Accidentinvestigationisthecollectionandexaminationoffactsrelatedtoanoccurredspecificincident.
QuantitativeRiskAnalysis(QRA)isthesystematicuseofavailableinformationtoidentifyhazardsand
probabilities,andtopredictthepossibleconsequencestoindividualsorpopulations,propertyorthe
environment.Traditionallybothmethodshavebeenusedseparately;howeverbothaccidentinvestiga-
tion andQRAdescribehazardsinasystematicway.Theextensiveresearchthatisdonerelatedtothat
includinghumanandorganisationalfactorsinQRAbringsaccidentinvestigationandQRAcloser
together.Everyyeartherearealargenumberofprecursorincidentsrecordedwiththepotentialto
cause majoraccidentsrisksintheNorthSeaoilandgasindustry.Thisarticledescribeshowaccident
investigationandQRAcanbecombinedusingavailableinformationfromaprecursorincidentasinput
to QRA-methodologytoidentifyhazards,probabilities,safetybarriersandpossibleconsequences.
The combinedmethodisshortenedasQRAPII(QuantitativeRiskAnalysisPrecursorIncident
Investigation)andmakesuseofwellknownhazardanalysistechniquestoproduceamorecomplete
cause andriskpictureincomplexsystems.Thisincludesanextendedunderstandingofhumanand
organisationalfactorsinaccidentsandpreventionofthese.
Product Catalog Bandung Home Decor Design Furniture
Combining QRA and investigations
1. Combining precursorincidentsinvestigationsandQRAinoilandgasindustry
Jon EspenSkogdalen n, JanErikVinnem 1
Faculty ofScienceandTechnology,UniversityofStavanger,Stavanger,Norway
a r t i c l e info
Article history:
Received 8April2011
Received inrevisedform
22 November2011
Accepted 8December2011
Available online18January2012
Keywords:
Quantitative riskanalyses
Investigation
Precursor incident
Oil andgasindustry
a b s t r a c t
Accidentinvestigationisthecollectionandexaminationoffactsrelatedtoanoccurredspecificincident.
QuantitativeRiskAnalysis(QRA)isthesystematicuseofavailableinformationtoidentifyhazardsand
probabilities,andtopredictthepossibleconsequencestoindividualsorpopulations,propertyorthe
environment.Traditionallybothmethodshavebeenusedseparately;howeverbothaccidentinvestiga-
tion andQRAdescribehazardsinasystematicway.Theextensiveresearchthatisdonerelatedtothat
includinghumanandorganisationalfactorsinQRAbringsaccidentinvestigationandQRAcloser
together.Everyyeartherearealargenumberofprecursorincidentsrecordedwiththepotentialto
cause majoraccidentsrisksintheNorthSeaoilandgasindustry.Thisarticledescribeshowaccident
investigationandQRAcanbecombinedusingavailableinformationfromaprecursorincidentasinput
to QRA-methodologytoidentifyhazards,probabilities,safetybarriersandpossibleconsequences.
The combinedmethodisshortenedasQRAPII(QuantitativeRiskAnalysisPrecursorIncident
Investigation)andmakesuseofwellknownhazardanalysistechniquestoproduceamorecomplete
cause andriskpictureincomplexsystems.Thisincludesanextendedunderstandingofhumanand
organisationalfactorsinaccidentsandpreventionofthese.
& 2011 ElsevierLtd.Allrightsreserved.
1. Introduction
Experiences frommajoroffshoreaccidentsinthepastareimpor-
tant sourcesofinformationtopreventtheoccurrenceofsimilar
accidents inthefuture.Therewere anumberofmajoraccidentsin
the NorthSeathatoccurredinthesecondhalfofthetwentieth
century, includingtheAlexanderKielland [1], EkofiskBravoBlowout
[2] and PiperAlfa [3]. Alloftheaccidentsmentionedleadto
significant changesintechnology,operations,supervisionandregula-
tion. Therehasbeenapositivesafetytrendduringthelast15–20
years, resultinginfewermajoraccidents.Thisisastepintheright
direction,butithasonechallenge,inthesensethattheexperiences
from themajoraccidentinvestigationshavetobecomplementedby
new toolsforfurtherimprovementwithinriskmanagement.
Human errorhasbeenjudgedtobetherootcauseofmany
major accidents,forexampletheaccidentatEssoAustralia’sgas
plant atLongfordinVictoriainSeptember1998 [4]. Essoargued
that operatorsandtheirsupervisorsondutyatthetimeshould
have knownthattheattempttoreintroduceawarmliquidintoa
cold pipecouldresultinbrittlefracture.Essoclaimedthat
operators hadbeentrainedtobeawareoftheproblem.However,
the accidentinvestigationcommissiontooktheviewthatnoneof
those ondutyunderstoodjusthowdangerousthesituationwas,
which indicatedasystematictrainingfailure.Thecommission
concluded thatinadequatetrainingofoperatorsandsupervisors
was the‘‘realcause’’oftheaccident [5].
It wasforalongtimeassumedthatoccupationalaccidents,
often summarisedastrips,slipsandfalls,werearelevant
indicator onwhichtojudgethemajorhazardrisk.TheBPTexas
City refinerydisasterin2005createdahighawarenessthat
management ofmajorhazardsisnotthesameasmanagement
of occupationalhazards [6]. Thelackofthecoherencebetween
personnel injuriesandmajoraccidentswasalsoillustratedbythe
Deepwater Horizonaccident [7]. TheverysamedaythatBP
officials werevisitingtherigtopraisesevenyearswithout
personnel injuries,gasexplodedupthewellboreontothedeck
of therigandcaughtfire.Elevenworkerswerekilledinthe
explosion [8]. Theblowoutcausedoiltogushoutofthedamaged
well fortwomonths,theworstenvironmentaldisasterinUS
history, impactinglocaleconomies,sensitivecoastlinesandwild-
life throughouttheGulfregion [9].
Hydrocarbon leakshaveamajoraccidentpotential,well
illustrated bythetotallossof‘PiperAlpha’in1988ontheBritish
continental shelf,leaving167dead [3]. Agasleakcausedagas
Contents listsavailableat SciVerse ScienceDirect
journalhomepage: www.elsevier.com/locate/ress
ReliabilityEngineeringandSystemSafety
0951-8320/$ -seefrontmatter & 2011 ElsevierLtd.Allrightsreserved.
doi:10.1016/j.ress.2011.12.009
Abbreviations: CFD, ComputationalFluidDynamics;DOE,USDepartmentof
Energy; EER,Evacuate,EscapeandRescue;HSE,Health,SafetyandEnvironment
and HealthandSafetyExecutive,UK;HOF,humanandorganisationalfactors;
HRO, HighReliabilityOrganisation;MTO,Man,TechnologyandOrganisation;NRC,
US NuclearRegulatoryCommission;O&G,oilandgas;OTS,OperationalSafety
Condition; PSA,PetroleumSafetyAuthorityNorway;QRA,QuantitativeRisk
Analysis; QRAPII,QuantitativeRiskAnalysisPrecursorIncidentInvestigation;RIF,
risk influencingfactor;RNNP,RiskLevelProject;TTS,TechnicalSafetyCondition
n Corresponding author.Tel.: þ47 99024171.
E-mail addresses: jon.espen.skogdalen@gmail.com (J.E.Skogdalen),
jan.erik.vinnem@uis.no (J.E.Vinnem).
1 Tel.: þ47 91152125.
Reliability EngineeringandSystemSafety101(2012)48–58
2. cloud, whichignited.Theexplosioncausedbreakageofapipe
transporting oilandafire,whichrageduncheckedduetowater
not beingavailableforthefirewatersystem.Thiscausedtheother
large pipesconnectedtogas-andoil-pipelines(risers)toburst,
which inturnescalatedtoatotalloss.Thelargenumberof
fatalities waspartlyduetothefailureofevacuationandrescue
measures [3].
The PetroleumSafetyAuthorityNorway(PSA)hasinseveral
accident investigationreportsconcludedthatunderslightly
different circumstances,theincidentscouldhavedevelopedinto
major accidents,withextensivepollutionandpotentiallossof
multiple lives [10]. Centralquestionsarethen
– Whatcircumstances?
– Howprobablewerethesecircumstances?
– Whatwerethepossibleharm/consequences?
These questionsareonlysuperficiallyanswered,iftheyare
answered atall,intheaccidentinvestigationreports.IfthePiper
Alpha, orthemorerecentDeepwaterHorizonaccident,was
prevented bythegascloudnotbeingignitedduetoafortunate
wind direction,shouldtheynothavebeentakenjustasseriously?
The numberofoccupationalaccidentsisnotanindicatorfor
major hazardrisk.Humanerrorisnotarootcause.PSAgives
examples ofrelatedassumptionsthatcanbemisleading [11]:
– assumptionthatanoverviewofhistoricalperformancepro-
vides reliableinformationaboutrisk,andthatadeclineinthe
number ofincidentsbyitselfisareliableindicatorofthe
robustness ofbarriersthataresignificantinpreventinga
major accident;
– assumptionsthatinformationusedasabasisforevaluating
major accidentriskisrelevant,reliable,adequateandtimely,
with subsequentcementingofincorrectassumptionsand
under-estimation ofuncertainty.
The BritishHealthandSafetyExecutive(HSE)statesthatits
objective istoreducethelikelihoodofcatastrophicaccidentsin
major hazardindustries.Thefrequencyandthenatureofcata-
strophic accidentsmakethemunsuitableasmeasuresofhealth
and safetyperformance.Instead,incidentsthathavethepotential
to leadtoordevelopintoacatastrophicaccident,so-called
precursor incidents,areusedasindicators.Aprecursorincident
is aneventorgroupofeventsthatindicatesfailureinsystems
controlling therisksfromamajorhazard.Theyarethelinksina
chain ofcausation,andtherebykeyelementsinpreventing
certain catastrophicoutcomes [12]. Thereareoveralargenumber
of precursorincidents(e.g.gasleaks,kicksandshipcollisions)
every yearontheNorwegianContinentalShelf [13]. Thepre-
cursor incidents,orunwantedincidentsastheyareoftencalled,
are usuallysuperficiallyjudgedininvestigationreportsrelatedto
the potentialharmusingriskmatrixes.Theconsequencesof
major accidentsareunacceptableinoursociety,andtherefore
precursor incidentswiththepotentialtocausemajoraccidents
should bethoroughlyinvestigatedinordertopreventthemfrom
reoccurring. Theimportanceofinvestigatingprecursorincidents
has beendescribedinalargenumberofarticles,e.g. [14–18].
There isthoughalackofarticlesabouthowthesecanbedonein
practice intheoilandgas(O&G)industry.
1.1. Objectives
This articledescribeshowaccidentinvestigationmethodology
and QuantitativeRiskAnalysis(QRA)canbecombinedto
investigate precursorincidentsbytheuseofwellknownhazard
analysis techniques.ThecombinedmethodisshortenedasQRA
PII (QuantitativeRiskAnalysisPrecursorIncidentInvestigation).
QRA PIIincludesthefollowingelements:precursorincident
reporting, indicators,safetybarriers,fault/event-trees,bow-ties
and QRA.Theelementsarebrieflydescribedfollowedbya
discussion onhowQRAPIIcanbeatoolforfurtherimprovement
within riskmanagement.Thediscussionincludesexperiences
from HighReliabilityOrganisations(HROs)andthenuclear
industry, wheretheuseofprecursorincidentinvestigationhasa
longer traditionrelatedtotheanalysisofdecisiongatesfor
control roomoperators.
The QRAmodellingincludesseveralhazardanalysistechni-
ques likefault-treeandeventtree.TheresultsfromtheQRAare
often describedusingbow-tiediagrams.Thesehazardanalysis
techniques canbedescribedas‘investigatinganaccidentbeforeit
occurs’. Thesetraditionalapproachestohazardanalysisare
according toanumberofexperts,e.g.Leveson [19] and Hollnagel
et al. [20], overwhelmedbytheincreasingcomplexityofthe
systems, bytheintroductionofdigitaltechnologyandsoftware
and bytheincreasedrelianceondistributedhuman–machine
decision-making andcontrol [19].
According toLeveson [21,22] amodelofaccidentcausation
and theengineeringtechniquesbuiltonitthatconsideronly
component failures,willmisssystemaccidents.Inaddition,the
role ofhumanoperatorsischangingfromdirectcontrolto
supervisory positionsinvolvingsophisticateddecision-making.
The typesofmistakeshumansaremakingaredifferentand
are notreadilyexplainedorhandledbythetraditionalchain-
of-failure-events modelsandbymostofthehazardanalysis
techniques. Also,thereismorewidespreadrecognitionofthe
importance ofmanagement,organisationalandculturalfactorsin
accidents andsafety:thetraditionaltechniques,whichwere
never derivedtohandlethesefactors,dosopoorlyifatall [22].
To completelyunderstandthecauseofaccidentsandtoprevent
future ones,thesystem’shierarchicalsafetycontrolstructure
must beexaminedtodeterminewhythecontrolsateach
level wereinadequatetomaintaintheconstraintsonsafebeha-
viour atthelevelbelowandwhytheeventsoccurred [22].
Understanding thephysicalfactorsleadingtothelossisonly
the firststep,however,inunderstandingwhytheaccident
occurred. Thenextstepisunderstandinghowtheengineering
design practicescontributedtotheaccidentandhowtheycould
be changedtopreventsuchanaccidentinthefuture [22]. This
includes understandingwhypeoplebehavethewaytheydoby
examining theirmentalmodelsandtheenvironmentalfactors
affecting theirdecision-making.Allhumandecision-makingis
based ontheperson’smentalmodelofthestateandoperationof
the systembeingcontrolled [22]. Levesonarguesforthedevel-
opment ofanewhazardanalysistechniquecalledSystem-
Theoretic ProcessAnalysis(STPA) [19,22]. Theauthorsagree
about theshortcomingsofseveraltraditionalhazardanalysis
techniques, butbelievethatbycombiningdifferentdatainput
and hazardanalysistechniquesamorecompletecauseandrisk
picture canbeproducedforprecursorincidentstherebyavoiding
major accidents.Theobjectiveofthisarticleistodemonstrate
how thiscanbedoneinpracticeusingdatasetsandhazard
analysis techniquesthatarewellknownwithintheNorwegian
O&G industry.
1.2. Limitations
This articledoesnotincludeanexplanationastohowQRAs
are performed.Forreadingsaboutthissee [23–26]. Thescopeis
limited tomajorhazardsintheO&GindustryintheUKand
Norway. Majorhazardshavethepotentialtocausemajoracci-
dents, whichareoftenunderstood,e.g.byHSE [12], asaccidents
out ofcontrolwiththepotentialtocausefivefatalitiesormore,
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 49
3. caused byfailureofoneormoreofthesystem’ssafetyand
preparedness barriers.
There arealargenumberofdifferentaccidentinvestigation
methods andcausalanalyses.Inthesameway,thereisagreat
variation inthewayriskanalysesarepreformed.Thereare
several perspectivesrelatedtobothaccidentsandtheircauses.
A primarydifferenceishowaccidentsaremodelledandhowan
organisation isinterpreted,seee.g. [27–31]. Areviewofthe
methods andthedifferentperspectivesisnotascopeofthis
article. Ourviewissomewhatpragmatic.Thebasecaseisthe
methods andelementsthatareusedintheUKandNorwaytoday.
2. Incidentreportingandlearning
The theoryofincidentlearningreliesontheobservationmade
by Turner [32] thatdisastershavelongincubationperiodsduring
whichwarningsignals(orincidents)arenotdetectedorare
ignored.Thus,whiletheoccurrenceofincidentsmaybenormal,
onlyanorganisationwithaneffectiveincidentlearningsystem
canrespondtotheseincidentstopreventseriousaccidentsfrom
occurringinthefuture.Phimisteretal. [15] discusstheimpor-
tanceofidentification,withoutwhichincidentlearningisimpos-
sible.Unlesstheorganisationissensitisedtolearnfromincidents,
deviationsfromnormalbehaviourwillgounnoticed.Accordingto
CookeandRohleder [33], anorganisationthateffectivelyimple-
mentsaformalincidentlearningsystemcanevolveintoanHRO.
For severalindustriestherehasbeenachallengetoachievea
good reportingrate,andanincidentcannotbeinvestigatedunless
it isreported.Furthermore,therateofincidentsreporteddepends
on thepersonalcommitmenttosafetybytheworkerswho
observe orareinvolvedintheincidents.Managementcanshow
their commitmenttosafetybycreatingaclimateinwhich
incident reportingisrewardedinsteadofpunished.TheO&G
companies operatingintheNorthSeahaveforalongtime
emphasised thatallunwantedincidentsshouldbereported.The
O&G companieshaveachievedahighrateofincidentreporting,
which initselfisgood.However,thehighreportingratecanmake
it difficulttoidentifythemostimportantproblemshighlightedin
the reporteddata.AsreportedbyBerntsenandHolmboe [34] too
much resourceswerespentonacomprehensivehandlingand
analysis ofavastamountofincidentswithlessimportanceforthe
safety level,takingthefocusawayfromthemoresevereand
important incidents.Thehighresponserateisalsoaresultofa
process wheretherehasbeenlimitedpunishmentandhuntfor
scapegoats. Theinvestigationsareusuallydoneinaquickmanner
and withoutquestioningskills,competenceanddecisionsmade
by theinvolved(seee.g. [35]). Theincidentreportshavemainly
been usedforworkingoutsafetyindicators.
3. Indicatorsandriskinfluencefactors
The term‘‘indicator’’canbeusedinvariouscontexts,for
exampleperformanceindicators,safetyindicators,safetyperfor-
manceindicators,directperformanceindicators,indirectpro-
grammaticperformanceindicatorsandriskindicators [36]. Also,
indicatorsmaybedefinedindifferentways.Safetyindicatorshave
beenaddressedinaspecialissueof SafetyScience (volume47,
2009)andseveralrecentresearcharticles [36–46]. Mainlythe
articlesdiscusstwodimensionsofsafetyindicators:personal
safetyversusprocesssafety,andleadingversuslaggingindicators.
HSE [41] statesthatbothleadingandlaggingindicatorsare
neededtoensurethehighqualityoftheselectedindicators,but
Hopkins [40] claimsthattodistinguishbetweenleadingand
laggingindicatorsisnotusefulforprocessindustries.
In theRiskLevelProject(RNNP)inNorway,theso-called
leading andlaggingindicatorsareusedtoassesstherisklevelof
the NorwegianO&Gindustryonanannualbasis,inadditionto
questionnairesandinterviews.Thefirstreportwaspublished
early in2001,basedondatafortheperiod1996–2000.RNNPuses
various statistical,engineeringandsocialsciencemethodsto
provide abroadillustrationofrisklevels,includingrisksdueto
major hazards,risksduetoincidentsthatmayrepresentchal-
lenges foremergencypreparedness,riskperceptionandcultural
factors [45,47]. Relatedtomajoraccidents,thefollowingcate-
gories ofdataarecollected [13]:
– uncontrolledreleaseofhydrocarbons,fires(i.e.processleaks,
well events/shallowgas,riserleaks,otherfires);
– structuralevents(i.e.structuraldamage,collisions,threatof
collision);
– accidentsandeventsinhelicoptertransportactivities;
– experiencedatarelatingtotheperformanceofbarriersagainst
major accidents.
The numberofprecursorincidentsisusedasindicatorsin
RNNP. Inadditiontheperformanceofsafetybarriersisincluded.
4. Safetybarriers
Safetybarriers(barriers)arephysical ornon-physicalmeans
plannedtoprevent,controlormitigateundesiredeventsoraccidents.
Barriersmaybepassiveoractive,physical,technicalorhuman/
operationalsystems [48,49]. ThePSAregulationsrequirethefollow-
ingaspectsofbarrierperformanceto beaddressed:reliability/avail-
ability,effectiveness/capacityandrobustness(antonymvulnerability).
In 2000StatoildevelopedasystemtoassesstheTechnical
SafetyCondition(TTS)ofitssafetybarriersonO&Gfacilities
[50,51].TTSincludesareviewofthemaintenance,inspectionand
designroutinesthatareverifiedagainstpredefinedperformance
standards.Thereare22differentperformancestandards,for
exampleregardingthegasdetectionsystem,alarmmanagement
andwellbarriers.Eachperformancestandardconsistsofperfor-
mancerequirements.Theassessmentiscarriedoutatadetailed
levelusingchecklists.Thereisalreadyalargeamountofdata
collected,andseveraloilcompanieshaveadoptedasimilarsystem.
The safetybarrierdiagrams‘bow-tie’graphicallydisplaythe
relationship betweenhazards,threats,controlsandconse-
quences. Bow-tiesincludetwoparts.Theleftpartdescribesthe
latent hazard,initiatingevents,preventativecontrolsandinitial
hazard release.Thehazardreleaserepresentsapotentialmajor
incident. Therightpartdisplaysthepotentialmajorincidentasa
starting point,barriersinsequenceandtheconsequencesthat
result fromthefailureofthebarriers.Thebow-tiediagramis
based onthecouplingofafaulttreeandaneventtreediagram
linked toacriticaleventthatrepresentsahazard.Bow-tie
diagrams allowtheidentificationofsafetybarriersimplemented
to preventthecriticaleventfromtakingplaceand/ortomitigate
its effects.Severallevelsofcausesandeffectscanbedescribed.
Bow-tie diagramsarethereforegoodillustrationsofdefence-in-
depth [52]. QRAsintheO&Gindustryhavetraditionallyhada
rather narrowanalysisofbarrierperformance [23].
Revealingthehumanandorganisationalfactors(HOFs)isimpor-
tantwhenanalysingsafetybarriersandprecursorincidents.Human
factorsareunderstoodasthebranchofscienceandtechnologythat
includes whatisknownandtheorizedabouthumanbehavioural
and biologicalcharacteristicsthatcanbeappliedvalidlytothe
specification, design,evaluation, operationandmaintenanceof
productsandsystemstoenhancesafe,effectiveandsatisfyinguse
by individuals,groups andorganisations [53]. Humanfactorsare
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 50
4. seen asarangeofissues,includingtheperceptual,physicaland
mentalcapabilitiesofpeople,aswellastheinteractionsofindivi-
dualswiththeirjobandtheworkingenvironments,theinfluenceof
equipmentandsystemdesignonhumanperformanceand,aboveall,
the organisationalcharacteristics thatinfluencesafety-related
behaviouratwork.
The terms‘humanfactors’and‘humanerror’areoftenused
interchangeably, but,aspointedoutbyGordon [54], itisimpor-
tant todistinguishbetweentheunderlyingcausesofaccidents
(human factors)andtheirimmediatecauses(humanerrors).
Traditionally, humanfactorsaredefinedastheinteraction
between manandmachine,althoughmanyvariationsexist [55].
Human errorcanbedefinedas‘thefailureofplannedactionsto
achieve theirdesiredends—without theinterventionofsome
unforeseeable event’ [56]. AccordingtoJacobsandHaber [57],
human errorsmaybeofvariousoriginsandpartoflarger,
organisational processesthatencourageunsafeacts,whichulti-
mately producesystemfailures.
Organisational factorsarecharacterisedbythedivisionof
tasks, designofjobpositions,includingselection,trainingand
cultural indoctrination,andtheircoordinationtoaccomplishthe
activities. Themainissuesoforganisationandsafetyinclude
factors suchascomplexity(chemical/process,physical,control
and task),sizeandageofplant,andorganisationalsafetyperfor-
mance shapingfactorssuchasleadership,culture,rewards,manning,
communicationsandcoordination,andsocialnormsandpres-
sures [58].
HOFs playanimportantroleinNorwegianandUKlegislation.
HOFs mustbemodelled,andtheirroleassafetybarriersmustbe
revealed tofulfilthelegislationrequirements.Duringthelast
decade, severalresearchprojectshavebeenworkingtoinclude
HOFs inQRA.OrganisationalRiskInfluenceModel(ORIM) [59],
Barrier andOperationalRiskAnalysis(BORA) [60,61] andOpera-
tional SafetyCondition(OTS) [25,62] arethemostrelevant
methods. Table 1 shows thatHOFsarecentralbothinaccident/
precursor incidentinvestigationsandQRA.
5. QRA
Risk analysismethodologyisaboutestablishinggoodprinci-
ples, methodsandmodelsforanalysinganddescribingrisk.QRA
is usedastheabbreviationfor‘QuantifiedRiskAssessment’
or ‘QuantitativeRiskAnalysis’.Thecontextusuallyhastobe
considered inordertodeterminewhichofthesetwotermsis
applicable. Riskassessmentinvolvesriskanalysisaswellasan
evaluation oftheresults.Thetechniqueisalsoreferredtoas
Probabilistic RiskAssessment,ProbabilisticSafetyAssessment,
Concept SafetyEvaluationandTotalRiskAnalysis.Inspiteof
more thantwodecadesofuseanddevelopment,noconvergence
towards auniversallyacceptedtermhasbeenseen [23]. Inthis
article thetermQRAreferstoallthedifferenttechniques.
Authorities arebasingtheirregulations,andoperatorsarebasing
their design,ontheuseofQRA.
According toguidelinesforQRA [64], thefollowingrisk
elements relatedtomajorhazardriskshall,asaminimum,be
considered foroffshoreO&Ginstallations:
– blowouts,includingshallowgasandreservoirzones,unignited
and ignited(Wellincidents);
– processleaks,unignitedandignited(IgnHCleak/UnignHC
leak);
– utilityareasandsystems’firesandexplosions(Otherfire/expl);
– fireinaccommodationareas(Otherfire/expl);
– falling/swingingobjects;
– transportationaccidents;
– transportofpersonnelfromshoretotheinstallation;
– helicoptercrash;
– collisions,includingfieldrelatedtraffic,andexternaltraffic,
drifting andunderpower(Shiponcollcourse);
– riserandpipelineaccidents(Dam.subsinst/Subsequipmleak);
– accidentsfromsubseaproductionsystems(Dam.subsinst/
Subs equipmleak);
– escape,evacuationandrescueaccidents,i.e.untilaso-called
‘safe place’hasbeenreached(Evac/muster);
– structuralcollapse,includingcollapseofbridgesbetweenfixed
and/or floatinginstallations(Struct.Damage);
– foundationfailure(Struct.Damage);
– lossofstability/position(Struct.Damage).
The shorteningsinthelistrefertothecategorisationbyPSA
related toprecursorincidents.Everyyeartheprecursorincidents
are recordedbythePSA,see Fig. 1.
Most oftheincidentsareinvestigatedbythecompanies
themselves, whileafewareinvestigatedbythePSA.
Fig. 2 illustrateshowthedifferentelementscanbecombinedin
a bow-tieillustration.QRAincludesmodellingofengineering,
operationalandmaintenanceactivities.QRAcoverstheinitiating
eventsaswellastheirconsequences.SomeQRAsalsoincorporate
the initiatinghuman,organisationalandtechnicalfactors [26]. A
typicalprecursorinvestigationdoesnotcovermodellingofthe
potentialconsequencesandrelatedprobabilities.Therebythestatus
of allthesafetybarriersthatwerenotused,isnotinvestigated.
6. Accident/precursorincidentinvestigations
An accidentinvestigationisthedeterminationofthefactsof
an accidentbyenquiry,observationandexamination,andan
analysis ofthesefactstoestablishthecausesoftheaccidentand
the measuresthatmustbeadoptedtopreventitsrecurrence [66].
The CenterforChemicalProcessSafety(CCPS)describesthree
main purposesforaccidentinvestigation.Thefirstpurposeisto
organise informationabouttheaccidentonceevidencehasbeen
collected. Thesecondistohelpindescribingtheaccident
causation anddevelopingahypothesisforfurtherexamination
by expertsandthelastistohelpwiththeassessmentofproposed
corrective actions [67,68]. Inaddition,theanalyticaltechniques
should alsoensurethattheresultsaretransparentandverifiable.
Table 1
Human andorganisationalfactors [63].
HOF Description
Work practiceThecomplexityofthegiventask,howeasyitis
to makemistakes,bestpractice/normalpractice,
checklists andprocedures,silentdeviations,
control activities
Competence Training,education—both generalandspecific,
courses, systemknowledge,etc.
Communication Communicationbetweenstakeholdersinthe
process ofplan,act,check,do
Management Workmanagement,supervision,dedicationto
safety, clearandprecisedelegationof
responsibilities androles,changemanagement
Procedures and
documentation
Data basedsupportsystems,accessibilityand
quality oftechnicalinformation,workpermit
system, safetyjobanalysis,procedures(quality
and accessibility)
Workload andphysical
working environment
Time pressure,workload,stress,working
environment, exhaustion(shiftwork),toolsand
spare parts,complexityofprocesses,man–
machine-interface, ergonomics
Change managementManagementoftechnicalororganisational
changes, andavoidingaccidents
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 51
5. Accident andincidentinvestigationsareoftenaimedatfinding
the rootcausesofanaccident.AccordingtotheHSE,arootcause
is themostfundamentalanddirectcauseofanaccidentor
incident thatcanbereasonablyidentified,andthatmanagement
has acontroltofix.Arootcausecontainsthreekeyelements [69]:
Basic Cause. Specific reasonsastowhyanincidentoccurred
that enablerecommendationstobemadethatwillprevent
recurrence oftheeventsleadinguptotheincident.
Reasonably Identified. Incident investigationmustbecom-
pleted inareasonabletimeframe.Rootcausesanalysis,tobe
effective, musthelpinvestigatorstogetthemostoutofthe
time allottedforinvestigation.
Control toFix. General causeclassificationssuchas‘operator
error’ shouldbeavoided.Suchcausesarenotspecificenough
to allowthoseinchargetorectifythesituation.
During thelastdecades,anumberofmethodsforaccident
investigation havebeendeveloped.Eachofthesemethodshas
different areasofapplicationanddifferentqualitiesanddeficien-
cies. AuthorslikeHendrickandBenner [70], Groeneweg [71] and
Svenson [72] have developedanddescribedtheirowninvestiga-
tion method,inthesamewaydifferentgovernmentalofficesand
authorities havetheirownmethods.
Accidentmodelscansuperficiallybedividedintothreemajor
groups.Thefirstgroupis‘‘sequentialaccidentmodels’’,atermalso
Undesirable event with
potential for harm or
damage, e.g
Gas leak
(Precursor incident)
Conse-quences
Barriers
Engineering activities
Maintenance activities
Operations activities
Initiating
human,
organi-zational
and
techn-ical
factors
QRAPII (Quantitative Risk Analysis precursor incident investigation)
Typical accident investigation
Initiating
events
QRA modelling
Giving probabilities for different scenarios,
Describing decision gates (probabilities and consequences)
QRAincl.
HOF
Fig. 2. Bow-tie, QRAandQRAPII.
Fig. 1. Precursor incidents [65].
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 52
6. used byHollnageletal. [73], whichdescribetheaccidentasa
sequenceofeventsinaspecificorder,e.g.thedominotheory.The
second groupis‘‘humaninformation processingaccidentmodels’’,a
term usedbyLehtoandSalvendy [74], whichdescribetheaccidentin
terms ofhumanbehaviourandactions.Thethirdgroupis‘‘systemic
accidentmodels’’,atermalsousedbyHollnageletal. [20] such as
Reason’smodel,whichincludeorganisationalandmanagement
factors anddescribetheperformanceofthewholesystem [18].
CCPS [68], USDepartmentofEnergy(DOE) [75,76], PSA [77,78]
and HSE [69] have reviewedanddescribedseveralmethods.Several
articleshavealsoevaluatedthemethods [18,27,29]. DOE [76]
dividestheprocessintothree(partiallyoverlapping)mainphases:
(a) collectionofevidenceandfacts;
(b) analysisofevidenceandfacts—development ofconclusions;
(c) developmentofjudgmentsofneed—writing thereport.
Kjelle´n [79] also includestheimplementationandfollow-upof
recommendations aspartoftheinvestigation.Withinthefieldof
accident investigation,thereisnocommonagreementabout
definitions andconcepts.Thenotionofcausehasespeciallybeen
discussed intheliterature.Whilesomeinvestigatorsfocuson
causal factors [75], othersfocusondeterminingfactors [80],
contributing factors [81], activefailuresandlatentconditions
[82] or safetyproblems [29,70].
6.1. Faulttreeandeventtreeanalysis
FaulttreeanalysisiscentralinboththeQRAandseveralaccident
investigationmethods.Faulttreeanalysisisamethodfordetermining
the causesofanaccident(ortopevent) [83]. Thefaulttreeisagraphic
model thatdisplaysthevariouscombinationsofnormaleventsbythe
use oflogicgatesthatillustrateequipmentfailures,humanerrorsand
environmentalfactorsthatcanresultinanaccident.Afaulttree
analysismaybequalitative,quantitativeorboth.Possibleresultsfrom
theanalysismaybealistingofthepossiblecombinationsof
environmentalfactors,humanerrors,normaleventsandcomponent
failuresthatmayresultinacriticaleventinthesystemandthe
probabilitythatthecriticaleventwilloccurduringaspecifiedtime
interval.Thestrengthofthefaulttreeasaqualitativetoolisitsability
tobreakdownanaccidentintorootcauses [29].
An eventtreeisusedtoanalyseeventsequencesfollowingan
initiatingevent [84]. Theeventsequenceisinfluencedbyeither
successorfailureofnumerousbarriersorsafetyfunctions/sys-
tems.Theeventsequenceleadstoasetofpossibleconsequences.
The consequencesmaybeconsideredasacceptableorunaccep-
table.Theeventsequenceisillustratedgraphicallywhereeach
safetysystemismodelledfortwostates:operationandfailure.An
accidentinvestigationmaygraphicallydescribetheaccidentpath
as oneofthepossibleeventsequencesinaneventtree.
The useofgraphicaldescriptionisessentialinseveralaccident
investigation methodsandQRA.Itgivesaneasilyunderstandable
overview oftheeventsleadinguptotheaccidentandtherelation
between differentevents.Further,itfacilitatescommunication
among theinvestigatorsandtheinformantsandmakesiteasyto
identify eventually‘‘missinglinks’’orlackofinformation [29].
Safety barrieranalysisisusedtoidentifyhazardsassociatedwith
an accidentandthebarriersthatshouldhavebeeninplaceto
prevent it.Thebasicstepsinasafetybarrieranalysisareto [76]
– identifythehazardandthetarget;
– identifyeachbarrier;
– identifyhowthebarrierperformed;
– identifyandconsiderprobablecausesforthebarrierfailure;
– evaluatetheconsequencesofthefailureinthisaccident.
7. CombiningaccidentinvestigationandQRA
Identifying hazardsandbarriersisessentialinaccidentinves-
tigation andQRA.Byexpandingthecollectionofevidenceand
facts whenperforminganaccidentinvestigation,moredetailed
information canbegatheredaboutthebarriers,includingthose
that werenotused. Fig. 3 shows howaneventtreeanalysiscanbe
supported byasafetybarrieranalysisanddatasources(e.g.RNNP
and TTS).Theeventtreeisquitesimilartoacauseconsequence
diagram usedinseveralaccidentinvestigationmethods,although
the latteroftenusesmoretextandmoregraphicalsymbols.The
different scenariosandtheirprobabilitiescanbecalculatedbased
Fig. 3. Event treemodeling–safetybarrieranalysis–sourcesforassessments.
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 53
7. on informationfromtheaccidentinvestigationandmodelsinthe
QRA. Necessaryinformationwilldifferdependingonthetypeof
precursor incidentoraccident.Oneexampleisdroppedobjects,
which canresultinseveraldifferentconsequences:noinjury/no
damage, personalinjury/damagedequipmentaswellasbeingan
initiating eventforleakageofhydrocarbonsduetodamaged/
ruptured processequipment.
7.1. PSAinvestigationsuseMTO
The PSAaswellasseveraloilandgascompaniesinNorway
uses theMan,TechnologyandOrganisation(MTO)-methodology
[77]. Acomparisonofdifferentaccidentinvestigationmethods
done bySklet [29] showed thattheMTO-analysisisoneofthe
most completeanalysismethods.Themethoddemandsthatthe
user isaspecialist/expert [29]. ThebasisfortheMTO-analysisis
that human,organisationalandtechnicalfactorsshouldbe
analysed inanaccidentinvestigation.Themethodisbasedon
the methodHumanPerformanceEnhancementSystemfromthe
nuclear industry [77,78].
Fig. 4 illustrates theMTO-analysisworksheetandhowitcan
be combinedwithQRA.Thefirststepistodeveloptheevent
sequence longitudinallyandillustratetheeventsequenceina
block diagram.Thereafter,thepossibletechnicalandhuman
causes ofeacheventareaddedanddrawnverticallytotheevents
in thesamediagram.Thenextstepistomakechangeanalyses,
i.e. toassesshoweventsintheaccidentprogresshavedeviated
from thenormalsituation,orcommonpractice.Normalsituations
and deviationsarealsoillustrated.Technical,humanororganisa-
tional barriersthatfailedorweremissingduringtheaccident
progress arethenanalysed.Theresultillustratesallmissingor
failed barriersbelowtheeventsinthediagram.Thelaststepin
the MTO-analysisistoidentifyandpresentrecommendations.
The recommendationsshouldberealisticandspecific,andmight
be technical,humanand/ororganisational.
Table 2 describes additionalquestionsthatcanbeanswered
when combiningMTOandQRA.
7.2. Anexample
In January2006,agasleaktookplaceonaninstallationinthe
North Sea.Ametalplateintheflaredrumcollapsed,causinga
large holeintheflarepipe.Theincidentwasthelargestgasleak
to occurinaprocessareaontheNorwegianshelfinyears.
According tothePSAinvestigation,designflawsandthelackof
pressure retentionintheflaredrumwerethedirectcausesthat
triggered theincident.Theleakoccurredrightafterflaringhad
Fig. 4. MTO andQRAinput.
Table 2
Additional informationwhencombiningMTOandQRA.
Basic MTOanalysisquestions [77] Additional questionswhen
combining MTOwithQRA
– Whatmayhavepreventedthe
continuation oftheaccident
sequence?
– Whatmaytheorganisationhave
done inthepastinordertoprevent
the accident?
– Whatweretheprobabilitiesrelated
to thebarriertoperformas
intended?
– Howcouldtheincident/accident
escalate?
– Whatwerethepotentialaccident
scenarios?
– Whatwasthepotentialfor
escalation?
– Whatbarrierswereessentialto
prevent escalation?
– Whatwasthestatusofthese
barriers?
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 54
8. started asintended,followinganinterruptioninoperations.The
crew observedalargeflameontheflarewhenthemetalplatein
the KOdrum(‘theflaredrum’)collapsed,causingaholemeasur-
ing approximately0.5mintheflarepipe.Theincidentdeveloped
over ashortperiodof2min.Therewere91personsonboard.
No onesufferedphysicalinjury [85].
The incidentdidnotentailpersonalinjuriesorharmtothe
external environment.Theactualconsequenceswererelatedto
damage totheprocessequipment,withthelargestlosslinkedto
delayed production.ThePSAinvestigationconcludedthatallthe
automatic safetyfunctionsinvolvedaftertheincidentoccurred
functioned asintended.Thisincludedprocessandemergency
shutdown systems,aswellasthesprinklersystemsinaffected
areas [85]. Thepotentialconsequenceswerebrieflydescribedin
the investigationreportbymentioningthatifthecourseofevents
had beenonlyslightlyaltered,theleakcouldhaveledto
consequences includingpossiblelossoflivesandlossofthe
facility. Anignitedgascloudcouldhavecaused [85]
– extensiveandexplosivefire;
– lossoflivesaswellasdifficultandhazardousevacuationof
personnel;
– impairmentofstructureandpotentiallossofstructure;
– damagetosubseawellbaseframecausedbysinkingstructure.
The investigationdidnotanswerthequestions:
– Whatchainofeventswouldhaveledtoamajoraccident?
– Howprobableweretheseevents?
– Howwouldtheaccidentscenariosevolve?
Table 3 describes howQRA-modellingcanaddinformationto
the incidentinvestigation.
The likelihoodofasuccessfulevacuation,escapeandrescue
(EER) canalsobeevaluatedusingQRAmodelling(seee.g. [86]).
Risk influencingfactors(RIFs)influencingEERwere [85]
– shorttimefromdetectiontopossibleignition;
– nostand-byvessel;
– thenumberofavailablelife-boatsasreduceddueto
maintenance;
– largewaves.
An extendedinvestigation(accordingto Fig. 3) andQRA-
modelling mighthaverevealedthatthegasleakwasamajor
accident preventedonlybyafortunatewindspeedanddirection.
A largeleakintheflaresystemisextremelycriticalasoneofthe
flare system’sfunctionsistoreleasethepressureofhydrocarbon
segments. Ifanexplosionhadoccurred,theEERoperationswould
have beenchallengingduetotheRIFs.
8. Discussion
Safety isoftendefinedastheabsenceofaccidents [87], wherean
accident isdefinedasaneventinvolvinganunplannedand
unacceptableloss.Basedonthisdefinition,anincidentthatdoes
notcauseanylosses,likemostofthe precursorincidents,doesnot
affect thesafety.Anotherdefinitionforsafetyistheconditionof
being protectedfrom,orunlikelyto cause,danger,riskorinjury.
Accordingtothisdefinitiontheunlikelihoodhastobejudged.A
precursor incidentisaneventthatsignalsthatthesafetyhasbeen
affected. Thelikelihoodandpossibleconsequencescanbeanalysed
usingQRAPII.Riskanalysisisaboutanalysingthefuture.Inarisk
analysis,itisusuallyself-evident toapplyarecognisedmethod,
whichhoweverisrarerinprecursor/accidentinvestigation [88].
Leaksfromhydrocarbonsystemsareoneofthemaincontribu-
torstomajorhazardrisksoffshore.Evenso,onlyveryfewofthe
leaksareinvestigatedbythePSA.Theoperatorsdotheirown
investigations,butthelearningfromtheseincidentsislimitedas
theinvestigationsarenotpubliclyavailable.Areviewofaccident
investigationscarriedoutbytheInstituteforEnergyTechnology
concludedthatthereisamainfocusontechnicalfactors,evenin
incidentswherehumanandorganisationalfactorshaveinfluenced
Table 3
QRA elementsandcommentsongasleak.
Event treebranchInformationfromthePSAinvestigation [78] Additional informationbyQRA-modelling
Leak sizeTheleaksizewascalculatedbytheoperatorto900kg/s
(Hydrocarbon leakswitharategreaterthan10kg/sare
classified inthemostseriouscategoryusedontheNorwegian
shelf.)
– GascloudmodellingusingComputationalFluidDynamics
(CFD) programsfortheactualwinddirection
– Analysehowprobablewasgaspresentinthedifferentareas
on theinstallations
– Analysewhatwindspeedsanddirectionswouldhave
caused gasontheinstallation,andinwhichareas
The windspeedwas37m/sinthegustontheactualday
Ignition Thetotalvolumeofgasthatblewthroughtheholewas
calculated atapproximately26t
The ignitionprobabilitydependedon
– theprobabilitythatreleasedgaswasexposingtheignition
sources (revealedbyCFDcalculations)
– thenumberandstatusofpotentialignitionsourcespresent
– theprobabilitythatanexposedsourceofignitionwould
ignite thegas
The leakoccurredintheimmediatevicinityoftheflarestack,
where theflarewasburningthroughoutmostoftheincident
Escalation duetoexplosionIntheareawiththeknockoutdrumthereareothersegments
with hydrocarbonsduetoconnectionstoflarefromdifferent
process segments
Analyse andcalculatethepotentialfireandexplosionloads
based oncomputersimulations.Input(equipment,placing,
hydrocarbons, volumes,etc.)couldbegatheredaspartof
the investigation
Isolation andpressurerelief
of segment
The isolationandpressurereliefisdonethroughtheflare
system. Theleakisintheflaresystem
Model theprocessflowbetweenthedifferentsegments
containing hydrocarbons
Escalation tootherequipment
due tofireandstructural
collapse
Gas leakfornearly50min,pressurereliefentailedthatthegas
leak continuedthroughtheholeintheflarepipe
Modelling ofescalationbasedonfireandexplosion
calculations andtheinstallationsdesignaccidentload.
Added informationare
– potentialdurationoffire
– sizeandlocationoffire
– fire-fightingcapacity
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 55
9. largely [35]. ThereisalackofunderstandingofhowMTO-analysis
shouldbepreformed.TheMTO-diagramsareusedtoillustrate,and
nottoanalysetheincidentinasystempropertyview.Kletz
summariseschallengesrelatedtoaccidentinvestigations [89]:
– findonlyasinglecause,oftenthefinaltriggeringevent;
– findonlyimmediatecausesanddonotlookforwaysof
avoiding thehazardsorforweaknessesinthemanagement
system;
– listhumanerrorasacausewithoutsayingwhatsortoferror;
– listcausesonecandolittleabout;
– changeproceduresratherthandesigns.
Although thefirsteventinthechainisoftenlabelledthe
‘initiatingevent’,theselectionofaninitiatingeventisarbitrary,
and previouseventsandconditionscouldalwaysbeadded.When
learninghowtoengineersafersystemsisthegoalratherthan
identifying whotopunish,theemphasisinaccidentanalysisneeds
to shiftfrom‘‘cause’’(whichhasalimiting,blameorientation)to
understanding accidentsintermsofreasons,i.e.whytheeventsand
errors occurred [21]. Thisshouldconsistofanunderstandingofthe
total system,includingthebarriersthatwereplannedbutnotused.
Therebywhenasystemfailsitshouldbeinvestigatedaccordingtoa
systempropertyview,notacomponentproperty,eventhoughat
firstviewitisonlyacomponentthathasfailed.Animportantpartof
the systempropertyviewistounderstandthepotentialconse-
quencesofthesystem’sfailure.QRAPIIisatooltodothis.
An importantpartofriskmanagementefficiencydependson
the wayorganisationslearnandalsoonhowlearningisorga-
nised. Learningfromexperienceimplies,forinstance,thateach
person involvedinanincidentoranaccidenttakespartin
reviewing theinformationassociatedwiththesystemfailures
[90]. Itisthereforeimportantthatthepotentialscenariosare
described. Precursorincidentsrarelyleadtomajoraccidents,and
this reducesthefearofanoccurrencewithinthecompany,and
also reducesthevisiblebenefitsofsafetyinvestments.Bydescrib-
ing thescenariowithrelatedprobabilitiesandconsequences,the
good sideoffear,proactivemanagement,canbemobilised.
Information fromprecursorincidentinvestigationscanalsobe
important toolsforimprovedriskcommunication.Probability
information canbeprocessedeithersystematicallyorheuristi-
cally. Riskcommunicatorsusuallypreferpeopletoprocess
information systematicallybecausethisismorelikelytoleadto
informed decision-making.Inareviewoftheresearchliterature
related toprobabilityinformationinriskcommunication,
Visschers etal. [91] concluded thatinformationthatwasconcrete
and easytosimulateinmemorywaspreferredtomoreabstract
information, whichtheheuristicsimulationpredicts.Anexample
is scenarioinformationversusfrequencyinformation.UsingQRA-
modelling, thedifferentscenarios,includingworstcasescenarios,
are simulatedfortheprecursorincidentsandcantherebysupport
learning throughscenariodescription.
Precursoranalysis,theevaluationof‘nearmisses’,hasbeenan
activityoftheUSNuclearRegulatoryCommission(NRC)foralmost
20 years.Oneitemthathasremainedconstantoverthistimeis
thatthefocusoftheanalysishasbeenonmodellingthescenario
usingariskmodelandthenutilisingtheresultsoftheanalysisto
determinetheseverityoftheprecursorincident.Theinvestigation
of precursoreventscanbeusedasasourceofinformationforthe
constructionofastructuredmethodologicalapproachforopera-
tionaldecisions [92]. TheNRCstartedtheAccidentPrecursor
SequenceProgrammein1979 [93]. Over1000licenseeevent
reportsareyearlysubmittedtotheNRC [17]. Eachyearthe‘most
risksignificant’eventsaretabulatedandrankedaccordingtothe
conditionalcoredamageprobability(CCDP)intheNRCpublication
NUREG/CR-4674(Table2).CCDPistheriskmetricusedbytheNRC
to determinetheseriousnessofaprecursorevent.CCDPisdefined
astheprobabilityofcoredamagewhengiventheplantconfigura-
tionduringtheinitiatingeventsituationorduringtheunplanned
equipmentoutage [94]. ThecalculationofthenumericalCCDP
valueisbasedontheprobabilisticriskassessmentmodels,and
carefullyconsiderstheimpacttothebase-casemodelofaspects
suchasoperatoractions/recoveries,adjustmentstodependent
eventslikecommon-causefailureprobabilities,andplantinitiating
events [17].
An HROsucceedsinavoidingmajoraccidentsinanenviron-
ment wherenormalaccidentscanbeexpectedduetoriskfactors
and complexity.ThereareseveralcharacteristicsrelatedtoHRO.
One isthattheyaggressivelyseektoknowwhattheydonotknow
[95]. HROsalsousefailuresimulationstotraineveryonetobe
heedful ofthepossibilityofaccidents [95]. QRAsuseevent-trees
and fail-treestomodeldifferentscenarios.Thesametechnique
can beusedtosimulatedecisiongatesanddifferentscenarios
related toprecursorincidents.TheQRAisascientificmethodthat
uses availableinformationtoidentifyhazardsandtopredictthe
risk. TheQRAcancontributetobuildanorganisationalmemoryof
what happenedandwhy.Accidentinvestigationofprecursor
incidents withQRAmodellingcanbeusedtocommunicate
organisational concernwithaccidentstoreinforcethecultural
values ofsafety,andidentifypartsofthesystemthatshouldhave
additional barriers.Alltheseelementsarecharacteristicsofan
HRO. Firmsthathavefeweraccidentshavedevelopedsystems
and processesforcommunicatingthebigpicturetoeveryonein
the organisation.Thisisamajorchallengethatbeginswithtop
management encouragingtheculturetobesupportiveofopen
communications. Therewardandincentivesystemhastorein-
force anopenflowofcommunicationaswellassupporttheopen
discussion oforganisationalpurpose [95]. Communicationand
the discussionofprecursorincidentsisaconcretemethodthat
may simplifyfindingaunitedplatformforthestatusofthesafety
as wellaspossibleimprovements.
There areseveralchallengeswhenusingQRAinriskmanage-
ment, andthesamechallengeswillapplywhenusingQRAaspart
of precursorincidentandaccidentinvestigations.Event-based
models likeQRAencouragelimitednotionsofcausality;usually
linear causalityrelationshipsareemphasised,anditisdifficultto
incorporate non-linearrelationships,includingfeedback.Inaddi-
tion, someimportantcausalfactorsaredifficulttofitintosimple
event models.Forexample,studieshavefoundthatthemost
important factorintheoccurrenceofaccidentsismanagement’s
commitment tosafetyandthebasicsafetycultureintheorgani-
sation orindustry [21], oftenreferredtoasHOFs.
It iscommontodefineanddescriberiskusingprobabilities
(combinedwithhazards and consequences).Aven [96] arguesthat
theseperspectivesanddefinitionsaretoonarrow.Theydonot
reflect thatprobabilitiesareimperfect toolsforexpressinguncer-
tainties.Theassignedprobabilitiesareconditionedonanumberof
assumptionsandsuppositions.Theydependonthebackground
knowledge ofthesysteminmind.Uncertaintiesareoftenhiddenin
thebackgroundknowledge,andrestrictingattentiontotheassigned
probabilitiescouldcamouflagefactorsthatcouldproducesurprising
outcomes. Byjumpingdirectlyinto probabilities,importantuncer-
taintyaspectsareeasilytruncated, meaningthatpotentialsurprises
could beleftunconsidered [96]. QRAPIIcanaddqualitative
information relatedtotheprobabilities.Thedifferentaccident
scenarios canbefurtherdescribed byinformationcollectedaspart
of theinvestigation.Inthisway the uncertaintiesinaQRAcanbe
discussed,andformthebasisforlearning.
ThefindingsfromQRAPIIcanalsobesourcesforsafety
indicators andabetterunderstandingofthecorrelationbetween
differentindicators.Traditionally, thefocusofsafetyindicatorsfor
majorhazardshasbeenonincidentindicators orlaggingindicators,
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 56
10. which meansrecordingthenumberofaccidentsornear-misses.It
has beenclaimedthattheseindicatorsmaynotbeusefulasearly
warnings [6], andthefocusondevelopingindicatorsthatprovide
feedback beforeanaccidentoccurs(so-calledleadingindicators)
has beenincreased [38]. TheRNNPdoincludealargenumberof
indicators,butthedependencybetweentheseislargelyunknown
(see e.g. [97]), soistheunderstandingoftheirvalidityasearly
warningsignals.Theunderstanding ofearlywarningssignalcanbe
supportedbylearningfromQRAPII.
9. Conclusion
Every yearalargenumberofprecursorincidentsarereported
in theNorthSeaOGindustry.Accidentinvestigationisthe
collection andexaminationoffactsrelatedtoanoccurredspecific
event. Riskanalysisisthesystematicuseofavailableinformation
to identifyhazardsandtoestimatetherisk.Boththemethodsare
about describinghazardsinamethodicalstructure.Theyshare
very muchthesameelements.Theextensiveresearchthatisdone
related tothatincludingHOFsinQRAbringsaccidentinvestiga-
tion andQRAclosertogether.Theoilandgasindustryconsistsof
complex systemsthatarehardtospecify.Evensoitisimportant
that weusethescientificmethodsthatareavailable,andcombine
these toensureasmuchunderstandingandspecificationas
possible. Precursorincidentsrarelyleadtomajoraccidents,and
in turnthisreducesthefearofanoccurrencewithinthe
organisation aswellasreducesthevisiblebenefitsofsafety
investments. Bydescribingtheprecursorincidentswithrelated
probabilities andconsequences,proactivemanagementcanbe
mobilised. Adeeperunderstandingoftheprecursorincidentswill
give thepotentialtocontrolvariabilityratherthanbyconstrain-
ing it.Tobeabletocontrolvariabilitywilldemandthatprecursor
incidents aretakenseriously.UsingpartsofQRAmodellingin
accident investigationshasbeendoneearlier.Especiallymodel-
ling ofgascloudsandexplosionforceshasbeendone,toboth
verify softwaretoolsaswellasunderstandthesequenceinthe
accident. Itisthoughnotdoneforprecursorincidents.Regardless
of thepurposeofanaccidentinvestigation,anyconclusionshould
be basedonanunderstandingoftheeventsleadingtothe
accident, aswellasitspotentialconsequences.Combiningpre-
cursor incident/accidentinvestigationandQRAcancontributeto
this understanding.Alternativeandcombineduseofwellknown
data setsandtraditionalhazardanalysistechniquescanbealess
struggling approachthanintroducingnewtechniques,andstill
ensure amorecompletecauseandriskpictureincomplex
systems. Thisincludesanextendedunderstandingofhuman
and organisationalfactorsinaccidentsandpreventionofthese.
Acknowledgements
Especially wethankresearcherJahonKhorsandiatUCBerkeley
for reviewsandcomments.Wealsoappreciatethecommentsand
suggestions madebythereferees,andthefinancialsupportfrom
the NorwegianResearchCouncilandStatoil.
References
[1] NæsheimT.NOU,the‘‘AlexanderL.Kielland’’-accident.Oslo;1981[in
Norwegian].
[2] PSA[Internet].Fromprescriptiontoperformanceinpetroleumsupervision;
2010. Availableat: /http://www.ptil.no/news/from-prescription-to-perfor
mance-in-petroleum-supervision-article6696-79.html?lang=en_USS [cited:
16 February2010–2011].
[3] CullenWD.ThepublicinquiryintothePiperAlphadisaster.London:
Department ofEnergy;1990.
[4] DawsonD,BrooksB.EssoLongfordgasplantaccident:reportoftheLongford
Royal Commission.LongfordRoyalCommission;1999.
[5] HopkinsA.LessonsfromLongford:theEssogasplantexplosion.Sydney:
CCH AustraliaLtd.;2000.
[6] BakerJ,BowmanF,ErwinG,GortonS,HendershotD,LevesonN.Thereportof
the BPU.S.Refineriesindependentsafetyreviewpanel.Washington,DC;
2007.
[7] GrahamB,ReillyWK,BeineckeF,BoeschDF,GarciaTD,MurrayCA,etal.
Deep Water.TheGulfoildisasterandthefutureofoffshoredrilling.Reportto
the President.Washington(DC,USA):TheNationalCommissionontheBP
Deepwater HorizonOilSpillandOffshoreDrilling;2011.
[8] DHJIT.USCG/BOEMMarineBoardofinvestigationintothemarinecasualty,
explosion, fire,pollution,andsinkingofmobileoffshoredrillingunitDeep-
water Horizon,withthelossoflifeintheGulfofMexicoApril21–27,2010.
Deepwater HorizonIncidentJointInvestigationTeam,TheUSCoastGuard
(USCG)/Bureau ofOceanEnergyManagement,RegulationandEnforcement
(BOEMRE) JointInvestigationTeam(JIT);2010.
[9] USDI.Increasedsafetymeasuresforenergydevelopmentontheouter
continental shelf.USDepartmentoftheInterior;2010.
[10] PSA[Internet].Investigations.Stavanger;2010.Availableat: /http://www.
ptil.no/investigations/category157.htmlS [cited: 09April2010].
[11] PSA.Managingtheriskofmajoraccidentsinagovernanceperspective;2010.
[12] HSE[Internet].MajorHazards;2010.Availableat: /http://www.hse.gov.uk/
aboutus/strategiesandplans/hscplans/businessplans/0405/07.htmlS [cited:
08 April2010].
[13] PSA.Trendsinrisklevelinthepetroleumsector,NorwegianShelf,2008.
Norway: PetroleumSafetyAuthority;2009.
[14] LindbergA-K,HanssonSO,RollenhagenC.Learningfromaccidents—What
more doweneedtoknow?SafetyScience2010;48:714–21.
[15]PhimisterJ,OktemU,KleindorferP,KunreutherH.Near-missincident
managementinthechemicalprocessindustry.RiskAnalysis2003;23:445–59.
[16] WuW,GibbAGF,LiQ.Accidentprecursorsandnearmissesonconstruction
sites: aninvestigativetooltoderiveinformationfromaccidentdatabases.
Safety Science2010;48:845–58.
[17] SmithCL,BorgonovoE.Decisionmakingduringnuclearpowerplant
incidents—a newapproachtotheevaluationofprecursorevents.Risk
Analysis 2007;27:1027–42.
[18] KatsakioriP,SakellaropoulosG,ManatakisE.Towardsanevaluationof
accident investigationmethodsintermsoftheiralignmentwithaccident
causation models.SafetyScience2009;47:1007–15.
[19] LevesonN.Engineeringasaferworld—systems thinkingappliedtosafety
(draft). TheMITPress;2009.
[20] HollnagelE,WoodsD,LevesonN.Resilienceengineering:conceptsand
precepts. AshgatePublishingLtd.;2006.
[21] LevesonN.Anewaccidentmodelforengineeringsafersystems.Safety
Science 2004;42:237–70.
[22] LevesonNG.Theneedfornewparadigmsinsafetyengineering.In:DaleC,
Anderson T,editors.Safety-criticalsystems:problems,processandpractice.
London: Springer;2009.p.3–20.
[23] VinnemJE.Offshoreriskassessment.2nded.London(UK):Springer;2007.
[24] AvenT.Foundationsofriskanalysis:aknowledgeanddecision-oriented
perspective. Chichester:Wiley;2003.
[25] VinnemJE,SeljelidJ,HaugenS,AvenT.Generalizedmethodologyfor
operational riskanalysisofoffshoreinstallations.JournalofRiskand
Reliability 2008;223:87–98.
[26] SkogdalenJE,VinnemJE.Quantitativeriskanalysisoffshore—human and
organizational factors.ReliabilityEngineeringSystemSafety2011;96:
468–79.
[27] LundbergJ,RollenhagenC,HollnagelE.What-you-look-for-is-what-you-
find—the consequencesofunderlyingaccidentmodelsineightaccident
investigation manuals.SafetyScience2009;47:1297–311.
[28] HollnagelE.Investigationasanimpedimenttolearning.In:HollnagelE,
Nemeth CP,DekkerS,editors.Remainingsensitivetothepossibilityof
failure. Aldershot(UK):Ashgate;2008.
[29] SkletS.Comparisonofsomeselectedmethodsforaccidentinvestigation.
Journal ofHazardousMaterials2004;111:29–37.
[30] WeickKE,SutcliffeKM.Managingtheunexpected:assuringhighperfor-
mance inanageofcomplexity.SanFrancisco(CA):Jossey-Bass;2001.
[31] WeickKE.Organizingandtheprocessofsensemaking.OrganizationScience
2005;16:409.
[32] TurnerBA.Man-madedisasters.London(UK):Wykeham;1978.
[33] CookeDL,RohlederTR.Learningfromincidents:fromnormalaccidentsto
high reliability.SystemDynamicsReview2006;22:213–39.
[34] BerntsenR,HolmboeRH.Incidents/accidentsclassificationandreportingin
Statoil. JournalofHazardousMaterials2004;111:155–9.
[35] ThunemA,KaarstadM,ThunemH.Vurderingavorganisatoriskefaktorerog
tiltak iulykkesgranskning(Evaluationoforganisationalfactorsandmeasures
in accidentinvestigations).Kjeller:InstituteforEnergyTechnology;2010
(in Norwegian).
[36] ØienK,UtneIB,HerreraIA.Buildingsafetyindicators:part1—theoretical
foundation. SafetyScience2011;49:148–61.
[37] DuijmNJ,Fie´vez C,GerbecM,HauptmannsU,KonstandinidouM.Manage-
ment ofhealth,safetyandenvironmentinprocessindustry.SafetyScience
2008;46:908–20.
[38] HaleA.Editorial:specialissueonprocesssafetyindicators.SafetyScience
2009;47:459.
J.E. Skogdalen,J.E.Vinnem/ReliabilityEngineeringandSystemSafety101(2012)48–58 57