See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/271383280

Process Safety Performance Indicators

Article  in  TRANSACTIONS of the VŠB – Technical University of Ostrava Safety Engineering Series · November 2012
DOI: 10.2478/v10281-012-0007-8

CITATIONS READS

3 3,625

1 author:

Hans J. Pasman
Texas A&M University
130 PUBLICATIONS   2,237 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Inherently Safer Design (ISD) in the chemical industries View project

HAZID, data mining, HAZOP View project

All content following this page was uploaded by Hans J. Pasman on 29 April 2015.

The user has requested enhancement of the downloaded file.

 Journal of Loss Prevention in the Process Industries 30 (2014) 197e206

Contents lists available at SciVerse ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

How can we use the information provided by process safety

performance indicators? Possibilities and limitations
Hans Pasman*, William Rogers
Mary Kay O’Connor Process Safety Center, Artie McFerrin Department of Chemical Engineering, Texas A&M University, College Station, TX 77840-3122,
United States

a r t i c l e i n f o a b s t r a c t

Article history: To make further progress towards a safer industry, process safety performance indicators are indis-
Received 13 March 2013 pensable. There are, however, some challenges involved with interpretation of indicator outcomes. By
Received in revised form going too far in detail one loses overview, but in not noticing the important detail a false impression of
10 June 2013
safety may be obtained. Aggregation from a detailed level upward may give relief at this point, but what
Accepted 10 June 2013
to do if indicator values do not improve any further? Is there a means to relate indicators to the plant’s
risk level? The paper will show that when making use of the new technique of Bayesian networks for risk
Keywords:
management, progress may be made. It seems possible to relate technical failure rates with risk factors
Process safety
Indicators
acting over time duration and to take action before something breaks down. While originating in bad
Risk management design, operation, maintenance, or neglect, these risk factors are influenced in the background by
Bayesian networks organizational, management, and human factors, which are subject to indicator monitoring. An example
will be given of results one can expect when the dependencies are modeled in Bayesian network fashion.
Current developments in other areas such as in aviation and offshore platform maintenance appear to be
advancing in the same direction.
Ó 2013 Elsevier Ltd. All rights reserved.

1. Introduction This distinction is with respect to functioning of the safety man-

agement system and the operational condition of the plant in
All management planning, organizing, implementing, and con- which all agreed measures are taken or scheduled plans have been
trol with feedback, according to Deming’s Plan, do, check, and act realized. The leading indicators have the character of how well one
cycle, require indicators on which to base decisions. The Working is prepared. The distinction is not sharply definable, e.g., near miss
Group on Chemical Accidents of the OECD (Organization for incidents, which give an important signal, can be regarded as lag
Cooperation and Development with head office in Paris) issued in but also as lead. Some years ago there was a vivid discussion on this
2003 an interim Guidance on Safety Performance Indicators (OECD, aspect in Safety Science, stirred up by Hopkins (2009) with others
2003), which supported initiatives to establish indicators of, e.g., commenting, e.g., Hudson (2009) who suggested a relation with
the Responsible CareÔ program of the American Chemical Council, bow-tie and risk.
ACC, and the chemical industry. This guidance document was fol- In January 2012 in Brussels, a two-day international conference
lowed in 2005 by a practical guide of the UK HSE (2006) and, dedicated to discussion of process safety performance indicators
following the Texas City explosion at the BP site, by CCPS publica- was organized by the European Process Safety Centre, EPSC, and the
tions (CCPS, 2007a, 2007b, and 2010). In fact, the CCPS guidelines European Chemical Industry Council, CEFIC. This conference was
on the topic of process safety performance indicators result in close very well attended, in particular by industry representatives, from
to 400 possible indicators measuring the effectiveness of 22 man- the entire global community. Apart from the plenary opening and
agement system elements. A major distinction is made between closing sessions with lectures and discussions, the more intensive
lagging and leading indicators, the former based on incidents, in- deliberations were in four parallel working sessions on the
juries, and damages that surpass a certain critical threshold of following topics:
seriousness, and thus can be counted, while the latter are factual
data indicating to what extent one deviates from an ideal situation. I. ‘Implementing PSI: share your story so far’
II. ‘Broaden the basis e quick start for SMEs’
* Corresponding author. Tel.: þ1 31630551535. III. ‘Roadmap towards global PSI reporting’
E-mail address: [email protected] (H. Pasman). IV. ‘Navigating ahead with leading indicators’

0950-4230/$ e see front matter Ó 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jlp.2013.06.001
198 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206

In the opening session, the Executive Director e Energy, HSE and number of measuring points to perform statistical treatment and
Logistics, of CEFIC, William Garcia, speaking also on behalf of the determine a mean or slope and a confidence interval. Because of the
International Council of Chemical Associations, ICCA/Responsible complexity of a running plant and its organization, another possi-
Care, introduced the thrust of the Safety Governance Perspective bility is to collect information on many different indicators and
for the global chemical industry. He further announced an OECD compile the results. As already mentioned CCPS (2007b and 2010)
initiative launched in the third quarter of 2011 through its Working suggest a number close to 400. This large number of indicators will
Group on Chemical Accidents, to be presented at a meeting with have the disadvantage that one may lose overview e top man-
the industry in Paris on 15 June 2012. The initiative document will agement would only want, e.g., some five indicators e, while in
contain a self-assessment check list, the set-up of a business case, addition the collection of the information will require more effort.
and a “challenge and inspire” paragraph. It all underlined the The effort can of course be mitigated by making good use of existing
importance of developing reliable indicators. sources of information and information technology, IT. The problem
The American position at the Brussels conference was formu- of abundance of indicators shall have to be solved by aggregation to
lated by Kenan Stevick of The Dow Chemical Company on behalf of different levels and feeding each assessing level (department, plant,
the ACC. The objective shall be to develop a single global set of site or floor, middle management, and top management) the in-
lagging process safety metrics. Incident severity shall be a formation that is within their horizon.
component of any metric. The basis of the metric will be loss of Summarizing, in this paper we shall try to shed some light on how
primary containment by unintended releases of hazardous mate- to deal with indicator results other than just looking at downward
rials classified according to the Global Harmonized System, GHS, in going trends. For that purpose, we shall make use of the rapidly
a quantity over certain thresholds; in addition, releases causing becoming popular Bayesian network technique, which is founded on
injuries with lost time greater than one day, and explosions and the strict laws of causality and powerful as a predictive tool based on
fires causing damage larger than V 20,000. The metric scheme evidence and which is becoming widely applied in various fields
should become an ISO standard. It was further concluded that a such as economics, finance, medicine, social sciences, and recently
period of 3e5 years for a company is required to develop a stable also in engineering. However, we shall first briefly explain recent
system with sufficient experience for higher visibility. In connec- work on aggregation of results of numerous indicators.
tion with SMEs, small and medium enterprises, quite a few prob-
lems were mentioned (lack of expertise, large variability in risk 2. Indicator aggregation
awareness, low frequency of incidents hence less stable outcomes,
and fear of liability). There is a definite wish to go public with the Hassan & Khan, 2012 developed a method of aggregation and
indicators but not too early. For leading indicators, flexibility is performed a benchmark study of five facilities involved in oil & gas
needed. Three groups of leading indicators were distinguished: processing, restricting themselves to asset integrity and the effect
mechanical integrity indicators (inspections, controls), action items of maintenance. In the following their main points will be sum-
follow-ups (PHA e Process Hazard Analysis, audit, and near miss marized. They defined about 40 key indicators sorted into three
actions) and training/competence indicators (quality test results, element indicators or main integrity types: mechanical, operational
percent of people trained, number of complete roles in process and personnel. Their method is risk based, which is the optimum
safety). Companies can select according to their needs. way of linking the contribution of an indicator type to its impor-
There was not much discussion about how the metric results tance for the safety of the plant. In principle for a risk based
should be assessed. The very reason to introduce indicators is that method, one or more scenarios must be identified in which the
changes in process operations, the way one does things in a given influence of the particular indicator type on the risk due to a failure
work environment, and changes in safety climate are usually slow. of a hardware component or due to an unsafe act can be deter-
In other words, the time constants of the change processes are mined. The study did not get so far as identifying scenarios but
large, and a day-to-day observer would see no change. So, one has resorted to expert opinion expressed as a weight factor for the
to measure indicator values over considerable time and determine relative importance (safety relevance) of each indicator by the
trends. Most examples shown were of continually improving Analytic Hierarchical Process, AHP, technique, which applies pair-
trends. This has been the case for years, even for decades with the wise comparisons of alternatives. Expert choices were tested on
lost time injury rate (LTIR), the personal safety indicator.1 Yet, there consistency.
has to be expected that trends not always will be so positive, that At the base or operator level, indicators were called specific in-
lines will become horizontal in time and points will also indicate a dicators; after aggregation to level 1 to be assessed by the depart-
deterioration of the situation. An up-going slope of a trend line does ment, they were called key indicators; again a level higher (level 2)
not necessarily mean that the situation has become unsafe, there for the middle management activity indicators; at level 3 as element
could be still sufficient margin, but how to determine and to indicators, being the above mentioned three integrity types, and
explain is the question. finally a merge into the asset integrity indicator, as shown in Fig. 1.
Another intrinsic problematic point not discussed is that in the An impression of the indicators defined by Hassan and Khan for
ideal case, where there are no incidents, lagging indicators would their level 2 and 3 indicators is reproduced in Table 1.
be nil, and if all safety management actions were always executed Subsequently, from each specific indicator value a so-called risk
in time, leading indicators also would tend to zero. Also, if one factor was derived. For a lagging indicator, this is done by multi-
would actually measure only a few indicators and compare results plying the frequency of an incident with its consequence severity
over fixed time spans, it is very likely to find a stochastic behavior of (no details given) and for a leading indicator by multiplying the
the indicator variables due to the many possibilities of how percentage achieved of the ideal score (success) with the impor-
something can go wrong or remain deficient. The stochastic nature tance of success. Related specific indicators are grouped, and each
would impede drawing conclusions easily unless one can deter- group forms a key indicator. The highest risk score in a group is
mine over a given time period of assessment a sufficient large taken as the risk factor corresponding to this key indicator. The next
aggregation step is to the activity indicator level for middle man-
agement. This aggregation is accomplished by multiplying each key
1
As far as the recollection goes of one of the authors, the positive trend in the integrator with its expert determined importance weight and
LTIR is at least present since the mid-1970s. summing over related key indicators together producing an activity
 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206 199

Fig. 1. Levels of indicator aggregation as defined by Hassan and Khan (2012).

indicator. This process is repeated again to obtain the top level, top element indicators estimated directly by only judgment
element indicators, which by weighted summing yield the asset consulting one’s intuition or on too few underlying indicators may
indicator. Hassan and Khan worked this out for a case comparing lead to subjectivity and bias and can turn out to be misleading.
five facilities on a relative basis by converting the indicator values Hence one must specify a larger number of underlying indicator
into a risk index consisting of four levels (0e19; 20e44; 45e74 and values to support decisions at each level. However, the way in-
75e100%). They further performed a sensitivity analysis with dicators were related to risk is in our opinion too coarse. We shall
respect to the choice of the weights and examined how a change of show an alternative way, but we will first analyze the problem field
an indicator influenced the risk index result. further in depth.
It is clear that for an overview of signals needed at each man-
agement level, aggregation is an effective course of action. In case of 3. Scenarios and risk factors
safety, a known adage is “the devil is in the detail”. So, to rely on the
In a paper by Knegtering & Pasman, 2013 it was argued that in a
plant a multiple of risk factors vary in time and have influence on
Table 1
failure, break-down, and process disturbance in different parts of
Activity and Element indicators as these are defined in the paper by Hassan and
Khan (2012) with corresponding weights given by experts and the consistency in
the plant. Temporally enhanced exposure of people, or presence of
expert opinion. Underlying at the lowest level are specific indicators which aggre- vehicles, can also form a risk factor. Examples of short term day-to-
gate to key indicators. day varying factors are rupture of a pipe line, failure of a pump, hot
Indicators Weights Consistency
work, thunderstorm, alarm over-rides, or (important) unattended
alarms. Mid-term factors varying week-to-week or month-to-
Index CI (%) Ratio CR (%)
month are seasonal influences, postponed inspections, delayed
Level 2: activity indicator maintenance, late shutdowns, and changes in process materials or
Area: mechanical integrity
compositions. Finally long-term variations over years are cumula-
Inspection 0.31 0.83 0.93
Maintenance 0.24 tive influences, such as corrosion, wear, degradation of the man-
Inspection & maintenance 0.23 agement system, bad management of change, loss of competence of
management personnel, and deterioration of the safety climate. Short term risk
Engineering assessment 0.22 factors can often be traced by (additional) sensors detecting, e.g.,
Area: operational integrity
Operating performance 0.20 0.54 0.48
vibrations, weather changes, and odors. Even temporal changes in
State of SSC 0.21 densities of people present could be measured. Monitoring of
Plant configuration & modification 0.17 middle and long term factors, however, is not that simple but in
Engineering safety system 0.22 fact, well-chosen leading indicators should produce a measure of
Emergency response arrangement 0.20
process risk trend. So, the possibility of connecting the indicator
Area: personnel integrity
Training 0.30 0.40 0.44 concept and that of risk assessment shall be further explored.
Staff competence 0.24 As we have seen, safety in a certain location is not a constant but
Permit to work (PTW) 0.23 a fluctuating dynamic quantity. Because safety can be quantified
Communication 0.23 only through determining existing risks, the next step will be a risk
Level 3: element indicator analysis on the basis of scenarios identified with tools such as in
Mechanical integrity 0.40 0.71 1.27 PHA (process hazard analysis as described in OSHA’s PSM Standard
Operational integrity 0.34
e OSHA, 1992). In such analyses, the influence of risk factors must
Personnel integrity 0.26
be incorporated, while the risk model must be capable of predicting
200 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206

risk fluctuations. In other words, ultimately one would need a dy- conventional FT, such as in absorbing new evidence, ability to
namic operational risk analysis. propagate uncertainty, and allowing multi-state variables. In three
The bow-tie is a tool to obtain a good overview of credible, with subsequent articles, Khakzad, Khan, and Amyotte (2012, 2013a and
PHA identified scenarios of failing components and possible haz- 2013b) showed how dynamic features can be introduced in the bow
ardous events including preventive and protective risk controls in a tie mapped into a Bayesian network. In Khakzad et al. (2012), this
part of an installation. With the fault tree of the system of possible approach makes use of the property of Bayes theorem by which a
failing components on the left of the critical hazardous material prior probability distribution can be updated to a posterior prob-
release (top) event, at the same time forming the initiating event ability distribution with a new observation represented in a like-
for the event tree of phenomena leading to the major hazards on lihood distribution. This updating pertains to the failure rate values
the right, the bow-tie provides a clear framework for risk quanti- and can take the form of an update of the physical conditions for
fication. One can therefore envisage the possibility of including risk which the failure rate value originally holds (covariate model), a
factors in the bow-tie. Hudson (2009) discussing the difference different component strength than the one for which the failure
between lagging and leading indicators already noted that given a probability is determined (static model), or an update based on the
scenario depicted in a bow-tie, the leading indicators, together with observation of a number of failures or consequence events during a
the preventive controls, would tend to be to the left of the critical certain time period. The paper of Khakzad et al. (2013a) calls the
event, and the lagging indicators, with the protective controls, latter type of updating ‘adapting’ which yields a true dynamic
would be to the right. safety analysis. In addition, full dynamic operational risk analysis
The cause-effect chain depicted in a bow-tie consisting of a fault can be realized by time stepping the network as shown, e.g., by
and event tree is in fact mathematically an example of a directed Montani, Portinale, and Bobbio (2005) and is repeated and
acyclic graph (DAG), which means nodes representing stochastic extended by Khakzad et al. (2013b). The present authors have
variables reflecting a state (here, a failure mode or an arising effect shown advantages of BN applications in LOPA (Pasman & Rogers,
phenomenon) in a causal relationship represented by node con- 2013), such as an easily performed cost-benefit analysis taking
necting directed arrows. A more general DAG that offers more account of distributed failure data and common-cause failure while
possibilities to describe complex cause-event situations and reflect providing confidence bounds. Recently also, a full risk assessment
better the shades of the real world is the Bayesian Network. We shall study has been published (Pasman & Rogers, 2012).
describe this increasingly popular approach in the next section. In the next section, we shall apply the BN technique to a bow-tie
and show the effect of the three top integrity indicators mentioned
4. Bayesian Networks earlier: mechanical, operational, and personnel integrity via the
bow-tie on the final risk of an operation. The software used is that
Bayesian Networks (BNs), also called Bayesian Belief Networks of the University of Pittsburgh, named GeNIe v.2.0 suited to run
(BBNs) to emphasize their ability to include opinion, have been under MS Windows (DSL, 2010). Although a preliminary run was
developed the last three decades in the realm of Artificial Intelli- made in the discrete net set-up, final calculations were made with
gence to structure reasoning for machine applications. BNs are built the continuous node type net (The two cannot be mixed, although
on cause-effect relations and Bayesian statistics. The essence is that discrete variables can be represented by a Bernoulli distribution as
by application of the Bayes theorem, one can learn by updating one of the distributions in the continuous type nodes). Solution of
based on new observations e new evidence e or (subjective) expert the latter net is not exact by deriving conditional probability tables
opinion. Independent variable nodes are called ‘parents’ while but by convoluting the distributions and solving by sampling. Both
dependent variable nodes are ‘children’. Each node can represent a are operating on MS Excel-type infrastructure, and results can be
variable in a multiple of states. The arcs among nodes reflect a further worked out in an MS Excel sheet. Nodes can be clicked open
causal relationship (‘source’ with ‘sink’), and the dependencies of to inspect or modify defined equations and data. Results of the
occurrence probabilities of states are expressed by the child node’s calculations can be shown at each node in figures and graphics as
conditional probability table (CPT). The structure allows inference, averages and standard deviations.
hence diagnosis, to find root causes and to facilitate decision
making, so it is applied widely in medical science, economics, social 5. Bow-tie example
sciences, and to an increasing extent in engineering.
One of the main developers of the causality theory has been As an example of a first-stage oil-gas separator, containing 5
Pearl (2000); an impression of the large variety of present-day BN tons of partly volatile hydrocarbons, was chosen as part of a pro-
applications has been given by, e.g., Fenton and Neil (2013). In the cessing module on an offshore platform. This example was selected,
last decade, several universities (UCLA, Stanford, Pittsburgh, Delft because an earlier study by Khan, Sadiq, and Husain (2002) pro-
University of Technology) have developed BN software, which vided sufficient details and also because Khan’s team recently
saves one from the rather cumbersome arithmetic once the struc- published results of a study on the same platform investigating the
ture has been thought of and the data are available. Also, profes- handling of uncertainty with fuzzy set (Ferdous, Khan, Sadiq,
sional software is available such as HUGIN (2012). BNs are excellent Amyotte. & Veitch, 2012). Here, we include uncertainty by
in dealing with uncertainty. Present-day software can handle be- applying BN. A flow diagram of the processing facility is shown in
side discrete variables also continuous variable distributions. Fig. 2, in which the 1st stage separator is highlighted. In Fig. 3, the
Cooke’s team (Ale et al., 2009) developed non-parametric contin- bow-tie of failure of this separator and its consequences is pre-
uous BBNs and the Uninet software in which arcs can be rank sented as well as the failure rate data of the components. With
correlations which can represent ‘soft’ information or influences respect to the latter, elements nos. 12 and 13, which represent one
such as expert opinion, see, e.g., Morales, Kurowicka, and Roelen component, serve as a first layer of protection to separator over-
(2008). UniNet was also summarized and explained in our previ- pressure. In contrast to Khan et al. (2002) elements no. 17 and 18,
ous paper (Pasman & Rogers, 2013). In Ale et al. (2009) an aviation pressure controller system of separator and pressure or safety
safety application is described. Lately, various applications in risk release inadequate, was thought of here as a vent, an independent
analysis appear, e.g., Khakzad, Khan, and Amyotte (2011) second and last layer of protection, of which the probability of
comparing conventional fault tree with the Bayesian network failure on demand was set rather high at 0.2. The ignition proba-
approach, while finding most convincing advantages of BN over bilities (nos. 19e21) have also been changed as explained later.
 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206 201

Fig. 2. Process flow diagram of oil processing module on off-shore platform according to Khan et al. (2002). A bow-tie of failure of the 1st stage separator is presented in Fig. 3.

Consequence analysis in detail was not the purpose of the ex- after a certain delay, it can explode (VCE or Vapor Cloud Explosion)
ercise and is done rather coarsely. Khan et al. (2002) assumed only and produce destructive blast, especially with the confinement by
one type of consequence in case of the separator, namely a BLEVE the equipment on an offshore platform. If the jet ignites immedi-
with fireball and fire and the throw of fragments. However, the ately a certain area of the platform will be threatened by fire but the
consequences depend on how the separator vessel ruptures. If damage is assumed to be limited and will not be considered here.
rupture is very fast then an immediate BLEVE and combustion can The exits of a safety valve and vent will be chosen such that an
occur, but depending on conditions, such as rate of pressure in- ignited jet will not do much harm.
crease, condition of the metal of the vessel, and the liquid filling Introducing additional damage generating phenomena by VCE
degree, the vessel or a connection to it could rupture or tear slow blast besides a BLEVE, results in a more complex event tree. In
enough for a jet exiting from a hole which in case of no immediate addition, a damage cost calculation has been carried out. This
ignition is forming a cloud of gas and aerosol. If such a cloud ignites calculation could be performed separate from the BN as a discrete

Fig. 3. Bow-tie of the 1st stage separator of Fig. 2 and associated component failure rates, adopted with some modifications (see text) from Khan et al. (2002).
202 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206

Fig. 4. Continuous Bayesian network based on the bow-tie modeled by Khan et al. (2002). Numbered nodes correspond with the component numbers in the Fig. 3 table; OR-and
AND-gates are indicated. The event tree part (right) has been expanded with the additional possibility of a vapor/aerosol cloud explosion with a damage cost calculation. The top
level indicators (left) have been related to the failure rate of some of the components. The corresponding discrete net looks much the same apart from a simpler event tree.

network, but in case of the continuous distribution mode it can be the vapor cloud by, e.g., a hot surface or a spark of remote electric
fully included in the net. This is because the calculation can handle equipment outside the electrically classified area, is assumed as 0.2.
both the probability distributions and also the arithmetic of the As has been shown in Pasman and Rogers (2012), the number of
cost determination, making the computation more convenient. fatalities by multiplying the homogeneous population density with
The effect calculations have been done separately, applying for the area of the 50% lethality contour yields a sufficient approxi-
the BLEVE the data specified in the latest Dutch RIVM Manual mation of the total number of people perished. Based on a density
recommended for QRA (RIVM, 2009, p. 40). Thereby 70% of the of 1 person per 100 m2, in case of the vapor cloud explosion it
mass of 5000 kg hydrocarbon is expected to BLEVE, which yields a means a maximum loss of life of 40 people. For the monetary value
w60 m radius of 50% lethality damage circle (radiant heat 35 kW/ of life, 7 million US$ is taken as recommended by Kip Viscusi
m2; exposure time 9 s). Only part of the people on board will be (2005). It is further supposed that the material damage amounts
exposed directly and going in detail results in many questions. to US$ 5000 per m2 over the area of 50% lethality (hence here for
However, in view of ensuing fires, which certainly will be ignited as BLEVE and VCE, half the rig’s surface area). This material damage
domino effects, this circle is being maintained. For the vapor cloud figure is not really substantiated, but an estimate was made, given
explosion, the Multi-Energy method was applied as described in the cost to build a rig and assuming that half the cost is on the high
the Yellow Book (2005). Assuming that 50% of the released hy- side. Damage by follow-on phenomena is not considered, but these
drocarbon participates in the deflagration, it will result in a 50% expected events may lead to a total loss of the rig.
lethality radius of 105 m at 0.3 bar overpressure.2 Another aspect is The resulting Bayesian network based on the bow-tie, but
that Khan et al. (2002) did not specify the rig’s dimensions, but for extended with respect to the event tree part and cost, is shown in
an estimate of damage assumptions a size must be assumed. So, a Fig. 4. In addition for demonstration of the possibilities, included
fair sized rig is imagined of 80  100 m, costing 800 million USD, are the top three integrity indicators affecting those parts of the
with 80 people on board. In view of the limited size of the platform installation of which it can be assumed that their functioning is
(area 8000 m2) compared to the effect circles of BLEVE (11,310 m2) highly dependent on the quality of operation and maintenance. or
and VCE (34,500 m2), the 50% lethality perimeter will be mostly on appropriate design (component no. 12). In the end, personnel
outside the platform. Therefore, only half the area of the platform is integrity is considered to be dominating, and it is therefore
assumed to be hit severely within the 50% lethality bound. Ignition assumed also to determine operation and maintenance integrity,
probabilities are also chosen to be slightly different. The BLEVE is although personnel integrity’s direct effect on the functioning of
supposed to ignite immediately (due to the heat generated in the the installation will be sensed less. The effect is constituted such
metal by the rupture), while the probability of delayed ignition of that personnel integrity is given a certain constant value, while for
simplicity maintenance and operational integrity are assumed here
to have the same value. In case real inputs would be obtained, these
2
Actually RIVM (2009, p. 40) states 0.3 bar as 100% lethal indoors. Due to sec-
constant values can easily be replaced by probability distributions
ondary and tertiary injuries, this figure is used also for lethality outdoors. UK HSE that can differ from each other and whereby the maintenance and
supports a figure of 0.3 bar for 50% lethality indoors (HSE, 2007). operational integrity are conditionally independent of personnel
 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206 203

integrity. The effect of an integrity value on failure rate is taken Table 3

linearly, that is in case of discrete values affected failure rates are Results of expected annual loss calculations with Bayesian networks at three levels
of the personnel integrity indicator.
multiplied by the reciprocal value of the integrity, while in case of a
triangular distribution both minimum, mode, and maximum are Personnel integrity Costs M$/yr
divided by the integrity value. (In this respect also, the importance indicator
Discrete BN Continuous BN
of the affected components on the functioning of the system as a
Bernoulli Triangular
whole could have been taken into account, but this has not been
Mean Std. Dev.
analyzed). Hence, it is assumed that if personnel integrity varies in
value, both operational and mechanical integrity will change by the 0.5 1.6 1.7 1.65 1.0
same amount. For this assumption, no practical evidence is avail- 1 0.5 0.5 0.5 0.3
2 0.14 0.13 0.14 0.08
able yet, and such changes will also not be simultaneous, so tem-
poral mismatches may be expected. Given more experience,
however, this approach could become refined, and indicator values
most probable value of the failure rate, spanning almost an order of
at lower levels with more direct ties to component functioning
magnitude range. Results of the various BNs at three levels of the
could be used instead.
dominating personnel indicator are collected in Table 3.
Presented in Table 2 are a few essential example equations of
The expected annual losses, EAL, appear to increase by a factor of
variables and conditional probability table relations, which are
10, if integrity decreases by only a factor of 4. In case of applying the
defined in the nodes of Fig. 4 and in comparable nodes of a discrete
skew triangular distributions, the averages increase, because the
network.
‘center of gravity’ of each distribution shifts to the high side.
In a base case with all integrity values assumed at unity, the
At any node in the network, new evidence can be introduced. So,
outcome of the network calculation is an expected annual loss of
if there is a new observation at the location of a certain component
about 0.5 million USD. Because of the sampling to solve the equa-
or in case new indicator data become available to decrease uncer-
tions, the continuous network must repeat the calculation a few
tainty, the effects of the data can immediately be seen in the final
times to reach an average result. This loss may never be sustained,
risk result. As mentioned, the work of Khakzad et al. (2012, 2013a
but it could also be hitting today (or tomorrow) for the full amount
and 2013b) and Montani et al. (2005) shows how wear or other
of 300 million USD (We are only looking here at an incident with
temporal effects, such as spares in the operation or critical time
separator 1. The installation has several other components by
delays, can be introduced as well.
which a release can occur.)
An advantage of the continuous distribution network is the
possibility to include the uncertainty in the data and calculate the 6. Discussion
overall uncertainty in the final result. This calculation has been
performed by assuming triangular probability density functions After having developed the core of this paper, three recent, very
with a lower boundary, a most likely value, and an upper boundary. relevant research contributions were encountered showing that
This type of function can well be used for expressing expert opinion where risk assessors have been working for years to incorporate
and in case only a few data are available. The mode of the distri- management factors and human error in their models, a certain
bution was adapted such that the mean was equal to the discrete breakthrough appears with the application of Bayesian belief net-
value of the failure rates. Because this paper serves to demonstrate works (BBNs). The oldest is by Groth, Wang, and Mosleh (2010)
the method rather than to obtain a reliable numerical result, a proposing hybrid causal logic (HCL) methodology for risk assess-
factor 3 is chosen for both upward and downward bound of the ment. What they mean is that conventional methods using fault

Table 2
Node equations (node probability variable is shown throughout as PN while PN1 is the probability variable of its ‘parent’ or ‘source’ listed in the table of Fig. 3). In the CPT to
obtain PN, the probability of the ‘source’ node in the failed or not-failed state is multiplied by the corresponding conditional probability value in the table.

Node type/name Equations in continuous network CPT’s/equations discrete network

Integrity node Integrity value = Iv Switch
Failure component PN = Bernoulli(p = Failure rate/ Iv) PN = Failure rate; ¬PN = 1- Failure rate
Optional for failure PN = Triangular(Min, Failure rate, Max) Only possible with sensitivity node
OR-gates PN = 1- (1- PN1-1)·(1- PN2-1)·…(1- PNi-1) etc. in case N1-1 Failed (F) Not failed (NF)
of i source nodes N1-2 F NF F NF
N1-i F NF F NF F NF F NF
PN 1 1 1 1 1 1 1 0
¬PN 0 0 0 0 0 0 0 1
AND-gates PN = PN1-1·PN2-1·…..PNi-1 etc. N1-1 Failed (F) Not failed (NF)
(Pressure builds up N1-2 F NF F NF
and Critical event) N1-i F NF F NF F NF F NF
PN 1 0 0 0 0 0 0 0
¬PN 0 1 1 1 1 1 1 1
BLEVE PN1 = 0.5 PN-1 PBLEVE = 0.5
Vapor Cloud (VC) PN2 = 0.5 PN-1 PVC = 0.5
Ignition probability PN = 0.2 PIg = 0.2
Population density PNPd = 1/100
Value of Life PNVl = 7.106 US$
Life value at stake PNLvas = PNPd·PNVl
Effect BLEVE PN1 = PN1-1·4000
Effect VC Explosion PN2 = PN2-1·4000
Damage Costs Cost = (PN1-1+PN2-1)·( PNLvas + 5000) US$/yr Cost = 300.106·PCritEvent (PBLEVE + PVC PIg)
204 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206

trees, event trees, or event sequence diagrams (ESD) based on Actual impact of the RIFs is derived via the input of observed
Boolean logic do not allow incorporation of soft causal factors that scores. A score is the condensed quality information of previous work
are typical for human action and organizational functioning. BBNs obtained by audits or surveys in the offshore petroleum industry
have the capability to model probabilistically such soft causation. placed on a six-point scale (A is best of industry, C is average, F is
They developed a three-layered Hybrid Causal Logic and corre- worst), which makes the score strikingly similar to the concept of an
sponding software called Trilith to model scenarios and to perform indicator. The model, applying generally accepted average human
risk and safety analysis. The application described is within an in- error probabilities influenced by the RIFs and the company specific
ternational aviation safety project, CATS or Causal Model of Air scores collected in a database built over the years, was then validated
Transport Safety already mentioned (Ale et al., (2009)). The top against observed leaks of various installations owned by the respec-
layer consists of an ESD with a fault tree underneath and below that tive companies. This yields human error probability values specific for
the BBN. In the final set-up, the BBN comprised 1400 nodes. Avia- each offshore company, needed to test the potential effects of addi-
tion safety has available multitudinous accident data, which BNs tional risk reducing measures in a variety of offshore applications.
are especially suited to incorporate. Bellamy et al. (2008) developed Summarizing, we can conclude that our approach of middle and
bow-tie type modeling of human caused accidents on the basis of a long-term effect risk factors based amongst others on indicator
large data collection. One can see a link with indicators arising, and values, is not unique. In hindsight it appears that other risk modeling
Ale’s group is elaborating this avenue further. researchers are following similar lines of thought. However, it also
Finally, Vinnem et al. (2012) and Gran et al. (2012) at the Uni- shows that the risk factor approach is still in its infancy and that much
versity of Stavanger applied the approach of including human work still has to be done and data to be collected before the method
factors and management effectiveness to risk modeling of offshore really can be trusted sufficiently to rely on its predictive power.
installation maintenance after many years of performing only In case a trustable relation between (mostly leading) indicators
‘hardware’ oriented barrier and operational risk analysis (BORA). In and risk can be established, the issue of decision criterion will arise.
particular for risk modeling of maintenance activities, incorpora- At what risk level will the alarm bell have to sound and invoke
tion of human factors and organizational aspects is indispensable. management to take action. In our opinion this could be solved the
To that end in a previous study, Vinnem, Seljelid, Haugen, Sklet, and same way as the safeguarding of an installation by a layer of pro-
Aven (2009) had introduced the concept of risk influencing factor tection analysis (LOPA) is deemed sufficient. In a LOPA, conse-
or RIF. The present approach made use of this concept of ‘under- quences are often only looked at in a semi-quantitative way and the
lying’ factors while it was further inspired by the work of Mosleh assessment is based mainly on incident frequency reduction. This
and coworkers mentioned above. Vinnem et al. (2012) and Gran approach would be an option here too, and could be done by
et al. (2012) went further, however, in the use of BBNs just as in applying a well-known risk-matrix coupled to a semi-quantitative
the CATS project (Ale et al., 2009). RIFs are thought to influence consequence matrix, as shown in Fig. 6. For a given case, conse-
both each other and the failure rates; the latter via human error. quence and frequency can be plotted in the matrix and risk reduced
Mean strength of influence of a RIF or its importance is by assigned until the shaded triangular bottom left (green) field is reached. Of
weights and is set by expert judgment. RIFs are structured in two course, in view of accumulated risk, the location of the borderline of
levels, as shown in Fig. 5 where the lowest level RIFs represent the risk acceptance must shift downwards with increasing number of
‘underlying’ management decisions. risk sources at a site.

Fig. 5. BBN of the two level RIF structure by Vinnem et al. (2012) for the example of a maintenance planning activity B1.A (failure is incorrect blinding/isolation: Aa. planning; Ab.
control of the planning). The downwards directed arrows connect to a bottom layer representing nodes of score observations obtained in audits and surveys which are thus
comparable to indicators. (For better readability the quality of the original figure has been enhanced.)
 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206 205

the way for continuous monitoring of the safety level and

providing indications when and where to correct. In aviation
safety and offshore platform maintenance, satisfactory attempts
in the same direction have been made. This approach needs,
however, a number of research projects in operating installations
with safety indicators installed and process safety expert
involvement to test how well it works. So, who is interested?

References

Ale, B. J. M., Bellamy, L. J., Van der Boom, R., Cooper, J., Cooke, R. M., Goossens, L. H. J.,
et al. (2009). Further development of a causal model for air transport safety
(CATS): building the mathematical heart. Reliability Engineering and System
Safety, 94, 1433e1441.
Bellamy, L. J., Ale, B. J. M., Whiston, J. Y., Mud, M. L., Baksteen, H., Hale, A. R., et al.
(2008). The software tool story builder and the analysis of the horrible stories of
occupational accidents. Safety Science, 46, 186e197.
CCPS. (2007b). Guidelines for risk based process safety. Hoboken, NJ: Center for
Chemical Process Safety e AIChE, John Wiley & Sons, ISBN 978-0-470-16569-0.
CCPS. (2010). Guidelines for process safety metrics. Hoboken, NJ: Center for Chemical
Process Safety e AIChE, John Wiley & Sons, ISBN 978-0-470-57212-2. Wiley
2010.
CCPS. (2007a). Process safety leading and lagging metrics. Center for Chemical Pro-
cess Safety e AIChE, Initial release, New York, 20 December http://www.aiche.
org/ccps/.
DSL. (2010). GeNIe (Graphical network interface) and SMILE (Structural modeling,
inference, and learning engine), version 2.0 software. Decision Systems Labora-
tory, University of Pittsburgh. http://genie.sis.pitt.edu/.
Fenton, N., & Neil, M. (2013). Risk assessment and decision analysis with Bayesian
networks. Boca Raton, FL 33487e2742, USA: CRC Press, Taylor & Francis Group,
Fig. 6. Top: Risk matrix (semi-quantitative) with risk reduction action lines indicated ISBN 978-1-4398-0910-5.
and Bottom: Corresponding consequence matrix giving comparable characteristic Ferdous, R., Khan, F., Sadiq, R., Amyotte, P., & Veitch, B. (2012). Handling and
levels of damage and range of media coverage. The more severe levels 105 and 106 will updating uncertain information in bow-tie analysis. Journal of Loss Prevention in
be accompanied by adverse reputation damage of the company concerned. the Process Industries, 25, 8e19.
Gran, B. A., Byeb, R.., Nyheim, O. M., Okstad, E. H., Seljelid, J., Sklet, S., et al. (2012).
Evaluation of the risk OMT model for maintenance work on major offshore process
A nut harder to crack is how much time will be available to equipment. Journal of Loss Prevention in the Process Industries, 25, 582e593.
Groth, K., Wang, Ch, & Mosleh, A. (2010). Hybrid causal methodology and software
correct matters in case an increased risk situation is detected. The platform for probabilistic risk assessment and safety monitoring of socio-
amount of time, e.g., conditional mean or median time to failure, technical systems. Reliability Engineering and System Safety, 95, 1276e1285.
will depend on the nature of the risk causing phenomenon and its Hassan, J., & Khan, F. (2012). Risk based asset integrity indicators. Journal of Loss
Prevention in the Process Industries, 25, 544e554.
time constant of further change. A risk figure itself has no intrinsic
Hopkins, A. (2009). Thinking about process safety indicators. Safety Science, 47,
time dependency. The risk can realize itself in an upset today but 460e465. and Reply to Comments, ibidem, 47, 508e510.
also in a million years. To shed more light on this aspect, a future HSE. (2006). Developing process safety indicators, a step-by-step guide for chemical
effort will be made. and major hazard industries, HSG254, ISBN 978 0 7176 6180 0. http://www.hse.
gov.uk/pubns/books/hsg254.htm.
HSE. (2007). Review of significance of societal risk for proposed revision to land use
7. Conclusions planning arrangements for large scale petroleum storage sites. WS Atkins Consul-
tants Ltd. HSE Books RR512 http://www.hse.gov.uk/research/rrhtm/rr512.htm.
Hudson, P. T. W. (2009). Process indicators: managing safety by the numbers. Safety
 By the introduction of process safety indicators, a further shift Science, 47, 483e485.
to pro-action and to prevention of losses will be made possible. HUGIN. (2012). HUGIN EXPERT graphical user interface/HUGIN decision engine
7.6Available at http://www.hugin.com/productsservices/products/release-
Beside the question which (leading) indicators to choose,
notes/.
several others will be identified if no further improvement of Khakzad, N., Khan, F., & Amyotte, P. (2011). Safety analysis in process facilities:
the indicator level appears. Or in case it is even worse, what to comparison of fault tree and Bayesian network approaches. Reliability Engi-
do if the indicator level decreases? Is it sufficient to focus on the neering and System Safety, 96, 925e932.
Khakzad, N., Khan, F., & Amyotte, P. (2012). Dynamic risk analysis using bow-tie
indicators affected, or is the problem at a higher level? In this approach. Reliability Engineering and System Safety, 104, 36e44.
case aggregation of indicators may help to clarify, but aggre- Khakzad, N., Khan, F., & Amyotte, P. (2013a). Dynamic safety analysis of process
gation may be insufficient by itself to decide whether present systems by mapping bow-tie into Bayesian network. Process Safety and Envi-
ronmental Protection, 91, 46e53.
safety is safe enough. Khakzad, N., Khan, F., & Amyotte, P. (2013b). Risk-based design of process systems
 Analysis of risks in process plant is a matter of identification of using discrete-time Bayesian networks. Reliability Engineering and System Safety,
hazards and possible upset scenarios. The latter consist of 109, 5e17.
Khan, F. I., Sadiq, R., & Husain, T. (2002). Risk-based process safety assessment and
chains of cause and effect events and have been modeled, after control measures design for offshore process facilities. Journal of Hazardous
identification by FMEA or HazOp, by fault and event tree or Materials, A94, 1e36.
bow-tie. Recently, Bayesian network software has become the Kip Viscusi, W. (2005). The value of life. Discussion Paper No. 517 06/2005. Cam-
bridge, MA 02138: Harvard Law School http://www.law.harvard.edu/programs/
tool of preference, because the fundamental properties of the olin_center/papers/pdf/Viscusi_517.pdf.
networks make them a universal infrastructure for scenario Knegtering, B., & Pasman, H. J. (2013). The safety barometer; how safe is my plant
modeling and risk management. BNs enable overview, diag- today? What and how to measure the actual safety level? Journal of Loss Pre-
vention in the Process Industries, 26, 821e829.
nosis of causes of disturbances, and predictive reasoning.
Montani, S., Portinale, L., & Bobbio, A. (2005). Dynamic Bayesian networks for
 With expert judgment input about importance of indicator modeling advanced fault tree features in dependability analysis. In Kolowrocki
values for a specific component or sub-system functioning, the (Ed.), Advances in safety and reliability (pp. 1414e1422). London: Francis & Taylor
effect of indicator changes can in principle be taken into account Group, ISBN 0 415 38340 4.
Morales, O., Kurowicka, D., & Roelen, A. (2008). Eliciting conditional and uncondi-
and made visible in an overall risk level of parts of an installation tional rank correlations from conditional probabilities. Reliability Engineering
or for a system as a whole. The approach would therefore open and System Safety, 93, 699e710.
206 H. Pasman, W. Rogers / Journal of Loss Prevention in the Process Industries 30 (2014) 197e206

OECD. (2003). Guidance for industry, public authorities and communities for devel- RIVM. (01-07-2009). Reference manual Bevi risk assessments version 3.2 e Module B.
oping SPI programmes related to chemical accident prevention, preparedness and http://www.rivm.nl/milieuportaal/images/Reference-Manual-Bevi-Risk-
response (Interim publication scheduled to be tested in 2003e2004 and revised in Assessments-version-3-2.pdf.
2005). OECD environment, health and safety publications series on chemical UniNet, developed by the Risk and Environmental Modeling Group at the Depart-
accidents No. 11, Paris, ISBN 92-64-01910-3. ment of Mathematics of the Delft University of Technology, http://www.
OSHA. (1992). United States Department of Labor, Occupational Safety & Health lighttwist.net/wp/uninet.
Administration, Process Safety Management Standard, 29 CFR 1910.119, 57 FR Vinnem, J. E., Bye, R., Gran, B. A., Kongsvik, T., Nyheim, O. M., Okstad, E. H., et al.
6356, February 24. (2012). Risk modelling of maintenance work on major process equipment on
Pasman, H. J., & Rogers, W. J. (2012). Risk assessment by means of Bayesian net- offshore petroleum installations. Journal of Loss Prevention in the Process In-
works: a comparative study of compressed and liquefied H2 transportation and dustries, 25, 274e292.
tank station risks. International Journal of Hydrogen Energy, 37, 17415e17425 Vinnem, J. E., Seljelid, J., Haugen, S., Sklet, S., & Aven, T. (2009). Generalized
(and erratum 38 (2013) 1662). methodology for operational risk analysis of offshore installations. Proceedings
Pasman, H. J., & Rogers, W. J. (2013). Bayesian networks make LOPA more effective, of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability,
QRA more transparent and flexible, and thus safety more definable! Journal of 223, 87e97.
Loss Prevention in the Process Industries, 26, 434e442. Yellow Book. (2005). Methods for the calculation of physical effects, PGS 2, Dutch
Pearl, J. (2000). Causality, models, reasoning and inference (1st ed.). New York, USA: Government, Ministry VROM (meanwhile changed to Ministry I&M). download-
Cambridge University Press. ISBN-978-0-77362-8; 2nd Edition, ISBN 978-0- able from website http://www.publicatiereeksgevaarlijkestoffen.nl/publicaties/
521-89560-6. PGS2.html.

View publication stats