Risk Assessment. Marvin Rausand
points for accident scenarios (i.e. initiating events).
Events that are the “center” of the bow‐tie (i.e. hazardous events).
Events and conditions that trigger accidents (i.e. enabling events and conditions).
At an initial stage of a practical risk analysis, we often identify several or all of these when we try to answer the question. We may identify both flammable materials, gas leaks, ignition, fire, and explosion as separate hazards/events to consider, but when we inspect these more closely, we can see that they can form different events in a sequence, that is, an accident scenario.
The important point in this process is to identify as many events and conditions as possible. At this stage, we should not be too concerned about whether these are hazards, initiating events, enabling events, or enabling conditions.
Hazard and event identification may be supported by generic lists of hazards. Examples of such lists can be found in the standards related to machinery safety (ISO 12100 2010) and for major accident hazard management during design of offshore installations (ISO 17776 2016). When looking at these lists, we often find that the lists are also a mix of hazards, initiating events, and enabling events and conditions in the way that it is defined in this book. This may be confusing, but this should not stop us from using these lists for brainstorming purposes because the structuring of the information can be done afterwards.
3.2.3.2 Step 3.2: Define Specific and Representative Events
In this step, we have to be more careful about what we include as events to be analyzed further. From the (often unorganized) list of identified hazards and events, we should specify a set of specific initiating or hazardous events to form the backbone of the risk analysis. Now, the definitions introduced in Chapter 2 help us in the screening process. We should not discard any hazards and events that are not included in the list of hazardous/initiating events, because they can be parts of accident scenarios or causes that we use in later steps in the risk assessment process.
From the generic lists, we may have identified “fire” as an event, but we now need to make this sufficiently specific, stating, for example, “fire in room X during daytime.” The specificity of the events must be balanced with the resources required to perform the analysis. More events typically require more time and resources to perform the analysis so we try to define representative events that can cover a range of more or less similar events.
In most cases, a screening of the identified events may be performed as part of this step. Events that are considered to have a very low probability of occurrence or are expected to have no or negligible consequences are usually screened out and not included for further analysis. This screening should be carefully documented.
3.2.3.3 Step 3.3: Identify Causes of Events
The purpose of the causal analysis is to identify the causes of the hazardous or initiating events that have been identified. How “deep” into the causes we should go depends on a number of factors, including
How detailed is the analysis? The level of detail should be determined in step 1. A more detailed analysis requires that we go into more details on the causes.
What causes can be influenced by the decision‐makers? Causes outside what we can change are less relevant to study in detail except to help us design a robust system that can withstand or compensate for these causes.
Both technical, human, and organizational causes should be considered whenever relevant.
The causal analysis may form an important basis for the frequency analysis.
3.2.3.4 Step 3.4: Determine Frequencies of Events
This step is not a part of all risk analyses or may sometimes be performed in a simplified manner. In some cases, the risk analysis is purely qualitative and the description of causes from the causal analysis are then adequate as a description of risk, combined with a description of the consequences. In some cases, frequency or probability classes are used instead of assigning a numerical frequency to each event. Frequency classes may, for example, be specified as
Assigning frequencies or probabilities may be a difficult task in risk analysis. The data that we have available for this purpose are from the past, whereas we are trying to predict the future. Therefore, the application of data relies on a number of assumptions. The simplest assumption to make (and perhaps most common) is to assume that the past is representative also for the future. Very often, this is not the case, and we need to make assumptions about how we believe that changes in technology and operating context may affect the frequencies or probabilities. Data and data analysis is discussed in more detail in Chapter 9.
In practice, a screening process is conducted also as part of this step. If we conclude that the frequency or probability is very small, we may choose to eliminate the event from further analysis.
3.2.4 Step 4: Develop Accident Scenarios and Describe Consequences
The structure of step 4 is shown in Figure 3.7 . Several analytical methods are available for this step and are described in Chapter 12.
3.2.4.1 Step 4.1: Identify Barriers and Other Factors Influencing the Scenarios
During the initial hazard identification, we have most likely identified a number of events and enabling conditions that influence how an accident scenario develops. In this step, we need to identify any barriers that contribute to control the risk by (i) stopping the accident scenario from developing into an accident or (ii) reducing the consequences. There may also be other factors influencing the scenarios, negatively or positively, that should be included in the accident scenarios to be defined in step 4.2.
3.2.4.2 Step 4.2: Describe Representative Scenarios
From the information assembled in steps 3.1 and 4.1, it is now possible to start describing accident scenarios that may occur, starting from the initiating events. This is usually a chain of events, but may also include enabling conditions and events that influence the probability that scenarios develop positively or negatively.
How far the scenarios should be developed is difficult to define precisely. In most cases, the scenarios are stopped when the immediate effects and consequences have occurred (e.g. when a collision has occurred or a fire has been extinguished). In cases where there also may be long‐term effects on assets, this may be too early.
The scenarios are important to gain a qualitative understanding of what can happen, but they are also important as a basis for quantification of the probability/frequency of the end events.
In many cases, there can be more or less endless numbers of scenarios. We therefore need to select and describe representative sets of accident scenarios. The representative set should, as far as possible, be general enough