Section 4, i = 1, 2, 3. In the case of MSS the analytical solution becomes impractical and thus only the Monte Carlo results are reported.

From Section 2, we know that the required performance level, W*(t), affects the MSS mean unavailability Ū_MSS(W*). In turn, the importance measures depend on W*(t), too: indeed, the performance of a component may turn out to be more important for the achievement of a given system performance level and less important for another. The effects related to different required performance levels, W*, have also been studied but are not reported here, for brevity's sake. For a discussion of such effects the reader should refer to [Zio & Podofillini 2002]. Here, in order to underline the improvement in informative content provided by calculating the IMs_MSS with respect to different levels α of components' performance, the case of a system required performance function W* = 50 (in arbitrary units), constant in (0, Tm), is considered.

For the assigned level of required minimum system performance W* = 50, Figure 2 reports, in logarithmic scale, the values of ua^i_{MSS,α}(50) for each of the three components as a function of their α-level (i.e. for different components' reference states ji with corresponding performances w^i_{ji} = α, ji = 2, 3, 4, 5, i = 1, 2, 3). The numerical values are reported in Table 4. Note that, for state ji = 1, i = 1, 2, 3 (corresponding to α = w^i_1 = 80 for i = 1, 2 and α = w^3_1 = 100 for the third component) the sets Σ^α_i and Σ̄^α_i reduce to the whole set of the component's states and to the empty set, respectively, and the corresponding importance measures lose meaning, so that such anomalous case (ji = 1) is not considered.

Let us examine first how the risk achievement worth of component 3 changes with the different α-levels. Consider the values of the IM_MSS calculated in correspondence of the α-level identified by the last state ji = 5, i.e. that corresponding to zero performance (Table 1, α = w^i_5 = 0, i = 1, 2, 3). According to the measure ua_{MSS,α}(50), component 3 is the most important one. Such ranking is in agreement with that obtained with the corresponding standard IMs applied to the binary system of Section 5.2 and this is true also for ji = 4, i = 1, 2, 3. Indeed, due to the system series-parallel logic, the whole system performance W cannot exceed the performance w^3_{j3} of the "bottleneck" series-component 3 operating in its state j3, i.e. W ≤ w^3_{j3}. Thus, when component 3 is forced to evolve through states j3 with corresponding performance α = w^3_{j3} below the required W* = 50 (i.e. states j3 = 4, corresponding to w^3_4 = 25, and j3 = 5, corresponding to w^3_5 = 0), it fully impacts the system mean performance and unavailability (Ū^3_{MSS,≤α}(50) = 1). Indeed, states j3 = 4 and j3 = 5 are very critical since, due to the system series-parallel logic which implies W ≤ w^3_{j3}, when component 3 transfers in any one of these two states, there is no chance for the system of providing the required performance W* = 50: hence, the high values of the measures ua^3_{MSS,α}(50) when component 3 is restricted by the α-level to live in states j3 = 4, 5. On the contrary, when considering, still in Figure 2, the highest two values of components' α-levels, corresponding to states ji = 2 and ji = 3, component 3 becomes the least important component.

Table 2. Average probabilities p̄^{i'}_2(Tm) and corresponding transition rates, λ^{i'}_{1→2} and λ^{i'}_{2→1}, for the equivalent system of binary components 1', 2', 3'.

Component (i')   p̄^{i'}_2(Tm)   λ^{i'}_{1→2}   λ^{i'}_{2→1}
1'               0.113           5.000×10^-4    2.560×10^-3
2'               0.103           1.000×10^-3    7.510×10^-3
3'               2.031×10^-4     5.000×10^-5    2.450×10^-1

Table 3. Values of the a importance measure for the components 1', 2', 3' of the equivalent system.

Component (i')   a_{i'} (analytical)   a_{i'} (Monte Carlo)
1'               8.097                 8.092 ± 0.106
2'               8.786                 8.775 ± 0.114
3'               77.922                77.836 ± 0.965

Hence the significance of a multi-state importance analysis which accounts for the different performance levels of the components. The ranking inversion, at high α-levels, between component 3 and the other two can be explained as follows. Due to the high "availability" of component 3 (i.e. low values of the "failure" rates λ^3_{2→5}, λ^3_{3→5}, λ^3_{4→5} and high values of the "recovery" rates λ^3_{5→2}, λ^3_{5→3}, λ^3_{5→4}, or equivalently the low value of p̄^{3'}_2(Tm) in Table 2), the criticality of component 3 is softened at α-levels allowing the visit of states 3, 4, 5 or 2, 3, 4, 5, which are such to provide the system with a chance of achieving a performance W ≥ W*: hence, the low values of ua^3_{MSS,α}(50) when component 3 is restricted to live in states j3 = 2–5 or 3–5 by the α-level.

Examining components 1 and 2, we note in the same Figure 2 that the ranking provided in correspondence of α = 0 (ji = 5, i = 1, 2) indicates that component 2 is slightly more important than component 1. Indeed, the relevant numerical values of Table 4 are:

The same ranking is confirmed also for α = 20 (ji = 4, i = 1, 2) and α = 40 (ji = 3, i = 1, 2) and agrees with the findings of the binary system of Section 5.2. Instead, for the highest α-level of 60 units, corresponding to ji = 2, i = 1, 2, the ranking is inverted, the corresponding values in Table 4 being:

Figure 2. Values of ua^i_{MSS,α}(50) as a function of the reference α-level state for each component.

Table 4. Values of ua^i_{MSS,α}(50).

α-level for i = 1, 2 / i = 3 (state ji)   Component 1      Component 2      Component 3
0/0 (5)                                   4.768 ± 0.066    5.088 ± 0.070    17.415 ± 0.223
20/25 (4)                                 3.760 ± 0.053    4.903 ± 0.067    17.372 ± 0.222
40/50 (3)                                 3.247 ± 0.047    3.713 ± 0.053    2.271 ± 0.035
60/75 (2)                                 2.372 ± 0.036    2.072 ± 0.032    1.113 ± 0.020


This behaviour is mainly due to the fact that the contribution of component 2 to the MSS mean unavailability, Ū^2_{MSS,≤α}(50), is higher than that of component 1, Ū^1_{MSS,≤α}(50), when the considered α-level is such that the components evolve only through the lowest-performance states 3, 4 and 5: in this case, component 2 is on average "more unavailable" than component 1 due to the higher value of the rate of transition to the failed state 5 when in state 4 (λ^2_{4→5} = 4×10^-2 h^-1 and λ^1_{4→5} = 8×10^-3 h^-1, in the last column of the first two matrices of eq. (13)). On the contrary, the contribution of component 1 to the MSS mean unavailability, Ū^1_{MSS,≤α}(50), is higher than that of component 2 when the performance threshold α is such to allow the components transferring among states 2, 3, 4, 5, since the transition rates to failure λ^1_{2→5}, λ^1_{3→5} of component 1 are higher than the corresponding λ^2_{2→5}, λ^2_{3→5} of component 2.

5.4 Design retrofit

The information content provided by the introduced importance measures can be exploited for decision making at the design or operation level to identify the most important components within the system, taking into account their performances. In this multi-state framework, the decision maker holds information relevant for driving design and operative actions to address the most critical components' performance states. Again, we refer to our example in which the system is requested to provide a performance W* = 50 throughout the mission time Tm: the decision maker is interested in tracing which components' performance levels are to be guaranteed for the system to be available at the required performance threshold W*. The ranking provided by the unavailability achievement worth, ua_{MSS,α}(50), can be exploited to the purpose. The twelve values of ua^i_{MSS,α}(50) (α = w^i_2, w^i_3, w^i_4, w^i_5, i = 1, 2, 3) are ranked in decreasing order and reported in Figure 3 and Table 5. The corresponding values of Ū^i_{MSS,≤α}(50) = ua^i_{MSS,α}(50) · Ū_MSS(50), i = 1, 2, 3, are also reported in the Table and on the right-hand vertical axis of Figure 3. These latter values represent the mean unavailability achieved by the MSS when component i never reaches a level of performance above α. The largest values of ua^i_{MSS,α}(50) in the Table are those of component 3 in correspondence of the lowest performance α-levels (j3 = 5 and j3 = 4, corresponding to α = w^3_5 = 0 and α = w^3_4 = 25). As stated above, these are obviously the most critical states of the system, which remains always unavailable (Ū^3_{MSS,≤0}(50) = Ū^3_{MSS,≤25}(50) = 1), due to the "bottleneck" component 3 having performance w^3_{j3} below the required threshold W*. Then, as expected, it is important to invest efforts in preventing also the other components 1 and 2 from transferring to their lower performance states 4 and 5. Hence, in general, actions aimed at reducing the transition rates λ^i_{ji→ki}, i = 1, 2, 3, from any state ji to the states ki = 5 and 4 should be performed with priority. Following these most effective actions, possible further efforts should be devoted to ensure the other intermediate levels of performance α > 0. As expected, the least effective actions are those aiming at improvements of performances already above high α-levels, in particular those pertaining to component 3.

Figure 3. Values of ua^i_{MSS,α}(50) (α = w^i_2, w^i_3, w^i_4, w^i_5, i = 1, 2, 3) in decreasing order (Table 5).

Table 5. Values of ua^i_{MSS,α}(50) (α = w^i_2, w^i_3, w^i_4, w^i_5, i = 1, 2, 3) in decreasing order.

Component i   ji (α-level)   ua^i_{MSS,α}(50)   Ū^i_{MSS,≤α}(50)
3             5 (0)          17.400             1.000
3             4 (25)         17.372             0.998
2             5 (0)          5.090              0.292
2             4 (20)         4.903              0.282
1             5 (0)          4.770              0.274
1             4 (20)         3.760              0.216
2             3 (40)         3.710              0.213
1             3 (40)         3.250              0.187
1             2 (60)         2.370              0.136
3             3 (50)         2.270              0.130
2             2 (60)         2.070              0.119
3             2 (75)         1.110              0.063

6 CONCLUSIONS

Importance measures associated with the components of a system are extensively employed both in the design phase and in operation to trace the system weaknesses and guide actions for effective system improvement. They have been commonly used for systems made up of binary components (i.e. only two possible conditions of the components are considered: working and failed). Actually, in many systems, e.g. the production and transportation ones, the components can operate at different conditions, characterized by different performance levels. Consequently, the system itself provides different performances. In the limit, continuous-state systems exist whose performance can range continuously from perfect functioning to failure. This is the case, for example, of the passive safety systems foreseen for use in the nuclear power plants of the future generations: in this case, the physical state of the system affects, in a continuous fashion, the system performance. For such systems, the criticality of the components must be measured with reference to their performance level with respect to the overall system performance.

In this paper, we have extended the definitions of the most frequently used importance measures to the case of multi-state systems made up of multi-state components. The extensions are intended to quantify the relevance, with respect to the mean system unavailability, of a component achieving a given level of performance. For this purpose, we have introduced an extension to multi-state systems of the concept of unavailability, which is related to the capability of the system of meeting a required performance demand.

The defined measures have been applied to a simple multi-state system defined in such a way to highlight the dependence of the obtained rankings on different levels of components' performance. The comparison with an "equivalent" binary system has shown that a given multi-state component may have performance states that are "more critical" than others for the system availability and performance. Furthermore, although not shown here, a component performance level can turn out to be more important for the achievement of a given system performance and less important for another.

The work presented is methodological in nature and its application to practical systems is yet to be tested. Particularly worthwhile seems a future extension of the concepts here presented to continuous-state systems such as the passive systems employed in the current nuclear engineering design practice.

ACKNOWLEDGEMENTS

The authors are indebted to Professor Marzio Marseguerra for his precious suggestions and comments.

REFERENCES

Birnbaum L. W. 1969. On the importance of different components in a multi-component system. Multivariate Analysis 2. New York: Academic Press.

Fussell J. B. 1975. How to calculate system reliability and safety characteristics. IEEE Trans. on Reliab. R-24(3): 169–174.

Cheok M. C., Parry G. W., Sherry R. R. 1998. Use of importance measures in risk informed applications. Reliab. Eng. Sys. Safety 60: 213–226.

Vasseur D., Llory M. 1999. International survey on PSA figures of merit. Reliab. Eng. Sys. Safety 66: 261–274.

van der Borst M., Shoonakker H. 1999. An overview of PSA importance measures. Reliab. Eng. Sys. Safety 72(3): 241–245.

Borgonovo E., Apostolakis G. E. 2001. A new importance measure for risk-informed decision making. Reliab. Eng. Sys. Safety 72: 193–212.

Levitin G., Lisnianski A. 1999. Importance and sensitivity analysis of multi-state systems using the universal generating function method. Reliab. Eng. Sys. Safety 65: 271–282.

Armstrong M. J. 1997. Reliability-importance and dual failure-mode components. IEEE Trans. on Reliab. 46(2): 212–221.

Levitin G., Lisnianski A., Ben-Haim H., Elmakis 1998. Redundancy optimization for series-parallel multi-state systems. IEEE Trans. on Reliab. 47(2): 165–172.

Lisnianski A. 2002. Continuous-state system reliability models as an extension of multi-state systems. Proceedings of MMR, Mathematical Methods in Reliability, June 17–20, Trondheim, Norway: 401–404. Trondheim: H. Langseth and B. Lindqvist.

Zio E., Podofillini L. 2002. Importance measures of multi-state components in multi-state systems. Invited paper for "special issue on multi-state systems" of the International Journal of Reliability, Quality and Safety Engineering.

Marseguerra M., Zio E. 2002. Basics of the Monte Carlo Method with Application to System Reliability. Hagen: LiLoLe-Verlag GmbH (Publ. Co. Ltd.).


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Probabilistic aspects of maritime transport of tunnel elements

T.J. Zitman, Delft University of Technology, the Netherlands

ABSTRACT: After being prefabricated in a dry dock, elements of the Wijker tunnel (the Netherlands) have been transported over the North Sea to the location of the tunnel where they have been submerged. For transport operations an upper limit had been defined with respect to the probability of an element not being able to withstand the wave loads to be expected offshore. Implementation of this safety criterion necessitated an assessment of two sources of uncertainties. One of them is that only a forecast of wave conditions is available at the moment of deciding upon initiating or postponing a transport operation. The other is that this forecast concerns general characteristics of wave conditions, whereas wave loads on the element depend on the properties of individual waves. To deal with these uncertainties, a probabilistic tool has been developed that relates a wave forecast to the probability of meeting the safety criterion for transport.

1 INTRODUCTION

In the second half of the 18th century the North Sea Channel was constructed to connect the port of Amsterdam (the Netherlands) to the North Sea. To facilitate road traffic across this channel, ferries were installed at various locations. About half a century after its completion, socio-economic developments necessitated widening of the channel and it became clear that in due time the capacity of the ferries would become insufficient to satisfy the envisaged increasing demand for road transport. As an alternative for the ferry at Velsen, the Velser tunnel was constructed. It was opened for traffic in 1957. In response to the ongoing increase of road traffic, it was decided in the early 1990s to construct a second tunnel close to the existing one: the Wijker tunnel. Since its opening in 1996, the Wijker tunnel has been used for through traffic, whereas the local traffic is concentrated in the old Velser tunnel.

Like most Dutch tunnels for rail and road traffic, the Wijker tunnel consists of a series of prefabricated concrete elements. They are transported in floating condition from their construction site to the location of the tunnel where they are submerged in a trench dredged between the banks of the channel.

Commonly, tunnel elements are prefabricated in a dry dock fairly close to the actual location of the tunnel. That contributes to the efficiency of the building process, for instance, and it limits adverse effects on shipping along the transport route. For mainly economic reasons it was considered not feasible to install a dry dock near the location of the Wijker tunnel. Instead, it was chosen to construct its six elements in an already existing and available dry dock along the river Meuse near the port of Rotterdam (see figure 1). Measured in a straight line this dock is about 70 km away from the location of the tunnel. At the time, this was by Dutch standards an unusually large distance. In addition, transportation of tunnel elements over inland waterways that connect the river Meuse and the North Sea Channel was practically impossible. Maritime transport was considered a feasible alternative, although it had never been done before in the Netherlands.

Figure 1. Schematic map of the Netherlands, indicating the transport route from the dry dock to the tunnel.

The main challenge of maritime transport lies in the inevitable exposure of a tunnel element to waves. That brings loads on the structure that have a dynamic nature not encountered during transport over inland waterways, to which experience was limited at that time. In particular, there are two sources of uncertainties associated with these dynamics that play a crucial role in transport planning. One of them is that when deciding upon initiating the transportation of an element, only a forecast is available of the wave conditions that will be encountered. The reliability of such a forecast is limited. The other uncertainty is that the wave forecast concerns the general characteristics of an entire wave field, whereas momentary wave loads on the structure depend on the properties of individual waves.

To deal with these uncertainties a tool has been developed that shows for any (physically) realistic wave forecast whether the probability of overloading an element during transportation exceeds some predefined safety level. The details of this tool are presented hereafter.

2 SAFETY LEVEL

As the design of the elements of the Wijker tunnel was not focused on achieving a high degree of seaworthiness, transportation could take place only during periods of fairly moderate hydrodynamic conditions. Actually, in an early stage of the design it was decided to concentrate transportation in late spring and summer. Laboratory tests carried out on a scale model have provided the design criteria necessary to ensure that tunnel elements would be able to withstand wave conditions that are not exceeded during the major part of this period of the year. This does not mean however that transportation of an individual element could be initiated at any arbitrary moment. As also during summer wave conditions may show considerable temporal fluctuations, it had to be ensured prior to the transportation of each element that the wave loads to be expected during transport would not exceed the strength of the element.

How to go about this became an issue only a few months before the first element was ready for transport. Evidently, the design of the elements was beyond discussion at that time. In other words, a fully probabilistic design including all relevant aspects of maritime transport was not an option. Instead, the structural characteristics of the tunnel elements turned into boundary conditions for transport planning.

A safety level for transporting the six elements of the Wijker tunnel was formulated against this background. It is focused on preventing flooding of an element. This is considered a highly unfavourable event, as it will lead almost inevitably to uncontrolled immersion of the element, most likely well away from its actual destination.

For a proper understanding of the safety level chosen for the transportation of the tunnel elements, we will briefly consider how they are constructed. The immersed part of the Wijker tunnel consists of a series of 24 segments. The connection of two adjacent segments is flexible in the sense that they may rotate slightly relative to one another. This way, the segments form a look-alike of a chain, hung up between the two (spatially fixed) approaches of the tunnel. To combine this flexibility with the necessary watertightness, rubber profiles are placed in the joints between adjacent segments.

The segments are transported from the dry dock along the river Meuse to their destination in the North Sea Channel in sets of four. Such a set is called an element. During transportation and immersion, the segments in an element are kept together by prestressed cables in the roof and the floor (see figure 2). This prestressing is intended to have an element behave like a coherent, more or less stiff object. Simultaneously it is meant to prevent leakage in the joints, which is assumed the most likely cause of flooding.

When wave-induced bending moments become so large that this latter effect of prestressing perishes, leakage may occur anyway. Hence, the applied prestressing determines the maximum bending moment an element may be exposed to without endangering the essential watertightness of the joints. This sets an upper limit to the wave conditions that can be accepted during transportation.

For transportation of tunnel elements over inland waterways, it was common to demand that the pressure in the joints must be at least 0.2 N/mm² at all times.


Figure 2. Schematic cross-section of an element.


As the conditions at sea are considerably more dynamic than those on inland waterways, this demand has been sharpened rather arbitrarily to 0.3 N/mm². This however, is not a guarantee against leakage, in particular as wave loads on the structure have a random character. In view of this, the party responsible for the maritime transport reasoned that in conventional design methods this demand would be associated with 1.8 times the expected load. Assuming that loads on the structure are normally distributed, it then follows that the probability of the pressure in the joints becoming less than the prescribed 0.3 N/mm² must not exceed 3.5%.

With this reasoning the demand regarding the minimum pressure in the joints was transformed into a requirement appropriate for a probabilistic approach. In addition, it has been chosen to focus elaboration of this requirement on wave loads on the structure. This is not entirely correct, as wave loads do not determine the actual pressure in the joints only. Random deviations of structural characteristics from design specifications may also affect the actual pressure in the joints, but they are assumed negligible compared to the random fluctuations in wave loads.

With the above, a safety level has been defined for the maritime transport of elements of the Wijker tunnel. It is focused on preventing leakage in the joints between adjacent tunnel segments. It is not clear beforehand however, what this safety level means in terms of the probability of complete structural failure. In view of this, a second safety level has been defined. It sets an upper limit of 0.01% to this latter probability. This value is meant to express aversion against potential failure; it is not the result of for instance a risk optimisation.

The method we have applied to elaborate a safety level into maximum wave conditions that can be accepted during transportation is explained hereafter. As it is identical for both mentioned safety levels, it is sufficient to focus this explanation on one of the two. In this respect, we have chosen the one meant to prevent leakage.

3 ANALYSIS

3.1 Describing wave conditions

In general, an individual wave can be characterised by its height, its period (to which the wavelength is directly related) and its direction of propagation. In a natural wave field, these properties may vary from one wave to another. Yet a clear coherence exists that allows description of the entire wave field in terms of generalised versions of the mentioned three parameters. Wave heights for instance, are by fair approximation Rayleigh distributed. The parameter of this distribution is a measure for the diversity of wave heights that occur in the wave field at hand. It is commonly associated to the so-called significant wave height Hs, defined as the average of the 1/3 highest waves.

The distribution of wave energy over periods (the wave energy density spectrum, in short "wave spectrum") is commonly used to characterise the diversity of wave periods. As wave fields show noticeable similarity with respect to the shape of this distribution, it forms a natural basis for deriving a characteristic wave period. One example often used in engineering applications is the so-called peak period Tp. It coincides with the maximum of the energy distribution. Due to interaction between waves, there is a continuous transfer of energy to waves with ever-larger periods. As a result, the peak period increases with the age of the wave field.

As the scale of the energy distribution over periods is directly related to the significant wave height, the combination of wave peak period and significant wave height yields a fairly complete description of a wave field. To include information on the direction of wave propagation, this combination is commonly complemented with the average wave direction.

3.2 Forecasting wave conditions

Offshore wave conditions are almost without exception a combination of locally generated waves (called sea) and waves generated previously by a different wind field and at some distant location (this is called swell).

The numerical wave model deployed for transport planning produced forecasts of wave peak period and significant wave height for sea (Tp and Hs), as well as a significant wave height for swell (henceforth denoted by D). A characteristic period for swell was not part of the model output. However, from experience we know that along the transport route swell can be associated on average with a wave period of 10 s or more. We have used this wave period throughout our probabilistic computations to characterise swell. This is a conservative approach as waves with a period of 10 s yield the most adverse loads on the elements (this is explained in the next section on wave loads).

Although the wave forecasts are quite reliable, they are not exact. A part of the deviation between predicted and actual wave properties will have a random character, whereas the other part is bias. To gain quantitative insight into both parts, we have evaluated over 400 previous model predictions against corresponding field observations. All these predictions concerned the period from May up to September as transportation of tunnel elements was scheduled for this part of the year. Experience has taught that it is more difficult to predict the comparatively moderate conditions in this period than the "bad weather" encountered during autumn and winter. Focusing the analysis on the entire year might therefore lead to an estimate of the model performance not entirely representative for predictions concerning late spring and summer.

For all three wave properties predicted by the model, we have assumed that the bias can be described as

(1)

in which j stands for either Tp, Hs or D and the ^ indicates that it concerns a model prediction. The only reason for choosing a relation of this form is that it agrees reasonably well with the data.

Application of linear regression to the mentioned selected sets of predictions and corresponding observations has provided estimates of the coefficients a and b (see figure 3). For simplicity, we have henceforth disregarded the inherent limited reliability of these estimates and we have interpreted any disagreement between (1) and individual sets of observed and predicted j as random error. Hence, for the i-th set, it can be written that

(2)

in which c is the random error. In our analysis, we have approximated the joint probability distribution of the three c by a multi-normal distribution. The corresponding (co-)variances have been estimated from the results of the applied linear regression.

3.3 Wave loads

The actual pressure in the joints between adjacent segments in an element is primarily the combined result of prestressing and wave-induced bending moments. To obtain an impression of the relation between these bending moments and wave properties, we consider an element exposed to unidirectional, monochromatic waves propagating along the longitudinal axis of an element.

If the length of the waves is large compared to the size of the element, the spatial variations in wave loads will be comparatively small. Seen at the length-scale of the element, a passing wave has the character of a gradually changing surface level elevation (see figure 4a). It will force the element into a mild oscillating motion, not attended with substantial bending moments.

In the case of relatively short waves on the other hand, wave forces will show variations at such small spatial intervals that they closely resemble an equally spread load on the element (see figure 4c). The consequential bending moment will be small.

Comparatively large bending moments can be expected if the wave length is close to or equal to the length of the element (i.e. 96 m, corresponding to a wave period of about 10 s, at least along the major part of the transport route). In the sketch given in figure 4b for instance, the element more or less spans the wave trough between two consecutive crests. In situations like this, the length-scale of spatial variations of wave loads is comparable to that of the size of the element. That may lead to bending moments that are substantially larger than those induced by shorter or longer waves.

With the above sketch we have obtained a fair impression of how bending moments vary with wavelength. This relation applies also to pressure in the joints. However, neither bending moments nor pressure depend on the length of the waves only. Their height plays a role as well and so does the angle of wave incidence relative to the element. In addition, the pressure may differ from one joint to another. Actually, the relation between pressure in the joints on the one hand and wave properties on the other hand is far too complicated to be quantified sufficiently accurately on the basis of a purely theoretical assessment of the physics involved. As an alternative, we have revisited the results of the aforementioned laboratory tests that have been conducted in support of designing the tunnel elements.

[Figure 3: three scatter plots of ln(observation) against ln(forecast), for wave height (sea), wave period (sea) and wave height (swell).]

Figure 3. Estimating bias and random error in forecasts of wave parameters. As wave heights for swell are rounded to multiples of 0.1 m, each marker in the graph may concern more than one occurrence.

Figure 4. Wavelength and characteristic length of an element.

These laboratory tests were meant to arrive at a relation between the general characteristics of a wave field (sea only) on the one hand and the probability distribution of the minimum pressure that may occur during transportation on the other hand. The test results have shown that temporal variations of the pressure resemble a Gaussian process. Momentary values are by good approximation normally distributed and peaks in the pressure are roughly Weibull distributed. As the safety level defined for the transportation of tunnel elements concerns the minimum pressure encountered during a transport operation, the evaluation of test results was focused on these peaks (i.e. minima).

Temporal fluctuations in pressure vary from one joint to another and so do the properties of the corresponding Weibull distribution. They depend on the general characteristics of the wave field (wave peak period and significant wave height) as well as on the direction of wave propagation relative to the element. In the laboratory tests the pressure in the joints has been monitored for various combinations of wave period, height and direction. Subsequently, the test results have been elaborated into estimates of Weibull parameters for all considered combinations of wave properties and joint. In addition, for each combination of considered period and direction, the significant wave height has been determined that corresponds to a probability of 1% of the minimum pressure that occurs during transportation not exceeding the prescribed 0.3 N/mm². These wave heights are indicated in figure 5.

Only the latter significant wave heights were available for the present analysis. Unfortunately these wave heights provide insufficient information to reproduce the parameters of the underlying Weibull distributions: it is not possible to determine the two Weibull parameters from a single quantile. To deal with this we have reasoned that the safety level concerns the entire element, not one joint in particular. Hence we may focus on the joint where the lowest pressures occur as that one determines the wave conditions that can be accepted during transportation of the elements. In addition, we have chosen to disregard the influence of the direction of wave propagation on the pressure in the joints. Instead, we have assumed that during transportation waves continuously propagate in the most adverse direction (i.e. parallel to the element). In other words, we conservatively focus our analysis on the lower envelope of the significant wave heights shown in figure 5.

Furthermore, we have approximated the Weibull distribution for the minimum pressure in the joint by a single-parameter exponential distribution. The corresponding probability density function is given by

(3)

in which Δt is the wave-induced (random) reduction of the pressure in the joints relative to the one that results from the applied prestressing and Δt_max is the maximum allowed reduction, equal to the difference between the pressure due to prestressing and the safety limit (i.e. 0.3 N/mm²). As wave-induced bending moments will be attained always with an increase of the pressure on one side of the structure and a simultaneous pressure decrease on the other side, Δt ≥ 0 and hence, m ≥ 0. Furthermore, the encountered minimum pressure is larger than the safety limit when m < 1.

The parameter m_m of the exponential distribution is a function of wave peak period Tp and significant wave height Hs. We have assumed that m_m is proportional to Hs. The corresponding proportionality constant depends on Tp such that for combinations (Tp, Hs) on the lower envelope of the test results, the probability of Δt ≥ Δt_max (or, identically, m ≥ 1) equals 1%. This yields

(4)

in which Hs*(Tp) refers to the lower envelope of the test results.


[Figure 5: significant wave height Hs [m] (logarithmic axis, 1 to 100 m) against peak period Tp [s] (2 to 18 s).]

Figure 5. Combinations of wave height and period for which the non-exceedance probability of the prescribed minimum pressure equals 1%. Each marker refers to a different direction of wave propagation and joint in the element.


This concludes our approximation of the relation between the statistical properties of the minimum pressure in the joints between adjacent segments in an element on the one hand and the general characteristics of a natural wave field on the other hand. It is important to note however, that it applies to sea only. The reason for this is that the laboratory tests used to arrive at this relation were focused on sea and did not include swell.

4 DECISION SUPPORT TOOL

Maritime transport of elements of the Wijker tunnel is subjected to a demand with respect to the pressure in the joints between adjacent segments in an element. It sets a maximum of 3.5% to the probability of the minimum pressure encountered during transport not exceeding a prescribed lower limit (i.e. 0.3 N/mm²). Prior to the transportation of each element it must be judged on the basis of a forecast of wave conditions, whether this demand will be met. The relations derived in the previous sections between forecasted and actual wave conditions and between actual wave conditions and loads on tunnel elements during transportation are used for this purpose. They are combined into a tool that shows for any wave forecast whether the non-exceedance probability of the minimum allowed pressure in the joints is larger or less than 3.5%. If it is larger, transportation of the element at hand needs to be postponed.

A complicating factor in this respect is that the conditions offshore are determined by a combination of sea and swell. This has been taken into account in forecasting wave conditions, but the relation we have derived in the previous section between actual wave conditions and loads on the element applies to sea only. To deal with this, we have assumed that swell can be treated as a deterministic quantity. A first step in this direction has been made already when we fixed the wave period for swell to 10 s.

With these two assumptions we have simplified the effect of swell to a continuously present reduction of the pressure in the joints. Assuming in addition that the effects of sea and swell may be superimposed, we may write the wave-induced pressure reduction Δt introduced in (3) as the sum of a deterministic swell-related part (Δt_swell) and a random part resulting from sea (Δt_sea). This way,

(5)

and the probability of the actual minimum pressure encountered during transport being less than the safety limit becomes

(6)

By analogy with the test results obtained for sea, we have defined

(7)

With this definition, we cannot accept any sea when D ≥ Hs*(10). In such a situation, P(m ≥ 1) = 100% for any Hs > 0. On the other hand, if we consider sea with Hs = Hs*, then in the absence of swell, P(m ≥ 1) = 1% (this holds by definition: it is the basis for the definition of m_m, see (4)). This difference suggests that definition (7) leads to conservative estimates of acceptable combinations of sea and swell.

With expressions (6) and (7) the probability of meeting the safety level can be estimated for any combination of sea, characterised by (Tp, Hs), and swell, described by D. Prior to the transportation of an element however, only forecasts of the wave parameters Tp, Hs and D are available and they may deviate from the ones reflecting the actual wave conditions encountered during transport. Combining this with (6)–(7) yields

(8)

in which N_c = N_c(c_T, c_H, c_D) is the probability density function of the multi-normal distribution assumed for the random errors c in the wave forecast. The corresponding bias as given in (1) is used in combination with (4) and (7) to relate m_m and m_swell to predictions of the wave parameters Tp, Hs and D.

The above expression yields for any wave forecast (prediction of Tp, Hs and D) the probability of the minimum pressure in the joints of the elements encountered during transport being less than the safety limit of 0.3 N/mm². If this probability does not exceed 3.5%, the wave forecast gives no reason to believe that wave conditions will lead to undesired low pressure in the joints of the element to be transported.
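As an added worked example (not the paper's own code or values), the pressure model of (3)–(4), the swell superposition of (5)–(7) and the forecast-error integration of (8) are carried through below in Python. It assumes m = Δt/Δt_max so that P(m ≥ 1) = exp(−1/m_m), that (7) defines the swell part as D/Hs*(10), and that the bias relation (1) is log-linear, ln(actual) = a + b·ln(forecast) + c, as the axes of figure 3 suggest; the envelope Hs*(Tp), the bias coefficients and the error covariance are constructed stand-ins, since figure 5 and the regression results are not reproduced on the page.

```python
import math
import random

SAFETY_LIMIT_PROB = 0.035   # max allowed P(minimum joint pressure < 0.3 N/mm2)
ENVELOPE_PROB = 0.01        # P(m >= 1) on the lower envelope Hs*(Tp), by definition (4)
SWELL_PERIOD = 10.0         # swell period fixed at 10 s throughout the paper

# Constructed bias coefficients (a, b) per wave parameter; assumed form
# ln(actual) = a + b * ln(forecast) + c   (the paper's (1) is not reproduced)
BIAS = {"Tp": (0.0, 1.0), "Hs": (0.05, 1.0), "D": (0.0, 1.0)}
NO_BIAS = {"Tp": (0.0, 1.0), "Hs": (0.0, 1.0), "D": (0.0, 1.0)}
# Constructed covariance of the random errors (c_T, c_H, c_D), in that order
COV = [[0.010, 0.002, 0.000],
       [0.002, 0.040, 0.005],
       [0.000, 0.005, 0.090]]
ZERO_COV = [[0.0] * 3 for _ in range(3)]


def hs_star(tp):
    """Constructed stand-in for the lower envelope Hs*(Tp) of the test results
    (NOT the paper's values). Smallest near Tp = 10 s, where the wavelength is
    close to the 96 m length of an element and bending moments are largest."""
    return 1.0 + 0.05 * (tp - 10.0) ** 2


def m_mean(tp, hs):
    """Parameter m_m of the exponential distribution of m = dt/dt_max.
    Proportional to Hs, with the Tp-dependent constant chosen so that
    P(m >= 1) = exp(-1/m_m) equals 1% when Hs = Hs*(Tp)  (equation (4))."""
    return hs / (hs_star(tp) * math.log(1.0 / ENVELOPE_PROB))


def m_swell(d):
    """Deterministic swell part of m, assumed here as D/Hs*(10) by analogy
    with the sea results (stands in for the paper's equation (7))."""
    return d / hs_star(SWELL_PERIOD)


def p_exceed(tp, hs, d):
    """P(m >= 1) for known sea (Tp, Hs) and swell D: the probability that the
    minimum joint pressure during transport falls below 0.3 N/mm2 (eq. (6)).
    With m = m_swell + m_sea and m_sea exponential, P = exp(-(1 - m_swell)/m_m)."""
    ms = m_swell(d)
    if ms >= 1.0:
        return 1.0          # swell alone uses up the allowed pressure reduction
    if hs <= 0.0:
        return 0.0          # no sea: the random part of m is identically zero
    return math.exp(-(1.0 - ms) / m_mean(tp, hs))


def cholesky3(cov):
    """Lower-triangular L with L L^T = cov, used to draw correlated normals.
    Zero rows/columns (no error in that parameter) are handled."""
    n = len(cov)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = cov[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                L[i][j] = math.sqrt(max(s, 0.0))
            else:
                L[i][j] = s / L[j][j] if L[j][j] > 0.0 else 0.0
    return L


def actual_from_forecast(name, forecast, c, bias):
    """Apply the assumed log-linear bias and a drawn random error c."""
    if forecast <= 0.0:
        return 0.0
    a, b = bias[name]
    return math.exp(a + b * math.log(forecast) + c)


def p_exceed_forecast(tp_hat, hs_hat, d_hat, bias=BIAS, cov=COV, n=20000, seed=1):
    """Monte Carlo evaluation of (8): P(m >= 1) averaged over the multi-normal
    forecast error (c_T, c_H, c_D), for a forecast (Tp, Hs, D)."""
    rng = random.Random(seed)
    L = cholesky3(cov)
    total = 0.0
    for _ in range(n):
        z = [rng.gauss(0.0, 1.0) for _ in range(3)]
        c = [sum(L[i][k] * z[k] for k in range(3)) for i in range(3)]
        tp = actual_from_forecast("Tp", tp_hat, c[0], bias)
        hs = actual_from_forecast("Hs", hs_hat, c[1], bias)
        d = actual_from_forecast("D", d_hat, c[2], bias)
        total += p_exceed(tp, hs, d)
    return total / n


def may_transport(tp_hat, hs_hat, d_hat):
    """Decision rule of section 4: transport only if P does not exceed 3.5%."""
    return p_exceed_forecast(tp_hat, hs_hat, d_hat) <= SAFETY_LIMIT_PROB


if __name__ == "__main__":
    # Constructed forecasts (not the paper's): calm, borderline, heavy swell
    for forecast in [(7.0, 0.5, 0.1), (8.0, 1.2, 0.3), (9.0, 1.0, 0.9)]:
        p = p_exceed_forecast(*forecast)
        print(forecast, "P = %.4f" % p, "go" if p <= SAFETY_LIMIT_PROB else "postpone")
```

Sweeping `hs_hat` at fixed `tp_hat` and `d_hat` until `p_exceed_forecast` crosses 3.5% reproduces one point of a curve of the kind shown in figure 6.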

In essence, expression (8) is the intended decision support tool. However, in this form it is not very suitable for use in the field. To cope with this, we have used the expression to obtain sets of predicted Tp, Hs and D for which P = 3.5%. The result is presented in figure 6. Each curve in this graph reflects an upper limit. They show for a specific prediction of D the relation between predicted Tp and Hs for which the safety level is only just satisfied. In deciding upon initiation of a transport operation, the point reflecting the predicted (Tp, Hs) is plotted in this graph. When this point is below the curve corresponding to the predicted D, the safety level is not exceeded so that transportation may commence.

The angular character of the curves in figure 6 can be explained to a large extent from the computational methods that have been applied to evaluate expression (8). In addition, figure 6 also includes the results of an assessment similar to the one presented above but with respect to safety against structural failure of an element. Which of the two is determinative differs from one wave forecast to another.

5 EVALUATION

With the graph in figure 6 an easily manageable, probabilistic tool has been obtained to evaluate on the basis of a forecast of wave conditions whether the safety level set for transporting elements of the Wijker tunnel will be satisfied. This tool has played a central role in the decision making process with respect to the transportation of those elements. Its principles are widely applicable in offshore operations planning.

The first element was transported over a very calm sea (Tp = 1.0 s, Hs = 0.1 m and negligible swell). In the case of element number 2 adverse wave conditions had been forecasted and transportation had to be postponed (the encircled 2 in figure 6 corresponds to the second attempt to transport element 2). The wave forecast made prior to the transportation of the fifth element read Tp = 5.5 s, Hs = 1.5 m and D = 0.4 m (see the encircled 5 in figure 6). This only just satisfies the safety level. After the element had reached its destination, the wave forecast was compared to field data gathered during transport. It appeared that the forecast was slightly optimistic in the sense that the maximum Hs observed during the transport operation was almost 1.9 m. If the forecast had been fully accurate, transportation of element 5 would have been postponed as well. Some people have concluded from this observation that more risk had been taken than intended. Evidently, this conclusion is incorrect.

ACKNOWLEDGEMENT

The probabilistic exercise described in the present paper has been carried out within the framework of the advisory services rendered by Tunnel Engineering Consultants (the Netherlands) in support of the maritime transport of the six elements of the Wijker tunnel. The co-operation of this firm in realising this paper is appreciated.



[Figure 6: curves of significant wave height Hs [m] (0 to 2.5 m) against peak period Tp [s] (3 to 10 s) for D = 0.1 m, 0.2 m, 0.3 m, 0.4 m and 0.5 m, with encircled numbers marking the actual forecasts.]

Figure 6. Curves reflecting the wave forecasts for which the safety level is only just satisfied. Actual forecasts (sea) for the transportation of elements 2–5 are indicated by encircled numbers.


Safety and Reliability – Bedford & van Gelder (eds) © 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7


Foundations of the UPM common cause method

Athena Zitrou & Tim Bedford
University of Strathclyde, Glasgow, UK

ABSTRACT: Common cause failures (CCF) have a significant impact on the risk of complex engineering systems, such as nuclear plants. Consequently, modelling this class of events is an important part of risk assessments, and the authorities that are responsible for the safe and efficient functioning of the aforementioned systems have taken this issue on board. The current approach in the UK towards CCF modelling is the Unified Partial Method (UPM), which is based on the Partial Beta Factor Model and the Cut-Off Methodology. The UPM scoring system itself is based on an additive weighting factors approach. This is closely allied to the additive value function approach of Multiattribute Value Theory. However, within MAVT there are many other possible models. We explore whether the preferential independence axiom, required for an additive value function, is conceptually appropriate. In addition we discuss the impact of new data availability, in particular from the ICDE project. The research discussed here is part of an on-going research project, funded by the Health and Safety Executive.

1 INTRODUCTION

High reliability and safe design play an important role in complex technological systems like nuclear power plants, since their inefficient or irregular operation would have enormous environmental, social and political impacts. Nuclear power plants are designed in accordance with the Defence-In-Depth philosophy, which employs redundant systems to serve as multiple defence layers. Given the assumption that the components fail independently, multiple systems/components offer a major level of defence: in case one component fails, others can perform its designed function. However, operating experience and collected data revealed that the risk posed to these systems is higher than estimated. This is due to the fact that events are often dependent. Probabilistic Risk Analyses (PRAs) have long recognised the contribution of dependent failures to accidents and system unavailability and modelled this in principle through the use of common cause failure models. This paper looks at some of the assumptions implicit in the UPM method, which is the current approach of the UK.

Common Cause Failures (CCFs) are "simultaneous" failures of a number of components due to some common event. They pose a major threat to redundant systems, as they can defeat the defence design. Within a PRA scope some events leading to CCFs may be explicitly modelled while there are a host of others which are not. For this second category numerous approaches have been proposed to quantify their impact on the system of interest: these are mostly parametric models. A few examples of such models are the Multiple Greek Letter Model (Apostolakis & Moieini, 1987), the Binomial Failure Rate Model (Atwood, 1996), the Alpha Factor Model (Siu & Mosleh, 1998) and the Unified Partial Method (UPM) (Brand, 1996). The primary objective of parametric models is to quantify the frequency of multiple component failures through the assessment of model parameters.

2 UNIFIED PARTIAL METHOD

There are various levels of complexity among the parametric models, starting from very simple models in terms of assumptions and data input, like the Beta Factor model, and shifting to more complex ones, like the Marshall-Olkin model. The simplest approaches have often been criticised for embracing over-simplifying assumptions. On the other hand, the more complex ones can lose predictive accuracy due to lack of sufficient data.

Nuclear industries in many countries use parametric models of intermediate complexity level. However, the UK has developed its own approach towards CCF modelling, the Unified Partial Method (UPM) (Brand, 1996). UPM is a methodology that introduces a single systematic structure based on the Beta-Factor model and the Cut-Off method. Once the analyst has decided the physical boundaries of the system of interest, a Pre-Analysis table is filled, which aims to identify the data available and the time to be spent in the analysis. At this point the level of the analysis is being decided (system/component). In both cases similar steps are followed.

Within the UPM framework, the system is calibrated across a number of subfactors/areas such as redundancy or operator interaction. This is done through a number of tables, each of which is related to a different system design or operation, and scores are given depending on the categories assigned to the system.¹ Finally, a Beta factor (component level) or a Cut-Off (system level) is obtained, which represents the common cause failure rate of the system of interest.

UPM offers a step-by-step, auditable methodology. The framework proposed is easy to implement, even by an analyst who does not have in-depth knowledge of analytical procedures. During the application of UPM, the analyst is encouraged to study the system of interest, in order to classify it across the generic categories, thus gaining insight into the potential for CCF events (the insight gained may also indicate possible modifications that would increase the reliability of the system).

Despite all the above advantages of UPM, there are aspects which are ready for further research. First of all, changes in the design and age of the system raise the issue of whether a recalibration of the UPM scoring system is needed. The recent availability of data through the ICDE database, which represents many reactor years and includes information from various sources across a number of countries, gives an opportunity for further development. In addition, both the Beta-Factor and Cut-Off approach used in UPM make use of an additive weighting system. Throughout the rest of the present paper, the recalibration issue will be explored and the implications of this additive system will be highlighted. Some conceptual inconsistencies will be identified, which give directions to further improvement by using theoretical tools such as Multiattribute Value Theory (MAVT). We highlight those similarities of the UPM structure with MAVT that give grounds for alternative approaches.

3 INTERNATIONAL COMMON CAUSE FAILURE DATA EXCHANGE (ICDE) PROJECT

3.1 Introduction

The availability of reliability data is of vital importance, not only because data is used for the quantification of parameters in the models, but also because it may be used in a qualitative way for identifying and understanding the various failure mechanisms. However, a number of pitfalls arise in data collection procedures. Firstly, CCF events are rare events and consequently it is difficult to gather enough plant-specific data in order to perform robust parameter estimations and credible reliability analyses. Secondly, due to the complex nature of CCF failures, a considerable amount of ambiguity exists in their classification.² Certainly data may be gathered from well-run tests, but it has been recognised that this type of data fails to capture the particularities and complexity of CCF events in the way that operational data can (Walls, 1989, Atwood, 1996).

In order to overcome these drawbacks and produce credible analyses, efforts have been made to collect information and failure data from multiple sources and to create a generic database. One important effort in this direction is the International Common-Cause Failure Data Exchange (ICDE) Project. The philosophy behind this initiative is to encourage multilateral co-operation in the collection and analysis of data relating to CCF events (ICDE project, 2001). Once pitfalls such as data heterogeneity³ have been overcome, the ICDE database will be a valuable source of information, which could be used in both qualitative and quantitative ways.

3.2 ICDE and UPM

The ICDE database contains a large amount of information concerning CCF events; nonetheless it is not currently used for quantification purposes in the UK. The current approach is to use it for the identification of CCF events, and it is mainly used as a means for gaining insight into the relevant failure mechanisms. Since ICDE is a generic database, the data that it contains comes from various sources; this fact leads to problems regarding the interpretation of the information when it is intended to be used for specific quantification purposes. Nevertheless, the observations in ICDE are relatively homogeneous because a systematic data-collection procedure is shared. In addition, we expect in the future there will be further moves to common data collection procedures.

As has been already mentioned, UPM is used exclusively by the UK. The other national members of the ICDE project have adopted different approaches towards the issue of CCF quantification. Therefore, the failure reports included in the ICDE database do not incorporate information regarding the subfactors of UPM. If that were the case, statistical techniques such as regression might be applied to assess the impact of subfactors.

¹ These scores have been deduced from surveys conducted on historical data and engineering judgment and characterise the vulnerability of the system towards CCF events.

² There is no fixed rule for distinguishing a multiple dependent failure from coincident multiple independent failures; or a single failure from a CCF event that happened to cause the failure of only one component.

³ System-to-system and plant-to-plant variation impact on the analyses' results and this issue should be taken into consideration when using generic reliability data.

Assuming the ideal case, every failure report in the ICDE database incorporates information regarding the different UPM subfactors. Then, for every failure event the categories characterising the system would be available in the event reports. Moreover, for every system the partial beta factor (β) can be estimated, based on the data gathered during the operational years contained in the database. Therefore, the data available for quantification purposes would be of the form given in Table 1.

The beta factor of a system describes the probability of a component failing due to a common cause, given that the component fails. It is estimated as the fraction of the total number of common cause events over the total number of times that a component belonging to the redundant group of the system failed. In other words,

The model that the UPM methodology proposes for estimating the beta factor of the system of interest is of the form:

(1)

where x_ij (j = 1, …, 8) are the scores of the categories assigned to system i across the eight subfactors and w_j (j = 1, …, 8) are the weights determining the impact that each subfactor has on the determination of the overall failure rate.

Given that the proposed model is linear, then by applying the method of multiple linear regression to the data available, the weights of each subfactor are estimated, and the dependencies of the failure rate on the several subfactors are determined based on actual failure data.

This is one potential way to address the issue of recalibration of UPM in the light of the new information contained in the UPM database. Nonetheless, two pitfalls exist: firstly, it is doubtful whether the amount of available data is sufficient to produce statistically significant results, even if the UPM scores had been collected in previous data collecting exercises; secondly, a linear relationship between the failure rates and the subfactors is an a priori assumption of the methodology just described. Hence, the readjustment of the weights of the different subfactors, an issue of major importance, can in principle be tackled; yet, the issue of the existence of a linear relationship remains unsettled and constitutes an area of further research. We shall now consider this latter issue further.
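The recalibration step described in this section, carried out on Table 1 style data, as an added example that is not code from the paper or from the UPM or ICDE projects: each system contributes its observed beta factor m_i / n_i and its eight subfactor scores, and the weights w_j of the linear model (1) are recovered by least squares. The category scores, the "true" weights used to generate the synthetic fleet, and every count are constructed assumptions for illustration and are not ICDE data or the real UPM scoring tables.

```python
"""Recalibrating UPM subfactor weights from event data by multiple linear regression.

Added example, not code from the paper or from the UPM/ICDE projects. It assumes
the linear model of equation (1), beta_i = sum_j w_j * x_ij, and data rows of the
kind listed in Table 1: for system i, m_i common cause events out of n_i component
failures (so the observed beta factor is m_i / n_i) and eight scores x_i1 .. x_i8.
Every number below is constructed for illustration; none of it is ICDE data.
"""

# Constructed category scores for the five UPM categories: A is the weakest
# defence and carries the highest score, E the strongest. Not the real UPM tables.
CATEGORY_SCORE = {"A": 5.0, "B": 4.0, "C": 3.0, "D": 2.0, "E": 1.0}
N_SUBFACTORS = 8

# Constructed "true" weights used only to generate the synthetic dataset.
TRUE_WEIGHTS = [0.012, 0.010, 0.008, 0.006, 0.005, 0.004, 0.003, 0.002]


def beta_factor(m, n):
    """Beta factor of one system: common cause events over all component failures."""
    if n <= 0 or not 0 <= m <= n:
        raise ValueError("need 0 <= m <= n and n > 0")
    return m / n


def solve_linear(a, b):
    """Solve a square system A x = b by Gaussian elimination with partial pivoting."""
    size = len(a)
    aug = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(size):
        pivot = max(range(col, size), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular normal equations: the scores are collinear")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, size):
            f = aug[r][col] / aug[col][col]
            for c in range(col, size + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * size
    for i in range(size - 1, -1, -1):
        tail = sum(aug[i][j] * x[j] for j in range(i + 1, size))
        x[i] = (aug[i][size] - tail) / aug[i][i]
    return x


def fit_weights(scores, betas):
    """Least-squares weights w for beta ~ X w (no intercept, as in equation (1)),
    obtained from the normal equations X^T X w = X^T beta."""
    p = len(scores[0])
    xtx = [[sum(row[i] * row[j] for row in scores) for j in range(p)] for i in range(p)]
    xty = [sum(row[i] * beta for row, beta in zip(scores, betas)) for i in range(p)]
    return solve_linear(xtx, xty)


def constructed_dataset(n_systems=24, failures_per_system=500):
    """Build Table 1 style rows (scores, m_i, n_i) for a synthetic fleet of systems.
    The first eight rows are chosen so that the design matrix has full rank; the
    rest come from a small linear congruential generator for reproducibility."""
    letters = "ABCDE"
    rows = []
    for i in range(N_SUBFACTORS):
        cats = ["C"] * N_SUBFACTORS
        cats[i] = "A"
        rows.append(cats)
    state = 12345
    while len(rows) < n_systems:
        cats = []
        for _ in range(N_SUBFACTORS):
            state = (1103515245 * state + 12345) % 2**31
            cats.append(letters[state % 5])
        rows.append(cats)
    scores = [[CATEGORY_SCORE[c] for c in cats] for cats in rows]
    exact_betas = [sum(w * x for w, x in zip(TRUE_WEIGHTS, row)) for row in scores]
    # Observed counts: m_i common cause events among n_i failures. Rounding to
    # whole events gives the regression a little sampling noise, as real counts would.
    m = [round(b * failures_per_system) for b in exact_betas]
    n = [failures_per_system] * n_systems
    return scores, m, n


def recalibrate(scores, m, n):
    """The recalibration step the paper discusses: beta_i = m_i / n_i is regressed
    on the eight subfactor scores to re-estimate the weights w_j."""
    betas = [beta_factor(mi, ni) for mi, ni in zip(m, n)]
    return fit_weights(scores, betas)


if __name__ == "__main__":
    scores, m, n = constructed_dataset()
    for j, (est, true) in enumerate(zip(recalibrate(scores, m, n), TRUE_WEIGHTS), start=1):
        print(f"w{j}: estimated {est:.4f}  (generating value {true:.4f})")
```

The fit is exact when the betas are the noise-free model values and drifts slightly once the counts are rounded to whole events, which illustrates the first pitfall named above: with few systems and a handful of events each, the recovered weights carry sampling error that the model has no way to express, and the second pitfall (the linear form itself) is simply assumed by `fit_weights`.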

4 CONNECTION BETWEEN MULTIATTRIBUTE VALUE THEORY AND UPM

4.1 Multiattribute Value Theory

Multiattribute Value Theory (MAVT) is a modelling tool that supports the decision-making process. Given a decision problem and in the general case, the decision-maker is free to choose among a number of alternatives/actions. For each course of action there is an effect, which has implications across multiple criteria. In the scope of MAVT, it is assumed that the effects/outcomes of each action are well defined and known to the decision-maker with certainty, prior to the choice of action. MAVT is concerned with the definition of a trade-off structure among the different outcomes that reflects the preferences of the decision-maker. A value function is defined that assigns a value to each set of outcomes consistent with the preference statements of the decision-maker. The definition of the preference relation and the value functions should comply with the axioms and conditions of MAVT. In the rest of the paper the similarities of UPM and MAVT are highlighted and the implications for the UPM model structure are assessed.

4.2 UPM structure

Within the framework of MAVT, in order to completely describe the outcomes of a specific course of action, each objective is broken down into a number of measurable qualities (attributes) and a hierarchy is formed. Similarly, within the UPM context multiple performance measures are used; the initial objective is the determination of the system's defence level, which is broken down into eight different measurable qualities, the different subfactors. The hierarchy formed is illustrated in Figure 1.

Table 1. Data available for quantification purposes.

System   Total common cause events   Total number of times a component fails   Scores at subfactors S1  S2  …  S8
i        m_i                         n_i                                       x_i1  x_i2  …  x_i8

The level of defence of a system against dependent failures is estimated across eight different areas (subfactors), each of which corresponds to five different categories (labelled A, B, C, D and E). The system of interest is assigned to one of these categories across all areas. Scores are given accordingly and the overall failure rate of the system of interest is estimated as the sum of all the scores.

For the purposes of this paper, let:

A1, A2, …, A8 denote the different subfactors;

x_ij (j = 1, 2, …, 8, i ∈ Z⁺) denote the category assigned to subfactor Aj in assessment i;

u_j(x_ij) (j = 1, 2, …, 8, i ∈ Z⁺) denote the score corresponding to each category in assessment i.

If λ denotes the failure rate of the system of interest, then the UPM model assumes that:

(2)

Within UPM we might identify a particular set of scores as an "action", namely the act of accepting a system with these specific scores. Therefore, a set of actions {B1, B2, …} is defined, where each action leads to a specific outcome (the categories that are assigned to the system of interest). The configuration of the system is done across eight subfactors, which can be considered as attributes. The eight-dimensional set of assigned categories can be considered as the set of outcomes. Thus, each act bi ∈ {B1, B2, …} corresponds to an 8-attribute outcome vector. In other words,

where Xi is the domain of attribute Ai.

The actions and the attributes in UPM form a matrix in which each row corresponds to an action and each column to an attribute (a different performance measure). See Table 2.

4.3 Definition of the preference structure

UPM implies the existence of a preference structure as follows:

"The smaller the failure rate obtained, the bigger the defence level of the assessed system, and, therefore, the more preferable the action yielding this outcome is."

This preference structure can be expressed as a binary relationship ≽ defined over the outcome space V = X1 × X2 × … × X8. Note that ≽ is a negatively oriented relationship, since the lower scores are preferred.

Definition: If x, y ∈ V,

(3)

where

(4)

The relationship ≽ represents a preference structure, as it obeys the axioms of comparability, transitivity, consistency of indifference and weak preference, and consistency of strict preference and weak preference.

Figure 1. UPM hierarchy: the defence level of the system is broken down into Design, Operation and Environment, and further into the eight subfactors Redundancy & Diversity, Separation, Understanding, Analysis, Operator Interaction, Safety Culture, Control and Tests.

Table 2. Acts and attributes in UPM.

Acts   A1    A2    A3    …   A8
B1     x11   x12   x13   …   x18
B2     x21   x22   x23   …   x28
⋮      ⋮     ⋮     ⋮         ⋮

A relationship defined on a set for which the above axioms hold is known as a weak order; consequently, set V is a weakly ordered set (French, 1993).

Every element of the act space is mapped to an 8-dimensional outcome space, as equation (4) is a function λ : V = X1 × X2 × … × X8 → ℝ, where Xj is the domain of attribute Aj and uj : Xj → ℝ, j = 1, 2, …, 8. See Figure 2.

So far, UPM's preferences are expressed through a weak order ≽ and a real-valued function λ is defined such that (3) holds. Then, we say that λ is an ordinal value function representing ≽.

The properties below stem from the definitions and assumptions made so far:

1. The smaller the failure rate of an action, the more "preferable" for a decision-maker this action is:

For x, y ∈ V,

2. (Marginal orders over sets Xl, l = 1, 2, …, 8). The smaller the score of a category, the more "preferable" to the decision-maker this category is, since it results in a smaller failure rate:

For x, y ∈ Xj

These properties imply that the functions λ and uj, j = 1, 2, …, 8 are monotonic functions.⁴ Therefore, λ is a value function that represents ≽ and uj, j = 1, 2, …, 8 are marginal value functions (single-attribute functions) (French, 1993).

4.4 Additive form and mutual preferential independence

Equation (4) implies that λ is a value function for the preference relation defined in (3). This is clearly an additive value function. However, in MAVT the existence of an additive value function over the set V requires that the attributes are mutually preferentially independent.⁵ This statement says that every subset of attributes Y ⊂ V is preferentially independent of its complementary set Z = V − Y [7]. Or, in other words, the conditional preference structure of the subset Y does not depend on the level of the subset Z; therefore, the trade-offs between the attributes belonging to subset Y do not depend on the level of the attributes belonging to set Z (Keeney, 1976). Mathematically expressed,

If y′, y″ ∈ Y,

(5)

for all z, z′ ∈ Z

4.5 Preferential independence within the context of UPM

The form of the Multiattribute Value Function (4) used within the UPM framework makes the assumption of mutual preferential independence. Transferring this notion into the UPM framework implies that a given set of attributes influences the overall failure rate in a fixed way, regardless of the level of the rest of the attributes. However, this may not be consistent with our own judgement about how the model should behave. This inconsistency will be illustrated by considering three hypothetical cases:

Case 1: In order to demonstrate this argument, we assume an assessment of a particular system. We choose typical categories x̄₄, x̄₅, …, x̄₇ for all the attributes except Safety Culture (A1), Redundancy (A2) and Analysis (A3) and we keep them fixed. We are going to examine the preference structure in the subspace Y = X1 × X2 × X3. More precisely, we are going to examine the trade-offs between the subfactors of Redundancy and Safety Culture when modifying the level of Analysis.

First we assume that the system of interest has been classified as category A at the subfactor of Analysis (x₃ = x₃¹ = A),⁶ as category A at the subfactor of

Figure 2. The mapping of acts: each act in the act space {B1, B2, …} is mapped to an outcome x = (x1, …, x8) over the attributes A1, A2, …, A8, which is in turn mapped to a real number r(x).

⁴ If ϕ : X → Y is monotonic, then ∀ x1, x2 ∈ X, x1 ≽ x2 ⇔ ϕ(x1) ≤ ϕ(x2).

⁵ Apart from the conditions of weak ordering and mutual preferential independence, there are other necessary conditions for the existence of an additive value function. These are restricted solvability, the Archimedean and essentiality conditions (see Reference i). Even though the random variable x_ij, j = 1, 2, …, 8, i ∈ Z⁺ can take only five values (there are only five categories), we assume that it could be conceptually extended to a continuous random variable with the above conditions met.

⁶ Category A in the attribute of Analysis means that no formal safety assessment has taken place and that there is no design knowledge of dependent failure issues.

Redundancy (x₂ = x₂¹ = A)⁷ and as category D at the subfactor of Safety Culture (x₁ = x₁ʰ = D).⁸ Redundancy is considered to impact significantly on the defence level of the system; therefore, if the Safety Culture level drops (x₁ = x₁ˡ = B),⁹ redundancy should significantly increase (x₂ = x₂ʰ = D)¹⁰ for the failure rate of the system to stay at the same level. Expressing that mathematically, we have just argued that

(5)

We now assume that the configuration of the system in terms of Analysis is high, meaning that previous analyses have taken place (x₃ = x₃² = E).¹¹ In this case we can presume that the aspect of redundancy or diversity has been taken into consideration during the previous assessments, and the present design has been recognised as the one that functions better in case of a Common Cause event. Therefore, the impact of Redundancy on the determination of the overall failure rate should be smaller. Then, having low redundancy (A) and high safety culture (D) would yield a higher defence level (lower failure rate) than high redundancy and low safety culture. In other words,

(6)

However, the UPM structure implies that the preference structure stays the same, regardless of the level of Analysis. Consequently it should hold

(7)

which contradicts our expectation about the behaviour of the model.

Moreover, an additive value function implies from (5) and (6) that the range u₂(x₂ʰ) − u₂(x₂ˡ) is constant; consequently, the weight of the subfactor of Redundancy does not depend on the level of Analysis. This means that the trade-offs between a subset of subfactors do not depend on the categories that the rest of the subfactors have received, a fact that is not coherent with what we intuitively expect.

Case 2: In the same view, if the level of Analysis were high, someone would expect that the issue of Diversity would have been considered. Therefore, the configuration of the system in terms of diversity is not expected to have the same impact on the overall level of defence as it would have if previous analyses had not taken place and defence measures had not been adopted. In the second case, non-diversity would impact much more on the overall failure rate, compared to the first case.

Case 3: If we consider the subspace comprised of the attributes of Redundancy, Safety Culture and Operator Interaction, the preference structure is disturbed again. Let it be that, at a specific assessment, the attribute of Operator Interaction receives category A (it is being fixed at a low level). That would suggest that there are no written procedures regarding the functioning of the system, whereas operator interaction is at a normal level. In this case the impact of Safety Culture (how expert the operator is) on the overall failure rate should be stronger, compared to the one that it would have if Operator Interaction were fixed at a higher level, suggesting that there is minimal operator interaction with the system and written procedures are available.
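Case 1 above, and the preferential independence condition (5) of Section 4.4 that it tests, worked through in code as an added example that is not from the paper or from UPM. The block compares the additive value function of equation (4) with a constructed non-additive variant in which the weight of Redundancy shrinks as the Analysis category improves, and runs an exhaustive check of whether the pair {Safety Culture, Redundancy} is preferentially independent of Analysis. The category scores, the weights (picked so that relation (5) holds as an indifference under the additive model), the three-attribute subspace and the 0.8 damping factor are all assumptions made for this example; they are not the real UPM scoring tables.

```python
"""Preferential independence under an additive UPM-style value function.

Added example, not code from the paper or from UPM. It works through Case 1 of
Section 4.5 with three attributes, Safety Culture (A1), Redundancy (A2) and
Analysis (A3). The category scores, weights and the interaction model are
constructed assumptions, not the real UPM scoring tables. Lower total score
means lower failure rate and is preferred (a negatively oriented relation).
"""
from itertools import product

CATEGORIES = "ABCDE"
# Constructed marginal scores u_j(category): A is the weakest defence, E the best.
SCORE = {"A": 5.0, "B": 4.0, "C": 3.0, "D": 2.0, "E": 1.0}
SAFETY_CULTURE, REDUNDANCY, ANALYSIS = 0, 1, 2
# Constructed weights w_1, w_2, w_3, chosen so that under the additive model the
# profile (Safety Culture D, Redundancy A) is indifferent to (Safety Culture B,
# Redundancy D), which is what relation (5) of Case 1 asserts.
WEIGHTS = (1.5, 1.0, 1.0)


def additive_value(x, weights=WEIGHTS):
    """Additive value in the form of equation (4): sum_j w_j * u_j(x_j)."""
    return sum(w * SCORE[c] for w, c in zip(weights, x))


def interaction_value(x, weights=WEIGHTS):
    """Non-additive variant: the weight of Redundancy shrinks as Analysis improves,
    encoding the Case 1 argument that a prior analysis has already accounted for
    redundancy. The 0.8 damping factor is a constructed choice."""
    analysis_quality = (SCORE["A"] - SCORE[x[ANALYSIS]]) / (SCORE["A"] - SCORE["E"])
    total = 0.0
    for j, (w, c) in enumerate(zip(weights, x)):
        if j == REDUNDANCY:
            w = w * (1.0 - 0.8 * analysis_quality)   # 1.0 at Analysis = A, 0.2 at E
        total += w * SCORE[c]
    return total


def compare(value, x, y):
    """-1 if x is preferred to y (lower value), 1 if y is preferred, 0 if indifferent."""
    vx, vy = value(x), value(y)
    return (vx > vy) - (vx < vy)


def preferentially_independent(value, y_indices, n_attrs=3):
    """Check whether the attributes in y_indices are preferentially independent of
    their complement Z: the ordering of any two Y-profiles must be the same for
    every level z of Z (relation (5) of Section 4.4). Exhaustive over categories."""
    z_indices = [j for j in range(n_attrs) if j not in y_indices]

    def compose(yp, zp):
        x = [None] * n_attrs
        for j, c in zip(y_indices, yp):
            x[j] = c
        for j, c in zip(z_indices, zp):
            x[j] = c
        return tuple(x)

    z_profiles = list(product(CATEGORIES, repeat=len(z_indices)))
    for y1 in product(CATEGORIES, repeat=len(y_indices)):
        for y2 in product(CATEGORIES, repeat=len(y_indices)):
            orders = {compare(value, compose(y1, z), compose(y2, z)) for z in z_profiles}
            if len(orders) > 1:
                return False   # the same Y pair is ordered differently at two z levels
    return True


def case_1(value):
    """Case 1 of the paper: high Safety Culture with low Redundancy versus low
    Safety Culture with high Redundancy, first with Analysis at A, then at E.
    Returns the two comparison results (relation (5), then relation (6))."""
    p_low, q_low = ("D", "A", "A"), ("B", "D", "A")    # Analysis = A
    p_high, q_high = ("D", "A", "E"), ("B", "D", "E")  # Analysis = E
    return compare(value, p_low, q_low), compare(value, p_high, q_high)


if __name__ == "__main__":
    for name, fn in (("additive", additive_value), ("interaction", interaction_value)):
        low, high = case_1(fn)
        print(f"{name:11s}: Analysis=A -> {low:+d}, Analysis=E -> {high:+d}; "
              f"{{A1,A2}} pref. independent of A3: {preferentially_independent(fn, [0, 1])}")
```

The additive model returns indifference in both situations, which is relation (7): the Analysis level cancels out of every comparison, so the exhaustive check reports preferential independence. The interaction model reproduces the expected (5) at Analysis = A and (6) at Analysis = E, and the same check fails for it, which is exactly the behaviour an additive value function cannot express.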

5 CONCLUSION

CCFs are major contributors to system unavailability. This has been recognised in Probabilistic Risk Analyses and many models have been proposed so far for their efficient and robust modelling. The UK has adopted its own CCF quantification approach: UPM.

UPM makes use of an additive value function, which assumes the condition of mutual preferential independence between the subfactors. This fact leads to conceptual inconsistencies. The similarities that the UPM structure shares with MAVT, a decision tool, are of great importance. This may give directions towards the incorporation of MAVT value functions that weaken the condition of preferentially independent subfactors. In any case the above arguments suggest that in further enhancing UPM, a non-linear model should be considered.

The establishment of the ICDE Project offers means for further development of the UPM framework: the information accumulated in the database offers opportunities for reassessing the UPM structure. However, pitfalls exist in the collection of failure data, even though efforts are made towards the establishment of a more coherent collection method across the different countries.

⁷ Category A in the attribute of Redundancy means that there is simple redundancy (1oo2).

⁸ Category D in the attribute of Safety Culture means that there is simulator training of normal operation AND there is dedicated staff and evidence of good safety culture including systematic training of emergency conditions.

⁹ Category B in the attribute of Safety Culture means that there is systematic regular training covering general and emergency operations.

¹⁰ Category D in the attribute of Redundancy means that there is unusually high redundancy, 1oo8 or higher, in a passive system with engineering diversity.

¹¹ Category E in the attribute of Analysis means that previous reliability assessment has taken place with clear evidence of results feedback and management support AND there is evidence of designer knowledge of dependent failure issues.

REFERENCES

Apostolakis, George & Moieini, Parviz, 1987. The foundations of models of dependence in Probabilistic Safety Assessment. Reliability Engineering. Vol. 18. p. 177–95.

Atwood, Corwin L. 1996. The binomial failure rate common cause model. Technometrics. Vol. 28. No. 2. p. 139–148.

Brand, P.V. 1996. UPM3.1: A pragmatic approach to dependent failures assessment for standard systems. AEA Technology plc.

French, Simon, 1993. Decision Theory: An Introduction to the Mathematics of Rationality. Chichester: Ellis Horwood Limited.

ICDE Project, 2001. Terms and Conditions for Project Operation, 25/10/01.

Keeney, Ralph L. & Raiffa, Howard, 1976. Decisions with Multiple Objectives: Preferences and Value Tradeoffs. New York: John Wiley & Sons Inc.

Siu, Nathan & Mosleh, Ali, 1998. Treating data uncertainties in common-cause failure analysis. Nuclear Technology. Vol. 84. p. 265–81.

Walls, L.A. & Bendell, 1989. Exploring field reliability data for potential dependent failures. UK Reliability Symposium, Reliability 89. Paper 4Ab/3.


Author index

Absil, L.H.J. 537, 543, 1679; Achalakul, T. 1047; Åkerlund, O. 237; Albeanu, G. 19; Albrechtsen, E. 25; Ale, B.J.M. 1, 993; Altavilla, F. 1227; Andersen, H.B. 575; Aneziris, O.N. 1205; Anoop, M.B. 73; Ansell, J. 33; Antão, P. 37; Appa Rao, T.V.S.R. 73; Aprili, P. 305; Aprili, P.G. 45; Arbaretier, E. 53; Archibald, T. 33; Ardon, J. 53; Arends, B. 863; Argiento, R. 1345; Arild, Ø. 1375; Arjas, E. 151; Asche, F. 59; Aubry, J.F. 1401; Aven, T. 59, 807, 821, 969, 1375, 1607, 1615

Båjenescu, T.I. 67; Baker, R.L. 635; Balaji Rao, K. 73; Balderstone, M. 813; Balfanz, H.-P. 1409; Ballesio, J.E. 447; Ballocco, G. 81; Baraldi, P. 1069; Barón, J.H. 91, 1189; Barros, A. 99; Baskoro, G. 107; Basso, B. 113; Bâzu, M.I. 67; Becker, G. 119, 127, 321, 331; Bedford, T. 133, 1113, 1575; Behr, A. 127, 141; Bellucci, A. 1567; Benedikt, S. 147; Bérenguer, C. 99; Berg, H.P. 1409; Bertsche, B. 1255; Beugin, J. 1301; Bhattacharjee, M. 151; Bianchi, M. 1085; Bieber, P. 237; Billy, F. 195; Blanco, H. 165; Blanco, J.A. 171; Bocquet, J.C. 195; Böde, E. 237; Boersma, J. 191, 1041; Bolt, R. 1737; Bonanos, G. 1205; Boonstra, H. 1437; Bot, Y. 201; Bottelberghs, P.H. 1383; Botterhuis, A.A.J. 213; Bougnol, C. 237; Boulanger, J.L. 221; Bouwman, E.C.J. 661; Bouzaïène, L. 195; Bovalini, R. 229; Bozzano, M. 237, 247; Braband, J. 1307; Brandowski, A. 255; Bretschneider, M. 237; Brinkhuis, M. 1053; Brinkhuis-Jak, M. 261; Briombacher, A.C. 1041; Briš, R. 271; Brombacher, A.C. 107, 191; Bubbico, R. 279, 287, 1543; Bucciarelli, G. 297, 305; Buchlin, J.-M. 741; Buijs, F.A. 311; Bunea, C. 321, 331, 1105; Burgazzi, L. 339; Bye, R. 157

Cagno, E. 347; Caires, S. 353; Callies, U. 363; Camarinopoulos, L. 119; Candeloro, L. 439; Canepa, G. 1575; Cappelli, I. 1567; Carlos, S. 1093, 1099; Caron, F. 347; Carpignano, A. 81; Carta, R. 1543; Caruana, S.A. 695; Casal Fabrega, J. 479; Casal, J. 1247; Castel, C. 237; Cauffriez, L. 1301; Cavallero, D. 373; Cavallo, A. 237; Cavanagh, N.J. 1729; Cepin, M. 381; Chaddock, P. 171; Chantelauve, G. 387; Charitos, T. 321; Châtelet, E. 271; Chbab, E.H. 1179; Chelakara, S. 1233; Chen (Frank) H.-K. 397; Chery, O. 591; Christou, M. 479; Cifaldi, M. 237; Cimatti, A. 237; Circelli, I. 287; Cizelj, R.J. 1645; Coit, D.W. 1295, 1671; Commandeur, A.J. 403, 411; Constantinescu, A.C. 1581; Cooke, R.M. 321, 331, 363, 1315, 1321; Coolen, F.P.A. 417; Cope, A. 1233; Corneliussen, K. 423; Coroiu, N. 623; Cozzani, V. 1365; Cremonini, M.G. 439; Cross, R.B. 447; Csenki, A. 457; Curbach, M. 1263; Curry, R. 411

da Silva, L.F.M. 1497; Daghigh, M. 465, 1433; Dandrieux, A. 741, 1543; Davies, P.A. 471, 475, 695; de Boer, A. 179; de Boer, J. 185, 523


de Bruyn, P.C.A.M. 1679; De Franchi, G.B. 439; de Lange, G. 999; de Marcellis-Warin, N. 1061; De Souza Jr. D.I. 1487; De Varti, A. 229; de Weger, D. 1699; de Wit, M.S. 1721; Debernardi, M.L. 373; Debray, B. 575; Delvosalle, C. 479, 1247; den Heijer, F. 495; den Heijer-Aerts, M. 689; Denning, R. 489; Di Cave, S. 279, 287, 1543; Di Giulio, A. 503, 513; Dibitonto, C. 113; Diermanse, F.L.M. 495; Dijkerman, E.M. 185, 523; Diniz, S. 1233; Djordjevic, I. 643; Donders, J. 531; Drab, A. 567; Drewett, L. 1497; Duijm, N.J. 575; Duinkerken, J. 1737; Duriez, S. 591; Dusserre, G. 741, 1543

Edigarov, A. 1357; Eid, M. 599; Eisinger, S. 599, 735; Elrada, H.A. 801; Erdos, G. 769, 775; Evandt, O. 1289

Fabbrocino, G. 615; Fadier, E. 591; Felea, I. 623; Fiévez, C. 479, 1247; Finkelstein, M.S. 629; Fontana, R. 1153; Franciotti, D. 45, 297, 305; Frank, M.V. 635; Fredriksen, R. 643, 701

Gaido, G. 113; Galle, L.F. 605; Gargiulo, M. 81; Gaston, D. 1543; Gaver, D.P. 649; Geerse, C.P.M. 495; Gerboni, R. 653; Geri, F. 287; Ghalandarzadeh, A. 667; Ghodrati Amiri, G. 667; Giagnoni, L. 1567; Giannone, B. 339; Ginestar, D. 1093, 1099; Giovinazzi, S. 671; Girish, T. 681; Göb, R. 1289; Goldstein, M. 417; Goossens, L. 575; Goossens, L.H.J. 689, 1315, 1321; Gopalakrishnan, S. 73; Gould, J.H. 471, 475, 695; Grabski, F. 255; Grall, A. 99; Gran, B.A. 643, 701; Griffault, A. 237; Groeneweg, J. 707; Gucma, L. 713; Guedes Soares, C. 37, 719; Guida, M. 727; Guilhem, E. 1401; Guillon, B. 53; Gurley, K. 1233; Gustavsson, F. 735; Guttormsen, G. 1197

Hagen, O. 719; Haïk, Ph. 195; Hald, K. 741; Hale, A. 575; Hale, A.R. 431, 747, 783, 853, 1315, 1321; Hall, J.W. 311; Hamid, S. 1233; Han, S.H. 901; Hansson, L. 157, 755; Harms-Ringdahl, L. 763; Harvey, J. 769, 775; Hauge, S. 1197; Haugen, S. 1469; Heijer, T. 783, 853; Held, M. 791; Henderson, E.M. 801; Herfjord, K. 1015; Hjorteland, A. 807; Hodge, R. 813; Hofer, E. 907; Hokstad, P. 25, 821; Holmås, T. 1015; Holscher, P. 1721; Holterman, S.R. 261; Holub, R. 1623; Hourtolou, D. 431, 829; Hubert, E. 1543; Hukki, K. 837; Hundseid, H. 1607; Hussels, U. 127; Hutinet, T. 1401; Hwang, M.J. 897

Iervolino, I. 615; Imhof, D. 843; Inoue, K. 915, 923; Ionescu, D.C. 1581

Jacobs, P.A. 649; Jager, E. 1737; Jagtman, H.M. 853; Jang, S.C. 901; Jayaram, J.S.R. 681; Jenkins, I. 1575; Jo, Y.R. 1211; Jonkman, S.N. 261, 863

Kabranis, D. 119; Kalk, H.J. 1179; Kallen, M.J. 873; Kang, D.I. 897; Kanis, H. 583; Karelse, J.W. 1679; Kari, O. 977; Kehren, C. 237; Kenett, R.S. 881; Kermisch, C. 889; Kim, K. 897; Kim, K.Y. 901; Kim, S.H. 901; Kloos, M. 907; Kohda, T. 915, 923; Kok, M. 261, 927, 1653; Kolowrocki, K. 937; Kongsvik, T. 157; Konovessis, D. 1587; Konstantinidou, M. 1167; Koornneef, F. 783; Kootstra, F. 947; Korving, H. 959; Kouniali, S. 1145; Kraggerud, A.G. 735; Kragh, E. 719; Krijnen, F.J. 1383; Kristensen, V. 969; Kruidhof, W. 185, 523; Krzykacz-Hausmann, B. 907; Kuik, R. 1737; Kumar, D. 977; Kun, I. 147; Kurowicka, D. 363; Kwon, J.G. 1211

Labeau, P.E. 889; Lagomarsino, S. 671


Laheij, G.M.H. 993; Lam, S.W. 681; Lancioni, G.E. 707; Lannoy, A. 195; Lassing, B.L. 1005; Lauridsen, K. 719; Lawrence, B. 237; Le Coze, J-C. 431; Lecomte, O. 53; Leira, B.J. 1015; Lenic, J. 1575; Li, J.-P. 1025; Linsenmaier, B. 1409; Lisi, R. 1031; Lodder, G.H. 537; Loh, H.T. 191, 1041; Loke, G. 191, 1041; Lombardo, P. 439; Londiche, H. 575; Lopuhaä, R. 1315, 1321; Lu, Y. 191, 1041; Luansritisakul, Y. 1047; Luccone, L.G. 1543; Lüdtke, A. 237; Lumbard, D. 813; Lyridis, D.V. 1271

Madsen, H.G. 1113; Madsen, M.D. 575; Maggio, G. 801; Mancini, M. 347; Mariano, G. 221; Marmo, L. 373, 1153; Marseguerra, M. 297, 1069, 1077, 1085; Marshall, J. 813; Martorell, S. 1093, 1099; Maschio, G. 1031; Maskuniitty, M. 1389; Mathisen, S. 701; Mazzarotta, B. 279, 287, 1543; Mazzini, M. 229; Mazzuchi, T.A. 331, 559; McCaffrey, A. 213; McCollin, C. 1105; McDonald, G.J. 1113; Medonos, S. 1121, 1129, 1137; Merad, M.M. 1145; Metaal, N. 707; Metge, S. 237; Middleton, C.R. 843; Mikulicic, V. 1447; Milanolo, S. 1153; Milazzo, F.M. 1031; Miyabayashi, A. 977; Monsen, J. 1197; Morelli, G. 1575; Motamed, R. 667; Mravak, I. 1503; Mushtaq, F. 479; Muzi, F. 297

Neerincx, M.A. 1351; Nellen, Ph.M. 791; Neu, H.R. 1629; Nikolovski, S. 1503; Nilsen, E.F. 1161; Nivolianitou, Z.S. 1167; Norstrøm, J.G. 1113; Núñez Mc Leod, J.E. 91, 1189

Odisharia, G. 1357; Øien, K. 1197, 1607, 1615; Ouwerkerk, S.J. 1653; Ovtcharov, S. 1357; Øygarden, B. 1469

Pabst, I. 1281; Paci, P. 439; Papadopoulos, C. 237; Papageorgiou, L.G. 1241; Papazoglou, I.A. 1205; Pardi, L. 719; Park, S.D. 1211; Park, S.J. 1211; Parkhi, R.S. 959; Parozzi, F. 1153; Passarello, R. 237; Passenier, P.O. 1351; Pearce, J.J. 1215; Pearson, P. 1575; Pecvarac, D. 1219; Pedrali, M. 503, 513; Peikenkamp, T. 237; Pelliccioni, A. 1227; Pérès, F. 195; Persson, P. 237; Pertusio, R. 1553; Peschke, J. 907; Petersen, E.S. 1271; Piccini, M. 81; Pietersen, C.M. 689; Pievatolo, A. 347, 1289, 1345; Pinelli, J.-P. 1233; Pipart, A. 479, 1247; Pixopoulou, N. 1241; Planas, E. 479, 1247; Plot, E. 431; Podofillini, L. 1753; Polet, P. 1743; Ponte, E. 653; Popentiu-Vladicescu, Fl. 19, 623; Post, J.G. 993, 1383; Pozsgai, P. 1255; Preyssl, C. 1575; Prinsen, G.F. 495; Proske, D. 1263; Psaraftis, H.N. 1271; Pulcini, G. 727; Pulkkinen, U. 837

Quigley, J. 133, 813

Radford, N. 107; Raffetti, A. 1271; Rakowsky, U.K. 1281; Ramalhoto, M. 1105; Ramalhoto, M.F. 881, 1289, 1497; Ramirez-Marquez, J. 1295; Randazzo, G. 513; Rapicetta, C. 439; Renaux, D. 1301; René van Dorp, J. 551, 559; Renpenning, F. 1307; Reunanen, M. 1389; Rivera, S.S. 91; Robotto, A. 113; Rodrigues, N. 1543; Roelen, A.L.C. 1315, 1321; Romano, D. 1329; Rosmuller, N. 1337; Rouvroye, J.L. 107; Roy, B. 1145; Ruggeri, F. 347, 1345; Rypkema, J.A. 1351

Safonov, V. 1357; Salina, E. 1153; Salmikuukka, J. 1289; Salmon, R. 1145; Salvi, O. 829, 1543; Salzano, E. 615, 1365; Sánchez, A. 1093, 1099; Sandøy, M. 1375; Sarsama, J. 1389; Satish, B. 73; Sayers, P.B. 311; Schäbe, H. 1395; Schoenig, R. 1401; Schott, H. 1409; Schouten, S.P.F. 1415; Schubert, B. 119; Schueremans, L. 1425; Seglie, E.A. 649; Seguin, C. 237; Serbanescu, L. 19; Shabakhty, N. 465, 1433, 1437


Shade, J. 881; Sheberstov, E. 1357; Shetty, N.K. 719; Silva, W. 927; Silvetti, B. 1543; Šimic, Z. 1447; Simiu, E. 1233; Simons, M. 1321; Skjong, R. 1453, 1461; Sklet, S. 423, 1197; Soma, H. 1469; Soma, T. 1477; Sonnenkalb, M. 907; Sørum, M. 821, 1615; Steiro, T. 1197; Sterl, A. 353; Stewardson, D.J. 1497; Stijnen, J.W. 927; Stojkov, M. 1503; Stølen, K. 643; Strong, A. 775; Stuit, H.G. 1721; Suddle, S.I. 1511, 1519, 1527; Suleimanov, V. 1357; Szász, G. 147

Teixeira, A.P. 719; Terrinoni 439; Thomas, L. 33; Thompson, G. 1025; Tiemeyer, B. 1535; Tixier, J. 1543; Tommasini, R. 1553; Tomter, A. 1561; Trotta, L. 237; Trucco, P. 503, 513; Tucci, M. 1567; Tuominen, R. 1575

Uittenbogaard, M. 185, 523; Ulmeanu, A.P. 1581

Valacca, L. 237; Valk, P.J.L. 1321; van 't Sant, J.P. 1383; van den Berg, A.C. 1691; van den Boogaard, H.F.P. 495; van der Graaf, H.J. 1415; van der Hoeven, B. 185, 523; van Dongen, Ph. 537; van Doormaal, J.C.A.M. 543; van Duijne, F.H. 583; van Erkel, A. 605; Van Gelder, P. 1437; van Gelder, P.H.A.J.M. 311, 863, 959, 1337, 1415; Van Gemert, D. 1425; Van Gestel, P.J. 661; van Manen, S.E. 1053; van Noortwijk, J.M. 873, 959, 1179; van Vuren, S. 1653; van Wees, R.M.M. 1679; Vanderhaegen, F. 1743; Vassalos, D. 1587; Vassmyr, K-A. 1607; Vatn, J. 821; Vaurio, J.K. 1595, 1601; Veldkamp, J.G. 999; Ventikos, N.P. 1271; Ventulini, M. 297; Venturino, C. 1271; Verdel, T. 1145; Vermey, P. 531; Versloot, N.H.A. 1691; Vicario, G. 1329; Villafiorita, A. 237, 247; Vinnem, J.E. 1607, 1615; Vintr, Z. 1623; Voets, H.J.L. 747; Vogt, M. 1629; Vollen, F. 1607; Voortman, H.G. 1637; Vrbanic, I. 1645; Vrijling, J.K. 311, 863, 1637; Vrouwenvelder, A. 719; Vrouwenvelder, A.C.W.M. 11, 311, 1005; Vukovic, I. 1447

Waarts, P.H. 179, 1005, 1511, 1663, 1721; Walls, L. 813; Wassing, B.B.T. 999; Wattanapongsakorn, N. 1047, 1295, 1671; Weaver, M.A. 635; Webbers, P.B. 1713; Weerheijm, J. 1679, 1691; Wehrung, M.J. 311; Wery, S. 1307; Wever, R. 1315, 1321; Wijnants, G.H. 1707; Willems, A. 1713; Winther, R. 701; Wooff, D.A. 417; Worthington, D.R.E. 1729; Wosinska, L. 791

Yalaoui, F. 271; Yazdpour, S.J. 801

Zacco, G. 237; Zambardi, F. 339; Zanting, J. 1737; Zhang, L. 1233; Zhang, Z. 1743; Zio, E. 297, 1069, 1077, 1085, 1753; Zitman, T.J. 1761; Zonato, C. 113