
Some (Critical) Comments on Risk Analysis


Source: http://slidepdf.com/reader/full/some-critical-comments-on-risk-analysis (retrieved 7/31/2019)

Some critical comments on risk analysis. C MacFarlane; 11 November 1994

Some (critical) Comments On Risk Analysis

A paper to be delivered at a conference on

OFFSHORE SAFETY IN A COST CONSCIOUS ENVIRONMENT

at Stavanger, Norway, November 15/16 1994

by

Professor Colin MacFarlane, Strathclyde University, Glasgow, Scotland

&

Ms Catherine Parry, RM Consultants Ltd., Warrington, England

(Formerly at Strathclyde University)

1. Introduction

I have a rather critical view of risk analysis as used in concept design and safety case arguments. Events are taken in isolation from their true environment and judged on a basis which seems absolute but which disguises subjectivity and misconception. The decisions made are flawed.

I have gathered a selection of criticisms together in sections as follows:

Incompleteness

The failure to attack those events which do occur and which do cause loss and hurt. The emphasis is on disaster mitigation rather than accident prevention. This will be highlighted by considering the annual averaged losses due to small accidents and the extent to which these can be reduced by design.

The incompleteness of the cases used to justify the results. Risk analysis as used at present is only justified in dealing with consequences of defined events and is inapplicable for definition of initiating events. Problems that arise when trying to quantify the reliability of software or to justify its integrity can be used to throw light on this.

Assumptions made about the independence of events at conceptual levels are at odds with the known interdependence of circumstances in accident initiation and escalation.

Non absoluteness/inequality

The application of ALARP, which gives different results depending on when remedial measures are taken. It is shown that companies that do not design properly can benefit from this principle and justify lower standards than those who are more comprehensive in their safety process.

[Author's marginal note on the re-issued copy: "An old paper that I thought worth re-issuing as I've been thinking about re-working some of the ideas." C MacF 2012]

Reliance on organisational solutions


The problems arising when 'organisational' fixes are used to cover for the failure to fix safety problems by physical means - essentially a criticism of self regulation based on Tversky & Kahneman's 'prospect theory'. This will be exemplified by discussion of measurements of stability in service on drilling semi-submersibles and by consideration of the introduction of automated drilling in the UK and Norwegian sectors.

The conclusion is that risk analysis as it stands is flawed. It does not address critical aspects of offshore safety and, where it does address problems, it does not do so rigorously, or completely, or on any absolute basis. It is suggested that the essentially complementary tool of cost benefit analysis is equally flawed unless all organisations are at the same level of control, and industry self regulation provides no easy way out: modern safety theory concludes that safety matters will, on average, always lose out to commercial interest. The inescapable conclusion is that measures of prescriptive legislation are essential and emphasis on discrete work areas and on 'local' management of safety must be high until further developments are made in risk analysis and design project management.

That is the case put in this paper. It is intended to provoke discussion and the author would welcome any comments or criticisms.

2.0 Incompleteness

2.1 Misdirected effort 

Risk analysis as it is commonly understood is the process of identifying hazards, quantifying their likelihood of realisation and either selecting form options or seeking to mitigate the effects of occurrence. In the UK safety framework risk analysis is strongly linked to the Safety Case Regulations which are, of course, concerned with major accidents and it is with this meaning of risk analysis that we are concerned here - the techniques used to justify the design and operation of offshore production systems.

Risk or reliability analysis is also used, however, in a more general sense in structural design and fire and explosion analyses, for example; both of which are concerned with a number of small initiator events (fatigue cracks, gas leaks) with the potential to escalate to disaster. Moreover, it has always been the case that it is the engineer's job to avoid accidents being turned into disaster and probabilistic techniques have been available for some time in a wide range of industries so that little has been changed at a technical philosophical level by the emphasis put on quantitative risk assessment within safety cases.

It is this emphasis, however, which disguises a very real imbalance of effect. In a paper on the problems 'left behind' by Project Teams I attempted to quantify the losses arising from major disasters and from 'day to day' accidents [1]. I tried to get an estimate of the cost of accidents with relatively small effects where faulty project design work has contributed, by using published information on the costs of accidents and other incidents and by analysing court cases in which I had been involved so that I could obtain a percentage of incidents that had been affected by design.

Very roughly the figures for annual average costs for a UK platform are shown in Table 1.

[Author's marginal note on the re-issued copy, 2012: UPDATE after Macondo, £3 million/platform year]


Major accidents                                      £1 million/platform year
Accidents/incidents with a contribution
  from flawed design                                 £1.2 million/platform year
Other accidents/incidents due to poor
  operational mngt. or other causes                  £2.5 million/platform year
Losses due to non-compliance with specification      Not known, but large

Table 1: Coarse estimates of annual average losses per UK platform [1]

I could not obtain costs for commercial losses caused by failure to produce a design within specification, but I believe these to be very substantial and that the causes of such losses are related generically to the design flaws which cause accidents.

Thus, regulations and analyses which over-emphasise 'major' events may be criticised because they detract attention and funds from approaches which attempt to minimise 'pathogenic' design flaws as defined by Reason and others [2].

Figure 1 shows in a simplified way where effort can be applied to avoid accidents.

Taking the points of action in turn it is noted that point C is in the region of operation of Safety Case style risk analysis. This relies on the identification of events and then seeks to engineer away the escalation to disaster. Where engineering solutions are not judged economically justified (a topic which is discussed further below), then point B is activated. Point B, in any event, is clearly in the region where operational safety management and 'safety cultures' operate to reduce in some way the number of 'events' which occur.

Over the past few years, however, the concept of a safety culture and its linkage to the idea that workers are in some way 'responsible' for accidents has been criticised. Safety specialists such as Brehmer [3] have pointed out that there is little or no evidence that workers at lower levels in an organisation consciously and deliberately choose unsafe actions. Their behaviour is very much controlled by higher level decisions (or lack of decision). The same author has also suggested that there are very clear and well attested reasons why such higher level decisions will not give safety a high priority. That also is discussed further below.

Figure 1: The progression from initiator to disaster

[Figure not reproduced. It shows initiators 1 to n combining into a set of circumstances which is 'triggered' to an Event, which in turn escalates to a Major outcome. Three points of action are marked along this progression: A, the neglected area of action; B, possible management actions to minimise; C, possible engineering actions to mitigate/control.]

These relatively new ideas on 'human error' have had little impact on safety thinking in the UK where there is a strong mind set to numeric/technocratic thinking.

Indeed, in the UK, the latest fashion is to place great emphasis on human errors under the heading of 'violations' with the implicit picture of an individual transgressing some well developed and defined and sensible rule.

There is still great potential for action at point B, but it is not 'safety culture' which will produce most effect. That will come from emphasis on the middle and senior management decision makers.

Point A lies in a very neglected region of safety management. As far as I can judge, around 30% to 40% of small accidents and incidents are related to initiators which can be removed in detailed (not conceptual) engineering design. This suggests that there is scope for both cost saving and safety improvement by concentration on the more detailed aspects of project engineering such as the establishment of communication channels and information assimilation. There is a need to concentrate more time and effort at the project stage of offshore system development in order to save time, money and lives later.

Recognition of this has obviously influenced some thinking in Norway [4] where it is heartening to find some effort to influence and extend the design processes in a major project. Unfortunately, in the UK, design is usually seen as the first target of cost cutting exercises and very significant cuts in the time apportioned for detailed engineering were made long before CRINE.

The fact that risk analysis concentrates on major losses and ignores the small events which cause most loss might be acceptable if it was applied to complement other efforts instead of as an alternative to them, and if it performed the function of deflecting major loss adequately. It is not clear, however, that it does that job well and that is a very serious criticism.

2.2 Lack of rigour in application


An HSE paper by McIntosh and Birkinshaw [5] sorts hazards into 4 groups:

(i) those filtered out by the level of consequential harm,

(ii) those adequately covered by existing codes and standards,

(iii) those which are the 'null' set of items 1 & 2 - that is live and 'important' hazards,

(iv) a residual set which should be covered by standards but for which experience is missing.

The first filter is an incomplete one. Some events are a priori catastrophic, but most catastrophes have arisen from small events interacting with other circumstances. Risk analysis cannot, therefore, hope to identify and neglect as inconsequential any particular set of initiating events because it cannot know the circumstances in which they might be realised. The underlying assumption is that events are independent of circumstances so that each can be taken in isolation and the outcomes are predictable - this is false.

A supporter of risk analysis would then point to the broad band filter imposed by codes and standards to justify an assumption that certain events will not occur within the life of the structure. This is the regime of quality control and it is built on far from satisfactory foundations. It is noted in [5] that structural design standards can have up to 10% of their contents revised in a year - not all of it, by any means, as an enhancement of standards. Indeed, attempts to increase safety through standards and codes will almost always be resisted by industry. A system of 'equivalent safety' for reduced cost prevails and it is also never clear whether a standard represents a minimum or a level of best practice [6].

Reliance cannot be placed, therefore, on codes and standards to filter out the occurrence of low consequence events.

In fact, risk analysis does not even attempt to consider all possible initiator events. It starts from the opposite end and selects in a fairly arbitrary way a set of major events which are considered 'live' and of 'high consequence'.

A useful analogy can be made with the 'dependability' assessment of software. Figure 2 is the classical description or visualisation of software faults. Areas Ai on the input field map through the software onto the output field areas Bi. For example A1 and A2 map through correctly, A3 and A4 do not. A3 is an obvious boundary value where an error might be intuitively suspected. A4 on the other hand is a state dependent value, scarcely distinguishable from A2, but having markedly different output characteristics. How does one test for A4?

How also can we be sure that our input set is complete and there is not an A5 lurking outside our assumed input range and mapping onto an unsafe output B5?

Figure 2: Mapping of inputs to outputs for software

[Figure not reproduced. It shows the input sets A1, A2, A3 and A4, lying within the assumed input range, mapping through the software onto the output areas B1 to B4; the output field is divided into safe and unsafe regions. A further input set A5, outside the assumed range (the figure labels the ranges 'assumed' and 'known'), maps onto an unsafe output B5.]

Similar visualisations or maps can be produced for any complex system. The analogy with software is, however, not precise. Software, once written, is fixed for ever: the same input will map to the same output every time and yet there are still these very real problems with detection of errors. If there is state dependency in software - which is a fixed and finished tool - then there is very definite state dependency in the complex socio-technical system which is an offshore platform.

Table 2 is also derived from work with safety critical software. It is based on a draft British Standard and describes the ways that the input for tests of safety critical software can be partitioned [7]. The various techniques are:

- Random selection (Table 2) relies on a most accurate and rigorous definition of the environment within which the system works. Without this it has no validity.

- Equivalence partitioning is an attempt to reduce the extent of random selection by grouping events into classes. It adds uncertainty in the classification to a need for rigorous definition of the environment.

- Boundary value selection is often added to equivalence partitioning. It relies on an ability to relate the magnitude of output to the value of the input. That is, to apply this there must be 'a priori' knowledge of the input/output relationship to be tested.

- Fault guessing is a sort of 'expert system' approach which relies on experience. If enough experts are used over sufficient time this is equivalent to random selection in the same way that monkeys can write Shakespeare.


Partition type          Reliability relationship         Advantages                       Disadvantages
Random selection        weighted to the defined          accuracy, credibility            large number of tests, and
                        environment                                                       depends on accurate & complete
                                                                                          environment definition
Equivalence             model relates equivalence        efficiency of sampling and       effort in vigorously
partitioning /          class to reliability             concentration on failure         demonstrating equivalence, and
boundary value          performance or consequence       causes                           associated risk of assumptions
selection
Fault guessing          model relates 'guesses' to       efficiency of concentration      risks in assumptions and
                        general case and environment     on error causes                  non-completeness

Table 2: Input partitioning for testing of safety critical systems [7]
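As an added illustration of how the partitioning strategies of Table 2 fare against the two kinds of fault sketched in Figure 2, the example below (written for this edition; it is not code from the paper or from the draft standard it cites) puts a toy relief-valve controller, constructed for the purpose, through random selection, equivalence partitioning, boundary value selection and fault guessing. The controller carries a boundary fault of the A3 kind and a state-dependent fault of the A4 kind; its limit, its fault behaviour and every test case are assumed values. The point it makes is the paper's: boundary value selection finds A3 cheaply, while A4 is reachable only if the environment definition includes the state that triggers it, so random selection from an environment that omits that state cannot find it and fault guessing by someone who knows about the state does.

```python
"""Added example (not from the paper or the draft standard it cites): the input
partitioning strategies of Table 2 run against a toy controller carrying a
boundary fault (A3 in Figure 2) and a state-dependent fault (A4). Everything
here, the controller, its limit and the test cases, is constructed."""
import random

HIGH_LIMIT = 100  # constructed trip threshold, units arbitrary


class ReliefController:
    """Toy controller that should open the relief valve whenever pressure >= HIGH_LIMIT.
    It carries two deliberate faults for the illustration:
      * boundary fault (A3): '>' instead of '>=', so a reading of exactly 100 is missed;
      * state-dependent fault (A4): the first reading after a manual reset is ignored,
        so a clearly high reading is treated as safe in that state only."""

    def __init__(self):
        self.suppress_next = False

    def manual_reset(self):
        self.suppress_next = True

    def should_open(self, pressure):
        if self.suppress_next:
            self.suppress_next = False
            return False              # A4: wrong for any high reading in this state
        return pressure > HIGH_LIMIT  # A3: wrong when pressure == HIGH_LIMIT


def oracle(pressure):
    """Specification: the valve must open at or above the limit, in every state."""
    return pressure >= HIGH_LIMIT


def run_tests(cases):
    """Each case is (pressure, reset_first). Returns the indices of the cases on which
    the controller disagrees with the specification."""
    failures = []
    for i, (pressure, reset_first) in enumerate(cases):
        controller = ReliefController()
        if reset_first:
            controller.manual_reset()
        if controller.should_open(pressure) != oracle(pressure):
            failures.append(i)
    return failures


def random_selection(n, seed=1, env_includes_reset=False):
    """Random selection draws from the *defined* environment. If that definition
    omits the reset state, no sample can ever exercise A4."""
    rng = random.Random(seed)
    return [(rng.randint(0, 200), bool(env_includes_reset and rng.random() < 0.2))
            for _ in range(n)]


def equivalence_partitioning():
    """One representative per class: 'below limit' and 'above limit'."""
    return [(50, False), (150, False)]


def boundary_values():
    """Values just below, at and just above the limit."""
    return [(99, False), (100, False), (101, False)]


def fault_guessing():
    """A tester who has seen reset-related faults before adds this case."""
    return [(150, True)]


STRATEGIES = {
    "random (reset not in env)": lambda: random_selection(200),
    "random (reset in env)": lambda: random_selection(200, env_includes_reset=True),
    "equivalence": equivalence_partitioning,
    "boundary": boundary_values,
    "fault guessing": fault_guessing,
}


def strategies_that_find(fault):
    """Names of the strategies whose cases expose the given fault, 'A3' or 'A4'."""
    found = []
    for name, make_cases in STRATEGIES.items():
        cases = make_cases()
        failing = [cases[i] for i in run_tests(cases)]
        if fault == "A3" and any(p == HIGH_LIMIT and not r for p, r in failing):
            found.append(name)
        elif fault == "A4" and any(r and p >= HIGH_LIMIT for p, r in failing):
            found.append(name)
    return found


if __name__ == "__main__":
    for fault in ("A3", "A4"):
        print(fault, "found by:", strategies_that_find(fault))
```

Whether the random strategy with the reset state in its environment finds A3 depends on the draw hitting exactly 100, which is the paper's "large number of tests" disadvantage in miniature; the deterministic strategies give the same answer every run.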

Before considering where the offshore industry's approach lies in such a scheme it is noted that it is accepted by those engaged in producing and applying safety critical software that there are clear and presently intransigent difficulties in proving the reliability of even relatively small pieces of code.

A quote from a document on this subject is of interest [8]:

"The two major schools of thought concerning risk analysis and assessment, qualitative and quantitative, are often at odds with each other. In fact this represents a confusion between the goal of achieving dependability and that of measuring what has been achieved. Any claims for efficacy can only be substantiated scientifically if they can be shown quantitatively to deliver that which they promise.

Safety assessments should ideally be quantitative and empirical evidence about systems is normally quantified probabilistically via reliability growth modelling or random testing. However, it is easy to demonstrate that these techniques are not plausible ways of acquiring confidence that a program is ultra-reliable: the testing times needed become astronomically large as a result of a law of diminishing returns and the issue of whether the test inputs are truly representative of those the system will meet in operational use becomes serious.

There are also problems with a qualitative approach and there is evidence that human judgement even from expert subjects shows fairly consistent bias when unaided by a formal framework that can check for such errors. Unfortunately, current practice is perceived to be overly dependent upon this sort of informed engineering judgement, which includes expert subjective opinion and is often conducted in a very informal manner. The approach is primarily process and resource based, implying that having the right people and using the right methods will enable one to have confidence in the dependability of a system. Unfortunately there is almost no empirical evidence to confirm that specific recommended techniques can ensure an adequate level of safety."

Now the offshore industry do not apply random selection from a defined equivalent environment in their risk analysis quantification. They do not take the necessary care to develop a full 'demand' environment nor do they have any proof that their assumed map of events at the extreme boundaries of their classes will adequately 'test' the system and identify potential flaws. In fact, what they are involved in is a system of 'fault guessing' using general past experience and accepted 'common' knowledge without any proof that they are achieving an adequate level of safety nor, indeed, any formally complete ways to demonstrate it.

Clearly as a means of rigorously defining and partitioning the 'demand' space offshore risk analysis does not match up well. How well does it perform at the interface between a realised event and its consequences?

2.3 The independence assumption

A difficulty arises in the early stages of design when major conceptual decisions are made about the configuration of the offshore system. At this stage, so far in the UK, it has been specialist 'risk analysts' who have been involved - not a group who can be accused of much offshore operational experience - and it is here that the assumption of the independence of the postulated events and the real environment in which they occur becomes very critical. There appears to me to be tremendous potential for these risk analysts not only to ignore situations where major hazards are generated by a sequence of trivial circumstances, but also to make decisions which require very costly alteration at later stages in the design as the operating environment becomes clearer and as operators become more closely involved.

In the second case the potential is very high for the changes to be made in an unstructured and unsatisfactory way which introduces new 'pathogenic' flaws into the system.

3.0 Inequitable ALARP 

The question of changes at a later stage in design or even in operation brings us to the next item of criticism - that risk analysis and the ALARP principle, which in the UK and Europe is inseparable from it, are inequitable and non-absolute. Such criticism should be fatal for a key area of legislation.

It seems that in the UK, the industry maximum justifiable expenditure to avert one fatality is settling around the £6M mark: a value that is used irrespective of the time period of risk. This figure is, however, presented in a number of ways and presentation of cost-benefit calculations in the Safety Cases I have seen so far has caused difficulties, particularly with respect to time.


Let us consider costs first. I am not aware that any standard discounting convention is applied throughout the UK industry and yet standardisation of all costs to a net present value, with assumptions of time and interest rates made explicit, is essential for equitable comparisons to be made. There will be expenditure which is spread over time and equally there will be expenditure which is heavily concentrated in time, posing different economic problems for different Operators. The essence of an ALARP presentation, however, should be the justifiable cost to reduce a unit of risk with modifiers attached to that primary information to account for the nature of the expenditure.

The risk side of the equation is also presented in different ways. If we consider an event which has a certain probability of occurring in any one year then, obviously, the chance of it happening in the 20 year life of a big field is higher than for the 5 year life of a small field. The risk per year for the worker on each production unit is, however, the same. I have seen cost benefit analyses presented in terms of the likelihood of an event occurring in the life of the platform and also in terms of reduction of a unit increment of risk per year. The second way is a more coherent and rational method which allows equality of exposure to risk to be considered.

It is also a fact that changes in operation cost more than changes during construction, which themselves cost much more than changes at the design stage, so that if a cost benefit sum is performed on a finished platform it will show vastly increased expenditure for treatment of the same annual average level of risk than for a platform in the construction or design stage. One can quite easily envisage a situation where a problem may be allowed to remain under ALARP for an existing platform whereas it would most certainly be removed in the design stages - even during construction - of a new platform. This has been considered to some extent in a recent paper from the UK HSE/OSD [9].

In the safety case arguments where decisions have been founded upon the length of time the hazard might exist, as opposed to the annual average risk at present, the argument of what is reasonable expenditure is set against a short period of financial return. This obviously requires mobilisation of auxiliary arguments concerning the likelihood of the time period being exceeded and, if such auxiliary arguments are offered and accepted, then they cannot be extended. For example, if additional products were to be brought into a platform, the cost-benefit need for a previously rejected system, say a sub-sea safety valve, should be considered with the inclusion of the history of non-protected risk. Auxiliary arguments, in general, must retain their status as one-off exemptions from a naturally occurring outcome.

The point, however, is that the same level of risk is being treated differently depending on the position of the platform in its life cycle and the length of that life cycle, so that no account is taken of a past period of risk exposure nor is the Operator credited for any efficiency in finding problems at a stage where the cost of changes allows changes to be made.

It seems that by keeping the same 'price' over different periods of time it is risk which is being discounted and the result is inequitable both for the workers on different platforms and for the Operators themselves. If it could be assumed that all organisations were at equal levels in their control of risk and if a unified price were set for a unit reduction of risk per year then the field might be level and the game fair.
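The following added example (constructed for this edition; it is not from the paper nor from any Safety Case) works the argument of this section through in code: the same hazard, carrying the same annual risk per worker, is put through a simplified ALARP cost-benefit test on the platform-life basis for a 5 year and a 20 year field, and for a fix made at the design stage or in operation. The £6M per fatality figure is the one the paper reports; the event probability, the fatalities at risk, the remedial cost, the stage cost multipliers and the discount rate are all assumed values, and the 'cost not exceeding benefit' rule stands in for the gross-disproportion judgement actually applied under ALARP.

```python
"""Added example (not from the paper): the same hazard under ALARP cost-benefit
sums on the platform-life basis, for different field lives and different stages
of the life cycle. All values except the £6M per fatality figure are assumed."""

VPF = 6_000_000  # pounds per fatality averted; the figure the paper reports as settling in the UK

# Relative cost of the same physical change at each stage. Constructed ratios,
# ordered as the paper states it: operation > construction > design.
STAGE_COST_MULTIPLIER = {"design": 1.0, "construction": 3.0, "operation": 10.0}


def lifetime_probability(p_per_year, years):
    """Chance of at least one occurrence in `years`, for an event with annual probability p."""
    return 1 - (1 - p_per_year) ** years


def annual_benefit(p_per_year, fatalities):
    """Per-year presentation: value of the annual risk reduction. Identical for every
    worker exposed to the hazard, whatever the field life."""
    return p_per_year * fatalities * VPF


def lifetime_benefit(p_per_year, fatalities, years):
    """Platform-life presentation: value of averting the event over the remaining life.
    Grows with field life although the per-worker annual risk does not."""
    return lifetime_probability(p_per_year, years) * fatalities * VPF


def npv_of_spread_cost(annual_cost, years, rate):
    """Present value of a remedial cost paid at the end of each year for `years` years,
    discounted at `rate`: the standardisation the paper asks for before costs are compared."""
    if years < 1:
        raise ValueError("years must be at least 1")
    if rate == 0:
        return annual_cost * years
    return annual_cost * (1 - (1 + rate) ** -years) / rate


def alarp_outcome(design_cost, stage, p_per_year, fatalities, years):
    """Simplified ALARP test on the platform-life basis: 'remove' the hazard if the cost
    of the fix at this stage does not exceed the lifetime benefit, else let it 'remain'.
    (The real test is gross disproportion, a judgement this assumed rule stands in for.)"""
    cost = design_cost * STAGE_COST_MULTIPLIER[stage]
    return "remove" if cost <= lifetime_benefit(p_per_year, fatalities, years) else "remain"


def compare_fields(design_cost, p_per_year, fatalities, lives=(5, 20)):
    """For each field life: (annual benefit, lifetime benefit, outcome at design,
    outcome in operation)."""
    return {
        years: (
            annual_benefit(p_per_year, fatalities),
            round(lifetime_benefit(p_per_year, fatalities, years)),
            alarp_outcome(design_cost, "design", p_per_year, fatalities, years),
            alarp_outcome(design_cost, "operation", p_per_year, fatalities, years),
        )
        for years in lives
    }


if __name__ == "__main__":
    # Assumed hazard: 1 in 1000 per year, 10 people at risk, fix costing £500k at design.
    for years, row in compare_fields(500_000, 1e-3, 10).items():
        print(f"{years:2d} year field: annual benefit £{row[0]:,.0f}, "
              f"lifetime benefit £{row[1]:,}, design: {row[2]}, operation: {row[3]}")
```

With the assumed values the 20 year field removes the hazard at the design stage but not once in operation, and the 5 year field never removes it, although every worker on both platforms carries the same annual risk of the same event; that is the inequity the section describes, and the discounting helper shows how much a spread cost shrinks once a rate is made explicit.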

In principle it is possible for an Operator who is not very good at safety engineering to construct a platform for a short life field and then discover a hazard. The commercial constraints will then be used to justify reliance on 'management' of the risk through organisational solutions rather than by removal of the problem. A more concerned and efficient Operator might have spent money at the design stage to produce an inherently safer platform.

Both sell their oil in the same market so they compete at cost level. The company with the poorer safety engineering performance is the one which is having to rely on its safety management to ensure safe operation. Something of a 'Catch 22'.

4.0 Reliance on organisational solutions

How acceptable is that reliance on organisational or safety management solutions? Brehmer has suggested [3] that, in general, it is impossible for an organisation to place equal weight on safety goals and production goals. His arguments are based on Prospect Theory [10] and its twin characteristics of:

- over-weighting of certainty, which places known loss from safety spending against uncertain gains,

- under-weighting of gains compared to losses, which is an essentially careful characteristic of humans and has allowed us to survive as a race.

They are powerful arguments and he concludes that there is a need for legislation and for the legislator to ensure that the losses from devaluing safety exceed the gains from emphasising production and arise with equal certainty. A very significant problem because, in work I have done with Michael Bradley on the measurement of the stability of drilling and other semi-submersibles, we have been able to show [11] that there is no significant correlation between the Certifying/Classification body and the standard of stability safety achieved. There is, however, a correlation significant at 95% between the stability results and a characterisation of the companies on a scale of their attitudes to safety management. In that paper we have remarked that good companies don't need regulators and poor safety managers don't need them either because they ignore them.

It is interesting, however, that we have found that neither the good nor the bad companies can use their self-regulation to maintain the stability of their vessels within acceptable limits without applying regular measurement of the control variables. What are the control variables used in the offshore industry to measure and manage their performance? They are usually past records of accidents which are post facto and (in the UK at least) have some dubiety.

In her paper presented at this Conference, Catherine Parry will discuss some results from the drilling industry which will show some of the difficulties in learning lessons from measurements of accident rates in one specific area of the offshore industry [12]. She also then discusses the difficulty of legislating without prescription and her comments amplify the case put in this paper.

She has also prepared a critique of UKOOA's (United Kingdom Offshore Operators' Association) very flawed presentation of the industry's safety record [13] which has been used recently by Ronnie MacDonald of OILC to demonstrate that safety in the UK sector is at best staying more or less at the same level - or perhaps rising,


5.0 Conclusions

At present my work in the field of safety is based on measuring safety performance in the Scottish whisky industry and in the testing of safety critical software for the marine and offshore industries.

The management work is founded on my belief that the greatest effect can be achieved by working with middle managers and supervisors to modify their decision making processes by providing them with adequate tools to apply safety measures and record their effect. It is only partly based on my love of whisky.

The work on safety critical software has confirmed my view that the present techniques used in the offshore industry to demonstrate acceptable levels of risk hide very imprecise assumptions behind a cloak of technology. As a subsea engineer I can perform probabilistic reliability calculations reasonably well, but I know their limitations. I particularly know the problems in assuming independence of events. I do not know, and nobody else does, the limitations of the arguments on which approval is given to produce oil.

We should not stop performing such work - it is very valuable. We must, however, correct an over-emphasis on risk studies as opposed to ensuring that detail design is performed properly. More emphasis is needed on the project stages of offshore design and construction - considerable economic loss is built into offshore systems at this stage.

The biggest problem that the UK regulators have is applying the necessary cost pressures to ensure that safety goals are given weighting against commercial goals without appearing to be 'prescriptive' even though they must be. Parry's work on drilling emphasises this dichotomy [12].

With regard to cost-benefit sums and ALARP, we are still, at present, locked in the 'Who benefits? ....Who pays?' argument because unequal exposure of workers to risk is set against the profitability of the company. When the benefit to the burglar equals the loss to the householder then the cost-benefit sum is in balance!

ALARP must be regularised so that there is equality of exposure to risk for the workforce rather than an accountant's equivalence of discounted cost. It is unfair to everyone that a poor company can gain from their poor performance and it is a harsh irony that the worst companies will rely most on their operational safety management.

References

1 MacFarlane C J; 'Maximising Safety Through Better Project Management: Understanding the problems that Projects leave behind'; presented at an IIR Conference, Aberdeen, 1993.

2 Reason J; 'Risk management and resident pathogens'; World Bank workshop on safety control and risk management, Washington DC, 1988.

3 Brehmer B; 'Cognitive aspects of safety'; contained in Reliability and safety in hazardous work systems, edited Wilpert & Qvale, published L Erlbaum, 1993.


4 Qvale T; 'Design for safety and productivity in large scale industrial projects: the case of the Norwegian offshore oil development'; contained in Reliability and safety in hazardous work systems, edited Wilpert & Qvale, published L Erlbaum, 1993.

5 McIntosh A R & Birkinshaw M; 'The Offshore Safety Case: Structural Considerations'; Int. Conference on 'Structural Design against Accidental Loads', London, Sept 1992.

6 Birkinshaw M, Kam J C P & McIntosh A R; 'The applications of risk and reliability management to offshore structural integrity assessment'; presented at the Engineering integrity assessment conference, Glasgow, 1994.

7 British Standard draft for public comment 94/408553; 'Draft BS guide to test methods for dependability assessment of software'.

8 'A framework for developing Credible Evidence for a Safety Case based on Testing'; a document produced within the CONTESSE project on the testing of safety critical software, Doc. No. 1ED4/1/9021, 1994. Although this document is confidential to the CONTESSE partners this full quotation is relevant and can be treated as authoritative.

9 Birkinshaw M; 'Some experiences with harmonisation'; source not known.

10 Kahneman D & Tversky A; 'Prospect theory: an analysis of decision under risk'; Econometrica, 47, 263-291.

11 Bradley M S & MacFarlane C J; 'Some lessons to be learned from the stability control of semi-submersibles'; paper to be presented at the Institute of Marine Engineers, London, 1995.

12 Parry C H & MacFarlane C J; ' '; paper presented at this conference.

13 Parry C H; MSc thesis, University of Strathclyde, 1994.
