Risk Assessment. Marvin Rausand

failure. These failures occur because of a dormant systematic fault of the item (e.g. a software bug, a maintenance error, or an installation error). The systematic failure occurs when a specific demand for the item occurs. The demands may be of a random or nonrandom nature. The first author of this book has experienced persistent software bugs in his washing machine, causing the washing program to abort.

Input/output failures. These failures occur because the required inputs or outputs of the item function are missing or wrong. The inputs to a washing machine consist of electricity, water, detergent, and mobile phone signals (on brand new machines). The output is dirty water to the sewage. The function of the machine fails when one of these inputs/outputs is missing or deviates from the required values. Input/output failures may be random or nonrandom.

Deliberate failures. These failures are nonrandom and occur when a threat actor (also called an attacker) uses a physical or cyber threat to harm the item. For some systems, cyber threats may lead to physical harm to assets. A physical threat action is also called sabotage.

      Example 2.7 (Cruise ship near accident)

The cruise ship Viking Sky with 1373 passengers and crew aboard narrowly escaped a major accident on 23 March 2019, when her engines failed during a severe storm. The ship drifted rapidly toward the coast of mid‐Norway in very rough waters, but was finally saved by the anchors less than 100 m from land. All engines tripped almost at the same time because of a low‐level signal from the level transmitters in the lubrication oil tanks. This system is installed to protect the engines from being destroyed if the lubrication is lost. The level of oil was not critically low, but the heavy seas probably caused movements in the tanks that fooled the level transmitters. The (preventive) shutdown of the engines was therefore a typical systematic fault, caused by a specification or design error of the lubrication oil tanks and/or the placement of the level transmitters. If not modified, the same engine shutdown will reoccur the next time the ship meets the same weather conditions.

      For more details about failures and failure classification, see Rausand et al. (2020).
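As an added illustration (not from the book) of the systematic fault in Example 2.7: a protective function that trips on a single momentary low reading will shut the engine down every time the tank contents slosh, whereas a trip that requires the low condition to persist for a set time distinguishes a short dip from a sustained loss of oil. The threshold, the sampling period, the persistence delay and the oil-level series below are all constructed assumptions for this example, not data from the Viking Sky investigation.

```python
import math

# Added illustration (not from the book): a protective trip that reacts to a
# momentary low reading versus one that requires the condition to persist.
# All numbers and the level series are constructed assumptions.

LOW_LEVEL_THRESHOLD = 0.40   # assumed trip threshold (fraction of tank full)
SAMPLE_PERIOD_S = 1.0        # assumed transmitter sampling interval, seconds
PERSISTENCE_S = 10.0         # assumed delay: low level must persist this long


def constructed_level_series():
    """Constructed oil-level samples: a healthy level (0.70) interrupted by
    two short dips, mimicking sloshing in heavy seas, followed by a genuine,
    sustained loss of oil at the end."""
    series = [0.70] * 20
    series += [0.35, 0.30, 0.38]                    # 3 s dip: transient, oil still there
    series += [0.70] * 15
    series += [0.33, 0.29]                          # 2 s dip: transient
    series += [0.70] * 15
    series += [0.36 - 0.01 * k for k in range(12)]  # sustained fall: 0.36 down to 0.25
    return series


def low_level_episodes(series, threshold=LOW_LEVEL_THRESHOLD, period=SAMPLE_PERIOD_S):
    """Group consecutive below-threshold samples into (start_s, duration_s)
    episodes. A sentinel sample at the threshold closes a trailing episode."""
    episodes = []
    start = None
    for i, level in enumerate(list(series) + [threshold]):
        t = i * period
        if level < threshold:
            if start is None:
                start = t
        elif start is not None:
            episodes.append((start, t - start))
            start = None
    return episodes


def naive_trip_time(series, threshold=LOW_LEVEL_THRESHOLD, period=SAMPLE_PERIOD_S):
    """Trip on the first sample below threshold (no filtering). Returns the
    trip time in seconds, or None if the level never goes low."""
    episodes = low_level_episodes(series, threshold, period)
    return episodes[0][0] if episodes else None


def persistent_trip_time(series, threshold=LOW_LEVEL_THRESHOLD,
                         period=SAMPLE_PERIOD_S, persistence=PERSISTENCE_S):
    """Trip only once the low reading has persisted for `persistence` seconds.
    Returns the time of the sample that completes the delay, or None."""
    samples_needed = max(1, math.ceil(persistence / period))
    for start, duration in low_level_episodes(series, threshold, period):
        if duration >= persistence:
            return start + (samples_needed - 1) * period
    return None


def count_trips(series, persistence=PERSISTENCE_S,
                threshold=LOW_LEVEL_THRESHOLD, period=SAMPLE_PERIOD_S):
    """Number of engine shutdowns a trip with the given persistence would
    produce over the series; persistence=0 reproduces the naive trip."""
    return sum(1 for _, d in low_level_episodes(series, threshold, period)
               if d >= persistence)


if __name__ == "__main__":
    levels = constructed_level_series()
    print("low-level episodes (start s, duration s):", low_level_episodes(levels))
    print("naive trip fires at t =", naive_trip_time(levels), "s; trips:",
          count_trips(levels, persistence=0.0))
    print("persistent trip fires at t =", persistent_trip_time(levels), "s; trips:",
          count_trips(levels))
```

The persistence delay is a trade-off, and this is a general design point rather than anything the book states about the ship: the delay removes the spurious trips caused by the two transient dips, but it must remain shorter than the time the engine can tolerate without lubrication, otherwise the filter replaces a nuisance shutdown with a destroyed engine.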

      2.3.9 Terminology Comments

      This section has defined a number of commonly used terms in risk assessment. The purpose is to establish a terminology that helps to describe different elements of the problem being addressed in a risk analysis. Unfortunately, as stated already, terminology is a problem within this field. Therefore, we once more warn the reader about the use of these terms in other documents, reports, standards, and scientific publications.

Mechanical hazard
– Kinetic energy
– Acceleration or retardation
– Sharp edges or points
– Potential energy
– High pressure
– Vacuum
– Moving parts
– Rotating equipment
– Reciprocating equipment
– Stability/toppling problems
– Degradation of materials (corrosion, wear, fatigue, etc.)

Hazardous materials
– Explosive
– Oxidizing
– Flammable
– Toxic
– Corrosive
– Carcinogenic

Electrical hazards
– Electromagnetic hazard
– Electrostatic hazard
– Short circuit
– Overload
– Thermal radiation

Thermic hazards
– Flame
– Explosion
– Surfaces with high or low temperature
– Heat radiation

Radiation hazards
– Ionizing
– Nonionizing

Noise hazards
– External
– From internal machines

Hazards generated by neglecting ergonomic principles
– Unhealthy postures or excessive effort
– Inadequate local lighting
– Mental overload or underload, stress
– Human error, human behavior
– Inadequate design or location of visual display units

Environmental hazards
– Flooding
– Landslide
– Earthquake
– Lightning
– Storm
– Fog

Organizational hazards
– Inadequate safety culture
– Inadequate maintenance
– Inadequate competence
– Inadequate crowd control

Sabotage/terrorism
– Cyber threat
– Arson
– Theft
– Sabotage
– Terrorism

Interaction hazards
– Material incompatibilities
– Electromagnetic interference and incompatibility
– Hardware and software controls

      To add to the confusion, several other terms are used that overlap our terms, but often without a clear definition. Examples include accident initiator, accident initiating event, accidental event, critical event, undesired event, unwanted event, process deviation, and potential major incident (accident).

      2.3.10 Accident

      An accident may be defined as:

      Definition 2.17 (Accident)

      A sudden, unwanted, and unplanned event or event sequence that has led to harm to people, the environment, or other tangible assets.

      By this definition, we have moved from talking about the future to considering the past. An accident is an event that actually has caused harm to one or more assets. The definition further implies that an accident is not predictable with respect to whether and when it occurs. The definition emphasizes that an accident is a distinct event or event sequence and not a long‐term exposure to some hazardous material or energy. Suchman (1961) argues that an event can be classified as an accident only if it is unexpected, unavoidable, and unintended.

      Accidents can be classified in many different ways, such as according to types of accidents, causes of accidents, and severity of accidents. Some terms that are used to describe accidents are, for example, major accident, process safety accident, personal accident, occupational accident, and disaster. In many cases, the accident types are not clearly defined or the definitions may vary from case to case.

In the process industry, it is common to distinguish between process safety accidents and personal accidents. Process safety accidents are related to the process plant as such, the processes going on in it, and the materials being used in the plant. Common causes of these accidents are that the process gets out of control or that hazardous substances are released. The potential consequences can be very large, both for people, the environment, and other assets. Personal accidents or occupational accidents usually involve one or a few people. Typical examples are falls, cuts, crushing, and contact with electricity. In this case, the categorization is done mainly with respect to the types of accidents (and thereby also causes). In practice, the categorization is also made according to the degree of possible consequences that may occur.

      Accidents and accident models

